Linksys WRT54G router overflow vulnerability analysis: repairing the operating environment (Vulnerability Warning, 黑吧安全网 / myhack58)

2015-08-06 00:00:00
Anonymous (佚名)
www.myhack58.com

This chapter is excerpted from Revealing Home Router 0day Vulnerability Mining Technology, edited by Wu Shaohua, Wang Wei and Zhao Xu, Publishing House of Electronics Industry, August 2015.
The experimental test environment used in this chapter is described in Table 13-1.

Table 13-1 Test environment

Test environment    Note
Ubuntu 12.04        Operating system
Binwalk 2.0         File system extraction tool
IDA 6.1             Debugger
Python 2.7          Exploit code interpreter
13.1 Vulnerability description
The Linksys WRT54G is a SOHO wireless router that has won user acceptance for its features, stability and dual-antenna signal coverage. It also supports third-party firmware, which makes it even more capable; many users buy the WRT54G precisely so they can flash third-party firmware and customise the router's functions. The v2 version of the router was found to have a vulnerability, CVE-2005-2799. The Cisco advisory at http://tools.cisco.com/security/center/viewAlert.x?alertId=9722 gives the information shown in the figure below. From the announcement we can see that the vulnerability lies in the apply.cgi handler of HTTPD, the router's web server program: POST requests are not subjected to an adequate boundary check against Content-Length, so when an unauthenticated remote attacker sends the apply.cgi page a POST request whose Content-Length is greater than 10000 bytes, a buffer overflow is triggered. This allows an unauthenticated user to execute arbitrary commands with root privileges on the affected router. The buffer that overflows is not on the stack, so the overflow does not overwrite stack data; instead it directly overwrites the vulnerable program's .data segment, which makes the exploitation method different from the ones seen earlier. In this case the overflow data is made to overwrite a function call address in the .extern section, hijacking the system function call; this is how the vulnerability is exploited, and once the system function call has been hijacked, the vulnerable program executes the Reverse_tcp shellcode written in the previous section.
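As an added illustration of the defect class described above (this is a model written for this page, not the router's actual HTTPD source, which is not shown here): a fixed-size global buffer is filled by a copy whose length is taken straight from the request's Content-Length, shown next to the check that prevents the overflow. The 10000-byte size comes from the advisory's threshold; the function names and the helper are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POST_BUF_SIZE 10000   /* threshold named in the advisory */

/* Global buffer: it lives in the data segment, so an overrun clobbers
 * whatever the linker placed after it, not a stack return address. */
static char post_buf[POST_BUF_SIZE + 1];

/* Flawed handler (model of the bug): Content-Length comes straight from the
 * request and is used as the copy size without comparing it to the buffer.
 * Shown for contrast only; it is never called with oversized input here. */
size_t handle_post_unchecked(const char *body, size_t content_length)
{
    memcpy(post_buf, body, content_length);   /* overflow when content_length > POST_BUF_SIZE */
    post_buf[content_length] = '\0';
    return content_length;
}

/* Hardened handler: validate the attacker-controlled length before copying. */
int handle_post_checked(const char *body, size_t content_length)
{
    if (content_length > POST_BUF_SIZE)
        return -1;                            /* reject: answer 413 and close the connection */
    memcpy(post_buf, body, content_length);
    post_buf[content_length] = '\0';
    return (int)content_length;
}

/* Helper: build a constructed body of n 'B' bytes (like the PoC's "\x42"*n)
 * and run it through the hardened handler. */
int simulate_checked_post(size_t n)
{
    char *body = malloc(n ? n : 1);
    if (!body) return -2;
    memset(body, 'B', n);
    int rc = handle_post_checked(body, n);
    free(body);
    return rc;
}

int main(void)
{
    printf("3 bytes      -> %d\n", simulate_checked_post(3));
    printf("10000 bytes  -> %d\n", simulate_checked_post(10000));
    printf("10001 bytes  -> %d\n", simulate_checked_post(10001));
    printf("26384 bytes  -> %d\n", simulate_checked_post(10000 + 0x4000));
    return 0;
}
```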
![](/Article/UploadPic/2015-8/20158621058592.png)
The hardware and software analysis environment is described in Table 13-2.

Table 13-2 Analysis environment

Item                Description    Note
Model               WRT54G         Linksys
Hardware version    V2.2
Firmware version    V4.00.7
Instruction set     MIPSEL         Little-endian
QEMU                1.7.90         Processor emulation software
13.2 Vulnerability analysis
The following is a detailed analysis of the cause of this vulnerability and of the method used to exploit it.
13.2.1 Firmware analysis
Download version 4.00.7 of the Linksys WRT54G firmware from http://download.pchome.net/driver/network/route/wireless/down-129948-2.html; after unzipping, you get the firmware file WRT54GV3.1_4.00.7_US_code.bin. Use Binwalk to extract the file system from the firmware, as shown below.
![](/Article/UploadPic/2015-8/20158621058581.png)
The core component affected by the vulnerability is /usr/sbin/httpd, as shown in the figure.
![](/Article/UploadPic/2015-8/20158621058837.png)
13.2.2 Repairing the operating environment
From the vulnerability announcement we already know that when the router's HTTPD apply.cgi handler receives a POST request longer than 10000 bytes, the buffer overflow is triggered. The PoC used to test the vulnerability is as follows. Source: wrt54g_test.py
1  import sys
2  import urllib2
3  try:
4      target = sys.argv[1]          # router IP address, given on the command line
5  except:
6      print "Usage: %s" % sys.argv[0]
7      sys.exit(1)
8  url = "http://%s/apply.cgi" % target
9  buf = "\x42"*10000 + "\x41"*0x4000  # POST parameter name
10 req = urllib2.Request(url, buf)    # a body makes urllib2 send a POST
11 print urllib2.urlopen(req).read()
Line 8: access the vulnerable apply.cgi handler script.
Line 9: construct more than 10000 bytes of data; here we build a buffer that is long enough.
When we use the QEMU emulator to run an application taken from the router, such as the web server here, we often run into a problem: the emulator lacks the hardware the program expects, so the program cannot run. The web server application we need to run tries to read its configuration parameters from NVRAM, and an error occurs because it cannot find the device. On the router, the shared NVRAM library libnvram.so provides the nvram_get() and nvram_set() functions for reading and setting configuration parameters. When the application is run under the emulator, the call to nvram_get() fails because the emulator has no NVRAM, and so the application cannot run. Run HTTPD with the following commands, as shown in the figure.
$ cp $(which qemu-mipsel) ./
$ chroot ./ ./qemu-mipsel ./usr/sbin/httpd
$ netstat -an | grep 80
![](/Article/UploadPic/2015-8/20158621058115.png)
During the run we can see the program report that it cannot find the file or directory /dev/nvram, and when we use the netstat command to list the system's open ports, port 80 is not among them: the web server failed to start.
1. Fixing NVRAM
Use zcutlip's nvram-faker to repair the NVRAM. Although nvram-faker is only a simple shared library, it can be loaded with LD_PRELOAD to hijack the function calls into the libnvram library. We only need to write a reasonable NVRAM configuration into an ini file to make the web server
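As an added illustration of the LD_PRELOAD approach just described (example code written for this page, not nvram-faker's own source): a minimal stand-in for libnvram.so that exports nvram_get() and nvram_set() backed by key=value lines of the kind an nvram.ini would hold. Reading the file from disk is left out; the loader takes the ini text as a string. The file names, table sizes and sample entries are assumptions.

```c
/* nvram_shim.c (assumed name): LD_PRELOAD stand-in for the router's libnvram.so.
 * gcc -shared -fPIC -o nvram_shim.so nvram_shim.c; LD_PRELOAD=./nvram_shim.so ./usr/sbin/httpd */
#include <stdio.h>
#include <string.h>

#define MAX_VARS 64
#define MAX_LEN  128
static char keys[MAX_VARS][MAX_LEN], vals[MAX_VARS][MAX_LEN];
static int  nvars;

/* Parse ini-style "key=value" lines (nvram.ini contents); '#' and malformed lines are skipped. */
int nvram_load_from_string(const char *ini)
{
    const char *p = ini, *eol, *eq;
    size_t len, klen, vlen;
    for (nvars = 0; *p && nvars < MAX_VARS; p = eol + 1) {
        eol = strchr(p, '\n');
        len = eol ? (size_t)(eol - p) : strlen(p);
        eq  = memchr(p, '=', len);
        if (*p != '#' && eq && (klen = eq - p) < MAX_LEN && (vlen = len - klen - 1) < MAX_LEN) {
            memcpy(keys[nvars], p, klen);      keys[nvars][klen] = '\0';
            memcpy(vals[nvars], eq + 1, vlen); vals[nvars][vlen] = '\0';
            nvars++;
        }
        if (!eol) break;
    }
    return nvars;
}

/* Same names/signatures as libnvram's exports, so httpd's calls resolve here and
 * /dev/nvram is never opened. Unset keys are logged so you learn what nvram.ini needs. */
char *nvram_get(const char *name)
{
    for (int i = 0; i < nvars; i++)
        if (strcmp(keys[i], name) == 0) return vals[i];
    fprintf(stderr, "nvram_shim: '%s' not set\n", name);
    return NULL;
}

int nvram_set(const char *name, const char *value)
{
    int i = 0;
    while (i < nvars && strcmp(keys[i], name) != 0) i++;
    if (i == nvars) {                        /* new key: append if there is room */
        if (nvars >= MAX_VARS || strlen(name) >= MAX_LEN) return -1;
        strcpy(keys[nvars++], name);
    }
    strncpy(vals[i], value, MAX_LEN - 1); vals[i][MAX_LEN - 1] = '\0';
    return 0;
}
```

Run the emulated httpd with the shim preloaded, add every key it reports as unset to the ini contents, and repeat until the server binds port 80.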