I'm afraid we didn't solve it as such, but we do seem to have fewer reports of this now, though that could be down to a few things. So maybe number 2 is a red herring if number 3 is accurate and these possible changes were made at the time we trialed our new way of working.
Hi, I know in the current situation many businesses may now be working the same way as we are currently, so we were wondering if anyone else was experiencing similar issues to some of our users. They are always VM customers. Their local general browsing remains fine, which leads them to tell us the issue is our end, and their VPN connection does not drop, but they have dreadful latency in an RDP session and eventually it gets to the point where they lose the connection.
Tried the device IP address instead of the device name. Tried searching forum after forum for possible solutions.
Dumping the first handful of bytes from the file using xxd and head showed us that the backup file appeared to be a TAR file with some unknown data prepended to it. Running the venerable binwalk tool confirmed these suspicions, finding a valid TAR file at offset 0x4.
After reverse engineering the file VmRgBackupCfgCgi, the binary responsible for processing the configuration file once it has been uploaded to the router, we discovered that the first 4 bytes represent a CRC32 checksum of the adjacent TAR file.
This is a common way to store configuration information on embedded devices across power cycles. The contents of these files clearly contained various snippets of sensitive configuration information such as the credentials for the administrative interface.
These files will be discussed in more detail later in this post. As we control both the contents of the TAR file and the CRC32 checksum, we have all we need to craft our own backup files that will be accepted and parsed by the router. At this point we know how to construct a valid configuration blob and have it processed by the router, but what can we actually do with this knowledge?
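As an added example (not code from the original write-up), the following validator parses a backup blob in the layout just described: a 4-byte CRC at the front and a TAR archive starting at offset 0x4. It verifies the checksum and lists the member paths an uploaded archive would write, flagging absolute or traversal paths; the CRC-32 polynomial, the little-endian byte order and the flagging policy are assumptions, not details from the page.

```python
# Added example, not code from the original write-up: validate a backup blob
# laid out as the post describes (4-byte CRC, then a TAR archive at offset 0x4)
# and list the paths the archive would write.
# Assumptions not stated on the page: CRC-32 (zlib polynomial), little-endian.
import io
import struct
import tarfile
import zlib

HEADER_LEN = 4  # TAR data begins at offset 0x4 per the write-up


def parse_backup(blob: bytes) -> dict:
    """Check the CRC over the TAR payload and inspect member paths.

    Absolute paths or ".." components are reported as suspicious; that is an
    assumed review policy for uploaded backups, not the router's own logic.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than the 4-byte CRC header")
    stored = struct.unpack("<I", blob[:HEADER_LEN])[0]
    payload = blob[HEADER_LEN:]
    computed = zlib.crc32(payload) & 0xFFFFFFFF
    result = {"stored_crc": stored, "computed_crc": computed,
              "crc_ok": stored == computed, "tar_ok": False,
              "members": [], "suspicious": []}
    try:
        with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
            for member in tar.getmembers():
                result["members"].append(member.name)
                if member.name.startswith("/") or ".." in member.name.split("/"):
                    result["suspicious"].append(member.name)
            result["tar_ok"] = True
    except tarfile.TarError:
        pass  # payload is not a readable TAR; tar_ok stays False
    return result


def build_sample_blob(entries: dict) -> bytes:
    """Constructed sample input in the described layout (test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    payload = buf.getvalue()
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) + payload
```

Feeding `parse_backup` a blob whose first byte has been altered reports `crc_ok` as `False` while the TAR itself still parses, which is the distinction a verifier of uploaded backups needs to make.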
Delving back into VmRgBackupCfgCgi tells us how the file is processed and is the starting point of our vulnerability.
This command is very powerful. So what can we overwrite? Whilst this appears at first glance to be an arbitrary file overwrite, we do have some restrictions. The majority of the Super Hub file system is mounted as read-only SquashFS. Only a few interesting areas are actually writeable while the hub is running:
The rcS file is used by the Super Hub router to start key services, set kernel parameters and perform other general system setup. It is invoked every time the router powers on. Amongst the various functions of this file, one section grabbed our attention:
We can now combine our arbitrary file write with this remnant of a script, possibly left over from debugging or individual system customisation, to gain full control of the Super Hub.
To test our theory we created a script to drop firewall rules and wrote a little C program to properly package it as a backup. Uploading it appeared to be successful, as seen below. After waiting for the system to fully boot we re-scanned the Super Hub to see whether our modifications to the firewall rules had the desired effect (see below). Attempting to connect showed some unusual behaviour: the connection was accepted by the Super Hub but then immediately torn down before any prompts were displayed.
This was unusual behaviour and we turned to the customised utelnetd binary to find out why. The version present on the Super Hub has been modified from the default open source version to add some new features.
By reverse engineering the binary to find where the connection is accepted we can see one of these modifications:
The top block in this disassembly shows the connection being accepted with a call to the library function accept.
The second basic block of this disassembly is where the code has been modified. The decision as to whether the connection will proceed or be terminated is based on the return value of a function call (the BLX instruction). This function clearly checks some sort of internal status to see if telnet access is allowed. What exactly is it checking, and is there any way we can modify this setting from within our malicious script? The implementation of the function in question resides in a shared library that is imported by utelnetd.
The majority of this shared library consists of helper functions to get and set various persistent parameters for the Super Hub. Looking inside some of these files we can see a number of familiar strings, such as our administrative username and password. The image above shows the partial contents of one of the configuration files; this one specifically backs the ManagementDb, while other files back other aspects, e.g.
Each file starts with a byte header (in red) before being followed by a series of TLVs. Next follow length bytes of the value (in orange). Each record holds the configuration details for a certain aspect of the Super Hub. From reversing the various binaries involved in managing the nvram configuration we know that the 10th record is responsible for flagging whether telnet access is available or not.
It is a single-byte value and is set to 0 to disable telnet and 1 to enable telnet.