Mini-Interview: Matt Jonkman "Ruler of the universe, God of all Snort"
Tech Segment - Attacking A Router: Kyocera-KR1
So, while I was at SANS New Orleans I gave a presentation called "Things That Go Bump In The Network: Embedded Device Security". This will also be my presentation for the upcoming SANS webcast. One thing I will not be able to do in the webcast is give a live demo, which I will demonstration here. When I first want to explore an embedded device, I start by Nmap'ing the crap out of it. For this device it looks as follows:
PORT STATE SERVICE VERSION 80/tcp open http? 49152/tcp open http Intel UPnP reference SDK httpd 1.2 (UPnP 1.0, platform Linux 2.4.26-uc0) 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi : SF-Port80-TCP:V=4.50%I=7%D=1/14%Time=478BD1E8%P=i386-apple-darwin8.11.1%r( SF:GetRequest,EE,"HTTP/1\.0\x20401\x20Unauthorized\r\nServer:\x20Embedded\ SF:x20HTTP\x20Server\x20RK1008\r\nWWW-Authenticate:\x20Basic\x20realm=\"KR SF:1\x20\"\r\nConnection:\x20close\r\n\r\n<HTML><HEAD><TITLE>401\x20Unauth SF:orized</TITLE></HEAD>\n<BODY\x20BGCOLOR=\"#ffffff\"><H4>401\x20Unauthor SF:ized</H4></BODY></HTML>\n")%r(HTTPOptions,D1,"HTTP/1\.0\x20501\x20Not\x SF:20Implemented\r\nServer:\x20Embedded\x20HTTP\x20Server\x20RK1008\r\nCon SF:nection:\x20close\r\n\r\n<HTML><HEAD><TITLE>501\x20Not\x20Implemented</ SF:TITLE></HEAD>\n<BODY\x20BGCOLOR=\"#ffffff\"><H4>501\x20Not\x20Implement SF:ed</H4></BODY></HTML>\n")%r(RTSPRequest,D1,"RTSP/1\.0\x20501\x20Not\x20 SF:Implemented\r\nServer:\x20Embedded\x20HTTP\x20Server\x20RK1008\r\nConne SF:ction:\x20close\r\n\r\n<HTML><HEAD><TITLE>501\x20Not\x20Implemented</TI SF:TLE></HEAD>\n<BODY\x20BGCOLOR=\"#ffffff\"><H4>501\x20Not\x20Implemented SF:</H4></BODY></HTML>\n")%r(FourOhFourRequest,BF,"HTTP/1\.0\x20404\x20Not SF:\x20Found\r\nServer:\x20Embedded\x20HTTP\x20Server\x20RK1008\r\nConnect SF:ion:\x20close\r\n\r\n<HTML><HEAD><TITLE>404\x20Not\x20Found</TITLE></HE SF:AD>\n<BODY\x20BGCOLOR=\"#ffffff\"><H4>404\x20Not\x20Found</H4></BODY></ SF:HTML>\n")%r(SIPOptions,D0,"SIP/2\.0\x20501\x20Not\x20Implemented\r\nSer SF:ver:\x20Embedded\x20HTTP\x20Server\x20RK1008\r\nConnection:\x20close\r\ SF:n\r\n<HTML><HEAD><TITLE>501\x20Not\x20Implemented</TITLE></HEAD>\n<BODY SF:\x20BGCOLOR=\"#ffffff\"><H4>501\x20Not\x20Implemented</H4></BODY></HTML SF:>\n"); MAC Address: 00:15:E9:F3:8C:F2 (D-Link)
So, since I used port 80 to setup the device, its not big news that this port is open. But, more interesting is TCP port 49152. Which you can see from the banner appears to be UPnP, even though Nmap doesn't really know how to fingerprint the service. We can also see the string "Linux 2.4.26-uc0", anyone know what this string is?
So I sniffed the UPnP traffic and found some more interesting stuff:
LOCATION: http://192.168.0.1:49152/gatedesc.xml SERVER: Linux/2.4.26-uc0, UPnP/1.0, Intel SDK for UPnP devices /1.2 ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1 USN: uuid:75802409-bccb-40e7-8e6c-fa095ecce13e::urn:schemas-upnp-org:device:InternetGatewayDevice:1 HTTP/1.1 200 OK CACHE-CONTROL: max-age=1800 DATE: Mon, 14 Jan 2008 22:12:25 GMT EXT:
Now, previous to the I was trying to browse to http://192.168.0.1:49152 and was met with a 404 error. But using a UPnP client tester thinger (from gnucitzens blog posting) I was able to trigger the mechanism (a term I use with my wife ;-) and see that "gatedesc.xml" was the magic filename that contained more information. You can see that it also confirms the kernel version. This appears to be some form of TCP based UPnP.
