Hey you!
Prior to transcribing, please look at your style guide: https://wiki.c3subtitles.de/en:styleguide. If you have some questions you can either ask us personally or write us at https://webirc.hackint.org/#irc://hackint.org/#subtitles.
Please don't forget to mark your progress in the progress bar at the talk's website.
Thank you very much for your commitment!

========================================================================



The next talk, "Don't Ruck Us Too Hard: Owning Ruckus AP devices", will be, I think, one of the more hardcore hacking talks, as we like them here at Congress. Please give Gal Zror a warm round of applause.

Applause.

All right, one minute and I'll be good to go. Oh, that's awesome. Okay. So I'm doing live demos, so I just need to be prepared with some stuff. What is the terminal here? This is always good. And another one, why not? And... OK. Wait, what? Come on. Scary, right? Yeah. Now I'm almost good to go. Awesome.

Well, thank you, and thanks CCC for inviting me to speak here. Before I begin, I would like to ask if anybody is familiar with Ruckus network devices. Raise your hand. All right. Okay. All right. Well, CCC, you're going to hate me for the next slide, but the first time I saw a Ruckus access point was when I attended Black Hat USA this year. I noticed that Ruckus provided the conference Wi-Fi, and when I got back home I was wondering how many vulnerabilities had been discovered on Ruckus equipment. So I did a quick search on cvedetails.com and I saw that Ruckus had 11 CVEs, and five of them were critical. Those CVEs were post-authentication command injections. Well, this means no pre-auth RCE was found on Ruckus devices, only post-authentication. So that either means that they are really, really secure, or... I'll let you answer this question yourself.

So wait, before I begin: who am I? My name is Gal Zror, I'm from Tel Aviv, Israel. I'm a research leader at Aleph Research by HCL AppScan, and I've been doing reversing for around 10 years. I focus on offensive and embedded devices research.

In this talk I will be using this Ruckus R510 Unleashed. Ruckus has an Unleashed version for every access point they provide. Unleashed are access points that don't rely on Wi-Fi controllers. However, all access points on this list share the same vulnerable code base, and I noticed that some vulnerabilities also work on the ZoneDirector product line, which is their Wi-Fi controller. The vulnerabilities I will show affect this firmware version, and the firmware analysis was pretty much straightforward: no compression, no encryption. And on the R510 you can even get the config, for some odd reason. Well, another cool thing about this research is that I did the entire research with device emulation. Only when I actually found a vulnerability did I actually buy the device.

Now I would like to talk about my device emulation environment. I'm using my simple yet useful emulation Dockers from my Docker Hub. I've got pre-built QEMU systems for different architectures such as ARMv7, ARMv6, MIPS and MIPSel, and these Dockers really helped me emulate and set up different routers for this research. I used a Docker that wraps an ARMv7 QEMU that runs a Debian kernel. And now I would like to show you how easy it is to set up an environment, and that, of course, does not work. So let me just... just a minute. OK. So just two more minutes and I'll show the video. OK. Got it. It's awesome. OK, so here I'm just starting my Docker with port 5575, and it just starts up. It takes a few minutes, so I cut it out from the original video. All right. Now I'm gonna go to the firmware extraction folder and just tar the squashfs root file system. And now I can just copy it using SCP to the port the Docker mapped to. Now I just SSH to the Docker and I've got the tar.gz file. I'm gonna extract it, get into the folder, sorry, get into the folder, and just use chroot to change my root to this squashfs. Any minute. Yeah. All right. So now I'm running chroot to change my root, and now I've got the Ruckus banner and the BusyBox. I drop into BusyBox and I can see the init scripts, which are the startup scripts. Okay, this is it for the Dockers, and let's start with some exploits.

So this is my first RCE. In this attack I will fetch admin credentials without authentication and then pop a BusyBox shell through SSH. And let's start with the live demos, because that was our fun. And what could possibly go wrong? Right. Just about everything. But yeah. All right. So for this I've got my terminal and... awesome. Let me just do this. Okay, great. So now I'm going to fetch a file from the router. So I'm just using wget, and this is my router IP address, the one here, and I am fetching a file from /user/wps_tool... oh shit. Thank you very much for that. Yeah, live demos, right. Yeah, they told me not to do that. OK. So this is the right terminal, you know. And let me just adjust it as well. Got it. So this one you see, right? Yeah. OK. So I'm using wget and I'm just gonna fetch a file from the router IP, from /user/wps_tool_cache/var/run/rpmkey.rev. So I probably got a typo here, and yeah. So now I've got the number 8, and now I'm gonna fetch the same file, only with 8, and pipe it through strings and grep for something called... login. And hopefully I've got a typo. Okay. Got it. Login. Yeah. I'm gonna copy-paste the hell out of it with the right number, which is 8, and this is it, finally. So those are the admin credentials. I just fetched them unauthenticated, just like that. And now to finish my exploit, I will just log in through SSH using the actual credentials I just fetched, and now I will enter debug mode, script mode, and use the exec command to run /bin/sh. And as you can see, I've got my BusyBox, and I am the admin and I am part of the root group, and this is it. Thank you.

Applause.

Well, that was tough. OK, so let's understand what we just saw here. So I started by examining the web server configuration. Ruckus uses Embedthis as its web server interface, and this is how the configuration file looks. We see that it uses /web as its web root directory, and we also see that it uses the ejs handler for the .ejs and .jsp extensions. EJS is the Embedded JavaScript backend language that the web server uses. But the most important thing is what we don't see here: we don't see any file fetching request restriction. That means I can fetch any file from the /web directory regardless of its file extension or type. In other words, no access control whatsoever. Yes.

So now that I know I can fetch any file, I would like to look for some interesting file to fetch. There are 67 files that are not standard web pages. Eight of them are symbolic links, and one in particular is this symbolic link to /tmp. That means every file I fetch from /user/wps_tool_cache is going to be fetched from that /tmp folder. Yeah. And since I was emulating the router using QEMU system mode, I could run the system init scripts, and I noticed that some files are written to /tmp on system startup. One of them was this one, rpm.log. This log shows that every day the router writes a backup file called rpmkey with a different revision number, and that file looks like a really good file to fetch. The problem was that it is written to /var/run, and I can only fetch files from /tmp. Well, it's not a problem, since /var/run is also symbolically linked to /tmp/var/run. Yay for me, right?

So now let's see how I was able to fetch this rpmkey file. So yes, /user/wps_tool_cache is symbolically linked to /tmp, and /var/run is symbolically linked to /tmp/var/run. Now I needed to get the rpmkey revision number; here it's 11. Well, there is a file called rpmkey.rev that just stores this number. So I first needed to send a request to get this number, and after that I can just fetch the right rpmkey file. Okay. So now that I've fetched this rpmkey file, I notice that it contains some binary data, so I just pipe it into strings, and as you can see here, these are the admin credentials, in plain fucking text, right? Yeah. Okay, great.

So to finish my RCE I wanted a BusyBox shell. SSH can be enabled from the web interface, but the thing is, Ruckus are using their own CLI. At first I tried to run BusyBox with a hidden command called !v54!, and as you can see, it's supposed to exit the CLI and enter the operating system shell. But the problem was that it needed the device serial number, and I don't necessarily have this number. So I had to use a different approach. Eventually I used the CLI debug script mode that was only supposed to run stored shell scripts. However, this exec command is vulnerable to path traversal, so I just used it to run /bin/sh and I got that BusyBox shell as root. Awesome.

So after this beginner-level CTF vulnerability, it got me thinking: there are probably more vulnerabilities to discover here, and I was wondering in how many ways I can get code execution on those devices. So this is my second RCE attack. Here I'm exploiting a stack overflow vulnerability with an unauthenticated request to an Ajax page. Okay, but before that I would like to talk about the Ghidra scripts I wrote that really helped with the reversing process. So Ruckus has left all the log strings in the binary. As you can see here, we've got debug, error, info, warn and just about everything. And here we can see Ghidra's decompiled code for a function and its debug log print. What's even better is that Ruckus also prints the function name for every log print. So I wrote a script that just searches for this log print and renames the unnamed function with the function name from that log print. So here I just updated the name to the one from the log print instead of the undefined function name. And here we can see a binary called emfd. I was able to reduce its undefined functions from 1500 to less than 900, which made the reversing process way shorter. Based on that script, our team member Vera Mens and I wrote a generic script for Ghidra. This script searches for patterns in Ghidra's decompiled code and renames the function with the matches. Now I would like to show you how the script can work not only on Ruckus code. Here is Ghidra's decompiled code for a Dropbear executable that was compiled with the trace option. Here we see that its log string contains a function name. Our script uses a regex to match the log print and group the function name. Then it replaces the function name with the group match. So this is how we managed to retrieve function names for the Dropbear binary as well. Okay. Yeah. So this script is already available on the Aleph GitHub account. Feel free to use it, it's really useful for many projects.

All right. But back to my second attack. So now I would like to present three important binaries in the web interface. The first one is /bin/webs. This is the actual Embedthis web server. It handles HTTP requests and executes handlers according to the configuration we just saw. It then sends commands through a Unix domain socket to emfd. emfd is an executable that contains the web interface logic. It maps functions from the web pages to its own functions, then implements web interface commands such as backup network configuration, retrieve system information and much more. libemf.so is a library that is used by emfd for web authentication, some sanitation and some code execution. And now in a diagram. So webs listens on HTTP/HTTPS. If it receives a JSP page, it uses the ejs handler to pass the function to emfd. emfd then checks if the function name is mapped, and if so it calls the function pointer, and eventually emfd runs some kind of shell command, for example ifconfig, iptables, route, etc. I will get back to this later, but look at this carefully, because this is where everything gets messed up.

Okay. For example, when I'm sending an HTTP request to /admin/_updateGuestImageName.jsp, webs invokes the ejs handler. This handler uses a function called delegate, which sends the commands to emfd through a Unix domain socket. emfd then maps every string it receives to a function pointer and runs it. Here we see that the JSP handler uses the uploadVerified string to send to emfd, and emfd then maps this string to a function also called uploadVerified.

All right. Next, let's talk about how the authentication mechanism works. So there are four permission levels: admin, user, FM and guest. Here we see that each user has a page where to delegate their auth function call; for example fm_login uses auth_fm and user_login uses auth_user, and so on. Once a user is authenticated, his session is stored for a specific period of time. Each JSP page should check if the session is valid before calling the delegate function. Here we see that _cmdstat.jsp calls session_check before it calls ajax_cmdstat, and that means it checks for a valid session before it runs ajax_cmdstat. All right. So I used grep and got 67 pages that did not perform any kind of check. I then listed all the different functions that can be reached without authentication, and one function that looked very interesting was this ajax_restricted_cmdstat. Here we can see that it does not perform the session check, and it can be reached by sending a request to /tools/_rcmdstat.jsp. But enough with the talk. Let's go to my second demo, which is the stack overflow exploitation. Right, again I'll just use my terminal. Yeah. Yeah. Just this one. Just a minute. Okay. Here am I. Yeah. Okay. So now everybody sees. Yeah. Awesome. So now first I would like to telnet to my router on port 12345 and see that nothing works, which is true. And now this is my payload. So this is my overflow, and I'm gonna call telnetd with -l and -p 12345. Okay. And now let me just POST this payload, and hopefully I will not have any typos. God help me. /tools/_rcmdstat.jsp. Great. So in a second it should work. Awesome. So I got a message, okay, which is a great indication. And now I can just telnet to my router on port 12345, and as you can see, I am the admin, and again I am part of the root group. Yeah. This is it. Thank you.

OK, so to understand how I was able to exploit this stack overflow, I would like to explain how the Ajax request works. I was able to run both the Embedthis web server and emfd on the QEMU system emulation, and that's how I was able to inspect a standard web request like that. Here I call the _cmdstat.jsp page, which is mapped in emfd to a function called ajax_cmdstat. ajax_cmdstat receives an action attribute from the request. If the action is docmd, it uses something called cmd_adapter; docmd then calls the docmd function. docmd is a large switch-case function that executes different commands based on the attribute it gets. In this example it gets get-connect-status, which calls a function called cmd_get_internet_status. Now let's look at a page that does not perform a session check. emfd maps _rcmdstat.jsp to a function called ajax_restricted_cmdstat; this is what the R stands for. The function also calls ajax_cmdstat, but with a very limited set of commands. This specific request passes zapd to docmd, and it runs an executable called zap. This is how the zap command runs in the shell. We see that we can control its server and client arguments by passing the attributes server and client. The thing is, server and client are not sanitized well enough, so I can just pass unintended arguments to zap, for example -d with a path under /tmp: crash me, please.

OK, so I was able to find zap's sources online. Ruckus describes it as a robust network performance test tool. And when I examined the code, I noticed there was a stack overflow in the -d argument. Here's the code that parses the -d argument. Let's see what it does. So first it replaces all comma characters with spaces. Then it copies every segment to a 10-byte buffer, since it expects a number. This is a very small buffer. And, well, they tried to be secure by copying the string with strncpy, but they use the entire string length for n, so it doesn't really protect the string in any way, and I was able to smash the stack. As for mitigations, the R510 uses both NX and ASLR. To overcome NX I decided to use ROP gadgets. I used a gadget to run system with a pointer to my payload. In this case, I'm using telnetd that runs /bin/sh as the login shell on port 12345. As for ASLR, since zap is forked from emfd, I can use a brute-force approach and by that overcome its 9 bits of randomness.

Okay, so now I would like to look at the request that runs the zap command again. So if I can control the server and client attributes, why can't I just use it for command injection? To understand this, I need to understand how the zap command is being executed. Here we can see that docmd uses exec_cs_cmd_implementation to run zap. exec_cs_cmd_implementation is a function in libemf. This function first calls find_cs_wrapper and then it uses vfork and execv to execute the shell command. Let's look at find_cs_wrapper decompiled. We see it looks for /bin/cs_wrapper.sh; if the script is available, it updates a global variable that I named cs_wrapper_path. Now exec_cs_cmd_implementation executes /bin/cs_wrapper.sh, and in our case it runs the zap command with the arguments from the Ajax request, such as server and client. Here we can see the line count of cs_wrapper.sh, and it seems like a very big script, but it handles many commands. What interests me is the zap execution command. Here we see that /bin/zap is being executed with the OPTS variable. This variable receives both the server and client values from the request. However, OPTS gets its value within quotation marks, and that stops me from injecting code. And well, that made my life suck for a while, to be honest. But what kept me entertained and motivated was that Ruckus had the weirdest CLI in their firmware.

All right. So before I continue to my next attack, I would like to show you the other Ruckus CLI. So this is the CLI I had to escape for the first attack. This is an entirely different CLI that is also being used by the device. I noticed that it can be reached after system startup. This CLI also has the hidden command !v54!, that's also supposed to escape to BusyBox, but it also needed the device serial number, and it was no good to me. However, this !v54! command uses content from this file, /var/etc/system_access. The content of the access file was written by another hidden command called ruckus. I discovered that by passing this string to the ruckus command, I was able to inject code and escape the shell. But now for the weird stuff. When I called the ruckus command to save my payload, this is what I got. And this one. And this one. Yeah. What? Bow. Bow and ruff. Yeah. The Ruckus CLI actually barks at me. Yes. So when I called !v54! to execute my command injection, I was asked "what the chow?", as in chow chow dogs. What the actual fuck? No, seriously. Well, in the end I was able to run a BusyBox shell, and I didn't really care about those weird Easter eggs, but it was still pretty entertaining.

Yeah, well, I still wanted to achieve pre-auth remote code execution by command injection, and I just knew that emfd had to be vulnerable to it. It took me some time, but eventually I made this possible. And this is my last attack, where I found a command injection vulnerability and I was able to reach it without authentication by writing a web page. All right. So as I mentioned before, emfd executes code in a really messy way. emfd sometimes uses libemf, other times calls the shell script cs_wrapper, and sometimes it just runs the command itself with libc. These are all the different functions that emfd uses to execute shell code. Here we see that there are 107 libc system function calls. So I had to find a page that uses this function without sanitation. I was able to find four functions that call system and were vulnerable to command injection, and today I will be showing the last one, which is cmd_import_avpport. All right. So to reach the vulnerable function, I need to send an Ajax request to /admin/_cmdstat.jsp, and my request should look like this. I'm passing a command with cmd equal to import avpport. This also uses docmd to call the cmd_import_avpport function. This function uses the libc system function unsafely. Here we see the function's decompiled code. All I had to do is to pass a command injection in the uploadFile attribute, and as you can see, it just executes the code, right? So this is a win. Well, not exactly. I still needed to be authenticated to reach this function. Well, the problem was that the _cmdstat.jsp page checks for a session and only then calls the vulnerable function ajax_cmdstat. All right. So I needed a different approach. And what if I could write a page that only calls ajax_cmdstat and does not use the session check? It might actually work. For this I decided to use that zap executable again. It has a lot of different arguments, and we already know that we can pass unintended arguments to it without authentication. One of them sets a path for zap's log. However, writing a log is not enough for me, I need to control the content. For this I used the tag, sub and note arguments. They take a string and just write it in the log file for some extra information. Here is the log file writing code. It gets the file path directly from -l, and I can control the log content by passing the arguments note, tag and sub. Okay, great. But there are more problems to solve here. I wanted to write a page, and it has to be in the /web directory. The problem was that /web is part of the squashfs file system, which is a read-only file system. I needed to find a writable path inside the web directory. Luckily, the /web/uploaded directory is symbolically linked to /writable/etc/airespider, and this directory is on a writable file system. Yay for me. Okay, so now I knew that I can write a file with my content to the web directory. The only problem left to solve was that the zap executable needed to connect to something called the zapd station, otherwise it won't write anything to the log file. Since I got zap's sources, I could just compile zapd, which is that station, and now I can set zap to connect to the station on my computer. Awesome. So this was the request I needed to send to execute this zap command. Notice that I used two arguments, -s sub and -t tag, to write my delegate call. Finally, zap wrote the file to /web/uploaded/index.jsp. Although this page was full of junk, that didn't bother me, because what interested me was the delegate call to the vulnerable function. Now I can chain those two vulnerabilities together. First I write a page to /web/uploaded/index.jsp. Now I can send a command injection payload to the page I just wrote, and this is the time for my last demo, which is the most difficult one. So good luck to me.

OK, so first I will need another terminal. Yep, this is it. And so in this one I will run zapd, which is the station, and I will listen on port 4444 with netcat. Great. And now for my other terminal. Okay, great. So now I would like to show you the page-creating payload. So as you can see here, I'm using the server and set it to my computer, and I'm using -l to write a page and -t and -s to write the delegate function call to ajax_cmdstat. And now I can just POST it to my router, to /tools/_rcmdstat.jsp. Typos... and in a minute it will just reply and say OK. Awesome. So now I wrote the page. Next, I would like to show you my command injection payload. So here I am using nc on the router, and with the netcat I am just connecting to my computer on port 4444 with a reverse shell, and again I will POST this command injection to the router, on /uploaded/index.jsp. Oh shit. Sorry about that. Okay, again, great. And now, hopefully, just hopefully, I'll see that I am the root user. One more second. Again. And now... I'm root. Yes. Okay. Okay. Yeah. Wow. That's right, demos, how about that? You know, you don't see them anymore. Okay.

In conclusion, I demonstrated three pre-auth RCEs today. The first one was credential leakage with a CLI jailbreak, the second one was a stack overflow without authentication, and the last one was command injection with authentication bypass. I also shared my Docker setup and introduced a very useful Ghidra script that helped with my research and can help others. Ruckus Networks was informed about these vulnerabilities. I requested 10 CVEs for this research and they confirmed these CVEs. If there are any Ruckus users here, you should stop what you're doing and go and check that you're running the latest firmware update. If not, you may be a victim of some very serious abuse. So again, please check your firmware ASAP. Okay. And well, this research was a lot of fun. It involves all sorts of different vulnerabilities. It was also an excellent opportunity to check our Docker emulation environment, which proved itself very useful. A blog post with all the details will be posted, but since Ruckus asked really nicely, I will wait with my post until January 18th. So stay tuned for my blog at the Aleph Research blog, and while you're there, check our amazing research. And this is it. Thank you very much for listening.

Thank you for this great talk. So now we have quite a lot of time for Q&A. So you already know the game: queue up at the microphones or ask a question on the Internet. We will today start with the Internet. So please.

All right. So there are a couple of questions here. The first question is: will this work on Unleashed from ...?

Yes, it definitely will. Not the latest, but the entire research was conducted on that Unleashed version.

All right. Now, let's do an in-room question first. Microphone number one, please.

Thanks for the great talk. First, you mentioned that there were 107 handlers which called system at some point, and I hope you didn't check them manually. So my question would be: you probably used Ghidra to search for those. How would that be?

Yes. So the system reference count just gave me a really good indication that they're doing something wrong. And when I actually searched for command injection, I first looked at what the reachable pages that use system are. So that narrowed the list to something smaller, which was around like 12, 15 or so. So the command injection hunting was done pretty much manually with Ghidra. No fancy scripts there.

So no analyzing of the call chain in Ghidra?

No.

OK, thanks. All right. Microphone number two, please.

First of all, let me just express a "what the actual fuck, man?" Secondly, from a networking consultant perspective: the 1.1.1.1 usage in your scripts. It's easy, but please don't do it, because people tend to use 1.1.1.1 as a lead to an IP address in their systems, for dummy IP addresses, which is actually a DNS server on the public Internet. And just a comment, and the extra question is: all your attack vectors are against when you are able to reach this system on a layer 3 basis, right?

Yeah, correct. So all of the attacks are from both the Internet or the LAN. But yeah, only layer 3.

OK. And in the end, I can only offer you that I have some hardware from an orange vendor, which I can offer you if you want to do some further exploration on other vendors.

Yeah. Why not?

Oh, all right. The Internet has another question, I think.

Right. So Brendan wants to know, is the Ruckus SmartZone model also affected?

No. Only access points, and some of the vulnerabilities, as I said, also work for the ZoneDirector.

All right. Number two, please.

Thanks again for the entertaining talk. I noticed that on some of the slides there was like a hardcoded cross-site request forgery token. So I just wanted to ask, what's up with that? And were you able to find more places where there are basically security boundaries crossed by a hardcoded string like that?

Yeah. So we found... so I tried to focus my research more on the low level, like stack overflow and command injection from the binary analysis. But yeah, we saw some web vulnerabilities. One of them is a CSRF, and another might be with the tokens that are still hardcoded. There are a lot of things to keep on looking at in those firmwares.

So you didn't report that one, the hardcoded one?

Not yet.

Okay. Thank you. All right. The Internet.

Right. So how much time did you invest in total for ripping this device into little pieces in so many ways?

So it took me one month. The first exploit I found, I found relatively fast; I think it took me around two days. And after that, the other analysis took me around 3 weeks or so.

All right. Microphone number two.

Thank you for this cool talk. I really enjoyed it. And the first bit of the presentation was a little bit fast for me, the Docker part. How did you discover that you can run the Ruckus firmware in your own Docker container?

Can you please repeat your question?

How did you discover that you can run the Ruckus firmware in your own Docker container, so you can go through all these flows?

Yeah. So I skipped a few steps. So I basically used binwalk. I downloaded the firmware, used binwalk, and binwalk usually extracts the squashfs, which is the firmware file system, if it's there. So I just copy it to my Docker, and because it's a cross-architecture Docker, it runs the ARM architecture, and I was able to actually run the code from the firmware, the user space code.

Okay. Thank you.

Sure.

All righty. Any other questions? You have 30 seconds to invent a question. Do you have 30 seconds of content?

No. I can do a fancy dance or something like that.

All right. Yes. ... I wish I could. I wish I could. All right. Still no questions. Well, then a good night to everyone of you, and please thank our speaker again.
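The zap -d parsing bug described in the talk (a 10-byte per-segment buffer filled with strncpy whose length argument is the source string's own length) is the kind of defect a practitioner wants to see next to its fix. The following is an added example written for this page; it is neither zap's source nor the speaker's code. The 10-byte buffer and the comma/space splitting are taken from the talk, everything else (function names, the input strings, the fail-closed policy) is my own assumption. It puts the unsafe pattern beside a bounded parser that rejects anything that would not fit, plus a small triage function for checking a captured -d value without ever running the vulnerable path.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not zap's source or the speaker's code. The talk describes
 * zap's -d parser as: replace commas with spaces, then copy each segment into
 * a 10-byte buffer with strncpy(dst, src, strlen(src)). The buffer size and
 * the separators follow the talk; all names below are assumptions of mine. */

#define SEG_BUF_SIZE 10   /* per-segment buffer size as described in the talk */

/* Return the start of the next comma/space-separated segment of p (NULL at
 * end of string) and its length in *len. Treating ',' as a separator is
 * equivalent to first replacing every ',' with ' '. */
static const char *next_segment(const char *p, size_t *len)
{
    while (*p == ',' || *p == ' ')
        p++;
    if (*p == '\0')
        return NULL;
    const char *start = p;
    while (*p != '\0' && *p != ',' && *p != ' ')
        p++;
    *len = (size_t)(p - start);
    return start;
}

/* The unsafe pattern. strncpy's third argument is the SOURCE length, so it
 * never bounds the copy: a segment of 10 or more bytes runs off the end of
 * buf into the rest of the stack frame. Only call this with short numeric
 * segments; anything longer is exactly the overflow from the talk. */
int parse_d_unsafe(const char *arg, long *out, int max_out)
{
    size_t len = 0;
    int n = 0;
    for (const char *seg = next_segment(arg, &len); seg != NULL && n < max_out;
         seg = next_segment(seg + len, &len)) {
        char buf[SEG_BUF_SIZE] = {0};
        strncpy(buf, seg, len);            /* n == strlen(segment): unbounded */
        out[n++] = strtol(buf, NULL, 10);
    }
    return n;
}

/* Bounded replacement: a segment must fit in the buffer with its terminator
 * and must be a decimal integer (zap expects numbers here). Returns the count
 * of values parsed, or -1 if any segment is rejected, so a hostile -d value
 * fails closed instead of being partially accepted. */
int parse_d_safe(const char *arg, long *out, int max_out)
{
    size_t len = 0;
    int n = 0;
    for (const char *seg = next_segment(arg, &len); seg != NULL;
         seg = next_segment(seg + len, &len)) {
        if (len >= SEG_BUF_SIZE || n >= max_out)
            return -1;                     /* would not fit, or too many values */
        for (size_t i = 0; i < len; i++) {
            if (i == 0 && seg[i] == '-' && len > 1)
                continue;                  /* optional leading sign */
            if (!isdigit((unsigned char)seg[i]))
                return -1;
        }
        char buf[SEG_BUF_SIZE];
        memcpy(buf, seg, len);             /* bounded by the length check above */
        buf[len] = '\0';
        errno = 0;
        char *end = NULL;
        long v = strtol(buf, &end, 10);
        if (errno != 0 || *end != '\0')
            return -1;
        out[n++] = v;
    }
    return n;
}

/* Triage helper: how many segments of arg would overrun a SEG_BUF_SIZE buffer
 * under the unsafe pattern? Lets you classify a captured request offline. */
int count_overflowing_segments(const char *arg)
{
    size_t len = 0;
    int count = 0;
    for (const char *seg = next_segment(arg, &len); seg != NULL;
         seg = next_segment(seg + len, &len)) {
        if (len >= SEG_BUF_SIZE)
            count++;
    }
    return count;
}

int main(void)
{
    long v[8];
    const char *benign = "10,20,30";                     /* constructed input */
    const char *hostile = "1,AAAAAAAAAAAAAAAAAAAAAAAA";   /* constructed input */

    printf("unsafe parser, benign input: %d segments\n", parse_d_unsafe(benign, v, 8));
    printf("safe parser, benign input:   %d segments\n", parse_d_safe(benign, v, 8));
    printf("safe parser, hostile input:  %d (rejected)\n", parse_d_safe(hostile, v, 8));
    printf("segments that would smash the stack in the unsafe parser: %d\n",
           count_overflowing_segments(hostile));
    return 0;
}
```

The unsafe function is kept only to make the defect concrete; the point of the bounded version is that the limit comes from the destination (SEG_BUF_SIZE) and the expected type (decimal digits), never from the attacker-controlled source length. Because zap is forked from emfd and its arguments arrive unauthenticated via the Ajax page, a parser that fails closed on the whole -d value is the cheap fix; exploitability of the original still depends on the NX and ASLR details the talk walks through.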