Toll fraud comes in many forms: international and domestic revenue sharing, dial-through fraud, traffic pumping, wangiri, and more. And it’s lucrative. According to the Communications Fraud Control Association’s (CFCA) 2017 Global Fraud Loss Survey, international revenue sharing fraud (IRSF) alone accounted for $6.1 billion in losses.
Much of the IRSF loss is the result of private branch exchange (PBX) hacking. Asterisk describes a PBX as, “the central switching system for phone calls within a business. IP PBX systems handle internal traffic between stations and act as the gatekeeper to the outside world.” Researchers at the University of Southampton noted their PBX honeypot received 19 million SIP messages over a 10 day period in 2018. And for good reason. …
The author gives account of himself and the Pi Sniffer. His first inducements to travel. He finds AXIS cameras and maps them. An email is observed.
Back when leaving your house was still a thing, I had the good fortune to present some of my work at BSides Tampa (Feb. 28), BSides NoVA (March 5), and BSides San Diego (March 6). With me on my travels, I brought my Pi Sniffer.
This Lilliputian sits in my pocket and snarfs up all the WiFi it can. Due to its inconspicuous nature, the Pi Sniffer is able to venture into areas where conventional WiFi sniffing might not be possible. …
Using the browser to scan a LAN isn’t a new idea. There are many implementations that use XHR requests, websockets, or plain HTML to discover and fingerprint LAN devices. But in this blog, I’ll introduce a new scanning technique using WebRTC ICE servers. This technique is fast and, unlike the other methods, bypasses the blocked ports list. Unfortunately, it only works when the victim is using Chrome.
I’ve written, ad nauseam, about MikroTik routers. I’ve detailed vulnerabilities, post exploitation, and the protocol used by Winbox to communicate to the router on port 8291:
I’ve spent a lot of time reversing and manipulating these systems. So I admit, I don’t love it when my work is met with less than generous responses:
The path to code execution isn’t always a straight line. Sometimes the path is long and winding. Such is the case with a series of vulnerabilities that I reported to MikroTik that were recently patched in 6.45.7. This blog guides the reader down that path, beginning with unauthenticated requests to Winbox and ending with a root busybox shell.
The RouterOS terminal supports the resolve command for DNS lookups.
Under the hood, this request is handled by a binary named resolver. Resolver is one of the many binaries that is hooked into RouterOS’s Winbox protocol. The protocol is closed source, but I’ve presented on it and released quite a few proof of concepts based on the protocol. At a high level, “messages” sent to the Winbox port can be routed to different binaries in RouterOS based on an array-based numbering scheme. …
I was avoiding writing a blog about scanning a few million MikroTik routers when I noticed MikroTik patched a vulnerability. It caught my attention because, initially, only 6.46beta34 received a patch. A patch for Stable was released after I wrote this blog and a patch for Long-term is still pending. I wasn’t the only one to notice the vulnerability either.
The 6.46beta34 release notes contain this line: “system — accept only valid string for “name” parameter in “disk” menu (CVE-2019–15055);”
A quick diff of /nova/bin/diskd yielded a simple patch.
The patch adds two comparisons that can branch to the “bad name” error message. The patch specifically looks for the ‘.’ and ‘/’ characters in a string. The reader can safely assume that this logic filters the name assigned to a mounted disk. Pictured below, I’ve inserted a USB drive into my MikroTik router. …
At DEF CON 27, I presented Help Me, Vulnerabilities! You’re My Only Hope where I discussed the last few years of MikroTik RouterOS exploitation and I released Cleaner Wrasse, a tool to help enable and maintain root shell access in RouterOS 3.x through the current release.
The DEF CON talk also covered past and present post exploitation techniques in RouterOS. I roughly broke the discussion into two parts:
That is what this blog is about. But why talk about post exploitation? The fact of the matter is these routers have seen a lot of exploitation. But with little to no public research on post exploitation in RouterOS, it isn’t obvious where an analyst might look to determine the scope of the exploitation. …
If you can believe Amazon’s customer review system, I’m one of many people to have purchased an Amcrest IP2M-841B IP camera.
Pulling apart the firmware for this device, it’s clear that it’s a rebranded Dahua camera. Dahua has recently been in the news as the US government plans to blacklist the company due to potential spying concerns.
While Dahua devices have seen some egregious security issues in the past, it’s been several years since anything terrible was disclosed. Which is why I was surprised to find that I could remotely listen to the IP2M-841B’s audio over HTTP without authentication. Essentially, if this thing is connected directly to the internet, it’s anyone’s listening device. …
I recently wrote a CTF challenge for my coworkers. The challenge was written using WebAssembly (WASM), a language I initially knew nothing about. I found the language specification and various API descriptions to be quite good, but, while coding, I still found myself googling nearly everything.
Besides NCCGroup’s excellent Security Chasms of WASM, I haven’t found a writeup describing oddities in WASM that might interest someone like myself. And while I’m no WASM expert, I hope by sharing my experience with the language and toolchain, I can help others explore the weird and wonderful world of WASM.
But before you give this a read, perhaps you want to attempt the challenge yourself? The challenge is browser based, so I’ve hosted it on GitHub here. …
But that isn’t quite what this is about. You see, in the course of my normal background research I discovered Crestron had silently patched a backdoor in the AM-100 that had been previously found and patched in a Barco WePresent WiPG-1000.
The problem being, I had no idea what a WePresent was.
It turns out that Crestron’s AirMedia and Barco’s WePresent are more or less the exact same product. The underlying software was developed by Barco’s subsidiary AWIND.
Oddly, the devices seem to have different patch levels. For example, Barco patched the previously mentioned backdoor in April 2017, but Crestron didn’t release a patch until June 2018. Crestron also failed to notify their users of the patch, which led to Tenable issuing a research advisory. …