SlideShare a Scribd company logo

Device inspection to remote root

Tim N, profile picture
Tim N

The document discusses the inspection and exploitation of a fixed wireless terminal, focusing on vulnerabilities that allow for remote root access. It details the technical components, management interfaces, and specific vulnerabilities such as unpickling serialized objects, which can be leveraged for malicious activities. The author outlines potential attack methodologies and demonstrates how to exploit these weaknesses for profit, including creating botnets.

Internet
Related topics:
Information Security
1 of 28
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Device inspection To remoteroot Uncovering the sekritz of proprietary software on a fixed wireless terminal and weap0nizing them into a remote exploit Where What Who Ruxmon Melbourne Device Inspection to remote root Tim Noise
tIMNOISE • twitter/dnoiz1 • github/dnoiz1 • mIRC/dnz • streetz/notorious D N Z • tim@drkns.net Internet subscriber and pirate impersonator
FixedWirelessTerminals • Linux Based • System on Chip • Provide PoTS and ADSL • 3G/LTE Backhaul • Battery and Solar • Remote Managed • Deployed in Clusters For people without copper or fiber
ExternalConnectors • Ether over USB (DHCP) • Aerial socket • SIM Card slot • 2 RJ11 ports for ADSL CPE and PoTS Things we can probe
ExternalConnectors • SIM Card slot • 2 Management
 Ethernet Ports (NO DHCP) • 2 RJ11 power management ports Things we can probe
WhatsInside?Rub the torx and the genie comes out CPU NAND0 NAND1 UART Removable CF Card for /
WhatsInside?Rub the torx and the genie comes out Mini PCMCIA 3G Modem
BootProcessRedboot the buspirate, yarr GND RX TX VCC / NC
GainingROOTalways want that uid 0 - the usual tricks • Removable root Media • hashcat / jtr • kernel paramaters • init=/bin/sh • single user mode • Lucky for us, the root password is printed on the PCB (not even joking)
MANAGEMENTInTERFACEthe dububdub
MANAGEMENTInTERFACEthe dububdub
LoggingINConnecting using the management USB interface
PortsANDProcessessWhats running on this thing?
PortsANDProcessessWhats running on this thing?
PortsANDProcessessWhats running on this thing?
BacktotheSourceWhere is this process stored and launched from
DECOMPYLEUsing multiline strings as comments is great!
Vulnerability1:UNPICKLESerializing objects its so convenient for passing them over a udp socket
Vulnerability1:UNPICKLESerializing objects its so convenient for passing them over a udp socket
PuttingitallTogethermaking use of our discovered vulnerabilities
PuttingitallTogethermaking use of our discovered vulnerabilities
PuttingitallTogethermaking use of our discovered vulnerabilities
PuttingitallTogethermaking use of our discovered vulnerabilities
DEMO
Device inspection to remote root
OneStepFURTHER • Connect back payloads • Dial 1900 numbers for profit • UDP broadcast the attack • Intercept data and telephony • Insta-botnet / onion network • Other bad things For internet bad men
QUESTIONS?
tIMNOISE • twitter/dnoiz1 • github/dnoiz1 • mIRC/dnz • streetz/notorious D N Z • tim@drkns.net Internet subscriber and pirate impersonator

More Related Content

PDF
ifwt remote (sydney ruxmon edition)
Tim N
 
PDF
Git Money
Tim N
 
PDF
Practically DROWNing
Tim N
 
PDF
Unifi'd Ownage
Tim N
 
PDF
Bus Pirate Workshop Ruxcon Hardware Hacking 2017
Tim N
 
PDF
Mototrbo
Tim N
 
PPTX
Uncommon MiTM in uncommon conditions
HeadLightSecurity
 
PPT
[ENG] IPv6 shipworm + My little Windows domain pwnie
Zoltan Balazs
 
ifwt remote (sydney ruxmon edition)
Tim N
 
Git Money
Tim N
 
Practically DROWNing
Tim N
 
Unifi'd Ownage
Tim N
 
Bus Pirate Workshop Ruxcon Hardware Hacking 2017
Tim N
 
Mototrbo
Tim N
 
Uncommon MiTM in uncommon conditions
HeadLightSecurity
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
Zoltan Balazs
 

What's hot (20)

