How the Kids Saved Christmas - Holiday Hack ?· How the Kids Saved Christmas ... They found it was build…

Download How the Kids Saved Christmas - Holiday Hack ?· How the Kids Saved Christmas ... They found it was build…

Post on 01-Sep-2018

212 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

  • HowtheKidsSavedChristmas

    I'mcertainyou'veheardoftheGrinchandtheWhosHisplottostealChristmasandhiswaytootightshoesButwhatyoudon'tknowisthatafter40ishyearsForChristmasAbrandnewchallengerappears.TheplotwasdiscoveredbytwochildrennamedDosisThevillainwasdealingwithmajorpsychosisTheyhadvowedtodestroyChristmascheerinallhomesWithanarmyoftwomillionlittletoygnomes.FatherDosisbroughthometheweegnomishdollItseemedquiteinnocent,cuddlyandsmallButlaterwhenJoshdidsomenetworkinspectionSomeoddtransmissionswerebroughttoattentionThe.PCAPhegatheredshowedsomethingamissAbnormalpacketstravellingbyDNSThedatafieldcarriedsomebase64SoJoshusedsomePythontofigureoutmoreStraightawayhegotScapydownloadedHeassembledthedata,thengotitdecoded.TheydiscoveredthegnomewasaminiaturespySendingimagesoutfromtheirhomebutwhy?ThenthenextstepfortheduotodoJessdumpedthefirmwarefromthegnome'sCPUBinwalkwasusedtoscanandextractWhilefirmwaremodkitgotthesystemunpackedBrowsingthroughfilesanddirectoriesTheyfounditwasbuildonOpenWRTANode.jsserver,andwhatelsedidtheysee?ANoSQLdatabaseonMongoDB.Loadingthedatabase,soonthekidsfoundTheymightjustbeabletobringthisschemedownThenefariousgnomeplanmightjustbevexedSinceallofthepasswordswerestoredinplaintext!Theyfoundthegnome'sserverintwodifferentwaysThefirmware'shostsfileandthepcapthey'dsavedSo,withtheaddressandtheadminuserTheyfoundanewgnome,butthisonewassuper.

  • SoonJoshandJesswerenothingbutsmilesWhentheyloggedintotheserveranddownloadedsomefilesArmedwiththefirstSuperGnome'sIPaddressTheysetofftoseeiftheycouldfindtherest.PluggingitintotheShodansearchfieldAcustomizedheaderwasswiftlyrevealedThenusingthatstringtoalterthesearchTheyfoundfourmoreSuperGnomesspread'roundtheEarthThefilesthattheygotfromSuperGnomeoneGavethemsomehintsofthedeedbeingdoneButtouncoverthetruththeystillneededmoreSotheysetofftoaccesstheremainingfourAllbutonereusedthesameadmincredentials(Somebodyfailedtheirsecurityfundamentals)Butthoughtheycouldlogin,downloadingwasstoppedThesefourSuperGnomeshadtogetpopped.ThepasswordhadchangedonSuperGnomethreeButbypassingtheloginwassimple,yousee.Theinputnotsanitized,thechildrenwerepleasedTosendsomeJSONandgetloggedinwitheaseTheclientgnomefirmwarecontainedserversource(Seriously,couldtheirsecuritygetanyworse?)SoJoshandJesslookedatthejavascriptcodeForthingstoexamine,exploit,orexplodeForSuperGnomefour,theyfoundtheycouldbreakAfunctionthatcalledeval(),amajormistake!TheyopenedupBurpSuitetoaltertheirpacketsTheserverwrotefilesandthentheycouldsnagitSuperGnometwowasquiteaptlynumberedFortwodifferentissuesthechildrendiscoveredAnuploadingformallowedthecreationOfanydirectorynameintheirimaginationAnotherpagethatIshouldprobablymentionLetthemviewfileswithacertainextensionButthecodecheckedtheentirelengthofthestringRatherthansimplytheendofthething.

  • So,bymakingadirectorynamed".PNG"AndsomeclevertraversalofdirectoriesTheycopiedthefilesoffSuperGnometwoThencheckedonthenextthingthattheyhadtodo.

    SuperGnomefivewasrunningaserviceOnport4242,butwhatwasit'spurpose?ItletthemchoosesomeinfotorevealButahiddencommandopenedaninputfield.Examiningthecode(gottenfromgnomesbefore)TheDosiskidslookedforsomeflawstoexploreTheysawthisonewouldbehardtoattackWithauserchrootjailandcanaryonthestack.TheinputletthemoverflowabufferButgettingmuchfurtherwasgoingtobetougherTheirtimegrewshort,sotheystoppedtofindIftheyhadenoughtounmaskthemastermind.EachSuperGnomeheldapcapwithanemailAndopeningthemrevealedthevillainousfemaleThechildrencouldhardlybelieveitwastrueButtheleaderofATNASwasCindyLouWho!Ontopoftheemails,theyalsodiscoveredFromstaticyfiles,animagerecovered.XORingthepixels,removingeachlayerGraduallyshowedthebossinherchair.

