SOHOpelessly Broken
2 likes673 views
The document discusses embedded device security from a hacker's perspective, emphasizing that 100% of evaluated network systems were found vulnerable. It outlines hacking methodologies to exploit these weaknesses, detailing real-world examples and countermeasures. The author urges consumers and vendors to prioritize security in networked devices and product design.
![Command Injection – Vulnerable Code
<?php
$dig=shell_exec("dig {$_GET['Domain']}");
echo($dig);
?>](https://image.slidesharecdn.com/isesecot092015final-150915153332-lva1-app6892/85/SOHOpelessly-Broken-32-320.jpg)
![Directory Traversal– Vulnerable Code
<?php
if ($_GET['file'])
$file = $_GET['file'];
include('/var/www/'.$file);
?>](https://image.slidesharecdn.com/isesecot092015final-150915153332-lva1-app6892/85/SOHOpelessly-Broken-39-320.jpg)
![Buffer Overflow – Vulnerable Code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char * argv[]){
char argument[42];
if (argc < 2){
printf("n[!!!] Please supply a program argument. [!!!]nn");
exit(0);
}
printf("n[*] Gimppy's BOF code examplen");
strcpy(argument, argv[1]);
printf("[*] You supplied '%s' as your argument!n", argument);
printf("[*] Program Completed. n");
return 0;
}](https://image.slidesharecdn.com/isesecot092015final-150915153332-lva1-app6892/85/SOHOpelessly-Broken-43-320.jpg)
SOHOpelessly Broken
- 1. S O H O p e l e s s l y B r o k e n A Hacker’s Perspective on Embedded Device Security
- 2. Who Am I? ISE Confidential - not for distribution Paul Dant Chief Strategist @ ISE 9: First digital product 13: First legit black hat hack 17: First hacker caught 19: First legit white hat hack (p0wned a bank data processing center as part of a compliance audit)
- 3. About ISE • We are: - Ethical Hackers - Computer Scientists • Our clients are: - Fortune 500 Enterprises - Entertainment, Security Software, Healthcare • Our perspective is: – Everything is broken! – White hat testing rules
- 4. Why Should You Listen To Us? • 100% of network systems evaluated were vulnerable to exploitation. • Routers and storage systems are not the only embedded devices with egregious deficiencies. • These systems CAN and ARE being mass exploited.
- 5. #SOHOpelessly Broken HACK ROUTERS AND GET PAID https://sohopelesslybroken.com DEFCON 23, DerbyCon v4.0, BSIDES DC, ToorCon We launched the first IoT Village @ DEFCON 23
- 6. ISE Confidential | Not for Distribution ISE IoT Village DEF CON 23
- 7. Agenda Embedded Device Security Risks Why Do We Care? Hacking Methodology Real World Examples What Can We Do? Summary and Q&A ISE Confidential | Not for Distribution
- 8. Embedded Device Security Risks • Large attack surface • Default configurations are typically not secure at all • Assumption of security on the (wireless) LAN • Poor security design and implementation
- 9. Why Do We Care? • Large attack surface • Insecure by default • Assumption of security on the (wireless) LAN • Poor (or missing!) security design and implementation
- 10. Hacking Methodology • Information Gathering • Scanning and Enumeration • Gaining Access • Maintaining Access
- 11. Information Gathering • Administration Settings – Default credentials – Management interface(s) • WLAN Settings – SSID and wireless encryption • Network Service Settings – DHCP, DNS, SNMP, UPnP, SMB, FTP, etc.
- 12. Scanning and Enumeration • Identifying active hosts • Identifying open TCP/UDP ports • Identifying running services and versions
- 13. Scanning and Enumeration Cont. Port Scan Banner Grab TCP: nmap –sS –Pn –sV –p T:1-65535 X.X.X.X UDP: nmap –sU –Pn –p U:1-65535 X.X.X.X Netcat: nc –nv <X.X.X.X> <port>
- 14. Gaining Access • Service Investigation – Analyze web applications – Analyze servers (e.g., FTP, SMTP, SMB, HTTP) – Source Code Review (Static Code Analysis) – Fuzz Network Services (Dynamic Analysis)
- 15. Analyzing Web Applications • Understand the application – Programming languages used • Server side (e.g., PHP, .NET, Python, ASP, Ruby on Rails) • Client side (e.g., JavaScript, HTML, JSON, Flash) – Protocols and APIs used (e.g., SOAP, REST) – Internet Media Type/MIME (e.g., JavaScript, HTML) • Toolz – Web proxy (i.e., Burpsuite) – Firebug (JavaScript debugger, HTML inspection) – Web Crawler
- 16. Analyzing Web Applications Cont. Burpsuite Firebug
- 17. Analyzing Network Servers • Authentication – Type (e.g., Password, Key Pair) – Anonymous access/Weak or no credentials – Misconfigurations (e.g., Directory listing, permissions) • Encryption – SSL/TLS? – SSH (AES, 3DES)?
- 18. Static Code Analysis • If source code is available, GET IT! • Things to look for: – Logic flaws (e.g., authentication, authorization) – Functions not performing bounds-checking – Backdoors
- 19. Fuzzing (Dynamic Analysis) • What happens if peculiar input is introduced? – A{-G42!BBB}}}}}}///}}}}}}+=-_-1234d`~~((.)_(.))$ – AAAAAAAAAAAAAAAAAAAAAAAAAA • Fuzzers – SPIKE: generic_send_tcp X.X.X.X 21 ftp.spk 0 0 – BED: ./bed.pl -s HTTP -t X.X.X.X -p 80 – Metasploit Framework – Python!
