Device inspection to remote root

•

0 likes•8,774 views

Tim Noise - Ruxmon 31/07/15 calyptech fixed wirelress terminal exploit source code: https://github.com/dnoiz1/ifwt-remote-root/blob/master/pwrtropic.py

Internet

Device
inspection
To remoteroot
Uncovering the sekritz of proprietary software on a fixed
wireless terminal and weap0nizing them into a remote exploit
Where What Who
Ruxmon Melbourne
Device Inspection to remote
root
Tim Noise

FixedWirelessTerminals
• Linux Based
• System on Chip
• Provide PoTS and ADSL
• 3G/LTE Backhaul
• Battery and Solar
• Remote Managed
• Deployed in Clusters
For people without copper or fiber

ExternalConnectors
• Ether over USB
(DHCP)
• Aerial socket
• SIM Card slot
• 2 RJ11 ports for
ADSL CPE and PoTS
Things we can probe

ExternalConnectors
• SIM Card slot
• 2 Management 
Ethernet Ports (NO DHCP)
• 2 RJ11 power management ports
Things we can probe

WhatsInside?Rub the torx and the genie comes out
CPU
NAND0
NAND1
UART
Removable
CF Card for /

WhatsInside?Rub the torx and the genie comes out
Mini PCMCIA
3G Modem

BootProcessRedboot the buspirate, yarr
GND
RX
TX
VCC / NC

GainingROOTalways want that uid 0 - the usual tricks
• Removable root Media
• hashcat / jtr
• kernel paramaters
• init=/bin/sh
• single user mode
• Lucky for us, the root password is
printed on the PCB (not even joking)

LoggingINConnecting using the management USB interface

PortsANDProcessessWhats running on this thing?

BacktotheSourceWhere is this process stored and launched from

DECOMPYLEUsing multiline strings as comments is great!

Vulnerability1:UNPICKLESerializing objects its so convenient for passing them over a udp socket

PuttingitallTogethermaking use of our discovered vulnerabilities

OneStepFURTHER
• Connect back payloads
• Dial 1900 numbers for profit
• UDP broadcast the attack
• Intercept data and telephony
• Insta-botnet / onion network
• Other bad things
For internet bad men

What's hot

Hacking routers as Web HackerHeadLightSecurity

GadgetsAlexander Rivera

Solnik secure enclaveprocessor-pacsecPacSecJP

A Science Project: Swift Serial Chatyeokm1

Making and breaking security in embedded devicesYashin Mehaboobe

Hardware Hacking PrimerYashin Mehaboobe

Kasza smashing the_jarsPacSecJP

Уязвимости программного обеспечения телекоммуникационного оборудования YotaHeadLightSecurity

IoT mit Rust programmierenLars Gregori

BSD Sockets API in Zephyr RTOS - SFO17-108Linaro

Arpwall - protect from ARP spoofingAmmar WK

Operating System fo IoTPradeep Kumar TS

MOVED: RDK/WPE Port on DB410C - SFO17-206Linaro

Secrets of a linux ninja Software Freedom Day 2013 Johannesburg, South AfricaJumping Bean

Is Rust Programming ready for embedded development?Knoldus Inc.

PLNOG 21: Ron Broersma - Historical_Perspectives_on_Computing, Networking, Se...PROIDEA

Fedora 12 IntroductionRatnadeep Debnath

Kali linux summarisedSanchit Srivastava

Wiznet Ethernet library for ARM mbedJinbuhm Kim

FOSDEM2015: Porting Tizen:Common to open source hardware devicesPhil www.rzr.online.fr

What's hot (20)

Hacking routers as Web Hacker

Gadgets

Solnik secure enclaveprocessor-pacsec

A Science Project: Swift Serial Chat

Making and breaking security in embedded devices

Hardware Hacking Primer

Kasza smashing the_jars

Уязвимости программного обеспечения телекоммуникационного оборудования Yota

IoT mit Rust programmieren

BSD Sockets API in Zephyr RTOS - SFO17-108

Arpwall - protect from ARP spoofing

Operating System fo IoT

MOVED: RDK/WPE Port on DB410C - SFO17-206

Secrets of a linux ninja Software Freedom Day 2013 Johannesburg, South Africa

Is Rust Programming ready for embedded development?

