Identifying and exploiting rom-0 vulnerabilities

I will talk about simple, but dangerous vulnerability present on many network devices which are using RomPager Embedded Web Server. Attacker is able to get your ISP password, wireless password and other sensitive information by issuing single HTTP GET request to ‘/rom-0’ URI. Mentioned information disclosure is present in RomPager Embedded Web Server. Affected devices include ZTE, TP-Link, ZynOS, Huawei and many others. Vulnerability was published in 2014 (by looking at CVE), but I see lot of people don’t know about it: mainly because there was no hype about it and most of the popular vulnerability scanners failed in identifying it.

I still think that vulnerability is pretty dangerous: if administration web interface of router is exposed on Internet – that means that anyone on Internet is able to know your ISP password, wireless password and router password by single unauthorized http request. But attacker does not have to stop there – since it knows your router password, attacker can change router settings and redirect your network traffic as he likes (by changing route or DNS settings). Attacker can also expose your LAN to Internet or access your internal services or computers by abusing port forwarding features. So, I hope this vulnerability will get better treatment after this blog post and NSE script.

Identifying vulnerabilities

Vulnerability is easily identifiable by querying /rom-0 via HTTP GET request. If password is not easily readable by looking at the response output, that’s because you need to decompress file first. If you’re impatient, just skip over to the exploitation vulnerabilities section.

If you need to identify mentioned vulnerability on large number of devices, I’ve written NSE script to identify vulnerability:
https://github.com/kost/nmap-nse

There you can also find NSE script to identify known XSS vulnerability on RomPager Web Servers.

Usage of NSE scripts are quite easy, here’s the example:

nmap -p80 -sT -PN --script=./http-rompager-rom0,./http-rompager-xss 192.168.1.1

Starting Nmap 6.49BETA3 ( https://nmap.org ) at 2015-07-05 14:41 CEST
Nmap scan report for 192.168.1.1
Host is up (0.0013s latency).
PORT STATE SERVICE
80/tcp open http
| http-rompager-rom0:
| VULNERABLE:
| /rom-0 information disclosure present in ZTE, TP-Link, ZynOS, Huawei
| State: VULNERABLE
| Information disclosure present in RomPager Embedded Web Server.
| Affected devices include ZTE, TP-Link, ZynOS, Huawei and many others.
| ZTE, TP-Link, ZynOS, Huawei and possibly others are vulnerable to remote credential and information disclosure.
| Attackers can query the URIs "/rom-0" to extract sensitive information.
|
| Disclosure date: 2014-01-11
| References:
| http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/
| http://www.osvdb.org/show/osvdb/102668
| https://dariusfreamon.wordpress.com/tag/rompager/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-4019
| http-rompager-xss:
| VULNERABLE:
| URL redirection and reflected XSS vulnerability in Allegro RomPager Web server
| State: VULNERABLE (Exploitable)
|
| Devices based on Allegro RomPager web server are vulnerable to URL redirection and reflected XSS.
| If Referer header in a request to a non existing page, data can be injected into the resulting 404 page.
| This includes linking to an untrusted website and XSS injection.
| Disclosure date: 2013-07-1
| References:
|_ https://antoniovazquezblanco.github.io/docs/advisories/Advisory_RomPagerXSS.pdf

Nmap done: 1 IP address (1 host up) scanned in 1.35 seconds

Exploiting vulnerabilities

For exploitation, I had best success with rom0_decoder available at
https://github.com/etmatrix/rom0_decoder. It is Java based rom-0 decoder and it can decompress interesting blocks from many different rom-0 files I had access to.

Usage is simple as:
git clone https://github.com/etmatrix/rom0_decoder.git
cd rom0_decoder
java -jar rom0.jar /path/to/rom-0 | less


Exploitation of XSS vulnerability is pretty straightforward, so I will not go into details.

Solution

Most of the vendors issued patch for their routers, but still there are many routers out there where patch is not available. Mitigation in that case would be to firewall http from WAN side, but I would suggest to firewall it from LAN side as well (of course – if possible). Do note that rom-0 file sometimes is served by other protocols as well (including TFTP and FTP).

Final remarks

Note that in this post I’m writing mostly about rom-0 files available on web server via http. Interesting fact is actually that rom-0 sometimes is available on TFTP, FTP or similar services on different routers. But this is something I leave as an exercise to the reader.

References:

How I saved your a** from the ZynOS (rom-0) attack !! ( Full disclosure )

http://www.osvdb.org/show/osvdb/102668
https://dariusfreamon.wordpress.com/tag/rompager/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-4019

Click to access Advisory_RomPagerXSS.pdf

UPDATE 2015-07-05 18:51CET: Nmap development mailing list post: http://seclists.org/nmap-dev/2015/q3/34