24th Feb 2003 [SBWID-6014]
COMMAND
Telindus password recovery due to weak encryption scheme
SYSTEMS AFFECTED
Telindus ADSL router 112x, firmware release 6.0.x
PROBLEM
In Elia Florio's ("ioProgrammo", http://www.edmaster.it/ioprogrammo)
[[email protected]] advisory:
An old security problem for Telindus 112x series (and Arescom NetDSL
1000 too) is well documented here:
http://www.tigerteam.it/files/telindus-advisory.txt (english)
http://www.tigerteam.it/files/telindus-advisory.IT.txt (italian)
There is a new exploit to crack the router password, partially based on
this old problem, which Telindus fixed by introducing a new firmware
release (6.0.x) in which the UDP packets on port 9833 (containing the
plain-text password) are encrypted, to ensure product security.
However, after some studies, I discovered that the encryption scheme is
trivial and can be broken using some information which the router
itself reveals (the router name) to the user.
NOTE: The encryption scheme was successfully decrypted on 2 routers
supplied by different ISPs: MATAV (Hungary) and Telecom (Italy), both
with 6.0.x firmware.
[---------------------------------------------------------------------]
PROOF OF CONCEPT:
Using a sniffer I captured a packet (encrypted) from a 1124 router and
compared it with another packet (unencrypted) taken from another router,
which has the old firmware (< 6.0.x). This procedure (how to capture the
packet) was explained in a previous security advisory (by others) and
is based on UDP sniffing of port 9833 while "Telindus 9100 M.
Application" is trying to contact the router over the LAN.
CIPHER-TEXT
0100 00 03 02 00 08 00 00 A2 A3 2B 63 4B 73 23 AB 99 .......��+cKs#�TM
0110 02 0A 22 9A 61 02 93 7B AB A3 2B 90 08 08 00 2B .."sa."{��+�...+
0120 6B 7B AB 9B 28 08 10 01 92 72 22 99 89 91 B1 82 k{�>(...'r"TM`�,
0130 42 29 6A A2 62 49 61 03 B3 2B 91 01 B1 71 81 71 B)j�bIa.�+`.�q�q
0140 91 B9 DA A3 AB 29 02 53 AB 61 01 99 81 01 89 C9 `�ڣ�).S�a.TM�.�
0150 D1 89 B1 D1 99 B1 01 91 81 81 90 09 98 00 10 01 ѱ�TM�.`���.~...
0160 E0 08 98 00 30 00 2E C0 9F 0A 88 08 B0 00 30 00 �.~.0..�Y.^.�.0.
0170 85 38 9A 64 0A 00 18 00 10 00 02 00 20 00 10 00 ...8sd........ ..
0180 00 09 30 00 00 09 38 00 00 09 40 00 00 09 80 00 ..0...8...@....
0190 10 00 10 0A 20 00 00 08 20 00 10 00 00 10 50 00 .... ... .....P.
01A0 10 00 00 0A 30 00 10 00 00 0A 48 00 20 00 00 00 ....0.....H. ...
01B0 00 0A 88 00 02 10 28 00 02 11 10 00 00 20 40 00 ..^...(...... @.
PLAIN-TEXT
0100 00 03 00 01 01 00 00 05-44 53 4C 30 30 01 01 00 ........DSL00...
0110 0D 31 31 31 31 31 31 31-31 31 31 31 31 31 01 02 .1111111111111..
0120 00 32 4E 44 31 30 36 30-56 45 2D 54 4C 49 2C 20 .2ND1060VE-TLI,
0130 76 65 72 20 35 2E 33 2E-31 31 42 3B 54 68 75 20 ver 5.3.11B;Thu
0140 44 65 63 20 20 36 20 31-36 3A 33 36 3A 33 33 20 Dec 6 16:36:33
0150 32 30 30 31 01 33 00 02-00 3C 01 13 00 06 00 60 2001.3...<.....`
0160 6C 1D BD 7E 01 16 00 06-00 00 86 60 62 F7 04 08 l..~.......`b...
0170 00 02 00 01 04 15 00 02-00 FF 01 0D 00 04 00 00 ................
