Proof of Concept Attacks

All routers we tested had serious security issues. The following examples illustrate the kind of problems we encountered.

ASUS RT-AC66U

For the ASUS RT-AC66U, insufficient bounds checking and the inability to disable network services allowed us to execute arbitrary code with the same permissions as the vulnerable application, which happened to be root.

From its hardened state, with or without USB storage attached, the RT-AC66U runs an ACSD service on port TCP/5916. The ACSD service runs by default and cannot be disabled. The service is vulnerable to multiple buffer overflow attacks during the command processing routine (CVE-2013-4659). An attacker can connect to the ACSD service and submit a command string that is larger than the program's fixed-length buffer, corrupt the call stack, and change the execution flow of the program by overwriting adjacent memory. The result is the execution of attacker-controlled code. For the attack to succeed, we utilized ROP to circumvent stack randomization and MIPS system cache incoherency (Figure 5).

Figure 5: RT-AC66U ROP chain.

To create a coherent CPU data cache, our payload utilizes a call to a blocking function, sleep(). We call sleep by first using gadget number one to load the constant value 1 into the argument zero ($a0) register, and then gadget two to load the $t9 register with the address of the sleep function. Gadget two wraps up by jumping to register $t9, which forces a CPU context switch on the target system. The context switch flushes the data cache to RAM.

Next, we use gadget three to adjust the stack pointer register ($sp) to point to our shellcode by adding a constant value to the $sp register and storing the result in the $a1 register. Finally, we use gadget four to direct the program's execution to the $t9 register, which points to our custom shellcode that, when executed, starts an unauthenticated Telnet server by calling the system() function located in the standard C library (Figure 6).

Figure 6: RT-AC66U shellcode.

ASUS RT-N56U

The RT-AC66U again demonstrates how insufficient bounds checking and the router administrators' inability to disable network services allows an attacker to execute arbitrary code with root permissions.

From its hardened state, the RT-N56U runs an HTTP server on port TCP/80. The HTPPD service runs by default for the purpose of router management and cannot be disabled.The HTTPD service is vulnerable to multiple buffer overflow attacks during the command processing routine (CVE-2013-6343) of the media application configuration and installation process. In a fashion similar to how ACSD was exploited, an attacker can connect to the HTTPD service and submit a command string that is larger than the program's fixed-length buffer. Upon doing so, the attacker will have corrupted the web server's call stack and altered the execution flow of the program.

Like the RT-AC66U, the RT-N56U exploit utilizes ROP to circumvent stack randomization (Figure 7). At the time of code execution, the RT-N56U has already performed a context switch and written the CPU data cache to RAM, so a call to a blocking function such as sleep() is not necessary. Because of this, the RT-N56U exploit utilizes a call to the sched_yield() function, which relinquishes the CPU to a ready-to-run process (if one exists) with a greater than or equal to execution priority of the HTTPD process. As with the ACSD exploit, we used a series of ROP gadgets to perform this function call.

Figure 7: RT-N56U shellcode.

Our attack payload then uses several more ROP gadgets to align the stack and direct the program's execution to our custom shellcode residing in the program's memory. Upon execution, the exploited router creates a network socket, connects back to the attacker's machine on TCP/31337 (Figure 8), and executes a root system shell. We now have the ability to interface directly with the underlying Linux operating system running on the RT-N56U router (Figure 9). The proof of concept code demonstrated in Figure 8 can be found at the Hak42 InfoSec security blog [2].

Figure 8: Exploiting the RT-N56U router.

Figure 9: Interacting with the RT-N56U root shell.