28
Device inspection To remote root Uncovering the sekritz of proprietary software on a fixed wireless terminal and weap0nizing them into a remote exploit Where What Who Ruxmon Melbourne Device Inspection to remote root Tim Noise

Device inspection to remote root

  • Upload
    tim-n

  • View
    5.391

  • Download
    1

Tags:

Embed Size (px)

Citation preview

Page 1: Device inspection to remote root

Device inspection To remote root

Uncovering the sekritz of proprietary software on a fixed wireless terminal and weap0nizing them into a remote exploit

Where What Who

Ruxmon Melbourne Device Inspection to remote root

Tim Noise

Page 2: Device inspection to remote root

tIM NOISE

• twitter/dnoiz1 • github/dnoiz1 • mIRC/dnz • streetz/notorious D N Z • [email protected]

Internet subscriber and pirate impersonator

Page 3: Device inspection to remote root

Fixed Wireless Terminals

• Linux Based • System on Chip • Provide PoTS and ADSL • 3G/LTE Backhaul • Battery and Solar • Remote Managed • Deployed in Clusters

For people without copper or fiber

Page 4: Device inspection to remote root

External Connectors

• Ether over USB

(DHCP) • Aerial socket • SIM Card slot • 2 RJ11 ports for

ADSL CPE and PoTS

Things we can probe

Page 5: Device inspection to remote root

External Connectors

• SIM Card slot • 2 Management Ethernet Ports (NO DHCP)

• 2 RJ11 power management ports

Things we can probe

Page 6: Device inspection to remote root

Whats Inside?Rub the torx and the genie comes out

CPU

NAND0

NAND1

UART

Removable CF Card for /

Page 7: Device inspection to remote root

Whats Inside?Rub the torx and the genie comes out

Mini PCMCIA3G Modem

Page 8: Device inspection to remote root

Boot ProcessRedboot the buspirate, yarr

GND

RX

TX

VCC / NC

Page 9: Device inspection to remote root

Gaining ROOTalways want that uid 0 - the usual tricks

• Removable root Media • hashcat / jtr

• kernel paramaters • init=/bin/sh • single user mode

• Lucky for us, the root password is

printed on the PCB (not even joking)

Page 10: Device inspection to remote root

MANAGEMENT InTERFACEthe dububdub

Page 11: Device inspection to remote root

MANAGEMENT InTERFACEthe dububdub

Page 12: Device inspection to remote root

Logging INConnecting using the management USB interface

Page 13: Device inspection to remote root

PortsANDProcessessWhats running on this thing?

Page 14: Device inspection to remote root

PortsANDProcessessWhats running on this thing?

Page 15: Device inspection to remote root

PortsANDProcessessWhats running on this thing?

Page 16: Device inspection to remote root

Back to the SourceWhere is this process stored and launched from

Page 17: Device inspection to remote root

DECOMPYLEUsing multiline strings as comments is great!

Page 18: Device inspection to remote root

Vulnerability 1: UNPICKLESerializing objects its so convenient for passing them over a udp socket

Page 19: Device inspection to remote root

Vulnerability 1: UNPICKLESerializing objects its so convenient for passing them over a udp socket

Page 20: Device inspection to remote root

Putting it all Togethermaking use of our discovered vulnerabilities

Page 21: Device inspection to remote root

Putting it all Togethermaking use of our discovered vulnerabilities

Page 22: Device inspection to remote root

Putting it all Togethermaking use of our discovered vulnerabilities

Page 23: Device inspection to remote root

Putting it all Togethermaking use of our discovered vulnerabilities

Page 24: Device inspection to remote root

DEMO

Page 25: Device inspection to remote root
Page 26: Device inspection to remote root

One Step FURTHER

• Connect back payloads • Dial 1900 numbers for profit • UDP broadcast the attack • Intercept data and telephony • Insta-botnet / onion network • Other bad things

For internet bad men

Page 27: Device inspection to remote root

QUESTIONS?

