Inspired from https://0x90.psaux.io/2020/03/01/Taking-Back-What-Is-Already-Yours-Router-Wars-Episode-I/
(In this blog series, it was found that Chinese manufacturer had kept backdoor in the router. So I want to check mine too because NTC's FTTH routers are also made in China)
DISCLAIMER: I am NOT responsible if you messed up anything in your router.
The router setup page can also be accessed from http://broadcom.home/
Got access to many configuration pages like: ACS Client(TR-069), PPOE, Qos, Ip tunneling (4in6 and 6in4), Certificate, OMCI, SIP and many more. All these pages can be viewed from here: http://prabeshsapkota.info.np/ftth.html. Be sure you are logged in in http://192.168.1.1/ before accessing the site .
(Ever wondered how your ISP can remotely restart your router or change your password or troubleshoot your router that is on the table at your home? Well, Its all through this ACS which is using TR-069 protocol. The given link above is of TR-069 client configuration page. ISP have TR-069 Server which controls all the routers, basically used for technical troubleshooting but can also be misused easily without letting us know. There seems to be no option to disable it but we can probably change the url so that it causes error and ISP's ACS don't get connection from our router. But due to probable IP filtering in the firmware, we cant setup our own ACS and keep its url in the router.)
There are two other user accounts other than user: admin and support.
Got a 0 day DOS bug to crash the whole router which make internet unusable until restarted.
Was able to download some files. They were useless though.
FTP seems enabled but no progress regarding it.
There is most likely a demo firmware: http://192.168.1.1/wlrouter/index.asp, which isn't connected to db so don't have any data or privilege just files are there. Might help in some exploit though.
More Coming Soon..
└──╼ $nmap -p- 192.168.1.1
80/tcp open http
443/tcp open https
5431/tcp open park-agent
8110/tcp open unknown
What the hell is 81100? I went to the url: http://192.168.1.1:8110/. Seems like its logging something about router. You can see it here. I googled about it but got nothing much. Ran service detection with nmap:
└──╼ $nmap -sV -p 8110 192.168.1.1
1 service unrecognized despite returning data.
Got nothing but surprisingly, my internet connection went off. My mobile phone and laptop got disconnected, couldn't re-connect and there was no internet connection in my ethernet connected desktop. I didn't understand what was going on. So, I restarted (powered off and on) my router and connected again. Everything was fine. I again tried to run service detection.
└──╼ $nmap -sV -p 8110 192.168.1.1
8110/tcp open rtmp Real-Time Messaging Protocol
This time I got something but again my connection went off. I am now pretty sure that this was due to the nmap scan. So I again restarted and ran the scan again. My internet connection went off again.
The scan sometimes couldn't detect the service because the router crashes before the scan completes . The router crashed after/during every scan. I continued to get same result.
Not sure but seems like I found DOS bug. I think I am able to crash any NTC FTTH router after being connected to it, might even be possible without being connected but in either case its not what I want right now so I will look into it later.
Now, the only open ports remaining are 80, 443 and 5431 running http, https and park-agent services respectively. The port 5431 opens and closes randomly. So sometimes it isn't seen in some scans. And it seems to be related to uPNP services which is responsible for media sharing stuffs. Nothing much here.
At least that's what I thought at first till I knew that the service runs with root privileges. Then I searched if there are any already known exploits for it which led me to this whitepaper. Seems like its format string vulnerability. But the exploit given by defense code and its simple POC didn't worked. It concludes that my router isn't vulnerable to this one.
Searching about other UPnP vulnerabilities in routers, I came across this UPnP SSDP M-SEARCH Information Discovery Vulnerability. I confirmed that my router is vulnerable to this bug with the help of this article and this one:
$nmap -sV -p 5431 192.168.1.1
5431/tcp open upnp Belkin/Linksys wireless router UPnP (UPnP 1.0; BRCM400 1.0)
Service Info: OS: Linux 2.4; Device: router; CPE: cpe:/o:linux:linux_kernel:2.4
#######################################################################
msf6 > use auxiliary/scanner/upnp/ssdp_msearch && set RHOSTS 192.168.1.1 && run
[*] 192.168.1.1:1900 SSDP Custom/1.0 UPnP/1.0 Proc/Ver | http://192.168.1.1:5431/dyndev/uuid:deea96d1-e097-42b2-8f36-87c1a3e5684c | uuid:deea96d1-e097-42b2-8f36-87c1a3e5684c::upnp:rootdevice
Using this vulnerability, I was able to download was this xml file but it wasn't of any help.
Customers are given access to 20 pages from router login setup page after logging in successfully. (http://192.168.1.1: user: user)
These pages give us basic management abilities which are far away from being root. So, I went though source code to see if I can get something juicy, and I did. I viewed source code of menu.html which was iframed in home page as sidebar. There were 3 js files: menuTree.js, menuTitle.js and menuBcm.js. The third js file contained the list of almost all the pages of router and the 2nd js file contained their corresponding name. From those js files I was able to get access to many hidden pages which weren't supposed to be accessible by user account. Also, at the end of menuBcm.js, I saw this interesting code:
if ( user == 'admin' )
menuAdmin(options);
else if ( user == 'support' )
menuSupport(options);
else if ( user == 'user' )
menuUser();
I just found out that there were two accounts other than user account. The customers are only given access to user account, we couldn't even change password of admin or support user from Access Control section. So, I tried logging in with probable passwords for admin and support user, but failed. Anyways, from the above code, It was pretty clear that the js files shows the pages list in sidebar based on the privilege of users. But one can easily see all the pages from the js file. So we can directly go to the certain pages and get admin accessible pages from user account. Some pages were just blank. But I still didn't see any pages for ssh, telnet and port forwarding stuffs.
So I had to google and find more hidden pages. For this, I collected the general router page directories and brute-forced.
So, here's the list of pages we were given access to as a user and here's the list of hidden pages I found. Some pages I thought are not so important are commented out to make it look little cleaner. The order may not be accurate since I kept them guessing randomly.
NOTE: Apparently, it may seem like I have got access to many things but the above hidden pages are automatically given access to users in other routers. These are part of normal management setup in other routers. In short, we just got to the level of other routers in terms of access control. Plus many of these pages are just in readable form. In many pages, When we make some changes and click save button, nothing happens.
I think, we are still behind 'cause we still haven't got access to port forwarding, telnet, ssh and such other configuration pages. Even if we don't have access to configuration pages we got some information about them from /wlrouter/passpoint.asp: It shows that FPT in running on open port 20 but it doesn't seem to be the case. Even in AGL page, the FTP is marked as enabled: Pic. Something's not adding up.
Only if we get access to the page to configure telnet and ssh, we could continue further.
The reason for brute-forcing pages was to see if I can get a page that enables telnet or ssh but got none. I too tried to see if I can download any configuration files which might contain some admin login credentials or something like that. But the only configuration file I was able to download was download.conf whose contents were useless. The other file I was able to download was this xml file which I got while confirming UPnP vulnerability existence.
So, I am thinking if I can somehow get router firmware from the ACS url I got to know about from tr69cfg.html. First, I will try to set up my own ACS and change the url in router to mine and see if I get any requests from the router and configure my router accordingly using my ACS. If this doesn't work, I will setup a bridge between my router and ISP using bridge-util and try to intercept requests between the ACS and my router. The requests might contain sensitive information like admin credentials or firmware link. Lets see what happens..
If all of these doesn't work, I will rip off the router and see if serial ports are available and try to get serial access using CH341A. . If there's no serial port, I think I will figure out something till then. If not, I shall just have to give up and be happy for what I have got to learn so far.
