
[Full-disclosure] BT HomeHub 3.0b Remote (LAN) vulnerability



Vulnerability Report: BT HomeHub 3.0b

***********************

Report Date: 7 December 2012
Version: 1.01 
Prepared by: Zachary Cutlip, zcutlip@xxxxxxxxxxxxx
             Tactical Network Solutions, LLC

***********************

Summary: The BT HomeHub 3.0b has a remote[1] vulnerability that gives an 
attacker fully privileged (root) access to the device.

***********************

Details: The 'bcmupnp' application installed and running on the BT HomeHub 
3.0b mishandles M-SEARCH SSDP[2] requests.

By specifying a "uuid:" URI in the Search Target (ST:) header, an attacker can 
supply an excessively long string in place of a valid UUID.  The overlong value 
is not rejected, and the request crashes the application in a way that hands 
control of execution to the attacker.  'bcmupnp' runs fully privileged on this 
device, so a successful exploit results in fully privileged arbitrary code 
execution.
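The request shape described above, as an added example that is not part of the advisory and not the released PoC: it builds an SSDP M-SEARCH datagram with an arbitrary ST value (well-formed or oversized), and shows the check a responder should apply to the ST header before copying it anywhere. The multicast address, header layout and UUID form come from UPnP Device Architecture 1.1; MAX_ST_LEN is an assumed bound, and all datagrams are constructed locally, so nothing is sent unless you call send_msearch yourself on a LAN you are authorized to test.

```python
import re
import socket
from typing import List, Optional, Tuple

# SSDP multicast group and port from UPnP Device Architecture 1.1.
SSDP_ADDR = ("239.255.255.250", 1900)

# Canonical UUID form (8-4-4-4-12 hex digits, 36 characters).
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Assumed upper bound for an ST value; legitimate search targets are far shorter.
MAX_ST_LEN = 128


def build_msearch(st: str, mx: int = 2) -> bytes:
    """Construct an M-SEARCH datagram carrying the given Search Target (ST)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST: 239.255.255.250:1900",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_st(datagram: bytes) -> Optional[str]:
    """Return the ST header value of an M-SEARCH datagram, or None if absent."""
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("M-SEARCH "):
        return None
    for line in lines[1:]:
        # Split on the first colon only: the value itself contains colons
        # ("uuid:...", "urn:...").
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "st":
            return value.strip()
    return None


def check_st(st: str) -> Tuple[bool, str]:
    """Validate an ST value the way a hardened responder should, before the
    value is copied into any fixed-size buffer."""
    if len(st) > MAX_ST_LEN:
        return False, "ST value exceeds maximum length"
    if st.startswith("uuid:"):
        if not UUID_RE.match(st[len("uuid:"):]):
            return False, "malformed uuid in ST"
        return True, "device uuid"
    if st in ("ssdp:all", "upnp:rootdevice"):
        return True, "well-known search target"
    if st.startswith("urn:"):
        return True, "urn search target"
    return False, "unknown search target"


def classify(datagram: bytes) -> Tuple[bool, str]:
    """Parse and validate a datagram; False means a responder should drop it."""
    st = parse_st(datagram)
    if st is None:
        return False, "not an M-SEARCH or no ST header"
    return check_st(st)


def send_msearch(datagram: bytes, timeout: float = 2.0) -> List[bytes]:
    """Send a datagram to the SSDP multicast group and collect replies until
    the timeout expires.  Not called here; use only on a network you own."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    replies: List[bytes] = []
    try:
        sock.sendto(datagram, SSDP_ADDR)
        while True:
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                break
            replies.append(data)
    finally:
        sock.close()
    return replies


if __name__ == "__main__":
    # Constructed inputs: a normal discovery, a valid device uuid, and the
    # oversized uuid: value described in the advisory.
    for st in ("ssdp:all",
               "uuid:12345678-1234-1234-1234-123456789abc",
               "uuid:" + "A" * 2000):
        print(len(st), classify(build_msearch(st)))
```

A responder that applied check_st before touching the ST value would drop the oversized request instead of crashing; on the LAN side this same check is also a reasonable signature for an IDS watching UDP/1900.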

***********************

Affected Products:
BT HomeHub 3.0b Firmware version V100R001C01B031SP09_L_B
BT HomeHub 3.0b Firmware version V100R001C01B031SP12_L_B (Latest tested)

***********************

Mitigation:

End user:
The end user does not appear to be vulnerable to attack from the WAN.
The user should ensure that WPA or WPA2 encryption is enabled.  This restricts 
LAN access to authorized users or those users with physical access to the wired 
network.

If the user's LAN is a hostile network that cannot be restricted to authorized 
users, use of the affected product should be discontinued until the vendor can 
issue a patch.

Vendor:
The 'bcmupnp' program does not appear to be essential to the affected product's 
core functionality.  It could theoretically be disabled in a firmware update 
until such a time that it can be patched and re-enabled.

***********************

Exploit:

A proof-of-concept exploit for this vulnerability has been released.
Demonstration here:
https://vimeo.com/52954499

Exploit code here:
https://github.com/zcutlip/exploit-poc/tree/master/BT/homehub3b

***********************

Credit:

Credit for this discovery goes to Zachary Cutlip <zcutlip@xxxxxxxxxxxxx> and 
Tactical Network Solutions, LLC
Assistance provided by:

- Craig Heffner <cheffner@xxxxxxxxxxxxx>
- "asbokid" for initial firmware extraction.
- William K. and "dmcdonell" for providing hardware for analysis.
- Forum participants on http://www.kitz.co.uk/

------------
[1] Although this vulnerability only affects the local network (LAN) side of 
the device, not the Internet (WAN) side, it is a remote vulnerability in that 
it is network based and does not require physical access to the target device.

[2] "UPnP Device Architecture 1.1" 
http://www.upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf


***********************

Revision History:
12/13/2012    Fixed spelling error.
1/9/2013      Updated Credit section.
              Updated Exploit section.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/