I've recently seen a great Black Hat presentation by Felix (FX) Lindner (see pic 2) and a blog posting by Petko D. Petkov (PDP) (see pic 1) on the subject of hacking routers. What seems to be clear is that they are becoming a bigger target. PDP, of the gnucitizen group, recently hosted a "Router Hacking Challenge", where the idea was to share various attacks against a wide array of routers. In a post to the Full Disclosure mailing list, PDP summarizes the findings:
Here is a quick summary, in no particular order, of the types of vulnerabilities we are exhibiting:
- authentication bypass
- a-to-c attacks
- csrf (cross-site request forgeries)
- xss (cross-site scripting)
- call-jacking - like making your phone dial numbers or even survey the sound of the room where the phone resides
- obfuscation/encryption deficiencies
- UPnP, DHCP and mDNS problems - although not officially reported, most devices are affected
- SNMP injection attacks due to poor SNMP creds
- memory overwrites - well, it is possible to overwrite the admin password while it is in memory and therefore be able to login as admin
- stealing config files
- cross-file upload attacks - this is within the group of csrf attacks
- remote war-driving - way cool
- factory restore attacks
- information disclosure
- etc, etc, etc
I had a chance to talk to PDP about the results of the challenge and what he sees in the near future with router hacking:
Nate: PDP, there's a lot of flaws that the challenge uncovered, were there a few that stood out to you as being the most impactful?
PDP: Most of the flaws are quite impactful, but I like those that are different from the others; however, very often these are not the ones that are most severe. The authbypass bugs are most severe, as they give you full access to the device without the need to login. Personally, I like the call-jacking stuff and the SNMP injection stuff, but it could be because I was working on these as well, so I might be a bit prejudiced.
Nate: Yeah, I read the pages you posted about call-jacking and SNMP injection, very cool stuff. Could you just give me a brief run through of the two attacks?
PDP: The call-jacking is like the old days of phone phreaking. Basically, you can do all sorts of things with VOIP phones; however, not all attacks are related to breaking SIP. In the case of SNOM, the attack consists of exploiting a feature in the web interface which allows attackers to survey the sound in the room where the phone is located. This is pretty cool, and you can do that remotely if the device is visible on the Internet side or if you know where the device is inside and you trick someone into arriving on your malicious page. The SNMP injection and the SIP injection attacks are also very fun. We did not mention any SIP vulnerabilities, but there are a few that we found that we are keeping private for now.
As I mentioned, a great talk on the subject of hacking routers was also given at Black Hat Federal this year by Felix (FX) Lindner. Felix and his company, Recurity Labs, are currently working on a tool that will allow much more powerful monitoring, debugging, and post-mortem crash analysis on Cisco IOS than the currently accepted practices. Felix mentions the following in a whitepaper on the subject:
Vulnerabilities in Cisco IOS are as common as with any other functionally rich and widely deployed operating system platform. The architecture of IOS, however, makes exploitation a non-trivial task. In the past, the common operating systems provided soft enough targets to maintain an ongoing stream of new vulnerabilities that could be used to break into the machines directly. Recently, the major operating system vendors, first and foremost Microsoft, increased code security significantly. Additionally, exploit mitigation techniques and OS hardening have become the standard on all major platforms.
Cisco IOS, therefore, moves further into the focus, as the benefits start to measure up to the effort required. Non-publicly operating groups will certainly follow an equivalent path, as infrastructure compromises are still highly rewarding and almost impossible to detect.
During his talk at Black Hat Federal, Felix suggested that it's not a question of if router hacking will become more prevalent, but when it will, and more importantly, whether it already has.