The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset vulnerability
TCP/32764 backdoor
Or how linksys saved Christmas!
Who?
• Eloi Vanderbeken
• @elvanderb
• https://github.com/elvanderb
• eloi vanderbeken gmail com
• Interested in reverse and crypto.
• Don’t like to write reports :D
– Angrish is hard!
• Certified Ethical Dauber | Microsoft Paint MVP
When? Christmas!!!
(1Mb/s) / (10 users * 68dB) =
IDEA!
But… a few years ago…
WAG 200G
/me now
/me then
Very long and complex
For the record…
(Slide illustration: a hand-drawn map of the location: a cow, the mothership, corn, sugar beet, wheat, NOTHING in every direction (or a cow), a little bit of nothing, and REALLY FAAAAR away, the DSLAM.)
Challenge:
• No access to the http[s] administration tool.
• No admin password anyway…
• NEED DA INTERNET!
Nmap
• Few interesting ports:
– ReAIM (http://reaim.sourceforge.net/)
• Possibly vuln…
– Unknown service listening on TCP/32764
• Responds ScMM\xFF\xFF\xFF\xFF\x00\x00\x00\x00 to any request.
GO-GO-GADGET GOOGLE
Mister Guessing 2010!
Hmkay. Actually you don’t know...
Let’s get the firmware!
http://support.linksys.com/en-us/support/gateways/WAG200G/download
-> FU linksys!
http://community.linksys.com/t5/Cable-and-DSL/WAG200G-FR-firmware-upgrade/m-p/233170
-> Thks users!
http://download.modem-help.co.uk/mfcs-L/LinkSys/WAG200G/Firmware/v1/
-> Thks modem-help & google!
WHER IZ U ƦᴓФŦ-Ƒ$?!
WHER IZ U ƦᴓФŦ-Ƒ$?! Cont’d
ftp://ftp.linksys.com/opensourcecode is now down
Chainsaw time!
• Get LZMA SDK 4.65
• Modify squashfs-tools’ Makefile:
• Use your chainsaw on source code:
Found you!
Where’s Waldo^wthe service?
Just use grep and IDA to find the good one
FU, maybe it’s in little endian…
FU!!! Let’s get dirty!
First steps
• No symbols, MIPS:
– We’ll have to reverse
– I love reversing and MIPS is easy so it’s OK :D
• Very simple binary protocol:
– Header (0xC bytes) followed by a payload
• Header structure:
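As an added illustration, not part of the slides and not the author's code, the following Python splits a message from the TCP/32764 service into the 0xC-byte header described above and the trailing payload, and flags a banner grab that matches the ScMM reply quoted on the Nmap slide, so a network inventory can list devices that still expose the service. The slide text gives only the header length and the observed reply bytes, not the field layout: treating the header as a 4-byte magic followed by two 32-bit little-endian integers is an assumption, and the sample hosts and their replies are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Reply quoted on the Nmap slide: the service sends it back to any request.
SCMM_BANNER = b"ScMM\xff\xff\xff\xff\x00\x00\x00\x00"
# "Header (0xC bytes) followed by a payload"
HEADER_LEN = 0xC
# TCP port the unknown service was found listening on.
BACKDOOR_PORT = 32764


@dataclass
class Message:
    magic: bytes      # first 4 bytes; b"ScMM" in the observed reply
    field1: int       # ASSUMED: 32-bit integer following the magic
    field2: int       # ASSUMED: second 32-bit integer (0 in the observed reply)
    payload: bytes    # everything after the 12-byte header


def parse_message(data: bytes, little_endian: bool = True) -> Optional[Message]:
    """Split raw bytes into the 0xC-byte header and the trailing payload.

    Returns None for anything shorter than a full header, so a truncated
    read is never mistaken for a valid message. The 4s/I/I layout and the
    little-endian default are assumptions, not taken from the slides.
    """
    if len(data) < HEADER_LEN:
        return None
    fmt = ("<" if little_endian else ">") + "4sII"
    magic, field1, field2 = struct.unpack(fmt, data[:HEADER_LEN])
    return Message(magic, field1, field2, data[HEADER_LEN:])


def is_scmm_reply(response: bytes) -> bool:
    """True when a banner grab carries the ScMM magic in a complete header."""
    msg = parse_message(response)
    return msg is not None and msg.magic == b"ScMM"


def exposed_hosts(banners: Dict[str, bytes]) -> List[str]:
    """Given {host: bytes read back from TCP/32764}, list hosts answering with ScMM."""
    return sorted(host for host, reply in banners.items() if is_scmm_reply(reply))


# Constructed sample banner grabs (TEST-NET addresses, not real devices).
SAMPLE_BANNERS = {
    "192.0.2.10": SCMM_BANNER,                      # matches the slide's reply
    "192.0.2.11": b"HTTP/1.0 400 Bad Request\r\n",  # some other service on the port
    "192.0.2.12": b"ScMM\xff\xff",                  # truncated read: not a full header
    "192.0.2.13": b"",                              # no reply at all
}

if __name__ == "__main__":
    for host in exposed_hosts(SAMPLE_BANNERS):
        msg = parse_message(SAMPLE_BANNERS[host])
        print(f"{host}: TCP/{BACKDOOR_PORT} answers with {msg.magic!r}, "
              f"field1=0x{msg.field1:08x} field2={msg.field2} payload={msg.payload!r}")
```

The `banners` dictionary can be filled from any banner grab against port 32764 (the slide uses Nmap); the point of the length check is that a short or empty read is reported as "not confirmed" rather than silently treated as a match.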
Easy protocol, isn’t it?
Heap based buffer overflow
Messages…
Let’s bruteforce them!
WTF?!
WTFFFFFFUUUUU?!
• NO MOAR INTERNETZ?!
• When we restart the script:
Configuration is reset?!?!!!
Quick messages’ reverse…
1. Dump configuration (nvram)
2. Get configuration var – possible stack based buffer overflow (if variable is controlled by the user)
3. Set configuration var –stack based buffer overflow, output buffer (size ≈ 0x10000) is on the stack.
4. Commit nvram – set nvram (/dev/mtdblock/3) from /tmp/nvram ; check CRC
5. Set bridge mode ON (not sure, I didn’t have the time to test it)
– nvram_set("wan_mode", bridgedonly)
– nvram_set("wan_encap", 0)
– nvram_set("wan_vpi", 8)
– nvram_set("wan_vci", 81)
– system("/usr/bin/killall br2684ctl")
– system("/usr/bin/killall udhcpd")
– system("/usr/bin/killall -9 atm_monitor")
– system("/usr/sbin/rc wan stop >/dev/null 2>&1")
– system("/usr/sbin/atm_monitor&")
6. Show measured internet speed (download/upload)
Quick messages’ reverse… cont’d
7. cmd (yep, it’s a shell…)
– special commands:
• exit, bye, quit -> quit... (alive = 0)
• cd: change directory
– other commands:
• buffer overflow on cmd output (same buffer again)…
8. write file
– file name in payload
– root dir = /tmp
– directory traversal might be possible (not tested but it’s an open(sprintf("/tmp/%s", payload))…)
9. return version
10. return modem router ip – nvram_get(“lan_ipaddr”)
11. restore default settings
– nvram_set("restore_default", 1)
– nvram_commit()
12. read /dev/mtdblock/0 [-4:-2] – dunno what it is, I didn’t have the time to test it
13. dump nvram on disk (/tmp/nvram) and commit
So if you need access to the admin panel…
Thank you Linksys!!!
You saved my Christmas
Some more lolz…
• I only had 1 day to test my code/assumptions, so the following slides are just some random thoughts/observations…
• It wasn’t tested but it’s probably interesting
In setup.cgi
A little bit further in setup.cgi…
get_rand_key ???
libtea.so
Generate the key used to encrypt Routercfg.cfg (if I’m right)
Again in setup.cgi
Not sure but I think we control this
mini_httpd
Hardcoded 1024-bit RSA private key
May I show Doge… again?
To be continued…
The backdoor is only confirmed on the WAG200G; if you know of or find other affected hardware, let me know.