Verizon and Port 4567
All ActionTec routers from Verizon mysteriously listen on port 4567. This is public knowledge. A webserver is running on that port, but it is protected by an unknown username and password. There is, needless to say, quite a bit of controversy and conspiracy theory regarding this undocumented "feature" of the Verizon FiOS network. Mysteries are meant to be solved. What follows is a log of my experience solving this mystery; it is rather technical and would not please an English teacher. This is a journal that I kept, logging each action and thought involved in the process. It remains unedited. It is mostly chronological.
- Using laptop running Windows Server 2008 R2 Datacenter x64
- Googled around a bit for existing info on the port
- Ran a portscan with nmap on port 4567; open both externally and internally
- More Googling; got info from around 2007 stating that the username was the MAC address without delimiters and the password was activeVOLUses1. Other users confirmed that this combination did not work.
- Dumped the configuration file—looks like Verizon smartened up and encoded it. Ran basic decoding attempts, but not worth effort to analyze much further.
- Telnet into router; all goes well
- Heard mentions of CWMP in one person's log dump; research identifies it formally as TR-069, a protocol designed for ISPs to maintain hardware configuration
- In telnet, use "conf print /" command to dump configuration to standard output. Bugger says that dumping the root is disallowed.
- Figure this has something to do with cwmp, so try "conf print cwmp"—jackpot
- Got weird username, clearly unencoded/unencrypted. Password is encoded/encrypted in some form. Odd set of URLs; one appears to be the ACS.
- Figure the password encryption/encoding must be the same for the admin account, which I set the password to previously.
- Guess admin node correctly: "conf print admin"
- Password is encoded in same format
- Run "conf set /cwmp/password [encoded-known-pass]"
- Check output with "conf print /cwmp/password"—appears that non-alphanumeric characters were escaped as some sort of XML-like entity.
- Tried escaping ampersands and semicolons in input; no luck
- Discover "conf set_obscure" command—description is cryptic
- Tried "conf set_obscure /cwmp/password random-text"; read back in the same encoding style as the passwords
- Through trial and error, discovered that a character's encoding is only affected by preceding characters. That makes brute forcing exponentially easier.
- Started with "act"; "actiontec" didn't match, but the "act" did.
- Tried "conf set_obscure /cwmp/password activeVOLUses1", but result was slightly off from original password encoding at the second-to-last character.
- Assumed the password circulating around the Internet had a typo, and tried activeVOLUser1 instead; perfect match
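The observation above (each obscured character depends only on the characters before it) is the property that turns an exponential search into a linear one. As an added example, not code from the log or from ActionTec, here is a small audit harness: a constructed toy obscuring scheme with that prefix property, a salted PBKDF2 store for contrast, a check that detects the property in any obscure() function, and a counter showing how many calls each needs. The toy scheme and its constants are assumptions for illustration; the log never recovers the router's real algorithm.

```python
import hashlib
import string

def toy_obscure(secret: str) -> str:
    """Constructed toy scheme (NOT the router's): each output byte is the input
    byte XORed with a running state computed from the preceding bytes only."""
    state = 0x5A
    out = []
    for ch in secret.encode():
        out.append((ch ^ state) & 0xFF)
        state = (state * 31 + ch) & 0xFF   # state depends only on earlier chars
    return bytes(out).hex()

FIXED_SALT = b"constructed-demo-salt"  # fixed only so the demo is repeatable

def kdf_store(secret: str) -> str:
    """Proper one-way storage for comparison: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), FIXED_SALT, 10_000).hex()

def prefix_dependent(obscure, probe="abcdefgh", alphabet=string.ascii_lowercase) -> bool:
    """Audit check: changing only the character at position i must not alter
    the output for positions before i. True means the scheme leaks per-position
    equality and can be guessed one character at a time."""
    base = obscure(probe)
    for i in range(len(probe)):
        for c in alphabet:
            if c == probe[i]:
                continue
            variant = probe[:i] + c + probe[i + 1:]
            # two hex digits per input byte; a real hash has no such structure
            if obscure(variant)[:2 * i] != base[:2 * i]:
                return False
    return True

def per_position_guesses(obscure, target: str, length: int,
                         alphabet=string.ascii_lowercase) -> tuple[str, int]:
    """Rebuild a secret from its obscured form one position at a time, counting
    obscure() calls. Returns ('', calls) when the scheme does not cooperate."""
    recovered, calls = "", 0
    for i in range(length):
        for c in alphabet:
            calls += 1
            candidate = recovered + c
            if obscure(candidate)[:2 * (i + 1)] == target[:2 * (i + 1)]:
                recovered = candidate
                break
        else:
            return "", calls
    if obscure(recovered) != target:   # reject chains that matched by chance
        return "", calls
    return recovered, calls

def exhaustive_guesses(length: int, alphabet=string.ascii_lowercase) -> int:
    """Cost of the only strategy left when the scheme is not prefix dependent."""
    return len(alphabet) ** length

if __name__ == "__main__":
    secret = "active"   # constructed sample secret
    print("toy prefix dependent:", prefix_dependent(toy_obscure))   # True
    print("kdf prefix dependent:", prefix_dependent(kdf_store))     # False
    print("toy:", per_position_guesses(toy_obscure, toy_obscure(secret), len(secret)))
    print("kdf:", per_position_guesses(kdf_store, kdf_store(secret), len(secret)))
    print("exhaustive:", exhaustive_guesses(len(secret)))
```

For the six-character sample the toy scheme falls in 60 calls, whereas the exhaustive bound for a 26-letter alphabet is 26^6, and the per-position strategy returns nothing against the PBKDF2 store. The prefix_dependent check is the reusable part: run it against any "obscured" credential format before trusting it as anything more than encoding.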
- Tried to log in with username and password... denied
- Tried going to the ACS URL; receive login prompt
- Enter username and password in the router config. Success! Now have full URL with user/pass.
- Receive interesting response:
  CPE Servlet responding
  Active session count = 7
- Looks like I gained access to the ACS in some way. Not sure how to proceed. Need to think a bit.
- Interlude: Already 2:10 PM on 6/2/2010; get the hell off the couch, get dressed, and go to coffee shop.
- Couldn't get myself to stand up, so I Googled the ACS' response and came up with this. Looks like Qwest contracted the exact same ACS. Now all I need to do is find any similarities between the two, definitively ID it, and search for any vulnerabilities. Hopefully, I won't find any, and we'll all be able to sleep better at night.
- Really getting up now...
- Back at 3:23—only an hour late. Stereotypical programmer, ftw.
- Reading up on SOAP, WSDL, and CWMP to see if I can spoof a CPE.
- Found an XSD, but I need to convert it to a WSDL.
- Can't seem to find a generic WSDL for CWMP, so I may use XSL to transform the XSD into a WSDL.
- Going back to identifying the ACS for the time being.
- A little work on Google came up with this—looks like the ACS is in use elsewhere.
- Yet more users. Careful, the site is hosted on Tripod, which means (often questionable) popups.
- "Welcome to CwmpWeb". Why thank you. Now what the hell are you?
- Verizon returns the same thing on some servers, but not on others.
- Found an interesting ActionTec job offer description. "Ability to propose and develop e non-standard parameters to accommodate features that are not specified in Broadband standards." Proprietary features in CWMP? Uh-oh. There's a reason protocols take years of review before they are approved. "Must have understanding of server side equipments and functions of ACS" Good chance that the ACS itself is based on an industry-standard ACS.
- Let's check out OpenACS.
- We've got five files: acs.ear, openacs-ds.xml, openacs-service.xml, README, and Running.htm. The EAR file is by far the largest—let's check that out.
- Binary data. First two characters are "PK", so it's probably a ZIP file. Copy to acs.zip and extract.
- More files. Meant to run in Apache Ant. Two JARs, a WAR file, and a META-INF folder (the latter indicating that the EAR was probably a JAR). All three have ZIP signature ("PK"), though that's a given for the JARs. Biggest file is acs-war.war; extract to acs-war after copying to acs-war.zip.
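The EAR/WAR/JAR unpacking above is a common triage step, and the renaming to .zip is only needed for GUI tools: the formats are plain ZIP containers identified by the "PK" local-file-header signature. As an added example, not code from the log or from OpenACS, here is a recursive walker that confirms the signature, descends into nested JARs and WARs in memory, and greps every entry the way the log scans for a string. The archive it inspects is constructed inline with placeholder contents; no file here is a real OpenACS or ActionTec artifact. The depth cap is a caveat worth keeping, since nested archives are also how decompression bombs are built.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # first local file header
ZIP_EMPTY_ARCHIVE = b"PK\x05\x06"  # end-of-central-directory only (empty zip)

def is_zip(data: bytes) -> bool:
    """Magic-byte check; JAR, WAR and EAR files all start this way."""
    return data.startswith(ZIP_LOCAL_HEADER) or data.startswith(ZIP_EMPTY_ARCHIVE)

def walk_archive(data: bytes, name: str, max_depth: int = 4, _depth: int = 0):
    """Yield (path, bytes) for every file, descending into nested ZIP containers
    up to max_depth so a crafted archive cannot recurse without bound."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{name}/{info.filename}"
            payload = zf.read(info)
            if is_zip(payload) and _depth < max_depth:
                yield from walk_archive(payload, path, max_depth, _depth + 1)
            else:
                yield path, payload

def list_archive(data: bytes, name: str = "archive") -> list:
    return [path for path, _ in walk_archive(data, name)]

def grep_archive(data: bytes, needle: bytes, name: str = "archive",
                 ignore_case: bool = False) -> list:
    """Paths of entries containing needle. Case-sensitive by default, which is
    why a search for b"cwmpWeb" can miss a banner that reads "CwmpWeb"."""
    hits = []
    for path, payload in walk_archive(data, name):
        hay, pin = (payload.lower(), needle.lower()) if ignore_case else (payload, needle)
        if pin in hay:
            hits.append(path)
    return hits

def _make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()

def constructed_ear() -> bytes:
    """Constructed sample EAR (JAR inside lib/, WAR beside it); placeholder bytes."""
    util_jar = _make_zip({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "com/example/Util.class": b"\xca\xfe\xba\xbe placeholder class bytes",
    })
    acs_war = _make_zip({
        "WEB-INF/web.xml": b"<web-app><servlet-name>CpeServlet</servlet-name></web-app>",
        "index.html": b"<html>Welcome to CwmpWeb</html>",
    })
    return _make_zip({
        "META-INF/application.xml": b"<application/>",
        "lib/util.jar": util_jar,
        "acs-war.war": acs_war,
    })

if __name__ == "__main__":
    ear = constructed_ear()
    print("zip signature:", is_zip(ear))
    for path in list_archive(ear, "acs.ear"):
        print(path)
    print("case-sensitive cwmpWeb:", grep_archive(ear, b"cwmpWeb", "acs.ear"))
    print("case-insensitive:", grep_archive(ear, b"cwmpweb", "acs.ear", ignore_case=True))
```

Against the constructed sample the case-sensitive search returns nothing while the case-insensitive one finds the banner in the WAR's index.html, which is the kind of miss to rule out before declaring a candidate package "out".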
- Ah, here we go! A whole collection of HTML files. Time to look for any goodies...
- On second thought, let's just scan the whole thing for any occurrence of cwmpWeb, case-sensitive.
- Nada. Let's extract JARs. Strings should be in plaintext once extracted, but I can always run them through JAD if need be or javap if obfuscated.
- OpenACS is out.
- A blog post mentioned something about OpenRG. Should check that out.
- OpenRG is by Jungo. Was that what ActionTec used for its OS and got into that lawsuit over? Check that.
- Nope, that was BusyBox. Let's see what BusyBox and OpenRG have to say regarding CWMP.
- BusyBox homesite marked as dead end.
- Google turns up some stuff on jungo.com, home of OpenRG.
- The last link uses DPS (Dimark Provisioning Server) as an example ACS. Let's compare URL structure...
- ActionTec definitely uses OpenRG.
- No results on Google for "Dimark Provisioning Server" besides that one link. ...the hell?
- "Dimark Provisioning System" gets more results; still lacking.
- Let's see if Dimark, a company specializing in TR-069, has any connections to Verizon.
- Connection with Fine Point Technologies, Inc. in this article
- Looks like Fine Point Technologies sells a TR-069 solution. Let's see if we can verify a match.
- Here's a preview of what Verizon may be able to do if they use DLP in conjunction with Fine Point's ACS.
- Their solution seems to support raw RPC. That could be bad.
- Hit dead end. Going back to that forum post. Let's run a web check on that guy and anything associated with him to see if we can find out where he got the ACS.
- Alias: mert361; Location: Istanbul; ICQ: 93852971; E-mail: mert361@tango5.com; Language: Turkish;
- Let's try ICQing him.
- Offline. Mark as dead end for now.
- Looking for public contracts between ISPs (with the same URL structure for ACS as Verizon) and TR-069 specialists.
- Eh, what the hell, let's nmap the heck outa that ACS. I'll try both cpe-ems1.verizon.com and cpe-ems79.verizon.com, since they seem to be running different web servers.
- Nada. Just HTTPS on both.
- Looks like there aren't many ACSs out there. OpenACS, Zyxel's Vantage, and something from Cisco. Vantage looks like a bad candidate, and OpenACS didn't match. Cisco is the industry standard, so I wouldn't be surprised if that's what they're using. If anyone has an ACS from Cisco that they're willing to donate access to, that'd be great.
- Heading home; driving is great for thinking.
- Going to pick a random insecure wireless network or two on the way home and enable remote management; that way, I have a decent way to proxy any activities that might look fishy coming from within the FiOS network. If they really are Cisco fanatics (Mr. Haynie *cough*), then the slightest ripple of trouble will trigger the alarms. Of course, I'm not planning to exploit any of this for purposes other than developing a patch/solution; I just want to avoid any trouble that could arise because my activities resemble those of malicious skript kiddies.
- Wtf, my car smells like there's been a cow living under the hood.
- These dots are here because I'm too lazy to type <li></li> each time I make an entry. Copypasta = timesaver.
Copyright ©2010 Earth2Me, LLC. All rights reserved.
Earth2Me is the trade name of Earth2Me, LLC.