After getting a good look at the
Cab.Link CLS-D4E2WX1
from the outside it was time to void the warranty and open the box. The
two screws are hiding under the little rubber feet at the front side and
after removing those two screws the case opens with a bit of jiggling.
This device has an external 12 volt 1 ampere power supply.
Chips found on the board:
Qualcomm QCA7411L-AL3C - Homeplug AV / IEEE 1901 the ethernet over cable interface I guess
I also see an extra board (leftside of the picture, blue) where the u.fl cable
to the wifi antenna starts. It has a few larger chips but those have a label
over them. I guess one of them must be the CPU because I haven't seen a chip
with that function yet.
The makers of the Cab.Link CLS-D4E2WX1 were kind enough to include 4 pins
labeled J30 (bottom left of the picture) which are a very obvious candidate for
being the uart port. Again the process for find GND, TX, RX and Vcc was done
and the right pins found. With the board in front and the J30 readable the pins
are from left to right TX, RX, GND and 3.3 volt. I name the TX and RX pins from
the view of the system, so I see data transmitted on TX and I send data to RX.
De echte phishing pagina! Eindelijk. Deze stuurt de ingevulde data naar
https://21989-4437.s1.webspace.re/KVK/tmg1.php
Daarna komt een redirect naar https://21989-4437.s1.webspace.re/KVK/2.php en die geeft uiteindelijk een redirect naar
een KVK pagina.
Als ik kijk bij het overzicht Kamer van Koophandel - Fraudehelpdesk
zie ik mijn specifieke bericht er niet tussen staan, maar er is keuze genoeg.
Allemaal fraudepogingen, dus trap hier niet in!
The earlier Ethernet over Cable modem/router I poked at didn't come alone,
from the same source I also got a Cab.Link CLS-D4E2WX1 cable modem/router.
Doing a search for it finds actual listings for trying to order them
wholesale: Buy Wholesale China 7400-eoc Slave Modem, Separate Tv And Ethernet From One Cable, 4 Ethernet Ports Output & 7400-eoc Slave Modem at USD 127 | Global Sources
and Eoc Male Slave 4 Ethernet Port With Wifi - Buy Eoc Esclavo Product on Alibaba.com.
Both listings call it an EOC slave. Given the terminology I expected EOC
master devices to exist as well and I soon found out those exist and can be
pricey. So I'm not going to spend money on this subject, but I may be
interested in recycling an EOC master unit.
The unit has one external wifi antenna, 4 ethernet ports, external power
supply 12V and 9 leds. The cable connection is via 2 female F connectors with
one labeled 'Cable' and one labeled 'TV'. I do notice the case has a lot of
ventilation holes.
On the underside is a label with the manufacturer name, model name, a
default equipment management IP 10.10.1.250, a Wireless Network Name
'wifi' and the EOC and Wifi Mac addresses as numbers and barcodes, and
the serial number as number and barcode. The unit has four little rubber
feet (full LRF support) and two of those are hiding screws to open the unit.
On switching the Cab.Link router on I indeed see a wifi network appear with the
name 'wifi' which on connecting gives me an IPv4 address in the 192.168.1.x
range with the default gateway 192.168.1.1.
Cab.Link CLS-D4E2WX1 router underside
The Cab.Link router has a web interface listening on port 80. It directly asks
for http authorization but using admin/admin for username and
password gets me right in. Up until now I haven't found any reference to PLC or
EOC in the webinterface.
The Cab.Link also has a telnet server running on port 23. It greets me with
an OpenWRT banner but the first few attempts at finding username/password do
not let me in:
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
WARNING: telnet is a security risk
OpenWrt login: admin
Password:
Login incorrect
OpenWrt login: root
Password:
Login incorrect
OpenWrt login:
A comment on irc made me have a look at the logs for my haproxy system to get
an idea whether any weird vulnerability scan came by. No special vulnerability
scan showed up, but my attention was drawn to a number of lines like:
If there is one of two of these lines from one address, it is a sign of a
client which can't finish the SSL negotiation. With my site that probably means
and old client which doesn't understand LetsEncrypt certificates without an
extra certification path.
