A security researcher has found a bug in a router used by Irish ISPs that could enable an attacker to gain full control of the modem from the internet.
This is not the first time that bugs have been found in Eir modems. Previous firmware versions were vulnerable to CVE-2014-9222, the “Misfortune Cookie” bug. The bug was patched in firmware version 2.00(AADU.5)D0 in 2015.
In a blog post by security researcher Kenzo2017, a D1000 modem router, used by Ireland's largest ISP Eir, could be used to hack into internal computers on the network, as a proxy host to hack other computers or even as a bot in a botnet.
“A port scan of the modem revealed that it has one TCP port exposed to the Internet, port 7547. Port 7547 is running as part of the TR-069 protocol,” said Kenzo2017. The router also runs a TR-064 server, which allows the ISP to configure the modem from the installation software supplied with it.
“The protocol is not supposed to be accessed from the WAN side of the modem but in the D1000 modem, we can send TR-064 commands to port 7547 on the WAN side. This allows us to ‘configure’ the modem from the Internet,” the researcher added.
Commands sent to this server can retrieve the wireless security keys and set up an NTP server entry that disables the firewall and exposes the admin interface on port 80.
“By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall. This allows access to the web administration interface from the Internet-facing side of the modem. The default login password for the D1000 is the Wi-Fi password. This is easily obtained with another TR-064 command,” said the researcher.
The researcher said that older routers blocked port 7547 to every IP address except the IP addresses of the ISP's management servers, but this safeguard was somehow overlooked on the newer routers.
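The safeguard described above (port 7547 reachable only from the ISP's management servers) can be both verified and re-applied on a router or upstream firewall. The following is an added example, not code from the page, the researcher or Eir: it parses constructed firewall log lines for WAN-side connections to TCP/7547 from anything outside a hypothetical ISP management prefix, and renders the equivalent iptables allowlist. The log format, interface names and prefixes are assumptions.

```python
import ipaddress
import re

# Constructed sample log lines in a netfilter-style format (assumed, not from the page).
SAMPLE_LOG = """\
2016-11-15T10:01:02Z IN=wan SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP DPT=7547
2016-11-15T10:01:05Z IN=wan SRC=198.51.100.77 DST=192.0.2.5 PROTO=TCP DPT=7547
2016-11-15T10:02:09Z IN=lan SRC=192.168.1.20 DST=192.0.2.5 PROTO=TCP DPT=7547
2016-11-15T10:02:30Z IN=wan SRC=198.51.100.78 DST=192.0.2.5 PROTO=TCP DPT=443
"""

# Hypothetical ISP management (ACS) prefixes: the only legitimate WAN-side sources for 7547.
ACS_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
CWMP_PORT = 7547  # TR-069 connection-request port; the TR-064 server is reached through it here

LOG_RE = re.compile(r"IN=(?P<iface>\S+) SRC=(?P<src>\S+) .*PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)")


def parse_line(line):
    """Extract interface, source, protocol and destination port; None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_source(src, allowlist=ACS_ALLOWLIST):
    """True when the source address lies inside one of the management prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowlist)


def find_unexpected_cwmp(log_text, wan_iface="wan"):
    """Return WAN-side source IPs reaching TCP/7547 that are not ISP management servers."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["iface"] != wan_iface or rec["proto"] != "TCP":
            continue
        if rec["dport"] == CWMP_PORT and not is_allowed_source(rec["src"]):
            hits.append(rec["src"])
    return hits


def render_wan_acl(allowlist=ACS_ALLOWLIST, wan_iface="wan"):
    """Render iptables rules reproducing the older-firmware behaviour: ACS prefixes only, drop the rest."""
    rules = [f"iptables -A INPUT -i {wan_iface} -p tcp --dport {CWMP_PORT} -s {net} -j ACCEPT"
             for net in allowlist]
    rules.append(f"iptables -A INPUT -i {wan_iface} -p tcp --dport {CWMP_PORT} -j DROP")
    return rules
```

Any address reported by find_unexpected_cwmp is a WAN-side host that would have been blocked by the older firmware's rule; the rendered ACL is what a router or upstream firewall needs until the vendor patch is installed.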
The researcher also said that there are other bugs in the router's software, but these were quietly patched by the ISP. They warned that the Eir routers were also being used on other ISP networks not managed by Eir and therefore were unlikely to have firmware patches applied to them to fix the problem.
The vulnerability was confirmed by another security researcher, Darren Maryn, aka Bobby ‘Tables, in a Twitter post.
“Well shit. In this screenshot, we have exploitation over LAN. It also works over WAN, but not wanting to disclose my DDoS digits ;) pic.twitter.com/1KrR2s9kMj” — Bobby ‘Tables (@info_dox), November 15, 2016
A spokesman for Zyxel told SCMagazineUK.com that Zyxel has sent a firmware patch to Eir to fix the bug and is currently waiting for feedback from the ISP.
Stephen Gates, chief research intelligence analyst at NSFOCUS, told SC that, from searching on Shodan, he found nearly 4.5 million internet-connected devices running the RomPager web server with port 7547 exposed to the Internet, many of them outside the Irish Republic.
“Not all of them may be vulnerable. However, to the right hacker, 4.5 million devices could generate a DDoS attack with unprecedented volumes of traffic. Widening the search criteria on Shodan, when searching for any device with port 7547 exposed, the search returns with 36 million devices running port 7547,” he said.