In the news has been yet another router botnet. [Hui Wang] and [RootKiter] of 360Netlab announced their discovery of what they call the “BCMUPnP_Hunter” rootkit. They estimate this botnet to be running on over 100,000 routers worldwide.

There are two elements of this story that I found particularly baffling. First, this botnet infects routers using a vulnerability that was first reported by Defensecode over five years ago, in 2013! The second oddity is the wide range of devices that are vulnerable and are now part of the botnet. Dozens of brands and at least 116 models have been found to be infected.

One of the details of this story hasn’t been reported entirely accurately. The bug is not built into the Broadcom chipset. Unlike Spectre and Meltdown, it’s not actually a hardware fault. Broadcom distributes a Software Development Kit (SDK) that enables device manufacturers like D-Link, TP-Link, and Linksys to quickly develop firmware for routers using Broadcom chips. The vulnerability lies in this code, rather than part of the hardware itself.

UPnP Strikes Again!

The attack vector is the Universal Plug’n’Play (UPnP) protocol. This protocol was first developed by Microsoft for Windows ME. The use case for UPnP is to allow a program on the local network to request an open port for incoming traffic, essentially automating the port forwarding process. Peer to peer traffic like bittorrent, online gaming, and even teleconference applications like Skype require connecting directly to other users. As ISPs began handing out only a single IP address, and NAT routers became more popular, solutions like UPnP were needed to enable these peer to peer applications.

While the idea is a valid one, UPnP has had a storied history full of exploits. In 2013, Rapid7 released a whitepaper looking at UPnP accessible over the internet. They identified over 80 million unique IP addresses that responded to UPnP discovery packets from the internet, and around 20% of those IPs exposed the control port. UPnP is intended for internal network use only, and by definition should not be publicly discoverable. This means that in 2013, 80 million devices were using a broken implementation of UPnP.

After Years in Hibernation

As to why a botnet is only recently capitalizing on this specific vulnerability, DefenseCode realized how large of an issue this could be, particularly in 2013 when the vulnerability was first announced. At that time, there were estimated to be 15 million vulnerable devices across the internet. DefenseCode delayed releasing the full details of the attack until 2017, when they finally opted to publish the full vulnerability details. Once the proof of concept code was available, it was only a matter of time until someone built the self-propagating worm we’re now seeing.

It’s not too hard to find a copy of Broadcom’s SDK that contained this vulnerable code. That SDK was dated 2007, but based on the Linux kernel from 2003, release 2.4.20. This is one of the outstanding problems in the industry. Rather than …read more

Source:: Hackaday