SlideShare a Scribd company logo

How *NOT* to firmware

Download as PPTX, PDF
Amit Serper
Amit Serper

My slides from the March 9th Boston security meetup about the netgear nighthawk vulnerability that was disclosed back in December of 2016.

Software
1 of 27
HOW *NOT* TO FIRMWARE The tale of the vulnerable night hawk, By Amit Serper
$WHOAMI • Principal security researcher @ Cybereason • I LOVE EMBEDDED HACKING (used to make my living off of it) • I was here ~3 months ago talking about command injections • I am going to do that again right now @0xAmit
Background
HTTP REQUESTS – QUICK REMINDER
COMMAND INJECTIONS– QUICK REMINDER
LETS GET BACK TO IT…
YOU KNOW WHAT THAT MEANS… Someone passes a user controlled string to system()
YOU KNOW WHAT THAT MEANS… That user controlled string Is in the friggin URL
YOU KNOW WHAT THAT MEANS… It is actually in the HTTP Request itself
YOU KNOW WHAT THAT MEANS… The server just accepts And executes the Command => no auth
SO WAIT A MINUTE… If a user control string which is the HTTP request itself gets passed as an argument to system(), does this mean what I…? Oh shit.
THAT MEANS… EVERYONE GETS CODE EXECUTION AS ROOT!
QUESTIONS… • Where exactly in the code is the mistake and does it look like what I think it looks like • Are they actually calling system? • Why?! What for and how many times…
IDA PRO TIME…
SO WHAT’S GOING ON? • The webserver implements a bunch of server side functionality using ’cgi-bin’ • Cgi-bin is a generic name for scripts that are being processed on the server side using input from the client side •That is a terrible idea. The 90s are over. WTF.
SO WHAT’S ACTUALLY GOING ON HERE? • The webserver implements a bunch of server side functionality using ’cgi-bin’ • Cgi-bin is a generic name for scripts that are being processed on the server side using input from the client side • All of those scripts are in the /cgi-bin/ directory • One of those things is to LOG the parameters in the HTTP requests to a file. • The logging is done by doing something roughly like this: • system(“echo %s >/tmp/options_result”, USER_INPUT); • Since any request to cgi-bin/ is being handled that way… That means…
THAT MEANS… EVERYONE GETS CODE EXECUTION AS ROOT!
AS EASY AS http://<ip>/cgi-bin/;command
How *NOT* to firmware

Recommended

The internet of $h1t
The internet of $h1tThe internet of $h1t
The internet of $h1tAmit Serper
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow
 
Иван Новиков «Elastic search»
Иван Новиков «Elastic search»Иван Новиков «Elastic search»
Иван Новиков «Elastic search»Mail.ru Group
 
From Test to Live with Rex
From Test to Live with RexFrom Test to Live with Rex
From Test to Live with RexJan Gehring
 
Git+jenkins+rex presentation
Git+jenkins+rex presentationGit+jenkins+rex presentation
Git+jenkins+rex presentationDwi Sasongko Supriyadi
 
Deep drive into rust programming language
Deep drive into rust programming languageDeep drive into rust programming language
Deep drive into rust programming languageVigneshwer Dhinakaran
 
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...Tom Limoncelli
 
Sentry (SF Python, Feb)
Sentry (SF Python, Feb)Sentry (SF Python, Feb)
Sentry (SF Python, Feb)zeeg
 

Recommended

The internet of $h1t
The internet of $h1tThe internet of $h1t
The internet of $h1tAmit Serper
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow
 
Иван Новиков «Elastic search»
Иван Новиков «Elastic search»Иван Новиков «Elastic search»
Иван Новиков «Elastic search»Mail.ru Group
 
From Test to Live with Rex
From Test to Live with RexFrom Test to Live with Rex
From Test to Live with RexJan Gehring
 
Git+jenkins+rex presentation
Git+jenkins+rex presentationGit+jenkins+rex presentation
Git+jenkins+rex presentationDwi Sasongko Supriyadi
 
Deep drive into rust programming language
Deep drive into rust programming languageDeep drive into rust programming language
Deep drive into rust programming languageVigneshwer Dhinakaran
 
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...Tom Limoncelli
 
Sentry (SF Python, Feb)
Sentry (SF Python, Feb)Sentry (SF Python, Feb)
Sentry (SF Python, Feb)zeeg
 
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Codemotion
 
Composer Tutorial (PHP Hampshire Sept 2013)
Composer Tutorial (PHP Hampshire Sept 2013)Composer Tutorial (PHP Hampshire Sept 2013)
Composer Tutorial (PHP Hampshire Sept 2013)James Titcumb
 
