Search the Community
Showing results for tags 'routers'.
-
Millions of routers and other embedded devices are affected by a serious vulnerability that could allow hackers to compromise them. The vulnerability is located in a service called NetUSB, which lets devices connected over USB to a computer be shared with other machines on a local network or the Internet via IP (Internet Protocol). The shared devices can be printers, webcams, thumb drives, external hard disks and more. NetUSB is implemented in Linux-based embedded systems, such as routers, as a kernel driver. The driver is developed by Taiwan-based KCodes Technology. Once enabled, it opens a server that listens on TCP port 20005 for connecting clients. Security researchers from a company called Sec Consult found that if a connecting computer has a name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB service. If exploited, this kind of vulnerability can result in remote code execution or denial of service. Since the NetUSB service code runs in kernel mode, attackers who exploit the flaw could gain the ability to execute malicious code on the affected devices with the highest possible privilege, the Sec Consult researchers said in a blog post Tuesday. Many vendors integrate NetUSB into their products, but have different names for it. For example, Netgear calls the feature ReadySHARE, while others simply call it print sharing or USB share port. Sec Consult has confirmed the vulnerability in the TP-Link TL-WDR4300 V1, TP-Link WR1043ND v2 and Netgear WNDR4500 routers. However, after scanning firmware images from different manufacturers for the presence of the NetUSB.ko driver, they believe that 92 other products from D-Link, Netgear, TP-Link, Trendnet and ZyXEL Communications are likely vulnerable. The researchers also found references to 26 vendors in the NetUSB.inf client driver for Windows, so they believe many other vendors might also have vulnerable products. They’ve alerted the CERT Coordination Center (CERT/CC), the German CERT-Bund and Austrian CERT, who are working to notify the vendors. On some devices it’s possible for users to disable the feature from the Web-based administration interface or to block access to the port using the firewall feature. However, on some devices, like those made by Netgear, this is not possible, the researchers said. Many devices likely expose the NetUSB service to the local area network only, but there might be implementations that expose it to the Internet as well. Even when restricted to the local network only, the vulnerability still poses a high risk, because attackers can potentially exploit it if they compromise any computer from the local network or if they gain access to the network in some other way—for example, due to weak or no wireless password. As far as the Sec Consult researchers know, only TP-Link has released fixes so far. It has a release schedule for around 40 products. TP-Link, Netgear, D-Link and ZyXEL did not immediately respond to a request for comment. This vulnerability is just the latest in a long stream of basic security flaws found in consumer routers in recent years. “It is safe to say that vulnerability reports like these will continue to appear until a paradigm shift is enacted at the manufacturer level,” said Jacob Holcomb, a security analyst at Baltimore-based Independent Security Evaluators, via email. Holcomb has found many vulnerabilities in routers and other embedded devices over the past several years. Security Evaluators organized a router hacking contest at the DefCon security conference last year. The way in which vendors have implemented NetUSB in their products is egregious, Holcomb said. “For instance, hardcoded AES keys, the processing of unvalidated and untrusted data, and kernel integration are all red flags that should have been identified during the early stages of SDLC [software development lifecycle].” Source
-
Feature "It is far more common to find routers with critical flaws than without" - Craig Young "It's sad that end-user education about strong passwords, password safes, and phishing can be undone by something as innocuous as the blinking box in the corner of your room. - Peter Adkins Introduction Home and small business router security is terrible. Exploits emerge with depressing regularity, exposing millions of users to criminal activities. Many of the holes are so simple as to be embarrassing. Hard-coded credentials are so common in small home and office routers, comparatively to other tech kit, that only those with tin-foil hats bother to suggest the flaws are deliberate. Hacker gang Lizard Squad crystallised the dangers – and opportunities – presented by router vulnerabilities when over the Christmas break they crafted a slick paid denial of service stresser service that operated on hacked boxes. Customers were found paying to flood targets of choice with gigabits of bandwidth stolen from what the black hats claimed were a fleet of half a million vulnerable and subsequently hacked routers. A year earlier, security boffins at Team Cymru warned that an unknown ganghad popped 300,000 routers in a week, altering the DNS settings to point to malicious web entities. Those routers were hacked through a self-propagating worm (PDF) that researchers had already warned about, but not yet seen. It used a mix of brute force password guessing of web admin consoles, cross-site request forgery, and known un-patched vulnerabilities. Arguably the most infamous hack in recent months was Check Point's