PLNOG 21: Ron Broersma - Historical_Perspectives_on_Computing, Networking, Se...

Fedora 12 Introduction

Kali linux summarised

Wiznet Ethernet library for ARM mbed

FOSDEM2015: Porting Tizen:Common to open source hardware devices

Viewers also liked

Catalogo InspiraflorInspiraflor

медиаобразованиеOlga Shaporina

Отчет. приложение 2.Софья Митрошина

Benefits and struggles of Lean Game DevelopmentBitCake Studio

La informacionyaneth Rodríguez Hinojosa

UX, ethnography and possibilities: for Libraries, Museums and ArchivesNed Potter

Designing Teams for Emerging ChallengesAaron Irizarry

Visual Design with DataSeth Familian

3 Things Every Sales Team Needs to Be Thinking About in 2017Drift

How to Become a Thought Leader in Your NicheLeslie Samuel

SOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITYDialogueScience

EspcinvestmentgradeauditDarpan Chaudhary

Makanan Tradisionalnurulrosidah

Mapping the NHS - Liverpool, for NHS Citizen NW, 29th of MayNHSCitizen

PortfolioCinzia Spada

ArticoloSilvia Neri

Bubble Narratives - Preston Teeter - Confirmation SpeechPreston B Teeter

Viewers also liked (17)

Catalogo Inspiraflor

медиаобразование

Отчет. приложение 2.

Benefits and struggles of Lean Game Development

La informacion

UX, ethnography and possibilities: for Libraries, Museums and Archives

Designing Teams for Emerging Challenges

Visual Design with Data

3 Things Every Sales Team Needs to Be Thinking About in 2017

How to Become a Thought Leader in Your Niche

SOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITY

Espcinvestmentgradeaudit

Makanan Tradisional

Mapping the NHS - Liverpool, for NHS Citizen NW, 29th of May

Portfolio

Articolo

Bubble Narratives - Preston Teeter - Confirmation Speech

Similar to Device inspection to remote root

Docking stations andy_davis_ncc_group_slidesNCC Group

D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan

OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar Santhosh Kumar

When DevOps and Networking Intersect by Brent Salisbury of socketplane.ioDevOps4Networks

Republic of IoT 2018 - ESPectro32 and NB-IoT WorkshopAlwin Arrasyid

2017 - LISA - LinkedIn's Distributed Firewall (DFW)Mike Svoboda

Bh fed-03-kaminskyDan Kaminsky

IOT Exploitation Cysinfo Cyber Security Community

Introduction to SDNMuhammad Moinur Rahman

28c3 in 15antitree

DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs

DefCon 2012 - Gaining Access to User Android DataMichael Smith

Security Onionjohndegruyter

Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Sergey Gordeychik

Steelcon 2015 - 0wning the internet of trashinfodox

Keeping your rack cool Pavel Odintsov

Keeping your rack cool with one "/IP route rule"Faelix Ltd

Insecure Obsolete and Trivial - The Real IOTPrice McDonald

What is SDN and how to approach it with PythonJustin Park

2018 all lens bag of tricks v1.2Len Noe

Similar to Device inspection to remote root (20)

Docking stations andy_davis_ncc_group_slides

D1 t1 t. yunusov k. nesterov - bootkit via sms

OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar

When DevOps and Networking Intersect by Brent Salisbury of socketplane.io

Republic of IoT 2018 - ESPectro32 and NB-IoT Workshop

2017 - LISA - LinkedIn's Distributed Firewall (DFW)

Bh fed-03-kaminsky

IOT Exploitation

Introduction to SDN

28c3 in 15

DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...

DefCon 2012 - Gaining Access to User Android Data

Security Onion

Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...

