The bug is still present today. However, access to the administration console is blocked by default to outside IP addresses
 |
| Default router access control configuration |
According to the settings shown in the previous screenshot, one may asume that the router is protected from untrustworthy connections. Nevertheless, that's not the case. Developers failed to include the HTTPs server in these access control settings. Thus, even if we disable access from external addresses to the HTTP server, the HTTPs server would still be accessible from the Internet, leaving the bug exploitable.
Mapping port 443
As a first try in order to solve the problem, I used the router web management interface to map port 443 to a nonexistent device. The router allowed this configuration, but moved the web server to port 8443. This change could reduce the likeliness of an attacker exploiting the bug, since it is a less common port, but it is definitely not a proper solution. Moreover, mappings of port 8443 are not allowed by the router, so this course of action seems limited. |
| The router does not allow mappings to port 8443 |
Modifying router firewall rules
Since the problem lies in a port that is open to the Internet, why shouldn't I use the router firewall? Right? Well, it is not that simple. The web management interface does not allow such fine settings and SSH access to the router is disabled to LAN hosts. In order to enable SSH we need the password for the router admin account, which is not provided to us by Vodafone. One we have it we can logging to the router through SSH and add an iptables rule. However, this modification won't be persistent (i.e. will be lost after a router reboot).
Getting router administrator password
Even though the password for the admin user is available on the Internet, Vodafone remotely modifies it when the router starts up. In order to obtain it, I followed the tutorial available here (in Spanish). Since the mentioned tutorial is a little old, I'll detail the steps I followed:
Firstly, you need to disconnect the router from the Internet and reset it to its default settings (by holding the reset button during 20-30 seconds until all lights on the device turn off). Now you can login on the router web server (the router IP address is the default gateway we get through DHCP). The user is admin and the password VF-EShg253 .
Once inside the web management console, you need to enable Port mirroring for the ethwan interface (Status & support tab). I used Chrome for doing so, and it started to download a .cap file. While the file continues being downloaded, we connect back the router to the Internet. After a while, we will get logged off the management console. Once this happens, we make a copy of the file Chrome is downloading and change its extension from .crdownload to .cap. Afterwards, we can cancel the file download in Chrome, which will remove the .crdownload file.
Once inside the web management console, you need to enable Port mirroring for the ethwan interface (Status & support tab). I used Chrome for doing so, and it started to download a .cap file. While the file continues being downloaded, we connect back the router to the Internet. After a while, we will get logged off the management console. Once this happens, we make a copy of the file Chrome is downloading and change its extension from .crdownload to .cap. Afterwards, we can cancel the file download in Chrome, which will remove the .crdownload file.
 |
| admin password in Wireshark |
Finally, the .cap file we obtained before can be opened with Wireshark. As you can see in the previous screenshot, using the appropriate display filter, it will show the users' passwords Vodafone has sent to the router. In my case, admin is the user 1, so the last password shown is the one I need to use. Anyway, if that does not work for you one of the other passwords should be the right one, you can just try them on the web portal.
Connecting through SSH
Once we have the administrative password, we need to enable SSH access to the router. This can be done on the web management interface, logging in with the admin user and the obtained password. Once inside, we need to go to Settings > Access Control and allow SSH access from the LAN:
We apply the settings and SSH access should be available. In Windows you can use PuTTY and in Linux just the ssh command will suffice. Anyhow, you should input the following parameters:
- Host / IP address: Router private IP address
- User: admin
- Password: The one obtained on the previous section
Once connected, you should get the following console:
It is very limited, but using the shell command you will get a BusyBox terminal:
Firstly we will run the su command to get root privileges. Then we need to add to add to iptables the rule to block incoming connections to port 443:
iptables -I INPUT -p tcp --dport https -j DROP
Even if we set the HTTPS server to be listening on port 8443 we need to use this rule, since the mapping between port 443 and port 8443 is performed on the nat table, which is processed before than the filter table.
Once this command is executed no connection to the HTTPS server will be accepted. Although this also applies to LAN connections, we still have access using HTTP on port 80.
In order to close the SSH connection with the router you can run the exit command three times (close superuser connection, close BusyBox and close the SSH connection).
Once this command is executed no connection to the HTTPS server will be accepted. Although this also applies to LAN connections, we still have access using HTTP on port 80.
In order to close the SSH connection with the router you can run the exit command three times (close superuser connection, close BusyBox and close the SSH connection).
Persistency
I have tried to make this iptables rule persistent after reboots, but I couldn't. I created a script that would run the iptables rule, saved it at /etc/init.d and added a line /etc/inittab. However, it didn't run at boot time (not properly, at least). Anyway, even though this solution is interesting as a provisional fix, it is too cumbersome for it to be applied by any user.
Finally, I decided to use a Raspberry Pi that is connected to the router. It periodically checks if the router has port 443 open. If it detects the port open, the script starts a SSH session with the router and adds the iptables rule that blocks incoming connections to port 443. The script is available at GitHub and has been tested in Raspbian.
Vodafone customer support
I contacted Vodafone about this matter, and the staff tried to solve it by changing the router management password, removing port mappings or they would just hung up on me. Finally, the employee that understood the issue stated that he couldn't replicate it (?) and didn't offer any solution. He said that he could ask for a new router to be sent to me, but it would be the same model.
As a result, to avoid sensitive data leakage from my WiFi network (due to a 2015 vulnerability), I needed to follow all this process. I didn't get any help from Vodafone, who didn't even provide administration credentials for the router.
As a result, to avoid sensitive data leakage from my WiFi network (due to a 2015 vulnerability), I needed to follow all this process. I didn't get any help from Vodafone, who didn't even provide administration credentials for the router.
No comments:
Post a Comment