CVE-2015-0558: default WPA key generation algorithm for Pirelli routers
A couple of years ago whether I do not remember badly, I was doing reverse engineering in some Spanish routers deployed by Pirelli as well. After I extracted the firmware and found out a suspicious library with many references to key generation’s functions. Unfortunately, I could not recover the algorithm itself. Principally, because those routers were not using the same algorithm for generating default keys and simply because such algorithm was not explicitly there. Shit happens! However, as I could not reveal the algorithm then decided to try another way to recover keys. Eventually, I realised that these routers were vulnerable to unauthorized and unauthenticated remote access and any adversary could fetch HTML code from our public IP address. Plenty of HTMLs were able to be downloaded without any restriction, meaning a huge leakage. Being vulnerable to a bunch of evil attacks. This remote information disclosure can be seen on this CVE-2015-0554. On the other side, I do not know whether Argentinian routers are also vulnerable to this vulnerability. Feel free to try it out and let me know too.
Just to see how easy was to achieve those keys in the HomeStation(essids-like WLAN_XXXX) in Spain, a simple curl command was enough:
Today I am gonna explain how I reverse engineered a MIPS library in order to recover the default WPA key generation algorithm for some Argentinian routers deployed by Pirelli. Concretely the router affected is the model P.DG-A4001N. First of all, I am neither Argentinian nor live there. Nevertheless, accidentally I observed some stickers from Pirelli routers in a random forum and as an user had already publicly published the firmware for those routers then I decided to give a try. As I still remembered the file where I dug into for the Spanish routers, I rapidly tried to recover the algorithm in these routers. Next writing is the way I followed until to achieve it.
Reverse-engineering the default key generation algorithm
In this section, we are going to reverse engineer a MIPS library, /lib/private/libcms.core, found out in the firmware itself. First of all, let us comment that the firmware was extracted for another user (fernando3k) and subsequently extracted by using Binwalk and firmware-mod-kit. Once was mounted into our system, we found out a function called generatekey. As you have seen, symbols have not been removed in binaries and external function names are still there because dynamic compilation. This help us a lot in our reverse engineering task. On top of that, we rapidly saw how this function was calling to another one called generatekey_from_mac. At this moment, I decided to give a go to this challenge. Before get started, IDA Pro can help us with the cross references (Xrefs to-from in IDA Pro) between functions. Let’s see how functions are called in the library. (Zoom pictures in to see properly)
Really looking great! Now let’s look at the cross references. We have figured out some tips:
Since I attempted to do a responsible disclosure and neither ADB Pirelli nor Arnet Argentina were interested to discuss the problem, I have finally decided to do full disclosure to speed up the process of fixing. It looks like the only way with some vendors, just enforce them to replace routers for avoiding intrusions. Many things can happen whether your router with SSID Wifi-Arnet-XXXX has the default password. For your information, default passwords are located in a sticker at the bottom of routers. If you are owner of these networks, please change your password as soon as possible. You should always change the default passwords, though.
An adversary, within of the wifi range, could access to your network and commit any sort of fraud. Be safe and change the passwords right now!
2014-09-11 Found the algorithm
2014-09-12 Send a message to @ArnetOnline via Twitter @enovella_
2014-09-15 Send a message via website, still looking for a simple mail
2014-09-16 Send another message to Arnet via website.First reply via twitter where they redirect me to the website form.
2014-09-19 Direct message via twitter. I talk with them about the critical vulnerability and offer them an email with PGP key
2014-09-20 More twitter PM about the same. They do not want to be aware about the problem though.
2014-09-23 I assume that Arnet does not care about its clients’ security at all regarding its little interest.
2014-09-24 I send the problem to the vendor ADB Pirelli via website form
2014-09-28 I send the problem to the vendor ADB Pirelli via email to Switzerland
2015-01-05 Full disclosure
This proof-of-concept and many Pirelli default key generation algorithms might be found at my Bitbucket repository. I hope you can use them. Also a copy&paste of the first version can be looked at below.
All information http://ednolo.alumnos.upv.es/?p=1883
Eduardo Novella @enovella_