Potentially Unsafe 2WIRE and Clear 4G Modems

Your modem is probably not safe. 

This was just something I ran across while scanning my own servers. I own an AT&T 2WIRE gateway/modem/router and a wireless Clear 4G modem for mobile use. I have seen some questions regarding the open ports on forums, so I thought I would dig deeper and provide a detailed analysis. AT&T customers using the standard 2WIRE modem/router will find that port 443 (HTTPS) is open by default on the modem (to the internet) despite not being added in any port forwarding rule. I found no option or setting in the firmware to modify this or close the port.

Scanning a /24 subnet, I found port 443 open on 55 different hosts. Extensive testing was done on my own device using the default firmware. IP addresses are withheld.

2WIRE

FYI: In these instances I'm using the Nmap flag -sV to determine service and version info, --script=banner to grab additional banner information from the service, --open (handy for returning only hosts with the port open), and -p for the port number.

nmap -sV --script=banner --open xx.xx.xx.1/24 -p 443

Nmap scan report for x-x-x-4.lightspeed.hstntx.sbcglobal.net (x.x.x.4)
Host is up (0.041s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http mini_httpd 1.19 19dec2003

Nmap scan report for x-x-x-5.lightspeed.hstntx.sbcglobal.net (x.x.x.5)
Host is up (0.0077s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http mini_httpd 1.19 19dec2003

Nmap scan report for x-x-x-41.lightspeed.hstntx.sbcglobal.net (x.x.x.41)
Host is up (0.048s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http mini_httpd 1.19 19dec2003

All hosts appear to be running mini_httpd 1.19, which is the latest and LAST version of the software. Several vulnerabilities are known for version 1.19.
Vulnerability Summary for CVE-2009-4490 : Mini_httpd 1.19 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window’s title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

Sources
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4490
http://www.ush.it/team/ush/hack_httpd_escape/adv.txt

  • The host returned nothing when accessed via a web browser: "Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data." Several of the hosts (not all of them) returned a 501 Not Implemented response code with additional data in the Nmap scan, indicating the web server does not understand or support the methods being sent to it.
  • Definition: "This error should be very rare in any Web browser. It is more likely if the client is not a Web browser – particularly if the Web server is old. In either case if the client has specified a valid request type, then the Web server is either responding incorrectly or simply needs to be upgraded."

Host is up (0.080s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/sip mini_httpd/1.19/bhoc 23sep2004 (Status: 501 Not Implemented)
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port443-TCP:V=5.21%T=SSL%I=7%D=7/10%Time=51DDF5B6%P=x86_64-unknown-linux-gnu%r(GenericLines,1EA,"\(null\)\x20400\x20Bad\x20Request\r\nServer:\x20m
SF:ini_httpd/1\.19/bhoc\x2023sep2004\r\nDate:\x20Wed,\x2010\x20Jul\x202013
SF:\x2023:59:52\x20GMT\r\nCache-Control:\x20no-cache,no-store\r\nContent-T
SF:ype:\x20text/html;\x20charset=UTF-8\r\nConnection:\x20close\r\n\r\n
SF:L>\n<HEAD><TITLE>400\x20Bad\x20Request</TITLE></HEAD>\n<BODY\x20BGCOLOR
SF:=\"#cc9999\"\x20TEXT=\"#000000\"\x20LINK=\"#2020ff\"\x20VLINK=\"#4040cc
SF:\">\n<H4>400\x20Bad\x20Request</H4>\nCan't\x20parse\x20request\.\n<HR>\
SF:n<ADDRESS><A\x20HREF=\"http://www\.acme\.com/software/mini_httpd/\">min
SF:i_httpd/1\.19/bhoc\x2023sep2004</A></ADDRESS>\n</BODY>\n</HTML>\n")%r(H
SF:TTPOptions,203,"HTTP/1\.0\x20501\x20Not\x20Implemented\r\nServer:\x20mi
SF:ni_httpd/1\.19/bhoc\x2023sep2004\r\nDate:\x20Wed,\x2010\x20Jul\x202013\
SF:x2023:59:52\x20GMT\r\nCache-Control:\x20no-cache,no-store\r\nContent-Ty
SF:pe:\x20text/html;\x20charset=UTF-8\r\nConnection:\x20close\r\n\r\n<HTML
SF:>\n<HEAD><TITLE>501\x20Not\x20Implemented</TITLE></HEAD>\n<BODY\x20BGCO
SF:LOR=\"#cc9999\"\x20TEXT=\"#000000\"\x20LINK=\"#2020ff\"\x20VLINK=\"#404
SF:0cc\">\n<H4>501\x20Not\x20Implemented</H4>\nThat\x20method\x20is\x20not
SF:\x20implemented\.\n<HR>\n<ADDRESS><A\x20HREF=\"http://www\.acme\.com/so
SF:ftware/mini_httpd/\">mini_httpd/1\.19/bhoc\x2023sep2004\n
SF:\n\n")%r(RTSPRequest,203,"RTSP/1\.0\x20501\x20Not\x20Impl
SF:emented\r\nServer:\x20mini_httpd/1\.19/bhoc\x2023sep2004\r\nDate:\x20We
SF:d,\x2010\x20Jul\x202013\x2023:59:52\x20GMT\r\nCache-Control:\x20no-cach
SF:e,no-store\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\nConnectio
SF:n:\x20close\r\n\r\n\n501\x20Not\x20Implemented</TITL
SF:E></HEAD>\n<BODY\x20BGCOLOR=\"#cc9999\"\x20TEXT=\"#000000\"\x20LINK=\"#
SF:2020ff\"\x20VLINK=\"#4040cc\">\n<H4>501\x20Not\x20Implemented</H4>\nTha
SF:t\x20method\x20is\x20not\x20implemented\.\n<HR>\n<ADDRESS><A\x20HREF=\"
SF:http://www\.acme\.com/software/mini_httpd/\">mini_httpd/1\.19/bhoc\x202
SF:3sep2004\n\n\n")%r(SIPOptions,202,"SIP/2\.0
SF:\x20501\x20Not\x20Implemented\r\nServer:\x20mini_httpd/1\.19/bhoc\x2023
SF:sep2004\r\nDate:\x20Thu,\x2011\x20Jul\x202013\x2000:00:42\x20GMT\r\nCac
SF:he-Control:\x20no-cache,no-store\r\nContent-Type:\x20text/html;\x20char
SF:set=UTF-8\r\nConnection:\x20close\r\n\r\n<HTML>\n<HEAD><TITLE>501\x20No
SF:t\x20Implemented</TITLE></HEAD>\n<BODY\x20BGCOLOR=\"#cc9999\"\x20TEXT=\
SF:"#000000\"\x20LINK=\"#2020ff\"\x20VLINK=\"#4040cc\">\n<H4>501\x20Not\x2
SF:0Implemented</H4>\nThat\x20method\x20is\x20not\x20implemented\.\n<HR>\n
SF:<ADDRESS><A\x20HREF=\"http://www\.acme\.com/software/mini_httpd/\">mini
SF:_httpd/1\.19/bhoc\x2023sep2004</A></ADDRESS>\n</BODY>\n</HTML>\n");

The vulnerability scan results returned 8 Medium vulnerabilities and 2 Low, all for port 443 (HTTPS).

Vulnerabilities By Plugin
15901 (1) – SSL Certificate Expiry
20007 (1) – SSL Version 2 (v2) Protocol Detection
26928 (1) – SSL Weak Cipher Suites Supported
42873 (1) – SSL Medium Strength Cipher Suites Supported
51192 (1) – SSL Certificate Cannot Be Trusted
57582 (1) – SSL Self-Signed Certificate
42880 (1) – SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
65821 (1) – SSL RC4 Cipher Suites Supported
11219 (2) – Nessus SYN scanner
22964 (2) – Service Detection
10107 (1) – HTTP Server Type and Version
10287 (1) – Traceroute Information
10863 (1) – SSL Certificate Information
11936 (1) – OS Identification
12053 (1) – Host Fully Qualified Domain Name (FQDN) Resolution
19506 (1) – Nessus Scan Information
21643 (1) – SSL Cipher Suites Supported
24260 (1) – HyperText Transfer Protocol (HTTP) Information
25220 (1) – TCP/IP Timestamps Supported
31422 (1) – Reverse NAT/Intercepting Proxy Detection
45590 (1) – Common Platform Enumeration (CPE)
50845 (1) – OpenSSL Detection
54615 (1) – Device Type
56984 (1) – SSL / TLS Versions Supported
62563 (1) – SSL Compression Methods Supported

***************************************************************************************************************

Port 3479/tcp is also commonly found to be open. It may be used for several services, including Remote Procedure Call and trojans.

"The 2Wire protocol associated with the system port 3749 is described as a modified XML based RPC which allows HomePortal devices to create a communication link with the datacenter. This communication foundation is used for receiving of contents, updates and programming of related devices. This protocol intends to mitigate communication issues that may hamper effective transmission interface."

nmap -sV --script=banner --open xx.xx.xx.6 -p 3479

3479/tcp open unknown
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3479-TCP:V=5.21%I=7%D=7/10%Time=51DDF5B0%P=x86_64-unknown-linux-gnu
SF:%r(GetRequest,CD,"HTTP/1\.0\x20404\x20Not\x20Found\r\nServer:\x202Wire\
SF:x20TR-069\r\nContent-Length:\x200\r\nAllow:\x20GET\r\nWWW-Authenticate:
SF:\x20d=10\x20\x20\x20set_mask=0x4101fe97\x20\x20\x20handle_evt=0x40a0448
SF:d\r\nDate:\x20Wed,\x2010\x20Jul\x202013\x2023:59:45\x20GMT\r\nConnectio
SF:n:\x20Close\r\n\r\n")%r(FourOhFourRequest,CD,"HTTP/1\.0\x20404\x20Not\x
SF:20Found\r\nServer:\x202Wire\x20TR-069\r\nContent-Length:\x200\r\nAllow:
SF:\x20GET\r\nWWW-Authenticate:\x20d=10\x20\x20\x20set_mask=0x4101fe97\x20
SF:\x20\x20handle_evt=0x40a0448d\r\nDate:\x20Thu,\x2011\x20Jul\x202013\x20
SF:00:00:18\x20GMT\r\nConnection:\x20Close\r\n\r\n");

Results from the vulnerability scan report the remote web server type as 2Wire TR-069 and the remote operating system as Linux Kernel 2.4 / Linux Kernel 2.6. From the results we are able to obtain the type of modem in use ('2WIRE'), the architecture ('x86_64-unknown-linux-gnu'), and the remote time ('Date: Thu, 11 Jul 2013 00:00:18 GMT').
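Nmap prints fingerprints for services it cannot identify in its compressed SF format (line-wrapped, with non-printable bytes written as \xHH and grammar characters backslash-escaped), which is why the Date header is awkward to read straight off the scan. The Python below is an added example, not part of the original post: it reassembles the wrapped SF lines, undoes the escaping, parses each probe response into a status line and headers, and checks the per-probe hex length against the decoded response as a sanity check on the decode. The sample is the port 3479 fingerprint printed above. One point worth knowing when reading these headers: the P= field is the platform Nmap itself was compiled for (as documented in Nmap's fingerprint format), so the decoder reports it as scanner_platform rather than as a property of the remote device.

```python
import re

# Service fingerprint for port 3479 as Nmap printed it in the scan above
# (page data; the line wrapping is Nmap's own).
SAMPLE_FINGERPRINT = r"""
SF-Port3479-TCP:V=5.21%I=7%D=7/10%Time=51DDF5B0%P=x86_64-unknown-linux-gnu
SF:%r(GetRequest,CD,"HTTP/1\.0\x20404\x20Not\x20Found\r\nServer:\x202Wire\
SF:x20TR-069\r\nContent-Length:\x200\r\nAllow:\x20GET\r\nWWW-Authenticate:
SF:\x20d=10\x20\x20\x20set_mask=0x4101fe97\x20\x20\x20handle_evt=0x40a0448
SF:d\r\nDate:\x20Wed,\x2010\x20Jul\x202013\x2023:59:45\x20GMT\r\nConnectio
SF:n:\x20Close\r\n\r\n")%r(FourOhFourRequest,CD,"HTTP/1\.0\x20404\x20Not\x
SF:20Found\r\nServer:\x202Wire\x20TR-069\r\nContent-Length:\x200\r\nAllow:
SF:\x20GET\r\nWWW-Authenticate:\x20d=10\x20\x20\x20set_mask=0x4101fe97\x20
SF:\x20\x20handle_evt=0x40a0448d\r\nDate:\x20Thu,\x2011\x20Jul\x202013\x20
SF:00:00:18\x20GMT\r\nConnection:\x20Close\r\n\r\n");
"""

FIRST_LINE_RE = re.compile(r"^SF-Port(\d+)-(\w+):(.*)$")
# %r(ProbeName,HexLength,"escaped response")  -- quotes inside are written \"
PROBE_RE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
ESCAPE_RE = re.compile(r"\\(x[0-9A-Fa-f]{2}|.)")


def unescape(s):
    """Undo SF escaping: \\xHH for non-printables, \\r \\n \\t \\0, and a
    backslash before grammar characters such as . " ( ) and backslash itself."""
    def repl(m):
        esc = m.group(1)
        if esc[0] == "x" and len(esc) == 3:
            return chr(int(esc[1:], 16))
        return {"r": "\r", "n": "\n", "t": "\t", "0": "\0"}.get(esc, esc)
    return ESCAPE_RE.sub(repl, s)


def join_fingerprint(text):
    """Reassemble the wrapped SF lines into (port, proto, body); continuation
    lines are concatenated directly, so escapes split across lines rejoin."""
    port = proto = None
    parts = []
    for line in text.splitlines():
        line = line.strip()
        m = FIRST_LINE_RE.match(line)
        if m:
            port, proto = int(m.group(1)), m.group(2)
            parts.append(m.group(3))
        elif line.startswith("SF:"):
            parts.append(line[3:])
    return port, proto, "".join(parts)


def parse_http_response(raw):
    """Split a decoded HTTP-style response into its status line and a
    lower-cased header dict (body, if any, is ignored)."""
    lines = raw.split("\r\n")
    headers = {}
    for h in lines[1:]:
        if not h:
            break
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return lines[0], headers


def parse_fingerprint(text):
    port, proto, body = join_fingerprint(text)
    first_probe = body.find("%r(")
    if first_probe < 0:
        first_probe = len(body)
    # Header fields: V=nmap version, D=scan date, Time=epoch hex,
    # P=platform Nmap was compiled for (scanner side), T=SSL when tunnelled.
    meta = dict(f.split("=", 1) for f in body[:first_probe].split("%") if "=" in f)
    probes = {}
    for name, length, resp in PROBE_RE.findall(body):
        decoded = unescape(resp)
        status, headers = parse_http_response(decoded)
        probes[name] = {"length": int(length, 16), "length_ok": len(decoded) == int(length, 16),
                        "status": status, "headers": headers}
    return {"port": port, "proto": proto, "nmap_version": meta.get("V"),
            "scanner_platform": meta.get("P"), "probes": probes}


def server_banners(parsed):
    """Distinct Server header values seen across all probes."""
    return {p["headers"]["server"] for p in parsed["probes"].values() if "server" in p["headers"]}


if __name__ == "__main__":
    result = parse_fingerprint(SAMPLE_FINGERPRINT)
    print(result["port"], result["proto"], "scanner platform:", result["scanner_platform"])
    for name, p in result["probes"].items():
        print(name, p["status"], p["headers"].get("server"), p["headers"].get("date"), p["length_ok"])
```

The length check matters when you are reading a fingerprint that was copied through a blog or mailing list: if the decoded response does not match the hex length, some of the wrapped lines were lost or mangled in transit, as happened to parts of the port 443 fingerprint earlier on this page.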

***************************************************************************************************************

Clear 4G

Clear 4G customers were also found to have port 53 (DNS) and sometimes 49152 and 49154 open. If there were a DNS server running, this would be acceptable. Again, there is no option to close this port. The only DNS option in the firmware is to enable OpenDNS, which does not require you to run a DNS server.

nmap -sV --script=banner --open -p 53 x.x.x.1/24

Starting Nmap 5.21 ( http://nmap.org ) at 2013-07-10 18:12 CDT
NSE: Script Scanning completed.

Nmap scan report for  x-x-x-13.hou.clearwire-wmx.net (x.x.x.13)
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped

Nmap scan report for  x-x-x-19.hou.clearwire-wmx.net (x.x.x.19)
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped

Nmap scan report for x-x-x-24.hou.clearwire-wmx.net (x.x.x.24)
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped


Port 53 appears to be open on all of the live hosts, indicating it's open on every modem, while 49152 and 49154 are open less often and sometimes both on the same host. Not really a big deal.

Port 49154 – Xsan Filesystem Access  http://www.speedguide.net/port.php?port=49154
Port 49152 – uTorrent, and Azureus/Vuze p2p torrent clients often use this port.  http://www.speedguide.net/port.php?port=49152
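The scans in both sections above are the kind of thing worth re-running against your own address after a firmware update or after moving the gateway to bridged mode, to confirm the ports are actually gone. As an added example (not part of the original post), the Python below parses Nmap's normal output in the layout quoted above into an inventory, flags the findings this post is concerned with (mini_httpd 1.19 with its cited CVE-2009-4490, tcpwrapped, and unidentified services), lists which hosts still expose a given port, and counts hosts per service. The sample output is constructed in the page's format with placeholder hosts and IPs; the watch-list wording is mine.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Nmap output quoted in both sections
# above (placeholder hostnames and IPs, as in the post).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for x-x-x-4.lightspeed.hstntx.sbcglobal.net (x.x.x.4)
Host is up (0.041s latency).
PORT     STATE SERVICE  VERSION
443/tcp  open  ssl/http mini_httpd 1.19 19dec2003
3479/tcp open  unknown

Nmap scan report for x-x-x-5.lightspeed.hstntx.sbcglobal.net (x.x.x.5)
Host is up (0.0077s latency).
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http mini_httpd 1.19 19dec2003

Nmap scan report for x-x-x-13.hou.clearwire-wmx.net (x.x.x.13)
Host is up (0.13s latency).
PORT      STATE SERVICE    VERSION
53/tcp    open  tcpwrapped
49152/tcp open  unknown
"""

HOST_RE = re.compile(r"^Nmap scan report for\s+(\S+)(?:\s+\((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Watch-list of findings worth acting on.  The mini_httpd entry is the CVE the
# post cites; the other two explain what Nmap's service column is telling you.
WATCHLIST = [
    (re.compile(r"^mini_httpd 1\.19\b"),
     "mini_httpd 1.19: last release of the software, CVE-2009-4490 (unsanitised log output)"),
    (re.compile(r"^tcpwrapped$"),
     "tcpwrapped: TCP handshake completed but the service closed the connection; identity unknown"),
    (re.compile(r"^unknown$"),
     "unidentified service: review the SF fingerprint and the device's documented management ports"),
]


def parse_nmap_output(text):
    """Return one dict per port line: host, ip, port, proto, state, service, version."""
    findings, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            current = {"host": m.group(1), "ip": m.group(2) or m.group(1)}
            continue
        m = PORT_RE.match(line)
        if m and current:
            findings.append({**current, "port": int(m.group(1)), "proto": m.group(2),
                             "state": m.group(3), "service": m.group(4),
                             "version": m.group(5).strip()})
    return findings


def flag_findings(findings):
    """Match each open port against WATCHLIST (version column first, then service)."""
    flagged = []
    for f in findings:
        if f["state"] != "open":
            continue
        for pattern, note in WATCHLIST:
            if pattern.search(f["version"]) or pattern.search(f["service"]):
                flagged.append((f["ip"], f["port"], note))
                break
    return flagged


def hosts_exposing(findings, port):
    """Sorted IPs that still have `port` open -- the post-mitigation check."""
    return sorted({f["ip"] for f in findings if f["port"] == port and f["state"] == "open"})


def exposure_summary(findings):
    """Count hosts per (port, version-or-service), e.g. how many gateways expose 443."""
    return Counter((f["port"], f["version"] or f["service"])
                   for f in findings if f["state"] == "open")


if __name__ == "__main__":
    fs = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    for ip, port, note in flag_findings(fs):
        print(f"{ip}:{port}  {note}")
    print("still exposing 443:", hosts_exposing(fs, 443))
    for (port, what), n in exposure_summary(fs).most_common():
        print(f"{n:3d} host(s)  {port}/tcp  {what}")
```

Feed it the saved output of `nmap -sV --open ... -oN scan.txt` for the hosts you are responsible for; an empty result from hosts_exposing(fs, 443) after the change is the evidence that the management port really is closed to the internet.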

Conclusion? These modems are shipping with firmware that discloses system information and is possibly running vulnerable software. I'm testing out a few things, such as the mini_httpd vulnerabilities against the 2WIRE, and will throw a few other things at both the Clear 4G and AT&T modems to see if direct access is obtainable. Several local vulnerabilities and authentication bypasses are available for these modems; however, remote access is what it's all about. I will update this post with results when I have time. Additional information and comments are welcome. My only suggestion is, if you are truly paranoid, use your own router and set the gateway/modem to bridged mode.
