
daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:2

New SOHO router vulnerabilities discovered

"Rogue small office, home office (SOHO) wireless routers could offer a side channel for attackers targeting enterprise networks through a new vulnerability to be presented by a researcher at Black Hat later this month. The talk will highlight a newly discovered attack technique using SQL injection against a database containing router files that can be tied together with more critical vulnerabilities to eventually escalate into an attacker gaining full root access to the router.":

»www.networkcomputing.com/data-ne···75c00672


sbconslt

join:2009-07-28
Los Angeles, CA

Sounds like the attack is against a bundled, accessory application in the firmware, possibly a USB file or printer sharing application. Netgear routers were called out.
--
Scott Brown Consulting


daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:2

Once the details are released, it may turn out that other manufacturers' products are vulnerable, also. Hard to say at this point.


HELLFIRE

join:2009-11-25
kudos:7

reply to daveinpoway

While Cutlip is keeping some of the technical details of his talk close to the vest until Black Hat,

Agreed. Rereading the article, I'm hard pressed to figure this one out :

what he is divulging is that much of his work centered on databases containing temporary files from Netgear routers.

Pretty much all SOHO gear exposes only a webgui (if that), so not sure how 'databases containt temporary files' figures into things.

Regards


sbconslt

join:2009-07-28
Los Angeles, CA


reply to daveinpoway
HELLFIRE, that is the premise of SQL injection exactly. The compromise happens through a web interface, where a handler fails to securely sanitize untrusted user input, allowing targeted attack code to penetrate to the underlying database. In this case the web administration interface faced out by the router firmware.

Details here »www.darkreading.com/database-sec···ers.html suggest the attack may involve buffer overflowing an embedded SQLite dbms, which seems reasonable.


HELLFIRE

join:2009-11-25
kudos:7

reply to daveinpoway
If that is what the discussion is about... and if it is the vulnerability...

in some cases he has seen routers where the login credentials are stored in a SQL Lite database in such a way

I haven't done any web work for awhile now, but insert comment of "cheap, fast, perfect, pick two."

:facepalm:

Regards

OmagicQ
Posting in a thread near you

join:2003-10-23
Bakersfield, CA
kudos:1

said by HELLFIRE:

If that is what the discussion is about... and if it is the vulnerability...

in some cases he has seen routers where the login credentials are stored in a SQL Lite database in such a way

I haven't done any web work for awhile now, but insert comment of "cheap, fast, perfect, pick two."

:facepalm:

Regards

Theres a spanish language saying.. "Bueno, Bonito y Barato". Basically Good, Pretty and Cheap.
--
...Who, What, When, Where, How... Why? Why Not?


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

Actually, that would translate as "good, handsome, and cheap", in the masculine form.
--
Better to have it and not need it, than need it and not have it.



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

reply to daveinpoway
So, I wonder... if you did a reboot of the router (not a reset), after making changes, if this would clear the temp memory?

I'm not sure, but I think it would.
--
Better to have it and not need it, than need it and not have it.



sbconslt

join:2009-07-28
Los Angeles, CA

Not if changes were committed to NVRAM.



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

Well, if the vulnerability isn't linked between the temp mem, and the NVRAM as an access point, then how is it done?

I'm trying to imagine a scenario for this.
--
Better to have it and not need it, than need it and not have it.



sbconslt

join:2009-07-28
Los Angeles, CA

This is what I guess but we'll have to wait until the presentation comes out later this month. The attack payload is a crafted SQL injection passed as a query or post parameter to a vulnerable handler in the web interface exposed by the firmware, possibly in an accessory application module as opposed to in the primary administration screens. The injection can traverse the web handler because it does not properly sanitize the user input. The database query the injection will ride on is seemingly innocuous but due to a known buffer overflow exploit in SQL Lite, the attacker is able to execute arbitrary code as a privileged user. The code that is executed modifies ACLs allowing access to the system to be opened to the attacker.
--
Scott Brown Consulting



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

OK, I get it.

Now, in your opinion, if the scenario you stated was indeed the case, would simply unplugging the router from the modem while making changes negate this attack, until a fix was put in place? Or, is there another vector to run from?
--
Better to have it and not need it, than need it and not have it.



sbconslt

join:2009-07-28
Los Angeles, CA

In this scenario the attacker would need LAN access to the router, since that's where the web interface is exposed, unless it was configured to the WAN too, which is an irregular and generally insecure configuration. But this and the above are all guesswork.
--
Scott Brown Consulting



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

That's what I figured. Thanks for all your input!


dminer

join:1999-12-11
San Francisco, CA

reply to daveinpoway
Mr. Cutlip's presentation has been published online. The vulnerability is in the DLNA Media Server in Netgear SOHO routers. Presumably disabling that feature solves the problem until updated firmware is released. Even with the feature enabled, I think the router is only vulnerable if the hacker either has access to the LAN or physical access to the router's USB port.

Here is a link to the full presentation:
»media.blackhat.com/bh-us-12/Brie···n_WP.pdf



sbconslt

join:2009-07-28
Los Angeles, CA

The exploits are against MiniDLNA, an accessory application packaged with the firmware. LAN access to the router's web administration interface is a prerequisite.

The author discovers what would by itself represent a medium severity SQL injection vulnerability coming from upnphttp.c. Untrusted user input is not sanitized, allowing a classic SQL INSERT injection. The vulnerability can be used to insert arbitrary values in certain database tables.

The affected table values are referenced by a module that serves the contents of a filesystem file on the fly. And, all modules of the MiniDLNA application run as root. As such he shows that a properly formed injection and subsequent request can be used to extract any file, including /etc/passwd with the cleartext root password, from the router.

He then goes on to the coup de grace, using the injection exploit to create the conditions in the database to buffer overflow object code coming from upnpsoap.c. The development of the buffer overflow seemed extremely intensive, quite impressive. With the successful buffer overflow attack, remote code execution is possible. The author demonstrates a reverse TCP connect-back payload.

Vulnerable routers in the author's testing included the Netgear WNDR3700v3, WNDR3800, WNDR4000, and WNDR4500, on current and recent firmware revisions, packaging MiniDLNA 1.0.18 and 1.0.19.

The presentation includes example python code demonstrating the file extraction exploit, and example modules used in the buffer overflow exploit.
--
Scott Brown Consulting
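The following is an added example, not Cutlip's code and not MiniDLNA's. It models the defect class that sbconslt's write-up above and the earlier "unsanitized web handler" explanation both describe: a request-supplied object ID pasted into a SQLite query, and a row that, once planted, makes the root-privileged album-art handler serve an arbitrary file. The table and column names, the query text, the two-request flow and all function names are assumptions for illustration; the "filesystem" and the fake passwd file are constructed under a temp directory so the script runs offline. The hardened handler beside it shows the three checks a practitioner would want: reject anything that is not a numeric ID, bind the value rather than interpolate it, and confine the served path to the media tree.

```python
# Added example (not Cutlip's code and not MiniDLNA's). It models the defect
# class described in the thread: an album-art handler that pastes a
# request-supplied object ID into a SQLite query and then serves whatever
# file path the matching ALBUM_ART row names, as root. Table/column names,
# the query text and the function names are assumptions for illustration.
import re
import sqlite3
import tempfile
from pathlib import Path

# Constructed stand-in filesystem: a media directory with one cover image and
# a fake /etc/passwd, both under a temp dir so the example runs anywhere.
ROOT = Path(tempfile.mkdtemp(prefix="albumart_demo_"))
MEDIA_ROOT = ROOT / "media"
COVER = MEDIA_ROOT / "cover.jpg"
PASSWD = ROOT / "etc" / "passwd"
COVER.parent.mkdir(parents=True)
PASSWD.parent.mkdir(parents=True)
COVER.write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
PASSWD.write_text("root:$1$constructed$notarealhash:0:0:root:/root:/bin/sh\n")


def new_db():
    """Fresh in-memory ALBUM_ART table holding one legitimate cover."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ALBUM_ART (ID INTEGER PRIMARY KEY, PATH TEXT NOT NULL)")
    db.execute("INSERT INTO ALBUM_ART (ID, PATH) VALUES (1, ?)", (str(COVER),))
    db.commit()
    return db


def run_like_sqlite3_exec(db, sql):
    """Stand-in for the C sqlite3_exec()/sqlite3_get_table() behaviour of
    running every ';'-separated statement in the string, not just the first.
    (Naive split on ';'; sufficient for this demonstration.)"""
    rows = []
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if not stmt or stmt.startswith("--"):
            continue
        rows.extend(db.execute(stmt).fetchall())
    return rows


def vulnerable_album_art(db, object_id):
    """Vulnerable handler: the ID is interpolated into the SQL text (the C
    equivalent of sqlite3_mprintf's %s instead of %q) and the file named by
    the resulting row is read with the daemon's (root) privileges."""
    sql = "SELECT PATH from ALBUM_ART where ID = '%s'" % object_id
    rows = run_like_sqlite3_exec(db, sql)
    if not rows:
        return None
    return Path(rows[0][0]).read_bytes()


def hardened_album_art(db, object_id, media_root=MEDIA_ROOT):
    """Hardened handler: validate the ID, bind it, and confine the served path."""
    if not re.fullmatch(r"[0-9]+", object_id):          # only a decimal ID is acceptable
        return None
    row = db.execute("SELECT PATH FROM ALBUM_ART WHERE ID = ?",   # bound parameter, single statement
                     (int(object_id),)).fetchone()
    if row is None:
        return None
    path = Path(row[0]).resolve()
    if media_root.resolve() not in path.parents:        # a planted row cannot leave the media tree
        return None
    return path.read_bytes()


# Two-request attack as the thread describes it: the first request plants a
# row pointing at an arbitrary file, the second "fetches album art" for the
# planted ID and receives that file's contents.
PLANTED_ID = "31337"
INJECTION = "x'; INSERT INTO ALBUM_ART (ID, PATH) VALUES (%s, '%s'); --" % (PLANTED_ID, PASSWD)


def demo():
    """Runs the attack against both handlers and reports what each served."""
    vuln_db, hard_db = new_db(), new_db()
    vulnerable_album_art(vuln_db, INJECTION)              # request 1: plant the row
    leaked = vulnerable_album_art(vuln_db, PLANTED_ID)    # request 2: read the file back
    hardened_album_art(hard_db, INJECTION)                # rejected before it reaches SQL
    blocked = hardened_album_art(hard_db, PLANTED_ID)
    return {"vulnerable_leaks_passwd": leaked is not None and b"root:" in leaked,
            "hardened_serves_file": blocked is not None}


if __name__ == "__main__":
    print(demo())
```

Running the script prints `{'vulnerable_leaks_passwd': True, 'hardened_serves_file': False}`. In the C original the equivalent of the second check is using `%q` (or a prepared statement with `sqlite3_bind_*`) instead of `%s`; the first check stops the injection at the trust boundary, and the path confinement is defence in depth for the case where a row has already been planted by some other route.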



sbconslt

join:2009-07-28
Los Angeles, CA

The current version of MiniDLNA is 1.0.25, released 7/13/2012. Nothing in the changelog since 1.0.18 / 1.0.19 says anything about fixing the injection vulnerabilities.

»sourceforge.net/projects/minidln···/1.0.25/

Inspecting upnphttp.c of the current version, I see the injection vulnerability remains present in function SendResp_albumArt() at line 1445, called from line 1029 the same way as described in the presentation.
--
Scott Brown Consulting


Wednesday, 22-May 07:40:35
© 1999-2013 dslreports.com.