Router Hacking
CHCon 2018
19/11/2018
$ whoami
▪ Ben [zante] @zantedotnz
▪ Security Consultant @ Insomnia Security
▪ Previously, Digital Forensic Analyst @ NZ Police
▪ Interested in hacking embedded devices. Pulling flash chips off. Finding crazy command injection bugs.
Motivation
▪ Huawei HG659 for iptables access to redirect DNS for US Netflix goodness
▪ Find vulnerabilities in current generation routers
▪ Learn about hardware hacking
Huawei HG659
▪ Well researched: decrypt/encrypt the configuration backup XML to enable telnet and recover the root password
▪ Original research: https://hg658c.wordpress.com
New Research
▪ Command injection vulnerabilities in three routers:
  ▪ Huawei B618
  ▪ Huawei B315
  ▪ [REDACTED]
▪ Exploitation requires either web admin or physical access
[REDACTED]?
▪ Vendor told their customer the vulnerability had been patched … it wasn’t though, so it’s still unpatched
▪ Interesting bug I really want to share
▪ Keep an eye on Twitter and I’ll post the vulnerability report when I can do so publicly
Vulnerability Disclosure
▪ I just want to talk about the bugs but it’s more complicated than that
▪ Give yourself a long lead time if you want to talk about vulnerabilities publicly
▪ If you’re unknown to an organisation, disclose through a trusted third party
▪ If you receive vulnerability reports, be kind
▪ If you send vulnerability reports, be respectful
Hardware Hacking
▪ Used to assist with vulnerability discovery
▪ UART for debug messages
▪ BOOT PIN for Huawei firmware reflashing without signature verification
Hardware Hacking
▪ Chip-Off for firmware dump (encrypted firmware image)
▪ Huawei B618 uses a non-standard-sized BGA flash chip
Research Methodology
▪ Remove the casing and review the hardware
▪ Connect to UART, JTAG and any other debug ports
▪ Grab the firmware (download or chip-off dump)
▪ Enable all the services (SMB, DLNA, VPN, etc.)
▪ Look for the low-hanging fruit vulnerabilities
▪ Functionality that gives you some feedback of success
▪ Monitor process execution, networking and file system events (strace, fsmon or UART)
Huawei B618
[Figure: Huawei B618, with UART and BOOT labelled]
root@p750:/etc/ppp/peers # cat vpn1234
# written by pptpsetup
plugin "pptp.so"
name vpn1234
pptp_server 10.1.1.1
file /etc/ppp/options.pptp
noauth
nobsdcomp
nodeflate
name zante
plugin /online/firmware1.bin
(slide annotation: new line injection)
Exploitation Steps
1. Ensure WAN interface is active
2. Inject a new line into the PPTP VPN config to load a plugin
3. Compile a plugin to load
4. Upload plugin to spawn an ADB shell
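Added example (not from the talk or from Huawei's firmware): a peers-file writer that reproduces the new line injection from the `vpn1234` file next to a hardened version, plus an audit that flags unexpected `plugin` directives in such a file. It assumes the injected field is the VPN user name; the function names and the allow-list are hypothetical.

```python
import re

# Allow-list for values the web UI writes into /etc/ppp/peers/<name>.
# fullmatch() is used because "$" with re.match would accept a trailing "\n".
SAFE_VALUE = re.compile(r"[A-Za-z0-9._@-]{1,64}")
ALLOWED_PLUGINS = {"pptp.so"}  # the only plugin the legitimate file loads

def render_peer_unsafe(server: str, user: str) -> str:
    """Vulnerable pattern: form values are pasted into the options file."""
    return ('# written by pptpsetup\n'
            'plugin "pptp.so"\n'
            f"pptp_server {server}\n"
            "file /etc/ppp/options.pptp\n"
            "noauth\n"
            f"name {user}\n")

def render_peer_safe(server: str, user: str) -> str:
    """Hardened writer: reject anything outside the allow-list first."""
    for field, value in (("server", server), ("user", user)):
        if not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"illegal characters in {field} field")
    return render_peer_unsafe(server, user)

def audit_peer(text: str) -> list[str]:
    """Return every plugin directive that loads something unexpected."""
    findings = []
    for line in text.splitlines():
        words = line.split(None, 1)
        if len(words) == 2 and words[0] == "plugin":
            target = words[1].strip().strip('"')
            if target not in ALLOWED_PLUGINS:
                findings.append(line.strip())
    return findings

# Constructed input mirroring the slide: a user name carrying a line break.
INJECTED_USER = "zante\nplugin /online/firmware1.bin"

if __name__ == "__main__":
    print(audit_peer(render_peer_unsafe("10.1.1.1", INJECTED_USER)))
    try:
        render_peer_safe("10.1.1.1", INJECTED_USER)
    except ValueError as exc:
        print("rejected:", exc)
```

The audit can be run over every file in `/etc/ppp/peers` pulled from a firmware dump or a live shell; any hit means pppd would load a shared object other than the PPTP plugin.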
./demo.sh
Huawei B315
root@router:/var/samba# cat smb.conf
[global]
workgroup = WORKGROUP
netbios name = huawei.com
server string = samba server
…
dfree command = /var/hax.sh
[hax]
path = /mnt/sdcard/%m/%m/var
valid users = hax
writeable = yes
printable = no
(slide annotations:)
1 - directory path traversal
2 - execute shell script
Exploitation Steps
1. Create a new SMB share
2. Inject the %m variable into the path
3. Connect to the share with a NETBIOS name of “..”
4. Edit smb.conf to run adbd
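Added example (not from the talk or from Huawei's firmware): why `%m` in a share path is a traversal once the client's NetBIOS name is `..`, a share-path check a web UI could apply before writing `smb.conf`, and an audit for the two conditions annotated on the slide. The function names and the `/mnt/sdcard` storage root policy are assumptions.

```python
import posixpath

STORAGE_ROOT = "/mnt/sdcard"  # share root used in the slide's smb.conf
# smb.conf parameters that make smbd run an external program (not exhaustive).
EXEC_PARAMS = {"dfreecommand", "preexec", "rootpreexec", "postexec",
               "rootpostexec", "panicaction"}

def expand_share_path(path: str, netbios_name: str) -> str:
    """Model Samba's %m substitution (client NetBIOS name), then normalise."""
    return posixpath.normpath(path.replace("%m", netbios_name))

def validate_share_path(path: str) -> str:
    """Check a share path from the web UI before it reaches smb.conf."""
    if "%" in path:
        raise ValueError("Samba substitution variables are not allowed")
    if "\n" in path or "\r" in path:
        raise ValueError("line breaks are not allowed")
    resolved = posixpath.normpath(posixpath.join(STORAGE_ROOT, path))
    if resolved != STORAGE_ROOT and not resolved.startswith(STORAGE_ROOT + "/"):
        raise ValueError("path escapes the storage root")
    return resolved

def audit_smb_conf(text: str) -> list[str]:
    """Flag exec-style parameters and share paths containing variables."""
    findings = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        # Samba ignores case and whitespace inside parameter names.
        norm = "".join(key.split()).lower()
        if norm in EXEC_PARAMS:
            findings.append(f"runs a program: {line.strip()}")
        elif norm == "path" and "%" in value:
            findings.append(f"variable in path: {line.strip()}")
    return findings

# Constructed sample: the lines visible on the slide (elided part omitted).
SLIDE_CONF = """[global]
workgroup = WORKGROUP
dfree command = /var/hax.sh
[hax]
path = /mnt/sdcard/%m/%m/var
valid users = hax
"""

if __name__ == "__main__":
    print(expand_share_path("/mnt/sdcard/%m/%m/var", ".."))
    print(audit_smb_conf(SLIDE_CONF))
```

The path check is lexical only; symlinks on the storage device need a separate resolved-path check on the router itself.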
HACK THE PLANET
demo
:q