UPC router reverse engineering - case study
UPC router reverse
engineering
Messing around the firmware & digging for WPA2 password generator
Dušan Klinec, Miroslav Svítok
deadcode.me
The beginning of the story
31.12.2015
https://haxx.in/upc_keys.c
The weakness
• Default SSID & password are computed from public information
• Serial ID (e.g. SAAP12345678) → SSID, PASSWD
Derivation: MD5 + some home-brew mangling
The attack
• Bruteforce, complexity = 1e8 iterations
• For all serial ID combinations
• Compute SSID, if matches, print passwd
• 20 password candidates on average
• Under 2 seconds on Samsung Galaxy S7
Technicolor TC 7200 – vulnerable modem
• 48.53 % of all UPC[0-9]{7} networks in Brno 02/2016
UBEE EVW 3226 – not-yet-vulnerable modem
• 15.44 % of all UPC[0-9]{7} networks in Brno 02/2016
* 2868 UPC samples collected / 17516 total
Attack outline
• Get the firmware
• Analyze binaries generating wifi config files
• Reverse engineer password generating routine
Getting the firmware – UART
• Some soldering needed
• USB-UART bridge (2 USD on eBay)
• Collect information – e.g., memory layout, kernel, compression, encryption, …
• Modify boot arguments, dump flash
• Default credentials / no-auth access to CLI
Getting the firmware – EEPROM read
Getting the firmware – old school way
• USB-SPI bridge (BusPirate / other)
• Dump flash memory
• Use binwalk to analyze the dump
• Decompress (squashfs, lzma) the FS, kernel
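The "use binwalk to analyze the dump" step is, at its core, a signature scan: the tool walks the raw flash image looking for the magic bytes of known containers (U-Boot images, gzip/xz streams, squashfs superblocks) and reports their offsets so each piece can be carved out and decompressed. The following is an added, self-contained illustration of that scan written for this page; it is not binwalk's code and not anything from the talk. The signature table and the constructed sample image are assumptions made here, and raw LZMA is deliberately left out because it has no fixed magic (only a properties byte and a dictionary size), which is why real tools need heuristics for it.

```python
import re

# Magic values of container formats commonly found in router flash dumps.
# Constructed table for this example: only formats with a fixed signature.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header (U-Boot legacy image)",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"\xfd7zXZ\x00": "xz compressed data",
    b"hsqs": "squashfs filesystem, little endian",
    b"sqsh": "squashfs filesystem, big endian",
    b"\x45\x3d\xcd\x28": "cramfs filesystem",
}


def scan_dump(blob: bytes):
    """Return sorted (offset, description) pairs for every signature hit in blob."""
    hits = []
    for magic, desc in SIGNATURES.items():
        for m in re.finditer(re.escape(magic), blob):
            hits.append((m.start(), desc))
    return sorted(hits)


def carve(blob: bytes, offset: int) -> bytes:
    """Slice from a reported offset to the end; the decompressor stops at its own
    end-of-stream marker, so over-reading the tail is harmless."""
    return blob[offset:]


def build_sample_dump() -> bytes:
    """Constructed flash image: a uImage header, a gzip'd kernel and a squashfs root.
    Erased NOR flash reads as 0xFF, so the padding is 0xFF bytes."""
    img = bytearray(b"\xff" * 8192)
    img[64:68] = b"\x27\x05\x19\x56"   # uImage magic at 0x40
    img[1024:1027] = b"\x1f\x8b\x08"   # gzip member header (kernel) at 0x400
    img[4096:4100] = b"hsqs"           # squashfs superblock (rootfs) at 0x1000
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, desc in scan_dump(dump):
        print(f"0x{off:08x}  {desc}  ({len(carve(dump, off))} bytes to end)")
```

On a real dump the carved slices are what you hand to `gunzip`, `unxz` or `unsquashfs`; the scan only tells you where to cut.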
Getting the firmware – without getting hands dirty
Getting the firmware #2
• Attacking the software / APIs
• Command injection / code execution
• Unsanitized input data in administration interface
• Ping command, traceroute command
https://firefart.at/post/upc_ubee_fail/
• Via system vulnerability using USB port
• .auto file is executed if USB is named “EVW3226”
• Rewrite /etc/passwd with a new admin password
• Start SSH server on the router
• Enjoy the root access
Getting the firmware
• DD all block devices to the USB flash drive
• Tar the whole FS to the USB flash drive
Searching the firmware
# cli
IMAGE_NAME=vgwsdk-3.5.0.24-150324.img
FSSTAMP=20150324141918
VERSION=EVW3226_1.0.20
# ps -a
5681 admin 1924 S hostapd -B /tmp/secath0
# cat /tmp/secath0
interface=ath0
bridge=rndbr1
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ssid=UPC2659797
wpa=3
wpa_passphrase=IVGDQAMI
wpa_key_mgmt=WPA-PSK
# find . -type f -exec grep -il 'secath0' {} \;
./fss/gw/lib/libUtility.so
./fss/gw/usr/sbin/aimDaemon
./fss/gw/usr/www/cgi-bin/setup.cgi
./var/tmp/conf_filename
./var/tmp/www/cgi-bin/setup.cgi
Searching the firmware (four slides of disassembly screenshots; not in the transcript)
That’s not all…
Profanities
• Profanity found? Switch to the non-insulting alphabet BBCDFFGHJJKLMNPQRSTVVWXYZZ (26 letters, with the vowels A E I O U replaced by B F J P V)
Non-optimal
• Contains a lot of duplicate entries, varying case
• toupper() on runtime – database case mixed
• Some entries cannot be generated at all, e.g. PROSTITUTE (10 characters, password has 8)
• Substring search test
• More efficient to remove substrings from database
• “COCK”, “COCKS”, “COCKY”, “ACOCK”
• (Only the first one is needed, the rest is redundant)
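The two "Non-optimal" slides describe a filter that could be built once and kept minimal: uppercase the database at build time instead of calling toupper() on every lookup, drop entries longer than the password, and drop any entry that contains a shorter entry (substring search on "COCK" already catches "COCKS", "COCKY" and "ACOCK"). The example below, added for this page and not the modem's code, does exactly that normalisation and then reports hits by matched-word length in the shape of the "Profanity stats" slide. The raw database and the candidate passwords are constructed here (the page's own examples plus a harmless "dog"), not the modem's real list.

```python
from collections import Counter

PASSWORD_LEN = 8


def normalize_profanity_list(words, max_len=PASSWORD_LEN):
    """Collapse a raw profanity database into the minimal set needed for substring search.

    - uppercase once at build time instead of toupper() on every lookup
    - drop duplicates that differ only in case
    - drop entries longer than the password (they can never match)
    - drop entries that contain a shorter entry (the shorter one already catches them)
    """
    upper = {w.strip().upper() for w in words if w.strip()}
    fitting = {w for w in upper if len(w) <= max_len}
    minimal = {w for w in fitting
               if not any(other != w and other in w for other in fitting)}
    return sorted(minimal)


def find_profanity(password, minimal):
    """Return the first blocked substring found in password, or None."""
    haystack = password.upper()
    for w in minimal:
        if w in haystack:
            return w
    return None


def hit_length_histogram(passwords, minimal):
    """Count hits by length of the matched word, like the 'Profanity stats' slide."""
    hist = Counter()
    for pw in passwords:
        hit = find_profanity(pw, minimal)
        if hit is not None:
            hist[len(hit)] += 1
    return hist


# Constructed sample database and candidate passwords (not the modem's real list).
RAW_DB = ["cock", "COCKS", "Cocky", "ACOCK", "PROSTITUTE", "dog", "Dog"]
SAMPLE_PASSWORDS = ["IVGDQAMI", "ACOCKXYZ", "TDOGGYQW", "QWERTYUI"]

if __name__ == "__main__":
    minimal = normalize_profanity_list(RAW_DB)
    print("minimal list:", minimal)                 # ['COCK', 'DOG']
    print("hits by length:", dict(hit_length_histogram(SAMPLE_PASSWORDS, minimal)))
```

With a list this small the saving is invisible, but on a database with thousands of entries the substring-minimal set is what keeps the per-password check cheap enough to run inside the generator.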
Profanity search
• All UBEE MACs generated
• 2^24 = 16777216 passwords
• 32105 (0.19 %) hit the profanity detection
• Circa 2 in 1000 customers could complain
Profanity stats
# of characters   Occurrences
3                 23090
4                 6014
5                 3001
Statistic properties of the password function
Uniformity tests
• H0: the distribution of characters from the alphabet is uniform over the characters.
• H_alt (alternative hypothesis): the distribution is not uniform.
Uniformity tests – four heat maps of character frequency (A–Z at password positions 1–8 and in total; the values are not in the transcript):
• Uniform distribution on characters
• Output alphabet projection distribution
• Do not strip the entropy
• Do only one hashing – no homebrew mangling
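The uniformity tests above are a Pearson chi-square test of H0 per password position and over all positions pooled. The following added example (written for this page; it is not the UBEE routine and not the authors' analysis code) runs that test against two toy derivations to show what "do not strip the entropy" means in practice: mapping a hash byte to a letter with `byte % 26` favours A..V over W..Z (256 = 9·26 + 22), while rejection sampling keeps the letters uniform. The hash (SHAKE-128 over a constructed MAC), the 30 000 constructed MACs, the 0.1 % critical value 52.62 for 25 degrees of freedom, and both generators are assumptions of this example.

```python
import hashlib
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
PASSWORD_LEN = 8
# Upper 0.1 % point of the chi-square distribution with 25 degrees of freedom
# (26 letters - 1); a statistic above it rejects H0 "characters are uniform".
CHI2_CRIT_DF25 = 52.62


def keystream(mac: bytes) -> bytes:
    """One hash call over the MAC (toy derivation; not the modem's real routine)."""
    return hashlib.shake_128(mac).digest(64)


def gen_modulo_biased(mac: bytes) -> str:
    """'Strips entropy' the classic way: byte % 26 favours A..V (10/256) over W..Z (9/256)."""
    return "".join(ALPHABET[b % 26] for b in keystream(mac)[:PASSWORD_LEN])


def gen_rejection_uniform(mac: bytes) -> str:
    """Rejection sampling: only bytes below 234 (= 9 * 26) are used, so b % 26 is unbiased."""
    out = []
    for b in keystream(mac):
        if b < 234:
            out.append(ALPHABET[b % 26])
            if len(out) == PASSWORD_LEN:
                return "".join(out)
    raise RuntimeError("keystream exhausted before 8 characters were drawn")


def chi_square(counts: Counter, n: int) -> float:
    """Pearson chi-square statistic of the observed counts against n / 26 each."""
    expected = n / len(ALPHABET)
    return sum((counts[c] - expected) ** 2 / expected for c in ALPHABET)


def uniformity_stats(generator, n_samples: int = 30000):
    """Chi-square per password position (8 values) plus the pooled total (9th value)."""
    per_pos = [Counter() for _ in range(PASSWORD_LEN)]
    total = Counter()
    for i in range(n_samples):
        # constructed MAC: locally administered OUI 02:00:00 followed by a counter
        mac = b"\x02\x00\x00" + i.to_bytes(3, "big")
        for pos, ch in enumerate(generator(mac)):
            per_pos[pos][ch] += 1
            total[ch] += 1
    stats = [chi_square(c, n_samples) for c in per_pos]
    stats.append(chi_square(total, n_samples * PASSWORD_LEN))
    return stats


def rejects_uniformity(generator, n_samples: int = 30000) -> bool:
    """True when the pooled statistic exceeds the critical value (H0 rejected)."""
    return uniformity_stats(generator, n_samples)[-1] > CHI2_CRIT_DF25


if __name__ == "__main__":
    for name, gen in [("byte % 26", gen_modulo_biased), ("rejection", gen_rejection_uniform)]:
        stats = uniformity_stats(gen)
        verdict = "REJECT H0" if stats[-1] > CHI2_CRIT_DF25 else "uniform"
        print(f"{name:10s}", " ".join(f"{s:6.1f}" for s in stats), verdict)
```

The modulo bias is small (about 4 % per letter), so a single position with 30 000 samples sits near the threshold; the pooled statistic over all eight positions is what makes it unmistakable. That is the same reason the slides show a "total" row under the per-position rows.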
Password gen conclusion
• Uses only MAC as an input
• Only one password guess
• Very effective – 2 MD5 hashes
• Compared to Blasty (router serial ID space brute-forcing)
More vulnerabilities
UBEE vulnerabilities
• UPC Wi-Free can be sniffed
• After gaining root access, Wi-Free can be sniffed / tampered with
• Authentication bypass (backdoor)
• http://192.168.0.1/cgi-bin/setup.cgi?factoryBypass=1
• Insecure session management
• no cookies – the session is bound to the client IP address only
• Local file inclusion
http://192.168.0.1/cgi-bin/setup.cgi?gonext=../www/main2
• Buffer overflow in configuration file request
http://192.168.0.1/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
• Backup file disclosure – not deleted, publicly available
http://192.168.0.1/Configuration_file.cfg
• Backup file is not encrypted
• Web asks for password for backup encryption
• Backup is not actually encrypted, password is stored in plaintext
• Backup restore buffer overflow
• Password longer than 65536 characters
• Arbitrary code execution
• Backup file = tar, can contain symbolic links
• After extraction can overwrite CGI scripts
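The last two bullets describe the restore side trusting the archive: a tar that carries a symlink, or a path with `..`, can write outside the intended directory once extracted. The example below is added for this page (it is not the modem's restore code) and shows the check a restore routine should run over the whole archive before extracting anything: refuse any member that resolves outside the destination, refuse every symlink and hardlink, and refuse device or FIFO entries. The sample backup it builds in memory (one honest config file, one symlink to a CGI directory, one traversal path) is constructed for the demonstration; the destination path is a placeholder.

```python
import io
import os
import tarfile


def unsafe_members(tar: tarfile.TarFile, dest: str):
    """List (name, reason) for archive members a restore routine must refuse.

    Rules: no member may resolve outside dest, no symlinks or hardlinks at all
    (a link planted in the archive lets a later member write through it), and
    no device or FIFO entries.
    """
    base = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(base, m.name))
        if os.path.commonpath([base, target]) != base:
            bad.append((m.name, "path escapes destination"))
        elif m.issym() or m.islnk():
            bad.append((m.name, "link member"))
        elif not (m.isfile() or m.isdir()):
            bad.append((m.name, "special file"))
    return bad


def check_backup(blob: bytes, dest: str):
    """Validate an in-memory backup archive without extracting it."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        return unsafe_members(tar, dest)


def restore_backup(blob: bytes, dest: str):
    """Extract only when the whole archive passed validation; return the findings."""
    bad = check_backup(blob, dest)
    if not bad:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
            tar.extractall(dest)
    return bad


def build_sample_backup() -> bytes:
    """Constructed backup: one honest config file plus two hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"ssid=UPC0000000\n"
        conf = tarfile.TarInfo("etc/wifi.conf")
        conf.size = len(data)
        tar.addfile(conf, io.BytesIO(data))
        link = tarfile.TarInfo("cgi-bin")          # symlink pointing at the web root
        link.type = tarfile.SYMTYPE
        link.linkname = "/usr/www/cgi-bin"
        tar.addfile(link)
        esc = tarfile.TarInfo("../../etc/passwd")  # classic path traversal
        esc.size = 0
        tar.addfile(esc, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    # placeholder destination; nothing is written because the archive is rejected
    for name, reason in check_backup(build_sample_backup(), "/tmp/restore_example"):
        print(f"refused {name!r}: {reason}")
```

Validating the full member list before the first write matters more than any single rule: an archive is a sequence, and a symlink extracted early is exactly what a later member writes through. Newer Python releases offer `tar.extractall(dest, filter="data")` for the same purpose; the explicit check above is what to do on a firmware image whose interpreter predates it.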
War driving #1 – Brno, 02/2016
Total networks: 17 516
UPC networks: 2 868 (16.37 % of all)
UPC vulnerable: 1 835 (63.98 % of UPC)
UPC UBEE vulnerable: 443 (15.45 % of UPC)
UPC Technicolor vulnerable: 1 392 (48.54 % of UPC)
UBEE changed: 98 (18.11 % of UBEE)
Technicolor changed: 304 (17.92 % of Technicolor)
War driving #2 – Bratislava, 10/2016
Total networks: 22 172
UPC networks: 3 092 (13.95 % of all)
UPC vulnerable: 1 327 (42.92 % of UPC)
UPC UBEE vulnerable: 822 (26.58 % of UPC)
UPC Technicolor vulnerable: 505 (16.33 % of UPC)
UBEE changed: 205 (19.96 % of UBEE)
Technicolor changed: 96 (3.10 % of Technicolor)
Compal CH7465LG: 930 (30.08 % of UPC)
New target
• Security Swiss cheese
• 35 vulnerabilities found by an independent security team
• Default WPA2 seems to be properly implemented – allegedly
Recap
• Firmware dumped
• WPA2 pwd gen reverse engineered
• Function statistical analysis
• Wardriving
• Android app for automated testing
Timeline
• 27. Jan 2016: Start of the analysis.
• 04. Feb 2016: Official disclosure to Liberty Global.
• 04. May 2016: Check with Liberty Global on the state of the fix.
• 28. Jun 2016: Sending this article for review to Liberty Global.
• 04. Jul 2016: Publication of the research.
Thank you for your attention!
Questions
References / resources
• https://deadcode.me/blog/2016/07/01/UPC-UBEE-EVW3226-WPA2-Reversing.html
• https://www.freeture.ch/?p=766
• http://jcjc-dev.com/2016/06/08/reversing-huawei-4-dumping-flash/
• https://haxx.in/upc-wifi/
• https://firefart.at/post/upc_ubee_fail/
• http://www.wifileaks.cz/
• http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities
• http://www.search-lab.hu/advisories/secadv-20150720
• http://www.search-lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdf
• https://github.com/devttys0/binwalk