Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPacket StormPACKETSTORM:12202
HistoryAug 17, 1999 - 12:00 a.m.

bintec.boss.txt

1999-08-1700:00:00
Packet Storm
packetstormsecurity.com
58
JSON
`Date: Wed, 10 Feb 1999 22:10:57 +0100  
From: Pascal Gienger <[email protected]>  
To: [email protected]  
Subject: Security Bug in Bintec Router Firmware (CLID)  
  
Vulnerability in Bintec Firmware BOSS V4.9 Release 1 and earlier  
  
Abstract:  
Non-interpretation of "international" or "national" incoming call setup  
leads to a security problem when you accept connections based on their  
incoming call number.  
  
Bintec is a manufacturer of routers whose market share is growing steadily.  
So the following information should be of general interest.  
Bintec Routers are shipped with the BOSS Operating system, current release  
is V4.9, Rel.3.  
  
Bricks do support besides PPP links also raw IP encapsulation over HDLC  
frames (ISDN Line).  
In the latter case, WAN partner are distinguished based upon their incoming  
call number (CLID), so you must "trust" your telephone company for issuing  
the right information. People may set their own "outgoing" number, but only  
the ones marked as "screened" by the telco are looked at.  
  
In Germany, you have to dial an "0" to exit your local area, and "00" to  
access international calls. These zeros, however, do not belong to the  
real telephone number, they are not passed along with the ISDN call request.  
So a call from +41 1 1234567 (0041 1 1234567) is passed as "4111234567".  
A call from 0411 1234567 (national call from city zone "4111") is  
also passed as "4111234567". You have to set this "4111234567" as an  
incoming number in the brick setup because otherwise the Brick would  
not recognize the call.  
The only difference is a flag which says whether the call is an international  
one or not.  
  
BOSS does not distinguish these two, leaving this security hole open. If you  
know the number of a WAN partner abroad which number has less than 9  
digits, you can search the local zone in Germany and trying to get there  
the appropriate number to access the router. Might be complicated, but if  
you know that there is sensitive stuff to get...  
  
A possible fix would be to always insist on a form like "49411123456789" for  
the national german call (with leading international prefix).  
  
I wrote a notice to Bintec 24h ago, but I got no response until now.  
I'll tell their answer as soon as I'll get it.  
  
I would not be surprised to hear that other router firmwares are acting in  
the same way...  
  
Pascal  
--  
Unix, Pascal Gienger, Moosstr. 7 /\ 7 .rtssooM ,regneiG lacsaP xinU  
Networx 78467 Konstanz, [email protected] / \ ed.tenz@p ,znatsnoK 76487 xrowteN  
& WWW http://pascal.znet.de/ \ed.tenz.lacsap\\:ptth WWW &  
http://echo.znet.de:8888/ echo \8888:ed.tenz.ohce\\:ptth  
  
----------------------------------------------------------------------------  
  
Date: Thu, 11 Feb 1999 13:19:16 +0100  
From: Thomas Schmidt <[email protected]>  
To: [email protected]  
Subject: AW: Security Bug in Bintec Router Firmware (CLID)  
  
Pascal Gienger wrote:  
  
> Vulnerability in Bintec Firmware BOSS V4.9 Release 1 and earlier  
>  
> Abstract:  
> Non-interpretation of "international" or "national" incoming call setup  
> leads to a security problem when you accept connections based on their  
> incoming call number.  
>  
> Bintec is a manufacturer of routers whose market share is growing steadily.  
> So the following information should be of general interest.  
> Bintec Routers are shipped with the BOSS Operating system, current release  
> is V4.9, Rel.3.  
>  
> Bricks do support besides PPP links also raw IP encapsulation over HDLC  
> frames (ISDN Line).  
> In the latter case, WAN partner are distinguished based upon their incoming  
> call number (CLID), so you must "trust" your telephone company for issuing  
> the right information. People may set their own "outgoing" number, but only  
> the ones marked as "screened" by the telco are looked at.  
>  
  
  
There is a security mechanism available for all BinTec Routers that can be  
used to verify if the "Calling Party Number" of an incoming call was modified  
by the calling party.  
  
  
The SETUP-message of an incoming call at an ISDN-interface contains  
a parameter field called "Screening Indicator". This Screening Indicator  
can not be set by the originiating user, but it is modified by the first  
exchange at the call originator side. Possible values for the screening  
indicator are (refer to ITU Q.931 or ETSI 300 102-1) :  
- "user-provided - not screened"  
- "user_failed provided - verified and passed"  
- "user_failed provided - verified and failed"  
- "network provided"  
  
>From firmware revision BOSS V4.8 Release 1, the user could select  
if the screening indicator is verified and specify the expected value.  
This can be done for every indiviual number, and is selected by  
modification of the SNMP configurationtable "dialtable".  
  
Unfortuantely there are many smaller PABX (private branch exchange)  
used by our customers, that do not pass through the value of the  
screening indicator without modification, so we decided, not to verify  
all numbers by default.  
  
For users of raw IP connections, we recommend verification of the  
screening indicator.  
  
# Thomas Schmidt / Product Manager  
# BinTec Communications AG  
# D-90449 Nuernberg / Suedwestpark 94  
# Phone : 49-911-9673-0  
# Fax : 49-911-6880725  
# EMail : [email protected]  
  
----------------------------------------------------------------------------  
  
Date: Fri, 12 Feb 1999 08:55:05 +0100  
From: Pascal Gienger <[email protected]>  
To: [email protected]  
Subject: Re: Security Bug in Bintec Router Firmware (CLID)  
  
On Thu, Feb 11, 1999 at 01:19:16PM +0100, Thomas Schmidt wrote:  
  
> >From firmware revision BOSS V4.8 Release 1, the user could select  
> if the screening indicator is verified and specify the expected value.  
> This can be done for every indiviual number, and is selected by  
> modification of the SNMP configurationtable "dialtable".  
  
But this still leaves the hole of the same incoming number of  
possible international and national calls open....  
The screening was only one thing (and I corrected this in my routers'  
setup, thanks to Mr Schmidt!). The other thing is the same incoming  
number for (e.g.) +41 1 1234567 and +49 411 1234567, resulting  
both in 4111234567.  
The "numbering type" field is not looked at. ;-) "Numbering plan" should  
always be ISDN for non-modem connections...  
  
It would be nice if that would be integrated in the future releases  
of the firmware.  
  
Pascal  
--  
Unix, Pascal Gienger, Moosstr. 7 /\ 7 .rtssooM ,regneiG lacsaP xinU  
Networx 78467 Konstanz, [email protected] / \ ed.tenz@p ,znatsnoK 76487 xrowteN  
& WWW http://pascal.znet.de/ \ed.tenz.lacsap\\:ptth WWW &  
http://echo.znet.de:8888/ echo \8888:ed.tenz.ohce\\:ptth  
  
`
JSON