[C2] "Reverse engineering Swisscom's Centro Grande modems"
by Alain Mowat

Authors: Alain Mowat (@plopz0r)
Language: English
Country: Switzerland
Date & Time: Wed. 2 Nov. - 11:15 to 12:00

While trying to figure out how Swisscom controls all of its home-based routers through their own website, we stumbled onto a series of vulnerabilities in the Centro Grande router which, when combined, could lead to remote code execution.
We started by obtaining the router's firmware to investigate how the CWMP protocol was used to manage them, but quickly moved to other aspects of the firmware in order to discover serious flaws in the web-based management application. The web server essentially just calls one main CGI binary to handle all requests. This MIPS binary turned out to be the starting point of a quest to find a way to execute arbitrary commands remotely. By combining overflows and CSRF flaws, it was possible to achieve this. After reporting the flaw to Swisscom, we learned that the Business version of the router doesn't actually require the CSRF, as it exposes the management interface to the Internet by default. At the time of discovery, many businesses, mostly in Switzerland and Italy, were therefore vulnerable to attackers breaking in through their ISP-provided modems.

Biography: Alain is a security engineer and has been working for SCRT, a Swiss-based information security company, for the past 8 years. In this role, he spends his time performing intrusion tests, social engineering attacks and giving security-related training. With a high interest in web application security, he has discovered several important vulnerabilities in various high-profile applications, responsibly disclosing them to get them fixed.