sireprat
play

SirepRAT Windows IoT Core Abusing a Windows service for RCE About - PowerPoint PPT Presentation

Mar 04, 2024 •215 likes •967 views

SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec Security Researcher @Safebreach Presented at DEFCON, DEEPSEC, Hackfest @bemikre Contents 1. Windows IoT Core 2. Live SirepRAT

  1. SirepRAT Windows IoT Core Abusing a Windows service for RCE

  2. About Me ● 7+ years in InfoSec ● Security Researcher @Safebreach ● Presented at DEFCON, DEEPSEC, Hackfest… ● @bemikre

  3. Contents 1. Windows IoT Core 2. Live SirepRAT Demonstration 3. HLK - Hardware Lab Kit 4. Debugging Setup 5. Reverse Engineering the Sirep Protocol 6. Microsoft Coordinated Disclosure 7. SirepRAT Tool Release

  4. Windows IoT Windows 10 Free ARM

  5. Supported Boards DragonBoard 410c MinnowBoard Turbot AAEON Up Squared Raspberry Pi

  6. Usage Stats ● Windows IoT - 2nd largest share in IoT solutions development (22.9%) ● Most IoT solutions in development use ARM architecture ● Security is the top concern for developing IoT solutions April 2018

  7. Core / Enterprise Core Enterprise ARM & x86_x64 x86_x64 UWP UWP & Win32 Digital signage, Industry tablets, Smart buildings, POS, Smart homes, Kiosks, IoT gateways, ATMs, Wearables Medical devices, Thin clients

  8. Stock Image / Custom Image ● OS is installed using a bootable image ● Microsoft provides public stock images, per build ● One may build a custom image with a chosen set of features ● Building a custom image is a non-trivial process aimed for OEMs ○ Purchase a code-signing certificate from a Certificate Authority (CA) ○ Sign the final files “ if you're looking to commercialize your device, you must use a custom FFU to optimize security for your device “

  9. OEMInput.xml Defines features to include

  10. Goal: Remotely Take Control of the Device

  11. Remote Administrative Interfaces Web Device Portal (WDP) http://192.168.3.17:8080/ Requires Administrator credentials (HTTP authentication)

  12. Remote Administrative Interfaces SSH > ssh Administrator@192.168.3.17 Requires Administrator credentials

  13. Remote Administrative Interfaces PowerShell > Set-Item WSMan:\localhost\Client\TrustedHosts -Value 192.168.3.17 > Enter-PSSession -ComputerName 192.168.3.17 -Credential 192.168.3.17\Administrator Requires Administrator credentials

  14. Remote Administrative Interfaces IoT Remote Server (Remote display) 1. Login to WDP on the IoT device 2. Enable Windows IoT Remote Server in the ‘Remote’ tab 3. Install Windows IoT Remote Client app on a Windows 10 machine 4. Connect to device using the installed app Requires Administrator credentials (login to WDP)

  15. Remote Administrative Interfaces Visual Studio Debugging 1. Login to WDP on the IoT device 2. Start the Visual Studio Remote Debugger in the ‘Debugging’ tab 3. Debug an IoT app using Visual Studio on a Windows 10 machine Requires Administrator credentials (login to WDP)

  18. Choose image

  19. Ethernet Recommended

  20. Default Dev Features Enables WDP IOT_WEBB_EXTN Enables SSH IOT_SSH Enables PowerShell IOT_POWERSHELL Enables Remote Display IOT_NANORDPSERVER Enables SIREP service for TShell connectivity IOT_SIREP

  21. Dev friendly == Hacker friendly

  22. Contents 1. Windows IoT Core 2. Live SirepRAT Demonstration 3. HLK - Hardware Lab Kit 4. Debugging Setup 5. Reverse Engineering the Sirep Protocol 6. Microsoft Coordinated Disclosure 7. SirepRAT Tool Release

  23. DEMO

  24. Contents 1. Windows IoT Core 2. Live SirepRAT Demonstration 3. HLK - Hardware Lab Kit 4. Debugging Setup 5. Reverse Engineering the Sirep Protocol 6. Microsoft Coordinated Disclosure 7. SirepRAT Tool Release

  25. HLK Hardware Lab Kit

  26. What is HLK? A testing framework for hardware devices & drivers Targets Windows 10 & Server 2016 HCK (Hardware Certification Kit) successor Windows Hardware Compatibility Program

