Getting Root Access on Verizon FIOS-G1100

Friday, September 1, 2017

Preface

I wrote this post in September last year. Back in July, our team lead brought in a router and handed it to an intern to work on. He couldn’t crack it and eventually stopped. Later, when I had some free time, I continued, but the decryption part still wasn’t finished—halfway through I got pulled onto other work. So this is an unfinished post.

There are three firmware variants for the FIOS-G1100, and the files in their directories are mostly the same:

Frontier
Verizon
0.x.x
1.x.x.x.x
01.x.x.x

G1100 runs a CPE service as a backdoor and exposes port 4567. Verizon controls the device via the TR-069 protocol. If we set up a local ACS and modify the config to point the ACS URL to our local ACS, we can enable an SSH service with root privileges on the WAN interface.

Setting up a local ACS

GenieACS

GenieACS is an open-source TR-069 remote management system that supports device provisioning.

It requires Node.js, MongoDB, and Redis. DockerHub provides prebuilt images, so you can bring it up quickly. Install genieacs globally:

sudo npm install -g genieacs

Enter the npm module directory and run the services:

cd /usr/lib/node_modules/genieacs

Start the ACS service (default port 7547):

genieacs-cwmp

Start the GUI REST API service (default port 7557):

genieacs-nbi

GenieACS GUI

Download from GitHub and install dependencies:

git clone https://github.com/zaidka/genieacs-gui.git
cd genieacs-gui
cp config/graphs-sample.json.erb config/graphs.json.erb
cp config/index_parameters-sample.yml config/index_parameters.yml
cp config/summary_parameters-sample.yml config/summary_parameters.yml
cp config/parameters_edit-sample.yml config/parameters_edit.yml
cp config/parameter_renderers-sample.yml config/parameter_renderers.yml
cp config/roles-sample.yml config/roles.yml
cp config/users-sample.yml config/users.yml
bundle
rails s

You may hit a json gem version error here. Pin json to 1.8.4 in the Gemfile, like this:

gem 'json', '~> 1.8.4'

Modifying the configuration file

Encryption/decryption scripts (general-purpose scripts for decrypting FIOS config files):

https://gist.github.com/laanwj/5343bbb48759c8813b5807b43fd01fb6
https://gist.github.com/jameshilliard/7112235b62dd929d69d7980c979ae7c0
https://gist.github.com/jameshilliard/99191b2a2877220041dc8789fa07339a

The config file is encrypted. By analyzing /sbin/frontier4 (called bhr4 in firmware version 0.x), we can see the config file is encrypted via a function getEncryptedBase64Backup(): it uses OpenSSL’s EVP_aes_256_cbc and then Base64-encodes the result. As long as you extract the key and IV, you can decrypt it.

[screenshot: idapro_base64]

TODO

Although the key is fixed, it is generated at runtime rather than hard-coded. You need to obtain it dynamically in a QEMU environment. I’m leaving a note here; I didn’t have time to finish it.
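As an added illustration (not code from the post or from the linked gists), the following Go program implements the scheme the post attributes to getEncryptedBase64Backup(): PKCS#7 pad, AES-256-CBC, then Base64, with the reverse for decryption. The key and IV are constructed placeholders; the device's real values are not on this page and, as the note above says, have to be recovered at runtime. The decrypt side also strips line breaks, so Base64 wrapped at 64 columns (the form `openssl enc -a` emits) decodes too, and a malformed pad is reported instead of being silently accepted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed placeholder key and IV (assumption: the real G1100 values
// are not on this page). EVP_aes_256_cbc takes a 32-byte key, 16-byte IV.
var demoKey = []byte("0123456789abcdef0123456789abcdef")
var demoIV = []byte("fedcba9876543210")

// pkcs7Pad appends PKCS#7 padding, which OpenSSL's EVP layer applies
// by default before CBC encryption.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips PKCS#7 padding; a bad pad usually
// means a wrong key or IV, or a corrupted backup.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("invalid padding length")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptBackup: AES-256-CBC over the padded plaintext, then Base64.
func EncryptBackup(plain, key, iv []byte) (string, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return "", err
	}
	if len(iv) != block.BlockSize() {
		return "", errors.New("iv must be exactly one block long")
	}
	padded := pkcs7Pad(plain, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptBackup reverses EncryptBackup. Line breaks are removed first so
// that column-wrapped Base64 also decodes.
func DecryptBackup(b64 string, key, iv []byte) ([]byte, error) {
	clean := strings.NewReplacer("\r", "", "\n", "").Replace(b64)
	ct, err := base64.StdEncoding.DecodeString(clean)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, errors.New("iv must be exactly one block long")
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, block.BlockSize())
}

func main() {
	// Constructed stand-in for a config fragment; not a real backup.
	cfg := []byte(`{"name":"net.tr69_client.management_server.url","value":{"value":"https://acs.example.invalid"}}`)
	enc, err := EncryptBackup(cfg, demoKey, demoIV)
	if err != nil {
		panic(err)
	}
	dec, err := DecryptBackup(enc, demoKey, demoIV)
	if err != nil {
		panic(err)
	}
	fmt.Println(enc)
	fmt.Println(string(dec))
}
```

Once the real key and IV are known, `DecryptBackup` applied to a backup file is the whole decryption step; a padding error on a file you know is intact is the quickest sign that the recovered key or IV is wrong.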

Find the management_server.url section:

{
    "name": "net.tr69_client.management_server.url",
    "type": "string",
    "value": {
        "value": "https://cpe-ems0271.verizon.com/cwmpWeb/CPEMgt"
    }
}

Change the URL to your local ACS address:

http://192.168.1.241:7547

Upload the modified config file, and it will reboot automatically.

[screenshot: upload_configfile]
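The URL edit above is the whole lever: whoever controls management_server.url controls the device through TR-069. As an added example (not from the post), the Go program below locates that parameter in a decrypted config and either reads it or rewrites it. Reading it and comparing against the expected endpoint is a cheap tamper check on any backup you did not produce yourself. The sample document is constructed in the shape the post shows, assuming the entry sits in a list of parameter objects; the walker recurses through the whole document so the exact nesting does not matter, and it refuses inputs where the parameter is missing or appears more than once.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// acsURLParam is the parameter name shown in the decrypted config.
const acsURLParam = "net.tr69_client.management_server.url"

// Constructed sample in the shape the post shows (assumed to be a list of
// parameter objects); not a real backup.
var sampleConfig = []byte(`[
    {"name": "net.tr69_client.enabled", "type": "boolean", "value": {"value": "true"}},
    {
        "name": "net.tr69_client.management_server.url",
        "type": "string",
        "value": {"value": "https://cpe-ems0271.verizon.com/cwmpWeb/CPEMgt"}
    }
]`)

// walk visits every object in a decoded JSON document, calls fn on those
// whose "name" equals target, and returns how many matched.
func walk(node interface{}, target string, fn func(map[string]interface{})) int {
	n := 0
	switch v := node.(type) {
	case map[string]interface{}:
		if name, ok := v["name"].(string); ok && name == target {
			fn(v)
			n++
		}
		for _, child := range v {
			n += walk(child, target, fn)
		}
	case []interface{}:
		for _, child := range v {
			n += walk(child, target, fn)
		}
	}
	return n
}

// GetACSURL extracts the ACS URL from a decrypted config.
func GetACSURL(cfg []byte) (string, error) {
	var doc interface{}
	if err := json.Unmarshal(cfg, &doc); err != nil {
		return "", err
	}
	var url string
	n := walk(doc, acsURLParam, func(obj map[string]interface{}) {
		if inner, ok := obj["value"].(map[string]interface{}); ok {
			url, _ = inner["value"].(string)
		}
	})
	switch {
	case n == 0:
		return "", errors.New(acsURLParam + " not present")
	case n > 1:
		return "", fmt.Errorf("%s appears %d times", acsURLParam, n)
	case url == "":
		return "", errors.New(acsURLParam + " has no string value")
	}
	return url, nil
}

// SetACSURL replaces the ACS URL (the edit described in the post) and
// returns the re-serialized document, refusing ambiguous inputs.
func SetACSURL(cfg []byte, newURL string) ([]byte, error) {
	var doc interface{}
	if err := json.Unmarshal(cfg, &doc); err != nil {
		return nil, err
	}
	n := walk(doc, acsURLParam, func(obj map[string]interface{}) {
		inner, ok := obj["value"].(map[string]interface{})
		if !ok {
			inner = map[string]interface{}{}
			obj["value"] = inner
		}
		inner["value"] = newURL
	})
	if n != 1 {
		return nil, fmt.Errorf("expected exactly one %s entry, found %d", acsURLParam, n)
	}
	return json.MarshalIndent(doc, "", "    ")
}

func main() {
	before, _ := GetACSURL(sampleConfig)
	modified, err := SetACSURL(sampleConfig, "http://192.168.1.241:7547")
	if err != nil {
		panic(err)
	}
	after, _ := GetACSURL(modified)
	fmt.Printf("before: %s\nafter:  %s\n", before, after)
}
```

The output of `SetACSURL` is plaintext; it still has to go back through the encryption step before the device will accept it as an upload.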

Enabling SSH

Enable temporary SSH

From /etc/cwmp/cwmp.xml, we can see the device supports enabling SSH.

[screenshot: tr069_ssh_config]

Open the GenieACS GUI and you should see the device online.

[screenshot: device_status]

To control the device, you need to log in first (username/password: admin/admin).

[screenshot: login]

Get the list of configuration parameters:

[screenshot: genieacs_config]

Set X_D4A928_SSH_State to SSH_REMOTE, which means enabling remote access on the WAN interface:

InternetGatewayDevice.X_D4A928_SSH_State

Then refresh the value of X_D4A928_SSH_Session_Password (this is a one-time password):

InternetGatewayDevice.X_D4A928_SSH_Session_Password

After refreshing, SSH to port 22222 to log in. You can only log in once; if it fails, you need to disable SSH (SSH_REMOTE -> SSH_OFF) and repeat the two steps above.

Enable persistent SSH and modify firewall settings

The default SSH ports on the G1100 are 22 and 8022, but the firewall blocks them by default so you can’t access SSH directly. The web UI option for SSH firewall configuration was removed; you can use Burp to modify the request and disable the firewall block.

[screenshot: burp]

The G1100’s SSH service is customized. On boot, it generates its config file under /tmp/ssh from the template /etc/ssh/sshd_config.t.

By default it only allows admin to log in and chroots into /chroot. Modify it to allow any user to log in and remove the chroot; after reboot you’ll be able to connect.

Protocol 2
PidFile /var/run/sshd.pid
Subsystem       sftp    /libexec/sftp-server
Port (SSHD_PORT_1)
Port (SSHD_PORT_2)
SyslogFacility local4
PermitRootLogin yes
PermitEmptyPasswords yes
AllowUsers *

[screenshot: burp]

References

FIOS-G1100 Github

Genieacs API

Tags: Hardware Security, Verizon, FIOS, Genieacs
