SirGod Posted January 4, 2017 (edited)

The UPC Connect Box router, at least mine, is a Compal CH7465LG, software version CH7465LG-NCIP-4.50.18.20-NOSH. I started doing some tests on it and it turns out that SEARCH-LAB has already done a very detailed security analysis, covering both the software components (network, software, web) and the hardware, on the Compal CH7465LG-LC Modem/Router, CH7465LG-NCIP-4.50.18.13-NOSH.

A short description can be found here, but you would miss all the fun and the details: https://www.exploit-db.com/exploits/40159/

The full report, in PDF format, is here: http://www.search-lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdf

If I haven't convinced you yet, this is what the table of contents looks like:

1 Executive Summary
2 Introduction
  2.1 Foreword
  2.2 Scope
  2.3 Document overview
  2.4 Version history
3 Test Environment
  3.1 Samples and other deliveries
    3.1.1 Unique identification and version numbers
    3.1.2 Design
    3.1.3 Components
    3.1.4 Interfaces
  3.2 Documentation and other information
    3.2.1 Generic and chipset-specific information
    3.2.2 ToE-specific information
  3.3 Tools and testing equipment
    3.3.1 Hardware tools
    3.3.2 Software tools
4 Security Evaluation
  4.1 External interfaces
    4.1.1 Front panel buttons and LEDs
    4.1.2 RF cable interface with DOCSIS
    4.1.3 Telephone connectors
    4.1.4 Ethernet interfaces
  4.2 Internal interfaces
    4.2.1 Flash interfaces
    4.2.2 EEPROM interface
    4.2.3 Local memory interface
    4.2.4 PCIe
    4.2.5 UART of the Wi-Fi SoC (J15)
    4.2.6 UART of the Main SoC (J23)
  4.3 System software
    4.3.1 Flash contents of the main SoC
    4.3.2 Shells of Main SoC
    4.3.3 Shell of Wi-Fi SoC
    4.3.4 Shell access in Main SoC
  4.4 Security of the network interfaces
    4.4.1 Service discovery
    4.4.2 Web Server
    4.4.3 Web GUI
    4.4.4 UPnP
    4.4.5 SNMP
    4.4.6 RPC
    4.4.7 Wi-Free
  4.5 Security of the sensitive assets
    4.5.1 Web interface credentials
    4.5.2 Wi-Fi credentials
    4.5.3 WPS
    4.5.4 Security of the backup/restore functionality
    4.5.5 DOCSIS credentials
5 Conformance to Requirements
  5.1 Security checklist
6 Evaluation Results
  6.1 Findings and recommendations
    6.1.1 Serial interface was open on the Main SoC
    6.1.2 Serial interface was open on the Wi-Fi SoC
    6.1.3 Bootloader menu was accessible on the Main SoC UART
    6.1.4 Bootloader menu was accessible on the Wi-Fi SoC UART
    6.1.5 cbnlogin could cause arbitrary code execution
    6.1.6 Unnecessary services were running on the Main SoC
    6.1.7 Buffer overflow in the Web server HTTP version field
    6.1.8 HTTPS support was disabled on the Web server
    6.1.9 Hard-coded private key was used for HTTPS
    6.1.10 Hard-coded private key could be downloaded from the Web interface without authentication
    6.1.11 HTTPS certificate could be used to impersonate any web site
    6.1.12 Sensitive information disclosure
    6.1.13 Unauthenticated remote DoS against the device
    6.1.14 Super and CSR users could not be disabled
    6.1.15 Attacker could change first installation flag
    6.1.16 Password brute-force protection was not active
    6.1.17 Password brute-force protection could be bypassed
    6.1.18 The user of the modem might steal or replace the DOCSIS credentials
    6.1.19 Unauthenticated remote command injection in ping command
    6.1.20 Authenticated remote command injection in tracert command
    6.1.21 Unauthenticated remote command injection in stop diagnostic command
    6.1.22 Remote DoS with stop diagnostic command
    6.1.23 Buffer overflow in stop diagnostic command
    6.1.24 Authenticated remote command injection with e-mail sending function
    6.1.25 Session management was insufficient
    6.1.26 CSRF protection could be bypassed
    6.1.27 Unauthenticated DoS against Wi-Fi setting modification
    6.1.28 Unauthenticated DoS against the Wi-Fi functionality
    6.1.29 Unauthenticated changes in WPS settings
    6.1.30 Unauthenticated local command injection with RPC on Main SoC
    6.1.31 Unauthenticated local command injection with RPC on Wi-Fi SoC
    6.1.32 Buffer overflow in the Wi-Fi SoC RPC implementation
    6.1.33 Hard-coded keys were used to encrypt the backup file
    6.1.34 UPC Wi-Free network interface was accessible on the Wi-Fi SoC
    6.1.35 Backup/restore interface allowed remote reconfiguration without authentication
  6.2 Risk Analysis
7 References
Appendix A Certificate used for HTTPS
Appendix B Private key used for HTTPS
Appendix C Serial console on J15
Appendix D Interactive shell on J15
Appendix E Serial console on J23
Appendix F Interactive boot shell on J23

Edited January 4, 2017 by SirGod
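Several of the findings listed above (6.1.19, 6.1.20, 6.1.21, 6.1.24, 6.1.30, 6.1.31) are command injections in diagnostic handlers that hand a user-controlled value to a shell. The following is an added illustration of that vulnerability class in C, not code from the SEARCH-LAB report or from the CH7465LG firmware: an unsafe handler that splices the target into a shell command string, next to a hardened version that allow-lists the target and executes `ping` through an argv with no shell in between. The function names, the `ping -c 3` invocation and the `/bin/ping` path are assumptions made for the example.

```c
/* Added example of the command-injection pattern behind the "remote command
 * injection in ping command" class of finding. Hypothetical code; not taken
 * from the CH7465LG firmware or the SEARCH-LAB report. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* UNSAFE: builds the exact string a handler would pass to system().
 * A target such as "8.8.8.8; cat /etc/passwd" makes the shell run a second
 * command with the web server's privileges (root on many CPE devices).
 * Returns a pointer to a static buffer so the result is easy to inspect. */
const char *build_ping_command_unsafe(const char *target)
{
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "ping -c 3 %s", target);
    return cmd;
}

/* Allow-list check for the target: only letters, digits, '.' and '-',
 * RFC-1035-sized, and no leading '-' or '.', so the value can neither carry
 * shell metacharacters nor be parsed by ping as an option. */
bool is_valid_ping_target(const char *target)
{
    size_t len = strlen(target);
    if (len == 0 || len > 253)
        return false;
    if (target[0] == '-' || target[0] == '.')
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)target[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return false;
    }
    return true;
}

/* SAFE: validate first, then exec ping directly with an argv. No shell ever
 * sees the target, and the absolute path avoids PATH lookups.
 * Returns ping's exit status, or -1 if the target is rejected or exec fails. */
int run_ping_safe(const char *target)
{
    if (!is_valid_ping_target(target))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "3", (char *)target, NULL };
        execv("/bin/ping", argv);   /* assumed location of the ping binary */
        _exit(127);                 /* only reached if exec fails */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *injected = "8.8.8.8; cat /etc/passwd";   /* constructed input */
    printf("unsafe handler would run: %s\n", build_ping_command_unsafe(injected));
    printf("allow-list accepts it?   %s\n", is_valid_ping_target(injected) ? "yes" : "no");
    printf("safe handler result:     %d\n", run_ping_safe(injected));  /* -1: rejected */
    return 0;
}
```

The point of the pair is that the fix is not escaping: once a shell parses the string there is always another metacharacter to worry about, so the hardened path removes the shell entirely and rejects anything that is not a plausible hostname or IPv4 literal before forking.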
Byte-ul Posted January 4, 2017

Remote arbitrary system command execution with root privileges without authentication

Do you know whether the router's interface can also be reached from the Wi-Free network? I'm not at home right now to check.
SirGod Posted January 4, 2017 (Author)

I don't know, I haven't tried. Right now I've bricked my router and I'm working on that. I'll try tomorrow if you still need it.
Sandu Posted January 4, 2017 (edited)

2 hours ago, Byte-ul said:
Remote arbitrary system command execution with root privileges without authentication
Do you know whether the router's interface can also be reached from the Wi-Free network? I'm not at home right now to check.

It doesn't work.

It seems this is not the only affected modem: https://www.exploit-db.com/exploits/40156/

//edit https://firefart.at/post/upc_ubee_fail/

Edited January 4, 2017 by Sandu
miska Posted January 30, 2017

https://github.com/ties/compal_CH7465LG_py