This document discusses vulnerabilities in the TR-064 and TR-069 protocols for managing broadband network devices. It describes how TR-064 implementations shipped with no password protection and readable credentials, allowing full device access. It also recounts prior vulnerabilities such as Misfortune Cookie, which allowed bypassing authentication in TR-069. The document then demonstrates how exploiting a persistent cross-site scripting vulnerability in the FreeACS server software through TR-069 requests could allow adding an administrative user and completely compromising the server, potentially allowing an attacker to reconfigure millions of networked devices.
2. ABOUT.ME
• Security Researcher at Xiphos Research
• Been poking embedded stuff with a pointy stick for ages.
• Formerly: Forensics student, pharmaceuticals student, internet miscreant…
• “Proper Bad Dodgy”, “Unprofessional”, “Childish”, “A bad influence”…
3. WHAT WE WILL BE TALKING ABOUT
• The TR-064 Protocol – and related vulnerabilities (TR-06FAIL, etc…)
• The TR-069 Protocol – and related vulnerabilities (Misfortune Cookie, etc…)
• Hacking ACS Servers for World Domination.
• Other Stuff in No Particular Order.
4. BEFORE WE BEGIN
• See the excellent prior art on this subject by Shahar Tal.
• “I Hunt TR-069 Admins” and the “Misfortune Cookie” research.
• Also, worth reading the specs I link to and trying some of this for yourself.
5. FIRSTLY, A PRIMER ON TR-XXX
• TR-XXX are DSL Forum Specifications.
• Basically define specifications for protocols and such to manage broadband networks, for ISPs to follow/implement/ignore.
• Of interest today are TR-064 and TR-069, but there are many others…
6. TR-064
• TR-064 is “LAN-Side DSL CPE Configuration”.
• Specification outlines a SOAP based protocol to allow configuration of CPE devices from the LAN side, for example, by “Broadband Setup” software shipped to consumers.
• https://www.broadband-forum.org/technical/download/TR-064.pdf
7. TR-069
• “CPE WAN Management Protocol” (CWMP)
• Outlines the protocol for management of CPE devices over WAN. Also SOAP based, and disgustingly complicated at first glance.
• https://www.broadband-forum.org/technical/download/TR-069_Amendment-5.pdf (yes, it’s on version 5…)
8. LET’S TALK ABOUT TR-064 A BIT…
• TR-064 allows managing ANY setting on a CPE device.
• (provided you are on the LAN side of the device…)
• Has total read/write to full device configuration.
• ACS Configuration (for TR-069 access…)
• DNS settings…
• Wireless Security settings…
• Actually comes with some “security” requirements…
9. TR-064 SECURITY SPECIFICATIONS
• “Access to any action that allows configuration changes to the CPE MUST be password protected.”
• “Access to any password-protected action MUST require HTTP digest authentication.”
• “Sensitive information, such as passwords, MUST NOT be readable at all.”
• It’s also only meant to listen on the LAN interface…
11. TR-064 SECURITY REALITIES, OR “TR-06FAIL”
• Password Protected? Oh hell no!
• Actual credentials (WiFi keys…) readable in plaintext? Oh hell yes!
• Accessible via the internet? Oh hell yes!
• BONUS TRIVIAL COMMAND INJECTION VULN? WHY NOT?!
14. AS DID TALKTALK… AND POST OFFICE… ETC…
Everyone had a bad time with this… TalkTalk, Eircom, Post Office, Demon, etc…
15. SO, WHO DID IT?
WHERE IS THE ATTRIBUTION PARTY?
16. NATURALLY, SKIDDIES…
I know you can’t actually read this. But it’s the source code of one of the TR-064 exploits that script kiddies are using to spread malware…
The important part is:
<NewNTPServer1>
`commands here`
</NewNTPServer1>
… Trivial command injection
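As an added example (not the talk's code, and not from any of the exploits it mentions), a defender-side check for the NewNTPServer injection shown above: it parses a TR-064 SetNTPServers request and flags any NewNTPServer value that is not a plain hostname or IPv4 address, which is what an ACS, a gateway front-end or an IDS should reject before the value reaches a shell. The two SOAP bodies are constructed samples, and the Time:1 service and action names are taken from the TR-064 spec as an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample TR-064 SetNTPServers requests (not taken from the talk).
# NewNTPServer1 should carry a hostname or IPv4 address; anything else is suspicious.
BENIGN_REQUEST = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
   <NewNTPServer1>pool.ntp.org</NewNTPServer1>
  </u:SetNTPServers>
 </s:Body>
</s:Envelope>"""

SUSPICIOUS_REQUEST = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
   <NewNTPServer1>`commands here`</NewNTPServer1>
  </u:SetNTPServers>
 </s:Body>
</s:Envelope>"""

# Allowlist for an NTP server value: a dotted IPv4 address or a DNS hostname.
# Backticks, semicolons, spaces and the like are all outside this class.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

def _local_name(tag):
    """Strip an XML namespace prefix like '{urn:...}' from a tag name."""
    return tag.rsplit("}", 1)[-1]

def find_bad_ntp_values(soap_body):
    """Return (element, value) pairs whose NewNTPServer* value fails the allowlist.

    An empty list means the body parsed and every value looked like a host.
    Unparseable XML is reported too: a real TR-064 client sends well-formed SOAP.
    """
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError as exc:
        return [("<parse-error>", str(exc))]
    findings = []
    for elem in root.iter():
        name = _local_name(elem.tag)
        if not name.startswith("NewNTPServer"):
            continue
        value = (elem.text or "").strip()
        if not HOST_RE.match(value):
            findings.append((name, value))
    return findings
```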
17. THIS WAS NOT THE FIRST TIME, EITHER…
• Before TR-06FAIL happened, we had Misfortune Cookie.
• Affected the same RomPager server.
• Affected the TR-069 component.
• Allowed remotely accessing the device without authentication, due to what was effectively a write-what-where kind of issue.
18. MISFORTUNE COOKIE TL;DR
• Allows overwriting internal state variables on the TR-069 service on the router.
• Below is from a PoC from Kenzo, exploits Eircom “P-660HW-T1 v3”.
• # Bypass the CWMP port check. Bypass the password check
• headers = {"Cookie": "C88605=AAAAAAAA;C107257012=\x08\x0b\x27\x19\x66\x40\xb0\x21;C107257012=\x08\x0b\x27\x19"}
19. LET’S TALK ABOUT TR-069…
• Another DSL Forum Specification.
• Has a bit about security in it.
• Supports TLS! And Authentication!
• Protocol is a total fucking mess. “Designed by Committee” kind of crap.
20. TR-069…
• SSL/TLS is totally optional.
• Some setups are super solid, with mutual auth (client-side certs, pinning…), others are plaintext.
• Authentication? Also kind of optional.
• CPE to ACS often uses basic-auth… Kinda. It often uses the “username” as an identifier.
• ACS to CPE is often TLS (client cert) but can be shared secret without TLS.
21. TR-069…
• Lots of XML trash in the protocol.
• Built on STUN, SOAP, and there are also parts of it that use XMPP…
• Attack surface is immense.
22. SO, WE KNOW THE CPE END IS A CROCK OF SHIT.
• What about the ISP end?
• Surely the ISP are securing their servers very, very well?
• Surely the ISP ACS software is ROCK SOLID ENTERPRISE SOFTWARE!?!?
• Surely TR-069 can’t be as bad as you say, right?
23. AND NOW FOR THE SECOND ACT
IN WHICH WE GO HACK THE PLANET.
25. WORLD DOMINATION
• So, say, we wanted to hack CPE devices en-masse.
• But we did not feel particularly inclined to actually go hack them one at a time, even with botnet/scanning/etc…
• We want to do them all in one go…
26. I DECIDED TO START AUDITING ACS SERVERS.
• Hacking an ACS server is way quicker than hacking millions of CPEs one at a time.
• Auditing has gone slowly. Free time project.
• In today’s talk, we discuss some hilarious 0day in FreeACS.
27. DISCLOSURE TIMELINE(S)
• At some point in the last while: Found bugs in FreeACS
• Between then and now: Worked on weaponizing Said Bugs.
• Today: Public Disclosure of Said Bugs.
28. FREEACS
• FreeACS has been around for absolutely ages.
• Seems to be maintained by one person, maybe a small group…
• Technologies Used:
• Apache Tomcat (ew, Java)
• MySQL
29. FREEACS
• “The Most Complete TR-069 ACS available for free under the MIT License.”
• Most Complete = Most Attack Surface.
• I don’t think I have even scratched the surface here…
31. LOWEST HANGING FRUIT
• Default Login Credentials: admin/xaps (do people change this?)
• Shodan: title:FreeACS
• Google: intitle:"FreeACS Web Web"
• Try Censys.io, Bing, etc… Scan some ports… Etc
32. POST-AUTH IS MADE OF XSS WITH OPTIONAL ACS
• Found a bunch of reflected XSS vulns post-auth.
• Pretty much every parameter ever will reflect some XSS.
• Post-Auth, so who cares, but have some screenshots anyway…
36. WE WANT THE FOLLOWING THINGS…
• Pre-Authentication (can’t rely on cracking a login or default credentials)
• Remote (exploitable over the internet.)
• Privileged Access (gives us “Admin” role on the ACS server)
• Easy (because, let’s face it, we want to do world domination on the cheap!)
37. WHAT’S THE PRE-AUTH ATTACK SURFACE?
• Well, it’s pretty huge.
• Easiest is to attack from the perspective of a TR-069 client.
• So I set about creating a valid CWMP Notify message to send.
39. WE TRIED FUZZING THE XML…
• I got my testing instance to cease responding a bunch of times.
• I got bored really, really fast.
• So I thought back to “is there something else I can attack here?”
40. TR-069/CWMP NOTIFY MESSAGES
• So there’s the XML.
• What is missing in that example is the auth.
• It uses Basic Auth.
41. CWMP NOTIFY AND BASIC AUTH.
• Turns out the HTTP Basic Auth “username” is used to denote which device.
• Used as a unique identifier.
• So it’s input into things and messed with… And Basic Auth is a loose spec of user input…
42. THE POSSIBLY UNEXPLOITABLE…
• TL;DR: The Basic-Auth username is passed into a SQL query with no sanitizing.
• It leads to a fairly trivial SQL injection vulnerability (in theory).
• However, there is a char-length limit that meant I couldn’t get anything working easily. Someone else might figure it out.
• You CAN cause a perma-DoS of the ACS, however, with a broken SQL statement…
43. THE EASILY EXPLOITABLE
• Username is totally unsanitized.
• Username shows up in the UI a load of times when doing ACS admin things.
• So maybe we can get some nice XSS?
44. PERSISTENT XSS IN ADMIN
• TL;DR it worked.
• Persistent XSS in admin area via a CWMP Notify Message.
• Some payload limitations – char length and the likes…
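An added example, not FreeACS code, showing how an ACS could handle the CWMP Basic Auth username safely, covering both the SQL path from slide 42 and the admin-UI path from slides 43 and 44: the identifier is allowlisted before it reaches either sink, the unit lookup is parameterised, and the value is HTML-escaped on output. The device-ID pattern, the header parser and the in-memory unit table are assumptions made for the example.

```python
import base64
import binascii
import html
import re
import sqlite3

# Assumed identifier policy (not FreeACS's own rule): the operator provisions ACS
# usernames, so a tight allowlist of OUI/serial-style characters is reasonable.
DEVICE_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")

def basic_header(username, password):
    """Build an 'Authorization: Basic' value; used only to construct sample input."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def parse_basic_auth(header_value):
    """Decode a Basic header into (username, password); None if the scheme,
    the base64 or the 'user:pass' shape is wrong, rather than guessing."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def is_valid_device_id(username):
    """Allowlist check applied before the identifier reaches SQL or the admin UI."""
    return bool(DEVICE_ID_RE.match(username))

def lookup_unit(conn, username):
    """Parameterised lookup: the identifier is bound, never spliced into the SQL."""
    row = conn.execute("SELECT unit_id FROM unit WHERE unit_id = ?", (username,)).fetchone()
    return row[0] if row else None

def render_unit_cell(username):
    """HTML-escape the identifier so a stored value cannot run as script in the UI."""
    return "<td>%s</td>" % html.escape(username, quote=True)

def make_demo_db():
    """Constructed in-memory table standing in for the ACS unit table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE unit (unit_id TEXT PRIMARY KEY)")
    conn.execute("INSERT INTO unit VALUES ('001122-SN123456')")
    return conn
```

A CWMP Inform whose username fails `is_valid_device_id` should be rejected with 401 and logged, since a legitimately provisioned device never needs quotes or angle brackets in its identifier.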
47. SO WE CAN INJECT REMOTE JS INTO ADMIN…
• Now let’s fully take over the ACS…
• I figured the easiest way to do this is to add a new admin user…
• So let’s look at how that plays out…
48. ADDING A NEW ADMIN USER
• It is just a POST request.
• No CSRF tokens or XSS protection going on here.
• We can do this in JavaScript we copied and pasted from Stack Overflow!
52. SO… WHAT DO…
• Scan Internet/Shodan/Censys/Google for FreeACS Servers.
• Inject our XSS via CWMP NOTIFY message.
• Wait a while for payloads to fire…
• Hack the Planet!
53. WHAT WE CAN DO WITH HACKED ACS?
• We can reconfigure settings on all clients (think: all users of the ISP)
• Change everyone’s DNS servers for a mass pharming attack or worse :D
• We can reflash firmware on all clients – persistent mass rootkitting.
• Imagine the cleanup costs of this?
• We can probably mess with billing or provision new devices, perhaps…
55. THANKS
• BSides Edinburgh Organizers!
• Shahar Tal, kenzo, and others for the prior-art.
• Coworkers and friends (LizardHQ, etc…) for helping
• Cybergibbons and Ken from PTP
• The DSL Forum, for writing hilarious specs.
• Vendors and software developers for keeping me in a job.
• You, for putting up with this utter nonsense
56. YOU MAY SUBSCRIBE TO MY NEWSLETTER
• Email (which constantly goes unanswered):
darren.martyn@xiphosresearch.co.uk
• XMPP (will be ignored if you don’t use OTR…):
infodox@jabber.ccc.de
• Twitter (actually might get a response!)
@info_dox
• mastodon.social (the new super hip not-twitter thing)
@lsd