| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Apr 2017 17:48:24 +0200 From: DefenseCode <defensecode@...ensecode.com> To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org, pen-test@...urityfocus.com, security-basics@...urityfocus.com, websecurity@...appsec.org Subject: [FD] [DefenseCode WhitePaper]: BroadCom UPnP Format String Preauth Root Exploit Aftermath (Few Years Later) Hi, Few years ago, we have discovered a remotely exploitable preauth Format String vulnerability in Broadcom UPnP implementation used in popular routers. Vendors were notified and advisory was published - http://defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf . Broadcom fixed the vulnerability in their UPnP implementation and some router vendors did it also. Vulnerability was initially discovered on Cisco Linksys (now Belkin) WRT54GL routers, but as stated before, vulnerable UPnP implementation was used by many vendors. Back in the days, Cisco fixed the vulnerability, but we are not sure about all other router vendors and models because there are too many of them. When we initially discovered the vulnerability, Rapid7 also discovered various overflows in other popular UPnP implementations, and published a paper about it. Rapid7 document about vulnerabilities they discovered in UPnP implementations: https://community.rapid7.com/docs/DOC-2150 When they did the research, there were approx. 15 Million devices with vulnerable Broadcom UPnP implementation discovered on the Internet, probably many more in the Intranets. We have written a paper about detailed exploitation steps for now fixed Broadcom UPnP Format String vulnerability, but never published it due to the severity of the bug. Now, few years later, we feel comfortable to release a full research paper with vulnerability details and exploitation steps for discovered Format String vulnerability. Big issue with routers is that they are rarely updated by users with new firmware and there could be still a lot of vulnerable routers on the Internet and in the Intranets. Full research paper on discovery and exploitation of the Broadcom UPnP Format String vulnerability can be found on the following link: http://www.defensecode.com/whitepapers/From_Zero_To_ZeroDay_Network_Devices_Exploitation.txt Since Broadcom and vendors that use their chipsets ship fixed versions of the UPnP implementation for some time now, the vulnerability isn't a 0day for some time. Still, we are sure there are plenty unpatched routers out there. # About DefenseCode DefenseCode L.L.C. delivers products and services designed to analyze and test web, desktop and mobile applications for security vulnerabilities. DefenseCode ThunderScan is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing extensive security audits of application sourcecode. ThunderScan performs fast and accurate analyses of large and complex source code projects delivering precise results and low false positive rate. DefenseCode WebScanner is a DAST (Dynamic Application Security Testing, BlackBox Testing) solution for comprehensive security audits of active web applications. WebScanner will test a website's security by carrying out a large number of attacks using the most advanced techniques, just as a real attacker would. Subscribe for free software trial on our website http://www.defensecode.com/ E-mail: defensecode[at]defensecode.com Website: http://www.defensecode.com/ Twitter: https://twitter.com/DefenseCode/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists