Codemotion, profile picture
Uploaded byCodemotion
PDF, PPTX132 views

IoT exploitation: from memory corruption to code execution - Marco Romano - Codemotion Rome 2018

The document presents a technical exploration of IoT exploitation, specifically focusing on vulnerabilities in Edimax network cameras, including a stack buffer overflow issue (CVE-2018-8072). It details the methodology for vulnerability assessment and exploitation, including firmware analysis, bypassing protection mechanisms like ASLR, and executing arbitrary code. The findings culminate in a proof of concept that illustrates how to exploit these vulnerabilities for unauthorized access.

Embed presentation

Download as PDF, PPTX
IoT exploitation: from memory corruption to code execution Marco Romano ROME - APRIL 13/14 2018
Marco Romano (In)Security Researcher sometimes for fun, sometimes for profit FIND ME HERE @nemux_ IoT exploitation from memory corruption to code execution © Marco Romano - nemux.org
Independent researches Publicly disclosed vulnerabilities 2015 CVE-2015-7805 Heap-based buffer overflow in libsndfile 1.0.25 2016 CVE-2016-2399 Integer overflow in the quicktime_read_pascal function in libquicktime 1.2.4 2018 CVE-2018-8072 ???? 2017 © Marco Romano - nemux.org
CVE-2018-8072 EDIMAX Network Cameras Stack Buffer Overflow Models: IC-3140W, IC-5150W, IC-6220DC An issue was discovered on EDIMAX IC-3140W through 3.06, IC-5150W through 3.09, and IC-6220DC through 3.06 devices… © Marco Romano - nemux.org
Stack Buffer Overflow © Marco Romano - nemux.org “2 minutes Crash Course” Stack For the sake of simplicity some stack info are missed
Stack Buffer Overflow © Marco Romano - nemux.org 1) main() calls foo() 2) foo() copies “AA…” in buf[] 3) foo() “return;” —> go back in main() “2 minutes Crash Course” Stack
Stack Buffer Overflow © Marco Romano - nemux.org “2 minutes Crash Course” Stack
Model number: IC-3140W (1) …open-up the box… (2) Information gathering (3) Attack surface mapping DAY 1 TARGET: HD Wireless Day & Night Network Camera © Marco Romano - nemux.org
Your are safe… you can see him… © Marco Romano - nemux.org
…and yell at him © Marco Romano - nemux.org Image courtesy of: edimax.com
…but not at him! (unauthenticated) Remote Code Execution © Marco Romano - nemux.org
Information Gathering & Attack Hardware Best friend: Screwdriver Take note of the components used in the device and collect online resources © Marco Romano - nemux.org
Software Best friend: Google Download everything the vendor allows you to… First of all the firmware! Information Gathering & Attack © Marco Romano - nemux.org
They are 4 interesting holes! UART Pinouts IC-3140W: UART root shell: 3 Wires + 1 USB Serial Adapter + Right baudrate (38400) 1. Tx 2. GND 3. Rx 4. Vcc UART Exploitation © Marco Romano - nemux.org
Get a root shell Goal: UART —> Serial Console —> telnetd & © Marco Romano - nemux.org
Firmware Firmware analysis Best friend: binwalk https://github.com/ReFirmLabs/ binwalk binwalk -M -e IC-3140W_3.05.bin © Marco Romano - nemux.org
Interesting targets Goal: Unauthenticated HTTP Request —> Binary CGI got something to reverse…. © Marco Romano - nemux.org
telnetd.cgi? sounds good! Goal: HTTP Request —> telnetd.cgi —> telnetd & (1) Undocumented “feature” (2) Not available in the admin panel (3) Run telnet daemon through an HTTP GET request …feature, really? (it comes in handy for debugging purpose) © Marco Romano - nemux.org
telnetd.cgi Reverse… Goal: HTTP Request —> telnetd.cgi —> telnetd & Typo here… © Marco Romano - nemux.org
telnetd.cgi Let’s test it! Goal: HTTP Request —> telnetd.cgi —> telnetd & No UART wires and “noise”, from now on… and typo here… so, it works :-) © Marco Romano - nemux.org
Bug Hunting Model number: IC-3140W TARGET: HD Wireless Day & Night Network Camera DAY 2 © Marco Romano - nemux.org
Binary Reverse Best friend: Debugger & Disassembler How it works: CGI manages parameter through environment variables (take note for debugging session) Reverse ipcam_cgi © Marco Romano - nemux.org
Goal: HTTP Request —> public/… —> vulnerability (?) 1) strcpy() —> dest with fixed size (1024) 2) strcpy() —> i can control the source 3) strcpy() —> no check on src size ipcam_cgi © Marco Romano - nemux.org