Deployment tales
Deployment talesDeployment tales
Deployment talesAmoniac OÜ
 
Deployment tales
Deployment talesDeployment tales
Deployment talesAleksandr Simonov
 
What's new in Symfony3
What's new in Symfony3What's new in Symfony3
What's new in Symfony3Yuki MAEJIMA
 
Dive into sentry
Dive into sentryDive into sentry
Dive into sentryLeo Zhou
 
Programming The Arduino Due in Rust
Programming The Arduino Due in RustProgramming The Arduino Due in Rust
Programming The Arduino Due in Rustkellogh
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming LanguageJaeju Kim
 
Sinatra: прошлое, будущее и настоящее
Sinatra: прошлое, будущее и настоящееSinatra: прошлое, будущее и настоящее
Sinatra: прошлое, будущее и настоящее.toster
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp
 
Loading JavaScript: Even a caveman can do it
Loading JavaScript: Even a caveman can do itLoading JavaScript: Even a caveman can do it
Loading JavaScript: Even a caveman can do itKyle Simpson
 
Linuxday.at - Lightning Talk
Linuxday.at - Lightning TalkLinuxday.at - Lightning Talk
Linuxday.at - Lightning TalkJan Gehring
 
Automate Yo'self -- SeaGL
Automate Yo'self -- SeaGL Automate Yo'self -- SeaGL
Automate Yo'self -- SeaGL John Anderson
 
How to use miniedit
How to use minieditHow to use miniedit
How to use minieditTakuji IIMURA
 
Python for pentesters
Python for pentestersPython for pentesters
Python for pentestersRashid feroz
 
Master-Master Replication and Scaling of an Application Between Each of the I...
Master-Master Replication and Scaling of an Application Between Each of the I...Master-Master Replication and Scaling of an Application Between Each of the I...
Master-Master Replication and Scaling of an Application Between Each of the I...vsoshnikov
 
Resumable File Upload API using GridFS and TUS
Resumable File Upload API using GridFS and TUSResumable File Upload API using GridFS and TUS
Resumable File Upload API using GridFS and TUSkhangtoh
 
How to Shrink from 5 Tiers to 2 in a Multitier Microservices Architecture
How to Shrink from 5 Tiers to 2 in a Multitier Microservices Architecture How to Shrink from 5 Tiers to 2 in a Multitier Microservices Architecture
How to Shrink from 5 Tiers to 2 in a Multitier Microservices Architecturevsoshnikov
 
Lighning Talk: composer repositories
Lighning Talk: composer repositoriesLighning Talk: composer repositories
Lighning Talk: composer repositoriesBryan Agee
 
Infrastructure development on windows ldn cd meetup
Infrastructure development on windows ldn cd meetup Infrastructure development on windows ldn cd meetup
Infrastructure development on windows ldn cd meetup Owain Perry
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 

More Related Content

What's hot

Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Codemotion
 
Composer Tutorial (PHP Hampshire Sept 2013)
Composer Tutorial (PHP Hampshire Sept 2013)Composer Tutorial (PHP Hampshire Sept 2013)
Composer Tutorial (PHP Hampshire Sept 2013)James Titcumb
 
Deployment tales
Deployment talesDeployment tales
Deployment talesAmoniac OÜ
 
What's new in Symfony3
What's new in Symfony3What's new in Symfony3
What's new in Symfony3Yuki MAEJIMA
 
Dive into sentry
Dive into sentryDive into sentry
Dive into sentryLeo Zhou
 
Programming The Arduino Due in Rust
Programming The Arduino Due in RustProgramming The Arduino Due in Rust
Programming The Arduino Due in Rustkellogh
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming LanguageJaeju Kim
 
Sinatra: прошлое, будущее и настоящее
Sinatra: прошлое, будущее и настоящееSinatra: прошлое, будущее и настоящее
Sinatra: прошлое, будущее и настоящее.toster
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp
 
Loading JavaScript: Even a caveman can do it
Loading JavaScript: Even a caveman can do itLoading JavaScript: Even a caveman can do it
Loading JavaScript: Even a caveman can do itKyle Simpson
 
Linuxday.at - Lightning Talk
Linuxday.at - Lightning TalkLinuxday.at - Lightning Talk
Linuxday.at - Lightning TalkJan Gehring
 
Automate Yo'self -- SeaGL
Automate Yo'self -- SeaGL Automate Yo'self -- SeaGL
Automate Yo'self -- SeaGL John Anderson
 
