`Date: Wed, 10 Feb 1999 22:10:57 +0100
From: Pascal Gienger <[email protected]>
To: [email protected]
Subject: Security Bug in Bintec Router Firmware (CLID)
Vulnerability in Bintec Firmware BOSS V4.9 Release 1 and earlier
Abstract:
Non-interpretation of "international" or "national" incoming call setup
leads to a security problem when you accept connections based on their
incoming call number.
Bintec is a manufacturer of routers whose market share is growing steadily.
So the following information should be of general interest.
Bintec Routers are shipped with the BOSS Operating system, current release
is V4.9, Rel.3.
Bricks do support besides PPP links also raw IP encapsulation over HDLC
frames (ISDN Line).
In the latter case, WAN partner are distinguished based upon their incoming
call number (CLID), so you must "trust" your telephone company for issuing
the right information. People may set their own "outgoing" number, but only
the ones marked as "screened" by the telco are looked at.
In Germany, you have to dial an "0" to exit your local area, and "00" to
access international calls. These zeros, however, do not belong to the
real telephone number, they are not passed along with the ISDN call request.
So a call from +41 1 1234567 (0041 1 1234567) is passed as "4111234567".
A call from 0411 1234567 (national call from city zone "4111") is
also passed as "4111234567". You have to set this "4111234567" as an
incoming number in the brick setup because otherwise the Brick would
not recognize the call.
The only difference is a flag which says whether the call is an international
one or not.
BOSS does not distinguish these two, leaving this security hole open. If you
know the number of a WAN partner abroad which number has less than 9
digits, you can search the local zone in Germany and trying to get there
the appropriate number to access the router. Might be complicated, but if
you know that there is sensitive stuff to get...
A possible fix would be to always insist on a form like "49411123456789" for
the national german call (with leading international prefix).
I wrote a notice to Bintec 24h ago, but I got no response until now.
I'll tell their answer as soon as I'll get it.
I would not be surprised to hear that other router firmwares are acting in
the same way...
Pascal
--
Unix, Pascal Gienger, Moosstr. 7 /\ 7 .rtssooM ,regneiG lacsaP xinU
Networx 78467 Konstanz, [email protected] / \ ed.tenz@p ,znatsnoK 76487 xrowteN
& WWW http://pascal.znet.de/ \ed.tenz.lacsap\\:ptth WWW &
http://echo.znet.de:8888/ echo \8888:ed.tenz.ohce\\:ptth
----------------------------------------------------------------------------
Date: Thu, 11 Feb 1999 13:19:16 +0100
From: Thomas Schmidt <[email protected]>
To: [email protected]
Subject: AW: Security Bug in Bintec Router Firmware (CLID)
Pascal Gienger wrote:
> Vulnerability in Bintec Firmware BOSS V4.9 Release 1 and earlier
>
> Abstract:
> Non-interpretation of "international" or "national" incoming call setup
> leads to a security problem when you accept connections based on their
> incoming call number.
>
> Bintec is a manufacturer of routers whose market share is growing steadily.
> So the following information should be of general interest.
> Bintec Routers are shipped with the BOSS Operating system, current release
> is V4.9, Rel.3.
>
> Bricks do support besides PPP links also raw IP encapsulation over HDLC
> frames (ISDN Line).
> In the latter case, WAN partner are distinguished based upon their incoming
> call number (CLID), so you must "trust" your telephone company for issuing
> the right information. People may set their own "outgoing" number, but only
> the ones marked as "screened" by the telco are looked at.
>
There is a security mechanism available for all BinTec Routers that can be
used to verify if the "Calling Party Number" of an incoming call was modified
by the calling party.
The SETUP-message of an incoming call at an ISDN-interface contains
a parameter field called "Screening Indicator". This Screening Indicator
can not be set by the originiating user, but it is modified by the first
exchange at the call originator side. Possible values for the screening
indicator are (refer to ITU Q.931 or ETSI 300 102-1) :
- "user-provided - not screened"
- "user_failed provided - verified and passed"
- "user_failed provided - verified and failed"
- "network provided"
>From firmware revision BOSS V4.8 Release 1, the user could select
if the screening indicator is verified and specify the expected value.
This can be done for every indiviual number, and is selected by
modification of the SNMP configurationtable "dialtable".
Unfortuantely there are many smaller PABX (private branch exchange)
used by our customers, that do not pass through the value of the
screening indicator without modification, so we decided, not to verify
all numbers by default.
For users of raw IP connections, we recommend verification of the
screening indicator.
# Thomas Schmidt / Product Manager
# BinTec Communications AG
# D-90449 Nuernberg / Suedwestpark 94
# Phone : 49-911-9673-0
# Fax : 49-911-6880725
# EMail : [email protected]
----------------------------------------------------------------------------
Date: Fri, 12 Feb 1999 08:55:05 +0100
From: Pascal Gienger <[email protected]>
To: [email protected]
Subject: Re: Security Bug in Bintec Router Firmware (CLID)
On Thu, Feb 11, 1999 at 01:19:16PM +0100, Thomas Schmidt wrote:
> >From firmware revision BOSS V4.8 Release 1, the user could select
> if the screening indicator is verified and specify the expected value.
> This can be done for every indiviual number, and is selected by
> modification of the SNMP configurationtable "dialtable".
But this still leaves the hole of the same incoming number of
possible international and national calls open....
The screening was only one thing (and I corrected this in my routers'
setup, thanks to Mr Schmidt!). The other thing is the same incoming
number for (e.g.) +41 1 1234567 and +49 411 1234567, resulting
both in 4111234567.
The "numbering type" field is not looked at. ;-) "Numbering plan" should
always be ISDN for non-modem connections...
It would be nice if that would be integrated in the future releases
of the firmware.
Pascal
--
Unix, Pascal Gienger, Moosstr. 7 /\ 7 .rtssooM ,regneiG lacsaP xinU
Networx 78467 Konstanz, [email protected] / \ ed.tenz@p ,znatsnoK 76487 xrowteN
& WWW http://pascal.znet.de/ \ed.tenz.lacsap\\:ptth WWW &
http://echo.znet.de:8888/ echo \8888:ed.tenz.ohce\\:ptth
`