[9492] in bugtraq


AW: Security Bug in Bintec Router Firmware (CLID)

daemon@ATHENA.MIT.EDU (Thomas Schmidt)
Thu Feb 11 19:24:48 1999

Date: 	Thu, 11 Feb 1999 13:19:16 +0100
Reply-To: "ts@bintec.de" <ts@bintec.de>
From: Thomas Schmidt <ts@BINTEC.DE>
To: BUGTRAQ@NETSPACE.ORG

Pascal Gienger wrote:

> Vulnerability in Bintec Firmware BOSS V4.9 Release 1 and earlier
>
> Abstract:
> Non-interpretation of "international" or "national" incoming call setup
> leads to a security problem when you accept connections based on their
> incoming call number.
>
> Bintec is a manufacturer of routers whose market share is growing steadily.
> So the following information should be of general interest.
> Bintec Routers are shipped with the BOSS Operating system, current release
> is V4.9, Rel.3.
>
> Besides PPP links, Bricks also support raw IP encapsulation over HDLC
> frames (ISDN line).
> In the latter case, WAN partners are distinguished based upon their incoming
> call number (CLID), so you must "trust" your telephone company to issue
> the right information. People may set their own "outgoing" number, but only
> the ones marked as "screened" by the telco are looked at.
>


There is a security mechanism available for all BinTec Routers that can be
used to verify if the "Calling Party Number" of an incoming call was modified
by the calling party.


The SETUP message of an incoming call at an ISDN interface contains
a parameter field called "Screening Indicator". This Screening Indicator
cannot be set by the originating user, but it is modified by the first
exchange at the call originator side. Possible values for the screening
indicator are (refer to ITU Q.931 or ETSI 300 102-1):
	- "user-provided - not screened"
	- "user-provided - verified and passed"
	- "user-provided - verified and failed"
	- "network provided"

From firmware revision BOSS V4.8 Release 1, the user can select
whether the screening indicator is verified and specify the expected value.
This can be done for every individual number, and is selected by
modification of the SNMP configuration table "dialtable".

Unfortunately there are many smaller PABX (private branch exchange)
systems used by our customers that do not pass through the value of the
screening indicator without modification, so we decided not to verify
all numbers by default.

For users of raw IP connections, we recommend verification of the
screening indicator.

# Thomas Schmidt / Product Manager
# BinTec Communications AG
# D-90449 Nuernberg / Suedwestpark 94
# Phone : 49-911-9673-0
# Fax   : 49-911-6880725
# EMail : ts@bintec.de
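The check described in the reply above, as an added illustration that is not part of the original post and not BinTec's own code: it decodes the Q.931 "Calling party number" information element (identifier 0x6C; octet 3a carries the presentation and screening indicators, the four screening values are the ones listed in the message) and then applies a per-number policy in the spirit of the "dialtable" entries, where a number with no expected screening value is accepted unverified (the default the post describes) and a number with an expected value is accepted only when the telco-supplied screening indicator matches. The dial-table layout, the function names and the sample numbers are assumptions made for this example.

```python
"""Decode a Q.931 Calling Party Number IE and apply a per-number
screening-indicator policy. Example code, not BinTec firmware."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Q.931 information element identifier for "Calling party number".
CALLING_PARTY_NUMBER_IE = 0x6C

# Screening indicator values, Q.931 octet 3a bits 2-1.
USER_NOT_SCREENED = 0        # user-provided, not screened
USER_VERIFIED_PASSED = 1     # user-provided, verified and passed
USER_VERIFIED_FAILED = 2     # user-provided, verified and failed
NETWORK_PROVIDED = 3         # network provided

SCREENING_NAMES = {
    USER_NOT_SCREENED: "user-provided, not screened",
    USER_VERIFIED_PASSED: "user-provided, verified and passed",
    USER_VERIFIED_FAILED: "user-provided, verified and failed",
    NETWORK_PROVIDED: "network provided",
}


@dataclass
class CallingParty:
    number: str
    type_of_number: int
    numbering_plan: int
    presentation: Optional[int]   # None when octet 3a is absent
    screening: Optional[int]      # None when octet 3a is absent


def build_calling_party_ie(number: str, screening: Optional[int],
                           presentation: int = 0, type_of_number: int = 2,
                           numbering_plan: int = 1) -> bytes:
    """Encode a Calling Party Number IE (constructed test input only).
    screening=None omits octet 3a, as some exchanges/PABXs do."""
    octet3 = (type_of_number << 4) | numbering_plan
    body = bytearray()
    if screening is None:
        body.append(0x80 | octet3)              # ext bit set: no octet 3a
    else:
        body.append(octet3)                     # ext bit clear: octet 3a follows
        body.append(0x80 | (presentation << 5) | screening)
    body += number.encode("ascii")              # IA5 digits
    return bytes([CALLING_PARTY_NUMBER_IE, len(body)]) + bytes(body)


def parse_calling_party_ie(ie: bytes) -> CallingParty:
    """Decode identifier, length, octet 3, optional octet 3a and the digits."""
    if len(ie) < 2 or ie[0] != CALLING_PARTY_NUMBER_IE:
        raise ValueError("not a Calling Party Number IE")
    length = ie[1]
    body = ie[2:2 + length]
    if len(body) != length or length < 1:
        raise ValueError("truncated IE")
    octet3 = body[0]
    type_of_number = (octet3 >> 4) & 0x07       # bits 7-5
    numbering_plan = octet3 & 0x0F              # bits 4-1
    presentation = screening = None
    digits_from = 1
    if not octet3 & 0x80:                       # ext bit 0: octet 3a present
        if length < 2:
            raise ValueError("octet 3a announced but missing")
        octet3a = body[1]
        presentation = (octet3a >> 5) & 0x03    # bits 7-6
        screening = octet3a & 0x03              # bits 2-1
        digits_from = 2
    number = body[digits_from:].decode("ascii")
    return CallingParty(number, type_of_number, numbering_plan,
                        presentation, screening)


# Assumed dial-table shape: number -> set of accepted screening values,
# or None meaning "accept without verifying" (the firmware's default).
DialTable = Dict[str, Optional[Set[int]]]


def accept_call(cp: CallingParty, dialtable: DialTable) -> Tuple[bool, str]:
    """Decide whether an incoming CLID-identified call is trusted."""
    if cp.number not in dialtable:
        return False, "rejected: number not in dial table"
    required = dialtable[cp.number]
    if required is None:
        return True, "accepted: screening indicator not verified (default)"
    if cp.screening is None:
        return False, "rejected: no screening indicator in SETUP"
    name = SCREENING_NAMES[cp.screening]
    if cp.screening in required:
        return True, f"accepted: {name}"
    return False, f"rejected: {name}"


if __name__ == "__main__":
    table: DialTable = {"09119673": {NETWORK_PROVIDED, USER_VERIFIED_PASSED}}
    for scr in (NETWORK_PROVIDED, USER_NOT_SCREENED, None):
        cp = parse_calling_party_ie(build_calling_party_ie("09119673", scr))
        print(cp.number, accept_call(cp, table))
```

A raw-IP WAN partner entry, following the post's recommendation, gets a required set of `{NETWORK_PROVIDED, USER_VERIFIED_PASSED}`; the `None` entries model the default that exists for sites behind a PABX that rewrites or strips octet 3a.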
