Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить Большого Брата

65,063 views

Published on

Презентация эксперта Positive Technologies Тимура Юнусова

Published in: Internet

Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить Большого Брата

  1. 1. How to build Big Brother With blackjack and h--kers Yunusov Timur, Senior expert, Head of dept
  2. 2. How to build Big Brother With blackjack and h--kers With 3G modems and hackers Yunusov Timur, Senior expert, Head of dept
  3. 3. How to build Big Brother When/Who/Where/And why??? • 2014-2015
  4. 4. How to build Big Brother When/Who/Where/And why??? • 2014-2015 • «root via SMS» SCADA Strange Love https://youtu.be/T9AFFIVpCa8 • Russia and the whole world
  5. 5. How to build Big Brother When/Who/Where/And why??? • 2014-2015 • «root via SMS» SCADA Strange Love https://youtu.be/T9AFFIVpCa8 • Russia and the whole world • Cause nobody cares(((
  6. 6. How to build Big Brother Boring numbers
  7. 7. How to build Big Brother Boring numbers • >10 (8 diff) 3G/4G modems/routers • 75% vulns to RCE/fw modification • 60% RCE are 0days
  8. 8. How to build Big Brother Boring numbers • ~60 000 devices/1M/Telco • 5000 devices/1W/SecurityLab • 100% vulns to RCE/fw modification
  9. 9. How to build Big Brother How?
  10. 10. How to build Big Brother How? +
  11. 11. How to build Big Brother How? 1. Identification 2. Code injection 3. Data interception 4. SIM cloning / GSM Attacks 5. Host Infection 6. APT 7. Return to 1.
  12. 12. How to build Big Brother Identification
  13. 13. How to build Big Brother Identification • WHOIS?
  14. 14. How to build Big Brother Identification <img src="http://192.168.0.1/img/1.png" style="height:0;width:0;" onload="set('1')"> <img src="http://192.168.0.1/img/2.jpg" style="height:0;width:0;" onload="set('2')"> <img src="http://hostname/img/3.png" style="height:0;width:0;" onload="set('3')"> <img src="http://127.0.0.1:5000/request" style="height:0;width:0;" onload="set('4')">
  15. 15. How to build Big Brother Identification • GeoIP?
  16. 16. How to build Big Brother Code Injection • Public exploits + old FW • Blackbox • FW Access + FW RE + IDA • FW modification + Arbitrary upload
  17. 17. How to build Big Brother Code Injection • Public exploits + old FW
  18. 18. How to build Big Brother Code Injection • Blackbox • ?action=ping||shutdown –r 0|| • ?date=;ping blahblah.com;
  19. 19. How to build Big Brother Code Injection • Blackbox
  20. 20. How to build Big Brother Code Injection • FW Access + FW RE + IDA • Greetings: • Kirill Nesterov, • Dmitry Sklyarov
  21. 21. How to build Big Brother Code Injection • FW modification + Arbitrary upload
  22. 22. How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks
  23. 23. How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks • Remote upload (CSRF/XSS)
  24. 24. How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks • Remote upload (CSRF/XSS) • Local upload (diag mode)
  25. 25. How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks
  26. 26. How to build Big Brother FW Integrity Control • FW encrypted via RC4 • RSA Digital Signature +SHA1
  27. 27. How to build Big Brother FW Integrity Control
  28. 28. How to build Big Brother FW Integrity Control • FW encrypted via RC4
  29. 29. How to build Big Brother FW Integrity Control • FW encrypted via RC4 • Constant keystream FAIL • Part1 XOR Part2 FAIL • FW1 XOR FW2 FAIL • Lot of plaintext (CDROM) FAIL
  30. 30. How to build Big Brother FW Integrity Control • FW encrypted via RC4 FAIL
  31. 31. How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1 • AR: !<arch>: • FW • pkginfo: <7742526> • Sign=RSA(SHA1(FW[0..7742526]))
  32. 32. How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1
  33. 33. How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1 • ar --add data.tar.gz • ar -v • data.tar.gz • sign • pkginfo • data.tar.gz
  34. 34. How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1 FAIL • ar --add data.tar.gz • ar -v • data.tar.gz • sign • pkginfo • data.tar.gz
  35. 35. How to build Big Brother FW upload/CSRF http://blog.kotowicz.net/2011/04/ how-to-upload-arbitrary-file-contents.html
  36. 36. How to build Big Brother FW upload/ XSS • HUAWEI PSIRT 436642 (2015-05-29) http://www1.huawei.com/en/security/psirt/security- bulletins/security-notices/archive/hw-436642.htm
  37. 37. How to build Big Brother Data interception • Cell ID • WiFi • SMS • HTTP • SSL
  38. 38. How to build Big Brother Data interception • Cell ID • http://opencellid.org/ + XSS
  39. 39. How to build Big Brother Data interception • WiFi
  40. 40. How to build Big Brother Data interception • SMS
  41. 41. How to build Big Brother Data interception • HTTP • ARP-spoofing • DNS-spoofing
  42. 42. How to build Big Brother Data interception • SSL • Host RCE
  43. 43. How to build Big Brother SIM Cloning • Fake BTS + Binary SMS • GEO(!) • IMSI https://media.blackhat.com/us-13/us-13-Nohl-Rooting- SIM-cards-Slides.pdf
  44. 44. How to build Big Brother SIM Cloning • Use The Force
  45. 45. How to build Big Brother SIM Cloning • Diag mode
  46. 46. How to build Big Brother SIM Cloning • Send AT commands • AT+CMGF=0
  47. 47. How to build Big Brother GSM Attacks • Huawei: Remote(!) osmocomm for beggars • VxWorks on baseband hi6920 ― Loaded by Linux ― Packed on flash ― dmesg => load vxworks ok, entey 0x50d10000 ― Cshell • OS communication • Builtin debuger ― Nearly all names of objects/functions ― POSIX + documentation
  48. 48. How to build Big Brother Host Infection • BadUSB • Fake diagnostic tools/CDROM • HTML Injection + 0day • Even real diagnostic tools =))
  49. 49. How to build Big Brother Host Infection • BadUSB • Android gadget driver (supported_functions patching) • HID Gadget onboard! • Lots of boring stuff
  50. 50. How to build Big Brother Host Infection • Drive By Download • CDROM
  51. 51. How to build Big Brother Host Infection • HTML Injection + 0day
  52. 52. How to build Big Brother Host Infection • Kudos to @cyberpunkych • Lots of other stuff at yota.hlsec.ru • But nobody cares(((
  53. 53. How to build Big Brother APT
  54. 54. How to build Big Brother APT
  55. 55. How to build Big Brother APT • Subscribers attacks Subscribers • LISTEN 0.0.0.0:80 • Firewalls
  56. 56. How to build Big Brother Boring numbers
  57. 57. How to build Big Brother Fun numbers • Remote Code Execution via WEB: 5 dev • Arbitrary FW modification (rem/loc): 6 dev • CSRF: 5 dev • XSS: 4 dev
  58. 58. How to build Big Brother DEMO
  59. 59. How to build Big Brother Kudos • @cyberpunkych • D. Sklyarov • K. Nesterov • Al. Osipov • @SCADASL
  60. 60. Stay secure! Questions?

×