Large-scale vulnerability analysis of Wi-Fi routers through web-fuzzing
Abstract
Wireless routers have advanced to ensure connectivity between IoT devices and the Internet. This evolution has also increased the importance of security analysis, given the growing number of targeted and mass cyberattacks carried out by malicious agents. However, a constraint on conducting these analyses at large scale is the need for access to the physical device. In this article, we present a semi-automated methodology that combines the emulation of router firmware images with web-fuzzing of their web interfaces using Nuclei. The initial results were the identification of 6,293 possible flaws, the creation of 27 Nuclei templates for verification, and the validation of CVE-2022-46552.