Episode96

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

Episode Media

mp3

Mini-Interview: Matt Jonkman "Ruler of the universe, God of all Snort"

Matt is the former project leader of Bleeding Threats and currently the project leader of Emerging Threats.

The paper that Matt referred to at http://www.honeyblog.org/

Tech Segment - Attacking A Router: Kyocera-KR1

So, while I was at SANS New Orleans I gave a presentation called "Things That Go Bump In The Network: Embedded Device Security". This will also be my presentation for the upcoming SANS webcast. One thing I will not be able to do in the webcast is give a live demo, so I will walk through it here. When I first want to explore an embedded device, I start by Nmap'ing the crap out of it. For this device it looks as follows:


PORT      STATE SERVICE VERSION
80/tcp    open  http?
49152/tcp open  http    Intel UPnP reference SDK httpd 1.2 (UPnP 1.0, platform Linux 2.4.26-uc0)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port80-TCP:V=4.50%I=7%D=1/14%Time=478BD1E8%P=i386-apple-darwin8.11.1%r(
SF:GetRequest,EE,"HTTP/1\.0\x20401\x20Unauthorized\r\nServer:\x20Embedded\
SF:x20HTTP\x20Server\x20RK1008\r\nWWW-Authenticate:\x20Basic\x20realm=\"KR
SF:1\x20\"\r\nConnection:\x20close\r\n\r\n<HTML><HEAD><TITLE>401\x20Unauth
SF:orized</TITLE></HEAD>\n<BODY\x20BGCOLOR=\"#ffffff\"><H4>401\x20Unauthor
SF:ized</H4></BODY></HTML>\n")%r(HTTPOptions,D1,"HTTP/1\.0\x20501\x20Not\x
SF:20Implemented\r\nServer:\x20Embedded\x20HTTP\x20Server\x20RK1008\r\nCon
SF:nection:\x20close\r\n\r\n<HTML><HEAD><TITLE>501\x20Not\x20Implemented</
SF:TITLE></HEAD>\n<BODY\x20BGCOLOR=\"#ffffff\"><H4>501\x20Not\x20Implement
SF:ed</H4></BODY></HTML>\n")%r(RTSPRequest,D1,"RTSP/1\.0\x20501\x20Not\x20
SF:Implemented\r\nServer:\x20Embedded\x20HTTP\x20Server\x20RK1008\r\nConne
SF:ction:\x20close\r\n\r\n<HTML><HEAD><TITLE>501\x20Not\x20Implemented</TI
SF:TLE></HEAD>\n<BODY\x20BGCOLOR=\"#ffffff\"><H4>501\x20Not\x20Implemented
SF:</H4></BODY></HTML>\n")%r(FourOhFourRequest,BF,"HTTP/1\.0\x20404\x20Not
SF:\x20Found\r\nServer:\x20Embedded\x20HTTP\x20Server\x20RK1008\r\nConnect
SF:ion:\x20close\r\n\r\n<HTML><HEAD><TITLE>404\x20Not\x20Found</TITLE></HE
SF:AD>\n<BODY\x20BGCOLOR=\"#ffffff\"><H4>404\x20Not\x20Found</H4></BODY></
SF:HTML>\n")%r(SIPOptions,D0,"SIP/2\.0\x20501\x20Not\x20Implemented\r\nSer
SF:ver:\x20Embedded\x20HTTP\x20Server\x20RK1008\r\nConnection:\x20close\r\
SF:n\r\n<HTML><HEAD><TITLE>501\x20Not\x20Implemented</TITLE></HEAD>\n<BODY
SF:\x20BGCOLOR=\"#ffffff\"><H4>501\x20Not\x20Implemented</H4></BODY></HTML
SF:>\n");
MAC Address: 00:15:E9:F3:8C:F2 (D-Link)

So, since I used port 80 to set up the device, it's not big news that this port is open. More interesting is TCP port 49152, which the banner identifies as the Intel UPnP SDK's HTTP server (note the D-Link OUI on the MAC address, too). Nmap fingerprinted the UPnP service fine; the service it could not match is the embedded HTTP server on port 80, hence the "http?" and the fingerprint-submission blurb. We can also see the string "Linux 2.4.26-uc0": the -uc0 suffix is the uClinux patch revision, so this is a uClinux-based embedded build.

So I sniffed the UPnP traffic and found some more interesting stuff:

HTTP/1.1 200 OK
CACHE-CONTROL: max-age=1800
DATE: Mon, 14 Jan 2008 22:12:25 GMT
EXT:
LOCATION: http://192.168.0.1:49152/gatedesc.xml
SERVER: Linux/2.4.26-uc0, UPnP/1.0, Intel SDK for UPnP devices /1.2
ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
USN: uuid:75802409-bccb-40e7-8e6c-fa095ecce13e::urn:schemas-upnp-org:device:InternetGatewayDevice:1

Now, before that I had tried browsing to http://192.168.0.1:49152 and was met with a 404, which is expected: the UPnP HTTP server only answers for the URLs it advertises. Using a UPnP client tester thinger (from the GNUCitizen blog posting) I was able to trigger the mechanism (a term I use with my wife ;-) and see that "gatedesc.xml" was the magic filename that contained more information. You can see that it also confirms the kernel version. What is going on here is standard UPnP: discovery (SSDP) is an HTTP-style M-SEARCH over UDP multicast to 239.255.255.250:1900, and the LOCATION header in the reply points at the device description, which is served over plain HTTP on TCP, here port 49152. That description in turn lists the SOAP control URLs for services such as WANIPConnection, and none of it requires authentication.
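To make the discovery-to-description chain concrete, here is an added Python example (my code, not code from the show or from the device vendor) that builds the SSDP M-SEARCH, parses the reply shown above, and pulls the SOAP control URLs out of a device description. The gatedesc.xml body in it is constructed to follow the InternetGatewayDevice schema; the real KR1 file is not reproduced on this page, so its serviceId and control path are assumptions. discover() needs a live LAN; the parsers run offline on the embedded samples.

```python
"""SSDP discovery and UPnP device-description parsing (added example)."""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR = ("239.255.255.250", 1900)
IGD = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
DEV_NS = "urn:schemas-upnp-org:device-1-0"

def build_msearch(search_target: str = IGD, mx: int = 2) -> bytes:
    """SSDP M-SEARCH: an HTTP request carried over UDP, CRLF-terminated."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "", "",  # blank line terminates the header block
    ]
    return "\r\n".join(lines).encode()

def parse_ssdp_response(data: bytes) -> dict:
    """Header dict of an SSDP reply (keys upper-cased); status line under '_STATUS'."""
    text = data.decode(errors="replace")
    status, _, rest = text.partition("\r\n")
    headers = {"_STATUS": status}
    for line in rest.split("\r\n"):
        if not line:  # empty line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def discover(timeout: float = 2.0) -> list:
    """Multicast one M-SEARCH and collect (ip, headers) replies; needs a live LAN."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            data, addr = sock.recvfrom(65535)
            replies.append((addr[0], parse_ssdp_response(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies

def control_urls(description_xml: str, location: str) -> dict:
    """serviceType -> absolute controlURL for every service in a description.
    Walks embedded devices: an IGD nests WANIPConnection two levels down."""
    root = ET.fromstring(description_xml)
    base = root.findtext(f"{{{DEV_NS}}}URLBase") or location
    out = {}
    for svc in root.iter(f"{{{DEV_NS}}}service"):
        stype = svc.findtext(f"{{{DEV_NS}}}serviceType")
        curl = svc.findtext(f"{{{DEV_NS}}}controlURL")
        if stype and curl:
            out[stype] = urljoin(base, curl)
    return out

# Constructed from the SSDP reply quoted in the show notes.
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
    b"DATE: Mon, 14 Jan 2008 22:12:25 GMT\r\nEXT:\r\n"
    b"LOCATION: http://192.168.0.1:49152/gatedesc.xml\r\n"
    b"SERVER: Linux/2.4.26-uc0, UPnP/1.0, Intel SDK for UPnP devices /1.2\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:75802409-bccb-40e7-8e6c-fa095ecce13e::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
)

# CONSTRUCTED minimal IGD description; the real gatedesc.xml is not on the page,
# so the serviceId and control path are assumptions.
SAMPLE_GATEDESC = f"""<root xmlns="{DEV_NS}">
  <URLBase>http://192.168.0.1:49152/</URLBase>
  <device><deviceType>{IGD}</deviceType>
    <deviceList><device>
      <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
      <deviceList><device>
        <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
        <serviceList><service>
          <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
          <serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
          <controlURL>/upnp/control/WANIPConn1</controlURL>
          <SCPDURL>/gateconnSCPD.xml</SCPDURL>
        </service></serviceList>
      </device></deviceList>
    </device></deviceList>
  </device>
</root>"""

if __name__ == "__main__":
    hdrs = parse_ssdp_response(SAMPLE_SSDP_REPLY)
    for stype, url in control_urls(SAMPLE_GATEDESC, hdrs["LOCATION"]).items():
        print(stype, "->", url)
```

The 404 at the root URL is what you should expect from any UPnP stack: walk LOCATION first, then the controlURL and SCPDURL entries the description hands you.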

So, then the web interface lets you export its configuration (saved here as config.bin). Using my super 31337 reverse engineering skillz I was able to glean some information:

pdc-6:~/KR1-hacking paulda$ strings config.bin 
#777
#777
admin
zehcnasytrid
user
Virtual Server FTP
Virtual Server HTTP
Virtual Server HTTPS
Virtual Server DNS
Virtual Server SMTP
Virtual Server POP3
Virtual Server Telnet
IPSec
PPTP
NetMeeting
Virtual Server FTP
Virtual Server HTTP
Virtual Server HTTPS
Virtual Server DNS
Virtual Server SMTP
Virtual Server POP3
Virtual Server Telnet
IPSec
PPTP
NetMeeting
Battle.net
6112
Dialpad
51200-51210
ICU II
2000-2085
MSN Gaming Zone
28800-29000
PC-to-Phone
12120-12122
Quick Time 4
6970-6999
Battle.net
6112
Dialpad
51200-51210
ICU II
2000-2085
MSN Gaming Zone
28800-29000
PC-to-Phone
12120-12122
Quick Time 4
6970-6999
-08:00
time.nist.gov
time.nist.gov
ntp1.dlink.com
WLAN1
iwantabeardjustlikemikepoor
WLAN2
Realtek AP2

You can see that the username is "admin" and the password is the string right after it. You can also see the string "iwantabeardjustlikemikepoor", which is the WPA key. Both sit in cleartext in the exported configuration, so anyone who gets hold of the backup file owns both the router and the wireless network. Note: encrypt your configuration/firmware backups and handle the file with the same care as the passwords themselves. A popular web camera and other devices run the same OS.
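Doing the same check against your own backup, as an added Python example (my code, not the show's and not a vendor tool): it re-implements the strings pass above and adds what you actually want to know before trusting a backup file, namely whether it is encrypted at all (byte entropy) and whether the secrets you know you configured can be read straight out of it. SAMPLE_CONFIG is constructed to mimic the label-then-value layout visible in the dump; the real config.bin format is not documented here, and os.urandom stands in for a properly encrypted file.

```python
"""Audit a router config/firmware backup for cleartext secrets (added example)."""
import math
import os
import string
from collections import Counter

# Printable ASCII minus whitespace controls, the same set `strings` treats as text.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Like `strings -n MIN_LEN`: runs of printable ASCII, in file order."""
    out, cur = [], bytearray()
    for b in blob + b"\x00":          # trailing sentinel flushes the last run
        if b in PRINTABLE:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    return out


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext/random data, well under 6 for text plus padding."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def audit_backup(blob: bytes, known_secrets) -> dict:
    """Report entropy, recoverable string count, and which known secrets leak verbatim."""
    strs = extract_strings(blob)
    leaked = [s for s in known_secrets if any(s in run for run in strs)]
    entropy = shannon_entropy(blob)
    return {
        "entropy_bits_per_byte": round(entropy, 2),
        "strings": len(strs),
        "leaked": leaked,
        "looks_encrypted": entropy > 7.5 and not leaked,
    }


def _slots(*fields, width=32):
    """Constructed layout: each value in a NUL-padded fixed-width slot."""
    return b"".join(f.encode().ljust(width, b"\x00") for f in fields)


# CONSTRUCTED stand-in for config.bin, echoing the strings shown above;
# the real file layout is an assumption.
SAMPLE_CONFIG = (
    b"\x00" * 64
    + _slots("#777", "#777", "admin", "zehcnasytrid", "user", "")
    + _slots("Virtual Server FTP", "Virtual Server HTTP", "IPSec", "PPTP")
    + _slots("-08:00", "time.nist.gov", "ntp1.dlink.com")
    + _slots("WLAN1", "iwantabeardjustlikemikepoor", "WLAN2", "Realtek AP2")
    + b"\x00" * 64
)

# Stand-in for a properly encrypted backup: ciphertext is indistinguishable from random.
SAMPLE_ENCRYPTED = os.urandom(4096)

# The two secrets recoverable from the dump above.
KNOWN_SECRETS = ["zehcnasytrid", "iwantabeardjustlikemikepoor"]

if __name__ == "__main__":
    for name, blob in (("config.bin", SAMPLE_CONFIG), ("encrypted", SAMPLE_ENCRYPTED)):
        print(name, audit_backup(blob, KNOWN_SECRETS))
```

Run it against a backup you just exported with the passwords you just set; if "leaked" is non-empty the vendor is storing them in the clear and the file needs the same protection as the credentials.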

Stories of Interest

Bank Social engineering - [Larry] - Fake a badge, buy a secure cash bag and uniform. Show up an hour early and claim you are filling in for the regular guy. Collect $350,000. My question is, how did no one notice that he did not get in to an armored car? How would you authenticate this type of process? (note that this didn't get reported to authorities for nearly 11 hours)

UPnP Attacks! - [PaulDotCom] - This is totally awesome. So UPnP has no authentication, and it's enabled on most routers. Now, this attack entices a user to click on a link that accesses UPnP (which is just a SOAP connection), which changes the router configuration. This can be done two ways, one using Flash, and one using XMLHttpRequest with DNS pinning. Freakin SEXY!
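The "just a SOAP connection" part, as an added Python example (my code, not the GNUCitizen proof of concept and not vendor code): the exact HTTP POST that an IGD AddPortMapping call puts on the wire, and a parser for the router's reply including the UPnPError fault shape. The control URL, internal host and reply bodies are constructed; nothing here does the Flash or DNS delivery. It shows what the router accepts once a request reaches it, and that no header in it identifies or authenticates the caller.

```python
"""UPnP SOAP control messages for WANIPConnection (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CTRL_NS = "urn:schemas-upnp-org:control-1-0"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_soap_request(control_url: str, service_type: str, action: str, args: dict) -> bytes:
    """Full HTTP POST (headers + envelope) for one UPnP action, as sent on the wire."""
    parts = urlsplit(control_url)
    body_args = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    envelope = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{service_type}">{body_args}</u:{action}></s:Body>'
        "</s:Envelope>"
    ).encode()
    headers = (
        f"POST {parts.path} HTTP/1.1\r\n"
        f"HOST: {parts.netloc}\r\n"
        'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
        f'SOAPACTION: "{service_type}#{action}"\r\n'   # the only thing naming the action
        f"CONTENT-LENGTH: {len(envelope)}\r\n\r\n"
    ).encode()
    return headers + envelope


def add_port_mapping(control_url, ext_port, internal_client, int_port,
                     proto="TCP", desc="example", lease=0) -> bytes:
    """AddPortMapping: the action a drive-by page uses to punch a hole through the NAT."""
    return build_soap_request(control_url, WANIP, "AddPortMapping", {
        "NewRemoteHost": "",              # empty = any remote host
        "NewExternalPort": ext_port,
        "NewProtocol": proto,
        "NewInternalPort": int_port,
        "NewInternalClient": internal_client,
        "NewEnabled": 1,
        "NewPortMappingDescription": desc,
        "NewLeaseDuration": lease,        # 0 = permanent
    })


def parse_soap_response(body: bytes) -> dict:
    """Flatten a SOAP body (request or reply); UPnP faults come back as {'error', 'description'}."""
    root = ET.fromstring(body)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        err = fault.find(f".//{{{CTRL_NS}}}UPnPError")
        if err is None:
            return {"error": -1, "description": fault.findtext("faultstring", default="")}
        return {
            "error": int(err.findtext(f"{{{CTRL_NS}}}errorCode", default="0")),
            "description": err.findtext(f"{{{CTRL_NS}}}errorDescription", default=""),
        }
    action_el = list(root.find(f"{{{SOAP_NS}}}Body"))[0]
    out = {"action": action_el.tag.split("}", 1)[1]}
    out.update({child.tag: (child.text or "") for child in action_el})
    return out


# CONSTRUCTED replies in the shape the IGD spec defines (not captured from the KR1).
SAMPLE_OK = (
    b'<?xml version="1.0"?>'
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<u:AddPortMappingResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"/>'
    b'</s:Body></s:Envelope>'
)
SAMPLE_ERR = (
    b'<?xml version="1.0"?>'
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
    b'<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
    b'<UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
    b'<errorCode>718</errorCode><errorDescription>ConflictInMappingEntry</errorDescription>'
    b'</UPnPError></detail></s:Fault></s:Body></s:Envelope>'
)

if __name__ == "__main__":
    # Control URL and internal host are assumptions, not values from the page.
    req = add_port_mapping("http://192.168.0.1:49152/upnp/control/WANIPConn1",
                           8080, "192.168.0.100", 80)
    print(req.decode())
    print(parse_soap_response(SAMPLE_OK), parse_soap_response(SAMPLE_ERR))
```

Notice what is not in the request: no cookie, no Authorization header, no token tied to the LAN host. Any process that can reach the control URL, including a browser tricked into posting to it, can issue the call, which is why the Flash and DNS tricks above work.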

Retail WiFi security bad - [Larry] - AirDefense did some scanning, and found a lot of issues with retail wireless - WEP, no encryption, you know the deal. Of course, some of those consist of rogues, legacy gear and misconfigurations. What is scary is, look at the PCI self-assessment (lots of wireless questions) - if you answer no to any on the self-assessment, you are out of compliance!

iPwnage! Apple released patches for iPhone/iTouch - [PaulDotCom] - This is so great, two Safari vulnerabilities and a way to bypass passcode lock. I hope exploits for these vulnerabilities are released in the wild.

Porn Sites spanked... - [Larry] - Too Much Media, a company that provides back end referral tracking software (called NUTS...er, NATS) for an estimated 45% of porn websites was compromised, and had all of the administrative usernames and passwords stolen for their clients. Sign agreements, audit your vendors, password storage, defense in depth....

Dutch Transit RFID cloning - [Larry] - So, not only can we clone Kari Byron's verichip, some Dutch researchers have been able to clone the disposable transit passes - you buy one, and are allowed to travel twice. The travel count is contained on the card, and the Mifare tag is not encrypted! By resetting the clone to the original state, one can travel allegedly indefinitely. Research into the non-disposable passes revealed that they are encrypted - but that encryption was recently broken...

RFID secured drive - [Larry] - We talked about the smart card and PIN last week, now here is one with RFID security....see last RFID story, see cloning EM410x tags with RFIDIOt. The tag in the picture looks like one of my EM410x tags dipped in Plasti Dip. Easily cloneable.

Multi-function printer lockdown? - [Larry] - Solidcore makes software to run on XP Embedded to only allow certain software to run, where AV tools were relied on previously. So, more software to fix the problem of insecure software. How about fixing the original problems, and practice defense in depth on these devices - firewalls, AV, ACLs...the list goes on. One of the quotes from the article:

"Meanwhile, Robert Graham, CEO of Errata Security, notes that it's unlikely that attackers would purposely target a printer. "However, more and more of them contain Windows XP Embedded. This means that hackers might break into it thinking it's a normal Windows desktop computer without even realizing it's a printer," he says. "Thus, while normally I would suggest that only paranoid organizations [such as DOD and intelligence organizations] worry about their printers, it has now become something that all organizations need to worry about."

AMEN! I have some experience with this - remember Nachi/Welchia? Guess what was vulnerable? Unpatched XP Embedded printers...

MacSweeper...MacMalware? - [Larry] - I only mention because it is new to the mac....

Listener Submitted

Prisoners 'to be chipped like dogs' [byte_bucket] - "Ministers are planning to implant "machine-readable" microchips under the skin of thousands of offenders as part of an expansion of the electronic tagging scheme that would create more space in British jails."

iPhone 1.1.3 and QuickTime 7.4 - [securethoughts] Two updates released on Tuesday at the Macworld Keynote. iPhone fixes include Safari issues and a passcode lock bypass. QuickTime 7.4 fixes several vulnerabilities where a maliciously crafted file could lead to remote code execution.

For Your Enjoyment

Beer Of The Week

Something like this of interest? [securethoughts]

http://wiki.pauldotcom.com/wiki/index.php/Beer#Episode96