  28. HLK setup ● HLK test server and one or more test systems ● HLK server runs: ○ HLK Controller ○ HLK Studio ● HLK client runs the Sirep service ○ Windows IoT: Communication over TCP port 29820 ○ Windows 10: Communication over TCP port 1771

  29. Connection Types IP over USB Aries Ethernet-to-USB dongle

  30. HLK Proxy Client ● Enables full support for testing on mobile/embedded devices ● May be the same machine as the test server or a dedicated machine

  31. Setup Example #1 - Small Scale

  32. Setup Example #2 - Mid Scale

  33. Setup Example #3 - Large Scale

  34. Contents 1. Windows IoT Core 2. Live SirepRAT Demonstration 3. HLK - Hardware Lab Kit 4. Debugging Setup 5. Reverse Engineering the Sirep Protocol 6. Microsoft Coordinated Disclosure 7. SirepRAT Tool Release

  35. Kernel Debug Setup Ethernet kernel debugging is not supported USB to UART Cable (TTL) Prolific USB To Serial Driver

  36. Kernel Debug Setup [RPi2 or RPi3]: Pin #6 (GND) <-> Black (GND) Pin #8 (TX) <-> White (RX) Pin #10 (RX) <-> Green (TX) > bcdedit /store c:\EFIESP\EFI\Microsoft\Boot\BCD -dbgsettings debugtype serial > bcdedit /store c:\EFIESP\EFI\Microsoft\Boot\BCD -dbgsettings baudrate 921600 > bcdedit /store c:\EFIESP\EFI\Microsoft\Boot\BCD -dbgsettings debug on

  37. CPU Overheat Transistor-to-transistor logic (TTL), according to WhatIs.com: “TTL is characterized by high switching speed, and relative immunity to noise. Its principle drawback is the fact that circuits using TTL draw more current than equivalent circuits .” RasPi CPU temp > 85° Celsius = downclocking or shutting down

  40. CREATIVITY OVER 9000

  41. Contents 1. Windows IoT Core 2. Live SirepRAT Demonstration 3. HLK - Hardware Lab Kit 4. Debugging Setup 5. Reverse Engineering the Sirep Protocol 6. Microsoft Coordinated Disclosure 7. SirepRAT Tool Release

  42. The Sirep Protocol aka TShell aka WPCon

  43. Network Signature HKLM\...\FirewallPolicy\FirewallRules: ● Sirep-Server-Protocol2 REG_SZ v2.28|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=29820|App=%systemroot%\System32\svchost. exe|Name=Sirep Server (Protocol 2)|Desc=Sirep Server (Protocol 2)|EmbedCtxt=Sirep Server| ● Sirep-Server-Ping REG_SZ v2.28|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=29819|App=%systemroot%\System32\svchost. exe|Name=Sirep Server (Ping)|Desc=Sirep Server (Ping)|EmbedCtxt=Sirep Server|

  44. Network Signature ControllerWSA::NameBroadcasterThread ControllerWSA::SendBroadcastForDevice ws2_32!sendto WS2_32!sendto: 7730b260 e92d4ff0 push {r4-r11,lr} 0: kd> db r1 L?0x74 0324f7e0 00 c0 ff ee 42 00 38 00-32 00 37 00 45 00 42 00 ....B.8.2.7.E.B. 0324f7f0 33 00 44 00 42 00 44 00-39 00 36 00 00 00 00 00 3.D.B.D.9.6..... 0324f800 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 0324f810 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 0324f820 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 0324f830 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 0324f840 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 0324f850 00 00 00 00 .... 0: kd> k # Child-SP RetAddr Call Site 00 0324f7c0 711b7cb8 WS2_32!sendto 01 0324f7c0 711b7e3c testsirepsvc!ControllerWSA::SendBroadcastForDevice+0xd0 02 0324f880 711b7abc testsirepsvc!ControllerWSA::NameBroadcasterThread+0xb0 03 0324fad8 77ae97e2 testsirepsvc!ControllerWSA::NameBroadcasterThreadProc+0xc 04 0324fae0 00000000 ntdll!RtlUserThreadStart+0x22

  45. HLK on Windows IoT Service DLL: C:\Windows\System32\testsirepsvc.dll

  46. Network Signature Device Advertisement: ● Periodic gratuitous UDP packets ● Unique device ID ● Ethernet connected subnets

