
RCE on Telia Routers - theshrike79
https://full-disclosure.eu/reports/2019/FDEU-CVE-2019-10222-telia-savitarna-backdoor.html
======
ice3
So this issue affects Telia Lithuania clients. But I wouldn't be surprised if
the same (or similar) issue affects clients in Sweden.

The article mentions a leaked password hash from 2014, but as far as I know,
there were at least 3 password (not hash!) leaks over the last 10 years.

Generally, I recommend people buy their own routers and never use the "Self
Service" for managing passwords.

As for hostility of service providers - the situation isn't that good.

Some years ago, a white hat reported some data leak vulnerabilities in a
medical "self service" portal.

Vulnerability: change your personal code/id (SSN for folks in US) to another
person's number in the POST, and voila - you get the medical history of
another person.

What happened is that the white hat got blamed for "hacking" that system.

Result: Vulnerabilities aren't getting reported. Bad guys are exploiting them
left and right. White hats don't bother disclosing them.

I personally know at least 5 exploitable vulnerabilities in some government
websites, but I won't be disclosing them, since that will land me in a lot of
trouble.

EDIT: grammar

~~~
waihtis
Do you have the self service thing in Sweden? Granted I’m not a Telia customer
here in FIN, but have never seen this kind of functionality on my own home
routers. Plain router admin always.

~~~
jacobush
Telia routers in Sweden can be managed remotely from Telia's web page. I don't
mean port forward, but some other channel talk between admin tool on their
website and the router. (You can also connect locally on the LAN and admin the
router that way.)

Tangentially related Swedish bork:

[https://medium.com/@rikardhjort/2-7-medical-calls-breached-i...](https://medium.com/@rikardhjort/2-7-medical-calls-breached-in-sweden-and-its-pure-comedy-b93c1af95e06)

~~~
scblzn
It's the same with Telia Estonia.

And they use dropbear to connect to the router to do changes from
remote/customer service/online customer portal, if you're curious (you can see
it in logs of the router, Inteno ones)

------
ecmascript
Telia is just horrible. I use them because I have no other option where I
live, which is very unusual in Sweden. Their support is absolute horse shit.
You can't get a static IP unless you have a company and it regularly goes down
for hours.

If you log in on your account on their homepage you get this popup 1 time each
day:

[https://imgur.com/Y0Gx8EY](https://imgur.com/Y0Gx8EY)

Where they utilize a dark pattern to make users check the boxes and have their
customers web traffic data monitored and analyzed for ad purposes. The only
other option is "Svara senare" which translates to "Answer later". If you
log in after 24 hours, the same popup will be shown until you tick those boxes.

This should be illegal.

~~~
bjoli
Oh, and they sold data about torrent users. That's right. A Swedish ISP
selling personally identifiable information. Not giving it out because of a
court order.

I have steered many people away from them over the years. They would have to
have at least a decade of good behaviour and a sun shining out of their ass
before I would pick them.

~~~
swinglock
> Oh, and they sold data about torrent users. That's right. A Swedish ISP
> selling personally identifiable information. Not giving it out because of a
> court order.

Very interesting, can you please say more or point to somewhere? I couldn't
parse if the last sentence was about you or Telia.

~~~
bjoli
This is surprisingly hard to find info about, but here is one part of it:
[https://www.svd.se/salde-uppgifter-till-porrutpressare](https://www.svd.se/salde-uppgifter-till-porrutpressare)

------
CapriciousCptl
Wow. It's a complete tragic comedy.

> And, yes, it turns out that Telia's client does not attempt to verify the
> remote server's [customer's router] public key ...and then... Using
> malicious SSH server to trigger server side RCE !!

> First, Telia did not have a PGP key and did not know how to use it, so
> instead they asked us to ZIP the report with password and send the password
> over a separate email (private GMail). I hope Telia's engineers will be
> reading this article, so I would like to explain why the report should be
> encrypted. !!

> Thank you for the information. We will continue to check whether you made
> your report legally without violating any law. And we will ensure that no
> fake information will be published that could do any harm to the company's
> reputation and to the critical part of Lithuanian network infrastructure. !!

> And finally, we found that the hash was cracked and was available in the old
> "weakpass" database !!
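
The missing check that the first quote describes, host key pinning in the SSH client that connects out to customer routers, shown as an added Python example (not code from the article, from Telia, or from this thread); it follows the OpenSSH known_hosts format, including hashed host entries, and every host name, key blob and salt in it is constructed.

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded host key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_host(host, salt):
    """HashKnownHosts form of a host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(pattern, host):
    """True if a known_hosts host field (hashed or comma-separated names) names host."""
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hash_host(host, salt) == pattern
    return host in pattern.split(",")

def verify_host_key(host, keytype, key_b64, known_hosts):
    """Pin check before authenticating. "accepted": pinned key matches; "key-mismatch":
    host known with a different key of this type (possible MITM or swapped device);
    "unknown-host": nothing pinned. A client must not silently proceed in the last two."""
    pinned = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue
        if host_matches(parts[0], host) and parts[1] == keytype:
            pinned.append(parts[2])
    if key_b64 in pinned:
        return "accepted"
    return "key-mismatch" if pinned else "unknown-host"

# Constructed sample data for the demo: not real keys, hosts or Telia values.
GOOD_KEY = base64.b64encode(b"constructed-host-key-A").decode()
EVIL_KEY = base64.b64encode(b"constructed-host-key-B").decode()
SALT = b"constructed-20B-salt"  # 20 bytes, as OpenSSH uses
KNOWN_HOSTS = "\n".join([
    "# one pinned key per customer device",
    "cpe-1001.example ssh-ed25519 " + GOOD_KEY,
    hash_host("cpe-1002.example", SALT) + " ssh-ed25519 " + GOOD_KEY,
])

if __name__ == "__main__":
    for host, key in [("cpe-1001.example", GOOD_KEY), ("cpe-1002.example", EVIL_KEY),
                      ("cpe-9999.example", GOOD_KEY)]:
        print(host, fingerprint(key), verify_host_key(host, "ssh-ed25519", key, KNOWN_HOSTS))
```

A management client that gets "key-mismatch" or "unknown-host" here should abort the session and alert, rather than authenticate with the shared password against whatever answered on the customer's side.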

------
kerpele
Threatening the researcher really is the cherry on top here

------
jutaz
I've known their `ladmin` password for a looong while - it was available
online at least since 2015. And as far as I'm aware - the same password was
used for multiple Telia routers' models (ADB-branded ones) - not just a single
model.

There also was a user called `tadmin`, but I wasn't able to figure out the
password for that one.

------
sleepydog
It's exceedingly likely that other ISPs do this exact same thing. I've always,
always used my own router and, when possible, my own modem.

Even if it's not a glaring security hole like this one, using the ISP's router
makes it easier for them to monitor you and serve you ads using "DNS
assistance"-type programs. And most of the time you _pay_ them for it with an
extra $5-$10 on your monthly bill!

------
tpmx
I really don't get the "Using malicious SSH server to trigger server side RCE"
section. The language would do well with being a bit more clear wrt exactly
which client and which server, and exactly where the RCE is happening.

> In order to exploit RCE we needed to build a virtual test environment that
> fully copies Telia's PHP client. Step by step we have gone through the
> sequence of Telia's commands sent over the SSH. And finally we got a
> malicious SSH server and a test libssh2 client running in our test lab. With
> this server we could fully control the protocol and start fuzzing.

> In the first few days of the fuzzing we got some crashes and partially
> confirmed that RCE may be exploited.

My first understanding of this:

- They eavesdropped on the "requests" (HTTP? Is there TCP tunneling
involved?) using a malicious SSH server

- They replicated the HTTP (?) requests using some php code they wrote

- They then caused segfaults/infinite loops in _their own PHP code_

(Witness the task manager in that screenshot gif running on their own windows
machine showing high cpu usage for a PHP process.)

This seems a bit away from an actual "Remote Code Execution on Telia Routers",
unless I'm misunderstanding this fundamentally.

Perhaps their high-level thought process is like this?

1. The version numbers in the "php client", triggered by the
change-your-wifi-password website, from a trusted IP (10.0.98.251) indicate
that this client runs a version of libssh which allows for the password
eavesdropping they did, and the php runtime, which is sometimes insecure.

2. Someone could perhaps use the fact that Telia is using PHP to hack their
"remote management client" using a malicious ssh server at a customer
endpoint.

3. Profit?

This is a very poorly written vulnerability report.

Anyway, @dang - I think the title "RCE on Telia Routers" is pretty incorrect.
Suggestion: "Possible Telia consumer router security issue".

~~~
swinglock
> Perhaps their high-level thought process is like this?

Yes, I think you're right and it was difficult to understand. The thinking is
that, as you can trigger Telia servers to connect to you, using software which
appears past its expiration date, you may be able to exploit that software to
root their command and control server. Do that and you own Telia's whole botnet
of customers.

~~~
tpmx
Strictly speaking they didn't show that two separate consumer routers have the
same remote management password.

~~~
swinglock
They didn't show it but they did say the old routers share the same password.
I can take that at face value; it's easy enough for a Lithuanian researcher to
verify by asking a friend, and I assume they did.

They say later models allow only pub keys but didn't go into more details. I
would assume they all have the same keys in firmware if not shown otherwise.

Either way, the Telia CnC server would know all unique (if so) passwords or
keys, so it may make little difference if exploited.

~~~
tpmx
> but they did say the old routers share the same password

Ah, missed that.

------
jfrunyon
Doesn't surprise me. Spectrum has the same thing here in the US. All their
devices have telnet or SSH or web access on an internal VLAN, with weak
passwords like "T!m3W4rn3rC4bl3" (I'm not joking). A list of passwords was
readily accessible to, at least, all SMB customer support technicians in the
old TWC areas as of a few years ago.

------
jaydecus
Thank you for this. The world needs more people like you. Also, well written
article and the timeline detail was great!

------
fulafel
Misleading title, these are CPE NAT boxes.

~~~
LogicX
Agree - came here concerned Telia backbone routers had an issue...

~~~
tpmx
I came here six hours ago thinking my mom's Telia-connected Macbook Air was at
risk. Turns out none of that is true. More active moderation, please.

Edit: Also: Why is all of the technical discussion on this topic at the bottom
of the page?

~~~
drbenway
Well if the hackers have root password on the CPE NAT gateway the macbook
probably is at risk to a MITM, those gateways have iptables probably after
all. Plus when you've got a gateway you can do things like screw with the
network time to invalidate HSTS certificates or inject so many rules firefox
forgets the old one and you can MITM with a new https certificate!

~~~
tpmx
You missed the fact that the CPE NAT gateway according to the article limited
that root access to a particular non-routed IP. So, first you've got to hack
that machine at Telia.