    JoshandJesspickedupthephoneinthehallAndgavesomefederalagentsacallCindyranafoulofseveralstatutesBytransmittingimagesfromthebedroomsofyouts

    Sothereendsourstory,andChristmaswassavedByJoshandJessDosis,socleverandbraveButtothinkthiswholethingmayhavegoneundetectedIftheDosisWiFiwaspasswordprotected!

  • APPENDIX:

    1)WhichcommandsaresentacrosstheGnomescommandandcontrolchannel?

    UsingPythonandScapywefoundthefollowingcommandswereexecuted:

    EXEC:cat/tmp/iwlistscan.txt

    EXEC:START_STATEEXEC:wlan0Scancompleted:

    EXEC:Cell01Address:00:7F:28:35:9A:C7

    EXEC:Channel:1

    EXEC:Frequency:2.412GHz(Channel1)

    EXEC:Quality=29/70Signallevel=81dBm

    EXEC:Encryptionkey:on

    EXEC:ESSID:"CHC"

    EXEC:BitRates:1Mb/s;2Mb/s;5.5Mb/s;11Mb/s;6Mb/s

    EXEC:9Mb/s;12Mb/s;18Mb/s

    EXEC:BitRates:24Mb/s;36Mb/s;48Mb/s;54Mb/s

    EXEC:Mode:Master

    EXEC:Extra:tsf=000000412e67cddf

    EXEC:Extra:Lastbeacon:5408msago

    EXEC:IE:Unknown:00055837335A36

    EXEC:IE:Unknown:010882848B960C121824

    EXEC:IE:Unknown:030101

    EXEC:IE:Unknown:200100

    EXEC:IE:IEEE802.11i/WPA2Version1

    EXEC:GroupCipher:CCMP

    EXEC:PairwiseCiphers(1):CCMP

    EXEC:AuthenticationSuites(1):PSK

    EXEC:IE:Unknown:2A0100

    EXEC:IE:Unknown:32043048606C

    EXEC:IE:Unknown:DD180050F2020101040003A4000027A4000042435E0062322F00

    EXEC:IE:Unknown:2D1A8C131BFFFF000000000000000000000000000000000000000000

  • EXEC:IE:Unknown:3D1601080800000000000000000000000000000000000000

    EXEC:IE:Unknown:DD0900037F01010000FF7F

    EXEC:IE:Unknown:DD0A00037F04010000000000

    EXEC:IE:Unknown:0706555320010B1B

    EXEC:Cell02Address:48:5D:36:08:68:DC

    EXEC:Channel:6

    EXEC:Frequency:2.412GHz(Channel1)

    EXEC:Quality=59/70Signallevel=51dBm

    EXEC:Encryptionkey:on

    EXEC:ESSID:"DosisHome"

    EXEC:BitRates:1Mb/s;2Mb/s;5.5Mb/s;11Mb/s;18Mb/s

    EXEC:24Mb/s;36Mb/s;54Mb/s

    EXEC:BitRates:6Mb/s;9Mb/s;12Mb/s;48Mb/s

    EXEC:Mode:Master

    EXEC:Extra:tsf=00000021701d828b

    EXEC:Extra:Lastbeacon:4532msago

    EXEC:IE:Unknown:000F736F6D657468696E67636C65766572

    EXEC:IE:Unknown:010882848B962430486C

    EXEC:IE:Unknown:030106

    EXEC:IE:Unknown:0706555320010B1E

    EXEC:IE:Unknown:2A0100

    EXEC:IE:Unknown:2F0100

    EXEC:IE:IEEE802.11i/WPA2Version1

    EXEC:GroupCipher:CCMP

    EXEC:PairwiseCiphers(1):CCMP

    EXEC:AuthenticationSuites(1):PSK

    EXEC:Cell03Address:48:5D:36:08:68:DD

    EXEC:Channel:6

    EXEC:Frequency:2.412GHz(Channel1)

    EXEC:Quality=62/70Signallevel=49dBm

  • EXEC:Encryptionkey:off

    EXEC:ESSID:"DosisHomeGuest"