HACKED POTATO! HTTPdHTTP GET getSysteminfo.cgi 2016 ipcam_cgiHTTPd set ENV variables strcpy()ipcam_cgi parse & copy Stack Buffer Overflow Recipe… …result Goal: HTTP Request —> public/… —> vulnerability (?) ipcam_cgi © Marco Romano - nemux.org
ipcam_cgi Let’s test it! Value length > 1024 byte (0x400) Goal: HTTP Request —> public/… —> vulnerability (?) © Marco Romano - nemux.org
ipcam_cgi some math… “action=“ + 1017 + “BBBB” (0x42424242) Invalid Read Access Goal: HTTP Request —> public/… —> vulnerability (!) © Marco Romano - nemux.org
Exploiting Model number: IC-3140W TARGET: HD Wireless Day & Night Network Camera DAY 3 © Marco Romano - nemux.org
Protection Mechanisms Goal: HTTP Request —> ipcam_cgi —> code exec ASLR = Address Space Layout Randomization Randomly arranges the address space positions of key data areas of a process: executable, stack, heap and libraries. (2) Memory Map Stack Base = 0x7fad6000 Stack Base = 0x7fdac000 Partially Enabled (1) Memory Map © Marco Romano - nemux.org
Protection Mechanisms Goal: HTTP Request —> ipcam_cgi —> code exec (2) Memory Map (1) Memory Map W^X = Write XOR Execute  Address space may be either writable or executable, but not both Not Enabled 32bit arch no PAE © Marco Romano - nemux.org
“Exploitation plan” Steps 1) Hijack the control flow 2) Bypass Protections 3) Inject arbitrary code …and jump there! © Marco Romano - nemux.org
Mips Note Goal: Low-level note…MIPS registers Image courtesy of hmc.edu © Marco Romano - nemux.org
Hijack the flow Goal: Overwrite Saved Return Pointer -> Control RA Control “Return Address” register Exception: “Invalid Read Access” = Pointer(s) stored in the Stack = “CONSTRAINTS” Constraints solved… Stack SrP —> 0x46464646 —> RA = SrP Control Flow Hijacked! © Marco Romano - nemux.org
Bypass Stack ASLR Jump there…. where!? Stack + ASLR “Code-Reuse” Attack Bypass Protections Goal: Find a stack pointer © Marco Romano - nemux.org
Bypass Stack ASLR Goal: Find a stack pointer “Code reuse” attack… how it works? Execute the code which is “already” present in the memory Usually used to bypass NX Bypass Protections © Marco Romano - nemux.org
Bypass Stack ASLR Goal: Find a stack pointer “System” applies a restriction… Bypass Protections © Marco Romano - nemux.org
Bypass Stack ASLR Goal: Find a stack pointer …but she’s smart! Bypass Protections Answer is “NO” © Marco Romano - nemux.org
Bypass Stack ASLR Goal: Find a stack pointer “Code reuse” attack… exploitation purpose 1. Libraries: Fixed location in memory 2. Plan: Concatenate “pieces” of (that) code 3. Get a (randomized) stack pointer to defeat ASLR Bypass Protections © Marco Romano - nemux.org
Cache coherence Goal: Defeat cache coherence MIPS CPUs have 2 separate caches (data and instructions) Cache != Protection… but affect exploitation! • Our payload will be in memory as data • Hijack control flow… and Shellcode in D-cache • How to move Shellcode in Main Memory? Bypass Protections © Marco Romano - nemux.org
“Bypass” Cache coherence Cache Flushing… how to 1. Filling the D-cache to force the CPU to write-back 2. cacheflush() systemcall 3. Call a blocking function (like sleep() or similar) Cache != Protection… and we can defeat it! Bypass Protections Goal: Defeat cache coherence © Marco Romano - nemux.org
 put them all together… Goal: Execute a “connect back” shellcode Chain of “Gadgets” - Step 1 - Defeat Cache Inject arbitrary code Hijack Control Flow “Init” Gadget “Double-Jump” Gadget call usleep() set usleep() arg jump next… © Marco Romano - nemux.org
 put them all together… Goal: Execute a “connect back” shellcode Chain of “Gadgets” - Step 2 - Defeat Stack ASLR Inject arbitrary code Move Stack Pointer in $A1 Move $A1 in $V0 Jump to $V0 © Marco Romano - nemux.org
 put them all together… Goal: Execute a “connect back” shellcode Chain of “Gadgets” - Step 3 - Execute Shellcode Inject arbitrary code Ehi! That’s my code… Connect back shell… port 8080 © Marco Romano - nemux.org
Wait for a root shell… Goal: Execute a “connect back” shellcode Execute arbitrary code © Marco Romano - nemux.org
Let’s play the bad guys © Marco Romano - nemux.org Botnet
…while you wait for the crypto miner botnet © Marco Romano - nemux.org Don’t do this at home! :-)
TIMELINE 2016 February 2018 ME —> EDIMAX Proof of concept March 2018 EDIMAX —> ME Private Beta version April 2018 New Firmware (??) CVE-2018-8072 © Marco Romano - nemux.org
Thank you! © Marco Romano - nemux.org https://gitlab.com/nemux/CVE-2018-8072

