Vulnerabilities / Threats
7/27/2012
11:24 AM
Connect Directly
RSS
E-Mail
50%
50%

Mass Router Infection Possible: Black Hat

Black Hat presenters detail how an HTML5-compliant browser could deliver malicious firmware, bring network-connected hardware under attackers' control.

Routers, switches, printers, firewalls, and other network-attached hardware can be automatically targeted via the Internet and brought under attackers' control, with no user interaction.

That was the takeaway from the "Blended Threats and JavaScript: A Plan For Permanent Network Compromise" session Thursday at the Black Hat conference in Las Vegas. Such an attack hinges on modern browsers' support for HTML5, which allows developers to create complex JavaScript applications that run in the browser.

How could an attacker "own" a router? First, the victim would have to be lured into visiting a malicious website, which would then push JavaScript with instructions to the browser to tell it about all locally connected devices. Second, after learning about the network and finding a device to target, the malicious website would need to launch a brute-force attack and divine login credentials for the device. Then, after gaining access to the device, the website could then send malicious firmware, instructing the browser to install it on the targeted device.

At that point, "you've essentially turned these SOHO [small office/home office] devices into a full-blown Linux attack framework, and, generally speaking, it will still look and act the same way," meaning users would be none the wiser, said presenter Joshua Brashars, a senior penetration tester at AppSec Consulting.

"We're replacing an operating system on a network device and taking complete control of it," said fellow presenter Phil Purviance, an information security specialist at AppSec Consulting.

[ What can the FBI teach you about corporate security? See Black Hat: 6 Lessons To Tighten Enterprise Security. ]

Another upside--for attackers--of this type of an attack is that it could be used to install custom firmware, allowing an attacker to surreptitiously monitor everything that passed through the device, for example by instructing the router to send all data to an attacker-controlled website.

The researchers demonstrated the attack against a widely available type of Linksys router, noting that additional work would be needed to use the attack on a wide scale. According to Purviance, "this is something that can be done, if someone spent enough time and built a large enough toolkit."

One hurdle with the researchers' approach is that such a toolkit first needs to fingerprint--as in, identify--which types of devices were on a targeted network. The researchers said this type of functionality is offered via such free applications as JS-Recon--billed as an "HTML5-based JavaScript network reconnaissance tool," jslanscanner, which has a database of about 200 devices, or sscan. "A determined attacker could fine-tune utilities like jslanscanner and add hundreds of additional devices, and make them so much better," said Purviance.

When it comes to making this type of attack succeed, there several caveats, such as having to discover the access credentials for the device. Then again, while network-connected devices are typically password protected, many consumer devices ship with default usernames and passwords that don't get changed. "If you're able to find out what device they have, you're able to make a pretty good guess about what their password would be," said Purviance, noting that websites such as default-router-password database RouterPasswords.com can help.

In addition, the presenters said the attack would be more likely to succeed against SOHO (a.k.a. small or home office) devices, on which it's easier to update firmware, compared with an enterprise device. Some SOHO devices, for example, can even be instructed to fetch and install new firmware from a designated external website.

After identifying the router or other targeted device and brute-force guessing its account name and password, then pushing the correct type of malicious firmware to the device, installing the firmware would require a restart. Might a targeted user notice a router reboot? That's a possibility, but the researchers said that such behavior could be disguised via a social-engineering attack. One possibility would be to serve the attack via a fake file-sharing website, since users are often accustomed to having to wait for a minute or two before being allowed to download a file. After the router or other device restarted, there would be no indication that it was running malicious firmware.

The presenters said their findings built on previous research, including Black Hat talks in 2006 and 2007 delivered by Jeremiah Grossman and Robert Hansen, which demonstrated a cross-site request forgery attack in which websites could pass code to devices on the internal network. The AppSec researchers said they'd improved on that research by eliminating the need to trick users into revealing network-connected device account names and passwords. Instead, they said their attack could be fully automated, requiring no user interaction.

Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant