Security
BruCON: How to take over the world by breaking into embedded systems
On September 24 and 25, the community-oriented security conference BruCON made its second appearance in Brussels. Just like last year, the organizers succeeded in gathering a diverse mix of presentation topics and speakers: from overview talks about GSM security, mobile malware and social engineering, to highly technical talks about how to find backdoors in code, mapping the "malicious web", and analyzing malicious PDF files.
Paul Asadoorian, who is currently Product Evangelist for Tenable Network
Security (the creators of the vulnerability scanning program Nessus), gave a talk with the
provocative title "Embedded System Hacking and My Plot To Take Over
The World
" (slides
[PDF]). His premise is simple: we depend on more and more
embedded systems in our daily lives, and because security is largely an afterthought for embedded systems manufacturers, these systems can be used to take over the world.
Indeed, each time we use our home network, print a document, watch a DVD, and so on, there's an embedded system involved. Because these are mass-produced products that have to be manufactured as cheaply as possible, many manufacturers only think about security after the device has been designed—if they think about it at all. This makes embedded systems an attractive vehicle for mounting a large-scale attack on world-wide society. In his talk, Paul looked at some common vulnerabilities in embedded systems, how you can find these vulnerable systems, and what you could gain by exploiting them. His message to device manufacturers was clear: fix this, because the problem is huge!
Before you read further, an obvious warning: much of what Paul suggests may be illegal in some jurisdictions. These are just examples to point out what criminals could do. Don't try this at home unless you are sure you know what you're doing.
How to take over the world
What do you need to take over the world? According to Paul, three things: money, power, and stealth. First, money is needed to get resources, for buying weapons, paying armies, and so on. So how can embedded systems help you to make money? By exploiting devices that have the user's credit card linked to it, such as an entertainment system or a video game console, for example. Another possibility is to break into the user's router and snoop on the network traffic: by getting passwords for their online banking accounts, PayPal, or eBay, an attacker can get access to the user's money. But also think about sensitive information that the user prints or faxes.
Second, embedded systems can also be used to influence and control people, or in other words: gain power. For starters, just think about the adage "information = power": by sniffing people's networks and manipulating what the users see, you have a lot of control over their online life. Just by manipulating a single router, you may be able to influence multiple computers. But it goes even further: embedded systems are integral to many important services, like the power grid, water utilities, and so on. It doesn't take much inspiration to come up with some nasty attack scenarios. Paul referred to research from Josh Wright and Travis Goodspeed along with the paper Advanced Metering Infrastructure Attack Methodology [PDF] from Inguardians.
The third essential element for world domination is stealth: even if you have all the money and power, people will stop you as soon as they know your plans, so your plan is doomed if you don't work in stealth mode. According to Paul, embedded systems are perfect for this purpose:
Combine this practical invisibility with the fact that device vendors focus on profit and leave out security to save resources, and you have an explosive cocktail: a lot of unnoticed vulnerabilities, ready to be exploited, but hidden from view.
Millions of vulnerable devices
The challenge is now to find all these vulnerable devices, Paul says: "Most of the vulnerabilities in embedded systems go unnoticed for a long time because everyone looking for them has just a couple of devices.
" Of course you can use the internet to find devices. Paul showed the web site WiGLE (Wireless Geographic Logging Engine), which collects statistics about wireless networks. Every practitioner of wardriving can add their data to the web site.
The interesting thing is that you can use the statistics on WiGLE to select possible targets. You can see which are the most popular vendors, and use this information to find vulnerabilities in routers of these vendors to maximize the damage. For example, the statistics show that Linksys is the most popular wireless router vendor, with 10.5% of the routers, or more than 2.7 million routers in the WiGLE database. All these routers are also drawn on a map. Just look up your home town to see how many routers there are in your neighborhood, and take into account that many of them are vulnerable to some attack.
And vulnerable they are. Paul pointed to a study last year, where researchers from the Columbia University Intrusion Detection Systems Lab scanning the internet found nearly 21,000 routers, webcams, and VoIP products with an administrative web interface viewable from anywhere on the internet and a default password. Linksys routers had the highest percentage of vulnerable devices in the United States: 45 percent of the 2,729 accessible Linksys routers still had the manufacturer's default administrative password. An attacker who finds such a router can do anything with it, including altering the router's DNS settings or reflashing the firmware.
