0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bucsay

Page 1: 0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bucsay

0DAY HUNTING A.K.A.

THE STORY OF A PROPER CPE TEST

Balazs Bucsay - Research Director @ MRG Effitas

OSCE, OSCP, OSWP, GIAC GPEN @xoreipeip # http://rycon.hu


BIO / BALAZS BUCSAY

• Hungarian hacker

@xoreipeip


BIO / BALAZS BUCSAY

• Hungarian hacker
• Research Director @ MRG Effitas
• Strictly technical certificates: OSCE, OSCP, OSWP and GIAC GPEN
• Previously worked as an ethical hacker
• Started with ring0 debuggers and disassemblers in 2000 (13 years old)
• Major project in 2009: GI John


BIO / BALAZS BUCSAY

• Webpage: http://rycon.hu
• Twitter: @xoreipeip
• Linkedin: https://www.linkedin.com/in/bucsayb


PRESENTATIONS

• Talks around the world:
  • Atlanta (US)
  • Moscow (RU)
  • London (UK)
  • Oslo (NO)
  • Vienna (AT)
  • Budapest (HU)
• Latest presentation:
  • Chw00t: Breaking unices’ chroot solutions
  • https://github.com/earthquake/chw00t
  • Slides: http://bit.ly/1T78dfM


WORK VS PASSION

• This presentation and its findings are not related to my daily work
• Did all this research in my free time
• Don’t like black boxes and closed source
• Although if you are interested in testing your device, contact us!


CUSTOMER PREMISES EQUIPMENT - CPE

• None of the vendors care about security
• I was afraid that all the juicy RCE bugs were gone by now
• Truth is: nobody cares, old bugs are there and will be there
• Most of the embedded devices are running on old 2.4 kernels
• Worked for the second largest mobile operator doing CPE tests
• Found several RCEs, auth bypasses and XSSs in different devices


TODAY’S DEVICE

• Not gonna mention the ISP’s name
• Huge ISP in Europe, it has subsidiaries in at least 8 EU countries
• Distributed to more than 6 million customers around Europe (based on the ISP’s website)
• Mostly covered by the following devices


CISCO EPC3925


CISCO EPC3925 - PWNED


TECHNICOLOR TC7200


TECHNICOLOR TC7200 - PWNED

Nice walk-through by Peter Geissler (@bl4sty) at Hack In The Box Amsterdam: http://bit.ly/215GwaN


TECHNICOLOR TC7200 - PWNED

Long story short:

• Blasty dumped the memory
• Reverse engineered the ESSID and WPA2-PSK generator
• PSK generator based on ESSID: http://bit.ly/1UnMvTT (TC7200 only)


UBEE EVW3226 - PWNED??


UBEE EVW3226 - PWNED??

• People started to play seriously with the device around January of 2016

• 0day exploit released (physical access needed) - did not work for me

• Flash content was dumped and uploaded in the same month
• SEC Consult identified overlapping vulns: http://bit.ly/25KdjFK
• Yolosec released a tool as well: http://bit.ly/29isodH


THE PLAN

• GOAL 0: get the dump of the filesystem
• GOAL 1: get full access to the device
• GOAL 2: get unauthenticated command/code execution
• GOAL 3: get access to the network
• …
• Profit


GOAL 1: GET FULL ACCESS TO THE DEVICE

• Blackbox approach did not succeed
• Filesystem dump was released
• Device is using lighttpd with a custom .cgi binary
• Fired up IDA Pro to look for injection points


JUST A FEW TO MENTION


CAN YOU SPOT IT?


RCE AT ITS BEST


EXPLOITATION

• The code can be invoked by starting a certain feature of the device
• Two injection points:
  • ESSID: max 32 ASCII characters - although it does not accept everything
  • PSK: max 64 ASCII characters - accepts all necessary characters
• Admin must be authenticated and connected to the internal network
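The fix for this class of bug, as an added example that is not code from the talk or from the device firmware: validate the SSID and PSK strictly and start the feature through execv with a fixed argv, so no shell ever parses the values. The helper path /usr/sbin/wifi-helper and its flags are assumptions; the SSID limit of 32 and the PSK limit of 64 follow the slide, and the PSK rule applies the 802.11 passphrase format (8 to 63 printable characters or 64 hex digits).

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* True if every byte is printable ASCII (0x20..0x7E). */
static bool printable_ascii(const char *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)s[i] < 0x20 || (unsigned char)s[i] > 0x7e) return false;
    return true;
}

/* SSID: 1..32 printable ASCII bytes (802.11 limit, as on the slide).
 * Reject bad input outright, never try to "sanitise" it. */
bool ssid_ok(const char *ssid) {
    size_t n = strlen(ssid);
    return n >= 1 && n <= 32 && printable_ascii(ssid, n);
}

/* PSK: an 8..63 byte printable passphrase, or exactly 64 hex digits
 * (the raw 256-bit key; 64 is the maximum on the slide). */
bool psk_ok(const char *psk) {
    size_t n = strlen(psk);
    if (n == 64) {
        for (size_t i = 0; i < n; i++)
            if (!isxdigit((unsigned char)psk[i])) return false;
        return true;
    }
    return n >= 8 && n <= 63 && printable_ascii(psk, n);
}

/* Fill a fixed argv for the helper (path and flags are assumed, not the
 * device's). Each value is its own argv element, so ';', '`' or '$(' in an
 * SSID reach the helper as plain data: no shell ever parses them. */
int build_wifi_argv(const char *ssid, const char *psk, char *argv[6]) {
    if (!ssid_ok(ssid) || !psk_ok(psk)) return -1;
    argv[0] = "/usr/sbin/wifi-helper"; argv[1] = "--ssid"; argv[2] = (char *)ssid;
    argv[3] = "--psk"; argv[4] = (char *)psk; argv[5] = NULL;
    return 0;
}
/* Start the feature with fork + execv; never system() or popen(). */
int start_wifi_feature(const char *ssid, const char *psk) {
    char *argv[6];
    int status = 0;
    if (build_wifi_argv(ssid, psk, argv) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) { execv(argv[0], argv); _exit(127); }
    return (pid > 0 && waitpid(pid, &status, 0) == pid) ? status : -1;
}
```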


*BA DUM TSSS*


GOAL 2: FIND UNAUTHENTICATED RCE/BOF

• Although we have full access to the device, we still need an admin user to exploit it

• Authentication bypass can be a solution
• Unauthenticated RCE or BOF can help too


CAN YOU SPOT IT?


VANILLA STACK OVERFLOW

Pros:
• Unauthenticated like I wished for
• Trivial? vanilla stack overflow

Cons:
• Big endian Linux on ARM - no public shellcode
• No experience with ARM
• No qemu-system for big endian ARM, only qemu-user


SHELLCODING

• Compiling big endian toolchain with Buildroot
• Compiling static gdbserver for the device
• Debugging the binary for exploitation
• Writing shellcode based on tutorials and others
• Linux ARM big endian bind shellcode merged into Metasploit:

https://github.com/rapid7/metasploit-framework/pull/6959


IN THE GDBSERVER

• No next or nexti, must put breakpoints on every instruction
• Most of the features are gone
• Stack is not executable - no features, did not check…
• Turns off stack randomisation (not vanilla anymore) - had to write ROP
• Turns off ASLR (infoleak needed)


EPIC FAIL

• Only 11 bits are randomised, 1/2048 chance to hit the address
• Webserver forked the process, new memory address every time
• Watchdog restarts the web server
• Then realised that lighttpd filters most of the characters -> unexploitable


AUTHENTICATION BYPASS

• Found by Search-lab
• Turns the authenticated RCE into an unauthenticated one
• http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities


GOAL 3: GET ACCESS TO THE NETWORK

• Fallback options:
  • admin:admin account still could work in default cases
  • previously generated backup can be downloaded
• We only need access to the internal network to get full access
• Let’s dig the binaries


BACK OF THE BLACKBOX


FEW SYMBOLS FROM THE BINARIES

Some of these could be interesting


WPA2-PSK GENERATION ALGORITHM


WPA2-PSK, SSID, WPS PIN GENERATION ALGORITHM

• Based only on the MAC address, nothing else
• Depends on whether it is 5G or 2.4G
• MAC can be sniffed
• WPS-PIN generation is based on the same idea
• Algorithm released 3rd of July by Yolosec


SURPRISE SURPRISE! WPS-PIN ENABLED BY DEFAULT


GETTING INTO THE NETWORK

• What if the user changed the SSID? You can still get the passphrase
• What if the user changed the PSK? Let’s generate the WPS-PIN
• All of these can be generated from the MAC address
• From nothing to root in 2 minutes (default credentials)


DEMO


THE VENDOR HELPS YOU

It’s easier when you have a map - blue dots are the modems


WHO NEEDS MORE?

Authenticated firmware upgrade^W^W^W buffer overflow


WHO NEEDS MORE?

and if you are too lazy to crack a password…


FURTHER VULNERABILITIES

• Previously requested backup can be downloaded without authentication
• Plaintext passwords all over the device (nvram, heap, configs)
• Backdoor users in passwd and shadow files
• Command injections and buffer overflows


IMPACT

• A few million customers are potentially vulnerable
• Anybody can access their network and get root in a few minutes
• Botnets, jump hosts, Tor gateways, etc.
• Newest Snowden leaks: secret services use MiTM on routers
• You cannot be sure that you don’t have a device like this at home


Balazs Bucsay - @xoreipeip

Thank you for your attention!

Q&A