Hello everyone, I just wanted to discuss some vulnerability I found and exploited for GOODNESS .. just so that SCRIPT KIDIES won’t attack your home/business network .
Well, in Algeria the main ISP ( Algerie Telecom ) provide you with a router when you pay for an internet plan. So you can conclude that every subscriber is using that router . TD-W8951ND is one of them, I did some ip scanning and I found that every router is using ZYXEL embedded firmware.
Let’s download an update and take a look at it and try to find some vulnerabilities. ( http://www.tp-link.com/Resources/software/TD-W8951ND_V3.0_110729_FI.rar )
The ras file is in LIF format !! …
Hmmm let’s put that file for Binwalk test for God’s sake ! ( check : http://code.google.com/p/binwalk/wiki/Installation for more informations on how to install it ).
This is what Binwalk told me about that file :
You can clearly see and confirm that the router is using zynos firmware. We can also see that there is two blocks of LZMA compressed data … let’s extract them and have a look.
The problem is that when I tried to decompress the two blocks I get an error : ” Compressed data is corrupt “
Hmm, first the “ras” file was in LIF format .. and now the lzma compress blocks are corrupted !!
I googled this and tried to find a solution for this, FOUND NOTHING . How am I going to solve this ??
One idea came in my mind .. “Strings” command and here is what I got :
Aaaah ! so the blocks aren’t compressed with LZMA or anything ! and the whole “ras” firmware file is just big chunk of data in clear text.
Ok, let’s try and find some useful STRINGS …
After some time searching “I” didn’t find the useful thing that will help us find vulnerabilities on the firmware !!
I didn’t give up …
I just was thinking and questioning :
- Me: What do you want from this firmware file !
- Me: I want to find remote vulnerabilities that will help me extract the “admin” password.
- Me: Does the web interface let you save the current configuration ?
- Me: yes !!
- Me: Is the page password protected ?
- Me: No !!! I tired to access that page on a different IP and it didn’t require a passowrd !
Ok, enough questions haha ..
Now, when I activated TamperData and clicked “ROMFILE SAVE” I’ve found out that the rom-0 file is located on “IP/rom-0″ and the directory isn’t password protected or anything.
So we are able to download the configuration file which contains the “admin” password. I took a look at rom-0 file and couldn’t figure out how to reverse-engineer it, and when you don’t know something it’s not a shame to ask for help .. and that’s what I did !
I contacted “Craig” from devttys0.com, he is an expect when it comes to hacking embdded devices . He’s a great guy and he replied to my email and pointed me to http://188.8.131.52/zynos.php which is a free rom-0 file decompressor .
When you upload and submit the rom-0 file there, the php page replies back with the configuration in clear text ( INCLUDING THE PASSWORD ) .
So what i need to do now is to automate the process of :
- Download rom-0 file.
- Upload it to http://184.108.40.206/zynos.php
- get the repy back and extract the admin password from it.
- loop this process to a range of ip addresses.
And that’s exactly what I did, I opened an OLD OLD poc python script of mine that accessed routers via telnet using the default passwords. So what I just need to do now is to add some functionality to it.
Well I thought about this, and I’m posting this script online ONLY FOR EDUCATIONAL PURPOSES.
You can find the scripts here : https://github.com/MrNasro/zynos-attacker/
PS : I OWN ALL THE IP RANGE I WAS SCANNING ” FOR SURE ;) “
Now ! how do you prevent attackers from downloading your rom-0 configuration file and manipulating your router ? This is pretty simple if you think about it ..
You just have to forward port 80 on the router to and inused IP address on your network :
THATS ALL, or if you want to play a little with attackers that are using scripts too .. just forward port 80 to you local http server and put a LARGE file in the root directory and name it rom-0 .. just let them download like 1GB rom-0 file haha haha .. I have also automated the process of port forwarding and I’m running the scripts daily just to prevent hackers from attacking weak users …
In the next post I’ll demonstrate how would a malicious hacker exploit this to hack TONS of networks and get a meterpreter/reverse_shell on every PC on the target network ..
Hope you enjoyed this analysis, if you have anything to add or any questions to ask don’t hesitate to contact me ! BE THEIR HERO, HAPPY HACKING ;)
The decoded.php script is now located at : http://220.127.116.11/zynos/decoded.php , I have updated the code.py script