Recently Jazztel (my ISP) replaced the router I was using (ZTE H218N) with a new router known as "Livebox Fibra". This new router is used by Jazztel and Orange here in Spain. A lot of people have been trying to extract the SIP data and the ONT password in order to configure other custom routers. There are some public ways to root the router, but we are not going to talk about that in this blog post.
In this blog post, I am going to introduce you a security issue with this router that allows an attacker to take full control of the router if the router web server is exposed to the Internet or if the attacker is connected to the router (for example by using a malicious app in the smartphone of the owner of the router).
The router provides a web page to configure it.
But you can also use an iOS and Android app to configure the router (called "Mi Livebox"):
The first time I started the app, I was surprised because the app showed the router status without asking me for a user and password. Also, I was able to modify some router params without having to put any user or password. I thought: "I need to know what magic way it is using to do this!" ;P
I configured Burp Proxy on my phone and started to see the traffic..
Do you see that? No? It is using Basic HTTP Auth! But what is it using as user and password?
base64decode('[AUTH_HEADER]') = ApiUsr:ApiUsrPass
So it is using a harcoded user and password!!
But it only uses this user and password in the first call to the router API (http://192.168.1.1/API/WAN).. The router returns the MAC address and other general information. The rest of API endpoints does not work with this user and password..
If we see the rest of the request to the API, we can see that It uses another auth info in all the rest of requests.. If we decode this Base64 string, we obtain the following:
UsrAdmin:[Some Trash]
So it seems that the password for the "UsrAdmin" user is generated with some other data.. I said: "Ok, let's decompile and reverse engineer the APK" ;P
In com/orange/milivebox/es/main/utils/Utils.smali we find the function "lambda$getCredentialsAPIrouter$0" that receives as params the MAC address of the router and a variable called "secret", whose value is "MiLiveBoxApp".
This function does the following:
- Removes the ":" in the MAC address. cleanedMac = mac.replace(":","")
- Generates the MD5 of the "secret" variable ("MiLiveBoxApp")
- To the MD5 value, it appends the first 16 chars of the MD5. MD5("MiLiveBoxApp") = "62ea048211246ab16d2ef5729b7520ad"; so finally key="62ea048211246ab16d2ef5729b7520ad62ea048211246ab1".
- It encrypts the cleanedMac using TripleDES ECB using the generated key as key.
Now, we know how the app and the router generate the password, so now we can generate the password and make requests to configure whatever we want in the router! An attacker could just create a malicious app to steal your SIP data (accesible in the endpoint http://192.168.1.1/API/VoIP/SIP/Lines/) or get your calls log (http://192.168.1.1/API/CallRegistry) or get/set your WiFi password (http://192.168.1.1/API/LAN/WIFI/) or whatever he want.
You can get a list of the available endpoints in: http://192.168.1.1/API/Capabilities
There is also a "UsrOrange" user with the same password than "UsrAdmin". It is also allowed to access to the API. It seems like a special user for support.
There is also a "UsrOrange" user with the same password than "UsrAdmin". It is also allowed to access to the API. It seems like a special user for support.
What to do if you are a customer / How to protect yourself
The latest version of the firmware is: "AR_LBFIBRA_sp-00.03.04.112S(Thu Aug 31 17:59:39 2017)". There is no fix for this issue, so you have to protect yourself.
- Do not expose your router to the internet. Check your NAT config on your router. There are an important number of routers exposed on Shodan..
- The endpoint "http:/192.168.1.1/API/Access/LanApi" (for UsrAdmin) and "http:/192.168.1.1/API/Access/OspApi" (for UsrOrange) accept "GET" and "PUT" requests. GET gives you the password for UsrAdmin and UsrOrange, but you can change it by sending a "PUT" request with the following body (and reboot your router):
- http:/192.168.1.1/API/Access/LanApi: For UsrAdmin: {"User":"UsrAdmin","Password":"NewPassword"}
- http:/192.168.1.1/API/Access/OspApi: For UsrAdmin: {"User":"UsrOrange","Password":"NewPassword"}
- Configure another router
Tools
Since there are a lot of people that want to extract their SIP data to configure other routers, I have developed a small tool in Java to extract the SIP data from the router using this security issue. This tool also gives you the possibility of changing your UsrAdmin and UsrOrange password to protect you of malicious apps.
You can download and check the source code here: https://github.com/segura2010/LiveboxFibraExtractor
I hope you liked this blog post! See you in the next post!
I hope you liked this blog post! See you in the next post!