From Shodan to Remote Code Execution #3: Hacking the Belkin N600DB Wireless Router

Our newest post of this interesting series of Shodan to RCE takes us to Belkin routers.

Shodan search:

“Server: httpd” “Cache-Control: no-cache,no-store,must-revalidate, post-check=0,pre-check=0” “100-index.htm”

belkin shodan search

As at the time of writing this post, there were not so many results for the Belkin routers )-:

By navigating to one of the shodan search results, we may get such a dashboard, which in itself may be reported as a security vulnerability? – unauthorized access?, information disclosure?

belkin dashboard_

 

Getting key, method #1

By navigating to the link http://target//langchg.cgi and view the source..

key1_

The key can be clearly seen above, without authentication!

Getting key, method #2

By navigating to the link http://target/adv_wifidef.cgi and view the source..

key2_

Again, the key can be clearly seen above, without authentication!

 

Credits to the exploit author: Wadeek.

 

Advertisements

Blackhat Europe 2017 – conference notes

I had the pleasure to attend the Blackhat Europe 2017 in London – and it was enlightening! In this post, I shall provide links to the slide decks, videos and tools shared during the demonstrations, briefings and various talks. The abstracts for the briefings can be found on the official Blackhat Europe website.

 

1.Black Hat Europe 2017 youtube playlist (continuously being updated):

 

2. Presentation slide decks:

LOST IN TRANSACTION: PROCESS DOPPELGÄNGING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

HOW TO HACK A TURNED-OFF COMPUTER, OR RUNNING UNSIGNED CODE IN INTEL MANAGEMENT ENGINE:https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf

EXPOSING HIDDEN EXPLOITABLE BEHAVIORS IN PROGRAMMING LANGUAGES USING DIFFERENTIAL FUZZING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Arnaboldi-Exposing-Hidden-Exploitable-Behaviors-In-Programming-Languages-Using-Differential-Fuzzing-wp.pdf

ATTACKING NEXTGEN ROAMING NETWORKS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Schmidt-Attacking-Next-Gen-Roaming-Networks.pdf

BLUEBORNE – A NEW CLASS OF AIRBORNE ATTACKS THAT CAN REMOTELY COMPROMISE ANY LINUX/IOT DEVICE:https://www.blackhat.com/docs/eu-17/materials/eu-17-Seri-BlueBorne-A-New-Class-Of-Airborne-Attacks-Compromising-Any-Bluetooth-Enabled-Linux-IoT-Device.pdf

NATION-STATE MONEYMULE’S HUNTING SEASON – APT ATTACKS TARGETING FINANCIAL INSTITUTIONS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Shen-Nation-State%20Moneymules-Hunting-Season-APT-Attacks-Targeting-Financial-Institutions.pdf

SECURITY THROUGH DISTRUSTING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Rutkowska-Security-Through-Distrusting.pdf

EXFILTRATING RECONNAISSANCE DATA FROM AIR-GAPPED ICS/SCADA NETWORKS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Atch-Exfiltrating-Reconnaissance-Data-From-Air-Gapped-Ics-Scada-Networks.pdf

THE GREAT ESCAPES OF VMWARE: A RETROSPECTIVE CASE STUDY OF VMWARE G2H ESCAPE VULNERABILITIES:https://www.blackhat.com/docs/eu-17/materials/eu-17-Mandal-The-Great-Escapes-Of-Vmware-A-Retrospective-Case-Study-Of-Vmware-G2H-Escape-Vulnerabilities.pdf
A PROCESS IS NO ONE: HUNTING FOR TOKEN MANIPULATION:https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf

A UNIVERSAL CONTROLLER TO TAKE OVER A Z-WAVE NETWORK:https://www.blackhat.com/docs/eu-17/materials/eu-17-Rouch-A-Universal-Controller-To-Take-Over-A-Z-Wave-Network.pdf

ATTACKS AGAINST GSMA’S M2M REMOTE PROVISIONING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Meyer-Attacks-Against-GSMAS-M2M-Remote-Provisioning.pdf

AUTOMATIC DISCOVERY OF EVASION VULNERABILITIES USING TARGETED PROTOCOL FUZZING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Levomaki-Automatic-Discovery-Of-Evasion-Vulnerabilities-Using-Targeted-Protocol-Fuzzing.pdf
BECOMING YOU: A GLIMPSE INTO CREDENTIAL ABUSE:https://www.blackhat.com/docs/eu-17/materials/eu-17-Burney-Becoming-You-A-Glimpse-Into-Credential-Abuse.pdf

BREAKING BAD: STEALING PATIENT DATA THROUGH MEDICAL DEVICES:https://www.blackhat.com/docs/eu-17/materials/eu-17-Harit-Breaking-Bad-Stealing-Patient-Data-Through-Medical-Devices.pdf

