Pervasive vulnerabilities in SOHO routers
Proof of Concept Attacks
All routers we tested had serious security issues. The following examples illustrate the kind of problems we encountered.
ASUS RT-AC66U
For the ASUS RT-AC66U, insufficient bounds checking and the inability to disable network services allowed us to execute arbitrary code with the same permissions as the vulnerable application, which happened to be root.
From its hardened state, with or without USB storage attached, the RT-AC66U runs an ACSD service on port TCP/5916. The ACSD service runs by default and cannot be disabled. The service is vulnerable to multiple buffer overflow attacks during the command processing routine (CVE-2013-4659). An attacker can connect to the ACSD service and submit a command string that is larger than the program's fixed-length buffer, corrupt the call stack, and change the execution flow of the program by overwriting adjacent memory. The result is the execution of attacker-controlled code. For the attack to succeed, we utilized ROP to circumvent stack randomization and MIPS system cache incoherency (Figure 5).
To create a coherent CPU data cache, our payload utilizes a call to a blocking function, sleep(). We call sleep by first using gadget number one to load the constant value 1 into the argument zero ($a0) register, and then gadget two to load the $t9 register with the address of the sleep function. Gadget two wraps up by jumping to register $t9, which forces a CPU context switch on the target system. The context switch flushes the data cache to RAM.
Next, we use gadget three to adjust the stack pointer register ($sp) to point to our shellcode by adding a constant value to the $sp register and storing the result in the $a1 register. Finally, we use gadget four to direct the program's execution to the $t9 register, which points to our custom shellcode that, when executed, starts an unauthenticated Telnet server by calling the system() function located in the standard C library (Figure 6).
ASUS RT-N56U
The RT-AC66U again demonstrates how insufficient bounds checking and the router administrators' inability to disable network services allow an attacker to execute arbitrary code with root permissions.
From its hardened state, the RT-N56U runs an HTTP server on port TCP/80. The HTTPD service runs by default for the purpose of router management and cannot be disabled. The HTTPD service is vulnerable to multiple buffer overflow attacks during the command processing routine (CVE-2013-6343) of the media application configuration and installation process. In a fashion similar to how ACSD was exploited, an attacker can connect to the HTTPD service and submit a command string that is larger than the program's fixed-length buffer. Upon doing so, the attacker will have corrupted the web server's call stack and altered the execution flow of the program.
Like the RT-AC66U, the RT-N56U exploit utilizes ROP to circumvent stack randomization (Figure 7). At the time of code execution, the RT-N56U has already performed a context switch and written the CPU data cache to RAM, so a call to a blocking function such as sleep() is not necessary. Because of this, the RT-N56U exploit utilizes a call to the sched_yield() function, which relinquishes the CPU to a ready-to-run process (if one exists) whose execution priority is greater than or equal to that of the HTTPD process. As with the ACSD exploit, we used a series of ROP gadgets to perform this function call.
Our attack payload then uses several more ROP gadgets to align the stack and direct the program's execution to our custom shellcode residing in the program's memory. Upon execution, the exploited router creates a network socket, connects back to the attacker's machine on TCP/31337 (Figure 8), and executes a root system shell. We now have the ability to interface directly with the underlying Linux operating system running on the RT-N56U router (Figure 9). The proof of concept code demonstrated in Figure 8 can be found at the Hak42 InfoSec security blog [2].
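The bounds check that both command processing routines described above lack (ACSD on the RT-AC66U and HTTPD on the RT-N56U), shown as an added example that is not ASUS code and not from the original article. The helper name read_command, the 64-byte buffer size, and the newline-terminated command format are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX 64 /* assumed size of the fixed-length command buffer */
enum cmd_status { CMD_OK = 0, CMD_TOO_LONG = -1, CMD_MALFORMED = -2 };

/*
 * Unsafe pattern behind this bug class: the copy length comes from the sender.
 *     char cmd[CMD_MAX]; strcpy(cmd, received);  // overruns cmd[] on long input
 * Hardened form (hypothetical helper): `in` holds `in_len` received bytes and
 * is not assumed NUL-terminated. The command ends at '\n', NUL or in_len.
 */
enum cmd_status read_command(const unsigned char *in, size_t in_len,
                             char out[CMD_MAX])
{
    size_t n = 0;
    out[0] = '\0'; /* callers never see stale data on failure */
    if (in == NULL)
        return CMD_MALFORMED;

    /* Measure the command without reading past the received data. */
    while (n < in_len && in[n] != '\n' && in[n] != '\0')
        n++;
    if (n == 0)
        return CMD_MALFORMED;

    /* Reject instead of truncating: n bytes plus the NUL must fit. */
    if (n >= CMD_MAX)
        return CMD_TOO_LONG;

    /* A command string is printable ASCII only; refuse anything else. */
    for (size_t i = 0; i < n; i++)
        if (in[i] < 0x20 || in[i] > 0x7e)
            return CMD_MALFORMED;

    memcpy(out, in, n);
    out[n] = '\0';
    return CMD_OK;
}

int main(void)
{
    unsigned char big[200]; /* constructed oversized input */
    char cmd[CMD_MAX];
    memset(big, 'A', sizeof big);
    printf("%d %d\n", read_command((const unsigned char *)"status\n", 7, cmd),
           read_command(big, sizeof big, cmd));
    return 0;
}
```

Rejecting an oversized command outright, instead of truncating it, keeps the parser from acting on a partial string and gives the service a clear event to log.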