Background
The Eir D1000 Modem has bugs that allow an attacker to gain full control of the modem from the Internet. The modem could then be used to hack into internal computers on the network, as a proxy host to hack other computers, or even as a bot in a botnet.
A port scan of the modem revealed that it has one TCP port exposed to the Internet, port 7547. Port 7547 is used by the TR-069 protocol. TR-069, a.k.a. the CPE WAN Management Protocol (CWMP), is the protocol that ISPs like Eir use to manage all of the modems on their network.
When Eir’s technical support want to manage the modem (for example, to reset the Wi-Fi password), they instruct the ACS (Access Control Server, the server used to manage the modems) to connect to the modem on port 7547 and send it a “connection request” command. The modem then connects back to the ACS, and Eir’s technical support can change whatever settings they want.
What is not very well known is that the server on port 7547 is also a TR-064 server.
TR-064 is another protocol related to TR-069, also known as “LAN-Side CPE Configuration”. The idea behind this protocol is to allow the ISP to configure the modem from installation software supplied with the modem. The protocol is not supposed to be reachable from the WAN side of the modem, but on the D1000 modem we can send TR-064 commands to port 7547 on the WAN side. This allows us to “configure” the modem from the Internet.
There are many TR-064 commands; some useful ones are:
DeviceInfo/GetInfo: This gives general information about the modem including serial number, firmware version, device description etc.
WLANConfiguration/GetSecurityKeys: This returns the Wi-Fi key
WLANConfiguration/GetInfo: This returns the SSID and MAC address
Time/SetNTPServers: