Hijacking Your Routers via Control-Hijacking URLs in Embedded Devices with Web Interfaces
Embedded devices such as SOHO routers and IP cameras are becoming part of everyday life. Studies have shown, however, that the security of these devices is insufficient, and a growing number of security researchers now focus on exploiting them. Most embedded devices run a web service to simplify management by the user, which offers a potential attack surface. Unfortunately, most vulnerabilities in these web services can only be reached and exploited by an attacker who holds login credentials, which makes attacks far less practical. This paper presents DAEWC (Detect and Exploit without Credentials), an automated model for detecting and exploiting vulnerabilities. First, DAEWC uses symbolic execution to find URLs that are not protected by the authentication mechanism. Second, DAEWC fuzzes these URLs while analyzing the web server with a lightweight dynamic data-flow tracking technique, which finds easy-to-exploit vulnerabilities quickly and accurately. Finally, DAEWC implements an automatic exploit-generation model that produces executable custom shellcode, for example code that calls system("/bin/sh") or reads and writes arbitrary memory. With these vulnerabilities, embedded devices with web services can be attacked even without access to the web interface: for example, an attacker can take control of a Wi-Fi router at an airport without login credentials by sending a specially crafted URL request. We applied DAEWC to firmware from two embedded device vendors, found 9 unreported 0-day vulnerabilities in four of them, and generated highly usable exploit scripts.
Keywords: Firmware, Authentication-bypassing URLs, Symbolic execution, Lightweight dynamic data tracker, Automatic exploit generation
This work is supported in part by National High Technology Research and Development Program of China (No. 2015AA016004), the National Key R&D Program of China (No. 2016QY04W0802).
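The first stage described in the abstract, finding URL handlers that reach a sensitive operation without passing the authentication check, as an added illustration that is not the paper's code: DAEWC answers this with symbolic execution over firmware binaries, while this Python model asks the same reachability question over a constructed, hypothetical web-server flow graph (all handler, step and URL names are made up).

```python
"""Auth-bypass reachability over a constructed web-server flow graph (a
hypothetical model, not DAEWC's code): can a URL handler reach a sensitive
sink on a path that never passes through an authentication check?"""

# Hypothetical flow edges "handler.step" -> next steps; leaf steps omitted.
FLOW = {
    "login.entry":       ["login.check_password"],
    "status.entry":      ["status.format_uptime"],
    "apply.entry":       ["apply.check_auth"],
    "apply.check_auth":  ["apply.nvram_set"],          # sink guarded by auth
    "ping.entry":        ["ping.build_cmd"],
    "ping.build_cmd":    ["ping.system"],              # no auth check at all
    "backup.entry":      ["backup.is_lan", "backup.check_auth"],
    "backup.is_lan":     ["backup.read_config"],       # branch that skips auth
    "backup.check_auth": ["backup.read_config"],
}

# Hypothetical URL table: request path -> entry step of its handler.
URL_TABLE = {
    "/login.cgi": "login.entry", "/status.cgi": "status.entry",
    "/apply.cgi": "apply.entry", "/ping.cgi": "ping.entry",
    "/backup.cgi": "backup.entry",
}

AUTH_CHECKS = {"check_auth", "check_password"}   # the walk never enters these
SINKS = {"system", "nvram_set", "read_config"}   # sensitive operations

def local(node):
    """Step name without its handler prefix, e.g. 'ping.system' -> 'system'."""
    return node.rsplit(".", 1)[-1]

def sinks_without_auth(flow, entry):
    """Depth-first walk from `entry` that refuses to step into an auth check;
    returns the sorted sinks reachable on such auth-free paths."""
    seen, todo, hits = {entry}, [entry], set()
    while todo:
        node = todo.pop()
        if local(node) in SINKS:
            hits.add(local(node))
        for nxt in flow.get(node, []):
            if nxt not in seen and local(nxt) not in AUTH_CHECKS:
                seen.add(nxt)
                todo.append(nxt)
    return sorted(hits)

def audit(flow, url_table):
    """URLs whose handler reaches a sink unauthenticated, with those sinks."""
    return {u: h for u, e in url_table.items() if (h := sinks_without_auth(flow, e))}

if __name__ == "__main__":
    for url, hits in audit(FLOW, URL_TABLE).items():
        print(f"{url}: reaches {', '.join(hits)} without authentication")
```

The report flags both the handler that has no check at all and the one whose check sits on only one of two branches, which is the case a per-handler code review most easily misses.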