Introduction

The following work was conducted on the Connect Box CH7465LG with the firmware version CH7465LG-NCIP-6.12.18.24-5p8-NOSH running Linux 3.12.14 on a Intel XScale CPU (armv6b). The device was supplied to me in February 2019 by Unitymedia as the default cable modem for new customers.

According to Unitymedia itself there are currently about 1.8 million customers using the Connect Box alone in Germany. ¹ Since the Connect Box is also used by other ISPs such as KabelBW, UPC Austria and more the number of affected customers is even higher.

The device and firmware itself is produced by Compal and only branded by the different ISPs.

It is important to note, that the vulnerability listed below need access to the web interface of the cable modem. This can be achieved in two different ways:

1. Being a client in the local network of the device.
2. Accessing the web interface over the Internet via the remote maintenance feature.

A quick search of devices with open ports revealing the web interface with the help of Shodan shows several thousand affected devices. Not to mention that every single device is vulnerable if local access is available.

Remote Code Execution

The web interfaces offers ping and traceroute functions to test the network connection to other hosts. Although the web interface is protected by a password, most of the APIs do not require any form of authentication.

Vulnerability

Internally the implementation on both functions builds upon calling the ping and traceroute binaries on the shell provided by the operating system. The input parameters are only verified on the client-side in the web interface but not correctly escaped or verified within API endpoint itself. Therefore the endpoint is vulnerable to command injection by manipulating the POST parameters sent to the endpoint by including an escape sequence as well as the desired command(s).

Implementation

The ping and traceroute function both can be found in libhttp_plugin.so² named cbn_http_xml_start_pin and cbn_http_xml_start_tracert. I’ve attached the shared library for readers which may be interested in having a closer look on their own.

Furthermore I’m planning to release a more detailed post about the whole process of:

1. Finding the first vulnerability while examining the web interface.
2. Gaining remote code execution.
3. Dumping the firmware of the device.
4. Further analysis of the firmware and the discovery of more vulnerabilities.

Nevertheless, I would like to point out (even if it should be obvious) that it is essential to always escape and verify the user input arguments when executing commands on the shell. It’s also recommended to avoid invoking the shell in general by using exec() instead of system().

Proof of Concept

A PoC to sent arbitrary commands to be executed on the shell of the device can be found in my GitHub repository. By doing so we can for example start a telnet server on the device and connect to the provided debug CLI.

Timeline

2019-06-25: First message to an employee from Liberty Global.

2019-06-26: First response as well as transfer of my issue to a superior.

2019-06-28: Submission of a written report to Liberty Global. Proposed date for full-disclosure is +90 days.

2019-06-28: Submission of the CVE ID request (CVE-2019-13025).

2019-09-22: I noticed an automatic firmware update (CH7465LG-NCIP-6.12.18.25-2p6-NOSH) on my device, which patches the vulnerability.

2019-09-25: Originally planned date for full-disclosure (90-day deadline) of the vulnerabilities.

2019-10-01: Publication of this article and the GitHub Repository. Contacted CVE team in order to release the CVE entry to the public.

2019-10-02: German news portals report about the found vulnerabilities ³ and publish a statement by Unitymedia, stating that 95% of the affected 2.2 million devices deployed by Unitymedia have been patched.