Python for pentesters
Python for pentestersPython for pentesters
Python for pentestersRashid feroz
 
Master-Master Replication and Scaling of an Application Between Each of the I...
Master-Master Replication and Scaling of an Application Between Each of the I...Master-Master Replication and Scaling of an Application Between Each of the I...
Master-Master Replication and Scaling of an Application Between Each of the I...vsoshnikov
 
Resumable File Upload API using GridFS and TUS
Resumable File Upload API using GridFS and TUSResumable File Upload API using GridFS and TUS
Resumable File Upload API using GridFS and TUSkhangtoh
 
How to Shrink from 5 Tiers to 2 in a Multitier Microservices Architecture
How to Shrink from 5 Tiers to 2 in a Multitier Microservices Architecture How to Shrink from 5 Tiers to 2 in a Multitier Microservices Architecture
How to Shrink from 5 Tiers to 2 in a Multitier Microservices Architecturevsoshnikov
 
Lighning Talk: composer repositories
Lighning Talk: composer repositoriesLighning Talk: composer repositories
Lighning Talk: composer repositoriesBryan Agee
 
Infrastructure development on windows ldn cd meetup
Infrastructure development on windows ldn cd meetup Infrastructure development on windows ldn cd meetup
Infrastructure development on windows ldn cd meetup Owain Perry
 

What's hot (20)

Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
 
Composer Tutorial (PHP Hampshire Sept 2013)
Composer Tutorial (PHP Hampshire Sept 2013)Composer Tutorial (PHP Hampshire Sept 2013)
Composer Tutorial (PHP Hampshire Sept 2013)
 
Deployment tales
Deployment talesDeployment tales
Deployment tales
 
Deployment tales
Deployment talesDeployment tales
Deployment tales
 
What's new in Symfony3
What's new in Symfony3What's new in Symfony3
What's new in Symfony3
 
Dive into sentry
Dive into sentryDive into sentry
Dive into sentry
 
Programming The Arduino Due in Rust
Programming The Arduino Due in RustProgramming The Arduino Due in Rust
Programming The Arduino Due in Rust
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming Language
 
Sinatra: прошлое, будущее и настоящее
Sinatra: прошлое, будущее и настоящееSinatra: прошлое, будущее и настоящее
Sinatra: прошлое, будущее и настоящее
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm Hole
 
Loading JavaScript: Even a caveman can do it
Loading JavaScript: Even a caveman can do itLoading JavaScript: Even a caveman can do it
Loading JavaScript: Even a caveman can do it
 
Linuxday.at - Lightning Talk
Linuxday.at - Lightning TalkLinuxday.at - Lightning Talk
Linuxday.at - Lightning Talk
 
Automate Yo'self -- SeaGL
Automate Yo'self -- SeaGL Automate Yo'self -- SeaGL
Automate Yo'self -- SeaGL
 
How to use miniedit
How to use minieditHow to use miniedit
How to use miniedit
 
Python for pentesters
Python for pentestersPython for pentesters
Python for pentesters
 
Master-Master Replication and Scaling of an Application Between Each of the I...
Master-Master Replication and Scaling of an Application Between Each of the I...Master-Master Replication and Scaling of an Application Between Each of the I...
Master-Master Replication and Scaling of an Application Between Each of the I...
 
Resumable File Upload API using GridFS and TUS
Resumable File Upload API using GridFS and TUSResumable File Upload API using GridFS and TUS
Resumable File Upload API using GridFS and TUS
 
How to Shrink from 5 Tiers to 2 in a Multitier Microservices Architecture
How to Shrink from 5 Tiers to 2 in a Multitier Microservices Architecture How to Shrink from 5 Tiers to 2 in a Multitier Microservices Architecture
How to Shrink from 5 Tiers to 2 in a Multitier Microservices Architecture
 
Lighning Talk: composer repositories
Lighning Talk: composer repositoriesLighning Talk: composer repositories
Lighning Talk: composer repositories
 
Infrastructure development on windows ldn cd meetup
Infrastructure development on windows ldn cd meetup Infrastructure development on windows ldn cd meetup
Infrastructure development on windows ldn cd meetup
 

Similar to How *NOT* to firmware

Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfBrute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfLior Rotkovitch
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Mitigating CSRF with two lines of codes
Mitigating CSRF with two lines of codesMitigating CSRF with two lines of codes
Mitigating CSRF with two lines of codesMinhaz A V
 
H4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityH4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityOliver Hader
 