  47. Network Signature PING: ● Listens on the Sirep-Server-Ping (29819) port ● Responds with a “PING” payload to every incoming TCP connection ● Terminates the connection with RST

  48. Network Signature Service TCP Banner (“Handshake”): ● Listens on the Sirep-Server-Protocol2 (29820) port ● Responds with a GUID string to every incoming TCP connection ● This is the 0x10 bytes long SirepProtocolVersionGuid SirepProtocolVersionGuid = 2a 4c 59 a5 fb 60 04 47 a9 6d 1c c9 7d c8 4f 12

  49. Core Functionality Incoming Connection Authorization: ● Listens on the Sirep-Server-Protocol2 (29820) port ● ControllerWSA::IsConnectionAllowed ● No authentication ● No identification

  50. Core Functionality Incoming Connection Authorization:

  51. Core Functionality Incoming Connection Authorization: How come that the authorization criterion is so permissive?

  52. Protocol Name Ambiguity No official explanation available. Our best guess: Windows Embedded Windows Mobile Windows Phone Windows IoT TShell TShell WPCon Sirep Ethernet IP Over USB IP Over USB Ethernet

  53. Core Functionality Commands Interface: ● A service routine accepts incoming command buffers: SirepPipeServiceRoutine ● Directs execution to right path in code, in a switch manner

  54. Packet Structure TLV 00 01 02 03 04 05 06 07 08 ... <Payload Length> Command Type Payload Length Command Data

  55. Command Structure - Types 1. GetSystemInformationFromDevice 2. GetFileFromDevice 3. GetFileInformationFromDevice 4. PutFileOnDevice 5. LaunchCommandWithOutput

  56. 1. GetSystemInformationFromDevice 00 01 02 03 04 05 06 07 Command Type Payload Length 32 00 00 00 00 00 00 00

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS 457 Lecture 20 Transport Layer: UDP and TCP Fall 2011 Topics Principles underlying

CS 457 Lecture 20 Transport Layer: UDP and TCP Fall 2011 Topics Principles underlying

CS 457 Lecture 20 Transport Layer: UDP and TCP Fall 2011 Topics Principles underlying transport-layer services Demultiplexing Detecting corruption Reliable delivery Flow control Transport-layer protocols User

329 views • 28 slides
Distributed Systems Firewalls: Defending the Network Paul Krzyzanowski pxk@cs.rutgers.edu

Distributed Systems Firewalls: Defending the Network Paul Krzyzanowski pxk@cs.rutgers.edu

Distributed Systems Firewalls: Defending the Network Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License. inetd Most U NIX systems ran

581 views • 21 slides
Grid Grid to Grid Grid-to to Ports Clock Routing for to-Ports Clock Routing for Ports Clock

Grid Grid to Grid Grid-to to Ports Clock Routing for to-Ports Clock Routing for Ports Clock

Grid Grid to Grid Grid-to to Ports Clock Routing for to-Ports Clock Routing for Ports Clock Routing for Ports Clock Routing for High Performance High Performance Microprocessor Designs Microprocessor Designs Haitong Tian # , Wai-Chung

310 views • 29 slides
Urban Truck Ports Unlocking the Benefits of High-efficiency Truck Operations SSTI Community of

Urban Truck Ports Unlocking the Benefits of High-efficiency Truck Operations SSTI Community of

Urban Truck Ports Unlocking the Benefits of High-efficiency Truck Operations SSTI Community of Practice Meeting October 9, 2014 Salt Lake City, UT Steve Viscelli Bill Holloway Visiting Assistant Professor Transportation Policy Analyst

452 views • 21 slides
Lecture 10: S Parameters Matthew Spencer Harvey Mudd College E157 Radio Frequency Circuit

Lecture 10: S Parameters Matthew Spencer Harvey Mudd College E157 Radio Frequency Circuit

Department of Engineering Lecture 10: S Parameters Matthew Spencer Harvey Mudd College E157 Radio Frequency Circuit Design 1 1 Department of Engineering Two-Port Networks Matthew Spencer Harvey Mudd College E157 Radio Frequency

482 views • 27 slides
Outline Firewalls and NAT boxes CSci 5271 Introduction to Computer Security Announcements

Outline Firewalls and NAT boxes CSci 5271 Introduction to Computer Security Announcements

