When (Remote) Shells Fall Into The Same Hole: Rooting DrayTek Routers Before Attackers Can Do It Again

Routers, VoIP gateways, firewalls, WiFi access points and VPN concentrators are ubiquitous in homes, small offices and large business networks. Some vendors manufacture ALL of these devices, which often means they share the same core software components – and thus the same vulnerabilities.

In this talk we will analyze a large vendor of such network equipment – DrayTek. Their devices have been targeted by Chinese threat actors on several occasions since 2018. Within the past four years alone, other researchers have disclosed over 19 critical issues in their products.

To our big surprise, we were able to achieve Remote Code Execution against the latest model of a VPN concentrator manufactured by this vendor. On some devices, this vulnerability is somewhat mitigated by the fact that the router OS runs in an emulated environment. Yet we found an easy way to escape the emulator and achieve full control over the device.

The vulnerabilities that we identified during our research affect the entire line of networking devices offered by this vendor, which have now been successfully patched. We will share the technical details of our research and discuss the potential impact of such issues should they fall into the hands of threat actors.

By:
Stanislav Dashevskyi | Security Researcher, Forescout Technologies
Francesco La Spina | Security Researcher, Forescout Technologies

Full Abstract and Presentation Materials:
https://www.blackhat.com/eu-24/briefings/schedule/#when-remote-shells-fall-into-the-same-hole-rooting-draytek-routers-before-attackers-can-do-it-again-42376