eval exploit and pickle example here: https://github.com/dnoiz1/ifwt-remote-root

1. Device
inspection
To remoteroot
Uncovering the sekritz of proprietary software on a fixed
wireless terminal and weap0nizing them into a remote exploit
Where What Who
Ruxmon Melbourne
Device Inspection to remote
root
Tim Noise

2. tIMNOISE
• twitter/dnoiz1
• github/dnoiz1
• mIRC/dnz
• streetz/notorious D N Z
• tim@drkns.net
Internet subscriber and pirate impersonator

3. FixedWirelessTerminals
• Linux Based
• System on Chip
• Provide PoTS and ADSL
• 3G/LTE Backhaul
• Battery and Solar
• Remote Managed
• Deployed in Clusters
For people without copper or fiber

4. ExternalConnectors
• Ether over USB
(DHCP)
• Aerial socket
• 2 RJ11 ports for
ADSL CPE and PoTS
Things we can probe

5. ExternalConnectors
• SIM Card slot
• 2 Management
Ethernet Ports (NO DHCP)
• 2 RJ11 power management ports
Things we can probe

6. WhatsInside?Rub the torx and the genie comes out
CPU
NAND0
NAND1
UART
Removable
CF Card for /

7. WhatsInside?Rub the torx and the genie comes out
Mini PCMCIA
3G Modem

8. BootProcessRedboot the buspirate, yarr
GND
RX
TX
VCC / NC

9. redboOTcatching a boot loader
• is listening on hardcoded TCP port + Interface
preboot
• holds variables that contain boot parameters

10. GainingROOTalways want that uid 0 - the usual tricks
• Removable root Media
• hashcat / jtr
• kernel paramaters
• init=/bin/sh
• single user mode
• Lucky for us, the root password is
printed on the PCB (not even joking)

11. MANAGEMENTInTERFACEthe dububdub

12. LoggingINConnecting using the management USB interface

13. PortsANDProcessessWhats running on this thing?

14. PortsANDProcessessWhats running on this thing?

15. PortsANDProcessessWhats running on this thing?

16. BacktotheSourceWhere is this process stored and launched from

17. DECOMPYLEUsing multiline strings as comments is great!

18. Vulnerability1:UNPICKLESerializing objects its so convenient for passing them over a udp socket

19. Vulnerability1:UNPICKLESerializing objects its so convenient for passing them over a udp socket

20. Vulnerability1:UNPICKLESerializing objects its so convenient for passing them over a udp socket

21. Vulnerability1:UNPICKLESerializing objects its so convenient for passing them over a udp socket

22. Vulnerability1:UNPICKLESerializing objects its so convenient for passing them over a udp socket

23. Vulnerability2:evalEvaling a concatenated string is a good way to check if its a member of an enum

24. PuttingitallTogethermaking use of our discovered vulnerabilities

25. PuttingitallTogethermaking use of our discovered vulnerabilities

26. PuttingitallTogethermaking use of our discovered vulnerabilities

27. PuttingitallTogethermaking use of our discovered vulnerabilities

28. DEMO

30. BONUS

31. OneStepFURTHER
• Connect back payloads
• Dial 1900 numbers for profit
• UDP broadcast the attack
• Intercept data and telephony
• Insta-botnet / onion network
• Other bad things
For internet bad men

32. QUESTIONS?

33. tIMNOISE
• twitter/dnoiz1
• github/dnoiz1
• mIRC/dnz
• streetz/notorious D N Z
• tim@drkns.net
Internet subscriber and pirate impersonator