Through the Looking-Glass, and what Eve found there - PowerPoint PPT Presentation


  1. Through the Looking-Glass, and what Eve found there
     http://www.s3.eurecom.fr/lg/
     Luca 'kaeso' Bruno <lucab@debian.org>, Mariano 'emdel' Graziano <graziano@eurecom.fr>

  2. About us
     • S3 group at Eurecom (FR) - System security
       – Embedded systems
       – Networking devices
       – Critical infrastructures
       – Memory forensics
       – Malware research
     10/08/2014

  3. Outline
     • Motivations
     • Intro to looking glasses
     • Threats
     • Vulns & incidents
     • Countermeasures

  4-8. Motivations – how this started
     • Picture yourself as a newbie cyber-criminal looking for the next target
       (the slide builds up over five steps, refining each item in turn)
       – Aim: critical infrastructure → The Internet
       – Impact: worldwide → Traffic routing across ASes
       – Skill level: low → Basic web skills, google dorks, etc...
       – Goal: wreak havoc → Gaining access to BGP routers

  9. Motivations – how this started
     • Picture yourself as a newbie cyber-criminal looking for the next target
     A good candidate: LOOKING-GLASS

  10. Outline
     • Motivations
     • Intro to looking glasses
     • Threats
     • Vulns & incidents
     • Countermeasures

  11. The Internet
     • A network of networks, glued together by BGP
     http://www.caida.org/research/topology/as_core_network/2014/

  12. One routing table, many routing tables
     • BGP is worldwide, but each AS routing table is a (partial) local view
     • What you see depends on where you are
     http://blog.thousandeyes.com/4-real-bgp-troubleshooting-scenarios/

  13. Connectivity troubleshooting
     • NOC tools for troubleshooting:
       – Distributed BGP probes, e.g. RIPE Labs
       – Private shell exchange, e.g. NLNOG
       – Limited web access to routers, i.e. via looking-glasses

  14. What's in a looking glass
     • A simple '90s-style web script:
       – Usually PHP or Perl
       – Single file, can be dropped into the webroot
       – Direct connection to the SSH/telnet router console
       – Cleartext config file (i.e. credentials)

  15. How does it work
     [Diagram: three ASes (AS64496, AS64497, AS64498), each with its own NOC. The looking-glass sits on the public web side and has a public IP (data+BGP); the router admin console (telnet/SSH) sits on the private net, and the NOC reaches it from there.]

  16. What does it look like
     [Screenshot of a looking-glass web page]

  17. Where to get it
     • Focus on the most common open-source ones:
       – Cougar LG (Perl)
       – Cistron LG (Perl)
       – MRLG (Perl)
       – MRLG4PHP (PHP)

  18. Outline
     • Motivations
     • Intro to looking glasses
     • Threats
     • Vulns & incidents
     • Countermeasures

  19. Targeting humans
     • Assume bug-proof software
     • Humans can still mis-deploy it, and forget to:
       – Enable CGI/mod_php/mod_perl
       – Protect config files
       – Protect private SSH keys
     → Exposed router credentials

  20. Targeting the web app
     • Assume some minor bugs may exist in the web frontend
     • Pwn the LG web interface:
       – Improper escaping
       – XSS/CSRF/etc.
     → Cookie stealing for other web services

  21. Targeting the server
     • Assume some medium-severity bugs may exist in the whole package
     • Pwn the host through the LG:
       – Embedded third-party tools
       – Forked/modified modules
     → Escalate to the hosting server

  22. Targeting the router
     • Assume important bugs may exist in the backend
     • Pwn the router through the LG:
       – Missing input escaping
       – Command injection to the router
       – Known bugs in the router CLI
     → Escalate to router administration

  23. Targeting the Internet
     • Assume you control multiple routers in multiple ASes
     • Pwn the Internet:
       – Reroute/blackhole local traffic
       – Announce bogus BGP prefixes
     → Chaos ensues :)

  24. Outline
     • Motivations
     • Intro to looking glasses
     • Threat model
     • Vulns & incidents
     • Countermeasures

  25. Web issues
     • Exposed credentials:
       – Stored in cleartext: IPs, usernames and passwords
       – Configuration files at known URLs
     • Cookie stealing:
       – XSS vulnerabilities in the LG, used to target other web apps

  26. Web misconfigurations
     • Google dorks for login credentials:
       – Find LG configuration files
       – Examples:
         ● "login" "telnet" inurl:lg.conf
         ● "login" "pass" inurl:lg.cfg

  27. Google Dorks – Exposing conf files
     [Screenshot of search results]

  28. Google Dorks – Exposing conf files
     [Screenshot of search results]

  29. Default config paths
     ● Example from the Cougar LG root directory:
       as.txt  CHANGELOG  communities.txt  COPYING  favicon.ico  lg.cgi  lg.conf  makeaslist.pl  makedb.pl  README
     ● So just crawl for it: $BASE_LG_URL/lg.conf

  30. Best practices :)
     The README sometimes mentions them...
     ...still, we found about 35 exposed cases!

  31. Exposed source code
     [Screenshot]

  32. Exposed private SSH keys
     • Default path for SSH keys (CVE-2014-3929) in Cougar LG
     • Where are SSH private keys stored?
       → /var/www/.ssh/private_key (lg.conf:18)

  33. Exposed private SSH keys
     [Screenshot]

  34. First steps into the web
     • No CAPTCHA anywhere!
     • This eases the attacker's work:
       – Automated resource mapping (ping-back and conf dumping)
       – Automated command injection
       – Automated attacks from multiple ASes (if bugs are found)

  35. XSS
     • XSS in <title> via the "addr" parameter (CVE-2014-3926)
     • LGs themselves may not be worthwhile web targets...
       – But other NOC services are often under the same-origin domain!

  36. XSS – for the lulz!
     [Screenshot]

  37. Router command injection
     • What if you can run whatever CLI command you want?
       – CVE-2014-3927 in MRLG4PHP
     • 'argument' parameter issue
       – HTML escape != sanitization
     • Let's look at the code (mrlg-lib.php:120)

  38. Router command injection
     [Code screenshot]

  39. Router command injection - PoC
     • From HTTP to router CLI, just by adding newlines :)
       curl --data \
         'routerid=10&requestid=50&argument=8.8.8.8%0Adate%0Aexit%0A'
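The point of slide 37 ("HTML escape != sanitization") is easy to see in code. The block below is an added example, not code from the slides or from MRLG4PHP: it contrasts escaping the `argument` value (which leaves the `%0A` newlines intact, so the router session still receives several CLI lines) with allow-list validation that only admits an IP address, a CIDR prefix or an AS number. The accepted value set, the 64-byte length cap and the three-entry command menu are assumptions made for the illustration.

```python
import html
import ipaddress
import re

# Constructed sample values for the 'argument' parameter, modelled on the
# MRLG4PHP parameter discussed on the slide (not real traffic).
CONSTRUCTED_ARGUMENTS = {
    "ipv4": "8.8.8.8",
    "ipv6_prefix": "2001:db8::/32",
    "asn": "as64496",
    "lf_injection": "8.8.8.8\ndate\nexit\n",
    "crlf_injection": "8.8.8.8\r\nshow running-config\r\n",
    "markup": "<b>8.8.8.8</b>",
}

MAX_ARGUMENT_LEN = 64  # assumption: nothing a LG query needs is longer


def escape_only(argument: str) -> str:
    """The inadequate approach: HTML escaping protects the page that echoes
    the value back, but leaves CR/LF untouched, so the router session still
    receives several CLI lines."""
    return html.escape(argument)


def validate_argument(argument: str) -> str:
    """Allow-list validation: return a canonical IP address, CIDR prefix or
    AS number, or raise ValueError. Control characters are refused outright
    because a newline is exactly what turns one CLI line into several."""
    if len(argument) > MAX_ARGUMENT_LEN:
        raise ValueError("argument too long")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in argument):
        raise ValueError("control characters not allowed")
    if re.fullmatch(r"(?:AS)?\d{1,10}", argument, flags=re.IGNORECASE):
        return "AS" + re.sub(r"(?i)^AS", "", argument)
    try:
        return str(ipaddress.ip_address(argument))
    except ValueError:
        pass
    try:
        # strict=True: host bits must be zero, so '2001:db8::1/32' is refused
        return str(ipaddress.ip_network(argument, strict=True))
    except ValueError:
        raise ValueError("argument is not an IP address, prefix or AS number") from None


def build_router_command(command: str, argument: str) -> str:
    """Compose the single CLI line written to the router. The command comes
    from a fixed menu and the argument from validate_argument(), so the
    result can never contain a line break."""
    allowed_commands = {"ping", "traceroute", "show ip bgp"}  # assumed menu
    if command not in allowed_commands:
        raise ValueError("unknown command")
    return f"{command} {validate_argument(argument)}"


def classify(argument: str) -> str:
    """Convenience wrapper: 'accepted' or 'rejected: <reason>'."""
    try:
        validate_argument(argument)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for label, value in CONSTRUCTED_ARGUMENTS.items():
        keeps_newline = "yes" if "\n" in escape_only(value) else "no"
        print(f"{label:15} escape keeps newline: {keeps_newline:3}  validate: {classify(value)}")
```

Note that the validator canonicalises rather than filters: the router receives the parsed-and-reprinted value, never the user's raw bytes, which is the property that makes the newline trick (and any future variant of it) structurally impossible.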

  40. Remote memory corruption
     • Sometimes the LG ships with embedded third-party binaries
       – CVE-2014-3931 in MRLG (fastping SUID binary)
     • The ICMP echo reply is used without proper validation (fastping.c:546):
       Riempie_Ritardi( *((long *)&(icp->icmp_data[8])) , triptime );
     • Let's have a look at the code

  41. Remote memory corruption
     [Code screenshot]

  42. Exploitation notes
     • 3rd-party, probably not commonly deployed
       – WONTFIX by upstream
     • Time-dependent...
       – But you get the host time in the ICMP echo request!
     • Every ICMP reply can overwrite one long word in memory...
       – And you have 100 probes on every try
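Slides 40 and 42 describe the defect: a long word read straight out of the echo reply's data selects which memory word receives the measured delay, so each reply can write anywhere. The block below is an added example, not fastping's code, showing what the missing validation looks like for a reply-driven table of round-trip times. The payload layout (8-byte send timestamp followed by the 8-byte probe index, matching the `icmp_data[8]` offset quoted on the slide), the identifier value, the millisecond units and the 10-second upper bound on a plausible round trip are assumptions; the 100-probe count is the figure from slide 42.

```python
import struct

# Parameters of one fastping-style run (constructed; the 100-probe count is
# the figure given on the slide, the identifier is an arbitrary sample).
NPROBES = 100
OUR_IDENT = 0x1234
MAX_RTT_MS = 10_000  # assumption: anything slower than 10 s is not a probe reply

ICMP_ECHO_REPLY = 0
ICMP_HDR = struct.Struct("!BBHHH")   # type, code, checksum, identifier, sequence
# Assumed payload layout, following the icmp_data[8] offset quoted from
# fastping.c on the slide: 8-byte send timestamp, then the 8-byte probe index.
PAYLOAD = struct.Struct("!qq")


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a packet whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_reply(ident: int, seq: int, sent_ts_ms: int, index: int) -> bytes:
    """Build a constructed echo reply as the network would deliver it; used
    here only to feed the validator with benign and malformed samples."""
    payload = PAYLOAD.pack(sent_ts_ms, index)
    header = ICMP_HDR.pack(ICMP_ECHO_REPLY, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return ICMP_HDR.pack(ICMP_ECHO_REPLY, 0, csum, ident, seq) + payload


class ProbeTable:
    """Fixed-size table of round-trip times, one slot per probe sent.
    Every field taken from the reply is checked before it selects a slot or
    contributes to a delay value, which is the step fastping skipped."""

    def __init__(self, nprobes: int = NPROBES, ident: int = OUR_IDENT):
        self.delays = [None] * nprobes
        self.ident = ident

    def record_reply(self, packet: bytes, now_ms: int):
        """Return (accepted, reason). Only an accepted reply writes to the table."""
        if len(packet) < ICMP_HDR.size + PAYLOAD.size:
            return False, "short packet"
        icmp_type, code, _csum, ident, seq = ICMP_HDR.unpack_from(packet)
        if icmp_type != ICMP_ECHO_REPLY or code != 0:
            return False, "not an echo reply"
        if icmp_checksum(packet) != 0:
            return False, "bad checksum"
        if ident != self.ident:
            return False, "foreign identifier"
        sent_ts_ms, index = PAYLOAD.unpack_from(packet, ICMP_HDR.size)
        # The index comes from the wire: bound it before it touches memory.
        if not 0 <= index < len(self.delays):
            return False, "index out of range"
        if self.delays[index] is not None:
            return False, "duplicate reply"
        # The timestamp also comes from the wire: bound the derived delay too.
        rtt = now_ms - sent_ts_ms
        if not 0 <= rtt <= MAX_RTT_MS:
            return False, "implausible round-trip time"
        self.delays[index] = rtt
        return True, "ok"


if __name__ == "__main__":
    table = ProbeTable()
    now = 1007
    samples = [
        ("benign", build_reply(OUR_IDENT, 5, 1000, 5)),
        ("huge index", build_reply(OUR_IDENT, 6, 1000, 1 << 40)),
        ("negative index", build_reply(OUR_IDENT, 7, 1000, -1)),
        ("foreign id", build_reply(0x9999, 8, 1000, 8)),
        ("truncated", build_reply(OUR_IDENT, 9, 1000, 9)[:12]),
    ]
    for label, pkt in samples:
        print(f"{label:15} -> {table.record_reply(pkt, now)}")
```

The index check is the one that closes the write-anywhere primitive; the timestamp check matters because slide 42 notes the attacker also learns the host time from the echo request, so the delay value is attacker-influenced as well.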

  43. Talking about network design
     ● Router admin consoles are needlessly exposed over globally routable interfaces

  44. Outline
     • Motivations
     • Intro to looking glasses
     • Threat model
     • Vulns & incidents
     • Countermeasures

  45. Code-wise
     • Understand that exposing router consoles to the web with hardcoded credentials can be dangerous!
     • Review all critical web services written during the wild-west '90s

  46. Deployment-wise
     • Prefer a dedicated read-only route server as the LG endpoint
     • Check whether your private files are reachable over the web (LG config, SSH keys)
     • Double-check your web server config! (vhost vs. default docroot)
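The second point on slide 46 (check whether LG config and SSH keys are reachable over the web) is something an operator can script against the document root before anyone else does it from outside. The block below is an added example, not part of the slides or of any LG project: it walks a docroot, flags files whose name, directory or extension marks them as private, and prints the URL at which each would be fetchable. The file-name and extension lists, the `http://lg.example.net/` base URL and the sample tree (modelled on the Cougar LG directory listing from slide 29 plus a `.ssh` directory) are constructed for the illustration.

```python
import os
import stat
import tempfile

# Names the slides single out as things that must never sit under the web
# root of a looking-glass: cleartext configuration and SSH private keys
# (list constructed for this example).
PRIVATE_FILE_NAMES = {"lg.conf", "lg.cfg", "private_key",
                      "id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}
PRIVATE_DIR_NAMES = {".ssh"}
PRIVATE_SUFFIXES = (".conf", ".cfg", ".key", ".pem")


def audit_docroot(docroot: str, base_url: str = "http://lg.example.net/"):
    """Walk a document root and report files that would be fetchable by URL.

    Returns a sorted list of (relative_path, url, reason). The URL is what an
    outside client would request, which is also what to re-test from a host
    outside your network after moving the file out of the docroot."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        dir_parts = set() if rel_dir == "." else set(rel_dir.split(os.sep))
        for name in filenames:
            rel_path = os.path.normpath(os.path.join(rel_dir, name))
            url = base_url + rel_path.replace(os.sep, "/")
            if dir_parts & PRIVATE_DIR_NAMES:
                findings.append((rel_path, url, "inside a private directory"))
            elif name in PRIVATE_FILE_NAMES:
                findings.append((rel_path, url, "known private file name"))
            elif name.endswith(PRIVATE_SUFFIXES):
                findings.append((rel_path, url, "config/key material by extension"))
    return sorted(findings)


def build_sample_docroot() -> str:
    """Create a constructed docroot in a temp directory: the Cougar LG file
    listing from slide 29 (lg.conf included) plus a stray .ssh/private_key."""
    root = tempfile.mkdtemp(prefix="lg-audit-")
    public = ["as.txt", "CHANGELOG", "communities.txt", "COPYING", "favicon.ico",
              "lg.cgi", "makeaslist.pl", "makedb.pl", "README"]
    for name in public + ["lg.conf"]:
        with open(os.path.join(root, name), "w") as fh:
            fh.write("constructed sample content\n")
    os.makedirs(os.path.join(root, ".ssh"))
    key_path = os.path.join(root, ".ssh", "private_key")
    with open(key_path, "w") as fh:
        fh.write("-----BEGIN CONSTRUCTED SAMPLE KEY-----\n")
    # Tight POSIX permissions do not help here: the web server runs as the
    # same user that owns the file, so mode bits are not what blocks the URL.
    os.chmod(key_path, stat.S_IRUSR | stat.S_IWUSR)
    return root


if __name__ == "__main__":
    sample_root = build_sample_docroot()
    for rel_path, url, reason in audit_docroot(sample_root):
        print(f"{url:45} {reason}  ({rel_path})")
```

Run it against the real document root of each vhost, not only the one you think the LG is served from; the slide's "vhost vs. default docroot" warning is precisely that the default docroot may expose a directory you never intended to publish.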

  47. Administration-wise
     • Set up proper ACLs on your routers
     • Use strong, unique passwords
     • Put admin and out-of-band services in private VLANs and subnets!

  48. Recap
     • Best practices are often disregarded
     • Unaudited, old, forgotten code often sits in critical places
     • Attackers go for the weak links...
       – and escalate quickly!
     The Internet core is fragile

  49. Fin
     Thank you for listening!
     Thanks to all the members of the NOPS team, who helped in bug-finding

  50. Backup – router CLI escalation
     ● Cracking Cisco weak hashes
       – Type-0, Type-5, Type-4 (cisco-sr-20130318-type4)
     ● Exploiting CLI bugs
       – Cisco, AAA Command Authorization by-pass (cisco-sr-20060125-aaatcl)
       – Juniper, Unauthorized user can obtain root access using CLI (JSA10420)
       – Juniper, Multiple privilege escalation vulnerabilities in Junos CLI (JSA10608)

  51. Backup – reported incidents
     [Screenshot]
