Hello dear reader!

Today we start with the fact that at one point I decided, instead of training on vulnerable machines, to test my own Wi-Fi router, which I received back in 2015, for vulnerabilities. At that time there was a very popular Beeline tariff in which, along with the Internet connection, the Wi-Fi router itself was rented out for 1 ruble, and this is the router I decided to test.

The router is a Smart Box; the latest firmware version is 2.0.38 (released in 2017), and no updates have been received since then.


Start


By default, the router has two accounts, admin and SuperUser. Few people know about this, but there is information about it in open sources. The password for the SuperUser account is the serial number of the router, which can be found in the settings under “Advanced settings > Information” or on the sticker under the router. Accordingly, the SuperUser account has more options for configuring the router.

Figure: User admin/SuperUser

The router has several account types (user, administrator and manufacturer), each with different privileges in terms of configuring the router; we take note of this.

OS Command Injection


Yes, the router has a command injection vulnerability.

First, we log in and go to “Advanced Settings > Others > Diagnostics”, where we can run Ping, nslookup and traceroute using the router's built-in functions. Let's try ping and use it to execute a different command.

Figure: Client Side Protection

As we can see, we are warned that the address is incorrect, but this check only runs on the client side. If we intercept the request and modify it, we bypass this protection. I will do this with the Burp Suite Pro tool.
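The check the router should have performed belongs on the server, where the diagnostics parameter is validated before any command is built. The following is an added example (not the router's firmware code) showing such a validator, an argv-style ping command that never passes the target through a shell, and the same check used as a detection rule over a constructed sample of submitted targets.

```python
import ipaddress
import re

# RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Shell metacharacters that have no business in a ping/nslookup/traceroute target.
_SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\'\"]")


def validate_target(target: str) -> bool:
    """Accept only an IPv4/IPv6 literal or a well-formed hostname."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_ping_argv(target: str, count: int = 4) -> list:
    """Build the argv list for ping; refuse anything that fails validation."""
    if not validate_target(target):
        raise ValueError("invalid diagnostic target")
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    # An argv list, never a shell string: the target is exactly one argument.
    # validate_target() already rejects a leading '-', so it cannot become a flag.
    return ["ping", "-c", str(count), target]


def flag_suspicious_request(param_value: str) -> bool:
    """Detection rule: would the server-side validator have rejected this value?"""
    return bool(_SHELL_META.search(param_value)) or not validate_target(param_value)


# Constructed sample of (account, submitted target) pairs, not real router logs.
SAMPLE_REQUESTS = [
    ("admin", "8.8.8.8"),
    ("User", "8.8.8.8; id"),
    ("SuperUser", "example.com"),
    ("admin", "example.org|id"),
]


def scan_requests(requests):
    """Return the (account, target) pairs a monitoring rule should alert on."""
    return [(u, t) for u, t in requests if flag_suspicious_request(t)]
```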

Figure: We intercept the request and change it

Figure: Result

As we can see, instead of ping a completely different command was executed, the one we supplied when intercepting the request. Here we see that the router has 3 accounts (SuperUser, User, admin); I created the User account myself. By default there are only 2 users (SuperUser and admin). It was through this vulnerability that I learned about the SuperUser account, which surprised me a lot and made things much more interesting.

This vulnerability is also present in nslookup and traceroute and is exploited in the same way, by intercepting the request. Below I attach PoC videos of the exploitation of these vulnerabilities.

Ping

Nslookup

Traceroute


Remember that at the beginning we noted there are 3 types of accounts? Well, regardless of the account type, the commands are executed with SuperUser privileges, which gives us more options. And yes, the vulnerability is present for every account type (user, administrator and manufacturer).

Vulnerable services


The router has 3 services: OpenSSH 5.2, FTP (vsftpd 3.0.2) and Samba 3.0.22. These are old versions, and many vulnerabilities have been found in them over the years. For comparison, at the time of writing the latest versions were OpenSSH 8.2, vsftpd 3.0.3 and Samba 4.12.0. I selected a couple of exploits for these services to test, and we will go through them in order.

OpenSSH (5.2)


Vulnerability CVE-2016-6515 allows causing a denial of service (DoS).

I log in to the router's system over SSH and use the top command to monitor the processor load (the CPU field) while exploiting the vulnerability.

Figure: Normal state

Figure: After exploiting the vulnerability

As a result, web pages may take a long time to load, and at some point the router may freeze completely and even reboot. I also had a funny case where, while exploiting this vulnerability, my own computer rebooted with a blue screen of death (sad smiley); that was very unexpected and strange :D

Below I attach a PoC video of the exploitation of this vulnerability.

Exploitation of CVE-2016-6515


Samba (3.0.22)


The SMBLoris vulnerability allows causing a denial of service (DoS). It can be exploited with Metasploit; the module is located at “auxiliary/dos/smb/smb_loris”. As a result, the router reboots.

Below I attach a PoC video of the exploitation of this vulnerability.

Exploitation of SMB_Loris


FTP (vsftpd 3.0.2)


Vulnerability CVE-2015-1419 allows bypassing access restrictions. Unfortunately, I did not find an exploit for it, but it is present as well.

HTTPS


Yes, the router has the option of enabling a secure connection. As I understand it, the SSL 2.0 or 3.0 protocol is used and the certificate is self-signed, which is quite normal for home routers. In terms of security, however, SSL has long been obsolete and insecure; more secure options such as TLS 1.3 are used now.

Other weaknesses


During authentication to the router, the username and password are base64-encoded, which is not hard to decode. Given that HTTPS is not used by default for an encrypted connection, encoding the login and password is at least some kind of protection.

It is better for the data to be transmitted in encoded form than completely in the clear. Frankly, at first this misled me, and only after a while did I realize that the data is merely encoded.

Figure: Username and password are encoded

Figure: After decoding

Below I attach a PoC video of the decoding.

Base64 decode


It will not be difficult for attackers to sniff the network, identify the username and password through traffic analysis and decode them.

Beeline appeal


Initially, I contacted them via online chat, and they recommended that I call and ask all my questions there, which I did.

I asked just a couple of questions, and this is the result: the Smart Box router is no longer relevant and will receive no further updates. As I wrote at the very beginning, it stopped being updated in 2017; that was its last update. The operator Alexey mentioned (if you are reading this, a big hello to you) that the Smart Box One router is still supported, and if anyone finds a vulnerability in it, they can call and the information will be passed to the security service. As I understand it, Smart Box One is the next model after Smart Box.

Summary


The router itself is good, but unfortunately it is outdated in terms of security. If you use it, it is recommended to disable services such as SSH, FTP and Samba, since they are old versions in which many vulnerabilities have been found, and it is not safe to use them, especially exposed to the Internet. Even better would be to replace the router with a newer model (from any vendor) that still receives security updates.

Finally, let's go to Shodan and see how many Smart Box routers are exposed on the Internet.


As we can see, a total of 79 devices were found, and this is with a free account, without a subscription. With a subscription there would be far more results and capabilities. It is also worth noting that Smart Box routers of different models are exposed on the Internet, as we see on the right. Most Smart Box routers (regardless of model) use the same versions of the vulnerable services I wrote about above and are reachable from the Internet, which poses a security risk.

The OS Command Injection vulnerabilities were assigned the CVE identifier CVE-2020-12246.

At the end of the article, I would like to give a couple of tips to readers:

  1. Update the firmware of your routers
  2. Disable unused services
  3. Keep track of activity on your network

The security of the router is really important, because many devices are connected to it, and attackers can target those devices for compromise.

Article taken from my blog.
