Create a gist now

Instantly share code, notes, and snippets.

Embed
What would you like to do?
[CVE-2018-6311 and CVE-2018-6312] Foxconn femtocell remote and local root access Raw

CVE-2018-6311

[Suggested description] One can gain root access on the Foxconn femtocell FEMTO AP-FC4064-T version AP_GT_B38_5.8.3lb15-W47 LTE Build 15 via UART pins without any restrictions, which leads to full system compromise and disclosure of user communications.


[VulnerabilityType Other] Insufficient physical access control


[Vendor of Product] Foxconn Electronics Inc.


[Affected Product Code Base] FEMTO AP-FC4064-T - AP_GT_B38_5.8.3lb15-W47 LTE Build 15


[Affected Component] UART Pins on mother board


[Attack Type] Physical


[Impact Code execution] true


[Impact Denial of Service] true


[Impact Escalation of Privileges] true


[Impact Information Disclosure] true


[Attack Vectors] Physical access via UART pins


[Discoverer] CFL Lab

CVE-2018-6312

[Suggested description] A privileged account with a weak default password on the Foxconn femtocell FEMTO AP-FC4064-T version AP_GT_B38_5.8.3lb15-W47 LTE Build 15 can be used to turn on the TELNET service via the web interface, which allows root login without any password. This vulnerability will lead to full system compromise and disclosure of user communications.


[VulnerabilityType Other] CWE-521: Weak Password Requirements, CWE-284: Improper Access Control, CWE-259: Use of Hard-coded Password


[Vendor of Product] Foxconn Electronics Inc.


[Affected Product Code Base] FEMTO AP-FC4064-T - AP_GT_B38_5.8.3lb15-W47 LTE Build 15


[Affected Component] Whole operating system


[Attack Type] Remote


[Impact Code execution] true


[Impact Denial of Service] true


[Impact Escalation of Privileges] true


[Impact Information Disclosure] true


[Attack Vectors] Weak default privileged account password, Root access via telnet.


[Discoverer] CFL Lab

@DrmnSamoLiu

This comment has been minimized.

Show comment
Hide comment
@DrmnSamoLiu

DrmnSamoLiu Mar 9, 2018

POC

These vulnerabilities have already been patched and applied to all affected femtocells out there.
此漏洞已通報原廠及修補完畢

1

亞太電信是在台灣發展4G家用基站的先驅之一,也是目前最大力推廣家用基站的廠商。 從新聞稿來看,亞太計畫在全台包括車站、人潮多的市場、景點及社區等地部署超過上萬台的微型基地台,為將來的5G通訊時代鋪路。

和傳統基站不一樣的是,微型基站通常架設在比傳統基站容易接近的地方,家用基站甚至就直接開放民眾申請放置,因此硬體及軟體上的資訊安全管理將會是個很大的挑戰,我們也被委託檢測針對此家用基站進行相關檢測。
Asia Pacific Telecom Co.,Ltd. (APTG) is one of the first telecommunication service providers in Taiwan to deploy 4G femtocells.
As the company is campaigning to deploy their femtocells all over the nation in places like train stations, supermarkets and even in people's houses, we were tasked to check how they are doing on its information security.

2
由於顧及民眾安裝的便利性,說明書中的步驟只有接上電源、插入網路孔這兩個步驟。 微型基站確實也不像一般無線路由器或網路攝影機一樣,需要使用者自行設定帳號密碼等,因此這並不是大問題。
不過,因為家用基站是使用網路將資料傳輸至亞太電信的機房,因此我們就有機會從這台家用基站的網頁管理介面開始進行檢測。
The installation process is really simple: "Just plug it into your router/modem's LAN port and power it up." as stated in official installation guide. So users won't need to make any changes or setup anything for its software.
However, we could still find the femtocell's IP address in our router's DHCP table and try to access its management webpage.
3
它的網頁管理介面相當樸素簡單,除了登入鍵之外沒有任何其他功能,因此我們就先從最簡單的密碼猜測開始。
對猜密碼有點經驗的人大概都會先從admin/admin開始猜,我們也不例外,因此在輸入並點擊登入鍵後……
At the first glance, it is a quite plain login page with limited functions and things to play with.
So, using the supernatural hacker instincts and impulse that everyone possesses, we typed in admin/admin as the username and password.
4
我們成功登入了!
And quite unexpectedly.... We're logged in.

不過雖然admin看起來像是最高權限的管理者帳號,我們卻發現它並不能進行任何的修改動作,系統會警告權限不足,顯然還有其他帳號的權限更大。
Fortunately, although the username sounds like it's privileged, it's actually not a super user, as we can't view or edit any sensitive data from the webpage.
5

進行幾組帳號密碼猜測都沒結果後,我們決定把機殼拆開,看看是否可以從硬體層得到什麼資訊。
電路板上有幾組排針,我們也從中找到了UART介面用的接腳。
After trying a bunch of other username/password combinations with no luck, we opened up the case and tried to see if we can gain access via local ports.
6

非常意外的是,UART介面沒有任何軟體上的防護,而且root帳號根本沒有密碼!
我們就這樣不小心得到了微型基站的root權限。
We successfully identified some UART pins on the motherboard, and here comes another surprise....
7

There's no password for root login!
We just gained root access to this femtocell with barely any efforts.

