Tfw you find 0days in a very popular router software but the company your work for won't let you publish about them

All you need to do is visit a link, and I can send a request to your router that will exploit it and bind a root telnet to its external ip (thanks for the easy way to enable that in the config devs)

The exploit is even cool memory corruption, since the router is shit and has no NX or ASLR (except for the HEAP which is even worse since it doesn't use dynamic memory.. lol)

I can tell you more about the exploit if you are interested.

Just wanted to vent since I can't tell anyone else.

Feel free user, this sounds interesting

Consumer grade or enterprise stuff? Aftermarket or stock firmware?

bampin'

First some background.
This is a pretty popular router (maybe not by choice) used by an ISP.
Well there are 3 router models that all use the same software, although all 3 are different architectures (arm, little endian mips and big endian mips).

The software is based on some company that got bought up a few years ago, but they have some sort of API to let ISPs write custom code on top of it.

The vulnerability I found was in a function that handles the web page when you go to the ip.

Being probably CS students who passed college with a D+, they were shit at writing C, and so to reconstruct an IP for a certain form (which on the webpage consists of 4 text boxes that you can enter the IP into) they used STRCAT to concat them together and then actually parse the IP. STRCAT. This is like 90s level shit code.

Anyway, you can send any amount of data you want and it will just take it all in and fill up this static buffer in the data section (because again, everything in this firmware is static buffers, not dynamic memory, or even buffers on the stack).

So here I am smashing all of the data section, just to see what would happen, and lo and behold I get a kernel panic on my serial line (because this shitty router uses the main executable for init, so once it crashed the kernel reported the crash as well. Which was nice for debugging.)

Anyway, I found that I had smashed some sort of linked list of error handlers or something like that, allowing me to control a function pointer, assuming I make a few other fields of the struct valid to prevent other crashes.

At this point since it was a static buffer, I could use the same address specific to the firmware version to locate where the buffer is and cause the program to jump to it.

Just had to write some arm and mips assembly code to force it to call two functions, updateConfig("conf.debug.telnet.remote","enabled") and then flushConfig() before crashing and forcing a restart, also starting the debug root telnet.
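A constructed C illustration of the bug class the OP describes (four form fields concatenated into a fixed static buffer) next to a bounds-checked version. This is added here and is not the router's code; the function names, buffer size and field layout are all assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed layout: a fixed buffer in the data section, no stack or heap use,
 * matching the thread's description. Size is an assumption. */
#define IP_BUF_LEN 16   /* "255.255.255.255" plus terminating NUL */
static char g_ip_buf[IP_BUF_LEN];

/* Vulnerable pattern: strcat() copies each field up to its NUL with no regard
 * for the room left, so an oversized field writes past g_ip_buf into whatever
 * the linker placed after it (the thread's smashed handler list). Shown only
 * for comparison; it is never called on untrusted input in this example. */
void build_ip_unsafe(const char *f[4])
{
    g_ip_buf[0] = '\0';
    for (int i = 0; i < 4; i++) {
        if (i) strcat(g_ip_buf, ".");
        strcat(g_ip_buf, f[i]);
    }
}

/* Hardened pattern: validate every field as 1-3 decimal digits with a value
 * of at most 255 before touching the buffer, then let snprintf() enforce the
 * bound and check its return value so a truncated result is never accepted.
 * Returns 0 on success, -1 on any rejected input (out is left untouched). */
int build_ip_safe(const char *f[4], char *out, size_t out_len)
{
    unsigned v[4];
    for (int i = 0; i < 4; i++) {
        size_t n = strlen(f[i]);            /* length of the field, not the buffer */
        if (n == 0 || n > 3) return -1;
        v[i] = 0;
        for (size_t j = 0; j < n; j++) {
            if (!isdigit((unsigned char)f[i][j])) return -1;
            v[i] = v[i] * 10 + (unsigned)(f[i][j] - '0');
        }
        if (v[i] > 255) return -1;
    }
    int w = snprintf(out, out_len, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    if (w < 0 || (size_t)w >= out_len) return -1;   /* would not fit: reject */
    return 0;
}
```

Calling `build_ip_safe(fields, g_ip_buf, sizeof g_ip_buf)` is the drop-in replacement for the strcat loop; the length check happens before a single byte reaches the static buffer.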

are you a hacker?

Of course there were a few bumps along the way like ARM instruction caching, and how to deploy the payload. The solution to both ended up being with a CSRF attack from some webpage. Basically I tell your browser to submit this HTML form to 192.168.1.1 that has the IP payload in it. Your browser complies, and exploits your own router. To fix the ARM caching, I just had to send the payload twice, only triggering the second time.

With regards to the firmware offsets, the webserver luckily tells you the version number in the headers, and also fails at CORS, so I can figure out what page you are on with an iframe. If your browser blocks that, there is also a way I can throw a bunch of exploits at it, since each version I have looked at has a different length before crashing.

Old news

post POC or fug off LARPer

...

>$telnet
>$shell
>$whoami
>root
top fucking lel

If you are thinking of the command injection in linksys routers, it is not that.

The consulting company talked with the vendor, but they said it was "a risk they were willing to take", and then nothing came of it, because the company wants the vendor as a client, so they won't let me disclose it.

And I want my job which is why I am not posting the POC

Wait, does your begin with the letter, "A"?

Does what begin with an A?

your first name

sell it to russia

No it doesn't

You're Andrew F., aren't you? kek

The only andrew F I know is that guy who posted on /r/netsec recently. Maybe you are thinking of him.

Yeah I know it's you. It's RSL. You're a moron by the way

Lol I guess some random guy is going to get fucked over. I guess router vulns are more common than you think.

>router vulns are more common than you think
IIRC wasn't that massive DDoS a few months ago caused by IoT devices like consumer routers and set-top boxes that have god-awful security?

I think that once was just used default usernames and passwords. I think the code got released, probably because the feds were onto that guy who wrote it.

>telling people about 0days instead of selling them or using them

Are you NSA trying to cover one of your clients? If not, fuck off and let OP finish.

>just used default usernames and passwords
God that shit makes me sick.

I'm an infrastructure guy so the idea of easily available 200gbps+ botnets is kind of upsetting.

Is it BT? They have a history of ignoring vulnerabilities; it wouldn't surprise me in the slightest

Hold on, how do you get to this page where you run your payload?
Do you have to login to the device when you go to the webpage or is the IP address input on the public webpage?

As a representative of Arris Corp, I assure you we will be notifying your employer and pursuing legal actions, based on what you have posted on this forum. We do take security seriously and we keep very detailed logs of who / when we receive security reports.

BT's routers? (or 'Smart Hubs' as they like to call them)

What's the best way to protect yourself against attacks like this?

Move your LAN onto a very nonstandard network like 10.207.99.0/24 ?

It's Arris isn't it?

I'm not familiar with Arris.
It's Ruckus equipment I take it then?

glad noscript will stop this kind of shit

Some browsers/browser security extensions have prevention from Internet webpages addressing the local network that would probably block it.

use a VPN from an internet cafe and report it anonymously. how hard is that?

>has my name in brackets
I don't like this one bit

Yeah, but you can't assume to control every device in your network; so I think multiple approaches need to be combined

Two things:

1. Does this bypass UTM?

2. Can you only perform the exploit from within the internal network or can it be done from outside using the IP granted from the ISP?

Verizon maybe... they do have open source router firmware (look it up), with telnet enabled by default....

>LARPing on my Sup Forums
What an awful start for 2017

External webpages can't address local IPs.
If that worked, why bother with a fancy 0day when millions of routers still have "admin" as the default password which most people are still too lazy to change.

so you ran a buffer overflow on a router that caused its software to crash, reboot, and open up a telnet console that is used to debug it?

Do you need admin access to run the exploit?

and you accessed this with some sort of form data class object that was in the router's native API? I'm assuming it was some sort of POST request?

>root telnet to its external ip

doesn't this require the computer on the router's LAN to be running a telnet client for it to function?

and if you already have admin access on the router, and the only thing the router gives telnet access to is itself, couldn't you just do whatever it is you wanted to do with telnet with port forwarding instead?

how does being able to address a local IP from an external website help you?

Does it let you run JS code on their machine?

>Do you need admin access to run the exploit?

Reading your post, I guess not, since you can run it from an external website using form data.

but isn't it essentially using your own router as a proxy?

can't you frame the carrier request as coming from another computer on the same LAN using ARP poisoning?

Because of possible inherent dangers of local addressing over the Internet (this very thing) it is fairly common for such to be blocked in browsers and by security addons/antivirus/firewalls.

What it is doing is using your browser to send a message to your router to crash it and open telnet access from the outside.

telnet access to the router, the browser, or the OS?

I mean you are using THEIR router as a proxy. As far as they are concerned, isn't the request coming from the router itself, not an external IP?

Couldn't you spoof your MAC address and IP to make it look like it was coming from a device on their own LAN?

But like I said, even if you have telnet access to the router, does that give you access to the browser or the OS networking protocols? Most OSes don't have telnet enabled by default.

Would it let you run restricted JS code on their browser if your website was able to address your computer's local IP directly?

>if your website was able to address *their* computer's local IP directly?
apologies

Nazis have arrived

Damn, shit's terrifying

lol.
cause they are going to totally bust somebody in an anonymous online message forum, validating the exploit and the company it belongs to instead of sending him an email in private, right?

and they are totally going to fire someone who has access to a zero day exploit they are trying to push through production that could give him root access to all their routers' clients' computers.

No.
He is talking about crafting a website (on the Internet) that has a form with form data in it that is addressed to the likely router IP address (on the local network) so that when you submit the form it will send to the router IP address, crash it and cause telnet to start on the external interface for debugging.

Very interesting read, thanks for sharing! I'm always a bit jelly of people who are able to find this stuff, it takes probably even more skill than the actual programming, or at least a different kind of skill

and i'm saying once you do that, then log onto the router's telnet debugger as a client, what's to prevent you from spoofing your MAC address and IP address and sending requests to other computers on their LAN?

Was going to say it sounds like the netgear exploit about a month ago but this sounds different. Thanks for the read.

So the exploit delivery is basically something like this?





And it just strcat()s it all into a static buffer, and overflows on a linked list next to it?

>This is a pretty popular router (maybe not by choice) used by an ISP.
>The software is based on some company that got bought up a few years a go

Sounds like a Cisco router from my educated guess.
Is it the EPC3928AD used by Ziggo?