Page 28: Device inspection to remote root

tIM NOISE

• twitter/dnoiz1 • github/dnoiz1 • mIRC/dnz • streetz/notorious D N Z • [email protected]

Internet subscriber and pirate impersonator


Remote Underwater Robotic Inspection - NASA Underwater Robotic Inspection Darby Magruder ... Function of Inspection Robot ... •Tethered sonar propelled through pipe work

Remote Underwater Robotic Inspection - NASA Underwater Robotic Inspection Darby Magruder ... Function of Inspection Robot ... •Tethered sonar propelled through pipe work

Documents
0x333hatec Samba Remote Root Exploit 456

0x333hatec Samba Remote Root Exploit 456

Documents
Remote Inspection of Federal Correctional Complex Lompoc · 2020. 8. 6. · PANDEMIC RESPONSE REPORT 20-086 JUL 2020. Remote Inspection of Federal Correctional Complex Lompoc . EVALUATION

Remote Inspection of Federal Correctional Complex Lompoc · 2020. 8. 6. · PANDEMIC RESPONSE REPORT 20-086 JUL 2020. Remote Inspection of Federal Correctional Complex Lompoc . EVALUATION

Documents
REMOTE INSPECTION OF THE IFSF SPENT FUEL STORAGE RACK

REMOTE INSPECTION OF THE IFSF SPENT FUEL STORAGE RACK

Documents
VISUAL INSPECTION: UNMANNED AERIAL VEHICLES · bilfinger salamis uk visual inspection: unmanned aerial vehicles –––––– remote structure analysis

VISUAL INSPECTION: UNMANNED AERIAL VEHICLES · bilfinger salamis uk visual inspection: unmanned aerial vehicles –––––– remote structure analysis

Documents
The Definitive Guide to Remote Visual Inspection

The Definitive Guide to Remote Visual Inspection

Documents
SETUP 1 us > (RBI-RISK BASED INSPECTION) ) Root Cause

SETUP 1 us > (RBI-RISK BASED INSPECTION) ) Root Cause

Documents
Remote Inspection of Internal Delamination in Wind Turbine ... · Remote Inspection of Internal Delamination in Wind Turbine Blades using Continuous Line Laser Scanning Thermography

Remote Inspection of Internal Delamination in Wind Turbine ... · Remote Inspection of Internal Delamination in Wind Turbine Blades using Continuous Line Laser Scanning Thermography

Documents
p67 0x07 ProFTPD With Mod SQL Authentication, Remote Root by Feline Menace

p67 0x07 ProFTPD With Mod SQL Authentication, Remote Root by Feline Menace

Documents
Remote Inspection of Steam Turbines with Turbine Casing in ... · Remote Inspection of Steam Turbines with Turbine Casing in Place ... The camera image is viewed on a video monitor

Remote Inspection of Steam Turbines with Turbine Casing in ... · Remote Inspection of Steam Turbines with Turbine Casing in Place ... The camera image is viewed on a video monitor

Documents
GE Measurement & Control · radiography, computed tomography, remote visual inspection, ultrasound, Electromagnetic, hardness testing ... design optimization, quality control or root-cause

GE Measurement & Control · radiography, computed tomography, remote visual inspection, ultrasound, Electromagnetic, hardness testing ... design optimization, quality control or root-cause

Documents
Recommended Practices Remote Virtual Inspections (RVI)media.iccsafe.org/2020_MarComm/Remote_Video_Insp_FINAL_w...4 3.0 Remote Virtual Inspection Process Recommended Practices for Remote

Recommended Practices Remote Virtual Inspections (RVI)media.iccsafe.org/2020_MarComm/Remote_Video_Insp_FINAL_w...4 3.0 Remote Virtual Inspection Process Recommended Practices for Remote

Documents
REMOTE VALVE INSPECTION

REMOTE VALVE INSPECTION

Documents
Subsea Expo - Remote Riser Cleaning Inspection · Remote Riser Cleaning & Inspection ... company who provide complete deepwater inspection, ... – Horizontal and vertical repair

Subsea Expo - Remote Riser Cleaning Inspection · Remote Riser Cleaning & Inspection ... company who provide complete deepwater inspection, ... – Horizontal and vertical repair

Documents
A Literature Survey on Remote Inspection of Offshore Wind

A Literature Survey on Remote Inspection of Offshore Wind

Documents
Reduced Mandated Inspection by Remote Field Eddy Current ... Library/Research/Oil-Gas/Natural Gas... · DE-FC26-04NT42266 Final Report - GTI Reduced Mandated Inspection by Remote

Reduced Mandated Inspection by Remote Field Eddy Current ... Library/Research/Oil-Gas/Natural Gas... · DE-FC26-04NT42266 Final Report - GTI Reduced Mandated Inspection by Remote

