To start with, I want to give a huge shout out to the ISE(Independent Security Evaluators) for running the IoT village and the SOHOpelessly Broken challenge at DEFCON 26. I really enjoyed the village, contest, people and the talks! Please keep up what you're doing!

Today, I wanted to discuss the analysis and description of CVE-2018–12313 that was analyzed in this video by ISE researcher Shaun Mirani. An article describing the CVE can also be found here. I would like to thank the researchers at ISE for posting a exploitation video about this CVE. Not only that, but having a progression of how the device was actually tested. I personally find the hardest part of penetration testing to be actually finding the exploitable section, rather than exploiting it. Once the vulnerability is known, I believe it's typically trivial to do. This video gave me so great insight into how applications are actually tested, which is really appreciated! But, this could be an even better video.

I would even ask to take this a step further; to show a live stream of the entire penetration test on the device itself. Even though it would be quite boring and uneventful to do this, I believe this would provide so much benefit to the up-and-coming people in the IoT penetration testing area. Most of the time, I don't even know where to start with a penetration test! In the video, it directly goes into dealing with authentication; but, I'm not sure why they did that. So, by streaming the entire process the community could get a better understanding of the practices of good penetration testing. Even without this, the video was extremely insightful and awesome! I would like to see more videos like this in the future from ISE.

My Thoughts

This video was quite amazing at demonstrating the vulnerability. However, I'd like to set the bar even lower for people/ take notes for myself to use in the future. Below are a few takeaways from the penetration test. To start with, talking about basic terms to understand the situation should be done first.

Terminology

NAS(Network Attached Storage)

A good link for describing a NAS can be found here. Essentially, a NAS is a computer level, file storage system. The network aspect of it gives users access to files, regardless of where they're at.

SNMP(Simple Network Management Protocol)

This article from Microsoft says it really well by "SNMP, which is widely used in local area networks (LANs), lets you monitor network nodes from a management host...Using SNMP, you can monitor network performance, audit network usage, detect network faults or inappropriate access, and in some cases configure remote devices". SNMP allows an easy way to access the file system, while still scaling. The scaling of very large file systems can be very difficult to deal with. So, SNMP can be a very helpful thing.

CGI(Command Gateway Interface)

A CGI is a way to give the user of the product a way to interact with the application. I would say this is quite similar to an API(Application Program Interface), if the readers of this have been in the software development world at all. However, there is somewhat of a difference. An API is protocol specification between the client (person using the site/API) and the server. While at CGI is used for extending the usage of the web interface. Typically, a CGI helps with dynamic content of the page.

Tools/Technology Used

The toolkit of a hacker cannot be understated! Being able to understand what the researcher uses to find and exploit the vulnerability is quite important.

Burp Suite

One of the greatest gifts from the network pen testing community is Burp Suite. Burp is used to intercept, automate and understand network requests that are being made. Every pen tester worth their snuff likely knows how to use Burp. We'll see how useful this ends up being with the rise of HTTPS Everywhere though.

IDA

Can people read binary code? Well, if you really wanted to, then I'm sure we could figure it out. However, there is a much better way to understand the inner workings of any executable file; this is IDA. People use IDA to take a binary file and disassemble it into the lowest possible computer language that humans can understand, assembly. IDA does much more than disassemble the code though! It draws a diagram for the workflow of the code, making it much easier to read. There are a lot of other features in IDA, but that's for a different day.

Shell Scripting

If an exploit is found, then it's awesome to be able to automate the entire process! Because this is a RCE(Remote Code Execution) it's nice to have a reverse shell on the applications server. In order to exploit this, some coding is required in order to exploit it. Because of the tools made for SNMP it made sense to code the exploit in a bash script.

Telnet

Have you ever used SSH(secure shell) to log into a system? Well, Telnet is essentially an unencrypted version of SSH. It's used to remotely login to a system that the user wants to use.

My Takeaways

The exploit itself is actually amazingly simple! Use a setting edit request to the SNMP configuration file, run the command (which is easy because everything in the SNMP is unauthenticated), start telnet then connect to telnet. However, even if the exploit itself is simple to execute, there's a lot more that goes into discovering this.

The Beginning

Understanding the technology and system is the most important thing when trying to find an exploit. So, I'm positive that the ISE researchers knew all the protocols on the device, the access points and everything about the device quite well before even thinking about pen testing it. This is clearly shown by how much the researcher knows about the device while giving the demonstration.

The goal of the team was to get an easy to use remote code execution on the server, which they certainly achieved. A good place to start searching for an RCE is to get access into the system where we're not supposed to have access to. Most people do not create security in layers. So, once the initial layer is broken, it's much more likely to find vulnerabilities. I believe this was a good starting point and I appreciated their reasoning for why they went after the authentication first. To test for the authentication issues, ISE researchers removed all of the cookies and parameters associated with the auth process. This was easily editable and repeatable using Burp suite. I did not realize how amazing Burp suite was until this video. So, to all those hackers out there, download the free version of Burp to get ahead!

The researchers then wrote a quick bash script, and viewed the output to see if the authentication was being done correctly. What they found out was that the SNMP protocol was not doing authentication properly! So, this looked like a good target to pursue.

