In this article, I will present a buffer overflow vulnerability in a modem of an ISP in Viet Nam. This is one of the many vulnerabilities I have found in this modem device. Currently, this vulnerability has not been fixed by the ISP or the modem manufacturer, so I only provide some basic information about the device.

0x00 Overview

The vulnerability appears in the modem’s portal_Form. It allows an attacker to achieve Remote Code Execution on the modem without administrator access to the modem’s web portal. However, it can only be exploited by an attacker who is connected to the modem’s WiFi, or via a CSRF attack against a WiFi user.

Some basic information about the vulnerability is as follows:

  • Type of device: GPON router
  • Operating system: Linux 2.6+
  • Application: WebMgr, which manages the web portal of the modem
  • Protection mechanisms: no DEP, ASLR, or stack canary

The buffer overflow vulnerability appears in the modem’s portal_Form. portal_Form is accessed with the following connection:

Here is the pseudo-code of the portal_Form function:

The portal_Form function works as follows:

  1. Handles the request sent by the client, taking the value of the actiontype parameter from the body of the request.
  2. Copies the value of actiontype to a buffer in the .data section (buffer address 0x356e4).
  3. If the value of actiontype is “ping” or “traceroute” and the WAN state is 1, calls diag_check. Otherwise, returns “WAN NOT UP” or a vulnerability notice to the client.
  4. The diag_check function, if called, performs the ping or traceroute work via the system() command.
  5. Finally, portal_Form returns the result of diag_check.

The buffer overflow occurs because the value of actiontype is copied without checking its length. As a result, some values in memory are overwritten, which enables remote code execution on the device.

In the pseudo-code of the diag_check function below, we can see that it calls system() with the memory address 0x3577c as its argument. Command injection is therefore possible if the contents of 0x3577c are changed.
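As an added illustration (not the modem’s code and not from the original post), here is a constructed C model of the handler shape described above: the unbounded strcpy() into a .data buffer that sits below wan_state and the command string, beside a hardened version that bounds the copy, accepts only the two expected keywords, and builds the diag command from the keyword rather than from request bytes. Buffer sizes, field offsets and the ping target are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACTION_MAX 16  /* constructed size; the device's real buffer size is not on the page */

/* Constructed model of the handler's .data layout: the actiontype buffer sits
 * below wan_state and the command string that later reaches system(), so an
 * unbounded copy into actiontype runs over both (the page's 0x356e4, 0x35768
 * and 0x3577c; the offsets here are illustrative, not the device's). */
struct portal_state {
    char     actiontype[ACTION_MAX];
    uint32_t wan_state;      /* 1 when the WAN link is up */
    char     diag_cmd[32];   /* string handed to system() by diag_check */
};

/* Vulnerable shape, as the write-up describes it: no length check at all. */
void portal_form_vulnerable(struct portal_state *s, const char *actiontype)
{
    strcpy(s->actiontype, actiontype);   /* runs past actiontype[] on long input */
}

/* Hardened shape: bound the copy, accept only the exact keywords the handler
 * understands, and never let request bytes reach the string passed to system().
 * Returns -1 (rejected), 0 ("WAN NOT UP"), 1 (diag_check would run). */
int portal_form_hardened(struct portal_state *s, const char *actiontype)
{
    static const char *const allowed[] = { "ping", "traceroute" };
    const char *end = memchr(actiontype, '\0', ACTION_MAX);
    if (end == NULL)                     /* no terminator within the buffer: refuse */
        return -1;
    size_t n = (size_t)(end - actiontype);
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (strcmp(actiontype, allowed[i]) != 0)
            continue;
        memcpy(s->actiontype, actiontype, n + 1);   /* n < ACTION_MAX, so it fits */
        if (s->wan_state != 1)
            return 0;
        /* Command text comes from the fixed keyword, not from the request. */
        snprintf(s->diag_cmd, sizeof s->diag_cmd, "%s -c 3 127.0.0.1", allowed[i]);
        return 1;
    }
    return -1;                           /* unknown action: nothing copied, nothing run */
}

int main(void)
{
    struct portal_state st = { "", 1, "" };
    printf("ping -> %d\n", portal_form_hardened(&st, "ping"));   /* prints 1 */
    return 0;
}
```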

0x02. Exploit the ISP Modem

With the above buffer overflow, we can overwrite the memory area at 0x3755c with the following request:

However, with the above request, the value of wan_state (stored at memory cell 0x35768) is also overwritten with “AAAA”, so the command is not executed by system() in the diag_check function.

To get the command executed, we need the memory layout below:

Setting wan_state = 0x00000001 requires null bytes, which strcpy cannot copy. Based on the static nature of the .data memory area, I use the trick below to set up the memory layout and get the command executed.

I send 4 requests as follows:

The 1st request: set up the memory layout:


At this point, memory cell 0x3577c contains the command to execute.

The 2nd request:

Overwrite the 4th byte of memory cell 0x35768 with 0x00. The contents of memory cell 0x35768 are now 0x696969.

The 3rd request:

Continue by overwriting the third byte with 0x00 using the contents of the request:

The value of wan_state is now 0x6969.


The 4th request:

With the 4th request, I was able to set the contents of wan_state at address 0x35768 to 0x00000001, and the command was executed once the 4th request completed.

So, I have presented a basic buffer overflow vulnerability in my ISP modem.

With this vulnerability, attackers can execute commands on the modem without having the modem’s login credentials.

Thank you for reading.

We would be glad to receive your feedback; if you have any suggestions or comments, contact: contact@vsec.com.vn.

Best Regards,

A member of VReT

Credits

  1. My older brother: KienManowar
  2. The VReT Team on the Vietnamese Security Network.