Title: You use it to go online, I use it to get into you! Chunghwa Telecom modem remote code execution vulnerability

For non-native readers, this is a writeup of my DEVCORE Conference 2019 talk. It describes a misconfiguration that exposed a magic service on port 3097 on our country's largest ISP, and how we found RCE on that to affect more than 250,000 modems :P

Hello everyone, I am Orange! This article is the topic I shared at DEVCORE Conference 2019: how we went from a configuration error at Chunghwa Telecom to a chain of vulnerabilities in home modems that can control hundreds of thousands, or even millions, of devices!

Preface

As the research team of DEVCORE, our job is to study the latest attack trends, explore the newest weaknesses, find vulnerabilities that can affect the whole world, and report them to vendors so that these vulnerabilities do not flow into the underground black market and get exploited by black hats or even nation-state players, making this world a little safer!

Doing "vulnerability research" for a living has always been the dream of many security enthusiasts, but most people only see the glamour of publishing a vulnerability or speaking at a conference, and rarely notice the hard work behind it. In fact, "vulnerability research" is usually a very quiet and tedious process.

Vulnerability hunting is not like Capture the Flag (CTF). In a CTF, there must be a vulnerability and a correct solution waiting for you; within the scope the challenge author intended, as long as you reason from the existing conditions and hints, you can work out the problem. Although there are still fresh, high-quality and difficult competitions such as HITCON CTF or Plaid CTF, "finding vulnerabilities" and "exploiting vulnerabilities" are already two different things in nature!

CTF is very suitable for people who want to raise their abilities to a certain level, but the disadvantage is that staying inside a small, limited frame easily narrows one's ideas and vision, while real-world attack and defense are usually more complex and have more dimensions! Imagine how hard it is to discover a new weakness in a product that is mature, has been used for many years, and is watched by security researchers around the world! A top CTF lasts only 48 hours, but how long can you keep going when you cannot even know whether the target has a vulnerability at all?

In our previous research, we found three pre-authentication remote code execution vulnerabilities in well-known SSL VPN vendors. Although the results were spectacular, it took the entire research team six months (and the follow-up handling could even last a year), and the first two months produced nothing at all, with no vulnerability found. Therefore, a good vulnerability researcher needs, in addition to the ability to integrate how much you have seen and how deeply you can dig, the ability to think independently and enough passion to endure the loneliness, so that you can carve out a path when facing a high-difficulty challenge!

Vulnerability research is often not a company's money-making project, but a department that only costs money. How many companies can allow employees to do research that may not produce anything for half a year or a year? Let alone report the results unconditionally, just to make the world safer? This is DEVCORE. Beyond being better than others at penetration testing or red team exercises, and beyond the daily accumulation of our arsenal, when we encounter a vulnerability we also want to maximize its harm, using a hacker's way of thinking and various combinations to push a low-risk vulnerability to the extreme, which is exactly how a real adversary would attack you!

Scope of Impact

The story goes back to a day at the beginning of this year, when DEVCORE's intelligence center observed that a large number of network addresses in Taiwan had port 3097 open. Interestingly, these addresses were not servers but ordinary home computers. Generally speaking, a home computer connects to the Internet through a modem and never exposes any service externally; even the modem's SSH and HTTP management interfaces can only be accessed from the internal network. Therefore, we suspected this was related to a misconfiguration at the ISP! We also successfully discovered an unauthenticated remote code execution vulnerability on this port! It feels like discovering that a stranger is already sleeping on the sofa in your living room!

Through this loophole, we can complete :

Sniff network traffic, and retrieve network identities, PTT passwords, and even your credit card information

Update hijacking, watering hole attacks, and internal attacks to take control of your computer and even your mobile phone

Combined with red team exercises, bypass the whitelist policies of various developers

And more.

The related CVE numbers are:

CVE-2019-13411

CVE-2019-13412

CVE-2019-15064

CVE-2019-15065

CVE-2019-15066

Compared with previous attacks on home modems, the impact this time is even more serious! In the past, no matter how serious a vulnerability was, as long as the home modem did not expose any port, an attacker could not exploit it. This vulnerability, however, combined with Chunghwa Telecom's misconfiguration, left your modem running naked on the Internet where an attacker could reach it directly. Moreover, since users have no control over the modem, this attack generally could not be prevented or fixed by them!

After scanning the entire IPv4 Internet, about 250,000 modems in Taiwan had this problem. That is only the result of a single scan, so the actual number of victims must be larger!

Through reverse lookup of the addresses, up to 90% of the victims were Chunghwa Telecom dynamic IPs, while the remaining 10% included fixed IPs and other telecom providers. Why other providers? Our understanding is that Chunghwa Telecom, as Taiwan's largest telecom operator, holds resources and infrastructure far beyond the other providers, so in some relatively remote locations, the last mile from another provider to the user may still run over Chunghwa Telecom's equipment! Since we are not the manufacturer, we cannot know the complete list of affected modem models, but the author is also a victim ╮(╯_╰)╭, so we can confirm that the Chunghwa Telecom fiber (光世代) GPON modems used by most people are within the affected range!

[Image: the affected modem (picture copied from the Internet)]

Vulnerability Hunting

A configuration error alone cannot be called a big problem, so next we hoped to dig out more serious vulnerabilities in this service! Software vulnerability hunting can be divided, according to whether source code, executables and API documentation are available, into:

Black box test

Gray box test

White box test

When nothing at all is available, you can only rely on experience and understanding of the system to guess the implementation behind each command and find vulnerabilities.

Black Box Testing

Port 3097 provides many commands related to the telecom network. Presumably it is a debugging interface that lets engineers remotely adjust the modem's various network settings!


All of its functions can be listed through the HELP command. We found a command called MISC, whose name suggests a bucket for commands nobody knew how to classify. One of its sub-commands, SCRIPT, caught our attention! Its parameter is a file name, and after execution it appears to run that file as a shell script. We cannot gain code execution through this command, because we cannot place a file we control on the remote machine. But interestingly, MISC SCRIPT displays STDERR, so this behaviour can be used to achieve arbitrary file read!

From Black Box to Gray Box

In exploitation, whether memory corruption or network attacks, everything comes down to obtaining three primitives: read (Read), write (Write) and code execution (eXecute). Now we have obtained the first one, Read. What's next?

Since the debugging interface appears to run as a high-privilege user, we can directly obtain the login password hashes of the system users by reading the system password file!


By cracking the root user's password, we successfully logged into the modem via SSH and turned the "black box" into a "gray box"! Although we can now control our own modem, ordinary home modems do not expose SSH externally. To control other people's modems "remotely", we still have to find a way to obtain code execution from the 3097 service.


The whole Chunghwa Telecom modem is an embedded Linux system running on the MIPS architecture, and the 3097 service is handled by the binary /usr/bin/omcimain. The file is nearly 5MB, not a small number for reverse engineering, but compared with black box testing, at least there is something to analyze. Great!

$ uname -a
Linux I-040GW.cht.com.tw 2.6.30.9-5VT #1 PREEMPT Wed Jul 31 15:40:34 CST 2019 [luna SDK V1.8.0] rlx GNU/Linux
$ netstat -anp | grep 3097
tcp        0      0 127.0.0.1:3097          0.0.0.0:*               LISTEN
$ ls -lh /usr/bin/omcimain
-rwxr-x    1 root     root        4.6M Aug  1 13:40 /usr/bin/omcimain
$ file /usr/bin/omcimain
ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), dynamically linked

From Gray Box to White Box

Now we can understand the principles and implementation behind each command through reverse engineering! However, reverse engineering is a painful and tedious job. Even a small program may contain thousands or even tens of thousands of lines of assembly, so the digging strategy becomes very important! Judging from the functionality, command injection looks likely, so we start digging with functionality as the entry point!

The core of the whole 3097 service is actually a multi-layer IF-ELSE, and each branch corresponds to the implementation of one function. For example, cli_config_cmdline corresponds to the CONFIG command, so we use the hints from the HELP command to examine each function one by one!


After a while, no serious vulnerability had been found :( However, we noticed that when none of the commands match, a function with_fallback is entered. Its main purpose is to concatenate the unmatched command with /usr/bin/diag and keep executing!


with_fallback looks roughly as follows. Since Ghidra had not appeared yet at the time, this pseudo-code was slowly restored from MIPS assembly! Here s1 is the entered command. If the command does not appear in the defined list and contains no question mark, the function returns; otherwise the command is concatenated with /usr/bin/diag and passed to system() for execution! Of course, to prevent weaknesses such as command injection, before calling system() it first checks the input for dangerous characters according to BLACKLISTS.

char *input = util_trim(s1);
if (input[0] == '\0' || input[0] == '#')
    return 0;

while (SUB_COMMAND_LIST[i] != 0) {
    sub_cmd = SUB_COMMAND_LIST[i++];
    if (strncmp(input, sub_cmd, strlen(sub_cmd)) == 0)
        break;
}

if (SUB_COMMAND_LIST[i] == 0 && strchr(input, '?') == 0)
    return -10;

// ...

while (BLACKLISTS[i] != 0) {
    if (strchr(input, BLACKLISTS[i]) != 0) {
        util_fdprintf(fd, "invalid char '%c' in command\n", BLACKLISTS[i]);
        return -1;
    }
    i++;
}

snprintf(file_buf, 64, "/tmp/tmpfile.%d.%06ld", getpid(), random() % 1000000);
snprintf(cmd_buf, 1024, "/usr/bin/diag %s %s 2>/dev/null", input, file_buf);
system(cmd_buf);

and BLACKLISTS is defined as follows:

char *BLACKLISTS = "|(){}`;";

If it were you, could you think of how to get past it?

The answer is very simple! Command injection is often that simple and practical!
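As an added example (not the vendor's code and not from the original post), here is the hardened counterpart of with_fallback: instead of rejecting a handful of shell metacharacters and handing the rest to system(), it accepts only the characters a diag sub-command needs, and launches the program with an explicit argv so that no shell ever parses the input. The function names, the allowed character set and the length limit are assumptions for illustration.

```c
/* Added example, not the modem's code: allowlist validation plus a
 * shell-free launcher as the fix for the with_fallback pattern.
 * safe_diag_arg / run_noshell and the allowed set are assumptions. */
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* BLACKLISTS in the original enumerates what is forbidden, so any
 * metacharacter it forgot goes straight into system().  The inverse
 * policy enumerates what is allowed: letters, digits, space, '_', '.',
 * '-' and '?' (with_fallback's own logic relies on '?').  Everything
 * else, including '$', '&', quotes and newlines, is refused. */
int safe_diag_arg(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 200)          /* empty or absurdly long: reject */
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (isalnum(c) || c == ' ' || c == '_' || c == '.' ||
            c == '-' || c == '?')
            continue;
        return 0;
    }
    return 1;
}

/* Run prog with an explicit argument vector.  Because there is no
 * "/bin/sh -c" in the middle, the user's text is only ever a string
 * argument to prog; it is never re-parsed as shell syntax.
 * Returns the child's exit status, or -1 on fork/wait failure. */
int run_noshell(const char *prog, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                 /* child: replace image, no shell */
        execv(prog, argv);
        _exit(127);                 /* only reached if execv failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

In the real service the caller would first check safe_diag_arg(input) and then build argv as {"diag", input, file_buf, NULL} for run_noshell("/usr/bin/diag", argv), which also removes the need for the "2>/dev/null" redirection that forced a shell in the first place.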


Here we demonstrate what "hitting wherever you point" really means, starting only from a victim's IP address learned from PTT!

Afterword

The story is almost at its end. The whole article may read lightly, describing one vulnerability from discovery to exploitation. Judging from the result, it may be just a simple command injection, but the time spent in between and the wrong turns taken along the way are beyond what you, reading this article, can imagine. It is like walking in the dark: you never know whether the path you are on leads to the goal until you have walked out of the maze!

Digging out new vulnerabilities is not easy, and today, when all kinds of attack techniques have matured, coming up with a brand-new attack technique is even harder! In the field of vulnerability research, Taiwan does not yet have enough energy. If your daily work no longer challenges you and you want to experience real-world offense and defense, come join us and exchange ideas with us :D

Disclosure Timeline

July 28, 2019 - Reported to Chunghwa Telecom via TWCERT/CC

August 14, 2019 - The vendor replied that it was inventorying and repairing the affected equipment

August 27, 2019 - The vendor replied that the repair would be completed in early September

August 30, 2019 - The vendor replied that the affected equipment had been updated

September 11, 2019 - The vendor replied that some users still needed an update pushed to them, and asked to postpone public disclosure

September 23, 2019 - Confirmed public disclosure with TWCERT/CC

September 25, 2019 - Presented at DEVCORE Conference 2019

November 11, 2019 - Blog post published
