RCE on Telia Routers (full-disclosure.eu)
199 points by theshrike79 33 days ago | hide | past | favorite | 49 comments



So this issue affects Telia Lithuania clients. But I wouldn't be surprised if the same (or similar) issue affects clients in Sweden.

The article mentions a leaked password hash from 2014, but as far as I know, there were at least 3 password (not hash!) leaks over the last 10 years.

Generally, I recommend people buy their own routers and never use the "Self Service" for managing passwords.

As for hostility of service providers - the situation isn't that good.

Some years ago, a white hat reported some data leak vulnerabilities in a medical "self service" portal.

Vulnerability: change your personal code/id (SSN for folks in US) to another person's number in the POST, and voila - you get the medical history of another person.

What happened is that the white hat got blamed for "hacking" that system.

Result: Vulnerabilities aren't getting reported. Bad guys are exploiting them left and right. White hats don't bother disclosing them.

I personally know at least 5 exploitable vulnerabilities in some government websites, but I won't be disclosing them, since that will land me in a lot of trouble.

EDIT: grammar


> I personally know at least 5 exploitable vulnerabilities in some government websites, but I won't be disclosing them, since that will land me in a lot of trouble.

I can tell you from experience, the only way to reliably get a vulnerability fixed is to publish on Twitter.

Of course, if you've got vulnerabilities in government sites and power plants, you may prefer not to disclose to Twitter to avoid harm to the public. Sitting on vulnerabilities in the absence of alternatives is a perfectly ethical and reasonable choice.


> I personally know at least 5 exploitable vulnerabilities in some government websites, but I won't be disclosing them, since that will land me in a lot of trouble.

That's what full disclosure is for. Drop the vuln somewhere via Tor, maybe point someone there via some anonymous communiqué. Et voilà, you made the world a safer and better place.

Imho sitting on vulnerabilities is immoral as long as anonymous full disclosure is possible.


This might be dangerous if you initially planned to disclose responsibly and did the research/testing of the vulnerability without anonymization. In that case if you were to release the vulnerability anonymously and it wasn't exploited before they could still figure out that you did it by examining the logs and finding your early non-anonymous attempts.


Right, and there's no possibility to do research/testing anonymously anyway. You use your personal e-Signature/ID card to logon to government sites, your logon is always tied to you.


It's possible that the programmers who built the system are really bad at security and really good at audit logging but I doubt it. Personally I would take the risk but I understand why others might not want to.


One of the first things I've recommended with systems that deal with PII or secret data is to see if the vulnerability being reported or discovered has been exploited in the past.

Many different hops will log things like HTTP paths, which include GET information, or DB audit logging which can easily be traced with message IDs or timestamp comparisons. It's surprising how easy it is to trace issues; debug logging is often left on in production systems.

I wouldn't take that risk.


I work for one of the big SaaS providers. Their internal response to this stuff requires me to fill in forms and sign a bunch of shit, as well as exchange emails and enter MFA codes - it ends up taking about 30 mins to 1 hour of back-and-forth (over a period of about a week because timezones - they obviously leave this process management stuff to where labour is cheap).

I did it once, I've found probably 10 other issues with customers, partners and our own products that I won't be reporting since I have to go through that process every time with my employer.

There is no benefit to me for reporting it aside from an automated thank you message when they close a ticket.

I'd submit/advise anonymously but I usually discover this stuff in a way they can trace it back to me.

So instead, my data as well as my customers', colleagues' and good people's data remains accessible to the internet.

I'm sorry for that.


Would the ability to anonymously disclose vulnerabilities help? I fear that disclosures like that would just be ignored, though.


What one should do is to involve www.NKSC.lt, the National Cyber Security Center. They have a form to submit vulnerabilities.

I did send a few reports from throwaway email accounts, but the issues did not get resolved.

I suspect there's another way to go about it - if you're a Telia customer - send them GDPR Article 33 request.


Do you have the self service thing in Sweden? Granted I’m not a telia customer here in FIN, but have never seen this kind of functionality on my own home routers. Plain router admin always.


Telia routers in Sweden can be managed remotely from Telia's web page. I don't mean port forwarding, but some other channel between the admin tool on their website and the router. (You can also connect locally on the LAN and admin the router that way.)

Tangentially related Swedish bork:

https://medium.com/@rikardhjort/2-7-medical-calls-breached-i...


It's the same with Telia Estonia.

And they use dropbear to connect to the router to do changes from remote/customer service/online customer portal, if you're curious (you can see it in logs of the router, Inteno ones)


I couldn't find it on the web site, but I found something similar here:

https://apps.apple.com/se/app/telia-smart-wifi/id1459248896

https://play.google.com/store/apps/details?id=com.teliacompa...

They allow login with BankID (Swedish authentication system using the Personal Identity Number) or a Telia login, implying I don't need the admin password printed on the back of the router, so it ought to use the same type of backdoor I'd expect support personnel have and the Lithuanian web site has.

Judging by the comments of both apps though, it seems it doesn't work at all... maybe they need to add more than 5 PHP workers.


Well, it is risky hiring workers in Sweden... if you don't need them anymore it's difficult to get rid of them!


This is just plain wrong. There are many ways to handle such a situation. One would be "visstidsanställning" which is employment for a pre-determined period.


Funny how everyone missed the fact I was suggesting firing PHP workers, which are background processes in PHP servers.


Sure, you can work around the labour laws in many ways, but he is likely referring to a normal full time employment contract as most people do when they talk about employment.

And he's not wrong in the figurative way, the labour laws are quite strict and the unions are in an impossibly strong standing in Sweden.


You can fire people if you don't need them (don't have enough work for them); that's called arbetsbrist and is the most common reason for firing people in Sweden. You just can't turn around and hire other people for the same job right after.


Observation: You're using the same kind of approach as the "I almost found a vulnerability" and "but I won't be disclosing them, since that will land me in a lot of trouble" as the submitted post does.


You're absolutely correct. And I completely understand the author's point of view.

By disclosing the vulnerability, I'd be taking a risk of a criminal investigation. This is not a joke. This has already happened at least once in Lithuania.

I have a job, one that has nothing to do with infosec, but I'd be risking that job if I had an ongoing criminal investigation.


That's very irresponsible of you. You just said that someone could read someone else's medical data and there you are sitting on similar vulnerabilities out of principle. Shame.

I know first hand that such big telcos are slow and bureaucratic. But they still need help and patience. They do after all have all the important government contracts.


I think we need the equivalent of the Good Samaritan law for the CFAA for this.


Telia is just horrible. I use them because I have no other option where I live, which is very unusual in Sweden. Their support is absolute horse shit. You can't get a static ip unless you have a company and it regularly goes down for hours.

If you login on your account on their homepage you get this popup 1 time each day:

https://imgur.com/Y0Gx8EY

Where they utilize a dark pattern to make users check the boxes and have their customers' web traffic data monitored and analyzed for ad purposes. The only other option is "Svara senare", which translates to "Answer later". If you log in after 24 hours, the same popup will be shown until you tick those boxes.

This should be illegal.


Oh, and they sold data about torrent users. That's right. A Swedish ISP selling personally identifiable information. Not giving it out because of a court order.

I have steered many people away from them over the years. They would have to have at least a decade of good behaviour and a sun shining out of their ass before I would pick them.


> Oh, and they sold data about torrent users. That's right. A Swedish ISP selling personally identifiable information. Not giving it out because of a court order.

Very interesting, can you please say more or point to somewhere? I couldn't parse if the last sentence was about you or Telia.


This is surprisingly hard to find info about, but here is one part of it: https://www.svd.se/salde-uppgifter-till-porrutpressare


Telia's consumer business survives (in Sweden) because older people have a very hard to disrupt instinctive brand trust for them. I've been trying to get my mom off them for five years now...

The carrier business is a lot more sane.


And not to speak about their involvement with dictatorships and bribes.

https://www.svt.se/nyheter/granskning/ug/teliasonera-i-milja...


Who are the better alternatives in Sweden?


Bahnhof is usually suggested as they seem to be more privacy friendly.


That's pretty interesting, because in my experience [1] Telia is by far the best ISP in Estonia. However this is historically the government ISP that Telia purchased, so some of the culture might still be rather different.

To contrast with your experience, I've never had issues with the support, private customers can get static IPs just fine, and my fiber connection and router have uptime measured in years.

Also compared to other local ISPs, the Telia global peering is unmatched. Latency is consistently lower and connections to exotic countries still achieve high bandwidth.

--

[1] I've been a Telia client for over 20 years now at four different locations.


Wow. It's a complete tragic comedy.

> And, yes, it turns out that Telia's client does not attempt to verify the remote server's [customer's router] public key ...and then... Using malicious SSH server to trigger server side RCE !!

> First, Telia did not have a PGP key and did not know how to use it, so instead they asked us to ZIP the report with password and send the password over a separate email (private GMail). I hope Telia's engineers will be reading this article, so I would like to explain why the report should be encrypted. !!

> Thank you for the information. We will continue to check whether you made your report legally without violating any law. And we will ensure that no fake information will be published that could do any harm to the company's reputation and to the critical part of Lithuanian network infrastructure. !!

> And finally, we found that the hash was cracked and was available in the old "weakpass" database !!


Threatening the researcher really is the cherry on top here


I've known their `ladmin` password for a looong while - it was available online at least since 2015. And as far as I'm aware - the same password was used for multiple Telia routers' models (ADB-branded ones) - not just a single model.

There also was a user called `tadmin`, but I wasn't able to figure out the password for that one.


It's exceedingly likely that other ISPs do this exact same thing. I've always, always used my own router and, when possible, my own modem.

Even if it's not a glaring security hole like this one, using the ISP's router makes it easier for them to monitor you and serve you ads using "DNS assistance"-type programs. And most of the time you pay them for it with an extra $5-$10 on your monthly bill!


I really don't get the "Using malicious SSH server to trigger server side RCE" section. The language would do well with being a bit more clear wrt exactly which client and which server, and exactly where the RCE is happening.

> In order to exploit RCE we needed to build a virtual test environment that fully copies Telia's PHP client. Step by step we have gone through the sequence of Telia's commands sent over the SSH. And finally we got a malicious SSH server and a test libssh2 client running in our test lab. With this server we could fully control the protocol and start fuzzing.

> In the first few days of the fuzzing we got some crashes and partially confirmed that RCE may be exploited.

My first understanding of this:

- They eavesdropped on the "requests" (HTTP? Is there TCP tunneling involved?) using a malicious SSH server

- They replicated the HTTP (?) requests using some php code they wrote

- They then caused segfaults/infinite loops in their own PHP code

(Witness the task manager in that screenshot gif running on their own windows machine showing high cpu usage for a PHP process.)

This seems a bit away from an actual "Remote Code Execution on Telia Routers", unless I'm misunderstanding this fundamentally.

Perhaps their high-level thought process is like this?

1. The version numbers in the "php client", triggered by the change-your-wifi-password website, from a trusted IP (10.0.98.251) indicate that this client runs a version of libssh which allows for the password eavesdropping they did, and the php runtime, which is sometimes insecure.

2. Someone could perhaps use the fact that Telia is using PHP to hack their "remote management client" using a malicious ssh server at a customer endpoint.

3. Profit?

This is a very poorly written vulnerability report.

Anyway, @dang - I think the title "RCE on Telia Routers" is pretty incorrect. Suggestion: "Possible Telia consumer router security issue".


I think they ran their own SSH server on the router for the SSH connect-back from Telia's server. SSH password auth sends the password to the server [router here]. This is encrypted over the network, but the server [router] decrypts it, so then you have that password, shared between all the routers. I'm not sure if libssh being vulnerable was relevant to their attack or not, perhaps that's just an aside, given they physically own the router anyway.

SSH pubkey auth would have avoided the problem I guess. Not sure if it would have helped their attitude though.
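The host-key check the comments above say Telia's client skipped, written out as an added example (not code from the thread, from the disclosure, or from Telia). The management side pins each CPE's host key at provisioning time and refuses both a mismatch (something other than the provisioned router answered, e.g. a rogue SSH server on the customer side) and an unknown router, rather than trusting on first use. Only the standard library is used; the CPE identifiers and key bytes are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct


def ssh_ed25519_blob(raw_key: bytes) -> bytes:
    """Encode a raw 32-byte Ed25519 public key as an SSH wire-format blob
    (string "ssh-ed25519", then the key bytes as a length-prefixed string)."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + raw_key


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, '=' padding dropped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed registry (hypothetical CPE ids, demo key bytes): one pinned host
# key per router, recorded when it was provisioned, never learned on connect.
PINNED = {
    "cpe-0001": fingerprint(ssh_ed25519_blob(bytes(range(32)))),
    "cpe-0002": fingerprint(ssh_ed25519_blob(bytes(range(32, 64)))),
}


def check_host_key(cpe_id: str, presented_blob: bytes, pinned=PINNED) -> str:
    """Return 'ok', 'mismatch' or 'unknown'. Only 'ok' may proceed to
    authentication; anything else aborts before a password or key is sent.

    'mismatch' is the case discussed in the thread: the host that answered
    is not the provisioned router. 'unknown' must not become trust-on-first-use.
    """
    expected = pinned.get(cpe_id)
    if expected is None:
        return "unknown"
    presented = fingerprint(presented_blob)
    # Constant-time comparison; fingerprints are short but the habit is cheap.
    return "ok" if hmac.compare_digest(presented, expected) else "mismatch"


if __name__ == "__main__":
    genuine = ssh_ed25519_blob(bytes(range(32)))        # what cpe-0001 should present
    rogue = ssh_ed25519_blob(bytes(range(100, 132)))    # a different server answering
    print("cpe-0001 genuine:", check_host_key("cpe-0001", genuine))   # ok
    print("cpe-0001 rogue:  ", check_host_key("cpe-0001", rogue))     # mismatch
    print("cpe-9999 genuine:", check_host_key("cpe-9999", genuine))   # unknown
```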


> Perhaps their high-level thought process is like this?

Yes, I think you're right, and it was difficult to understand. The thinking is that, as you can trigger Telia's servers to connect to you, using software which appears past its expiration date, you may be able to exploit that software to root their command and control server. Do that and you own Telia's whole botnet of customers.


Strictly speaking they didn't show that two separate consumer routers have the same remote management password.


They didn't show it but they did say the old routers share the same password. I can take that at face value, it's easy enough for a Lithuanian researcher to verify by asking a friend, I assume they did.

They say later models allow only pub keys but didn't go into more details. I would assume they all have the same keys in firmware if not shown otherwise.

Either way, the Telia CnC server would know all unique (if so) passwords or keys, so it may make little difference if exploited.


> but they did say the old routers share the same password

Ah, missed that.


Doesn't surprise me. Spectrum has the same thing here in the US. All their devices have telnet or SSH or web access on an internal VLAN, with weak passwords like "T!m3W4rn3rC4bl3" (I'm not joking). A list of passwords was readily accessible to, at least, all SMB customer support technicians in the old TWC areas as of a few years ago.


Thank you for this. The world needs more people like you. Also, well written article and the timeline detail was great!


Misleading title, these are cpe NAT boxes.


Agree - came here concerned Telia backbone routers had an issue...


I came here six hours ago thinking my mom's Telia-connected Macbook Air was at risk. Turns out none of that is true. More active moderation, please.

Edit: Also: Why is all of the technical discussion on this topic at the bottom of the page?


Well, if the hackers have the root password on the CPE NAT gateway, the MacBook probably is at risk of a MITM; those gateways have iptables, probably, after all. Plus when you've got a gateway you can do things like screw with the network time to invalidate HSTS certificates or inject so many rules Firefox forgets the old one and you can MITM with a new HTTPS certificate!


You missed the fact that the cpe nat gateway according to the article limited that root access to a particular non-routed IP. So, first you've got to hack that machine at Telia.



