With nearly every embedded device and enterprise management solution serving up a web console for management, we are faced with the question: does that web service properly filter incoming data? Unfortunately, the answer to that question is no. My research has shown that simple name data is often overlooked. This includes SSIDs, SNMP sysDescr and hostnames, just to name a few, which are consumed by applications and embedded devices without proper filtering. Over the last 4 years I have researched this issue and discovered that nearly 50% of products tested were vulnerable to injection attacks via this vector. During this presentation I will discuss these various injection vectors and the attacks that I have successfully developed against targeted systems using these exploits.
2. Introduction
Deral Heiland
Rapid7 Research Lead “IoT”
• 25+ years of experience in Information Technology, 15 of those in Security, and the last 8+ years as a security researcher, penetration tester and consultant for corporations and government agencies
deral_heiland@rapid7.com
@Percent_X
3. Agenda
• Why
• Web technology
• Web security and the lack thereof
• Injection attack using commonly overlooked methods
• A few examples
• Conclusion
• Questions
4. Why
• Search for simple and obvious attack vectors
• Machine to machine exchange of data
• The simple is so often overlooked
7. Web security and the lack thereof!
• XSS allows malicious actors to inject client-side scripts into web pages viewed by other users.
• Reflective
• Persistent
• CSRF causes a user's web browser to perform an unwanted action.
• Alter configurations
• Complete a transaction (e.g. banking)
8. Web security and the lack thereof!
• Format String: a format string is an ANSI C specifier that is supplied to a function to tell the program what the format of the output should be.
• Format String Vulnerability: incorrectly written code that does not define the format string specifiers, allowing format strings to be passed within an application's variable, which leads to the application evaluating the input as code.
9. Web security and the lack thereof!
• Filtering input
• Escaping dangerous characters
• Use CSRF tokens
• Conduct regular code reviews
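The "Use CSRF tokens" bullet is the one mitigation on this slide that needs more than a one-line filter, so here is an added example (not code from the deck or from any product it names) showing a session-bound CSRF token and the handler check that enforces it on a state-changing management action. The `SERVER_SECRET`, the session identifier and the `handle_config_change` handler are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed per-process secret; a real deployment keeps this in configuration, not code.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce); binding to the session means a
    token stolen from one session cannot be replayed in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC and compare in constant time; any malformed token fails closed."""
    if not token or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # compare bytes so a token containing non-ASCII cannot trip a TypeError
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_config_change(method: str, session_id: str, form: dict) -> str:
    """Hypothetical handler for a configuration change in a management web UI."""
    if method != "POST":
        return "405 method not allowed"      # state changes never ride on GET
    if not verify_csrf_token(form.get("csrf_token", ""), session_id):
        return "403 csrf check failed"
    return f"200 applied {form.get('setting')}"


if __name__ == "__main__":
    sid = "session-abc"  # constructed session identifier
    tok = issue_csrf_token(sid)
    print(handle_config_change("POST", sid, {"csrf_token": tok, "setting": "snmp=off"}))
    print(handle_config_change("POST", sid, {"setting": "snmp=off"}))
```

The token is issued into the form when the page is rendered and checked on submission; a request forged from another origin cannot include it because the attacker never sees the victim's page.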
10. Web security and the lack thereof!
• Directly targeting the web app
• Internet-exposed apps are still often discovered with issues
• A good AppSec program can help mitigate
• Application firewalls can help mitigate Internet exposure
• Off-the-shelf products and embedded devices still have issues
12. Exploit Delivery
• Machine to Machine
• Very often overlooked
• Great for targeting enterprise
• Enterprise management solutions
• Embedded devices
14. SSID
• Service Set Identifier (SSID)
• Purpose of the SSID is to assign human-readable names to an 802.11 wireless network
• The SSID is broadcast in a management frame or Beacon Frame
15. SSID information element
• Element ID: This is set to ‘0’ to signal that an SSID is being broadcast
• Length: Indicates the length of the information field
• SSID: The human readable station name
16. SSID
• No defined restrictions as to what characters can be used within an SSID (IEEE Std 802.11™-2012)
• Limited to 32 characters
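Slides 15 and 16 together are the whole problem: a three-field element with a bounded length and no character restrictions, consumed by code that later writes the name into a web page. The following is an added example (not code from the deck) that parses the SSID information element with the checks a consumer should make, then shows the unfiltered rendering the deck describes beside an escaped one. The beacon element and the table-row renderers are constructed for illustration.

```python
import html

SSID_ELEMENT_ID = 0   # Element ID 0 marks an SSID information element
SSID_MAX_LEN = 32     # the SSID field is at most 32 octets


def parse_ssid_ie(ie_bytes: bytes) -> bytes:
    """Parse one SSID information element: Element ID, Length, SSID octets.

    Returns the raw SSID bytes. Raises ValueError on a malformed element so a
    consumer never reads past the buffer or accepts an oversized SSID.
    """
    if len(ie_bytes) < 2:
        raise ValueError("element too short to hold Element ID and Length")
    element_id, length = ie_bytes[0], ie_bytes[1]
    if element_id != SSID_ELEMENT_ID:
        raise ValueError(f"not an SSID element (Element ID {element_id})")
    if length > SSID_MAX_LEN:
        raise ValueError(f"SSID length {length} exceeds {SSID_MAX_LEN} octets")
    if len(ie_bytes) < 2 + length:
        raise ValueError("Length field runs past the end of the element")
    return ie_bytes[2:2 + length]


def is_well_formed(ie_bytes: bytes) -> bool:
    """True when parse_ssid_ie() accepts the element, False otherwise."""
    try:
        parse_ssid_ie(ie_bytes)
        return True
    except ValueError:
        return False


def ssid_to_text(raw: bytes) -> str:
    # The standard restricts neither the characters nor the encoding, so
    # decode defensively instead of assuming printable UTF-8.
    return raw.decode("utf-8", errors="replace")


def render_survey_row_unsafe(ssid: str) -> str:
    # The pattern the deck describes: the SSID is copied into the page as-is.
    return f"<tr><td>{ssid}</td></tr>"


def render_survey_row(ssid: str) -> str:
    # Hardened form: escape for the HTML text context before it reaches a browser.
    return f"<tr><td>{html.escape(ssid, quote=True)}</td></tr>"


# Constructed sample beacon element (not captured traffic): an SSID that is
# itself a script tag, which is legal on the air but hostile in a web UI.
SAMPLE_NAME = b"<script>x()</script>"
SAMPLE_IE = bytes([SSID_ELEMENT_ID, len(SAMPLE_NAME)]) + SAMPLE_NAME

if __name__ == "__main__":
    name = ssid_to_text(parse_ssid_ie(SAMPLE_IE))
    print("unsafe:", render_survey_row_unsafe(name))
    print("safe:  ", render_survey_row(name))
```

The length checks protect the parser; the escaping protects the browser. Neither replaces the other, since a 20-byte SSID is perfectly well formed and still carries the script tag.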
17. SSID
• Not the first time this attack vector was reported
• Rafael Dominguez Vega of MWR InfoSecurity
• White paper: Behind Enemy Lines July 2008
• BT Home Hub
• DD-WRT
• My research expanded on this and targeted more enterprise-level solutions
18. SSID
• This research was initially disclosed at Black Hat Europe 2013
• Multiple vulnerable products
• WiFi Pineapple
• Cisco Small Business WAP200 and WET200
• SonicWall network security appliance
• Aruba Wireless LAN Controllers
• Since then
• Unnamed WiFi LAN controller
• Enterprise IoT automation solution (not released yet)
20. SSID
• Format String Injection
• Cisco/Linksys WAP200 & WET200
• Site Survey function: listens for all APs within range and reports back their SSIDs
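Slide 8 defined the format string vulnerability and this slide gives its concrete form: a site survey that reports SSIDs to code which treats them as a format string. As an added example (not the deck's code and not any vendor's), here is triage logic a monitoring tool could run over the SSIDs a survey returns, flagging names that contain C conversion specifications, beside the consumer pattern that is safe in Python's `logging` module, where the name is passed as an argument rather than as the format. The regular expression is an approximation of the C specification grammar and the SSID list is constructed.

```python
import logging
import re

# Approximation of a C conversion specification:
# % [flags] [width] [.precision] [length modifier] conversion
FORMAT_DIRECTIVE = re.compile(
    r"%(?:%|[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfFgGaAcspn])"
)


def find_format_directives(value: str) -> list:
    """Return the printf-style directives found in a string, ignoring the literal '%%'."""
    return [m.group(0) for m in FORMAT_DIRECTIVE.finditer(value) if m.group(0) != "%%"]


def classify_name(value: str) -> str:
    """Triage a machine-supplied name for a consumer that might use it as a format string."""
    directives = find_format_directives(value)
    if any(d.endswith("n") for d in directives):
        return "format-string-write"   # %n writes to memory: highest severity
    if directives:
        return "format-string-read"    # %x, %s, %p and friends read stack or memory
    return "clean"


def survey_report(ssids) -> dict:
    """Classify every SSID seen in a site survey."""
    return {ssid: classify_name(ssid) for ssid in ssids}


def log_ap_safely(logger: logging.Logger, ssid: str) -> None:
    # Hardened consumer: the name is an argument, never the format string itself.
    logger.info("AP seen: %s", ssid)


# Constructed SSIDs, not observed data
SAMPLE_SSIDS = ["CorpWiFi", "Guest %x%x%x", "lab%n", "100%% done"]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    survey_logger = logging.getLogger("survey")
    for ssid, verdict in survey_report(SAMPLE_SSIDS).items():
        print(f"{ssid!r}: {verdict}")
        log_ap_safely(survey_logger, ssid)
```

The classifier is a detection aid, not a filter: a device that passes names straight into `printf`-style calls has to be fixed at the call site, which is what the safe logging pattern shows.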
24. SNMP
ISO (1)
  └ ORG (3)
      └ DOD (6)
          └ INTERNET (1)
              ├ Directory (1)
              ├ Management (2)
              ├ Experimental (3)
              └ Private (4)
25. SNMP
• Management Information Base (MIB) is a file that contains definitions of management information so that networked systems can be remotely monitored, configured, and controlled.
• Object Identifiers (OIDs) point to individual network objects that are maintained within a database called a Management Information Base
26. SNMP
• The OIDs that are the most critical include:
• 1.3.6.1.2.1.1.1.0 sysDescr
• 1.3.6.1.2.1.1.4.0 sysContact
• 1.3.6.1.2.1.1.5.0 sysName
• 1.3.6.1.2.1.1.6.0 sysLocation
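Slides 24 to 26 describe the OID tree and the four system-group objects whose values a network management system will later display. As an added example (not the deck's code), here is a BER encoder and decoder for OID content octets, which is how these identifiers actually travel inside an SNMP message: the first two arcs are merged as 40*X+Y and every arc is written base-128 with a continuation bit. The `SYSTEM_GROUP` table maps the four OIDs from the slide to their MIB-II names; everything else is constructed for illustration.

```python
def encode_oid(oid: str) -> bytes:
    """BER-encode a dotted OID: first two arcs merge as 40*X+Y, then base-128 arcs."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    if len(arcs) < 2 or not (0 <= arcs[0] <= 2) or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {oid!r}")
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        if arc < 0:
            raise ValueError("negative arc")
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))   # continuation bit on all but the last byte
            arc >>= 7
        out += chunk
    return bytes(out)


def decode_oid(data: bytes) -> str:
    """Decode BER OID content octets back to dotted form; rejects truncated input."""
    if not data:
        raise ValueError("empty OID")
    arcs, value, pending = [], 0, False
    for b in data:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID: last byte has its continuation bit set")
    first = arcs[0]
    if first < 80:
        x, y = divmod(first, 40)
    else:
        x, y = 2, first - 80        # joint-iso-itu-t arcs are not limited to 39
    return ".".join(str(a) for a in [x, y] + arcs[1:])


# The system-group objects the deck lists as most critical (MIB-II names)
SYSTEM_GROUP = {
    "1.3.6.1.2.1.1.1.0": "sysDescr",
    "1.3.6.1.2.1.1.4.0": "sysContact",
    "1.3.6.1.2.1.1.5.0": "sysName",
    "1.3.6.1.2.1.1.6.0": "sysLocation",
}


def name_for(oid_bytes: bytes) -> str:
    """Map an encoded OID to its system-group name, or to dotted form if unknown."""
    dotted = decode_oid(oid_bytes)
    return SYSTEM_GROUP.get(dotted, dotted)


if __name__ == "__main__":
    for dotted in SYSTEM_GROUP:
        encoded = encode_oid(dotted)
        print(dotted, encoded.hex(), name_for(encoded))
```

The values bound to these OIDs are free-form OCTET STRINGs, which is why the next slides matter: an NMS that decodes sysDescr correctly can still render it into a page without escaping.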
27. SNMP
• Injection attacks via SNMP data
• Research project started in Fall 2015
• Deral Heiland and Matthew Kienow
• Mainly targeting Network Management Systems
• Currently 6 published product advisories
• 5 more to be released prior to the DEF CON conference
30. Hostname
• What application and appliances consume hostname?
• What is the impact?
• Do they properly filter and escape data from hostname?
31. Hostname
• CVE-2015-3626: (XSS) vulnerability in the DHCP Monitor page in the Web User Interface (WebUI) in Fortinet FortiOS before 5.2.4 on FortiGate devices allows remote attackers to inject arbitrary web script or HTML via a crafted hostname
• CVE-2014-4645
• CVE-2014-4727
• CVE-2013-3572
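Slide 30 asks whether consumers of hostnames filter and escape them, and the CVE above is a DHCP monitor page that did not. As an added example (not the deck's code and not FortiOS code), here is what both answers look like in a DHCP lease table: an RFC 1123 allowlist check that flags lease records whose hostname is not a legal hostname at all, and a renderer that escapes every cell regardless. The lease records use documentation address ranges and are constructed.

```python
import html
import re

# RFC 1123 label: letters, digits and hyphen, no leading or trailing hyphen, 1-63 octets
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """Allowlist check: every label legal, whole name at most 253 octets."""
    if not name or len(name) > 253:
        return False
    return all(LABEL.match(label) for label in name.rstrip(".").split("."))


def render_lease_row(ip: str, mac: str, hostname: str) -> str:
    """Escape every cell for the HTML text context; validation is not a substitute."""
    cells = (ip, mac, hostname)
    return "<tr>" + "".join(f"<td>{html.escape(c, quote=True)}</td>" for c in cells) + "</tr>"


def lease_anomalies(leases) -> list:
    """Detection: (ip, hostname) pairs whose hostname fails the allowlist, for review."""
    return [(ip, hostname) for ip, _mac, hostname in leases if not is_valid_hostname(hostname)]


# Constructed DHCP lease records (documentation ranges, not real hosts)
SAMPLE_LEASES = [
    ("192.0.2.10", "00:00:5e:00:53:01", "printer-3"),
    ("192.0.2.11", "00:00:5e:00:53:02", "<script>x()</script>"),
    ("192.0.2.12", "00:00:5e:00:53:03", "-leading-hyphen"),
]

if __name__ == "__main__":
    for ip, hostname in lease_anomalies(SAMPLE_LEASES):
        print(f"anomalous hostname from {ip}: {hostname!r}")
    for lease in SAMPLE_LEASES:
        print(render_lease_row(*lease))
```

A client controls the hostname option it sends, so the allowlist is a detection signal for the operator while the escaping is what actually keeps the monitor page safe.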
32. Hostname
• I am still collecting data on this
• Made a request several months back online
• https://community.rapid7.com/community/infosec/blog/2016/03/09/it-s-all-in-the-name
• Check out the blog and participate
security@rapid7.com (PGP KeyID: 0x8AD4DB8D)