So, then the web interface lets you export the firmware file. Using my super 31337 reverse engineering skillz I was able to gleen some information:
pdc-6:~/KR1-hacking paulda$ strings config.bin #777 #777 admin zehcnasytrid user Virtual Server FTP Virtual Server HTTP Virtual Server HTTPS Virtual Server DNS Virtual Server SMTP Virtual Server POP3 Virtual Server Telnet IPSec PPTP NetMeeting Virtual Server FTP Virtual Server HTTP Virtual Server HTTPS Virtual Server DNS Virtual Server SMTP Virtual Server POP3 Virtual Server Telnet IPSec PPTP NetMeeting Battle.net 6112 Dialpad 51200-51210 ICU II 2000-2085 MSN Gaming Zone 28800-29000 PC-to-Phone 12120-12122 Quick Time 4 6970-6999 Battle.net 6112 Dialpad 51200-51210 ICU II 2000-2085 MSN Gaming Zone 28800-29000 PC-to-Phone 12120-12122 Quick Time 4 6970-6999 -08:00 time.nist.gov time.nist.gov ntp1.dlink.com WLAN1 iwantabeardjustlikemikepoor WLAN2 Realtek AP2
You can see that the username is "admin" and the password is listed below. Also you can see the string "iwantabeardjustlikemikepoor", which is the WPA key. Note: encrypt you firmware backups. A popular web camera and other devices run the same OS.
Stories of Interest
Bank Social engineering - [Larry] - Fake a badge, buy a secure cash bag and uniform. Show up an hour early and claim you are filling in for the regular guy. Collect $350,000. My question is, how did noone notice that he did not get in to an armored car? How would you authenticate this type of process? (note that this didn't get reported to authorities for nearly 11 hours)
UPNP Attacks! - [Paul] - This is totally awesome. So uPnP has no authentication, and its enabled on most routers. Now, this attack entices a user to click on a link, that accesses upnp (which is just a SOAP connection), which changes the router configuration. This can be done two ways, one using Flash, and one using XMLHTTPRequest with DNS pinning. Freakin SEXY!
Retail WiFi security bad - [Larry] - AirDefense did some scanning, and found lot of issues with retail wireless - WEP, no encryption, you know the deal. Of course, some of those comprise of rogues, legacy gear and mis-configurations. What is scary is, look at the PCI self assessment (lots of wireless questions) - if you answer no to any on the self asessment, you are out of compliance!
iPwnage! Apple released patches for iPhone/iTouch - [Paul] - This is so great, two Safari vulnerabilities and a way to bypass passcode lock. I hope exploits for these vulnerabilities are released in the wild.
Porn Sites spanked... - [Larry] - Too Much Media, a company that provides back end referral tracking software (called NUTS...er, NATS) for an estimated 45% of porn websites was compromised, and had all of the administrative usernames and passwords stole for their clients. Sign agreements, audit your vendors, password storage, defense in depth....
Dutch Transit RFID cloning - [Larry] - So, not only can we clone Kari Byron's verichip, some Dutch researchers have been able to clone the disposable transit passes - you buy one, and are allowed to travel twice. The travel count is contained on the card, and the Mifare tag is not encrypted! By resetting the clone to the original state, one can travel allegedly indefinitely. Research into the non-disposable passes revealed that they are encrypted - but that encryption was recently broken...
RFID secured drive - [Larry] - We talked about the smart card and pin last week, now here is one with RFID security....see last RFID story, see cloning EN 410X tags with RFidiot. The tag in the picture looks like one of my EN410X tags dipped in plasti-dip. Easily cloneable.
Multi-function printer lockdown? - [Larry] - Solidcore makes software to run on XP Embeded to only allow certain software to run, where AV tools were relied on previously. So, more software to fix the problem of insecure software. How about fixing the original problems, and practice defense in tepth on these devices - firewalls, AV, ACLS...the list goes on. One of the qotes form teh article:
"Meanwhile, Robert Graham, CEO of Errata Security, notes that it's unlikely that attackers would purposely target a printer. "However, more and more of them contain Windows XP Embedded. This means that hackers might break into it thinking it's a normal Windows desktop computer without even realizing it's a printer," he says. "Thus, while normally I would suggest that only paranoid organizations [such as DOD and intelligence organizations] worry about their printers, it has now become something that all organizations need to worry about."
AMEN! I have some experience with this - remember Nachi/Welchia? Guess what was vulnerable? Unpatched XP Embedded printers...
MacSweeper...MacMalware? - [Larry] - I only mention because it is new to the mac....
Prisoners 'to be chipped like dogs' [byte_bucket] - "Ministers are planning to implant "machine-readable" microchips under the skin of thousands of offenders as part of an expansion of the electronic tagging scheme that would create more space in British jails."
iPhone 1.1.3 and QuickTime 7.4 - [securethoughts] Two updates released on Tuesday at the Macworld Keynote. iPhone fixes include Safari issues and a passcode lock bypass. QuickTime 7.4 fixes several vulnerabilities where a maliciously crafted file could lead to remote code execution.
For Your Enjoyment
Beer Of The Week
Something like this of interest? [securethoughts]