Thursday, April 6, 2017

BroadCom UPnP Format String Preauth Root Exploit Aftermath (Few Years Later)

Hi,

Few years ago, we have discovered a remotely exploitable preauth Format
String vulnerability in Broadcom UPnP implementation used in popular
routers.
Vendors were notified and advisory was published -
http://defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf .
Broadcom fixed the vulnerability in their UPnP implementation and some
router vendors did it also.

Vulnerability was initially discovered on Cisco Linksys (now Belkin)
WRT54GL routers, but as stated before, vulnerable UPnP implementation
was used by many vendors.
Back in the days, Cisco fixed the vulnerability, but we are not sure
about all other router vendors and models because there are too many of
them.

When we initially discovered the vulnerability, Rapid7 also discovered
various overflows in other popular UPnP implementations, and published a
paper about it.
Rapid7 document about vulnerabilities they discovered in UPnP
implementations: https://community.rapid7.com/docs/DOC-2150
When they did the research, there were approx. 15 Million devices with
vulnerable Broadcom UPnP implementation discovered on the Internet,
probably many more in the Intranets.

We have written a paper about detailed exploitation steps for now fixed
Broadcom UPnP Format String vulnerability, but never published it due to
the severity of the bug.
Now, few years later, we feel comfortable to release a full research
paper with vulnerability details and exploitation steps for discovered
Format String vulnerability.
Big issue with routers is that they are rarely updated by users with new
firmware and there could be still a lot of vulnerable routers on the
Internet and in the Intranets.

Full research paper on discovery and exploitation of the Broadcom UPnP
Format String vulnerability can be found on the following link:

http://www.defensecode.com/whitepapers/From_Zero_To_ZeroDay_Network_Devices_Exploitation.txt

Since Broadcom and vendors that use their chipsets ship fixed versions of the UPnP implementation for some time now, the vulnerability isn't a 0day for some time. 

Still, we are sure there are plenty unpatched routers out there.

Regards,
DefenseCode Team

26 comments:

  1. It’s hard to come by experienced people about this subject, but you seem
    like you know what you’re talking about! Thanks

    Java Training in Bangalore
    iOS Training in Bangalore
    Java Training in Bangalore
    http://www.arrowtricks.com

    ReplyDelete
  2. Great Post, thanks for sharing info on BroadCom UPnP Format String Preauth Root Exploit Aftermath. Microsoft Dynamics NAV Training

    ReplyDelete
  3. You need to look at this page for some info on how to write great research project. Maybe it could be helpful for your future

    ReplyDelete
  4. Excellent blog I visit this blog it's really awesome. The important thing is that in this blog content written clearly and understandable. The content of information is very informative.
    Workday HCM Online Training!
    Oracle Fusion Financials Online Training
    Oracle Fusion HCM Online Training
    Oracle Fusion SCM Online Training

    ReplyDelete
  5. Your good knowledge and kindness in playing with all the pieces were very useful. I don’t know what I would have done if I had not encountered such a step like this.
    python Training institute in Chennai
    python Training institute in Bangalore

    ReplyDelete
  6. Hello! Someone in my Facebook group shared this website with us, so I came to give it a look. I’m enjoying the information. I’m bookmarking and will be tweeting this to my followers! Wonderful blog and amazing design and style.
    Data Science training in Chennai
    Data Science training in bangalore
    Data Science training institute in bangalore

    ReplyDelete
  7. Astonishing web diary I visit this blog it's incredibly magnificent. Strangely, in this blog content made doubtlessly and sensible. The substance of information is instructive.
    Oracle Fusion Financials Online Training
    Oracle Fusion HCM Online Training
    Oracle Fusion SCM Online Training

    ReplyDelete
  8. Great post. Thank you for sharing on UPnP Format String
    machine learning with python training

    ReplyDelete
  9. Thanks for taking time to share this valuable information admin.
    remote resource

    ReplyDelete