When (Remote) Shells Fall Into The Same Hole: Rooting DrayTek Routers Before Attackers Can Do It Again (PDF, 41 pages)

#BHEU BlackHatEvents
Information Classification: General

Slide 1 (title): When (Remote) Shells Fall Into The Same Hole: Rooting DrayTek Routers Before Attackers Can Do It Again
Stanislav Dashevskyi, Francesco La Spina

Slide 2: The researchers
Stanislav Dashevskyi
Francesco La Spina

Slide 3: PART 1 - Motivation and Background

Slide 4: It's rough around the edges
- Last year we did research on Sierra Wireless gateways and found critical vulnerabilities
- We also looked at the firmware of five different IoT/OT edge routers and it did not look good: lack of binary hardening, outdated software components, known vulnerabilities, "custom" security patches, default credentials
- Edge devices serve the threat actors as perfect entry points into businesses
*https:/
[Figure: network diagram with labels "Edge Router" and "are here"]

Slide 5: It's rough around the edges (continued)
- We have chosen a vendor, a seemingly bullet-proof target with lots of past research: DrayTek
- 4 years of active patching and frequent security advisories
- With proven interest from threat actors
- Remote unauthenticated root on the host OS via a trivial buffer overflow in the guest
- And it took us about a month to do it
*https:/
[Figure: network diagram with labels "Edge Router" and "are here"]

Slide 6: What's DrayTek?
A well-known Taiwanese manufacturer of networking equipment and management systems (founded in 1997). From simple SOHO routers to complex VPN concentrators used by businesses.

Slide 7: Why DrayTek? Researchers like it
- 13 security advisories since 2018 (excluding ours) with over 100 historical CVEs
- Typically, a sign of a mature security team. Yet, new findings keep popping up
- "Emulate it until you make it! Pwning a DrayTek Router before