Black Hat Defcon: Can you hack a Linux Powered SOHO Router with DLNA?
From the 'Truth in Advertising' files:
LAS VEGAS.Security researcher Zachary Cutlip (my pic left) took the stage at both Black Hat and Defcon conferences this weekend.
His talk was about doing SQL Injection on MIPS Powered SOHO routers - and in particular he aimed at the Linux powered Netgear WNDR3700.
After sitting through an hour of this guy's presentation at Black Hat (I didn't bother to see it a second time at Defcon) the answer is:
Cutlip was able to determine that these Netgear routers have the DLNA (media streaming stuff) tech on them and it is possible to perform a SQL Injection against that tech. He also argued that since the device is running Linux, it makes it almost easier to exploit and control since many security researchers understand Linux and there are a lot of common tools on the OS itself.
Now with an exploit of DLNA, the only direct information available to the attacker is information about music and videos. By way of a ROP (return oriented programming) technique however, Cutlip said it would be possible to find the admin password for the router - and then full shell/root pwnage from there.
BUT WAIT. There is a catch.
One of the best things about being at a conf like Black Hat (and Defcon) is that the audience is typically very skeptical and typically as smart as the presenters themselves. A member of the audience correctly pointed out that DLNA only listens by default on the LAN.
That means that a remote exploitation of DLNA is somewhat unlikely.
Cutlip noted that there is the Rebind attack, that was first demoed at Black Hat in 2010. With Rebind it is possible in some cases to trick a router into giving a remote user, local LAN access. Cutlip admitted however that he had not tested the technique with his DLNA vulnerability.