More Related Content

PDF
Digging for Android Kernel Bugs
byJiahong Fang
 
PDF
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
byCanSecWest
 
PDF
CrySys guest-lecture: Virtual machine introspection on modern hardware
byTamas K Lengyel
 
ODP
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
byTamas K Lengyel
 
PDF
OffensiveCon2022: Case Studies of Fuzzing with Xen
byTamas K Lengyel
 
PDF
31c3 Presentation - Virtual Machine Introspection
byTamas K Lengyel
 
PDF
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
byScott K. Larson
 
ODP
Virtual Machine Introspection with Xen on ARM
byTamas K Lengyel
 
Digging for Android Kernel Bugs
byJiahong Fang
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
byCanSecWest
 
CrySys guest-lecture: Virtual machine introspection on modern hardware
byTamas K Lengyel
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
byTamas K Lengyel
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
byTamas K Lengyel
 
31c3 Presentation - Virtual Machine Introspection
byTamas K Lengyel
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
byScott K. Larson
 
Virtual Machine Introspection with Xen on ARM
byTamas K Lengyel
 

What's hot

PDF
44CON London - Attacking VxWorks: from Stone Age to Interstellar
by44CON
 
PDF
Kernel Recipes 2015: Anatomy of an atomic KMS driver
byAnne Nicolas
 
PDF
Cloud Security with LibVMI
byTamas K Lengyel
 
PDF
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
byNate Lawson
 
PPTX
ShinoBOT Suite
byShota Shinogi
 
PDF
How to Root 10 Million Phones with One Exploit
byJiahong Fang
 
PPT
[ENG] IPv6 shipworm + My little Windows domain pwnie
byZoltan Balazs
 
PPTX
VM Forking and Hypervisor-based fuzzing
byTamas K Lengyel
 
PDF
BSides Denver: Stealthy, hypervisor-based malware analysis
byTamas K Lengyel
 
PDF
Pitfalls and limits of dynamic malware analysis
byTamas K Lengyel
 
ODP
Pitfalls of virtual machine introspection on modern hardware
byTamas K Lengyel
 
PDF
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
byChong-Kuan Chen
 
PDF
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
byDefconRussia
 
PDF
VM Forking and Hypervisor-based Fuzzing with Xen
byTamas K Lengyel
 
PDF
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
byCanSecWest
 
PDF
Virtual Machine Introspection with Xen
byTamas K Lengyel
 
ODP
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
byTamas K Lengyel
 
PDF
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
byCanSecWest
 
PDF
SnakeGX (short version)
byFlavio Toffalini
 
PDF
Shusei tomonaga pac_sec_20171026
byPacSecJP
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
by44CON
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
byAnne Nicolas
 
