Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


Internet terminal vulnerability threat intelligence report

Posted by fleschner at 2020-03-20

0x00 Introduction

Nowadays the smart TV in the conference room, the intelligent heating and air-conditioning system, Internet-connected lighting, production lines controlled by smart equipment, smart watches and fitness devices are almost everywhere. These are only a small part of the enterprise Internet of Things (IoT) of today; in the larger picture, almost any physical object can be connected intelligently to the network. While enjoying the convenience the IoT brings, enterprises should also stay alert to attacks and data leakage. As times changed, the old network speeds could no longer meet daily needs, and the fibre era arrived to match the trend. Yet when we use fibre to reach the Internet quickly, the threat follows. In recent years botnets have appeared frequently. IoT security was not taken seriously in the past, and the consequences have been felt repeatedly: IoT devices have become tools for attackers to make a profit. Although many IoT manufacturers are raising their security awareness, the security of their products is still poor, as the vulnerabilities disclosed in recent years show.

0x01 Terminal threat cases

At present the routers and optical network terminals (ONTs, colloquially "optical cats", 光猫) used in China are supplied mainly by domestic manufacturers. The main router and ONT vendors are Huawei, ZTE, FiberHome, Shanghai Bell, TP-Link, Mercury, Tenda and Fast.

In recent years many vulnerabilities have been disclosed in these vendors' products, and several large-volume DDoS attacks have relied on compromising such devices, so the current security situation is not optimistic.

(1) Broadband "brush drill" (刷钻). This goes back many years, to the heyday of the Gray Pigeon RAT and "catching chickens" (mass PC compromise). Brushing drills abused a certain company's paid service: once an attacker had obtained a victim's broadband account, he could spend on that account, causing real financial loss to the user. At the same time the user's personal information could be read from the leaked broadband account, so the account leak indirectly led to a personal-information leak.

(2) In a certain region, attackers logged in through the exposed terminal login port of the ONT and wiped its firmware, taking a large number of ONTs in that region out of service. In the past few years a hacking group also used flaws in router-related protocols to launch reflection DDoS attacks.

(3) Botnet construction. Attackers use router vulnerabilities to build botnets, then use the botnet to launch DDoS attacks against a target, or use the compromised routing device to eavesdrop on traffic, which is a serious threat to personal information. Terminal equipment is poorly maintainable and its firmware cannot be upgraded effectively, which is one of the reasons attackers can take it over.

(4) As these incidents gained attention and people's security awareness improved, many manufacturers recognised the importance of secure development and upgraded their products. However, terminal equipment is replaced infrequently, so the security risk persists. With routing devices so prone to backdoors and vulnerabilities, manufacturers still have a long way to go before their devices are even relatively secure.

0x02 Security analysis examples

Next I list some of the problems I found. At present a large number of ONT and router devices are exposed directly to the public Internet, and each model presents its own login interface. Two such models, exposed on the public network, are shown below.

To reduce the risk of attack and keep control of their own equipment, operators place the devices on an internal network. In practice the devices remain insecure there: the underlying problem has not been solved, and it is the same everywhere. In an intranet environment the harm can even be greater than on the public network. From one Internet-connected device we can learn our own intranet address, and an ordinary user account is enough to obtain it.

Randomly scan a few dozen C segments (/24 ranges) and you will see large numbers of devices whose web login page is reachable; telnet login ports are open as well.
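The kind of survey described above, as an added example that is not code from the original report: it expands a C segment into its hosts, probes each one concurrently for the telnet login port and the web login page, and rates what answered. The port choices (23, 80 and an assumed alternate web port 8080), the one-second timeout and the use of the HTTP Server header as a fingerprint are assumptions, not findings from the report. Probe only address space you are authorised to test.

```python
"""Probe a C segment (/24) for exposed ONT/router management services.

Added example, not code from the original report. Assumptions (not from the
report): management lives on telnet/23 and the web UI on 80 or 8080, and a
one-second connect timeout is acceptable. Scan only address space you are
authorised to test.
"""
from __future__ import annotations

import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Optional, Tuple

# Ports the report talks about: the telnet login port and the web login page.
# 8080 is an assumed alternate web-management port.
MANAGEMENT_PORTS = {23: "telnet", 80: "http", 8080: "http"}
CONNECT_TIMEOUT = 1.0


def expand_c_segment(segment: str) -> List[str]:
    """Turn '192.168.1' or '192.168.1.0/24' into its 254 usable host addresses."""
    if "/" not in segment:
        octets = segment.split(".")[:3]
        if len(octets) != 3:
            raise ValueError("give a C segment such as '192.168.1' or '192.168.1.0/24'")
        segment = ".".join(octets) + ".0/24"
    net = ipaddress.ip_network(segment, strict=False)
    if net.prefixlen != 24:
        raise ValueError("expected a /24 (C segment)")
    return [str(host) for host in net.hosts()]


def parse_server_header(raw: bytes) -> Optional[str]:
    """Return the Server header of a raw HTTP response, or None if absent."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def probe_port(host: str, port: int) -> Tuple[bool, Optional[str]]:
    """(open?, banner). Web ports get a HEAD request; telnet just reads the greeting."""
    try:
        with socket.create_connection((host, port), timeout=CONNECT_TIMEOUT) as sock:
            sock.settimeout(CONNECT_TIMEOUT)
            try:
                if MANAGEMENT_PORTS.get(port) == "http":
                    sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                    return True, parse_server_header(sock.recv(4096))
                data = sock.recv(256)  # telnet: IAC negotiation and/or login banner
                banner = "".join(chr(b) for b in data if 32 <= b < 127).strip()
                return True, banner or None
            except OSError:  # port is open but silent (timeout) or reset us
                return True, None
    except OSError:  # refused, filtered or unreachable
        return False, None


def probe_host(host: str) -> Dict[int, Optional[str]]:
    """Map of open management ports -> banner for one host."""
    found: Dict[int, Optional[str]] = {}
    for port in MANAGEMENT_PORTS:
        is_open, banner = probe_port(host, port)
        if is_open:
            found[port] = banner
    return found


def classify_exposure(open_ports: Dict[int, Optional[str]]) -> str:
    """Rate a host by which management surfaces answered."""
    telnet = 23 in open_ports
    web = any(MANAGEMENT_PORTS.get(p) == "http" for p in open_ports)
    if telnet and web:
        return "telnet+web"
    if telnet:
        return "telnet"
    if web:
        return "web"
    return "none"


def scan_segment(segment: str, workers: int = 64) -> Dict[str, Dict[int, Optional[str]]]:
    """Probe every host in the segment concurrently; keep only hosts with something open."""
    hosts = expand_c_segment(segment)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe_host, hosts))
    return {host: ports for host, ports in zip(hosts, results) if ports}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1"
    hits = scan_segment(target)
    for host in sorted(hits, key=ipaddress.ip_address):
        print(f"{host:15} {classify_exposure(hits[host]):11} {hits[host]}")
```

Run it as `python3 probe_segment.py 192.168.1` from a host on the same network. A host rated "telnet+web" has both management surfaces reachable, which is exactly the exposure the report describes; the Server header, when present, is a quick way to group hits by firmware rather than by IP.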

The security of these devices cannot be guaranteed. For ease of management, manufacturers often ship hidden accounts, and with such a hidden account we can obtain "super" administrator control of the device.

Some manufacturers also build in a backdoor account with higher privilege than the super account: the former controls the ONT's configuration, the latter controls all of its configuration and its hardware.

We can also attack through the device's own vulnerabilities, up to command execution, arbitrary file upload and file download. Below is a defacement page planted through arbitrary file upload.

Some ONTs do not have Telnet enabled, but Telnet can be switched on through the device's own vulnerabilities.

To break free of the confines of the operator's internal network, users "crack" the ONT to obtain super-administrator access, which gives them unrestricted Internet access outside that network and takes them out of the operator's oversight.

In fact, from the device intranet we can find other internal networks, and through them the attack surface can be extended further.

Enterprise-grade Internet-facing devices can also be found there.

So can enterprises' surveillance equipment.

None of the domestic operators tested was spared.

0x03 Summary

All three major operators mostly use domestic ONT equipment, and because the security capability of the various manufacturers is uneven, some devices are very weak; a single vulnerability can therefore hit all three operators at once. Operators are beginning to pay attention to these problems, but the ONT cracking situation is not encouraging. Users have their own reasons for wanting out of the operator's internal network, so they follow online ONT cracking tutorials, or buy a third-party ONT to replace the operator's. The learning cost is very low and the risk very high.