Tuesday, January 31, 2017

Bypassing eCos Embedded Devices Authentication (CVE-2017-1000020)

Disclaimer: Breaking into unauthorized systems and devices are completely illegal. The information provided here is solely for the purpose of sharing knowledge and all I present is my research materials so that the public can remain safe and benefit from my research.

We have heard a lot of stories about routers being vulnerable to hack attacks, routers being a part of botnet, distributing malwares or lately the story about mirai bot. Let's get into my story here...

Lately, I was working with some router setups on TOTOLINK SOHO router. I performed a router setup and updated my password for my administrator login. After some days I thought of changing some settings and was trying to log into the router but unfortunately I forgot my last password. Instead of pressing the reset button and erasing everything and starting with a fresh setup I thought of taking this issue to some extent and looking into it a bit more. I had heard some stories about public exploits being available for totolink routers. I thought of checking all of them for my benefit and for learning purpose but none of them were of my use. At some times, while I tried to access the router login page there was this one thing that would grab my attention. While trying to access the router login page, 'wizard.htm' (the router setup page) would show up for about 1/2 second or so and then would get redirected to 'login.htm' and if I try to access the 'wizard.htm' page the router would not show it and instead show up the login (login.htm) page again. Untill I clear my browser cache and start the same process again, the process would then show up the same results as before. I thought of looking into this issue and ways for possible login bypass in the authentication mechanism. Looking into the page source code in 'login.htm', showed a line with javascript file named 'language_en.js'. I looked inside it and found the internal page names like 'menu.htm', 'password.htm', 'upload.htm', 'route.htm', and all other pages with heavy information that an attacker would need. Okay, that could come handy later because accessing those pages now would return nothing but the login page again.
 
Main Login page for Totolink Router

If you have been into a bit of networking and stuffs, you probably would know about what a three way handshake is. Generally, Transmission Control Protocol (TCP) uses three way handshake to set up a TCP/IP connection over an Internet Protocol(IP) based network prior to its communication or say exchanging data. I won't be telling you an in-depth story of three way handshake and how that works for now. Let's get back into the story again...

"What if I could stop the process right at the 'wizard.htm' page or may be slow down the process and see what I could do around there?" was the question in my mind.
Okay that sounds fun! but how?

How about performing a slow Denial Of Service (DOS) attack with some play and pause with the device reply?

Wow that sounds much better!

Lets get started...

Hping3 came handy this time. If you don't know what it is then, hping3 is a network tool able to send custom TCP/IP packets and to display target replies just like ping program does with ICMP replies.

I then fired the device with SYN flood attack to execute my slow dos with the use of hping3. By the way SYN flood or FIN flood worked just fine and I never thought of trying other flooding options.

hping3 in FIN flood mode


FIN flood attack in action

So, a SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

Now, while the flooding is still taking place go back to your browser, clear your cache (required most of the times), enter the router ip followed by the page you want. Example: ip/reboot.htm or ip/menu.htm and so on. It could take some hit and trial as per the router's capability of resisting the attack but as time passes it would finally give us the page we want to be.

Conclusion: eCos Embedded Web Servers used by Multiple Routers, while sending SYN flood or FIN flood packets fails to validate and handle the packets and does not ask for any sign of authentication resulting in Authentication Bypass.

Shodan Search Result

What could go wrong?
An attacker can take complete advantage of this bug and take over the device remotely or locally.
At the time of writing, there were 11,887 'eCos Embedded Web Servers' as reported by SHODAN but the numbers of internet users using totolink, greatek and other routers not shown by the shodan are likely higher in numbers than as shown in the result. Totolink and Greatek routers were tested and were found vulnerable.

Possibly changing the dns or changing the ip route or changing passwords or updating rogue firmwares or maybe more zombie devices teaming up with the mirai bot army could be the outcome of such vulnerability.

As always, updating the device to the latest firmware version is highly recommended in case of availability. If you find more information related to this bug then feel free to share or exchange ideas.