BT Home Flub - Pwnin the BT Home Hub

Mon, 08 Oct 2007 16:41:42 GMT
by pagvac

OK, let me get to the point. The BT Home Hub, which is probably the most popular home router in the UK, is susceptible to critical vulnerabilities.

BT's plan is to sneak one of these boxes into every UK home. Not only does the BT Home Hub support broadband but also VoIP (BT Broadband Talk), UMA mobile telephony (BT Fusion), and digital TV (BT Vision). Additionally, BT will give users the option to use their BT Home Hub to join FON, a community-shared Wi-Fi network. An unofficial source has reported to us that there are 2+ million BT Home Hub users in the UK.

If you're thinking: "well I'm not based in the UK so this research doesn't concern me", then think again! The BT Home Hub is just a Thomson/Alcatel Speedtouch 7G router. Furthermore, the vulnerabilities we found are most likely present in other Speedtouch models due to code reuse (more on that later).

So what can we do? Well, we can fully own the router remotely. At the moment we have three demo exploits which do the following:

  • enable backdoor in order to control the router remotely
  • disable wireless completely (can only be re-enabled if the user is technically capable)
  • steal the WEP/WPA key

Of course there are other attacks you could launch! We can hijack any action with full admin privileges or steal any info returned by a router's page. This means the evilness of the exploits is only limited by the attacker's imagination. Other examples of evil attacks include eavesdropping on VoIP conversations (change the 'sip config primproxyaddr' statement in the config file), stealing VoIP credentials, exposing internal hosts on the DMZ, changing the DNS settings to steal online banking credentials, disabling auto updates (change the cwmp.ini section in the config file), etc.

The only requirement for the router to be owned is that a victim user visits a (malicious) website. The good news is that our exploits do NOT require knowledge of the admin password! How can that be? Well, we rely on an authentication bypass bug we discovered!

Even though I've been the owner of a BT Home Hub for quite a while, I never bothered to try to find vulnerabilities in it. However, at the last dc4420 meeting, after I gave a talk on breaking into Axis cameras, some of the guys there inspired me to research the BT Home Hub. After poking at it for a while, pdp and I couldn't believe how vulnerable the web interface of the device was! I remember pdp sarcastically saying: "wow, it's really locked down man!" We discovered issues such as:

  • authentication bypass (any admin action can be performed without username/password!)
  • system-wide CSRF
  • several persistent XSS
  • several non-persistent XSS
  • privilege escalation

We're now in the process of contacting BT and Thomson. However, I don't have high hopes for BT. Last year, I found a way to dump the BT Voyager 2091's config file without credentials. Even though I forwarded them my findings, they never responded at all.

Enjoy the demo video, which was kindly prepared by pdp. We misspelled some words in the chat conversation, so please forgive us! In the video, the attacker social-engineers the victim into visiting a malicious website. The malicious website in turn enables remote assistance on the victim's router with a password chosen by the attacker. After that, the attacker gains full privileges on the router remotely, and steals the config file and WEP key.

Archived Comments

pdp
here comes the stage6 video: http://stage6.divx.com/user/gnucitizen/video/1722388/BT-Home-Flub
Hubert
Nice work. A configuration interface that's not web-based at all, like on my Apple Airport Extreme router might be a good idea after all. The web and telnet interface on the Thomson router I've used was better designed and had more features than those I've seen on Belkin and Netgear devices, but obviously they have some work to do towards making it secure.
devloop
Hi guys! I found a similar vulnerability in a modem/router provided by one of our ISPs in France (Neuf Telecom). The router has a web administration interface WITHOUT password protection and it's vulnerable to CSRF and a persistent XSS. Intruders can create NAT rules, change WEP/WPA encryption and password, activate/deactivate the hotspot or steal the credentials for the PPoA connection :p But the router is very basic so it's not possible to change DNS servers or stuff like that. Article here (in French): http://devloop.lyua.org/blog/index.php?2007/09/23/468-la-securite-de-la-neufbox-4
phill
I have a home hub. Is there anything I can do to stop this? Is there a port I can close or something?
pdp
phill, at the moment I don't think that there is a way to protect yourself from this type of attack at router level. You need to upgrade as soon as BT releases an update.
memals
phill: just do not visit any malicious websites. easy ;)
Mark Kent
Hi Adrian, Please send me any details you have, and I'll aim to get them to the right people in BT. Best regards, Mark Kent
Adrian Pastor
phill, If you are a fan of Firefox extensions, NoScript filters cross-site POST requests from untrusted to trusted sites. This protection should avoid someone exploiting your router if properly configured.
zip
Nice music, who is the artist?
blah
What's the point of the post other than to promote yourself? Users of this modem have no workaround, let alone a patch. "However, I don't have high hopes for BT" Obviously you didn't learn from your previous experience. If you release code they'll fix it. By making your... announcement you've given enough direction for people with malicious intent to find what you have. But you know all this. zip; the tune is a... Spanish? version of, the girl from ipanema.
robadams
Caetano Veloso - Garota de Ipanema. Lovin' it
vijay
Interesting research. Btw you can disable remote assistance if you follow the instructions at the following site: http://baldric.net/2007/01/22/bt-home-hub-and-the-gpl/ to get "root privileges", then under [ mlpuser.ini ] delete "defremadmin=enabled" or, better yet, just delete the tech user completely. You could also change the RAS port under [ system_raccess.ini ] although you wouldn't gain much.
Adrian Pastor
btw, I forgot to give thanks to Jan Fry for testing the vulnerabilities on the Thomson/Alcatel Speedtouch 780 (provided by BeThere in the UK). zip, the song is Brazilian I believe (sung in Portuguese). blah, I don't think there is anything wrong with publishing vulnerability research, especially when it's independent and unpaid. The good news is we have been in touch with some technical people from BT who are in the process of verifying the vulnerabilities we found.
Taffy
I doubt BT will do anything .. as they already have a bad reputation with this kind of stuff
antivirustaneja
Nice work... but if you release the code as well, only then will they do it as quickly as they can... moreover, hereafter they can't ignore your research...
DavidB
I know there are supposed to be some malicious sites that have cross-scripting to perform attacks on machines/routers. Does anyone have a list of these as I'd like to put some additional rules into my firewalls to prevent access to these sites?
Adrian Pastor
DavidB, That would be very unfeasible. Probably the closest thing you can do to that is using a black-list database from some popular web content filtering proxy software. I mean, the malicious JS that exploits your router could be anywhere such as in a free .googlepages.com webpage.
John
I've been looking into the BT homehub recently, I'm interested to see how secure the remote desktop facility is.
1337
Any exploits for Software version: 6.2.6.B? These Homehubs really are weak. A padlock from poundland is more secure!
Adrian Pastor
1337: The CSRF, XSS and double-slash auth bypass are still there on version 6.2.6.B. For instance, although version 6.2.6.B has now password-protected the page that shows the WEP/WPA key, it's still possible to access it *without* authenticating by ending the URL with 2 slashes: http://192.168.1.254/cgi/b/_wli_/seccfg// Try it on your Home Hub. It should work. This means that people can still steal your WEP/WPA key by scraping the previous URL through one of the many XSS vulns still present on version 6.2.6.B. However, version 6.2.6.B has added lots of restrictions such as disabling telnet, remote assistance and worst of all: the config file is now encrypted/obfuscated!: http://192.168.1.254/cgi/b/backup/user.ini// However, I have not checked if uploading a clear-text version of the config file still works. If so, you could still mod your own Home Hub without restrictions by simply editing user.ini. Check out our other 'Pwnin the BT Home Hub' posts for more info: http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-2 http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-3 http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4
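The double-slash bypass described in the comment above is an instance of a well-known bug class: the access-control check inspects the literal request path while the dispatcher serves a normalized one, so any variant spelling of a protected page falls through. The Python model below is an added example (not the Speedtouch firmware's code; how the real firmware implements its check is an assumption) showing a literal-path, fail-open ACL next to a version that canonicalizes first and fails closed. PAGES is a constructed sample route table.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample route table: page -> required privilege (assumption, not the firmware's table).
PAGES = {
    "/cgi/b/_wli_/seccfg": "admin",      # wireless security page (shows the WEP/WPA key)
    "/cgi/b/backup/user.ini": "admin",   # config file download
    "/cgi/b/info": "public",             # harmless status page
}


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to one canonical form: drop the query string,
    percent-decode, collapse '/' runs, resolve '.' and '..', strip trailing '/'."""
    path = unquote(urlsplit(raw_path).path)
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                     # empty segment ("//") or "./": no-op
        if seg == "..":
            if parts:
                parts.pop()              # never climb above the root
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def lookup_acl_naive(raw_path: str) -> str:
    # Vulnerable model: lookup on the literal path, unknown paths treated as public.
    # "/cgi/b/_wli_/seccfg//" is not a key, so it is served without authentication.
    return PAGES.get(raw_path, "public")


def lookup_acl_fixed(raw_path: str) -> str:
    # Hardened: decide on the same canonical path the dispatcher uses,
    # and default to the most restrictive privilege when the page is unknown.
    return PAGES.get(canonicalize(raw_path), "admin")


def serve(raw_path: str, authenticated: bool, lookup_acl) -> int:
    """Return an HTTP status. The dispatcher is lenient about '//' and './'
    (it always locates the page by canonical path); only the ACL lookup differs."""
    page = canonicalize(raw_path)
    if page not in PAGES:
        return 404
    if lookup_acl(raw_path) == "admin" and not authenticated:
        return 401
    return 200
```

With the naive lookup an unauthenticated request for the seccfg page with a trailing "//" gets 200, while the fixed lookup returns 401 for every spelling of that path.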
cephalopod
er... wouldn't a simple change of the homehub LAN IP prevent these hacks?!
pdp
nope, it will make it slightly more complicated but in general it won't prevent anything.
cephalopod
looking at the majority of the XSS vulnerabilities, they make use of 192.168.1.254 in the javascript - so surely it'll prevent script kiddies exercising that? how about combining that with deleting the tech user as well... would that prevent all bar the UPnP vulnerability?
pdp
the only way to prevent UPnP based attacks is to disable UPnP on your router. On some router models this is not trivial at all and sometimes even impossible.
lahtib
The song is "Girl From Ipanema" by Stan Getz...it's American, not portuguese or brazilian. Great post!