Fastgate Modem Login

Fastgate Modem Login

by

Do you ever wonder what secrets lie within the devices that power our internet connections? Well, I stumbled upon some juicy vulnerabilities in the FASTGate modem/router provided by Fastweb, an Italian telecommunications company. These vulnerabilities allowed me to bypass authentication and even execute arbitrary code. Let me share the thrilling details with you!

The Alluring FASTGate Modem

Fastweb, an Italian telecommunications company, introduced the FASTGate modem to its clients. Being a penetration tester, I couldn’t resist the temptation to analyze its web interface and see if there were any vulnerabilities to exploit. My goal for the night? Popping up a shell!

To begin my investigation, I set up Burp Suite as a proxy and started exploring the webpages, capturing requests and responses along the way. My journey started with the login panel, as shown in Figure 1.

Figure 1 - Login panel
Figure 1 – Login panel

The Cracked Authentication Layer

After logging in and navigating through various pages, I noticed something suspicious. The login request didn’t send any cookies or tokens back to the client. This made me question whether any authentication had been implemented at all. And as it turned out, there wasn’t!

The web application simply sent AJAX requests to a cgi binary called status.cgi, using the nvget parameter to specify the action. With just a simple GET request, I could retrieve a list of all devices connected to the router, even in the past. It provided detailed information such as IP addresses, MAC addresses, and hostnames. Check out Figure 2 for a sneak peek.

Figure 2 - Devices enumeration
Figure 2 – Devices enumeration

Unleashing Unauthenticated Command Injection

But wait, there’s more! Upon closer inspection of the login request, I decided to manually fuzz the username and password fields. To my astonishment, the server’s response after inputting a single quotation mark in the password field revealed something intriguing.

Guess what? My controlled input was being used to execute a shell command without any sanitization. It was like a dream come true! Eager to test the waters, I tried executing the ping command, a common utility found in most distributions. And lo and behold, it worked! Check out the confirmation in Figure 3.

Figure 3 - Ping command
Figure 3 – Ping command

By adding the text ‘$(command)’ to the password input, I could effortlessly send arbitrary commands. This vulnerability allowed me to achieve full code execution on the router. However, the privileges I had were still unclear. What I really needed was a shell to interact more effectively with the router.

Getting the Elusive Reverse Shell

Command execution was cool, but I craved more. Could I attain a real shell within the system? Absolutely! Through some diligent enumeration using the command injection, I discovered that the router came with multiple netcat binaries. And luckily, one of them had support for the -e parameter.

Using this particular nc binary, which executes an external program after accepting or making a connection, I was able to achieve a reverse shell. It was like having the keys to the kingdom! Notably, the process ran with root privileges, granting me full access to the device. See Figure 4 for a glimpse of this exploit in action.

Figure 4 - Exploit executed to get a shell
Figure 4 – Exploit executed to get a shell

The Final Act: Conclusions

For the sake of documentation, the vulnerable software version I tested was v1.0.1b, with firmware version 0.00.47_FW_200_Askey2017-05-17 17:31:59. It’s worth noting that to exploit these vulnerabilities, an attacker must be authenticated to the Wi-Fi network, as the admin interface is exposed on the internal network. So, rest easy knowing that unauthorized access isn’t as straightforward as it seems.

My communication with Fastweb regarding these vulnerabilities didn’t go smoothly. Despite multiple attempts to contact them, their communication with me abruptly ceased after an initial acknowledgement. However, a few weeks after my emails, they released a new firmware version that addressed most of the vulnerabilities. Here are the key changes:

  • Login requests now return a session token, used for authenticating all requests to status.cgi. This seemingly fixed the trivial “bypass” vulnerability.
  • They initially introduced CSRF protection by setting a cookie called XSRF-TOKEN. When sending a request, the web application would include both the cookie and a X-XSRF-TOKEN header with the same value. Unfortunately, there was no actual validation on the token value. As long as the cookie matched the token value, the server accepted it.
  • The command injection remained present in some updates but was eventually patched.

At the time, Fastweb didn’t have a responsible disclosure program or a specific security contact. However, they did create one shortly after my initial email. Unfortunately, I wasn’t mentioned on their Hall-of-Fame page.

Bonus: A Taste of Buffer Overflow

As I delved deeper into my exploration, I stumbled upon another intriguing vulnerability. The Server header indicated that the mini_httpd version used was 1.27, released on March 7, 2017. Despite searching for known vulnerabilities, I couldn’t find any public information on this version.

However, since the source code was available, I decided to do some analysis. And to my surprise, I discovered a buffer overflow in the htpasswd.c file. This file contained a custom and simplified version of the original htpasswd utility developed for the Apache HTTP Server. It was used to create and update flat-files storing usernames and passwords for basic authentication of HTTP users.

This simplified version, developed by ACME Laboratories, had a buffer overflow vulnerability. The username parameter, provided through the command line interface, was copied into a buffer without any boundary check. Exploiting this vulnerability allowed an attacker to execute malicious payloads remotely. Upon disclosing the vulnerability to the web server maintainer, an update was released through the developer’s website to address the issue.

Disclosure Timeline of the Buffer Overflow

To provide full transparency, here’s the timeline of events related to the buffer overflow vulnerability:

  • December 1, 2017 – I contacted the developer to inquire about how to report security findings.
  • December 12, 2017 – I sent the vulnerability details to the developer.
  • December 13, 2017 – The developer acknowledged the vulnerability.
  • December 13, 2017 – CVE-2017-17663 was assigned to the vulnerability.
  • February 4, 2018 – An update was released for mini_httpd and thttpd, and an advisory was published for the vulnerability.

Wrapping Up

So there you have it, the juiciest secrets behind the Fastgate modem login! These vulnerabilities allowed me to bypass authentication, execute arbitrary code, and gain full access to the router. While Fastweb eventually fixed most of the issues, it’s essential to remain vigilant when it comes to the security of our internet-connected devices. Stay safe out there!