But this is quote a number of SSL errors from the same IPv6 range in a short
time. I wondered what was behind this and did a bit of testing, until I found
it's simple to cause this by doing an SSL test. For example with the famous
Qualys SSL test
or with an ssl scan tool. This is logical: ssltest uses a lot of different
negotiations to test what actually works.
I closed the case of a vulnerability in the Corinex CXWC-HD200-WNeH
with a confirmation from the vendor that this is a device completely out of
support. Which confirms the public information I found
when I started looking into this device.
This was all related to the course in hardware hacking I took and applying
the new knowledge.
So now I can look back on this experience and think about my future here.
Hardware hacking has serious links to my current job as technical security
specialist. In my work I regularly have to look at vulnerabilities and assess
the chance and impact of misuse of the vulnerability. With hardware hacking
I find vulnerabilities by researching hardware. This helps me understand the
chance and impact factor of other vulnerabilities.
There is also a link to my education: part of that was MTS electronics. I
learned how to solder, before SMD components were a thing and I think I got
some explanation about switching mode power supplies at the end. As I got into
computers I didn't do much with this education but the last years in amateur
radio have made me get out the soldering iron again.
There is a clear link to my hobby of amateur radio. My interest in amateur
radio is linked to wanting to know how things actually work. Hardware hacking
is also done with RF signals so I may get into more RF related hardware
hacking.
My current thought is that I want to continue in this subject. It's given me
joy: getting into a device in new and unexpected ways gives joy! I have learned
new things. I noticed I need to feed the brain regularly with new information
and actually learning something new is much better brainfood than browsing
social media. At the same time social media is the way to learn
more about this subject and interact with other people interested in this
subject. I ended up on /r/hardwarehacking on reddit
and already learned from others and shared some of my own insights!
There is the thing about RFID/NFC security. I have looked into this in the
past, mostly by getting the tools to peek into the MiFare classic cards. I am
considering going further with this area of hardware hacking. Prices of hacking
tools for this area like the proxmark3 or the flipper zero are above the 'nice
to try a few things' level. On the other hand I think I could have loads of fun
there, and the overlap with amateur radio is very clear.
At the end of this bit of writing: thanks to people who share their hardware
hacking experiences on-line! Thanks to Jilles
Groenendijk, Router Archeology: Sitecom WL-330 - Habbie's journal,
@Flashback Team on youtube,
Make Me Hack on youtube,
and Boschko Security for sharing
their stories and knowledge.
Ik zag een phishing mail met daarin een qrcode om te volgen. Dat is natuurlijk
een manier om te voorkomen dat mailscanners direct de URL herkennen als
verdacht. Alleen wilde mijn mailclient die afbeelding niet zomaar inladen want
remote, want dat is allang verdacht.
Afbeelding: https://qr.de/code/ySVDbB.png
URL uit qrcode: https://qr.de/ySVDbB
Redirect https://lnkd.in/dqiBJCcD
Redirect http://bit.do/0214nl85479651
Redirect https://21981-4426.s3.webspace.re/
En daar is de phishing pagina die om allerlei persoonsgegevens vraagt.
Correctie: was. De pagina is al weg. Maar als een van de redirects bijgesteld
wordt door de crimineel gaat een en ander natuurlijk weer verder!
Als ik kijk bij het overzicht Kamer van Koophandel - Fraudehelpdesk
zie ik mijn specifieke bericht er niet tussen staan, maar er is keuze genoeg.
Allemaal fraudepogingen, dus trap hier niet in!
Update:
De qr.de redirect is zelfs weg, dus de crimineel zal nieuwe spam
mails moeten versturen.
Somewhere between the digging in the Corinex CXWC-HD200-WNeH I found a
vulnerability. A combination of a misconfigured network filter and a default
account make it quite easy to get into the device and get full access.