Cloud Security with LibVMI
byTamas K Lengyel
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
byNate Lawson
 
ShinoBOT Suite
byShota Shinogi
 
How to Root 10 Million Phones with One Exploit
byJiahong Fang
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
byZoltan Balazs
 
VM Forking and Hypervisor-based fuzzing
byTamas K Lengyel
 
BSides Denver: Stealthy, hypervisor-based malware analysis
byTamas K Lengyel
 
Pitfalls and limits of dynamic malware analysis
byTamas K Lengyel
 
Pitfalls of virtual machine introspection on modern hardware
byTamas K Lengyel
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
byChong-Kuan Chen
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
byDefconRussia
 
VM Forking and Hypervisor-based Fuzzing with Xen
byTamas K Lengyel
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
byCanSecWest
 
Virtual Machine Introspection with Xen
byTamas K Lengyel
 
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
byTamas K Lengyel
 
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
byCanSecWest
 
SnakeGX (short version)
byFlavio Toffalini
 
Shusei tomonaga pac_sec_20171026
byPacSecJP
 

Similar to IoT exploitation: from memory corruption to code execution - Marco Romano - Codemotion Rome 2018

PPTX
Advanced SOHO Router Exploitation XCON
byLyon Yang
 
PDF
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
byLyon Yang
 
PDF
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
by44CON
 
PDF
Simplest-Ownage-Human-Observed… - Routers
byLogicaltrust pl
 
PDF
Filip palian mateuszkocielski. simplest ownage human observed… routers
byYury Chemerkin
 
PDF
DefCon 2012 - Rooting SOHO Routers
byMichael Smith
 
PPT
Software security
byRoman Oliynykov
 
PPTX
The internet of $h1t
byAmit Serper
 
PDF
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
byCanSecWest
 
PDF
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
by44CON
 
PPTX
Steelcon 2015 - 0wning the internet of trash
byinfodox
 
PDF
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
byFelipe Prado
 
PPT
Attacking Embedded Devices (No Axe Required)
bySecurity Weekly
 
PDF
Linux Kernel Exploitation
byScio Security
 
PDF
Os Selbak
byoscon2007
 
PPTX
hacking-embedded-devices.pptx
byssuserfcf43f
 
PDF
Hacklu11 Writeup
bynkslides
 
ODP
[Defcon] Hardware backdooring is practical
byMoabi.com
 
PDF
44CON London 2015 - Is there an EFI monster inside your apple?
by44CON
 
PDF
Hacking school computers for fun profit and better grades short
byVincent Ohprecio
 
Advanced SOHO Router Exploitation XCON
byLyon Yang
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
byLyon Yang
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
by44CON
 
Simplest-Ownage-Human-Observed… - Routers
byLogicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
byYury Chemerkin
 
DefCon 2012 - Rooting SOHO Routers
byMichael Smith
 
Software security
byRoman Oliynykov
 
The internet of $h1t
byAmit Serper
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
byCanSecWest
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
by44CON
 
Steelcon 2015 - 0wning the internet of trash
byinfodox
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
byFelipe Prado
 
Attacking Embedded Devices (No Axe Required)
bySecurity Weekly
 
Linux Kernel Exploitation
byScio Security
 
Os Selbak
byoscon2007
 
hacking-embedded-devices.pptx
byssuserfcf43f
 
Hacklu11 Writeup
bynkslides
 
[Defcon] Hardware backdooring is practical
byMoabi.com
 
44CON London 2015 - Is there an EFI monster inside your apple?
by44CON
 
Hacking school computers for fun profit and better grades short
byVincent Ohprecio
 

