SlideShare a Scribd company logo

How *NOT* to firmware

Download as PPTX, PDF
Amit Serper, profile picture
Amit Serper

The document discusses a critical security vulnerability in a web server's handling of HTTP requests, wherein user-controlled strings can be passed to the system() function, allowing unauthorized code execution as root. It highlights the insecure implementation of CGI scripts and their logging mechanism, leading to severe implications for server security. The author emphasizes the outdated practices being used that can be exploited easily by attackers.

Software
1 of 27
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
HOW *NOT* TO FIRMWARE The tale of the vulnerable night hawk, By Amit Serper
$WHOAMI • Principal security researcher @ Cybereason • I LOVE EMBEDDED HACKING (used to make my living off of it) • I was here ~3 months ago talking about command injections • I am going to do that again right now @0xAmit
Background
How *NOT* to firmware
HTTP REQUESTS – QUICK REMINDER
How *NOT* to firmware
COMMAND INJECTIONS– QUICK REMINDER
LETS GET BACK TO IT…
YOU KNOW WHAT THAT MEANS… Someone passes a user controlled string to system()
YOU KNOW WHAT THAT MEANS… That user controlled string Is in the friggin URL
YOU KNOW WHAT THAT MEANS… It is actually in the HTTP Request itself
YOU KNOW WHAT THAT MEANS… The server just accepts And executes the Command => no auth
SO WAIT A MINUTE… If a user control string which is the HTTP request itself gets passed as an argument to system(), does this mean what I…? Oh shit.
THAT MEANS… EVERYONE GETS CODE EXECUTION AS ROOT!
QUESTIONS… • Where exactly in the code is the mistake and does it look like what I think it looks like • Are they actually calling system? • Why?! What for and how many times…
IDA PRO TIME…
How *NOT* to firmware
How *NOT* to firmware
How *NOT* to firmware
How *NOT* to firmware
SO WHAT’S GOING ON? • The webserver implements a bunch of server side functionality using ’cgi-bin’ • Cgi-bin is a generic name for scripts that are being processed on the server side using input from the client side •That is a terrible idea. The 90s are over. WTF.
How *NOT* to firmware
How *NOT* to firmware
SO WHAT’S ACTUALLY GOING ON HERE? • The webserver implements a bunch of server side functionality using ’cgi-bin’ • Cgi-bin is a generic name for scripts that are being processed on the server side using input from the client side • All of those scripts are in the /cgi-bin/ directory • One of those things is to LOG the parameters in the HTTP requests to a file. • The logging is done by doing something roughly like this: • system(“echo %s >/tmp/options_result”, USER_INPUT); • Since any request to cgi-bin/ is being handled that way… That means…
THAT MEANS… EVERYONE GETS CODE EXECUTION AS ROOT!
AS EASY AS http://<ip>/cgi-bin/;command
How *NOT* to firmware

More Related Content

PPTX
The internet of $h1t
Amit Serper
 
PDF
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow
 
PPTX
Иван Новиков «Elastic search»
Mail.ru Group
 
ODP
From Test to Live with Rex
Jan Gehring
 
PDF
Git+jenkins+rex presentation
Dwi Sasongko Supriyadi
 
PDF
Deep drive into rust programming language
Vigneshwer Dhinakaran
 
PDF
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
Tom Limoncelli
 
KEY
Sentry (SF Python, Feb)
zeeg
 
The internet of $h1t
Amit Serper
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow
 
Иван Новиков «Elastic search»
Mail.ru Group
 
From Test to Live with Rex
Jan Gehring
 
Git+jenkins+rex presentation
Dwi Sasongko Supriyadi
 
Deep drive into rust programming language
Vigneshwer Dhinakaran
 
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
Tom Limoncelli
 
Sentry (SF Python, Feb)
zeeg
 

What's hot (20)

PDF
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Codemotion
 
PDF
Composer Tutorial (PHP Hampshire Sept 2013)
James Titcumb
 
PDF
Deployment tales
Amoniac OÜ
 
PDF
Deployment tales
Aleksandr Simonov
 
PDF
What's new in Symfony3
Yuki MAEJIMA
 
PDF
Dive into sentry
Leo Zhou
 
PPTX
Programming The Arduino Due in Rust
kellogh
 
PPT
Rust Programming Language
Jaeju Kim
 
PDF
Sinatra: прошлое, будущее и настоящее
.toster
 
PPTX
DefCamp 2013 - MSF Into The Worm Hole
DefCamp
 
PPT
Loading JavaScript: Even a caveman can do it
Kyle Simpson
 
ODP
Linuxday.at - Lightning Talk
Jan Gehring
 
PDF
Automate Yo'self -- SeaGL
John Anderson
 
PDF
How to use miniedit
Takuji IIMURA
 
PPT
Python for pentesters
Rashid feroz
 
PDF
Master-Master Replication and Scaling of an Application Between Each of the I...
vsoshnikov
 
PPT
Resumable File Upload API using GridFS and TUS
khangtoh
 
PDF
How to Shrink from 5 Tiers to 2 in a Multitier Microservices Architecture
vsoshnikov
 
ODP
Lighning Talk: composer repositories
Bryan Agee
 
PPTX
Infrastructure development on windows ldn cd meetup
Owain Perry
 
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Codemotion
 
Composer Tutorial (PHP Hampshire Sept 2013)
James Titcumb
 
Deployment tales
Amoniac OÜ
 
Deployment tales
Aleksandr Simonov
 
What's new in Symfony3
Yuki MAEJIMA
 
Dive into sentry
Leo Zhou
 
Programming The Arduino Due in Rust
kellogh
 
Rust Programming Language
Jaeju Kim
 
Sinatra: прошлое, будущее и настоящее
.toster
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp
 