得到root權限後,剩下的就會容易許多。
因為是要檢測資安問題,我們決定從剛剛的網頁介面著手。一番搜尋後,終於找到了網頁介面的設定檔,並找出了另外三組帳號及密碼的hash值。
From then on, we began our journey to discover further exploits.
With some help of the hacker instincts, three more web management account was found, but the password was hashed.

8

亞太電信的家用基站是由身為最大股東的鴻海公司製造的,這一點基站背後就有標明,因此foxconn這組帳號顯得非常特別。
The manufacturer and vendor of APTG's femtocells is actually Foxconn Electronics Inc. , so apparently our manufacturer had left themselves a way to access and manage these femtocells.

我們把密碼的hash值丟給john進行字典檔破解,結果很意外地馬上就完成了,也發現密碼的強度真的都和admin/admin差不多……
We fed those password hashes to john and IMMEDIATELY get the password cracked. For security reasons, we can only reveal that the passwords are just 8 digits long and solely composed of lower case alphabets.

既然密碼已經破解成功,我們嘗試登入foxconn帳號,也如預期的一樣發現這個帳號才是最高權限的帳號。
它能使用的功能比admin多出非常多,而且也能看到所有的重要資訊,其中甚至還有加密通訊用的IPsec金鑰。
Knowing the passwords, we logged in as foxconn and voilà.... EVERYTHING IS THERE.
We can even see the IPsec SA keys to use it to decrypt communication.
9
10

11
(before decryption)
12
(after decryption)

13
有一項功能是從網頁介面開啟Telnet服務,因此我們也試著從Telnet登入看看。
Moreover, there's an "Enable Telnet" tab in the menu to start Telnet service on the system, so we clicked it and tried to login via Telnet.

14
發現Telnet允許root登入,而且剛剛大家也知道root沒有設密碼了!
The last surprise here is .... it allows root access! With that empty password!

到此我們可以發現,只要任何人有機會連接到家用基站的網頁管理介面,都能夠使用基本的暴力破解或字典檔攻擊,輕易登入foxconn帳號並開啟Telnet服務,最終獲得整台裝置的root權限。
這代表這台基站可能被用來發動攻擊或做為跳板、而且任何經過這台基站的通訊都不再是安全的。
So this is it, with its weak account name and passwords, anyone who's able to visit the femtocell's management webpage can brute force/dictionary attack it and gain root control of the system. Not only the device may be used to launch attacks, any communications going in and out from it won't be safe anymore.

這些漏洞其實不只在亞太家用基站才有,而是整個資訊業界常犯的錯誤,一旦被利用了,後果不堪設想。 尤其這類裝置的特性就是每一台的設定都一模一樣,只要一台被破解了,等於全部的裝置都被破解。
通報亞太及鴻海後,他們以相當高的效率修補好了這些問題,並且所有上線的微型基站都已更新過,我們也實測過這篇文章中的攻擊手法都沒用了。

亞太電信在此事件後更積極地投入資安防護,我們也呼籲台灣各資通訊業者務必持續加強資安防護能力( 或是找專業資安團隊洽談;D )。

These are fairly simple vulnerability of course, but it applies to all devices using the same firmware. Considering the amount of femtocells already and will be out there, this might pose a serious problem if not been discovered and patched.
Fortunately, after reporting to APTG and Foxconn, they released a patch within a week and resolved these problems. Every APTG femtocell online will be automatically patched and should be more secured, at least all the methods shown in this post won't succeed again.
-CFL Lab

Owner

DrmnSamoLiu commented Mar 9, 2018

POC

These vulnerabilities have already been patched and applied to all affected femtocells out there.
此漏洞已通報原廠及修補完畢

1

亞太電信是在台灣發展4G家用基站的先驅之一,也是目前最大力推廣家用基站的廠商。 從新聞稿來看,亞太計畫在全台包括車站、人潮多的市場、景點及社區等地部署超過上萬台的微型基地台,為將來的5G通訊時代鋪路。

和傳統基站不一樣的是,微型基站通常架設在比傳統基站容易接近的地方,家用基站甚至就直接開放民眾申請放置,因此硬體及軟體上的資訊安全管理將會是個很大的挑戰,我們也被委託檢測針對此家用基站進行相關檢測。
Asia Pacific Telecom Co.,Ltd. (APTG) is one of the first telecommunication service providers in Taiwan to deploy 4G femtocells.
As the company is campaigning to deploy their femtocells all over the nation in places like train stations, supermarkets and even in people's houses, we were tasked to check how they are doing on its information security.

