(Too Much) Access Points - Exploitation Roundup presented at SyScan 2010

by Cristofaro Mune

Tags: Security Access Exploitation

Summary: Embedded devices are becoming more and more pervasive, but not much material is
currently available regarding the exploitation of such devices, in particular
for Linux/MIPS.
Few vulnerabilities are published, even fewer concern the possibility of
executing arbitrary code, and exploits and shellcodes are nearly absent.
Thorough security reviews are rarely performed, and the release of patches and fixes
usually lags behind.
Research has focused mostly on the security of wireless communications and the
related implementations, or on techniques for attacking devices with private
addressing, while not much has been published regarding the actual exploitation,
which may, in some cases, be non-trivial due to specific challenges discussed in
the presentation.

In this talk, remote arbitrary code execution on Access Points, with specific
reference to the Linux/MIPS platform, will be demonstrated by leveraging
vulnerabilities discovered by the author.
Devices from major manufacturers, all loaded with their stock firmware, will be
targeted; multiple exploitation demos will be performed and a remote root shell
will be gained on each target.
Different kinds of flaws bring different opportunities, depending on the attack
range (e.g. whether the attack can be carried out over the Internet or only from the
internal LAN) or the need for authentication: the proposed vulnerabilities and demos
have been chosen and designed to provide samples of different attacks, scenarios and
attack opportunities.
A "no-auth remote blind" attack will also be demonstrated, providing the first
known example of an attacker gaining a remote root shell on an embedded device
by using a smartphone as a "reflector" and leveraging it for the actual
exploitation.

Outline: