Friday, November 24, 2017

Tag: Traceroute

Not that knowing NSA's sigint locations will actually help you much...
Pwnable any way you like

It could be the worst router in the world: a cheapie from China that IOActive reckons is completely pwnable all ways from Sunday. Bought by a travelling staffer, Tao Sauvage, the BHU Wi-Fi router looks almost indistinguishable from a surveillance box.

As Sauvage writes: “An unauthenticated attacker could bypass authentication, access sensitive information stored in its system logs, and in the worst case, execute OS commands on the router with root privileges.” Bad? Wait, there's more: there are hidden users, default SSH with a hard-coded root password, and the box “injects a third-party JavaScript file into all users' HTTP traffic”. To get that far, Sauvage dumped the firmware over the UART and dropped into the Linux shell to read the file system. That's where the fun started.

The CGI script running everything reveals the session ID of the admin cookie, for an easy admin hijack, but why bother? The router includes a hard-coded SID, 700000000000000: if an attacker presents that to the router, they get access to “all authenticated features”. Presenting that SID revealed the hidden user, dms:3. And even better, after a bit more work: “whatever SID cookie value you provide, the router will accept it as proof that you’re an authenticated user”.

Goodness. It couldn't get worse, but it does: commands like Traceroute run with root privilege, making escalation a snap, because attackers can run OS commands without authentication. “At this point, we can do anything: eavesdrop the traffic on the router using tcpdump; modify the configuration to redirect traffic wherever we want; insert a persistent backdoor; brick the device by removing critical files on the router.” The SSH config combines with the root user password – reset to the default value at each reboot, in case a sysadmin tried to change it – to give any outsider access to the device. Not to mention the JavaScript injector, and, as a final treat, a kernel module called dns-intercept.ko, which Sauvage promises to look at in more detail in future. ®
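The two defects the article describes – a session check that accepts a hard-coded SID (and, in the end, any SID at all) and a Traceroute handler that hands an unvalidated target to a root shell – are a common pairing in embedded web UIs. The following is an added illustration written for this page, not the BHU router's actual CGI code or anything from IOActive's write-up: it shows a deliberately weak version of each check beside a hardened one. The session store, the `traceroute_argv` / `handle_traceroute_request` names and the sample inputs are all constructed for the example; the SID value 700000000000000 is the one the article quotes.

```python
import ipaddress
import re
import secrets

HARD_CODED_SID = "700000000000000"  # value quoted in the article

# ---- weak pattern (illustrative reconstruction, not the router's code) ----

def weak_is_authenticated(sid_cookie):
    """Accepts the magic SID, and in practice any non-empty cookie value."""
    if sid_cookie == HARD_CODED_SID:
        return True
    return bool(sid_cookie)  # any presented SID is treated as proof of login

def weak_traceroute_command(target):
    """Builds a shell string; metacharacters in `target` reach the shell."""
    return f"traceroute {target}"  # would be run via a root shell

# ---- hardened pattern ----

SESSIONS = {}  # server-side store: sid -> username, populated only at login

def create_session(username):
    """Issue an unguessable, server-generated session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def is_authenticated(sid_cookie):
    """A SID is valid only if this server issued it; no magic values."""
    return bool(sid_cookie) and sid_cookie in SESSIONS

# One DNS label: alphanumeric, optional inner hyphens, at most 63 chars.
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(\.{_LABEL})*$")

def validate_target(target):
    """Allow only an IP literal or a plain hostname; reject everything else."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("invalid traceroute target")

def traceroute_argv(target):
    """Argument list for subprocess (no shell), with the target validated."""
    return ["traceroute", validate_target(target)]

def handle_traceroute_request(sid_cookie, target):
    """CGI-style entry point: (status, argv). The caller would execute argv
    with subprocess.run(argv, shell=False) as an unprivileged user; the
    traceroute binary itself typically only needs CAP_NET_RAW, not root."""
    if not is_authenticated(sid_cookie):
        return (403, None)
    try:
        argv = traceroute_argv(target)
    except ValueError:
        return (400, None)
    return (200, argv)

if __name__ == "__main__":
    sid = create_session("admin")
    print(weak_is_authenticated("anything"))              # True: the bug
    print(is_authenticated(HARD_CODED_SID))                # False
    print(handle_traceroute_request(sid, "example.com"))   # (200, [...])
    print(handle_traceroute_request(sid, "8.8.8.8; id"))   # (400, None)
```

The hardened path never builds a shell string at all: the target is checked against a strict grammar and passed as a single argv element, so there is nothing for a shell to interpret, and the session check consults only ids the server itself generated.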
192.168.1.1 is a pain, but it's better than 'admin:admin' on the Web anyhow

TP-Link, rather than recovering domains it forgot to renew, is going to abandon them. The domains in question are tplinklogin.net and tplinkextender.net.

They offered configuration services for buyers of the company's home routers and Wi-Fi link extenders, and are identified on stickers on some devices (not all: two TP-Link routers in the author's house, one less than three months old, direct users to the more conventional 192.168.1.1 for configuration). The domains got scooped up by a squatter using an anonymous registration service, and according to Amitay Dan, who first noticed the snafu, they're being offered for sale at US$2.5 million each. The reach of the snafu is, fortunately, likely to be limited, because the stickers were attached to older devices (Computerworld reported that more modern units point to tplinkwifi.net, but didn't check the domain to see whether it's active; it seems not, since the domain doesn't respond to pings or traceroute).

“TP-Link forgot to buy the domain https://t.co/kggHaY7Xhl Exploit can be made, the domain is for sale for 2.5m$ pic.twitter.com/JH7FkHItYU” — Amitay Dan (@popshark1) July 1, 2016

The biggest risk is if the domains are swept up by malware scum to snare users who go to the sites to reconfigure devices. ®