Kitz ADSL Broadband Information
Author Topic: TalkTalk and Post Office routers hit by cyber-attack  (Read 5168 times)

broadstairs

  • Kitizen
  • Posts: 3700
TalkTalk and Post Office routers hit by cyber-attack
« on: December 01, 2016, 05:46:26 PM »

See BBC news website at http://www.bbc.co.uk/news/technology-38167453. Apparently some end user routers have been hacked including some ZyXEL and D-Link models according to this story.

Stuart
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • Posts: 5369
Re: TalkTalk and Post Office routers hit by cyber-attack
« Reply #1 on: December 01, 2016, 08:40:57 PM »

I'll be interested to hear the detail behind this one.  Something about the Beeb's report just doesn't sound convincing.

Is it only affecting those who allow remote admin, and do so without a password?

ejs

  • Kitizen
  • Posts: 2078
Re: TalkTalk and Post Office routers hit by cyber-attack
« Reply #2 on: December 01, 2016, 08:48:29 PM »

There's more detail in The Register article linked in the BBC report.

Some routers have a flaw in that the port that's open for TR-069 also accepts other commands (TR-064), which it shouldn't. These can then be used to take control of the router.

kitz

  • Administrator
  • Senior Kitizen
  • Posts: 33884
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: TalkTalk and Post Office routers hit by cyber-attack
« Reply #3 on: December 01, 2016, 10:14:12 PM »

I'm led to believe that this does not affect the VMG series.
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

NewtronStar

  • Kitizen
  • Posts: 4898
Re: TalkTalk and Post Office routers hit by cyber-attack
« Reply #4 on: December 01, 2016, 10:28:29 PM »

Test your routers with ShieldsUP. If the scan comes back with anything other than all ports stealth, you may have a hole in the router that can be used by hackers. Of course, ISP modem/routers will have the TR-069 port open for diagnostic reasons  :-\
« Last Edit: December 01, 2016, 10:32:32 PM by NewtronStar »

broadstairs

  • Kitizen
  • Posts: 3700
Re: TalkTalk and Post Office routers hit by cyber-attack
« Reply #5 on: December 01, 2016, 10:39:14 PM »

>> I'm led to believe that this does not affect the VMG series.

Well I checked mine anyway and both tr064 and tr069 are disabled. Ages ago I did a ShieldsUP and it came back stealth anyway.

Stuart

Weaver

  • Senior Kitizen
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: TalkTalk and Post Office routers hit by cyber-attack
« Reply #6 on: December 01, 2016, 11:06:03 PM »

Can you specify a target address for testing with Shields Up? Or is it always only your own machine, that is, the one browsing the site?

pentest-tools can test a specified target address iirc. Does an nmap and various other options.

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • Posts: 5369
Re: TalkTalk and Post Office routers hit by cyber-attack
« Reply #7 on: December 01, 2016, 11:06:55 PM »

Agreed, shields up is good reassurance.

But for zen users, maybe others too, be aware that certain ports are reported as 'closed' when you might have expected 'stealth'.  When I tried some time ago, it took me longer than I care to admit to satisfy myself all was well.   Certainly, went without any lunch that day :-[

And after I did get to the bottom of it, I discovered it was already well documented on one of the world's best forums...

http://forum.kitz.co.uk/index.php?topic=15193.0

Chrysalis

  • Content Team
  • Addicted Kitizen
  • Posts: 7405
  • VM Gig1 - AAISP CF
Re: TalkTalk and Post Office routers hit by cyber-attack
« Reply #8 on: December 02, 2016, 07:13:55 AM »

This is no surprise; the vast majority of consumer routers on the market have lots of flaws, mainly because many use ancient versions of code and they are barely maintained, if at all, post release.

kitz

  • Administrator
  • Senior Kitizen
  • Posts: 33884
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: TalkTalk and Post Office routers hit by cyber-attack
« Reply #9 on: December 02, 2016, 01:32:53 PM »

>> I'll be interested to hear the detail behind this one.

OK, since this has now hit the media and the affected ISPs have had a chance to start rolling out the fixes, I guess it should now be OK to say the following with regards to the ISPs using the affected Zyxel modems.

The issue was with the TR-064 stack not properly checking which interface HTTP requests came from.  TR-064 is only supposed to accept LAN side requests.  The bug allowed TR-064 requests to be injected into TR-069 (WAN) HTTP requests.  The device then assumed that the request was coming from the LAN HTTP server.  In summary, these requests had the ability to open [http] port 80 on the firewall, thereby exposing the web administration GUI to the WAN side.

I can confirm Zyxel has stated that it does not affect their VMG series which we usually recommend on here.
It is worrying though, that there are probably lots of routers out there (not just Zyxel) using the same code in their firmware.

---

There's bits I don't quite get - this is more ejs's domain - with regard to port 7547 & TR-069.  What I don't understand, nor have time to look further into: from memory I thought the TR-069 standard either specified or recommends that requests are only supposed to connect to an authorised server, so in the case of these ISP-based modems, are they not being configured properly in the first place so that TR-069 requests can only come from their own servers?

ejs

  • Kitizen
  • Posts: 2078
Re: TalkTalk and Post Office routers hit by cyber-attack
« Reply #10 on: December 02, 2016, 02:36:34 PM »

The open port used for TR-069 has only a single purpose. It's used when the ACS server wants the CPE device to initiate a connection to the ACS server. The ACS server sends an HTTP GET request to the port (often 7547). If the URL and username and password sent in the request are correct, then the CPE device will connect to the pre-configured ACS server address in its config. There aren't any other commands that can be sent to this port; it deliberately has a very limited function.

It would be good security practice to have some firewall rules that restricted access to port 7547 (or other port used for that TR-069 purpose) to the specific range of IP addresses that belonged to the ISP's servers, but I don't think it's part of the TR-069 specification itself.

It isn't only that the TR-064 commands can open access to the web interface. They also try to inject commands into the config in an attempt to make the router download and execute the malware, by putting the commands into `backticks` and setting the NTP server address to contain those commands.
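The two checks kitz and ejs describe above, written out as an added Python example that is not code from the thread, from Zyxel or from any router firmware: the TR-064 stack decides by the interface the listener is bound to (LAN only), the WAN-side connection-request port accepts nothing but an authenticated GET from the ACS, and the NTP server field is validated so that a value carrying backticks or other shell metacharacters is refused. The ACS address range, the request path, the credentials and the `Request` shape are constructed assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed values: the ISP's ACS address range and the connection-request
# credentials provisioned into the CPE. Real deployments differ.
ACS_ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
CONN_REQ_PATH = "/tr069"
CONN_REQ_CREDS = ("acs-user", "acs-pass")

# TR-064 SOAP actions name a urn:dslforum-org service in the SOAPAction
# header (for example Time:1#SetNTPServers); only the LAN should reach them.
TR064_ACTION = re.compile(r"urn:dslforum-org:service:")

# An NTP server setting may be an IP literal or a DNS hostname, nothing else.
SAFE_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


@dataclass
class Request:
    iface: str                          # listener that received it: "lan" or "wan"
    src_ip: str
    method: str
    path: str
    auth: Optional[tuple] = None        # (user, password) from HTTP auth, if any
    soap_action: str = ""               # SOAPAction header, empty for plain GETs
    body_values: Optional[dict] = None  # parsed SOAP arguments


def is_safe_host(value):
    """True only for an IP literal or a plain hostname. Backticks, ';', '$('
    and similar fail both checks, so a command smuggled into the NTP server
    field never reaches the config."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(SAFE_HOSTNAME.match(value))


def check_tr069_connection_request(req):
    """The WAN-side port (7547 in the thread) has one job: an authenticated
    GET on the connection-request path from the ACS range tells the CPE to
    call home. Anything else is refused. Returns (accepted, reason)."""
    src = ipaddress.ip_address(req.src_ip)
    if not any(src in net for net in ACS_ALLOWED_NETS):
        return False, "source not in ACS range"
    if req.method != "GET" or req.path != CONN_REQ_PATH:
        return False, "not a connection request"
    if req.auth != CONN_REQ_CREDS:
        return False, "bad connection-request credentials"
    if req.soap_action or req.body_values:
        return False, "SOAP action not accepted on connection-request port"
    return True, "connection request accepted"


def check_tr064_request(req):
    """TR-064 is LAN-side only. The bug in the thread was that requests
    arriving on the WAN listener were treated as if they had come from the
    LAN HTTP server; here the receiving interface decides, not the request."""
    if req.iface != "lan":
        return False, "TR-064 rejected: not received on LAN interface"
    if not TR064_ACTION.search(req.soap_action):
        return False, "not a TR-064 action"
    for name, value in (req.body_values or {}).items():
        if name.startswith("NewNTPServer") and not is_safe_host(value):
            return False, f"{name} rejected: not a plain hostname or IP"
    return True, "TR-064 action accepted"


def dispatch(req):
    """Route on the interface the listener is bound to."""
    if req.iface == "wan":
        return check_tr069_connection_request(req)
    return check_tr064_request(req)


if __name__ == "__main__":
    # Constructed requests: a TR-064 call arriving on the WAN listener, a
    # genuine connection request, and LAN-side NTP settings (clean and smuggled).
    ntp_action = "urn:dslforum-org:service:Time:1#SetNTPServers"
    samples = [
        Request("wan", "198.51.100.7", "POST", "/tr064", None, ntp_action,
                {"NewNTPServer1": "pool.ntp.org`placeholder-command`"}),
        Request("wan", "203.0.113.5", "GET", CONN_REQ_PATH, CONN_REQ_CREDS),
        Request("lan", "192.168.1.20", "POST", "/tr064", None, ntp_action,
                {"NewNTPServer1": "pool.ntp.org"}),
        Request("lan", "192.168.1.20", "POST", "/tr064", None, ntp_action,
                {"NewNTPServer1": "pool.ntp.org`placeholder-command`"}),
    ]
    for r in samples:
        print(r.iface, r.src_ip, r.soap_action or r.path, "->", dispatch(r))
```

The design point is that `dispatch` never looks at anything the client sent to decide which stack handles the request; it looks only at which socket the request arrived on. The source-range check on the connection-request port is the firewall rule ejs mentions, moved into the handler so it applies even when the packet filter is misconfigured.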

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • Posts: 5369
Re: TalkTalk and Post Office routers hit by cyber-attack
« Reply #11 on: December 02, 2016, 03:55:45 PM »

Now, maybe I should be worried.

My Billion 7800DXL, which was not supplied by the ISP, seems to be factory configured for TR-069 on port 30005.  Shields Up identified 30005 as open, even though remote access is set to 'disable'.  :o

Then I did a fw update, and now port 30005 is 'stealth'.  :-\

Firmware release notes said, under Mods and bug fixes,   "1. Support TR069 WAN port modification."

Happy to talk more about other parameters if anybody is interested.  But maybe one of the Gurus can advise... should I (and other Billion users) be worried, and should any further testing be in order?

Chrysalis

  • Content Team
  • Addicted Kitizen
  • Posts: 7405
  • VM Gig1 - AAISP CF
Re: TalkTalk and Post Office routers hit by cyber-attack
« Reply #12 on: December 02, 2016, 04:47:31 PM »

Also the web interface daemon should be configured to not even listen on the WAN interface if properly and securely configured.

e.g. asuswrt used to listen on * even when it was set to LAN only in the options.
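Chrysalis's point above, that the admin daemon should not listen on the WAN at all and that the UI setting may not reflect what the daemon actually does, turned into an added check that is not part of the thread or of any router's firmware: parse the listener table a Linux-based router prints with `ss -ltn` and flag management services bound to every address instead of the LAN address. The sample output, the port list and the LAN address are constructed.

```python
# Wildcard local addresses as ss/netstat print them (IPv4 and IPv6 forms).
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}
# Assumed set of management services worth flagging; extend to taste.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http admin", 443: "https admin"}
TR069_PORT = 7547  # connection-request port mentioned in the thread

# Constructed sample: admin HTTP and SSH on all addresses, HTTPS on the LAN
# address only, DNS on loopback, TR-069 connection-request port on all addresses.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     192.168.1.1:443      0.0.0.0:*
LISTEN  0       5       *:7547               *:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     127.0.0.1:53         0.0.0.0:*
"""


def parse_listeners(text):
    """Return (local_address, port) for each LISTEN row; the header is skipped
    because its first column is 'State', not 'LISTEN'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)  # rsplit keeps IPv6 brackets intact
        rows.append((addr, int(port)))
    return rows


def audit_listeners(text, lan_ip):
    """Return (port, finding) for every wildcard-bound management or TR-069
    listener. Services bound to lan_ip or loopback are not reported, since
    the WAN cannot reach them regardless of the firewall."""
    findings = []
    for addr, port in parse_listeners(text):
        if addr not in WILDCARD_ADDRS:
            continue
        if port in MANAGEMENT_PORTS:
            findings.append((port, f"{MANAGEMENT_PORTS[port]} on {addr}:{port} is "
                                   f"reachable from any interface; bind it to {lan_ip}"))
        elif port == TR069_PORT:
            findings.append((port, f"TR-069 connection-request port {port} is open on "
                                   f"all interfaces; firewall it to the ISP's ACS range"))
    return findings


if __name__ == "__main__":
    for port, msg in audit_listeners(SAMPLE_SS_OUTPUT, "192.168.1.1"):
        print(f"[{port}] {msg}")
```

Run it against real `ss -ltn` (or `netstat -ltn`) output captured from the router's shell; a clean result means the admin services are bound to the LAN address rather than relying on the firewall, which is what the UI setting is supposed to achieve.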

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • Posts: 5369
Re: TalkTalk and Post Office routers hit by cyber-attack
« Reply #13 on: December 02, 2016, 05:10:14 PM »

On the Billion, there's an option 'Wan interface used by TR-069 client'.

It had been factory set to 'Any_WAN'.  With the old firmware, setting it to LAN made no difference; Shields Up still said 'open'.  With the new firmware it still defaults to 'Any_WAN', but shows up as stealth.

Apols if I'm talking twaddle, I confess I'm way out of my depth.   Conversely, if I'm posting detail that I shouldn't, let me know and I'll edit & remove.
« Last Edit: December 02, 2016, 05:12:27 PM by sevenlayermuddle »

Chrysalis

  • Content Team
  • Addicted Kitizen
  • Posts: 7405
  • VM Gig1 - AAISP CF
Re: TalkTalk and Post Office routers hit by cyber-attack
« Reply #14 on: December 02, 2016, 05:12:55 PM »

Well, it shows you cannot trust what the UI tells you. Consumer routers are built with cheap in mind, which includes cheap software development and security auditing.