7/5/2012
05:48 PM

Seemingly Insignificant SQL Injections Lead To Rooted Routers

Black Hat researcher to show how vulnerable databases with temporary router information can lead to root-level access of Netgear routers

Low-priority databases containing temporary network workload information could be a perfect vector for simple SQL injection attacks, which, given the right chain of attack, can lead to outright domination of WiFi routers. So warns a Black Hat presenter who, in a few weeks, will show how he chained SQL injection attacks with other flaws to achieve remote takeovers of SOHO routers.


"I don't want to share too many of the technical details before my presentation, but what I will say is that what I'm doing is combining what you might call a high-exposure but low-value vulnerability with some less-exposed but higher-value vulnerabilities," explains Zachary Cutlip, a security researcher with Tactical Network Solutions. "So the higher-value vulnerabilities you wouldn't be able to get at very easily normally, but if you did you'd have a lot of access."

A researcher who spends considerable time testing the bounds of wireless networking equipment of all types, Cutlip says SQL injection has come into play more often than he would have guessed when he first started testing WiFi routers. For example, in some cases he has seen routers that store login credentials in a SQLite database in such a way that an attacker who finds and exploits a SQL injection vulnerability can log into the router without credentials.
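The credential-bypass pattern described above, as an added example that is not from the article or from Cutlip's research. It uses Python's standard sqlite3 module against a constructed in-memory table (the table layout, user name and password are assumptions for illustration, not taken from any firmware). The string-built login query lets the password field become SQL syntax, so a classic `' OR '1'='1` payload authenticates; the bound-parameter version treats the same input as data and rejects it.

```python
import sqlite3


def build_db():
    """Constructed sample data: a hypothetical router credential table.

    Not from the article or any real firmware; plaintext storage is
    deliberate here only to mirror the plain-text passwords the article
    mentions, and is itself a weakness.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("admin", "correct horse battery staple"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Vulnerable: user input is spliced directly into the SQL text.

    With password = "' OR '1'='1" the WHERE clause becomes
        name = 'admin' AND password = '' OR '1'='1'
    which is always true, so the check passes without a valid password.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, name, password):
    """Hardened: bound parameters keep the input as data, never as SQL.

    The same payload is compared literally against the stored password
    and fails. (In real firmware the stored value should be a salted hash
    and the comparison constant-time; omitted here to keep the contrast
    with the vulnerable query clear.)
    """
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] > 0


def compare_logins(name, password):
    """Run one credential pair through both checks; returns (vulnerable, safe)."""
    conn = build_db()
    return login_vulnerable(conn, name, password), login_safe(conn, name, password)


if __name__ == "__main__":
    # Assumed attacker payload targeting the password field.
    payload = "' OR '1'='1"
    print("payload  ->", compare_logins("admin", payload))
    print("real pwd ->", compare_logins("admin", "correct horse battery staple"))
    print("wrong pwd->", compare_logins("admin", "wrong"))
```

The practical check for a firmware reviewer is the one in the docstring: any query assembled with `%`, `+` or `sprintf`-style formatting from request data is the vulnerable shape, regardless of how unimportant the table looks.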

"One of the main ideas in my paper is, usually we think of SQL injection attacks being against databases that have valuable data," he says. "They think of it as being against a database that you want to compromise or tamper with or exfiltrate in some way. But you might also have a vulnerability database that has temporary workload data that [hackers] may be able to stick into [their] hip pocket to be used later."

In the work he'll showcase at Black Hat, Cutlip found a way to exploit buffer overflows that ended up giving him root-level access to Netgear wireless routers. He also found that he could use SQL injections against these routers to extract arbitrary files from the router file systems, including plain-text passwords. While his work was limited to a subset of routers, he believes the security community could easily use his techniques more broadly on other devices.

His biggest hope is to impress on audience members and others in the network device world that low-value database vulnerabilities can have serious unintended consequences.

"In this case, what I'm hoping audience attendees take away is that you may see a SQL injection vulnerability in your analysis that isn't very valuable, and you might be inclined to dismiss it," Cutlip says, "but combining that with other vulnerabilities can yield a pretty novel attack. In this case, we're going to be exploiting a SQL injection in a database that has very temporary data, but it has no valuable data whatsoever. So it might seem there would be no motivation to attack the database. But by doing so, it's going to give us access to some other vulnerabilities."
