Open routers at Dhiraagu hotspots?

Wednesday, September 20. 2006
Dhiraagu Wifi hotspot is something I had mentioned in an earlier post, however, I hadn't got a chance to experience the service on my laptop till recently. The opportunity popped up when my flight to UK got delayed and had to kill some time at the food outlet at the airport. My laptop readily found the "Dhiraagu Wireless Hotspot" SSID and a stable connection was established. The service was quite decent and I could browse and download in comfort and with speed. It certainly was a luxury that quite a few people would happily pay for.

As ever, curiosity got the better of me and I decided to take a peek at how the service was operating. Access-controlled wifi hotspots usually operate by allowing unencrypted (that is, WEP/WPA-free) access to the wireless network and then authenticating the client with a central access controller. The client needs to open a web page, any page, upon which the browser gets redirected to a service login page where the user is prompted to enter the login details that grant them access to the internet thereafter. The login mechanism also serves as a means to facilitate billing.

The Dhiraagu system operates in a similar manner. Below is the screen that we are shown upon connecting. Notice that they are giving the username/password to login with in the current free access promotion they are running.



The browser flickers as the system guides it through a series of links to complete the authentication. Looking at the URLs the browser passed through, I picked out one "interesting"-looking IP...

http://202.1.201.230:8002/Portal?NMIP=203.104.25.251?OS=http://www.msn.com/

And voila comes the web administration interface for a Cisco router - the equipment that Dhiraagu is using to provide the Wifi hotspot service!



The router is apparently configured without any administration password, and simply going to the router's IP address provided unfettered access to the wifi router and hence control over the wifi hotspot service.





I wonder if this is true for all the rest of the Dhiraagu hotspots splattered across Male'. The service is great, BUT is this how the system was deployed? This configuration of the wifi hotspot lets anyone take control of the router and facilitates all kinds of mischief!

Miadhu website attacked

Saturday, September 9. 2006
Miadhu, one of Technova's recently launched websites, was attacked yesterday. The intruder gained access to the site via our custom developed Content Management System (CMS) backend that handles the management operations of the site. Access to the CMS was gained by means of password guessing - a task made unbelievably trivial by the presence of an account name and password that matched: "miadhu" for both! The attackers then attempted to delete existing content and to add data to the website; the latter they managed to do successfully. They left behind random messages in the articles they added - messages that were as deep and simple as a "kekeke" to ones dissing Jabir and President Maumoon.

Miadhu notified us of the intrusion and we spent a good hour rummaging through the logs, mapping out the actions of the attacker and assessing the damage. Patching the door through which the attackers entered only involved changing account names and passwords in addition to advising the client to maintain secure password policies.

The website is now back running as it were...
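Two defensive pieces this incident calls for, as an added example that is not code from Technova's CMS: a detector for password guessing run over constructed login log lines, and a password policy check that rejects a password matching the account name. The log format, thresholds and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CMS login log lines (not Miadhu's real logs).
SAMPLE_LOG = """\
2006-09-08 21:14:02 203.0.113.7 LOGIN_FAIL user=admin
2006-09-08 21:14:05 203.0.113.7 LOGIN_FAIL user=miadhu
2006-09-08 21:14:07 203.0.113.7 LOGIN_FAIL user=miadhu
2006-09-08 21:14:09 203.0.113.7 LOGIN_FAIL user=editor
2006-09-08 21:14:13 203.0.113.7 LOGIN_OK user=miadhu
2006-09-08 21:30:40 198.51.100.9 LOGIN_FAIL user=editor
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) "
                     r"(?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+)$")

def find_guessing_sources(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Map IP -> (failures inside `window`, whether a login later succeeded)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated log lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        (failures if m["event"] == "LOGIN_FAIL" else successes)[m["ip"]].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= max_failures:
                # A success after the burst suggests one of the guesses landed.
                landed = any(s > times[j] for s in successes.get(ip, []))
                flagged[ip] = (j - i + 1, landed)
                break
    return flagged

def password_is_acceptable(username, password, min_length=10):
    """Reject the weakness exploited here: a password equal to, or containing,
    the account name, plus a minimum length."""
    if len(password) < min_length:
        return False
    return username.lower() not in password.lower()
```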

Dhiraagu MMS: kung fu-ed!

Monday, May 22. 2006
Ah. Data backup disks are always nice - especially those with older snaps of work. You find things that you've totally forgotten about. Perhaps it is a photo, a document or maybe that song you used to play all the freaking time. As for me, I just stumbled across a hasty log and an interesting screenshot I had taken around mid 2005.

There is a litter of articles dedicated to Dhiraagu on my blog - there is one about their E-Bill system, another on the WWW proxy server and yet another on their WebSMS service. However, the Dhiraagu MMS service, which I recall as being officially launched in July 05, is something I haven't posted about. But now that I chanced upon this "ancient" screenshot and given that Dhiraagu has revamped their MMS website, I thought I'd share...

The screenshot shows the Dhiraagu MMS internet portal that is intended to be used to retrieve received MMS and to acquire MMS content for the phone. The shot shows an SQL injection probe on their website, and the system's response lists the database tables - a couple with interesting names. I leave to your imagination what they contain, for I don't remember pursuing the matter any further :-P Note that Dhiraagu seems to have re-programmed their MMS service sometime late last year and I have no idea whether the lapses that gave rise to this exploit still exist on the new website.

Dhiraagu MMS exploited?
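The class of flaw in that screenshot, as an added example that is not part of the original post or of Dhiraagu's code: the first lookup concatenates the user-supplied value into SQL, the second binds it as a parameter, and the third also validates the input before it reaches the database. The schema, table name and sample rows are constructed.

```python
import sqlite3

def make_db():
    """Constructed stand-in for an MMS content store (not Dhiraagu's schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE mms_content (id INTEGER, owner TEXT, title TEXT)")
    con.executemany("INSERT INTO mms_content VALUES (?, ?, ?)", [
        (1, "7770001", "holiday.jpg"),
        (2, "7770002", "ringtone.mid"),
        (3, "7770003", "private.jpg"),
    ])
    return con

def titles_vulnerable(con, owner):
    """Builds the query by string concatenation, so quote characters in
    `owner` become part of the SQL grammar instead of part of the value."""
    sql = "SELECT title FROM mms_content WHERE owner = '" + owner + "'"
    return [row[0] for row in con.execute(sql)]

def titles_parameterized(con, owner):
    """Binds `owner` as a parameter: the driver passes it as data, so a quote
    inside it can only ever match a literal quote stored in the column."""
    return [row[0] for row in con.execute(
        "SELECT title FROM mms_content WHERE owner = ?", (owner,))]

def titles_validated(con, owner):
    """Defence in depth: reject anything that is not a plausible phone number
    before it reaches the database at all."""
    if not owner.isdigit() or not 7 <= len(owner) <= 15:
        raise ValueError("owner must be a phone number")
    return titles_parameterized(con, owner)
```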

Dhiraagu E-Bill flaw!

Friday, December 9. 2005
I came back from shopping this evening to find that my brother had messaged me on MSN Messenger saying he wanted to talk to me about something quite urgently. I called him up only to find him answering on the first ring and then unloading a megaton worth of speech in under a minute. He sounded excited and mostly illegible so I took my time digesting what he was saying. Basically what he said was that he had been checking the monthly call details of our home line when he got curious and took a look at the Dhiraagu E-Bill system to see what goes on under the skin. What he found was more than intriguing and he wanted me to investigate it further. (My brother has a bit of what he found out on his blog.) Now, here's my take on it.

Overview
The flaw Jaheen stumbled across lies in the online phone records viewing facility called E-Bill provided by Dhiraagu. Specifically, the flaw exists in the bill downloading section of this online application that allows registered users to download the call records for their line. The lapse in appropriate security measures, and the complete trust placed in the data provided by the user, lets a (malicious?) user view the call details for ANY account number of a Dhiraagu customer.

Walk-through
First, I should note that in order to reach and exercise the flaw, you need to be a registered user of the E-Bill facility. You need to log in and have a valid session underway to access the required bill downloading facility.

That said, viewing the bill of a specific user is not that trivial a task either. The account number of the desired customer needs to be provided to the system instead of merely providing the customer's telephone number. The account number is printed on the monthly bills that Dhiraagu sends out, in the format XX/XXXXXX/XXXX, where the Xs represent digits. Individual user targeting is thus limited greatly, but this is not to say that the consequences of this bug are insignificant. It is always possible to mess around and generate a combination of digits which will quite likely correspond with a valid account number of some random customer. A very possible scenario could be an attacker generating all the combinations of the numbers and asking for the bills for each of these generated account numbers!

I duplicated the execution of the flaw using the same "tools" my brother used; i.e. the Live HTTP Headers extension for Mozilla Firefox. This extension is quite handy for these sorts of uses and misc. other debugging purposes.

Forging ahead, first up the E-Bill interface is accessed and the login process completed. This gives a cheesy interface that looks like this.


The bills download feature is accessed by clicking on the "Download bills" link from the left menu. The page that comes up next differs depending on the E-Bill account type and the number of telephone numbers combined into the E-Bill account that was logged in with. Skipping ahead, the E-Bill system throws up a page that looks like this:


Now this is where the magic begins. Enter the time duration for which the call records are desired. Then select the appropriate links to get to a download page where you are asked to click a button to start the downloading. The Live HTTP Headers (LHH) extension comes into play at this point. LHH is set to capture the traffic. Then the download button is clicked and soon enough Firefox happily displays the download save dialog for the file being received. The file is saved, but there is nothing abnormal till this point still.

Now to execute the amazing rabbit-out-of-hat magic of the E-Bill system, a bit of sleight-of-hand is added to the process. The button click in the above mentioned download process creates an HTTP POST request which shows up among the last on the status window of LHH. This request is selected and the "Replay" button clicked to replay the download process with a few changes for the final effect.


As shown above, the highlighted "account=xxxxxxxxx" bit tells the E-Bill system which account number to generate the call records for! This is where our opportunity comes. This number is then changed to a known account number or any random number and the HTTP "replay" continues as normal. As soon as the modified request is replayed, the E-Bill system again spits out a call records file for download. The difference this time? It is no longer the call records for the logged in account but for the account number furnished in the modified replay.


Conclusion
Simply by manipulating a single 12-digit number that the E-Bill system trusts the user's browser with, we can extract the phone records of ANY Dhiraagu customer. This is a serious flaw and the resulting breach of privacy is a major concern for customers who no doubt would want their phone usage records to be kept safe and confidential.
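What the server side should have done with that "account=" field, as an added example that is not Dhiraagu's code: the first handler reproduces the trusting behaviour described in the walk-through, the second validates the field and then decides ownership from the logged-in session, refusing and logging anything else. The record store, session shape and account numbers are constructed.

```python
import re
from dataclasses import dataclass

# The POST field carries the 12 account digits (XX/XXXXXX/XXXX without slashes).
ACCOUNT_RE = re.compile(r"\d{12}")

@dataclass(frozen=True)
class Session:
    user: str
    accounts: frozenset  # account numbers this E-Bill login legitimately covers

# Constructed call-record store, account number -> rows (not real Dhiraagu data).
RECORDS = {
    "010000010001": ["2005-11-01 10:02 -> 3320000 00:01:12"],
    "010000020002": ["2005-11-03 18:40 -> 7770000 00:04:05"],
}

AUDIT = []  # (user, account) for every refused request, for later detection

def download_bill_trusting(form):
    """The behaviour the walk-through describes: whatever account number the
    browser sends back is the account whose records are returned."""
    return 200, RECORDS.get(form.get("account", ""), [])

def download_bill(session, form):
    """Hardened handler: validate the field, then decide ownership from the
    server-side session rather than from anything the client sent."""
    account = form.get("account", "")
    if not ACCOUNT_RE.fullmatch(account):
        return 400, []  # malformed: reject before touching the record store
    if account not in session.accounts:
        # A valid login asking for someone else's bill is worth recording.
        AUDIT.append((session.user, account))
        return 403, []
    return 200, RECORDS.get(account, [])
```

The status codes mirror what a web handler would send back: 400 for a malformed field, 403 for an account the session does not own.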

I, Dhiraagu proxy server

Wednesday, November 9. 2005
Now I know quite a few people would wet themselves on hearing of the dirty things one can do to Dhiraagu. I also know quite a few people would risk actually trying what I am about to narrate, so here I begin with a disclaimer.

-----
Disclaimer: The information presented in this article is mostly for entertainment purposes and whatever educational value it may possess must be the result of some exotic butterfly flapping its wings under the canopy of the Amazon. At no time do I recommend you or any circus animals attempting these and consequently, I take no responsibility for your actions.
-----

If you are a dialup user on Dhiraagu Dhivehinet then every time you dial-in you get an IP address assigned automatically. An IP address is sort of a unique identifier for your computer on the internet. I was setting up an internet dialup connection to Dhiraagu on a friend's computer a few years ago when I wondered what would happen if I were to specify my own IP address in the settings rather than let Dhiraagu automatically assign me. If things were set correctly at Dhiraagu, what I was about to do should not be possible. However, I decided to try it out anyway, hoping that they might have mucked it up.

I decided I would attempt using the IP for the Dhiraagu proxy server, i.e. assign myself the same identity as the web proxy operated by Dhiraagu. As you might already know, all WWW traffic flows through a proxy server if you are a Dhivehinet customer, therefore the proxy server knows what you browse, when you browse and can totally keep tabs on you. Similarly, by assuming its identity I should be able to see what the real proxy sees. I should be able to grant myself the same power! Sure enough, as soon as I dialed in with the forced IP, the connection status icon at the bottom of the screen lit up. The received packet count in the connection status window kept on increasing endlessly. I was getting bombarded by the web traffic coming into the proxy! I had successfully assumed its identity. I then disconnected and I sat there with a wicked smile painted on my face, imagining the possibilities this opened up.

A few minutes later, my fingers were flying over the keyboard furiously as I wrote a quick 'n dirty proxy server program. Its purpose was to act as a proxy, logging all the data it receives. I could have done a kazillion fun things to add to that but I resisted the temptation. An hour or so later, I had the proxy program working as I wanted and so went back to dialing in. As soon as my connection got established, the program started displaying the various requests coming in from users on the Dhiraagu network. Less than a minute into the dialup and my program crashed due to overflow. There was too much data! I reprogrammed bits to fix the issue and went back on, logging data for about 5 minutes before disconnecting.

I opened up the log file created by my program and analyzed the various connection attempts. By the end of going over the log, I had another reason to be quite amused. The log indicated that about 75% of all requests I had intercepted were for pornographic websites. This was proof that many of the Maldivian internet users used the internet for porn!!

Anyway, this "flaw" gives rise to a whole set of opportunities. I could impersonate any server on Dhiraagu. I could become one of their FTP servers and start logging username/passwords. I could become one of the web servers and start serving rogue web pages. I could become the email server and log username/password as people attempt to check mail. The possibilities were almost endless...

I have mailed Dhiraagu several times over the years regarding this issue but never received a reply. Sadly, this was still working about 6 months ago according to a friend who tried it. However, it may have been fixed in the recent endeavor by Dhiraagu to improve the security in their networks.


UPDATE (11-09-2005):
I just received a log from "Fatty" of Digital Squid that re-confirms what I revealed in the article. Thanks Fatty!

Below is a screenshot of the captured traffic in Ethereal where I have placed a "http" filter to list only the web traffic. On the right side, it shows the various websites people are browsing and on the left of that is the associated IP address requesting that particular page. It is interesting to note that 53 percent of the requests are for porn :-)

For the technical lot who are keen to see the actual Ethereal capture, HERE is the log that Fatty provided me with.


Captured data on Ethereal when posing as Dhiraagu proxy