
FiberHome AN5506-02-F router hack

I recently had to work with a home fiber router that was supplied by the ISP, the FiberHome AN5506-02-F.

Compared to the previous internet access solution, which was based on a cable modem and required the user to use their own router, the new solution has both advantages and disadvantages. The advantages would be: integrated WiFi, security and firewall. The disadvantages: only one LAN port available (@100Mbps), only 2.4GHz (@150Mbps), outdated software, locked-down interface, no easy way to expose a second router.

The unit is very similar to the AN5506-04 model ( http://flytec.com.py/download/files/AN5506-04F-manual.pdf ), except it has only 2 UTP ports, only 1 phone port and no CATV interface.

Exposing the inner router


To get around the issue of the (old) router not being accessible from outside, the solution is to add that router into the DMZ setting. This is needed for things like web hosting, ftp server, some chat clients, torrents, etc.

You can log in with your supplied standard username and password, no need for admin rights for this. The usual link is http://192.168.1.1 . Write down your old router's MAC address, either from the 'Status -> LAN -> DHCP Clients List' or from its label.

Add the MAC address to the static leases list, just to be sure that the old router will always get the same IP. Might not be needed, but in case something happens you want to be sure that you don't expose the wrong host to the Internet.



Add the IP address from above to the DMZ zone.



Whenever your public IP is accessed, the ports exposed to the outside will be the ones on your old router. Assuming the old one is more secure than the new router, this will also improve security.

There are also other ways to do this, but this one is the easiest. Not a hack, just poorly documented functionality.

Studying the firmware


The router home page uses a framed design, with the left frame (./left.asp) consisting of some hardcoded data and JS includes and the right frame being the active UI.



The hardcoded data is a crude state machine to select a different skin or menu structure based on the ISP values.
"checkResult" is the result of the login, with all values except 1,3,4,6,11 being accepted. So you can set it to 0 or 2 to signal the JS that the user is logged in. The check is only done in one place, utils.js, so you can set a breakpoint at the method entry point and override the value:



Each time the script pauses at that line, you can set the checkResult value to a valid one and press continue; most of the pages will happily load. You can automate this process with a Tampermonkey script, which could override the security function with a dummy one:
web_access_check = function(i){}

We can already see two critical security problems: the security check exists only on the client side, and it is done at a single checkpoint.

Looking further into the request and responses (XHR) I could see that for this version of router/ISP an XML resource is being loaded:




This looks like the menu and submenu layout; it could also have been deduced by looking at the JS code.
Changing 1.xml to 2.xml yields an advanced menu:



Tracing back how this XML is loaded leads us back to another semi-hardcoded page:



Long story short, setting a breakpoint just before Frame.show() and setting curUserType to "2" will load the admin version of the UI.
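
Both checks described above (checkResult in utils.js, and curUserType selecting 1.xml or 2.xml) run in the browser, so they only hold if the device itself decides from its own session state what to serve. The following is an added example of that server-side decision, not code from the router firmware or from this post; the session table, role names, menu paths and the /login target are assumptions made for illustration.

```javascript
// Added example (not firmware code): the server decides from its own session
// state which menu file to serve. Names, paths and sessions are assumptions.
const ROLE_LEVEL = { user: 1, admin: 2 }; // same ordering as curUserType "1"/"2"

// Constructed session table: session id -> role recorded by the server at login.
const sessions = new Map([
  ["sid-user-constructed", { role: "user" }],
  ["sid-admin-constructed", { role: "admin" }],
]);

// Role each menu file requires; any path not listed here is refused.
const MENU_ACL = new Map([
  ["/menu/1.xml", "user"],
  ["/menu/2.xml", "admin"],
]);

// Reject traversal sequences and malformed encodings instead of repairing them.
function normalizePath(rawPath) {
  let p;
  try {
    p = decodeURIComponent(String(rawPath).split("?")[0]);
  } catch {
    return null;
  }
  if (p.includes("..") || p.includes("\\") || p.includes("\0")) return null;
  return p.replace(/\/{2,}/g, "/");
}

// request.checkResult and request.curUserType stand for values a browser can
// set freely; they are deliberately never read when making the decision.
function authorize(request) {
  const path = normalizePath(request.path);
  if (path === null) return { status: 400 };
  const required = MENU_ACL.get(path);
  if (required === undefined) return { status: 404 };
  const session = sessions.get(request.cookieSid);
  if (session === undefined) return { status: 302, location: "/login" };
  if (ROLE_LEVEL[session.role] < ROLE_LEVEL[required]) return { status: 403 };
  return { status: 200, menu: path };
}
```

A commenter below reports that later firmware redirects the 2.xml request to the login page, which corresponds to the deny branches here.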



The exposed menu items are not interesting for a normal user (they don't add features or increase speed or anything else) and can brick the router if modified.

I haven't played much more with this, but I suspect the unit might be susceptible to some basic attacks: directory traversal, RCE, privilege elevation, ...

There are some other topics that are left as an exercise for the reader: switching to different skins and languages, dumping the file system, finding out the admin username/password combo.

Comments

  1. Thank you for the tutorial. I find it very useful. I have enabled the second LAN 2 port and I will test it to see if it works in the future. Or maybe I can switch it to bridge mode and connect the old router.

    Replies
    1. So I have checked LAN 2 and it is only working at 100 Mbps. Pretty good if you need it for a Raspberry or TV. In the end I switched it to bridge mode and use my Gigabit router.

    2. Hi,

      Did you manage to configure just LAN 2 port in bridge mode?
      Thanks.

  2. Is there a more "detailed" step by step on how to do it? For dummies like me.

  3. Oh, I got access but it's not admin. Is there any way to find out the admin user/password?

    Replies
    1. I haven't tried to find the default admin login or password. It probably requires access to the filesystem and some way of decoding the "/etc/shadow" file. Or perhaps the password is hardcoded in the CGI scripts.

  4. Hi, I'm currently looking for 2.xml, will you be able to send it over to me please?

  5. I can't access it anymore as admin. Has something changed in the last few days or is it just me? Or maybe it had to do with the fact that I changed the login "user" and "pass"?

    Replies
    1. The router might reset to its default user and password after a reset.

  6. Hello,

    I have tried exactly what you said ' setting a breakpoint just before Frame.show() and setting curUserType to "2" will load the admin version of the UI.' but it returns an error and the menu/website is empty:
    https://imgur.com/Rx9oq8V
    https://imgur.com/a/5qSzD

    Greetings from Romania :)

    Replies
    1. Strange. Perhaps you need to log in once with the normal user then try the breakpoint and set. Can't remember right now and don't have the router on-hand, but I can walk you through it.
      Otherwise, just set a breakpoint on the line with the error and see what the "request" object looks like. Just type "request" into the console or mouse over the variable.

  7. I tried that, but with the same result.
    If you could help me and maybe guide me through it, that would be great.
    I tried to further debug this:
    It seems that it cannot load 2.xml (the file you exposed in your article). I even tried manually accessing the 2.xml file link but it redirects me automatically to the login page. The line at which the error occurs contains the following line: this.data = this._getSubMenus(1, request.responseXML.documentElement);
    I manually tried to see the contents of the responseXML array, setting curUserType=1 and curUserType=2. It seems like if the variable = 1, then the array contains the menu links, and if the variable = 2, then the array is empty.

    Thanks

    Replies
    1. Try to login first with the normal user, then try the hack. I think it's user/user or user/digi, should be written on the modem or the installation piece of paper.

  8. Yep, I did login first with the normal user. Does it make a difference that I changed the default one? :) See printscreens with all the steps I did with descriptions:
    https://imgur.com/a/etnFt
    Thanks

    Replies
    1. I have the same error, exactly like in screenshot. Ligius, you can remotely enter via teamviewer on my computer, or on Alex Stockel PC to try if you don't have a physical router?

    2. We can perhaps set up a chat at a certain time, let's say Monday 15 Jan at 21:00 CET. For example https://bloochat.com/rb6ms . We can go further from there with TeamViewer.

    3. Any luck resolving this? I'm encountering the same issue as Alex and Vlad. thanks

    4. The new firmware has fixed this vulnerability

  9. Hello. I have the same router and the following setup:
    1. Android phone connected to WiFi
    2. Samsung TV connected to RJ45 (wired LAN) with DLNA
    The Android phone doesn't see the TV. Any thoughts on this? I guess the LAN ports are filtered?!
    PS: same setup but with different router works.

  10. I've checked it again via vpn, it works. I can make a video/screencast step-by-step but it should be like this:
    1) load the page. Open menu_romania.asp. Set a breakpoint on line 26.
    2) if you have the default user/password you can log in, skip to step 3.
    3) refresh (f5)
    4) no user/pass. Load the page, load the menu_romania.js in debugger.
    5) Set a breakpoint on line 331. Try to log in with any user.
    6) once the script breaks, type checkResult=2 in the console. Hit F8 to resume the script
    7) the script should now break in the asp file, line 26. Type curUserType="2"
    8) resume (F8)
    You should now see the admin menu.

  11. Hi Ligius, I tried to do it with this method but I don't have the menu_romania.js I only have frame_romania.js and it has only 288 lines. I don't know if you can help me.

  12. Hi Ligius,
    Same problem here, as explained by Alex R.
    Can you kindly make a screencast?
    Thanks

  13. Hi, the same problem we don't have menu_romania.js just frame_romania.js

    Replies
    1. Try to save the page: Ctrl+S, "complete" and upload it somewhere so I can take a look at it until I get access to a unit. You can use zippyshare, dropbox or anything else.

  14. Write me at my first name @gmail.com . I need access to one of those "new" routers to figure out if anything's changed. Sorry I haven't had time to respond to all replies, new job.

  15. hi, ligius I have a fiberhome an5506-04-gg, I want to know how to open the ports for a dvr

  16. I've gone with Claudiu over his router, and, after a remotely-pushed update, the vulnerability above is not present anymore.

  17. Hello.
    I cannot modify the checkResult variable in the console. It always remains 1, and the login validation fails. Any idea why?

    Replies
    1. My method does not work anymore on the newly patched routers.


  18. to change the password is: account_user=admin;account_pwd=123456789&account_pwd2=123456789&btnApply1=Apply&curIndex=0

    Your method continues working, but we must add more breakpoints. I did all of these steps before reading your post :( and I tried to do more: I tried to make the requests to change the passwords, but the page that changes the password doesn't work.

    The problem is probably that the modem webserver stores some type of user login identity that is validated before executing this action.

    I will appreciate any help so much, and sorry for the poor English.


    To create a new user or update the password we need to do a request to

    URL: 192.168.1.1/goform/setuser

    Body to create a new user is: account_user=newuser;account_pwd=123456789&account_pwd2=123456789&btnApply1=Apply&curIndex=new

  19. Hi, this is from config file of AN5506-02-F
    Hardware version : WKE2.134.321F1G
    Software version : RP2624
    Minor version : 00.00
    Basic part version : BP2624


    !usermanage config---------------------------------------------
    user add rdsadmin login-password e9c316acd1cf8382adb56b4b491f8754
    user role rdsadmin ADMIN enable-password e9c316acd1cf8382adb56b4b491f8754

    Maybe someone will understand the password format. It looks like hex... of a hash or something. There are 16 bytes in hex. Can it be AES128?

    Replies
    1. I do not know what hash this is but I found the password by bruteforce telnet.
      user: rdsadmin
      pass: adu#

      These credentials are only for the telnet service, and there you can change all the settings of the device. Try not to brick it. (Sorry for my bad English.)

    2. Telnet doesn't work for me. Port 23 is closed. How did you get in via telnet?

    3. I ran telnet in Windows with the gateway's IP. ( telnet 192.168.1.1 )
      In Win10 you have to enable telnet first.
      It asked for a user and password. After those, a console interface with all sorts of options is displayed.
      For 'brute force' on the user and password, there is good software in Kali Linux.
      You have probably found a solution by now.

  20. Any news about a working method? I have a fiberhome an5506-02-fg, and I've been trying for a while to make the 2nd LAN port work, so I can connect my 2nd PC to it, but without success..

  21. This comment has been removed by the author.

  22. To be able to access the router via telnet, do NOT connect it to the fiber; connect it ONLY on port 1 to a laptop/desktop, etc.
    That is how I managed to reset the router.....
    The user and password are OK.
    User : rdsadmin
    pass : adu#

  23. Hi. Has anyone managed to enable the second port as well from the command line? Thanks.

  24. Now if you change the curUserType to 2, the request made for http://192.168.1.1/menu/hgu/romania/voipwifi/sip/2.xml will be redirected by redirect2login.asp to the login page, so the page cannot be built because the response doesn't contain responseXML.
    https://imgur.com/a/88iTB0T

  25. Unplug the fiber from the router and reset the router; from CMD/TERMINAL, connect to the router via telnet: telnet 192.168.1.1 23 user: rdsadmin pass: adu# type: enable to configure, and for commands, list. It helps a lot if you want to clone the serial... and use a different router, or switch to Bridge yourselves. Good luck.

  26. This comment has been removed by the author.

  27. RP2646

    Superadmin login:
    192.168.1.1
    USER: f9!6b1e1rhO3es~u!p@e#r$a%d^m*i(n
    PASS: s)f_U+h|g{u@5h2o1q0b1l

    Replies
    1. On web is not working "Username or Password Error!"

  28. I did it! I could access using the checkResult='0' on console after the break point in if(parseInt(checkResult) == 1 ). I can see all the files but I couldn't add or change the user/password (or any config like port forwarding)

  29. Hello World Mr Noob here trying his best to get help from kindhearted people here in this community.
    I am using Fiberhome HG6243C Modem.
    Software ver. RP2624
    Hardware ver. WKE2.094.278A01
    I want to access admin settings kindly help me.
    Def. router access is "user" "user1234" which opens only basic settings.
    whatsapp: +92 313 190 1000. Please admin don't remove my message. :)

    Replies
    1. login with normal user , user1234 then after login in menu page add http://ipipipip/management/account_admin.asp it will display admin configuration for change password or to add new admin user.

