hack-technicolor / hack-technicolor

Hacking Technicolor Gateways wiki repository
https://hack-technicolor.rtfd.io/en/stable/
GNU General Public License v3.0

Support for Technicolor DGA4231VDF (VCNT-I) from Vodafone in UK #122

Open Ansuel opened 4 years ago

Ansuel commented 4 years ago

General info

My gateway is currently running firmware version 17.4.c.0277-2441004-20190521105542 from Vodafone in UK

Did anybody ever manage to get root on that device already? No. Other variants with older firmware are vulnerable to the DDNS bug... Tested, and it seems to be patched (a direct request responds with "failed to save").

Say something more about the adopted strategy here

This should be vulnerable to the #C strategy, but I can't manage to make it work. The default Vodafone configuration for the UK should be using a PPPoE connection.

Firmware versions

There are 2 versions. The modem was born with 17.4.c and then they updated it to 19.3. I still can't find any way to download the RBI.

Other details


The RBIs are sent with CWMP, so to grab them we need to sniff a CWMP transaction and steal the firmware repo from vodafone.co.uk. I checked the web UI, and the Vodafone devs produce a general web UI for all the variants and then just disable some parts based on the country (for example NZ has tons more features than the UK variant). Trying to access a disabled page results in a 404 Not Found.

Connecting the Ethernet WAN port causes the internet LED to blink, so it seems it does try to do some type of connection using the WAN port, but tch-exploit still doesn't see anything. Can someone give me some hints on how to check what the modem actually does, using Wireshark?

Ansuel commented 4 years ago

Using tch-exploit, the tool doesn't even detect any DHCP request... Anyway, according to the Vodafone guide the router should work in 2 ways: with an xDSL cable, or connected to an ONT with an Ethernet cable. (The LED switches from red blinking to white blinking when I connect an Ethernet cable to the WAN port.)

Any idea how to check why nothing is detected?

LuKePicci commented 4 years ago

First, let a Linux PC connected to its WAN port sniff any packet. You should see some PADI packets (for PPPoE) coming from some VLAN ID.

tch-exploit can be used, but it won't handle the L3 link (it only supports DHCP) and thus ACS discovery.

This means you need to use pppoe-server to set up a working PPPoE link for it.

I will tell you how to send ACS discovery messages over PPPoE using pppoe-server once you manage to get it connected in your lab environment.

Ansuel commented 4 years ago

Yep, I have the PADI packet...

LuKePicci commented 4 years ago

Sidenote: once you manage to get it connected and bootstrapped from the ACS of your choice, it will probably be easier (for testing purposes) to set up a real ACS instead of going directly with tch-exploit.

LuKePicci commented 4 years ago

> yep I have the PADI packet...

Cool, which VLAN?

Ansuel commented 4 years ago
```text
0000   ff ff ff ff ff ff 20 b0 01 31 4b 9c 88 63 11 09   ...... ..1K..c..
0010   00 00 00 13 01 01 00 00 01 03 00 0b 43 50 31 39   ............CP19
0020   31 38 55 41 35 39 59 00 00 00 00 00 00 00 00 00   18UA59Y.........
0030   00 00 00 00 00 00 00 00                           ........
```

From Wireshark I have PPPoE tags with Host-Uniq; I can't find anything else.

LuKePicci commented 4 years ago

No VLAN layer like this? [screenshot]

Ansuel commented 4 years ago

Nope, just Frame to Ethernet II to PPP-over-Ethernet.

LuKePicci commented 4 years ago

That's fine, just make sure it's not there on ANY received PADI; sometimes the router tries to sense over both plain eth and VLAN.

So, get the latest pppoe-server version; you have two command line arguments available to set HURL and MOTM headers in dedicated PADM packets. Let it connect, set the PPPoE server to propose PAP (so you will see its default credentials in plaintext when it tries to use them, failing), and configure it to accept whatever hardcoded PPPoE credentials the router is using by default (from what you just saw in the failed login attempts). Let me know when you're done.

LuKePicci commented 4 years ago

Also make sure the 8021q driver is not loaded, otherwise you won't see VLAN tagged packets on the plain eth0 (or whatever) interface.
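
Worked example, added by the editor and not code from this thread or from the hack-technicolor project: a parser for the PPPoE discovery frames being sniffed here, using the PADI hex dump posted above as its sample input, plus a builder for the PADM reply that pppoe-server emits when given -H (HURL) and -M (MOTM). The parser handles both the untagged frame from the dump and a constructed 802.1Q-tagged copy of it, which is the case the 8021q-driver remark is about. The PADM/HURL/MOTM numeric values are what I recall from rp-pppoe's pppoe.h and should be checked against the installed version; the AC MAC a0:ce:c8:10:89:dc is inferred from the interface name enxa0cec81089dc used later in the thread, and the HURL/MOTM strings are illustrative assumptions.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_PPPOE_DISC = 0x8863
PPPOE_VER_TYPE = 0x11            # version 1, type 1

# Discovery codes and tag types from RFC 2516. PADM, HURL and MOTM are the
# rp-pppoe extensions behind pppoe-server's -H and -M switches; these three
# numbers are what I recall from rp-pppoe's pppoe.h (assumption: verify them
# against the version you installed).
CODE_PADI = 0x09
CODE_PADM = 0xD3
TAG_END_OF_LIST = 0x0000
TAG_SERVICE_NAME = 0x0101
TAG_HOST_UNIQ = 0x0103
TAG_HURL = 0x0111
TAG_MOTM = 0x0112

# The PADI from the hex dump posted in this thread, re-typed as raw bytes.
PADI_FRAME = bytes.fromhex(
    "ffffffffffff" "20b001314b9c" "8863"           # dst, src (CPE), ethertype
    "11" "09" "0000" "0013"                        # ver/type, PADI, session 0, length 19
    "0101" "0000"                                  # Service-Name tag, empty
    "0103" "000b" "4350313931385541353959"         # Host-Uniq "CP1918UA59Y"
    + "00" * 17                                    # Ethernet padding
)
# AC MAC inferred from the interface name enxa0cec81089dc (assumption).
AC_MAC = bytes.fromhex("a0cec81089dc")


def with_vlan_tag(frame: bytes, vlan_id: int) -> bytes:
    """Constructed test input: the same frame with an 802.1Q header inserted."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF) + frame[12:]


def parse_discovery(frame: bytes) -> dict:
    """Parse a raw Ethernet frame carrying a PPPoE discovery packet.

    Handles an optional 802.1Q tag (vlan is None when the frame is untagged)
    and uses the PPPoE length field so Ethernet padding is never read as tags.
    """
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlan, offset = tci & 0x0FFF, offset + 4
    if ethertype != ETHERTYPE_PPPOE_DISC:
        raise ValueError(f"not PPPoE discovery (ethertype 0x{ethertype:04x})")
    ver_type, code, session, length = struct.unpack_from("!BBHH", frame, offset)
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError(f"unexpected PPPoE ver/type 0x{ver_type:02x}")
    payload = frame[offset + 6:offset + 6 + length]
    tags, pos = {}, 0
    while pos + 4 <= len(payload):
        tag_type, tag_len = struct.unpack_from("!HH", payload, pos)
        pos += 4
        if tag_type == TAG_END_OF_LIST:
            break
        tags[tag_type] = payload[pos:pos + tag_len]
        pos += tag_len
    return {"dst": dst, "src": src, "vlan": vlan, "code": code,
            "session": session, "tags": tags}


def build_padm(cpe_mac: bytes, ac_mac: bytes, host_uniq: bytes,
               hurl: str, motm: str, vlan_id=None) -> bytes:
    """Build the PADM carrying the ACS URL (HURL) and the provcode/ntp string
    (MOTM), echoing the CPE's Host-Uniq the way pppoe-server does."""
    tags = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in (
        (TAG_HOST_UNIQ, host_uniq), (TAG_HURL, hurl.encode()), (TAG_MOTM, motm.encode())))
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, CODE_PADM, 0, len(tags)) + tags
    eth = struct.pack("!6s6s", cpe_mac, ac_mac)
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    return eth + struct.pack("!H", ETHERTYPE_PPPOE_DISC) + pppoe


def reply_to_padi(padi: bytes, ac_mac: bytes, hurl: str, motm: str) -> bytes:
    """Answer a sniffed PADI with a PADM on the same VLAN (or untagged)."""
    info = parse_discovery(padi)
    if info["code"] != CODE_PADI:
        raise ValueError("not a PADI")
    return build_padm(info["src"], ac_mac, info["tags"].get(TAG_HOST_UNIQ, b""),
                      hurl, motm, info["vlan"])


if __name__ == "__main__":
    for label, frame in (("untagged", PADI_FRAME), ("tagged", with_vlan_tag(PADI_FRAME, 101))):
        info = parse_discovery(frame)
        print(label, "vlan:", info["vlan"], "host-uniq:", info["tags"].get(TAG_HOST_UNIQ))
    print(reply_to_padi(PADI_FRAME, AC_MAC, "http://10.0.0.1:6666",
                        "provcode=0123456789ABCDEF,ntp1=10.0.0.1").hex())
```

If the parser reports a VLAN ID on any PADI, pppoe-server has to be bound to a VLAN sub-interface carrying that ID, and the PADM must go out tagged the same way; the parser reads raw frames, so with the 8021q driver unloaded it sees the tag exactly as Wireshark would.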

Ansuel commented 4 years ago

OK, so the next step is to establish a PPPoE server and make the modem connect to it. I have lots of PADI packets and no VLAN entry.

Ansuel commented 4 years ago

@LuKePicci could it be that I missed something... I'm posting a tcpdump from the connection to the error I get (on the pppoe-server running in the foreground I get Generic-Error and the Host-Uniq tag).

```text
14:58:35.973408 PPPoE PADT [ses 0x6] [Host-Uniq "CP1918UA59Y"]
14:58:35.984369 PPPoE PADI [Service-Name] [Host-Uniq "CP1918UA59Y"]
14:58:35.984482 PPPoE PADO [AC-Name "ubuntu"] [Service-Name] [AC-Cookie 0x060D1B7642F45CEA03380A5D72ABDCB711210000] [Host-Uniq "CP1918UA59Y"]
14:58:35.984931 PPPoE PADR [Service-Name] [Host-Uniq "CP1918UA59Y"] [AC-Cookie 0x060D1B7642F45CEA03380A5D72ABDCB711210000]
14:58:35.985441 PPPoE PADS [ses 0x7] [Service-Name] [Host-Uniq "CP1918UA59Y"]
14:58:36.004836 PPPoE  [ses 0x7] LCP, Conf-Request (0x01), id 1, length 16
14:58:36.005011 PPPoE  [ses 0x7] LCP, Conf-Request (0x01), id 1, length 20
14:58:36.005021 PPPoE  [ses 0x7] LCP, Conf-Ack (0x02), id 1, length 16
14:58:36.008425 PPPoE  [ses 0x7] LCP, Conf-Ack (0x02), id 1, length 20
14:58:36.008723 PPPoE  [ses 0x7] LCP, Echo-Request (0x09), id 0, length 10
14:58:36.018599 PPPoE  [ses 0x7] LCP, Echo-Request (0x09), id 0, length 10
14:58:36.018673 PPPoE  [ses 0x7] LCP, Echo-Reply (0x0a), id 0, length 10
14:58:36.030220 PPPoE  [ses 0x7] PAP, Auth-Req (0x01), id 1, Peer autoconfig@broadband.vodafone.co.uk, Name V0daf0n3!
14:58:36.030233 PPPoE  [ses 0x7] LCP, Echo-Reply (0x0a), id 0, length 10
14:58:37.600790 PPPoE  [ses 0x7] PAP, Auth-NACK (0x03), id 1, Msg Authentication failure
14:58:37.600824 PPPoE  [ses 0x7] LCP, Term-Request (0x05), id 2, length 27
14:58:37.605170 PPPoE  [ses 0x7] LCP, Term-Request (0x05), id 2, length 46
14:58:37.605194 PPPoE  [ses 0x7] LCP, Term-Ack (0x06), id 2, length 6
14:58:37.605484 PPPoE  [ses 0x7] LCP, Term-Ack (0x06), id 2, length 6
14:58:37.615361 PPPoE PADT [ses 0x7] [Host-Uniq "CP1918UA59Y"] [AC-Cookie 0x060D1B7642F45CEA03380A5D72ABDCB711210000]
14:58:37.615456 PPPoE PADT [ses 0x7] [Generic-Error "Received PADT"]
14:58:37.847738 PPPoE PADT [ses 0x7] [Host-Uniq "CP1918UA59Y"]
```

In the server instance I have this:

```text
PADT: Generic-Error: CP1918UA59Y
B�\�8 Generic-Error: 
]r�ܷ!
```
LuKePicci commented 4 years ago

Auth-NAK authentication failure, that is OK. Open the tcpdump output in Wireshark; you should see the PAP protocol messages with the credentials to set up an account for.

Ansuel commented 4 years ago

[screenshot] @LuKePicci OK, now? This should be it, correct?

I still have the NACK Msg Login Incorrect.

LuKePicci commented 4 years ago

OK, now make sure you configure pppoe-server as follows.

/etc/ppp/pppoe-server-options

```
...
require-pap
#require-chap
```

/etc/ppp/pap-secrets

```
# Secrets for authentication using PAP
# client                                 server   secret        IP addresses
"autoconfig@broadband.vodafone.co.uk"    *        "V0daf0n3!"   172.x.x.x
```
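
Worked example, added by the editor and not code from this thread or from pppd/pppoe-server: it builds a PPPoE session frame carrying a PAP Authenticate-Request with the credentials seen in the tcpdump above (a constructed frame, since the thread posts only tcpdump's summary line), parses such a frame back into peer-id and password, and then runs a simplified pap-secrets lookup over the file contents posted here to decide Auth-Ack versus Auth-Nak. This shows why proposing PAP exposes the CPE's default credentials in cleartext on the wire. The lookup is a simplification of pppd's (no @file secrets, no IP-address restriction, no `login` check); the AC MAC is inferred from the interface name enxa0cec81089dc used later in the thread.

```python
import shlex
import struct

ETHERTYPE_PPPOE_SESS = 0x8864
PPPOE_VER_TYPE = 0x11
PPP_PROTO_PAP = 0xC023
PAP_AUTH_REQ, PAP_AUTH_ACK, PAP_AUTH_NAK = 1, 2, 3

# CPE MAC from the PADI dump above; AC MAC inferred from the interface name
# enxa0cec81089dc (assumption).
CPE_MAC = bytes.fromhex("20b001314b9c")
AC_MAC = bytes.fromhex("a0cec81089dc")

# pap-secrets content as posted in the thread.
PAP_SECRETS = '''
# client                                 server  secret       IP addresses
"autoconfig@broadband.vodafone.co.uk"    *       "V0daf0n3!"  172.x.x.x
'''


def build_pap_auth_request(session, ident, peer_id, password,
                           src_mac=CPE_MAC, dst_mac=AC_MAC):
    """Constructed frame: Ethernet / PPPoE session / PPP / PAP Authenticate-Request (RFC 1334)."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    pap = struct.pack("!BBH", PAP_AUTH_REQ, ident, 4 + len(body)) + body
    ppp = struct.pack("!H", PPP_PROTO_PAP) + pap
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, 0x00, session, len(ppp)) + ppp
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_PPPOE_SESS) + pppoe


def parse_pap_auth_request(frame):
    """Pull session id, PAP id, peer-id and password out of a session frame.

    Raises ValueError for anything that is not a PAP Authenticate-Request.
    """
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_PPPOE_SESS:
        raise ValueError("not a PPPoE session frame")
    ver_type, code, session, length = struct.unpack_from("!BBHH", frame, 14)
    if ver_type != PPPOE_VER_TYPE or code != 0x00:
        raise ValueError("unexpected PPPoE header")
    ppp = frame[20:20 + length]
    if struct.unpack_from("!H", ppp, 0)[0] != PPP_PROTO_PAP:
        raise ValueError("PPP protocol is not PAP")
    pap_code, ident, pap_len = struct.unpack_from("!BBH", ppp, 2)
    if pap_code != PAP_AUTH_REQ:
        raise ValueError(f"PAP code {pap_code} is not Authenticate-Request")
    pos = 6
    pid_len = ppp[pos]
    peer_id = ppp[pos + 1:pos + 1 + pid_len]
    pos += 1 + pid_len
    pw_len = ppp[pos]
    password = ppp[pos + 1:pos + 1 + pw_len]
    if pap_len != 4 + 2 + pid_len + pw_len:
        raise ValueError("PAP length does not match peer-id/password fields")
    return {"session": session, "id": ident,
            "peer_id": peer_id.decode("utf-8", "replace"),
            "password": password.decode("utf-8", "replace")}


def parse_pap_secrets(text):
    """Read pap-secrets lines into (client, server, secret) tuples. Comments and
    the optional IP-address column are ignored (simplified vs pppd)."""
    entries = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 3:
            entries.append(tuple(fields[:3]))
    return entries


def pap_secrets_accepts(entries, peer_id, password, server="*"):
    """pppd-style lookup: '*' matches anything; the secret must match exactly."""
    return any(c in ("*", peer_id) and s in ("*", server) and secret == password
               for c, s, secret in entries)


def pap_reply_code(entries, frame):
    """Decide Auth-Ack or Auth-Nak for a sniffed request, as the server would."""
    req = parse_pap_auth_request(frame)
    ok = pap_secrets_accepts(entries, req["peer_id"], req["password"])
    return PAP_AUTH_ACK if ok else PAP_AUTH_NAK


if __name__ == "__main__":
    frame = build_pap_auth_request(7, 1, b"autoconfig@broadband.vodafone.co.uk", b"V0daf0n3!")
    print(parse_pap_auth_request(frame))
    print("reply code:", pap_reply_code(parse_pap_secrets(PAP_SECRETS), frame))
```

Running parse_pap_auth_request over the frames of a real capture is the programmatic version of "open the tcpdump output in Wireshark"; if the reply code comes out as Nak even though the secrets file looks right, the mismatch is usually an invisible character or quoting problem in pap-secrets, which is what the quoted-field parsing above is meant to surface.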
Ansuel commented 4 years ago

OK, I removed the login option to skip the password verification and now it has connected correctly...

next step :D

Ansuel commented 4 years ago

Will try your suggestion...

Ansuel commented 4 years ago

Nope, still Auth-NAK... anyway, solved by skipping the login check completely.

Also the modem, from the web UI, thinks it's connected.

LuKePicci commented 4 years ago

OK, make sure you can ping your PC from inside the VDF router LAN, then add:

Then fire up tch-exploit and keep an eye on the tch serial log; maybe it will complain about not using HTTPS. Cross your fingers.

Ansuel commented 4 years ago

The serial after the Wi-Fi init is muted, so I think we can't really find that, BUT Vodafone UK removed so many features that they wrongly added the event log one, and I can check logread from there... (I have the CWMP vodafone.co.uk link....)

LuKePicci commented 4 years ago

We will need that link as soon as we get a decent DM dump from this VCNT-I.

Ansuel commented 4 years ago

I'm using this command:

```sh
sudo pppoe-server -I enxa0cec81089dc -F -M provcode=BLABLABLABLABLA4,ntp1=82.197.164.46,ntp2=162.159.200.1 -H http://10.0.0.1:6666
```

With the exploit open, but no luck... also with tcpdump I can see some CP, Conf-Reject (0x04), id 13, length 17

don't know if related...

I think I'm doing something wrong...

Also, the exploit is still waiting for a DHCP request. Is this right?

LuKePicci commented 4 years ago

Can you browse http://10.0.0.1:6666 from the tch LAN side?

> also the exploit is still waiting for dhcp request. is this right?

Yeah, I think tch-exploit will not break if something asks directly for the CWMP endpoint without any previous DHCP bootstrap; maybe @BoLaMN could confirm.

> CP, Conf-Reject (0x04), id 13, length 17

Share the dump file, so I can look into it.

Edit: make sure you did factory reset the tch, otherwise it won't let you feed it a new ACS URL.

Ansuel commented 4 years ago

Here is the dump...

https://we.tl/t-rSZGCcwa8P

LuKePicci commented 4 years ago

You can safely ignore those Conf-Rejects; they refer to PPP compression, that's normal.

I see some HTTP requests to 10.0.0.1:20000; is it the tch-exploit CWMP port?

Ansuel commented 4 years ago

I think it's my PC when I tried to contact the link.

LuKePicci commented 4 years ago

OK, so the link was incorrect; you need to use the one tch-exploit expects (look into its source, idk what it is).

Ansuel commented 4 years ago

Anyway, yes, the link is reachable, since it gives me error 404 instead of not reachable.

LuKePicci commented 4 years ago

OK, the port is the one tch-exploit says on startup: [screenshot]

So http://10.0.0.1:that_port/who_knows should return you a CWMP response or an error instead of not found.

Ansuel commented 4 years ago

From the log it doesn't seem to contact that server... how can we make sure the modem is using our HTTP server?

LuKePicci commented 4 years ago

Unless it is refusing the non-HTTPS link (logread should reveal this in that case), you should see NTP sync occur (tch-exploit provides it as well) and then an attempt to connect to the ACS. Try setting up tch-exploit to listen on the same port as the real VDF ACS, or just take tch-exploit apart and pass some other test link to it.

Ansuel commented 4 years ago

The program works even without a DHCP request... I think the modem is not taking our ACS link... could it be that I'm missing something in the pppoe-server? Also, should the server provide an actual connection?

LuKePicci commented 4 years ago

An actual connection to the NTP server should be enough; anyway, you can try.

Also, I'm assuming it does the CWMP bootstrap from that same VLAN.

If you manage to get a traffic dump from a real VDF UK customer (any eth WAN, even on different router models/vendors) it would make it easy to verify such assumptions.

Also try replacing BLABLABLABLABLA4 with 0123456789ABCDEF.

Ansuel commented 4 years ago

No luck; I fear the modem is ignoring the HURL tag.

BoLaMN commented 4 years ago

Not sure if passing a few more cmd parameters might help, as the port changes every boot, e.g.

```sh
sudo tch-exploit --port 1337 --ip 1.0.0.1 --acspass 0123456789ABCDEF
```

All the CWMP routes are 'POST', which is why the 404 error; if you hit the '/done' or '/file.sts' endpoints you should have more luck.

The modem's log output normally shows what is going on.

Also maybe change your IP to one outside of the non-public IP ranges, as I know there are catches that block it from working correctly.

Ansuel commented 4 years ago

@LuKePicci you said that the NTP server must be real... what do you mean by this?

LuKePicci commented 4 years ago

> all the cwmp routes are 'POST' which is why the 404 error

Right! My bad, 404 on a GET is expected, thx.

> not sure if passing a few more cmd parameters might help as the port changes every boot, eg.

Yeah, having the option to set a fixed port would be helpful, since the CPE will ignore a different port once another one was sent as the ACS URL.

> @LuKePicci you said that the ntp server must be real... what do you mean with this?

I mean it must be reachable and return a reasonable output, so using 10.0.0.1 as the NTP server should be OK if you're running an NTP server on your PC (again, tch-exploit should do this, I guess). CWMP requires NTP to work in order to validate TLS certificates.

LuKePicci commented 4 years ago

> no luck i have fear the modem is ignoring the hurl tag

I can't guarantee VDF UK implemented ACS discovery as VDF IT did, but I would be quite surprised to see a different tag used on purpose, since our infamous Host-Uniq is there too. Again, looking into a real traffic dump will let us check this; PPPoE headers are in plaintext.

BTW, if something is wrong in ACS discovery, logread should contain some info about what's happening.

Ansuel commented 4 years ago

The log shows only part of the errors, I think.... only errors from nginx and from the real CWMP.

Ansuel commented 4 years ago

Could it be that ACS discovery is skipped if an ACS URL is present?

LuKePicci commented 4 years ago

The CWMP standard requires the discovered ACS URL, whenever ACS discovery is enabled, to have higher priority than any hardcoded ACS URL.

Even if we assume ACS discovery is disabled, we should then see some attempts to contact the DNS server to resolve the real ACS URL, or its HTTPS TLS/TCP port when it's a direct IP instead of a hostname; not the case here.

Ansuel commented 4 years ago

What I have from the log:

```text
Date        Time        Category    Severity    Log Details
02.05.2019  09:07:26    system      Info        PROT_TRACE: LAST STATE: <Idle>
02.05.2019  09:07:26    system      Info        PROT_TRACE: Effective retry wait time 11
02.05.2019  09:07:26    system      Info        PROT_TRACE: Max retry wait time 11
02.05.2019  09:07:26    system      Info        PROT_TRACE: Min retry wait time 10
02.05.2019  09:07:26    system      Info        PROT_TRACE: Nb of retries 8
02.05.2019  09:07:26    system      Critical    CONNECTION: Failed to resolve.
02.05.2019  09:07:26    system      Error       APP_TRACE: bad address 'vfcc.bootstrapacs.vodafone.co.uk'
02.05.2019  09:07:26    system      Info        CONNECTION: Connecting to server retry 7.
02.05.2019  09:07:26    system      Info        PROT_TRACE: Events are waiting, need to contact ACS
02.05.2019  09:07:22    system      Warning     User sucessfully logged in to UI from LAN
02.05.2019  09:07:22    lan         Info        DHCPACK(br-lan) 192.168.1.36 9c:b6:d0:ec:f5:45 Ansuel-XPS
02.05.2019  09:07:22    lan         Info        DHCPREQUEST(br-lan) 192.168.1.36 9c:b6:d0:ec:f5:45
02.05.2019  09:07:22    data        Notice      Added new STA to monitor [9c:b6:d0:ec:f5:45]
02.05.2019  09:07:22    data        Notice      Deleting STA from monitor [9c:b6:d0:ec:f5:45]
02.05.2019  09:07:16    system      Info        PROT_TRACE: LAST STATE: <Idle>
02.05.2019  09:07:16    system      Info        PROT_TRACE: Effective retry wait time 10
02.05.2019  09:07:16    system      Info        PROT_TRACE: Max retry wait time 10
02.05.2019  09:07:16    system      Info        PROT_TRACE: Min retry wait time 9
02.05.2019  09:07:16    system      Info        PROT_TRACE: Nb of retries 7
02.05.2019  09:07:16    system      Critical    CONNECTION: Failed to resolve.
02.05.2019  09:07:16    system      Error       APP_TRACE: bad address 'vfcc.bootstrapacs.vodafone.co.uk'
02.05.2019  09:07:16    system      Info        CONNECTION: Connecting to server retry 6.
02.05.2019  09:07:16    system      Info        PROT_TRACE: Events are waiting, need to contact ACS
02.05.2019  09:07:14    firewall    Warning     [  109.235000] DROP(dest guest)IN=br-lan OUT=pppoe-wan MAC=20:b0:01:31:4b:9c:9c:b6:d0:ec:f5:45:08:00 SRC=192.168.1.36 DST=149.154.167.91 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=7653 DF PROTO=TCP SPT=1034 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x9800
```
LuKePicci commented 4 years ago

Cool, I just saw you didn't set a DNS server IP from the PPPoE link; give it something reachable so you can see what it is trying to resolve.

Also, reset it again; if it's trying to use the hardcoded one, it means it already fell back. Reset and see if it tries to use yours.

BoLaMN commented 4 years ago

All those command parameters I mentioned are already built into the current release.

The NTP server built into tch-exploit doesn't get loaded, as there was no need for it yet.

There's a branch called dns where you'd be able to hijack the DNS request and point it back to tch-exploit, but it would require you to change the hostname it's hijacking (https://github.com/BoLaMN/tch-exploit/blob/dns/src/index.coffee#L42) and compile a release yourself.

You can put a wildcard (dns.route '*', ip) in as the hostname and it'll just redirect any DNS request it gets back.
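
Worked example, added by the editor and not code from this thread or from the tch-exploit dns branch (which is CoffeeScript): a minimal UDP DNS responder that does what the wildcard `dns.route '*'` idea describes, answering every A query with one chosen address so that `vfcc.bootstrapacs.vodafone.co.uk` resolves to the lab box and the "Failed to resolve" retries in the log above turn into a real connection attempt that can be captured. Queries for other record types get an empty NOERROR reply rather than being dropped, so the CPE's resolver does not sit in a timeout loop. The query name, the answer address 10.0.0.1 and the TTL are taken from this thread or assumed; the wire format follows RFC 1035.

```python
import ipaddress
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def parse_question(msg):
    """Return (txid, name, qtype, qclass, raw_question) for a one-question message."""
    txid, _flags, qdcount, *_ = struct.unpack_from("!HHHHHH", msg, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack_from("!HH", msg, pos)
    pos += 4
    return txid, ".".join(labels), qtype, qclass, msg[12:pos]


def build_response(query, answer_ip, ttl=60):
    """Answer any A/IN query with answer_ip (the '*' route). Other types get an
    empty NOERROR answer so the client moves on instead of retrying forever."""
    txid, _name, qtype, qclass, question = parse_question(query)
    answers, ancount = b"", 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        # 0xC00C = compression pointer to the name in the question section
        answers = (b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
                   + ipaddress.IPv4Address(answer_ip).packed)
        ancount = 1
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR|RD|RA, NOERROR
    return header + question + answers


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Constructed query, shaped like what the CPE's resolver would send."""
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + qname + struct.pack("!HH", qtype, QCLASS_IN))


def answered_address(response):
    """Read the A record back out of a response (None if there is no answer)."""
    ancount = struct.unpack_from("!H", response, 6)[0]
    if ancount == 0:
        return None
    _, _, _, _, question = parse_question(response)
    pos = 12 + len(question)
    _ptr, _atype, _aclass, _ttl, rdlen = struct.unpack_from("!HHHIH", response, pos)
    pos += 12
    return str(ipaddress.IPv4Address(response[pos:pos + rdlen]))


def serve(bind_ip, answer_ip, port=53):
    """Blocking UDP loop; port 53 needs root. Hand bind_ip to the CPE over
    IPCP (pppd's ms-dns option) so its resolver actually comes here."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data, answer_ip), peer)
        except (ValueError, IndexError, struct.error):
            continue   # malformed or multi-question query: ignore it


if __name__ == "__main__":
    q = build_query("vfcc.bootstrapacs.vodafone.co.uk")
    print(answered_address(build_response(q, "10.0.0.1")))
```

Once the CPE resolves the ACS hostname to the lab address, the next capture tells you which case you are in: a plain TCP connect to the CWMP port, or a TLS ClientHello that the fake ACS cannot satisfy without a certificate the CPE trusts.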

Ansuel commented 4 years ago

@BoLaMN so I should change the URL to the Vodafone ACS and compile the image myself?

With what params should I run it if I want to use the 10.0.0.1 address and port 1337? (using the custom version)

LuKePicci commented 4 years ago

> i should change the url to the vodafone acs and compile the image myself?

Yeah, but this won't work if it's https://vfcc.bootstrapacs.vodafone.co.uk/something. You said you saw the entire URL; was it HTTP or HTTPS?

Ansuel commented 4 years ago

The URL I see is from the log... I can see some requests from tcpdump... we can check with that, right?

BoLaMN commented 4 years ago

I thought it was mainly to get around the wansensing DNS lookup to see if it's got an actual connection or not.

```text
02.05.2019 09:07:26 system Critical CONNECTION: Failed to resolve.
02.05.2019 09:07:26 system Error APP_TRACE: bad address 'vfcc.bootstrapacs.vodafone.co.uk'
02.05.2019 09:07:26 system Info CONNECTION: Connecting to server retry 7.
```

LuKePicci commented 4 years ago

> we can check with that right ?

Sure, once you manage to provide a valid DNS response resolving vfcc.bootstrapacs.vodafone.co.uk to 10.0.0.1 you will either see TLS handshake attempts or plain TCP connections. In the latter case you're pretty close to getting root. In the former... well, you should really check whether it's using ACS discovery on real VDF UK lines or not.

Ansuel commented 4 years ago

@BoLaMN the script fails with "net is not defined" :( (as soon as the modem tries to resolve the ACS URL)

(also "respond(response) is not a function")