News items for tag security - Koos van den Hout

I closed the case of a vulnerability in the Corinex CXWC-HD200-WNeH with a confirmation from the vendor that this is a device completely out of support. Which confirms the public information I found when I started looking into this device. This was all related to the course in hardware hacking I took and applying the new knowledge.

So now I can look back on this experience and think about my future here. Hardware hacking has serious links to my current job as technical security specialist. In my work I regularly have to look at vulnerabilities and assess the chance and impact of misuse of the vulnerability. With hardware hacking I find vulnerabilities by researching hardware. This helps me understand the chance and impact factor of other vulnerabilities.

There is also a link to my education: part of that was MTS electronics. I learned how to solder, before SMD components were a thing and I think I got some explanation about switching mode power supplies at the end. As I got into computers I didn't do much with this education but the last years in amateur radio have made me get out the soldering iron again.

There is a clear link to my hobby of amateur radio. My interest in amateur radio is linked to wanting to know how things actually work. Hardware hacking is also done with RF signals so I may get into more RF related hardware hacking.

My current thought is that I want to continue in this subject. It's given me joy: getting into a device in new and unexpected ways gives joy! I have learned new things. I noticed I need to feed the brain regularly with new information and actually learning something new is much better brainfood than browsing social media. At the same time social media is the way to learn more about this subject and interact with other people interested in this subject. I ended up on /r/hardwarehacking on reddit and already learned from others and shared some of my own insights!

There is the thing about RFID/NFC security. I have looked into this in the past, mostly by getting the tools to peek into the MiFare classic cards. I am considering going further with this area of hardware hacking. Prices of hacking tools for this area like the proxmark3 or the flipper zero are above the 'nice to try a few things' level. On the other hand I think I could have loads of fun there, and the overlap with amateur radio is very clear.

At the end of this bit of writing: thanks to people who share their hardware hacking experiences on-line! Thanks to Jilles Groenendijk, Router Archeology: Sitecom WL-330 - Habbie's journal, @Flashback Team on youtube, Make Me Hack on youtube, and Boschko Security for sharing their stories and knowledge.

Ik zag een phishing mail met daarin een qrcode om te volgen. Dat is natuurlijk een manier om te voorkomen dat mailscanners direct de URL herkennen als verdacht. Alleen wilde mijn mailclient die afbeelding niet zomaar inladen want remote, want dat is allang verdacht.

• Afbeelding: https://qr.de/code/ySVDbB.png
• URL uit qrcode: https://qr.de/ySVDbB
• Redirect https://lnkd.in/dqiBJCcD
• Redirect http://bit.do/0214nl85479651
• Redirect https://21981-4426.s3.webspace.re/

En daar is de phishing pagina die om allerlei persoonsgegevens vraagt.

Correctie: was. De pagina is al weg. Maar als een van de redirects bijgesteld wordt door de crimineel gaat een en ander natuurlijk weer verder!

Als ik kijk bij het overzicht Kamer van Koophandel - Fraudehelpdesk zie ik mijn specifieke bericht er niet tussen staan, maar er is keuze genoeg. Allemaal fraudepogingen, dus trap hier niet in!

Update: De qr.de redirect is zelfs weg, dus de crimineel zal nieuwe spam mails moeten versturen.

Somewhere between the digging in the Corinex CXWC-HD200-WNeH I found a vulnerability. A combination of a misconfigured network filter and a default account make it quite easy to get into the device and get full access.

I tried to report this vulnerability before publishing about it. Timeline:

• 24 September 2022 I mailed a general address at Corinex about this
• 29 September 2022 I mailed someone who wrote about Corinex devices in the Netherlands
• 28 October 2022 I tried to contact @CorinexCorp on twitter via a mention

All this got exactly zero response.

Update 2022-11-17: @CorinexCorp responded on twitter: Hi Koos. Apologies for a lack of response. Corinex no longer supports CXWC-HD200-WNeH devices. The company exited the consumer market many years ago.

Because this device is out-of-support for years now and should not be in use anywhere anymore, I think I've invested enough effort in trying to report this vulnerability to the right people and I can now publish this and close this chapter.

On to the actual vulnerability. Like a lot of other vulnerabilities this is a case of multiple things coming together.

Bijna 10 jaar geleden deed ik mee aan een CTF: Ik heb meegedaan aan de hackcontest ter ere van 20 jaar SURFcert. En daar won ik een Samsung tablet. Die is dus ondertussen ook 10 jaar oud, bevat Android 4.2.2 met Linux kernel 3.0.31 en krijgt geen updates meer.