Outline Firewalls and NAT boxes CSci 5271 Introduction to Computer Security Announcements intermission Day 22: Firewalls, NATs, and IDSes Stephen McCamant Intrusion detection systems University of Minnesota, Computer Science &amp;

308 views • 4 slides
Usage of QML Tools Coding, Debugging &amp; Performance Aurindam Jana Digia Who am I ? Aurindam

Usage of QML Tools Coding, Debugging &amp; Performance Aurindam Jana Digia Who am I ? Aurindam

Usage of QML Tools Coding, Debugging &amp; Performance Aurindam Jana Digia Who am I ? Aurindam Jana IRC: #qt #qt-creator: auri__ QML 2 Objective Overview of existing tools Get feedback and feature requests 3 Contents Coding QML/JS

377 views • 33 slides
Reserved: Dissectjng Internet Traffjc on Port 0 Aniss Maghsoudlou Oliver Gasser Anja Feldmann

Reserved: Dissectjng Internet Traffjc on Port 0 Aniss Maghsoudlou Oliver Gasser Anja Feldmann

Reserved: Dissectjng Internet Traffjc on Port 0 Aniss Maghsoudlou Oliver Gasser Anja Feldmann Max Planck Instjtute for Informatjcs Why Port 0? Using port number 0 is not allowed in: TCP [RFC 1340] UDP [RFC 8085] 76 GB of traffjc

234 views • 10 slides
Consistent Reads Using ProxySQL and GTID Santa Clara, California | April 23th 25th, 2018

Consistent Reads Using ProxySQL and GTID Santa Clara, California | April 23th 25th, 2018

Consistent Reads Using ProxySQL and GTID Santa Clara, California | April 23th 25th, 2018 Disclaimer I am not Ren Canna @lefred MySQL Community Manager / Oracle the one who provided a hint for this not the one

1.27k views • 50 slides
Cap Sante North &amp; West Basin Upland Redevelopment Council Briefjng - February 24, 2020

Cap Sante North &amp; West Basin Upland Redevelopment Council Briefjng - February 24, 2020

Cap Sante North &amp; West Basin Upland Redevelopment Council Briefjng - February 24, 2020 Overview Project Process and Purpose Development Plan Site Plan Rationale Event Center Building Design Parking Strategy

840 views • 61 slides
Dataflow Network Programming with Neuron Eric Griffis RacketCon 2018 St. Louis, MO 1 I. Meet

Dataflow Network Programming with Neuron Eric Griffis RacketCon 2018 St. Louis, MO 1 I. Meet

Dataflow Network Programming with Neuron Eric Griffis RacketCon 2018 St. Louis, MO 1 I. Meet Nick 2 Nick cares about cancer 3 Curing cancer is expensive 4 5 6 II. Enter Neuron 7 The Neuron Framework concurrency model messaging API

580 views • 28 slides
FAB: Towards Flow-aware Bu fg er Sharing in Programmable Switches Maria Apostolaki Joint work

FAB: Towards Flow-aware Bu fg er Sharing in Programmable Switches Maria Apostolaki Joint work

FAB: Towards Flow-aware Bu fg er Sharing in Programmable Switches Maria Apostolaki Joint work with Laurent Vanbever &amp; Manya Ghobadi An old story An old story Fan-in causing queue built-up Switch Senders Receivers An

1.04k views • 85 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

915 views • 36 slides
NFS Don Porter CSE 506 together as the !handle for a rue. The inode generation number is

NFS Don Porter CSE 506 together as the !handle for a rue. The inode generation number is

NFS Don Porter CSE 506 together as the !handle for a rue. The inode generation number is necessary because the server may hand out an !handle with an inode number of a file that is later removed and the inode J reused. When the original

617 views • 24 slides
Information Management for Business Dr. Tom Acton 1 2 3 Huh? Whats an organisation?

Information Management for Business Dr. Tom Acton 1 2 3 Huh? Whats an organisation?

