funsec mailing list archives

Re: Verizon Service, Actiontec Gateway, and SSL Certifcate

From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 29 Apr 2013 22:17:53 -0400

Well, this is not a good sign. I downloaded littleblackbox
(https://code.google.com/p/littleblackbox/), which is a database of
shared private keys. The program connects to the device or servers,
fetches the certificate, and tries to find the private key in its
database:

jeffrey@ubuntu-12-x64:~/littleblackbox-0.1.3/bin$ ./littleblackbox -r
192.168.1.1:443

-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQDOPa+w/2o5IuWs3eV2MVXEpyqLYfZScbyPpr2mY8zkbdKC6DFq
zG6cBY7S06qobVjXmOgQMkoVoO8ihbD1NB6V/4xyDgMwJJ8uSfpaB/JyzefeoNz9
Gcg+s+wpKoG84PTHyfVy6xMTCwZ+qC26JLGPquu/ucwEljHy0WVYPmb9VQIDAQAB
AoGAYrG+W9M+f+0lP95IKpFdW+grQdw1RirLc2r1oqRrrnynmqGG1HbUD7HRMS69
ojABrdqsYuPN9B+5kCmuDwlMANwIwV3ZwxE7A7Hy1tpi9PgckTjZW8rCl3ciEZkx
Y+Xw9j9QGlSI6Hxthocb/4eCwwMenLrSZDj6oKuZ7DgJUJkCQQDl88c7RJsTS6HN
ztAjFxpKobIgzy9u1AH15WDqqd2rawtJk2FTFcz0GrAy/gawKU42wFqZOKv28iMq
96fGcPN3AkEA5ZpSL+vQD1WAEd7Vv56zqmTOTpEOGoDD5zxfch4gvr8rCgU6hDmz
0Y3UQ7MRJrTNvVwYXpIUoazBBUZUfbpQkwJAagxTBXJOUke/BzspogU1itWnYJos
NeBwRwbR+2b7Y+KqAfSGHdsf+jOUru+YBgYGnBl5rtAD/o8MyPQN2+abYQJABhbD
mzW7vMxdqxunu38v8JLfzcGXCCjmCRnWxiX6ZFSZhZiB5sPI+wOx32G+ULJ2ylDI
7KkfFvKH4+Xrk7H/NQJAJWQusAs1tHhDDddvcvqe4J5q0qvNdOSTs0Cu2CimWPxe
tfcz64o64XWgmCAaFq2pfaN4oC1kaGnIbUEdtIqNXw==
-----END RSA PRIVATE KEY-----

On Mon, Apr 29, 2013 at 2:23 AM, Jeffrey Walton <noloader () gmail com> wrote:

Hi All,

I have Verizon service which provides an Actiontec gateway. The
gateway is model MI424WR, running firmware 40.20.1. ("Firmware Update"
claims its up to date, even though there's been no updates for quite
some time, including patches to dhcp and libupnp).

Can anyone verify the certificate (and key pair) included with the
gateway is unique (or better, static)? Below are the thumbprints and
certificate details from OpenSSL after exporting the certificate (from
Firefox).

Bonus points: does anyone know how to generate a new certificate or
upload a new certificate? The Actiontec manual only mentions SSL
certificates when it says to ignore warnings and proceed because its
safe [1] (seriously!).

Thanks
Jeff

[1] http://support.actiontec.com/doc_files/MI424WR_Vz_User_Manual_4.0.16.1.45.160_v4.pdf

$ openssl x509 -in ORname_Jungo\:OpenRGProductsGroup -noout -fingerprint
SHA1 Fingerprint=43:88:33:C0:94:F6:AF:C8:64:C6:0E:4A:6F:57:E9:F4:D1:28:14:11

$ openssl x509 -in ORname_Jungo\:OpenRGProductsGroup -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, CN=ORname_Jungo: OpenRG Products Group
        Validity
            Not Before: Jun  3 11:11:43 2004 GMT
            Not After : May 29 11:11:43 2024 GMT
        Subject: C=US, CN=ORname_Jungo: OpenRG Products Group
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ce:3d:af:b0:ff:6a:39:22:e5:ac:dd:e5:76:31:
                    55:c4:a7:2a:8b:61:f6:52:71:bc:8f:a6:bd:a6:63:
                    cc:e4:6d:d2:82:e8:31:6a:cc:6e:9c:05:8e:d2:d3:
                    aa:a8:6d:58:d7:98:e8:10:32:4a:15:a0:ef:22:85:
                    b0:f5:34:1e:95:ff:8c:72:0e:03:30:24:9f:2e:49:
                    fa:5a:07:f2:72:cd:e7:de:a0:dc:fd:19:c8:3e:b3:
                    ec:29:2a:81:bc:e0:f4:c7:c9:f5:72:eb:13:13:0b:
                    06:7e:a8:2d:ba:24:b1:8f:aa:eb:bf:b9:cc:04:96:
                    31:f2:d1:65:58:3e:66:fd:55
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE, pathlen:5
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment,
Data Encipherment, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, Code Signing, E-mail
Protection, TLS Web Server Authentication
            Netscape Comment:
                Jungo OpenRG Products Group standard certificate
            Netscape Cert Type:
                SSL Client, SSL Server, SSL CA
    Signature Algorithm: md5WithRSAEncryption
         9e:d6:d6:cd:8f:e4:52:1a:ad:77:99:4d:f9:91:18:da:06:12:
         92:df:5f:5a:88:8b:66:87:7d:86:03:2c:d7:82:3e:24:64:56:
         b9:10:f5:ad:ef:77:c2:f9:45:d4:51:6f:c4:93:a4:cf:63:0b:
         73:47:64:47:4c:f4:fd:6d:fa:cf:b4:f0:ef:2a:49:53:ff:35:
         77:29:ed:6b:dc:88:58:b4:b2:c1:d9:f5:fd:8e:80:ed:5e:81:
         c3:24:05:46:e2:65:83:6f:e7:0c:ff:ad:52:5b:5c:e9:c5:db:
         51:ef:06:75:39:b6:20:04:c0:cc:44:7c:38:a1:91:6c:13:2d:
         5e:ab

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Verizon Service, Actiontec Gateway, and SSL Certifcate Jeffrey Walton (Apr 28)
- Re: Verizon Service, Actiontec Gateway, and SSL Certifcate Jeffrey Walton (Apr 29)
- Re: Verizon Service, Actiontec Gateway, and SSL Certifcate Jeffrey Walton (Apr 29)
  - Re: Verizon Service, Actiontec Gateway, and SSL Certifcate Steve Pirk (Apr 30)
    - Re: Verizon Service, Actiontec Gateway, and SSL Certifcate Jeffrey Walton (Apr 30)