The security of any network is only as strong as its weakest link. What if that weak link is so fundamental that most of us may not even consider it to be faulty? Increasingly bad actors have been targeting common routers, the backbone of the Internet, as the new playground for mischief online.
According to researchers at SEC Consult the “USB over IP or NetUSB function contains a buffer overflow vulnerability. This flaw is present in most modern Small Office Home Office (SOHO) routers including those from D-Link, Netgear, TP-Link, Trendnet, and ZyXEL.”
As part of the connection initiation, the researchers wrote in their blog, “the client sends his computer name. This is where it gets interesting: The client can specify the length of the computer name.”
“By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket. Easy as a pie, the ‘90s are calling and want their vulns back, stack buffer overflow. All the server code runs in kernel mode, so this is a ‘rare’ remote kernel stack buffer overflow.”
Their advisory contains a complete list of about 92 affected products from 28 vendors. Some vendors have started pushing out patches.
Even non-vulnerable routers are suspect. Late last year researcher Eloi Vanderbeken reported a secret backdoor on his Linksys WAG200G router. After forgetting his admin interface password, he scanned the router to gain access and in the process discovered TCP port 32764 was wide open.
This same router backdoor was found to be present in other popular routers such as those from Netgear, Belkin, and Cisco. A list on GitHub defines specific makes and models, although it is no longer being maintained.
While the initial vulnerability was patched soon after the public disclosure, Vanderbeken reported last month that Sercomm, which manufacturers many brands of common routers, had introduced a new vulnerability with the same effect.
Unpacking the patched firmware version 1.1.0.55 of Netgear DGN1000 using the binwalk tool he found a file named “scfgmgr” th with a new option “-l” that limits the backdoor to the processes running on the same device. Through reverse engineering, he also found a tool called “ft_tool” which he said could re-activate the TCP backdoor.
This is only the latest in a long list of recent disclosures affecting both broadband and home routers.
In January of 2015 a number of Asus routers were vulnerable to attack as were routers using Zyxeltech’s ZynOS firmware used in D-Link’s DSL-2740R ADSL router and DSL routers from TP-Link and ZTE.
Also in January, Threatpost reported that security researcher Eduardo Novella had uncovered a remotely exploitable vulnerability in home routers produced by Pirelli and distributed by Movistar Telefonica in Spain.
The exploit could allow the attacker to access files on the device, stealing data or producing a denial-of-service attack.
Last December, US-CERT at the Department of Homeland Security warned broadband router manufacturers of a common vulnerability, dubbed “Misfortune Cookie.” This vulnerability had actually been patched more than 10 years ago, but was still present on many deployed devices.
And last October, the firm Rapid7 warned that more than 1 million plus SOHO routers were potentially vulnerable to remote attacks. A vulnerability in the implementation and configuration in NAT-PMP features, Rapid7 said in a warning, could remotely access private internal network traffic.
Having a vulnerable router creates a number of possibilities. None of them good.
Last month security vendor Incapsula reported that 85 percent of the compromised routers from Ubiquiti Networks and located in Thailand and Brazil were running a new global botnet. “Ubiquiti Networks tried to do a good thing and bring internet connection to third world regions this year,” Incapsula said in an e-mail statement to The Security Ledger.
“Unfortunately it’s just been discovered that their routers are being actively exploited by hackers to field massive DDoS attacks, due to an overlooked exploit.”
In January 2015 research from KrebsOnSecurity revealed that the hackers from the Lizard Squad –a group famous for attacking Sony and Microsoft over the Christmas holiday in 2014—had used a botnet of compromised systems, including home Internet routers.
And last September security researchers from Sucuri found that a web-based attack launched from the site of a popular Brazilian newspaper was actually targeting home broadband routers.
Clearly more security research is called for regarding the integrity of home and broadband routers. And manufacturers of these devices need to make patching easier, or at the very least make the owner aware that a new version of the firmware exists.
Currently firmware patches may exist but the end-user has no idea when or how to install them. As for the recurring backdoor in SOHO routers, Eloi Vanderbeken has no idea why it continues to exist.
This was cross-posted from the Dark Matters blog.
Copyright 2010 Respective Author at Infosec Island