The TM+MM

Before starting the article itself, I think I should warn that the information contained here is purely for informational purposes, and that whatever any user does beyond this is their own responsibility, not mine. With that clarified, here is the article:
The TM+MM is the new type of phone booth that Siemens is manufacturing for Telefónica, with more functionality than the “traditional” booths: internet access through ADSL, sending short messages to mobile phones, and the possibility of taking digital photos. Since I believe we’re not the type of people who are satisfied just knowing what something is made for, we’ll proceed to do some tests with the booths that are already in service in Zaragoza (I don’t know whether they exist in other places too).
The TM+MM
First, I’ll give a physical description of what has been installed so far (always in closed and well-guarded premises).
The front of the booth has been replaced with a wider one that contains the following:
- An 11-inch Samsung backlit color TFT screen, 800x600 resolution
- A slightly inclined alphabetic keyboard with 50 steel QWERTY-style keys
- A trackball with two buttons, although the secondary button has been deactivated
- Speakers
- A webcam
- A conventional numeric keypad
- A box under the booth with the ADSL router and its power supply. It is expected that in the future this box will be housed in the booth’s roof
And moving on to the computer hardware inside, we find:
- An industrial SBC (single-board computer)
- A Pentium processor at 166 MHz
- Two USB ports (one of them occupied by the webcam)
- Two serial ports (one of them communicates with the voice system controller board)
- An ethernet card
- 128 megabytes of RAM
- 10 gigabyte hard drive
- The board that controls the booth’s voice system, which is the usual board
Connection Diagram
Regarding software:
- A RedHat Linux distribution, probably 7.2
- Kernel 2.4.18
- FVWM with alogin (automatically logs a user into X at startup)
- XFree86 4.2.0
- An Escape-based browser that allows web browsing, sending email, and sending short messages to mobile phones. Apart from that, it records (supposedly for statistical purposes) everything the user does (visited URLs, clicked banners…)
Navigation System
- Blackdown’s JDK1.1.8
- Videoconferencing system based on GnomeMeeting
- Application to control communication between boards
- An automatic software update system that connects over HTTPS to a server to download the packages to be updated
- An SSH server, OpenSSH version 3.1p1
- Squid 2.4
Regarding the security of the booth, so far we haven’t achieved anything. Only port 22 (the patched SSH server) and port 80 (supposedly the update port) are open to the outside; the rest of the ports are closed. You can only exit the main application by opening the booth door or with the Telefónica technician card (both impossible for us; I take the opportunity to remind you that all booths of this type are in closed and guarded premises). LILO runs under chroot and prevents booting into single-user mode or entering any type of command. What we haven’t tried yet is exploiting some browser bug; the browser doesn’t allow downloading files or Flash animations. We also don’t know whether we could do something with some kind of Java browser (Java it does interpret).
The booth’s technical manual says:
To avoid external hacker-type attacks, the Kernel packet filtering functionality is used, which rejects fragmented packets.
We don’t really know what the hell that refers to, but oh well 😈
If you scan it with Nessus, it finds two critical vulnerabilities in the SSH server, but neither works with its corresponding exploit. Even so, these are the two critical vulnerabilities it reports:
The host is running a version of OpenSSH earlier than 3.2.1
There’s a buffer overflow in this daemon if AFS is enabled on your system, or if the KerberosTgtPassing or AFSTokenPassing options are enabled. Depending on the scenario, the vulnerability can be avoided by enabling UsePrivilegeSeparation.
Versions earlier than 2.9.9 are vulnerable to a remote root exploit. Versions earlier than 3.2.1 are vulnerable to a local root exploit.
Solution: Update the OpenSSH version
- Risk: High
- CVE: CAN-2002-0575
- BID: 4560
- Nessus ID: 10954
The host is running a version of OpenSSH earlier than 3.4
There’s a flaw in this version that can be exploited remotely to give the attacker a shell on the host.
Solution: Update OpenSSH to version 3.4
- Risk: High
- CVE: CAN-2002-0639, CAN-2002-0640
- BID: 5093
- Nessus ID: 11031
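Both findings above are pure version checks: Nessus reads the SSH banner and compares the OpenSSH version against the release that fixed each advisory (3.2.1 and 3.4). As an added example, not code from the article or from Nessus, the script below performs the same triage over a constructed inventory of banners, using only the two thresholds and CVE identifiers quoted above. Hostnames and banners are made up for the example.

```python
import re

# Advisory thresholds taken from the two Nessus findings quoted above:
# OpenSSH below 3.2.1 (CAN-2002-0575) and below 3.4 (CAN-2002-0639/0640).
ADVISORIES = [
    ("CAN-2002-0575", (3, 2, 1), "AFS/Kerberos token-passing overflow; fixed in 3.2.1"),
    ("CAN-2002-0639/CAN-2002-0640", (3, 4, 0), "remote shell flaw; fixed in 3.4"),
]

# Matches banners such as "SSH-1.99-OpenSSH_3.1p1"; the "pN" suffix marks
# the portable release and does not affect the upstream version comparison.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?P<portable>p\d+)?"
)


def parse_openssh_banner(banner):
    """Return (version_tuple, portable_suffix), or None if not an OpenSSH banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    parts = [int(x) for x in m.group("ver").split(".")]
    while len(parts) < 3:          # normalise "3.4" to (3, 4, 0)
        parts.append(0)
    return tuple(parts[:3]), m.group("portable") or ""


def outstanding_advisories(banner):
    """List the advisory IDs whose fixed release the banner's version predates."""
    parsed = parse_openssh_banner(banner)
    if parsed is None:             # not OpenSSH: these advisories do not apply
        return []
    version, _ = parsed
    return [cve for cve, fixed, _ in ADVISORIES if version < fixed]


def audit(hosts):
    """hosts: dict host -> banner. Returns dict host -> outstanding advisory IDs."""
    return {host: outstanding_advisories(b) for host, b in hosts.items()}


# Constructed sample inventory (hostnames and banners are made up for this example).
SAMPLE_HOSTS = {
    "booth-01.example": "SSH-1.99-OpenSSH_3.1p1",   # same version as the booth
    "booth-02.example": "SSH-2.0-OpenSSH_3.2.3p1",
    "booth-03.example": "SSH-2.0-OpenSSH_3.4p1",
    "router.example": "SSH-1.5-Cisco-1.25",        # not OpenSSH, skipped
}

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_HOSTS).items():
        status = ", ".join(findings) if findings else "not flagged by the listed advisories"
        print(f"{host}: {status}")
```

The caveat is the one the article itself stumbles on: the booth's sshd is described as patched, and a distribution that backports a fix without bumping the version string will still be flagged by a banner comparison like this one. Treat the output as a triage list to confirm against package metadata or the vendor's changelog, not as proof that a host is exploitable.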
I think it’s worth clarifying that control of voice calls is still handled by the booth in hardware, which only communicates with the computer to relay user messages, so I don’t think it would be possible to make free phone calls even if someone took control of the booth, although I think it would be possible to send SMS and browse the internet for free.
IPs of some of the booths:
- 80.37.142.174
Interesting URLs: