Remote Code Execution by reverse engineering an Askey Wifi-Extender

This blog highlights bugs and observations found in the WiFi-extender Askey AP4000W during an Improsec “Nerd Day”. Found bugs are reported to the vendor according to our Responsible Disclosure Policy, but this time in close collaboration with TDC.

Timeline:

  • The vulnerability and observations of firmware “AP4100W_TDC_V1.01.003” were disclosed to Askey on 17th of September 2019. No response received.

  • The vulnerability and observations were disclosed to TDC on 27th of September 2019, as we knew they had customers running the product. TDC agreed to contact hardware vendor on behalf of Improsec, collaborate on getting it fixed, and getting customers updated.

  • During December 2019 TDC tested a new firmware from Askey for these devices.

  • Askey closed the insecure FTP-server 17th of December 2019, but we found it to be online again by 2nd of January 2020.

  • TDC confirms that a new firmware has successfully been deployed to all available devices on 28th of January 2020.

  • Insecure firmware FTP-server confirmed to have been secured on the 3rd of February 2020.

CVE registered:

Path to discovery

Connecting to and scanning the device with NMAP showed the following open ports.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

When doing an NMAP service scan, the service running on port 54188 crashed and a reboot was required to bring it back up. A telnet daemon was also seen on port 23, however, no valid passwords were found for the typical users(root/admin/busybox) in the documentation.

Viewing the circuit board showed no visible UART or JTAG interfaces, but reading the model number for each integrated circuit showed that it contained a Winbond 25Q128FV EEPROM 16mb memory chip with SOP8 pinout.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

Remote Code Execution by reverse engineering an Askey Wifi-Extender

By doing a direct EEPROM reading from the Winbond 25Q128FV using a CH341A USB-programmer with a SOIC SOP8 clamp, it was possible to extract raw data from the read-only memory.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

A typical Busybox filesystem was extracted from the the raw data dump by doing multiple runs of Binwalk.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

Insecure firmware server

In the ”/web” directory the web-based administration interface was located in the binary file “status.cgi”. Looking at the decompiled functions in Ghidra showed, that the application used ”wget” to fetch a new firmware from a FTP-server hosted by Askey. The credentials “Askeyfota” with the password “d400fota” were used. The new firmware would be saved to “/tmp/” which according to the ”/etc/fstab” file, would be RAM-mounted as R/W during boot.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

Unfortunately, our analysis also showed, that the provided FTP-credentials had Read and Write rights to most directories on the manufactures FTP-server. This would allow an attacker to add, delete or modify firmware images for multiple different devices, amongst others, the Askey AP4000W (TDC branded). An attacker could i.e. implant a backdoor into the firmware, as there was no firmware signature validation in the update mechanism.

The mysterious ”bd_svr” service

Looking for the unknown service running on port 54188 the start-up script rcS at ”/etc_ro/” was enumerated. In it, an application called “bd_svr” was found.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

Decompiling the “bd_svr” application in Ghidra showed that the main function called ”tcp_svr_create_socket” with the parameter 0xd3ac which was 54188 as a decimal value. This parameter was used to define the receiving TCP socket port 54188.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

After creating the socket, the program enters the ”tcp_svr_select_n_handle” function which runs a ”while” loop waiting for client connections.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

A quick look through the different functions in the program showed, that it possibly worked as a “backdoor” (bd_svr?) into the device. Functions with names like ”cmd_read”, “cmd_send”, “cmd_write” and ”send_file” indicated this. The program had the calls to system functions like ”lseek”, ”write”, ”lstat”, ”open”, “opendir” and “readdir” which were all functions to interact with the filesystem.

Writing to the remote file system

Looking at the ”cmd_n_data_send”, ”cmd_write”, ”cmd_send” and ”cmd_read” functions showed, that by sending a crafted message containing a “magic-signature” allowed any unauthenticated user to write files to the filesystem.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

The crafted message required the following data fields and structure in order to be valid.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

The following python script reads a user-defined local file and writes it to a path on the remote device. Note that most of the filesystem is read-only. Existing files in R/W mounted directories will be overwritten.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

Below example overwrites ”/etc/passwd” with a version where both users have the DES-encrypted password set to “improsec”.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

With a known username and password, connecting via telnet was now possible.

Remote code executing without telnet

Looking through binaries in the extracted filesystem showed an application called “cmd_agent”.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

Reversing the application showed that it simply created an empty FIFO-file called ”cmd_agent” in ”/tmp/”. The file was constantly read for content, which was executed as console commands.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

Rewriting our above script to ease the execution of commands on the device.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

We already know that wget exists on the device. So using wget to send the first line of ”/etc/passwd” as a path will confirm that we have remote code execution.

Remote Code Execution by reverse engineering an Askey Wifi-Extender

The first line of ”/etc/passwd” containing the DES encrypted password for the root user.

Other research

Following the reverse engineering of the device, CVE-2014-0659 came to my attention. The backdoor described by elvanderb shares a lot of the same concepts as the one found in the Askey device. However, the “magic” signature, command type, functionalities, and service name differs.