The researchers have provided ISPs with their findings, in the hope that they would do something to protect their vulnerable customers, e.g. stop providing these devices with a default password and an administrative interface that is publicly accessible. But in general, ISPs are not responsive to these kinds of vulnerabilities.
How to find vulnerable devices
So there are a lot of vulnerable routers out there, but how do you find them? Paul gave some tips. First, just use Google: try to find the popular ISPs that provide cable modem routers to their users, and try to find out which model it is. Then use the ARIN (American Registry for Internet Numbers) database to discover the IP address ranges assigned to those ISPs. After that, you can use the port scanner Nmap to discover all devices that have port 80 open, and try to identify the HTTP banner.
Of course scanning big IP address ranges is slow, even if you limit it to one port, but with the right tuning of Nmap parameters it is doable: Paul showed a scan of 2.7 hours for half a million IP addresses and a scan of 37.5 hours for 2.2 million IP addresses. You can then manually poke through the results or write a script to find vulnerabilities, exploit them, or upload custom configurations and firmware.
It's not always necessary to scan a whole IP address range to find computers. NTP can be used to identify devices, as has been shown by Metasploit creator HD Moore. For example, by executing:
ntpdc -c monlist <ntpserver>
you get a list of all recent clients from the NTP server. So choosing, for example, Apple's NTP server gets a list of Apple devices.
Paul also gave the example of Netgear routers that were shipped in 2003 with a hardcoded NTP server. After a while this had been patched, but now if you use HD Moore's trick on this particular NTP server, you can still find Netgear routers that query this server and thus don't have the firmware fix. That's an easy way to find outdated routers, which probably have a lot of vulnerabilities. For example, the open source penetration testing framework Metasploit has this test.
Or you can brute-force DNS subdomains. Paul referred to a method to hunt for Linksys IP cameras on the net. Some IP cameras can use dynamic domain names, and by using the tool dnsmap an attacker can brute-force subdomains to discover these cameras. Of course this can be enhanced with an automatic check for default credentials or the ability to anonymously view the video stream.
Another interesting resource is SHODAN, a search engine to find computers. You can search for computers or routers running specific software or filtered by geographic location. If you want to attack the internet infrastructure of a specific country, this is the place to begin your search. Google is also useful for this purpose: just query content that is unique to a target device.
Example vulnerabilities
For the rest of the talk, Paul ran through a lot of example vulnerabilities he has encountered and how easy it is to exploit them. For example, too many wireless routers have just default, weak, or even missing passwords. Paul even found a Zyxel router that had the password already filled in on the publicly accessible web interface. He only had to click "Login" to gain administrative access.
Paul also found some publicly accessible multifunction printers that didn't use authentication. He showed how he got access to the printed documents on a Lanier printer: he could download all documents that were printed recently, without any authentication. The type of espionage enabled by this vulnerability is perfect for social engineering purposes: he found the person's name, company, department, what applications he runs, and so on. The same printer allowed anyone to copy data from an SD card that is accidentally left in the SD card slot.
HP scanners were especially nasty: they have a webscan feature that is turned on by default with no security whatsoever: everyone can scan a confidential document that is left on the scanner and retrieve it via a web browser, because the URLs used for scanned documents are completely predictable. This is a perfect tool for corporate espionage.
More recently, HD Moore discovered several flaws in the VxWorks embedded operating system, scanned 3.1 billion IP addresses and found 250,000 vulnerable systems accessible on the internet. And then there's the DNS rebinding attack that Craig Heffner discovered in several routers, allowing attackers to gain control of the administrative interface.
Luckily, some vendors are learning from their vulnerabilities. The Linksys WET610N wireless router's setup program forces the user to change the default password "admin" to something different on the first log in. However, Paul's happiness ended quickly when he saw the next screen where Linksys recommended saving the password in a text file.
How to fix this
Paul didn't talk about all these security exploits to spoon-feed the bad
guys. He wants to convince embedded systems vendors to create safer
devices. They could start just by implementing some elementary, but too
often ignored, security measures: don't use a default password ("Why
does the concept of a default password even exist?
