How the Kids Saved Christmas - Holiday Hack ?· How the Kids Saved Christmas ... They found it was build…
Post on 01-Sep-2018
212 views
Embed Size (px)
TRANSCRIPT
HowtheKidsSavedChristmas
I'mcertainyou'veheardoftheGrinchandtheWhosHisplottostealChristmasandhiswaytootightshoesButwhatyoudon'tknowisthatafter40ishyearsForChristmasAbrandnewchallengerappears.TheplotwasdiscoveredbytwochildrennamedDosisThevillainwasdealingwithmajorpsychosisTheyhadvowedtodestroyChristmascheerinallhomesWithanarmyoftwomillionlittletoygnomes.FatherDosisbroughthometheweegnomishdollItseemedquiteinnocent,cuddlyandsmallButlaterwhenJoshdidsomenetworkinspectionSomeoddtransmissionswerebroughttoattentionThe.PCAPhegatheredshowedsomethingamissAbnormalpacketstravellingbyDNSThedatafieldcarriedsomebase64SoJoshusedsomePythontofigureoutmoreStraightawayhegotScapydownloadedHeassembledthedata,thengotitdecoded.TheydiscoveredthegnomewasaminiaturespySendingimagesoutfromtheirhomebutwhy?ThenthenextstepfortheduotodoJessdumpedthefirmwarefromthegnome'sCPUBinwalkwasusedtoscanandextractWhilefirmwaremodkitgotthesystemunpackedBrowsingthroughfilesanddirectoriesTheyfounditwasbuildonOpenWRTANode.jsserver,andwhatelsedidtheysee?ANoSQLdatabaseonMongoDB.Loadingthedatabase,soonthekidsfoundTheymightjustbeabletobringthisschemedownThenefariousgnomeplanmightjustbevexedSinceallofthepasswordswerestoredinplaintext!Theyfoundthegnome'sserverintwodifferentwaysThefirmware'shostsfileandthepcapthey'dsavedSo,withtheaddressandtheadminuserTheyfoundanewgnome,butthisonewassuper.
SoonJoshandJesswerenothingbutsmilesWhentheyloggedintotheserveranddownloadedsomefilesArmedwiththefirstSuperGnome'sIPaddressTheysetofftoseeiftheycouldfindtherest.PluggingitintotheShodansearchfieldAcustomizedheaderwasswiftlyrevealedThenusingthatstringtoalterthesearchTheyfoundfourmoreSuperGnomesspread'roundtheEarthThefilesthattheygotfromSuperGnomeoneGavethemsomehintsofthedeedbeingdoneButtouncoverthetruththeystillneededmoreSotheysetofftoaccesstheremainingfourAllbutonereusedthesameadmincredentials(Somebodyfailedtheirsecurityfundamentals)Butthoughtheycouldlogin,downloadingwasstoppedThesefourSuperGnomeshadtogetpopped.ThepasswordhadchangedonSuperGnomethreeButbypassingtheloginwassimple,yousee.Theinputnotsanitized,thechildrenwerepleasedTosendsomeJSONandgetloggedinwitheaseTheclientgnomefirmwarecontainedserversource(Seriously,couldtheirsecuritygetanyworse?)SoJoshandJesslookedatthejavascriptcodeForthingstoexamine,exploit,orexplodeForSuperGnomefour,theyfoundtheycouldbreakAfunctionthatcalledeval(),amajormistake!TheyopenedupBurpSuitetoaltertheirpacketsTheserverwrotefilesandthentheycouldsnagitSuperGnometwowasquiteaptlynumberedFortwodifferentissuesthechildrendiscoveredAnuploadingformallowedthecreationOfanydirectorynameintheirimaginationAnotherpagethatIshouldprobablymentionLetthemviewfileswithacertainextensionButthecodecheckedtheentirelengthofthestringRatherthansimplytheendofthething.
So,bymakingadirectorynamed".PNG"AndsomeclevertraversalofdirectoriesTheycopiedthefilesoffSuperGnometwoThencheckedonthenextthingthattheyhadtodo.
SuperGnomefivewasrunningaserviceOnport4242,butwhatwasit'spurpose?ItletthemchoosesomeinfotorevealButahiddencommandopenedaninputfield.Examiningthecode(gottenfromgnomesbefore)TheDosiskidslookedforsomeflawstoexploreTheysawthisonewouldbehardtoattackWithauserchrootjailandcanaryonthestack.TheinputletthemoverflowabufferButgettingmuchfurtherwasgoingtobetougherTheirtimegrewshort,sotheystoppedtofindIftheyhadenoughtounmaskthemastermind.EachSuperGnomeheldapcapwithanemailAndopeningthemrevealedthevillainousfemaleThechildrencouldhardlybelieveitwastrueButtheleaderofATNASwasCindyLouWho!Ontopoftheemails,theyalsodiscoveredFromstaticyfiles,animagerecovered.XORingthepixels,removingeachlayerGraduallyshowedthebossinherchair.
