>>So, thank you for coming to my talk on travel routers. This is something that I just found very exciting to work on. My name is Mikhail Sosonkin, I'm the director of data and research at Synack, and Synack is a company that leverages the crowd to find vulnerabilities for our clients. So if you like discovering vulnerabilities, if you like hacking, this is something you might want to try out, because it's a way to do real-world vulnerability discovery and get paid to do it. In the process of doing that, we get to work on a lot of IoT devices, and I had a problem: I found myself to be a digital nomad for a while, moving around from an Airbnb to a cafe, and I had to connect all my devices, like laptops, phones, my wife's laptop and her phones as well. It became really annoying to do that, so I was trying to find something that would solve this problem for me. This was the motivation for discovering a whole section of devices that I did not know existed before this, called travel routers. In fact, I have one right here; they're about the size of this device. There are tons of them out there. I picked this HooToo TripMate because it is very reasonably priced, there are a whole bunch of reviews out there, and people say that it is actually good for you: it provides some security, it's very convenient to use, etcetera, etcetera. And I figured, okay, I'll try it out. So I bought one, and it was really useful, because I was able to have all my devices connected to it using WiFi, and then I would just connect it to the cafe WiFi and it would bridge the two together. It's small, good for travel, has a battery pack, never catches fire, and it gives you a little layer of protection. I felt a little bit warm and cozy because I was connecting to my own little network,
using network address translation. So I thought, hmm, this is interesting, I like to hack things; does it actually make me secure, or worse, does it make me less secure? And so I started doing some analysis. The first thing I did, of course, was a network scan to see what services were available. I wasn't that surprised to find that HTTP port 80 was open, and this is for the admin interface. However, when I actually looked at the admin interface I found that it had two services responding to me. One was lighttpd, which is very popular and which I was very familiar with, but the other one was called vshttpd. I was a little bit confused for a while; clearly there is some sort of proxying going on in the background, but what is this service? So I went out to Shodan, because that is what you do when you are curious about something, and I searched for it. I found a few devices; not many of them are out there, but I would expect a lot of them are actually hidden behind private networks, so you wouldn't be able to see them, but there are still a few that come up once in a while, primarily in Asia: Japan, China; I didn't find any in North Korea, but there were some Taiwan devices. So I knew they were out there somewhere and there was some importance to them. Then I turned to the device itself and decided to start reverse engineering. First, I downloaded the firmware from the HooToo main page, and that was easy, I just clicked download. It turned out to be a RAR archive, which you can just extract, and what you get back is a shell script. At the bottom of the shell script there is a file system attached; it was gzip compressed, but that's trivial. Once I mounted it I found that it was an ext2 file system, and it had more stuff in there; primarily there was something called the rootfs.
I figured, okay, that's interesting, it's a little-endian SquashFS, and that's consistent with what you'd expect from a flash-based device. So I mounted them and looked at the configuration, and I found that it had this ioos service, referenced from the lighttpd config files, and I figured that this was the vshttpd implementation. I didn't know what else to do, so I went around some more. I found a shadow file, I saw the hash, I quickly threw it into John the Ripper; I felt really elite with that one because it took a couple of days to crack. But I didn't know what else to do with it, because I didn't really have any place to use that password. Going online, I found that there was some research done on other devices from HooToo, such as the original Titan and the Nano; they're all kind of similar in a way. However, I had the Elite, and it didn't have telnet anywhere on the device. I thought, hmm, what are the chances that the vendor would actually make custom firmware for each and every one of them? It's probably all the same, and they just disabled telnet on my device to make it a little more secure. And sure enough, when I searched the firmware, I found that it had an "open telnet" .sh script that would actually enable telnet on my device. But I still didn't have any way to run it, until I realized that I could just fake a firmware update and tell it to execute the file and enable telnet for me. But when I tried that, even though there were no signatures and no real validation done on this firmware, for some reason it did not execute, and I didn't really know what else to do, so I just continued reverse engineering. Throwing the ioos service into IDA, I eventually found this function called "check firmware 2", which apparently does a checksum validation on the firmware that you upload.
And of course there was no signature or anything like that, so I said, okay, I can just generate my own checksum. So I did that, I just put it up there, and the device was very happy to accept it, and it just executed the open-telnet script for me. It said there was an error updating the device, because the script didn't exit cleanly, so it automatically assumed that there was a problem. However, doing this enabled telnet, and I was able to get a shell, execute commands, and essentially do dynamic analysis: download a debugger, attach to any service, etcetera. So this was very happy news for me. In the course of reverse engineering I also found that the developer thought they were writing C++, because most of the internal state was in structures that looked awfully like objects. There would be buffers inside, there was internal state, and it would usually be followed by function pointers right at the bottom of the structure itself. Usually there would be an initialization function that assigned function pointers to the actual structure, and when those functions were used, every time it would pass in the pointer to the structure itself. So it is very much like the this pointer in C++. That's kind of cool. In and of itself it's not really a problem; however, it feels like a very hairy situation when you have lots of buffers and function pointers sitting right next to each other. So immediately I thought, okay, what kind of memory protections does it provide? I found that it had partial address space randomization: the binary itself and the heap were at static locations; however, the libraries and the stack were randomized, so they moved around. But there was nothing else: there were no stack canaries, there were no heap protections, and of course control flow integrity would be way too advanced for this device.
Alright, so then I started looking for vulnerabilities. I started fuzzing, and I honed in on the fname parameter of the GET request, because I saw that fname was actually echoed back to me verbatim: whatever I put in there would come back inside an XML file. So I thought, I wonder what happens there. After about two seconds I found that there was a buffer overflow. What was happening was that the developer was copying the value of the parameter into a buffer on the stack using sprintf, which is of course an unbounded copy, essentially, and it just quickly overflowed, and I was able to control the return address on the stack. So I did that, and I was really excited, and I thought, man, I have this vulnerability so quickly, I can just exploit it and get execution, because I can control the program counter. However, what I found is that even though I could control the program counter, I couldn't point it anywhere useful. I tried pointing it at the main binary and the heap, because they were static and I could predict those addresses, but those things were allocated in low memory, so I had to insert a null somehow into the string. Unfortunately, I couldn't do it literally, and I couldn't use sprintf's terminating null for this address, because of the format string that it was using. Then I tried to use ret2libc attacks, to see if I could point it at some gadget or directly at the stack, because everything was essentially executable. But those things move around, so I would have needed some sort of information-leak attack in order to actually do this, so I decided to move on. I started fuzzing other fields; for example, the cookie field immediately overflowed for me as well.
This one was a little bit more complex; this was a heap overflow. What was happening was that the developer allocated one of those object structures, which was called cgi tap, and inside there was a buffer of 1024 bytes. Now, in order to fill the buffer they would take the value from the cookie and just use strcpy, which was obviously unbounded, and put it in there. Immediately I thought, okay, if it's a 1024-byte buffer, I will just send 1036 bytes and overwrite one of the function pointers of the structure. So I did that, and about a hundred or so instructions later this function would be used, and I was able to control the program counter by changing the function pointer in the structure; as soon as it jumped to that location, I had control there. Now, I was really excited about this, because there were a lot fewer restrictions: it was a strcpy, and there was no format to deal with. So what I did is I actually pointed it back into the heap, because that's where the value of the POST message body was being stored, and a POST message body is pretty much designed for any sort of data, so I could insert pretty much any value, and I didn't have to encode my shellcode, and I was able to gain execution that way. Alright, so now I can actually show you a demo of this. I thought, well, if I'm an attacker and I have this exploit, what is it that I can do? So this demo shows pretty much everything that we've talked about up to this point. I was able to attach a debugger: I was able to get telnet in there, and then I attached with the debugging client, gdb. So then I started looking for some coffee, went to this website, and I thought, okay, everything is working, the device is fine. I throw the exploit, and now we just let the program run.
We can see it's working just fine, and then we see some of the damage that the exploit has done to this device. When I refresh the same website, we can see that I'm able to inject JavaScript and essentially demonstrate a man-in-the-middle attack. The way it was done is basically by executing iptables rules that allow me to redirect HTTP traffic somewhere else, to some proxy that I've created. And you might say, well, so what, of course HTTP is vulnerable, it's all in clear text; doesn't everybody just use SSL now? Unfortunately not. According to Google's transparency report, there are still tons and tons of very popular websites, such as cnn.com and bbc.co.uk, that still use HTTP for a lot of portions of their website. And really, I just need one that will allow me to inject JavaScript in order to install keyloggers or launch browser attacks that way. So there are multiple ways to actually exploit a router and to trigger these vulnerabilities. First, you can go through XSRF; let's say an attacker visits a web forum and there is some sort of request that has an fname parameter in there. Now, even though I wasn't able to exploit it for this demo, it doesn't mean that the device doesn't have any other attacks. And so, if it were susceptible to other overflows through the unauthenticated GET requests, we could potentially do it without even being close to the device itself. The other option is from the external WiFi: like I said, this is a travel router, it connects to all kinds of networks with questionable cyber hygiene, and so it could be vulnerable to exploitation from there. And then, of course, from inside the WiFi itself. Now, what if you connect an Android device that has malware that specifically targets the infrastructure?
For example, there was one called Switcher, which would look for routers to attack from the Android device. Alright, so we're pretty much getting to the end at this point. This was a lot of fun. These vulnerabilities were reported to the vendor and were recorded in the CVE database. The stack overflow was very easy to fix: just specifically use snprintf, which is bounded, or, in more general terms, you can use stack canaries, which wouldn't prevent the vulnerability itself but would at least terminate the attack vector, and it wouldn't be possible to take advantage of this. The heap overflow is a little bit harder to deal with. Basically, just use a bounded strncpy, or, in more general terms, you can try to encode your function pointers, which is something that Windows does. But unfortunately, as you can see here, the NSA has a patent on that, so we don't get to use it. Alright, so why would somebody actually try to attack travel routers, or any sort of infrastructure? There are a lot of use cases for this. The first one is attribution obfuscation: if I'm an attacker and I want to hide my exploits, I may want to blame someone else for it, so I can exploit their infrastructure and then use that as a jumping point for my attacks. Of course, stealing user information: authentication tokens, usernames, passwords, pretty much anything that is unencrypted I can start collecting from this device. And then also I can manipulate the user information; you saw in the demonstration that I was able to inject JavaScript, so that means I can inject exploits, I can manipulate what they see, etcetera, etcetera.
And, of course, the last one is getting a foothold into other networks. It's a travel device, so it's going to be touching a lot of different networks, and if I want to propagate as fast as possible, I may try to use this device to launch attacks into Airbnbs, hotels, enterprises, what have you. So I reported this to the vendor, and they were quite happy to receive it. They said, hey, thanks for finding these vulnerabilities; however, our entire product team is off for the Spring Festival [laughter]. I said to myself, this is kind of cool, I want to be part of that, it sounds like fun. Then it turns out this was actually the Chinese New Year; I didn't know this, so it was a really cool cultural thing to learn. And of course, as soon as the Chinese New Year was over, everyone got back, and they promptly responded by sending me a patched version personally, but nothing to anyone else [laughter]. About a couple of weeks later I noticed that it wasn't published on the website, so I said, hey, can you guys make this public so that people are not exploited by anyone? And so they did. They just said that the release cycle was a little bit slower than just sending me an email. That was cool; they were super nice about it. So, what did we learn from this process? You know the saying, "don't roll your own crypto"; well, I think there should be a saying that says "don't roll your own custom CGI web server", because those things are notoriously complex, there's a lot of work to be done, and there's a lot of parsing happening in there. And so really, either get a lot of people, get a lot of eyes, or use something that has been tested by the community. Vendors do respond; I had a pretty good experience in this case. If you can, use something like OpenWrt, just because, like I said, it's been tested and used by other people. To me, exploiting routers is a lot of fun.
I didn't know MIPS before this, so it was kind of cool to learn this whole process, and to be honest, I was really surprised that people still use strcpy and sprintf just like they did in 1999. Alright, so if you enjoyed this and you want to chat about it: thank you for coming, it's been a real pleasure to be here, and if you have more questions, please go ahead and ask. And if you want to catch me in the hallways or online, you can find me there as well; I love to talk about this stuff. I will also put about four different articles on my blog describing all the processes I've gone through and more information about reverse engineering at debugtrap.com. So, thank you for your attention. [applause]
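The two bug classes the talk describes (sprintf of the fname parameter into a stack buffer, and strcpy of the cookie into a 1024-byte buffer that sits right in front of a function pointer) and the fixes it names (snprintf, a bounded copy, and encoded function pointers) are shown below as an added C example. This is not the speaker's code, the device's firmware, or the vendor's patch: the struct name, member names, the 256-byte stack buffer and the fixed pointer mask are all assumptions made for the example, and only the buffer-then-pointer layout and the 1024/1036-byte sizes come from the talk.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the object the talk describes: a fixed-size
 * buffer with a function pointer laid out right after it, so an unbounded
 * copy into the buffer runs into the pointer. Names are invented here. */
#define COOKIE_MAX 1024

struct cgi_obj;
typedef int (*handler_fn)(struct cgi_obj *self);

struct cgi_obj {
    char cookie[COOKIE_MAX];
    uintptr_t handler_enc;   /* function pointer, stored XOR-masked */
};

/* Per-process mask for pointer encoding. Fixed here so the example is
 * deterministic; a real build would fill it from a CSPRNG at startup so an
 * attacker who overwrites handler_enc cannot choose where it decodes to. */
static const uintptr_t ptr_mask = (uintptr_t)0x5bd1e995u;

static void set_handler(struct cgi_obj *o, handler_fn f) {
    o->handler_enc = (uintptr_t)f ^ ptr_mask;
}

static int call_handler(struct cgi_obj *o) {
    handler_fn f = (handler_fn)(o->handler_enc ^ ptr_mask);
    return f(o);
}

/* Vulnerable pattern from the talk: strcpy into the 1024-byte member.
 * A 1036-byte cookie writes straight through into handler_enc. */
void set_cookie_vuln(struct cgi_obj *o, const char *value) {
    strcpy(o->cookie, value);
}

/* Hardened: measure first and reject anything that does not fit, rather
 * than silently truncating (the caller should answer 400). */
int set_cookie_safe(struct cgi_obj *o, const char *value) {
    size_t n = strlen(value);
    if (n >= sizeof o->cookie)
        return -1;
    memcpy(o->cookie, value, n + 1);
    return 0;
}

/* Vulnerable pattern for the stack bug: sprintf of an attacker-controlled
 * string into a fixed stack buffer (256 bytes is an assumed size). */
void format_fname_vuln(char *out, const char *fname) {
    char tmp[256];
    sprintf(tmp, "<fname>%s</fname>", fname);
    strcpy(out, tmp);
}

/* Hardened: snprintf plus an explicit check for truncation. */
int format_fname_safe(char *out, size_t outsz, const char *fname) {
    int n = snprintf(out, outsz, "<fname>%s</fname>", fname);
    if (n < 0 || (size_t)n >= outsz)
        return -1;   /* would not have fit: reject the request */
    return n;
}

static int ok_handler(struct cgi_obj *self) {
    (void)self;
    return 42;
}

/* Feeds a cookie of `len` 'A' bytes through the hardened setter and checks
 * that the pointer behind the buffer still decodes to ok_handler.
 * Returns 0 = accepted, 1 = rejected, -1 = handler corrupted. */
int cookie_probe(size_t len) {
    struct cgi_obj o;
    char *v = malloc(len + 1);
    int rejected, intact;
    if (!v) return -1;
    memset(v, 'A', len);
    v[len] = '\0';
    memset(&o, 0, sizeof o);
    set_handler(&o, ok_handler);
    rejected = set_cookie_safe(&o, v) != 0;
    intact = call_handler(&o) == 42;
    free(v);
    return intact ? rejected : -1;
}

/* Formats a `len`-byte fname through the hardened path into a 256-byte
 * buffer; returns the length written or -1 when it would have overflowed. */
int fname_probe(size_t len) {
    char out[256];
    char *v = malloc(len + 1);
    int r;
    if (!v) return -1;
    memset(v, 'A', len);
    v[len] = '\0';
    r = format_fname_safe(out, sizeof out, v);
    free(v);
    return r;
}

int main(void) {
    printf("handler sits at offset %zu, right after the %d-byte buffer\n",
           offsetof(struct cgi_obj, handler_enc), COOKIE_MAX);
    printf("1036-byte cookie: %s\n", cookie_probe(1036) == 1 ? "rejected" : "accepted");
    printf("300-byte fname: %d\n", fname_probe(300));
    return 0;
}
```

The vulnerable functions are defined so the two patterns can be read side by side, but nothing calls them with oversized input, since that is undefined behaviour and the result depends on the allocator and compiler. The pointer encoding only helps if the mask is secret and per-process; with the fixed constant used here an attacker who knows the binary could pre-mask the address they want, so treat it as a placeholder for a random value.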