Pervasive vulnerabilities in SOHO routers
Proof of Concept Attacks
All routers we tested had serious security issues. The following examples illustrate the kind of problems we encountered.
ASUS RT-AC66U
For the ASUS RT-AC66U, insufficient bounds checking and the inability to disable network services allowed us to execute arbitrary code with the same permissions as the vulnerable application, which happened to be root.
From its hardened state, with or without USB storage attached, the RT-AC66U runs an ACSD service on port TCP/5916. The ACSD service runs by default and cannot be disabled. The service is vulnerable to multiple buffer overflow attacks during the command processing routine (CVE-2013-4659). An attacker can connect to the ACSD service and submit a command string that is larger than the program's fixed-length buffer, corrupt the call stack, and change the execution flow of the program by overwriting adjacent memory. The result is the execution of attacker-controlled code. For the attack to succeed, we utilized ROP to circumvent stack randomization and MIPS system cache incoherency (Figure 5).
To create a coherent CPU data cache, our payload utilizes a call to a blocking function, sleep()
. We call sleep
by first using gadget number one to load the constant value 1 into the argument zero ($a0
) register, and then gadget two to load the $t9
register with the address of the sleep function. Gadget two wraps up by jumping to register $t9
, which forces a CPU context switch on the target system. The context switch flushes the data cache to RAM.
Next, we use gadget three to adjust the stack pointer register ($sp
) to point to our shellcode by adding a constant value to the $sp
register and storing the result in the $a1
register. Finally, we use gadget four to direct the program's execution to the $t9
register, which points to our custom shellcode that, when executed, starts an unauthenticated Telnet server by calling the system()
function located in the standard C library (Figure 6).
ASUS RT-N56U
The RT-AC66U again demonstrates how insufficient bounds checking and the router administrators' inability to disable network services allows an attacker to execute arbitrary code with root permissions.
From its hardened state, the RT-N56U runs an HTTP server on port TCP/80. The HTPPD service runs by default for the purpose of router management and cannot be disabled.The HTTPD service is vulnerable to multiple buffer overflow attacks during the command processing routine (CVE-2013-6343) of the media application configuration and installation process. In a fashion similar to how ACSD was exploited, an attacker can connect to the HTTPD service and submit a command string that is larger than the program's fixed-length buffer. Upon doing so, the attacker will have corrupted the web server's call stack and altered the execution flow of the program.
Like the RT-AC66U, the RT-N56U exploit utilizes ROP to circumvent stack randomization (Figure 7). At the time of code execution, the RT-N56U has already performed a context switch and written the CPU data cache to RAM, so a call to a blocking function such as sleep()
is not necessary. Because of this, the RT-N56U exploit utilizes a call to the sched_yield()
function, which relinquishes the CPU to a ready-to-run process (if one exists) with a greater than or equal to execution priority of the HTTPD process. As with the ACSD exploit, we used a series of ROP gadgets to perform this function call.
Our attack payload then uses several more ROP gadgets to align the stack and direct the program's execution to our custom shellcode residing in the program's memory. Upon execution, the exploited router creates a network socket, connects back to the attacker's machine on TCP/31337 (Figure 8), and executes a root system shell. We now have the ability to interface directly with the underlying Linux operating system running on the RT-N56U router (Figure 9). The proof of concept code demonstrated in Figure 8 can be found at the Hak42 InfoSec security blog [2].
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Endless OS 6 has Arrived
After more than a year since the last update, the latest release of Endless OS is now available for general usage.
-
Fedora Asahi 40 Remix Available for Macs with Apple Silicon
If you've been anticipating KDE's Plasma 6 for your Apple Silicon-powered Mac, then you're in luck.
-
Red Hat Adds New Deployment Option for Enterprise Linux Platforms
Red Hat has re-imagined enterprise Linux for an AI future with Image Mode.
-
OSJH and LPI Release 2024 Open Source Pros Job Survey Results
See what open source professionals look for in a new role.
-
Proton 9.0-1 Released to Improve Gaming with Steam
The latest release of Proton 9 adds several improvements and fixes an issue that has been problematic for Linux users.
-
So Long Neofetch and Thanks for the Info
Today is a day that every Linux user who enjoys bragging about their system(s) will mourn, as Neofetch has come to an end.
-
Ubuntu 24.04 Comes with a “Flaw"
If you're thinking you might want to upgrade from your current Ubuntu release to the latest, there's something you might want to consider before doing so.
-
Canonical Releases Ubuntu 24.04
After a brief pause because of the XZ vulnerability, Ubuntu 24.04 is now available for install.
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.