Interesting Initial Thoughts

The methodologies for diving further into the weeds were interesting to me. To start with, he wanted to keep escalating his privileges further until he found a good attack point. The researcher found this with the unauthenticated attack. After this, he kept diving deeper and deeper until he thought it was a viable vector for attack.

Once he chose the SNMP protocol, he decided to see what else he could find on the system. Because there is direct access to the CGI's, or application protocols being ran, Shaun Mirani SSH'ed into the box directly to view the files. Because they ended up being x86_64 binaries, he obviously couldn't read it. So, now what? He did two unique things: used the strings command on it and then took it off the system to use IDA on the binary. The strings command displays all the continuous chain of alphabetic characters in the file. This is used to see all functions, host names, passwords, parameter or anything interesting. The information is very valuable to anyone trying to understand the executable. Secondly, he sent the file to his local machine to do static analysis on it. This gave him the ability to use any of his tools on the file.

Analysis of CGI

Until going to DEFCON, I did not realize how important it was understand assembly! Most, if not all, of the exploits discovered in the IoT village talks relied on dumping the firmware onto their local machine then analyzing the functionality of it. Clearly, understanding assembly is extremely important for exploitation. So, I plan on digging into several books, that were recommended to me by Shaggy, the lead penetration tester of Playstation. Just in case your curious, he recommended Introduction to 64 Bit Assembly Programming for Linux and OS X for learning assembly then Hacking: The Art of Exploitation and The Shellcoder's Handbook: Discovering and Exploiting Security Holes for understanding how to use the knowledge of assembly to exploit flaws. Shaggy believed in buying books to gain the knowledge needed for exploitation. So, I will follow in his footsteps!

Now, it was time to use IDA in order to disassemble the binary. IDA opens up the assembly in a very nice manner, giving the user an easy view to trace the assembly code. Once in the assembly I was surprised where Shaun Mirani started from: the main file. I figured he'd search for interesting functions or keywords. But, he wanted to understand the CGI's flow from the beginning access point. His first walk through was really rough, just going through the workflow of a single set parameter in the URL. But, if he saw anything else interesting then he'd briefly glance at what was going on, then return to the workflow he'd started on.

Control Over What?

Another important asset of the research was understanding what he controlled, as the hacker. By understanding which parameters and inputs were controllable, Shaun Mirani was able to evaluate what the proper attack vectors were.
Takeaway: Understanding what is controlled by the hacker in the application is extremely important for exploitation. These are the areas that a user can manipulate for their own purposes.

Remembering What Is Important

One peculiar thing that I would like to mention were his memory of names being used. He remembered configuration files, parameters, function names and more. This makes sense because the analysis of the names led him to the SNMP protocol config file.
Takeaway: Remembering names from around the applications are important; if the name appears often then it is likely important. But, remembering parameters and other things often give the pen tester a better understanding how the application is using each individual component.

Entering the Exploitation Zone

Understanding the system and how it works is extremely important to being able to write a good exploit. I found the researchers understanding of the system was quite impressive to me; especially the little things such as knowing that the parameter was likely a timestamp. Or In order to add his own entry to the config file, through a parameter, he used a newline character (\n) in order to add a new line to the configuration file. Knowing that the config file was separated by newlines is simple and obvious. But still, having this understanding of the system is quite vital to a successful hack.

Deeper Research

Even though an initial understanding of the system would be awesome to have, that is not usually feasible. Most people are not going to have every single part of the SNMP memorized! So, being able to gather information about the system, quickly ends up being an important skill. The ISE researchers figured out that the config file was editable by any user of the system. So, they dove deeper into how the system is used. Simply by googling "snmpd conf" then searching for "command" he found already existing functionality for executing shell commands within this file. How convenient!
Takeaway: Always research deeper into how the system works. By doing this, the hacker can better understand where the possible exploits may lie.

Other Settings

Exploiting vulnerabilities in a system is quite tedious and difficult to do. Conceptually, we're trying to make the machine act in a way that it was not designed to do! So, this makes complete sense. Shaun is quite tedious checking his work; to positively clarify each parameter, variable, function and call is done perfectly. Otherwise, the exploit will not work. It should also be noted that items set previously, by the system, should just be left alone. For instance, when I was trying to bypass filtering of evil HTML tags. that was being done on the client side, I decided to run post requests in curl. The issue is that the request would just get rejected, no matter how many times I tried to alter it. But, then I realized that I had forgotten a header to set the request header to have an XML request. Then, magically it worked!
Takeaway: Be very cautious, intentional and tedious when making changes to important features of the system. Otherwise, you'll be playing with too many variables and are probably not actually testing the application to way you think.

Fun Part!

Exploit time! Shaun added a telnetd call to the config, ran the command using the built in SNMPwalk then connected to telnet using netcat.Then, boom! bin/sh achieved. In order to automate this process, the researchers wrote a quick bash script to make this work. I highly recommend watching the video of the ISE reseacher walking through the entire process. These are just my personal takeaways, which should not take precedent over the researchers in detail explanation.

Conclusion

Hope you learned something from this! I really enjoyed listening to a professional pen tester go through his mindset when testing something. I look forward to becoming a better pen tester and finding exploits myself!
Cheers from Maxwell Dulin (ꓘ).