Hacking the Gateways

HACKING THE GATEWAYS

Onur ALANBELTaintAll

whoamiOnur ALANBEL

• Computer Engineer (IZTECH)

• MSc student (EU)

• Application Security Researcher @TaintAll

• onuralanbel.pro

• @onuralanbel

• https://packetstormsecurity.com/search/?q=onur+alanbel

https://packetstormsecurity.com/search/?q=onur+alanbel

Purpose

• Gathering a variety of valuable information in an effective way.

PurposeMotivation of an APT is obtaining highly valuable

information from one target. In contrast, motivation ofa mass attack is obtaining valuable information from

multiple targets.

Purpose

Purpose

The Plan

• Deciding targets

The Plan


• Finding a vulnerability

The Plan



• Writing (weaponising) the exploit

The Plan




• Writing mass exploitation scripts

The Plan





• Running the attack

The Plan• Deciding targets




• Running the attack

• Analysing results

Attractive Target: Routers

• Directly accessible from the internet.



• Once you own a SOHO router, you can control the whole traffic.




• No log, stealth. (it’s really hard for an investigator to find out what is going on.)




• No log, it’s really hard to find out what is going on (very hard)

• Have a long (long long) update interval.

Easy Target

• Does It have known vulnerabilities?

Easy Target


• Does the Vendor have published any security advisory?

Easy Target


• Does the Vendor have published any security advisory?

• Are there any third party product/device to mitigate exploitation.

AirTies

• Web interface?

AirTies

• Web interface?

• TR-069

AirTies

• Web interface?

• TR-069

• MiniUPNP (CVE-2013-0230

Targets From Turkey

Targets From Turkey

• http://ip:5555/rootDesc.xml

http://ip:5555/rootDesc.xml

PreScan

• masscan / zmap

• +

PreScan

• masscan

• +

• python multiprocessing

• =

The Vulnerability• Stack overflow, may cause to RCE.

• MiniUPNPd runs on WAN interface.

Writing the Exploit• MIPS assembly

• CPU has different data and code caches; so, can’t jump to stack directly.

• Can’t jump into middle of instructions, this reduces the number of alternative gadgets while creating a ROP chain.

• MiniUPNPd process restarts if it crashes or hangs.

Writing the Exploit

• MIPS is far easier than x86

Writing the Exploit


• sleep function may be called to flush caches.

Writing the Exploit



• No ASLR, ROP chains could be used.

Writing the Exploit



• No ASLR, ROP chains could be used.

• ?

Writing the Exploit

• miniupnpd … -P /var/run/miniupnpd.pid

Writing the Exploit

• rm /var/run/miniupnpd.pid

Writing the Exploit


• kill mngr

Writing t


• kill mngr

• fork and execve

Writing t


• kill mngr

• fork and execve

• Details: Developing MIPS Exploits to Hack Routers

• Exploit: AirTies RT Series (MIPS)

Bonus Trick

• Chain remote-mgmt-input (1 references)target prot opt source destinationDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 DROP

Bonus Trick

• iptables -A remote-mgmt-input -p tcp -m multiport —dports 23,

Bonus Trick• cat /etc/passwd

• crypt function

• john rootpass.txt

What Have We

• Free Wifi :)

What Have We

• Free Wifi :)

• Botnet army?

What Have We

• Free Wifi :)

• Botnet army?

• Internet traffic (DNS, GW)

What Have We

• Free Wifi :)

• Botnet army?

• Internet traffic (DNS, GW)

• A big chance to infect connected clients (MITMf)

Next Step

• 0day

Next Step

• 0day

• +

• Persistency

Questions

Technology

Hacking the Gateways