UPC router reverse engineering - case study

Page 1

UPC router reverse engineering

Messing around the firmware & digging for WPA2 password generator

Dušan Klinec, Miroslav Svítok

deadcode.me

Page 2

The beginning of the story

Page 3

The beginning of the story

31.12.2015: Blasty publishes upc_keys.c, a generator for the default WPA2 passphrases of UPC routers

https://haxx.in/upc_keys.c

Page 4

The weakness

• Default SSID & password are computed from public information: the router serial number (format SAAP12345678)

• Serial ID → SSID and serial ID → PASSWD (diagram)

• Derivation: MD5 + some home-brew mangling

Page 5

The attack

• Brute force over the serial-number space: SAAP followed by 8 decimal digits, i.e. 10^8 iterations

• For every serial ID candidate compute its SSID; if the SSID matches the target network, print the corresponding password

(diagram: Serial ID SAAP12345678 → SSID, PASSWD)

Page 6

The attack

• About 20 password candidates on average: 10^8 serials map onto only 10^7 seven-digit SSIDs, so several serials collide on each SSID and each of them yields a candidate passphrase

• Under 2 seconds on a Samsung Galaxy S7

(diagram: Serial ID SAAP12345678 → SSID, PASSWD)
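The loop structure of the serial-space attack, as an added example that is not code from upc_keys.c or from the talk. The two derivation functions are stand-ins with the same shape as the real ones (MD5 of the serial, then home-brew reduction to a 7-digit SSID suffix and an 8-letter passphrase); their constants are invented for this example and do not reproduce the real UPC algorithm, which lives in the upc_keys.c linked on page 3. The SAAP prefix and the 10^8 digit space follow the slides.

```python
"""Shape of the upc_keys-style attack: enumerate the serial-number space,
keep only serials whose derived SSID matches, and emit their passphrases.

serial_to_ssid() and serial_to_passphrase() are STAND-INS (invented
constants, same shape as the real derivation: MD5 + reduction).  Drop in
the real functions from upc_keys.c to turn this into the actual attack.
"""
import hashlib
from itertools import product

SERIAL_PREFIX = "SAAP"          # as printed on the UPC routers
SSID_DIGITS = 7                 # UPC[0-9]{7}
PASS_LEN = 8
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def serial_to_ssid(serial: str) -> str:
    """Stand-in: cheap 7-digit SSID suffix derived from the serial number."""
    h = hashlib.md5(serial.encode()).digest()
    n = int.from_bytes(h[:4], "little") % 10 ** SSID_DIGITS
    return f"UPC{n:0{SSID_DIGITS}d}"


def serial_to_passphrase(serial: str) -> str:
    """Stand-in for 'MD5 + mangling' -> 8 upper-case letters.
    A second MD5 round mimics the extra hashing the slides mention."""
    h1 = hashlib.md5(serial.encode()).digest()
    mangled = "".join(f"{int.from_bytes(h1[i:i + 2], 'little'):04X}" for i in range(0, 8, 2))
    h2 = hashlib.md5(mangled.encode()).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in h2[:PASS_LEN])


def candidate_serials(digit_ranges):
    """Yield SAAP + 8 digits for the given per-digit ranges (full space = 10^8)."""
    for digits in product(*digit_ranges):
        yield SERIAL_PREFIX + "".join(str(d) for d in digits)


def attack(target_ssid: str, digit_ranges=None):
    """Return [(serial, passphrase)] for every serial whose SSID equals the target.
    The SSID comparison is the cheap filter; the passphrase is derived only on a hit."""
    if digit_ranges is None:
        digit_ranges = [range(10)] * 8      # the full 10^8 space (only practical in C)
    hits = []
    for serial in candidate_serials(digit_ranges):
        if serial_to_ssid(serial) == target_ssid:
            hits.append((serial, serial_to_passphrase(serial)))
    return hits


def expected_candidates(serial_space=10 ** 8, ssid_space=10 ** SSID_DIGITS):
    """Average number of serials colliding on one SSID: 10^8 / 10^7 = 10 here."""
    return serial_space / ssid_space


if __name__ == "__main__":
    victim = "SAAP12345678"                  # constructed target, first 5 digits fixed to keep the demo short
    subspace = [[1], [2], [3], [4], [5], range(10), range(10), range(10)]
    for serial, passphrase in attack(serial_to_ssid(victim), subspace):
        print(serial, passphrase)
```

The full 10^8 space takes hours in Python; the "under 2 seconds" figure on the slide is native code, as upc_keys.c is. What the example shows is why the attack is cheap: the SSID function runs once per serial, the passphrase function only for the handful of serials that collide on the target SSID.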

Pages 7-8

(image slides)

Page 9

Technicolor TC 7200

48.53 % of all UPC[0-9]{7} networks in Brno, 02/2016

Vulnerable modem (covered by upc_keys.c)

* 2868 UPC samples collected out of 17516 networks total

Page 10

UBEE EVW 3226

15.44 % of all UPC[0-9]{7} networks in Brno, 02/2016

Not-yet-vulnerable modem (not covered by upc_keys.c; the target of this talk)

* 2868 UPC samples collected out of 17516 networks total

Page 11

Attack outline

• Get the firmware

• Analyze the binaries that generate the Wi-Fi config files

• Reverse engineer the password-generating routine

Page 12

Getting the firmware – UART

Page 13

Getting the firmware – UART

• Some soldering needed

• USB-UART bridge (about 2 USD on eBay)

Page 14

Getting the firmware – UART

• Collect information over the serial console: memory layout, kernel, compression, encryption, …

• Modify the boot arguments, dump the flash

• Default credentials / no-auth access to the CLI

Page 15

Getting the firmware – UART

Page 16

Getting the firmware – EEPROM read

Page 17

Getting the firmware – old school way

Page 18

Getting the firmware – old school way

• USB-SPI bridge (Bus Pirate or similar)

• Dump the flash memory

• Use binwalk to analyze the dump

• Decompress the file system and the kernel (squashfs, LZMA)
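What binwalk does in its first pass over a raw flash dump, reduced to the essentials, as an added example that is not the talk's tooling or binwalk's code: slide a few well-known magic values over the image and report where each starts, so you know where to cut for unsquashfs or an LZMA decoder. The dump is constructed inline (deterministic filler with an LZMA header and a squashfs superblock planted in it), not a real EVW3226 image; offsets and sizes are illustrative.

```python
"""Minimal signature scan of a flash dump (the first step binwalk automates).
The sample dump is constructed below; it is not firmware from any device.
"""
import struct

# Exact magics.  squashfs: "hsqs" (little-endian) / "sqsh" (big-endian);
# gzip: 1f 8b 08; U-Boot uImage: 27 05 19 56.
SIGNATURES = [
    ("squashfs (little-endian)", b"hsqs"),
    ("squashfs (big-endian)", b"sqsh"),
    ("gzip", b"\x1f\x8b\x08"),
    ("uImage (U-Boot)", b"\x27\x05\x19\x56"),
]
# LZMA-alone has no real magic, only a properties byte; 0x5D (lc=3, lp=0, pb=2)
# is the common default, so the header fields are validated as well.
LZMA_PROPS = 0x5D


def looks_like_lzma(blob: bytes, off: int) -> bool:
    """LZMA-alone header: 1 props byte, 4-byte dictionary size, 8-byte uncompressed size."""
    if len(blob) - off < 13 or blob[off] != LZMA_PROPS:
        return False
    dict_size = struct.unpack_from("<I", blob, off + 1)[0]
    usize = struct.unpack_from("<Q", blob, off + 5)[0]
    # real encoders use power-of-two dictionaries; size is sane or "unknown" (all ones)
    return dict_size in {1 << n for n in range(12, 28)} and (
        usize == 0xFFFFFFFFFFFFFFFF or usize < 1 << 32)


def scan(blob: bytes):
    """Return [(offset, description)] sorted by offset, like binwalk's table."""
    found = []
    for name, magic in SIGNATURES:
        start = 0
        while (idx := blob.find(magic, start)) != -1:
            found.append((idx, name))
            start = idx + 1
    for off in range(len(blob) - 13):
        if looks_like_lzma(blob, off):
            found.append((off, "LZMA compressed data"))
    return sorted(found)


def make_sample_dump() -> bytes:
    """Constructed dump: 8 KiB of filler (0x00..0xFF repeated) with an LZMA header
    at 0x400 and a squashfs magic at 0x1000."""
    blob = bytearray(bytes(range(256)) * 32)
    lzma_hdr = bytes([LZMA_PROPS]) + struct.pack("<I", 1 << 20) + struct.pack("<Q", 0x12345)
    blob[0x400:0x400 + len(lzma_hdr)] = lzma_hdr
    blob[0x1000:0x1004] = b"hsqs"
    return bytes(blob)


if __name__ == "__main__":
    for off, what in scan(make_sample_dump()):
        print(f"0x{off:08X}  {what}")
```

On a real dump the next step is to carve from the reported offset (dd with skip=, or binwalk -e) and run unsquashfs or an LZMA decoder on the slice; false positives for the weak LZMA signature are normal and are why binwalk cross-checks header fields the same way.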

Page 19

Getting the firmware – old school way

Page 20

Getting the firmware – without getting hands dirty

Page 21

Getting the firmware #2

• Attacking the software / APIs instead of the hardware

• Command injection / code execution

• Unsanitized input data in the administration interface

• Ping command, traceroute command

https://firefart.at/post/upc_ubee_fail/

Page 22

Getting the firmware #2

• Via a system vulnerability using the USB port

• A .auto file on the stick is executed if the USB volume is named “EVW3226”

https://firefart.at/post/upc_ubee_fail/

Page 23

Getting the firmware #2

• Rewrite /etc/passwd with a new admin password

• Start an SSH server on the router

• Enjoy the root access

Page 24

Getting the firmware

• dd all block devices to the USB flash drive

• tar the whole file system to the USB flash drive

Page 25

Searching the firmware

# cli
IMAGE_NAME=vgwsdk-3.5.0.24-150324.img
FSSTAMP=20150324141918
VERSION=EVW3226_1.0.20

Page 26

Searching the firmware

# ps -a
5681 admin 1924 S hostapd -B /tmp/secath0

Page 27

Searching the firmware

# cat /tmp/secath0
interface=ath0
bridge=rndbr1
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ssid=UPC2659797
wpa=3
wpa_passphrase=IVGDQAMI
wpa_key_mgmt=WPA-PSK

(hostapd is started with this generated config; wpa=3 enables both WPA and WPA2, and the default passphrase is written to it in the clear)

Page 28

Searching the firmware

# find . -type f -exec grep -il 'secath0' {} \;
./fss/gw/lib/libUtility.so
./fss/gw/usr/sbin/aimDaemon
./fss/gw/usr/www/cgi-bin/setup.cgi
./var/tmp/conf_filename
./var/tmp/www/cgi-bin/setup.cgi

(whatever writes /tmp/secath0 has to contain its name, so the binaries that reference it are the candidates for the password-generating routine)

Pages 29-34

Searching the firmware (image slides)

Page 35

That’s not all…

Pages 36-38

(image slides)

Page 39

Profanities

• If the generated password matches the profanity list, it is regenerated in a non-insulting alphabet

• BBCDFFGHJJKLMNPQRSTVVWXYZZ

• (This alphabet contains no vowels, so a substitute password cannot spell a word; it also has only 21 distinct letters, so those passwords come from a smaller space than the rest.)

Page 40

Non-optimal

• The profanity database contains a lot of duplicate entries with varying case

• toupper() is applied at runtime because the database mixes cases

• Some entries cannot be generated at all, e.g. PROSTITUTE (10 characters, the password has 8)

Page 41

Non-optimal

• The check is a substring search

• So it would be more efficient to remove from the database every entry that contains another entry as a substring

• “COCK”, “COCKS”, “COCKY”, “ACOCK”: only the first one is needed, the rest are redundant

Page 42

Profanity search

• All UBEE MACs generated (fixed vendor prefix, 2^24 device-specific suffixes)

• 2^24 = 16777216 passwords

• 32105 (0.19 %) hit the profanity detection

• That is, roughly 2 in every 1000 customers would have received a password the filter had to replace
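A profanity filter of the kind pages 39-42 describe, as an added example that is not the firmware's code. It shows how to minimise a mixed-case, redundant word list for a substring check (the fix the slides suggest), how a generated password is checked and on a hit re-encoded through the vowel-free alphabet from page 39, and how to measure the hit rate over a batch of passwords the way the authors did over all 2^24 MACs. The word list and the password generator are constructed for the example; the generator is not the EVW3226 routine.

```python
"""Profanity filtering of generated passwords: list minimisation, check,
fallback alphabet, and hit-rate measurement.  All inputs are constructed.
"""
import hashlib

PASS_LEN = 8
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SAFE_ALPHABET = "BBCDFFGHJJKLMNPQRSTVVWXYZZ"   # the non-insulting alphabet from the slides

# Constructed sample of a sloppy database: mixed case, duplicates, super-strings,
# and an entry longer than the password itself.
RAW_WORDS = ["cock", "COCK", "Cocks", "cocky", "ACOCK", "PROSTITUTE", "damn", "Damnation", "ass"]


def minimise_wordlist(words, max_len=PASS_LEN):
    """Upper-case once, drop duplicates, drop words that cannot fit into an
    8-character password, and drop any word that contains another listed word
    (a substring search for 'COCK' already catches 'COCKS' and 'ACOCK')."""
    ups = {w.upper() for w in words if len(w) <= max_len}
    keep = set()
    for w in sorted(ups, key=len):            # shortest first
        if not any(k in w for k in keep):     # already covered by a shorter entry?
            keep.add(w)
    return sorted(keep)


def is_profane(password: str, wordlist) -> bool:
    """The firmware's check is a plain substring search."""
    return any(w in password for w in wordlist)


def to_safe_alphabet(password: str) -> str:
    """Re-encode letter by letter through the vowel-free alphabet."""
    return "".join(SAFE_ALPHABET[ALPHABET.index(c)] for c in password)


def toy_password(mac_suffix: int) -> str:
    """Constructed generator: 8 letters from an MD5 of the 24-bit MAC suffix.
    Only a stand-in so that there is something to measure; not UBEE's routine."""
    h = hashlib.md5(mac_suffix.to_bytes(3, "big")).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in h[:PASS_LEN])


def final_password(mac_suffix: int, wordlist) -> str:
    pw = toy_password(mac_suffix)
    return to_safe_alphabet(pw) if is_profane(pw, wordlist) else pw


def hit_rate(wordlist, count: int) -> float:
    """Fraction of the first `count` MAC suffixes whose password trips the filter
    (the slides did this over all 2^24 UBEE MACs and got 0.19 %)."""
    hits = sum(is_profane(toy_password(i), wordlist) for i in range(count))
    return hits / count


if __name__ == "__main__":
    wl = minimise_wordlist(RAW_WORDS)
    print("minimised list:", wl)
    print("hit rate over 20000 MACs: %.3f %%" % (100 * hit_rate(wl, 20000)))
```

Because the fallback alphabet has no vowels, a replaced password can never match a word that contains one; the price is that the replacement is drawn from 21 letters instead of 26, which an attacker who knows the filter can exploit by trying the vowel-free space first for the affected devices.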

Page 43

Profanity stats

Length of the matched word (characters) | Occurrences
3 | 23090
4 | 6014
5 | 3001
(total 32105)

Page 44

Profanity stats (chart)

Page 45

Statistical properties of the password function

Pages 46-49

(charts)

Page 50

Uniformity tests

Page 51

(chart)

Page 52

Uniformity tests

• H0: the distribution of characters from the alphabet is uniform over the characters (per password position and overall).

• H1 (alternative): the distribution is not uniform.

Page 53

Uniformity tests – chart: uniform distribution on characters A–Z, per password position 1–8 and in total (the reference)

Page 54

Uniformity tests – chart: output-alphabet projection distribution, A–Z per position 1–8 and in total (the generator as implemented)

Page 55

Uniformity tests – chart: “Do not strip the entropy”, A–Z per position 1–8 and in total

Page 56

Uniformity tests – chart: “Do only one hashing – no homebrew mangling”, A–Z per position 1–8 and in total
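The uniformity test from pages 50-56 carried out in code, as an added example that is not the authors' analysis scripts. H0 is that at every password position each letter is equally likely; the statistic is Pearson's chi-square against the uniform distribution (df = 25 for a 26-letter alphabet). Two constructed generators are compared: a "mangled" one that reduces a hash byte with `% 26` (256 is not a multiple of 26, so A–V get 10/256 of the mass and W–Z only 9/256, one of the ways home-brew reduction skews the output) and a clean one that rejects the unusable byte values. Both feed on MD5 of a counter, so the run is deterministic; neither is the EVW3226 routine.

```python
"""Chi-square uniformity test per password position for two constructed
generators: modulo reduction (biased) versus rejection sampling (unbiased).
"""
import hashlib

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
N = len(ALPHABET)
PASS_LEN = 8
CHI2_CRIT_25_005 = 37.652      # chi-square critical value, df=25, alpha=0.05


def _byte_stream(seed: int):
    """Endless bytes from MD5(seed:counter); stand-in for hash-of-MAC input."""
    ctr = 0
    while True:
        yield from hashlib.md5(f"{seed}:{ctr}".encode()).digest()
        ctr += 1


def mangled_password(seed: int) -> str:
    """Biased: byte % 26, the usual '% alphabet_size' mangling."""
    bs = _byte_stream(seed)
    return "".join(ALPHABET[next(bs) % N] for _ in range(PASS_LEN))


def clean_password(seed: int) -> str:
    """Unbiased: a byte is used only if it is below 26 * 9 = 234, else skipped."""
    bs = _byte_stream(seed)
    limit = (256 // N) * N
    out = []
    while len(out) < PASS_LEN:
        b = next(bs)
        if b < limit:
            out.append(ALPHABET[b % N])
    return "".join(out)


def chi_square_by_position(passwords):
    """Chi-square statistic of each position against uniform over ALPHABET (df = 25)."""
    total = len(passwords)
    expected = total / N
    stats = []
    for pos in range(PASS_LEN):
        counts = dict.fromkeys(ALPHABET, 0)
        for pw in passwords:
            counts[pw[pos]] += 1
        stats.append(sum((counts[c] - expected) ** 2 / expected for c in ALPHABET))
    return stats


def uniformity_verdict(generator, samples=100_000):
    """Return (positions where H0 is rejected at the 5 % level, all statistics)."""
    pws = [generator(i) for i in range(samples)]
    stats = chi_square_by_position(pws)
    rejected = [i for i, s in enumerate(stats) if s > CHI2_CRIT_25_005]
    return rejected, stats


if __name__ == "__main__":
    for name, gen in (("mangled (% 26)", mangled_password), ("clean (rejection)", clean_password)):
        rejected, stats = uniformity_verdict(gen)
        print(f"{name}: H0 rejected at positions {rejected}; max chi2 = {max(stats):.1f}")
```

The bias per letter is under 10 %, invisible on a histogram of a few hundred samples, but with 10^5 samples the chi-square statistic for the modulo generator lands far above the 37.65 threshold at every position while the rejection-sampling generator stays within it; this is the kind of evidence behind the "no homebrew mangling" recommendation on page 56. Any reduction that is not a multiple of the input range, or that discards part of the hash, shows up the same way.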

Page 57

Password gen conclusion

• Uses only the MAC address as input

• Only one password guess per network (no candidate list to try)

• Very cheap – 2 MD5 hashes per network

• Compared to Blasty’s tool, which brute-forces the router serial-ID space

Page 58

(image slide)

Page 59

More vulnerabilities

Page 60

UBEE vulnerabilities

• UPC Wi-Free can be sniffed: after gaining root access on the modem, the Wi-Free traffic passing through it can be sniffed / tampered with

• Authentication bypass (backdoor):

http://192.168.0.1/cgi-bin/setup.cgi?factoryBypass=1

Page 61

UBEE vulnerabilities

• Insecure session management: no cookies, the session is bound to the client IP address only

• Local file inclusion:

http://192.168.0.1/cgi-bin/setup.cgi?gonext=../www/main2

• Buffer overflow in the configuration-file request (overlong path):

http://192.168.0.1/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

• Backup file disclosure – the backup is not deleted and stays publicly available:

http://192.168.0.1/Configuration_file.cfg
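The web-interface issues on pages 60-61 turned into detection logic, as an added example that is not from the talk: a scanner over HTTP access-log lines in the common log format that flags the factoryBypass backdoor, the gonext traversal (including a percent-encoded variant), overlong request paths, and fetches of the backup file. The log lines and the 48-character path limit are constructed for the example; the modem itself does not necessarily keep such a log, so in practice this runs on a proxy or IDS in front of it.

```python
"""Flag requests matching the EVW3226 setup.cgi issues in access-log lines.
The sample log is constructed; the MAX_PATH_LEN threshold is an assumption.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

MAX_PATH_LEN = 48      # assumption: no legitimate path on this UI comes close

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

SAMPLE_LOG = (
    '192.168.0.10 - - [10/Feb/2016:21:01:02 +0100] "GET /cgi-bin/setup.cgi?gonext=main2 HTTP/1.1" 200\n'
    '192.168.0.10 - - [10/Feb/2016:21:01:05 +0100] "GET /cgi-bin/setup.cgi?factoryBypass=1 HTTP/1.1" 200\n'
    '192.168.0.10 - - [10/Feb/2016:21:01:09 +0100] "GET /cgi-bin/setup.cgi?gonext=../www/main2 HTTP/1.1" 200\n'
    '192.168.0.10 - - [10/Feb/2016:21:01:12 +0100] "GET /' + "a" * 60 + ' HTTP/1.1" 500\n'
    '192.168.0.10 - - [10/Feb/2016:21:01:15 +0100] "GET /Configuration_file.cfg HTTP/1.1" 200\n'
    '192.168.0.10 - - [10/Feb/2016:21:01:20 +0100] "GET /cgi-bin/setup.cgi?gonext=%2e%2e%2fwww%2fmain2 HTTP/1.1" 200\n'
)


def classify(target: str):
    """Return the list of finding names for one request target."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = {k: [unquote(v) for v in vs] for k, vs in parse_qs(parts.query).items()}
    findings = []
    if path.endswith("/setup.cgi") and query.get("factoryBypass") == ["1"]:
        findings.append("auth-bypass factoryBypass=1")
    if any(".." in v for v in query.get("gonext", [])):
        findings.append("LFI/traversal via gonext")
    if len(path) > MAX_PATH_LEN:
        findings.append("overlong path (config request overflow probe)")
    if path == "/Configuration_file.cfg":
        findings.append("backup file download")
    return findings


def scan_log(text: str):
    """Return (ip, timestamp, target, findings) for every flagged line."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m["target"])
        if findings:
            out.append((m["ip"], m["ts"], m["target"], findings))
    return out


if __name__ == "__main__":
    for ip, ts, target, findings in scan_log(SAMPLE_LOG):
        print(ip, ts, target, ", ".join(findings))
```

Decoding before matching matters: the percent-encoded gonext value would slip past a literal "../" string match, which is why the traversal check is applied to the decoded parameter rather than to the raw line.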

Page 62

UBEE vulnerabilities

• Backup file is not encrypted: the web UI asks for a password to encrypt the backup, but the backup is not actually encrypted and the password is stored inside it in plaintext

• Backup restore buffer overflow: a password longer than 65536 characters leads to arbitrary code execution

• Backup file = tar, and it can contain symbolic links; after extraction these can overwrite CGI scripts
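The symlink trick from the last bullet, built and then caught, as an added example that is not the modem's code: a tar member that is a symbolic link to an absolute path, followed by a regular file whose path goes through that link, overwrites an arbitrary file (here a CGI script) when a naive extractor unpacks the archive. Both archives are assembled in memory for the example; the target path mimics the EVW3226 layout seen in the `find` output earlier (assumed, not taken from a real backup).

```python
"""Build a benign and a malicious EVW3226-style backup tar and audit them for
symlink escapes before extraction.  Archives are constructed in memory.
"""
import io
import posixpath
import tarfile


def _add_file(tar, name, data: bytes):
    ti = tarfile.TarInfo(name)
    ti.size = len(data)
    tar.addfile(ti, io.BytesIO(data))


def _add_symlink(tar, name, target):
    ti = tarfile.TarInfo(name)
    ti.type = tarfile.SYMTYPE
    ti.linkname = target
    tar.addfile(ti)


def build_benign_backup() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "config/wifi.conf", b"ssid=UPC2659797\n")
    return buf.getvalue()


def build_malicious_backup() -> bytes:
    """Symlink 'www' -> CGI directory (absolute path), then a file 'www/setup.cgi'.
    A naive extractor creates the link first and then writes the file through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_symlink(tar, "www", "/fss/gw/usr/www/cgi-bin")
        _add_file(tar, "www/setup.cgi", b"#!/bin/sh\n# attacker-controlled CGI\n")
    return buf.getvalue()


def audit_backup(data: bytes):
    """Return a list of findings; empty means safe to extract into an empty
    directory even with an extractor that follows links."""
    findings = []
    links = {}                                        # member name -> link target
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            if name.startswith("/") or name == ".." or name.startswith("../") or "/../" in name:
                findings.append(f"escaping path: {m.name}")
            if m.issym() or m.islnk():
                target = m.linkname
                resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
                if target.startswith("/") or resolved == ".." or resolved.startswith("../"):
                    findings.append(f"link outside root: {m.name} -> {target}")
                links[name] = target
            else:
                # does any parent directory of this member match an earlier link?
                parent = posixpath.dirname(name)
                while parent:
                    if parent in links:
                        findings.append(f"file written through symlink: {m.name} via {parent}")
                        break
                    parent = posixpath.dirname(parent)
    return findings


if __name__ == "__main__":
    print("benign:", audit_backup(build_benign_backup()))
    print("malicious:", audit_backup(build_malicious_backup()))
```

The audit is order-aware on purpose: a file that merely shares a prefix with a link is harmless unless the link member came earlier in the archive, which is exactly the ordering a sequential extractor follows. Rejecting every link member outright is the simpler policy for a configuration backup, which has no legitimate need for them.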

Page 63

War driving #1 – Brno, 02/2016

Pages 64-65

(image slides)

Page 66

Category | Count | Share
Total networks | 17 516 |
UPC networks | 2 868 | 16.37 % of all networks
UPC vulnerable (UBEE or Technicolor) | 1 835 | 63.98 % of UPC
UPC UBEE vulnerable | 443 | 15.45 % of UPC
UPC Technicolor vulnerable | 1 392 | 48.54 % of UPC
UBEE with changed defaults | 98 | 18.11 % of UBEE
Technicolor with changed defaults | 304 | 17.92 % of Technicolor

Page 67

War driving #2 – Bratislava, 10/2016

Page 68

(image slide)

Page 69

Category | Count | Share
Total networks | 22 172 |
UPC networks | 3 092 | 13.95 % of all networks
UPC vulnerable (UBEE or Technicolor) | 1 327 | 42.92 % of UPC
UPC UBEE vulnerable | 822 | 26.58 % of UPC
UPC Technicolor vulnerable | 505 | 16.33 % of UPC
UBEE with changed defaults | 205 | 19.96 % of UBEE
Technicolor with changed defaults | 96 | 3.10 % (as printed, labelled “Tech.”; 96 is 3.10 % of all UPC networks and 15.97 % of the Technicolor units)
Compal CH7465LG | 930 | 30.08 % of UPC

Page 70

New target: Compal CH7465LG

• Security Swiss cheese: 35 vulnerabilities found by an independent security team (SEARCH-LAB, see the evaluation report in the references)

• The default WPA2 password generation seems to be properly implemented – allegedly

Page 71

Recap

• Firmware dumped

• WPA2 password generator reverse engineered

• Statistical analysis of the generator function

• Wardriving

• Android app for automated testing

Page 72

Timeline

• 27 Jan 2016: Start of the analysis.

• 04 Feb 2016: Official disclosure to Liberty Global (UPC’s parent company).

• 04 May 2016: Check with Liberty Global on the state of the fix.

• 28 Jun 2016: This article sent to Liberty Global for review.

• 04 Jul 2016: Publication of the research.

Page 73

Thank you for your attention!

Questions

Page 74

References / resources

• https://deadcode.me/blog/2016/07/01/UPC-UBEE-EVW3226-WPA2-Reversing.html

• https://www.freeture.ch/?p=766

• http://jcjc-dev.com/2016/06/08/reversing-huawei-4-dumping-flash/

• https://haxx.in/upc-wifi/

• https://firefart.at/post/upc_ubee_fail/

• http://www.wifileaks.cz/

• http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities

• http://www.search-lab.hu/advisories/secadv-20150720

• http://www.search-lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdf

• https://github.com/devttys0/binwalk