
IOT RCE, a Study with Disney



Presentation Transcript


  1. IOT RCE, a Study with Disney
     Lilith Wyatt <(^_^)>, Vulndev Research Engineer

  2. My Team and I
     - Research Engineer with the Talos Security and Research Group
     - I'm a member of the Vulndev Team
     - We reverse, we fuzz, we actually read manuals…
     - Our goal is to find zero day vulnerabilities in third party products (but not on Cisco stuff).
     - We submit the bugs to make third party software more secure, and by extension, also our customers.
     - Signatures for our zero-days get put into all of our products.
     - Youngest member on the team (that's my excuse), and I'm super lucky and thankful that I'm able to work with such talented people.

  3. My Team and I
     Team Members:
     - Yves Younan (Research Manager)
     Research Engineers:
     - Aleksandar Nikolich
     - Ali Rizvi-Santiago
     - Marcin Noga
     - Piotr Bania
     - Tyler Bohan
     - Cory Duplantis
     - Lilith Wyatt <('.'<)
     - Claudio Bozzato
     - Martin Zeiser
     Bugs included target vendors such as:
     - Microsoft
     - Apple
     - Oracle
     - Adobe
     - Google
     - IBM, HP, Intel, Lexmark
     - 7zip, libarchive, NTP
     - VMware

  4. Special Thanks
     A shout out to one team member in particular, Claudio Bozzato, with whom all this Circle research was done. He's one of our embedded device experts, and without him, I probably would have bricked my device twice as many times. He did most of the Foscam bugs, and probably half of the Circle bugs, so I feel sorta bad talking alone up here. Sorta.

  5. The IOT Conundrum (& Cliche)

  6. The IOT Conundrum (& Cliche)
     Since I'm lazy, a quote from ZDNet about a quote from Cisco:
     "Globally, devices and connections (including M2M connections, smartphones, connected TVs, etc.) are growing faster than the population, Cisco notes. The report projects that the average number of devices and connections per capita will grow globally from two in 2015 to 3.2 by 2020."
     ([1] Source: http://www.zdnet.com/article/iot-will-account-for-nearly-half-of-connected-devices-by-2020-cisco-says/)
     And if the population ends up being 7.5 Billion as projected by the U.S. Census... => 22.4 Billion Projected Devices/Connections (i.e. a few)
     ([2] Source: https://www.census.gov/population/international/data/idb/worldpopgraph.php)


  8. The IOT Conundrum (& Cliche)
     Okay, so there's a few IOT devices on the internet, and there's going to be a few more.
     What characterizes a typical IOT device?
     - Typically ARM/MIPS 32-bit/64-bit devices running some variant of Linux
     - Contains sensors not normally found in desktop computers (e.g. an accelerometer)
     - Talks to other devices on the network/internet/local proximity (Bluetooth/Zigbee)
     Unfortunately, there's also a few other characteristics inherent in most IOT devices…
     - Asynchronous communications (i.e. controlling the device from anywhere)
     - Lack of firmware updates/outdated firmware
     - Autoconfiguration/ease-of-setup mishaps
     - Exposed network ports
     - Buggy code
     - #SetItAndForgetIt

  9. The IOT Conundrum (& Cliche)
     Case in point: "Internet Chemotherapy" - Dr Cyborkian a.k.a. janit0r (https://ghostbin.com/paste/q2vq2)
     - BrickerBot: More than 2 million devices were bricked by a telnet/ssh crawler that logged in using basic and/or factory default credentials.
     - Hikvision/Dahua devices: 1.1 million internet-exposed CCTV and IP cameras followed suit via a variety of authentication bypasses.

  10. Doing it Wrong: Foscam

  11. Doing it Wrong: Foscam
      - CVE-2017-2805 Foscam IP Video Camera WebService CGI Parameter Code Execution Vulnerability
      - CVE-2017-2848 Foscam IP Video Camera CGIProxy.fcgi DNS2 Address Configuration Command Injection Vulnerability
      - CVE-2017-0327 Foscam IP Video Camera CGIProxy.fcgi Account Creation Command Injection Vulnerability
      - CVE-2017-2849 Foscam IP Video Camera CGIProxy.fcgi NTP Server Configuration Command Injection Vulnerability
      - CVE-2017-2828 Foscam IP Video Camera CGIProxy.fcgi Account Password Command Injection Vulnerability
      - CVE-2017-2850 Foscam IP Video Camera CGIProxy.fcgi Change Username pureftpd.passwd Injection Vulnerability
      - CVE-2017-2829 Foscam IP Video Camera CGIProxy.fcgi Message 0x3001 Directory Traversal Vulnerability
      - CVE-2017-2851 Foscam IP Video Camera CGIProxy.fcgi Wifi Settings Code Execution Vulnerability
      - CVE-2017-2830 Foscam IP Video Camera CGIProxy.fcgi Message 0x3001 Multi-part Form Boundary Code Execution Vulnerability
      - CVE-2017-2854 Foscam IP Video Camera webService oray.com DDNS Client Code Execution Vulnerability
      - CVE-2017-2855 Foscam IP Video Camera webService 3322.net DDNS Client Code Execution Vulnerability
      - CVE-2017-2831 Foscam IP Video Camera CGIProxy.fcgi Query Append Code Execution Vulnerability
      - CVE-2017-2856 Foscam IP Video Camera webService dyndns.com DDNS Client Code Execution Vulnerability
      - CVE-2017-2857 Foscam IP Video Camera webService 9299.org DDNS Client Code Execution Vulnerability
      - CVE-2017-2871 Foscam IP Video Camera Firmware Recovery Unsigned Image Vulnerability
      - CVE-2017-2832 Foscam IP Video Camera CGIProxy.fcgi Account Deletion Command Injection Vulnerability
      - CVE-2017-2872 Foscam IP Video Camera CGIProxy.fcgi Firmware Upgrade Unsigned Image Vulnerability
      - CVE-2017-2841 Foscam IP Video Camera CGIProxy.fcgi SMTP Test Host Parameter Configuration Command Injection Vulnerability
      - CVE-2017-2873 Foscam IP Video Camera CGIProxy.fcgi SoftAP Configuration Command Injection Vulnerability
      - CVE-2017-2842 Foscam IP Video Camera CGIProxy.fcgi SMTP Test User Parameter Configuration Command Injection Vulnerability
      - CVE-2017-2877 Foscam IP Video Camera devMng Multi-Camera Port 10001 Command 0x0064 Empty AuthResetKey Vulnerability
      - CVE-2017-2843 Foscam IP Video Camera CGIProxy.fcgi SMTP Test Password Parameter Configuration Command Injection Vulnerability
      - CVE-2017-2878 Foscam IP Video Camera CGIProxy.fcgi logOut Code Execution Vulnerability
      - CVE-2017-2844 Foscam IP Video Camera CGIProxy.fcgi SMTP Test Sender Parameter Configuration Command Injection Vulnerability
      - CVE-2017-2879 Foscam IP Video Camera UPnP Discovery Code Execution Vulnerability
      - CVE-2017-2845 Foscam IP Video Camera CGIProxy.fcgi SMTP Test Command Injection Vulnerability
      - CVE-2017-2846 Foscam IP Video Camera CGIProxy.fcgi Gateway Address Configuration Command Injection Vulnerability
      - CVE-2017-2847 Foscam IP Video Camera CGIProxy.fcgi DNS1 Address Configuration Command Injection Vulnerability
      - CVE-2017-2833 Foscam IP Video Camera CGIProxy.fcgi FTP Startup Configuration Command Injection Vulnerability
      (prior coverage)
      - CVE-2017-2832 Foscam IP Video Camera CGIProxy.fcgi Query Parameter Parsing Code Execution Vulnerability

  12. Doing it Right: Amazon Key

  13. Doing it Right: Amazon Key
      CVE List:
      - Denial of Service Vuln by Rhino Security Labs (https://www.youtube.com/watch?v=2GSK7cIimFY)

  14. Case Study: Circle With Disney

  15. Case Study: Circle With Disney
      Quick Overview:
      - Allows an administrator/parent to monitor and restrict usage of the other people on the network.
      - Has varying levels of restrictions for different age groups.
      - Once plugged in/configured for a network, it starts ARP poisoning every other device on the network in order to monitor and restrict.
      - Incompatible with any device/application that uses SSL cert pinning (since this thing MITMs SSL traffic too).
      - Uses Blue Coat Systems to also filter unknown URL domains (including for VPN connections).

  16. Case Study: Circle With Disney
      - CVE-2017-2864 - Circle with Disney Authentication Bypass Vulnerability
      - CVE-2017-2917 - Circle with Disney configure.xml Notifications Command Injection Vulnerability
      - CVE-2017-2865 - Circle with Disney Firmware Update Command Injection Vulnerability
      - CVE-2017-12083 - Circle with Disney Apid Use-Between-Reallocs Information Disclosure Vulnerability
      - CVE-2017-2866 - Circle with Disney Backup API Command Injection Vulnerability
      - CVE-2017-12084 - Circle with Disney Rclient SSH Persistent Backdoor Vulnerability
      - CVE-2017-2881 - Circle with Disney check_torlist.sh Update Code Execution Vulnerability
      - CVE-2017-12085 - Circle with Disney Token Routing Vulnerability
      - CVE-2017-2882 - Circle with Disney check_circleservers Code Execution Vulnerability
      - CVE-2017-12094 - Circle with Disney Startup WiFi Channel Parsing Command Injection Vulnerability
      - CVE-2017-12095 - Circle with Disney WiFi Insecure Access Point Vulnerability
      - CVE-2017-2883 - Circle with Disney Database Updater Code Execution Vulnerability
      - CVE-2017-12096 - Circle with Disney WiFi Security Downgrade Vulnerability
      - CVE-2017-2884 - Circle with Disney Apid Photo Upload Denial of Service Vulnerability
      - CVE-2017-2889 - Circle with Disney Apid Server Fork Denial of Service Vulnerability
      - CVE-2017-2890 - Circle with Disney Restore API Command Injection Vulnerability
      - CVE-2017-2911 - Circle with Disney Rclient SSL TLD MITM Vulnerability
      - CVE-2017-2912 - Circle with Disney Goclient SSL TLD MITM Vulnerability
      - CVE-2017-2913 - Circle with Disney libbluecoat.so SSL TLD MITM Vulnerability
      - CVE-2017-2915 - Circle with Disney WiFi Restart SSID Parsing Command Injection Vulnerability

  17. Case Study: Circle With Disney
      Obligatory Pie Chart/Bug Breakdown:
      - Command Injection: 9
      - Misc.: 8
      - String Handling: 4
      - Memory Management: 2
      - Total: 23

  18. Case Study: Circle With Disney
      But we're not going to cover them all... (the full CVE list from slide 16 again)

  19. Case Study: Circle With Disney
      But we're not going to cover them all... Just these, since they're interesting (imo):
      - CVE-2017-12085 - Circle with Disney Token Routing Vulnerability
      - CVE-2017-2911 - Circle with Disney Rclient SSL TLD MITM Vulnerability
      - CVE-2017-2912 - Circle with Disney Goclient SSL TLD MITM Vulnerability
      - CVE-2017-2913 - Circle with Disney libbluecoat.so SSL TLD MITM Vulnerability
      - CVE-2017-2915 - Circle with Disney WiFi Restart SSID Parsing Command Injection Vulnerability
      - CVE-2017-12094 - Circle with Disney Startup WiFi Channel Parsing Command Injection Vulnerability
      - CVE-2017-12083 - Circle with Disney Apid Use-Between-Reallocs Information Disclosure Vulnerability

  20. Use-After-Realloc
      CVE-2017-12083 - Circle with Disney Apid Use-Between-Reallocs Information Disclosure Vulnerability
      Why mention it? Because it is a lesser-known type of memory corruption that can lead to the classical Use-After-Free vulnerability that we all know and love.
      What is it? As the name implies, we're allocating memory in the heap, assigning variables to this memory, and then reallocating it after the fact. This can lead to dangling pointers and UAF conditions.

  21. Use-After-Realloc
      Quick refresher on x64 Linux memory layout
      [Diagram: process memory layout with Code, Heap, Shared Libs., VDSO, Stack and Kernel Mem.; user space runs from 0x0 to 0x00007fffffffffff, kernel space up to 0xffffffffffffffff]
      Things to note:
      - If ASLR is turned on, the addresses of the stack/shared libraries are randomized.
      - The heap's location seems to only be based on the code (.text) location, which is only randomized when compiled as a PIE binary.
      - The stack and the heap grow towards each other.

  22. Use-After-Realloc
      Quick overview on uClibc malloc
      [Diagram: Shared Libs., then the region that is not allocated/not heap (yet) (mmap/brk), then the Heap with its "not yet allocated (but still heap)" area]
      Things to note:
      - Big allocations (>1MB) get mmap'ed into the area before the shared libraries.

  23. Use-After-Realloc
      Quick overview on uClibc malloc methods:
          void *malloc(size_t size);
              Allocate a new chunk of memory of the designated size.
          void *calloc(size_t nmemb, size_t size);
              Same as malloc, but allocates size*nmemb bytes and clears out the memory allocated.
          void free(void *ptr);
              De-allocate a given chunk.
          void *realloc(void *ptr, size_t size);
              Re-allocate a given chunk to a desired size.
      Source: https://www.win.tue.nl/~aeb/linux/hh/hh-11.html

  24. Use-After-Realloc
      Back on track, what's this Use-After-Reallocs thing?
          void *realloc(void *ptr, size_t size);
              Re-allocate a given chunk to a desired size.
      Things to note:
      - If the heap is full, but a small allocation happens, the size of the heap will increase.
      - But big allocations (>1MB) get mmap'ed into the mmap/brk area.
      Example:
          void *chunk2 = malloc(0x20);
          chunk2 = realloc(chunk2, 0x40);
      [Diagram: before: Heap = Chunk1 (size 0x20), Chunk2 (size 0x20); after: Heap = Chunk1 (size 0x20), Chunk2 (size 0x40), with the mmap/brk area alongside]

  25. Use-After-Realloc
      For the normal usage of realloc (where both params != NULL), it essentially acts as:
          if (malloc(new_size) != NULL) { free(old_chunk); }
      Things to note:
      - realloc(NULL, 0x20) == malloc(0x20)
      - realloc(ptr, 0) == free(ptr)
      Example:
          void *chunk2 = malloc(0x20);
          chunk2 = realloc(chunk2, 0x40);
      [Diagram: before: Heap = Chunk1 (size 0x20), Chunk2 (size 0x20); after: Chunk1 (size 0x20), Chunk2 (size 0x40)]

  26. Use-After-Realloc
      ¡There's no guarantee the pointer passed in is the same one you get back!

  27. Use-After-Realloc
      Example:
          void *chunk2 = malloc(0x20);
          chunk2 = realloc(chunk2, 0x10000000);
      [Diagram: before: Heap = Chunk1 (size 0x20), Chunk2 (size 0x20); after: Chunk1 (size 0x20) stays in the heap, Chunk2 (size 0x10000000) lives elsewhere]

  28. Use-After-Realloc
      There's 2 conditions in which realloc causes the underlying memory buffer to shift.
      Example 1:
          void *chunk2 = malloc(0x20);
          chunk2 = realloc(chunk2, 0x10000000);
      [Diagram: before: Heap = Chunk1 (size 0x20), Chunk2 (size 0x20); after: Chunk1 (size 0x20), Chunk2 (size 0x10000000) moved out of the original heap]

  29. Use-After-Realloc
      Example 2:
          void *chunk2 = malloc(0x20);
          void *chunk3 = malloc(0x30);
          chunk2 = realloc(chunk2, 0x60);
      [Diagram: before: Heap = Chunk1 (size 0x20), Chunk2 (size 0x20), Chunk3 (size 0x30); after: Chunk1 (size 0x20), freed old Chunk2 slot, Chunk3 (size 0x30), Chunk2 (size 0x60) at the end]

  30. Use-After-Realloc
      Which means that all pointers assigned to the buffer need to be updated after the reallocation, to prevent dangling pointers.
      Example:
          void *chunk2 = malloc(0x20);
          char *output_str = (char *)chunk2 + 0x10;
          chunk2 = realloc(chunk2, 0x10000000);
      [Diagram: before: Heap = Chunk1 (size 0x20), Chunk2 (size 0x20), output_str pointing into Chunk2; after: Chunk1 (size 0x20), Chunk2 (size 0x10000000) moved, output_str still pointing at the old Chunk2 location]

  31. Use-After-Realloc
      And then, it's a classic UAF situation, if you can allocate around the same address.
      (Same example as on the previous slide.)
      [Diagram: after realloc: Heap = Chunk1 (size 0x20), Attacker chunk (size 0x20) in the old Chunk2 slot, Chunk2 (size 0x10000000) elsewhere; output_str now points into the attacker chunk]

  32. Use-After-Realloc
      TL;DR, we could dump database strings via an HTTP request:
          # python get_bodied.py
          [O_O] GOGOGO (Connected to circle...)
          [~_~] S-s-s-sendding!!!?! len: 0x105d
          [o_o] gotta response!
          [O_O] gotta another response!
          4:51 GMT
          Vary: Accept-Encoding, Origin
          Access-Control-Allow-Origin: lilith@totesnotvalid.com</email
          Content-Type: application/json
          Content-Length: 1030
          Connection: close
          [^_^] Thanks for hangin out!<3
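The dangling interior pointer from slides 30 and 31, and the fix, as an added C example that is not from the talk or the Circle firmware: realloc_moves_buffer() reports whether realloc() relocated a chunk in the two cases the slides describe (growing past the mmap threshold, and growing while a neighbour chunk blocks in-place growth), and record_t shows the offset-based pattern that keeps pointers valid across a reallocation. The record_t type, its functions and the "apid" sample string are constructed here for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the slides' pattern: an interior pointer into a chunk that is
 * then realloc'ed. Returns 1 if realloc moved the chunk (an interior
 * pointer would now dangle), 0 if it grew in place, -1 on allocation
 * failure. With block_with_neighbor set, a second chunk is allocated
 * right after the first so it cannot grow in place (slide "Example 2"). */
int realloc_moves_buffer(size_t old_size, size_t new_size, int block_with_neighbor) {
    char *chunk2 = malloc(old_size);
    if (chunk2 == NULL) return -1;
    memset(chunk2, 'A', old_size);
    char *chunk3 = block_with_neighbor ? malloc(0x30) : NULL;
    /* Save the address as an integer: after realloc the old pointer refers
     * to freed memory and must not be dereferenced or compared as a pointer. */
    uintptr_t before = (uintptr_t)chunk2;
    char *grown = realloc(chunk2, new_size);
    if (grown == NULL) { free(chunk2); free(chunk3); return -1; }
    int moved = ((uintptr_t)grown != before);
    free(grown);
    free(chunk3);
    return moved;
}

/* The fix: store offsets, never raw pointers, across a realloc, and
 * re-derive pointers from the current base each time they are used. */
typedef struct {
    char   *buf;
    size_t  len;      /* bytes in use */
    size_t  cap;      /* bytes allocated */
    size_t  name_off; /* offset of the name field inside buf */
} record_t;

int record_init(record_t *r, const char *name) {
    size_t n = strlen(name) + 1;
    r->cap = n > 0x20 ? n : 0x20;
    r->buf = malloc(r->cap);
    if (r->buf == NULL) return -1;
    r->name_off = 0;
    memcpy(r->buf, name, n);
    r->len = n;
    return 0;
}

/* Append payload bytes, growing the chunk with realloc when needed. No
 * pointer into the old chunk survives the call, only offsets do. */
int record_append(record_t *r, const char *data, size_t n) {
    if (r->len + n > r->cap) {
        size_t new_cap = r->cap;
        while (new_cap < r->len + n) new_cap *= 2;
        char *grown = realloc(r->buf, new_cap);
        if (grown == NULL) return -1;  /* old buffer is still valid here */
        r->buf = grown;                /* base may have changed; offsets did not */
        r->cap = new_cap;
    }
    memcpy(r->buf + r->len, data, n);
    r->len += n;
    return 0;
}

const char *record_name(const record_t *r) { return r->buf + r->name_off; }

void record_free(record_t *r) { free(r->buf); r->buf = NULL; r->len = r->cap = 0; }

/* Grows a record by grow_to bytes (e.g. past the allocator's mmap threshold)
 * and reports whether the name field is still intact when read through the
 * offset. Returns 1 when intact, 0 when not, -1 on allocation failure. */
int record_survives_realloc(size_t grow_to) {
    record_t r;
    if (record_init(&r, "apid") != 0) return -1;   /* constructed sample name */
    char *blob = malloc(grow_to);
    if (blob == NULL) { record_free(&r); return -1; }
    memset(blob, 'B', grow_to);
    int ok = record_append(&r, blob, grow_to) == 0
          && strcmp(record_name(&r), "apid") == 0
          && r.len == 5 + grow_to
          && r.buf[r.len - 1] == 'B';
    free(blob);
    record_free(&r);
    return ok;
}

int main(void) {
    printf("large realloc moved chunk:     %d\n", realloc_moves_buffer(0x20, 0x1000000, 0));
    printf("blocked realloc moved chunk:   %d\n", realloc_moves_buffer(0x20, 0x60, 1));
    printf("record intact after 16MB grow: %d\n", record_survives_realloc(0x1000000));
    return 0;
}
```

Whether the chunk moves depends on the allocator (the talk's target runs uClibc malloc, this runs on whatever libc the host has), which is exactly why code must never assume realloc() returns the pointer it was given.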

  33. SSL Attribute Parsing
      CVE-2017-2911 - Circle with Disney Rclient SSL TLD MITM Vulnerability
      CVE-2017-2912 - Circle with Disney Goclient SSL TLD MITM Vulnerability
      CVE-2017-2913 - Circle with Disney libbluecoat.so SSL TLD MITM Vulnerability
      Why mention it? Because the creative method through which the Circle validated SSL certificates allowed us to intercept sensitive/compromising traffic encrypted over SSL.

  34. SSL Attribute Parsing
      Quick Intermission…

  35. SSL Attribute Parsing
      Quick Intermission… *.meetcircle.com

  36. SSL Attribute Parsing

  37. SSL Attribute Parsing
          char *X509_NAME_oneline(X509_NAME *xname, char *buf, int bsize);
      X509_NAME_oneline() prints an ASCII version of the 'xname' parameter to 'buf'. At most 'bsize' bytes will be written. If buf is NULL then a buffer is dynamically allocated and returned, otherwise buf is returned.
      e.g. `/C=US/ST=Sad/L=boop/O=<(^_^)>/CN=boopdoop.net`
      (TL;DR, never use X509_NAME_oneline)


  39. SSL Attribute Parsing
      The Certificate Validation Code:
      We get our oneline buffer...
          .text:00402A4C jal X509_NAME_oneline
          .text:00402A54 sw $v0, 0x38+oneline_buff_malloced($fp)
          .text:00402A58 lw $a0, 0x38+oneline_buff_malloced($fp)
          .text:00402A5C lui $v0, 0x41
          .text:00402A60 addiu $a1, $v0, (aCn_meetcircle_ - 0x410000) # "CN=*.meetcircle.com"
          .text:00402A64 jal strstr
          .text:00402A68 nop
          .text:00402A6C bnez $v0, loc_402A94
          .text:00402A70 nop
          .text:00402A74 li $a0, 3
          .text:00402A78 lui $v0, 0x41
          .text:00402A7C addiu $a1, $v0, (aInvalidCertifi - 0x410000) # "Invalid certificate\n"
      And then try to find this str inside of it!

  40. SSL Attribute Parsing
      Back to our example from before:
          '/C=US/ST=Sad/L=boop/O=<(^_^)>/CN=boopdoop.net'
      and the string being searched for:
          'CN=*.meetcircle.com'
      So obviously this would not be a match. But the funny thing about certificates is that there's not many restrictions in generating certificates… The only limiting factor in generating a certificate is if you can get someone to actually sign it.

  41. SSL Attribute Parsing
      One hilarious attack: create a certificate with another attribute that matches.
          '/C=US/ST=Sad/L=boop/O=CN=*.meetcircle.com/CN=boopdoop.net'
          'CN=*.meetcircle.com'
      Unfortunately, the Circle has a hardcoded CA cert check too (Comodo/Entrust), and the certificates signed by them had their other attributes overwritten. [>_<]
      Source: https://langui.sh/2016/01/29/x509-name-oneline/

  42. SSL Attribute Parsing
      Hilarious attack #2: (And this is honestly just kind of silly...)
      We've established this already....
          '/C=US/ST=Sad/L=boop/CN=<(^_^)>/CN=boopdoop.net'
          'CN=*.meetcircle.com'

  43. SSL Attribute Parsing
          '/C=US/ST=Sad/L=boop/CN=<(^_^)>/OU=CN=*.meetcircle.com'
      And no CA is going to sign this...

  44. SSL Attribute Parsing
      But what about this? ^_^
          '/C=US/ST=Sad/L=boop/CN=<(^_^)>/CN=*.meetcircle.company'

  45. SSL Attribute Parsing
      Hilarious attack #2: TLD extension bypasses
          'CN=*.meetcircle.com'
      These are all valid domains that will bypass the SSL domain name check, and will also actually be signed by a CA:
          CN=*.meetcircle.computer
          CN=*.meetcircle.company
          CN=*.meetcircle.community
      There's generally >= 1 for every common TLD:
      - .net → .network
      - .org → .organic
      - etc.

  46. SSL Attribute Parsing
      I realize these weren't the most sophisticated attacks, so I'm not going to spend too much more time here, but the sensitivity and potentially compromising nature of the data that was flowing over these insecurely implemented connections was definitely no joke (even if the exploits were ^_^).
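An added C example, not code from the talk or the Circle firmware, that reproduces the substring check the disassembly on slide 39 performs over X509_NAME_oneline() output and puts a correct hostname match beside it. The subject strings are the ones quoted on the slides; last_cn(), hostname_matches() and the expected host "api.meetcircle.com" are constructed for illustration. A real client should let the TLS library do this (OpenSSL's X509_check_host()) rather than parsing oneline text at all.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* The check the Circle's client performed: a substring search for the
 * expected CN over the X509_NAME_oneline() text. Returns 1 if "accepted".
 * It matches anywhere in the string, so "O=CN=*.meetcircle.com" and
 * "CN=*.meetcircle.company" both pass. */
int flawed_cn_check(const char *oneline) {
    return strstr(oneline, "CN=*.meetcircle.com") != NULL;
}

/* Copy the value of the last "/CN=" component of a oneline string into out.
 * Returns 0 if there is none or it does not fit. Demonstration parser only:
 * real code takes CN/SAN from the X509 object, never from oneline text. */
static int last_cn(const char *oneline, char *out, size_t outsz) {
    const char *found = NULL, *p = oneline;
    while ((p = strstr(p, "/CN=")) != NULL) { found = p + 4; p = found; }
    if (found == NULL) return 0;
    size_t n = strcspn(found, "/");           /* value ends at the next '/' */
    if (n >= outsz) return 0;
    memcpy(out, found, n);
    out[n] = '\0';
    return 1;
}

/* RFC 6125-style name match. A leading "*." in the pattern matches exactly
 * one non-empty DNS label; the remainder must equal the rest of the host,
 * case-insensitively and anchored at both ends, so the TLD is compared in
 * full ("meetcircle.com" never matches "meetcircle.company"). */
int hostname_matches(const char *pattern, const char *host) {
    if (strchr(host, '*') != NULL) return 0;          /* hosts never contain '*' */
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host) return 0;     /* wildcard needs one full label */
        return strcasecmp(pattern + 2, dot + 1) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Hardened check: the presented CN (possibly a wildcard pattern) must match
 * the host the client intended to talk to, not just contain a substring. */
int hardened_cn_check(const char *oneline, const char *expected_host) {
    char cn[256];
    if (!last_cn(oneline, cn, sizeof cn)) return 0;
    return hostname_matches(cn, expected_host);
}

int main(void) {
    /* Subject strings quoted on the slides, plus one constructed legitimate one. */
    const char *subjects[] = {
        "/C=US/ST=Sad/L=boop/O=<(^_^)>/CN=boopdoop.net",
        "/C=US/ST=Sad/L=boop/O=CN=*.meetcircle.com/CN=boopdoop.net",
        "/C=US/ST=Sad/L=boop/CN=<(^_^)>/CN=*.meetcircle.company",
        "/C=US/O=Circle/CN=*.meetcircle.com",
    };
    for (size_t i = 0; i < sizeof subjects / sizeof subjects[0]; i++)
        printf("flawed=%d hardened=%d  %s\n",
               flawed_cn_check(subjects[i]),
               hardened_cn_check(subjects[i], "api.meetcircle.com"),
               subjects[i]);
    return 0;
}
```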

  47. Wifi SSID Vulnerabilities
      CVE-2017-2915 - Circle with Disney WiFi Restart SSID Parsing Command Injection Vulnerability
      CVE-2017-12094 - Circle with Disney Startup WiFi Channel Parsing Command Injection Vulnerability
      CVE-2017-12095 - Circle with Disney WiFi Insecure Access Point Vulnerability
      Why mention it? The attack vector for all of the following bugs was unauthenticated WiFi wireless communications. (#IoTWarDriving?)

  48. Wifi SSID Vulnerabilities
      Hopefully this is a fair assessment, but IOT devices are more geared toward "casual consumers" and not your average techie; they mostly try to use a "plug-and-play" and zero-configuration setup. In the case of the Circle with Disney, this manifests in the fact that you only need to configure an ESSID and password for the network that the Circle will be connecting to and managing.


  50. Wifi SSID Vulnerabilities
      - Whenever the Circle gets disconnected from your wireless, it will naturally try to reconnect, as expected.
      - But it unfortunately only checks/uses the ESSID and password for this, not the security options of the access point.
      - So if you happen to be broadcasting another password-less ESSID with the same name as the ESSID that the Circle is connected to, and then also just happen to deauth the Circle from its current network.... You get a free Circle on your network!
