Connect Box CH7465LG: Unauthenticated Remote Code Execution (CVE-2019-13025)

October 1, 2019

Introduction

The following work was conducted on the Connect Box CH7465LG with the firmware version CH7465LG-NCIP-6.12.18.24-5p8-NOSH running Linux 3.12.14 on a Intel XScale CPU (armv6b). The device was supplied to me in February 2019 by Unitymedia as the default cable modem for new customers.

According to Unitymedia itself there are currently about 1.8 million customers using the Connect Box alone in Germany. 1 Since the Connect Box is also used by other ISPs such as KabelBW, UPC Austria and more the number of affected customers is even higher.

The device and firmware itself is produced by Compal and only branded by the different ISPs.

It is important to note, that the vulnerability listed below need access to the web interface of the cable modem. This can be achieved in two different ways:

  1. Being a client in the local network of the device.
  2. Accessing the web interface over the Internet via the remote maintenance feature.

A quick search of devices with open ports revealing the web interface with the help of Shodan shows several thousand affected devices. Not to mention that every single device is vulnerable if local access is available.

Remote Code Execution

The web interfaces offers ping and traceroute functions to test the network connection to other hosts. Although the web interface is protected by a password, most of the APIs do not require any form of authentication.

Vulnerability

Internally the implementation on both functions builds upon calling the ping and traceroute binaries on the shell provided by the operating system. The input parameters are only verified on the client-side in the web interface but not correctly escaped or verified within API endpoint itself. Therefore the endpoint is vulnerable to command injection by manipulating the POST parameters sent to the endpoint by including an escape sequence as well as the desired command(s).

Implementation

The ping and traceroute function both can be found in libhttp_plugin.so2 named cbn_http_xml_start_pin and cbn_http_xml_start_tracert. I’ve attached the shared library for readers which may be interested in having a closer look on their own.

Furthermore I’m planning to release a more detailed post about the whole process of:

  1. Finding the first vulnerability while examining the web interface.
  2. Gaining remote code execution.
  3. Dumping the firmware of the device.
  4. Further analysis of the firmware and the discovery of more vulnerabilities.

Nevertheless, I would like to point out (even if it should be obvious) that it is essential to always escape and verify the user input arguments when executing commands on the shell. It’s also recommended to avoid invoking the shell in general by using exec() instead of system().

Proof of Concept

A PoC to sent arbitrary commands to be executed on the shell of the device can be found in my GitHub repository. By doing so we can for example start a telnet server on the device and connect to the provided debug CLI.

Timeline

25 June 2019: First message to an employee from Liberty Global.

26 June 2019: First response as well as transfer of my issue to a superior.

28 June 2019: Submission of a written report to the proposed file sharing platform. Proposed date for full-disclosure is +90 days.

28 June 2019: Submission of the CVE ID request (CVE-2019-13025).

22 September 2019: I noticed an automatic firmware update (CH7465LG-NCIP-6.12.18.25-2p6-NOSH) on my device which patches the vulnerability.

25 September 2019: Originally planned date for full-disclosure (90-day deadline) of the vulnerabilities.

1 October 2019: Publication of this article and the GitHub Repository. Request sent to the CVE team to release the CVE entry to the public.

2 October 2019: German news portals report about the found vulnerabilities 3 and publish a statement by Unitymedia, stating that 95% of the affected 2.2 million devices deployed by Unitymedia have been patched.