Saturday, March 28, 2015

What's in the honeypot? CVE-2014-4019 - Attack on SOHO Router to Download Admin Password

Looking at the honeypots one more time today, I found the miscreants searching for an unprotected router configuration file that exposes the admin username and password.  Once they have control of the router, it is known that they modify its DNS settings to conduct man-in-the-middle attacks, intercepting or relaying all of the victim's traffic through their own servers.

Below is the log entry that I found:

According to the exploit published on exploit-db (located here), a plain GET request for the rom-0 file returns the router's configuration, which contains the admin username and password.  The following link gives instructions on how to decompress that file.
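Because the probe is a single GET for a fixed path, it is easy to spot in web-server or honeypot logs. The following detection script is an added example (not from the original post); it assumes Common Log Format access logs and uses constructed sample lines, including URL-encoded and double-slash variants of the request, and flags any request that was actually answered with a 200.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from the post's honeypot.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Mar/2015:10:01:02 +0000] "GET /rom-0 HTTP/1.1" 404 209 "-" "-"
192.0.2.10 - - [28/Mar/2015:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Mar/2015:10:02:00 +0000] "GET /%72%6F%6D-0 HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [28/Mar/2015:10:03:11 +0000] "GET //rom-0?x=1 HTTP/1.1" 200 16384 "-" "-"
192.0.2.10 - - [28/Mar/2015:10:04:00 +0000] "HEAD /rom-0 HTTP/1.1" 404 0 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_rom0_request(path):
    """True when the request path targets the rom-0 configuration dump.
    URL-decodes, drops the query string and collapses repeated slashes so
    encoded or doubled-slash variants of the probe are still caught."""
    clean = unquote(path).split("?", 1)[0]
    clean = re.sub(r"/+", "/", clean)
    return clean.lower() == "/rom-0"


def find_rom0_probes(log_text):
    """Return (hits, per_ip): hits lists matching log records, per_ip counts
    probes per source address. A 200 response means the device actually served
    its configuration and should be treated as compromised, not just probed."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_rom0_request(m["path"]):
            continue
        rec = m.groupdict()
        rec["served"] = rec["status"] == "200"
        hits.append(rec)
        per_ip[rec["ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = find_rom0_probes(SAMPLE_LOG)
    for h in hits:
        flag = "CONFIG SERVED" if h["served"] else "probe"
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} [{flag}]')
    print("probes per source:", dict(per_ip))
```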

The following CVEs have been assigned to the vulnerabilities that were identified:
CVE-2014-4018
CVE-2014-4019
CVE-2014-4154
CVE-2014-4155
Also applicable is http://www.exploit-db.com/exploits/33737

Here is an article by SC Magazine about 300,000 SOHO routers that were compromised due to this vulnerability: http://www.scmagazine.com/attackers-alter-dns-configurations-remotely-compromise-300k-routers/article/336792/

I am also interested in the IP Address that touched the honeypot looking for this vulnerability.  IP Address is 95.213.143.180.  Looking at ripe.net the following record is pulled:


When you search for this IP Address on http://www.virustotal.com, nothing comes up.

However, as you search the web you find a history for this IP Address as shown below:

https://twitter.com/atma_es/status/575725495708479488
http://www.blocklist.de/en/view.html?ip=95.213.143.180

If you do a reverse DNS lookup no PTR records are identified.  


