Exploitable vulnerabilities are attention-grabbing, but need to be considered in proper context. Just because a design decision can be abused for ill gain doesn't always mean it was the wrong design decision.
In the news this month were numerous stories about vulnerabilities in Comcast's Xfinity home security system. The systems use wireless sensors to detect opened doors and windows, and to detect motion when a home is expected to be vacant. Some of the stories made it sound as though owners of Xfinity security systems were now a burglary waiting to happen.
Wireless sensors make installing a security system very easy. At the same time, wireless sensors are vulnerable to radio frequency interference - whether incidental or intentional.
Security products by necessity walk an often-grey line between function and usability. On the one hand, elaborate, multi-layer controls can provide a high degree of security, but at a high financial as well as usability cost. As an extreme example, Jake Williams writes of the Australian government resorting to hand-delivering submarine plans and communications, to eliminate entirely the chances of communication being intercepted electronically.
Thursday, January 21, 2016
Tuesday, January 19, 2016
Administrator logout flaw in ASUS wireless routers
ASUS wireless routers have an optional feature to log the administrator out after a period of time. That feature was implemented in April 2014, in firmware 3.0.0.4.374_5656, in response to input I gave to their engineering team while correcting a previously reported flaw. Prior to then, if you logged into the router administration UI and did not explicitly log out, your session remained active forever.
While there are scenarios where you might want to keep a logged in session, remaining logged in makes it possible for a malicious hacker to use that session by tricking you into clicking a link. Researcher Bogdan Calin describes this sort of attack in a post he wrote a few years ago. His demo relies on guessing the admin password, but that is not necessary if you are already logged in.
The aforementioned firmware added an optional auto logout feature, so problem solved, right?
Well, not entirely.
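The idle-logout control the firmware added is easy to get wrong in either direction, so here is an added illustration (my own code, not ASUS firmware or anything from the router) of a server-side session table with a sliding idle timeout plus an absolute lifetime cap; the timeout values and the fake clock are assumptions for the demonstration, and the "never expires" configuration reproduces the pre-2014 behaviour described above.

```python
import secrets
import time

# Assumed defaults for an admin UI: 10 minutes idle, 8 hours absolute.
IDLE_TIMEOUT = 10 * 60
ABSOLUTE_TIMEOUT = 8 * 3600


class SessionStore:
    """Server-side session table; the token is what the browser stores in a cookie."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT, clock=time.time):
        # idle=None and absolute=float("inf") give the old "logged in forever" behaviour.
        self.idle = idle
        self.absolute = absolute
        self.clock = clock  # injectable so tests can move time forward
        self._sessions = {}  # token -> {"user", "created", "last_seen"}

    def login(self, user):
        token = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
        now = self.clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def logout(self, token):
        self._sessions.pop(token, None)

    def authenticate(self, token):
        """Return the session's user, or None (and drop the session) once it has expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        idle_expired = self.idle is not None and now - s["last_seen"] > self.idle
        absolute_expired = now - s["created"] > self.absolute
        if idle_expired or absolute_expired:
            self._sessions.pop(token, None)
            return None
        s["last_seen"] = now  # sliding window: activity extends the idle deadline
        return s["user"]

    def live_sessions(self):
        return len(self._sessions)
```

A timeout only narrows the window in which a link-click attack can ride an existing session; state-changing requests still need an anti-CSRF token, which this store does not provide.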
Tuesday, January 12, 2016
Gnome in Your Home Conclusion: Meet the Villain
- Prelude: The Quest
- Part One: Wireless Packet Analysis
- Part Two: Firmware Analysis
- Part Three: Hunting Gnomes with Shodan
- Part Four: Global Pwnage
- SuperGnome 1: Password Reuse
- SuperGnome 2: Local File Inclusion, Path Traversal
- SuperGnome 3: NoSQL Injection
- SuperGnome 4: Server-Side JavaScript Injection
- SuperGnome 5:
- Part Five: Meet the Villain
- Or read the entire solution in one LONG page
Part Five: Sinister Plot and Attribution
- Based on evidence you recover from the SuperGnomes’ packet capture ZIP files and any staticky images you find, what is the nefarious plot of ATNAS Corporation?
- Who is the villain behind the nefarious plot?
Prior to launching the challenge in early December, the website showed a clue: "1957 was only the beginning." This being a Christmas-themed event, something immediately came to mind. Dr. Seuss wrote "How the Grinch Stole Christmas" in 1957, so through the first couple of SuperGnomes, I was pretty sure the villain was The Grinch. Upon cracking SuperGnome 04 though, I busted up laughing when the real villain appeared.
Monday, January 11, 2016
Gnome in Your Home Part Four: Pwning the SuperGnomes
Part Four: Gnomage Pwnage
Challenges:
- Please describe the vulnerabilities you discovered in the Gnome firmware.
- Attempt to remotely exploit each of the SuperGnomes. Describe the technique you used to gain access to each SuperGnome’s gnome.conf file.
Useful tools: Burp Suite, Wireshark
Each SuperGnome had a different vulnerability to exploit, and a different way to obtain the gnome.conf flag file. The first four required manipulating web form inputs to make use of foolish design decisions in the web interface. The last one took a different sort of expertise.
Friday, January 8, 2016
Gnome in Your Home Part Three: Hunting Gnomes with Shodan
Part Three: Internet-Wide Scavenger Hunt
Challenges:
- What are the IP addresses of the five SuperGnomes scattered around the world, as verified by Tom Hessman in the Dosis neighborhood?
- Where is each SuperGnome located geographically?
Useful tools: Shodan, Burp Proxy
Summary: Using Shodan and a unique HTTP header found on the first SuperGnome, finding all five is a snap.
Thursday, January 7, 2016
Gnome in Your Home Part Two: Firmware Analysis
Part Two: Firmware Analysis for Fun and Profit
Challenges:
- What operating system and CPU type are used in the Gnome? What type of web framework is the Gnome web interface built in?
- What kind of a database engine is used to support the Gnome web interface? What is the plaintext password stored in the Gnome database?
Useful tool: binwalk
Summary: Use binwalk to extract the filesystem from a firmware image, explore the web interface, and view the contents of a NoSQL database, which includes a table with cleartext usernames and passwords.
Wednesday, January 6, 2016
Gnome in Your Home Part One: Wireless Packet Analysis
Part One Challenges:
- Which commands are sent across the Gnome’s command-and-control channel?
- What image appears in the photo the Gnome sent across the channel from the Dosis home?
Useful tools: Scapy, Wireshark
Summary: The gnomes communicate with a Command and Control server using covert DNS traffic; the DNS traffic contains base64-encoded commands from the server to the gnome, and a base64-encoded JPG image is sent from the gnome to the server.
Tuesday, January 5, 2016
Gnome in Your Home Prelude: The Quest
This is one of a multi-part series describing my approach to solving the 2015 SANS Holiday Hacking Challenge; watch Security For Real People.com over the next few days as solutions for each challenge are published. After reading, try your hand at the challenges at HolidayHackChallenge.com!
Each December, security training and certification company SANS puts together a highly anticipated hacking challenge. These challenges are a variation on Capture the Flag – digital puzzles designed to test our skills (and in many cases, excuses to learn new techniques). In addition to being a fun way to compete with peers, learning new attack techniques is a great first step toward learning how to detect and defend against the same attacks.
This was very much a learning experience for me. By trade, I am skilled in defensive arts - network controls, incident response, forensic analysis and malware analysis. While I am by nature a hacker (in the puzzle-solving tinkerer sense of the word) with a few CVEs to my credit, attack techniques are a very small part of my repertoire. But thanks to challenges such as these, they are a growing part of my toolkit.
The Gnomes are wildly popular electronic toys that just happen to be spying on the families (oddly reminiscent of a Washington Post story suggesting that Elf on the Shelf teaches kids to expect a world of constant surveillance). I am sure it is no coincidence that the gnomes evoke thoughts of Hello Barbie, Mattel's Internet-connected talking doll that has sparked considerable privacy worries this year.
The quest takes place in the imaginary neighborhood of Josh and Jessica Dosis, tech-savvy kids that did what any good hacker would do: they hacked their new Internet-connected toy to see what it was really doing. In the course of the quest, players talk to Josh and Jessica, as well as numerous SANS experts who offer tips on how to help the Dosis kids interpret what they find.