Cracking into embedded devices and beyond!

Ismael Valenzuela — Tue, 22 Apr 2008 20:01:18 +0000

As promised in my previous post, I have just uploaded Cracking into embedded devices and beyond, Adrian Pastor’s presentation at ‘Hack in The Box’ Dubai 2008.

Thanks Adrian for your promptly response when asked for the slides and congratulations for your excellent contribution to the security community. Hope we can share a pint next time I’m in London. Un abrazo!

From HITBSecConf2008 website:

Presentation Title: Cracking into Embedded Devices and Beyond! (pdf)

Presentation Details

The presentation covers cracking into embedded devices by exploiting vulnerabilities present on default software running on the target device.

Most of the vulnerabilities discussed are web bugs that can be exploited remotely. The reason for focusing on such type of flaws, is because I’ve personally had several successful experiences discovering important/critical vulnerabilities. Additionally, the presentation is focused on vulnerabilities that can be exploited remotely.

Some of my personal discoveries will be covered, including vulnerabilities found on Axis IP cameras, Belkin “belkin54g” family of routers, BT Home Hub wireless routers (Thomson/Alcatel Speedtouch 7G), BT Voyager 2091, 3COM APXXXX Dual Radio 11a/b/g Access Point, and Linksys Wireless-G ADSL Gateway (WAG54GS). Some interesting vulnerabilities found on embedded devices by other peers will also be explained.

Not only *real attacks* will be explored, but also the *consequences* of cracking into embedded devices. How nasty can it get after an embedded device has been exploited? How far does the rabbit hole go?

In the case of routers, scenarios include eavesdropping the victim(s)’ Internet connection, controlling the traffic flow, stealing services such as TV streaming and VoIP. In the case of miscellaneous devices such as IP cameras scenarios include replacing the surveillance video stream, and one of my favorites: using the device as a stepping stone to penetrate into the corporate network after the device as been compromised from an attack originated from the Internet.

Classic attacks against embedded devices will also be discussed, although this will be a minor portion of the presentation. Finally, possibilities of exploiting FON, a community-shared Wi-Fi network will be discussed.

About Adrian

Adrian ‘pagvac’ Pastor, BSc (Hons) Computer Engineering, has been part of the security community for about four years, although he has been interested in the hacker culture since an early age. He currently works as a senior pentester and security researcher for ProCheckUp (www.procheckup.com), a leading independent specialist security organization based in London, UK. Additionally, Adrian is an active security researcher at GNUCITIZEN (www.gnucitizen.org), a renowned white-hat hacker think tank where he enjoys breaking things and publishing his findings.

Adrian is currently interested in topics such as web security, eavesdropping techniques, magstripes, and embedded devices. His research has been featured in established magazines and information portals such as BBC, The Washington Post, Wired, Slashdot, PC Pro, The Register, PC World, CNET and many others.

Cerrudo’s talk prompts Microsoft to admit serious flaw on Windows

Ismael Valenzuela — Sun, 20 Apr 2008 21:26:59 +0000

It’s Sunday evening and I have spent the last hour going through the slides of Cesar Cerrudo’s talk at HiTBSecConf 2008 that took place this week in Dubai. I know it’s sad, but the title of this blog is “passionate about information security”, isn’t it?

Let me give you a bit of background before going further. It’s been almost a month since Cesar Cerrudo, security researcher and CEO of Argeniss publicly warned that the latest Microsoft operating system, Windows Server 2008, might not be as secure as it seems. On an advisory released on March 24, he stated:

“The problem discovered by Argeniss results from design issues that were not identified by Microsoft engineers during the Security Development Lifecycle (SDL), and allows accounts commonly used by Windows services (NETWORK SERVICE and LOCAL SERVICE) to bypass new Windows services protection mechanisms and elevate privileges to achieve complete control over the operating system.”

This security flaw was reported to affect Windows XP, Vista, Windows Server 2003 and the brand new Windows Server 2008. Although exploitation details were not given at that time, the advisory announced that further details would be given at the upcoming Hack-in-the-Box conference in Dubai (14-17 April 2008).

And it’s right at this point when this becomes really interesting. Microsoft quickly stressed that Cerrudo’s advisory described a “design issue” rather than a new vulnerability. Well, that was before Cerrudo’s paper, entitled “Token Kidnapping”, was presented in Dubai earlier this week. As to rectify is of wise people, Microsoft released on Thursday a pre-patch security advisory (951306) recognizing that they are “investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008”.

Some sources claim that the vulnerability addressed in that security advisory is the same discussed by Cesar Cerrudo in Hack-in-the-Box. This becomes quite evident after reading Thursday’s advisory and Cerrudo’s paper, although I haven’t found any official statement from Microsoft confirming so.

I must admit that this has been of benefit for both Microsoft and the researcher. On one side, Microsoft has had some time to research the problem before public details of exploitation are given, and on the other side, the researcher has created a great expectation on his talk. No doubt a win-win for everyone.

Now the question is, am I affected by this flaw? And in the absence of a security patch, what workarounds are available? Well, the good news is that no exploitation has been seen yet, however it’s worth to keep an eye on this, especially if you are a Web-hosting provider where customers could upload malicious code. Attending to Cerrudo’s paper, the main attack vectors are:

Fully trusted ASP.Net code in IIS,
SQL Server with users that have administrative privileges to load and run code,
Any process with SeImpersonatePrivilege that loads and runs user-provided code, by acquiring a NetworkService token from the Microsoft Distributed Transaction Coordinator (MSDTC) service.

The following are some recommended workarounds (refer to Microsoft’s advisory for more details):

On Windows XP and Server 2003: for IIS 6 don’t run ASP.Net in full trust and if classic ASP is enabled don’t allow users to execute binaries.
On Windows Vista and 2008: for IIS 7, again, don’t run ASP.Net in full trust or don’t run websites (nor services) under NetworkServer or LocalService accounts. Use regular user accounts to run services instead.

Happy Sunday evening!

Further info on: http://www.argeniss.com and http://www.microsoft.com/technet/security/advisory/951306.mspx

PS. Earlier this week I got an email from my friend Adrian Pastor, also known as ‘pagvac‘ saying he was also giving a talk at HiTB 2008 in Dubai (Cracking into Embedded Devices and Beyond!). He is a great security professional and even a better chap. I promise I will post a link to his presentation on this blog when he makes it available.

Granted, I also gave him some tips on where to go in Dubai -views from the 24th floor bar at the Jumeirah Beach Hotel are awesome!-

Passionate about Information Security » Dubai

Cracking into embedded devices and beyond!

Cerrudo’s talk prompts Microsoft to admit serious flaw on Windows