JoshandJesspickedupthephoneinthehallAndgavesomefederalagentsacallCindyranafoulofseveralstatutesBytransmittingimagesfromthebedroomsofyouts
Sothereendsourstory,andChristmaswassavedByJoshandJessDosis,socleverandbraveButtothinkthiswholethingmayhavegoneundetectedIftheDosisWiFiwaspasswordprotected!
APPENDIX:
1)WhichcommandsaresentacrosstheGnomescommandandcontrolchannel?
UsingPythonandScapywefoundthefollowingcommandswereexecuted:
EXEC:cat/tmp/iwlistscan.txt
EXEC:START_STATEEXEC:wlan0Scancompleted:
EXEC:Cell01Address:00:7F:28:35:9A:C7
EXEC:Channel:1
EXEC:Frequency:2.412GHz(Channel1)
EXEC:Quality=29/70Signallevel=81dBm
EXEC:Encryptionkey:on
EXEC:ESSID:"CHC"
EXEC:BitRates:1Mb/s;2Mb/s;5.5Mb/s;11Mb/s;6Mb/s
EXEC:9Mb/s;12Mb/s;18Mb/s
EXEC:BitRates:24Mb/s;36Mb/s;48Mb/s;54Mb/s
EXEC:Mode:Master
EXEC:Extra:tsf=000000412e67cddf
EXEC:Extra:Lastbeacon:5408msago
EXEC:IE:Unknown:00055837335A36
EXEC:IE:Unknown:010882848B960C121824
EXEC:IE:Unknown:030101
EXEC:IE:Unknown:200100
EXEC:IE:IEEE802.11i/WPA2Version1
EXEC:GroupCipher:CCMP
EXEC:PairwiseCiphers(1):CCMP
EXEC:AuthenticationSuites(1):PSK
EXEC:IE:Unknown:2A0100
EXEC:IE:Unknown:32043048606C
EXEC:IE:Unknown:DD180050F2020101040003A4000027A4000042435E0062322F00
EXEC:IE:Unknown:2D1A8C131BFFFF000000000000000000000000000000000000000000
EXEC:IE:Unknown:3D1601080800000000000000000000000000000000000000
EXEC:IE:Unknown:DD0900037F01010000FF7F
EXEC:IE:Unknown:DD0A00037F04010000000000
EXEC:IE:Unknown:0706555320010B1B
EXEC:Cell02Address:48:5D:36:08:68:DC
EXEC:Channel:6
EXEC:Frequency:2.412GHz(Channel1)
EXEC:Quality=59/70Signallevel=51dBm
EXEC:Encryptionkey:on
EXEC:ESSID:"DosisHome"
EXEC:BitRates:1Mb/s;2Mb/s;5.5Mb/s;11Mb/s;18Mb/s
EXEC:24Mb/s;36Mb/s;54Mb/s
EXEC:BitRates:6Mb/s;9Mb/s;12Mb/s;48Mb/s
EXEC:Mode:Master
EXEC:Extra:tsf=00000021701d828b
EXEC:Extra:Lastbeacon:4532msago
EXEC:IE:Unknown:000F736F6D657468696E67636C65766572
EXEC:IE:Unknown:010882848B962430486C
EXEC:IE:Unknown:030106
EXEC:IE:Unknown:0706555320010B1E
EXEC:IE:Unknown:2A0100
EXEC:IE:Unknown:2F0100
EXEC:IE:IEEE802.11i/WPA2Version1
EXEC:GroupCipher:CCMP
EXEC:PairwiseCiphers(1):CCMP
EXEC:AuthenticationSuites(1):PSK
EXEC:Cell03Address:48:5D:36:08:68:DD
EXEC:Channel:6
EXEC:Frequency:2.412GHz(Channel1)
EXEC:Quality=62/70Signallevel=49dBm
EXEC:Encryptionkey:off
EXEC:ESSID:"DosisHomeGuest"
EXEC:BitRates:1Mb/s;2Mb/s;5.5Mb/s;11Mb/s;18Mb/s
EXEC:24Mb/s;36Mb/s;54Mb/s
EXEC:BitRates:6Mb/s;9Mb/s;12Mb/s;48Mb/s
EXEC:Mode:Master
EXEC:Extra:tsf=00000021701d8913
EXEC:Extra:Lastbeacon:5936msago
EXEC:IE:Unknown:000F736F6D657468696E67636C65766572
EXEC:IE:Unknown:010882848B962430486C
EXEC:IE:Unknown:030106
EXEC:IE:Unknown:0706555320010B1E
EXEC:IE:Unknown:2A0100
EXEC:IE:Unknown:2F0100
FILE:/root/Pictures/snapshot_CURRENT.jpg
FILE:START_STATE,NAME=/root/Pictures/snapshot_CURRENT.jpg
Therestofthetransmissionwasthesnapshotbeingsent.Thisisanexampleofthecodeusedtoobtainthatinformation:
fromscapy.allimport*importbase64
hhpcap=rdpcap('./giyhcapture.pcap')
jpghex=''
foriinrange(876,1402):try:txt=hhpcap[i].lastlayer().an.rdatapass1=base64.b64decode(txt[1:])pass2=pass1[5:]jpghex+=pass2except:pass
printjpghex
2)WhatimageappearsinthephototheGnomesentacrossthechannelfromtheDosishome?
