Exploiting SOHO Routers Services
Many SOHO routers today incorporate network services and functionality unrelated to routing and switching network traffic. For example, every router contained at least one service for supporting some form of Network Attached Storage (NAS). These services included FTP, SMB, NetBIOS, UPnP Media, and HTTP. Outside of NAS services, SOHO routers also often utilize other miscellaneous network services for optimization and configuration purposes. Though seemingly innocuous, these extraneous services have come at the expense of security by introducing new attack surfaces for compromise. As evidence, ISE has exploited a number of routers by leveraging the existent of such services.
UPDATE:Full technical report (PDF)
UPDATE:Click here to access CNET's new article featuring a high level overview of a handful of these attacks.
INQUIRIES: For more information on this routers project, you can contact us at . For general inquiries, click here to contact ISE.
Introduction
In a previous report, we released a list of SOHO router vulnerabilities and showed proof-of-concept (PoC) attack code for how to exploit them. For many of these routers, those PoCs operated through the main web-based interface. In this follow up study, we addressed only the extraneous, non-router services that were present on the routers. What we found was that of the 10 routers reviewed, all 10 could be compromised from the (wireless) LAN once a router had USB attached storage connected.
Read here for a comprehensive vulnerability catalog.
Read here for our previous study, demonstrating the ubiquity of these vulnerabilities.
Read below for PoC attacks, and interesting vulnerability details.
- All 10 routers evaluated can be taken over from the local network by exploiting non-essential services that are either enabled by default, or enabled once USB storage is attached.
Motivation
Despite being widely distributed and deployed in nearly every modern home and small office, SOHO networking equipment has received surprisingly little attention from security researchers. Yet, these devices facilitate the connectivity and protection (we hope) of millions of end-systems. The critical vulnerabilities that persist in these widely used devices demonstrate an urgent need for deeper scrutiny.
Our research indicates that a moderately skilled adversary with LAN or WLAN access can exploit all ten routers through their non-essential features and services.
Summary
The following table summarizes the services that are available on the (wireless) LAN by default, once USB storage is attached.
Router | FTP | Telnet | DNS | HTTP | SMB | HTTPS | UPnP | Total Ports |
Linksys EA6500 | y | y | y | y | y | 30 | ||
Netgear WNDR4700 | y | y | y | y | y | y | y | 29 |
ASUS RT-AC66U | y | y | y | y | 31 | |||
ASUS RT-N56U | y | y | y | y | 23 | |||
TP LINK TL-WDR4300 | y | y | y | y | 17 | |||
TP LINK TL-1043ND | y | y | y | y | y | 15 | ||
TRENDnet TEW-812DRU | y | y | y | y | 22 | |||
Netgear WNR3500 | y | y | y | y | y | 15 | ||
D-LINK DIR-865L | y | y | y | y | y | y | 32 | |
Belkin N900 | y | y | y | y | 10 |
Table 1. Network port summary
The table in Table 2 shows a list of routers evaluated in our study with the specific vulnerabilities that were leveraged to gain root access to the device. These vulnerabilities were found from a hardened configuration, and after USB storage was attached to the device. This chart is not inclusive of all discovered vulnerabilities - only vulnerabilities that were used by ISE to gain root access.
Router | Vulnerabilities | |||||
Buffer Overflow | SMB Symlink | Race Condition | Web Attacks | Backdoor | Improper File Permissions | |
Linksys EA6500 | X | X | X | |||
Netgear WNDR4700 | X | X | X | |||
ASUS RT-AC66U | X | X | X | |||
ASUS RT-N56U | X | X | ||||
TP LINK TL-WDR4300 | X | X | X | |||
TP LINK TL-1043ND | X | X | X | |||
TRENDnet TEW-812DRU | X | X | X | |||
Netgear WNR3500 | X | X | X | |||
D-LINK DIR-865L | X | X | X | X | X | |
Belkin N900 | X | X |
Table 2. Vulnerability summary
Proof of concept attacks
Here we present several proof of concept attacks that demonstrate how these routers can be exploited using combinations of the above vulnerabilities. We assume the adversary is any user on the (wireless) LAN who can contact the router, and that the router is in its hardened state, with USB storage attached.
D-Link DIR-865L
In the case of the D-Link DIR-865L, we demonstrate how improper file permissions, unsecured sensitive data, unauthenticated access to SMB, and a misconfigured SMB service can allow an attacker to recover the device's administrative password, and thereby gain administrative control of the device.
From its hardened state, with USB storage attached, the DIR-865L runs a Samba service on ports TCP/445 , TCP/139 and UDP/137.
- By default, the SMB service does not require authentication, and so an attacker can immediately log in without credentials (no CVE cataloged).
- Due to a misconfiguration in the SMB service, symbolic links can be created to locations outside of the Samba share (CVE-2013-4855). The attacker can create a symbolic link to /, the router's file system root.
- The DIR-865L allows world-readable access to several system folders (CVE pending), including /var/, which contains the passwd file. Through a symbolic link traversal from 2, an attacker can obtain this file.
