I really don't get the "Using malicious SSH server to trigger server side RCE" section. The language would do well with being a bit more clear wrt exactly which client and which server, and exactly where the RCE is happening.
> In order to exploit RCE we needed to build a virtual test environment that fully copies Telia's PHP client. Step by step we have gone through the sequence of Telia's commands sent over the SSH. And finally we got a malicious SSH server and a test libssh2 client running in our test lab. With this server we could fully control the protocol and start fuzzing.
> In the first few days of the fuzzing we got some crashes and partially confirmed that RCE may be exploited.
My first understanding of this:
- They eavesdropped on the "requests" (HTTP? Is there TCP tunneling involved?) using a malicious SSH server
- They replicated the HTTP (?) requests using some php code they wrote
- They then caused segfaults/infinite loops in their own PHP code
(Witness the task manager in that screenshot gif running on their own windows machine showing high cpu usage for a PHP process.)
This seems a bit away from an actual "Remote Code Execution on Telia Routers", unless I'm misunderstanding this fundamentally.
Perhaps their high-level thought process is like this?
1. The version numbers in the "php client", triggered by the change-your-wifi-password website, from a trusted IP (10.0.98.251) indicate that this client runs a version of libssh which allows for the password eavesdropping they did, and the php runtime, which is sometimes insecure.
2. Someone could perhaps use the fact that Telia is using PHP to hack their "remote management client" using a malicious ssh server at a customer endpoint.
3. Profit?
This is a very poorly written vulnerability report.
Anyway, @dang - I think the title "RCE on Telia Routers" is pretty incorrect. Suggestion: "Possible Telia consumer router security issue".
I think they ran their own SSH server on the router for the SSH connect-back from Telia's server. SSH password auth sends the password to the server [router here]. This is encrypted over the network, but the server [router] decrypts it, so then you have that password, shared between all the routers. I'm not sure if libssh being vulnerable was relevant to their attack or not, perhaps that's just an aside, given they physically own the router anyway.
SSH pubkey auth would have avoided the problem I guess. Not sure if it would have helped their attitude though.
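The pubkey-auth alternative mentioned in the comment above, as an added example (not Telia's client, which is not public): a PHP ssh2/libssh2 connect-back client that pins the device's host key and authenticates with a per-device key pair instead of a shared password, so a server the customer controls learns nothing reusable. Host, user, key paths and the pinned fingerprint are placeholders.

```php
<?php
// Added example: a hardened libssh2 (php ssh2 extension) client for a
// router connect-back. Compare with password auth: ssh2_auth_password()
// hands the secret to whoever runs the server, so a shared password is
// disclosed to every customer who replaces sshd on their own router.
// A key pair never leaves the management host; the server only sees a
// signature it cannot reuse elsewhere.

// Placeholder values (assumptions, not from the report).
const ROUTER_HOST  = '192.0.2.10';
const ROUTER_PORT  = 22;
const MGMT_USER    = 'mgmt';
const PUBKEY_FILE  = '/etc/mgmt/keys/id_ed25519.pub';
const PRIVKEY_FILE = '/etc/mgmt/keys/id_ed25519';
// Host-key fingerprint recorded at provisioning time for this one device.
const PINNED_SHA1_HEX = '0123456789ABCDEF0123456789ABCDEF01234567';

function connectRouter(string $host, int $port, string $pinnedFp) {
    $session = ssh2_connect($host, $port);
    if ($session === false) {
        throw new RuntimeException("connect to $host:$port failed");
    }
    // Refuse to proceed if the host key differs from the pinned one;
    // a swapped-in server on the router is detected here, before auth.
    $fp = ssh2_fingerprint($session, SSH2_FINGERPRINT_SHA1 | SSH2_FINGERPRINT_HEX);
    if (!hash_equals(strtoupper($pinnedFp), strtoupper($fp))) {
        throw new RuntimeException("host key mismatch for $host: got $fp");
    }
    // Public-key auth: no reusable credential is sent to the server.
    if (!ssh2_auth_pubkey_file($session, MGMT_USER, PUBKEY_FILE, PRIVKEY_FILE)) {
        throw new RuntimeException("pubkey auth failed for $host");
    }
    return $session;
}

function runCommand($session, string $cmd): string {
    $stream = ssh2_exec($session, $cmd);
    if ($stream === false) {
        throw new RuntimeException("exec of '$cmd' failed");
    }
    stream_set_blocking($stream, true);
    $out = stream_get_contents($stream);
    fclose($stream);
    return $out;
}

$s = connectRouter(ROUTER_HOST, ROUTER_PORT, PINNED_SHA1_HEX);
echo runCommand($s, 'uname -a');
```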
> Perhaps their high-level thought process is like this?
Yes, I think you're right and it was difficult to understand. The thinking is that, as you can trigger Telia servers to connect to you, using software which appears past its expiration date, you may be able to exploit that software to root their command and control server. Do that and you own Telia's whole botnet of customers.
They didn't show it but they did say the old routers share the same password. I can take that at face value; it's easy enough for a Lithuanian researcher to verify by asking a friend, and I assume they did.
They say later models allow only pub keys but didn't go into more details. I would assume they all have the same keys in firmware if not shown otherwise.
Either way, the Telia CnC server would know all unique (if so) passwords or keys, so it may make little difference if exploited.