0180 00 00 01 0E 00 04 00 00-00 00 01 14 00 02 00 00 ................
0190 40 03 00 02 00 00 40 04-00 02 00 00 01 26 00 00 @.....@......&..
01A0 01 27 00 00 01 28 00 00-01 30 00 02 00 02 01 44 .'...(...0.....D
01B0 00 00 42 05 00 00 42 22-00 00 04 18 00 00 08 FF ..B...B"........
Both payloads begin with "00 03 xx xx xx 00 00" bytes sequence.
In the plain packet we can read the router name and the password: the
beginning of a text string has an important byte, which stores the
string length:
05-44 53 4C 30 30 01 01 00
^^----------------------------------> length of string "DSL00"
0D 31 31 31 31 31 31 31-31 31 31 31 31 31 01 02 00
^^----------------------------------> length of string "1111111111111"
I suppose that "0x 0x 00" is a kind of termination sequence for
<router name> and <password> fields.
Now look at the encrypted packet: because its total length is similar
to that of the plain packet (>200 bytes), I suppose that "A2" is now an
encrypted length byte, so the router name field begins after this byte.
But I know the router name, because Telindus 9100 M. Application shows
it to me during the connection test with the router. In this case it was
"Telindus ADSL Router", very long! I think that is enough to begin a
crypto-analytic attack on the packet.
"Telindus ADSL Router" [20 bytes = 14h] crypto-length=A2
T e l i n d u s A D S L R o u t e r
A3 2B 63 4B 73 23 AB 99 02 0A 22 9A 61 02 93 7B AB A3 2B 90 encrypted
54 65 6C 69 6E 64 75 73 20 41 44 53 4C 20 52 6F 75 74 65 72 plain ASCII
Looking at this, I suppose that:
1) the encryption scheme is based on a fixed crypto system
("e", "u", "t" are encrypted in same way in the text)
2) there is a special encryption for stop/mark bytes between
words (add -2 or -3 to final char R=93 / r=90 ????)
3) the encryption scheme is case sensitive
Trying to write a crypto table, I notice that each letter's crypto-byte
is the previous letter's crypto-byte plus 8. For example r=93, then
s=9B...
CRYPTO TABLE (hex codes)
-------------------------------------
CHAR CRYPT PLAIN
a 0B 61
b 13 62
c 1B 63
d 23 64
e 2B 65
f 33 66
g 3B 67
h 43 68
i 4B 69
j 53 6A
k 5B 6B
l 63 6C
m 6B 6D
n 73 6E
o 7B 6F
p 83 70
q 8B 71
r 93 72
s 9B 73
t A3 74
u AB 75
v B3 76
w BB 77
x C3 78
y CB 79
z D3 7A
...
1 89 31
2 91 32
3 98 33
...
I think that the encryption function is very similar to this :
ENCRYPT(x) = x*8 + int(x/20h) - (int(x/20h))*100h
For example ("q" = 71h)
ENCRYPT(71h) = 71h*8 + 71h/20h - (71h/20h)*100h = 388h + 3 - 300h = 8Bh
There are some encryption variants for blank space, capital and the
last letters of words.
Now, where is the router password in the encrypted packet? After 20
bytes (the router name length in this case) there is "08 08 00",
probably a field marker, then there is 2B, which is the crypto-length
of the password.
The encrypted password-string begins there.
Using the table, I can unmask the real router password:
m o u s e
2B 6B 7B AB 9B 28 08 10 01
^^----------------------------------crypto length of password
Other information can also be decrypted:
N D S 1 2 6 0 H E - T L I
72 22 99 89 91 B1 82 42 29 6A A2 62 49 61 03
v e r 6 . 0 . 2 7 T u e J u l 3 0
B3 2B 91 01 B1 71 81 71 91 B9 DA A3 AB 29 02 53 AB 61 01 99 81 01
1 9 : 1 6 : 3 6 2 0 0 2
89 C9 D1 89 B1 D1 99 B1 01 91 81 81 90 09 98 00 10 01
[----------------------------------------------------------------------]
SOLUTION
n/a