A Look at TR-06FAIL and Other CPE Configuration Disasters

Offered By: Security BSides London via YouTube

Tags

Security BSides Courses, Cybersecurity Courses, Network Engineering Courses, Vulnerability Assessment Courses

Course Description

Overview

Explore the critical security vulnerabilities in CPE devices and their widespread impact in this conference talk from Security BSides London. Dive into the TR-064 misconfiguration disclosed in late 2016 that allowed remote device takeovers and led to significant internet outages. Examine the exploitation of these vulnerabilities by botnets and investigate related TR-069 protocol implementation issues. Learn about the technical details of these attacks, including command injection, XML vulnerabilities, and stack overflows. Discover the implications for ISPs and their customers, with specific examples from Deutsche Telekom and Irish networks. Gain insights into the disclosure timeline, exploitation techniques, and potential defenses against these threats. Understand the importance of proper CPE configuration, SSL/TLS implementation, and XML security in preventing large-scale router takeovers. Analyze various attack surfaces, fuzzing techniques, and payload limitations in exploiting these vulnerabilities. Explore ongoing research in this field and learn about potential solutions to mitigate these risks in CPE devices and network management protocols.

Syllabus

Introduction
Who am I
Landside DSL
CWMP
Heros Explore
Heroesx Security
Must Implementation
Posture Protect
Outcome
Deutsche Telekom
Ireland
Who did it
Bonus Win
Ida Pro
Miss Fortune Cookie
Exploit
DSL Forum Certification
SSL TLS
XML
Threat Model
Hacking
Audit
Disclosure Timeline
FreeACS
Postit
Postit screenshots
We want preoff
Attack Surf
Test Fuzzing
XML NEX
BaseField
XSS
Payload Limitations
Remote Script
Admin User
Stack Overflow
Stack Overflow exploit
Game over
Script kiddie
OpenACS
JBoss
Misc Configuration Server
CSP
CSP in the wild
CSP in Java
CSP in PHP
Laravel Autoloading
Exploitable
Solutions
Defenses
Ongoing research
Thanks


Taught by

Security BSides London
