The internet of $h1t

The internet of $h1T
Or: Root all things (of the internet of things)
By: Amit Serper, ADhD

/bin/whoami
● Now: Lead Mac OSX security researcher @ Cybereason (we’re hiring!)
● Before: ~9 years @ PMO, Lead security researcher, doing mostly embedded
security research in the last 3 years.
● Terrible coder
● Reverse Engineer
● Hardcore Linux guy, Now I use Mac :( and Windows :((
● I like to make stuff that break stuff
● I tweet: @0xAmit

cat /home/amit/agenda.txt
● Our subject: Command execution injection via WebServer
● IoT? - Examples
● Embedded Linux - quick overview
● Firmware - Quick overview
● Embedded webserver command injection - Quick overview
● Case study - Bezeq router
● Exploitation demo

The internet of (shitty) things

~10-15 years ago, a router looked like this

AKA that box with lights that makes the internet work

Why do we care so much about routers?

They’re routing our traffic == they see EVERYTHING

Nobody cares == they’re not monitored

Every one of those little bastards is a computer!
(that handles all of your traffic!)

Ok… So it’s a “computer” - woo-friggin’-hoo
A calculator is also a computer

You’re right. Routers used to have custom RTOS O/S’s
that worked on custom architectures and instruction
sets

But all of a sudden, it wasn’t the standard anymore,
care to guess why?

Linux is built around networking, it’s easy to develop for
and deploy, it’s totally cross platform and ITS FREE!

Plus, it has tons of ALREADY written code that vendors
can use!

Used in Xbox, Cable/SAT STB’s, PS4,
roku, etc...
libdlna:
Used in smartTVs, routers,
streamers, Cable/SAT STB’s,
etc...
A small webserver, used in
almost EVERY router in some
variation.

ALL OF THE PREVIOUSLY MENTIONED SOFTWARE HAVE
BEEN AND IS EXPLOITED ALL THE TIME!

The transition to Linux started a whole wave of vendors
using Linux, some even took pride in it
Linksys WRT54GL

It had a Linux based (HyperWRT) firmware and most of
its code was open sourced

Entire communities of firmware spin-offs were founded
to enhance and add extra features to products

Firmware
● permanent software programmed into a read-only memory. (wikipedia)
● One file which includes a Linux distro consisting of:
○ Bootloader
○ Kernel
○ Root filesystem (userland)
○ Swap (product dependent)

DD-WRT firmware (as illustrated by binwalk)

Firmware (continued)
● Drivers/modules (kernel mode)
● Software and Daemons/Services (User mode) :
○ Busybox
○ DHCP server
○ NTP (server/client)
○ FTP server
○ Telnet/ssh server
○ UPnP server
○ Webserver

Limitations when developing a firmware
● Very little memory - Code has to be really efficient, even on the cost of security
● Very little disk space - No bells and whistles - Just the barebones!
● Very weak cpu
● You think you’re invincible - if it compiles its fine! ← PROBLEM

Let’s talk about security research

We’ve established that those devices have poor security
measures

So let’s map the attack vectors

Attack vectors:
● Backdoors in firmware (a very specific url or service that’s running on a specific
port)
● Physical/Local access - uploading a patched firmware
● Attack from afar - own the webserver!

Enter the webserver:
● It is our common configuration interface with the device
● Everything is controlled through there
● Gives us a direct interface with User-controlled data
● Often listens for connections form the
0.0.0.0 (everywhere!)
● Often badly configured by the vendor/user
● Runs as root!!!!1!!!!!1!

We want to run code/pop a shell on the router

Hooray! Let’s smash the stack!

There’s not necessarily a need to do that...

Emulating this environment is hard

We don’t want to debug stuff

Making gdb run on those thing is not easy...

But what if we can hijack the “instruction pointer” on a
higher level?

http://example.com/viewfile.php?file=bill.txt

; - run this after you’re done
&& - run this if first command exited with status 0
`statement` - run the command between the backticks
and use it as a value

http://example.com/redirect.php?r=info.php;cat /etc/passwd

system(‘/usr/bin/mailer --user %s --password %s --dest %s’)

Sanitation and verification of user input.
Especially special characters such as &, ; and ` (and their http
encoded form)

Netgear VEGN2610
AKA Bezeq n600
ADSL2+ Modem/router

Runs custom compiled Linux kernel version 2.6.30
(Released in June 2009)

Uses a custom version of GoAhead WEBS as its webserver

Has multiple Command Injection Vulnerabilities and even has
an anti CSRF protection with a vulnerability… Amazing.

What we are going to see is how we can execute commands as
root on the router using command injection and turn on it’s
telnetd server.

Oh, the root user on the router has a password (which I don’t
know, but it’s ok)
telnetd -p 2323 -l /bin/sh

The internet of $h1t

More Related Content

What's hot (20)

Similar to The internet of $h1t (20)

Recently uploaded (20)

The internet of $h1t

Editor's Notes