- 21. SPIKE Cont. Fuzzing with Spike
- 22. Analyze Fuzzing Results • Toolz – Debugger (i.e., GDB) – System Call Tracer (i.e., strace) *Debugging ASUS RT-AC66U exploit
- 23. Gaining Access • Reverse Engineering – System Binaries • Simple RE Toolz and Techniques – Strings – Hexdump – Grep – Open source? Perform static analysis! • Exploit Development
- 24. Reverse Engineering Toolz and Techniques • Strings: strings –n <INT> <FILE> *TP-Link TL-1043ND Firmware
- 25. Reverse Engineering Toolz and Techniques • Grep: grep –R <string> * *Code from the TRENDnet TEW-812DRU
- 26. Exploit Development • Cross-Site Request Forgery • Command Injection • Missing Function Level Access Control – Authentication Bypass – Authorization Bypass • Directory Traversal • Buffer Overflow
- 27. Cross-Site Request Forgery #define: CSRF is an attack that forces an unsuspecting victim into executing web commands that perform unwanted actions on a web application. Gimppy (Attacker) Jad (Victim) Web Application Attacker Web Server
- 28. Testing for Cross-Site Request Forgery • Anti-CSRF Tokens? • HTTP referrer checking?
- 29. Cross-Site Request Forgery Countermeasures • Users – Logout of web applications – Do NOT save credentials in your browser • Developers – Implement Anti-CSRF tokens AND HTTP referrer checking – Feeling ambitious? Require the user to authenticate before performing a state change
- 30. Command Injection #define: Command Injection is a form of attack where operating system specific commands are injected into a vulnerable application for execution.
- 31. Testing for Command Injection • Survey the application – Look for application features that could call underlying system functionality(e.g., ping, traceroute) – Source code? Static analysis! • Test Examples – ifconfig ; cat /etc/passwd Linux – dir | ipconfig Windows/Linux – ls /var/www/`<cmd>` or $(<cmd>) Linux**Command substitution
- 32. Command Injection – Vulnerable Code <?php $dig=shell_exec("dig {$_GET['Domain']}"); echo($dig); ?>
- 33. Command Injection Countermeasures • Developers – Avoid calling shell commands when possible – If an API does not exist, sanitize user input before passing it to a function that executes system commands. • Python Example – BAD: os.system(‘ls ‘ + dir) – GOOD: os.listdir(dir)
- 34. Missing Function Level Access Control #define: The absence of server-side authentication and authorization checks.
- 35. Testing for Missing Function Level Access Control • Calling privileged API’s as an unprivileged user. • Accessing system resources that do not belong to the attacker. – Insecure Direct Object Reference – Direct Request/Forced Browsing
- 36. Missing Function Level Access Controls Countermeasures • Developers – Perform server-side authentication and authorization checks.
- 37. Directory Traversal #define: Directory Traversal is a form of attack where an attacker can access files and directories outside of the intended directory.
- 38. Testing for Directory Traversal • Enumerate the application – Are there commands or request parameters that could be used for file-related operations? • URL Encoding (Web only) – %2f / – %2e%2e%2f ../ • Test Examples – http://infosec2.blogspot.com/DT.php?file=../../../../etc/passwd%00 – http://JadWebApp.com/DT.php?dir=..%2f..%2fetc%2fpasswd – symlink / rootfs SMB
- 39. Directory Traversal– Vulnerable Code <?php if ($_GET['file']) $file = $_GET['file']; include('/var/www/'.$file); ?>
- 40. Directory Traversal Countermeasures • Developers – Try not to use user input in file system calls – Perform path canonicalization (symlinks, . & .. are resolved) – Properly configure services
- 41. Buffer Overflow #define: Buffer Overflows occur when a program attempts to write data that exceeds the capacity of a fixed length buffer, and consequently, overwrites adjacent memory. Stack Based Buffer Overflow (x86)
- 42. Testing for Buffer Overflows • Testing for overflows – Dynamic Analysis – Static Analysis
- 43. Buffer Overflow – Vulnerable Code #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char * argv[]){ char argument[42]; if (argc < 2){ printf("n[!!!] Please supply a program argument. [!!!]nn"); exit(0); } printf("n[*] Gimppy's BOF code examplen"); strcpy(argument, argv[1]); printf("[*] You supplied '%s' as your argument!n", argument); printf("[*] Program Completed. n"); return 0; }
- 44. Buffer Overflow Countermeasures • Developers – Don’t use unsafe functions – Perform bounds checking – Compile/Link with overflow prevention techniques • Canary/Stack Cookie – gcc –fstack-protector • ASLR – gcc –fPIE || ld -pie • DEP/NX – gcc marks the stack non-executable by default
- 45. Buffalo TeraStation: Hacking Files • Missing function-level access control • Susceptible to command injection • p0wned
- 46. YIKES! What Can We Do? • Consumers – Protect your security & privacy! Harden your networked devices! – Demand that vendors put more emphasis into securing SOHO networking equipment. • Vendors – Consider and integrate security into your product design – Abide by the principal of least privilege – Follow coding best practices – Patch management
- 47. Q & A Thanks for your time! Paul Dant Chief Strategist @ ISE pdant@securityevaluators.com