Device inspection To remote root Uncovering the sekritz of proprietary software on a fixed wireless terminal and weap0nizing them into a remote exploit Where What Who Ruxmon Melbourne Device Inspection to remote root Tim Noise
Device inspection to remote root
Aug 18, 2015
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Device inspection To remote root
Uncovering the sekritz of proprietary software on a fixed wireless terminal and weap0nizing them into a remote exploit
Where What Who
Ruxmon Melbourne Device Inspection to remote root
Tim Noise
tIM NOISE
• twitter/dnoiz1 • github/dnoiz1 • mIRC/dnz • streetz/notorious D N Z • [email protected]
Internet subscriber and pirate impersonator
Fixed Wireless Terminals
• Linux Based • System on Chip • Provide PoTS and ADSL • 3G/LTE Backhaul • Battery and Solar • Remote Managed • Deployed in Clusters
For people without copper or fiber
External Connectors
• Ether over USB
(DHCP) • Aerial socket • SIM Card slot • 2 RJ11 ports for
ADSL CPE and PoTS
Things we can probe
External Connectors
• SIM Card slot • 2 Management Ethernet Ports (NO DHCP)
• 2 RJ11 power management ports
Things we can probe
Whats Inside?Rub the torx and the genie comes out
CPU
NAND0
NAND1
UART
Removable CF Card for /
Whats Inside?Rub the torx and the genie comes out
Mini PCMCIA3G Modem
Boot ProcessRedboot the buspirate, yarr
GND
RX
TX
VCC / NC
Gaining ROOTalways want that uid 0 - the usual tricks
• Removable root Media • hashcat / jtr
• kernel paramaters • init=/bin/sh • single user mode
• Lucky for us, the root password is
printed on the PCB (not even joking)
MANAGEMENT InTERFACEthe dububdub
MANAGEMENT InTERFACEthe dububdub
Logging INConnecting using the management USB interface
PortsANDProcessessWhats running on this thing?
PortsANDProcessessWhats running on this thing?
PortsANDProcessessWhats running on this thing?
Back to the SourceWhere is this process stored and launched from
DECOMPYLEUsing multiline strings as comments is great!
Vulnerability 1: UNPICKLESerializing objects its so convenient for passing them over a udp socket
Vulnerability 1: UNPICKLESerializing objects its so convenient for passing them over a udp socket
Putting it all Togethermaking use of our discovered vulnerabilities
Putting it all Togethermaking use of our discovered vulnerabilities
Putting it all Togethermaking use of our discovered vulnerabilities
Putting it all Togethermaking use of our discovered vulnerabilities
DEMO
One Step FURTHER
• Connect back payloads • Dial 1900 numbers for profit • UDP broadcast the attack • Intercept data and telephony • Insta-botnet / onion network • Other bad things
For internet bad men
QUESTIONS?
tIM NOISE
• twitter/dnoiz1 • github/dnoiz1 • mIRC/dnz • streetz/notorious D N Z • [email protected]
Internet subscriber and pirate impersonator
Related Documents
