Date posted: 19-Feb-2017
Category: Software
Uploaded by: amit-serper
The internet of $h1TOr: Root all things (of the internet of things)
By: Amit Serper, ADhD
/bin/whoami
●Now: Lead Mac OSX security researcher @ Cybereason (we’re hiring!)
●Before: ~9 years @ PMO, Lead security researcher, doing mostly embedded security research in the last 3 years.
●Terrible coder
●Reverse Engineer
●Hardcore Linux guy, Now I use Mac :( and Windows :((
●I like to make stuff that breaks stuff
●I tweet: @0xAmit
●Public speaker, publisher (Wired, SC mag, DigitalWhisper, etc…):
○ HackingTeam research: http://ht.amit.wtf
cat /home/amit/agenda.txt
●Our subject: Command execution injection via WebServer
●IoT? - Examples
●Embedded Linux - quick overview
●Firmware - quick overview
●Embedded webserver command injection - quick overview
●Case study - Bezeq router
●Exploitation demo
The internet of (shitty) things
A chain of revolutions...
~10-15 years ago
Now
A router!
~10-15 years ago, a router looked like this
A router!
AKA that box with lights that makes the internet work
Why do we care so much about routers?
They’re routing our traffic == they see EVERYTHING
Nobody cares == they’re not monitored
They’re always on!
Specs as you see them
Specs as I see them
Every one of those little bastards is a computer!
(that handles all of your traffic!)
Ok… So it’s a “computer” - woo-friggin’-hoo
A calculator is also a computer
You’re right. Routers used to have custom RTOS O/S’s that worked on custom architectures and instruction sets
But all of a sudden, that wasn’t the standard anymore. Care to guess why?
Linux is built around networking, it’s easy to develop for and deploy, it’s totally cross platform and IT’S FREE!
Plus, it has tons of ALREADY written code that vendors can use!
Used in Xbox, Cable/SAT STB’s, PS4, roku, etc...
libdlna: Used in smartTVs, routers, streamers, Cable/SAT STB’s, etc...
A small webserver, used in almost EVERY router in some variation.
ALL OF THE PREVIOUSLY MENTIONED SOFTWARE HAS BEEN AND IS EXPLOITED ALL THE TIME!
The transition to Linux started a whole wave of vendors using Linux, some even took pride in it
Linksys WRT54GL
It had a Linux based (HyperWRT) firmware and most of its code was open sourced
Entire communities of firmware spin-offs were founded to enhance and add extra features to products
Firmware
●permanent software programmed into a read-only memory. (wikipedia)
●One file which includes a Linux distro consisting of:
○ Bootloader
○ Kernel
○ Root filesystem (userland)
○ Swap (product dependent)
DD-WRT firmware (as illustrated by binwalk)
Firmware (continued)
● Drivers/modules (kernel mode)
● Software and Daemons/Services (User mode):
○ Busybox
○ DHCP server
○ NTP (server/client)
○ FTP server
○ Telnet/ssh server
○ UPnP server
○ Webserver
Limitations when developing a firmware
●Very little memory - Code has to be really efficient, even at the cost of security
●Very little disk space - No bells and whistles - Just the barebones!
●Very weak CPU
●You think you’re invincible - if it compiles it’s fine! ← PROBLEM
Let’s talk about security research
We’ve established that those devices have poor security measures
So let’s map the attack vectors
Attack vectors:
●Backdoors in firmware (a very specific URL or service that’s running on a specific port)
●Physical/Local access - uploading a patched firmware
●Attack from afar - own the webserver!
Enter the webserver:
●It is our common configuration interface with the device
●Everything is controlled through there
●Gives us a direct interface with User-controlled data
●Often listens for connections on 0.0.0.0 (everywhere!)
●Often badly configured by the vendor/user
●Runs as root!!!!1!!!!!1!
We want to run code/pop a shell on the router
Wait, user controlled data?
Hooray! Let’s smash the stack!
There’s not necessarily a need to do that...
Emulating this environment is hard
We don’t want to debug stuff
Making gdb run on those things is not easy...
But what if we can hijack the “instruction pointer” on a higher level?
What is injection?
http://example.com/viewfile.php?file=bill.txt
; && `
; - run this after you’re done
&& - run this if the first command exited with status 0
`statement` - run the command between the backticks and use it as a value
http://example.com/redirect.php?r=info.php;cat /etc/passwd
Another example
system("/usr/bin/mailer --user %s --password %s --dest %s")
How can we avoid that?
Sanitization and verification of user input, especially of special characters such as &, ; and ` (and their HTTP-encoded forms)
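The mailer pattern from the previous slide written out, as an added example that is not part of the original talk: the unsafe command string beside two fixes, an allow-list check that rejects the metacharacters above (and their encoded forms) and execution without a shell. /usr/bin/mailer, the field limits and the function names are assumptions.

```c
/* Added example, not from the talk: the system("/usr/bin/mailer ...") pattern
 * beside a hardened version. /usr/bin/mailer and the field names are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE pattern: user-controlled fields are pasted into one shell command
 * line, so a dest of "a;cat /etc/passwd" (as on the slides) becomes a second
 * command for /bin/sh. Only the string is built here; it is not executed. */
int build_unsafe_cmd(char *out, size_t n, const char *user, const char *dest) {
    return snprintf(out, n, "/usr/bin/mailer --user %s --dest %s", user, dest);
}

/* Fix 1: allow-list the characters a field may contain, and reject rather
 * than strip. The check runs on the already URL-decoded value; '%' is also
 * rejected so "%3B" (;) or "%60" (`) cannot slip through a later decode.
 * A leading '-' is rejected too, so a value cannot be read as an option. */
int field_is_safe(const char *s, size_t max_len) {
    size_t len = strlen(s);
    if (len == 0 || len > max_len || s[0] == '-') return 0;
    for (const char *p = s; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '@' || c == '.' || c == '-' || c == '_'))
            return 0;               /* ';', '&', '`', '|', '$', '%', space, ... */
    }
    return 1;
}

/* Fix 2: never hand the data to a shell at all. fork+execv passes each value
 * as its own argv element, so metacharacters are data, never syntax, even if
 * the allow-list is loosened later. Returns the child's exit status, or -1 on
 * rejected input or failure. */
int run_mailer_safe(const char *mailer, const char *user, const char *dest) {
    if (!field_is_safe(user, 64) || !field_is_safe(dest, 254)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = {(char *)mailer, "--user", (char *)user,
                        "--dest", (char *)dest, NULL};
        execv(mailer, argv);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```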
DEMO
Netgear VEGN2610, AKA Bezeq n600
ADSL2+ Modem/router
Runs custom compiled Linux kernel version 2.6.30
(Released in June 2009)
Uses a custom version of GoAhead WEBS as its webserver
Has multiple Command Injection Vulnerabilities and even has an anti-CSRF protection with a vulnerability… Amazing.
What we are going to see is how we can execute commands as root on the router using command injection and turn on its telnetd server.
Oh, the root user on the router has a password (which I don’t know, but it’s ok)
telnetd -p 2323 -l /bin/sh
Ok ok, demo! :)
Thank you!(Questions?)