Simple Vulnerabilities. Big Pay Off.

Toll fraud comes in many forms: international and domestic revenue sharing, dial-through fraud, traffic pumping, wangiri, and more. And it’s lucrative. According to the Communications Fraud Control Association’s (CFCA) 2017 Global Fraud Loss Survey, international revenue sharing fraud (IRSF) alone accounted for $6.1 billion in losses.

Much of the IRSF loss is the result of private branch exchange (PBX) hacking. Asterisk describes a PBX as "the central switching system for phone calls within a business. IP PBX systems handle internal traffic between stations and act as the gatekeeper to the outside world." Researchers at the University of Southampton noted their PBX honeypot received 19 million SIP messages over a 10-day period in 2018. And for good reason. …

Travels into Several Populated Locations of the US. In Four Parts.

Part I: A Voyage to PHL

The author gives account of himself and the Pi Sniffer. His first inducements to travel. He finds AXIS cameras and maps them. An email is observed.

Back when leaving your house was still a thing, I had the good fortune to present some of my work at BSides Tampa (Feb. 28), BSides NoVA (March 5), and BSides San Diego (March 6). With me on my travels, I brought my Pi Sniffer.

[Image: smol boi]

This Lilliputian sits in my pocket and snarfs up all the WiFi it can. Due to its inconspicuous nature, the Pi Sniffer is able to venture into areas where conventional WiFi sniffing might not be possible. …

To everything (TURN! TURN! TURN!)

Using the browser to scan a LAN isn’t a new idea. There are many implementations that use XHR requests, WebSockets, or plain HTML to discover and fingerprint LAN devices. But in this blog, I’ll introduce a new scanning technique using WebRTC ICE servers. This technique is fast and, unlike the other methods, bypasses the blocked ports list. Unfortunately, it only works when the victim is using Chrome.

You can skip my explanation and go straight to the code or the demo page. Otherwise, let’s start with a proof of concept video. Here I am scanning my network.

Network tab visible so you can see no requests are logged. …

Port 8291 Scan Results

I’ve written, ad nauseam, about MikroTik routers. I’ve detailed vulnerabilities, post-exploitation, and the protocol used by Winbox to communicate with the router on port 8291:

I’ve spent a lot of time reversing and manipulating these systems. So I admit, I don’t love it when my work is met with less than generous responses:

[Image: You’re a flawed red herring 😭]

Rebutting the poster’s seeming assertion that no one opens the router’s port 8291 interface to the internet isn’t easy. …

DNS Request to a Root Busybox Shell

The path to code execution isn’t always a straight line. Sometimes the path is long and winding. Such is the case with a series of vulnerabilities that I reported to MikroTik and that were recently patched in 6.45.7. This blog guides the reader down that path, beginning with unauthenticated requests to Winbox and ending with a root busybox shell.

Unauthenticated DNS Requests

The RouterOS terminal supports the resolve command for DNS lookups.

[Image: Requesting to resolve via the command line]

Under the hood, this request is handled by a binary named resolver. Resolver is one of the many binaries that are hooked into RouterOS’s Winbox protocol. The protocol is closed source, but I’ve presented on it and released quite a few proofs of concept based on the protocol. At a high level, “messages” sent to the Winbox port can be routed to different binaries in RouterOS based on an array-based numbering scheme. …

Putting CVE-2019-15055 to Work

I was avoiding writing a blog about scanning a few million MikroTik routers when I noticed MikroTik patched a vulnerability. It caught my attention because, initially, only 6.46beta34 received a patch. A patch for Stable was released after I wrote this blog and a patch for Long-term is still pending. I wasn’t the only one to notice the vulnerability either.

[Image: I don’t know. Root is always interesting to me.]

The 6.46beta34 release notes contain this line: “system - accept only valid string for "name" parameter in "disk" menu (CVE-2019-15055);”

A quick diff of /nova/bin/diskd yielded a simple patch.

[Image: Pretty diff courtesy of Diaphora]

The patch adds two comparisons that can branch to the “bad name” error message. The patch specifically looks for the ‘.’ and ‘/’ characters in a string. The reader can safely assume that this logic filters the name assigned to a mounted disk. Pictured below, I’ve inserted a USB drive into my MikroTik router. …

Shared Objects, RC Scripts, and a Symlink

At DEF CON 27, I presented Help Me, Vulnerabilities! You’re My Only Hope where I discussed the last few years of MikroTik RouterOS exploitation and I released Cleaner Wrasse, a tool to help enable and maintain root shell access in RouterOS 3.x through the current release.


The DEF CON talk also covered past and present post-exploitation techniques in RouterOS. I roughly broke the discussion into two parts:

  1. Places attackers can execute from.
  2. How to achieve reboot or upgrade persistence.

That is what this blog is about. But why talk about post-exploitation? The fact of the matter is these routers have seen a lot of exploitation. But with little to no public research on post-exploitation in RouterOS, it isn’t obvious where an analyst might look to determine the scope of the exploitation. …

If you can believe Amazon’s customer review system, I’m one of many people to have purchased an Amcrest IP2M-841B IP camera.

[Image: Totally real, not fake reviews]

Pulling apart the firmware for this device, it’s clear that it’s a rebranded Dahua camera. Dahua has recently been in the news as the US government plans to blacklist the company due to potential spying concerns.

While Dahua devices have seen some egregious security issues in the past, it’s been several years since anything terrible was disclosed, which is why I was surprised to find that I could remotely listen to the IP2M-841B’s audio over HTTP without authentication. Essentially, if this thing is connected directly to the internet, it’s anyone’s listening device. …

I recently wrote a CTF challenge for my coworkers. The challenge was written using WebAssembly (WASM), a language I initially knew nothing about. I found the language specification and various API descriptions to be quite good, but, while coding, I still found myself googling nearly everything.

[Image: Actual video of me writing the challenge]

Besides NCC Group’s excellent Security Chasms of WASM, I haven’t found a writeup describing oddities in WASM that might interest someone like myself. And while I’m no WASM expert, I hope that by sharing my experience with the language and toolchain, I can help others explore the weird and wonderful world of WASM.

But before you give this a read, perhaps you want to attempt the challenge yourself? The challenge is browser based, so I’ve hosted it on GitHub here. …

OEM Vulnerabilities

I recently disclosed 15 vulnerabilities in Crestron’s AM-100 and AM-101 devices.

[Image: You can fit so many bugs in this thing]

But that isn’t quite what this is about. You see, in the course of my normal background research I discovered Crestron had silently patched a backdoor in the AM-100 that had been previously found and patched in a Barco WePresent WiPG-1000.

The problem being, I had no idea what a WePresent was.

[Image: This is a WePresent]

It turns out that Crestron’s AirMedia and Barco’s WePresent are more or less the exact same product. The underlying software was developed by Barco’s subsidiary AWIND.

[Image: More like src=../../../../../etc/shadow]

Oddly, the devices seem to have different patch levels. For example, Barco patched the previously mentioned backdoor in April 2017, but Crestron didn’t release a patch until June 2018. Crestron also failed to notify their users of the patch, which led to Tenable issuing a research advisory. …