PPTX
Hacking routers as Web Hacker
HeadLightSecurity
 
PPTX
Gadgets
Alexander Rivera
 
PDF
Solnik secure enclaveprocessor-pacsec
PacSecJP
 
PPTX
A Science Project: Swift Serial Chat
yeokm1
 
PPTX
Making and breaking security in embedded devices
Yashin Mehaboobe
 
PPTX
Hardware Hacking Primer
Yashin Mehaboobe
 
PDF
Kasza smashing the_jars
PacSecJP
 
PDF
Уязвимости программного обеспечения телекоммуникационного оборудования Yota
HeadLightSecurity
 
PDF
IoT mit Rust programmieren
Lars Gregori
 
PDF
BSD Sockets API in Zephyr RTOS - SFO17-108
Linaro
 
PDF
Arpwall - protect from ARP spoofing
Ammar WK
 
PDF
Operating System fo IoT
Pradeep Kumar TS
 
PDF
MOVED: RDK/WPE Port on DB410C - SFO17-206
Linaro
 
PDF
Secrets of a linux ninja Software Freedom Day 2013 Johannesburg, South Africa
Jumping Bean
 
PDF
Is Rust Programming ready for embedded development?
Knoldus Inc.
 
PDF
PLNOG 21: Ron Broersma - Historical_Perspectives_on_Computing, Networking, Se...
PROIDEA
 
PDF
Fedora 12 Introduction
Ratnadeep Debnath
 
PPTX
Kali linux summarised
Sanchit Srivastava
 
PPTX
Wiznet Ethernet library for ARM mbed
Jinbuhm Kim
 
PDF
FOSDEM2015: Porting Tizen:Common to open source hardware devices
Phil www.rzr.online.fr
 
Hacking routers as Web Hacker
HeadLightSecurity
 
Gadgets
Alexander Rivera
 
Solnik secure enclaveprocessor-pacsec
PacSecJP
 
A Science Project: Swift Serial Chat
yeokm1
 
Making and breaking security in embedded devices
Yashin Mehaboobe
 
Hardware Hacking Primer
Yashin Mehaboobe
 
Kasza smashing the_jars
PacSecJP
 
Уязвимости программного обеспечения телекоммуникационного оборудования Yota
HeadLightSecurity
 
IoT mit Rust programmieren
Lars Gregori
 
BSD Sockets API in Zephyr RTOS - SFO17-108
Linaro
 
Arpwall - protect from ARP spoofing
Ammar WK
 
Operating System fo IoT
Pradeep Kumar TS
 
MOVED: RDK/WPE Port on DB410C - SFO17-206
Linaro
 
Secrets of a linux ninja Software Freedom Day 2013 Johannesburg, South Africa
Jumping Bean
 
Is Rust Programming ready for embedded development?
Knoldus Inc.
 
PLNOG 21: Ron Broersma - Historical_Perspectives_on_Computing, Networking, Se...
PROIDEA
 
Fedora 12 Introduction
Ratnadeep Debnath
 
Kali linux summarised
Sanchit Srivastava
 
Wiznet Ethernet library for ARM mbed
Jinbuhm Kim
 
FOSDEM2015: Porting Tizen:Common to open source hardware devices
Phil www.rzr.online.fr
 
Ad

Viewers also liked (17)

PDF
Catalogo Inspiraflor
Inspiraflor
 
PPTX
медиаобразование
Olga Shaporina
 
DOCX
Отчет. приложение 2.
Софья Митрошина
 
PDF
Benefits and struggles of Lean Game Development
BitCake Studio
 
PPTX
La informacion
yaneth Rodríguez Hinojosa
 
PDF
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
 
PDF
Designing Teams for Emerging Challenges
Aaron Irizarry
 
PDF
Visual Design with Data
Seth Familian
 
PDF
3 Things Every Sales Team Needs to Be Thinking About in 2017
Drift
 
PDF
How to Become a Thought Leader in Your Niche
Leslie Samuel
 
PPTX
SOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITY
DialogueScience
 
PDF
Espcinvestmentgradeaudit
Darpan Chaudhary
 
PPTX
Makanan Tradisional
nurulrosidah
 
PPTX
Mapping the NHS - Liverpool, for NHS Citizen NW, 29th of May
NHSCitizen
 
PDF
Portfolio
Cinzia Spada
 
DOCX
Articolo
Silvia Neri
 
PPTX
Bubble Narratives - Preston Teeter - Confirmation Speech
Preston B Teeter
 
Catalogo Inspiraflor
Inspiraflor
 
медиаобразование
Olga Shaporina
 
Отчет. приложение 2.
Софья Митрошина
 
Benefits and struggles of Lean Game Development
BitCake Studio
 
La informacion
yaneth Rodríguez Hinojosa
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
 