Information Management for Business Dr. Tom Acton 1 2 3 Huh? Whats an organisation? What do businesses do anyway? What are the parts of a business, and what has technology got to do with any of it? And hold on , whats

197 views • 16 slides
Management Nima Honarmand (Based on slides by Don Porter and Mike Ferdman) Fall 2014 :: CSE 506

Management Nima Honarmand (Based on slides by Don Porter and Mike Ferdman) Fall 2014 :: CSE 506

Fall 2014 :: CSE 506 :: Section 2 (PhD) Page Frame Management Nima Honarmand (Based on slides by Don Porter and Mike Ferdman) Fall 2014 :: CSE 506 :: Section 2 (PhD) Recap and background Page tables: translate virtual addresses to physical

366 views • 24 slides
Buying Service Wisconsin Retirement System etf.wi.gov Randall Porter Presenter The Department

Buying Service Wisconsin Retirement System etf.wi.gov Randall Porter Presenter The Department

Buying Service Wisconsin Retirement System etf.wi.gov Randall Porter Presenter The Department of Employee Trust Funds has made every effort to ensure that this webinar is current and accurate. However, changes in the law or processes since 1

470 views • 18 slides
The Evolution of Early-Type Galaxies across the Fundamental Plane Lauren Porter University of

The Evolution of Early-Type Galaxies across the Fundamental Plane Lauren Porter University of

The Evolution of Early-Type Galaxies across the Fundamental Plane Lauren Porter University of California, Santa Cruz Collaborators: R. S. Somerville, D. Croton, G. Graves, M. D. Covington, S. M Faber, J. R. Primack August 11, 2011 How do

597 views • 22 slides
Identifying the Challenges March 15, 2018 Symposium on Making Safe, Clean, Affordable and

Identifying the Challenges March 15, 2018 Symposium on Making Safe, Clean, Affordable and

Identifying the Challenges March 15, 2018 Symposium on Making Safe, Clean, Affordable and Accessible Water a Reality Katie e Leo Porter, er, PE, ENV SP Staff Engineer, California Urban Water Agencies 1 California Urban Water Agencies (CUWA)

209 views • 10 slides
Owen S. Hofmann, Xuan Wang, Emmett Witchel, Donald E. Porter 1 Fine-grained locking -

Owen S. Hofmann, Xuan Wang, Emmett Witchel, Donald E. Porter 1 Fine-grained locking -

Sangman Kim , Michael Z. Lee, Alan M. Dunn, Owen S. Hofmann, Xuan Wang, Emmett Witchel, Donald E. Porter 1 Fine-grained locking - Bug-prone, hard to maintain Parallelism - OS provides poor support Coarse-grained locking - Reduced

536 views • 34 slides
Correlations in p-p Collisions Jeff Porter Firenze, IT July 7, 2006 Outline low-Q 2 partons in

Correlations in p-p Collisions Jeff Porter Firenze, IT July 7, 2006 Outline low-Q 2 partons in

Correlations in p-p Collisions Jeff Porter Firenze, IT July 7, 2006 Outline low-Q 2 partons in p-p collisions Parton fragments in single-particle spectra Two-particle fragment distributions on rapidity Jet angular autocorrelations

451 views • 18 slides
INDUSTRY ANALYSIS Dr.M. Thenmozhi Professor Department of Management Studies Indian Institute

INDUSTRY ANALYSIS Dr.M. Thenmozhi Professor Department of Management Studies Indian Institute

INDUSTRY ANALYSIS Dr.M. Thenmozhi Professor Department of Management Studies Indian Institute of Technology Madras Chennai 600 036 E-mail: mtm@iitm.ac.in INDUSTRY ANALYSIS AND COMPETITOR ANALYSIS Scanning of Environment is complete only

647 views • 19 slides
Hope McLean Akila Subramaniam Jared Roberts Blake Porter Mentor: Kim Hoover What has to happen

Hope McLean Akila Subramaniam Jared Roberts Blake Porter Mentor: Kim Hoover What has to happen

Hope McLean Akila Subramaniam Jared Roberts Blake Porter Mentor: Kim Hoover What has to happen when patient seen in ED or for a consult Note in IMPACT Sometimes a dictation Email to Tracy, Dalana, Gyn team Pt entered in Quant

159 views • 12 slides
Chaos, Fractals, and the Arts Ralph Abraham www.ralph-abraham.org Porter College 34B, UCSC

Chaos, Fractals, and the Arts Ralph Abraham www.ralph-abraham.org Porter College 34B, UCSC

Chaos, Fractals, and the Arts Ralph Abraham www.ralph-abraham.org Porter College 34B, UCSC Winter 2016 Winter 2015, Series #10 Dedicated to HH the 14th Dalai Lama for his 80th birthday July 5/6, 2015 Symmetric Chaos Tentative Syllabus by

416 views • 26 slides

More recommend