8/15/2023

Buffer overflow in net message

Internet routers are among the most ubiquitous devices home and business users depend on every day to carry out communications, banking, shopping and commercial transactions.

IBM Security researcher Grzegorz Wypych (aka h0rac) took a closer look at one of the most widespread internet routers in use by consumers nowadays, the TP-Link WR-940, and found that a zero-day buffer overflow vulnerability in the router could allow malicious third parties to take control of the device from a remote location.

Let's dive into more details about this vulnerability, which IBM Security responsibly disclosed to TP-Link; the patches TP-Link subsequently issued appear in the closing words of the article.

Figure 1: TP-Link WR940 (Source: TP-Link)

Authenticate and Control

Looking into commonly used routers, our team of ethical hackers examined some of the models that many consumers use in their homes. The reason behind examining router security is their omnipresent status and the potential for attackers to use them against internet users and businesses alike, while mostly relying on automated attacks.

This is the first part in a series of router vulnerability reports. Here, we'll focus on the TP-Link WR940 device and touch on the software that runs the router - more specifically, TL-WR940N hardware version 3 and TL-WR941ND hardware version 6, both running firmware version 150312.

In the case of these routers, we found a zero-day buffer overflow vulnerability, one that was not previously reported and that worked for authenticated users, allowing them to take unrestricted remote control of the router.

Looking at the software security of the device, it appears that most of the effort to apply controls was put into the web-based interface that users can access to configure the router. However, controls that were placed on the owner's interface cannot protect the actual router, and an attacker could take advantage of that fact.

For example, in the System Tools/Diagnostic tab of the control panel, users have the option to send Internet Control Message Protocol (ICMP) echo request/response packets via ping. They can send packets either to an IPv4 address or to a hostname.

The panel's security controls may limit the character type and count of that input, but nothing stops the user from intercepting requests with a Burp Suite (a graphical tool for testing web application security) proxy and malforming them.

We started by looking for some common application vulnerabilities. First we examined command injections, because operations such as ping are mostly executed using a Bash shell (Bash is a Unix shell and command language). This was not the case, and we had to rule out the injection attack scenario because we did not find any reference to a system call during static analysis.

What we did find was another interesting activity: when a user sends ping requests, a message is displayed on the device's console referring to native code compiled into the firmware's binary.

Figure 2: Ping requests invoke a message on the router's console

Next, we looked at outgoing GET requests to the ping service by running a Burp Suite proxy to examine them. In the following image, we can see the request's parameters. The same parameters also appeared in the console message shown in Figure 2.

To zoom into the details, we launched the IDA disassembler and looked at some string references. More specifically, we were looking for the "Here is a new ping" reference.

Figure 4: GET request to ping service on IDA Pro

From here, we jumped directly to the referenced function's address:

And here, we can see a notable message block:

The syntax is written in the Microprocessor without Interlocked Pipeline Stages (MIPS) assembly language, which is designed to work with the MIPS microprocessor paradigm created by J.

Before we look more closely at this message block, here's a quick crash course on MIPS central processing units (CPUs): MIPS is typically used in embedded systems, such as gateways and routers. Function parameters are passed in registers $a0-$a3. If a function requires more than four parameters, the remaining parameters are pushed onto the stack.
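The interface-side limits on the ping target (character type and count) are bypassed as soon as a request is intercepted and malformed, so the check has to live in the firmware's handler. As an added example, not code from the original article or from TP-Link's firmware, this C routine accepts only a well-formed IPv4 address or hostname that fits the handler's fixed buffer and refuses everything else before any copy happens; the 64-byte limit is a constructed value for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Illustrative server-side check (not TP-Link's code): the ping target must be a
 * dotted-quad IPv4 address or a hostname and must fit the handler's fixed buffer. */
#define PING_TARGET_MAX 64  /* constructed limit for the example */

/* Strict "d.d.d.d": four octets of 1-3 digits, each 0..255, nothing else. */
static bool is_ipv4(const char *s) {
    for (int octet = 0; octet < 4; octet++) {
        if (octet > 0 && *s++ != '.') return false;
        if (!isdigit((unsigned char)*s)) return false;
        int v = 0, digits = 0;
        for (; isdigit((unsigned char)*s); s++)
            if (++digits > 3 || (v = v * 10 + (*s - '0')) > 255) return false;
    }
    return *s == '\0';
}

/* RFC 1123 shape: dot-separated labels of letters, digits and '-', at most 63 chars
 * each, never starting or ending with '-'. Shell metacharacters, spaces and control
 * bytes are therefore rejected as a side effect. */
static bool is_hostname(const char *s) {
    size_t label = 0;
    if (*s == '\0') return false;
    for (; *s; s++) {
        if (*s == '.') {
            if (label == 0 || s[-1] == '-') return false;
            label = 0;
        } else if (isalnum((unsigned char)*s) || (*s == '-' && label > 0)) {
            if (++label > 63) return false;
        } else return false;
    }
    return label > 0 && s[-1] != '-';
}

/* Copy the request parameter into the handler's buffer only if it is well formed
 * and fits; otherwise leave dst empty and return false, so an oversized or
 * malformed value never reaches the copy. */
bool parse_ping_target(const char *param, char *dst, size_t dstlen) {
    const char *nul = memchr(param, '\0', PING_TARGET_MAX + 1);
    dst[0] = '\0';
    if (nul == NULL) return false;               /* longer than PING_TARGET_MAX */
    size_t n = (size_t)(nul - param);
    if (n == 0 || n >= dstlen) return false;      /* empty, or no room for the NUL */
    if (!is_ipv4(param) && !is_hostname(param)) return false;
    memcpy(dst, param, n + 1);
    return true;
}
```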