Small boxes or why we love 7547

CyberOK's research contains interesting answers to what lives on the curious port 7547/TCP, which many may be hearing about for the first time. Let's look at what danger this port holds and what interesting physical devices live on it. Let's build an attack surface, recall how mercilessly these small boxes have made noise, and carefully break it all down into atoms: into TP-Links, Keenetics, Mikrotiks, and also analyze how vulnerable it all is. Let's go!

Introduction

In the era of such a direction as External Attack Surface Management, we too decided to become fashionable and develop our own domestic, Orthodox balalaika SKIPA, which will be able to secure the glorious Runet. This balalaika turned the iceberg upside down and showed interesting and unusual results...

By the way, SKIPA and our continuous attack surface monitoring and pentesting services are available as pilots for corporate customers. Free of charge. That is, for nothing. Write to info@cyberok.ru!

The results showed that the most common port is neither 80 nor 443, the familiar Web ports, but something more mysterious: 7547/TCP! And there are almost 2 million devices with this port open!

Fig. 1

We googled a little, researched and studied what was living on this port, and it turned out that an interesting protocol called TR-069, otherwise known as CWMP (CPE WAN Management Protocol), runs on it. This protocol helps providers remotely manage various small subscriber devices: configure, diagnose and even update CPE devices (the small home boxes) using an ACS (auto-configuration server).

Fig. 2

We read more news about them and noticed that these home boxes lying peacefully on your shelves have caused a lot of problems and periodically commit cyber crimes: they run DDoS attacks, attack other systems and generally set the Internet on fire.
They often band together into large gangs, botnets, such as the large botnets Meris and Mirai. The latter, for a moment, included more than 3 million devices, many of which were managed via the TR-069 protocol!

Fig. 3

This made us think and build an attack surface for RuNet. Having run our SKIPA, which can identify the service or software on a port, we obtained impressive statistics on the prevalence of devices from vendors such as TP-Link, Mikrotik, Keenetic, Sercomm, Huawei, ZTE and so on. Below is a chart of these statistics.

Fig. 4

The numbers are huge and real, but what makes such a large number of devices combined with TR-069 dangerous? There are several arguments:

  • 90% of TR-069 services operate over HTTP without SSL encryption.

  • Basic/Digest authentication protecting the device (brute-forcing passwords at such volumes?).

  • Using passwords like: admin:admin, root:root, support:support, …

  • Outdated software 10+ years old.

We decided to go further and studied the interaction using the ACS and CPE as an example, and noticed that the immature security posture of some providers is underlined by an ACS running an outdated Nginx release, version 1.6, which came out more than 10 years ago!

Fig. 5

In some cases, with some providers, data about the devices on your local network goes somewhere on the Internet. As in the example below, someone can learn about all sorts of things that live on my network. History is silent about where and how such data is stored and used, but a fact is a fact.

Fig. 6

We decided to explore deeper and went into the forest to get firmware. Finding firmware for a home router turned out to be as easy as shelling pears, and you can find versions for every taste: original, custom, of all types and from all providers.

Fig. 7

After poking around a little in the firmware, you can find various hard-coded users, including operator accounts, find the URLs the device contacts for updates and the like, and also learn about the built-in super-administrator, whose passwords have long been publicly available in plaintext, which in turn lets you connect to your own box and get to know it even more closely.

Fig. 8

We were encouraged by the passwords we found, but decided to go even simpler and look at trivial combinations. It turns out the work had already been done for us, and we can only confirm that the situation has not changed since 2017: on every 10th device you can authenticate with one of the TOP 10 passwords.

Fig. 9

Fingerprinting the software on port 7547/TCP showed that gSOAP takes the lion's share, and most of those are version 2.7, software released in 2006. It turns out that soon everyone will be celebrating its 20th birthday.

Fig. 10

It also has vulnerabilities, but there have been no major incidents involving them. This highlights one positive point: vulnerable does not always mean hackable!

Fig. 11

An even larger share of port 7547 is occupied by EasyCWMP, an open-source implementation of the CWMP protocol. Our SKIPA identified 76 thousand such devices in the Russian Federation, and Shodan, in turn, found 600 thousand worldwide. We looked for known vulnerabilities, but found none, which is very strange, because the software has not been updated for more than 5 years and is written in C, a language in which not everyone knows how to develop securely. By the way, the Mirai botnet was built on a vulnerability in RomPager that appeared unexpectedly and en masse, wrecking the Internet, so you should stay on your guard!
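As an added example that is not part of the original post, the following Python triages port-7547 banners by the risk factors described above (plaintext HTTP, Basic/Digest authentication, gSOAP 2.7, an old Nginx 1.6 on the ACS, unmaintained EasyCWMP, RomPager) so that a defender can decide which exposed CPE/ACS endpoints to patch or filter first; the sample banners, host names and release-year table are constructed assumptions.

```python
import re

# Constructed sample records as an asset-inventory scanner might store them for
# port 7547/TCP: (URL scheme, raw HTTP response head). No real devices were queried.
SAMPLE_BANNERS = {
    "cpe-a": ("http", "HTTP/1.1 401 Unauthorized\r\nServer: gSOAP/2.7\r\n"
                      "WWW-Authenticate: Basic realm=\"cpe\"\r\n\r\n"),
    "cpe-b": ("http", "HTTP/1.1 401 Unauthorized\r\nServer: EasyCwmp\r\n"
                      "WWW-Authenticate: Digest realm=\"cwmp\", nonce=\"abc\"\r\n\r\n"),
    "acs-c": ("https", "HTTP/1.1 404 Not Found\r\nServer: nginx/1.6.2\r\n\r\n"),
    "cpe-d": ("https", "HTTP/1.1 401 Unauthorized\r\nServer: RomPager/4.07 UPnP/1.0\r\n"
                       "WWW-Authenticate: Digest realm=\"x\"\r\n\r\n"),
}

# Release years the post relies on: gSOAP 2.7 (2006) and nginx 1.6 (2014).
OLD_SOFTWARE = {"gsoap": ("2.7", 2006), "nginx": ("1.6", 2014)}


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values, skipping the status line."""
    lines = raw.split("\r\n")[1:]
    pairs = (line.partition(":") for line in lines if ":" in line)
    return {k.strip().lower(): v.strip() for k, _, v in pairs}


def triage(scheme: str, raw: str) -> list:
    """Return the risk findings for one exposed TR-069 endpoint."""
    h = parse_headers(raw)
    findings = []
    if scheme == "http":
        findings.append("plaintext: CWMP credentials and Inform data cross the Internet unencrypted")
    auth = h.get("www-authenticate", "").lower()
    if auth.startswith("basic"):
        findings.append("basic-auth: password is only base64-encoded and easy to guess at scale")
    elif auth.startswith("digest"):
        findings.append("digest-auth: still exposed to password guessing from the whole Internet")
    server = h.get("server", "").lower()
    m = re.match(r"([a-z]+)/(\d+\.\d+)", server)   # e.g. "nginx/1.6.2" -> ("nginx", "1.6")
    if m and m.group(1) in OLD_SOFTWARE and m.group(2) == OLD_SOFTWARE[m.group(1)][0]:
        findings.append(f"outdated: {m.group(1)} {m.group(2)} dates from {OLD_SOFTWARE[m.group(1)][1]}")
    if "easycwmp" in server:
        findings.append("easycwmp: unmaintained C implementation, no fixes shipped for over 5 years")
    if "rompager" in server:
        findings.append("rompager: embedded server the post links to the Mirai botnet")
    return findings


def rank(banners: dict) -> list:
    """Order hosts worst-first by finding count, for patch/filtering prioritisation."""
    scored = [(host, len(triage(scheme, raw))) for host, (scheme, raw) in banners.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))
```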

Fig. 12

Raising the “degree” of the boxes, let’s consider a large small box that is no longer quite a home device: Mikrotik!

Fig. 13

This device is relatively inexpensive and small organizations like to install it, but it is often not configured quite correctly.
There are more than 200 thousand such boxes on the RuNet. Any network security specialist advises not to expose unused services to the Internet and to run services on non-standard ports; however, as the table below shows, not all administrators follow this practice.

Fig. 14. The table shows open, Internet-exposed ports

During mass hacking of devices, attackers are always interested in determining the software version. On more than 120 thousand Mikrotik devices, the RouterOS version is easily obtained by sending a specific request to the Winbox service (8291/TCP).

Fig. 15

By identifying RouterOS versions on Mikrotik devices, we built a diagram of outdated, vulnerable devices; versions up to and including 2022 were counted. From this diagram we can conclude that there are quite a lot of outdated devices, administrators do not really like updating, and more than 12 thousand devices run a software version older than 2018.

Fig. 16

Additionally, we conducted a safe-check for some “hype” vulnerabilities.

It turned out that in RuNet you can find more than 30 thousand routers susceptible to CVE-2023-30799 (CVSS: 7.1), which allows an authenticated user to be promoted from admin to super-admin. More than 1,400 devices have a vulnerable SNMP service that allows remote code execution (CVE-2022-45315, CVSS: 9.8). And the third is the most famous critical vulnerability, CVE-2018-14847 in the Winbox service, which allows code execution on the router.

Conclusion

And here we end this fascinating study of the little boxes that live on your and our Internets. I would like to draw the following conclusions:

  • do not forget to update, at least in case of critical vulnerabilities;

  • implement a strict password policy so that users cannot set weak passwords;

  • do not expose unnecessary services to the Internet – filter ports from intruders.

Also, come visit us on Telegram and stay tuned: there is still a lot of interesting stuff there!

Artemy Tsetsersky

Penetration testing specialist, CyberOK
