So, my name is Pedro Joaquin and I will be talking about some recent attacks and vulnerabilities on the 2Wire Residential Gateway. First of all, some info about me. I was born on Cozumel Island, which is in the Mexican Caribbean, near Cancun. I have worked as a forensic investigator, malware analyst and incident responder. My personal webpage is hakim.ws, and my forums, which I opened about eight years ago, are underground.org.mx. Over the past few years I have been researching residential router vulnerabilities, focusing primarily on the 2Wire Residential Gateway.

This is the 2Wire Residential Gateway, like the one I brought right here. It's a modem and router which has different functions such as firewall capabilities, home networking and many others. It also comes in black, and it's available in many different countries. Actually, yesterday we went limo wardriving and we saw many 2Wires around here also. Of course, it's provided by many different providers, including Telmex in Mexico, which is where I based all my research. In Mexico we used to have only one telecommunications company; it was a big monopoly. Up until recent years, some other companies have tried to enter the market, but primarily Telmex has the most users in Mexico, and this is their main device for connecting to the Internet.

I'm going to talk about vulnerabilities in the web interface of the 2Wire modem: typical cross-site request forgery, authentication bypass, some denials of service and others. This is the web interface of the modem. As you can see, it's pretty simple: the firewall, the home networking, and, I don't know if you can see it, but the speed is almost four megabytes. That is the fastest DSL speed a corporate user in Mexico can get. A home user can only get about three megabytes, and they never actually give you that speed. It's about $90 a month.
Well, to enter this configuration interface you can use the default IP or the default domain, which is gateway.2wire.net. There's also an advanced configuration interface, the Management and Diagnostic Console. It has several advanced functions, including a DNS name table, which acts just like a normal hosts table in any operating system: it points a domain to a specific IP.

Of course, all of these vulnerabilities are client-side, which means that you have to force the client to perform a request to the modem in order to change certain configuration. There are many ways of doing this. The typical ways are by sending some kind of file or by having the victim visit a web page, which itself has many variations. But that's not the scope of this presentation, so I'll just go on.

The first vulnerability I'm going to talk about is cross-site request forgery. You can see from the first example that it's pretty simple. What it does is disable the wireless encryption. So if you have WEP or WPA or whatever, you visit a web page and it gets disabled. The second one is the popular one. What it does is add a domain to the host table. I have a quick video here; let's see if it works. It's a simple demonstration. I'm trying to look up the domain prueba.hola, and it doesn't exist. So I visit this malicious web page, which actually only contains an HTML image tag with the code I just showed you, and the domain gets added to the host table. So the next time you try to resolve the domain, you get the IP.

Of course, I tried telling 2Wire and my provider about this, and I got no response. So I made it public, and in about a month it got around 50,000 views. And of course, it was used in the wild to perform router pharming. This is a typical example, which is quite funny, because you got an email which had HTML in it from a greeting card service, right? The greeting card service's name is gusanito.com, which actually means "little worm".
The domain gusanito actually exists, and it's for greeting cards. The email contained HTML code with the typical image tag that redirected the domain Banamex to that IP. Banamex is one of the largest banks in Mexico. Symantec reported this as being the first case of drive-by pharming. Their example showed, of course, a fake email that came from a known news agency in Mexico, and when you click the link it sends you to a web page, and on that web page you get your router pharmed. The next time you try to access Banamex, you go to the fake website. The only kind of response I got from my provider was that right now you can download from their site a router DNS cleaning guide. But it suggests that you remove the domain Banamex from your router, and also my domain.

But thankfully this got patched. Well, not thankfully, because actually the patch opened a bigger vulnerability. We thought that if you had a password set in your modem you were fine, because in order to perform the request you needed a valid session. So it was easy to just create a page that forced you to set a password. This page was so good at setting a password that it even set the password if one was already set. So all the routers that had a password set, and which we thought were safe, well, with the patch, now they are all vulnerable. But this got patched two or three months after that. So we thought that there was no other way to reset the password except for the real function for resetting the password, which was, oh well.