so-called Misfortune Cookie discovered in December 2014. This vulnerability was thought to impact a staggering 12 million routers across 200 models from big names such as Linksys, D-Link, TP-Link, ZTE, and Huawei. Affected routers could be hijacked with a crafted cookie that allows attackers to meddle with just about everything on the units, from password theft, to alterations to DNS, and infection of connected devices. In October Rapid7 had chipped in with its own research, warning that Network Address Translation Port Mapping Protocol configurations in 1.2 million routers was sufficiently borked that remote attackers could spy on internal traffic. Security is 'abysmal' "Router security remains abysmal, especially among the cheapest brands,” says John Matherly, founder of the popular Shodan search engine which crawls for internet-connected devices. “Backdoors, no automated patching and default usernames and passwords are just a few of the problems that many SOHO routers continue to face.” Matherly last month dug up an estimated 250,000 routers used in Spain that were using the same SSH keys, placing those configured a for remote access at heighten risk. He also points to research published two days later by Entrust Solutions hacker Nabin Kc, who found 200,000 home routers contained a firmware backdoor, a flaw replicated across 10 different vendors who seemed to be re-branding a vanilla router. Matherly says badge-engineering seems a common practise for vendors that compete on price over form or function. “It seems that the rate of security problems discovered with routers is only limited by the number of security experts that take the time to analyse the devices,” he says. Source
-
Router Hunter is a php script that scans for and exploits DNS change vulnerabilities in Shuttle Tech ADSL Modem-Router 915 WM and D-Link DSL-2740R routers and also exploits the credential disclosure vulnerability in LG DVR LE6016D devices. Download
-
- credential
- exploits
-
(and 3 more)
Tagged with:
-
A self-replicating program infects Linksys routers by exploiting an authentication bypass vulnerability IDG News Service - A self-replicating program is infecting Linksys routers by exploiting an authentication bypass vulnerability in various models from the vendor's E-Series product line. Researchers from SANS Institute's Internet Storm Center (ISC) issued an alert Wednesday about incidents where Linksys E1000 and E1200 routers had been compromised and were scanning other IP (Internet Protocol) address ranges on ports 80 and 8080. On Thursday the ISC researchers reported that they managed to capture the malware responsible for the scanning activity in one of their honeypots -- systems intentionally left exposed to be attacked. The attacks seems to be the result of a worm -- a self-replicating program -- that compromises Linksys routers and then uses those routers to scan for other vulnerable devices. "At this point, we are aware of a worm that is spreading among various models of Linksys routers," said Johannes Ullrich, the chief technology officer at SANS ISC, in a separate blog post. "We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900." The worm, which has been dubbed TheMoon because it contains the logo of Lunar Industries, a fictitious company from the 2009 movie "The Moon," begins by requesting a /HNAP1/ URL from devices behind the scanned IP addresses. HNAP -- the Home Network Administration Protocol -- was developed by Cisco and allows identification, configuration and management of networking devices. The worm sends the HNAP request in order to identify the router's model and firmware version. If it determines that a device is vulnerable, it sends another request to a particular CGI script that allows the execution of local commands on the device. SANS has not disclosed the name of the CGI script because it contains an authentication bypass vulnerability. "The request does not require authentication," Ullrich said. "The worm sends random 'admin' credentials but they are not checked by the script." The worm exploits this vulnerability to download and execute a binary file in ELF (Executable and Linkable) format compiled for the MIPS platform. When executed on a new router, this binary begins scanning for new devices to infect. It also opens an HTTP server on a random low-numbered port and uses it to serve a copy of itself to the newly identified targets. The binary contains a hardcoded list of over 670 IP address ranges that it scans, Ullrich said. "All appear to be linked to cable or DSL modem ISPs in various countries." It's not clear what the purpose of the malware is other than spreading to additional devices. There are some strings in the binary that suggest the existence of a command-and-control server, which would make the threat a botnet that attackers could control remotely. Linksys is aware of the vulnerability in some E-Series routers and is working on a fix, said Mike Duin, a spokesman for Linksys owner Belkin, in an email Friday. Ullrich outlined several mitigation strategies in comments to his blog post. First of all, routers that are not configured for remote administration are not directly exposed to this attack. If a router needs to be administered remotely, restricting access to the administrative interface by IP address will help reduce the risk, Ullrich said. Changing the port of the interface to something other than 80 or 8080, will also prevent this particular attack, he said. Via Worm 'TheMoon' infects Linksys routers - Network World