Recent bedacht ik me dat ik die tablet misschien nog als scherm zou kunnen gebruiken voor mijn thuis grafana server. Maar die server is alleen bereikbaar met https en daar heb ik een LetsEncrypt certificaat voor waarbij ik alleen de chain gebruik vanaf de ISRG Root X1 en niet meer vanaf de DST Root CA X3 omdat dat op andere plekken problemen geeft.

Daarmee werkt het gewoon niet. Ik heb nog pogingen gedaan om de ISRG Root in de certificaten van de tablet te krijgen maar als .pem, .crt of .cer file worden deze niet gezien als certificaat door de tablet.

De tablet is daarmee gewoon afgeschreven en niet meer bruikbaar. Ik heb deze tablet een aantal jaar gebruikt en daarna is deze vooral gebruikt door mijn zoon om spelletjes op te spelen en youtube filmpjes te kijken.

One of my oldest certificate signing request files was still using a sha1 hash and LetsEncrypt started rejecting it. As soon as I realized it used the old hash I redid it and wondered why it was still accepted in 2022.

This also mean the private key of this service is showing age. Maybe time to regenerate it.

The announcement is at Rejecting SHA-1 CSRs and validation using TLS 1.0 / 1.1 URLs - API Announcements - Let's Encrypt Community Support.

My dive into the Corinex CXWC-HD200-WNeH continues. After getting root on the serial console of the Corinex CXWC-HD200-WNeH I ordered similar gear as used in the hardware hacking course to do my own hardware hacking. It arrived this week and today I had some time to play with it.

Using the techniques from the course I found the serial console interface again. The CPU board has 4 through-holes, that is a likely candidate. Next step is finding which pin is which using a multimeter. Ground pin has continuity to any other shield. One pin is at 0 volts without continuity to ground: the receive data pin (from the viewpoint of the chip), another pin has a varying voltage near the maximum voltage, this is the transmit data pin (again from the viewpoint of the chip) and the fourth one has the constant maximum voltage, which was 3.3 volts in this case.

I switched my USB to serial interface to 3.3 volts and connected the TX on the system to the RX on the serial interface and the RX on the system to the TX on the serial interface. I used Dupont cables to make this connection. With minicom as communications program I opened the right interface: minicom -D /dev/ttyUSB0.

After powering the router I got unreadable characters on the screen, I had to adjust the serial port rate. This router has a serial console at 57600 bps, 8 bits, no parity, 1 stopbit.

And messages came out:

U-Boot 1.1.3 (Jan 31 2013 - 17:23:55)

Board: Ralink APSoC DRAM:  32 MB
relocate_code Pointer at: 81fa8000
flash_protect ON: from 0xBF000000 to 0xBF02435F

Officially the "Corinex CXWC-HD200-WNeH" cable modem is out of support for years and deployments should have migrated to newer solutions. That is the reason I got my hands on one: it was replaced by a docsis-based modem. For as far as I can tell these modems are based on homepna or homeplug, over coax networks (the tools on the router don't tell what kind of standards the coax side uses).

I'd like to know if any of these are still used in the wild. If you find this post because you got bored and looked at the underside of the wifi box in your holiday park, get in touch!

My e-mail address is at the bottom of this page and I'm on twitter as @khoos.

This week I was attending a course in hardware hacking: HackLab: Hardware Hacking at the Deloitte office in Den Haag.

How to find the right pins to get a commandline on a router-like device was part of this course, and the last day there was an option to Bring Your Own Device, to hack it. So I brought this router as I thought it was an ideal target to get access to it, since on the earlier try I could not get into the webinterface of the Corinex CXWC-HD200-WNeH device.

So this time I took out the screwdriver, voided the warranty of the device by breaking the little sticker on the side and opening it. It has a board with the powersupply and cable interface parts. The powersupply is shielded with some plastic.

There is a smaller board with the main chip which contains the processor, ram, wifi module. The first task was to find the uart interface which should give a serial console. That's a skill I learned in the hacklab: first find out which pins have continuity to ground with the device switched off. With a simple multimeter which has a beeping continuity meter this is simple. The beep makes it possible to test the device without looking at the meter.

After that it's a matter of switching the multimeter to voltage and checking other pins for voltage. Usually there are 4 pins on a uart port: ground which is physically connected to the device ground, receive data and send data and a reference voltage. On measuring the pins the reference voltage will be at the steady maximum voltage, the data transmitting from the device will be varying and the pin where the device expects data will be at 0 volt.

Uart ports can be 5 volt, 3.3 volt, 2.5 volt or 1.8 volt in recent devices. 5 and 3.3 volt are the most common. USB serial interfaces that support 5 and 3.3 volt are cheap (3 euro), USB serial interfaces that support all 4 are somewhat more expensive (10 euro).

