Hacking again Pirelli routers: ADB Pirelli P.DG A4000N deployed by MEO Portugal
A few months after the CVE-2015-0558 full disclosure, I was contacted by our reader Kara Davis, who had identified the same WPA key generation algorithm in the model P.DG A4000N, distributed by the Portuguese ISP MEO. Such routers can be recognized by their ESSID and MAC addresses: the ESSIDs normally follow the pattern ADSLPT-ABXXXXX and the MAC addresses correspond to the Pirelli brand. When I verified the information, I took the chance to dump the firmware and see whether the old vulnerabilities (CVE-2015-0554, CVE-2015-0558) were also in there. From testing and evidence we concluded that the existing PoC could also generate the default WPA password for this model. Only simple changes had to be implemented, such as generating from a different MAC address interface and reducing the length from 10 to 8 characters. However, the algorithm used was evidently the same as in the P.DG A4001N distributed by Arnet in Argentina. Kara Davis and I agreed on a responsible disclosure and decided to investigate further.
First of all, we dumped the firmware image from the router via an OS command injection in the telnet service. After we managed to do so, the same algorithm was eventually found in there. On top of that, the same unauthorized access was discovered as well. This router likely has plenty of other vulnerabilities too; we simply decided to stop with this model. Summarizing, the router P.DG A4000N deployed by MEO Portugal presents the following flaws:
Weaknesses on the default WPA key generation algorithm
OS command injection through the telnet service concluding with root in the box
Unauthorized access to almost all the HTML code
Problems and models affected
I wanted to do a responsible disclosure, so I contacted the Portuguese ISP MEO and was surprised by a quick reply via Twitter telling me to forward the details to a specific person, which I immediately did. Unfortunately, since that day I am still waiting for a reply. ADB/Pirelli and Arnet have been aware of the vulnerability since 2014. Eventually, I decided to do a full disclosure for the newly identified model to speed up fixing the problem and/or replacing the affected routers in order to avoid intrusions. Once again, neither the ISPs nor the manufacturer have shown interest in discussing the problem after several contacts.
The vulnerability is considered quite serious: a malicious attacker within WiFi range can calculate the default password, gain access to the network, and compromise and use it for malicious purposes.
I strongly recommend everyone using affected units to immediately change their default WPA password.
The models identified as vulnerable are:
P.DG A4001N – SSID: Wifi-Arnet-XXXX – Arnet Argentina
P.DG A4000N – SSID: ADSLPT-ABXXXXX – MEO Portugal
More countries will be disclosed soon. Pirelli has made the same mistake around the world. http://ednolo.alumnos.upv.es/?p=2008
The new version of the WPAmagickey app will be published soon; for now the beta testers are playing with it.
PS: As always, I will have put my foot in it somewhere.