Bienvenido(a), Visitante. Por favor, ingresa o regístrate.
¿Perdiste tu email de activación?
23-09-2017, 22:00 (S?bado)
Inicio Ayuda Reglas Buscar Ingresar Registrarse
Noticias:
Liberada wifislax64-1.1 version final para descargar

Videos Downloader




+  Seguridad Wireless - Wifi
|-+  Desarrollo de scripts y aplicaciones
| |-+  Desarrollo, Comunicados y noticias
| | |-+  CVE-2015-0558: default WPA key generation algorithm for Pirelli routers
0 Usuarios y 1 Visitante están viendo este tema. « anterior próximo »
Páginas: [1] Ir Abajo Imprimir
Autor Tema: CVE-2015-0558: default WPA key generation algorithm for Pirelli routers  (Leído 31694 veces)
buckynet
Colaborador
*
Desconectado Desconectado

Mensajes: 540


Ver Perfil
« : 06-01-2015, 01:27 (Martes) »

CVE-2015-0558: default WPA key generation algorithm for Pirelli routers


A couple of years ago whether I do not remember badly, I was doing reverse engineering in some Spanish routers deployed by Pirelli as well. After I extracted the firmware and found out a suspicious library with many references to key generation’s functions. Unfortunately, I could not recover the algorithm itself. Principally, because those routers were not using the same algorithm  for generating default keys and simply because such algorithm was not explicitly there. Shit happens!  However, as I could not reveal the algorithm then decided to try another way to recover keys. Eventually, I realised that these routers were vulnerable to unauthorized and unauthenticated remote access and any adversary could fetch HTML code from our public IP address. Plenty of HTMLs were able to be downloaded without any restriction, meaning a huge leakage. Being vulnerable to a bunch of evil attacks. This  remote information disclosure can be seen on this CVE-2015-0554. On the other side, I do not know whether Argentinian routers are also vulnerable to this vulnerability. Feel free to try it out and let me know too.

Just to see how easy was to achieve those keys in the HomeStation(essids-like WLAN_XXXX)  in Spain, a simple curl command was enough:

Today I am gonna explain how I reverse engineered a MIPS library in order to recover the default WPA key generation algorithm for some Argentinian routers deployed by Pirelli.  Concretely the router affected is the model P.DG-A4001N.  First of all, I am neither Argentinian nor live there. Nevertheless, accidentally  I observed some stickers from Pirelli routers in a random forum and as an user had already publicly published the firmware for those routers then I decided to give a try.  As I still remembered the file where I dug into for the Spanish routers,  I rapidly tried to recover the algorithm in these routers. Next writing is the way I followed until to achieve it.

Reverse-engineering the default key generation algorithm

In this section, we are going to reverse engineer a MIPS library, /lib/private/libcms.core,  found out in the firmware itself.  First of all, let us comment that the firmware was extracted for another user (fernando3k) and subsequently extracted by using Binwalk and firmware-mod-kit. Once was mounted into our system, we found out a function called generatekey. As you have seen,  symbols have not been removed in binaries and external function names are still there because dynamic compilation. This help us a lot in our reverse engineering task.  On top of that, we rapidly saw how this function was calling to another one called generatekey_from_mac. At this moment, I decided to give a go to this challenge. Before get started, IDA Pro can help us with the cross references (Xrefs to-from in IDA Pro) between functions. Let’s see how functions are called in the library. (Zoom pictures in to see properly)
Really looking great! Now let’s look at the cross references. We have figured out some tips:
   
Problems

Since I attempted to do a responsible disclosure and neither ADB Pirelli nor Arnet Argentina were interested to discuss the problem, I have finally decided to do full disclosure to speed up the process of fixing. It looks like the only way with some vendors, just enforce them to replace routers for avoiding intrusions. Many things can happen whether your router with SSID Wifi-Arnet-XXXX has the default password. For your information, default passwords are located in a sticker at the bottom of routers. If you are owner of these networks, please change your password as soon as possible. You should always change the default passwords, though.

An adversary, within of the wifi range,  could access to your network and commit any sort of fraud. Be safe and change the passwords right now!
Timeline

2014-09-11  Found the algorithm
2014-09-12  Send a message to @ArnetOnline via Twitter @enovella_
2014-09-15  Send a message via website, still looking for a simple mail
2014-09-16  Send another message to Arnet via website.First reply via twitter where they redirect me to the website form.
2014-09-19  Direct message via twitter. I talk with them about the critical vulnerability and offer them an email with PGP key
2014-09-20  More twitter PM about the same. They do not want to be aware about the problem though.
2014-09-23  I assume that Arnet does not care about its clients’ security at all regarding its little interest.
2014-09-24  I send the problem to the vendor ADB Pirelli via website form
2014-09-28  I send the problem to the vendor ADB Pirelli via email to Switzerland
2015-01-05  Full disclosure
Proof-of-concept

This proof-of-concept and many Pirelli default key generation algorithms might be found at my Bitbucket repository. I hope you can use them. Also a copy&paste of the first version can be looked at below.

All information  Angry Angry
http://ednolo.alumnos.upv.es/?p=1883

Thanks Dudux Grin Eduardo Novella @enovella_
En línea
buckynet
Colaborador
*
Desconectado Desconectado

Mensajes: 540


Ver Perfil
« Respuesta #1 : 06-01-2015, 01:30 (Martes) »

Muy guenas a tod@s !!!

Publicada nueva version de app para android con el nuevo algoritmo WPAmagickey v1.5.  Azn

<a href="http://www.youtube.com/watch?v=8UXB6rmvwzU" target="_blank">http://www.youtube.com/watch?v=8UXB6rmvwzU</a>

http://WPAmagickey.blogspot.com
http://Buckynet.blogspot.com

Un saludo.

PD: Como siempre, en algo, habre metido la pata.
« Última modificación: 06-01-2015, 01:33 (Martes) por buckynet » En línea
vk496
*******
Desconectado Desconectado

Mensajes: 2192



Ver Perfil WWW
« Respuesta #2 : 06-01-2015, 01:40 (Martes) »

Me encanta como lo hacen... Ojala llegue a tener esos conocimientos y habilidades algún día

Salu2
En línea
USUARIONUEVO
Colaborador
*
Desconectado Desconectado

Mensajes: 13730



Ver Perfil
« Respuesta #3 : 06-01-2015, 01:52 (Martes) »

Código:
git clone https://dudux@bitbucket.org/dudux/adbpirelli.git


alli encontrareis el fichero en python

Código:
wifiarnet.py

 Angry
« Última modificación: 06-01-2015, 01:52 (Martes) por USUARIONUEVO » En línea

Páginas: [1] Ir Arriba Imprimir 
« anterior próximo »
Ir a:  


Ingresar con nombre de usuario, contraseña y duración de la sesión

Las cookies de este sitio web se usan para personalizar el contenido y los anuncios, ofrecer funciones de redes sociales y analizar el tráfico. Además, compartimos información sobre el uso que haga del sitio web con nuestros partners de redes sociales, publicidad y análisis web, quienes pueden combinarla con otra información que les haya proporcionado o que hayan recopilado a partir del uso que haya hecho de sus servicios
Si continúa navegando consideramos que acepta su uso. OK Más información | Y más
Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines
SMFAds for Free Forums