The team from the Information Security Laboratory of Ocean University of China compromised ten well-known routers at the 2017 Excellent competition, won a prize of 100,000 yuan and was inducted into the Excellent Hall of Fame.
A young team and a rising star among information security groups at Chinese universities, it consists of Qu Haipeng of the Department of Computer Science and Technology in the School of Information Science and Engineering, Zhao Hanqing (2013 cohort, Computer Information Security) and Sun Lei (2014 cohort, Computer Science and Technology).
To prepare for the competition, they spent two months studying more than ten routers on the market and finding security flaws in them. On stage they demonstrated redirecting a designated website to another address through DNS hijacking, and making the website unreachable through a DoS attack.
Live video: Ten Routers Security Research Exhibition (Ocean University of China team)
This article was written by Sun Lei of the Information Security Laboratory of Ocean University of China. Comments and discussion are welcome in the comment section.
I.
As the hub of the home network, the router plays a central role in it. If an attacker compromises the router and obtains root privileges on it, the security of the whole home network is seriously affected.
Routers were chosen as the research object for this competition first because of this central role in the home network. Finding previously unknown vulnerabilities in routers helps users get online on a more secure network, prompts them to pay attention to router security, and helps prevent attacks.
Routers have been manufactured for decades, but their code security has not kept pace with that of PCs and Android phones. Vulnerability mitigation mechanisms such as NX, ASLR and stack canaries are not widely enabled on routers, so when a router has a vulnerability, exploiting it is very simple.
Another reason for choosing routers is to remind router manufacturers to pay attention to router security and to enable mitigation mechanisms on their devices, making attacks harder for malicious attackers.
II.
Preparing these routers for the competition took more than two months. The main work consisted of selecting and purchasing devices, extracting the firmware or downloading it from the vendor's official website, unpacking the firmware, analyzing the programs, finding vulnerabilities in them, and writing exploit programs. While doing this, we also recorded the progress made on each brand and model.
III.
1) Firmware can be obtained by downloading it from the router vendor's official website, or by connecting to the router over UART and pulling the files off the device directly. For example, Netgear provides firmware downloads on its official website, and ASUS provides both firmware and source code downloads on its.
2) The main attack surface consists of the services listening on the router's ports, including the web service, DNS, DLNA, telnet, and the vendors' own proprietary services.
Problems in the web service (port 80): the web server is often written by the vendor instead of using a stable open-source server. The most common problems in vendor-written servers are authentication bypass, buffer overflow, command injection and backdoors. For example, the web server on port 80 of the Tenda router was written by Tenda itself and contains a buffer overflow.
The vulnerabilities in services on other ports are similar to those on port 80.
3) Router vulnerability hunting can be divided into several levels.
First, check whether the exposed service is open-source software. If it is and the version is not the latest, check whether that version has known CVEs.
Second, check whether the router configuration is vulnerable, including whether telnetd is enabled by default and whether the root user has a weak password.
Third, reverse engineer the router's service programs with IDA. A quick way to find vulnerabilities is to locate error-prone functions such as system, strcpy, sprintf, strncpy and memcpy, then examine each place they are referenced for command injection or stack overflow.
4) Compared with CTF pwn challenges, exploitation is simpler, because most mitigation mechanisms are not enabled on routers; where they are, ASLR is mostly only set to level 1, so heap addresses do not change.
Router vulnerabilities are basically stack overflows. Once the return address can be overwritten, heap spraying is a good technique: fill the heap with a large amount of shellcode, then overwrite the return address to point into the heap. A more advanced technique is return-oriented programming; the exploit for the Tenda router uses ROP.
IV. Security suggestions
Manufacturers:
1. Do not expose service ports to the public network; if a service has a vulnerability, exposing it hands the attacker an attack surface.
2. Prefer stable open-source software over in-house implementations, which are likely to contain problems, and keep any open-source software you do use updated to the latest version.
3. Use separate users: run the web service as one user and DNS as another, and do not run everything as root, so that an attacker who compromises the router gains at most the privileges of a single user and cannot compromise the security of the whole router.
4. Enable mitigation mechanisms on the router, such as NX, ASLR and stack canaries.
5. Set a hard-to-crack password for the router's root user.
Users:
1. Prefer higher-priced routers from well-known brands.
2. Do not use an overly simple router password.
3. Update the router firmware regularly.
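Added example (not code from the team or from this article): a small Python checker for manufacturer suggestion 4 and for the observation in section I that NX, ASLR and stack canaries are rarely enabled on routers. It reads a firmware ELF's program headers for NX (PT_GNU_STACK), checks whether the binary is position-independent (without which ASLR cannot randomize its load address), looks for the stack-protector symbol, and lists the error-prone functions named in section III; the ELF images it builds are constructed for the test and are not real router binaries.

```python
import struct

# ELF constants (from the ELF specification)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
RISKY = (b"system", b"strcpy", b"sprintf", b"gets")  # error-prone functions named in the article

def check_mitigations(elf: bytes) -> dict:
    """Report NX, PIE (needed for full ASLR), stack canary and risky imports for an ELF32/ELF64 image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2
    end = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian (common on MIPS routers)
    e_type = struct.unpack_from(end + "H", elf, 16)[0]
    if is64:
        e_phoff = struct.unpack_from(end + "Q", elf, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
        flags_off = 4  # in Elf64_Phdr p_flags follows p_type
    else:
        e_phoff = struct.unpack_from(end + "I", elf, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 42)
        flags_off = 24  # in Elf32_Phdr p_flags is the seventh field
    nx = False  # no PT_GNU_STACK header at all means the kernel grants an executable stack
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if struct.unpack_from(end + "I", elf, off)[0] == PT_GNU_STACK:
            p_flags = struct.unpack_from(end + "I", elf, off + flags_off)[0]
            nx = not (p_flags & PF_X)
    return {
        "nx": nx,
        "pie": e_type == ET_DYN,  # ET_EXEC loads at a fixed address even when the kernel randomizes
        "canary": b"__stack_chk_fail" in elf,  # symbol pulled in by -fstack-protector
        "risky_imports": [f.decode() for f in RISKY if b"\0" + f + b"\0" in elf],  # crude .dynstr scan
    }

def build_sample_elf(nx, pie, canary, imports=(), big_endian=True) -> bytes:
    """Constructed minimal ELF32 MIPS-style image for testing; not a real firmware binary."""
    end = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1]) + b"\0" * 9
    ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH", ET_DYN if pie else ET_EXEC, 8, 1, 0,
                               52, 0, 0, 52, 32, 1, 40, 0, 0)  # one program header at offset 52
    flags = PF_R | PF_W | (0 if nx else PF_X)
    phdr = struct.pack(end + "IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, flags, 16)
    strtab = b"\0" + b"".join(s + b"\0" for s in imports)  # mimics a .dynstr table
    if canary:
        strtab += b"__stack_chk_fail\0"
    return ehdr + phdr + strtab
```

Running `check_mitigations` over every ELF unpacked from a firmware image gives a quick inventory of which services still ship without NX, PIE or a stack protector.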