Stack overflow in practice: three vulnerabilities to take over a router - vulnerability warning - Black Bar Security Net

ID MYHACK58:62201785167
Type myhack58
Reporter Anonymous
Modified 2017-04-12T00:00:00


Preface

Many geeks like to tinker with their own router: building a NAS on it, configuring remote downloads, or using it as a proxy to the Internet. These tricks and the related software help everyone collect large amounts of entertainment and learning material on a hard disk. But when you download and use third-party software from the Internet you should be careful, and pay closer attention to that software's security updates. In May 2016, colleagues at the Long Pavilion Security Research Lab reported multiple vulnerabilities in Thunder's Xware firmware to Huawei PSIRT. These vulnerabilities exist not only in the remote-download function that Huawei Honor routers support by default, but also affect other routers or Linux servers that use Xware. On receiving the report, Huawei quickly released a fix, and Huawei Honor routers have long since been unaffected. However, Thunder officially announced in February 2016 that it was ending maintenance of this firmware, and the open-source projects on GitHub built on Xware, such as Xinkai/XwareDesktop and PointTeam/PointDownload, have also been abandoned. The copies of the software still scattered around the Internet are very unlikely to receive a fix, so we recommend avoiding expired Xware software that has no official support. In this article the author shares the vulnerability details and the exploitation ideas. Reading it requires no security research experience, only a little basic knowledge of stack overflows. Readers who do not yet know what a stack overflow is can first read the column's two-part series "Hands-on stack overflow: from getting started to giving up"; if after reading it you really are ready to give up, try this article, which may give you a second chance.
A bit of history

The concept of a stack overflow attack dates back to 1972, when the US Air Force published the Computer Security Technology Planning Study. That report was the first to put forward the idea of injecting code by overflowing a buffer. Here is the earliest description in its original wording: [figure: excerpt from the 1972 report] Although the concept was proposed early, the first real attack did not appear until 1988, when the Morris worm exploited a stack overflow caused by the gets() function in the Unix fingerd program to achieve remote code execution. In 1996, Elias Levy (a.k.a. Aleph One) published "Smashing the Stack for Fun and Profit" in the famous Phrack magazine, after which stack overflow exploitation techniques became widely known. Some readers may wonder whether such a low-level mistake still exists today. This article introduces several vulnerabilities discovered in 2016, the most critical of which is a stack overflow. More than forty years have passed since the concept was first proposed in 1972, almost half a century, and programmers still fall into this seemingly simple trap. It remains widespread in embedded devices such as routers: of the ten routers that colleagues at the Long Pavilion Security Research Lab broke into in 2016, most were exploited through a stack overflow. Even after years of development, PC operating systems still have stack overflows: at Pwn2Own 2017, Richard Zhu from the United States found a stack overflow vulnerability in the Mac operating system. In 2017, facing the stack overflow, we still cannot say "give up".

What can a router do, and what is the harm?

As the entry point of the home network, the router's importance to security is self-evident.
All smart devices and PCs in the home connect to the Internet through the router. Once the router is compromised, an attacker can see all plaintext upload and download traffic. Remember the 2016 CCTV 315 gala? The program demonstrated on stage, at the WiFi end, the interception of a phone app's Internet traffic, which contained names, phone numbers, birthdays, home addresses, orders and other private information. More seriously, an attacker can also tamper with the traffic to further compromise devices connected to the router, for example by secretly replacing a Windows installer or an Android APK file you download with a backdoored version.

Without a firewall the consequences are serious

What intrusion routes does a router have? In general, a home router is used to set up a home Local Area Network (LAN). On the WAN port facing the public network, the router is usually configured with a firewall that forbids public-network access to the router's own services, so even if the router has vulnerabilities, they are not exposed "in public". Colleagues at the Long Pavilion Security Research Lab once disclosed a router that was careless on exactly this point, which let an attacker exploit the router's vulnerabilities directly from the public Internet against tens of thousands of targets.

The two steps of an intrusion

For most routers with the firewall enabled, the first step of an intrusion is getting into the router's LAN, and there are many ways to try: WiFi master key, cracking WEP encryption, cracking the WPS PIN, brute-forcing the WiFi password with a dictionary, and so on. For public routers this step is no problem at all: the WiFi password is public and anyone can connect directly. After joining the router's network, the second step is to use the router's own defects to gain full control of it. The vulnerabilities described in this article are used in this second step.
Router vulnerabilities mainly live in the software services the router exposes. For example, almost every router has a web management interface open on port 80, and there are other common services such as DHCP for assigning IP addresses, UPnP for plug and play, and so on. These services listen on certain TCP/UDP ports, and an attacker who has joined the router's network can send specially crafted packets to these ports to carry out various attacks, such as permission bypass, command injection and memory corruption.

With the attack scenario covered, let's return to this article. If the router has the Thunder remote-download function built in or configured manually, the Xware software listens on several ports, including one that handles the HTTP protocol, port 9000 on one router; the vulnerabilities described in this article are in that service. The last version released before official maintenance stopped can be downloaded here.

A chain of vulnerabilities

Both the officially released Xware software and the router firmware that bundles Xware are only compiled binaries. Through reverse engineering we found three issues; each alone can have a serious impact, but combining the three achieves remote arbitrary code execution.

Vulnerability one: do you really know how to use snprintf? (information leak)

Anyone who has learned C knows how to use snprintf, the most basic string-handling function. Its basic form is as follows:

int snprintf(char *str, size_t size, const char *format, ...);

As is well known, the second parameter, size, bounds the write and prevents a buffer overflow. But do you really understand what snprintf's return value means? First look at the following few lines of code and guess what they output:
