![Page 1: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/1.jpg)
Cracking into embedded devices
And beyond! - by Adrian Pastor
www.procheckup.com
www.gnucitizen.org
![Page 2: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/2.jpg)
The drive behind this research
Most devices have web interfaces enabled by default
This applies to consumer and corporate appliances
![Page 3: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/3.jpg)
The drive behind this research (2)
The devices are ownable via their web interface
Not just info theft is possible but also gaining root/admin privileges
![Page 4: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/4.jpg)
Why “and beyond”?
Attack doesn‟t end after owning the embedded device
If device not properly segmented, we can probe the internal network
![Page 5: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/5.jpg)
Why “and beyond”? (2)
Internet -> target device -> LAN
Target device: stepping stone / bouncing point
Not many companies consider DMZing “miscellaneous” devices
![Page 6: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/6.jpg)
Why “and beyond”? (3)
Most of what we need to probe the LAN already on device
i.e.: Axis camera with shell scripting (mish) and PHP support
![Page 7: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/7.jpg)
Why “and beyond”? (4)
Who‟s paying attention to printers, cameras, etc? Anyone?
After all they‟re just primitive devices
Not taking into account as seriously as app / web servers security-wise
![Page 8: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/8.jpg)
Focus on remotely exploitable web bugs
Can be exploited reliably
Can be hard to detect by IDS
No need to develop platform-specific shellcode
![Page 9: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/9.jpg)
Focus on remotely exploitable web bugs (2)
Devices‟ web interfaces often developed without parameter filtering in mind◦ Real example: Linksys WAG54GS [1]
Tons of persistent XSS
Lots of possibilities / attack scenarios
![Page 10: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/10.jpg)
The juicy bugs!
Auth bypass
File retrieval / directory traversal
XSS - reflected and persistent!
CSRF - most devices are affected
Privilege escalation
![Page 11: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/11.jpg)
Personal Fav. #1: CSRF + auth bypass
Any admin setting can be changed
Ideal when web int. NOT enabled on WAN
![Page 12: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/12.jpg)
Personal Fav. #1: CSRF + auth bypass (cont)
Payload is launched when admin tricked to visit 3rd-party evil page
Evil page makes browser send forged request to vulnerable device
![Page 13: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/13.jpg)
Personal Fav. #2: Persistent XSS on logs page
Web server password-protected but enabled on WAN interface
Attacker doesn’t need to be authenticated
Malformed request to web server injects malicious payload on logs page
![Page 14: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/14.jpg)
Personal Fav. #2: Persistent XSS on logs page (cont)
Admin browses vulnerable page while logged in
Device is compromised – ie: new admin account is added
Example: Axis 2100 IP cameras [2]
![Page 15: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/15.jpg)
Personal Fav. #2: Persistent XSS on logs page (cont)
Ironic: security-conscious admins get owned
![Page 16: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/16.jpg)
Personal Fav. #3: Auth bypass + WAN web interface
No interaction required from victim admin
Usually simple to exploit. i.e.:◦ knowledge of “authenticated” URL
◦ Replay request that changes admin setting
![Page 17: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/17.jpg)
Personal Fav. #4: Preauth leak + XSS on preauthURL
No need to rely on password
Ideal when web interface only on LAN
Targets the internal user who can “see” the device‟s web interface
Some preauth leaks are WAY TOO GOOD – ie: WEP keys or admin passwords
![Page 18: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/18.jpg)
Personal Fav. #4: Pers. XSS on admin login page
Steal session IDs
Overwrite login form‟s „action‟ attribute
Phishing heaven!
Real example: Pers. XSS on Aruba 800 Mobility Controller's login page [3] – by Jan Fry◦ You own the controller you own all the WAPs –sweet!
![Page 19: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/19.jpg)
Love for auth bypass bugs
Because not needing to rely on cracking a weak password is great
Let‟s see review a few real examples
![Page 20: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/20.jpg)
Auth bypass type 1: unprotected URLs
Password prompt returned when accessing http://victim.foo/
If creds correct, then redirect to “authed” URL
![Page 21: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/21.jpg)
Auth bypass type 1: unprotected URLs (cont)
Problem is no auth data (ie: password/session ID) is transmitted
Simply knowing the admin URLs does the job! - ie: http//victim.foo/admin-settings.cgi
Real example: 3COM APXXXX (vuln not published yet)
![Page 22: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/22.jpg)
Auth bypass type 2: unchecked HTTP methods
Resources (URLs) password protected
However, assumed to be accessed via a certain method – ie : GET
Requesting resource as POST gives the goodies!