BSides Lisbon 2013 - All your sites belong to Burp
BSides Lisbon 2013 - All your sites belong to BurpBSides Lisbon 2013 - All your sites belong to Burp
BSides Lisbon 2013 - All your sites belong to BurpTiago Mendo
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanLior Rotkovitch
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web HackerHeadLightSecurity
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network SecurityUC San Diego
 
Building real time applications with Symfony2
Building real time applications with Symfony2Building real time applications with Symfony2
Building real time applications with Symfony2Antonio Peric-Mazar
 
Redesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern WebRedesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern WebCliff Smith
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
 
Ruby on Rails Security Guide
Ruby on Rails Security GuideRuby on Rails Security Guide
Ruby on Rails Security Guideihji
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 

Similar to How *NOT* to firmware (20)

Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfBrute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Mitigating CSRF with two lines of codes
Mitigating CSRF with two lines of codesMitigating CSRF with two lines of codes
Mitigating CSRF with two lines of codes
 
H4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityH4CK1N6 - Web Application Security
H4CK1N6 - Web Application Security
 
Secure all things with CBSecurity 3
Secure all things with CBSecurity 3Secure all things with CBSecurity 3
Secure all things with CBSecurity 3
 
BSides Lisbon 2013 - All your sites belong to Burp
BSides Lisbon 2013 - All your sites belong to BurpBSides Lisbon 2013 - All your sites belong to Burp
BSides Lisbon 2013 - All your sites belong to Burp
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web Hacker
 
Security in php
Security in phpSecurity in php
Security in php
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 
Building real time applications with Symfony2
Building real time applications with Symfony2Building real time applications with Symfony2
Building real time applications with Symfony2
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web Hacker
 
Redesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern WebRedesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern Web
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
 
Ruby on Rails Security Guide
Ruby on Rails Security GuideRuby on Rails Security Guide
Ruby on Rails Security Guide
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 

Recently uploaded

Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfAMB-Review
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandIES VE
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTier1 app
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAlluxio, Inc.
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessWSO2
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfOrtus Solutions, Corp
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024Ortus Solutions, Corp
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...rajkumar669520
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
 
Agnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in KrakówAgnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in Krakówbim.edu.pl
 

Recently uploaded (20)

Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
Agnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in KrakówAgnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in Kraków
 

How *NOT* to firmware

  • 1. HOW *NOT* TO FIRMWARE The tale of the vulnerable night hawk, By Amit Serper
  • 2. $WHOAMI • Principal security researcher @ Cybereason • I LOVE EMBEDDED HACKING (used to make my living off of it) • I was here ~3 months ago talking about command injections • I am going to do that again right now @0xAmit
  • 4.
  • 5. HTTP REQUESTS – QUICK REMINDER
  • 6.
  • 8. LETS GET BACK TO IT…
  • 9. YOU KNOW WHAT THAT MEANS… Someone passes a user controlled string to system()
  • 10. YOU KNOW WHAT THAT MEANS… That user controlled string Is in the friggin URL
  • 11. YOU KNOW WHAT THAT MEANS… It is actually in the HTTP Request itself
  • 12. YOU KNOW WHAT THAT MEANS… The server just accepts And executes the Command => no auth
  • 13. SO WAIT A MINUTE… If a user control string which is the HTTP request itself gets passed as an argument to system(), does this mean what I…? Oh shit.
  • 14. THAT MEANS… EVERYONE GETS CODE EXECUTION AS ROOT!
  • 15. QUESTIONS… • Where exactly in the code is the mistake and does it look like what I think it looks like • Are they actually calling system? • Why?! What for and how many times…
  • 17.
  • 18.
  • 19.
  • 20.
  • 21. SO WHAT’S GOING ON? • The webserver implements a bunch of server side functionality using ’cgi-bin’ • Cgi-bin is a generic name for scripts that are being processed on the server side using input from the client side •That is a terrible idea. The 90s are over. WTF.
  • 22.
  • 23.
  • 24. SO WHAT’S ACTUALLY GOING ON HERE? • The webserver implements a bunch of server side functionality using ’cgi-bin’ • Cgi-bin is a generic name for scripts that are being processed on the server side using input from the client side • All of those scripts are in the /cgi-bin/ directory • One of those things is to LOG the parameters in the HTTP requests to a file. • The logging is done by doing something roughly like this: • system(“echo %s >/tmp/options_result”, USER_INPUT); • Since any request to cgi-bin/ is being handled that way… That means…
  • 25. THAT MEANS… EVERYONE GETS CODE EXECUTION AS ROOT!