List: full-disclosure
Subject: [FD] Realtek Managed Switch Controller RTL83xx
From: bashis <mcw () noemail ! eu>
Date: 2019-08-20 21:44:03
Message-ID: 27D52D35-098F-420A-94AA-EDB306218148 () noemail ! eu
[SOT]
[Subject]
Realtek Managed Switch Controller (RTL83xx) PoC (2019 bashis)
https://www.realtek.com/en/products/communications-network-ics/category/managed-switch-controller
[Brief description]
1. Boa/Hydra suffer from an exploitable stack overflow with a 'one byte read-write loop' without boundary check. (all FW versions and vendors affected)
Note: The vulnerability is _not_ from Boa nor Hydra; it comes from Realtek's additional coding.
2. Reuse of code between vendors gives almost identical exploitation of the found vulnerabilities.
3. Two strcpy()-vulnerable fixed buffers next to each other in the same function make it easy to jump in Big Endian.
[Goals for this PoC]
1. One Python PoC for all vendors
Using dictionaries to have one 'template' for each vendor and another dictionary with unique details for each target, merged on the fly.
The Python code reads and uses the details from the dictionary when verifying/exploiting.
2. Uniquely identify the remote target
ETag - Static and an excellent tool for determining the remote target, due to the non-changing 'last modified' within the same revision of the Firmware.
ETag: xxxxx-yyyyy
xxxxx = file size (up to 5 digits)
yyyyy = last modified (up to 5 digits)
3. Reverse shell
MIPS Big Endian shellcode is the only option, as there is no 'netcat/telnet/stunnel... etc' available.
4. Add/delete credentials for GUI/CLI
Quite many of the firmwares have the 'option' to add valid credentials by unauthorized updating of 'running-config'.
For those that have added protection, we can add/delete credentials with a somewhat interesting jumping sequence.
[Technical brief]
1. Stack - Read/Write/Executable (using CMD injection in the PoC to turn off ASLR)
2. Heap - Read/Write/Executable (no need to turn it off; ASLR is not turned on for the heap)
3. fork - Boa/Hydra use forking shellcode, as I want to try to restart Boa/Hydra to avoid a DoS after a successful reverse shell
With two vulnerable fixed-size buffers in the same call, we overwrite $RA with four bytes, then overwrite the first byte of $RA with the second buffer's NULL termination. This allows us to jump within the binary itself, passing arguments for the function we jump to by tailing them onto the original request.
[Basically]
First buffer:  [aaaaaaaa][0x58xxxxxx] ('a' and 0x58 will be overwritten by the second buffer)
Second buffer: [bbbbb][bbbbbbbb][0x00xxxxxx] (NULL termination will overwrite 0x58)
[Known targets]
All of the below are fully exploitable, with the following exception:
[*] ETag: 639-98866 [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.45]
[*] ETag: 639-73124 [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.37]
Not because they are not vulnerable, but because 1) their heap addresses lie in the '0x478000-0x47a000' range, and 2) they use obfuscation ('encode') for the password (99 bytes max), so we can never reach the 'two buffers' jump method. [They are still fully exploitable with the Boa/Hydra vulnerability]
Note:
In this PoC I have only implemented a few affected versions; in reality there are many more models and FW versions affected.
$ ./Realtek-RTL83xx-PoC.py --etag help
[*] Realtek Managed Switch Controller RTL83xx PoC (2019 bashis)
[*] RHOST: 192.168.57.20
[*] RPORT: 80
[*] LHOST: 192.168.57.1
[*] LPORT: 1337
[+] Target: List of known targets
[*] ETag: 225-51973 [Cisco Systems, Inc. Sx220 v1.1.3.1]
[*] ETag: 225-60080 [Cisco Systems, Inc. Sx220 v1.1.4.1]
[*] ETag: 752-76347 [ALLNET GmbH Computersysteme ALL-SG8208M v2.2.1]
[*] ETag: 225-21785 [Pakedgedevice & Software Inc SX-8P v1.04]
[*] ETag: 222-71560 [Zyxel Communications Corp. GS1900-24 v2.40_AAHL.1_20180705]
[*] ETag: 14044-509 [EnGenius Technologies, Inc. EGS2110P v1.05.20_150810-1754]
[*] ETag: 13984-12788 [Open Mesh, Inc. OMS24 v01.03.24_180823-1626]
[*] ETag: 218-22429 [PLANET Technology Corp. GS-4210-8P2S v1.0b171116]
[*] ETag: 218-7473 [PLANET Technology Corp. GS-4210-24T2S v2.0b160727]
[*] ETag: 752-95168 [DrayTek Corp. VigorSwitch P1100 v2.1.4]
[*] ETag: 225-96283 [EDIMAX Technology Co., Ltd. GS-5424PLC v1.1.1.6]
[*] ETag: 225-63242 [EDIMAX Technology Co., Ltd. GS-5424PLC v1.1.1.5]
[*] ETag: 224-5061 [CERIO Corp. CS-2424G-24P v1.00.29]
[*] ETag: 222-50100 [ALLNET GmbH Computersysteme ALL-SG8310PM v3.1.1-R3-B1]
[*] ETag: 222-81176 [Shenzhen TG-NET Botone Technology Co,. Ltd. P3026M-24POE (V3) v3.1.1-R1]
[*] ETag: 8028-89928 [Araknis Networks AN-310-SW-16-POE v1.2.00_171225-1618]
[*] ETag: 222-64895 [Xhome DownLoop-G24M v3.0.0.43126]
[*] ETag: 222-40570 [Realtek RTL8380-24GE-4GEC v3.0.0.43126]
[*] ETag: 222-45866 [Abaniact AML2-PS16-17GP L2 v116B00033]
[*] ETag: 14044-44104 [EnGenius Technologies, Inc. EWS1200-28TFP v1.07.22_c1.9.21_181018-0228]
[*] ETag: 14044-32589 [EnGenius Technologies, Inc. EWS1200-28TFP v1.06.21_c1.8.77_180906-0716]
[*] ETag: 609-31457 [NETGEAR Inc. GS750E ProSAFE Plus Switch v1.0.0.22]
[*] ETag: 639-98866 [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.45]
[*] ETag: 639-73124 [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.37]
[*] All done...
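The ETag fingerprint described under the goals above, and the known-targets table just listed, turned into an inventory check a defender can run over recorded HTTP response headers. This is an added example, not part of the original advisory or the PoC: it parses the 'xxxxx-yyyyy' ETag form, looks it up in a subset of the table above, and reports which hosts match; the host addresses and header dicts are constructed sample data.

```python
import re

# Constructed subset of the advisory's "known targets" table, keyed by the
# ETag the switch's web server returns (file size-last modified).
KNOWN_TARGETS = {
    "225-51973": ("Cisco Systems, Inc.", "Sx220", "v1.1.3.1"),
    "225-60080": ("Cisco Systems, Inc.", "Sx220", "v1.1.4.1"),
    "752-76347": ("ALLNET GmbH Computersysteme", "ALL-SG8208M", "v2.2.1"),
    "14044-509": ("EnGenius Technologies, Inc.", "EGS2110P", "v1.05.20_150810-1754"),
    "639-98866": ("NETGEAR Inc.", "GS728TPv2/GS728TPPv2/GS752TPv2/GS752TPP", "v6.0.0.45"),
}

# Bare, quoted or weak (W/) ETag of up to 5 digits, a dash, up to 5 digits (RTL83xx form).
ETAG_RE = re.compile(r'^\s*(?:W/)?"?(\d{1,5})-(\d{1,5})"?\s*$')


def parse_etag(value):
    """Return (size, last_modified) for an RTL83xx-style ETag, else None."""
    m = ETAG_RE.match(value)
    return (int(m.group(1)), int(m.group(2))) if m else None


def identify(headers):
    """Map one host's response headers (dict, any key case) to a table entry.
    None if no ETag or not RTL83xx-form; else {'etag', 'known', [vendor/model/fw]}."""
    etag = next((v for k, v in headers.items() if k.lower() == "etag"), None)
    parsed = parse_etag(etag) if etag is not None else None
    if parsed is None:
        return None
    key = "%d-%d" % parsed
    hit = KNOWN_TARGETS.get(key)
    result = {"etag": key, "known": hit is not None}
    if hit:
        result.update(zip(("vendor", "model", "fw"), hit))
    return result


def triage(inventory):
    """Return {host: identification} for hosts whose ETag is in the table."""
    found = {}
    for host, headers in inventory.items():
        ident = identify(headers)
        if ident and ident["known"]:
            found[host] = ident
    return found


# Constructed sample responses, as an inventory crawler might record them.
SAMPLE_INVENTORY = {
    "192.0.2.10": {"Content-Type": "text/html", "ETag": '"225-51973"'},
    "192.0.2.11": {"content-type": "text/html", "etag": 'W/"14044-509"'},
    "192.0.2.12": {"Content-Type": "text/html", "ETag": '"abc-123"'},
    "192.0.2.13": {"Content-Type": "text/html"},
}
```

Running triage(SAMPLE_INVENTORY) flags only the first two hosts; the third has an ETag outside the RTL83xx form and the fourth none at all.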
[Other vendors]
These names have been found within some Firmware images, but are not implemented as I have not found any Firmware images for them. (However, I suspect they use the exact same Firmware, due to the traces 'logo[1-10].jpg/login[1-10].jpg'.)
[*] 3One Data Communication, Saitian, Sangfor, Sundray, Gigamedia, GetCK, Hanming Technology, Wanbroad, Plexonics, Mach Power
[Known bugs]
1. Non-JSON:
'/mntlog/flash.log' and '/var/log/flash.log' are not always removed when using 'stack_cgi_log()'
(Must change the value for 'flash.log', which needs to be 0x02; 'flash.log' has value 0x00)
[Responsible Disclosure]
Working with VDOO since early February 2019 to disclose the found vulnerabilities to vendors.
https://www.vdoo.com/blog/disclosing-significant-vulnerabilities-network-switches
PoC:
https://github.com/mcw0/PoC/blob/master/Realtek-RTL83xx-PoC.py
Have a nice day
/bashis
[EOT]