Security analysis of the UPC UBEE EVW3226 router, reverse engineering, WPA2 password generation algorithm. Statistic analysis of the password generation function is provided. Results from the wardriving.
Dusan KlinecCTO / co-founder at PhoneX Security - šifrovaná komunikace - encrypted/secure communication
4. The weakness
• Default SSID & Passwd computation from public
information
Serial ID
SAAP12345678
SSID
PASSWD
Derivation: MD5 + some home-brew mangling
5. The attack
• Bruteforce, complexity = 1e8 iterations
• For all serial ID combinations
• Compute SSID, if matches, print passwd
Serial ID
SAAP12345678
SSID
PASSWD
6. The attack
• 20 password candidates on average
• Under 2 seconds on Samsung Galaxy S7
Serial ID
SAAP12345678
SSID
PASSWD
9. Technicolor TC 7200
48.53 % of all UPC[0-9]{7} networks in Brno 02/2016
Vulnerable modem
* 2868 UPC samples collected / 17516 total
10. UBEE EVW 3226
15.44 % of all UPC[0-9]{7} networks in Brno 02/2016
Not-yet-vulnerable modem
* 2868 UPC samples collected / 17516 total
11. Attack outline
• Get the firmware
• Analyze binaries generating wifi config files
• Reverse engineer password generating routine
18. Getting the firmware – old school way
• USB-SPI bridge (BusPirate / other)
• Dump flash memory
• Use binwalk to analyze the dump
• Decompress (squashfs, lzma) the FS, kernel
21. Getting the firmware #2
• Attacking the software / APIs
• Command injection / code execution
• Unsanitized input data in administration interface
• Ping command, traceroute command
https://firefart.at/post/upc_ubee_fail/
22. Getting the firmware #2
• Via system vulnerability using USB port
• .auto file is executed if USB is named “EVW3226”
https://firefart.at/post/upc_ubee_fail/
23. Getting the firmware #2
• Rewrite /etc/passwd with a new admin password
• Start SSH server on the router
• Enjoy the root access
24. Getting the firmware
• DD all block devices to the USB flash drive
• Tar the whole FS to the USB flash drive
25. Searching the firmware
# cli
IMAGE_NAME=vgwsdk-3.5.0.24-150324.img
FSSTAMP=20150324141918
VERSION=EVW3226_1.0.20
40. Non-optimal
• Contains a lot of duplicate entries, varying case
• toupper() on runtime – database case mixed
• Some entries cannot be generated at all, e.g.
PROSTITUTE (10 characters, password has 8)
41. Non-optimal
• Substring search test
• More efficient to remove substrings from database
• “COCK”, “COCKS”, “COCKY”, “ACOCK”
• (Only the first one is needed, the rest is redundant)
42. Profanity search
• All UBEE MACs generated
• 224 = 16777216 passwords
• 32105 (0.19%) hit the profanity detection
• Cca in 1000 customers, almost 2 could
complain
52. Uniformity tests
• H0: the distribution of characters from the alphabet
is uniform over characters.
• Halt: The distribution is not uniform.
53. Uniformity tests
Uniform distribution on characters
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 pos
2 pos
3 pos
4 pos
5 pos
6 pos
7 pos
8 pos
total
54. Uniformity tests
Output alphabet projection distribution
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 pos
2 pos
3 pos
4 pos
5 pos
6 pos
7 pos
8 pos
total
55. Uniformity tests
Do not strip the entropy
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 pos
2 pos
3 pos
4 pos
5 pos
6 pos
7 pos
8 pos
total
56. Uniformity tests
Do only one hashing – no homebrew mangling
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 pos
2 pos
3 pos
4 pos
5 pos
6 pos
7 pos
8 pos
total
57. Password gen conclusion
• Uses only MAC as an input
• Only one password guess
• Very effective – 2 MD5 hashes
• Compared to Blasty (router serial ID space
brute-forcing)
60. UBEE vulnerabilities
• UPC Wi-Free can be sniffed
• After gaining root access, Wi-Free can be sniffed / tampered with
• Authentication bypass (backdoor)
• http://192.168.0.1/cgi-bin/setup.cgi?factoryBypass=1
61. UBEE vulnerabilities
• Insecure session management
• no-cookies, IP address authenticated
• Local file inclusion
http://192.168.0.1/cgi-bin/setup.cgi?gonext=../www/main2
• Buffer overflow in configuration file request
http://192.168.0.1/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
• Backup file disclosure – not deleted, publicly available
http://192.168.0.1/Configuration_file.cfg
62. UBEE vulnerabilities
• Backup file is not encrypted
• Web asks for password for backup encryption
• Backup is not actually encrypted, password is stored in plaintext
• Backup restore buffer overflow
• Password longer than 65536 characters
• Arbitrary code execution
• Backup file = tar, can contain symbolic links
• After extraction can overwrite CGI scripts
70. New target
• Security Swiss cheese
• 35 vulnerabilities found by
independent security team
• Default WPA2 seems to be
properly implemented -
allegedly
71. Recap
• Firmware dumped
• WPA2 pwd gen reverse engineered
• Function statistical analysis
• Wardriving
• Android app for automated testing
72. Timeline
• 27. Jan 2016: Start of the analysis.
• 04. Feb 2016: Official disclosure to Liberty Global.
• 04. May 2016: Check with Liberty Global on state of
the fix.
• 28. Jun 2016: Sending this article for review to
Liberty Global.
• 04. Jul 2016: Publication of the research.