CVE-2018-7631: RCE in ADB EpiCentro 7.3.2+ httpd

Introduction:
I found an unauthenticated remote code execution vulnerability in the httpd (web server) of the ADB firmware used in numerous VDSL devices sold by ADB and deployed by numerous ISPs worldwide, including in Austria, Israel, Italy, Slovakia, Argentina, Lithuania, Poland and Chile, amongst others.
I informed ADB and A1 Telekom Austria about the vulnerability identified in 2017, allowing them to prepare a fix prior to informing the public. As both parties have confirmed that fixes have now been rolled out to all customers in June 2018, I am disclosing the vulnerability. I have not tested the updates provided by the manufacturer/ISP and therefore can't comment on their effectiveness.

CVE-2018-7631: RCE in EpiCentro 7.3.2+ httpd

Product: EpiCentro
Vendor: ADB Global
Tested Version: 7.3.2
CVE ID: CVE-2018-7631
Severity: critical
Severity Rating: CVSS v3 Base Score: 10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Impact: Code Execution
Locally Exploitable: no
Remotely Exploitable: Yes

Product Description:
EpiCentro is the firmware name of ADB's (previously Pirelli) VDSL router/modem products, used by many ISPs worldwide, including Telekom Austria A1, to give their customers access to their infrastructure. Citation from the ADB website: "ADB's home gateways are equipped with Epicentro®, ADB's state-of-the-art software platform, which allows service providers to deploy software modules and applications over time via transparent TR-069 remote management, creating opportunities to provide function and service up-selling to the consumer on the same hardware device." See https://www.adbglobal.com/devices/broadband-gateways/

CVE Description:
The EpiCentro httpd (web server), which provides web-based access to the configuration of the devices, is susceptible to a buffer overflow resulting in remote code execution via a specially crafted GET request.

Technical Details:
Sending an HTTP GET request whose request target lacks a leading "/", and without any authentication, overflows a buffer on the stack. The overflow overwrites the saved frame pointer as well as the return address used to resume program execution, which finally leads to remote code execution.

The following GET request (shown as a screenshot in the original post):

Leads to (crash output shown as a screenshot in the original post):
Where the characters are represented in hexadecimal as follows:
A=0x41, B=0x42, C=0x43, D=0x44
1. Our input of B's ended up in register 16.
2. Our C's ended up in register 30 (FP).
3. Our D's ended up in register 31 (RA).
4. We did not provide a "/" in our request and therefore hit a different code branch than in CVE-2018-7632, overwriting the RA.

Where the registers are as follows (MIPS 32-bit processor, big endian):
ra = return address
$29 = stack pointer, points to the top of the stack
$30 = frame pointer, points to the start of the stack frame
$31 = ra, denoting the address where execution should resume
epc = address of the instruction that was running when the exception occurred

Note that the address at which execution of the next instruction is actually attempted is our input of 4444440d minus 1 (see the invalid read access from 4444440c). This is specific to the MIPS 32-bit processor execution architecture.

Additionally, it is important to note that the modules loaded by the firmware are nearly all located at the same memory addresses across reboots, which allows selecting from a wide variety of already existing instructions for building a useful instruction chain.
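As an added detection example (not code from the original advisory or from ADB), the following Python classifies raw HTTP request lines by the shape the advisory describes: a request target without the leading "/", an oversized target, and long runs of a single repeated byte such as the A/B/C/D filler above. The sample request lines and the 256-byte length budget are constructed assumptions; the advisory does not state the size of the vulnerable buffer.

```python
"""Flag HTTP request lines matching the CVE-2018-7631 trigger shape.

Added example, not part of the original advisory. Intended for scanning
web-server access logs or captured request lines on the defender's side.
"""
import re

# Constructed threshold: the advisory does not give the real buffer size.
MAX_TARGET_LEN = 256

REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)$"
)
ABSOLUTE_FORM = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def classify_request_line(line: str) -> list[str]:
    """Return the findings for one raw request line (empty list if benign)."""
    findings = []
    m = REQUEST_LINE.match(line.strip())
    if m is None:
        return ["malformed-request-line"]
    target = m.group("target")
    # Origin-form targets start with "/"; absolute-form targets start with a
    # scheme; "*" is the asterisk-form used by OPTIONS. Anything else is the
    # code path the advisory describes.
    if not (target.startswith("/") or target == "*" or ABSOLUTE_FORM.match(target)):
        findings.append("target-without-leading-slash")
    if len(target) > MAX_TARGET_LEN:
        findings.append("oversized-target")
    # 64 or more copies of one byte in a row is typical overflow filler.
    if re.search(r"(.)\1{63,}", target):
        findings.append("repeated-byte-run")
    return findings


# Constructed sample request lines (not captured from a real device).
SAMPLE_LINES = [
    "GET /index.html HTTP/1.1",
    "GET http://gateway.example/ HTTP/1.1",
    "GET " + "A" * 400 + " HTTP/1.1",
    "GET /" + "B" * 400 + " HTTP/1.1",
]


def scan(lines):
    """Map each flagged request line (truncated key) to its findings."""
    return {line[:40]: f for line in lines if (f := classify_request_line(line))}
```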