More from Codemotion

PDF
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
byCodemotion
 
PDF
Pompili - From hero to_zero: The FatalNoise neverending story
byCodemotion
 
PPTX
Pastore - Commodore 65 - La storia
byCodemotion
 
PPTX
Pennisi - Essere Richard Altwasser
byCodemotion
 
PPTX
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
byCodemotion
 
PPTX
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
byCodemotion
 
PPTX
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
byCodemotion
 
PPTX
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
byCodemotion
 
PDF
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
byCodemotion
 
PDF
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
byCodemotion
 
PDF
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
byCodemotion
 
PDF
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
byCodemotion
 
PDF
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
byCodemotion
 
PDF
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
byCodemotion
 
PPTX
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
byCodemotion
 
PPTX
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
byCodemotion
 
PDF
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
byCodemotion
 
PDF
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
byCodemotion
 
PDF
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
byCodemotion
 
PDF
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
byCodemotion
 
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
byCodemotion
 
Pompili - From hero to_zero: The FatalNoise neverending story
byCodemotion
 
Pastore - Commodore 65 - La storia
byCodemotion
 
Pennisi - Essere Richard Altwasser
byCodemotion
 
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
byCodemotion
 
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
byCodemotion
 
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
byCodemotion
 
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
byCodemotion
 
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
byCodemotion
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
byCodemotion
 
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
byCodemotion
 
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
byCodemotion
 
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
byCodemotion
 
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
byCodemotion
 
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
byCodemotion
 
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
byCodemotion
 
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
byCodemotion
 
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
byCodemotion
 
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
byCodemotion
 
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
byCodemotion
 

Recently uploaded

PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Reality Drift: Why Systems Keep Working After Meaning Drops Out
byReality Drift Archive | A. Jacobs
 
PDF
AI in the Real World: From University to Industry
byDarvan Shvan
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Agent Factory -AIOUG Multicloud - Feb 2026
bySandesh Rao
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
Chapter 6 Authentication and Access Control.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
apidays Paris 2025 | Zero Trust By Design
byapidays
 
PPTX
Real-Time KPI Dashboard Playbook: What to Track Live and What Not To
byvictorworkvebo
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Reality Drift: Why Systems Keep Working After Meaning Drops Out
byReality Drift Archive | A. Jacobs
 
AI in the Real World: From University to Industry
byDarvan Shvan
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Agent Factory -AIOUG Multicloud - Feb 2026
bySandesh Rao
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Chapter 6 Authentication and Access Control.pdf
byGetnet Tigabie Askale -(GM)
 
Workflow and decision Automation with Flowable
bychakib ch
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
apidays New York 2025 | AI in Application Security
byapidays
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
apidays Paris 2025 | Zero Trust By Design
byapidays
 
Real-Time KPI Dashboard Playbook: What to Track Live and What Not To
byvictorworkvebo
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 

IoT exploitation: from memory corruption to code execution - Marco Romano - Codemotion Rome 2018