Real example: BT Voyager 2091 Wireless ADSL [4]
![Page 23: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/23.jpg)
Auth bypass type 2: unchecked HTTP methods (cont)
Get config file without password:
POST /psiBackupInfo HTTP/1.1Host: 192.168.1.1Connection: closeContent-Length: 0<CRLF><CRLF>
![Page 24: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/24.jpg)
Auth bypass type 3: unprotected requests
Admin URLs password-protected correctly
However, admin requests are NOT
Real example: Linksys WRT54GS [5] – by Ginsu Rabbit
![Page 25: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/25.jpg)
Auth bypass type 3: unprotected requests (cont)
Settings URLs requires password:GET /wireless.htm
Submitting admin request does NOT:POST /Security.triContent-Length: 24SecurityMode=0&layout=en
![Page 26: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/26.jpg)
Auth bypass type 4: URL fuzzing
Web server OKs multiple representations of URL
i.e.: the following URLs could all be valid:◦ http://victim.foo/path/
◦ http://victim.foo\path\
◦ http://victim.foo/path?
◦ http://victim.foo/path.
◦ http://victim.foo/path?anyparameter=anyvalue
◦ http://victim.foo/path/
◦ http://victim.foo/path//
![Page 27: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/27.jpg)
Auth bypass type 4: URL fuzzing (cont)
Real example: BT Home Hub and Thomson/Alcatel Speedtouch 7G [6]
i.e.: the following URL gives you the config file without supplying creds:◦ http://192.168.1.254/cgi/b/backup/user.ini//
![Page 28: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/28.jpg)
BT Home Hub hacking challenge
No open tcp/udp ports on WAN interface by default
Requirement: attack must be remote
Most people would give up at this point
Possible attack vectors, anyone?
![Page 29: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/29.jpg)
BT Home Hub hacking challenge (cont)
OK, WAN is not an option
How about the LAN interface?
“Didn‟t you say it must be a remote attack?” you must be thinking
![Page 30: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/30.jpg)
BT Home Hub hacking challenge (cont)
Think client side!
Victim user‟s browser his worst enemy
If you can‟t attack via WAN, let the internal user do it via LAN
The aikido way: blend in, take advantage of already-established channels
![Page 31: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/31.jpg)
BT Home Hub hacking challenge (cont)
The recipe:◦ CSRF
◦ Auth bypass
The weapon:◦ Simple form retrieved via hidden „iframe‟
![Page 32: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/32.jpg)
BT Home Hub hacking challenge (cont)
The attack:◦ Any user in Home Hub‟s LAN visits malicious web page
◦ Web page causes user‟s browser submit interesting request to Home Hub. i.e.: enable remote assistance
![Page 33: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/33.jpg)
BT Home Hub hacking challenge (cont)
![Page 34: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/34.jpg)
Demo time!
![Page 35: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/35.jpg)
References
[1] Persistent XSS and CSRF on Linksys WAG54GS routerhttp://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs
[2] Persistent XSS on Aruba 800 Mobility Controller's login page http://www.procheckup.com/Vulnerability_PR07-26.phphttp://www.securityfocus.com/bid/26465
[3] Multiple vulnerabilities on Axis 2100 IP camerashttp://www.procheckup.com/Vulnerability_Axis_2100_research.pdf
![Page 36: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/36.jpg)
References (cont)
[4] BT Voyager Multiple Remote Authentication Bypass Vulnerabilitieshttp://www.securityfocus.com/archive/1/440405http://www.securityfocus.com/bid/19057/discuss
[5] Linksys WRT54GS POST Request Configuration Change Authentication Bypass Vulnerabilityhttp://www.securityfocus.com/archive/1/442452/30/0/threadedhttp://www.securityfocus.com/bid/19347
![Page 37: And beyond! - by Adrian Pastor - OWASPAnd beyond!- by Adrian Pastor . The drive behind this research ... Thomson/Alcatel Speedtouch 7G [6]](https://reader033.vdocuments.us/reader033/viewer/2022041923/5e6cf47be271cb61a905f5a4/html5/thumbnails/37.jpg)
References (cont)
[6] BT Home Flub: Pwnin the BT Home Hubhttp://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hubhttp://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-2http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-3http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4