myhack58佚名MYHACK58:62201787227
HistoryJun 21, 2017 - 12:00 a.m.

TP-Link WR841N router arbitrary code execution vulnerability analysis - vulnerability warning - myhack58 (Black Bar Security Net)


EPSS: 0.003 (percentile 69.0%)

1. Foreword
Recently we discovered two vulnerabilities in the TP-Link WR841N V8 router; chained together, they let us run our own code on this router. After friendly consultation with the vendor, who fixed the vulnerabilities in new router firmware, we decided to publish our research results.
Our team's main research focus is networked embedded devices. We use our findings to improve products and share them with embedded-device manufacturers and the security community. The WR841N happens to be the router we use in our hardware attack course, where it is the main teaching example for the JTAG-related material. While working with this router we found a flaw in the processing logic of its configuration service. Using this flaw we could bypass the router's access control policy and reset the router's credentials (CVE-2017-9466). With the access that gave us, we then achieved arbitrary code execution through a stack overflow vulnerability in the same configuration service.
In this attack we used a smartphone's hotspot feature to reset the router's credentials through a protocol that newer hardware models have removed from their firmware. Unfortunately, although old models may no longer receive official support, these devices are often deployed in key positions. Fortunately, when we reported the problem to TP-Link, they immediately agreed to remove the vulnerable configuration service from this model.
We are sharing the technical details in the hope that our research helps everyone understand this kind of attack, and the risks of outdated firmware, flawed encryption logic, and vulnerable configuration services.
Readers who want the specifics can go directly to the Technical Details section.
2. Vulnerability summary
The first thing we did was buy the router, download its firmware, and start analysing it. We had studied configuration-service vulnerabilities before, so we went looking for such a service directly and eventually found one in the firmware. This service lets network users read and write system settings. To protect it, the router requires that the parameters of commands sent to it be encrypted with a key based on the username and password.
The parameters are encrypted with the DES algorithm, applied to the text in 8-character blocks. Finding the flaw in this encryption logic was not difficult for us. Because we knew the plaintext from the firmware, and could obtain the corresponding ciphertext from the router's service, we could copy the encrypted text, convert it into the form of a valid parameter, and send it back to the router. In addition, not all commands require parameters, so the functions behind those commands are exposed on the public Internet and anyone can call them.
[Figure 2. Screenshot of the router firmware being reverse engineered in IDA Pro]
To use these commands, we first found a command that requires no parameters but whose response still contains encrypted text we could predict. We copied that encrypted text and used its first 8 characters as a feature name. We set the smartphone's name to this feature name and turned on the phone's hotspot. Over the network we sent the router another command that also requires no parameters and triggers a scan for nearby hotspots. To the phone's name, i.e. the feature name just mentioned, we appended the string "init". We then requested from the router a report containing the encrypted list of all hotspots and used the feature name to find our hotspot in that list. In this list, the feature name is followed by the encrypted "init". As a result we could pass the encrypted "init" as a parameter to the appropriate command, which forces the router to restore its initial settings, including the default username and password.
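As an added illustration (not code from the original article or from the router's firmware), a toy 8-byte block cipher stands in for DES and is run in the block-independent mode described above, under an assumed key and with a constructed scan-report string. It shows why the ciphertext block of a known string reflected inside one encrypted message ("init" after an 8-character feature name) is identical to the ciphertext of that string as a standalone parameter, and how a per-message nonce plus a MAC over the whole message makes the same block splice fail verification.

```python
import hashlib
import hmac
import os

BLOCK = 8  # DES-sized 8-byte blocks, as used for the router's command parameters

def _f(key: bytes, half: bytes, r: int) -> bytes:
    # Toy Feistel round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for DES: an 8-byte, 8-round keyed Feistel permutation (illustration only).
    left, right = block[:4], block[4:]
    for r in range(8):
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(key, right, r)))
    return left + right

def pad(data: bytes) -> bytes:
    # Null-pad to whole 8-byte blocks, as fixed 8-character blocks imply (assumption).
    return data + b"\x00" * (-len(data) % BLOCK)

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # The weak scheme: every block is encrypted on its own, with no IV and no MAC.
    data = pad(data)
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def splice_block_matches(key: bytes) -> bool:
    # Constructed sample: a hotspot named <8 known characters> + "init" inside a report.
    # Its second ciphertext block equals the ciphertext of the standalone parameter "init".
    report = ecb_encrypt(key, b"KNOWN8CH" + b"init")
    return report[BLOCK:2 * BLOCK] == ecb_encrypt(key, b"init")

def auth_encrypt(key: bytes, data: bytes) -> bytes:
    # Mitigation: counter mode under a fresh 4-byte nonce (repeated blocks no longer
    # repeat) plus an HMAC over nonce and ciphertext (spliced messages fail to verify).
    nonce, data, out = os.urandom(4), pad(data), b""
    for i in range(0, len(data), BLOCK):
        ks = block_encrypt(key, nonce + (i // BLOCK).to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    tag = hmac.new(key, nonce + out, hashlib.sha256).digest()[:16]
    return nonce + out + tag

def auth_verify(key: bytes, msg: bytes) -> bool:
    nonce, body, tag = msg[:4], msg[4:-16], msg[-16:]
    expect = hmac.new(key, nonce + body, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(expect, tag)

def splice_detected(key: bytes) -> bool:
    # Swap the two body blocks of an authenticated message: the original verifies, the swap does not.
    msg = auth_encrypt(key, b"KNOWN8CH" + b"init")
    swapped = msg[:4] + msg[12:20] + msg[4:12] + msg[20:]
    return auth_verify(key, msg) and not auth_verify(key, swapped)
```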
[Figure 3. iPhone hotspot settings screen]
Having reset the router's username and password, we could encrypt the parameters ourselves, without the hotspot technique. An attacker who wants to avoid alerting the user can keep using the hotspot technique to obtain the encrypted text needed for the follow-up exploitation. At this point we used another command to exploit a stack overflow vulnerability, which gave us custom code execution on the router. To demonstrate this low-level control, we used our own code to blink the router's lights, transmitting the message "Hi Senrio" in Morse code through the LEDs. In real life an attacker could use this technique to leak information out of an isolated network, or change the router's settings to redirect traffic to a malicious server.
Readers who are not interested in the technical details can skip to the Summary at the end of the article.
3. Technical details
3.1 Obtaining access
First we downloaded the latest firmware for this hardware model from the TP-Link support page and used the binwalk tool to extract the squashfs file system.
[Figure 4. binwalk output]
When we removed the top of the router's case, we found a 4-pin header that gives UART access to a password-protected console. We tried to brute-force the password hash from the file system's shadow file, but by the time we had found the vulnerabilities and finished the exploit, the brute-force had still not recovered the plaintext password. However, we managed to interrupt the router's boot process and reach a console that is normally used to receive firmware and file-system updates from an external FTP server. We backed up the squashfs file system, modified the shadow file to add a new root password, updated the router's file system from our own FTP server, and thereby obtained a root console. Through this console we could observe debugging output and, when the target process crashed, dump kernel information for analysis.