BREAKING OUT HSTS (AND HPKP) ON FIREFOX IE/EDGE AND (POSSIBLY) CHROME:https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf

BY-DESIGN BACKDOORING OF ENCRYPTION SYSTEM – CAN WE TRUST FOREIGN ENCRYPTION ALGORITHMS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Filiol-By-Design-Backdooring-Of-Encryption-System-Can-We-Trust-Foreign-Encryption-Algorithms.pdf

CALDERA: AUTOMATING ADVERSARY EMULATION:https://www.blackhat.com/docs/eu-17/materials/eu-17-Miller-CALDERA-Automating-Adversary-Emulation.pdf

CLKSCREW: EXPOSING THE PERILS OF SECURITY-OBLIVIOUS ENERGY MANAGEMENT:https://www.blackhat.com/docs/eu-17/materials/eu-17-Tang-Clkscrew-Exposing-The-Perils-Of-Security-Oblivious-Energy-Management.pdf

DEALING THE PERFECT HAND – SHUFFLING MEMORY BLOCKS ON Z/OS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Elaassal-Dealing-The-Perfect-Hand-Shuffling-Memory-Blocks-On-ZOS.pdf

DIFUZZING ANDROID KERNEL DRIVERS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Corina-Difuzzing-Android-Kernel-Drivers.pdf

ENRAPTURED MINDS: STRATEGIC GAMING OF COGNITIVE MINDHACKShttps://www.blackhat.com/docs/eu-17/materials/eu-17-Kropotov-Enraptured-Minds-Strategic-Gaming-Of-Cognitive-Mindhacks.pdf

FED UP GETTING SHATTERED AND LOG JAMMED? A NEW GENERATION OF CRYPTO IS COMINGhttps://www.blackhat.com/docs/eu-17/materials/eu-17-Wong-Fed-Up-Getting-Shattered-And-Log-Jammed-A-New-Generation-Of-Crypto-Is-Coming.pdf

GDPR AND THIRD PARTY JS – CAN IT BE DONE?:https://www.blackhat.com/docs/eu-17/materials/eu-17-Grushcovski-GDPR-And-Third-Party-JS-Can-It-Be-Done.pdf

HEAP LAYOUT OPTIMISATION FOR EXPLOITATION:https://www.blackhat.com/docs/eu-17/materials/eu-17-Heelan-Heap-Layout-Optimisation-For-Exploitation.pdf

HIDING PIN’S ARTIFACTS TO DEFEAT EVASIVE MALWARE:https://www.blackhat.com/docs/eu-17/materials/eu-17-Polino-Hiding-Pins-Artifacts-To-Defeat-Evasive-Malware.pdf

HOW SAMSUNG SECURES YOUR WALLET AND HOW TO BREAK IT:https://www.blackhat.com/docs/eu-17/materials/eu-17-Ma-How-Samsung-Secures-Your-Wallet-And-How-To-Break-It.pdf

HOW TO ROB A BANK OVER THE PHONE – LESSONS LEARNED AND REAL AUDIO FROM AN ACTUAL SOCIAL ENGINEERING ENGAGEMENT:https://www.blackhat.com/docs/eu-17/materials/eu17-Crumbaugh-How-To-Rob-A-Bank-Over-The-Phone.pdf

I TRUST MY ZOMBIES: A TRUST-ENABLED BOTNET: https://www.blackhat.com/docs/eu-17/materials/eu-17-Vasilomanolakis-I-Trust-My-Zombies-A-Trust-Enabled-Botnet.pdf

INSIDE ANDROID’S SAFETYNET ATTESTATION:https://www.blackhat.com/docs/eu-17/materials/eu-17-Mulliner-Inside-Androids-SafetyNet-Attestation.pdf

INTEL ME: FLASH FILE SYSTEM EXPLAINED:https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained.pdf
JAILBREAKING APPLE WATCH:https://www.blackhat.com/docs/eu-17/materials/eu-17-Bazaliy-Jailbreaking-Apple-Watch.pdf

KEY REINSTALLATION ATTACKS: BREAKING THE WPA2 PROTOCOL:https://www.blackhat.com/docs/eu-17/materials/eu-17-Vanhoef-Key-Reinstallation-Attacks-Breaking-The-WPA2-Protocol.pdf

PASSIVE FINGERPRINTING OF HTTP/2 CLIENTS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Shuster-Passive-Fingerprinting-Of-HTTP2-Clients.pdf

RED TEAM TECHNIQUES FOR EVADING BYPASSING AND DISABLING MS ADVANCED THREAT PROTECTION AND ADVANCED THREAT ANALYTICS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Thompson-Red-Team-Techniques-For-Evading-Bypassing-And-Disabling-MS-Advanced-Threat-Protection-And-Advanced-Threat-Analytics.pdf

