Multiple Vulnerabilities Found In FiberHome HG6245D Routers
Multiple vulnerabilities have been discovered in the firmware of a popular FiberHome HG6245D router, widely deployed across South America and Southeast Asia.
In a report published last week, security researcher Pierre Kim said he identified a large collection of security issues with FiberHome HG6245D and FiberHome RP2602, two FTTH ONT router models developed by Chinese company FiberHome Networks.
Kim detailed a long list of backdoors and vulnerabilities he discovered on the device, which he claims attackers could abuse to take over ISP infrastructure. These issues include:
- A backdoor mechanism allows an attacker to use the device’s MAC address to initiate a Telnet connection to the router by sending a specially crafted HTTPS request [https://[ip]/telnet?enable=0&key=calculated(BR0_MAC)].
- Passwords and authentication cookies for the admin panel are stored in cleartext in HTTP logs.
- The management interface is secured through a hardcoded SSL certificate stored on the device that can be downloaded and used for MitM and other attacks.
- The web server (management panel) includes a list of 22 hardcoded credentials, which Kim believes were added and in use by different internet service providers.
- The firmware also includes hardcoded credentials for managing the device via the TR-069 protocol.
- There are also credentials in the webserver binary that are encrypted. However, the XOR key to decrypt them is also in the binary, rendering their encryption useless. As Kim notes, this is the same XOR key used in the firmware of C-Data devices, also impacted by similar backdoor issues.
- A hardcoded root password for a Telnet server is also included. This server is disabled by default, though.
- The firmware also includes different sets of hardcoded credentials for a low-level Telnet account. Kim found four.
- A privilege escalation vulnerability in the Telnet daemon allows attackers to escalate their privileges to root level.
- The Telnet authentication can also be bypassed entirely, via two different methods.
- A denial-of-service bug can be used to crash Telnet entirely.
- Furthermore, various passwords for other router services are stored in cleartext inside the firmware or the router’s NVRAM.
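Why the XOR item in the list above offers no protection, shown as an added Python example that is not taken from Kim's report or from the FiberHome firmware: a firmware-audit check that tries every printable string in an image as a repeating XOR key against the non-printable strings stored beside it. The image, key and credential are constructed, and the check assumes NUL-terminated strings obfuscated from key offset 0.

```python
import re

PRINTABLE = re.compile(rb"[\x20-\x7e]+")  # printable ASCII only

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and recovers."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def audit_image(image: bytes, min_len: int = 8):
    """Return (key, recovered_text) pairs found inside one firmware image.

    Heuristic: every printable NUL-terminated string is a candidate key,
    every non-printable one a candidate obfuscated secret. A pair is
    reported when XOR turns the secret into fully printable text.
    Assumption: obfuscation starts at key offset 0.
    """
    chunks = [c for c in image.split(b"\x00") if len(c) >= min_len]
    keys = [c for c in chunks if PRINTABLE.fullmatch(c)]
    blobs = [c for c in chunks if not PRINTABLE.fullmatch(c)]
    return [(k, xor_bytes(b, k)) for k in keys for b in blobs
            if PRINTABLE.fullmatch(xor_bytes(b, k))]

# Constructed sample, not taken from any real firmware.
SAMPLE_KEY = b"EXAMPLE-KEY-0001"
SAMPLE_SECRET = b"demo-user:demo-pass"

def build_sample_image() -> bytes:
    """Assemble a small fake image: header, path, key, junk, obfuscated secret."""
    parts = [b"\x7fELF\x02\x01\x01", b"/usr/sbin/httpd", SAMPLE_KEY,
             b"\xde\xad\xbe\xef\xca\xfe\xba\xbe\x90\x90",
             xor_bytes(SAMPLE_SECRET, SAMPLE_KEY)]
    return b"\x00".join(parts) + b"\x00"

if __name__ == "__main__":
    for key, text in audit_image(build_sample_image()):
        print(f"key {key!r} recovers {text!r}")
```

Any pair this check reports means the stored secret is effectively cleartext to anyone holding the image, so it belongs in the same finding class as the hardcoded credentials listed above.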
Based on the number and nature of the hardcoded backdoor accounts he discovered inside the device’s firmware, Kim said that he believes “that some backdoors have been intentionally placed by the vendor.”
Kim said he found these issues in January 2020 and notified the vendor. The researcher couldn’t determine if any bugs have been patched as he hasn’t tested newer versions of the firmware since then.
The researcher also warns that the same backdoor and vulnerability issues could affect other FiberHome models, because most vendors tend to reuse or only slightly edit firmware between different production series.