
Research On The Vulnerability Discovery For Router Form Handling Functions

Posted on: 2023-06-14
Degree: Master
Type: Thesis
Country: China
Candidate: S Z He
Full Text: PDF
GTID: 2568306767464314
Subject: Cyberspace security
Abstract/Summary:
As the key nodes of network connection, routers provide data transmission services between different networks. Once an attacker controls a router, they can attack other devices inside the network, causing significant damage to users. Vulnerability discovery for routers is therefore very important.

Router vulnerability discovery faces many difficulties. The software and hardware architecture of these devices differs from traditional platforms, the hardware's computing and storage resources are limited, and vendors usually do not disclose the source code or documentation of their software. Under these circumstances, symbolic execution can hardly be applied to routers, taint analysis can only be applied to specific programs, and traditional fuzzing is largely blind.

To address these problems, this thesis presents a novel approach for discovering vulnerabilities in router firmware and implements it in an automated framework, FIRMFHF. A large number of historical vulnerabilities exist in the Form Handling Functions (FHFs) of routers, but previous approaches lack research on FHFs. This thesis specifically studies the characteristics of FHFs and designs a method to locate them. Vital information about each form interface is then extracted from the corresponding FHF and used to guide the generation of fuzzing input data. This approach reduces the blindness of fuzzing to some degree while keeping its simplicity and speed, improving the efficiency of vulnerability discovery.

The approach combines static analysis and fuzzing. First, the Web server binary is disassembled. Next, all FHFs inside the binary are located, and the form interface and parameter names are extracted. This information is then filled into the session rule files of the fuzzer. Finally, the form parameters are mutated and all form interfaces are tested to discover vulnerabilities in the corresponding FHFs.

This thesis collected a real-world dataset of firmware images through crawlers and network packet capture. After decryption and unpacking, 2,202 Web server binaries were extracted for analysis. The experiment used the automated framework to discover vulnerabilities. It found 17 new vulnerabilities, including stack overflow and command execution, and received 7 CVEs after they were reported to the relevant vendors and platforms. These results demonstrate the efficiency of the approach and helped vendors improve their network security protection.
Keywords/Search Tags: Router Firmware, Vulnerability Discovery, Form Handling Function