RO(O)TTEN APPLES: VULNERABILITY HEAVEN IN THE IOS SANDBOX:https://www.blackhat.com/docs/eu-17/materials/eu-17-Donenfeld-Rooten-Apples-Vulnerability-Heaven-In-The-IOS-Sandbox.pdf

SELF-VERIFYING AUTHENTICATION – A FRAMEWORK FOR SAFER INTEGRATIONS OF SINGLE-SIGN-ON SERVICES:https://www.blackhat.com/docs/eu-17/materials/eu-17-Chen-Self-Verifying-Authentication-A-Framework-For-Safer-Integrations-Of-Single-Sign-On-Services.pdf

THE APPLE OF YOUR EFI: AN UPDATED ANALYSIS OF THE STATE OF APPLE’S EFI SECURITY SUPPORT:https://www.blackhat.com/docs/eu-17/materials/eu-17-Smith-The-Apple-Of-Your-EFI-An-Updated-Analysis-Of-The-State-Of-Apples-EFI-Security-Support.pdf

THE SPEAR TO BREAK THE SECURITY WALL OF S7COMMPLUS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Lei-The-Spear-To-Break%20-The-Security-Wall-Of-S7CommPlus.pdf

WI-FI DIRECT TO HELL: ATTACKING WI-FI DIRECT PROTOCOL IMPLEMENTATIONS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Blanco-WI-FI-Direct-To-Hell-Attacking-WI-FI-Direct-Protocol-Implementations.pdf

ZERO DAYS THOUSANDS OF NIGHTS: THE LIFE AND TIMES OF ZERO-DAY VULNERABILITIES AND THEIR EXPLOITS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Ablon-Zero-Days-Thousands-Of-Nights-The-Life-And-Times-Of-Zero-Day-Vulnerabilities-And-Their-Exploits.pdf

Should we be worried? Huawei router …Part II

This is a follow-up of this post...

Good. Now we are at par.

After getting the router config as in the earlier post, I got to comb through the router config. Interesting things, I tell you.

One of the parameters, X_HW_MonitorCollector has a server URL of yjyx.gd.edatahome.com and a tftp port of 6169.

edatahome

As shown above, the setting for this configuration seems disabled as the Enable switch is set at 0, and the number of entries being monitored is set at 0. Maybe we should rest easy?Should we?

A quick whois check of edatahome.com is as below.

edatahome2

Hmmm….should we be worried?

Huawei HG8245H router “privilege escalation”…Part I

This is a prequel to this post here

Well, I got to play around with my router a few weeks ago. My router, a Huawei HG8245H version, is pretty decent for home use.

First things first, the login password is smack on the bottom of router as below.

routerpic

Most routers have a well known default password, infact there are multiple sites dedicated to document that. So I got curious to know what info I could get using these credentials.

A quick google search says that the user root/admin is a normal user with the telecomadmin/admintelecom being the super user. Funny enough, I was unable to log in using the admintelecom/telecomadmin set of credentials. The superuser account allows a user to have access to other options, notably backup configuration settings, edit and load router config file etc.

An explanation I got as to why this is the case is because as soon as the router gets connected to ISP WAN it grabs configuration from ISP and this particular set of admin credentials don’t work. So how do we bypass this?

Proof of concept:

  1. Enter web interface (http://192.168.100.1) using root/admin credentials
  2. Reboot the router.
  3. Disconnect fibre cable as it restarts
  4. As it restarts, try to log in on http://192.168.100.1 as telecomadmin/admintelecom

Voila! You are in, as superadmin, with more options to tweak the router 😀

telecomadmin login

        5. To elevate your normal user root to superadmin status. Download router config file           from System Tools > Configuration File.. This  file named “hw_ctree.xml” is                             encrypted and appears as below:

encrypte

Fortunately, we can decrypt the router config file using any aes decryption tool.

6. Proceed to decrypt as below:

ddecrypt

and here we have our plaintext config file:

interesting users

For this post, our area of concern would be the part highlighted below:

2more users

Notice the different userlevels for the two users (root and telecomadmin), 0 and 1. Now we know userlevel 0 is superadministrator.

        7. Edit the root user line to userlevel 0. Save file and decrypt it

        8. Log in to our web interface, upload the new config file and restart router.

       9.Once restarted, log in as root/admin, and enjoy the new options available  🙂

I called up Huawei to notify them of this and after a rather lengthy discussion they finally emailed me: “We will not track this issue as a vulnerability. If you still have some different option please never hesitate to contact us. Thanks again for your concern about the security problems of Huawei products. If you ever find any potential security issues in Huawei products in the future, we are looking forward to working with you again.”

I would,however like to thank Huawei’s quick response and follow up on their part. Many security researchers would have however have wished that we would fix this issue as we all know how attacks like DDOS are being propagated using default credentials in routers or other IOT devices.

Find Part II here