SOHOpelessly Broken: The Implications of Pervasive Vulnerabilities in SOHO Router Products - PowerPoint PPT Presentation


  1. SOHOpelessly Broken: The Implications of Pervasive Vulnerabilities in SOHO Router Products. Jacob Holcomb, Associate Security Analyst, Independent Security Evaluators

  2. Speaker Information • Who? Jacob Holcomb Twitter: @rootHak42 Blog: http://infosec42.blogspot.com • What? Security Analyst @ ISE • Why? I <3 exploiting computer code

  3. Why is this information relevant to you? • Everyone in the audience is a consumer of SOHO networking equipment. • 100% of routers we evaluated were vulnerable to exploitation.

  4. Acknowledgements • Independent Security Evaluators - Jacob Thompson, Alex Morrow, Stephen Bono, and Kedy Liu • Paul Asadoorian – PaulDotCom - SANS Webcast: Hacking Embedded Systems (No Axe Required) • Craig Heffner - http://www.devttys0.com/ – Great resource for embedded device hacking

  5. READ OUR PAPERS! • Independent Security Evaluators – Exploiting SOHO Routers - http://securityevaluators.com/content/case-studies/routers/soho_router_hacks.jsp – Exploiting SOHO Router Services - http://securityevaluators.com/content/case-studies/routers/soho_service_hacks.jsp

  6. Topics • What are SOHO devices • Players in the market • Router Technology • Testing Methodology • Exploit Research and Development • Mitigations

  7. Holy hole in the router, Batman!
  1. CVE-2013-0126: Cross-Site Request Forgery
  2. CVE-2013-2644: FTP Directory Traversal
  3. CVE-2013-2645: Cross-Site Request Forgery
  4. CVE-2013-2646: Denial of Service
  5. CVE-2013-3064: Unvalidated URL Redirect
  6. CVE-2013-3065: DOM Cross-Site Scripting
  7. CVE-2013-3066: Information Disclosure
  8. CVE-2013-3067: Cross-Site Scripting
  9. CVE-2013-3068: Cross-Site Request Forgery
  10. CVE-2013-3069: Cross-Site Scripting
  11. CVE-2013-3070: Information Disclosure
  12. CVE-2013-3071: Authentication Bypass
  13. CVE-2013-3072: Unauthenticated Hardware Linking
  14. CVE-2013-3073: SMB Symlink Traversal
  15. CVE-2013-3074: Media Server Denial of Service
  16. CVE-2013-3083: Cross-Site Request Forgery
  17. CVE-2013-3084: Cross-Site Scripting
  18. CVE-2013-3085: Authentication Bypass
  19. CVE-2013-3086: Cross-Site Request Forgery
  20. CVE-2013-3087: Cross-Site Scripting
  21. CVE-2013-3088: Authentication Bypass
  22. CVE-2013-3089: Cross-Site Request Forgery
  23. CVE-2013-3090: Cross-Site Scripting
  24. CVE-2013-3091: Authentication Bypass
  25. CVE-2013-3092: Failure to Validate HTTP Authorization Header
  26. CVE-2013-3095: Cross-Site Request Forgery
  27. CVE-2013-3096: Unauthenticated Hardware Linking
  28. CVE-2013-3097: Cross-Site Scripting
  29. CVE-2013-4654: SMB Symlink Traversal
  30. CVE-2013-4655: SMB Symlink Traversal
  31. CVE-2013-4656: SMB Symlink Traversal
  32. CVE-2013-4657: SMB Symlink Traversal
  33. CVE-2013-4658: SMB Symlink Traversal
  34. CVE-2013-4659: Multiple Buffer Overflows
  35. CVE-2013-3365: Multiple Command Injection
  36. CVE-2013-3366: Backdoor
  37. CVE-2013-3367: Backdoor
  38. CVE-2013-3516: Cross-Site Request Forgery/Token Bypass
  39. CVE-2013-3517: Cross-Site Scripting
  40. CVE-2013-3093: Cross-Site Request Forgery
  41. CVE-2013-3094: Persistent Code Execution
  42. CVE-2013-3098: Cross-Site Request Forgery
  43. CVE-2013-3099: Unvalidated URL Redirect
  44. CVE-2013-3100: Multiple Buffer Overflows
  45. CVE-2013-3101: Cross-Site Scripting
  46. CVE-2013-4855: Symlink Traversal
  47. CVE-2013-4856: Information Disclosure
  48. CVE-2013-4857: File Inclusion
  49. CVE-2013-4848: Cross-Site Request Forgery
  50. CVE-2013-4913: Improper File-system permissions
  51. CVE-2013-4914: Improper File-system permissions
  52. CVE-2013-4915: Improper File-system permissions
  53. CVE-2013-4916: Improper File-system permissions
  54. CVE-2013-4917: Improper File-system permissions
  55. CVE-2013-4918: Insecure Cryptographic Storage
  56. CVE-2013-4919: Insecure Cryptographic Storage

  8. Subject Background • What are SOHO network devices? – Networking equipment used in small networks – Supplemental equipment (e.g., enterprise networks) • Who uses SOHO networking devices? – Small Businesses – Home Users – Large Enterprises

  9. Players in the SOHO Market • Vendors – Linksys, Belkin, Netgear, ASUS, Actiontec, D-Link, TP-Link, TRENDnet • Consumers – Ma and Pa (Home Users) – KWIK-E Mart (Small Businesses) – Large Enterprises

  10. Evaluated SOHO Products • ASUS: RT-AC66U and RT-N56U • TRENDnet: TEW-812DRU • TP-LINK: TL-WDR4300 and TL-1043ND • Linksys: EA6500 and WRT310Nv2 • Netgear: WNR3500 and WNDR4700 • Belkin: N900, N300, and F5D8236-4v2 • D-Link: DIR-865L • Verizon Actiontec: MI424WR-GEN3I

  11. Why did we choose these routers? • Popular brands • Popular models • New router technology

  12. Is this a Router or a Millennium Falcon? • 21st Century SOHO Router Technology – Ability to stream digital content – Ability to backup networked computers – Network Attached Storage (NAS) – Network Printing – Cloud Ready file access

  13. Security Risks • Larger attack surface • Insecure by default • Assumption of security on the (wireless) LAN • Poor security design and implementation

  14. Testing Methodology • Information Gathering • Scanning and Enumeration • Gaining Access • Maintaining Access

  15. Information Gathering • Administration Settings – Default credentials – Management interface • WLAN Settings – SSID and wireless encryption • Network Service Settings – DHCP, DNS, SNMP, UPnP, SMB, FTP, etc.

  16. Scanning and Enumeration Cont. • Banner Grab – Netcat: nc -nv <X.X.X.X> <port> • Port Scan – TCP: nmap -sS -Pn -sV -p T:1-65535 X.X.X.X – UDP: nmap -sU -Pn -p U:1-65535 X.X.X.X

  17. Gaining Access • Service Investigation – Analyze web applications – Analyze servers (e.g., FTP, SMTP, SMB, HTTP) – Source Code Review (Static Code Analysis) – Fuzz Network Services (Dynamic Analysis)

  18. Analyzing Web Applications • Understand the application – Programming languages used • Server side (e.g., PHP, .NET, Python, ASP, Ruby on Rails) • Client side (e.g., JavaScript, HTML, JSON, Flash) – Protocols and APIs used (e.g., SOAP, REST) – Internet Media Type/MIME (e.g., JavaScript, HTML) • Toolz – Web proxy (e.g., Burpsuite) – Firebug (JavaScript debugger, HTML inspection) – Web Crawler

  19. Analyzing Web Applications Cont. [Screenshots: Burpsuite, Firebug]

  20. Analyzing Servers • Authentication – Type (e.g., Password, Certificate) – Anonymous access/Weak or no credentials – Misconfigurations (e.g., Directory listing, permissions) • Encryption – SSL/TLS? – SSH (AES, 3DES)?

  21. Static Code Analysis • If source code is available, GET IT! • Things to look for: – Logic flaws (e.g., authentication, authorization) – Functions not performing bounds-checking – Backdoors

  22. Static Code Cont. • Vulnerable code [Screenshot] *Code from the TRENDnet TEW-812DRU – network.c

  23. Fuzzing (Dynamic Analysis) • What happens if peculiar input is introduced? – A{-G42!BBB}}}}}}/\/\/}}}}}}+=-_-1234d`~~((.)_(.))$ – AAAAAAAAAAAAAAAAAAAAAAAAAA • Fuzzers – SPIKE: generic_send_tcp X.X.X.X 21 ftp.spk 0 0 – BED: ./bed.pl -s HTTP -t X.X.X.X -p 80 – Metasploit Framework – Python!

  24. SPIKE [Screenshot: Spike Template (*.spk)]

  25. SPIKE Cont. [Screenshot: Fuzzing]

  26. Analyze Fuzzing Results • Toolz – Debugger (e.g., GDB) – System Call Tracer (e.g., strace) [Screenshot] *Debugging ASUS RT-AC66U exploit
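The "Python!" entry in the fuzzer list above, written out as an added example; this is not code from the talk or from ISE. It sends a ramp of oversized and metacharacter-laden arguments to a TCP service and records every case that gets no reply (connection dropped or timed out), which is the reproducer you then replay under GDB or strace on the device. The target here is a constructed in-process stub that imitates an FTP greeting and silently drops the connection when its USER argument exceeds a fixed 256-byte buffer; that behaviour is assumed for the demonstration only and is not any vendor's daemon.

```python
"""Added example: a minimal TCP protocol fuzzer in Python (not from the talk).
The target is a constructed stub whose 'crash' on an over-long USER argument
is an assumption made so the example runs offline."""
import socket
import threading

# Constructed stand-in for a vulnerable service. Real targets are the router's
# own daemons; this stub only exists so the example runs without a device.
_STUB_BUFFER = 256


def _stub_handle(conn):
    conn.sendall(b"220 stub FTP ready\r\n")
    try:
        data = conn.recv(4096)
        verb, _, arg = data.rstrip(b"\r\n").partition(b" ")
        if verb == b"USER" and len(arg) > _STUB_BUFFER:
            return  # simulated crash: the connection is dropped with no reply
        conn.sendall(b"331 Password required\r\n" if verb == b"USER" else b"500 Unknown\r\n")
    finally:
        conn.close()


def start_stub_server():
    """Start the constructed stub on an ephemeral loopback port; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_stub_handle, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def fuzz_cases(verb=b"USER"):
    """Yield (label, payload) pairs: length ramps around common buffer sizes,
    then format strings, shell metacharacters and non-ASCII bytes."""
    for n in (8, 64, 128, 255, 256, 257, 512, 1024, 4096):
        yield ("len=%d" % n, verb + b" " + b"A" * n + b"\r\n")
    for s in (b"%s%s%s%n", b"%x" * 16, b"`id`", b"$(id)", b"; cat /etc/passwd", b"\x00\xff\xfe"):
        yield ("meta=" + repr(s), verb + b" " + s + b"\r\n")


def send_case(host, port, payload, timeout=2.0):
    """Send one case; return the reply, or None if the service hung up or timed out."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)  # banner
        s.sendall(payload)
        try:
            reply = s.recv(1024)
        except socket.timeout:
            return None
    return reply or None


def fuzz(host, port):
    """Run every case; return the (label, payload) pairs that got no reply.
    Each entry is a reproducer to replay under a debugger or strace."""
    crashes = []
    for label, payload in fuzz_cases():
        try:
            reply = send_case(host, port, payload)
        except ConnectionError:
            reply = None
        if reply is None:
            crashes.append((label, payload))
    return crashes


if __name__ == "__main__":
    port = start_stub_server()
    for label, payload in fuzz("127.0.0.1", port):
        print("no reply for", label, "payload length", len(payload))
```

Against the stub the first failing case is len=257, one byte past the buffer, which is exactly the boundary you want a length ramp to straddle; on a real service a silent drop can also mean a watchdog restart or a rate limit, so confirm each candidate with strace or a debugger attached to the daemon before calling it a crash.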

  27. Gaining Access Cont. • Reverse Engineering – Router Binaries • Simple RE Toolz and Techniques – Strings – Hexdump – Grep – Open source? Perform static analysis! • Exploit Development

  28. Reverse Engineering Toolz and Techniques • Strings: strings -n <INT> <FILE> [Screenshot] *TP-Link TL-1043ND Firmware

  29. Reverse Engineering Toolz and Techniques • Grep: grep -R <string> * [Screenshot] *Code from the TRENDnet TEW-812DRU
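The strings and grep triage from the two slides above, combined into one added Python script (not from the talk or from ISE): it extracts printable runs the way strings -n does, then buckets them by the patterns a reviewer greps for first in an unpacked image (shell invocations, debug services, credentials, web endpoints, format strings). The firmware blob, the credential and the paths in it are constructed for the demonstration and are not from any vendor's firmware.

```python
"""Added example (not from the talk): strings -n N | grep, as a Python triage
pass over a constructed firmware blob."""
import re

MIN_LEN = 6  # same idea as strings -n 6

# Patterns a reviewer greps for first in an unpacked firmware image.
PATTERNS = {
    "shell invocation": re.compile(rb"(system|popen|execl?p?|sh -c|/bin/sh)"),
    "debug service":    re.compile(rb"(telnetd|utelnetd|dropbear|/usr/sbin/ftpd)"),
    "credential":       re.compile(rb"(passw(or)?d|admin|root|secret)", re.I),
    "web endpoint":     re.compile(rb"\.(cgi|htm|html|php|asp)\b"),
    "format string":    re.compile(rb"%[0-9]*[sdx]"),
}


def extract_strings(blob, min_len=MIN_LEN):
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def triage(blob, min_len=MIN_LEN):
    """Map each category to the strings that matched it (a string can match several)."""
    hits = {name: [] for name in PATTERNS}
    for s in extract_strings(blob, min_len):
        for name, pat in PATTERNS.items():
            if pat.search(s):
                hits[name].append(s.decode("ascii"))
    return hits


# Constructed sample: binary padding around a few strings of the kind found in
# router images. Made up for the example, not copied from any device.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 12
    + b"/bin/sh\x00-c\x00ping -c 4 %s\x00" + b"\xde\xad\xbe\xef" * 4
    + b"telnetd -l /bin/sh -p 2323\x00" + b"\x00" * 5
    + b"admin:s3cretpassw0rd\x00/www/login.cgi\x00ok\x00" + b"\xff" * 7
)

if __name__ == "__main__":
    for name, strings in triage(SAMPLE_BLOB).items():
        for s in strings:
            print("%-16s %s" % (name, s))
```

A "ping -c 4 %s" next to "/bin/sh" and "-c" is the shape of a command-injection sink (a format string fed to a shell), and a "telnetd -l /bin/sh" string is the shape of a backdoor service; both are leads to confirm in a disassembler, not findings by themselves.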

  30. Exploit Development • Cross-Site Request Forgery • Command Injection • Directory Traversal • Buffer Overflow

  31. Cross-Site Request Forgery #define: CSRF is an attack that forces an unsuspecting victim's browser into sending requests that perform unwanted actions on a web application the victim is already authenticated to. [Diagram: Jad (Victim), Gimppy (Attacker)]

  32. Testing for Cross-Site Request Forgery • Anti-CSRF Tokens? • HTTP referrer checking?

  33. Cross-Site Request Forgery Countermeasures • Users – Log out of web applications when you are done – Do NOT save credentials in your browser • Developers – Implement Anti-CSRF tokens AND HTTP referrer checking
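The developer-side countermeasure from the slide above, an anti-CSRF token plus origin checking, as an added Python example; this is not code from the talk or from any router's firmware. Requests are modelled as plain dicts and the router's address 192.168.1.1 is an assumption for the demonstration. Both checks are applied together, as the slide says: the token defeats a forged form from another site, and the Origin/Referer check catches the token-bypass case where the token leaked or is predictable.

```python
"""Added example (not from the talk): anti-CSRF token plus Origin/Referer
checking over a dict-shaped request. Request shape and host are assumptions."""
import hmac
import secrets
from urllib.parse import urlsplit


def issue_token(session):
    """Create a per-session token and store it server-side; embed it in each form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_allowed(headers, expected_host):
    """Prefer Origin, fall back to Referer. No header at all is rejected: a
    forged cross-site POST is exactly the case where both are absent or
    point elsewhere."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    return urlsplit(src).netloc.lower() == expected_host.lower()


def is_csrf_safe(request, session, expected_host):
    """True only if the submitted token equals the session token (constant-time
    compare) AND the request came from our own origin."""
    expected = session.get("csrf_token")
    submitted = request.get("form", {}).get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    return _origin_allowed(request.get("headers", {}), expected_host)


def demo():
    """Constructed requests a router admin page might receive (made up here)."""
    session = {}
    token = issue_token(session)
    host = "192.168.1.1"
    legit = {"headers": {"Origin": "http://192.168.1.1"},
             "form": {"csrf_token": token, "dns1": "8.8.8.8"}}
    forged = {"headers": {"Referer": "http://attacker.example/evil.html"},
              "form": {"dns1": "6.6.6.6"}}                           # no token at all
    guessed = {"headers": {"Origin": "http://192.168.1.1"},
               "form": {"csrf_token": "A" * 43, "dns1": "6.6.6.6"}}  # wrong token
    stolen = {"headers": {"Referer": "http://attacker.example/"},
              "form": {"csrf_token": token, "dns1": "6.6.6.6"}}      # right token, wrong origin
    return [is_csrf_safe(r, session, host) for r in (legit, forged, guessed, stolen)]


if __name__ == "__main__":
    print(demo())  # [True, False, False, False]
```

Origin is checked before Referer because browsers and privacy extensions strip Referer more often than Origin; rejecting a request with neither header is the safe default for a state-changing admin action, and the token is compared with hmac.compare_digest so a byte-by-byte mismatch does not leak timing.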

  34. Command Injection #define: Command Injection is a form of attack where operating system specific commands are injected into a vulnerable application for execution.

  35. Testing for Command Injection • Survey the application – Look for application features that could call underlying system functionality (e.g., ping, traceroute) – Source code? Static analysis! • Test Examples – ifconfig ; cat /etc/passwd <- Linux – dir | ipconfig <- Windows (the | separator also works on Linux) – ls /var/www/`<cmd>` or $(<cmd>) <- Linux* *Command substitution

  36. Command Injection – Vulnerable Code
  <?php
  // The untrusted GET parameter is spliced straight into a shell command line,
  // so Domain=example.com;cat%20/etc/passwd runs the second command as well.
  $dig = shell_exec("dig {$_GET['Domain']}");
  echo($dig);
  ?>
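The vulnerable dig wrapper above, re-expressed in Python next to two fixes, as an added example that is not from the talk or from any router's code. The preferred fix is a strict allowlist on the value (hostname syntax only) and an argv call with no shell; the fallback, when a shell string is unavoidable, is quoting, the job PHP's escapeshellarg does. dig, the domain names and the payloads are placeholders; the test path only builds and validates, it never executes dig.

```python
"""Added example (not from the talk): the PHP shell_exec("dig ...") pattern in
Python, beside an allowlist-plus-argv fix and a quoting fallback."""
import re
import shlex
import subprocess


def build_vulnerable_command(domain):
    """Mirror of shell_exec("dig {$_GET['Domain']}"): the untrusted value lands in
    a shell command line, so ';', '|', '`' and '$()' are interpreted."""
    return "dig " + domain


def run_vulnerable(domain):
    # shell=True is the Python equivalent of shell_exec(): do not ship this.
    return subprocess.run(build_vulnerable_command(domain), shell=True,
                          capture_output=True, text=True).stdout


# Fix 1 (preferred): allowlist the input. A hostname is dot-separated labels of
# letters, digits and '-', 1-63 chars each, no leading/trailing '-', 253 total
# (RFC 1123 syntax). Every shell metacharacter, and a leading '-' that dig
# would read as an option, fails this check.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(r"^(?:%s\.)*%s\.?$" % (_LABEL, _LABEL))


def is_valid_hostname(domain):
    return len(domain) <= 253 and bool(_HOSTNAME.match(domain))


def run_hardened(domain):
    """Validate, then pass argv directly (no shell): the value is one argument."""
    if not is_valid_hostname(domain):
        raise ValueError("rejected domain: %r" % domain)
    return subprocess.run(["dig", domain], shell=False,
                          capture_output=True, text=True).stdout


# Fix 2 (only if a shell string is unavoidable): quote, as escapeshellarg does.
def build_quoted_command(domain):
    return "dig " + shlex.quote(domain)


if __name__ == "__main__":
    for d in ("example.com", "example.com; cat /etc/passwd", "$(id)", "a`id`b", "-f/etc/passwd"):
        print("%-32r valid=%-5s vuln=%r quoted=%r" % (
            d, is_valid_hostname(d), build_vulnerable_command(d), build_quoted_command(d)))
```

Quoting alone is not enough for this sink: "-f/etc/passwd" survives shlex.quote unchanged and reaches dig as an option rather than a name, which is why the allowlist (no leading '-', no '+') is the primary control and the argv call without a shell is the second.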