Itappearstobeaphotoofachildsbedroom.Thereisasportstheme,aWeirdAlposterandTVwithgameconsoleattached.Gnomefeetarevisibleintheforeground.
3)WhatoperatingsystemandCPUtypeareusedintheGnome?WhattypeofwebframeworkistheGnomewebinterfacebuiltin?
TheGnomerunsOpenWRTonanARMA9CPU.TheWebinterfaceisbuiltwithNode.jsandExpressJS.4)WhatkindofadatabaseengineisusedtosupporttheGnomewebinterface?WhatistheplaintextpasswordstoredintheGnomedatabase?
ThewebinterfaceisbackedbyMongoDB.Therearetwouseraccounts,admin:SittingOnAShelfanduser:user{ "_id" : ObjectId("56229f63809473d11033515c"), "username" : "admin", "password" : "SittingOnAShelf", "user_level" : 100 }
5)WhataretheIPaddressesofthefiveSuperGnomesscatteredaroundtheworld,asverifiedbyTomHessmanintheDosisneighborhood?
6)WhereiseachSuperGnomelocatedgeographically?
SG0152.2.229.189Ashburn,VAUSASG0252.34.3.80Boardman,ORUSASG0352.64.191.71Sydney,AustraliaSG0452.192.152.132Tokyo,JapanSG0554.233.105.81SoPaulo,Brazil
7)PleasedescribethevulnerabilitiesyoudiscoveredintheGnomefirmware.
Inthemainwebinterfacefile(/www/routes/index.js):
Loginfunctiondoesnotverifythattheparameterspassedarestrings.
FilesUploadfunctioncallstheeval()functionwhichcanallowarbitraryJavaScripttobepassedintoitifnotsanitized
CameraViewerThisfunctionwasnotexposedintheUI,butaccessibleifoneknewtherightURLtoenter.Thecodeinthefirmwareshowsthatapreviousversioncheckedforthefileextensionanywhereintheparametergiventoit.Inthefirmwaresversionthathasbeencommentedoutanditalwayschecksfor.pngattheendofthestring.
TheMongoDBdatabasestoredpasswordsinplaintext.
8)ONCEYOUGETAPPROVALOFGIVENINSCOPETARGETIPADDRESSESFROMTOMHESSMANINTHEDOSISNEIGHBORHOOD,attempttoremotelyexploiteachoftheSuperGnomes.DescribethetechniqueyouusedtogainaccesstoeachSuperGnomesgnome.conffile.YOUAREAUTHORIZEDTOATTACKONLYTHEIPADDRESSESTHATTOMHESSMANINTHEDOSISNEIGHBORHOODEXPLICITLYACKNOWLEDGESASINSCOPE.ATTACKNOOTHERSYSTEMSASSOCIATEDWITHTHEHOLIDAYHACKCHALLENGE.
SuperGnome01:SimplyrequiredadminuserandpasswordfromtheMongoDB.Initiallygotthepasswordbyrunningstringsagainstthedatabasefile,laterfullyloadedthedatabaseforexploration.
GnomeSerialNumber:NCC1701Currentconfigfile:./tmp/e31faee/cfg/sg.01.v1339.cfg
Allownewsubordinates?:YESCameramonitoring?:YESAudiomonitoring?:YESCameraupdaterate:60minGnomemode:SuperGnomeGnomename:SG01Allowfileuploads?:YESAllowedfileformats:.pngAllowedfilesize:512kbFilesdirectory:/gnome/www/files/
SuperGnome02:ThekeyvulnerabilitywastheoldversionoftheCameraViewerthatdidntforcethefilepassedtohave.pngappended
