Vulnerabilities / Threats
7/27/2012
11:24 AM
50%
50%

Mass Router Infection Possible: Black Hat

Black Hat presenters detail how an HTML5-compliant browser could deliver malicious firmware, bring network-connected hardware under attackers' control.

Routers, switches, printers, firewalls, and other network-attached hardware can be automatically targeted via the Internet and brought under attackers' control, with no user interaction.

That was the takeaway from the "Blended Threats and JavaScript: A Plan For Permanent Network Compromise" session Thursday at the Black Hat conference in Las Vegas. Such an attack hinges on modern browsers' support for HTML5, which allows developers to create complex JavaScript applications that run in the browser.

How could an attacker "own" a router? First, the victim would have to be lured into visiting a malicious website, which would then push JavaScript with instructions to the browser to tell it about all locally connected devices. Second, after learning about the network and finding a device to target, the malicious website would need to launch a brute-force attack and divine login credentials for the device. Then, after gaining access to the device, the website could then send malicious firmware, instructing the browser to install it on the targeted device.

At that point, "you've essentially turned these SOHO [small office/home office] devices into a full-blown Linux attack framework, and, generally speaking, it will still look and act the same way," meaning users would be none the wiser, said presenter Joshua Brashars, a senior penetration tester at AppSec Consulting.

"We're replacing an operating system on a network device and taking complete control of it," said fellow presenter Phil Purviance, an information security specialist at AppSec Consulting.

[ What can the FBI teach you about corporate security? See Black Hat: 6 Lessons To Tighten Enterprise Security. ]

Another upside--for attackers--of this type of an attack is that it could be used to install custom firmware, allowing an attacker to surreptitiously monitor everything that passed through the device, for example by instructing the router to send all data to an attacker-controlled website.

The researchers demonstrated the attack against a widely available type of Linksys router, noting that additional work would be needed to use the attack on a wide scale. According to Purviance, "this is something that can be done, if someone spent enough time and built a large enough toolkit."

One hurdle with the researchers' approach is that such a toolkit first needs to fingerprint--as in, identify--which types of devices were on a targeted network. The researchers said this type of functionality is offered via such free applications as JS-Recon--billed as an "HTML5-based JavaScript network reconnaissance tool," jslanscanner, which has a database of about 200 devices, or sscan. "A determined attacker could fine-tune utilities like jslanscanner and add hundreds of additional devices, and make them so much better," said Purviance.

When it comes to making this type of attack succeed, there several caveats, such as having to discover the access credentials for the device. Then again, while network-connected devices are typically password protected, many consumer devices ship with default usernames and passwords that don't get changed. "If you're able to find out what device they have, you're able to make a pretty good guess about what their password would be," said Purviance, noting that websites such as default-router-password database RouterPasswords.com can help.

In addition, the presenters said the attack would be more likely to succeed against SOHO (a.k.a. small or home office) devices, on which it's easier to update firmware, compared with an enterprise device. Some SOHO devices, for example, can even be instructed to fetch and install new firmware from a designated external website.

After identifying the router or other targeted device and brute-force guessing its account name and password, then pushing the correct type of malicious firmware to the device, installing the firmware would require a restart. Might a targeted user notice a router reboot? That's a possibility, but the researchers said that such behavior could be disguised via a social-engineering attack. One possibility would be to serve the attack via a fake file-sharing website, since users are often accustomed to having to wait for a minute or two before being allowed to download a file. After the router or other device restarted, there would be no indication that it was running malicious firmware.

The presenters said their findings built on previous research, including Black Hat talks in 2006 and 2007 delivered by Jeremiah Grossman and Robert Hansen, which demonstrated a cross-site request forgery attack in which websites could pass code to devices on the internal network. The AppSec researchers said they'd improved on that research by eliminating the need to trick users into revealing network-connected device account names and passwords. Instead, they said their attack could be fully automated, requiring no user interaction.

Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jamie, the darn Unicorn is back."
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.