Documents
INTELLIGENT BRIDGE INSPECTION USING REMOTE CONTROLLED · PDF fileINTELLIGENT BRIDGE INSPECTION USING REMOTE CONTROLLED ROBOT AND IMAGE PROCESSING TECHNIQUE Byeong Ju Lee*, Dong Hoon

INTELLIGENT BRIDGE INSPECTION USING REMOTE CONTROLLED · PDF fileINTELLIGENT BRIDGE INSPECTION USING REMOTE CONTROLLED ROBOT AND IMAGE PROCESSING TECHNIQUE Byeong Ju Lee*, Dong Hoon

Documents
Introduction to BackTrack Local boot to remote root in just one CD

Introduction to BackTrack Local boot to remote root in just one CD

Documents
Enhanced remote visual inspection of aircraft skin€¦ · Remote and Automated Inspection: ... Visual inspection of aircraft is the most widely used method ... Center for Structural

Enhanced remote visual inspection of aircraft skin€¦ · Remote and Automated Inspection: ... Visual inspection of aircraft is the most widely used method ... Center for Structural

Documents
DEVELOPMENT OF REMOTE CONTROL SYSTEM FOR BRIDGE INSPECTION

DEVELOPMENT OF REMOTE CONTROL SYSTEM FOR BRIDGE INSPECTION

Documents
Robotics Solutions in EN-SMM for Remote Inspection and ... · M. Di Castro, Robotics Solutions in EN-SMM for Remote Inspection and Teleoperation, SLAWG #41, 13.3.2019 10 The only

Robotics Solutions in EN-SMM for Remote Inspection and ... · M. Di Castro, Robotics Solutions in EN-SMM for Remote Inspection and Teleoperation, SLAWG #41, 13.3.2019 10 The only

Documents
Remote Inspection of Metropolitan Detention Center Brooklyn

Remote Inspection of Metropolitan Detention Center Brooklyn

Documents
Remote Visual Inspection - Everest Polska :: Endoskopy

Remote Visual Inspection - Everest Polska :: Endoskopy

Documents
Remote Visual Inspection · Rhythm Visual & Review Database Platform •Turns inspection images into intelligence. •Capture, analyze, share, and archive inspection information

Remote Visual Inspection · Rhythm Visual & Review Database Platform •Turns inspection images into intelligence. •Capture, analyze, share, and archive inspection information

Documents
RE Screw Inspection - Reiloy USAreiloyusa.com/content/upload/files/RE Screw Inspection.pdf · Screw Inspection Report Machine Number: Flight Length: Flight Width. Root Diameter

RE Screw Inspection - Reiloy USAreiloyusa.com/content/upload/files/RE Screw Inspection.pdf · Screw Inspection Report Machine Number: Flight Length: Flight Width. Root Diameter

Documents
Live Flare Tower Remote Access Inspection Solutionsebe03c8d-6d26-4921-92e... · 2020-02-28 · Live Flare Tower -Remote Access Inspection Solutions - Craig Davies +61 8 9410 9300

Live Flare Tower Remote Access Inspection Solutionsebe03c8d-6d26-4921-92e... · 2020-02-28 · Live Flare Tower -Remote Access Inspection Solutions - Craig Davies +61 8 9410 9300

Documents
INTELLIGENT BRIDGE INSPECTION USING REMOTE CONTROLLED ROBOT

INTELLIGENT BRIDGE INSPECTION USING REMOTE CONTROLLED ROBOT

Documents
Guidelines for Remote Inspections under OCIMF programmes...Page 2 of 29 Guidelines on Remote Inspection under OCIMF Programmes – 2nd Ed. 1 Introduction A Remote Inspection under

Guidelines for Remote Inspections under OCIMF programmes...Page 2 of 29 Guidelines on Remote Inspection under OCIMF Programmes – 2nd Ed. 1 Introduction A Remote Inspection under

Documents
GE INSPECTION TECHNOLOGIES REMOTE VISUAL INSPECTION … · Testing Machines Data Management Software ... Hardness Testers System Instrumentation ... GE Remote Visual Inspection

GE INSPECTION TECHNOLOGIES REMOTE VISUAL INSPECTION … · Testing Machines Data Management Software ... Hardness Testers System Instrumentation ... GE Remote Visual Inspection

Documents
GEIT-65027US Remote Visual Inspection

GEIT-65027US Remote Visual Inspection

Documents