2
由於顧及民眾安裝的便利性,說明書中的步驟只有接上電源、插入網路孔這兩個步驟。 微型基站確實也不像一般無線路由器或網路攝影機一樣,需要使用者自行設定帳號密碼等,因此這並不是大問題。
不過,因為家用基站是使用網路將資料傳輸至亞太電信的機房,因此我們就有機會從這台家用基站的網頁管理介面開始進行檢測。
The installation process is really simple: "Just plug it into your router/modem's LAN port and power it up." as stated in official installation guide. So users won't need to make any changes or setup anything for its software.
However, we could still find the femtocell's IP address in our router's DHCP table and try to access its management webpage.
3
它的網頁管理介面相當樸素簡單,除了登入鍵之外沒有任何其他功能,因此我們就先從最簡單的密碼猜測開始。
對猜密碼有點經驗的人大概都會先從admin/admin開始猜,我們也不例外,因此在輸入並點擊登入鍵後……
At the first glance, it is a quite plain login page with limited functions and things to play with.
So, using the supernatural hacker instincts and impulse that everyone possesses, we typed in admin/admin as the username and password.
4
我們成功登入了!
And quite unexpectedly.... We're logged in.

不過雖然admin看起來像是最高權限的管理者帳號,我們卻發現它並不能進行任何的修改動作,系統會警告權限不足,顯然還有其他帳號的權限更大。
Fortunately, although the username sounds like it's privileged, it's actually not a super user, as we can't view or edit any sensitive data from the webpage.
5

進行幾組帳號密碼猜測都沒結果後,我們決定把機殼拆開,看看是否可以從硬體層得到什麼資訊。
電路板上有幾組排針,我們也從中找到了UART介面用的接腳。
After trying a bunch of other username/password combinations with no luck, we opened up the case and tried to see if we can gain access via local ports.
6

非常意外的是,UART介面沒有任何軟體上的防護,而且root帳號根本沒有密碼!
我們就這樣不小心得到了微型基站的root權限。
We successfully identified some UART pins on the motherboard, and here comes another surprise....
7

There's no password for root login!
We just gained root access to this femtocell with barely any efforts.

得到root權限後,剩下的就會容易許多。
因為是要檢測資安問題,我們決定從剛剛的網頁介面著手。一番搜尋後,終於找到了網頁介面的設定檔,並找出了另外三組帳號及密碼的hash值。
From then on, we began our journey to discover further exploits.
With some help of the hacker instincts, three more web management account was found, but the password was hashed.

8

亞太電信的家用基站是由身為最大股東的鴻海公司製造的,這一點基站背後就有標明,因此foxconn這組帳號顯得非常特別。
The manufacturer and vendor of APTG's femtocells is actually Foxconn Electronics Inc. , so apparently our manufacturer had left themselves a way to access and manage these femtocells.

我們把密碼的hash值丟給john進行字典檔破解,結果很意外地馬上就完成了,也發現密碼的強度真的都和admin/admin差不多……
We fed those password hashes to john and IMMEDIATELY get the password cracked. For security reasons, we can only reveal that the passwords are just 8 digits long and solely composed of lower case alphabets.

既然密碼已經破解成功,我們嘗試登入foxconn帳號,也如預期的一樣發現這個帳號才是最高權限的帳號。
它能使用的功能比admin多出非常多,而且也能看到所有的重要資訊,其中甚至還有加密通訊用的IPsec金鑰。
Knowing the passwords, we logged in as foxconn and voilà.... EVERYTHING IS THERE.
We can even see the IPsec SA keys to use it to decrypt communication.
9
10

11
(before decryption)
12
(after decryption)

13
有一項功能是從網頁介面開啟Telnet服務,因此我們也試著從Telnet登入看看。
Moreover, there's an "Enable Telnet" tab in the menu to start Telnet service on the system, so we clicked it and tried to login via Telnet.

14
發現Telnet允許root登入,而且剛剛大家也知道root沒有設密碼了!
The last surprise here is .... it allows root access! With that empty password!

到此我們可以發現,只要任何人有機會連接到家用基站的網頁管理介面,都能夠使用基本的暴力破解或字典檔攻擊,輕易登入foxconn帳號並開啟Telnet服務,最終獲得整台裝置的root權限。
這代表這台基站可能被用來發動攻擊或做為跳板、而且任何經過這台基站的通訊都不再是安全的。
So this is it, with its weak account name and passwords, anyone who's able to visit the femtocell's management webpage can brute force/dictionary attack it and gain root control of the system. Not only the device may be used to launch attacks, any communications going in and out from it won't be safe anymore.

這些漏洞其實不只在亞太家用基站才有,而是整個資訊業界常犯的錯誤,一旦被利用了,後果不堪設想。 尤其這類裝置的特性就是每一台的設定都一模一樣,只要一台被破解了,等於全部的裝置都被破解。
通報亞太及鴻海後,他們以相當高的效率修補好了這些問題,並且所有上線的微型基站都已更新過,我們也實測過這篇文章中的攻擊手法都沒用了。

亞太電信在此事件後更積極地投入資安防護,我們也呼籲台灣各資通訊業者務必持續加強資安防護能力( 或是找專業資安團隊洽談;D )。

These are fairly simple vulnerability of course, but it applies to all devices using the same firmware. Considering the amount of femtocells already and will be out there, this might pose a serious problem if not been discovered and patched.
Fortunately, after reporting to APTG and Foxconn, they released a patch within a week and resolved these problems. Every APTG femtocell online will be automatically patched and should be more secured, at least all the methods shown in this post won't succeed again.
-CFL Lab

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment