Technicolor TG784n v3 hidden dangers and privilege escalation (made simple)

If you are reading this post: congratulations! You are reading my first post ever on a blog.

I am pretty sure that, if you like security, we share some concerns about the internet-connected devices in your house, especially those you can’t fully understand (in my case smartphones and ISP devices). This post is about the latter: even though I am not familiar with Technicolor routers, I am still familiar with routers in general. I wanted to answer the question:

What services does my router offer, especially to the outside world?

First, a little background:

Some of the things I will say here are not rocket science and you most likely know them already, but I think it is still worth reiterating, because this blog intends to bring security solutions and concerns to everyone. The internet device you see in your house, which was put there by your Internet Service Provider (ISP), routes traffic between your internal devices, and between them and the internet. You may have dozens of internet-connected devices in your house, each with a different (private) IP address, but they are all mapped to a single public IP address given by your ISP, which identifies your network to the world. That mapping is done using NAT+PAT (Network Address Translation + Port Address Translation): since multiple private addresses are mapped to a single public one, packets from different internal devices must be distinguished by port. Networking 101 is over! Time to get to the interesting parts.

ISP routers offer multiple services to network users (e.g. DNS, FTP, an HTTP management page, Telnet for router management). I knew this already, but I was curious to find out which other services were there. These services are typically protected from outside access, i.e., only users with private addresses may reach them, which makes sense. The services I really wanted to know more about, though, were the external ones, available on the public address of the router (a router can expose different services on different addresses by playing with the firewall).

I started with the internal network. Nmap to the rescue:

nmap -p0- -A -T5 -v default_gateway

where:
-p0-: all ports from 0 to 65535
-A: aggressive/advanced mode, which performs OS/service fingerprinting and traceroute
-T5: maximum speed (I am scanning the router in my own house)
-v: show verbose output
default_gateway: the router address your devices use to send traffic to networks other than your own (e.g. the internet)

Nmap reported six open ports (services):

    • 21 (FTP): to store files. Typically used by the media center capabilities of the router.
    • 23 (Telnet): to allow router management. If you trust your family you may keep Telnet.
    • 53 (DNS): used by your network devices for name resolution.
    • 80 (HTTP): user-friendly/limited/buggy administration alternative.
    • 443 (SSL): reported as remote management.
    • 1723 (PPTP): VPN server, I suppose.

The only service ringing my paranoid bells is 443 (SSL). Yet, it is seen internally, so I ignored it for the time being and skipped to the true troublemaker: the external IP. I ran the same Nmap command, but this time against my public address (check yours at whatismyipaddress.com). I also ran Nmap from a public server, to rule out firewall restrictions and make the scan more realistic. Nmap reported one open port, 51005, but could not identify clearly what service was behind it:

CWMP server port open

So I tried to connect to that port using the browser and received this:

HTTP response from 51005

I don’t know about you, but I had to change my pants after this piece of intel. So I searched for the port and the router model and found out that this service was a server for CWMP, the CPE (Customer-Premises Equipment) WAN Management Protocol. An acronym inside an acronym made me fetch another fresh pair. I am far from an expert on this remote management protocol, but both words sound suspicious, so I wanted to stop that service; I could not find the option on the web interface, though (work smart, not hard). Just out of curiosity I checked other addresses in my operator’s range and noticed that they were running the same service. The passwords are most likely the same for every router, and I will dig deeper into that later.

So I tried to telnet into my router with the same user/password as the web interface: Administrator with a blank password. Yes, the password is blank. Routers’ default administrator accounts are widely known to be limited (cough… useless… cough cough). The services running on this router can be listed with: service system list (either directly or by going through each menu: service => system => list). As I expected, the service was not shown to the Administrator account (it couldn’t even access the system menu), which led me to search for the root password, the debug password and privilege escalation, but Google had no solution. Some people suggested going to the FTP server, getting the user.ini config, modifying it and replacing it, but the Administrator user couldn’t even ls the current directory (WTF?). Then I found out about another user:password, upgrade:Th0ms0n!, which apparently had more privileges. I tried it on the Telnet server, where it was not enabled, but it worked on the FTP server and I managed to get the user.ini:

I searched user.ini for Administrator and found this:

Users and roles relations

Sorry for blurring the hashes. It is not that I don’t trust you but… I don’t. Through the web administration page source, I managed to find out what hash2 was (MD5, really? says my mom). I could not find the meaning of the other fields, but the role key is interesting. So I changed the Administrator role to root, uploaded the new file and restarted the router. Once more, I FTPed to the router as Administrator but couldn’t even ls, bro! I checked the Administrator entry in user.ini and noticed that the role was once more Administrator… weird… I checked the files in the main FTP directory again and found another interesting file: security.cfg, with the following interesting entries prefixed with r (there were more):

Roles definition

Well, I guess I hit the culprit. I assumed the r’s meant roles, which makes this some sort of hierarchy (genius!) where Administrator is a weak/limited role. I also assumed that after the second “;” come the capabilities of the role. SuperUser seems all juiced up, since it inherits from root and has lots of any’s, so:

Setting Administrator with the same privileges as SuperUser

I tried:

rAdministrator;root

in the hope of getting all privileges from root (no specification == default == full power), but I assume I must specify them. After this I could finally access the router services menu and turn off the CWMP service:

Enabled 51005 service

As you can see, there are two CWMPs (-C and -S, Client and Server respectively). This is because the operator may connect to the router’s CWMP-S, and the router may contact an operator CWMP server to retrieve configurations. The client CWMP concerns me too, since I am not sure whether the operator may push different configurations, leaving me once more out of the cool root group, but I will worry about that later.

How do I turn off this service then?

The Technicolor router has (as expected) an interface similar to other, more widely used routers (the notion of menus and submenus). “?” lists the available commands; when you type a command and press enter you go to that command’s menu, and to go back you just type “..” (shell users will find this familiar). To disable the service, type service, then system and then modify. You will be asked for name, state, port, qoslabel, etc. Just put the name “CWMP-S” and the state “disabled”. Leave the others empty (just press enter until you see a message):

:service system modify name=CWMP-S state=disabled

To finish, just type “saveall”, press enter and wait to see the prompt again, and you are ready to go! I re-scanned my public IP and the service was no longer available (one less thing to worry about).
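The re-scan above is the step that actually proves the change took effect. As an added example (not the post’s own tooling), here is a small WAN-side re-check of that one port: it assumes the port the post observed (51005) and that a live CWMP-S listener (CWMP is the protocol also known as TR-069) answers a plain HTTP request, as the browser test in the post showed; the target address is a placeholder you replace with your own public IP, and it must be run from a host outside your LAN.

```python
"""WAN-side re-check that the CWMP-S listener on port 51005 is gone.

Added example for this post, not the author's own code.  Assumes the
port seen in the post and that a live listener answers HTTP, as the
post's browser test showed.
"""
import socket
import sys

CWMP_PORT = 51005  # port Nmap reported open on the public address in the post


def probe(host: str, port: int = CWMP_PORT, timeout: float = 3.0):
    """Connect to host:port and send a minimal HTTP request.

    Returns (connected, reply): connected is False when the port is closed
    or filtered; reply is the raw bytes received, or None if the service
    accepted the connection but sent nothing before the timeout.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # refused, unreachable, or timed out while connecting
        return False, None
    with sock:
        try:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = sock.recv(4096)
        except OSError:  # recv timeout or reset after connecting
            return True, None
    return True, reply or None


def classify(connected: bool, reply) -> str:
    """Map a probe result to a verdict.  After
    'service system modify name=CWMP-S state=disabled' + 'saveall',
    the only acceptable verdict from the outside is 'closed'."""
    if not connected:
        return "closed"
    if reply is None:
        return "open-silent"  # something still listens, even if it says nothing
    if reply.startswith(b"HTTP/"):
        status = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return "open-http:" + status  # what the post saw before the fix
    return "open-unknown"


if __name__ == "__main__":
    # Replace the placeholder with your own public address (see the post).
    target = sys.argv[1] if len(sys.argv) > 1 else "YOUR_PUBLIC_IP_PLACEHOLDER"
    print(classify(*probe(target)))
```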

Final considerations

This post was meant for the more paranoid people. To be honest, I had never messed with this router before, but after escalating privileges I will now customize it to my needs (i.e. mess with the firewall and IDS). I am not implying with this post that you should disable the remote management service for fear that your ISP may connect to it. I am not even sure of the management capabilities of this service. I am more concerned with the possibility of a malicious hacker brute-forcing my router, or using a leaked password, which I am pretty sure is the same as on every other router from the same ISP. I did not mention it, but you should always keep a backup of the modified files (I keep .save files on the FTP server). In future posts I may analyze the stored passwords to check whether I can find the default service password. This post is huge, as you may have noticed, but it is my first and I wanted you to get to know my writing style and myself a little better.

Stay safe 😉
