BT Home Flub Pwnin The BT Home Hub (4)
The following are the full details of the vulnerabilities we reported (BID 25972) to BT regarding their Home Hub router. We are going to have a brief detail on all POCs. If you have any suggestions, recommendations or corrections, do not hesitate to contact us. All the vulnerabilities and demo exploits discussed below have been tested on version
220.127.116.11 of the firmware, unless otherwise specified. Have fun and be responsible!
Exploit #1: Enable remote assistance and notify intruder when victim Home Hub is owned
This is the exploit shown in our first demo video on which we forge the enable remote assistance request using an authentication bypass bug we found within the router firmware. Even if the victim has changed the password, the request will still go through no matter what. After successful exploitation, the attacker is notified via email with the URL (IP address) needed to control the Home Hub remotely.
In our exploit we set the credentials tech:12345678. Notice the double forward slash in the action attribute which allows us to bypass the authentication! The exploit Proof of Concept code follows:
- Through the
nameparameter (already published on BID 16839): http://192.168.1.254/cgi/b/intfs/_intf_/ov/?ce=1&be=0&l0=3&l1=1&name=
urlparameter. This one is a good one because there are not restrictions on the length of the payload or type of characters that can be injected. Plus, it works even if the victim is not authenticated (again, the vulnerable script is available without needing to authenticate) http://192.168.1.254/cgi/b/ic/connect/?nm=1&client=192.168.1.64&server=198.18.1.2&event=DNSSpoofed&url="><a%20b=" http://192.168.1.254/cgi/b/ic/connect/?nm=1&client=&server=&event=DNSSpoofed&url="><a%20b=" http://192.168.1.254/cgi/b/ic/connect/?url="><a%20b=
The last PoC URL has also been successfully tested on a Thomson Speedtouch 780 firmware version 18.104.22.168), which is shipped by Bethere in the UK.
Vulnerability #3: Several persistent XSS
Persistent XSS on Configuration / Application Sharing / Add new Game or App:
A request which takes advantage of this vulnerability may look like the following::
POST /cgi/b/games/newserv/?ce=1&be=1&l0=4&l1=5&tid=CREATE_GAME HTTP/1.1
On the other hand, there is a persistent XSS on the logs page by attempting to authenticate (with the web server) using a malformed username:
Oct 27 16:10:19 LOGIN User
[XSS_payload_goes_here]` tried to login on [HTTPS] (from 192.168.1.66)
The line where the payload is returned looks like the following:
LOGIN User tried to login on [HTTP] (from 192.168.1.66)
Vulnerability #4: Double-slash Authentication Bypass
This authentication bypass allows intruders to view any page that would normally require the admin password. Additionally, any administrative request can be made without requiring the admin password. The bug is extremely simple to exploit, and works like a charm! By simply requesting the password-protected resource with two forward slashes, the authentication is bypassed completely. I.e.:
Basic wireless configuration info:
- Local network information:
- Firewall security settings:
- Internet connection information:
- Game and Application sharing:
- Remote assistance:
- Backup and Restore:
Dump config file:
Not only administrative pages can be viewed without a password, but administrative changes can also be made. I.e.: the following request enables remote assistance without requiring a password:
POST /cgi/b/ras//?ce=1&be=1&l0=5&l1=5 HTTP/1.1
The previous request could be performed by a malicious website through a hidden form as shown in Exploit #1.
Vulnerability #5: A-to-C authentication bypass
Let me explain what I mean by A-to-C authentication bypass. Sometimes on a application we're supposed to go through an intermediate B point before we reach C. However, sometimes, knowing C in advance might allow you to gain access to data without going through B. In this case, by simply knowing URLs that would only be accessible to authenticated admin users, an attacker can bypass the password prompt completely.
For instance, some pages that are only available after accessing the Advanced section are supposed to require a password to be accessed, but can be accessed without authenticating. i.e.:
Keep in mind that the WEP/WPA key in the clear. There are other pages whose links can only be seen after authenticating, but can actually be accessed without authenticating by simply accessing the URL directly. However, the Wireless Security page is probably the most interesting one.
BT has finally password-protected the Wireless Security page on firmware version 6.2.6.B.
Vulnerability #6: Privilege Escalation
BT Home Hubs have three accounts by default: Basic, admin, and tech. Since version 22.214.171.124 of the firmware, saving a backup of the config file and loading a new one is restricted to the tech account which is usually used by BT technical support. However, the admin user can access such functionalities by simply accessing any of the following URLs:
This is pretty much it. I hope that you've learned something new. Again, if you have any ideas, suggestions or aditional information, contact us.