This was also used in the wild. For example, in the attack for the authentication bypass they used a Shockwave Flash file. You know the classic "skip intro" page, the main intro page for any website? That animation, that Flash, contained the code to change the password to admin. And then inside the page there was another Flash animation that did the cross-site request forgery, the pharming.
So we thought there was no other way to reset the password except for the real function, which consisted of using the WEP key, the default WEP key, in order to change the password. You can see from the images that on one page they call it the system code. It's really small, but it says "system code". And on another page, the exact same system code is the default WEP key. I'm going to show you how to obtain the default WEP key. Very easy, in a few minutes. But this has been changed in modern versions of the firmware. And of course, the password reset with the WEP key was used in the wild. This is a very complete tool for hacking 2Wire modems; I'm only showing the part where it resets the password by using the WEP key.

There are also denials of service. For example, the first one is from around three years ago. It was published by a friend, and it reboots the complete device. The second one I found a few months ago, and it only resets the DSL connection. Let's try it. I'm going to tell you this was published about three years ago on BugTraq, so everybody knows about this. So you can see the modem has two steady green lights. Now it turned into a blinking red light. You can see how easy it was to perform the denial of service, but guess what? There are also tools to perform this denial of service. Why? I don't know, because it's really easy. I guess these people just have a lot of free time or something. And of course, it still works, and there are many. I'm just showing you this so you know how widespread the knowledge of this vulnerability is.

Cross-site scripting. There are many, all over the place. I'm not even going to go into details. But the second place I checked was the device's name, and it has a persistent cross-site scripting. But who cares, right? Oh, this one is a good one. It's a configuration disclosure vulnerability. It was first published as being a "magic URL".
This magic URL contains the complete router configuration, including very important information in plain text, such as the DSL credentials, wireless, MAC and other information. The guy that published this never gave away the complete URL. He always said that in order to obtain it you had to sniff the communications when you installed the provider software, which is pretty good.

Oh, remember that cross-site scripting nobody cared about? Well, you can use this cross-site scripting in order to remotely, client-side of course, obtain the complete configuration of the modems. You can see the code here. First, I try to see where the web interface is by trying to load an image from the IP, and if that doesn't work, I then try loading it from the default domain name. Then I get the page, cut it into little chunks, and send it via GET requests, which is kind of loud, well, noisy, but I don't care. It works.

So, I'm going to show you a video about this also. Here is the web interface. We visit a page, and you can see it makes some connections to the modem. For the demo I made some alert boxes, so you can see how it pops your username and your password for the DSL connection in clear text. Then you can see the ESSID and also the custom key; it doesn't matter if it's WPA or WEP. There's also some information about the modem, such as the MAC address, firmware version, et cetera, and other stuff as well. And of course, it logs it on the server. No, there it is.

So these were all known vulnerabilities, well, public vulnerabilities. The following one I found about three months ago. I tried contacting 2Wire three months ago, but I got no... Well, I tried to get a private email in order to report this, but they wanted me to post it on their support page or something. So I just waited, and about three weeks ago I told them again about this vulnerability, and I got no response.
So a week ago I sent them the complete advisory, including the videos and everything, and the only response I got was that the status of the ticket changed to "escalated", but that's about it. I didn't get anything. So this works like the typical H04 page that I told you about, which changes the password even if the password is set. So here we are trying to get into the interface of the modem. When we try to get into the advanced interface, it asks for a password. So we try "2Wire" as the password. No, the password isn't correct. So we go to our page and put "2Wire" everywhere. And that's it.

But of course, if you change somebody's password, well, the next time somebody wants to configure the modem they probably won't know about my CD35 page, and they won't be able to set a new password. So you might as well just delete the password by using a really long password with more than 512 characters. The next time the person tries to access the modem, they will be prompted by our friendly H04 page to set a new password. Let me make sure. It doesn't let me go into the Management and Diagnostic Console; the "2Wire" password isn't correct. So we try our long URL. Oh, here, wait. Yeah, I wanted to show you this. It says, "if password protection is enabled, enter new password". It's kind of weird. So there we are trying to access it from another session, and there's our H04 page asking us to set a new password. And that's it.