Vulnerabilities / Threats
7/27/2012
11:24 AM
Connect Directly
RSS
E-Mail
50%
50%

Mass Router Infection Possible: Black Hat

Black Hat presenters detail how an HTML5-compliant browser could deliver malicious firmware, bring network-connected hardware under attackers' control.

Routers, switches, printers, firewalls, and other network-attached hardware can be automatically targeted via the Internet and brought under attackers' control, with no user interaction.

That was the takeaway from the "Blended Threats and JavaScript: A Plan For Permanent Network Compromise" session Thursday at the Black Hat conference in Las Vegas. Such an attack hinges on modern browsers' support for HTML5, which allows developers to create complex JavaScript applications that run in the browser.

How could an attacker "own" a router? First, the victim would have to be lured into visiting a malicious website, which would then push JavaScript with instructions to the browser to tell it about all locally connected devices. Second, after learning about the network and finding a device to target, the malicious website would need to launch a brute-force attack and divine login credentials for the device. Then, after gaining access to the device, the website could then send malicious firmware, instructing the browser to install it on the targeted device.

At that point, "you've essentially turned these SOHO [small office/home office] devices into a full-blown Linux attack framework, and, generally speaking, it will still look and act the same way," meaning users would be none the wiser, said presenter Joshua Brashars, a senior penetration tester at AppSec Consulting.

"We're replacing an operating system on a network device and taking complete control of it," said fellow presenter Phil Purviance, an information security specialist at AppSec Consulting.

[ What can the FBI teach you about corporate security? See Black Hat: 6 Lessons To Tighten Enterprise Security. ]

Another upside--for attackers--of this type of an attack is that it could be used to install custom firmware, allowing an attacker to surreptitiously monitor everything that passed through the device, for example by instructing the router to send all data to an attacker-controlled website.

The researchers demonstrated the attack against a widely available type of Linksys router, noting that additional work would be needed to use the attack on a wide scale. According to Purviance, "this is something that can be done, if someone spent enough time and built a large enough toolkit."

One hurdle with the researchers' approach is that such a toolkit first needs to fingerprint--as in, identify--which types of devices were on a targeted network. The researchers said this type of functionality is offered via such free applications as JS-Recon--billed as an "HTML5-based JavaScript network reconnaissance tool," jslanscanner, which has a database of about 200 devices, or sscan. "A determined attacker could fine-tune utilities like jslanscanner and add hundreds of additional devices, and make them so much better," said Purviance.

When it comes to making this type of attack succeed, there several caveats, such as having to discover the access credentials for the device. Then again, while network-connected devices are typically password protected, many consumer devices ship with default usernames and passwords that don't get changed. "If you're able to find out what device they have, you're able to make a pretty good guess about what their password would be," said Purviance, noting that websites such as default-router-password database RouterPasswords.com can help.

In addition, the presenters said the attack would be more likely to succeed against SOHO (a.k.a. small or home office) devices, on which it's easier to update firmware, compared with an enterprise device. Some SOHO devices, for example, can even be instructed to fetch and install new firmware from a designated external website.

After identifying the router or other targeted device and brute-force guessing its account name and password, then pushing the correct type of malicious firmware to the device, installing the firmware would require a restart. Might a targeted user notice a router reboot? That's a possibility, but the researchers said that such behavior could be disguised via a social-engineering attack. One possibility would be to serve the attack via a fake file-sharing website, since users are often accustomed to having to wait for a minute or two before being allowed to download a file. After the router or other device restarted, there would be no indication that it was running malicious firmware.

The presenters said their findings built on previous research, including Black Hat talks in 2006 and 2007 delivered by Jeremiah Grossman and Robert Hansen, which demonstrated a cross-site request forgery attack in which websites could pass code to devices on the internal network. The AppSec researchers said they'd improved on that research by eliminating the need to trick users into revealing network-connected device account names and passwords. Instead, they said their attack could be fully automated, requiring no user interaction.

Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5242
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

CVE-2012-5243
Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

CVE-2012-5702
Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

CVE-2013-7406
Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2531
Published: 2014-10-21
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) R...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.