Dumping the admin password of the BT Home Hub (pt 2)
This is just a quick update to our previous post, which details how to extract the default admin password for the latest firmware of the BT Home Hub (6.2.6.E at time of writing). I recommend reading the previous post if you have not done so yet.

The BT Home Hub’s serial number - which is the default admin password - can also be found in the UPnP description XML files. If you own a BT Home Hub, just look at the 'serialNumber' tags in http://api.home/upnp/IGD.xml and http://api.home/dslf/IGD.xml.
Note that no password is required to access these files, as they are used for UPnP operations, which are authentication-less. UPnP is enabled by default on the BTHH.
The attack needs to take place either via the Ethernet or the WLAN (Wi-Fi) interface, just like the MDAP attack described in our previous post. Unless of course you use a cross-domain vulnerability such as XSS which allows you to remotely scrape the contents of the description XML files and send them to a third-party site. Remember that the default admin password is simply the serial number with the string ‘CP’ prefixed to it. In other words, if the serial number was 0633EHPSL, the default admin password for the Home Hub would be CP0633EHPSL. Enjoy!
UPDATE: the serial number disclosure reported in this post was originally tested on a BT Home Hub running firmware version 6.2.2.6 (please see screenshots for more information). However, it appears that BT has replaced such information with the Hub’s MAC address in the latest firmware (6.2.6.E at time of writing).
Since only the latest firmware uses the Hub’s serial number as the default admin password, the reported serial number disclosure via UPnP XML description files is NOT exploitable. Nevertheless, the MDAP attack has been verified on the latest firmware and has been confirmed by several users both on the BT Home Hub v1 and v1.5.
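If you own a Hub and want to check what your firmware actually publishes, the following is an added example (not code from the original post) that parses a UPnP IGD description document and classifies each serialNumber field as a device serial, a MAC address (what the 6.2.6.E update above reports) or empty. The XML below is a constructed sample in the shape of a UPnP device description, not a capture from a real Hub; feed the function the contents of the IGD.xml files named above to check your own device. A 'serial' finding on firmware that derives the default admin password from the serial number is the cue to change that password.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a UPnP IGD description file.
# The serial value is the one used as an illustration in the post, not a real device.
SAMPLE_IGD_XML = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion><major>1</major><minor>0</minor></specVersion>
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>BT Home Hub</friendlyName>
    <manufacturer>THOMSON</manufacturer>
    <serialNumber>0633EHPSL</serialNumber>
  </device>
</root>
"""

# Six hex octets, optionally separated by ':' or '-' (e.g. 00:14:7F:AA:BB:CC).
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$")


def extract_serial_numbers(xml_text):
    """Return the text of every <serialNumber> element, ignoring XML namespaces.

    Returns [] when the document is not XML at all, which is what a Hub with
    UPnP disabled serves ("Device not enabled: UPNP-IGD" as plain text).
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []
    values = []
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]  # strip '{namespace}' prefix
        if local_name == "serialNumber":
            values.append((el.text or "").strip())
    return values


def looks_like_mac(value):
    """True when the value is formatted as a MAC address rather than a serial."""
    return bool(MAC_RE.match(value))


def assess_exposure(xml_text):
    """Classify each serialNumber field found in a UPnP description document.

    'mac'    - the firmware publishes the MAC address (as 6.2.6.E does)
    'serial' - the firmware publishes the device serial number
    'empty'  - the element is present but blank
    """
    findings = []
    for value in extract_serial_numbers(xml_text):
        if not value:
            findings.append((value, "empty"))
        elif looks_like_mac(value):
            findings.append((value, "mac"))
        else:
            findings.append((value, "serial"))
    return findings


if __name__ == "__main__":
    for value, kind in assess_exposure(SAMPLE_IGD_XML):
        print(f"serialNumber={value!r}: {kind}")
    print(assess_exposure("Device not enabled: UPNP-IGD"))  # UPnP switched off
```

The namespace-agnostic walk matters because UPnP description documents place every element in the urn:schemas-upnp-org:device-1-0 namespace, so a plain `find("serialNumber")` would return nothing.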


comments
I’m on 6.2.6.E and I’ve checked the IGD.xml file, the Serial Number field shows my MAC code not the serial number. Is this a change in 6.2.6.E?
On my HH v15 the serialnumber field has the MAC address in it
Just to add that I’m on 6.2.6.E (forgot to mention that)
Apologies for three posts in a row but I just checked and UPnP is definitely switched off on my HH (I immediately disabled it on reading your initial HH posts some months ago).
Should these files still be available even when UPnP is off? Because they are…
even when you switch off UPnP the IGD description may still be present.
Ok. Reading it in detail the upnp/IGD.xml file contains the following:
Device not enabled: UPNP-IGD
So at least it seems to be off.
However the dslf/IGD.xml looks like it still offers services - does this mean that even turning off UPnP that one could still utilise the dslf stuff to pwn it?
have any flaws been found in the H firmware?
Thanks
The serial number disclosure reported in this post was originally tested on a BT Home Hub running firmware version 6.2.2.6. However, it appears that BT has replaced such information with the Hub’s MAC address in the latest firmware (6.2.6.E at time of writing).
Since only the latest firmware uses the Hub’s serial number as the default admin password, the reported serial number disclosure via UPnP XML description files is NOT exploitable.
Nevertheless, the MDAP attack described in our previous post has been verified on the latest firmware and has been confirmed by several users on both the BT Home Hub v1 and v1.5.
You can dump the serial number of the HomeHub 6.2.6.E by connecting to the HTTPS port and examining the SSL Certificate… the default OU of the certificate issuer is the serial number of the device…
Hence, the pwndhub I am currently using has just dished out this after I ran a Nessus scan on it…
OU = 0641EHJRR
O = THOMSON
CN = BT Home Hub
Please verify this works for others…
I can verify that the OU of the SSL certificate gives the serial number on 6.2.6.E on my HH v1.5
Just point your browser to https://api.home/ and click examine certificate when prompted ;)
We got a winner :) I can confirm this works on the BT Home Hub v1, firmware 6.2.6.E. Good catch Aaron!
Any other ideas on how to obtain the Hub’s S/N and therefore the default admin password? The more techniques the merrier!
btw, the troubleshooting page - which doesn’t require a password to be seen - *used to* include the S/N but BT removed such info in the latest firmware: https://api.home/cgi/b/bttroubleshooting/