Backdoor in FiberHome routers

Seventeen security issues have been identified in FiberHome routers used by providers to connect subscribers to GPON optical lines, including backdoors with predefined credentials that allow remote control of the equipment. The problems allow a remote attacker to gain root access to the device without authenticating. The vulnerabilities have been confirmed in the FiberHome HG6245D and RP2602 devices, and partially in AN5506-04-* devices, but it is possible that other router models from this company that were not tested are also affected.

It is noted that, by default, IPv4 access to the administrator interface on the studied devices is bound to the internal network interface, so it is reachable only from the local network; IPv6 access, however, is not restricted in any way, which makes the existing backdoors usable over IPv6 from the external network.

In addition to the web interface, which works over HTTP/HTTPS, the devices provide a function for remotely activating a command-line interface that can then be accessed via telnet. The CLI is activated by sending a special request over HTTPS with predefined credentials. In addition, a vulnerability (stack overflow) was discovered in the HTTP server that serves the web interface; it is triggered by a request with a specially formed HTTP Cookie value.
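As an added illustration (not code from the original report or from FiberHome), the following Python script shows how a defender could flag, in an access log in front of the management interface, the conditions described in the two paragraphs above: requests to the /telnet and /fh handlers and to /privkeySrv.pem, an oversized Cookie header, and management-interface requests arriving from an IPv6 address outside the local network. The log format, the 512-byte cookie threshold, the choice of link-local and unique-local prefixes as "local", and all sample lines are assumptions made for this example.

```python
"""Classify HTTP requests to a GPON router's management interface.

Flags the conditions described in the report: requests to the backdoor
handlers (/telnet, /fh), download of the private key (/privkeySrv.pem),
an oversized Cookie header (the stack-overflow vector), and management
access arriving from an IPv6 address outside the local network.  The log
format and all sample lines below are constructed for this example and
are not FiberHome's.
"""
import ipaddress
import re
from dataclasses import dataclass

# Handler paths quoted in the report.
SUSPICIOUS_PATHS = {"/telnet", "/fh", "/privkeySrv.pem"}
# Assumption: a legitimate session cookie for the web UI is far shorter than this.
MAX_COOKIE_LEN = 512
# Assumption: only link-local and unique-local IPv6 sources count as "local".
LOCAL_V6 = (ipaddress.IPv6Network("fe80::/10"), ipaddress.IPv6Network("fc00::/7"))

# Constructed format: <client> "<method> <path> <proto>" <status> cookie_len=<n>
LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) cookie_len=(?P<cookie_len>\d+)$'
)


@dataclass
class Finding:
    client: str
    path: str
    reasons: list


def is_external_v6(client: str) -> bool:
    """True if client is an IPv6 address that is not loopback, link-local or ULA."""
    try:
        ip = ipaddress.ip_address(client.strip("[]"))
    except ValueError:
        return False
    if ip.version != 6 or ip.is_loopback:
        return False
    return not any(ip in net for net in LOCAL_V6)


def classify(line: str):
    """Return a Finding for a suspicious request, or None for a benign one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # malformed line: ignore rather than guess
    client, path = m["client"], m["path"]
    # Compare the path without query string or trailing slash to the known handlers.
    base = path.split("?", 1)[0].rstrip("/") or "/"
    reasons = []
    if base in SUSPICIOUS_PATHS:
        reasons.append(f"request to backdoor/leak handler {base}")
    if int(m["cookie_len"]) > MAX_COOKIE_LEN:
        reasons.append(f"oversized Cookie header ({m['cookie_len']} bytes)")
    if is_external_v6(client):
        reasons.append(f"management access from external IPv6 address {client}")
    return Finding(client, path, reasons) if reasons else None


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample log (not real device output).
SAMPLE_LOG = [
    '192.168.1.10 "GET /index.html HTTP/1.1" 200 cookie_len=64',
    '[fe80::1c2b:3d4e:5f60:7a8b] "GET /status.html HTTP/1.1" 200 cookie_len=64',
    '[2001:db8:1::25] "POST /fh HTTP/1.1" 200 cookie_len=48',
    '192.168.1.10 "GET /privkeySrv.pem HTTP/1.1" 200 cookie_len=0',
    '192.168.1.77 "GET /login.html HTTP/1.1" 200 cookie_len=4096',
    '[2001:db8:1::25] "GET /telnet HTTP/1.1" 200 cookie_len=48',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.client, f.path, "; ".join(f.reasons))
```

Run on the constructed sample, the script reports four of the six lines: the two requests from the documentation-range IPv6 address (each also hitting a backdoor handler), the private-key download, and the request carrying a 4096-byte cookie. The IPv6 rule deliberately does not use Python's `is_global`, which treats the 2001:db8::/32 documentation range as non-global; instead it treats anything that is not loopback, link-local or unique-local as external, matching the report's point that the administrator interface is reachable over IPv6 from outside.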

In total, the researcher identified 17 security problems, of which 7 affect the HTTP server, 6 the telnet server, and the rest relate to system-wide flaws. Among the identified issues:

  • Leakage of information about subnets, firmware, the FTTH connection ID, and IP and MAC addresses before authentication.
  • User passwords saved to the log in clear text.
  • Credentials for connecting to wireless networks, and other passwords, stored in clear text.
  • Stack overflow in the HTTP server.
  • The private key for the SSL certificate present in the firmware and downloadable via HTTPS (“curl https://host/privkeySrv.pem”).
  • Backdoor for telnet activation: the HTTP server code contains a special request handler “/telnet”, as well as a handler “/fh” for privileged access.
  • Engineering passwords and authentication parameters hardcoded in the firmware. In total, 23 hardcoded accounts tied to different providers were identified in the HTTP server code; their passwords are used in the https://ip/fh handler to activate telnet:
    • user / user1234
    • f~i!b@e#r$h%o^m*esuperadmin / s(f)u_h+g|u
    • admin / lnadmin
    • admin / CUadmin
    • admin / admin
    • telecomadmin / nE7jA%5m
    • adminpldt / z6dUABtl270qRxt7a2uGTiw
    • gestiontelebucaramanga / t3l3buc4r4m4ng42013
    • rootmet / m3tr0r00t
    • awnfibre / fiber@dm!n
    • trueadmin / admintrue
    • admin / G0R2U1P2ag
    • admin / 3UJUh2VemEfUtesEchEC2d2e
    • admin / MAC address of the br0 interface (6 to 32 characters)
    • admin / 888888
    • L1vt1m4eng / 888888
    • useradmin / 888888
    • user / 888888
    • admin / 1234
    • user / tattoo@home
    • admin / tele1234
    • admin / aisadmin
Based on media reports.