For the Corinex router the voltage is 3.3 Volt. There was a 3.3 Volt ftdi USB to serial interface available, so I was able to access the uart port. I connected to the uart port, used a terminal program and searched for the right serial port settings and ended up at 57600 baud, 8 bits, no parity, 1 stopbit.

After looking at all the boot messages I was greeted with a root prompt. No more hacking, just full access. The system boots using the U-Boot bootloader. The system runs linux with a 2.6.21 kernel. I looked around on the filesystem and started looking for the configuration for the webserver hoping to find the username/password. I found this in /flash/config so I could get into that interface as well.

I also found it was running a telnet server, but not on the standard port. The port was 32560. Without commands like netstat or ss I had to learn this from /proc/net/tcp. Browsing the iptables listing shows that port 80 is supposed to be allowed and other ports aren't, but 32560 reacts fine.

Chip found: Ralink RT3052F processor with embedded ram and flash and with 2.4 GHz wifi and a network switch for 1 gigabit port and 5 100 mbit ports.

Things I'd still like to do: copy the entire filesystem to another computer so I can research it and check around the web interface for security issues.

Ik kreeg vandaag een phishing mailtje gericht aan:

Cher(ère) client(e) Maes-Swerts/A.,

Votre abonnement Proxumis a été suspendu, car vous avez fait opposition à un règlement de dette. Tant que le problème n'a pas été résolu, vous ne pouvez utiluser aucune de vos services proxumis.

De resulterende pagina wil een credit-card betaling. Dus verzamelt gewoon credit-card gegevens. Ik zou me bijna afvragen hoe snel er fraude komt als ik daar echte gegevens invullen. Ik denk dat het in de orde van minuten is, maar dat wil ik niet testen.

De spam voor 'Maes-Swerts/A.' is nu al meer dan 10 jaar bezig!

Eerder, eerder, eerder, eerder, eerder, eerder, eerder de originele ontdekking in 2012.

There are always attacks in the logs, but this one caught my eye because someone mentioned it, I saw it in logs and searching for a simple explanation for what I saw gave no answers.

Those are the interesting ones. So here is the logline split into multiple parts in an attempt to make it more readable:

"GET /cgi-bin/timepro.cgi?tmenu=netconf&smenu=wansetup&act=save&
sel=dynamic&dns_dynamic_chk=on&fdns_dynamic1=128.0.104.18&
fdns_dynamic2=128.0.104.33&fdns_dynamic3=128.0.104.18&
fdns_dynamic4=128.0.104.18&sdns_dynamic1=128.0.104.18&
sdns_dynamic2=128.0.104.33&sdns_dynamic3=128.0.104.18&
sdns_dynamic4=128.0.104.33&userid=&passwd=&mtu=1454&
ip1=192&ip2=168&ip3=254&ip4=2&
sm1=255&sm2=255&sm3=255&sm4=0&
gw1=192&gw2=168&gw3=254&gw4=254&
fdns1=&fdns2=&fdns3=&fdns4=&
sdns1=&sdns2=&sdns3=&sdns4=&static_mtu=150 HTTP/1.1"

Searching for timepro.cgi finds a2004ns-mod/timepro.cgi at master · hklcf/a2004ns-mod · GitHub which seems to be compiled code: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped.

Based on Honware: A virtual honeypot framework for capturing CPE and IoT zero days my best guess is that requests to timepro.cgi attempt to reconfigure a home router. And my next guess is that the attempt is to set the DNS resolvers to 128.0.104.18 and 128.0.104.33. Further searching finds another attempt from the same source IPv4 address which also looks a lot like an attempt to reconfigure DNS settings:

"GET /dnscfg.cgi?dnsPrimary=128.0.104.18&dnsSecondary=128.0.104.33&dnsDynamic=0&dnsRefresh=1 HTTP/1.1"

The theory that this is an attempt to redirect DNS traffic is somewhat confirmed by the fact that 128.0.104.18 indeed runs an open resolver which will give me answers. For the few things I have tried those are valid answers (no clear attempts to redirect traffic to other places). I get no answers from 128.0.104.33 at the moment.

Update: Searching for the string 128.0.104 finds more:

"POST /dnscfg.cgi?dnsPrimary=128.0.104.18&dnsSecondary=128.0.104.18&dnsDynamic=0&dnsRefresh=1&dnsIfcsList= HTTP/1.1"
"POST /Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=128.0.104.18&dnsSecondary=8.8.8.8 HTTP/1.1"

Based on the names of the parameters I guess more of the same: attempts to redirect DNS traffic.