Home Router - SOHO

April 2019
Cybercriminals have been hacking into home routers for the last three months, meddling with DNS settings to redirect users surfing the web towards malicious websites.

https://arstechnica.com/information-technology/2019/04/ongoing-dns-hijackings-target-unpatched-consumer-routers/

Essentially, if you can trick someone using a Ubiquiti gateway or router to click on a malicious link, or embed the URL in a webpage they visit, you can inject commands into the vulnerable device. The networking kit uses a web interface to administer it, and has zero CSRF protection. This means attackers can perform actions as logged-in users.

https://www.theregister.co.uk/2017/03/16/ubiquiti_networking_php_hole/
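The Ubiquiti finding above comes down to a web admin interface that accepts a state-changing request on the strength of the session cookie alone, which the browser attaches to any request, including one triggered by a page the victim merely visited. The following is an added illustration, not code from the article or from Ubiquiti, of why that is enough for CSRF and what the standard fix looks like: a per-session anti-CSRF token (here an HMAC of the session id under a server secret) that the form must echo back, plus an Origin check. The request structure, the session store, the "update DNS" handler, the admin origin and the IP addresses are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: on a real device this secret would be
# generated at first boot and kept out of any firmware image.
SERVER_SECRET = secrets.token_bytes(32)
ADMIN_ORIGIN = "http://192.168.1.1"  # assumed address of the router's admin UI


def issue_csrf_token(session_id: str) -> str:
    """Per-session anti-CSRF token: HMAC-SHA256 of the session id under the server secret.

    Embedded in every admin form; a cross-site page cannot read it because of the
    same-origin policy, so it cannot be forged into a request."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_update_dns(request: dict, sessions: dict) -> dict:
    """Handler in the style the article describes: only the session cookie is checked.

    A request forged from another site carries the victim's cookie automatically,
    so it is indistinguishable from a legitimate one and succeeds."""
    session_id = request.get("cookie")
    if session_id not in sessions:
        return {"status": 401}
    sessions[session_id]["dns"] = request["form"]["dns"]
    return {"status": 200}


def hardened_update_dns(request: dict, sessions: dict) -> dict:
    """Same handler with two independent CSRF defences added.

    1. The form must carry the per-session token; compared in constant time.
    2. If the browser sent an Origin header (it does on cross-site POSTs),
       it must match the admin UI's own origin."""
    session_id = request.get("cookie")
    if session_id not in sessions:
        return {"status": 401}
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(issue_csrf_token(session_id), supplied):
        return {"status": 403}
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != ADMIN_ORIGIN:
        return {"status": 403}
    sessions[session_id]["dns"] = request["form"]["dns"]
    return {"status": 200}


def run_forged(handler) -> tuple:
    """Replay a constructed cross-site request against a handler.

    The browser attaches the logged-in admin's cookie; the attacker page cannot
    supply the token and its Origin is not the router's. Returns (status, DNS now set)."""
    sessions = {"sess-abc": {"dns": "8.8.8.8"}}
    forged = {
        "cookie": "sess-abc",
        "headers": {"Origin": "http://attacker.example"},  # constructed origin
        "form": {"dns": "203.0.113.5"},                    # documentation-range IP
    }
    status = handler(forged, sessions)["status"]
    return status, sessions["sess-abc"]["dns"]


def run_legitimate() -> tuple:
    """A request from the real admin page: same-origin and carrying the token."""
    sessions = {"sess-abc": {"dns": "8.8.8.8"}}
    legit = {
        "cookie": "sess-abc",
        "headers": {"Origin": ADMIN_ORIGIN},
        "form": {"dns": "9.9.9.9", "csrf_token": issue_csrf_token("sess-abc")},
    }
    status = hardened_update_dns(legit, sessions)["status"]
    return status, sessions["sess-abc"]["dns"]


if __name__ == "__main__":
    print("vulnerable, forged request:", run_forged(vulnerable_update_dns))  # (200, '203.0.113.5')
    print("hardened, forged request:  ", run_forged(hardened_update_dns))    # (403, '8.8.8.8')
    print("hardened, legitimate:      ", run_legitimate())                   # (200, '9.9.9.9')
```

The token check alone is sufficient; the Origin check is defence in depth for the case where a token leaks through an XSS bug elsewhere in the interface, which the router audits quoted further down show is far from hypothetical.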

Exploiting SOHO Router Services

Many SOHO routers today incorporate network services and functionality unrelated to routing and switching network traffic. For example, every router contained at least one service for supporting some form of Network Attached Storage (NAS). These services included FTP, SMB, NetBIOS, UPnP Media, and HTTP. Outside of NAS services, SOHO routers also often utilize other miscellaneous network services for optimization and configuration purposes. Though seemingly innocuous, these extraneous services have come at the expense of security by introducing new attack surfaces for compromise. As evidence, ISE has exploited a number of routers by leveraging the existence of such services.

In a previous report, we released a list of SOHO router vulnerabilities and showed proof-of-concept (PoC) attack code for how to exploit them. For many of these routers, those PoCs operated through the main web-based interface. In this follow-up study, we addressed only the extraneous, non-router services that were present on the routers. What we found was that of the 10 routers reviewed, all 10 could be compromised from the (wireless) LAN once a router had USB attached storage connected.

https://securityevaluators.com/knowledge/case_studies/routers/soho_service_hacks.php


In yet another testament to the awful state of home router security, a group of security researchers uncovered more than 60 vulnerabilities in 22 router models from different vendors, most of which were distributed by ISPs to customers (June 2015).

http://www.computerworld.com/article/2930554/security/new-soho-router-security-audit-uncovers-more-than-60-flaws-in-22-models.html

 1. Observa Telecom AW4062
 2. Comtrend WAP-5813n
 3. Comtrend CT-5365
 4. D-Link DSL-2750B
 5. Belkin F5D7632-4
 6. Sagem LiveBox Pro 2 SP
 7. Amper Xavi 7968 and 7968+
 8. Sagem Fast 1201
 9. Linksys WRT54GL
10. Observa Telecom RTA01N
11. Observa Telecom Home Station BHS-RTA
12. Observa Telecom VH4032N
13. Huawei HG553
14. Huawei HG556a
15. Astoria ARV7510
16. Amper ASL-26555
17. Comtrend AR-5387un
18. Netgear CG3100D
19. Comtrend VG-8050
20. Zyxel P 660HW-B1A
21. Comtrend 536+
22. D-Link DIR-600


The aforementioned vulnerabilities are:
- Persistent Cross Site Scripting (XSS) on #1, #2, #3, #6, #10, #12, #13, #14, #16, #17, #18, #19 and #20.
- Unauthenticated Cross Site Scripting on #3, #7, #8, #9, #10, #14, #16, #17 and #19.
- Cross Site Request Forgery (CSRF) on #1, #2, #3, #5, #10, #12, #13, #14, #15, #16, #18 and #20.
- Denial of Service (DoS) on #1, #5 and #10.
- Privilege Escalation on #1.
- Information Disclosure on #4 and #11.
- Backdoor on #10.
- Bypass Authentication using SMB Symlinks on #12.
- USB Device Bypass Authentication on #12, #13, #14 and #15.
- Bypass Authentication on #13 and #14.
- Universal Plug and Play related vulnerabilities on #2, #3, #4, #5, #6, #7, #10, #11, #12, #13, #14, #16, #21 and #22.

http://seclists.org/fulldisclosure/2015/May/129

Security vulnerabilities in SOHO routers

With embedded devices permeating today's home networks, they have begun to attract a higher level of scrutiny from the security community than in previous years. In particular, the members of GNUCitizen have been relentlessly testing routers and wireless access points. Their discovery of multiple vulnerabilities in the BT Home Hub router affected a wide range of home networks in the UK [1], and their Router Hacking Challenge prompted a flurry of vulnerability reports against a variety of popular home routers, including the venerable Linksys WRT54G [2]. Specific vulnerabilities in home routers range from traditional Web attacks, such as XSS and CSRF, to authentication bypass attacks and buffer overflows; it is assumed that the reader has at least a passing knowledge of the attacks described in this paper.

https://www.exploit-db.com/docs/252.pdf