[Repost] Some TP-Link routers have a serious security vulnerability
Posted on: 2014-1-19 20:14 2287

Link:91eK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4u0G2L8%4c8S2N6r3&6S2M7%4u0G2i4K6u0W2N6$3!0J5k6s2m8J5k6i4y4K6i4K6u0W2j5$3!0E0i4K6u0r3x3U0l9I4y4q4)9J5c8U0l9I4i4K6u0r3x3e0q4Q4x3V1k6Z5L8%4N6Q4x3X3c8A6i4K6u0V1M7$3q4$3k6h3c8Q4x3X3c8&6L8%4g2J5i4K6u0V1j5g2)9J5k6r3k6J5L8$3#2Q4x3X3c8@1K9r3g2Q4x3X3c8*7P5h3&6G2M7#2)9J5k6s2u0G2L8g2)9J5k6o6m8Q4x3X3c8S2N6s2c8S2j5$3E0Q4x3X3c8X3N6h3I4D9i4K6u0V1k6r3W2K6j5$3I4G2M7%4g2J5k6g2)9J5c8R3`.`.
HOW I SAVED YOUR A** FROM THE ZYNOS (ROM-0) ATTACK !! ( FULL DISCLOSURE )

Hello everyone, I just wanted to discuss some vulnerability I found and exploited for GOODNESS .. just so that SCRIPT KIDDIES won't attack your home/business network .

Well, in Algeria the main ISP ( Algerie Telecom ) provides you with a router when you pay for an internet plan. So you can conclude that every subscriber is using that router . TD-W8951ND is one of them, I did some ip scanning and I found that every router is using ZYXEL embedded firmware.

Analysis :

Let’s download an update and take a look at it and try to find some vulnerabilities. ( 073K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4c8H3i4K6u0V1L8r3W2F1K9#2)9J5k6h3y4G2L8g2)9J5c8W2u0W2M7$3!0#2M7X3y4W2M7#2)9J5c8Y4y4G2k6Y4c8%4j5i4u0W2i4K6u0r3g2p5c8Q4x3X3c8i4z5o6V1#2x3f1&6p5i4K6g2X3g2U0y4Q4x3X3f1H3i4K6g2X3x3e0p5H3y4K6t1&6i4K6g2X3c8V1W2Q4x3X3g2J5j5i4t1`. )

Image

The ras file is in LIF format !! …
Hmmm let's put that file for Binwalk test for God's sake ! ( check : 74fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3y4G2k6r3g2Q4x3X3g2Y4L8$3!0Y4L8r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6H3i4K6u0r3j5X3W2F1N6$3q4D9K9#2)9J5c8Y4N6A6K9$3W2Q4x3V1k6u0L8Y4y4@1j5h3I4D9j5i4c8A6L8$3^5`. for more information on how to install it ).

This is what Binwalk told me about that file :
Image

You can clearly see and confirm that the router is using zynos firmware. We can also see that there are two blocks of LZMA compressed data … let's extract them and have a look.
Image

The problem is that when I tried to decompress the two blocks I get an error : "Compressed data is corrupt"
Image

Hmm, first the “ras” file was in LIF format .. and now the lzma compress blocks are corrupted !!
I googled this and tried to find a solution for this, FOUND NOTHING . How am I going to solve this ??
One idea came in my mind .. “Strings” command and here is what I got :

Image

Aaaah ! so the blocks aren't compressed with LZMA or anything ! and the whole "ras" firmware file is just a big chunk of data in clear text.
Ok, let’s try and find some useful STRINGS …

After some time searching “I” didn’t find the useful thing that will help us find vulnerabilities on the firmware !!

I didn’t give up …
I just was thinking and questioning :

Me: What do you want from this firmware file !
Me: I want to find remote vulnerabilities that will help me extract the “admin” password.
Me: Does the web interface let you save the current configuration ?
Image

Me: yes !!
Me: Is the page password protected ?
Image

Me: No !!! I tried to access that page from a different IP and it didn't require a password !
Ok, enough questions haha ..

Now, when I activated TamperData and clicked "ROMFILE SAVE" I've found out that the rom-0 file is located at "IP/rom-0" and the directory isn't password protected or anything.

So we are able to download the configuration file which contains the “admin” password. I took a look at rom-0 file and couldn’t figure out how to reverse-engineer it, and when you don’t know something it’s not a shame to ask for help .. and that’s what I did !
I contacted "Craig" from devttys0.com, he is an expert when it comes to hacking embedded devices . He's a great guy and he replied to my email and pointed me to 30fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0f1H3i4K6u0W2y4e0N6Q4x3X3f1J5x3U0W2Q4x3X3f1J5y4W2)9J5c8Y4A6&6L8X3!0K6i4K6u0W2M7r3S2H3 which is a free rom-0 file decompressor .

Image

When you upload and submit the rom-0 file there, the php page replies back with the configuration in clear text ( INCLUDING THE PASSWORD ) .

So what I need to do now is to automate the process of :

Download rom-0 file.
Upload it to 175K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0f1H3i4K6u0W2y4e0N6Q4x3X3f1J5x3U0W2Q4x3X3f1J5y4W2)9J5c8Y4A6&6L8X3!0K6i4K6u0W2M7r3S2H3
get the reply back and extract the admin password from it.
loop this process to a range of ip addresses.
And that’s exactly what I did, I opened an OLD OLD poc python script of mine that accessed routers via telnet using the default passwords. So what I just need to do now is to add some functionality to it.

Well I thought about  this, and I’m posting this script online ONLY FOR EDUCATIONAL PURPOSES.

You can find the scripts here : 2d6K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6y4M7V1&6S2M7%4u0G2i4K6u0r3P5Y4W2F1L8%4y4Q4x3X3c8S2N6s2c8S2j5$3E0W2M7W2)9J5c8R3`.`.

Demo :

Image

PS : I OWN ALL THE IP RANGE I WAS SCANNING ” FOR SURE ;) “

Prevention :

Now ! how do you prevent attackers from downloading your rom-0 configuration file and manipulating your router ? This is pretty simple if you think about it ..
You just have to forward port 80 on the router to an unused IP address on your network :
Image (forward)

THAT'S ALL, or if you want to play a little with attackers that are using scripts too .. just forward port 80 to your local http server and put a LARGE file in the root directory and name it rom-0 .. just let them download like 1GB rom-0 file haha haha .. I have also automated the process of port forwarding and I'm running the scripts daily just to prevent hackers from attacking weak users …

In the next post I’ll demonstrate how would a malicious hacker exploit this to hack TONS of networks and get a meterpreter/reverse_shell on every PC on the target network ..

Hope you enjoyed this analysis, if you have anything to add or any questions to ask don’t hesitate to contact me ! BE THEIR HERO, HAPPY HACKING ;)
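Added example (not part of the reposted article): if you take the author's advice and forward port 80 to a local HTTP server, that server's access log records every attempt to fetch the rom-0 configuration file. This script parses constructed combined-format log lines (sample data, not real traffic) and counts rom-0 download attempts per source address, so you can see who is probing your network and whether any request was actually served.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log layout; the referer/user-agent pair is optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Path of the ZynOS configuration dump discussed in the post.
ROM0_PATHS = {"/rom-0"}

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_rom0_requests(lines):
    """Yield parsed entries whose request path (query string stripped) is rom-0."""
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0]
        if path.lower() in ROM0_PATHS:
            yield entry

def summarize(lines):
    """Count rom-0 attempts per source IP and how many got a 2xx (i.e. were served)."""
    per_ip = Counter()
    served = 0
    for e in find_rom0_requests(lines):
        per_ip[e["ip"]] += 1
        if e["status"].startswith("2"):
            served += 1
    return per_ip, served

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jan/2014:20:10:01 +0100] "GET /rom-0 HTTP/1.1" 200 16384 "-" "python-requests/2.2.1"',
    '203.0.113.5 - - [19/Jan/2014:20:10:02 +0100] "GET /rom-0?x=1 HTTP/1.1" 200 16384 "-" "python-requests/2.2.1"',
    '198.51.100.7 - - [19/Jan/2014:20:11:15 +0100] "GET /ROM-0 HTTP/1.0" 403 199 "-" "-"',
    '192.0.2.9 - - [19/Jan/2014:20:12:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    per_ip, served = summarize(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} rom-0 request(s)")
    print(f"served with 2xx: {served}")
```

A non-zero "served" count on a real router (rather than a honeypot) means the configuration file, and the admin password inside it, has already been handed out.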


Latest replies (4)
Others have already finished patching this... and you're only reposting it now...
2014-1-19 20:44
It's in English, very classy.
2014-1-19 22:46
What can it do?
2014-1-20 03:25
Remotely obtain the router's password.
2014-1-20 14:51