Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cracking into embedded devices And beyond! - by Adrian Pastor www.procheckup.com www.gnucitizen.org.

Published byRyley Brooke Modified over 10 years ago

Similar presentations

Presentation on theme: "Cracking into embedded devices And beyond! - by Adrian Pastor www.procheckup.com www.gnucitizen.org."— Presentation transcript:

1 Cracking into embedded devices And beyond! - by Adrian Pastor www.procheckup.com www.gnucitizen.org

2 The drive behind this research Most devices have web interfaces enabled by default This applies to consumer and corporate appliances

3 The drive behind this research (2) The devices are ownable via their web interface Not just info theft is possible but also gaining root/admin privileges

4 Why and beyond? Attack doesnt end after owning the embedded device If device not properly segmented, we can probe the internal network

5 Why and beyond? (2) Internet -> target device -> LAN Target device: stepping stone / bouncing point Not many companies consider DMZing miscellaneous devices

6 Why and beyond? (3) Most of what we need to probe the LAN already on device i.e.: Axis camera with shell scripting (mish) and PHP support

7 Why and beyond? (4) Whos paying attention to printers, cameras, etc? Anyone? After all theyre just primitive devices Not taking into account as seriously as app / web servers security-wise

8 Focus on remotely exploitable web bugs Can be exploited reliably Can be hard to detect by IDS No need to develop platform-specific shellcode

9 Focus on remotely exploitable web bugs (2) Devices web interfaces often developed without parameter filtering in mind Real example: Linksys WAG54GS [1] Tons of persistent XSS Lots of possibilities / attack scenarios

10 The juicy bugs! Auth bypass File retrieval / directory traversal XSS - reflected and persistent! CSRF - most devices are affected Privilege escalation

11 Personal Fav. #1: CSRF + auth bypass Any admin setting can be changed Ideal when web int. NOT enabled on WAN

12 Personal Fav. #1: CSRF + auth bypass (cont) Payload is launched when admin tricked to visit 3 rd- party evil page Evil page makes browser send forged request to vulnerable device

13 Personal Fav. #2: Persistent XSS on logs page Web server password-protected but enabled on WAN interface Attacker doesnt need to be authenticated Malformed request to web server injects malicious payload on logs page

14 Personal Fav. #2: Persistent XSS on logs page (cont) Admin browses vulnerable page while logged in Device is compromised – ie: new admin account is added Example: Axis 2100 IP cameras [2]

15 Personal Fav. #2: Persistent XSS on logs page (cont) Ironic: security-conscious admins get owned

16 Personal Fav. #3: Auth bypass + WAN web interface No interaction required from victim admin Usually simple to exploit. i.e.: knowledge of authenticated URL Replay request that changes admin setting

17 Personal Fav. #4: Preauth leak + XSS on preauth URL No need to rely on password Ideal when web interface only on LAN Targets the internal user who can see the devices web interface Some preauth leaks are WAY TOO GOOD – ie: WEP keys or admin passwords

18 Personal Fav. #4: Pers. XSS on admin login page Steal session IDs Overwrite login forms action attribute Phishing heaven! Real example: Pers. XSS on Aruba 800 Mobility Controller's login page [3] – by Jan Fry You own the controller you own all the WAPs – sweet!

19 Love for auth bypass bugs Because not needing to rely on cracking a weak password is great Lets see review a few real examples

20 Auth bypass type 1: unprotected URLs Password prompt returned when accessing http://victim.foo/ If creds correct, then redirect to authed URL

21 Auth bypass type 1: unprotected URLs (cont) Problem is no auth data (ie: password/session ID) is transmitted Simply knowing the admin URLs does the job! - ie: http//victim.foo/admin- settings.cgi Real example: 3COM APXXXX (vuln not published yet)

22 Auth bypass type 2: unchecked HTTP methods Resources (URLs) password protected However, assumed to be accessed via a certain method – ie : GET Requesting resource as POST gives the goodies! Real example: BT Voyager 2091 Wireless ADSL [4]

23 Auth bypass type 2: unchecked HTTP methods (cont) Get config file without password: POST /psiBackupInfo HTTP/1.1 Host: 192.168.1.1 Connection: close Content-Length: 0

24 Auth bypass type 3: unprotected requests Admin URLs password-protected correctly However, admin requests are NOT Real example: Linksys WRT54GS [5] – by Ginsu Rabbit

25 Auth bypass type 3: unprotected requests (cont) Settings URLs requires password: GET /wireless.htm Submitting admin request does NOT: POST /Security.tri Content-Length: 24 SecurityMode=0&layout=en

26 Auth bypass type 4: URL fuzzing Web server OKs multiple representations of URL i.e.: the following URLs could all be valid: http://victim.foo/path/ http://victim.foo\path\ http://victim.foo/path? http://victim.foo/path. http://victim.foo/path?anyparameter=anyvalue http://victim.foo/path/ http://victim.foo/path//

27 Auth bypass type 4: URL fuzzing (cont) Real example: BT Home Hub and Thomson/Alcatel Speedtouch 7G [6] i.e.: the following URL gives you the config file without supplying creds: http://192.168.1.254/cgi/b/backup/user.ini//

28 BT Home Hub hacking challenge No open tcp/udp ports on WAN interface by default Requirement: attack must be remote Most people would give up at this point Possible attack vectors, anyone?

29 BT Home Hub hacking challenge (cont) OK, WAN is not an option How about the LAN interface? Didnt you say it must be a remote attack? you must be thinking

30 BT Home Hub hacking challenge (cont) Think client side! Victim users browser his worst enemy If you cant attack via WAN, let the internal user do it via LAN The aikido way: blend in, take advantage of already-established channels

31 BT Home Hub hacking challenge (cont) The recipe: CSRF Auth bypass The weapon: Simple form retrieved via hidden iframe

32 BT Home Hub hacking challenge (cont) The attack: Any user in Home Hubs LAN visits malicious web page Web page causes users browser submit interesting request to Home Hub. i.e.: enable remote assistance

33 BT Home Hub hacking challenge (cont)

34 Demo time!

35 References [1] Persistent XSS and CSRF on Linksys WAG54GS router http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on- wireless-g-adsl-gateway-with-speedbooster-wag54gs [2] Persistent XSS on Aruba 800 Mobility Controller's login page http://www.procheckup.com/Vulnerability_PR07-26.php http://www.securityfocus.com/bid/26465 [3] Multiple vulnerabilities on Axis 2100 IP cameras http://www.procheckup.com/Vulnerability_Axis_2100_rese arch.pdf

36 References (cont) [4] BT Voyager Multiple Remote Authentication Bypass Vulnerabilities http://www.securityfocus.com/archive/1/440405 http://www.securityfocus.com/bid/19057/discuss [5] Linksys WRT54GS POST Request Configuration Change Authentication Bypass Vulnerability http://www.securityfocus.com/archive/1/442452/30/0/threa ded http://www.securityfocus.com/bid/19347

37 References (cont) [6] BT Home Flub: Pwnin the BT Home Hub http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt- home-hub http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt- home-hub-2 http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt- home-hub-3 http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt- home-hub-4

Download ppt "Cracking into embedded devices And beyond! - by Adrian Pastor www.procheckup.com www.gnucitizen.org."

Similar presentations

Remote Replication Example A: Back up the data to a remote QNAP NAS over the IP network.

Remote Replication Example A: Back up the data to a remote QNAP NAS over the IP network.
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.

© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.
OWASP Web Vulnerabilities and Auditing

OWASP Web Vulnerabilities and Auditing
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

Similar presentations

Ads by Google