Rogue small office, home office (SOHO) wireless routers could offer a side channel for attackers targeting enterprise networks through a new vulnerability to be presented by a researcher at Black Hat later this month. The talk will highlight a newly discovered attack technique using SQL injection against a database containing router files that can be tied together with more critical vulnerabilities to eventually escalate into an attacker gaining full root access to the router.
While at first blush it might seem that Zachary Cutlip's work finding these vulnerabilities in SOHO routers wouldn't be of much concern to enterprises, he warns that these type of devices often find their way onto corporate networks.
"It's certainly not unheard of and probably not even uncommon to see these SOHO-type devices on commercial, larger-enterprise networks," says Cutlip, a security researcher at Columbia, Md.-based Tactical and scheduled Black Hat speaker. The convention will be held July 21-26 in Las Vegas. "Sometimes they're legitimate, sometimes they're not, but it's easy to forget that they represent a side door into your network because you unpack them, you plug them in, maybe do just enough configuration to get it working and kind of forget it's there. They work pretty reliably, but they also do represent a soft target."
While Cutlip is keeping some of the technical details of his talk close to the vest until Black Hat, what he is divulging is that much of his work centered on databases containing temporary files from Netgear routers.
"In this case, we're going to be exploiting a SQL injection vulnerability in a database that has very temporary data, but it has no valuable data whatsoever," he says. "By doing so, if we do it in just a certain way, it's going to give us access to some other vulnerabilities. Combining that with other vulnerabilities, the attack can be pretty successful."
The technique's success gives an attacker root-level access to the router, along with the ability to extract arbitrary files from the router file systems, including plain-text passwords. Cutlip says the specific vulnerabilities he uses in this particular attack wouldn't likely be found in enterprise routers, but the techniques he plans to demonstrate could likely yield successful attacks against a larger class of routers given some more work by security researchers or less benevolent hackers.
"This specific vulnerability that I'm going to be talking about is in an application on the device I don't think you would find on an enterprise device," he says. "That said, the exploit technique is more broadly applicable. I think once the audience sees how I'm combining this unlikely vulnerability with this other higher-value vulnerability, I think that's the kind of thing you're likely to see in much broader applications."
In addition to taking away some lessons about how high-exposure, low-risk vulnerabilities can be easily combined to get at low-exposure, high-risk vulnerabilities, Cutlip says he believes audience members will learn how important it is to not only poke and prod their applications before deployment, but also test the limits of their networking equipment and firmware.