    EXEC:BitRates:1Mb/s;2Mb/s;5.5Mb/s;11Mb/s;18Mb/s

    EXEC:24Mb/s;36Mb/s;54Mb/s

    EXEC:BitRates:6Mb/s;9Mb/s;12Mb/s;48Mb/s

    EXEC:Mode:Master

    EXEC:Extra:tsf=00000021701d8913

    EXEC:Extra:Lastbeacon:5936msago

    EXEC:IE:Unknown:000F736F6D657468696E67636C65766572

    EXEC:IE:Unknown:010882848B962430486C

    EXEC:IE:Unknown:030106

    EXEC:IE:Unknown:0706555320010B1E

    EXEC:IE:Unknown:2A0100

    EXEC:IE:Unknown:2F0100

    FILE:/root/Pictures/snapshot_CURRENT.jpg

    FILE:START_STATE,NAME=/root/Pictures/snapshot_CURRENT.jpg

    Therestofthetransmissionwasthesnapshotbeingsent.Thisisanexampleofthecodeusedtoobtainthatinformation:

    fromscapy.allimport*importbase64

    hhpcap=rdpcap('./giyhcapture.pcap')

    jpghex=''

    foriinrange(876,1402):try:txt=hhpcap[i].lastlayer().an.rdatapass1=base64.b64decode(txt[1:])pass2=pass1[5:]jpghex+=pass2except:pass

    printjpghex

  • 2)WhatimageappearsinthephototheGnomesentacrossthechannelfromtheDosishome?

    Itappearstobeaphotoofachildsbedroom.Thereisasportstheme,aWeirdAlposterandTVwithgameconsoleattached.Gnomefeetarevisibleintheforeground.

    3)WhatoperatingsystemandCPUtypeareusedintheGnome?WhattypeofwebframeworkistheGnomewebinterfacebuiltin?

    TheGnomerunsOpenWRTonanARMA9CPU.TheWebinterfaceisbuiltwithNode.jsandExpressJS.4)WhatkindofadatabaseengineisusedtosupporttheGnomewebinterface?WhatistheplaintextpasswordstoredintheGnomedatabase?

    ThewebinterfaceisbackedbyMongoDB.Therearetwouseraccounts,admin:SittingOnAShelfanduser:user{ "_id" : ObjectId("56229f63809473d11033515c"), "username" : "admin", "password" : "SittingOnAShelf", "user_level" : 100 }

  • 5)WhataretheIPaddressesofthefiveSuperGnomesscatteredaroundtheworld,asverifiedbyTomHessmanintheDosisneighborhood?

    6)WhereiseachSuperGnomelocatedgeographically?

    SG0152.2.229.189Ashburn,VAUSASG0252.34.3.80Boardman,ORUSASG0352.64.191.71Sydney,AustraliaSG0452.192.152.132Tokyo,JapanSG0554.233.105.81SoPaulo,Brazil

    7)PleasedescribethevulnerabilitiesyoudiscoveredintheGnomefirmware.

    Inthemainwebinterfacefile(/www/routes/index.js):

    Loginfunctiondoesnotverifythattheparameterspassedarestrings.

    FilesUploadfunctioncallstheeval()functionwhichcanallowarbitraryJavaScripttobepassedintoitifnotsanitized

    CameraViewerThisfunctionwasnotexposedintheUI,butaccessibleifoneknewtherightURLtoenter.Thecodeinthefirmwareshowsthatapreviousversioncheckedforthefileextensionanywhereintheparametergiventoit.Inthefirmwaresversionthathasbeencommentedoutanditalwayschecksfor.pngattheendofthestring.

    TheMongoDBdatabasestoredpasswordsinplaintext.

    8)ONCEYOUGETAPPROVALOFGIVENINSCOPETARGETIPADDRESSESFROMTOMHESSMANINTHEDOSISNEIGHBORHOOD,attempttoremotelyexploiteachoftheSuperGnomes.DescribethetechniqueyouusedtogainaccesstoeachSuperGnomesgnome.conffile.YOUAREAUTHORIZEDTOATTACKONLYTHEIPADDRESSESTHATTOMHESSMANINTHEDOSISNEIGHBORHOODEXPLICITLYACKNOWLEDGESASINSCOPE.ATTACKNOOTHERSYSTEMSASSOCIATEDWITHTHEHOLIDAYHACKCHALLENGE.

    SuperGnome01:SimplyrequiredadminuserandpasswordfromtheMongoDB.Initiallygotthepasswordbyrunningstringsagainstthedatabasefile,laterfullyloadedthedatabaseforexploration.

    GnomeSerialNumber:NCC1701Currentconfigfile:./tmp/e31faee/cfg/sg.01.v1339.cfg

  • Allownewsubordinates?:YESCameramonitoring?:YESAudiomonitoring?:YESCameraupdaterate:60minGnomemode:SuperGnomeGnomename:SG01Allowfileuploads?:YESAllowedfileformats:.pngAllowedfilesize:512kbFilesdirectory:/gnome/www/files/

    SuperGnome02:ThekeyvulnerabilitywastheoldversionoftheCameraViewerthatdidntforcethefilepassedtohave.pngappended