A vulnerability and a hidden admin account all inside “SITEL DS114-W” routers !

Hello, hope you are doing well everyone! It has been a long time since my last post; let's say I was occupied by some stuff, but I'm back with a new discovery🙂

As an Algerian internet consumer, I'm a subscriber of “Djaweb ISP” as I don't have much choice — let's not talk about that now and dive into some serious stuff!

I found out that the routers shipped by the Algerian ISP “Djaweb” are backdoored with a secret admin account, and as it appears they didn't do a good job of hiding it… not only that, but there is a session management vulnerability too!

EXPLORATION :

As usual, the internet goes down from time to time and we are used to that in Algeria, but this time it took a long time, so I went to restart the modem from the web interface.

VULNERABILITY #1 :

But after restarting it I logged out and kept looking at the “login” page thinking “What if there is a vulnerability inside..?” and that's when the journey started..

[Screenshot: the router login page]

As usual, I hooked up “Burp” as a proxy and logged in:

[Screenshot: the login request captured in Burp]

“Cookie: SessionID=3” … too easy to predict!

Now comes Burp's “Intruder” functionality: it allows us to brute force any parameter inside the request, and that's exactly what we need to brute force the SessionID.

Steps: (quick tips for Burp)

1- Right click on the request and click “Send to Intruder”

2- Go to the “Intruder” tab and you'll see:

[Screenshot: Burp Intruder tab]

3- Navigate to “Positions”, that's where we specify the parameter we want to brute force. Leave the “Attack type” as “Sniper”.

[Screenshot: Intruder “Positions” tab with the SessionID cookie marked]

4- Go to “Payloads” and set the payload type to “Numbers” with:

  • Type : Sequential
  • From : 1
  • To : 100
  • Step : 1

[Screenshot: Intruder “Payloads” tab]

So in total Intruder will make 100 requests to the router.

Now with everything set, I fired up the Intruder attack and…

[Screenshot: Intruder attack results]

We can see that session #4 is the one the web app had initialized for our access:

[Screenshot: response for SessionID=4]

But when scrolling down we see some weird things:

[Screenshot: responses for SessionID=40 to 49]

Sessions 40 to 49 are also initialized. When I logged off, those sessions dropped; when I logged back in and brute forced the session IDs again, another 10 sessions appeared, initialized on a different range.

A user only requires one session to be initialized, and it should be bound only to the user who logged in and nobody else. Here, when the user logs in, other sessions are initialized as well, giving an attacker with a simple brute force access to the router without knowing the password.

This makes up a session management vulnerability.
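To show what the correct design looks like, here is an added example (my own illustration, not the router's firmware or any code from the post): a minimal session store that creates exactly one session per login with an unguessable ID from the OS CSPRNG, beside an audit helper you can run over session IDs captured from your own device to flag the two properties observed above (small sequential integers, and far too little entropy to resist enumeration). The `SessionStore` and `audit_session_ids` names and the 64-bit threshold are my choices.

```python
import math
import secrets
from typing import Dict, List, Optional


class SessionStore:
    """Hardened session store: one session per login, IDs that cannot be enumerated."""

    def __init__(self, id_bytes: int = 32):
        self._id_bytes = id_bytes
        self._sessions: Dict[str, str] = {}  # session id -> username

    def login(self, username: str) -> str:
        # token_urlsafe draws from the OS CSPRNG; 32 bytes is 256 bits of
        # randomness, so guessing a live ID by counting upwards is hopeless.
        sid = secrets.token_urlsafe(self._id_bytes)
        self._sessions[sid] = username  # exactly one session, bound to this user
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        """Return the user bound to sid, or None if no such session exists."""
        return self._sessions.get(sid)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def active_count(self) -> int:
        return len(self._sessions)


def audit_session_ids(ids: List[str], min_bits: int = 64) -> List[str]:
    """Flag weak session IDs in a sample captured from your own logins.

    Returns a list of findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    if all(s.isdigit() for s in ids):
        nums = sorted(int(s) for s in ids)
        if len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:])):
            findings.append("sequential")
        findings.append("numeric-only")
    # Generous upper bound on entropy: shortest ID length times log2 of the
    # alphabet actually observed. A real token would clear 64 bits easily.
    alphabet = set("".join(ids))
    shortest = min(len(s) for s in ids)
    est_bits = shortest * math.log2(max(len(alphabet), 2))
    if est_bits < min_bits:
        findings.append(f"low-entropy (~{est_bits:.0f} bits)")
    return findings


if __name__ == "__main__":
    # Constructed sample: the kind of cookie values seen in the post.
    print("weak sample:", audit_session_ids(["3", "4", "5", "6"]))
    store = SessionStore()
    strong = [store.login("owner") for _ in range(3)]
    print("strong sample:", audit_session_ids(strong))
```

Run against a handful of `SessionID` values you captured yourself; a result like `['sequential', 'numeric-only', 'low-entropy (~2 bits)']` is exactly the signature the post describes, while a healthy implementation returns nothing.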


The vendor has been notified but there has been no response from them.

VULNERABILITY #2 :

I had a sense that there was more than one vulnerability inside that damn thing… so I went further, testing every functionality from login to rebooting the modem, and while doing that I came across another weird thing. It resides inside the config file.

Step 1: I saved the config file, with Burp hooked up as usual.

Step 2: The router gives you a “.img” file which, when opened under OSX, gives you:

[Screenshot: OSX error when trying to open the “.img” file]

As it's not a valid image to be mounted, I looked into the Burp request/response raw data and, surprisingly:

[Screenshot: raw config file contents in the Burp response]

The configuration parameters are saved in plain text!!! I inspected every parameter inside until…:

[Screenshot: the account entries inside the config file]

The first two accounts are the ones I set myself and the passwords are the ones I specified, but what about that 3rd “admin” account that has a parameter saying `<V N="BACKDOOR" V="0x1"/>`, which means “BACKDOOR = YES”?
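If you own one of these devices, the saved config is something you can audit yourself. The following is an added example (mine, not the vendor's format specification or code from the post): it parses a config in the `<V N="..." V="..."/>` parameter style shown above and reports any account carrying a `BACKDOOR` flag, any account the owner did not create, and whether passwords are stored in the clear. The surrounding element names (`CONFIG`, `ACCOUNTS`, `ACCOUNT`) and the sample values are constructed assumptions, since the post only shows the individual `<V .../>` parameters.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed sample config. Only the <V N="..." V="..."/> parameter style and the
# BACKDOOR/0x1 flag come from the post; everything else here is assumed.
SAMPLE_CONFIG = """<CONFIG>
  <ACCOUNTS>
    <ACCOUNT>
      <V N="USERNAME" V="user"/>
      <V N="PASSWORD" V="owner-chosen-1"/>
      <V N="BACKDOOR" V="0x0"/>
    </ACCOUNT>
    <ACCOUNT>
      <V N="USERNAME" V="support"/>
      <V N="PASSWORD" V="owner-chosen-2"/>
      <V N="BACKDOOR" V="0x0"/>
    </ACCOUNT>
    <ACCOUNT>
      <V N="USERNAME" V="admin"/>
      <V N="PASSWORD" V="PLACEHOLDER-NOT-A-REAL-VALUE"/>
      <V N="BACKDOOR" V="0x1"/>
    </ACCOUNT>
  </ACCOUNTS>
</CONFIG>"""


def parse_accounts(xml_text: str) -> List[Dict[str, str]]:
    """Turn each <ACCOUNT> block into a dict of its N -> V parameters."""
    root = ET.fromstring(xml_text)
    accounts = []
    for acct in root.iter("ACCOUNT"):
        params = {v.get("N", ""): v.get("V", "") for v in acct.findall("V")}
        accounts.append(params)
    return accounts


def flag_is_set(value: str) -> bool:
    """Interpret the hex-style flag values ("0x0", "0x1") used in the config."""
    try:
        return int(value, 16) != 0
    except ValueError:
        return value.strip().lower() in ("1", "yes", "true")


def audit_accounts(accounts: List[Dict[str, str]], expected_users: Set[str]) -> List[str]:
    """Return one finding per problem: backdoor flags and accounts the owner never made."""
    findings: List[str] = []
    for acct in accounts:
        name = acct.get("USERNAME", "<unnamed>")
        if flag_is_set(acct.get("BACKDOOR", "0x0")):
            findings.append(f"{name}: BACKDOOR flag set")
        if name not in expected_users:
            findings.append(f"{name}: account not created by the owner")
    return findings


def stores_cleartext_passwords(accounts: List[Dict[str, str]]) -> bool:
    """True if any account carries a readable PASSWORD parameter (no hashing)."""
    return any(acct.get("PASSWORD") for acct in accounts)


if __name__ == "__main__":
    accts = parse_accounts(SAMPLE_CONFIG)
    for line in audit_accounts(accts, expected_users={"user", "support"}):
        print("FINDING:", line)
    if stores_cleartext_passwords(accts):
        print("FINDING: passwords are stored in clear text in the config backup")
```

Feed it the raw body of the config download (after confirming it is XML and not a real disk image) and compare the reported usernames against the accounts you know you created; anything extra, and especially anything with the flag set, is a reason to change credentials and block management access from the WAN side.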

Trying to SSH into the router with that account:

[Screenshot: SSH session opened with the hidden admin account]

Aaaand, IT WORKS !!!


Well, obviously the routers are shipped by the ISP with a backdoor account, and this is the 2nd discovery! I have built a Python script that automates the two attacks:

  • If the user is already logged into the router and has a valid session, we can brute force the whole range from 1 to 100 to find the other initialized sessions; to save time you can choose a step of “10” from 1 to 100, so you only make “10” requests to the router instead of “100” to successfully log in.
  • If the attacker is not sure whether the user is logged into the account and wants access, then use the backdoor account: Username: admin, Password: 5B80airocon

The vendor has been notified but there has been no response from them.

CONCLUSION :

Routers are becoming the main attack surface for bad hackers, as they are the entry point for taking over your network. Make sure your router is secure and doesn't expose any service (HTTP, SSH, FTP) to the wild web.

As usual happy hacking🙂, for any questions please leave a comment !


6 thoughts on “A vulnerability and a hidden admin account all inside “SITEL DS114-W” routers !”

  2. Sou says:

    nice discovery, at least you know how to use your time even if no internet connection is available (i.e: modern age oxygen), oh, and your password is 13 characters (just teasing you :p)

  3. MOh says:

    Well done bro! Just discovered your blog and this is actually the first post I read, awesome!
    And, yeah, still no response from the vendor? lol

  4. farouk says:

    Very nice. The first time I saw that modem I smelled the vulnerability, pfff they gave me that shit and until now they are still blocking my ADSL port