Loading JavaScript: Even a caveman can do it
Kyle Simpson
 
Linuxday.at - Lightning Talk
Jan Gehring
 
Automate Yo'self -- SeaGL
John Anderson
 
How to use miniedit
Takuji IIMURA
 
Python for pentesters
Rashid feroz
 
Master-Master Replication and Scaling of an Application Between Each of the I...
vsoshnikov
 
Resumable File Upload API using GridFS and TUS
khangtoh
 
How to Shrink from 5 Tiers to 2 in a Multitier Microservices Architecture
vsoshnikov
 
Lighning Talk: composer repositories
Bryan Agee
 
Infrastructure development on windows ldn cd meetup
Owain Perry
 
Ad

Similar to How *NOT* to firmware (20)

PDF
Hacking sites for fun and profit
David Stockton
 
PDF
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat Security Conference
 
PDF
Hacking sites for fun and profit
David Stockton
 
PDF
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Lior Rotkovitch
 
PPTX
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
PPTX
Mitigating CSRF with two lines of codes
Minhaz A V
 
PDF
H4CK1N6 - Web Application Security
Oliver Hader
 
PDF
Secure all things with CBSecurity 3
Ortus Solutions, Corp
 
PDF
BSides Lisbon 2013 - All your sites belong to Burp
Tiago Mendo
 
PPTX
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
Lior Rotkovitch
 
PPTX
Hacking routers as Web Hacker
HeadLightSecurity
 
PDF
Security in php
Jalpesh Vasa
 
PDF
Workshop on Network Security
UC San Diego
 
PDF
API SECURITY
Tubagus Rizky Dharmawan
 
PDF
Building real time applications with Symfony2
Antonio Peric-Mazar
 
PDF
Hacking routers as Web Hacker
Михаил Фирстов
 
PPTX
Redesigning Password Authentication for the Modern Web
Cliff Smith
 
PPTX
Unit 3_detailed_automotiving_mobiles.pptx
VijaySasanM21IT
 
PDF
Breaking Smart Speakers: We are Listening to You.
Priyanka Aash
 
PDF
Ruby on Rails Security Guide
ihji
 
Hacking sites for fun and profit
David Stockton
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat Security Conference
 
Hacking sites for fun and profit
David Stockton
 
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Lior Rotkovitch
 
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Mitigating CSRF with two lines of codes
Minhaz A V
 
H4CK1N6 - Web Application Security
Oliver Hader
 
Secure all things with CBSecurity 3
Ortus Solutions, Corp
 
BSides Lisbon 2013 - All your sites belong to Burp
Tiago Mendo
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
Lior Rotkovitch
 
Hacking routers as Web Hacker
HeadLightSecurity
 
Security in php
Jalpesh Vasa
 
Workshop on Network Security
UC San Diego
 
API SECURITY
Tubagus Rizky Dharmawan
 
Building real time applications with Symfony2
Antonio Peric-Mazar
 
Hacking routers as Web Hacker
Михаил Фирстов
 
Redesigning Password Authentication for the Modern Web
Cliff Smith
 
Unit 3_detailed_automotiving_mobiles.pptx
VijaySasanM21IT
 
Breaking Smart Speakers: We are Listening to You.
Priyanka Aash
 
Ruby on Rails Security Guide
ihji
 
Ad

Recently uploaded (20)

PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
Transform Your Business with a Software ERP System
Canada Software Company
 
Introduction Database Management System for Course Database
ReinertYosua
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 

How *NOT* to firmware

  • 1. HOW *NOT* TO FIRMWARE The tale of the vulnerable night hawk, By Amit Serper
  • 2. $WHOAMI • Principal security researcher @ Cybereason • I LOVE EMBEDDED HACKING (used to make my living off of it) • I was here ~3 months ago talking about command injections • I am going to do that again right now @0xAmit
  • 5. HTTP REQUESTS – QUICK REMINDER
  • 8. LETS GET BACK TO IT…
  • 9. YOU KNOW WHAT THAT MEANS… Someone passes a user controlled string to system()
  • 10. YOU KNOW WHAT THAT MEANS… That user controlled string Is in the friggin URL
  • 11. YOU KNOW WHAT THAT MEANS… It is actually in the HTTP Request itself
  • 12. YOU KNOW WHAT THAT MEANS… The server just accepts And executes the Command => no auth
  • 13. SO WAIT A MINUTE… If a user control string which is the HTTP request itself gets passed as an argument to system(), does this mean what I…? Oh shit.
  • 14. THAT MEANS… EVERYONE GETS CODE EXECUTION AS ROOT!
  • 15. QUESTIONS… • Where exactly in the code is the mistake and does it look like what I think it looks like • Are they actually calling system? • Why?! What for and how many times…
  • 21. SO WHAT’S GOING ON? • The webserver implements a bunch of server side functionality using ’cgi-bin’ • Cgi-bin is a generic name for scripts that are being processed on the server side using input from the client side •That is a terrible idea. The 90s are over. WTF.
  • 24. SO WHAT’S ACTUALLY GOING ON HERE? • The webserver implements a bunch of server side functionality using ’cgi-bin’ • Cgi-bin is a generic name for scripts that are being processed on the server side using input from the client side • All of those scripts are in the /cgi-bin/ directory • One of those things is to LOG the parameters in the HTTP requests to a file. • The logging is done by doing something roughly like this: • system(“echo %s >/tmp/options_result”, USER_INPUT); • Since any request to cgi-bin/ is being handled that way… That means…
  • 25. THAT MEANS… EVERYONE GETS CODE EXECUTION AS ROOT!