SO HOpelessly Broken: The Implications of Pervasive Vulnerabilities in SOHO Routers

    SOHO networking devices are used in millions of homes and small businesses around the world for network access; these devices are purchased and installed by consumers with the expectation that their network and digital assets will be protected from attackers.

    We discovered and identified critical security vulnerabilities in numerous small office/home office (SOHO) routers and wireless access points. Our research is directed at establishing how widespread and how severe vulnerabilities in this class of device are. We initially evaluated 13 off-the-shelf routers and demonstrated that 11 of the 13 were exploitable by a remote adversary, and that all 13 were exploitable by a local adversary on the (W)LAN. The critical vulnerabilities that persist in these devices expose an urgent need for deeper security scrutiny.

    Our attacks range in severity from unauthenticated router takeover to authenticated takeover that requires minimal participation from the user. We will demonstrate many of the root-level vulnerabilities ISE discovered while analyzing SOHO router network services and break down the anatomy of their exploitation. Attacks include buffer overflows, cross-site request forgery, command injection, directory traversal, authentication bypass, backdoors and more!

    The primary focus of this presentation will be full router compromise by an adversary and its implications, but we will also discuss the evolution of SOHO device functionality, and how the SOHO industry’s lack of attention to security has left millions of networks vulnerable to exploitation.

    We will demonstrate several of these root exploits and discuss how we found them and the obstacles we had to overcome in order to achieve the glorious # shell!

    —Interesting Exploit Details—

    The buffer overflows occur on the MIPS architecture, so the process of exploitation differs from that on an x86 system. We will discuss finding ROP gadgets to construct a ROP chain that redirects the program's execution flow, and some of the hurdles we had to overcome to achieve code execution.
    Anonymous or limited-user access to certain network services allows an attacker to perform a multi-stage attack: escalate privileges, then gain a root system shell.
    Misconfiguration of network services (e.g. Samba, HTTP) introduces critical security vulnerabilities that circumvent access controls.
    In addition to exploiting network services, some of the devices contain intentional backdoors that provide an alternate way to gain root access to the device.
    The plethora of services running on SOHO routers is vulnerable to some form of exploitation, and there are several obscure services that probably have not been thoroughly investigated by the security community.
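
    As an added illustration of two of the attack classes named above, command injection and directory traversal as they typically appear in a router's web CGI handlers, the following C shows the vulnerable pattern beside a hardened one. This is constructed example code, not ISE's research code and not taken from any real device firmware; the function names, the "ping" diagnostics handler and the "/www" web root are hypothetical.

```c
/* Constructed example: command injection and directory traversal in a
 * SOHO-router-style CGI handler, vulnerable pattern beside the hardened one.
 * Not ISE's code and not from any real firmware; names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable: a user-supplied host is dropped straight into a shell command
 * that the firmware later hands to system(), typically as root. */
int build_ping_cmd_vulnerable(const char *host, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "ping -c 4 %s", host);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

/* Allowlist: only characters legal in a hostname or dotted quad survive. */
int hostname_is_safe(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;               /* ';', '|', '`', '$', space, ... */
    }
    return 1;
}

/* Hardened: validate, then build an argv for execve()/posix_spawn() so no
 * shell ever parses the value. argv must have room for 5 pointers. */
int build_ping_argv_safe(const char *host, const char **argv)
{
    if (!hostname_is_safe(host))
        return -1;
    argv[0] = "/bin/ping";
    argv[1] = "-c";
    argv[2] = "4";
    argv[3] = host;
    argv[4] = NULL;
    return 0;
}

/* Directory traversal defence: resolve a request path under root (given
 * without trailing slash) by walking its segments, so "/images/../../etc/passwd"
 * is rejected (-1) instead of opened. Percent-decode before calling this. */
int resolve_under_root(const char *root, const char *req, char *out, size_t out_len)
{
    size_t base = strlen(root), used = base;
    if (base >= out_len)
        return -1;
    memcpy(out, root, base);
    for (const char *p = req; *p; ) {
        while (*p == '/')
            p++;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                           /* empty or "." segment */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (used == base)
                return -1;                      /* would climb above root */
            while (out[--used] != '/')          /* drop the last segment */
                ;
            continue;
        }
        if (used + 1 + len >= out_len)
            return -1;
        out[used++] = '/';
        memcpy(out + used, start, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    char cmd[128], path[128];
    const char *argv[5];
    const char *evil = "8.8.8.8; cat /etc/passwd";   /* constructed input */

    build_ping_cmd_vulnerable(evil, cmd, sizeof cmd);
    printf("shell would see:   %s\n", cmd);
    printf("hardened accepts:  %s\n", build_ping_argv_safe(evil, argv) == 0 ? "yes" : "no");
    printf("traversal result:  %s\n",
           resolve_under_root("/www", "/images/../../etc/passwd", path, sizeof path) == 0
               ? path : "rejected");
    return 0;
}
```

    The two defences share one idea: never let attacker-controlled bytes reach an interpreter (the shell, or the filesystem's path resolution) in a form the interpreter still has to parse. The allowlist rejects anything that is not a hostname rather than trying to blacklist metacharacters, and the path walker normalises before the open() call, which is also why decoding after this step would reopen the hole.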

    Speaker: Jacob Holcomb