Dumping The Admin Password Of The BT Home Hub (pt 2)

Tue, 27 May 2008 09:11:51 GMT

This is just a quick update regarding our previous post which details how to extract the default admin password for the latest firmware of the BT Home Hub (6.2.6.E at time of writing). I recommend you to read the previous post if you have not done so yet.

The BT Home Hub's serial number - from which the default admin password is derived - can also be found in the UPnP description XML files. If you own a BT Home Hub, just look at the serialNumber tags in http://api.home/upnp/IGD.xml and http://api.home/dslf/IGD.xml

Note that no password is required to access such files, as they're used for UPnP (authentication-less) operations. Note: UPnP is enabled by default on the BTHH.

The attack needs to take place either via the Ethernet or the WLAN (Wi-Fi) interface, just like the MDAP attack described in our previous post, unless of course you use a cross-domain vulnerability such as XSS that allows you to remotely scrape the contents of the description XML files and send them to a third-party site. Remember that the default admin password is simply the serial number with the string 'CP' prefixed to it. In other words, if the serial number was 0633EHPSL, the default admin password for the Home Hub would be CP0633EHPSL. Enjoy!

UPDATE: the serial number disclosure reported in this post was originally tested on a BT Home Hub running firmware version 6.2.2.6 (please see screenshots for more information). However, it appears that BT has replaced such information with the Hub's MAC address in the latest firmware (6.2.6.E at time of writing).

Since only the latest firmware uses the Hub's serial number as the default admin password, the reported serial number disclosure via UPnP XML description files is NOT exploitable. Nevertheless, the MDAP attack has been verified on the latest firmware and has been confirmed by several users both on the BT Home Hub v1 and v1.5.
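As an added audit check (not code from the original post or from BT), the following parses a UPnP IGD description and flags whether each serialNumber field holds a device serial, from which the default credential is derivable, or a MAC address as substituted on 6.2.6.E. The XML below is a constructed sample, not captured from a real Hub.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a UPnP IGD description (not captured from a Hub).
# The first serialNumber mimics the 6.2.2.6 disclosure, the nested one the
# 6.2.6.E behaviour where the field carries the MAC address instead.
SAMPLE_IGD_XML = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion><major>1</major><minor>0</minor></specVersion>
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>BT Home Hub</friendlyName>
    <manufacturer>THOMSON</manufacturer>
    <serialNumber>0633EHPSL</serialNumber>
    <device>
      <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
      <serialNumber>00:11:22:33:44:55</serialNumber>
    </device>
  </device>
</root>
"""

# Colon/dash separated or bare 12-hex-digit MAC address forms.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$|^[0-9A-Fa-f]{12}$")


def serial_numbers(xml_text):
    """Return every <serialNumber> value in the description, ignoring the UPnP namespace."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit('}', 1)[-1] == 'serialNumber' and el.text]


def classify(value):
    """'mac' for the 6.2.6.E-style substitution, 'serial' for anything else."""
    return 'mac' if MAC_RE.match(value) else 'serial'


def audit(xml_text):
    """Report whether the description discloses a real serial, i.e. whether the
    'CP' + serial default password is derivable from an unauthenticated file."""
    return [{'value': v, 'kind': classify(v),
             'default_password_derivable': classify(v) == 'serial'}
            for v in serial_numbers(xml_text)]


if __name__ == '__main__':
    for finding in audit(SAMPLE_IGD_XML):
        print(finding)
```

A derivable default password is the cue to set a non-default admin password on the Hub, regardless of whether UPnP is switched off.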

MJW
I'm on 6.2.6.E and I've checked the IGD.xml file, the Serial Number field shows my MAC code not the serial number. Is this a change in 6.2.6.E?
Stephen
On my HH v15 the serialnumber field has the MAC address in it
Stephen
Just to add that I'm on 6.2.6.E (forgot to mention that)
Stephen
Apologies for three posts in a row but I just checked and UPnP is definitely switched off on my HH (I immediately disabled it on reading your initial HH posts some months ago). Should these files still be available even when UPnP is off? Because they are...
pdp
Even when you switch off UPnP the IGD description may still be present.
Stephen
Ok. Reading it in detail the upnp/IGD.xml file contains the following:
Device not enabled: UPNP-IGD
So at least it seems to be off. However the dslf/IGD.xml looks like it still offers services - does this mean that even turning off UPnP that one could still utilise the dslf stuff to pwn it?
rishi
Have any flaws been found in the H firmware? Thanks!
Adrian 'pagvac' Pastor
The serial number disclosure reported in this post was originally tested on a BT Home Hub running firmware version 6.2.2.6. However, it appears that BT has replaced such information with the Hub's MAC address in the latest firmware (6.2.6.E at time of writing). Since only the latest firmware uses the Hub's serial number as the default admin password, the reported serial number disclosure via UPnP XML description files is NOT exploitable. Nevertheless, the MDAP attack described in our previous post has been verified on the latest firmware and has been confirmed by several users both on the BT Home Hub v1 and v1.5.
Aaron
You can dump the serial number of the HomeHub 6.2.6.E by connecting to the HTTPS port and examining the SSL Certificate... the default OU of the certificate issuer is the serial number of the device... Hence, the pwndhub I am currently using has just dished out this after I ran a Nessus scan on it...
OU = 0641EHJRR
O = THOMSON
CN = BT Home Hub
Please verify this works for others...
Stephen
I can verify that the OU of the SSL certificate gives the serial number on 6.2.6.E on my HH v1.5. Just point your browser to https://api.home/ and click examine certificate when prompted ;)
Adrian 'pagvac' Pastor
We got a winner :) I can confirm this works on the BT Home Hub v1, firmware 6.2.6.E. Good catch Aaron! Any other ideas on how to obtain the Hub's S/N and therefore the default admin password? The more techniques the merrier! btw, the troubleshooting page - which doesn't require a password to be seen - *used to* include the S/N but BT removed such info in the latest firmware: https://api.home/cgi/b/bttroubleshooting/
Gary
You can also get the Serial Number by visiting this page: http://pbteu.bt.motive.com/ElectiveFWUpgradePortal/ and clicking on "Schedule your BT Home Hub upgrade" or follow the link direct: http://pbteu.bt.motive.com/ElectiveFWUpgradePortal/jsp/Loading.jsp?URL=Schedule.jsp This has to be done while connected to a HomeHub.
Martin
Gary, that was perfect. I couldn't get the other methods to work as I didn't realise you had to add on the CP to the start of what was returned.
fLaMePr0oF
Another method for getting the serial number of any BTHH is to download and run the latest BT Home Hub Recovery Tool 6.2.2.6 (can get it here: http://www.josephn.net/download/dl.php?file=bthh_recovery)... When the tool tries to access the HH and asks for authentication, the serial number will be displayed above the user/pass input fields. (LoL @ BT for changing password to serial to improve security when serial can be accessed SO easily!)
pwn-a-cycle
The link is http://www.josephn.net/download/dl.php?file=bthh_recovery @fLaMePr0oF - seems you accidentally appended a ).. to the URL
Andy
You can still get the serial. Go to https://api.home and view the cert as said above; it's simply the OU (organizational unit) field above the serial number. Add CP to that string, and that's the password.