UPC router reverse engineering - case study
UPC router reverse engineering
Messing around the firmware & digging for WPA2 password generator
Dušan Klinec, Miroslav Svítok
deadcode.me
The beginning of the story
31.12.2015
https://haxx.in/upc_keys.c
The weakness
• Default SSID & Passwd computation from public information
Figure: Serial ID (e.g. SAAP12345678) → SSID, PASSWD
Derivation: MD5 + some home-brew mangling
The attack
• Brute-force, complexity = 1e8 iterations
• For all serial ID combinations
• Compute SSID, if matches, print passwd
• 20 password candidates on average
• Under 2 seconds on Samsung Galaxy S7
Technicolor TC 7200
48.53 % of all UPC[0-9]{7} networks in Brno 02/2016
Vulnerable modem
* 2868 UPC samples collected / 17516 total
UBEE EVW 3226
15.44 % of all UPC[0-9]{7} networks in Brno 02/2016
Not-yet-vulnerable modem
Attack outline
• Get the firmware
• Analyze binaries generating wifi config files
• Reverse engineer password generating routine
Getting the firmware – UART
• Some soldering needed
• USB-UART bridge (2 USD on eBay)
• Collect information – e.g., memory layout, kernel, compression, encryption, …
• Modify boot arguments, dump flash
• Default credentials / no-auth access to CLI
Getting the firmware – EEPROM read
Getting the firmware – old school way
• USB-SPI bridge (BusPirate / other)
• Dump flash memory
• Use binwalk to analyze the dump
• Decompress (squashfs, lzma) the FS, kernel
Getting the firmware – without getting hands dirty
Getting the firmware #2
• Attacking the software / APIs
• Command injection / code execution
• Unsanitized input data in administration interface
• Ping command, traceroute command
https://firefart.at/post/upc_ubee_fail/
• Via system vulnerability using USB port
• .auto file is executed if USB is named “EVW3226”
• Rewrite /etc/passwd with a new admin password
• Start SSH server on the router
• Enjoy the root access
• dd all block devices to the USB flash drive
• Tar the whole FS to the USB flash drive
Searching the firmware
# cli
IMAGE_NAME=vgwsdk-3.5.0.24-150324.img
FSSTAMP=20150324141918
VERSION=EVW3226_1.0.20
# ps -a
5681 admin 1924 S hostapd -B /tmp/secath0
# cat /tmp/secath0
interface=ath0
bridge=rndbr1
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ssid=UPC2659797
wpa=3
wpa_passphrase=IVGDQAMI
wpa_key_mgmt=WPA-PSK
# find . -type f -exec grep -il 'secath0' {} \;
./fss/gw/lib/libUtility.so
./fss/gw/usr/sbin/aimDaemon
./fss/gw/usr/www/cgi-bin/setup.cgi
./var/tmp/conf_filename
./var/tmp/www/cgi-bin/setup.cgi
That’s not all…
Profanities
• Profanity found? Switch to non-insulting alphabet
• BBCDFFGHJJKLMNPQRSTVVWXYZZ
Non-optimal
• Contains a lot of duplicate entries, differing only in case
• toupper() at runtime – the database mixes upper and lower case
• Some entries cannot be generated at all, e.g. PROSTITUTE (10 characters, password has 8)
• Substring search test
• More efficient to remove substrings from database
• “COCK”, “COCKS”, “COCKY”, “ACOCK”
• (Only the first one is needed, the rest are redundant)
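An added example, not taken from the slides or the firmware, implementing the build-time clean-up of the profanity database that these two slides recommend (upper-casing once, dropping entries longer than the password, dropping superstrings of a shorter entry) together with the alphabet switch on a hit. The database entries are the ones quoted on the slides; the function names and the assumption that the same indices are re-projected onto the fallback alphabet are mine.

```python
PWD_LEN = 8
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Fallback alphabet quoted on the slides: vowels replaced by a neighbouring
# consonant, so it keeps 26 entries and the same indices can be re-projected.
SAFE_ALPHABET = "BBCDFFGHJJKLMNPQRSTVVWXYZZ"

# Constructed stand-in for the firmware's profanity database, built only from
# entries the slides quote: mixed case, duplicates, and one entry too long to
# ever appear in an 8-character password.
RAW_DATABASE = ["cock", "COCK", "Cocks", "COCKY", "ACOCK", "Cocky", "PROSTITUTE"]

def prune_database(raw, max_len=PWD_LEN):
    """Build-time clean-up: upper-case once (no toupper() at runtime), drop
    entries longer than the password, and drop every entry that contains a
    shorter kept entry, because the substring test already catches it."""
    words = sorted({w.upper() for w in raw if len(w) <= max_len},
                   key=lambda w: (len(w), w))
    kept = []
    for w in words:
        if not any(k in w for k in kept):
            kept.append(w)
    return kept

def contains_profanity(password, database):
    """The substring test run on a candidate password."""
    upper = password.upper()
    return any(w in upper for w in database)

def project(indices, alphabet):
    """Map one index per position onto an alphabet. Assumption: the firmware
    reuses the same indices when it switches to SAFE_ALPHABET."""
    return "".join(alphabet[i % len(alphabet)] for i in indices)

def generate(indices, database):
    """Project onto the normal alphabet; on a hit, re-project the same indices
    onto the non-insulting alphabet. Returns (password, switched)."""
    candidate = project(indices, ALPHABET)
    if contains_profanity(candidate, database):
        return project(indices, SAFE_ALPHABET), True
    return candidate, False

if __name__ == "__main__":
    db = prune_database(RAW_DATABASE)
    print("pruned database:", db)                        # ['COCK']
    print(generate([0, 2, 14, 2, 10, 23, 24, 25], db))   # ('BCPCKYZZ', True)
```

The pruned list gives the same verdict as the full one on every 8-letter candidate, which is the point of the slide: only the shortest entry of each family is needed.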
Profanity search
• All UBEE MACs generated
• 2^24 = 16777216 passwords
• 32105 (0.19 %) hit the profanity detection
• In every 1000 customers, almost 2 could complain
Profanity stats
# of characters Occurrences
3 23090
4 6014
5 3001
Statistic properties of the password function
Uniformity tests
• H0: the distribution of characters from the alphabet is uniform over characters.
• H_alt: the distribution is not uniform.
Figure: letter frequencies (A–Z) per password position (1 pos … 8 pos) and in total – uniform distribution on characters
Figure: letter frequencies (A–Z) per password position (1 pos … 8 pos) and in total – output alphabet projection distribution
Figure: letter frequencies (A–Z) per password position (1 pos … 8 pos) and in total – do not strip the entropy
Figure: letter frequencies (A–Z) per password position (1 pos … 8 pos) and in total – do only one hashing, no home-brew mangling
Password gen conclusion
• Uses only MAC as an input
• Only one password guess
• Very effective – 2 MD5 hashes
• Compared to Blasty (router serial ID space brute-forcing)
More vulnerabilities
UBEE vulnerabilities
• UPC Wi-Free can be sniffed
• After gaining root access, Wi-Free can be sniffed / tampered with
• Authentication bypass (backdoor)
• http://192.168.0.1/cgi-bin/setup.cgi?factoryBypass=1
• Insecure session management
• no cookies – the session is authenticated by IP address only
• Local file inclusion
http://192.168.0.1/cgi-bin/setup.cgi?gonext=../www/main2
• Buffer overflow in configuration file request
http://192.168.0.1/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
• Backup file disclosure – not deleted, publicly available
http://192.168.0.1/Configuration_file.cfg
• Backup file is not encrypted
• Web asks for password for backup encryption
• Backup is not actually encrypted, password is stored in plaintext
• Backup restore buffer overflow
• Password longer than 65536 characters
• Arbitrary code execution
• Backup file = tar, can contain symbolic links
• After extraction can overwrite CGI scripts
War driving #1 – Brno, 02/2016
Total networks: 17 516
UPC networks: 2 868 (16.37 % of all networks)
UPC vulnerable: 1 835 (63.98 % of UPC)
UPC UBEE vulnerable: 443 (15.45 % of UPC)
UPC Technicolor vulnerable: 1 392 (48.54 % of UPC)
UBEE changed: 98 (18.11 % of UBEE)
Technicolor changed: 304 (17.92 % of Technicolor)
War driving #2 – Bratislava, 10/2016
Total networks: 22 172
UPC networks: 3 092 (13.95 % of all networks)
UPC vulnerable: 1 327 (42.92 % of UPC)
UPC UBEE vulnerable: 822 (26.58 % of UPC)
UPC Technicolor vulnerable: 505 (16.33 % of UPC)
UBEE changed: 205 (19.96 % of UBEE)
Technicolor changed: 96 (3.10 % of Technicolor)
Compal CH7465LG: 930 (30.08 % of UPC)
New target
• Security Swiss cheese
• 35 vulnerabilities found by an independent security team
• Default WPA2 seems to be properly implemented – allegedly
Recap
• Firmware dumped
• WPA2 pwd gen reverse engineered
• Function statistical analysis
• Wardriving
• Android app for automated testing
Timeline
• 27. Jan 2016: Start of the analysis.
• 04. Feb 2016: Official disclosure to Liberty Global.
• 04. May 2016: Check with Liberty Global on state of the fix.
• 28. Jun 2016: Sending this article for review to Liberty Global.
• 04. Jul 2016: Publication of the research.
Thank you for your attention!
Questions
References / resources
• https://deadcode.me/blog/2016/07/01/UPC-UBEE-EVW3226-WPA2-Reversing.html
• https://www.freeture.ch/?p=766
• http://jcjc-dev.com/2016/06/08/reversing-huawei-4-dumping-flash/
• https://haxx.in/upc-wifi/
• https://firefart.at/post/upc_ubee_fail/
• http://www.wifileaks.cz/
• http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities
• http://www.search-lab.hu/advisories/secadv-20150720
• http://www.search-lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdf
• https://github.com/devttys0/binwalk