") but force the
user to choose a password, allow the user to disable protocols, and by
default only enable secure management protocols like HTTPS and
SSH. Moreover, Paul wants ISPs to block the inbound port 80—though it
makes it hard for anyone wanting to run a web server—and to take responsibility for keeping the devices of their users secure.
To raise awareness about obvious security failures and to try to change the industry to implement better security on devices, Paul has started the website www.securityfail.com, which is a public wiki where people can point out the ways in which their devices are not secure. It's a promising initiative, but your author fears that this is not sufficient to change the industry: as Bruce Schneier has been saying for years, vendors will not improve their software's security until it is in their financial interest. A wiki will not change that, so it looks like we'll remain in the situation where anyone with enough dedication can take over the world.
Brief items
Zombie cookie wars: evil tracking API meant to "raise awareness" (ars technica)
Ars technica looks at evercookie, a way for web applications to store multiple cookies that can be rather difficult to get rid of. "So, when you delete the cookie in one, three, or five places, evercookie can dip into one of its many other repositories to poll your user ID and restore the data tracking cookies. It works cross-browser, too—if the Local Shared Object cookie is intact, evercookie can spread to whatever other browsers you choose to use on the same machine. Since most users are barely aware of these storage methods, it's unlikely that users will ever delete all of them."
U.S. Tries to Make It Easier to Wiretap the Internet (New York Times)
The New York Times reports on a bill (proposed law) that the Obama administration plans to submit to Congress that would require communication providers be able to decrypt and provide the data they carry on demand, presumably after a court order. "Essentially, officials want Congress to require all services that enable communications — including encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct "peer to peer" messaging like Skype — to be technically capable of complying if served with a wiretap order. The mandate would include being able to intercept and unscramble encrypted messages." As one might guess, the EFF is particularly worried about the bill: "
The crypto wars are back in full force, and it's time for everyone who cares about privacy to stand up and defend it: no back doors and no bans on the tools that protect our communications."
New vulnerabilities
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2010-2938 CVE-2010-2943 | ||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 29, 2010 | Updated: | March 28, 2011 | ||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
A flaw was found in the Xen hypervisor implementation when running a system that has an Intel CPU without Extended Page Tables (EPT) support. While attempting to dump information about a crashing fully-virtualized guest, the flaw could cause the hypervisor to crash the host as well. A user with permissions to configure a fully-virtualized guest system could use this flaw to crash the host. (CVE-2010-2938) A flaw was found in the Linux kernel's XFS file system implementation. The file handle lookup could return an invalid inode as valid. If an XFS file system was mounted via NFS (Network File System), a local attacker could access stale data or overwrite existing data that reused the inodes. (CVE-2010-2943) | ||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | Linux | CVE #(s): | CVE-2010-3084 CVE-2010-2955 CVE-2010-3298 CVE-2010-3296 CVE-2010-3297 CVE-2010-2946 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 23, 2010 | Updated: | April 21, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the openSUSE advisory: CVE-2010-3084: A buffer overflow in the ETHTOOL_GRXCLSRLALL code could be used to crash the kernel or potentially execute code. CVE-2010-2955: A kernel information leak via the WEXT ioctl was fixed. CVE-2010-3298: Fixed a kernel information leak in the net/usb/hso driver. CVE-2010-3296: Fixed a kernel information leak in the cxgb3 driver. CVE-2010-3297: Fixed a kernel information leak in the net/eql driver. CVE-2010-2946: The 'os2' xattr namespace on the jfs filesystem could be used to bypass xattr namespace rules. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
lib3ds: code execution
| Package(s): | lib3ds | CVE #(s): | CVE-2010-0280 | ||||||||||||||||
| Created: | September 27, 2010 | Updated: | May 19, 2014 | ||||||||||||||||
| Description: | From the CVE entry:
Array index error in Jan Eric Kyprianidis lib3ds 1.x, as used in Google SketchUp 7.x before 7.1 M2, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted structures in a 3DS file, probably related to mesh.c. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
