Pervasive vulnerabilities in SOHO routers
Proof of Concept Attacks
All routers we tested had serious security issues. The following examples illustrate the kind of problems we encountered.
ASUS RT-AC66U
For the ASUS RT-AC66U, insufficient bounds checking and the inability to disable network services allowed us to execute arbitrary code with the same permissions as the vulnerable application, which happened to be root.
From its hardened state, with or without USB storage attached, the RT-AC66U runs an ACSD service on port TCP/5916. The ACSD service runs by default and cannot be disabled. The service is vulnerable to multiple buffer overflow attacks during the command processing routine (CVE-2013-4659). An attacker can connect to the ACSD service and submit a command string that is larger than the program's fixed-length buffer, corrupt the call stack, and change the execution flow of the program by overwriting adjacent memory. The result is the execution of attacker-controlled code. For the attack to succeed, we utilized ROP to circumvent stack randomization and MIPS system cache incoherency (Figure 5).
To create a coherent CPU data cache, our payload utilizes a call to a blocking function, sleep()
. We call sleep
by first using gadget number one to load the constant value 1 into the argument zero ($a0
) register, and then gadget two to load the $t9
register with the address of the sleep function. Gadget two wraps up by jumping to register $t9
, which forces a CPU context switch on the target system. The context switch flushes the data cache to RAM.
Next, we use gadget three to adjust the stack pointer register ($sp
) to point to our shellcode by adding a constant value to the $sp
register and storing the result in the $a1
register. Finally, we use gadget four to direct the program's execution to the $t9
register, which points to our custom shellcode that, when executed, starts an unauthenticated Telnet server by calling the system()
function located in the standard C library (Figure 6).
ASUS RT-N56U
The RT-AC66U again demonstrates how insufficient bounds checking and the router administrators' inability to disable network services allows an attacker to execute arbitrary code with root permissions.
From its hardened state, the RT-N56U runs an HTTP server on port TCP/80. The HTPPD service runs by default for the purpose of router management and cannot be disabled.The HTTPD service is vulnerable to multiple buffer overflow attacks during the command processing routine (CVE-2013-6343) of the media application configuration and installation process. In a fashion similar to how ACSD was exploited, an attacker can connect to the HTTPD service and submit a command string that is larger than the program's fixed-length buffer. Upon doing so, the attacker will have corrupted the web server's call stack and altered the execution flow of the program.
Like the RT-AC66U, the RT-N56U exploit utilizes ROP to circumvent stack randomization (Figure 7). At the time of code execution, the RT-N56U has already performed a context switch and written the CPU data cache to RAM, so a call to a blocking function such as sleep()
is not necessary. Because of this, the RT-N56U exploit utilizes a call to the sched_yield()
function, which relinquishes the CPU to a ready-to-run process (if one exists) with a greater than or equal to execution priority of the HTTPD process. As with the ACSD exploit, we used a series of ROP gadgets to perform this function call.
Our attack payload then uses several more ROP gadgets to align the stack and direct the program's execution to our custom shellcode residing in the program's memory. Upon execution, the exploited router creates a network socket, connects back to the attacker's machine on TCP/31337 (Figure 8), and executes a root system shell. We now have the ability to interface directly with the underlying Linux operating system running on the RT-N56U router (Figure 9). The proof of concept code demonstrated in Figure 8 can be found at the Hak42 InfoSec security blog [2].
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Canonical Releases Ubuntu 24.04
After a brief pause because of the XZ vulnerability, Ubuntu 24.04 is now available for install.
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.