<<< Date Index >>>     <<< Thread Index >>>

BT Home Flub: Pwnin the BT Home Hub



http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub

The BT Home Hub, which is probably the most popular home router in the
UK, is susceptible to critical vulnerabilities.

BT's plan is to sneak one of this boxes into every UK home. Not only
does the BT Home Hub support broadband but also VoIP (BT Broadband
Talk), UMA mobile telephony (BT Fusion), and digital TV (BT Vision).
Additionally, BT will give users the option to use their BT Home Hub to
join FON, a community-shared Wi-Fi. An unofficial source has reported
us that there are 2+ million BT Home Hub users in the UK.

If you're thinking: "well I'm not based in the UK so this research
doesn't concern me", then think again! The BT Home Hub is just a
Thomson/Alcatel Speedtouch 7G router. Furthermore, the vulnerabilities
we found are most likely present in other Speedtouch models due to
code reuse (more on that later).

So what can we do? Well, we can fully own the router remotely. At the
moment we have three demo exploits which do the following:

    * enable backdoor in order to control the router remotely
    * disable wireless completely (can only be re-enabled if the user
is technically capable)
    * steal the WEP/WPA key

Of course there other other attacks you could launch! We can hijack
any action with full admin privileges or steal any info returned by a
router's page. This means evilness of the exploits are only limited by
the attacker's imagination. Other examples of evil attacks include
evesdropping VoIP conversations (change 'sip config primproxyaddr'
statement in config file), stealing VoIP credentials, exposing
internal hosts on the DMZ, change the DNS settings for stealing online
banking credentials, disable auto updates (change 'cwmp.ini' section
in config file), etc …

The only requirement for the router to be owned is that a victim user
visits a (malicious) website. The good news is that our exploits do
NOT require knowledge of the admin password! How can that be? Well, we
rely on a authentication bypass bug we discovered!

Even though I've been the owner of a BT Home Hub for quite a while, I
never bothered to try to find vulnerabilities in it. However, on the
last dc4420 meeting, after I gave a talk on breaking into Axis
cameras, some of the guys there inspired me to research the BT Home
Hub. After poking with if for a while, pdp and I couldn't believe how
vulnerable the web interface of the device was! I remember pdp
sarcastically saying: "wow, it's really locked down man!", We
discovered issues such as:

    * authentication bypass (any admin action can be made without
username/password!)
    * system-wide CSRF
    * several persistent XSS
    * several non-persistent XSS
    * privilege escalation

We're now in the process of contacting BT and Thomson. However, I
don't have high hopes for BT. Last year, I found a way to dump the BT
Voyager 2091's config file without credentials. Even though I
forwarded them my findings they never responded at all.

Enjoy the demo video which was kindly prepared by pdp. We misspelled
some words on the chat conversation, so please forgive us! In the
video, the attacker social-engineers the victim to visit a malicious
website. The malicious website in turn enables remote assistance on
the victim's router with a password chosen by the attacker. After
that, the attacker gains full privileges to the router remotely, and
steals the config file and WEP key.

--
pagvac
gnucitizen.org, ikwt.com