  • 1.
    IoT exploitation: frommemory corruption to code execution Marco Romano ROME - APRIL 13/14 2018
  • 2.
    Marco Romano (In)Security Researcher sometimes forfun, sometimes for profit FIND ME HERE @nemux_ IoT exploitation from memory corruption to code execution © Marco Romano - nemux.org
  • 3.
    Independent researches Publicly disclosed vulnerabilities 2015 CVE-2015-7805 Heap-basedbuffer overflow in libsndfile 1.0.25 2016 CVE-2016-2399 Integer overflow in the quicktime_read_pascal function in libquicktime 1.2.4 2018 CVE-2018-8072 ???? 2017 © Marco Romano - nemux.org
  • 4.
    CVE-2018-8072 EDIMAX Network CamerasStack Buffer Overflow Models: IC-3140W, IC-5150W, IC-6220DC An issue was discovered on EDIMAX IC-3140W through 3.06, IC-5150W through 3.09, and IC-6220DC through 3.06 devices… © Marco Romano - nemux.org
  • 5.
    Stack Buffer Overflow ©Marco Romano - nemux.org “2 minutes Crash Course” Stack For the sake of simplicity some stack info are missed
  • 6.
    Stack Buffer Overflow ©Marco Romano - nemux.org 1) main() calls foo() 2) foo() copies “AA…” in buf[] 3) foo() “return;” —> go back in main() “2 minutes Crash Course” Stack
  • 7.
    Stack Buffer Overflow ©Marco Romano - nemux.org “2 minutes Crash Course” Stack
  • 8.
    Model number: IC-3140W (1)…open-up the box… (2) Information gathering (3) Attack surface mapping DAY 1 TARGET: HD Wireless Day & Night Network Camera © Marco Romano - nemux.org
  • 9.
    Your are safe…you can see him… © Marco Romano - nemux.org
  • 10.
    …and yell athim © Marco Romano - nemux.org Image courtesy of: edimax.com
  • 11.
    …but not athim! (unauthenticated) Remote Code Execution © Marco Romano - nemux.org
  • 12.
    Information Gathering & Attack Hardware Bestfriend: Screwdriver Take note of the components used in the device and collect online resources © Marco Romano - nemux.org
  • 13.
    Software Best friend: Google Downloadeverything the vendor allows you to… First of all the firmware! Information Gathering & Attack © Marco Romano - nemux.org
  • 14.
    They are 4interesting holes! UART Pinouts IC-3140W: UART root shell: 3 Wires + 1 USB Serial Adapter + Right baudrate (38400) 1. Tx 2. GND 3. Rx 4. Vcc UART Exploitation © Marco Romano - nemux.org
  • 15.
    Get a root shell Goal:UART —> Serial Console —> telnetd & © Marco Romano - nemux.org
  • 16.
    Firmware Firmware analysis Best friend:binwalk https://github.com/ReFirmLabs/ binwalk binwalk -M -e IC-3140W_3.05.bin © Marco Romano - nemux.org
  • 17.
    Interesting targets Goal: Unauthenticated HTTPRequest —> Binary CGI got something to reverse…. © Marco Romano - nemux.org
  • 18.
    telnetd.cgi? sounds good! Goal: HTTPRequest —> telnetd.cgi —> telnetd & (1) Undocumented “feature” (2) Not available in the admin panel (3) Run telnet daemon through an HTTP GET request …feature, really? (it comes in handy for debugging purpose) © Marco Romano - nemux.org
  • 19.
    telnetd.cgi Reverse… Goal: HTTP Request—> telnetd.cgi —> telnetd & Typo here… © Marco Romano - nemux.org
  • 20.
    telnetd.cgi Let’s test it! Goal:HTTP Request —> telnetd.cgi —> telnetd & No UART wires and “noise”, from now on… and typo here… so, it works :-) © Marco Romano - nemux.org
  • 21.
    Bug Hunting Model number:IC-3140W TARGET: HD Wireless Day & Night Network Camera DAY 2 © Marco Romano - nemux.org
  • 22.
    Binary Reverse Best friend:Debugger & Disassembler How it works: CGI manages parameter through environment variables (take note for debugging session) Reverse ipcam_cgi © Marco Romano - nemux.org
  • 23.
    Goal: HTTP Request—> public/… —> vulnerability (?) 1) strcpy() —> dest with fixed size (1024) 2) strcpy() —> i can control the source 3) strcpy() —> no check on src size ipcam_cgi © Marco Romano - nemux.org
  • 24.
    HACKED POTATO! HTTPdHTTP GETgetSysteminfo.cgi 2016 ipcam_cgiHTTPd set ENV variables strcpy()ipcam_cgi parse & copy Stack Buffer Overflow Recipe… …result Goal: HTTP Request —> public/… —> vulnerability (?) ipcam_cgi © Marco Romano - nemux.org
  • 25.
    ipcam_cgi Let’s test it! Valuelength > 1024 byte (0x400) Goal: HTTP Request —> public/… —> vulnerability (?) © Marco Romano - nemux.org
  • 26.
