
Back story: I do information assurance for somebody, and I got lucky and got on a job to do some HIPAA work for a company. Their routers suck, because the predecessor didn't do their job, so they needed to go buy routers while I had my nice Buffalos on order. So the routers are coming in, and I was like, all right, go buy the cheapest router you can at Walmart, we'll patch it, we'll make it do until the nice Buffalos come in. And they went and they bought the router at Walmart, I won't say the manufacturer, and they installed it, we got it going, and I'm able to do what I need to do. But due diligence says that I will check the firmware and then I will make sure it's up to date. That's my part: if we go to court and it's on the manufacturer, I did my part. So I did what I did and I logged on to the router web page, which we'll do right now. Again, these are names we shall not say, but if you're smart you'll figure it out. Okay, come on, Linux.

Okay, so you go to the dashboard and you scroll down (it looks a little different when you're connected to the internet), and you go to Advanced Settings, and somewhere in here, Firmware Update. The first issue I noticed: now, this box is actually patched for firmware, but when you click Check for New Firmware, it was two versions behind and it said I was good to go. I went on the manufacturer's website and it was not good to go. Come to find out it's broken across their whole... every single router is vulnerable to this. So even if they push out the update, if the person implementing this router only goes this far, they think they're good to go and they're patched, and they're not.

All right, so that's cool. So let's go to the home page. So the way this router works, you're either locked or you're unlocked. Right now we're unlocked, so what we're going to do is we're going to put a password on it, and we're going to use "password" as the password. All right, Set Password. Okay, so now all the attackers, they might be on the LAN. It's this type of router you're going to see at your mom and pop store, your bars, your whatever. A real company wouldn't use this router, but you're going to find this in the wild. So you're going to scroll down, you're going to see it's locked, we're going to try to unlock it, you're going to put some nonsense in, "let me in", can't see it, okay, we're locked out.

All right, so you scroll down and you go to Router Details, and the first thing I noticed when I looked at this was the fact that the password was obfuscated. So the password right now for the router is "password", and granted I'm on... Can you not hear? No? Okay, sorry, I'll point with the mouse. So when I looked at the web GUI, the first thing I noticed was the password is obfuscated. I didn't bother counting the dots, but I saw that and I'm like, even though I'm on the LAN, even though I have permission, and obviously I have a password, to have the password to be on the LAN, that's not right, something's wrong here.

So what I did, I decided to curl, because curl is your friend, and if you curl 192.168.2.1/dashboard.htm and we'll pipe it to less... oh, oh, there we go, and we'll scroll up. Where does she be?

Okay, so I looked into the web GUI and it was obfuscated, and I looked at it in curl, and I guess they didn't do a JavaScript or whatever high-level controls, and right there in curl it shows "password" as the password. So that was my first hint that this router is all jacked up. So I went online and I did some research, and it turns out that there was a CVE back in 2014 on this very router. When you go to CVE through MITRE, CVE-2014-2962, and you pull it up, because that's the first thing you do when you want to exploit something, right? We go to our CDS public knowledge, CVE-2014-2962 tells you about a cgi-bin vulnerability. What this allows you to do is directory traversal, right, so we can see /etc/passwd, that type of fun stuff. So what we'll do is we'll pull up our CGI string, and I am trying to burn through this because I know we're low on time, and we'll go right here, and boom. So the firmware I have is 2.x, whatever the hell it is, right? Firmware 1 was when this was disclosed, and the vendor still hasn't patched it. Why? Because they don't care. They don't care about you, me, mom and pop, nobody cares until you take money out of their pocket, then they care. All right, so you'll see root x x, which tells us it's shadowed.

So we're going to go to shadow right now. This is all public knowledge, we haven't gotten to the fun stuff. So shadow, and we go to shadow, and we see this right here: the "$1$" tells you it's an MD5 sum. If you actually grab this value and you do some Googling, you find out that that value in MD5 is "root", right? So the next stage to do is to do an nmap scan, right, see what's on this router. Turns out by default this router really sucks, and telnet 192.168... okay. Oh, well, there we go, demo gods be with me. Okay, root and root, and now we're in, we got root, shell in a box, right? So that's kind of cool, I mean, that's how... anybody can find that. I played around with this thinking I could pwn the router at the command line level. I couldn't; it's a read-only file system, /var is the only read-write file system, but it's actually tar xf'd at boot time, so whatever you do to /var read-write, when it's rebooted it has no effect. So there's nothing I could do there. So I kept playing around and I finally was like, all right, let's see what's... you know, let's try to do some HTML magic. So we'll go here, and I'm not gonna bring up Burp Suite. Jason gave an awesome talk on Burp Suite, please watch his talk, awesome.

So what's gonna happen is, without boring you guys to death and doing this as quick as possible, I'm just gonna pull up the string. All right, talk. So what happens is, when you do anything on here, you can be locked or unlocked. If you capture the string, you're able to replay it many times down the road, any string, for any router. So what we'll do, we'll grab this N150, and while I could go back, I could change passwords, DNS, anything you want to do, right? But that's cool, that's all gravy. Web GUI root is what we want, right? So we captured the curl string, and how I obtained this, if you look... where is it? Oh, there it is. I played and played with this, and if you look right here, I have no doubt what password is equal to. There used to be a string, and it went: the original password in base64, tw tw hash, and then the new password. So I tried to figure out, okay, well, how can I pwn this router without knowing the old password? You can't, you have to know the old password to do anything. So I was like, what happens if we just null the value out? All right, so let's null the value out, copy, and right now, just to show you guys, on this router let's scroll down, we're delete hacks, we're on the system, let's change some stuff. Password is going to come up, we're going to type something in, we can't brute force it, we don't know it, it's not correct. So let's go ahead and just paste and press Enter, and what we want is a zero on the error code, and we got it. The demo gods are nice, there's our error status. Let's go here and let's press Shift+F5, and it went from locked to unlocked. A zero-day, it's not known. So that was like, whoa. And there's a bunch of other fun stuff: I can change any setting unauthenticated when this router is locked, whatever I want, just play around with cgi-bin. So that's router one, for a manufacturer which we're not going to mention.

Let's go to the next router. So what I did, I went to Walmart and I bought the shiniest box I could, the nicest, most expensive. It says on the back all the check marks are done, you want this router, right? So let's connect to it. Pretty much, I mean, the box screen is blinding, you know, and there's a lot more to this, but I'm really trying to compress this and get this done so everybody can see just how bad this is. All right, so we're on. I'm gonna go ahead and close that out, so let's go to here and log in, right? So now we're on a different router, but the thing I noticed, the vulnerability is, it's the router, and the people who this company we won't name hired, they really suck. They should be fired, because they get people that attend these talks a bad name. They really should be fired. Five minutes? All right, five minutes, we're getting there, right? So this company we won't name, they're rocking mini_httpd, all right, and it's very vulnerable how they implemented it, right? So we log on the router, and I couldn't play around with this one as nice as I could the other one, but what I found out was, after some playing around with it, if you just simply type in belkin, and this is where Burp Suite comes in, right, api with a slash, you can do directory traversal, and that's amazing, right, there's all your CGI. Then people that are smarter than me understand what you can do with this; I'm not that smart. But after you click on all this stuff and you see what it does, I kept scrolling down and scrolling down, and I saw two things: I saw Reboot Router and Restore Factory Default. For time purposes I'm not going to reboot it, but let's go ahead and restore it, right? So right now you see I'm connected to Belk-, uh, to router 1, and it's password protected. Let's go ahead and restore it. It's going to tell me "wait 30". The router just rebooted. This is remote code execution. There's about 800 routers in the world right now, if you look at Shodan, excuse me, they're vulnerable. You can constantly reboot them, or you can reset them. The minute that you reset them you lose your remote access, but if you reboot them you're DDoSing them, and DDoS sucks, right? So we'll wait, and now you're going to see the pop-up happen telling me I've lost access to this network, it's been reset. There we go. Up here where it would say that I'm connected, I'm no longer connected, and now we're going to see... here we go, defaults. So there will be a default belkin,

disconnect from that guy, somewhere in here...

So many Wi-Fis.

There we go, so we'll connect back to it. The router has been reset. So how you would do this: let's say you're in a bar or wherever, and they're swiping their PCI DSS data, you know, their password, the password is "password", because they have the sign that says "hey, join our Wi-Fi". So what you'll do, you wait till 3 a.m. when the bar closes down, you'll reset them to default, you'll set it up just like they had it, because they gave their guests access, and then you'll point their DNS to your server, or your time to do this or do that, whatever your imagination goes to. And we'll go ahead and pop in the default here, and now we'll join. About two minutes, okay, we're joined in, and now we'll go back to 2.1 and we're in, and the router has been reset. And if you go straight to the dashboard, come on...

There we go, okay, we're in, it's unlocked. Let's go ahead and set a password so that, you know, the owner can't do anything. We'll set the password, Set Password, and boom, nobody except us with the password, and the owner doesn't care anyways, that's why they implemented it. This affects things like... this affects about four other models. Every router you buy at Walmart is vulnerable to this. Yeah. Any questions?
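Two of the behaviours in this talk leave a clear trace in a web server access log: directory traversal through a cgi-bin handler to reach /etc/passwd or /etc/shadow (the CVE-2014-2962 class of bug), and repeated hits on the management API's reboot or restore actions (the "DDoS by reboot" the speaker describes). As an added, defender-side example that is not part of the talk and not any vendor's code, the script below runs detection logic over sample access-log lines. The combined-log-format layout, the endpoint names (/cgi-bin/page?file=..., /api/reboot_router) and the sample lines are constructed assumptions chosen to mirror the actions named in the talk, not the real paths of either router.

```python
"""Flag traversal and admin-action abuse against a router's web interface.

Added example, not from the talk or any vendor. Log format, endpoint names and
sample lines are constructed assumptions.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx combined-log-format style line (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# ".." as a path segment, whether it follows "/", "=", "?" or "&" (query-string traversal).
TRAVERSAL_RE = re.compile(r'(?:^|[/=?&])\.\.(?:/|$)')
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow")
# Hypothetical keywords for state-changing management calls, mirroring the
# "reboot router", "restore factory default" and "set password" actions in the talk.
ADMIN_KEYWORDS = ("reboot", "restore", "factory", "password")


def normalize_path(path):
    """URL-decode until stable (catches %2e%2e and double encoding), then lower-case."""
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def classify(line):
    """Parse one log line; return a record with a list of findings, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("path"))
    findings = []
    if TRAVERSAL_RE.search(path):
        findings.append("traversal")
    if any(f in path for f in SENSITIVE_FILES):
        findings.append("sensitive-file")
    if any(k in path for k in ADMIN_KEYWORDS):
        findings.append("admin-action")
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "path": m.group("path"),
        "status": status,
        "findings": findings,
        # A 200 means the server served the request, not merely received it.
        "served": status == 200,
    }


def analyze(lines, reboot_threshold=3):
    """Return (alerts, repeat_offenders): flagged records and sources that
    repeatedly get a 200 on admin actions (the reboot-loop pattern)."""
    alerts = []
    admin_hits = Counter()
    for line in lines:
        rec = classify(line)
        if rec is None or not rec["findings"]:
            continue
        alerts.append(rec)
        if "admin-action" in rec["findings"] and rec["served"]:
            admin_hits[rec["ip"]] += 1
    offenders = sorted(ip for ip, n in admin_hits.items() if n >= reboot_threshold)
    return alerts, offenders


# Constructed sample log: one benign client (10.0.0.5) and one abusive one (10.0.0.9).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2014:03:02:11 -0500] "GET /dashboard.htm HTTP/1.1" 200 4120
10.0.0.9 - - [10/Oct/2014:03:02:15 -0500] "GET /cgi-bin/page?file=../../../../etc/passwd HTTP/1.1" 200 880
10.0.0.9 - - [10/Oct/2014:03:02:16 -0500] "GET /cgi-bin/page?file=..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2014:03:02:40 -0500] "POST /api/reboot_router HTTP/1.1" 200 12
10.0.0.9 - - [10/Oct/2014:03:03:10 -0500] "POST /api/reboot_router HTTP/1.1" 200 12
10.0.0.9 - - [10/Oct/2014:03:03:41 -0500] "POST /api/reboot_router HTTP/1.1" 200 12
10.0.0.5 - - [10/Oct/2014:03:05:00 -0500] "GET /cgi-bin/page?file=html/index.html HTTP/1.1" 200 3000
"""

if __name__ == "__main__":
    alerts, offenders = analyze(SAMPLE_LOG.splitlines())
    for a in alerts:
        print(f"{a['ip']:10} {a['status']} {','.join(a['findings']):24} {a['path']}")
    print("repeat admin-action sources:", offenders)
```

The decode-until-stable step matters because a single unquote misses double-encoded sequences such as %252e%252e. The repeat-offender count only includes requests that returned 200, so an IP that is blocked or gets 401s from a properly authenticated API does not trip the reboot-loop threshold; lower the threshold or alert on any served admin action if the interface is only supposed to be reachable from the LAN.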