I tried to report this vulnerability before publishing about it. Timeline:
24 September 2022 I mailed a general address at Corinex about this
29 September 2022 I mailed someone who wrote about Corinex devices in the
Netherlands
28 October 2022 I tried to contact @CorinexCorp on twitter via a mention
All this got exactly zero response.Update 2022-11-17: @CorinexCorp responded on twitter:
Hi Koos. Apologies for a lack of response. Corinex no longer supports CXWC-HD200-WNeH devices. The company exited the consumer market many years ago.
Because this device is out-of-support for years now and should not be in
use anywhere anymore, I think I've invested enough effort in trying to
report this vulnerability to the right people and I can now publish this
and close this chapter.
On to the actual vulnerability. Like a lot of other vulnerabilities this is
a case of multiple things coming together.
Bijna 10 jaar geleden deed ik mee aan een CTF:
Ik heb meegedaan aan de hackcontest ter ere van 20 jaar SURFcert.
En daar won ik een Samsung tablet. Die is dus ondertussen ook 10 jaar oud,
bevat Android 4.2.2 met Linux kernel 3.0.31 en krijgt geen updates meer.
Recent bedacht ik me dat ik die tablet misschien nog als scherm zou kunnen
gebruiken voor mijn thuis grafana server. Maar die server is alleen bereikbaar
met https en daar heb ik een LetsEncrypt certificaat voor waarbij ik alleen
de chain gebruik vanaf de ISRG Root X1 en niet meer vanaf de
DST Root CA X3 omdat dat op andere plekken problemen geeft.
Daarmee werkt het gewoon niet. Ik heb nog pogingen gedaan om de ISRG Root in de
certificaten van de tablet te krijgen maar als .pem, .crt of
.cer file worden deze niet gezien als certificaat door de tablet.
De tablet is daarmee gewoon afgeschreven en niet meer bruikbaar. Ik heb deze
tablet een aantal jaar gebruikt en daarna is deze vooral gebruikt door mijn
zoon om spelletjes op te spelen en youtube filmpjes te kijken.
My dive into the Corinex CXWC-HD200-WNeH continues. After getting root on the serial console of the Corinex CXWC-HD200-WNeH
I ordered similar gear as used in the hardware hacking course to do my own
hardware hacking. It arrived this week and today I had some time to play with
it.
Using the techniques from the course I found the serial console interface
again. The CPU board has 4 through-holes, that is a likely candidate. Next step
is finding which pin is which using a multimeter. Ground pin has continuity to
any other shield. One pin is at 0 volts without continuity to ground: the
receive data pin (from the viewpoint of the chip), another pin has a varying
voltage near the maximum voltage, this is the transmit data pin (again from
the viewpoint of the chip) and the fourth one has the constant maximum voltage,
which was 3.3 volts in this case.
I switched my USB to serial interface to 3.3 volts and connected the TX on the
system to the RX on the serial interface and the RX on the system to the TX on
the serial interface. I used Dupont cables to make this connection. With
minicom as communications program I opened the right interface:
minicom -D /dev/ttyUSB0.
After powering the router I got unreadable characters on the screen, I had
to adjust the serial port rate. This router has a serial console at 57600
bps, 8 bits, no parity, 1 stopbit.
And messages came out:
U-Boot 1.1.3 (Jan 31 2013 - 17:23:55)
Board: Ralink APSoC DRAM: 32 MB
relocate_code Pointer at: 81fa8000
flash_protect ON: from 0xBF000000 to 0xBF02435F
Weer een verse phishing mail, met dit keer de qrcode inline. Het pad:
Weer een verse phishing mail, met dit keer de qrcode inline. Het pad:
One of my oldest certificate signing request files was still using a sha1 hash and LetsEncrypt started rejecting it. As soon as I realized it used the old hash I redid it and wondered why it was still accepted in 2022. This also mean the private key of this service is showing age. Maybe time to regenerate it. The announcement is at Rejecting SHA-1 CSRs and validation using TLS 1.0 / 1.1 URLs - API Announcements - Let's Encrypt Community Support.
One of my oldest certificate signing request files was still using a sha1 hash
and LetsEncrypt started rejecting it. As soon as I realized it used the old
hash I redid it and wondered why it was still accepted in 2022.
This also mean the private key of this service is showing age. Maybe time to
regenerate it.
The announcement is at