
WRT120N fprintf Stack Overflow - pedro84
http://www.devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/
======
brandon
You'll have to forgive me for the awful presentation format and pacing, but
here's a fun trick for bypassing the auth system on the Asus WL-700gE circa
2007:

[http://www.toaster-of-doom.com/~brandon/no_crawl/router/](http://www.toaster-
of-doom.com/~brandon/no_crawl/router/)

Spoiler alert: it makes the WRT120N look like Fort Knox. These companies have
come a long way over the years.

~~~
bobbles
I clicked the link expecting not to understand what was happening.. but wow..
thats insane

~~~
BorisMelnik
same here - I thought it was gonna have like 10 bash shells open with some
crazy buffer flow

------
zdw
Use OpenWRT people. Modern kernel. Good security. Can be configured with
devops tools like Ansible (assuming you have the flash to load Python).

[https://openwrt.org](https://openwrt.org)

~~~
ojii
how safe is it to install OpenWRT? What are the chances of me bricking my
router if I have no clue what I'm doing?

My model is sort of listed in their supported hardware section (it's the
Japanese version of the Buffalo WZR-600DPH2, though the "2" at the end is
missing in their database).

------
meowface
Note this is technically a stack buffer overflow, not a stack overflow.

------
Osiris
This is why I only buy routers that are known to be compatible with open
source firmwares like Tomato, DD-WRT, or OpenWRT. I have never trusted OEM
firmware, not only for security but they tend to be really buggy.

------
Morgawr
I'm far from an expert security pentester but I know my basics... and I'm
always amazed at how simple these exploits are. Guys, come on, it's 2014, if
you're writing C and using strcat/strcpy/sprintf/fprintf/etcetc with non-
sanitized input, you're pretty much asking for it.

Even a rookie would spot such mistake and exploit it, it's always among the
first obstacles to bypass at local CTFs and it's the #1 exploit that people
think about when they think about a "security vulnerability".

~~~
ksk
Well, its not quite that easy for a rookie as you say. Just because you can
trigger a buffer overflow bug does not mean you can exploit it. Most modern
processors will allow disabling execution with an IP-on-Stack test. Thats
assuming you can actually control the IP... , and assuming you can actually
deliver the payload in the corrupted program state and not crash the program,
etc etc..

~~~
annnnd
Even a rookie would spot this mistake, but he would need to learn a lot before
exploiting it. But with a nice target like this one... :)

~~~
ksk
I don't agree that this is a valuable target. AFAIK most consumer routers
disable access to the web interface from outside the LAN range (by default).

~~~
Stamy
Yes but you can break almost any routers wifi password in 24hrs.

~~~
sp332
But you have to be in range of the wifi to do it. This isn't something that's
going to be a widespread problem.

------
api
In other news, it's 2014 and people still use non-bounds-checked string
libraries in C to deal with unvalidated and unauthenticated inputs from a
network.

~~~
sitkack
The answer is to stop using C. It doesn't even have to be in Haskell. Hell Lua
stops this class of bugs.

~~~
laichzeit0
If you're building these things it depends what your target market is. How
much you want to pay for flash, RAM, packaging, etc. When flash space is a
premium (I'm talking 2MB) it becomes a tradeoff between using a tiny C
webserver and having a few extra functions or adding a Lua interpreter and
dropping those tools. We're talking operating in a margin of a few hundred
kilobytes.

Also, some of these firmwares are based on an existing code base, it's just
cheaper to hack it than replace it.

~~~
justincormack
openwrt runs Lua, and runs on many of these boxes. It is pretty small and you
can cut it down further - eLua runs happily on microcontrollers.

