Pervasive vulnerabilities in SOHO routers
Proof of Concept Attacks
All routers we tested had serious security issues. The following examples illustrate the kind of problems we encountered.
ASUS RT-AC66U
For the ASUS RT-AC66U, insufficient bounds checking and the inability to disable network services allowed us to execute arbitrary code with the same permissions as the vulnerable application, which happened to be root.
From its hardened state, with or without USB storage attached, the RT-AC66U runs an ACSD service on port TCP/5916. The ACSD service runs by default and cannot be disabled. The service is vulnerable to multiple buffer overflow attacks during the command processing routine (CVE-2013-4659). An attacker can connect to the ACSD service and submit a command string that is larger than the program's fixed-length buffer, corrupt the call stack, and change the execution flow of the program by overwriting adjacent memory. The result is the execution of attacker-controlled code. For the attack to succeed, we utilized ROP to circumvent stack randomization and MIPS system cache incoherency (Figure 5).
To create a coherent CPU data cache, our payload utilizes a call to a blocking function, sleep()
. We call sleep
by first using gadget number one to load the constant value 1 into the argument zero ($a0
) register, and then gadget two to load the $t9
register with the address of the sleep function. Gadget two wraps up by jumping to register $t9
, which forces a CPU context switch on the target system. The context switch flushes the data cache to RAM.
Next, we use gadget three to adjust the stack pointer register ($sp
) to point to our shellcode by adding a constant value to the $sp
register and storing the result in the $a1
register. Finally, we use gadget four to direct the program's execution to the $t9
register, which points to our custom shellcode that, when executed, starts an unauthenticated Telnet server by calling the system()
function located in the standard C library (Figure 6).
ASUS RT-N56U
The RT-AC66U again demonstrates how insufficient bounds checking and the router administrators' inability to disable network services allows an attacker to execute arbitrary code with root permissions.
From its hardened state, the RT-N56U runs an HTTP server on port TCP/80. The HTPPD service runs by default for the purpose of router management and cannot be disabled.The HTTPD service is vulnerable to multiple buffer overflow attacks during the command processing routine (CVE-2013-6343) of the media application configuration and installation process. In a fashion similar to how ACSD was exploited, an attacker can connect to the HTTPD service and submit a command string that is larger than the program's fixed-length buffer. Upon doing so, the attacker will have corrupted the web server's call stack and altered the execution flow of the program.
Like the RT-AC66U, the RT-N56U exploit utilizes ROP to circumvent stack randomization (Figure 7). At the time of code execution, the RT-N56U has already performed a context switch and written the CPU data cache to RAM, so a call to a blocking function such as sleep()
is not necessary. Because of this, the RT-N56U exploit utilizes a call to the sched_yield()
function, which relinquishes the CPU to a ready-to-run process (if one exists) with a greater than or equal to execution priority of the HTTPD process. As with the ACSD exploit, we used a series of ROP gadgets to perform this function call.
Our attack payload then uses several more ROP gadgets to align the stack and direct the program's execution to our custom shellcode residing in the program's memory. Upon execution, the exploited router creates a network socket, connects back to the attacker's machine on TCP/31337 (Figure 8), and executes a root system shell. We now have the ability to interface directly with the underlying Linux operating system running on the RT-N56U router (Figure 9). The proof of concept code demonstrated in Figure 8 can be found at the Hak42 InfoSec security blog [2].
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Gnome 48 Debuts New Audio Player
To date, the audio player found within the Gnome desktop has been meh at best, but with the upcoming release that all changes.
-
Plasma 6.3 Ready for Public Beta Testing
Plasma 6.3 will ship with KDE Gear 24.12.1 and KDE Frameworks 6.10, along with some new and exciting features.
-
Budgie 10.10 Scheduled for Q1 2025 with a Surprising Desktop Update
If Budgie is your desktop environment of choice, 2025 is going to be a great year for you.
-
Firefox 134 Offers Improvements for Linux Version
Fans of Linux and Firefox rejoice, as there's a new version available that includes some handy updates.
-
Serpent OS Arrives with a New Alpha Release
After months of silence, Ikey Doherty has released a new alpha for his Serpent OS.
-
HashiCorp Cofounder Unveils Ghostty, a Linux Terminal App
Ghostty is a new Linux terminal app that's fast, feature-rich, and offers a platform-native GUI while remaining cross-platform.
-
Fedora Asahi Remix 41 Available for Apple Silicon
If you have an Apple Silicon Mac and you're hoping to install Fedora, you're in luck because the latest release supports the M1 and M2 chips.
-
Systemd Fixes Bug While Facing New Challenger in GNU Shepherd
The systemd developers have fixed a really nasty bug amid the release of the new GNU Shepherd init system.
-
AlmaLinux 10.0 Beta Released
The AlmaLinux OS Foundation has announced the availability of AlmaLinux 10.0 Beta ("Purple Lion") for all supported devices with significant changes.
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.