Airtel Broadband – Beetel CPE Device – 450TC1 – MGMNT SSID – Hack – Exploit

WaheGuru G Ka Khalsa, WaheGuru G Ki Fateh

In this Post, we illustrate a possible hack – exploit with Beetel ADSL Routers/Modems (Broadband CPE) distributed by Airtel Broadband, INDIA – which once exploited, we can gain Subject’s (target) LAN network access and thereby WAN ( WAN- if operating in PPPOE/Router/NAT Mode & no custom IPTables rules and/or Network ACLs are defined).

CPE Device Model: Beetel 450 TC1
CPE Device Default Admin Credentials: admin | password
Tested Device Information:

 RAS version: TM4-0Q-020__TME-0Q-020
System   ID: $2.11.65.2(RE5.C21)3.12.7.0 20100628_V022[Jun 28 2010 14:44:06]
romRasSize: 1351290
system up time:     9:32:48 (347163 ticks)
bootbase version: VTC_SPI1.12 | 2010/09/09

Default Broadcasted SSIDs:

SSID1 – AIRTEL – SSID Index 1 – (when connected to this SSID – we can connect to Internet) (We can only Configure this SSID i.e. SSID with Index  -1).

Inssider – SSID1 and SSID2 being Broadcasted by same CPE Device

SSID2 – MGMNT – SSID Index 2 – (when connected to this SSID – we can only view CPE Device STATUS page and can’t connect to Internet  (probably due to IPtables) (We can’t Configure this SSID or disable this SSID i.e. SSID with index – 2).

Exploit Summary: Connect to Secondary SSID (SSID with Index – 2) – MGMNT – (Airtel CPE Service SSID) in order to reveal Credentials associated with Primary SSID (SSID with Index – 1).

Procedure:

By default (with factory defaults), this specific Router broadcasts two SSIDs – one named Airtel and other MGMNT. Consumer can only modify Airtel SSID (with SSID Index 1) as per their requirements BUT can’t turn off MGMNT SSID (using SSID 1 or SSID2 or Ethernet) – as shown below.

MGMNT SSID by default broadcasts with WEP Encrypted Cipher HEX-10Digits (64Bits) with OPEN Authentication (WEP64 Security – OPEN) with WEP key set to “0987654321”, as show below:

MGMNT SSID – SSID Index – 2

Also note in Web Based Administration Page, all buttons are grayed out/disabled – so we can’t Configure/turn off SSID 2 (MGMNT).

Now when we are connected to MGMNT SSID (using default WEP key – 0987654321), we will get an IP Addr from dhcpd DHCP Pool and we open Device Administration Page, CPE device detects that we are connecting using MGMNT SSID (Airtel CPE Service SSID), it will automatically redirect URL to http://x.x.x.x/ssid_index2.html (from http://x.x.x.x) – where x.x.x.x is IPv4 address of the CPE Device – which in our case (and default) is 192.168.1.1 –  as shown below:

MGMNT SSID – SSID Index – 2 – Login Page-01

We login to MGMNT SSID using Default Credentials i.e. admin | password, and we presented STATUS Page of the device – also note that we can’t really Configure CPE Device when connected using MGMNT (because we are not entertained with full featured Device Administration version with MGMNT – but rather represented with only STATUS page – arbitrarily – we are represented with lite version).

MGMNT SSID – SSID Index – 2 – Login Page-02

And here goes our exploit, we enter URL as http://x.x.x.x/basic/home_wlan.htm – and voila — we are represented with Page to configure Primary SSID — i.e. SSID which can route packets to WAN/Internet.

MGMNT SSID – SSID Index – 2 – Login Page-03

This exploit can be prevented by simply changing the default admin credentials (because we are using default admin credentials to log into Administration Page when connected to MGMNT [SSID Index – 2]) .

Our sole intent is to get Beetel 450TC1 Consumers (with specific firmware’s) Aware, Safe and Secure.

Airtel ISP can also help consumers of these exploitable devices/firmwares by Updating Patched firmware using CWMP/TR-069 and some scripting. Hopefully, this possible exploit will be resolved by Airtel Broadband India, until then, 450TC1 users, never use WEP PSK for SSID1 and change Default admin credentials.

 

Hope this helps and Cheers 🙂 | Your feedback is highly appreciated.

WaheGuru G Ka Khalsa, WaheGuru G Ki Fateh

 

 

 

Copyright © 2013

For copyright purposes, VirtualizationMaximus.com is not in the public domain. The fact that this blog owner publishes an RSS feed does not grant any rights for republication or re-use of the material except in the manner described below.

All content in this blog created by the blog owner and his guest authors is the property of the blog owner and his guest authors and protected by international copyright laws and cannot be stored on any retrieval system, reproduced, reposted, displayed, modified or transmitted in any form, electronic or otherwise without written permission of the copyright owner except as noted below.

A brief excerpt of content that does not exceed 128 words or 512 characters may be quoted as long as a link is provided back to the source page on this blog and authorship is properly attributed.