


ASMAX AR 804 gu compromise

Introduction

The following article / disclosure describes an interesting issue concerning network appliances that use web management interfaces. Such devices can be attacked using XSRF (cross-site request forgery) class attacks, in this case resulting in unauthorized full remote access.

About ASMAX router

The ASMAX 804 gu router is a popular SOHO-class device in Poland. It provides ADSL / WiFi / Ethernet interfaces.

The router is based on a Linux distribution running on the MIPS architecture (4KEc processor).

It can be managed via a web management console, which is enabled by default. It also allows local telnet access (including root shell access).

Both of the above management methods are available only from the internal network (LAN).

Tested on firmware: 66.34.1 (the newest available at the time)

(Image: asmax 804gu)

Compromise

script script

In the web management interface we located a script called 'script', which seems to be a sort of maintenance file for the router. Access to the file is not protected: it can be retrieved from the LAN without providing any credentials.

(Image: directory listing, asmax)

One method for obtaining the source of the 'script' script is through a buggy CGI binary, webcm.

(Image: no validation, asmax)

Closer inspection shows that it is a shell script with one interesting parameter, called system. This parameter allows execution of OS commands with root privileges (the HTTP server runs as root).

(Image: command execution, asmax)

Further inspection shows that useful binaries can be found on the machine, such as a tftp client or wget, which could potentially be used to download malicious files from the Internet.

Sample attack scenario

  1. XSRF targeted at the internal network and the 'script' script.
  2. The script is then forced to download a remote reverse shell binary.
  3. A reverse root shell is obtained.

(Image: asmax 804gu sample attack)

Sample attack scenario properties

  1. The attack is quite stealthy (it is hard for a victim to notice it; she only needs to visit a malicious web page).
  2. The attack can be made from the Internet.
  3. It uses pure HTML (like <img> tags), no JavaScript.
  4. The default NoScript configuration can't prevent the attack.
  5. It needs only one-way communication at the HTTP level.
  6. It does not need to brute force the router's admin credentials (the attack uses an authentication bypass, or rather the lack of authentication for a certain resource).
  7. The attack is persistent: the victim can close the browser and the reverse root shell is still active.
  8. The attack does not need the web management interface to be available from the Internet (it uses XSRF to connect from the LAN).
  9. The attack relies on the router's default IP address.
  10. Note that this generic attack type can be quite devastating when applied to enterprise network appliances.

A fully working proof-of-concept attack was presented at Confidence 2009, on 15.05.2009.

Quick fixes

  1. Change the IP of the router (the attack is still possible, but some guessing is then needed).
  2. Adjust the proxy settings in the browser (e.g. special handling of private addresses); see FoxyProxy or the Proxy Auto Configuration feature.
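As an added illustration of the second quick fix (not part of the original advisory), the following Proxy Auto Configuration (PAC) file sends every browser request for a private (RFC 1918) or link-local address to a non-listening local port, so a hidden <img> tag on an external page cannot reach a router on its default LAN address. Browsers normally supply isInNet(); it is re-implemented here for IPv4 literals so the logic can also be run outside a browser, and the MANAGEMENT_ALLOWED toggle is an assumed convention for the moments when you administer the router yourself.

```javascript
// Added example PAC file (not the advisory's own code). Only IPv4 literals are
// handled: a real deployment would also run dnsResolve(host) on hostnames, but
// the attack described above targets the router's default IP address directly.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer, or null.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n >>> 0;
}

// Same semantics as the PAC built-in isInNet(host, pattern, mask) for IPv4 literals.
function isInNet(host, pattern, mask) {
  var h = ipv4ToInt(host), p = ipv4ToInt(pattern), k = ipv4ToInt(mask);
  if (h === null || p === null || k === null) return false;
  return ((h & k) >>> 0) === ((p & k) >>> 0);
}

// Assumed toggle: set to true only while deliberately administering the router.
var MANAGEMENT_ALLOWED = false;

// Entry point the browser calls for every URL it is about to fetch.
function FindProxyForURL(url, host) {
  var privateRange =
    isInNet(host, "10.0.0.0", "255.0.0.0") ||
    isInNet(host, "172.16.0.0", "255.240.0.0") ||
    isInNet(host, "192.168.0.0", "255.255.0.0") ||
    isInNet(host, "169.254.0.0", "255.255.0.0"); // link-local
  if (privateRange && !MANAGEMENT_ALLOWED) {
    // Port 9 (discard) on localhost: nothing listens there, so the
    // forged request fails immediately instead of reaching the router.
    return "PROXY 127.0.0.1:9";
  }
  return "DIRECT";
}
```

Note that this blocks legitimate browser access to the LAN as well until the toggle is flipped, which is the trade-off the quick fix accepts; an attacker-controlled page is still free to reference a public address, so this only closes the LAN-reachability part of the attack.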

Vendor's reaction / issue history

  • The research was performed in late 2008.
  • The vendor was notified on 30.12.08, but there was no response.
  • The Polish distributor of the hardware was then contacted, but again there was no reasonable response.
  • No other information until now (although we sent reminders…)
  • 15.05.2009 - public disclosure

Research / contact

  • We are performing research on web management interfaces of network appliances. If you want to help, feel free to contact us at devices_hacking@securitum.pl

Disclaimer

  • All the information is provided for educational use only.
  • We strongly discourage using the information for cracking purposes.
  • We are not responsible for damage done to your router; play with your router carefully.
  • The router can be attacked using other methods (like firmware patching, or reopening telnet access from the WAN). The method we describe is provided for educational purposes, to show a more generic issue with network appliances that use web management consoles.


Michal Sajdak
michal.sajdak@securitum.pl
