
All right, so I just want to thank everyone for making it out here tonight. I know it's getting late and this is the last presentation; fortunately I only have 20 minutes to torture you guys with. Before we get started, I just want to let you know that this is going to go over my methodology. This is not how to get a CVE, or even how to do cutting-edge research, because this is not cutting-edge research, but if you're looking for a CVE, I feel that after watching this presentation it will at least point you in the right direction.

So now, in regards to our agenda: there's the staple "who am I," the tyranny of the default, applied open source intelligence, or OSINT, as I'm sure everyone here is aware of, and we're going to go over some case studies. This presentation will just go over some vulnerabilities I found personally, starting June of last year. I gave myself a goal: I just wanted to obtain one CVE. And why you should listen to this talk: I am not an expert, but I found several dozen CVEs, and this is just to go over my methodology.

So, who am I? I am a security analyst at Sedar, and they're an awesome managed security services provider, where they provide MDR, EDR and penetration testing services. Most importantly, I'm a bug enthusiast. I love insects, I love praying mantises, I raise praying mantises, and that on the right is who I call Lightning Lily, because she had really fast reflexes. But I love praying mantises. If you're interested, I did some previous talks: earlier this year I did a fire talk at ShmooCon in regards to Android exploitation, and a talk on Bluetooth reverse engineering last year at BSides Rochester.

All right, so now we're going to go over the title, the tyranny of the default, and I'm just going to start off with a quote from Steve Gibson. Security Now is my favorite podcast; it runs every Tuesday, and they have provided a wealth of knowledge for going on 20 years. He's the CEO of Gibson Research Corporation, author of SpinRite, and he gets down to the assembly and he knows his stuff. So, in the words of Steve Gibson: "I coined the term years ago, the tyranny of the default, which is the sort of expression I like to use for most users that don't go in and change things. They just like to assume that someone smarter than them chose the settings that are best for them, and so they just say yes when asked a lot of questions." From my perspective, this applies to what started this talk, which is the use of default credentials. If you think about the overarching power of a tyrant, we often default to using default credentials for various reasons, and that kind of buzz-clicking, just-use-the-default habit has caused many issues.

So now this is just a quick case study. This is not something I discovered, but I thought it'd make a good segue. If you see this article from CISA, you see that programmable logic controllers could be compromised by using a default password of all ones, 111. Not very much entropy in that respect, but it just goes to show you that if critical infrastructure is being protected by very low entropy, we can run into all sorts of issues, and as it states here, the PLC was ultimately compromised.

So now we're going to go into the methodology. A lot of people are aware that in the United States, all wirelessly emitting devices have to meet certain specifications, and because of that we can get a wealth of knowledge by looking at the aggregated reports. So if you go to fcc.io or FCC report, you can find public records: you can see internal and external schematics, and just a lot of information, surprisingly available. As I started embarking on this open source intelligence, the issue started with an older router I had in my possession. I wanted to look at how the password was ultimately derived; I wanted to see if this was just an issue with my device in particular or if this was a wider issue, and as you'll see moving forward, this caused a few problems.

Now the main issue here, though, is that if you go to fcc.io and look at some of the diagrams, sometimes you can't get a clear indication of what's going on. So in this case I see where the label is, but I'm not getting much information out other than that. So, in regards to the OSINT portion of the title, I used a combination of fcc.io along with a few others, including eBay.

All right, so now ARRIS. ARRIS makes many models of devices. This talk actually did not start with this model right here, but part of my methodology was: if I can't see the contents of a label, then I want to see how else this information can be aggregated. So in my case I decided just to reference eBay. People sell things on eBay, and often all the labels are readily available. So looking at this information, things become a little bit more apparent. Let's take a look at this pre-shared key here. To someone who may not be well versed, looking at that string of characters, it may appear to be random, but it's anything but random. In fact, this password could simply be derived by taking, in most cases, roughly the first half of the SSID along with the last three octets of the MAC address.

Now the problem, though, is not so much the fact that they decided to base the password off the MAC address, but really it's the fact that all the interfaces have a similar MAC address. So if you think about it, if you're going to set a password to be based on the MAC address, but all the MAC addresses, including the wireless interface, are only different by a character, then essentially, without using any fancy tools (I mean, you could just use maybe WiGLE WiFi if you're using Android), you could simply get within proximity of a wireless access point and determine the wireless password by simply having the name.

You're probably thinking, well, this is just a default password, why should we care about this? But as you'll see moving forward, and this is a little bit more than anecdotal evidence, I would say a large majority of the time, when you see these default SSIDs, the passwords have not been changed either, for the same reason: users will get a device, they may have an issue actually accessing the admin panel, so what's simpler than to use what appears to be a random password? And it was easily derivable.

So now here's what's interesting. I actually found this slide after this presentation got accepted, and I did not notice this initially. ARRIS makes a lot of devices; out of all the devices that had the same issue, only this particular model explicitly said how this password was derived, and I thought it was interesting. I actually didn't figure this out until after the presentation got accepted, but if you look on the bottom, where it says WPA2 PSK, it clearly defines that the password is generated from the SSID and the MAC address, and with all the MAC addresses for all the interfaces essentially being identical except for the final octet, these are easily derived.

But it wasn't just ARRIS that had this problem. It seems to be an issue with cable modem routers that are trying to meet DOCSIS 2 or 3, that part of that specification. So let's look at some distribution here. Now this particular model, you see it says SSID DDW365; that's actually a model from Ubee, not ARRIS, but we have the same problem here. As you'll see moving forward, the passphrase is essentially generated from DDW365, which is roughly half of the SSID, along with the second half of the customer MAC address, which is an interface that is almost identical to the wireless MAC address.

If you look at distribution as of 2019, you see these are spread out in Phoenix. Now I didn't include more recent data, but just citing 2019, these are all default SSIDs, and with a little bit of research I'm approximating that roughly three-fourths of these are also using the same default password. It's a little bit anecdotal, but I've encountered many people with these devices, and generally speaking, users that have the knowledge will change their SSID. If you see this default, it's highly likely, and remember there are no special tools needed here; you don't have to gather packets or anything like that, just approach the device, look, and all that information is readily available.

And it's not just Ubee, and it's not just ARRIS; there's also Technicolor. Here's another device; you see SSID TC871. Now it's interesting, and only that one model actually documented the algorithm, but I find it interesting that there are three different manufacturers all using this very basic logic of concatenating the MAC address and the SSID to form the default credential. Now technically, for this particular model, it's not exactly the first half of the SSID and the last three octets; there's a slight change, but it's 90% the same.

In regards to OSINT, Vistumbler is very similar to WiGLE WiFi. The reason why I chose Vistumbler is that a lot of these wireless SSID databases will have throttling and limits on how much you can query; in this case, for Vistumbler there were no limits, so you can query to your heart's content. Now, granted, the distribution isn't as dense as some of the ARRIS and Ubee, but there are a lot of targets, and I'm only showing a few areas. If you stumble across this, you'll probably notice some of these on your street.

All right, so now, in regards to the case study: the Wi-Fi password algorithm is a focal point of the talk, but as you can see, if you look at the first CVE, 439, that reflects three of the models, and 438 reflects two, but essentially this is a combination of ARRIS, Ubee and Technicolor. This kind of got the gears in my head flowing, so I'm like, well, I wonder how many other manufacturers? So I spent a lot of time just going over eBay. I relied heavily on eBay, but it was the easiest way to gather this information. Fortunately, it seems like there was a certain time period where this was a common collusion when it comes to this particular scheme; fortunately, they have not made this mistake in subsequent products. But if you have one of these devices, you have more problems to worry about than just the default password, because a large majority of these devices are vulnerable to so many other exploits that you're better off just not using the product entirely. I recommend end-of-lifing them for various reasons; there are so many exploits that this is the least you have to worry about, but this one requires no tools to exploit.

All right, so now: I like bugs. Growing up, I also had this weird idea that maybe one day I'd become an archaeologist; I'd be like Indiana Jones. Well, I decided this is my best opportunity. If you think about past performance, and you think about the idea that companies are making the same mistakes, I decided, well, let's look at some older devices, let's see if I can go for some more low-hanging fruit. Once again, this is my methodology; this is not how to do cutting-edge research, but it got me several CVEs just off this particular issue. And once again, I don't 100% agree with this quote, "the best predictor of future behavior is past behavior," but if you think about credit scores, and you think about criminal records, we unofficially agree that people tend to make the same mistakes again.

So at this point I had exhausted all the Ubee and Technicolor devices, and fortunately they haven't made this mistake since. So this isn't to smear these companies; they actually have learned from this mistake and haven't had any subsequent issues. I started to branch further into the current router that I was using for my ISP, which is actually a Hitron device. Now, interestingly enough, I did not find the same issue. I did find an issue with how passwords were being generated for a Hitron device; it wasn't the same, but in some ways it's kind of worse.

All right, so now, before I get into that particular password, actually, I can go ahead and mention it. It's not really a focal point here, but this is about passwords, so I'm going to go ahead and state it. In this case, for this particular model, which was powering my home internet, the default password was essentially the word "hitron" concatenated with a five-character hex value, which is only about a million possibilities; I mean, it should be in the billions. The entropy was very low, but setting that aside, I wanted to look at some other things.

So when it comes to past performance, I love referencing MITRE directly, because if you want to find an exploit, just see what issues the manufacturer had before, and most likely they'll have the same issue. So this was someone else's discovery, this cross-site scripting right here, in 2020. So I'm like, okay, this is kind of interesting: if you add a device and you essentially hit an X button, an XSS payload can be triggered. But the problem is that, in my opinion, it required a little too much user interaction, so I didn't really like that aspect too much. Also, because this issue actually was fixed, I wanted to see if any other parameters were vulnerable. So I went through all the parameters and tried XSS, and I found another one. So I'm like, well, looks like they didn't, and I came to the conclusion that he must have just checked one page. I just went through all the other parameters and found another cross-site scripting.

All right, so here's the cross-site scripting I found. Sorry about the image here, it's a little bit blurry, but in this case there's a page in the administration portal called the device location page, where you essentially just enter where you'd like the device to be located, so let's say "garage." But within that field, it didn't have proper sanitization of user input, so it allowed me to export a user's cookie. Now, the thing about this particular issue is that it can only be exploited by someone with administrator rights. Fortunately, even though admin rights were required, look at this like a booby trap: if you're able to log into the administration panel, you could set this cross-site payload, and if the user changed their password but happened to visit the page, you could exfiltrate that data. Here's just a quick demo of that. We're not going to go into the weeds of it, but essentially what this demonstration shows is me setting up an AWS box, me visiting the page, and me showing data being exfiltrated by XSS.

Things get a little bit more interesting from here. There's a little bit of an IOC, if you see how everything was displaced right here, but other than that, just visiting the page exfiltrated the data. As you can see here, the password is depicted. But let's move a little bit further. I only had one Hitron device, but I actually acquired another device by essentially using a combination of eBay, thrift stores and a little bit of recycling. So I had another device, an ADTRAN device. What I find interesting is that I found a few issues with this product, and once again, during the process of creating this presentation, I discovered that someone else had reported some similar issues. They must have just held off on publishing the CVE, so we kind of had some simultaneous submissions, but these are for different products. So the reason why I say déjà vu, I'll explain that here in a second.

All right, so I don't expect you guys to be able to read this, but what's important here, back to the topic of passwords: now we're all used to routers having a default password of admin/admin. This isn't anything crazy. What's interesting about this, though, is that they had one interesting mitigation. Although the default password for root was admin/admin, if you plug the device into the Ethernet, it was publicly accessible over the Internet, which kind of gave us a race condition. So if you have the Ethernet cable plugged in, that's enough time for your device to already be compromised, because it's wide open. So even though they required a password change, it wasn't quite good enough. And there are some other issues I found: I eventually did find a cross-site scripting here, and I also found some other issues regarding the telnet service and command injection.

We're going to just move forward a little bit here. This is a quick demo; it's kind of a segue into the second vulnerability. I'm not terribly surprised that they had default admin/admin, although that's a botnet herder's dream. Interestingly, this is just going to show how, during the setup process, I can go ahead and create another account with root-level privileges, and even after the person changed the password, I'd still have a way to access the device. What I found interesting, while I was looking at some of the other accounts that were on this device, is I realized another issue: there was a hardcoded support account that also had root-level permissions, and guess what? It's very similar to the Wi-Fi issue: the default password is ultimately based on the MAC address. I'm going to get into this in a second. This just shows me adding the account; we're going to move forward here. Now here we have the support account.

All right, just to wrap things up: this support account had a root-level password that consisted of the second half of the MAC address. If you think about it, if you're connected to a network, just by looking at the gateway address you can easily determine what that information is, or through the Wi-Fi, through the BSSID. So that's obviously not a good situation. And how did I locate this? Well, on another one of their devices they documented this, on one of their products, only one of them, but because ADTRAN bought SmartRG, they didn't update all the documents, so we end up in this strange situation.

So we're going to go over that and the other issue. This is a little bit redundant: there was also a command injection that did require authentication, but because there are so many ways to bypass authentication, this is a little bit redundant. But it's still something that should be fixed in software, and this is just using shell metacharacters. If you want to know how to do that, try PortSwigger; this tutorial is how I figured it out, very straightforward. And just a quick demo showing that. We are almost done here. If you think about shell metacharacters, you think about things like the backtick and the dollar parentheses; some of these symbols can be used in Linux versus Windows, and in this case there was BusyBox under it, so it would just allow me to inject shell metacharacters, and that gave me command injection as root. Now, once again, it's authenticated, but it's easy to bypass that requirement.

So we're going to go ahead and just move forward; we're short on time, so we've got to get to the conclusions. Manufacturers should require users to set a new password before the device can be used. Self-explanatory, but at least for the ADTRAN devices, these devices were produced in the last few years, so these are new devices. Fortunately, ADTRAN was great: they updated their firmware and fixed all these devices, so at least for ADTRAN, they were a great vendor to work with. And not to say anything bad about anybody else; I just didn't get a whole lot of feedback. I want to thank you for taking the time to see me. Once again, I'm out of time here, but I love being in Vegas, so have a great evening. Does anyone have any questions?

Well, being from Norway myself, one of the things I know is that in the state of California there's a law saying that you're not allowed to sell products, software or hardware, with default passwords in them. I have no idea how they are actually using that law in real life, but what you're showing now, because I've seen this for the past 20 years at least, is that the vendors are putting in very simple algorithms for generating passwords so that in many cases the vendors, or the companies selling these products, will be able to support the customers, because customers will call in and say, "I can't remember the password, I lost the piece of paper," and then they can say, "just tell me the numbers on your serial number or your MAC address," and then we can sort of help you figure out the password. That's one of the reasons. But as with the law in California, if you say that you're not allowed to have default passwords, then it's sort of interesting: would you have an opinion on, when they have such incredibly easy solutions in place to sort of generate or guess the password, do you think that you could say that is not allowed either according to the law in California?

Is that a question? For me it's not the default; it's just, I feel like the product should not be usable until after a password change, because there has to be some kind of initial setup. But the problem, granted, is I found even way more issues than this; there are just too many unfixed issues at this point. But default credentials, we're under the tyranny of that, and that is a problem.

Yeah, any questions? One question? No questions. Thank you for being here, interesting talk, and of course enjoy Vegas.
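The recurring finding in the talk, a Wi-Fi PSK built from half the SSID plus the last MAC octets and a support-account password equal to half the MAC, can be checked from the defender's side with a small inventory audit. The following is an added example, not code from the talk or from any of the vendors named; every device name, SSID, MAC and password in it is constructed, and the tiling heuristic (a credential made entirely of substrings of the SSID or MAC) is my own assumption about how to flag the pattern.

```python
"""Audit helper: flag device credentials made entirely of public identifiers
(SSID and MAC/BSSID), the pattern described in the talk.  Constructed data."""
import math
import re


def _clean(value: str) -> str:
    """Lower-case and strip separators so 'AA:BB-cc' and 'aabbcc' compare equal."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def derived_pieces(secret: str, ssid: str, mac: str, min_piece: int = 4):
    """Return the pieces that tile `secret` if every piece (>= min_piece chars) is
    a substring of the SSID or the MAC, else None.  A dynamic program over
    prefixes finds a tiling if one exists; min_piece stops two-character
    coincidences such as 'a1' from producing false positives."""
    s = _clean(secret)
    sources = [_clean(ssid), _clean(mac)]
    if not s:
        return None
    n = len(s)
    best = [None] * (n + 1)  # best[i] = piece list tiling s[:i], or None
    best[0] = []
    for i in range(1, n + 1):
        for j in range(0, i - min_piece + 1):
            if best[j] is None:
                continue
            piece = s[j:i]
            if any(piece in src for src in sources):
                best[i] = best[j] + [piece]
                break
    return best[n]


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a suffix drawn uniformly from alphabet_size ** length,
    e.g. the fixed-word-plus-five-hex-characters scheme mentioned in the talk."""
    return length * math.log2(alphabet_size)


def audit(inventory):
    """Return (device, field, pieces) for each credential derivable from
    identifiers an observer can read off the beacon or the label."""
    findings = []
    for dev in inventory:
        for field in ("wifi_psk", "admin_password"):
            pieces = derived_pieces(dev[field], dev["ssid"], dev["mac"])
            if pieces:
                findings.append((dev["name"], field, pieces))
    return findings


# Constructed inventory: one device whose PSK is the first half of the SSID plus
# the last three MAC octets and whose admin password is the second half of the
# MAC, and one device with properly random credentials.
INVENTORY = [
    {"name": "cable-modem-1", "ssid": "ROUTER01-7C3E", "mac": "00:1A:2B:7C:3E:9F",
     "wifi_psk": "ROUTER017C3E9F", "admin_password": "7C3E9F"},
    {"name": "cable-modem-2", "ssid": "MyHomeNet", "mac": "00:1A:2B:11:22:33",
     "wifi_psk": "x9!Qm2#vLp8rT4", "admin_password": "Correct-Horse-42"},
]

if __name__ == "__main__":
    for name, field, pieces in audit(INVENTORY):
        print(f"{name}: {field} is built from public identifiers: {pieces}")
    print(f"five hex characters: {keyspace_bits(16, 5):.0f} bits, "
          f"{16 ** 5:,} values")
```

Run against a real inventory, a hit means the credential should be rotated and the SSID renamed; a miss only means the secret is not a plain concatenation of beacon data, not that it is strong.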