Last Modified: Mon, 16 Sep 2024 04:19:31 +0000 ; Created: Sat, 14 Sep 2024 03:59:21 +0000
An ISP controlled Calix GigaSpire BLAST Model: u6.1 GS4220E router (firmware version 23.3.0.3.57). Running an Nmap scan I found a single open high-number port with an HTTP web server (no TLS) listening.
curl --include http://the-ip-here:60002/ HTTP/1.1 404 Not Found Server: gSoap 2.8.30 / Dimark client v.4.8 [9347] Content—Length: 0 Connection: close Doing some digging into the headers I found this was a TR-069 service. I tried sending a few TR payloads to it via curl but nothing changed the 404. A search on Shodan.io did turn up a number of other devices on the public Internet with this device present. I did get an interesting result from downloading https://github.com/bitfu/sricam-gsoap2.8-dos-exploit/blob/master/Sricam_gSOAP_PoC_exploit.sh for CVE-2019-6973. bash Sricam_gSOAP_PoC_exploit.sh the-ip-here 60002 10000 After running the service on port 60002 was still open but no longer responded. Another Nmap scan from inside the LAN (i.e. behind the router) indicated the port was open, but there were also other ports open on the device. nmap the-ip-here -p 60000-60100 Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-13 22:50 CDT Nmap scan report for the-ip-here (the-ip-here) Host is up (0.88s latency). rDNS record for the-ip-here: the-ip-here.block0.example.com Not shown: 98 closed ports PORT STATE SERVICE 60002/tcp open unknown 60004/tcp open unknown 60016/tcp open unknown Connecting to one of the other ports (from the LAN, Internet was blocked) returned an HTTP server response as below. The response corralated with a TR-069 CPE starting a session to the remote ACS. curl -i http://the-ip-here:60004/ HTTP/1.1 503 Service Unavailable Server: gSoap 2.8.30 / Dimark client v.4.8 [9347] Content-Length: 0 Connection: close curl -i http://the-ip-here:60016 HTTP/1.1 503 Service Unavailable Server: gSoap 2.8.30 / Dimark client v.4.8 [9347] Content-Length: 0 Connection: close At no time did the Internet service incur an interruption. Performing a TCP Nmap scan from the LAN showed some interesting services: Not shown: 65522 closed ports PORT STATE SERVICE 53/tcp open domain 80/tcp open http 111/tcp open rpcbind 443/tcp open https 2049/tcp open nfs 5201/tcp open targus-getdata1 30007/tcp filtered unknown 32777/tcp open sometimes-rpc17 32778/tcp open sometimes-rpc19 32780/tcp open sometimes-rpc23 60002/tcp open unknown 60004/tcp open unknown 60016/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 12410.41 seconds
The NFS share results sudo showmount -e 192.168.0.1 Export list for 192.168.0.1: /ponsfp_usr 169.254.1.1 /tmp/log/pon 169.254.1.1 An Nmap scan from the LAN side (nmap -sn -oA privnet-scan --stats-every 10 169.254.0.0/16) turned up 169.254.2.1 which was another IP address for the router itself. Attempting to mount the NFS shares sudo mount 169.254.2.1:/ponsfp_usr /mnt/ mount.nfs: access denied by server while mounting 169.254.2.1:/ponsfp_usr' sudo mount 169.254.2.1:/tmp/log/pon /mnt/ mount.nfs: access denied by server while mounting 169.254.2.1:/tmp/log/pon sudo ip address add 169.254.1.1/16 dev eth0 sudo mount 169.254.2.1:/tmp/log/pon /mnt/ sudo mount 169.254.2.1:/ponsfp_usr /mnt2/ The mounts never completed successfully but no access denied error was observed. This Reddit thread talked about support user credentials with 12345!5upporT, but I could not get it to work with a provisioned device. Setting up a bridge and tcpdump of the router WAN port to the ONT uplink revealed a few interesting traffic patterns: Traffic from an AWS EC2 instance IP range (34.210.116.13) to the router on port 60002. Hypertext Transfer Protocol GET /3xFyb0AI HTTP/1.1\r\n User-Agent: Calix Consumer Connect\r\n Host: IP-ADDR-OF-ROUTER-WAS-HERE:60002\r\n Accept: */*\r\n \r\n The response from the router back: HTTP/1.1 401 Unauthorized\r\n WWW-Authenticate: Digest realm="Dimark", qop="auth", nonce="7065d4b300001f2f66e7abbb"\r\n Server: gSoap 2.8.30 / Dimark client v.4.8 [9347]\r\n Content-Type: text/xml; charset=utf-8\r\n Content-Length: 0\r\n Connection: keep-alive\r\n \r\n The remote EC2 instance sent a follow-up request: GET /3xFyb0AI HTTP/1.1\r\n Authorization: Digest username="admin", realm="Dimark", nonce="7065d4b300001f2f66e7abbb", uri="/3xFyb0AI", response="REDACTED", qop=auth, nc=00000001, cnonce="55d856d1432701ff", algorithm=MD5\r\n User-Agent: Calix Consumer Connect\r\n Host: IP-ADDR-OF-ROUTER-WAS-HERE:60002\r\n Accept: */*\r\n \r\n The response: HTTP/1.1 200 OK\r\n Server: gSoap 2.8.30 / Dimark client v.4.8 [9347]\r\n Content-Length: 0\r\n Connection: close\r\n \r\n No further traffic on that clear-text port was observed. This likely only triggers the router to then reach out to the ACS for a config update. |
|