php: multiple vulnerabilities
| Package(s): | php5 | CVE #(s): | CVE-2010-1860 CVE-2010-1862 CVE-2010-1864 CVE-2010-2093 CVE-2010-2094 CVE-2010-2097 CVE-2010-2100 CVE-2010-2101 CVE-2010-2191 CVE-2010-3062 CVE-2010-3063 CVE-2010-3064 CVE-2010-3065 | ||||||||||||||||||||||||||||
| Created: | September 29, 2010 | Updated: | January 11, 2011 | ||||||||||||||||||||||||||||
| Description: | From the CVE entries:
The html_entity_decode function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) or trigger memory corruption by causing a userspace interruption of an internal call, related to the call time pass by reference feature. (CVE-2010-1860) The chunk_split function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature. (CVE-2010-1862) The addcslashes function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature. (CVE-2010-1864) Use-after-free vulnerability in the request shutdown functionality in PHP 5.2 before 5.2.13 and 5.3 before 5.3.2 allows context-dependent attackers to cause a denial of service (crash) via a stream context structure that is freed before destruction occurs. (CVE-2010-2093) Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the (1) phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4) phar_wrapper_open_url functions in ext/phar/stream.c; and the (5) phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers errors in the php_stream_wrapper_log_error function. (CVE-2010-2094) The (1) iconv_mime_decode, (2) iconv_substr, and (3) iconv_mime_encode functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature. (CVE-2010-2097) The (1) htmlentities, (2) htmlspecialchars, (3) str_getcsv, (4) http_build_query, (5) strpbrk, and (6) strtr functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature. (CVE-2010-2100) The (1) strip_tags, (2) setcookie, (3) strtok, (4) wordwrap, (5) str_word_count, and (6) str_pad functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature. (CVE-2010-2101) The (1) parse_str, (2) preg_match, (3) unpack, and (4) pack functions; the (5) ZEND_FETCH_RW, (6) ZEND_CONCAT, and (7) ZEND_ASSIGN_CONCAT opcodes; and the (8) ArrayObject::uasort method in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) or trigger memory corruption by causing a userspace interruption of an internal function or handler. NOTE: vectors 2 through 4 are related to the call time pass by reference feature. (CVE-2010-2191) mysqlnd_wireprotocol.c in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows remote attackers to (1) read sensitive memory via a modified length value, which is not properly handled by the php_mysqlnd_ok_read function; or (2) trigger a heap-based buffer overflow via a modified length value, which is not properly handled by the php_mysqlnd_rset_header_read function. (CVE-2010-3062) The php_mysqlnd_read_error_from_line function in the Mysqlnd extension in PHP 5.3 through 5.3.2 does not properly calculate a buffer length, which allows context-dependent attackers to trigger a heap-based buffer overflow via crafted inputs that cause a negative length value to be used. (CVE-2010-3063) Stack-based buffer overflow in the php_mysqlnd_auth_write function in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) username or (2) database name argument to the (a) mysql_connect or (b) mysqli_connect function. (CVE-2010-3064) The default session serializer in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker, which allows context-dependent attackers to modify arbitrary session variables via a crafted session variable name. (CVE-2010-3065) | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
php-nusoap: cross-site scripting
| Package(s): | php-nusoap | CVE #(s): | CVE-2010-3070 | ||||||||||||||||
| Created: | September 27, 2010 | Updated: | January 3, 2011 | ||||||||||||||||
| Description: | From the Red Hat bugzilla:
Bogdan Calin at at Acunetix discovered a XSS vulnerability in NuSOAP 0.9.5 | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
quassel: denial of service
| Package(s): | quassel | CVE #(s): | |||||
| Created: | September 24, 2010 | Updated: | September 29, 2010 | ||||
| Description: | From the Ubuntu advisory:
Jima discovered that quassel would respond to a single privmsg containing multiple CTCP requests with multiple NOTICEs, possibly resulting in a denial of service against the IRC connection. | ||||||
| Alerts: |
| ||||||
roundup: cross-site scripting
| Package(s): | roundup | CVE #(s): | CVE-2010-2491 | ||||||||
| Created: | September 23, 2010 | Updated: | September 29, 2010 | ||||||||
| Description: | From the Red Hat bugzilla entry: A deficiency was found in the way Roundup, simple and flexible issue-tracking system, processed PageTemplate templates for named pages. A remote attacker could use this flaw to conduct cross-site scripting (XSS) attacks by tricking a local, authenticated user into visiting a specially-crafted web page. | ||||||||||
| Alerts: |
| ||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>