CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMIDT & PAUL MAKOWSKI
Transcript of CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMIDT & PAUL MAKOWSKI

Page 1
Embedded Security in the Land of the Rising Sun
Ben Schmidt (presenter) // @_supernothing, Lord Commander of Security Research @NarfIndustries
Paul Makowski (assistant to the presenter) // @myhndl, Director of World Domination @NarfIndustries

Page 2
this talk: Japanese router hacking
● motivation
● 0knowledge to 0day
● landscape
● attack surface
● vulnerabilities
● exploitation demos
● remediation

Page 3
why hack Japanese routers?
● comparatively little public research
● who doesn't love junk hacking?*
● in seriousness, these routers matter a lot
  o there are many listening on WAN
  o they run notoriously insecure software
* the answer is Dave Aitel: https://lists.immunityinc.com/pipermail/dailydave/2014-September/000746.html
← (chart, not reproduced here) top countries with hosts listening on WAN port 1900 (UPnP default).
● Japan is #4
● more on UPnP later

Page 4
0knowledge to 0day
● when we started, we knew nothing about the Japanese router landscape*
● barriers: language, infrastructure, hardware acquisition & testing
* there's still plenty we don't know
we hope we don't set ourselves on fire...

Page 5
0knowledge to 0day
● mostly cultural, few technical obstacles

| mitigation | enabled? | good for us? |
|---|---|---|
| full ASLR (including PIE) | no | |
| NX / DEP | mostly no | |
| stack or heap cookies | mostly yes | |
| safe unlinking / heap hardening | sometimes | |

Such security, many lulz, wow

Page 6
landscape
● a boatload of:
  o routers
  o modems
  o wifi hotspots
  o webcams
  o internet-connected picture frames
  o ... much more

Page 7
landscape, con't
many manufacturers; this is a small sample

| (likely) corp | how to ID | models | protections | good for us? |
|---|---|---|---|---|
| OKI | distributed as .bin, is actually .tar.gz, contains ROOTIMG.BIN which is several JFFS2 partitions | XXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXXX ... | none | |

Page 8
landscape, con't
many manufacturers; this is a small sample

| (likely) corp | how to ID | models | protections | good for us? |
|---|---|---|---|---|
| Buffalo | binary blob, begins with "bgn" | XXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXXX ... | encrypted, (slightly) modified RC4 w/ static key "Buffalo" | |

Watch https://narfindustries.com/codeblue2014 for a more complete list.

Page 9
attack surface
● HTTP
  o frequently LAN-facing
● FTP
● ...
● UPnP
  o frequently WAN-facing

Page 10
speaking of UPnP...
(figure, not reproduced here: "Security Flaws in UPnP: Unplug, Don't Play", Rapid7)

Page 11
speaking of UPnP...
(the same Rapid7 figure, "Security Flaws in UPnP: Unplug, Don't Play", annotated: "we looked here")

Page 12
our favorite UPnP daemon: XXXXXX
● Shodan
  o 3mil hosts in Japan
  o almost none anywhere else
● our research
  o ~200,000 hosts in Japan at any single time
● What would you do with a 200,000+ botnet?

Page 13
our favorite UPnP daemon: XXXXXX
● case study: CompSci security 101
● every vulnerability you can imagine, everywhere feasible
  o stack & heap buffer overflows
    ! memcpy, strcpy, sprintf, oh my!
  o path traversal
    ! download passwords in config files
  o command injection
    ! as root, duh

Page 14
spot-the-vuln(s)
our favorite UPnP daemon: XXXXXX
(source listing of the daemon, not reproduced in this transcript; two inputs are annotated "attacker controlled")

Page 18
spot-the-vuln(s)
our favorite UPnP daemon: XXXXXX
(the same source listing, fully annotated after the build-up of pages 15 to 17: two inputs marked "attacker controlled"; "buffer is overflown... here" and "oh yeah and here too"; "but why try harder? root command injection... here" and "also here")

Page 19
our favorite UPnP daemon: XXXXXX
in other words...
● 4 lines
● 4 remotely exploitable vulnerabilities

Page 20
demo: UPnP command injection

Page 21
(demo slide, no text content)

Page 22
HTTP: signedness confusion
1. specify a negative Content-Length
2. sanity check does a signed comparison
  o the check passes
3. scanf() promotes int to unsigned, copies the length specified
4. overflow heap buffer
5. ???
6. profit

Page 23
demo: HTTP signedness confusion

```python
import socket

# one request to the HTTP daemon on port 2869 with the negative Content-Length
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.1", 2869))
s.send(b'GET AAAA\r\nContent-Length: -34\r\n\r\n')
s.close()
```
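The signed-comparison check from the slides above, next to a parse that rejects the same header. This is an added example, not code from the talk or from the daemon; the buffer size and the function names are assumed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define BODY_BUF_SIZE 4096   /* assumed size of the daemon's heap body buffer */

/* The vulnerable pattern from the slides: the header value is parsed with
 * sscanf into a signed int, bounded with a signed comparison, and then handed
 * to a copy routine whose size parameter is size_t. Returns the length the
 * copy would use, or 0 when the check rejects the header. */
size_t vulnerable_content_length(const char *value)
{
    int len = 0;
    if (sscanf(value, "%d", &len) != 1)
        return 0;
    if (len > BODY_BUF_SIZE)        /* signed: -34 > 4096 is false, so -34 passes */
        return 0;
    return (size_t)len;             /* -34 becomes SIZE_MAX - 33: heap overflow */
}

/* Hardened parse: no sign accepted, parsed as unsigned, overflow and trailing
 * junk rejected, bounded with an unsigned comparison. Returns -1 on rejection. */
long safe_content_length(const char *value, size_t max)
{
    char *end;
    unsigned long v;

    while (*value == ' ' || *value == '\t')
        value++;
    if (*value < '0' || *value > '9')       /* rejects "-34", "+5" and "" */
        return -1;
    errno = 0;
    v = strtoul(value, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > max)
        return -1;
    return (long)v;
}
```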

Page 24
HTTP: path traversal
1. http://192.168.1.1:2869/../SuperSecretStuff
2. ???
3. profit
seriously.

Page 25
demo: HTTP path traversal

```python
import requests

# the daemon on port 2869 serves the ".." segment without normalizing it,
# so the device configuration is read from outside the web root
print(requests.get('http://192.168.1.1:2869/../mainConfig.xml').text)
```
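As an added example (not the talk's or the daemon's code), the normalization a file-serving daemon should run on the request path before it touches the filesystem; it refuses the /../mainConfig.xml request above. The function names and the segment limit are assumptions.

```c
#include <string.h>
#define MAX_SEGMENTS 32
/* Normalize an already percent-decoded request path. Returns 1 and writes the
 * clean path (always starting with '/') to out, or 0 if the request must be
 * refused: not absolute, too deep, too long, or a ".." that would climb above
 * the web root. Refusing outright, rather than clamping, gives the daemon an
 * event worth logging. */
int normalize_request_path(const char *req, char *out, size_t outlen)
{
    const char *seg[MAX_SEGMENTS];
    size_t len[MAX_SEGMENTS], used = 0, n = 0;
    int depth = 0, i;
    if (req[0] != '/') return 0;
    for (; *req; req += n) {
        while (*req == '/') req++;           /* collapse repeated slashes */
        if (!*req) break;
        n = strcspn(req, "/");               /* length of this segment */
        if (n == 1 && req[0] == '.')
            continue;                        /* "." is a no-op */
        if (n == 2 && req[0] == '.' && req[1] == '.') {
            if (depth == 0) return 0;        /* "/../mainConfig.xml" is refused here */
            depth--;
            continue;
        }
        if (depth == MAX_SEGMENTS) return 0;
        seg[depth] = req;
        len[depth++] = n;
    }
    for (i = 0; i < depth; i++) {
        if (used + len[i] + 2 > outlen) return 0;
        out[used++] = '/';
        memcpy(out + used, seg[i], len[i]);
        used += len[i];
    }
    if (depth == 0) {                        /* the root itself */
        if (outlen < 2) return 0;
        out[used++] = '/';
    }
    out[used] = '\0';
    return 1;
}

/* Wrapper over a static buffer for callers that only need the verdict. */
const char *normalize_or_null(const char *req)
{
    static char buf[256];
    return normalize_request_path(req, buf, sizeof buf) ? buf : NULL;
}
```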

Page 26
why this matters
● what to do with 200,000 home routers?
  o violate privacy, capture all traffic
  o impersonate victims
  o man-in-the-middle, exploit end hosts
  o use as basis for covert infrastructure, misattributing further attacks
  o cripple national infrastructure through DDoS attacks

Page 27
more Japanese statistics
● 200,000+: number of routers / modems running the discussed vulnerable UPnP service on WAN
● 500,000+: number of devices running a UPnP daemon and listening on WAN on the default port
  o can be used to map internal ports, expose additional vulns
● 1,700,000+: number of devices running an HTTP daemon and listening on WAN on the default port
  o 93,000+ of these are not running either Apache or IIS

Page 28
remediation
● patching vulns is a non-starter
  o there are too many; no one cares to find them all
● what we've demonstrated is only the beginning
  o seriously, we ctrl-f'ed for system()... profit
● need to start over

Page 29
remediation: manufacturers (1/3)
● use modern exploit mitigations
  o userspace: NX / DEP, ASLR*, stack / heap hardening
  o kernelspace: grsecurity
● fail closed: default settings matter
  o don't listen to anything on WAN by default
  o if remote admin is required by the customer, require key-based authentication (e.g. SSH, CWMP/TR-069 or similar)
* This means PIE. Binaries that are not PIE are not full ASLR. Anything less than full ASLR is mostly pointless.

Page 30
remediation: manufacturers (2/3)
● privilege separation
  o there is no reason to run everything as root*
● sandbox everything: seccomp-BPF
  o Why is your UPnP daemon able to install kernel modules or read / write outside of its home?
● don't implement your own HTTP / FTP / UPnP / Gopher / whatever service
  o obscurity < audited code
* Laziness doesn't count. It's 2014; attackers have a lot to gain, you have a lot to lose, and embedded devices are often the lowest hanging fruit.

Page 31
remediation: manufacturers (3/3)
● deter physical access
  o cut unnecessary debug ports, no JTAG, no serial
  o limited effect on determined attackers
● make analysis difficult
  o firmware encryption & signing
● scope the set of possible vulnerabilities
  o if you must write your own software, why not write it in Python or Ruby?

Page 32
things that don't work
● security through obscurity
  o yes, someone* has figured out how to extract YetAnotherObscureFileSystem
● outmoded threat models / thinking your software isn't interesting
  o attackers target more than end hosts
  o there is plenty (sometimes more) value in pwning infrastructure
* The contributors and projects behind binwalk (https://github.com/devttys0/binwalk), to be specific.

Page 33
remediation: end users
● firewall everything
  o the only sane approach is to assume compromise of seldom-updated embedded devices such as modems and routers
  o the catch: many of these embedded devices sit between you and the Internet
● whenever possible, run custom firmware
  o let someone else be the easiest target

Page 34
conclusions
● there needs to be more (public) research interest in Japanese infrastructure
● cultural barriers are surmountable even by curious people in their spare time
  o we conducted this research from the US, without direct access to Japanese infrastructure or devices
  o determined attackers will hardly be slowed
● the fixes are not simple
  o vulnerabilities are numerous
  o problems run deep

Page 35
thanks
● Google translate
● Yahoo! auctions
● Icons licensed under CC BY 3.0:
  o router, modem, wifi, webcam, question mark, flame by flaticon.com user Freepik
  o picture frame by flaticon.com user Icomoon
  o thumb's up by flaticon.com user Amit Jakhu
  o video camera by flaticon.com user simpleicon

Page 36
questions?
Want to learn more? Narf offers custom embedded device security training classes in Japanese & English. Material is licensed & translated from TacNetSol's world-renowned EDE course. For more information, visit our website: https://narfindustries.com/index.php?id=training