Steelcon 2015 - 0wning the internet of trash

Keeping your rack cool

Keeping your rack cool with one "/IP route rule"

Insecure Obsolete and Trivial - The Real IOT

What is SDN and how to approach it with Python

2018 all lens bag of tricks v1.2

Recently uploaded

Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh

Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh

Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh

Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther

On Starlink, presented by Geoff Huston at NZNOG 2024APNIC

AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12

Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1

Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131

Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4

FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066

Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5

VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights

How is AI changing journalism? (v. April 2024)Damian Radcliffe

Radiant Call girls in Dubai O56338O268 Dubai Call girlsstephieert

VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0

AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁

VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneCall girls in Ahmedabad High profile

Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceCall Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC

Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe

Recently uploaded (20)

Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝

Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝

Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝

Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)

On Starlink, presented by Geoff Huston at NZNOG 2024

AWS Community DAY Albertini-Ellan Cloud Security (1).pptx

Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service

Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$

Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service

FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607

Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...

VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room

How is AI changing journalism? (v. April 2024)

Radiant Call girls in Dubai O56338O268 Dubai Call girls

VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room

AlbaniaDreamin24 - How to easily use an API with Flows

VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune

Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024

Moving Beyond Twitter/X and Facebook - Social Media for local news providers

Device inspection to remote root

1. Device inspection To remoteroot Uncovering the sekritz of proprietary software on a fixed wireless terminal and weap0nizing them into a remote exploit Where What Who Ruxmon Melbourne Device Inspection to remote root Tim Noise

2. tIMNOISE • twitter/dnoiz1 • github/dnoiz1 • mIRC/dnz • streetz/notorious D N Z • tim@drkns.net Internet subscriber and pirate impersonator

3. FixedWirelessTerminals • Linux Based • System on Chip • Provide PoTS and ADSL • 3G/LTE Backhaul • Battery and Solar • Remote Managed • Deployed in Clusters For people without copper or fiber

4. ExternalConnectors • Ether over USB (DHCP) • Aerial socket • SIM Card slot • 2 RJ11 ports for ADSL CPE and PoTS Things we can probe

5. ExternalConnectors • SIM Card slot • 2 Management  Ethernet Ports (NO DHCP) • 2 RJ11 power management ports Things we can probe

6. WhatsInside?Rub the torx and the genie comes out CPU NAND0 NAND1 UART Removable CF Card for /

7. WhatsInside?Rub the torx and the genie comes out Mini PCMCIA 3G Modem

8. BootProcessRedboot the buspirate, yarr GND RX TX VCC / NC

9. GainingROOTalways want that uid 0 - the usual tricks • Removable root Media • hashcat / jtr • kernel paramaters • init=/bin/sh • single user mode • Lucky for us, the root password is printed on the PCB (not even joking)

10. MANAGEMENTInTERFACEthe dububdub

11. MANAGEMENTInTERFACEthe dububdub

12. LoggingINConnecting using the management USB interface

13. PortsANDProcessessWhats running on this thing?

14. PortsANDProcessessWhats running on this thing?

15. PortsANDProcessessWhats running on this thing?

16. BacktotheSourceWhere is this process stored and launched from

17. DECOMPYLEUsing multiline strings as comments is great!

18. Vulnerability1:UNPICKLESerializing objects its so convenient for passing them over a udp socket

19. Vulnerability1:UNPICKLESerializing objects its so convenient for passing them over a udp socket

20. PuttingitallTogethermaking use of our discovered vulnerabilities

21. PuttingitallTogethermaking use of our discovered vulnerabilities

22. PuttingitallTogethermaking use of our discovered vulnerabilities

23. PuttingitallTogethermaking use of our discovered vulnerabilities

24. DEMO

25.

26. OneStepFURTHER • Connect back payloads • Dial 1900 numbers for profit • UDP broadcast the attack • Intercept data and telephony • Insta-botnet / onion network • Other bad things For internet bad men

27. QUESTIONS?

28. tIMNOISE • twitter/dnoiz1 • github/dnoiz1 • mIRC/dnz • streetz/notorious D N Z • tim@drkns.net Internet subscriber and pirate impersonator

Device inspection to remote root

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (17)

Similar to Device inspection to remote root

Similar to Device inspection to remote root (20)

Recently uploaded

Recently uploaded (20)

Device inspection to remote root