Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

BT HomeHub 3.0b Remote (LAN) vulnerability
From: Zachary Cutlip <zcutlip () tacnetsol com>
Date: Tue, 8 Jan 2013 11:48:35 -0500

Vulnerability Report: BT HomeHub 3.0b

***********************

Report Date: 7 December 2012
Version: 1.01 
Prepared by: Zachary Cutlip, zcultip () tacnetsol com
             Tactical Network Solutions, LLC

***********************

Summary:The BT HomeHub 3.0b has a remote[1] vulnerability that can yield to an attacker fully privileged root access.

***********************

Details:The 'bcmupnp' application that is installed and runs on the BT HomeHub 3.0b has a vulnerability in the way it 
processes M-SEARCH SSDP[2] requests.

By specifying a "uuid:" as the URI in the Search Target (ST:) header, the attacker can provide an excessively long 
string in place of a valid UUID.  This will crash the application in a way that yields control of execution to the 
attacker.  'bcmupnp' runs fully privileged on this device, so a successful exploit results in fully privileged 
arbitrary code execution.

***********************

Affected Products:
BT HomeHub 3.0b Firmware version V100R001C01B031SP09_L_B
BT HomeHub 3.0b Firmware version V100R001C01B031SP12_L_B (Latest tested)

***********************

Mitigation:

End user:
The end user does not appear to be vulnerable to attack from the WAN.
The user should ensure that WPA or WPA2 encryption is enabled.  This restricts LAN access to authorized users or those 
users with physical access to the wired network.

If the user's LAN is a hostile network that cannot be restricted to authorized users, use of the affected product 
should be discontinued until the vendor can issue a patch.

Vendor:
The 'bcmupnp' program does not appear to be essential to the affected product's core functionality.  It could 
theoretically be disabled in a firmware update until such a time that it can be patched and re-enabled.

***********************

Exploit:

A proof-of-concept exploit for this vulnerability has been released.
Demonstration here:
https://vimeo.com/52954499

Exploit code here:
https://github.com/zcutlip/exploit-poc/tree/master/BT/homehub3b

***********************

Credit:

Credit for this discovery goes to Zachary Cutlip <zcutlip () tacnetsol com> and Tactical Network Solutions, LLC
Assistance provided by:

- Craig Heffner <cheffner () tacnetsol com>
- "asbokid" for initial firmware extraction.
- William K. and "dmcdonell" for providing hardware for analysis.
- Forum participants on http://www.kitz.co.uk/

------------
[1] Although this vulnerability only affects the local network (LAN) side of the device, not the Internet (WAN) side, 
it is a remote vulnerability in that it is network based and does not require physical access to the target device.

[2] "UPnP Device Architecture 1.1" http://www.upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf


***********************

Revision History:
12/13/2012    Fixed spelling error.
1/9/2013        Updated Credit section.
                        Updated Exploit section.


Attachment: smime.p7s
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • BT HomeHub 3.0b Remote (LAN) vulnerability Zachary Cutlip (Jan 10)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]