Just another vulnerable router – The ADB P.RG A4201G case

We decided to take part in the ongoing router-insecurity discussion by assessing the security of the ADB (formerly Pirelli Broadband) P.RG A4201G, a router/VoIP gateway supplied by a popular Greek ISP. During the investigation a few interesting facts about routers and their firmware came to light; they are described in this article.

The router’s management interface is built with HTML and JavaScript. By default there are two accounts: a simple user account given to the subscriber, and an administrative account whose credentials are used only by the ISP in order to provide support and push remote firmware updates. The investigation resulted in the following findings:

1. Multiple CSRF vulnerabilities in the router’s web interface.
2. Insecure permissions on CGI scripts.

CSRF Vulnerabilities

The router’s interface has known CSRF vulnerabilities, originally found in an Arcadyan router interface [1], which suggests that the same firmware has been reused, with the appropriate modifications, across multiple models.

An example request that disables the router’s firewall is shown below:

POST /cgi-bin/fire_eb.exe HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/firewall_main.stm
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

fire_enable=0&savesetting=SAVE+SETTINGS

For this request to work the user must be authenticated. Is that enough protection? No. The request carries nothing that ties it to a page the user actually loaded (no anti-CSRF token), so any web page the authenticated user visits can make the browser submit this exact POST with the user’s credentials attached, and the firewall is switched off without the user noticing.

Insecure permissions

Although the administrative panel pages are not accessible to simple users (an attempt returns a 404), the CGI scripts that those pages call to change router settings can be executed with simple-user privileges: the access check is applied to the page, not to the action behind it. This appears to be an incorrectly mitigated version of the vulnerability discovered in the Belkin F5D7230-4 [2].
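The two findings above are the same class of mistake seen from two angles: the firmware checks who may see a page, but not who may run the script behind it, and it does not check where a state-changing POST came from. The following Python model is an added example (not the router’s firmware, which is not public) that reproduces the behaviour the article describes next to a hardened dispatcher. The page and script names for the admin-only DNS function, the roles, the per-device secret and the attacker host are assumptions; the firewall request is the one shown above.

```python
"""Page-level vs. action-level authorization and a missing CSRF check.
Added example, not the device's code. Names below are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

ROUTER_HOST = "192.168.1.1"
# Hypothetical names: the .stm page is hidden from simple users, the
# .exe CGI script behind it is what actually applies the setting.
ADMIN_ONLY_PAGES = {"/dns_admin.stm"}
ADMIN_ONLY_SCRIPTS = {"/cgi-bin/dns_admin.exe"}
# Assumed per-device secret for CSRF tokens; a real device would generate
# it at boot rather than ship one value for every subscriber.
CSRF_SECRET = b"per-device-secret-example"


@dataclass
class Session:
    sid: str
    role: str  # "user" (subscriber) or "admin" (ISP)


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    body: str = ""
    session: Optional[Session] = None  # None: no valid credentials presented


def vulnerable_dispatch(req: Request) -> int:
    """Behaviour described in the article: only admin *pages* are gated
    (404 for simple users); any authenticated session may run any CGI
    script, and nothing checks where the POST originated."""
    if req.session is None:
        return 401
    if req.path in ADMIN_ONLY_PAGES and req.session.role != "admin":
        return 404
    return 200


def csrf_token(session: Session) -> str:
    """Session-bound token the page would embed in every form."""
    return hmac.new(CSRF_SECRET, session.sid.encode(), hashlib.sha256).hexdigest()


def _same_origin(url: str) -> bool:
    return urlparse(url).hostname == ROUTER_HOST


def hardened_dispatch(req: Request) -> int:
    """Gate the *action* by role, then require a same-origin Origin/Referer
    and a valid session-bound token on every state-changing request."""
    if req.session is None:
        return 401
    privileged = req.path in ADMIN_ONLY_PAGES or req.path in ADMIN_ONLY_SCRIPTS
    if privileged and req.session.role != "admin":
        return 403
    if req.method == "POST":
        # Browsers send Origin on cross-site POSTs; fall back to Referer.
        # A missing header is treated as cross-site, never as trusted.
        source = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not _same_origin(source):
            return 403
        token = parse_qs(req.body).get("csrf_token", [""])[0]
        if not hmac.compare_digest(token, csrf_token(req.session)):
            return 403
    return 200


# Constructed sample traffic. The firewall body is the article's example;
# attacker.invalid is a placeholder for a page the victim was lured to.
ADMIN = Session(sid="s-admin", role="admin")
USER = Session(sid="s-user", role="user")
FIREWALL_OFF = "fire_enable=0&savesetting=SAVE+SETTINGS"

CROSS_SITE_FIREWALL = Request(
    "POST", "/cgi-bin/fire_eb.exe",
    {"Referer": "http://attacker.invalid/lure.html"}, FIREWALL_OFF, ADMIN)
LEGIT_FIREWALL = Request(
    "POST", "/cgi-bin/fire_eb.exe",
    {"Referer": "http://192.168.1.1/firewall_main.stm"},
    FIREWALL_OFF + "&csrf_token=" + csrf_token(ADMIN), ADMIN)
USER_HITS_ADMIN_PAGE = Request("GET", "/dns_admin.stm", {}, "", USER)
USER_RUNS_ADMIN_SCRIPT = Request(
    "POST", "/cgi-bin/dns_admin.exe",
    {"Referer": "http://192.168.1.1/dns_admin.stm"},
    "csrf_token=" + csrf_token(USER), USER)


def compare() -> Dict[str, tuple]:
    """(vulnerable status, hardened status) for each sample request."""
    samples = {
        "cross_site_firewall": CROSS_SITE_FIREWALL,
        "legit_firewall": LEGIT_FIREWALL,
        "user_admin_page": USER_HITS_ADMIN_PAGE,
        "user_admin_script": USER_RUNS_ADMIN_SCRIPT,
    }
    return {k: (vulnerable_dispatch(r), hardened_dispatch(r)) for k, r in samples.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in compare().items():
        print(f"{name:22s} vulnerable={vuln} hardened={hard}")
```

Running the block shows the cross-site firewall request and the simple user’s call to the admin-only script both succeeding (200) in the vulnerable model and being refused (403) by the hardened one, while the legitimate same-origin request with a token still works. The Origin/Referer check is defence in depth only; the token is what actually stops CSRF, since Referer can be stripped by proxies and privacy settings.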

Two DNS hijacking attack scenarios

Although one could assume that users rarely change their default passwords, we will not rely on that, because in this case changing the password does not prevent the attack. The reason is the administrator account managed by the ISP: its credentials can easily be recovered from the firmware image with trivial reverse-engineering techniques, they are the same for all subscribers, and the ISP rarely changes them (for example, until a recent firmware update they had remained unchanged for more than a year [3]).
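The “trivial reverse engineering” mentioned above usually amounts to a strings pass over the unpacked firmware followed by a grep for credential-looking text. The block below is an added example of that pass, not the authors’ tooling; the firmware image it scans is a constructed byte string, and the `admin:EXAMPLE_ONLY` credential embedded in it is a placeholder, not the ISP’s real account.

```python
"""Strings-and-grep pass over a firmware blob to surface embedded credentials.
Added example. SAMPLE_IMAGE is constructed; the credential is a placeholder."""
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Runs of 6+ printable ASCII bytes, the same heuristic strings(1) uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# Substrings that make a string worth a human look (case-insensitive),
# including a hard-coded HTTP Basic authorization value.
HINT = re.compile(rb"pass|pwd|admin|login|user|secret|Basic [A-Za-z0-9+/=]{8,}", re.I)


def extract_strings(blob: bytes) -> List[Tuple[int, str]]:
    """(offset, text) for every printable run in the blob."""
    return [(m.start(), m.group().decode("ascii")) for m in PRINTABLE_RUN.finditer(blob)]


def _decode_basic(text: str) -> str:
    """If text is an HTTP Basic value, return the decoded user:pass, else ''."""
    if not text.startswith("Basic "):
        return ""
    try:
        return base64.b64decode(text[6:], validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def credential_candidates(blob: bytes) -> List[Dict[str, object]]:
    """Strings that match a credential hint, with Basic values decoded."""
    hits = []
    for off, text in extract_strings(blob):
        if HINT.search(text.encode("ascii")):
            hits.append({"offset": off, "text": text, "basic": _decode_basic(text)})
    return hits


# Constructed stand-in for an unpacked firmware binary: non-printable padding
# with a few config-style strings embedded, one of them a hard-coded Basic
# authorization header. The credentials are placeholders.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(0, 32))
    + b"admin_user=admin\x00" + bytes(range(128, 200))
    + b"admin_pass=EXAMPLE_ONLY\x00" + b"\x00" * 16
    + b"Basic " + base64.b64encode(b"admin:EXAMPLE_ONLY") + b"\x00"
    + b"version=1.0.0\x00" + bytes(range(200, 256))
)

if __name__ == "__main__":
    for h in credential_candidates(SAMPLE_IMAGE):
        extra = f"  -> {h['basic']}" if h["basic"] else ""
        print(f"0x{h['offset']:06x} {h['text']}{extra}")
```

Against a real image, run this over the extracted root filesystem (for example after `binwalk -e`) rather than the downloaded file, since vendor images are normally compressed and a strings pass over LZMA or squashfs data finds nothing. The version string in the sample is deliberately left out of the results to show that the hint list, not the string extraction, decides what is reported.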

The first approach is to change the router’s DNS server. To simplify the attack we provide a small Python script that generates the appropriate iframes.

The second approach, stealthier but less effective, is to change the settings on the DNS Forwarding page (which, incidentally, is accessible to non-administrative accounts even though it does not appear in their menu). The interface itself explains the functionality:

“DNS Fordwarding

You can assign a DNS Server for URL. When query this URL, dns proxy will query it from prior assigned DNS Server.”
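Why this second approach is stealthier but less effective: a forwarding rule only diverts queries for the listed domain to the attacker’s resolver, so every other name still resolves through the ISP and a casual check of a popular site shows nothing wrong. The Python model below is an added example of that behaviour, not the router’s DNS proxy; the page does not document how the router matches names, so the longest-matching-suffix rule, the resolver addresses (RFC 5737 documentation ranges) and the answer table standing in for the network are all assumptions.

```python
"""Model of a per-domain DNS forwarding table and a divergence check.
Added example; matching rule, addresses and answers are constructed."""
from typing import Dict, List, Optional, Tuple


def pick_upstream(qname: str, rules: Dict[str, str], default: str) -> str:
    """Longest-matching-suffix rule wins; otherwise the normal upstream.
    (Assumed matching semantics; the page does not specify the router's.)"""
    q = qname.rstrip(".").lower()
    best: Optional[str] = None
    best_len = -1
    for domain, server in rules.items():
        d = domain.rstrip(".").lower()
        if (q == d or q.endswith("." + d)) and len(d) > best_len:
            best, best_len = server, len(d)
    return best if best is not None else default


def divergent_names(names: List[str], rules: Dict[str, str], default: str,
                    trusted: str, answers: Dict[Tuple[str, str], str]) -> List[str]:
    """Names whose answer via the router's proxy differs from a trusted
    resolver. `answers` stands in for the network: {(server, qname): ip}."""
    out = []
    for n in names:
        via_router = answers[(pick_upstream(n, rules, default), n)]
        if via_router != answers[(trusted, n)]:
            out.append(n)
    return out


ISP_DNS = "192.0.2.53"        # the router's normal upstream (constructed)
TRUSTED = "192.0.2.200"       # a resolver outside the router's control
ROGUE = "203.0.113.66"        # attacker-controlled resolver (hypothetical)
RULES = {"bank.example": ROGUE}   # the single injected forwarding rule
ANSWERS = {
    (ISP_DNS, "www.bank.example"): "198.51.100.10",
    (TRUSTED, "www.bank.example"): "198.51.100.10",
    (ROGUE, "www.bank.example"): "203.0.113.99",     # phishing host
    (ISP_DNS, "www.example.net"): "198.51.100.20",
    (TRUSTED, "www.example.net"): "198.51.100.20",
}

if __name__ == "__main__":
    print(pick_upstream("www.bank.example", RULES, ISP_DNS))
    print(divergent_names(["www.example.net", "www.bank.example"],
                          RULES, ISP_DNS, TRUSTED, ANSWERS))
```

Checking only `www.example.net` reports nothing, while including the targeted name exposes the rule; a real check therefore has to compare the names that matter to the user (banking, mail, the ISP’s own portal), not a generic canary, and the simplest protection remains the advice at the end of this article: do not use the router as your resolver at all.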

Exploitation and Impact

Exploitation of the above vulnerabilities, in the context of a social engineering attack, can also lead to:

• Unwanted service exposure
• DNS Hijacking
• VoIP Denial of Service
• Disabling wireless security
• Disabling of the remote support provided by the ISP
• User/Admin account password change

Conclusion

This firmware reuse/rebranding raises some issues that require closer attention:

a) Router firmware reuse (with minor changes) appears to be common among router manufacturers. A bit of Google searching revealed that similar firmware has been used in Pirelli, Arcadyan, Sagem, Belkin, T-Sinus and BuffaloTech routers. However, for various reasons (contracts, third parties involved, etc.), vulnerability patches are not applied to all firmware variants. A Belkin CSRF vulnerability found in 2008 was never correctly mitigated on an Arcadyan router and still exists on the P.RG A4201G, whose latest firmware update was applied on 20 October 2013.

b) ISPs worldwide seem to follow the practice of keeping exclusive rights to the administrative account “for support and updates”. Even if support is the only reason they maintain such accounts, they should at least do so without exposing their customers to such serious risks.

Timeline

Vendor informed: 26/11/2013

ISP informed: 5/12/2013

Vendor replied: 9/12/2013

Vendor confirmed the (already known!) vulnerabilities: 17/12/2013

A firmware update will be released in the following weeks. Until the issue is fixed, users are advised not to use their router as a DNS server (howto).

References

[1] http://terminus.ignaciocano.com/k/2011/01/01/csrf-en-el-panel-de-administracion-del-router-arcadyan-de-ya-com/

[2] http://www.cvedetails.com/cve/CVE-2008-1244/

[3] http://www.adslgr.com/forum/threads/555901-Admin-password-για-το-μαύρο-Pirelli!
