Router RTA04N Backdoor
Responsáveis: * Raphael Bastos aka coffnix * Ewerson Guimarães aka Crash
Colaboração: * Gabriel Lanzi aka Glanzi
Who put the backdoor in my router?
- 1 Research Information
- 2 Abstract
- 3 Detailed Outline
- 4 The device
- 5 Legal
- 6 More strange stuffs..
- 7 Exploring the backdoor
This is a INDEPENDENT research conduced by two freaks:
- Raphael Bastos(Coffnix) - That efectvitly found the backdoor.
- Ewerson Guimarães (Crash): Continue the research, did more device tests and contact with vendors.
For quite some time we have been seeing espionage cases reaching countries, governments and large companies.
A large number of backdoors were found on network devices, mobile phones and other related devices, having as main cases the ones that were reported by the media, such as: TPLink, Dlink, Linksys, Samsung and other companies which are internationally renowned.
This article will discuss a backdoor found on the modem / router XXX, equipment that has a big question mark on top of it, because there isn’t a vendor identification and no information about who’s its manufacturer and there are at least 7 companies linked to its production, sales and distribution in the market. Moreover, some of them never really existed. Which lead us to question on the research title: “Who put the backdoor in my modem?”
In a recent research on a RTA04N device, supplied by GVT (Brazilian ISP) we have found some intriguing facts:
The vendor’s website does exist, but has only one screen with its logo, without any other links to other areas such as manuals, support and firmware
Router GVT from Belo Horizonte-Minas Gerais / Brazil.
Strange default SSID and Password based on MAC Address and S/No.:
Router provided by GVT (Coffnix Home Router):
Router obtained after social engineering in technician GVT (purchased for $ 25):
Click to enlarge:
- Model: RTA04N 1T1R
- ADSL: RTL8672-vK + RTL8271B
- WiFi: RTL8188RE
- ESMT M12L128168A-6T (2M x 16 Bit x 4 Banks Synchronous DRAM = 16Mbytes) - http://www.alldatasheet.com/view.jsp?Searchword=M12l128168a
- RJ45: 4 ports
- RJ11: 1 port
- Features: SNMP agent and TR069 (CWMP)
More infos: http://www.baytec.com.br/produtos.asp
User Manual: http://www.baytec.com.br/RTA04N_User_Manual_V0.1.pdf
Consulting the approved register in ANATEL ( Brazilian National Telecomunication Agency):
Regulate, and supervise grant. Thus can be summarized the main duties of Anatel, developed to fulfill the mission of "promoting the development of telecommunications in the country in order to give it a modern and efficient telecommunications infrastructure capable of providing adequate services to society and diversified prices just around the national territory.
We can see more one company in the process, BAYTEC Technology:
How we can see, this device was approved at end of 2012 and until recent days it is distributed by GVT.
How many people received thos device only in Brazil?
More strange stuffs..
Address: Rua Aluisio Azevedo - 40 - Rocha - Rio de Janeiro-RJ / Brazil - CEP: 20960-050
In the device manger you can see Observa Telecom but....
The device has the mac started by E4:C1:46 referring to the company: Objectivo y Servicios de Valor Anadido – which in the end, refers directly to ObservaTelecom
The vendor’s website “exist”, but has only one screen with its logo, without any other links to other areas such as manuals, support and firmware.
Of course, they dont reply emails...
Of course, he dont reply (11)emails...
GVT (Global Village Telecom)
This device is distributed by GVT. A big Brazilian Internet Service Provider player.
According to GVT technical support, this modem/router is not supported by them. Are you serious? Dont belive? Take a look at:
Consulting the BayTec site was possible found the device firmware.
Opening its firmware in hexadecimal we can see that its made by TPLINK.
# strings -n 10 webupload.img > strings.out
# hexdump -C webupload.img > hex.out
The router/modem has two default users created, one is admin and the other user, both with password gvt12345. According to the manual (pages 12 and 71):
Thus, we have two lines of thought:
1 - GVT replaces the original firmware for a proprietary firmware.
2 - The firmware has already been shipped with GVT settings.
And last but not least, when backing it up, as indicated in the manual, we can get the following information:
We can clearly see the flags indicated on lines 548, 555 and 562, with a special emphasis on line 562 which has its value setted as 0x1.
Thus, you can login with admin user using either passwords, furthermore, every user setted with the flag N=”BACKDOOR” V=”0x1” is not shown in the modem/router user list in web admin interface.
Download config: https://www.area31.net.br/downloads/rta04n/config.img
To be sure, we searched for D590airocon password on google and it hasn’t returned any results:
To validate our theory, we bought the same model modem/router.
We found that the backdoor password is composed of:
- Last 4 digits of the MAC addr + airocon string
I think that the MAC Address was choose because it’s sent over the network, facilitating the device invasion.
Searching for the airocon string, we have found a company in which the site no longer exists:
Exploring the backdoor
After running nmap against the router it was possible to login with the password D590airocon
on SSH and telnet in a limited shell.
Login with normal admin user ( admin:gtv12345)
The commands “sh” ans login show dont works.
Login with backdoor user: (admin:4_last_mac_chras+airocon)
You can see that the prompt is different after execute sh command.
And the amount of commands was increased:
The “login show” command shows the backdoor (which is not shown on the web admin interface)
In this shell is possible to have full access to the device’s functionality.
Taking a closer look at the device’s memory it was possible to find some interesting information:
Redirection link to Chinese company:
Even after reset it was possible to retrieve the device’s previous user name:
The device saves neighbour network names:
Sensitive data about GVT credential services:
Furthermore, the admin page for the backdoor user is completely different from the common admin page.
When accessing the following return error 404 file not found (index.html)
Which obviously does not give access to anything. However, trying to force filenames we could identify some files in the router root directory:
Ping screen for normal user:
Ping screen for backdoor user:
Finally, the next question is: “Who put the backdoor in the modem?”
- China Unicon?