Holes In Embedded Devices Authentication Bypass (pt 1)

Thu, 14 Feb 2008 12:13:33 GMT
by pagvac

Finding authentication bypass bugs is an obvious choice for attackers, since such bugs allow administrative changes to be made without knowledge of the admin password. In other words, compromising the target device without requiring a password is of course something attackers are interested in! You bet!

After performing my own research and going through authentication bypass bugs on embedded devices published by other peers in the community, I came to the conclusion that these bugs are usually (or at least quite often) very simple flaws in web interfaces. Once you find one of these bugs they are usually trivial to exploit, and remind you of web vulnerabilities that you would expect finding in the 90s, but not these days.

The fact that embedded devices are very primitive in terms of hardware, ultimately means that the security of the software running on them is also sacrificed. Most of the authentication bypass bugs found on web interfaces of embedded devices fall into one of the following categories:

  • URL fuzzing a.k.a. additional representation of URLs
  • A-to-C attacks a.k.a. knowledge of "post-authentication" URLs
  • Unchecked HTTP methods
  • Unchecked administrative HTTP requests aka unprotected cgi scripts
  • Unprotected redirects

We will go through all these authentication bypass bugs in detail. For this post, we will only cover the first type: URL fuzzing a.k.a. additional representation of URLs<.

Authentication bypass via URL fuzzing

URL fuzzing targets bugs in the web server or server-side scripts that are part of the web console of an embedded device. These bugs could be due to a poorly-written regex, and finding them is all about finding alternative ways to represent a URL that would usually grant access to administrative functionalities. Sometimes, there are multiple ways a URL can be represented which is still understood by the target device, but causes the device to not require the user to enter a password.

For instance, the BT Home Hub, which is the most popular DSL router in the UK is vulnerable to an authentication bypass bug due to the device accepting multiple representations of the same URL as valid, but only checking for password when submitting URLs in their original form. For example, the URL for accessing the firewall settings looks like: http://bthomehub/cgi/b/secpol/cfg/ or http://bthomehub/cgi/b/secpol/cfg/?ce=1&be=1&l0=4&l1=7 (they're both equivalent). However, appending various characters after the directory path allows attackers to completely bypass the authentication prompt:

...and so on. The same technique could be used in this case not only to retrieve administrative settings, but also to make administrative changes. The only difference is that the requests must be submitted as POST rather than GET, but we still append the special characters to the URL the POST request is submitted to.For instance, the following POST request causes the BT Home Hub to call the Internet Office of the Holy See. Notice the double slash in the POST URL:

POST /cgi/b/_voip_/stats//?ce=1&be=0&l0=-1&l1=-1&name= HTTP/1.1
Host: bthomehub

0=30&1=00390669893461

Such requests could be submitted by the victim's web browser via a HTML form with a method="POST" attribute:

<html>
<body>
<form name="form" method="POST" enctype="application/x-www-form-urlencoded" action="http://bthomehub/cgi/b/_voip_/stats//?ce=1&be=0&l0=-1&l1=-1&name=">
<input type="hidden" name="0" value="30"/>
<input type="hidden" name="1" value="00390669893461"/>
</form>
<script>form.submit()</script>
</body>
</html>

Archived Comments

nexactnexact
hey pdp! did I gave you some idea with my auth bypass for airspan prost antenna ? heheh ;) good posts. ;-) btw.. if your able to put your hand on a device with port 23 open and you have the firmware.. disassemble it, check if you can't find a default login/passwd account in it.. i made a found during a pentest, apc battery had a backdoor account.. I've been able to go in debug mode and dump the eeprom then gain access to web interface. gg. :) i know theres a couple of websites around there that giving out default password but you can be *really* surprised if u take a look by yourself.
nexactnexact
s/pdp/ap/ in the last comments
Adrian PastorAdrian Pastor
hey nexact, thanks for your feedback! just for the record the BT Home Hub auth bypass mentioned as an example was published in Oct 2007 (http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub) and found a month before that. Needless to say, URL fuzzying is nothing new. The point of this post series is to show that embedded devices can be susceptible to *very* trivial auth bypass bugs. You're so right, that we shouldn't just rely on documented default accounts when trying to find a valid username/password combination. Reverse-engineering the firmware is definitely the way forward!
apap
correction: "that we shouldn't just rely" -> "we shouldn't just rely"
NurBoNurBo
good shez Adrian Pastor keep it up I like all 3 parts!
joephantomjoephantom
nice photo. differential equations and gauss's divergence are your best friends.
spenserspenser
Never mind a ups. There is a $30K+ "enterprise unified threat management" appliance that seems to have a hard coded backdoor super admin account that is not documented to purchasers. It certainly is not mentioned in the documentation. But, it can be seen plain as day to anyone looking at the firmware. As a matter of fact, in recent years, the newsgroups are rife with complaints from admins that the first thing support wants when called is to be granted admin access from outside the perimeter. Naturally, due to the fact that firewall admins are likely to be somewhat aware of security, this tendency has raised a great deal of derision. The existence of a secret "super admin" account would certainly explain the desire of first level support techs to gain permission to logon.