Deep Packet Inspection (DPI) systems are software and hardware systems that classify passing Internet traffic by data type (web page, document, audio, video), protocol (HTTP, BitTorrent, VoIP/SIP) and specific application (Skype, WhatsApp), often with additional functionality. DPI systems are common and used worldwide by wired and wireless access providers.
Mobile operators use deep traffic analysis systems primarily to prioritize different content on the Internet (QoS), so that one can download a large file and watch a video on YouTube simultaneously, and so that one cellular user who actively uses the Internet does not cause problems for other users. Operators have been using DPI since about the early 2000s, with the advent of UMTS (3G), to share a wireless channel of limited bandwidth more or less fairly.
Mobile operators use other DPI features as well, such as TCP and HTTP traffic acceleration (TCP PEP, Performance-Enhancing Proxy) to speed up the Internet on mobile networks, and identification of users to websites. If you try to enter the operator's personal account from your phone, on many operators it opens immediately, without any need to enter a login and password. Or, as could still be encountered five years ago, simply visiting a suspicious website or tapping an ad banner in an Android game turned into an automatic subscription to a paid service, which you found out about from a text message.
How it works
The traffic deep analysis system is configured to add HTTP service headers when making an HTTP request to sites (hosts) from the list defined by the operator. The headers may contain the subscriber’s internal IP address, phone number (MSISDN), IMEI and IMSI identifiers, the identifier of the base station (tower) to which the subscriber is connected (ECI/TAC).
We will need to install a simple HTTP server on a server on the Internet that will receive the request, display it on the screen, and send an HTTP response. Something like this:
Send an HTTP request using a Megafon SIM card:
The server received:
Nothing unusual. Let’s change the Host header to some internal domain of the operator, for example, to the main megafon.ru site:
On the server:
The server received not only HTTP headers sent by curl, but also additional X-Real-IP and X-NOKIA-MSISDN headers containing internal IP address (behind Carrier-grade NAT) and phone number!
Why did it happen this way? Apparently, when compiling the list they forgot to bind the specific domains to specific IP addresses or ranges, and the check for whether a site from the list is being opened is performed only by comparing the HTTP Host header.
Often, access to internal sites is not charged by operators, allowing you to get free internet by simply substituting the Host header of an HTTP request.
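As an added example (not the article's own code), here is the Host-only matching the article describes beside the corrected check an operator would need, which also binds each service host to the IP ranges that actually serve it; the host names come from the article, while the IP ranges are made-up placeholders.

```python
# Added example (not from the article): the weak DPI rule the article describes
# (decide by the Host header alone) beside a corrected rule that also binds each
# service host to the IP ranges that really serve it. The host names come from
# the article; the IP ranges are constructed placeholders, not operator addresses.
import ipaddress

# Operator-side rule table: service host -> networks that actually host it.
SERVICE_HOSTS = {
    "megafon.ru": ["198.51.100.0/24"],
    "balance.beeline.ru": ["203.0.113.0/25"],
}

def normalize_host(host: str) -> str:
    """Lower-case the Host value and strip an optional :port and trailing dot."""
    return host.split(":", 1)[0].strip().lower().rstrip(".")

def host_only_match(host: str, dst_ip: str) -> bool:
    """Weak rule: the destination IP is never consulted, so a request to any
    server with a forged Host header qualifies for header injection."""
    return normalize_host(host) in SERVICE_HOSTS

def host_and_ip_match(host: str, dst_ip: str) -> bool:
    """Corrected rule: the Host must be a known service host AND the TCP
    destination must lie in a range that actually serves that host."""
    key = normalize_host(host)
    if key not in SERVICE_HOSTS:
        return False
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(net) for net in SERVICE_HOSTS[key])

def classify(host: str, dst_ip: str):
    """Return (weak_decision, corrected_decision) for one request."""
    return host_only_match(host, dst_ip), host_and_ip_match(host, dst_ip)

if __name__ == "__main__":
    # Genuine request to the operator's site: both rules inject.
    print(classify("megafon.ru", "198.51.100.7"))   # (True, True)
    # Forged Host sent to an unrelated server: only the weak rule injects.
    print(classify("megafon.ru", "192.0.2.44"))     # (True, False)
    # Unknown host: neither rule injects.
    print(classify("example.org", "198.51.100.7"))  # (False, False)
```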
Megafon has many internal hosts for which DPI adds different headers:
* welcome.megafonnw.ru adds the X-Megafon-IMSI header with the SIM card identifier (IMSI)
* wap.megafon.ru adds X-Megafon-IMEISV with the phone identifier (IMEI)
* id.megafon.ru discloses the identifiers of the cells (towers) the phone is currently connected to in the X-Megafon-TAC and X-Megafon-ECI headers
* region-specific sites (e.g. szfwp.megafon.ru) add the X-3GPP-USER-LOCATION-INFO header
Service headers are also added for zg.megafon.ru, m.megafon.ru and igapi.megafon.ru.
Tele2 had special hosts for which the X-MSISDN and X-FORWARDED-FOR service headers were added to requests:
* login.tele2.ru
* market.tele2.ru
* oplata.tele2.ru
* play.tele2.ru
* wap.tele2.ru
* block.tele2.ru
The X-MSISDN header contained the phone number of the Tele2 client. The X-FORWARDED-FOR header contained the client’s internal IP address.
Tele2 uses Ericsson’s DPI. It was reconfigured in early December, and the problem has been fixed.
Beeline's DPI adds X-Nokia-msisdn and IMEI service headers to HTTP requests sent to any IP address that carry a Host: balance.beeline.ru header.
Hosts beeline.ru, www.beeline.ru, spb.beeline.ru are not processed by DPI, connections to them are allowed based on IP address, not Host header.
MTS's DPI adds service headers for the following hosts:
* 111.mts.ru: X-MSISDN-1hIjUVLgCcdQ: 79110981234, SGSN-MCC-MNC: 25001
* books.mts.ru: X-MSISDN: 79110981234
* pda.mts.ru: X-AQIC5wM2LY4SfcyEwLC5hS0e02r4: 79110981234, SGSN-MCC-MNC: 25001, X-SGSN-IP: 126.96.36.199
* h2o.mts.ru, interceptor.mts.ru, internet.mts.ru: X-MSISDN-B0kOoE2clldi: 79110981234
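To check on the receiving side which of these headers an operator injects, here is an added example (not from the article) that parses a raw request as the test server receives it and flags the header names listed above, plus any X- header whose value has the shape of a phone number, IMSI or IMEI, which catches the random-suffixed MTS names; the value patterns and the sample request are constructed.

```python
# Added example (not the article's own code): scan a raw HTTP request as the
# test server receives it and report headers carrying subscriber identifiers
# injected by an operator's DPI. Header names are those the article lists;
# the value patterns and the sample request are constructed here.
import re

KNOWN_INJECTED = {  # header name (lower-case) -> what it discloses
    "x-real-ip": "internal IP", "x-forwarded-for": "internal IP",
    "x-nokia-msisdn": "MSISDN", "x-msisdn": "MSISDN",
    "x-megafon-imsi": "IMSI", "x-megafon-imeisv": "IMEISV",
    "x-megafon-tac": "cell TAC", "x-megafon-eci": "cell ECI",
    "x-3gpp-user-location-info": "location", "sgsn-mcc-mnc": "MCC/MNC",
    "x-sgsn-ip": "SGSN IP",
}
# MTS uses random-suffixed names (X-MSISDN-1hIjUVLgCcdQ), so also judge X- headers by value shape.
VALUE_PATTERNS = [
    (re.compile(r"^\+?7\d{10}$"), "MSISDN-like value"),  # Russian E.164 number
    (re.compile(r"^\d{15,16}$"), "IMSI/IMEI-like value"),
]

def parse_request(raw: bytes):
    """Split an HTTP/1.x request head into (request_line, {name_lower: value})."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def find_leaks(raw: bytes):
    """Return [(header_name, reason)] for every header that exposes subscriber data."""
    _, headers = parse_request(raw)
    leaks = []
    for name, value in headers.items():
        if name in KNOWN_INJECTED:
            leaks.append((name, KNOWN_INJECTED[name]))
        elif name.startswith("x-"):
            for pattern, reason in VALUE_PATTERNS:
                if pattern.match(value):
                    leaks.append((name, reason))
                    break
    return leaks

# Constructed sample of what the test server in the article might have received.
SAMPLE = (b"GET / HTTP/1.1\r\nHost: megafon.ru\r\nUser-Agent: curl/7.50.1\r\n"
          b"X-Real-IP: 10.200.3.17\r\nX-NOKIA-MSISDN: 79110981234\r\n"
          b"X-MSISDN-1hIjUVLgCcdQ: 79110981234\r\nX-Megafon-IMSI: 250027001234567\r\n\r\n")
print(find_leaks(SAMPLE))
```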
Packet processing features
The Tele2 proxy adds the following headers to an HTTP/1.0 user request if they are missing:
And it adds the following header to the server response if the request was made over HTTP/1.1:
The response is re-encoded with chunked transfer encoding on the proxy side.
The proxy buffers or drops some requests until it receives a valid response, and can split large packets into several smaller ones. A response to a GET request reaches the client only after the server starts sending the response body. The response will not reach the client if the server has sent only the headers, without a body. This behaviour does not apply to POST requests.
If the client sends both HTTP GET request headers and data in the same packet, they will be split into two packets by the proxy:
This feature does not apply to POST requests.
Tele2's DPI most likely does not store connection state (it is stateless) and tries to find an HTTP request in every new TCP segment the client sends. Moreover, the request does not have to start at the first byte of the segment; it may be preceded by line breaks. For example, the following request is valid from the DPI's perspective:
This feature could be exploited via a browser, until Tele2 reconfigured its DPI and limited the service hosts to IP address ranges. It was possible to craft a POST request of multipart/form-data type (a file upload) whose body contained a new HTTP request header, which the DPI took as a new request within a Keep-Alive session and added the service headers to, and to send it from a browser.
The remote server received the user's number. Apparently, this is a serious flaw in Ericsson's software, and it is not specific to Tele2.
Beeline's DPI analyzes the headers, stores the state of the HTTP stream and slows down or limits data transfer if an atypical HTTP exchange is started, for example, if the client starts sending large data streams in the body of a GET request (after the double CRLF, \r\n\r\n, as if it were a POST request), or if the server sends more data than specified in the Content-Length header. A response to the HTTP request is required, otherwise the DPI will not allow the connection.
With MTS, sending large amounts of data in headers does not work (apparently the header length and its value are checked).
For MTS, to make the tracking of new HTTP requests within a keep-alive session stop working, the HTTP response headers and the HTTP response body must be sent from the server in separate packets, without Content-Length and with Content-Type: application/octet-stream: all headers are sent in the first TCP packet, including the final \r\n\r\n, while the second and subsequent packets contain the data itself.
Internet Blocking Bypass
With a negative balance, or with a connected Internet option that blocks access once the included traffic package is exhausted, operators redirect all HTTP requests to their own stub pages, located, as a rule, on subdomains of the operator's main domain. MTS, Beeline and Megafon check whether access to a site is permitted by comparing the HTTP Host header; no IP address check is performed. The same was true of Tele2 before its DPI reconfiguration.
HTTP requests to any IP address on port 80 with a Host header pointing to a service domain do not consume traffic from the package and work even with a negative balance. It was found empirically that sending a POST request with a large Content-Length value, and including Content-Length in the server response, is enough to establish two-way communication and bypass the blocking:
After that, arbitrary (non-HTTP) data can be transferred both ways.
I made a patch (https://my.mixtape.moe/bpnaya.patch) to the ShadowSocks 2.5.6 proxy server that adds these HTTP headers when the connection is established:
1. Apply the patch and compile.
2. Create the /etc/shadowsocks.conf file on the server (see below).
3. Start ss-server on the server: ss-server -c /etc/shadowsocks.conf
4. Run ss-local on a device with a 3G/LTE connection: ss-local -s SERVERIP -p 80 -l 1081 -m table -k verysecretpassword -H DOMAIN, where DOMAIN is:
   * unblock.mts.ru or bonus.mts.ru for MTS
   * corp.megafon.ru for Megafon
   * balance.beeline.ru for Beeline
5. Configure your browser and other programs to use the SOCKS5 proxy 127.0.0.1:1081, or use ss-redir via iptables.
In early December 2016, I tried to contact the technical support of all four operators to report the problem. I wasn't too keen to disclose the details of the free internet for free, so I expected a reward for the reported vulnerability. To keep things fair, and to confirm that I wasn't some simpleton asking for money, I also found web vulnerabilities unrelated to DPI: for Beeline, gaining access to my personal account from an attacker's site without entering my username and password; for MTS, disclosing my phone number, balance and tariff from an attacker's site.
MTS and Beeline refused to work with an anonymous reporter, so exactly one year ago, on December 29, 2016, a face-to-face meeting was organized with security representatives of MTS and Beeline, where they were given all the details of the web vulnerabilities. It was proposed to sign a contract for searching for vulnerabilities in DPI if they were satisfied.
During 2017, I repeatedly contacted MTS and Beeline to clarify how things were progressing with closing web vulnerabilities, but received no response. I wrote from different email addresses to rule out technical problems with email delivery, as well as private messages on Twitter.
Beeline "shut down" the vulnerability only at the end of October, and only so far that it could no longer be exploited via a web browser; any program installed on the phone can still access the personal account, find out the phone number, change the tariff and connect options.
MTS still hasn’t closed the vulnerability. Any website can find out your phone number.
Megafon responded to the first two messages, but there was no further response from them.
The only ones who pleased me were Tele2's representatives. They responded quickly and clearly, and offered a cash reward.
Any program that has access to the Internet on your phone with a MegaFon SIM can find out your location with the accuracy of the base station, phone number, IMEI and IMSI identifiers. With an MTS SIM, it can get your phone number, IMEI and IMSI identifiers, while Beeline will only allow you to reveal your phone number.
An attacker’s website containing a specially crafted request will reveal your phone number to MTS.
Also, don’t forget about vulnerabilities of the mobile operators’ web-services that are not related to DPI: with Beeline any program can get access to your personal account, find out your phone number, balance, tariff, connected options and can manage them from there, and with MTS – get your phone number and balance.
DPI can be dangerous. Operators are reluctant to contact and fix vulnerabilities. If you use MTS, Beeline or Megafon, write complaints, nag them.
Explore and experiment!
Go to loudnigra.xyz from your MTS mobile and wait for a call!
PS: Free Internet and all these headers still work on Ukrainian Kyivstar, Serbian Telenor and Latvian Tele2.
Author: Sergey Nabatov
Source: https://habrahabr.ru/post/345852/