Exploit works on the BGW210. Status on other devices is unknown.
BGW320: Firmware 3.18.1 does NOT work.
This method can take many attempts to succeed. If anyone is able to improve the consistency, please let me know.
- 3.18.2_en.bin
- (Optional if BGW firmware =< 3.18.2)
http://gateway.c01.sbcglobal.net/firmware/ALPHA/210/001E46/BGW210-700_3.18.2/spTurquoise210-700_3.18.2_ENG.bin
- mfg_dat_decode
https://www.devicelocksmith.com/2018/12/eap-tls-credentials-decoder-for-nvg-and.html
- get_mfg_dat.sh
- get_rootcerts.sh
- Residential Gateway (RG) vulnerable to the muhttpd path traversal exploit
- This guide was written for the BGW210.
- As of December 2023, confirmed downgrade works from firmware 4.25.5
- It has not been tested on the BGW320 or any of the NVG line.
- Device with an ethernet port
- Basic knowledge of commandline
Download the provided resources before proceeding. Ensure the scripts are executable by running:
chmod +x get_mfg_dat.shchmod +x get_rootcerts.sh
After finishing this method, ensure these settings are reverted to Automatic (DHCP).
Windows
- Settings → Network & Internet → Ethernet
- Select the active Ethernet connection
- Under IP settings, click "Edit"
- Change Automatic (DHCP) to Manual
- Toggle on IPv4
- Fill in the fields as follows:
- IP address:
- 192.168.1.x (i.e., 192.168.1.200)
- Subnet prefix length:
- 24
- If it says "Subnet Mask" instead, use 255.255.255.0
- Gateway:
- 192.168.1.254
- IP address:
Mac
- System Settings/Preferences → Network
- Select the active Ethernet connection
- *Ventura 13: Click Details*
- Click "Advanced".
- Click "TCP/IP".
- Configure IPv4
- Set "Configure IPv4" to "Manually"
- Fill in the following details:
- IP address:
- 192.168.1.x (i.e., 192.168.1.200)
- Subnet Mask:
- 255.255.255.0
- Router:
- 192.168.1.254
- IP address:
- Click "Apply" to save changes
- Unplug the power cable
- If attached, unplug the Ethernet cable connected to the ONT port
- Connect computer's Ethernet port to one of the Ethernet ports on the RG. Do not connect it to the ONT.
- Plug the RG's power cable back in and wait for it to boot up.
- Navigate to the U-verse portal at 192.168.1.254
- Click the "Diagnostics" tab
- Click the "Update" link
- If current firmware version is below 3.18.2, skip this step.
- If current firmware version is above 3.18.2, upload the 3.18.2_EN.bin file and wait for the update to complete.
- Test if the RG is vulnerable to the exploit. Make sure the BGW is fully booted, then, in the computer's terminal, run:
curl --ignore-content-length -X"GET a/etc/hosts" http://192.168.1.254:80If the hosts file is printed, the exploit will work.
To decode mfg.dat, you'll need to download the attroot2031.der, attsubca2021.der, and attsubca2030.der files. From the computer's terminal, run:
./get_rootcerts.sh
This will likely take several tries. The updated version of the script by @mdonohue should require only one terminal open.
- Unplug the RG's power cable.
- In the terminal, run:
./get_mfg_dat.sh.
- Plug in the RG's power cable again.
- Repeat until successful. The mfg.dat file should be bigger than 200kb.
- Stop the script by either exiting the terminal or pressing
Ctrl+C. - Copy the mfg.dat file and all three *.der files to the same directory as mfg_dat_decode
- Run mfg_dat_decode
- If there's no error, the certificates will have been extracted and decoded successfully.
Change the computer's IP back to Automatic/DHCP.
- 8311 Discord Server
- @ChrisEric1 CECL#5569 – 3.18.2_en.bin + CVE tip
- @ibutsu – Lots of scripting help
- @jack2333 – Lots of help with troubleshooting and testing
- @redbeard#3977 – Documenting their experiment with this exploit
- @tofu#6072 – Initial CVE tip to @redbeard
- @up_n_atom – *.der file locations
- Derek Abdine – CVE Write-up
- devicelocksmith – mfg_dat_decode
- mdonohue – Optimization of get_mfg_dat.sh
