I recently had to work with a home fiber router that was supplied by the ISP, the FiberHome AN5506-02-F.
Compared to the previous internet access solution, which was based on a cable modem and required the user to use their own router, the new solution has both advantages and disadvantages. The advantages would be: integrated WiFi, security and firewall. The disadvantages: only one LAN port available (@100Mbps), only 2.4GHz (@150Mbps), outdated software, locked-down interface, no easy way to expose a second router.
The unit is very similar to the AN5506-04 model ( http://flytec.com.py/download/files/AN5506-04F-manual.pdf ), except it has only 2 UTP ports, only 1 phone port and no CATV interface.
Exposing the inner router
To get around the issue of the (old) router not being accessible from outside, the solution is to add that router into the DMZ setting. This is needed for things like web hosting, ftp server, some chat clients, torrents, etc.
You can log in with your supplied standard username and password, no need for admin rights for this. The usual link is http://192.168.1.1 . Write down your old router's MAC address, either from the 'Status -> LAN -> DHCP Clients List' or from its label.
Add the MAC address to the static leases list, just to be sure that the old router will always get the same IP. Might not be needed, but in case something happens you want to be sure that you don't expose the wrong host to the Internet.
Add the IP address from above to the DMZ zone.
Every time your public IP is accessed, the ports exposed to the outside will be the ones on your old router. Assuming the old one is more secure than the new router, this will also improve security.
There are also other ways to do this, but this one is the easiest. Not a hack, just poorly documented functionality.
Studying the firmware
The router home page uses a framed design, with the left frame (./left.asp) consisting of some hardcoded data and JS includes and the right frame being the active UI.
The hardcoded data is a crude state machine that selects a different skin or menu structure based on the ISP values.
"checkResult" is the result of the login, with all values except 1,3,4,6,11 being accepted. So you can set it to 0 or 2 to signal to the JS that the user is logged in. The check is only done in one place, utils.js, so you can set a breakpoint at the method entry point and override the value:
Each time the script pauses at that line, you can set the checkResult value to a valid one and press continue - most of the pages will happily load. You can automate this process with a Tampermonkey script, which could override the security function with a dummy one:
web_access_check = function(i){} // replaces the client-side access check with a no-op
We can already see two critical security problems: the access check is enforced only on the client side, and it lives in a single checkpoint.
Looking further into the requests and responses (XHR) I could see that for this version of router/ISP an XML resource is being loaded:
It looks like the menu and submenu layout; this could have been deduced as well by looking at the JS code.
Changing 1.xml to 2.xml yields an advanced menu:
Tracing back how this XML is loaded leads us to another semi-hardcoded page:
Long story short, setting a breakpoint just before Frame.show() and setting curUserType to "2" will load the admin version of the UI.
The exposed menu items are not interesting for a normal user (they don't add features or increase speed or anything else) and can brick the router if modified.
I haven't played much more with this, but I suspect the unit might be susceptible to some basic attacks: directory traversal, RCE, privilege escalation, ...
There are some other topics that are left as an exercise for the reader: switching to different skins and languages, dumping the file system, finding out the admin username/password combo.
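The authorization model described above, reduced to two small functions so the weak variant and a server-side variant can be compared directly. This is an added example, not code from the router firmware or from the post; the names checkResult, curUserType and the 1.xml/2.xml menu ids come from the text, while the menu contents, the session table and the role mapping are constructed stand-ins.

```javascript
// Constructed menu definitions: "1" = normal user menu, "2" = admin menu.
const MENU_XML = {
  "1": "<menu><item>status</item><item>wlan</item></menu>",
  "2": "<menu><item>status</item><item>wlan</item><item>management</item></menu>",
};

// Weak pattern (what the post describes): the browser decides whether the
// login succeeded (checkResult) and which menu to fetch (curUserType), and
// the server hands out whichever menu file is requested. Both inputs are
// under the client's control, so neither can be trusted.
function clientSideMenu(checkResult, curUserType) {
  const rejected = [1, 3, 4, 6, 11];            // values the client-side check rejects
  if (rejected.includes(parseInt(checkResult, 10))) return null;
  return MENU_XML[curUserType] || null;         // "/menu/.../<curUserType>.xml"
}

// Server-side pattern: the server keeps the session table and derives the
// role from the session id alone. The requested menu id is then checked
// against that role, so editing a variable in the page changes nothing.
const SESSIONS = new Map([                      // constructed session store
  ["sess-user", { role: "user" }],
  ["sess-admin", { role: "admin" }],
]);
const ROLE_MENU = { user: "1", admin: "2" };

function serverSideMenu(sessionId, requestedMenu) {
  const session = SESSIONS.get(sessionId);
  if (!session) {
    // no valid session: behave like the patched firmware and send to login
    return { status: 302, location: "/redirect2login.asp", body: null };
  }
  if (requestedMenu !== ROLE_MENU[session.role]) {
    // authenticated but not authorized for this menu: deny explicitly
    return { status: 403, location: null, body: null };
  }
  return { status: 200, location: null, body: MENU_XML[requestedMenu] };
}
```

A log entry on every 403 from the second function is the cheapest detection for this class of tampering, since a normal browser never requests a menu id other than the one its role maps to.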
Thanks!
Useful tutorial.
Thank you for the tutorial. I find it very useful. I have enabled the second LAN 2 port and I will test it to see if it works in the future. Or maybe I can switch it to bridge mode and connect the old router.
So I have checked LAN 2 and it is only working at 100 Mbps. Pretty good if you need it for a Raspberry or TV. In the end I switched it to bridge mode and use my Gigabit router.
Hi,
Did you manage to configure just the LAN 2 port in bridge mode?
Thanks.
Is there a more "detailed" step by step on how to do it? For dummies like me.
Oh, I got access but it's not admin. Is there any way to find out the admin user/password?
I haven't tried to find the default admin login or password. It probably requires access to the filesystem and some way of decoding the "/etc/shadow" file. Or perhaps the password is hardcoded in the CGI scripts.
Hi, I'm currently looking for 2.xml, will you be able to send it over to me please?
wagulo@gmail.com, TIA
https://pastebin.com/VRpsMgcw
I can't access it anymore as admin. Has something changed in the last few days or is it just me? Or maybe it has to do with the fact that I changed the login "user" and "pass"?
The router might reset to its default user and password after a reset.
Hello,
I have tried exactly what you said ('setting a breakpoint just before Frame.show() and setting curUserType to "2" will load the admin version of the UI') but it returns an error and the menu/website is empty:
https://imgur.com/Rx9oq8V
https://imgur.com/a/5qSzD
Greetings from Romania :)
Strange. Perhaps you need to log in once with the normal user then try the breakpoint and set. Can't remember right now and don't have the router on-hand, but I can walk you through it.
Otherwise, just set a breakpoint on the line with the error and see what the "request" object looks like. Just type "request" into the console or mouse over the variable.
I tried that, but with the same result.
If you could help me and maybe guide me through it, that would be great.
I tried to further debug this:
It seems that it cannot load 2.xml(the file you exposed in your article), I even tried manually accessing the 2.xml file link but it redirects me automatically to the login page. The line at which the error occurs contains the following line: this.data = this._getSubMenus(1, request.responseXML.documentElement);
I manually tried to see the contents of the responseXML array, setting curUserType=1 and curUserType=2. It seems like if the variable = 1, then the array contains the menu links, and if the variable = 2, then the array is empty.
Thanks
Try to log in first with the normal user, then try the hack. I think it's user/user or user/digi; it should be written on the modem or the installation piece of paper.
Yep, I did log in first with the normal user. Does it make a difference that I changed the default one? :) See screenshots with all the steps I did with descriptions:
https://imgur.com/a/etnFt
Thanks
I have the same error, exactly like in the screenshot. Ligius, you can remotely enter via TeamViewer on my computer, or on Alex Stockel's PC, to try if you don't have a physical router?
We can perhaps set up a chat at a certain time, let's say Monday 15 Jan at 21:00 CET. For example https://bloochat.com/rb6ms . We can go further from there with TeamViewer.
Any luck resolving this? I'm encountering the same issue as Alex and Vlad. Thanks
The new firmware has fixed this vulnerability.
Hello. I have the same router and the following setup:
1. Android phone connected to WiFi
2. Samsung TV connected to RJ45 (wired LAN) with DLNA
Android phone doesn't see the TV. Any thoughts on this? I guess the LAN ports are filtered?!
PS: same setup but with a different router works.
I've checked it again via VPN, it works. I can make a video/screencast step-by-step but it should be like this:
1) load the page. Open menu_romania.asp. Set a breakpoint on line 26.
2) if you have the default user/password you can log in, skip to step 3.
3) refresh (f5)
4) no user/pass. Load the page, load the menu_romania.js in debugger.
5) Set a breakpoint on line 331. Try to log in with any user.
6) once the script breaks, type checkResult=2 in the console. Hit F8 to resume the script
7) the script should now break in the asp file, line 26. Type curUserType="2"
8) resume (F8)
You should now see the admin menu.
Hi Ligius, I tried to do it with this method but I don't have the menu_romania.js I only have frame_romania.js and it has only 288 lines. I don't know if you can help me.
Hi Ligius,
Same problem here, as explained by Alex R.
Can you kindly make a screencast?
Thanks
Hi, the same problem: we don't have menu_romania.js, just frame_romania.js
Try to save the page: Ctrl+S, "complete", and upload it somewhere so I can take a look at it until I get access to a unit. You can use zippyshare, dropbox or anything else.
Write me at my first name @gmail.com . I need access to one of those "new" routers to figure out if anything's changed. Sorry I haven't had time to respond to all replies, new job.
Hi, Ligius, I have a FiberHome AN5506-04-GG, I want to know how to open the ports for a DVR.
I went with Claudiu over his router, and, after a remotely-pushed update, the vulnerability above is not present anymore.
Hello.
I cannot modify the checkResult variable in the console. It always remains 1, and the login validation fails. Any idea why?
My method does not work anymore on the newly patched routers.
To change the password it is: account_user=admin;account_pwd=123456789&account_pwd2=123456789&btnApply1=Apply&curIndex=0
Your method continues working, but we must add more breakpoints. I did all of these steps before reading your post :( and I tried to do more, I tried to do the requests to change the passwords, but the page that changes the password doesn't work.
The problem is probably that the modem webserver stores some kind of user login identity that is validated before executing this action.
Any help will be much appreciated, and sorry for the poor English.
To create a new user or update the password we need to do a request to
URL: 192.168.1.1/goform/setuser
Body to create a new user is: account_user=newuser;account_pwd=123456789&account_pwd2=123456789&btnApply1=Apply&curIndex=new
Hi, this is from the config file of AN5506-02-F
Hardware version : WKE2.134.321F1G
Software version : RP2624
Minor version : 00.00
Basic part version : BP2624
!usermanage config---------------------------------------------
user add rdsadmin login-password e9c316acd1cf8382adb56b4b491f8754
user role rdsadmin ADMIN enable-password e9c316acd1cf8382adb56b4b491f8754
Maybe someone will understand the password format. It looks like hex... of a hash or something. There are 16 bytes in hex. Can it be AES128?
I do not know what hash this is but I found the password by brute-forcing telnet.
user: rdsadmin
pass: adu#
These credentials are only for the telnet service, and there you can change all the settings of the device. Try not to brick it. (sorry for my bad English.)
Telnet doesn't work for me. Port 23 is closed. How did you get into telnet?
I ran telnet in Windows with the gateway's IP. ( telnet 192.168.1.1 )
In Win10 you have to enable telnet first.
It asked for a user and password. After that, a console interface with all kinds of options is displayed.
For 'brute force' on the user and password there are good tools in Kali Linux.
You have probably found a solution by now.
Any news about a working method? I have a FiberHome AN5506-02-FG, and I've been trying for a while to make the 2nd LAN port work, so I can connect my 2nd PC to it, but without success..
To be able to access the router with telnet you do NOT connect it to the fiber, you connect it ONLY to port 1 with a laptop/desktop, etc.
That's how I managed to reset the router.....
The user and password are OK.
User : rdsadmin
pass : adu#
Hi. Has anyone managed to enable the second port from the command line too? Thanks.
Now if you change the curUserType to 2, the request made for http://192.168.1.1/menu/hgu/romania/voipwifi/sip/2.xml will be redirected by redirect2login.asp to the login page, so the page cannot be built because the response doesn't contain responseXML.
https://imgur.com/a/88iTB0T
Remove the fiber from the router and reset the router; from CMD/TERMINAL enter the router via telnet: telnet 192.168.1.1 23, user: rdsadmin, pass: adu#, type: enable to configure, for commands: list. It helps a lot if you want to clone the serial... and use another router, or switch to Bridge yourselves. Good luck.
RP2646
Superadmin login:
192.168.1.1
USER: f9!6b1e1rhO3es~u!p@e#r$a%d^m*i(n
PASS: s)f_U+h|g{u@5h2o1q0b1l
On the web it is not working: "Username or Password Error!"
Same here...
I did it! I could access using checkResult='0' in the console after the breakpoint in if(parseInt(checkResult) == 1 ). I can see all the files but I couldn't add or change the user/password (or any config like port forwarding)
Hello World, Mr Noob here trying his best to get help from kindhearted people here in this community.
I am using a Fiberhome HG6243C Modem.
Software ver. RP2624
Hardware ver. WKE2.094.278A01
I want to access admin settings kindly help me.
Def. router access is "user" "user1234" which opens only basic settings.
whatsapp: +92 313 190 1000. Please admin don't remove my message. :)
Log in with the normal user, user1234, then after login, in the menu page, add http://ipipipip/management/account_admin.asp; it will display the admin configuration to change the password or to add a new admin user.