
UPC router reverse engineering - case study


Security analysis of the UPC UBEE EVW3226 router: reverse engineering of the firmware and of the WPA2 password generation algorithm. A statistical analysis of the password generation function is provided, along with results from wardriving.



  1. UPC router reverse engineering: Messing around the firmware & digging for WPA2 password generator. Dušan Klinec, Miroslav Svítok, deadcode.me
  2. The beginning of the story
  3. The beginning of the story • 31.12.2015 • https://haxx.in/upc_keys.c
  4. The weakness • Default SSID & password computed from public information (diagram: Serial ID SAAP12345678 → SSID, PASSWD) • Derivation: MD5 + some home-brew mangling
  5. The attack • Brute force, complexity = 1e8 iterations • For all serial ID combinations: compute SSID, if it matches, print passwd (diagram: Serial ID SAAP12345678 → SSID, PASSWD)
  6. The attack • 20 password candidates on average • Under 2 seconds on Samsung Galaxy S7 (diagram: Serial ID SAAP12345678 → SSID, PASSWD)
  7. Technicolor TC 7200 • 48.53 % of all UPC[0-9]{7} networks in Brno 02/2016 • Vulnerable modem (* 2868 UPC samples collected / 17516 total)
  8. UBEE EVW 3226 • 15.44 % of all UPC[0-9]{7} networks in Brno 02/2016 • Not-yet-vulnerable modem (* 2868 UPC samples collected / 17516 total)
  9. Attack outline • Get the firmware • Analyze binaries generating wifi config files • Reverse engineer password generating routine
  10. Getting the firmware – UART
  11. Getting the firmware – UART • Some soldering needed • USB-UART bridge (2 USD on eBay)
  12. Getting the firmware – UART • Collect information – e.g., memory layout, kernel, compression, encryption, … • Modify boot arguments, dump flash • Default credentials / no-auth access to CLI
  13. Getting the firmware – UART
  14. Getting the firmware – EEPROM read
  15. Getting the firmware – old school way
  16. Getting the firmware – old school way • USB-SPI bridge (BusPirate / other) • Dump flash memory • Use binwalk to analyze the dump • Decompress (squashfs, lzma) the FS, kernel
  17. Getting the firmware – old school way
  18. Getting the firmware – without getting hands dirty
  19. Getting the firmware #2 • Attacking the software / APIs • Command injection / code execution • Unsanitized input data in administration interface • Ping command, traceroute command • https://firefart.at/post/upc_ubee_fail/
  20. Getting the firmware #2 • Via system vulnerability using USB port • .auto file is executed if USB is named “EVW3226” • https://firefart.at/post/upc_ubee_fail/
  21. Getting the firmware #2 • Rewrite /etc/passwd with a new admin password • Start SSH server on the router • Enjoy the root access
  22. Getting the firmware • DD all block devices to the USB flash drive • Tar the whole FS to the USB flash drive
  23. Searching the firmware • # cli → IMAGE_NAME=vgwsdk-3.5.0.24-150324.img FSSTAMP=20150324141918 VERSION=EVW3226_1.0.20
  24. Searching the firmware • # ps -a → 5681 admin 1924 S hostapd -B /tmp/secath0
  25. Searching the firmware • # cat /tmp/secath0 → interface=ath0 bridge=rndbr1 dump_file=/tmp/hostapd.dump ctrl_interface=/var/run/hostapd ssid=UPC2659797 wpa=3 wpa_passphrase=IVGDQAMI wpa_key_mgmt=WPA-PSK
  26. Searching the firmware • # find . -type f -exec grep -il 'secath0' {} \; → ./fss/gw/lib/libUtility.so ./fss/gw/usr/sbin/aimDaemon ./fss/gw/usr/www/cgi-bin/setup.cgi ./var/tmp/conf_filename ./var/tmp/www/cgi-bin/setup.cgi
  27. Searching the firmware
  28. Searching the firmware
  29. Searching the firmware
  30. Searching the firmware
  31. That’s not all…
  32. Profanities • Profanity found? Switch to non-insulting alphabet • BBCDFFGHJJKLMNPQRSTVVWXYZZ
  33. Non-optimal • Contains a lot of duplicate entries, varying case • toupper() at runtime – database case mixed • Some entries cannot be generated at all, e.g. PROSTITUTE (10 characters, password has 8)
  34. Non-optimal • Substring search test • More efficient to remove substrings from database • “COCK”, “COCKS”, “COCKY”, “ACOCK” • (Only the first one is needed, the rest is redundant)
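An added example (not the deck's or the router's own code) of the two clean-ups slides 33 and 34 call for: build the profanity database once in upper case, drop entries that cannot fit in an 8-character password, and keep only the shortest word of each substring family. The SAFE_ALPHABET re-encoding is an assumed mapping (letter index selects the fallback character); the slides only show the alphabet itself.

```python
PASSWORD_LEN = 8  # generated passwords are 8 characters long (slide 33)

# Vowel-free fallback alphabet from slide 32; the per-letter mapping in
# to_safe_alphabet() is an assumption, the slides do not show the router's indexing.
SAFE_ALPHABET = "BBCDFFGHJJKLMNPQRSTVVWXYZZ"


def minimize_profanity_db(entries, max_len=PASSWORD_LEN):
    """Shrink a profanity list without changing what the substring test matches."""
    # toupper() once when the database is built, not on every lookup (slide 33)
    words = {w.strip().upper() for w in entries if w.strip()}
    # a word longer than the password can never be one of its substrings (slide 33)
    words = {w for w in words if len(w) <= max_len}
    # shortest first: a word that already contains a kept word is redundant,
    # e.g. COCKS, COCKY and ACOCK add nothing once COCK is present (slide 34)
    minimal = []
    for w in sorted(words, key=lambda s: (len(s), s)):
        if not any(kept in w for kept in minimal):
            minimal.append(w)
    return sorted(minimal)


def contains_profanity(password, minimal_db):
    """The substring test applied to every candidate password."""
    pw = password.upper()
    return any(w in pw for w in minimal_db)


def to_safe_alphabet(password):
    """Re-encode a flagged password into the fallback alphabet
    (assumed mapping: letter index A=0..Z=25 selects the fallback character)."""
    return "".join(SAFE_ALPHABET[ord(c) - ord("A")] for c in password.upper())


if __name__ == "__main__":
    # constructed input using the entries quoted on slides 33 and 34
    db = minimize_profanity_db(["cock", "COCKS", "Cocky", "ACOCK", "PROSTITUTE"])
    print(db)                                  # ['COCK']
    print(contains_profanity("XACOCKYZ", db))  # True
    print(to_safe_alphabet("XACOCKYZ"))        # YBCPCKZZ
```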
  35. Profanity search • All UBEE MACs generated • 2^24 = 16777216 passwords • 32105 (0.19 %) hit the profanity detection • Of every 1000 customers, almost 2 could complain
  36. Profanity stats • Profanity length vs. occurrences: 3 characters: 23090 • 4 characters: 6014 • 5 characters: 3001
  37. Profanity stats
  38. Statistical properties of the password function
  39. Uniformity tests
  40. Uniformity tests • H0: the distribution of characters from the alphabet is uniform over characters. • H1 (alternative): the distribution is not uniform.
  41. Uniformity tests • Uniform distribution on characters (heatmap: characters A–Z vs. password positions 1–8 and total)
  42. Uniformity tests • Output alphabet projection distribution (heatmap: characters A–Z vs. password positions 1–8 and total)
  43. Uniformity tests • Do not strip the entropy (heatmap: characters A–Z vs. password positions 1–8 and total)
  44. Uniformity tests • Do only one hashing – no homebrew mangling (heatmap: characters A–Z vs. password positions 1–8 and total)
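A worked version of the uniformity test on slide 40, added here as an example rather than taken from the authors' analysis: it assumes a chi-square goodness-of-fit test per password position (the slides do not name the test) against the 26-letter output alphabet, with constructed samples standing in for generated passwords.

```python
import string

ALPHABET = string.ascii_uppercase  # the 26 output characters of the heatmaps (slides 41-44)
PASSWORD_LEN = 8
# chi-square critical value for 25 degrees of freedom at alpha = 0.05
CHI2_CRIT_DF25_P05 = 37.652


def position_counts(passwords, alphabet=ALPHABET, length=PASSWORD_LEN):
    """counts[pos][char]: how often each character appears at each position."""
    counts = [dict.fromkeys(alphabet, 0) for _ in range(length)]
    for pw in passwords:
        if len(pw) != length or any(c not in alphabet for c in pw):
            raise ValueError(f"not a {length}-char password over the alphabet: {pw!r}")
        for pos, ch in enumerate(pw):
            counts[pos][ch] += 1
    return counts


def chi_square(observed, alphabet=ALPHABET):
    """Goodness-of-fit statistic of observed counts against a uniform expectation."""
    n = sum(observed.values())
    if n == 0:
        raise ValueError("no samples")
    expected = n / len(alphabet)
    return sum((observed[c] - expected) ** 2 / expected for c in alphabet)


def uniformity_report(passwords):
    """One statistic per position plus one for the 'total' column; True = H0 kept."""
    counts = position_counts(passwords)
    total = dict.fromkeys(ALPHABET, 0)
    for per_pos in counts:
        for ch, v in per_pos.items():
            total[ch] += v
    stats = [chi_square(c) for c in counts] + [chi_square(total)]
    keep_h0 = [s <= CHI2_CRIT_DF25_P05 for s in stats]
    return stats, keep_h0


if __name__ == "__main__":
    # constructed sample: password i holds letter (i + pos) mod 26 at each position,
    # so every position sees every letter exactly once (perfectly uniform)
    uniform = ["".join(ALPHABET[(i + p) % 26] for p in range(PASSWORD_LEN)) for i in range(26)]
    # constructed sample with the entropy stripped: every password is all 'A'
    biased = ["A" * PASSWORD_LEN] * 26
    for name, sample in (("uniform", uniform), ("biased", biased)):
        stats, keep_h0 = uniformity_report(sample)
        print(name, [round(s, 1) for s in stats], "H0 kept everywhere:", all(keep_h0))
```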
  45. Password gen conclusion • Uses only MAC as an input • Only one password guess • Very effective – 2 MD5 hashes • Compared to Blasty (router serial ID space brute-forcing)
  46. More vulnerabilities
  47. UBEE vulnerabilities • UPC Wi-Free can be sniffed • After gaining root access, Wi-Free can be sniffed / tampered with • Authentication bypass (backdoor): http://192.168.0.1/cgi-bin/setup.cgi?factoryBypass=1
  48. UBEE vulnerabilities • Insecure session management: no cookies, IP address authenticated • Local file inclusion: http://192.168.0.1/cgi-bin/setup.cgi?gonext=../www/main2 • Buffer overflow in configuration file request: http://192.168.0.1/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa • Backup file disclosure – not deleted, publicly available: http://192.168.0.1/Configuration_file.cfg
  49. UBEE vulnerabilities • Backup file is not encrypted: the web UI asks for a password for backup encryption, but the backup is not actually encrypted and the password is stored in plaintext • Backup restore buffer overflow: password longer than 65536 characters • Arbitrary code execution: backup file = tar, can contain symbolic links; after extraction they can overwrite CGI scripts
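An added, defender-side example (not UBEE's firmware code) of the checks a backup restore should run before extracting the uploaded tar, covering the symlink and path-escape cases from slide 49 and the same "../" pattern as the gonext local file inclusion on slide 48; MAX_BACKUP_PASSWORD_LEN and the sample archive are constructed assumptions.

```python
import io
import os
import tarfile

MAX_BACKUP_PASSWORD_LEN = 64  # assumed sane bound; the router overflowed past 65536 (slide 49)


def unsafe_members(tar):
    """List (member name, reason) for entries that a restore must refuse."""
    bad = []
    for m in tar.getmembers():
        norm = os.path.normpath(m.name)
        if m.issym() or m.islnk():
            # a link aimed at the web root lets a later write clobber a CGI script
            bad.append((m.name, "link member"))
        elif os.path.isabs(m.name) or norm == ".." or norm.startswith(".." + os.sep):
            # same "../" escape as the gonext= local file inclusion
            bad.append((m.name, "path escapes the extraction root"))
        elif m.isdev():
            bad.append((m.name, "device node"))
    return bad


def validate_restore(password, blob):
    """Check a restore request before anything touches the filesystem."""
    if len(password) > MAX_BACKUP_PASSWORD_LEN:
        return [("<password>", "longer than %d characters" % MAX_BACKUP_PASSWORD_LEN)]
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return unsafe_members(tar)


def build_backup(entries):
    """Constructed in-memory tar; entries are (name, data) or (name, None, linkname)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, *link in entries:
            info = tarfile.TarInfo(name)
            if link:
                info.type = tarfile.SYMTYPE
                info.linkname = link[0]
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_backup([
        ("config/wifi.conf", b"ssid=UPC0000000\n"),                              # harmless
        ("usr/www/cgi-bin/setup.cgi", None, "/fss/gw/usr/www/cgi-bin/setup.cgi"),  # symlink
        ("../www/main2", b"#!/bin/sh\n"),                                         # escapes root
    ])
    for name, reason in validate_restore("secret", blob):
        print(name, "->", reason)
```

On Python 3.12 and later, passing filter="data" to extractall() applies comparable member checks at extraction time; the pre-check above additionally bounds the password length before the archive is parsed.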
  50. War driving #1 – Brno 02/2016
  51. Total networks: 17 516 • UPC networks: 2 868 (16.37 % of total) • UPC vulnerable: 1 835 (63.98 % of UPC) • UPC UBEE vulnerable: 443 (15.45 % of UPC) • UPC Technicolor vulnerable: 1 392 (48.54 % of UPC) • UBEE changed: 98 (18.11 % of UBEE) • Technicolor changed: 304 (17.92 % of Tech.)
  52. War driving #2 – Bratislava 10/2016
  53. Total networks: 22 172 • UPC networks: 3 092 (13.95 % of total) • UPC vulnerable: 1 327 (42.92 % of UPC) • UPC UBEE vulnerable: 822 (26.58 % of UPC) • UPC Technicolor vulnerable: 505 (16.33 % of UPC) • UBEE changed: 205 (19.96 % of UBEE) • Technicolor changed: 96 (3.10 % of Tech.) • Compal CH7465LG: 930 (30.08 % of UPC)
  54. New target • Security Swiss cheese • 35 vulnerabilities found by independent security team • Default WPA2 seems to be properly implemented - allegedly
  55. Recap • Firmware dumped • WPA2 pwd gen reverse engineered • Function statistical analysis • Wardriving • Android app for automated testing
  56. Timeline • 27. Jan 2016: Start of the analysis. • 04. Feb 2016: Official disclosure to Liberty Global. • 04. May 2016: Check with Liberty Global on state of the fix. • 28. Jun 2016: Sending this article for review to Liberty Global. • 04. Jul 2016: Publication of the research.
  57. Thank you for your attention! Questions?
  58. References / resources • https://deadcode.me/blog/2016/07/01/UPC-UBEE-EVW3226-WPA2-Reversing.html • https://www.freeture.ch/?p=766 • http://jcjc-dev.com/2016/06/08/reversing-huawei-4-dumping-flash/ • https://haxx.in/upc-wifi/ • https://firefart.at/post/upc_ubee_fail/ • http://www.wifileaks.cz/ • http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities • http://www.search-lab.hu/advisories/secadv-20150720 • http://www.search-lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdf • https://github.com/devttys0/binwalk
