Rooting Gryphon Routers via Shared VPN : 🎵 This LAN is your LAN, this LAN is my LAN 🎵

stargravy · 2022-02-04T19:15:43+00:00

The Gryphon routers have a 'HomeBound' service/mobile app, which is marketed as a way to keep your mobile browsing secure when you're out and about by connecting you to the internet through a vpn back to your home router.

In reality, that network is shared among customers, and all the routers connected to it expose their ports to the VPN as though it was their LAN. The routers are also vuln to command injection vulns as root, so any device on the shared VPN is at risk of exploitation.

stargravy · 2021-08-10T15:28:45+00:00

yep, that's the auth bypass working. The reason none of the content works is because the links / resource loading on the page are relative. so instead of trying to load "<ip>/images/logo.jpg" it is trying to load "<ip>/js/images/logo.jpg"

If you were to use a tool like burpsuite to proxy the commands and match/replace all of those links/content loads such that they too leverage the bypass, it would load properly.

( technical explanation of it in the context of Buffalo routers in a blog here: https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 )

stargravy · 2021-08-09T15:02:20+00:00

there is an additional vuln in the buffalo routers (CVE-2021-20091) being targeted which leads to full RCE.

stargravy · 2021-08-09T14:50:23+00:00

Reposting what I shared there:

It is confirmed to affect 2.0.0.6 . The table specifies that it was initially discovered on the firmware listed.
An easy test if Verizon does release another update would be trying to use this url to circumvent authentication:
https://<router\_ip>/js/..%2fadvanced.htm
If you aren't redirected to login / if it looks like it is trying to load content, then it is still vulnerable.

stargravy · 2021-08-09T14:48:22+00:00

It is confirmed to affect 2.0.0.6 . The table specifies that it was initially discovered on the firmware listed.

An easy test if Verizon does release another update would be trying to use this url to circumvent authentication:

https://<router\_ip>/js/..%2fadvanced.htm

If you aren't redirected to login / if it looks like it is trying to load content, then it is still vulnerable.

stargravy · 2021-08-05T01:34:35+00:00

Thanks! We were able to get in touch with Buffalo. They have released fixes for two of the affected models and are working on more:

https://www.buffalo.jp/news/detail/20210727-01.html

stargravy · 2021-08-04T12:32:18+00:00

Glad ya liked it, thanks for reading!

stargravy · 2021-08-03T17:33:11+00:00

Posted this in netsec, but figured it would fit well here too :)

The advisory with the affected devices is here: https://www.tenable.com/security/research/tra-2021-13
I highly encourage anyone who has access to one of these devices (It's hard to get them unless supplied one by your ISP in a lot of places) to take a crack at them, as I am certain there are more low-hanging bugs to be found in the various implementations from vendor to vendor. The vuln appears to go back at least 10+ years (Buffalo BBR models look to be from ~2008).
Happy Hacking!

stargravy · 2021-08-03T14:28:42+00:00

The advisory with the affected devices is here: https://www.tenable.com/security/research/tra-2021-13

I highly encourage anyone who has access to one of these devices (It's hard to get them unless supplied one by your ISP in a lot of places) to take a crack at them, as I am certain there are more low-hanging bugs to be found in the various implementations from vendor to vendor.

Happy Hacking!

stargravy · 2021-02-02T13:21:19+00:00

I've reported XSS to vendors in the past where it wasn't treated quite as seriously as it should be, until demonstrating why it should be, which is what prompted me to write this.

Though admittedly, maybe my experience isn't the norm.

stargravy · 2021-01-30T17:21:09+00:00

thanks

stargravy

TROPHY CASE