vulnerabilities in the software of yota telecommunication ... · •“hacking routers as web...
TRANSCRIPT
![Page 1: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/1.jpg)
Vulnerabilities in the software of Yotatelecommunication equipment
Firstov Mikhail (@cyberpunkych)
HeadLight Security
![Page 2: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/2.jpg)
WHOAMI?
• Security researcher at HeadLight Security
• “Attacking MongoDB” at ZeroNights 2012
• “Database honeypot by design” at Defcon Russia
• Worked at Positive Technologies since 2012 to 2015
• “Hacking routers as Web Hacker” at Defcon Moscow
• Member of DC7499
![Page 3: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/3.jpg)
Modems, routers, mobile routers, phones, etc
WHAT IS 4G IN 2015?
![Page 4: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/4.jpg)
WHAT IS YOTA?
Most used YOTA devices:
Yota Lua (simple usb modem)
Yota Swift (modem + wifi router)
Yota Many (mobile router)
![Page 5: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/5.jpg)
Yota web interface:
WHAT IS YOTA?
![Page 6: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/6.jpg)
Yota software:
WHAT IS YOTA?
![Page 7: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/7.jpg)
• Yota personal cabinet (XSS, CSRF, Info Leakage)
• Yota Many (Sensitive Info Leakage, RCE)
• Yota Swift (RCE)
• Yota Access (Sensitive Info Leakage, RCE)
WHAT CAN WE ATTACK?
![Page 8: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/8.jpg)
• Yota personal cabinet (XSS, CSRF, Info Leakage)
• Yota Many (Sensitive Info Leakage, RCE)
• Yota Swift (RCE)
• Yota Access (Sensitive Info Leakage, RCE)
WHAT CAN WE ATTACK?
![Page 9: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/9.jpg)
Even 1 XSS can compromise all your data
YOTA SERVICES
![Page 10: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/10.jpg)
Even 1 XSS can compromise all your data
…but I found 2 of them ;)
YOTA SERVICES
![Page 11: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/11.jpg)
“XSS is boring, it can’t see my password”
Don’t be so sure, if you save your passwords in FF
YOTA SERVICES
![Page 12: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/12.jpg)
Just another CSRF with password change
Thnx Yota support with this bug ;)
YOTA SERVICES
![Page 13: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/13.jpg)
Get user’s balance by VK id ;)
...and other small bugs with info leakage, but you want smth more cool, isn’t it?
YOTA SERVICES
![Page 14: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/14.jpg)
OK, that’s all is really boring. Go next!
YOTA SERVICES
![Page 15: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/15.jpg)
• Yota personal cabinet (XSS, CSRF, Info Leakage)
• Yota Many (Sensitive Info Leakage, RCE)
• Yota Swift (RCE)
• Yota Access (Sensitive Info Leakage, RCE)
WHAT CAN WE ATTACK?
![Page 16: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/16.jpg)
Just press button and go 4G!
…or insert into USB port
YOTA DEVICES
![Page 17: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/17.jpg)
Web admin panel looks good
It’s using JSONP to update data in real time
Hmm…
YOTA DEVICES
![Page 18: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/18.jpg)
Wow, such referer check, nice protection!
YOTA DEVICES
![Page 19: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/19.jpg)
Not for us!
YOTA DEVICES
![Page 20: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/20.jpg)
Router. Bugs. Hmm. RCE?
Of course!
YOTA DEVICES
![Page 21: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/21.jpg)
Router. Bugs. Hmm. RCE?
We are root. Classic.
YOTA DEVICES
![Page 22: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/22.jpg)
Final result:
Other devices, such as Yota Swift affected too!
YOTA DEVICES
![Page 23: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/23.jpg)
• Yota personal cabinet (XSS, CSRF, Info Leakage)
• Yota Many (Sensitive Info Leakage, RCE)
• Yota Swift (RCE)
• Yota Access (Sensitive Info Leakage, RCE)
WHAT CAN WE ATTACK?
![Page 24: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/24.jpg)
Software? But I’m just web script-kiddie
Wow, web interface on 5000 port. Interesting…
YOTA SOFTWARE
![Page 25: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/25.jpg)
Oh, this web again. I love it.
YOTA SOFTWARE
![Page 26: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/26.jpg)
Send request and wait for reply on :5000/events!
YOTA SOFTWARE
![Page 27: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/27.jpg)
Ok, we can read some data, and so?
My lovely game – playing with parameters & requests!
YOTA SOFTWARE
![Page 28: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/28.jpg)
Change true to false and get all information about your machine!
YOTA SOFTWARE
![Page 29: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/29.jpg)
OK. WHERE IS RCE?!1
YOTA SOFTWARE
![Page 30: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/30.jpg)
Here.
Windows affected too.
YOTA SOFTWARE
![Page 31: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/31.jpg)
Short instruction for OS X:From opening file to full RCE
• $ open ftp://[email protected]/ - will mount ftp to /Volumes/1.1.1.1/• .terminal file could exec any commands after opening• Sometimes you can get root without any exploits! (remember ‘sudo’ feature in OS X )
YOTA SOFTWARE
![Page 32: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/32.jpg)
Video here.
YOTA SOFTWARE
![Page 34: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/34.jpg)
Thnx:
• Oleg Kupreev (@090h)• Sergey Vishnyakov (@n3tw0rk)
• Timur Yunusov (@a66at)• Dmitry Evteev (@devteev)
• Vyacheslav Egoshin (@vegoshin)• Psych0tr1a (@Psych0tr1a)
• DC7499 and 2600 community• Matt Austin (From XSS to RCE)
CONCLUSION
![Page 35: Vulnerabilities in the software of Yota telecommunication ... · •“Hacking routers as Web Hacker” at Defcon Moscow •Member of DC7499. Modems, routers, mobile routers, phones,](https://reader033.vdocuments.mx/reader033/viewer/2022050206/5f593bb306ef9d19e75cb70e/html5/thumbnails/35.jpg)
Thank you for the attention!
@cyberpunkych
BYE!