Nytro Posted July 18, 2014

Hacking Asus RT-AC66U and Preparing for SOHOpelesslyBroken CTF

So it's finally July, time to pack for DEFCON, follow @defconparties on Twitter and decide which villages to visit and which talks to attend.

There's a new hacking competition this year called SOHOpelesslyBroken, presented by ISE and EFF. The objective on Track 0 is to demonstrate previously unidentified vulnerabilities in off-the-shelf consumer wireless routers. Track 1 will hold a live CTF for the duration of DEFCON. CTFs are always fun and this contest involves hacking real embedded devices, which makes it even more fun.

[Image] Yes, that's my workstation =P

I'm particularly interested in the EFF Open Wireless Router, but they didn't disclose details about the device yet. According to the event rules, the ASUS RT-AC66U (HW Ver. A2) [Version 3.0.0.4.266] is one of the possible targets. As I had a spare RT-AC66U at home, I decided to write a quick guide for everyone interested in participating in this competition.

Recon

The first thing to do is to find the firmware and its source code. Hopefully, Asus RT-AC66U is GPL'ed and we can easily find its source online. The version used for the contest is an old one, from 2012. In order to perform a better analysis, we are going to grab the sources and the firmware from v3.0.0.4.266 and v3.0.0.4.376.1123 (the most recent one as of this writing).

- Asus RT-AC66u v3.0.0.4.266 - Firmware
- Asus RT-AC66u v3.0.0.4.266 - Source Code
- Asus RT-AC66u v3.0.0.4.376.1123 - Firmware
- Asus RT-AC66u v3.0.0.4.376.1123 - Source Code

Many firmware versions were published between these two releases; we can review the changelogs to find security issues: http://www.asus.com/Networking/RTAC66U/HelpDesk_Download

According to the rules, we have to identify and exploit a 0-day vulnerability. We can combine different flaws with known issues in order to score points. If the vendor had silently patched an issue and you create an exploit for it, that should be scored as a valid 0-day (I'm not going to start discussing terminologies here).

Now that we have the source code, it's time to extract and audit it. The CTF Field Guide from Trail of Bits has some good resources on Auditing Source Code. You can use tools like Beyond Compare, Araxis Merge and WinMerge on Windows platforms, or Meld if you're more of a Linux user.

Let's focus on the "/asuswrt/release/src/router/" directory, comparing these two folders using Meld.

There are many security advisories for this router: if you want to find 0-days you should look for disclosed vulnerabilities and exploits to avoid duplicates (believe me, this is the hardest part). Some references:

- ASUS RT-AC66U Remote Root (Broadcom ACSD)
- ASUS RT-N66U Router - HTTPS Directory traversal and full file access and credential disclosure vuln
- Asus RT56U Remote Command Injection
- Taking over the ASUS RT-N56U and RT-AC66U
- Dear Asus router user: You've been pwned, thanks to easily exploited flaw (Asusgate)
- OSVDB

Points are deducted from your score if your exploits require special system configurations and specific information. If you want to score lots of points, you should be targeting default services and processes. The USB application tab on the RT-AC66U allows the user to set up a series of services like FTP, DLNA, NFS and Samba.

MiniDLNA is also a nice target. It should be pretty easy to find vulns for the service using Zachary Cutlip's research, as he broke it multiple times.

Another potentially vulnerable service is AiCloud: it links your home network to an online Web storage service and lets you access it through a mobile application.

Full article: w00tsec: Hacking Asus RT-AC66U and Preparing for SOHOpelesslyBroken CTF
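Added example (my own code, not from the w00tsec post or the Asus GPL sources): a small Python script that does the comparison the post suggests doing in Meld, listing every file under release/src/router that was added, removed or modified between two source drops, so that silently patched files can be reviewed first. The two trees are constructed in temporary directories as stand-ins; their paths and contents are made up and carry no real Asus code.

```python
import hashlib
import tempfile
from pathlib import Path

ROUTER_SUBDIR = "release/src/router"   # the directory the post suggests comparing

def file_digest(path: Path) -> str:
    """SHA-256 of a file, so byte-identical files can be skipped quickly."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_digests(root: Path, subdir: str = ROUTER_SUBDIR) -> dict:
    """Map every file below root/subdir (as a relative path) to its digest."""
    base = root / subdir
    return {str(p.relative_to(base)): file_digest(p)
            for p in base.rglob("*") if p.is_file()}

def compare_trees(old_root: Path, new_root: Path, subdir: str = ROUTER_SUBDIR) -> dict:
    """Classify files as added, removed or modified between two GPL source drops."""
    old, new = tree_digests(old_root, subdir), tree_digests(new_root, subdir)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

def build_sample_trees() -> tuple:
    """Constructed stand-in for an old and a new firmware source drop (not real sources)."""
    old_root, new_root = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    files = {  # relative path -> (old content, new content); None means the file is absent
        "httpd/web.c": ("old request handler\n", "request handler with extra length check\n"),
        "acsd/acsd.c": ("unchanged\n", "unchanged\n"),
        "shared/newfeature.c": (None, "new file\n"),
        "shared/legacy.c": ("removed in the newer release\n", None),
    }
    for rel, (old_txt, new_txt) in files.items():
        for root, txt in ((old_root, old_txt), (new_root, new_txt)):
            if txt is not None:
                dst = root / ROUTER_SUBDIR / rel
                dst.parent.mkdir(parents=True, exist_ok=True)
                dst.write_text(txt)
    return old_root, new_root

if __name__ == "__main__":
    print(compare_trees(*build_sample_trees()))
```

On real drops, point the two roots at the extracted v3.0.0.4.266 and v3.0.0.4.376.1123 archives and feed the "modified" list to Meld or your diff tool of choice.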