Seemingly Insignificant SQL Injections Lead To Rooted RoutersBlack Hat researcher to show how vulnerable databases with temporary router information can lead to root-level access of Netgear routers
Low-priority databases containing temporary network workload information could be a perfect vector for simple SQL injection attacks, which can lead to outright domination of WiFi routers given the right chain of attack. So warns a Black Hat presenter who, in a few weeks, will show how he used SQL injection attacks to put together attacks that lead to remote takeovers of SOHO routers.
"I don't want to share too many of the technical details before my presentation, but what I will say is that what I'm doing is combining what you might call a high-exposure but low-value vulnerability with some less-exposed but higher-value vulnerabilities," explains Zachary Cutlip, a security researcher with Tactical Network Solutions. "So the higher-value vulnerabilities you wouldn't be able to get at very easily normally, but if you did you'd have a lot of access."
A researcher who spends considerable time testing the bounds of wireless networking equipment of all types, Cutlip says he has found SQL injection attacks to come into play more often than he would have guessed when he first got into testing WiFi routers. For example, in some cases he has seen routers where the login credentials are stored in a SQL Lite database in such a way that if an attacker can find a SQL injection vulnerability and exploit it, then he can log into the router without credentials.
"One of the main ideas in my paper is, usually we think of SQL injection attacks being against databases that have valuable data," he says. "They think of it as being against a database that you want to compromise or tamper with or exfiltrate in some way. But you might also have a vulnerability database that has temporary workload data that [hackers] may be able to stick into [their] hip pocket to be used later."
In the work he'll showcase at Black Hat, Cutlip found a way to exploit buffer overflows that ended up giving him root-level access to Netgear wireless routers. He also found that he could use SQL injections against these routers to extract arbitrary files from the router file systems, including plain-text passwords. While his work was limited to a subset of routers, he believes the security community could easily use his techniques more broadly on other devices.
His biggest hope is that he can instill on audience members and others in the network device world that low-value database vulnerabilities could have a lot of serious unintended consequences.
"In this case, what I'm hoping audience attendees take away is that you may see a SQL injection vulnerability in your analysis that isn't very valuable, and you might be inclined to dismiss it," Cutlip says, "but combining that with other vulnerabilities can yield a pretty novel attack. In this case, we're going to be exploiting a SQL injection in a database that has very temporary data, but it has no valuable data whatsoever. So it might seem there would be no motivation to attack the database. But by doing so, it's going to give us access to some other vulnerabilities."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.