Monday, September 20, 2021

Home and small business routers under attack – how to see if you are at risk – Naked Security

Evan Grant, a researcher at network security scanning company Tenable, recently decided to have a go at hacking a home router.

The idea, it seems, was more to learn about the general techniques, tools and procedures available to router hackers than to conduct a security assessment of any particular product.

Understandably, therefore, Grant picked a router model using two non-technical criteria: was it popular, and was it available in Canada (Grant’s home country)?

After opening up the router casing to get access to the circuit board, Grant made good progress, by quickly:

  • Finding likely pins on the circuit board where a debugging device could be connected.
  • Identifying the correct wiring for the debugging circuitry to permit a serial connection.
  • Getting a root shell via a serial line and accessing the files on the device.

Grant’s first stop was to download a binary file (executable program) called httpd, which is the name under which you typically find a home or small business router’s web server, used for managing the device from a browser.

The name httpd stands for HTTP daemon, where HTTP means that the program handles web traffic, and daemon is the Unix/Linux name for what Windows users know as a service: software that runs in the background whether anyone is logged in or not. (The word daemon is properly pronounced “die-moan” or “day-moan”, but many sysadmins just call them “demons”, and you may need to follow suit to avoid causing confusion.)

Bugs found

Disassembling the web server binary revealed critical bugs, caused by programming errors, that Grant was able to chain together to take over the router via its web interface without needing a password.

Firstly, the router had a list of built-in web server subdirectories where authentication was not required, so that “harmless” files such as http://[router]/images/logo.png would work for everyone.

(A company logo isn’t a secret, so why not let anyone access it, whether they’ve logged in already or are still stuck on the login page?)

But once the router had matched the name of the “harmless” subdirectory at the start of the requested path, it didn’t bother applying any other security checks, such as looking for risky characters in the rest of the filename.

This means that Grant could use a filename such as /images/../login.htm in the URL as an unauthenticated equivalent to web pages that would otherwise prompt for a password or block access entirely, such as http://[router]/login.htm.

This sort of bug dates back decades, and is known as a directory traversal vulnerability, because the special directory name .. (two dots) is shorthand for “go up one directory”.

Thanks to the “go up one” component, the file named /images/../login.htm actually refers to a file that sits above the /images subdirectory, not in the directory tree underneath it.

Directory traversal bugs that rely on the “go up one” trick often show up in logs with filenames such as ../../../../../etc/passwd or ../../../../Windows/System32.

The trick here is that if you “go up” by more subdirectories than your current depth in the directory tree, you don’t get an error. Once you get to the root directory, every subsequent ../ simply gets ignored, because “one up” from the root directory is just the root directory again.

So, a filename preceded by sufficiently many apparently innocent relative pathnames of ../ is equivalent to a dangerous and suspicious absolute filename such as /etc/passwd (the list of Unix usernames) or C:\Windows\System32 (the all-important Windows directory where system software lives).
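The two halves of the bug described above (a prefix match on the raw path that lets /images/../login.htm through, and the “surplus ../ gets ignored at the root” rule that makes long ../../.. chains work) can be reproduced in a few lines. The following is an added example, not Tenable’s research code or the router vendor’s httpd: the list of public directories and the protected page names are constructed for the illustration, and the `%2e%2e` decoding step is an assumption about what a hardened server should do, not something the article states the router handled.

```python
"""Added example: simulating the authentication-bypass pattern from the article.

The names below (PUBLIC_PREFIXES, PROTECTED_PAGES) are constructed for this
demonstration; the real router's lists are not reproduced in the article.
"""
import posixpath
from urllib.parse import unquote

# Directories the (hypothetical) router web server serves without a login.
PUBLIC_PREFIXES = ("/images/", "/css/")

# Pages that should only be reachable after login (constructed names).
PROTECTED_PAGES = {"/login.htm", "/admin.htm", "/etc/passwd"}


def vulnerable_requires_auth(url_path: str) -> bool:
    """The flawed logic: a bare prefix match on the raw URL path.

    Anything that merely *starts with* a public directory name is treated as
    public, so '/images/../login.htm' is waved through unauthenticated.
    """
    return not url_path.startswith(PUBLIC_PREFIXES)


def resolve_path(url_path: str) -> str:
    """Resolve a URL path to the absolute file it actually names.

    Implements the 'go up one' rule by hand so the behaviour is visible:
    '..' pops the last directory, and a '..' with nothing left to pop (we are
    already at the root) is simply ignored, which is why '../../../../etc/passwd'
    ends up meaning '/etc/passwd' however many '../' precede it.
    """
    decoded = unquote(url_path)  # assumption: also undo %2e%2e -> '..'
    stack: list[str] = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue  # empty (from '//') or 'this directory': no change
        if segment == "..":
            if stack:
                stack.pop()  # go up one directory
            # else: at the root already; 'one up' from '/' is still '/'
        else:
            stack.append(segment)
    return "/" + "/".join(stack)


def hardened_requires_auth(url_path: str) -> bool:
    """Canonicalise first, then decide.

    After resolution, '/images/../login.htm' is '/login.htm', which no longer
    starts with a public prefix, so the login page keeps its password prompt.
    """
    return not resolve_path(url_path).startswith(PUBLIC_PREFIXES)


def is_bypass(url_path: str) -> bool:
    """True when the vulnerable check exposes a page the hardened check protects."""
    resolved = resolve_path(url_path)
    return (
        resolved in PROTECTED_PAGES
        and not vulnerable_requires_auth(url_path)
        and hardened_requires_auth(url_path)
    )


if __name__ == "__main__":
    # Constructed sample requests, in the shape such attempts appear in logs.
    samples = [
        "/images/logo.png",
        "/login.htm",
        "/images/../login.htm",
        "/images/%2e%2e/admin.htm",
        "/css/../../../../../../etc/passwd",
    ]
    for p in samples:
        print(
            f"{p:40} -> {resolve_path(p):16} "
            f"vulnerable: {'open' if not vulnerable_requires_auth(p) else 'auth'}  "
            f"hardened: {'open' if not hardened_requires_auth(p) else 'auth'}"
        )
```

Running the script shows the first path is public under both checks, the bare /login.htm is protected under both, and the three traversal variants are open under the vulnerable prefix match but correctly gated once the path is resolved before the check. The same `resolve_path` function is handy on the log side: feed it the raw request path from an access log entry and you get the file the request really targeted, whatever number of ../ was stacked in front of it.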