Mustafa

Preface

I use Kablonet at home. I am really not happy with their services at all. Since I don’t have any better options, I am stuck with them. I wrote a Turkish blog post about it in my old blog.

Last year, I started to tinker with their modem to find any hidden settings or vulnerabilities. I will try to list my findings in this blog post.

Hardware

My modem is NetMASTER CBW-383ZN. This and other NetMASTER cable modems are produced by CastleNET. Modems use MIPS and the board is designed by Broadcom.

Initial Setup

My first question was how could I download the settings file and analyze its content. Previously these devices had a vulnerability that allowed any user on the network to download the settings without authentication. When I downloaded this file and tried to check its content I found out that is was encrypted. How could I see the content of this file?

GatewaySettings.bin file

When I searched for this file, I found a program called bcm2-utils. I tried to open my settings file but unfortunately, it didn’t work. Thanks to Joseph, we solved this issue. He wrote a new profile for my device so that I could finally see the contents of my settings. During this process, I was able to extract the firmware from my device. I will not write the details of this process. If you want, you can check the repo and see it yourself. What are the things that are hidden in this firmware file? My quest to find the content of firmware started.

Firmware

The firmware file is compressed. In order to extract the firmware, you need Broadcom’s ProgramStore. After we extract the firmware, we need to analyze it. The file system of this firmware was something I never dealt with it before. Most of the time, modems have Squash, JFFS2, etc file systems. After you extract the firmware with tools like binwalk, you try to find the web server executable and possible vulnerabilities. This device is using something called eCoS. Firmware is a single executable and code starts at offset 0.

We will use Ghidra to analyze this file.

In the old days, RCE tools were either so limited or very expensive. Thanks to Ghidra, this has totally changed. Ghidra’s decompiler is so powerful. It helps me to understand different architectures easily.

Open Ghidra, add the firmware file to your project and configure it like below.

  • Click … button next to language and select MIPS|default|32|Big Endian|
  • Click Options and select Base Address as 0x80004000

Before I dive into what I have found, I want to warn you:

Change the default password of Kablonet.

Findings

  • Technician username and password. This username and password allow anyone to access the admin interface. This username and password can be changed remotely by Turksat. They changed these credentials before. You can use these credentials to change the hidden settings of the modem. There are not much hidden settings in the modem. You can change Down Stream frequency if there is a noise in your connection. You cannot use those settings to change your connection speed from 24 Mbps to 100 Mbps.
  • WiFi Network name uses the last 4 characters of modem’s CM MAC address. If your modem’s CM MAC address is 11:22:33:44:55:66, WiFi network name is NetMASTER Uydunet-5566. This information can be seen as insignificant but it is an information leak for the next finding.

  • WiFi password is calculated by using MAC address of WAN. Since WAN and WLAN addresses are sequential, it is possible to calculate WAN MAC address from WiFi MAC address and network name. Since we can see WiFi MAC address and network name without connecting, we can calculate all default passwords of NetMASTER modems. Here is the threat level according to different models:

    • NetMASTER CBW-383ZN, NetMASTER Infinity 401 models’ passwords can be calculated by just WiFi MAC address. Since WiFi MAC and WAN MAC addresses are sequential.
    • NetMASTER CBW-383Z4 model has 256 possibilities. Since MAC addresses are not sequential. However, by using the network name, we can have the 4 characters of the remaining 6 characters. We have to try 0x00-0xFF range to find possible passwords.
    • NetMASTER CBW-700V model has completely different WiFi MAC and WAN MAC addresses. Maybe there is a formula between those addresses but I couldn’t find a relationship. We can call this model relatively safe.

Since the above information can be used maliciously, I won’t share technician credentials or WiFi password algorithm. Please don’t email and ask about it.

You can use the below form to test whether your modem is vulnerable or not.



I am available for new work
Interested? Feel free to reach
View worksGet in touch