- The DIR-865L passwd file contains a cleartext administrator password (CVE pending). Once the attacker obtains this from 3, he can log in to the web interface as an administrator.
- The attacker logs in using the credentials obtained in 4.
- The web interface of the DIR-865L contains a PHP File Inclusion vulnerability (CVE-2013-4857) in the router_info.xml file. The file takes the argument .section. that is intended for including other XML files. An attacker can upload a file containing chosen PHP code to the Samba share (e.g., /tmp/storage/<sharename>/test.xml), and then request router_info.xml while setting the section variable to .../../tmp/storage/<sharename>/<uploaded_file>. which is automatically concatenated with the extension ..xml. and processed.
- When the DIR-865L receives certain configuration changes through the web interface, it creates shell scripts in the directory /var/run/ and then executes them as a separate step, creating a race condition (no CVE cataloged, not intrinsically a vulnerability). For instance, a command can be issued from the web interface to restart NTP, which creates the script /var/run/ntp_run.sh, and then subsequently executes the script. An attacker can leverage the PHP file inclusion vulnerability from 6 to repeatedly execute PHP code to overwrite /var/run/ntp_run.sh with a different script, while at the same time restarting the NTP service in the hopes of exploiting the race condition, and executing the attacker written ntp_run.sh, rather than the official version.
- Eventually, winning the race condition from 7 happens, and an unauthenticated Telnet service with root privileges listens on port 23. The attacker can access this service to obtain a root shell.
A full script for launching this attack against a D-Link DIR-865L can be found here.
Linksys EA6500
In the case of the Linksys EA6500, we demonstrate how improper file permissions, unauthenticated access to SMB, and a misconfigured SMB can allow an attacker to execute arbitrary commands on the router, thereby granting the attacker a root shell.
From its hardened state, with USB storage attached, the EA6500 runs a Samba service on ports TCP/445, TCP/139 and UDP/137, UDP/138.
- By default, the SMB service does not require authentication, and so an attacker can immediately log in without credentials (no CVE cataloged).
- Due to a misconfiguration in the SMB service, symbolic links can be created to locations outside of the Samba share (CVE-2013-4658) The attacker can create a symbolic link to /, the router's file system root.
- The EA6500 allows universal read/write access to its /tmp/ directory (CVE pending), where it stores scripts that run according to a cron schedule. Once per minute, the EA6500 runs the scripts found in the folder /tmp/cron/cron.everyminute/ as root. Through the symbolic link traversal from 2, the attacker can put an utelnetd binary in /tmp/, and a script that runs utelnetd in /tmp/cron/cron.everyminute/.
- Eventually, the script from 3 is activated, and an unauthenticated Telnet service with root privileges listens on port 23. The attacker can access this service to obtain a root shell.
A full script for launching this attack against a hardened EA6500 with USB attached storage can be found below.
|
ASUS RT-AC66U
For the ASUS RT-AC66U, we demonstrate how insufficient bounds checking and the inability to disable network services allowed us to execute arbitrary code with the same permissions as the vulnerable application.
From its hardened state, with or without USB storage attached, the RT-AC66U runs an ACSD system configuration service on port TCP/5916
- The ACSD service runs by default, and cannot be disabled (no CVE cataloged).
- The ACSD service is vulnerable to multiple buffer overflow attacks during the command processing routine (CVE-2013-4659). An attacker can connect to the ACSD service and submit a command string that is larger than the program's fixed length buffer, corrupt the call stack, and change the execution flow of the program by overwriting adjacent memory. The result is the execution of attacker-controlled code.
For the attack to succeed we utilize return oriented programming (ROP) to avoid stack randomization and MIPS system cache incoherency. In order to create a coherent data cache, our payload utilizes a call to a blocking function, sleep(), which effectively pauses program execution and gives CPU cycles to other executing system processes. When the sleep() function returns, the MIPS CPU flushes the data cache and continues program execution. Finally, we direct the programs execution to our custom shellcode that starts an unauthenticated Telnet server by calling the system() function located in the standard C library.
A full script for launching this attack against an ASUS AC66U can be found here.
TRENDnet TEW-812DRU
For the TRENDnet TEW-812DRU, we demonstrate how vulnerabilities in web applications could lead to a direct compromise of the underlying operating system. For this attack, we demonstrate how insufficient input sanitization and lack of CSRF protection could allow an attacker to execute arbitrary system commands with the same permissions as the vulnerable web application.
From its hardened state, with or without USB storage attached, the TRENDnet TEW-812DRU contains a web server on port TCP/80 that serves a web application for configuration purposes.
-
- The web server running on TCP/80 runs by default and cannot be disabled by an administrator (no CVE cataloged).
- The TEW-812DRU web interface is susceptible to CSRF attacks (CVE pending). A remote attacker can construct a CSRF exploit that causes chosen actions to be performed on behalf of the administrator.
- The web application served by the TEW-812DRU's web server is vulnerable to multiple command injection attacks (CVE-2013-3365) during the process of performing configuration updates. An attacker with access to these pages can inject commands into the pages shown in the table below, which are executed when the input is sent to the server.
