Attacking Embedded Devices (No Axe Required)
Transcript of Attacking Embedded Devices (No Axe Required)
Attacking Embedded Systems: No Axe Required
Paul Asadoorian
Special thanks to Allison Nixon, Craig Heffner & Robert Kornmeyer
Copyright 2013
Paul Asadoorian
• Day Job: Tenable Network Security Product Evangelist (Primarily Nessus)
• Founder of Security Weekly(weekly podcast, Internet TV)
• Gets hands dirty on penetration tests
• Loves family, embedded devices, cigars, fishing and Kung Fu movies
Attacking Embedded Systems
FACT: Embedded systems security stinks.
Attacking Embedded Systems
GOAL: Give you methods for finding embedded device vulnerabilities easily.
Topics We Will Cover
• Why should you care about embedded device vulnerabilities?
• Detection & Enumeration
• Combat Firmware Analysis
• Light Reverse Engineering: Ripping apart firmware, emulating firmware
Why We Care About Embedded Device Vulnerabilities
Hacking Like It's 1999
• Devices ship with all sorts of vulnerabilities (buffer overflows, command injection, CSRF)
• Small footprint means security is often left out (no ASLR, no DEP)
• High occurrence of re-use (esp. on Linux devices: someone gets it working once and no one wants to change it)
No One Pays Attention
• If it ain’t broke...
• Dedicated devices often just work, updates break things
• They receive a lower priority than patching desktops and servers
• They don’t contain sensitive data (dangerous notion!)
• End users don’t even know they can be updated
Critical Path (Direct and Indirect)
• Sensitive data passes through devices (printers, WAPs, switches, routers)
• Attackers use them to gain a foothold (proxies, sniff passwords, scan the network)
• Easily allows attackers to monitor (web cameras, video teleconferencing)
Evil Router
Getting Worse?
http://securityevaluators.com/content/case-studies/routers/soho_router_hacks.jsp
Doomed To Repeat
• At BlackHat 2009, Felix Lindner explored the feasibility and techniques that could be used to attack commercial grade routers.
• In May 2012, it was disclosed that WiFi Protected Setup (WPS) uses an eight-digit PIN for authentication, and an attacker can determine whether the first four digits of an attempted PIN are correct without regard to the last four.
• At BlackHat 2012, Phil Purviance (Superevr) demonstrated a cross-site file upload vulnerability in the Linksys WRT54GL.
• In January 2013, DefenseCode released an advisory describing a remote, unauthenticated format string vulnerability in the Broadcom UPnP software that escalated to root shell access.
• In January 2013, HD Moore disclosed that numerous home routers exposed UPnP services, including SSDP Discovery and SOAP, to the Internet (WAN) side of the device.
• In March 2013, Michael Messner disclosed vulnerabilities ranging from minor to critical in D-Link, TP-Link, Netgear, and Linksys routers.
• Independent Security Evaluators (ISE), a security consultancy based in Baltimore, found that all of the routers they tested could be taken over if the hacker had access credentials. The tested products came from Linksys, Belkin, Netgear, Verizon and D-Link. (April 2013)
• Phil Purviance, Application Security Consultant, AppSec Consulting, Inc., disclosed 5 vulnerabilities in Linksys routers. Cisco did not issue fixes. (April 2013)
• An unnamed researcher used a simple, binary technique to take control of more than 420,000 insecure devices including webcams, routers, and printers running on the Internet. (March 2013)
Primary Source: http://securityevaluators.com/content/case-studies/routers/soho_router_hacks.jsp
Detection & Enumeration
Identify The Device: Passive
• DNS Recon - Zone transfer, brute force forward lookups, reverse lookup IPs
• Look for devices with suspicious names (router, camera, video teleconference related)
• Search public sources of information
  • Forum post: “We just bought a new XYZ device”
  • Public web page
  • Shodan: “net:<cidr range>”
Identify The Device: Active
• Nessus
• I wrote an article: Scanning Embedded Systems In The Enterprise With Nessus (http://bit.ly/10nRtdT)
• Nmap
  • nmap -P0 -vv -sS -r -n -p 1-65535 192.168.1.7
  • nmap -P0 -T5 -sU -r -n -p 1-1024 192.168.1.7
  • (-P0 is the older spelling of today's -Pn, skip host discovery; Nmap still accepts both)
• Peeper.py (https://github.com/invisiblethreat/peeper)
• Takes screenshots of all web sites in Nessus results
• recon-ng - General purposes recon tool
Nessus 5.2: Web Screenshot
Other People’s Research
• Once you identify the device, see if others have reverse engineered the firmware
• Or disclosed vulnerabilities
• Great resources:
  • http://www.devttys0.com
  • http://this8bitlife.com/adventures-in-linux-reverse-engineering-firmware/
  • http://www.digitalworldz.co.uk/47718-looking-inside-jffs2-images.html
  • http://bramp.net/blog/2012/01/hacking-linksys-e4200v2-firmware/
  • http://wiki.securityweekly.com/wiki/index.php/Episode320#Interview:_Craig_Heffner (interview with the binwalk author)
Determine Device Type
• Visit web configuration screen
• Banners:
  • SNMP
• FTP
• TELNET
• SSH
• Is it running FOSS that has known vulnerabilities?
TELNET Exposed
Web Interface Exposed
Conference Room Exposed
RTFM
Offline Work
• Visit the manufacturer’s web site:
  • Read manuals (default passwords? Win!)
  • Review software license (GNU software? Runs Linux!)
• Download firmware: this starts an entirely new process. We won’t cover debugging with IDA, but there are quicker wins.
Combat Firmware Analysis
Basic Analysis: strings
$ strings -8 firmware.bin | grep "^/" | less
/webauth/login.htm
/webauth/login_fail.htm
/webauth/login_fail_held.htm
/webauth/login_full.htm
/webauth/login_success.htm
/webauth/login.htm?oriurl=
Find all lines with 8 characters or more that begin with “/”.
Find Authentication Bypass
#!/bin/bash
# webfiles: one URL path per line, dumped from the firmware with strings
PAGES=`cat webfiles`
for p in $PAGES
do
    wget "http://192.168.1.7$p"
done
“webfiles” contains all web page URLs dumped from firmware
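The strings dump and the wget loop above, combined into one audit script, as an added example that is not from the slides: extract_paths() applies the same filter as strings -8 | grep "^/", and check_device() requests each path without credentials and flags pages the device answers with neither a redirect to the login page nor the login page itself. The device address 192.168.1.7 and the /webauth/ paths come from the slides; /cgi-bin/status.cgi, the response table and the firmware fragment are constructed.

```python
import re
import urllib.error
import urllib.request

# Same selection as `strings -8 firmware.bin | grep "^/"`: a printable run of at least
# 8 bytes that starts with "/" and is not preceded by another printable byte.
PATH_RE = re.compile(rb"(?<![\x21-\x7e])/[\x21-\x7e]{7,}")

def extract_paths(blob):
    """Dump candidate URL paths from a firmware blob; query suffixes like ?oriurl= are dropped."""
    return sorted({m.group().split(b"?")[0].decode("ascii") for m in PATH_RE.finditer(blob)})

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # report the 3xx instead of following it

def http_fetch(url, timeout=5):
    """Return (status, Location header, body) for one unauthenticated GET."""
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout) as r:
            return r.status, r.headers.get("Location"), r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), e.read()

def check_device(base_url, paths, login_path, fetch=http_fetch):
    """Request each path without credentials and classify the answer. A redirect to the
    login page, or a body identical to it, means the page is protected; a 200 with other
    content is flagged for manual review (that is the slide's authentication bypass)."""
    login_body = fetch(base_url + login_path)[2]
    results = {}
    for p in paths:
        status, location, body = fetch(base_url + p)
        if status in (301, 302, 303, 307, 308) and location and login_path in location:
            results[p] = "redirected-to-login"
        elif status in (401, 403):
            results[p] = "auth-required"
        elif status == 200 and body == login_body:
            results[p] = "login-page-served"
        elif status == 200:
            results[p] = "SERVED-WITHOUT-AUTH"
        else:
            results[p] = f"http-{status}"
    return results

# Constructed firmware fragment and device answers (hypothetical, not from a real device).
CONSTRUCTED_BLOB = (b"\x7fELF\x01\x01/webauth/login.htm\0/webauth/login.htm?oriurl=\0"
                    b"/webauth/login_fail.htm\0/short\0img/cgi-bin/status.cgi\0"
                    b"/cgi-bin/status.cgi\0" + b"\xff" * 8)
BASE_URL = "http://192.168.1.7"
LOGIN_BODY = b"<html><form action='/webauth/login.htm'>...</form></html>"
CONSTRUCTED_RESPONSES = {
    "/webauth/login.htm": (200, None, LOGIN_BODY),
    "/webauth/login_fail.htm": (302, "/webauth/login.htm", b""),
    "/cgi-bin/status.cgi": (200, None, b"<html>WAN status page</html>"),
}
def fake_fetch(url):
    return CONSTRUCTED_RESPONSES.get(url[len(BASE_URL):], (404, None, b""))

if __name__ == "__main__":
    verdicts = check_device(BASE_URL, extract_paths(CONSTRUCTED_BLOB), "/webauth/login.htm", fake_fetch)
    for path, verdict in verdicts.items():
        print(f"{verdict:<22}{path}")
```

Against a real device, pass the strings output as the blob and drop the fetch argument so http_fetch is used.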
Basic Analysis: hexdump
File system headers, boot devices, firmware type, etc...
Basic Analysis: grep
# grep --binary-files=text -bi "vxworks" ram.bin
# grep --binary-files=text -bi -A 50 "password" ram.bin
13899779:username admin password 7 21232f297a57a5a743894a0e4a801fc3
13899840-username guest access-level 0
13899870:username guest password 7 084e0343a0486ff05530df6c705c8bb4
13899931:enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
Light Firmware Analysis
Firmware Parts
Layout of the firmware on the flash device (MTD): nvram | Boot Loader (u-boot) | Kernel | File system | nvram
• nvram (1): used to store information for the BIOS (such as booting instructions, e.g. how long to wait)
• Boot Loader: boots up the kernel; u-boot, redboot, etc.
• Kernel: Linux, VxWorks or other OS-specific kernel.
• File System: SquashFS, CramFS, usually compressed, sometimes more than one
• nvram (2): stores device settings permanently on MTD
Reference: http://wiki.openwrt.org/doc/techref/start
Basic Firmware Analysis
http://wiki.securityweekly.com/wiki/index.php/Reverse_Engineering_Firmware_Primer
# binwalk DIR-850L_FW_v1.03b02.bin

DECIMAL       HEX          DESCRIPTION
-------------------------------------------------------------------------------
0             0x0          DLOB firmware header, boot partition: "dev=/dev/mtdblock/1"
589           0x24D        LZMA compressed data, properties: 0x88, dictionary size: 1048576 bytes, uncompressed size: 65535 bytes
10376         0x2888       LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 5034652 bytes
1638512       0x190070     PackImg section delimiter tag, little endian size: 12610048 bytes; big endian size: 6995968 bytes
1638544       0x190090     Squashfs filesystem, little endian, version 4.0, compression: lzma, size: 6992339 bytes, 2435 inodes, blocksize: 131072 bytes, created: Tue Mar 12 06:45:03 2013
Extract File System
# binwalk --dd=squashfs:1 DIR-850L_FW_v1.03b02.bin
# cd _DIR-850L_FW_v1.03b02.bin.extracted/
# file 190090.1
190090.1: Squashfs filesystem, little endian, version 4.0, 1778655743 bytes, 2435 inodes, blocksize: 0 bytes, created: Mon Sep 21 17:59:44 2026
Note that file(1) misreads the size, blocksize and creation date here (a 2026 date on a 2013 image); binwalk's parse of the same superblock is the one to trust.
Apply this method to several types of firmware to extract the file system and mount it.
SquashFS and CramFS are easier. JFFS2 is a PITA.
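The binwalk rows above come from a signature scan followed by a parse of the SquashFS v4 superblock; this added example (not the slides' code, nor binwalk's) does the same for the SquashFS part: it locates the "hsqs" magic, rejects false positives whose block_size does not match block_log, and reports the fields binwalk printed for the DIR-850L image. The image it scans is constructed with the page's values (offset 0x190090, 2435 inodes, lzma, 131072-byte blocks, 6992339 bytes); the superblock layout is the one from the SquashFS on-disk format.

```python
import struct
import time

SQUASHFS_MAGIC = b"hsqs"                     # little-endian magic at offset 0 of the superblock
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

def parse_squashfs_superblock(data, off):
    """Parse the 96-byte SquashFS v4 superblock at 'off'; None if the magic is a false positive."""
    if len(data) < off + 96:
        return None
    (magic, inodes, mtime, blksz, _frags, comp, blklog, _flags, _ids,
     vmaj, vmin) = struct.unpack_from("<4sIIIIHHHHHH", data, off)
    bytes_used = struct.unpack_from("<Q", data, off + 40)[0]   # follows the 8-byte root_inode
    # Sanity check: block_size must be 2**block_log and a legal SquashFS block size.
    if magic != SQUASHFS_MAGIC or blksz != (1 << blklog) or not 4096 <= blksz <= 1048576:
        return None
    return {"version": f"{vmaj}.{vmin}",
            "compression": COMPRESSORS.get(comp, f"unknown({comp})"),
            "size": bytes_used, "inodes": inodes, "blocksize": blksz,
            "created": time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(mtime))}

def scan_firmware(data):
    """Find every plausible SquashFS superblock and return binwalk-style (offset, description) rows."""
    rows, pos = [], 0
    while (pos := data.find(SQUASHFS_MAGIC, pos)) != -1:
        sb = parse_squashfs_superblock(data, pos)
        if sb is not None:
            rows.append((pos, "Squashfs filesystem, little endian, version {version}, compression: "
                              "{compression}, size: {size} bytes, {inodes} inodes, blocksize: "
                              "{blocksize} bytes, created: {created}".format(**sb)))
        pos += len(SQUASHFS_MAGIC)
    return rows

def build_superblock(inodes, mtime, blksz, comp, vmaj, vmin, bytes_used):
    """Constructed superblock for the test image (not taken from any real firmware)."""
    sb = struct.pack("<4sIIIIHHHHHH", SQUASHFS_MAGIC, inodes, mtime, blksz, 0, comp,
                     blksz.bit_length() - 1, 0, 1, vmaj, vmin)
    return (sb + struct.pack("<QQ", 0, bytes_used)).ljust(96, b"\0")

# Constructed image modelled on the DIR-850L layout above: a vendor header at 0, a decoy
# "hsqs" inside the header region, and the real superblock at 0x190090 (1638544).
CONSTRUCTED_IMAGE = (
    b"DLOB header (constructed)".ljust(0x100, b"\0")
    + b"hsqs" + bytes(92)                              # decoy: block_size 0 fails the sanity check
    + bytes(0x190090 - 0x100 - 96)
    + build_superblock(2435, 1363070703, 131072, 2, 4, 0, 6992339)   # 1363070703 = 2013-03-12 06:45:03 UTC
)

if __name__ == "__main__":
    print(f"{'DECIMAL':<12}{'HEX':<12}DESCRIPTION")
    for off, desc in scan_firmware(CONSTRUCTED_IMAGE):
        print(f"{off:<12}{hex(off):<12}{desc}")
```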
Firmware Toolkit
• Now we understand at least one building block
• Time to automate!
• Works best with home routers and access points
• Firmware toolkit is a collection of scripts and tools to extract firmware:
  • Firmware headers
  • Kernel
  • File system
Firmware Magic
# ./extract-ng.sh DIR-850L_FW_v1.03b02.bin
Firmware Mod Kit (build-ng) 0.78 beta, (c)2011-2012 Craig Heffner, Jeremy Collake
http://www.bitsum.com

Scanning firmware...

DECIMAL       HEX          DESCRIPTION
--------------------------------------------------------------------------------------
0             0x0          DLOB firmware header, signature=wrgac05_dlob.hans_dir850l, dev=/dev/mtdblock/1
1638544       0x190090     Squashfs filesystem, little endian, version 4.0, compression: lzma, size: 6992339 bytes, 2435 inodes, blocksize: 131072 bytes, created: Tue Mar 12 06:45:03 2013

Extracting 1638544 bytes of dlob header image at offset 0
Extracting squashfs file system at offset 1638544
Extracting squashfs files...
Firmware extraction successful!
Firmware parts can be found in 'fmk/*'
Mounts file systems for you!
File System Treasures
• Configuration files
• Password files
• SSL and SSH keys
• Web server pages and code
• Reverse engineer binaries
  • Load binaries in a debugger
  • Run strings against binaries
qemu is Your Friend
• Run ARM or MIPS binaries on your i386 system
• Allows you to debug them too
• And run the web server
• Then test using something like Burp
• Test devices without actually having the device!
• Find vulnerabilities pre-purchase
# chroot . ./qemu-mips-static sbin/httpd -f var/run/httpd.conf
# ./qemu-mips-static bin/ls
Enumerate The Web Pages
root@ubuntu:/usr/src/firmware-mod-kit-read-only/trunk/fmk/rootfs/htdocs# ls
cgibin          HNAP1    neap              phplib  upnpdevdesc  web        webinc
fileaccess.cgi  mydlink  parentalcontrols  upnp    upnpinc      webaccess  widget
Review source code for vulnerabilities!
Metasploit Payloads
• Metasploit now has a MIPS payload
  • http://bit.ly/ZE9zVN
• Several web command execution vulnerabilities
• Post-exploitation for embedded systems
The Sequel?
• We didn’t cover:
  • Manually extracting parts from unknown firmware
• Manually mounting file systems (tips and tricks)
• Running ARM firmware in full emulation
• Debugging binaries
• Stay tuned...
Listen: http://securityweekly.com/podcast
Watch: http://blip.tv/securityweekly
Read: http://securityweekly.com/wiki
Participate: http://mail.securityweekly.com