Thursday, March 25, 2010, 11:33

Inside Siemens Gigaset SX76x aka Orcon Homehub

The Siemens Gigaset SX76x series is an all-in-one home gateway based on the Infineon Amazon chipset. It runs Linux.

The router is open to remote intrusion when the configuration interface is enabled on the WAN side: although the administrator's password would be needed to log in, the router's /etc/passwd file looks like the following:

/etc # cat passwd.orig

root:$1$Ti.t2P/E$OU3Xr59k2OjkeVluaQpkB/:0:0:administrator:/home/administrator:/bin/sh
administrator:$1$7WIPsS/.$QJSJt3IxzFigawX/g2pQf0:0:0:administrator:/home/administrator:/bin/mngmt
operator:$1$VhqoGai6$EdkaKBpVSaBsIuretrYc61:1:1:operator:/home/operator:/bin/mngmt
subscriber:$1$W5QC0pwK$QI0Ql99GxZ7xEP6wR8O5A0:2:2:subsrciber:/home/subscriber:/bin/mngmt

That is four users, and of those only the administrator user's password can be changed via the web interface; it is worth noticing that even the root password is hardcoded into the router firmware.
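An audit of the passwd file above, added here as an example and not part of the original post: it parses the four lines shown, flags the second UID 0 account, the accounts whose password cannot be changed by the owner (assumed, as the post states, to be everything except administrator) and the one account with a real shell, and names the crypt(3) scheme from the hash prefix.

```python
# /etc/passwd lines as shown on the page for the SX76x (passwd.orig)
PASSWD_ORIG = """\
root:$1$Ti.t2P/E$OU3Xr59k2OjkeVluaQpkB/:0:0:administrator:/home/administrator:/bin/sh
administrator:$1$7WIPsS/.$QJSJt3IxzFigawX/g2pQf0:0:0:administrator:/home/administrator:/bin/mngmt
operator:$1$VhqoGai6$EdkaKBpVSaBsIuretrYc61:1:1:operator:/home/operator:/bin/mngmt
subscriber:$1$W5QC0pwK$QI0Ql99GxZ7xEP6wR8O5A0:2:2:subsrciber:/home/subscriber:/bin/mngmt
"""

# crypt(3) hash prefixes; no prefix at all means the old 13-character DES scheme
HASH_SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$2": "bcrypt"}

def parse_passwd(text):
    """Split passwd(5) lines into dicts; raises on a malformed line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        entries.append({"name": fields[0], "hash": fields[1],
                        "uid": int(fields[2]), "shell": fields[6]})
    return entries

def hash_scheme(h):
    for prefix, name in HASH_SCHEMES.items():
        if h.startswith(prefix):
            return name
    return "descrypt"

def audit_passwd(text, changeable=("administrator",),
                 shells=("/bin/sh", "/bin/ash", "/bin/bash")):
    """Findings for a firmware passwd file. `changeable` lists the accounts whose
    password the product lets the owner set (assumption: only 'administrator'
    on the SX76x, as the post states); everything else is a fixed credential."""
    findings = []
    entries = parse_passwd(text)
    uid0 = [e["name"] for e in entries if e["uid"] == 0]
    if len(uid0) > 1:
        findings.append("multiple UID 0 accounts: " + ", ".join(uid0))
    for e in entries:
        if e["hash"] in ("", "*", "!", "!!"):
            continue  # locked or empty: no usable credential baked into the image
        if e["name"] not in changeable:
            findings.append("%s: password fixed in firmware (%s)"
                            % (e["name"], hash_scheme(e["hash"])))
        if e["shell"] in shells:
            findings.append("%s: full shell %s" % (e["name"], e["shell"]))
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_ORIG):
        print(finding)
```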

When we try to log into the router it only asks for a password:

[Screenshot: SX763 login form]

But if we submit that form while watching the request with, for example, the Tamper Data Firefox addon, we see the fields that are actually posted:

If we replace the admin_role_name field's value with operator and the your_password field's value with operator and send the form, we get inside. We can then activate ssh through a remote code execution bug in the web interface's firewall setup, and once there we can log in via ssh to get some information out of the device.
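The login flaw described above is the server trusting the admin_role_name value the browser posts. The following is an added example, not the router's code: a constructed account store with a login handler that trusts the posted role beside one that keeps the list of web-login accounts on the server side. Passwords and the PBKDF2 hashing are constructed for the example; the real device keeps md5crypt hashes.

```python
import hashlib
import hmac

# Constructed account store for the example. The real SX76x keeps md5crypt
# ($1$...) hashes in /etc/passwd; PBKDF2 is used here only so the example
# runs stand-alone, and none of these passwords are the device's.
_SALT = b"constructed-example-salt"

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)

ACCOUNTS = {
    "administrator": _pw_hash("owner-chosen-secret"),  # the one account the owner can change
    "operator":      _pw_hash("fixed-operator-pw"),    # baked into the firmware image
    "subscriber":    _pw_hash("fixed-subscriber-pw"),
}

def _credentials_ok(name, password):
    stored = ACCOUNTS.get(name)
    return stored is not None and hmac.compare_digest(stored, _pw_hash(password))

def login_as_shipped(form):
    """Trusts the admin_role_name value the browser posted: any firmware account,
    including those with fixed passwords, can be selected by editing the request."""
    return _credentials_ok(form.get("admin_role_name", ""), form.get("your_password", ""))

# Server-side policy: which accounts the web login form may authenticate at all.
WEB_LOGIN_ROLES = frozenset({"administrator"})

def login_hardened(form):
    """The page only asks for a password, so which account it belongs to is a
    server decision; a posted role is checked against the allowlist, never trusted."""
    role = form.get("admin_role_name", "administrator")
    if role not in WEB_LOGIN_ROLES:
        return False
    return _credentials_ok(role, form.get("your_password", ""))

if __name__ == "__main__":
    tampered = {"admin_role_name": "operator", "your_password": "fixed-operator-pw"}
    print("shipped:", login_as_shipped(tampered), "hardened:", login_hardened(tampered))
```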

Memory:

/etc # cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  30236672 29474816   761856        0  1687552 10248192
Swap:        0        0        0
MemTotal:        29528 kB
MemFree:           744 kB
MemShared:           0 kB
Buffers:          1648 kB
Cached:          10008 kB
SwapCached:          0 kB
Active:          12856 kB
Inactive:         8756 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:        29528 kB
LowFree:           744 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Committed_AS:    33236 kB
VmallocTotal:  1048560 kB
VmallocUsed:      2108 kB
VmallocChunk:  1046004 kB

Processor:

/etc # cat /proc/cpuinfo
system type             : AMAZON
processor               : 0
cpu model               : unknown V6.4
BogoMIPS                : 234.29
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 16
extra interrupt vector  : yes
hardware watchpoint     : yes
VCED exceptions         : not available
VCEI exceptions         : not available
AMAZON_CHIP_VERSION     : 3
AMAZON_CHIP_PART_NUMBER : ed
AMAZON_CHIP_MANID       : 41

Filesystems:

Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/root                 5056      5056         0 100% /
tmpfs                      512       184       328  36% /tmp
tmpfs                     1024       392       632  38% /var
tmpfs                       64         8        56  13% /mnt/usbmsd
/dev/mtdblock/2            896       536       360  60% /config

What is really interesting is /config, which is a jffs2 partition storing the router's settings:

/config # ls -l
-rw-r--r--    1 root     administ   164412 Mar 22 11:21 active_configfile
-rw-r--r--    1 root     administ        0 Jul 29  2009 active_configfile2
-rw-r--r--    1 root     administ       66 Jan  1  2000 aes_keyfile
drwxr-xr-x    2 root     administ        0 Jun 23  2009 apps
-rwxr-xr-x    1 root     administ     4096 Jan  1  2000 arteep.bin
-rw-r--r--    1 root     administ        0 Jan  1  2000 attributes
-rw-r--r--    1 root     administ      804 Jul 29  2009 bf.conf
drwxr-xr-x    3 root     administ        0 Jan  1  2000 certs
-rw-r--r--    1 root     administ   115542 Jan  1  2000 default_configfile
drwxr-xr-x    2 root     administ        0 Mar 25 12:31 dhcp
drwxr-xr-x    2 root     administ        0 Jan  1  2000 diag
-rw-r--r--    1 root     administ       21 Dec  9  2008 first_use_date
-rw-r--r--    1 root     administ       21 Jan  1  2000 fwupdate.log
-rw-r--r--    1 root     administ      173 Dec  9  2008 fwupdate_old.log
-rw-r--r--    1 root     administ       18 Mar 25 13:20 fwupdate_timer
-rw-r--r--    1 root     administ      158 Dec  9  2008 macaddresses
-rw-r--r--    1 root     administ   116412 Jan  1  2000 previous_configfile
drwxr-xr-x    2 root     administ        0 Mar 23 17:34 scripts
-r-S--xr--    1 root     administ       89 Dec  9  2008 software_upgrade
-rw-r--r--    1 root     administ      211 Mar 22 11:21 system_configfile_f
-rw-r--r--    1 root     administ      276 Mar 22 11:21 system_configfile_r
-rw-r--r--    1 root     administ       13 Jan  1  2000 system_settings
-rw-r--r--    1 root     administ      271 Mar  7 09:25 tmond.log
drwxr-xr-x    2 root     administ        0 Feb  2 09:28 user

Well, it was designed to be secure, as official firmwares are signed and encrypted with AES and the device decrypts them on update, but it gets more interesting if we check /etc/rcS, i.e. what happens on startup:

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin

/bin/mount -a

/sbin/ip addr add dev lo 127.0.0.1/8
/sbin/ip link set dev lo up

grep "/dev/root / nfs" /proc/mounts
if [ $? != "0" ]; then
        /sbin/ip addr flush dev eth1
fi

echo 1 > /proc/sys/net/ipv4/ip_forward

echo 0 > /proc/sys/net/ipv4/conf/default/forwarding

if [ -f /bin/hostname ]; then
        /bin/hostname localhost.localdomain
fi

/sbin/insmod drv_amazon
/sbin/insmod drv_vinetic
/sbin/insmod duslic
/sbin/insmod amazon_daa
/sbin/insmod hwinfodrv

/bin/mknod /dev/amazon_port c 252 0
/bin/mknod /dev/cpc5621 c 220 11
/bin/mknod /dev/sda b 8 0
/bin/mknod /dev/sda1 b 8 1
/bin/mknod /dev/sdb b 8 16
/bin/mknod /dev/sdb1 b 8 17
/bin/mknod /dev/sdc b 8 32
/bin/mknod /dev/sdc1 b 8 33
/bin/mknod /dev/sdd b 8 48
/bin/mknod /dev/sdd1 b 8 49
/bin/mknod /dev/usb/lp0 c 180 0

/sbin/insmod leddrv.o
/bin/mknod /dev/leddrv c 134 1

/bin/mknod /dev/dk0 c 63 0
/bin/mknod /dev/dk1 c 63 1
/bin/mknod /dev/dk2 c 63 2
/bin/mknod /dev/dk3 c 63 3

/bin/mknod /dev/sip_dev c 233 0
/bin/mknod /dev/sip_conn_dev c 234 0

/bin/mount -n -t tmpfs -o size=512K tmpfs /tmp
/bin/mount -n -t tmpfs -o size=1024K tmpfs /var
/bin/mount -n -t tmpfs -o size=64K tmpfs /mnt/usbmsd

/bin/mount -t jffs2 /dev/mtdblock/2 /config
mkdir -p /config/dhcp
touch /config/dhcp/dhcpd.leases

mkdir -p /var/run /var/log
mkdir -p /var/etc/dhcpc /var/etc/iproute2 /var/dev
mkdir -p /var/state/dhcp
touch /var/state/dhcp/dhcpd.leases
touch /var/etc/resolv.conf
mkdir -p /var/tinydns

if [ ! -e /config/apps ]
then
  mkdir -p /config/apps
fi

logging_ng -d

ln -s /var/dev/log /dev/log
cp /etc/syslog.conf /var/etc/
touch /var/log/cpemsg
syslogd -i linux -i unix -f /var/etc/syslog.conf
cp /etc/passwd.orig /var/etc/passwd

NVRAM_HOST_NAME=`nvram_util get boardid | grep boardid= | sed 's/boardid=//'`
/bin/hostname $NVRAM_HOST_NAME
echo "127.0.0.1 $NVRAM_HOST_NAME localhost.localdomain localhost" > /var/etc/hosts

mkdir -p /var/etc/ppp /var/etc/ppp/ip-up.d /var/etc/ppp/peers /var/etc/ppp/ip-down.d /var/etc/ppp/resolv
touch /var/etc/ppp/pppoe-server-options

/bin/mknod /dev/watchdog c 253 0
/bin/tmond &

scm_app -d 6969 &

SCRIPT_DIR=/config/scripts
if [ -d ${SCRIPT_DIR} ]; then
  for script in ${SCRIPT_DIR}/*
  do
    if [ -x "${script}" ]; then
      echo "user scripts exec $script"
      ${script}
    fi
  done
fi
DBG_ADDONS=/etc/rc.d/init.d/DbgAddons
if [ -e ${DBG_ADDONS} ]; then
echo "including $DBG_ADDONS"
. ${DBG_ADDONS}
fi

So the firmware's startup script can and will start scripts/applications in the /config/scripts directory, and since we have already seen malware on routers, I think this one could be a malware developer's dream, as they can place their payload where it survives even a hardware reset.
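A check for that persistence spot, added here as an example and not code from the post or the device: it compares the contents of a dumped /config/scripts directory with a baseline of known file hashes and reports unexpected, modified and missing files, noting the executable bit because rcS only runs files that have it. The directory, file contents and baseline in demo() are constructed.

```python
import hashlib
import os
import stat
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_user_scripts(script_dir, baseline):
    """Compare the files in script_dir with baseline {name: sha256}. rcS runs every
    *executable* file in /config/scripts at boot, so the x bit is what matters."""
    report = {"unchanged": [], "modified": [], "unexpected": [], "missing": []}
    seen = set()
    names = sorted(os.listdir(script_dir)) if os.path.isdir(script_dir) else []
    for name in names:
        path = os.path.join(script_dir, name)
        if not os.path.isfile(path):
            continue
        seen.add(name)
        executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
        entry = (name, executable)
        if name not in baseline:
            report["unexpected"].append(entry)
        elif baseline[name] != sha256_of(path):
            report["modified"].append(entry)
        else:
            report["unchanged"].append(entry)
    report["missing"] = sorted(set(baseline) - seen)
    return report

def demo():
    """Constructed sample /config/scripts in a temp dir: a known vendor script,
    a tampered file under a known name, and an executable nobody provisioned."""
    d = tempfile.mkdtemp(prefix="config_scripts_")
    files = {"set_dns": b"#!/bin/sh\necho nameserver 10.0.0.1 > /var/etc/resolv.conf\n",
             "set_led": b"#!/bin/sh\necho 1 > /dev/leddrv\n",
             "extra.sh": b"#!/bin/sh\n# not in any baseline\n"}
    for name, body in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
        os.chmod(os.path.join(d, name), 0o755)
    baseline = {"set_dns": hashlib.sha256(files["set_dns"]).hexdigest(),
                "set_led": hashlib.sha256(b"#!/bin/sh\necho 0 > /dev/leddrv\n").hexdigest(),
                "set_mtu": "0" * 64}   # provisioned in the baseline, absent on the box
    return audit_user_scripts(d, baseline)
```

Running demo() returns the report for the constructed directory; on a real dump, point audit_user_scripts() at the extracted /config/scripts and a baseline taken from a known-good unit.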

Last modified: 2012-02-17, 10:37