Page | Injection Points |
/internet/ipv6.asp | wan network prefix |
/adm/management.asp | remote port |
/internet/wan.asp | pptp username pptp password ip gateway l2tp username l2tp password |
/adm/time.asp | NtpDstStart NtpDstEnd NtpDstOffset |
/adm/management.asp | device url |
Table 3.TEW-812DRU injection points
-
- Leveraging the CSRF vulnerability in 2, and the command
injection
vulnerability in 3, an attacker can execute arbitrary
commands on the
TEW-812DRU. For instance, an attacker can submit the
following HTML as
part of a CSRF attack:
<input type="hidden" name="NtpDstEnd" value=" `count=0; while [ $count -le 25 ]; do iptables -I INPUT 1 -p tcp --dport 23 -j ACCEPT; (( count++ )); done;` ">
- Leveraging the CSRF vulnerability in 2, and the command
injection
vulnerability in 3, an attacker can execute arbitrary
commands on the
TEW-812DRU. For instance, an attacker can submit the
following HTML as
part of a CSRF attack:
- After the attack in 4, the TEW-812DRU will have started the router's Telnet daemon and made it accessible from the WAN on TCP/23. The attacker can now access this port to obtain a super user system shell.
The full attack script is given here
Important notes
- Disclaimer. ISE did not exhaustively evaluate these routers, and in no way asserts that other product vulnerabilities do not exist. Many of these routers enable by default—or provide the capability to enable—telnet, ftp, and other services that have not been fully investigated. Our research was directed at assessing the ubiquity of these vulnerabilities, and not the number of issues present in any specific router model, or through any particular service or form of attack.
- Fully updated. Prior to our evaluation, all routers were updated to the latest firmware, and tested with out-of-the-box configuration settings.
Mitigations
Unfortunately, there is little the average end-user can do to fully mitigate these attacks. Successful mitigation often requires a level of sophistication and skill beyond that of the average user (and beyond that of the most likely victims).
Recommendations for Vendors
SOHO networking device VENDORS should take the following actions to help mitigate these issues.
- Prepare and make available firmware upgrades that address these issues.
- Notify registered users of these vulnerabilities, and distribute instructions on how to upgrade device firmware.
- Regularly audit devices for security vulnerabilities, produce and distribute security patches in a timely manner, and notify registered customers.
- Require the manual configuration of these services, rather than enabling them by default, and do not include any services that cannot be disabled.
SOHO networking device VENDORS should incorporate the following design changes in to their product lines.
- Using authenticated (digitally signed, and verifiable by the router) firmware updates.
- Designing a method for automatic firmware updates, that can be opted out of by users.
- Perform regular security audits to ensure devices are as hardened as possible.
Recommendations for Device Administrators
SOHO networking device ADMINISTRATORS should take the following actions to help mitigate these issues.
- DO NOT CONNECT USB STORAGE
- Upgrade your firmware regularly.
- Disable (or do not enable) remote administration.
- Disable (or do not enable) network services that are not utilized within the LAN, e.g., FTP, SMB, UPnP.
- Log out from, and restart, your SOHO networking device after logging in for administrative tasks.
- Clear browser cookies and active logins after logging out from your router.
- Choose a non-standard (wireless) LAN IP address range (subnet), which will make generic automated attacks less effective against your network.
- If possible, enable HTTPS for all administrative connections. For all of the routers we evaluated that had this feature, it was disabled by default.
- Make sure your WLAN is protected using WPA2 encryption and is not left as an open WiFi network or protected with the outdated WPA or WEP standards.
- ONLY install firmware from the router manufacturers website.
- Choose a secure router administration password consisting of upper/lowercase alphanumeric and special characters that is at least 12 characters in length.
- If your SOHO device is behind an additional firewall, restrict inbound access to this device from the greater WAN.
Recommendations for End Users
END-USERS behind SOHO networking devices should take the following actions to help mitigate these issues.
- DO NOT TRUST NETWORK ATTACHED STORAGE provided by these routers.
- Do not discount browser or other software warnings of potential MITM attacks.
- Do not follow links sent through email or by other means, especially ones that are directed to what could potentially be a SOHO networking device (e.g., 192.168.2.1).
- Be diligent, and browse safely.
Disclosures
For all vulnerabilities identified in this research, ISE has disclosed the issues to the product vendors through their typical vulnerability reporting mechanism, as well as any other channels for which we had access. We've given what we believe is adequate time to address the issues disclosed, and to the extent it has been reasonable, we've helped those vendors develop or implement mitigations. We welcome all vendor feedback, and are happy to assist with any additional information that may facilitate a quick resolution to any of these vulnerabilities.
Beyond the vulnerabilities listed in this case study, our research has now brought to light 56 issues that have received Common Vulnerabilities and Exposure (CVE) numbers. They can be found in our vulnerability catalog.
Attribution and Acknowledgments
This research was conducted by Jacob Holcomb, Stephen Bono, Kedy Lui, Alex Morrow, and Jacob Thompson of Independent Security Evaluators.