    ipcam_cgi some math… “action=“ +1017 + “BBBB” (0x42424242) Invalid Read Access Goal: HTTP Request —> public/… —> vulnerability (!) © Marco Romano - nemux.org
  • 27.
    Exploiting Model number: IC-3140W TARGET: HDWireless Day & Night Network Camera DAY 3 © Marco Romano - nemux.org
  • 28.
    Protection Mechanisms Goal: HTTP Request—> ipcam_cgi —> code exec ASLR = Address Space Layout Randomization Randomly arranges the address space positions of key data areas of a process: executable, stack, heap and libraries. (2) Memory Map Stack Base = 0x7fad6000 Stack Base = 0x7fdac000 Partially Enabled (1) Memory Map © Marco Romano - nemux.org
  • 29.
    Protection Mechanisms Goal: HTTP Request—> ipcam_cgi —> code exec (2) Memory Map (1) Memory Map W^X = Write XOR Execute  Address space may be either writable or executable, but not both Not Enabled 32bit arch no PAE © Marco Romano - nemux.org
  • 30.
    “Exploitation plan” Steps 1) Hijackthe control flow 2) Bypass Protections 3) Inject arbitrary code …and jump there! © Marco Romano - nemux.org
  • 31.
    Mips Note Goal: Low-levelnote…MIPS registers Image courtesy of hmc.edu © Marco Romano - nemux.org
  • 32.
    Hijack the flow Goal: OverwriteSaved Return Pointer -> Control RA Control “Return Address” register Exception: “Invalid Read Access” = Pointer(s) stored in the Stack = “CONSTRAINTS” Constraints solved… Stack SrP —> 0x46464646 —> RA = SrP Control Flow Hijacked! © Marco Romano - nemux.org
  • 33.
    Bypass Stack ASLR Jumpthere…. where!? Stack + ASLR “Code-Reuse” Attack Bypass Protections Goal: Find a stack pointer © Marco Romano - nemux.org
  • 34.
    Bypass Stack ASLR Goal:Find a stack pointer “Code reuse” attack… how it works? Execute the code which is “already” present in the memory Usually used to bypass NX Bypass Protections © Marco Romano - nemux.org
  • 35.
    Bypass Stack ASLR Goal:Find a stack pointer “System” applies a restriction… Bypass Protections © Marco Romano - nemux.org
  • 36.
    Bypass Stack ASLR Goal:Find a stack pointer …but she’s smart! Bypass Protections Answer is “NO” © Marco Romano - nemux.org
  • 37.
    Bypass Stack ASLR Goal:Find a stack pointer “Code reuse” attack… exploitation purpose 1. Libraries: Fixed location in memory 2. Plan: Concatenate “pieces” of (that) code 3. Get a (randomized) stack pointer to defeat ASLR Bypass Protections © Marco Romano - nemux.org
  • 38.
    Cache coherence Goal: Defeatcache coherence MIPS CPUs have 2 separate caches (data and instructions) Cache != Protection… but affect exploitation! • Our payload will be in memory as data • Hijack control flow… and Shellcode in D-cache • How to move Shellcode in Main Memory? Bypass Protections © Marco Romano - nemux.org
  • 39.
    “Bypass” Cache coherence CacheFlushing… how to 1. Filling the D-cache to force the CPU to write-back 2. cacheflush() systemcall 3. Call a blocking function (like sleep() or similar) Cache != Protection… and we can defeat it! Bypass Protections Goal: Defeat cache coherence © Marco Romano - nemux.org
  • 40.
     put them alltogether… Goal: Execute a “connect back” shellcode Chain of “Gadgets” - Step 1 - Defeat Cache Inject arbitrary code Hijack Control Flow “Init” Gadget “Double-Jump” Gadget call usleep() set usleep() arg jump next… © Marco Romano - nemux.org
  • 41.
     put them alltogether… Goal: Execute a “connect back” shellcode Chain of “Gadgets” - Step 2 - Defeat Stack ASLR Inject arbitrary code Move Stack Pointer in $A1 Move $A1 in $V0 Jump to $V0 © Marco Romano - nemux.org
  • 42.
     put them alltogether… Goal: Execute a “connect back” shellcode Chain of “Gadgets” - Step 3 - Execute Shellcode Inject arbitrary code Ehi! That’s my code… Connect back shell… port 8080 © Marco Romano - nemux.org
  • 43.
    Wait for aroot shell… Goal: Execute a “connect back” shellcode Execute arbitrary code © Marco Romano - nemux.org
  • 44.
    Let’s play the badguys © Marco Romano - nemux.org Botnet
  • 45.
    …while you waitfor the crypto miner botnet © Marco Romano - nemux.org Don’t do this at home! :-)
  • 46.
    TIMELINE 2016 February 2018 ME —> EDIMAX Proofof concept March 2018 EDIMAX —> ME Private Beta version April 2018 New Firmware (??) CVE-2018-8072 © Marco Romano - nemux.org
  • 47.
    Thank you! © MarcoRomano - nemux.org https://gitlab.com/nemux/CVE-2018-8072