Designing Teams for Emerging Challenges
Aaron Irizarry
 
Visual Design with Data
Seth Familian
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
Drift
 
How to Become a Thought Leader in Your Niche
Leslie Samuel
 
SOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITY
DialogueScience
 
Espcinvestmentgradeaudit
Darpan Chaudhary
 
Makanan Tradisional
nurulrosidah
 
Mapping the NHS - Liverpool, for NHS Citizen NW, 29th of May
NHSCitizen
 
Portfolio
Cinzia Spada
 
Articolo
Silvia Neri
 
Bubble Narratives - Preston Teeter - Confirmation Speech
Preston B Teeter
 
Ad

Similar to Device inspection to remote root (20)

PDF
Docking stations andy_davis_ncc_group_slides
NCC Group
 
PDF
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 
PPTX
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
Santhosh Kumar
 
PDF
When DevOps and Networking Intersect by Brent Salisbury of socketplane.io
DevOps4Networks
 
PDF
Republic of IoT 2018 - ESPectro32 and NB-IoT Workshop
Alwin Arrasyid
 
PPTX
2017 - LISA - LinkedIn's Distributed Firewall (DFW)
Mike Svoboda
 
PDF
Bh fed-03-kaminsky
Dan Kaminsky
 
PDF
IOT Exploitation
Cysinfo Cyber Security Community
 
PDF
Introduction to SDN
Muhammad Moinur Rahman
 
PPTX
28c3 in 15
antitree
 
PDF
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
PDF
DefCon 2012 - Gaining Access to User Android Data
Michael Smith
 
PPTX
Security Onion
johndegruyter
 
PDF
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik
 
PPTX
Steelcon 2015 - 0wning the internet of trash
infodox
 
PDF
Keeping your rack cool with one "/IP route rule"
Faelix Ltd
 
PDF
Keeping your rack cool
Pavel Odintsov
 
PDF
Insecure Obsolete and Trivial - The Real IOT
Price McDonald
 
PDF
What is SDN and how to approach it with Python
Justin Park
 
PPSX
2018 all lens bag of tricks v1.2
Len Noe
 
Docking stations andy_davis_ncc_group_slides
NCC Group
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
Santhosh Kumar
 
When DevOps and Networking Intersect by Brent Salisbury of socketplane.io
DevOps4Networks
 
Republic of IoT 2018 - ESPectro32 and NB-IoT Workshop
Alwin Arrasyid
 
2017 - LISA - LinkedIn's Distributed Firewall (DFW)
Mike Svoboda
 
Bh fed-03-kaminsky
Dan Kaminsky
 
IOT Exploitation
Cysinfo Cyber Security Community
 
Introduction to SDN
Muhammad Moinur Rahman
 
28c3 in 15
antitree
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
DefCon 2012 - Gaining Access to User Android Data
Michael Smith
 
Security Onion
johndegruyter
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik
 
Steelcon 2015 - 0wning the internet of trash
infodox
 
Keeping your rack cool with one "/IP route rule"
Faelix Ltd
 
Keeping your rack cool
Pavel Odintsov
 
Insecure Obsolete and Trivial - The Real IOT
Price McDonald
 
What is SDN and how to approach it with Python
Justin Park
 
2018 all lens bag of tricks v1.2
Len Noe
 

Recently uploaded (20)

PDF
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PPTX
Digital Literacy And Online Safety on internet
riksa rifqi
 
PDF
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 
PDF
Slides PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
PPTX
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
PPTX
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
PPTX
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
PPTX
PptxGenJS_Demo_Chart_20250317130215833.pptx
itruongva
 
PPTX
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
PPT
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
PPTX
Internet___Basics___Styled_ presentation
poonam62133
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
PPTX
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
PPTX
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
Funds Management Learning Material for Beg
NKKumar16
 
Digital Literacy And Online Safety on internet
riksa rifqi
 
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 
Slides PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
PptxGenJS_Demo_Chart_20250317130215833.pptx
itruongva
 
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
Internet___Basics___Styled_ presentation
poonam62133
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 

Device inspection to remote root