~~~
sitkack
eLua runs on this board, STM32F4DISCOVERY
[http://www.st.com/web/catalog/tools/FM116/SC959/SS1532/PF252...](http://www.st.com/web/catalog/tools/FM116/SC959/SS1532/PF252419)
and is quite easy to setup following instructions from
[http://www.fussylogic.co.uk/blog/?p=1222](http://www.fussylogic.co.uk/blog/?p=1222)

------
userbinator
Every time I see stuff like this (buffer of some convenient fixed length, no
real attention paid to its length) I really wonder whether whoever wrote that
code ever thought of how long a string _could_ be (the entire address space of
your process, basically), what the limits are, etc. If vsprintf() had the same
256-byte limit on its output buffer, there wouldn't be any overflow. If this
fprintf() implementation was documented as to be used for output not exceeding
255 bytes, maybe who wrote the caller code would use "Location: %.243s\n\n"
instead. Although a fully general fprintf() should not have any arbitrary
limits like that, in a special-case embedded system like this it's not
uncommon --- but if it has limits, _they should be documented clearly_.

I think it's not a matter of language or "safety" or "security" or anything
else; it's a very, very, VERY simple matter of _knowing the sizes and limits_
whenever you write code or design anything. Somehow I think all this...
astounding ignorance stems from the misconception that memory is somehow an
infinite resource, or the discouraging "if you need to know the limits, you're
doing it wrong" type of thought. It is _very_ important that you know the
limits, so that you can work within them.

(Capitalising the words "Stack Overflow" is now a bit confusing, thanks to the
site of the same name...)

------
adestefan
For those following along at home remember that MIPS has a delay slot. That's
why the add is listed after the jr even though the add is executed before the
return.

------
est
I still remember HN/reddit bashing Chinese crap router with crap firmware
yesteryear :)

~~~
meowface
It seems that all router/home networking device firmware is universally shitty
and full of holes.

Example:
[http://securityevaluators.com/knowledge/case_studies/routers...](http://securityevaluators.com/knowledge/case_studies/routers/soho_router_hacks.php)

~~~
mariuolo
With consumer gear it's a race to the bottom.

Until customers will demand more security than fancy features this problem
will not be addressed.

~~~
Pxtl
For routers? What fancy features? They want a cheap way to create a wi-fi
network that doesn't crash. Only a small fringe group of consumers have
interest in exotic features in their wifi routers.

------
afhof
Are there ANY hardware manufactures that know how to write software? It seems
like both firmware and hardware were an afterthought to almost any piece of
computer hardware I have seen.

------
laichzeit0
Man having worked on a few router firmware sources I'm surprised there's not
an exploit for every router out there, except maybe for the OpenWRT ones.

There was one router that had a built in backdoor, lets say you hit the router
on a hidden page /sysctrl.html, which gives you essentially a poor-man's
console with an input to send any command as root and it writes the output
into a textarea. I mean it's as simple as launching telnet and then you're on
the router as root.

~~~
mook
I had one like that close to a decade ago (cheap ZyXEL, /syscmd.asp). However,
I treated it as a feature; I think it was my first Linux-based router. That,
and I only found it by exploring the filesystem base on the ping prompt that
(IIRC) was passed to the shell without escaping semicolons...

I _think_ that page was behind auth; either way, anybody who had gotten on my
home router could just have stepped over and unplugged it, so it wasn't an
issue in my case.

------
conradev
This article reminds me of a talk given at 29c3:

[http://youtu.be/f3zUOZcewtA](http://youtu.be/f3zUOZcewtA)

Embedded devices are woefully insecure and no one seems to care!

------
Canada
"I respect myself. That's why I refuse to use sprintf"

hahah. Nice.

~~~
DCoder
It's from [0], which was on HN not too long ago [1].

[0] [http://natashenka.ca/posters/](http://natashenka.ca/posters/) [1]
[https://news.ycombinator.com/item?id=7156405](https://news.ycombinator.com/item?id=7156405)

------
dbbolton
What editor is that?

~~~
etc_passwd
It's a Disassembler - Ida Pro

[https://www.hex-rays.com/products/ida/](https://www.hex-
rays.com/products/ida/)

