引用本文: |
-
郑炜,许晴晴,李奇,陈翔,孙家泽.TendaAX12路由器0-Day栈溢出漏洞挖掘方法[J].信息安全学报,2024,9(3):157-175 [点击复制]
- ZHENG Wei,XU Qingqing,LI Qi,CHEN Xiang,SUN Jiaze.Tenda AX12 Router 0-Day Stack Overflow Vulnerability Mining Method[J].Journal of Cyber Security,2024,9(3):157-175 [点击复制]
|
|
摘要: |
随着 5G 技术对物联网发展的加速, 预计到 2025 年将会有约 250 亿台物联网设备连接到人们的生活。其中承担物联网设备网络管理角色的路由器使用量非常大, 但是路由器存在众多安全问题, 通过路由器设备进行攻击, 可以非法获取用户信息。为了维护网络安全, 提前发现路由器的漏洞具有重要的研究意义。本文以 Tenda AX12 路由器为研究对象, 从固件入手对其进行0-Day 栈溢出漏洞挖掘研究, 并提出了基于危险函数追踪的逆向分析漏洞挖掘方法。首先从危险函数中分析函数所在前端的对应位置, 将前后端对应; 然后对固件中的 Web 服务进行分析, 对其中可能发生栈溢出的 httpd 二进制代码进行危险函数分析, 该方法使用反汇编代码对危险函数的普通形式和展开形式进行定位, 并对危险函数进行参数分析和动态检测; 接着通过搭建仿真模拟机在模拟机上运行该服务的二进制文件, 并在 Web 前端页面对潜在漏洞位置进行数据包捕捉; 最后根据前期分析的危险函数参数情况对包进行改写并发送, 以此来触发漏洞, 验证漏洞的存在性, 同时验证该危险函数是否发生栈溢出。为了更真实地确定漏洞存在, 我们又在真实设备上验证漏洞的真实存在性和可利用性。实验结果表明了该漏洞的挖掘检测方法的有效性, 我们分别在不同型号的路由器上挖掘到 4 个 0-Day 漏洞, 并且经过与 SaTC 工具进行对比实验结果表明该检测方法能够更准确的定位到出现漏洞的函数位置。 |
关键词: 物联网 路由器 危险函数strcpy 0-Day栈溢出漏洞 SaTC |
DOI:10.19363/J.cnki.cn10-1380/tn.2024.05.11 |
投稿时间:2022-09-07修订日期:2022-11-30 |
基金项目:本课题得到国家自然科学基金专项项目(国家自然重点基金)课题(No. 62141208)、 国家重点研发计划课题 (No. 2020YFC0833105Z1)的资助、国家自然科学基金项目(No. 62272387)、陕西省科技厅重点研发计划项目(No. 2023-YBGY-030)、西安市重点产业链核心技术攻关项目(No. 23ZDCYJSGG0028-2022)。 |
|
Tenda AX12 Router 0-Day Stack Overflow Vulnerability Mining Method |
ZHENG Wei1, XU Qingqing1, LI Qi1, CHEN Xiang2, SUN Jiaze3
|
(1.School of Software Engineering, Northwestern Polytechnical University, Xi’an 710100, China;2.School of Information Science and Technology, Nantong University, Nantong 226019, China;3.School of Computer Science, Xi’an University of Posts and Telecommunications, Xi’an 710121, China) |
Abstract: |
As 5G technology accelerates the development of the Internet of Things, it is expected that there will be about 25 billion IoT devices connected to people’s lives by 2025. Among them, the routers that play the role of network management of IoT devices are used a lot, but there are many security problems in the routers. Attacks through router devices can illegally obtain user information. In order to maintain network security, it is of great research significance to discover the vulnerabilities of routers in advance. This paper takes the Tenda AX12 router as the research object, we start from the firmware, the 0-Day stack overflow vulnerability mining research is carried out, and propose a reverse analysis vulnerability mining method based on dangerous function tracing. First, analyze the corresponding position of the front end of the function from the dangerous function, and correspond the front end and the back end; then analyze the Web service in the firmware, and analyze the dangerous function of the httpd binary code in which stack overflow may occur. The common form and expanded form of the dangerous function are located, and the parameter analysis and dynamic detection of the dangerous function are carried out; then the binary file of the service is run on the emulator by building a simulation machine, and the potential vulnerability location is packaged on the Web front-end page. Capture; finally, rewrite and send the packet according to the dangerous function parameters analyzed in the previous stage, so as to trigger the vulnerability, verify the existence of the vulnerability, and verify whether the dangerous function has a stack overflow. In order to more realistically determine the existence of the vulnerability, we verify the real existence and exploitability of the vulnerability on real devices. The experimental results show the effectiveness of the mining and detection method of this vulnerability. We have mined four 0-Day vulnerabilities on different types of routers, and compared with the SaTC tool, the experimental results show that the detection method can more accurately locate the location of the function where the vulnerability occurs. |
Key words: IOT router dangerous function strcpy 0-Day stack overflow vulnerability SaTC |