Abstract
SOHO (small office/home office) routers provide services for end devices to connect to the Internet, playing an important role in cyberspace. Unfortunately, security vulnerabilities pervasively exist in these routers, especially in the web server modules, greatly endangering end users. To discover these vulnerabilities, fuzzing web server modules of SOHO routers is the most popular solution. However, its effectiveness is limited due to the lack of input specification, lack of routers’ internal running states, and lack of testing environment recovery mechanisms. Moreover, existing works for device fuzzing are more likely to detect memory corruption vulnerabilities.In this paper, we propose a solution ESRFuzzer to address these issues. It is a fully automated fuzzing framework for testing physical SOHO devices. It continuously and effectively generates test cases by leveraging two input semantic models, i.e., KEY-VALUE data model and CONF-READ communication model, and automatically recovers the testing environment with power management. It also coordinates diversified mutation rules with multiple monitoring mechanisms to trigger multi-type vulnerabilities. With the guidance of the two semantic models, ESRFuzzer can work in two ways: general mode fuzzing and D-CONF mode fuzzing. General mode fuzzing can discover both issues which occur in the CONF and READ operation, while D-CONF mode fuzzing focus on the READ-op issues especially missed by general mode fuzzing.We ran ESRFuzzer on 10 popular routers across five vendors. In total, it discovered 136 unique issues, 120 of which have been confirmed as 0-day vulnerabilities we found. As an improvement of SRFuzzer, ESRFuzzer have discovered 35 previous undiscovered READ-op issues that belong to three vulnerability types, and 23 of them have been confirmed as 0-day vulnerabilities by vendors. The experimental results show that ESRFuzzer outperforms state-of-the-art solutions in terms of types and number of vulnerabilities found.
Highlights
More and more end devices, such as laptops, pads, smartphones, smart-home devices, and wearable devices, are used in social life
In the preliminary version of this paper, we propose an automatic fuzzing framework SRFuzzer (Zhang et al 2019) for fuzzing web server of SOHO router (FWSR) based on physical devices to address the above challenges
We present ESRFuzzer, an enhancement of SRFuzzer, to improve the effectiveness of SRFuzzer in three major aspects: (i) Besides generating the seed for general mode fuzzing through the web page by crawlers, ESRFuzzer can generate seeds for D-CONF operation by parsing READ handlers of the backend and obtaining related k-v pairs of a READ handler through static program analysis
Summary
More and more end devices, such as laptops, pads, smartphones, smart-home devices, and wearable devices, are used in social life. In order to generate meaningful test cases in both READ and CONF operation, we design the KEY-VALUE data model to describe the constraints on a single request. Because there are no filter or encode protection mechanism for XSS issues, the info variable can cause a stored XSS issue In such a situation, a single request is not enough to trigger the vulnerability, so we design the CONF-READ communication model to form multiple-requests test input. Making CONF operation through the HTTP request is the most common way to modify the configuration of devices, so the vulnerability triggered in the READ operation relies on the proper CONF operation. For the D-CONF mode fuzzing, it could generate the mutation configurations and commit them to devices as D-CONF operations It generates the corresponding READ operation for triggering the vulnerability. If the key with an empty value, it assigns the key with a random number of payloads selected from a predefined database
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
