Hacking Confraria de Segurança da Informação 27 Nov 2013

Hacking QNX


Page 1: Hacking QNX

Hacking

Confraria de Segurança da Informação 27 Nov 2013

Page 2: Hacking QNX

root@localhost:~# whoami

• Ricardo Mourato
• Pentester @ SysValue
• Former SW engineer
• Like to:
  • Hack Stuff
  • Code C, Python, Ruby, Java, C#
  • Slackware!
  • Drink:
    • Stout
    • Staropramen
    • Stella Artois
• Hate:
  • Printers, unless networked
  • Perl

root@localhost:~#

Page 3: Hacking QNX

Disclaimer: You know, I’m not responsible for your:

Page 4: Hacking QNX

What this talk is about:

• An introduction to QNX RTOS

• Where Would You Expect To Find QNX

• QNX in Numbers

• More About QNX

• How it Looks

• QNX Network Services

• QNX Qnet protocol

• Exploiting QNX Weaknesses Remotely & Locally (<- demo)

Page 5: Hacking QNX

What is QNX (Neutrino):

• Multiuser & Multitask Mission Critical RTOS;

• Developed by QNX Software, later acquired by Research in Motion, now BlackBerry;

• Targets are mostly embedded systems;

• Microkernel driven;

• This means:

  • Every failure-prone component lives outside of kernelspace;

  • Components such as Drivers, Protocol Stacks, Filesystems, Applications;

Page 6: Hacking QNX

What is QNX Neutrino (cont):

• Runs on Multiple Arch’s: ARM, MIPS, PowerPC, x86, etc;

• Not Linux nor Unix;

• POSIX standard (1003.1-2001 POSIX.1)

Page 7: Hacking QNX

What is QNX Neutrino (cont):

Source: http://www.qnx.com/

Page 8: Hacking QNX

Where Would You Expect To Find QNX:

“QNX is used in systems where the cost of failure is very high”

Dan Dodge (QNX CEO)

Page 9: Hacking QNX

Where Would You Expect To Find QNX (cont):

• Medical Equipment;

• Industrial Robots;

• Professional DVR’s;

• Storage Appliances;

• Network Equipment; <- Cisco CRS-1

• RAID Controllers;

• Spacecraft & Aircraft;

• Nuclear Power Plants;

Page 10: Hacking QNX

Where Would You Expect To Find QNX (cont):

• Blackberry PlayBook, Z10, Z30, Q5, Q10, etc;

• Luxury & High-end Cars (Porsche, Bentley, Lexus, Mercedes, etc.);

• University Students’ “Quite Expensive” NAS;

• Many Others.

Page 11: Hacking QNX

QNX in Numbers:

• Shodanhq:
  • 2 QNX hosts;

• Internet Census:
  • ~74 Internet Exposed hosts;
  • No Nuclear Power Plants, though

• Private/Local networks?

Page 12: Hacking QNX

More About QNX:

• Photon (GUI)

• Uses Neutrino messages in order to create highly responsive user experience;

• Made of the following components:

• Photon server;

  • graphics subsystem manager and hardware driver;

• font support;

• input support;

• user applications;

Page 13: Hacking QNX

More About QNX (cont):

• Multimedia

• “Media Player Plugins”

• Plays/Decodes:

    • MPEG-1, MPEG-2, MPEG-2.5, MP3, WAV, AIFF

• Widgets Library;

• Etc.

Page 14: Hacking QNX

More About QNX (cont):

Page 15: Hacking QNX

More About QNX (cont):

“By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car's stereo, this song could alter the firmware of the car's stereo system, giving attackers an entry point to change other components on the car”

Remember “Media Player Plugins”?

Page 16: Hacking QNX

How it Looks:

Page 17: Hacking QNX

How it Looks:

Page 18: Hacking QNX

How it Looks (Pentester’s view)

Page 19: Hacking QNX

QNX Network Services (Usually Default):

• Telnet
  • Allows root login, if you know the password
  • Unprivileged joe account? Try ./KissMyHash (later on demo)

• FTP
  • Does not allow root login. You’re able to traverse “/”, again, if you know the password.

• QCONN
  • Kind of remote debug/profiling bridge for IDE’s
  • Allows root login, even if you don’t know the password
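The three services above are what a defender should be looking for in their own asset inventory. The script below is an added example, not code from the talk: given a list of (host, port, banner) records such as a scanner or CMDB export would produce, it names the QNX service behind each record and ranks the exposure by the risk the slide describes (qconn highest, since it needs no password; telnet next; ftp last). The port numbers 23, 21 and 8000 (qconn) are assumed conventional defaults, and the sample inventory and banner strings are constructed, not captured from real hosts.

```python
"""Inventory audit for the QNX default services named on the slide.

Added example, not code from the talk: given a list of (host, port, banner)
records, it flags exposed telnet, ftp and qconn endpoints and ranks them by
the risk the slide describes.  The default port numbers (23, 21, 8000 for
qconn) are an assumption, and the inventory records below are constructed
sample data, not real hosts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    banner: str  # first line received on connect, as recorded by the scanner


# Severity and rationale per service, following the slide's description.
RULES = {
    "qconn": ("critical", "qconn accepts commands without any password: remote root"),
    "telnet": ("high", "cleartext protocol; root login permitted once the password is known"),
    "ftp": ("medium", "cleartext credentials; whole filesystem reachable once logged in"),
}

# Conventional listening ports, used only when the banner is not conclusive (assumption).
DEFAULT_PORTS = {23: "telnet", 21: "ftp", 8000: "qconn"}


def classify(svc: Service):
    """Name the QNX service behind a record: banner keywords first, port as fallback."""
    text = svc.banner.lower()
    if "qconn" in text:
        return "qconn"
    if "ftp" in text:
        return "ftp"
    if "login:" in text or "telnet" in text:
        return "telnet"
    return DEFAULT_PORTS.get(svc.port)


def audit(inventory):
    """Return findings sorted by severity, then host and port, for exposed QNX services."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for svc in inventory:
        name = classify(svc)
        if name not in RULES:
            continue  # ssh, http, etc. are out of scope for this check
        severity, reason = RULES[name]
        findings.append({
            "host": svc.host,
            "port": svc.port,
            "service": name,
            "severity": severity,
            "reason": reason,
        })
    findings.sort(key=lambda f: (rank[f["severity"]], f["host"], f["port"]))
    return findings


# Constructed sample inventory (no real hosts): a QNX box with all three defaults,
# a second box that moved telnet to a non-standard port, and a Linux host with ssh.
SAMPLE_INVENTORY = [
    Service("192.0.2.10", 21, "220 192.0.2.10 FTP server (QNXNTO-ftpd) ready."),
    Service("192.0.2.10", 23, "QNX Neutrino (localhost) (ttyp0)\n\nlogin:"),
    Service("192.0.2.10", 8000, "QCONN"),
    Service("192.0.2.11", 2323, "login:"),
    Service("192.0.2.20", 22, "SSH-2.0-OpenSSH_6.2"),
]


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['severity']:<8} {f['host']}:{f['port']:<5} {f['service']:<6} {f['reason']}")
```

Banner matching runs before the port lookup on purpose: the second host in the sample moved telnet to port 2323, which a port-only rule would miss, while the ssh host matches neither and is left out. On a real export, the `Service` records would be built from the scanner's output instead of the constructed list.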

Page 20: Hacking QNX

QNX Qnet Protocol

• Transparent Distributed Processing Platform;

• Groups QNX systems or CPU’s (nodes) into an integrated network;

• A QNX node can access resources on other nodes, transparently.

• Resources can be:

• Files;

• Devices;

• Processes <-

• Same goes for IPC

Page 21: Hacking QNX

Demo

Meet the Live Demo Gremlin, he just sits and waits

Then Leaves…

Page 22: Hacking QNX

References:

[1] "30 Ways QNX Touches Your Life", Internet: http://www.qnx.com/company/30ways/
[2] "Customers", Internet: http://www.qnx.com/company/customer_stories/http://www.qnx.com
[3] "QNX Neutrino RTOS", Internet: http://www.qnx.com/products/neutrino-rtos/neutrino-rtos.html
[4] "A Look At The Near Future Of In-Car Technology: QNX CAR 2", Internet: http://www.washingtonpost.com/cars/a-look-at-the-near-future-of-in-car-technology-qnx-car-2/2012/09/19/a3266bf0-0262-11e2-9132-f2750cd65f97_story.html
[5] "Nuclear plant powers up on real-time OS", Internet: http://www.itbusiness.ca/news/nuclear-plant-powers-up-on-real-time-os/9084
[6] "Review: BlackBerry PlayBook (o verdadeiro tablet 2.0 :))", Internet: http://itweb.com.br/blogs/review-blackberry-playbook-o-verdadeiro-tablet-2-0/
[7] "Pentesting QNX Neutrino RTOS", Internet: http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
[8] "QNX QCONN Remote Command Execution Vulnerability", Internet: http://www.rapid7.com/db/modules/exploit/unix/misc/qnx_qconn_exec
[9] "With hacking, music can take control of your car", Internet: http://www.itworld.com/security/139794/with-hacking-music-can-take-control-your-car
[10] "Transparent Distributed Processing Using Qnet", Internet: http://www.qnx.com/developers/docs/6.3.2/neutrino/prog/qnet.html
[11] "on", Internet: http://www.qnx.com/developers/docs/6.3.2/neutrino/utilities/o/on.html

Page 23: Hacking QNX

Q&A

Page 24: Hacking QNX