0DAY HUNTING A.K.A. THE STORY OF A PROPER CPE TEST
Balazs Bucsay - Research Director @ MRG Effitas
OSCE, OSCP, OSWP, GIAC GPEN
@xoreipeip # http://rycon.hu
BIO / BALAZS BUCSAY
• Hungarian hacker
• Research Director @ MRG Effitas
• Strictly technical certificates: OSCE, OSCP, OSWP and GIAC GPEN
• Previously worked as an ethical hacker
• Started with ring0 debuggers and disassemblers in 2000 (13 years old)
• Major project in 2009: GI John
• Webpage: http://rycon.hu
• Twitter: @xoreipeip
• Linkedin: https://www.linkedin.com/in/bucsayb
PRESENTATIONS
• Talks around the world:
  • Atlanta (US)
  • Moscow (RU)
  • London (UK)
  • Oslo (NO)
  • Vienna (AT)
  • Budapest (HU)
• Latest presentation:
  • Chw00t: Breaking unices’ chroot solutions
  • https://github.com/earthquake/chw00t
  • Slides: http://bit.ly/1T78dfM
WORK VS PASSION
• This presentation and findings are not related to my daily work
• Did all this research in my free time
• Don’t like black boxes and closed source
• Although if you are interested in testing your device, contact us!
CUSTOMER PREMISES EQUIPMENT - CPE
• None of the vendors care about security
• I was afraid that all the juicy RCE bugs were gone by now
• Truth is: nobody cares, old bugs are there and will stay there
• Most of the embedded devices are running on old 2.4 kernels
• Worked for the second largest mobile operator doing CPE tests
• Found several RCEs, auth bypasses and XSSs in different devices
TODAY’S DEVICE
• Not gonna mention the ISP’s name
• Huge ISP in Europe, it has subsidiaries in at least 8 EU countries
• Distributed to more than 6 million customers around Europe (based on the ISP’s website)
• Mostly covered by the following devices
CISCO EPC3925
CISCO EPC3925 - PWNED
TECHNICOLOR TC7200
TECHNICOLOR TC7200 - PWNED
Nice walk-through by Peter Geissler (@bl4sty) at Hack In The Box Amsterdam: http://bit.ly/215GwaN
TECHNICOLOR TC7200 - PWNED
Long story short:
• Blasty dumped the memory
• Reverse engineered the ESSID and WPA2-PSK generator
• PSK generator based on ESSID (TC7200 only): http://bit.ly/1UnMvTT
UBEE EVW3226 - PWNED??
• People started to play seriously with the device around January 2016
• 0day exploit released (physical access needed) - did not work for me
• Flash content was dumped and uploaded in the same month
• SEC Consult identified overlapping vulns: http://bit.ly/25KdjFK
• Yolosec released a tool as well: http://bit.ly/29isodH
THE PLAN
• GOAL 0: get the dump of the filesystem
• GOAL 1: get full access to the device
• GOAL 2: get unauthenticated command/code execution
• GOAL 3: get access to the network
• …
• Profit
GOAL 1: GET FULL ACCESS TO THE DEVICE
• Blackbox approach did not succeed
• Filesystem dump was released
• Device is using lighttpd with a custom .cgi binary
• Fired up IDA Pro to look for injection points
JUST A FEW TO MENTION
CAN YOU SPOT IT?
RCE AT ITS BEST
EXPLOITATION
• The code can be invoked by starting a certain feature of the device
• Two injection points
  • ESSID: max 32 ASCII characters - although it does not accept everything
  • PSK: max 64 ASCII characters - accepts all necessary characters
• Admin must be authenticated and connected to the internal network
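The injection points above exist because user-controlled SSID and PSK values end up in a shell command. The following is an added example (not the device's or the talk's code) of how a CGI-style handler avoids that class of bug: length/charset checks per IEEE 802.11 and WPA2 rules, then exec with an argv array and no shell. The helper names and the `/usr/sbin/wlan_apply` path are hypothetical placeholders.

```c
/* Added example (not the device's or the talk's code): validating an
 * SSID and a WPA2 passphrase and applying them without a shell.
 * Hypothetical helper names; /usr/sbin/wlan_apply is a placeholder path. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* IEEE 802.11 SSID: 1..32 bytes; restricted here to printable ASCII. */
bool valid_ssid(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32) return false;
    for (size_t i = 0; i < n; i++)
        if (s[i] < 0x20 || s[i] > 0x7e) return false;
    return true;
}

/* WPA2 passphrase: 8..63 printable ASCII, or exactly 64 hex digits. */
bool valid_psk(const char *p)
{
    size_t n = strlen(p);
    if (n == 64) {
        for (size_t i = 0; i < 64; i++)
            if (!strchr("0123456789abcdefABCDEF", p[i])) return false;
        return true;
    }
    if (n < 8 || n > 63) return false;
    for (size_t i = 0; i < n; i++)
        if (p[i] < 0x20 || p[i] > 0x7e) return false;
    return true;
}

/* Injectable pattern (what a vulnerable .cgi typically does): values are
 * spliced into a command line, so shell metacharacters in them execute:
 *   snprintf(cmd, sizeof cmd, "wlan_apply '%s' '%s'", ssid, psk); system(cmd);
 * Safe pattern: validate, then pass each value as its own argv element.
 * Returns the child's exit status, or -1 on invalid input or failure. */
int apply_wifi_settings(const char *ssid, const char *psk)
{
    if (!valid_ssid(ssid) || !valid_psk(psk)) return -1;
    char *const argv[] = {"/usr/sbin/wlan_apply", (char *)ssid, (char *)psk, NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Note that quotes and semicolons are legal in an SSID, so the protection comes from never handing the value to a shell, not from rejecting those characters.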
*BA DUM TSSS*
GOAL 2: FIND UNAUTHENTICATED RCE/BOF
• Although we have full access to the device, we still need an admin user to exploit it
• Authentication bypass can be a solution
• Unauthenticated RCE or BOF can help too
CAN YOU SPOT IT?
VANILLA STACK OVERFLOW
Pros:
• Unauthenticated like I wished for
• Trivial? vanilla stack overflow
Cons:
• Big endian Linux on ARM - no public shellcode
• No experience with ARM
• No qemu-system for big endian ARM, only qemu-user
SHELLCODING
• Compiling big endian toolchain with Buildroot
• Compiling static gdbserver for the device
• Debugging the binary for exploitation
• Writing shellcode based on tutorials and others
• Linux ARM big endian bind shellcode merged into Metasploit: https://github.com/rapid7/metasploit-framework/pull/6959
IN THE GDBSERVER
• No next or nexti, must put breakpoints on every instruction
• Most of the features are gone
• stack is not executable - no features, did not check…
• turns off stack randomisation (not vanilla anymore) - had to write ROP
• turns off ASLR (infoleak needed)
EPIC FAIL
• Only 11 bits are randomised, 1/2048 chance to hit the address
• Webserver forked the process, new memory address every time
• Watchdog restarts the web server
• Then realised that lighttpd filters most of the characters -> unexploitable
AUTHENTICATION BYPASS
• Found by Search-lab
• Turns the authenticated RCE into an unauthenticated one
• http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities
GOAL 3: GET ACCESS TO THE NETWORK
• Fallback options:
  • admin:admin account could still work in default cases
  • previously generated backup can be downloaded
• We only need access to the internal network to get full access
• Let’s dig into the binaries
BACK OF THE BLACKBOX
FEW SYMBOLS FROM THE BINARIES
Some of these could be interesting
WPA2-PSK GENERATION ALGORITHM
WPA2-PSK, SSID, WPS PIN GENERATION ALGORITHM
• Based only on the MAC address, nothing else
• Depends on whether it is 5G or 2.4G
• MAC can be sniffed
• WPS-PIN generation is based on the same idea
• Algorithm released 3rd of July by Yolosec
SURPRISE SURPRISE! WPS-PIN ENABLED BY DEFAULT
GETTING INTO THE NETWORK
• If the user changed the SSID: you can still get the passphrase
• If the user changed the PSK: let’s generate the WPS-PIN
• All of these can be generated from the MAC address
• From nothing to root in 2 minutes (default credentials)
DEMO
THE VENDOR HELPS YOU
It’s easier when you have a map - blue dots are the modems
WHO NEEDS MORE?
Authenticated firmware upgrade^W^W^W buffer overflow
WHO NEEDS MORE?
And if you are too lazy to crack a password…
FURTHER VULNERABILITIES
• Previously requested backup can be downloaded without authentication
• Plaintext passwords all over the device (nvram, heap, configs)
• Backdoor users in passwd and shadow files
• Command injections and buffer overflows
IMPACT
• A few million customers are potentially vulnerable
• Anybody can access their network and get root in a few minutes
• Botnets, jump hosts, Tor gateways, etc.
• Newest Snowden leaks: secret services use MiTM on routers
• You cannot be sure that you don’t have a device like this at home
Balazs Bucsay - @xoreipeip
Thank you for your attention!
Q&A