Praetorian503 Posted January 31, 2013

A critical security vulnerability that allows a remote unauthenticated attacker to remotely execute arbitrary code under root privileges has been discovered in Broadcom's UPnP software.

DefenseCode Security Advisory
http://www.defensecode.com/

Broadcom UPnP Remote Preauth Root Code Execution Vulnerability

Advisory ID: DC-2013-01-003
Advisory Title: Broadcom UPnP Remote Preauth Root Code Execution Vulnerability
Advisory URL: http://www.defensecode.com/subcategory/advisories-28
Software: Broadcom UPnP software
Vulnerable: Multiple router manufacturers
Vendor Status: Vendors contacted
Initial Release Date: 2013-01-15
Release Date Postponed To: 2013-01-31
Risk: Critical

1. General Overview
===================

During the security evaluation of Cisco Linksys routers for a client, we have discovered a critical security vulnerability that allows a remote unauthenticated attacker to remotely execute arbitrary code under root privileges.

Upon the initial vulnerability announcement a few weeks ago, a Cisco spokesman stated that only one router model is vulnerable - WRT54GL.

We have continued with our research and found that, in fact, the same vulnerable firmware component is also used in at least two other Cisco Linksys models - WRT54G3G and probably WRT310N. Could be others.

Moreover, the vulnerability turns out to be even more dangerous, since we have discovered that the same vulnerable firmware component is also used across many other big-brand router manufacturers and many smaller vendors.

The vulnerability itself is located in the Broadcom UPnP stack, which is used by many router manufacturers that produce or produced routers based on the Broadcom chipset.

We have contacted them with vulnerability details and we expect patches soon.

However, we would like to point out that we have sent more than 200 e-mails to various router manufacturers and various people, without much success.

Some of the manufacturers contacted regarding this vulnerability are Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, US Robotics, and so on.

Routers with the vulnerable Broadcom UPnP stack are mostly based on the Broadcom chipset. You can check how many manufacturers use the Broadcom chipset here: http://wiki.openwrt.org/toh/start (search for Broadcom, brcm or bcm).

We don't know exactly how many of them are affected, since we were unable to contact all of them, but we suspect there are probably tens of millions of vulnerable routers out there.

According to a separate recent vulnerability disclosure by Rapid7 in another UPnP implementation (libupnp):

"In all, 73 per cent of problems occur with products based on four SDKs, the report found. These are Portable SDK for UPnP Devices; MiniUPnP; a third, commercial stack that is likely developed by Broadcom; and another commercial SDK that could not be tracked to a specific developer." - Rapid7

Many routers have their UPnP interface available over the WAN interface, so the vulnerability can also be exploited over the internet. It seems that, at the moment, the only popular UPnP implementation that's not hit by a remote preauth security vulnerability is MiniUPnP.

2. Software Overview
====================

Broadcom UPnP is a UPnP (Universal Plug and Play) protocol implementation developed by Broadcom, and often used on routers shipped with the Broadcom chipset.

The vulnerability described in this advisory is located within the wanipc and wanppp modules of the Broadcom UPnP stack.

Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices, to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment.

3. Vulnerability Description
============================

During the security analysis, we have discovered a remote preauth format string vulnerability in the Broadcom UPnP stack. The vulnerability can be exploited to write arbitrary values to an arbitrary memory address, and also to remotely read router memory. When properly exploited, it allows an unauthenticated attacker to execute arbitrary code under the root account.

A full exploit was previously demonstrated in the following video on a Cisco Linksys WRT54GL, which is also based on the Broadcom UPnP stack: http://www.youtube.com/watch?v=cv-MbL7KFKE.

The vulnerability is present in the SetConnectionType function of the wanipc and wanppp modules. The vulnerability itself can be reached with a single SOAP request that calls the SetConnectionType function.

SetConnectionType:
------------------
<?xml version="1.0"?>
<SOAP-ENV:Envelope...>
<SOAP-ENV:Body>
  <m:SetConnectionType xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1" as="">
    <NewConnectionType>#FORMAT_STRING#</NewConnectionType>
  </m:SetConnectionType>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
------------------

Format string output is available through the GetConnectionTypeInfo SOAP request as presented below.

GetConnectionTypeInfo:
------------------
<?xml version="1.0"?>
<SOAP-ENV:Envelope...>
<SOAP-ENV:Body>
  <m:GetConnectionTypeInfo xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
  </m:GetConnectionTypeInfo>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
------------------

The format string vulnerability is present because user input from the SOAP request is supplied as the format string argument to the snprintf() function in the files wanipc.c and wanppp.c.

The vulnerable code lines are located in the following files and code lines:

/upnp/igd/wanipc.c:
-------------------
static int SetConnectionType(UFILE *uclient, PService psvc, PAction ac,
                             pvar_entry_t args, int nargs)
{
    /* ac->params[0].value is the caller-supplied NewConnectionType
     * argument, passed here in the format-string position */
    snprintf(psvc->vars[VAR_ConnectionType].value,
             sizeof(psvc->vars[VAR_ConnectionType].value),
             ac->params[0].value);
    return TRUE;
}
-------------------

/upnp/igd/wanppp.c:
-------------------
int WANPPPConnection_SetConnectionType(UFILE *uclient, PService psvc,
                                       PAction ac, pvar_entry_t args, int nargs)
/* "SetConnectionType", WANPPPConnection_SetConnectionType, */
{
    /* same pattern: the SOAP argument is used as the format string */
    snprintf(psvc->vars[VAR_ConnectionType].value,
             sizeof(psvc->vars[VAR_ConnectionType].value),
             ac->params[0].value);
    return TRUE;
}
-------------------

4. Solution
===========

Since the vulnerability is spread across multiple router manufacturers, and we were unable to reach all of them on this matter, it's unclear how long it will take certain manufacturers to patch it. Especially those that we were unable to contact. However, we're open to any questions from vendors regarding this vulnerability. Moreover, during the contact with one particular vendor, we were asked if the vulnerability is in the <name-intentionally-removed> function. It wasn't. But that quickly led us to yet another vulnerability in also popular router software, obviously already reported to router manufacturers by someone, but still non-public.

ADVISORY UPDATE: That turns out to be the libupnp vulnerability disclosed by Rapid7.

5. The Exploit
==============

We have developed a working exploit as demonstrated in the video http://www.youtube.com/watch?v=cv-MbL7KFKE, but because of the vulnerability impact and the presence of this vulnerability across multiple router manufacturers, we won't publish the exploit.

6. Credits
==========

Vulnerability discovered by Leon Juranic and Vedran Kajic.

We would like to thank Kost for further help on shellcode development, and Davor Serfez for router debugging.

Also, thanks to Armijn Hemel for helping us contact some router manufacturers.

7. About DefenseCode
====================

DefenseCode is an information security consultancy company.

DefenseCode provides security services and products designed for comprehensive security assessment of web applications, network and software products.

DefenseCode is specialized in web application security and provides both static source code security analysis and dynamic web application security analysis security products.

DefenseCode security products are designed for comprehensive security audit of web applications. Audit your web applications for SQL Injections, Cross Site Scripting, Code Execution, File Inclusion, and much, much more.

E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com

Source: PacketStorm
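The advisory's root cause is a caller-controlled string landing in the format argument of snprintf(). The following is an added example, not code from the advisory or from Broadcom's UPnP stack: it places the defect pattern beside the hardened form and adds a triage helper for captured SOAP bodies. The `struct var_entry` is a constructed stand-in for `psvc->vars[VAR_ConnectionType]` (the real structure is not on the page), and the allow-list holds the ConnectionType values defined by the UPnP WANIPConnection:1 service template. Compiling with `-Werror=format-security` would reject the direct vulnerable call; the function pointer below exists only so the defect compiles for demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the advisory's psvc->vars[VAR_ConnectionType]
 * entry; the real Broadcom structure is not on the page (assumption). */
#define VALUE_LEN 64
struct var_entry {
    char value[VALUE_LEN];
};

/* allowedValueList of ConnectionType in the UPnP WANIPConnection:1 template. */
static const char *const allowed_types[] = { "Unconfigured", "IP_Routed", "IP_Bridged" };

/* Allow-list check: the SOAP argument must be one of the defined values. */
bool connection_type_allowed(const char *input)
{
    for (size_t i = 0; i < sizeof allowed_types / sizeof allowed_types[0]; i++)
        if (strcmp(input, allowed_types[i]) == 0)
            return true;
    return false;
}

/* The defect pattern from the advisory: the attacker-controlled SOAP value is
 * passed where snprintf() expects a format string. Calling through a function
 * pointer only keeps the compiler's -Wformat-security warning quiet so the
 * flaw compiles for demonstration; the behaviour equals a direct call. */
int set_connection_type_vulnerable(struct var_entry *var, const char *input)
{
    int (*fmt)(char *, size_t, const char *, ...) = snprintf;
    fmt(var->value, sizeof var->value, input);
    return 1; /* the original returns TRUE unconditionally */
}

/* Hardened form: a literal "%s" format so the input is only ever data, plus
 * an allow-list check so unexpected values never reach the variable table. */
int set_connection_type_fixed(struct var_entry *var, const char *input)
{
    if (!connection_type_allowed(input))
        return 0; /* reject; the caller should answer with a SOAP fault */
    snprintf(var->value, sizeof var->value, "%s", input);
    return 1;
}

/* Triage helper for captured SOAP bodies: true if the string contains a
 * conversion directive ('%' not escaped as "%%"), which a legitimate
 * NewConnectionType value never does. */
bool has_format_directives(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { /* literal percent, skip the pair */
            p++;
            continue;
        }
        return true;
    }
    return false;
}

int main(void)
{
    struct var_entry v = {{0}};

    /* "%%" is well-defined for snprintf with no extra arguments, so the
     * difference is observable without undefined behaviour: the vulnerable
     * path consumes it as a directive and stores "%"; the fixed path rejects
     * it because it is not an allowed value. */
    set_connection_type_vulnerable(&v, "%%");
    printf("vulnerable stored: \"%s\"\n", v.value);

    memset(&v, 0, sizeof v);
    printf("fixed accepted \"%%%%\": %d\n", set_connection_type_fixed(&v, "%%"));
    printf("fixed accepted \"IP_Routed\": %d, stored \"%s\"\n",
           set_connection_type_fixed(&v, "IP_Routed"), v.value);

    printf("directive check on \"%%x%%x%%n\": %d\n", has_format_directives("%x%x%n"));
    return 0;
}
```

The allow-list matters as much as the literal format: the UPnP action only has a handful of legal values, so anything else is either a client bug or a probe and can be logged at the point of rejection.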
backdoor Posted February 4, 2013

Yes, I was actually about to post this myself, since I read it recently and it made my hair stand on end: how stupid can the people who wrote that driver be.

A security measure for owners until a firmware update appears for the routers in question.... Disable UPnP and use port forwarding for the applications that really need it, e.g. torrents, remote desktop.

Have fun.

PS: Unfortunately the exploit was not made public...