All right. So hi everybody, and thank you for joining me at my talk, and thanks CONFidence for inviting me to speak here. So in this talk I will present my follow-up research on Ruckus Wireless. Ruckus is a wireless solution company owned by CommScope, and I first noticed them when they partnered with Black Hat for their Wi-Fi conference solution. Well, in the last year I've been doing vulnerability research on Ruckus devices, and so far I managed to find several critical vulnerabilities.

Yeah, so this is a screenshot from my previous research that was introduced at CCC, and back then in 2019, before the coronavirus, going to places was a thing, so here you can see me actually talking at a real conference, which is exciting, although online is good as well.

Okay, so I'd just like to introduce myself really quickly. My name is Gal Zror. I'm a research team leader at Aleph Research by HCL AppScan, and I've been doing vulnerability research for some time. I like to focus on embedded devices research in particular.

And I would also like to do a quick recap of my previous research. So in that research I demonstrated three different ways to execute code on Ruckus devices. All the vulnerabilities were found in the device web interface. The first RCE was credential leakage with SSH jailbreak, the second was an unauthenticated stack buffer overflow, and the third one was a command injection that was reachable without authentication by writing a web page.

All right, and for this talk I will be using the Ruckus R510 Unleashed. The Unleashed versions are access points that don't rely on a specific Wi-Fi controller, and moreover, all access points in that list share the same vulnerable code base. And besides that, I also noticed that some vulnerabilities work on the ZoneDirector product line, which is the Wi-Fi controllers for the access points.

Okay, so what's new with this research? So this research began right after I downloaded Ruckus's fix for my previous research. I noticed that they did not fix one of my vulnerabilities correctly, and I then decided to try to re-enable it. And well, besides that, my first research was done entirely based on device emulation. Now I own an actual device, and I can try to understand if I got something wrong with the emulation or something like that.

Okay, oops, sorry, I forgot the last bullet. So before I get into the vulnerabilities themselves, I would like to introduce a really cool Ghidra script that really helped me with this specific research. So I'd first like to introduce my previous script. In my previous research I wrote a Ghidra script that fetches function names from log strings that Ruckus left in their binaries. Here we can see that they provide a lot of information in their logging, and this script helped me rename functions by parsing these log lines that contain the function name. As you can see here on line 38, there's the log line, and I can fetch the function name from it. We also already got a generic version of that script, so feel free to check our GitHub for this script.

And well, the thing is that this script really helped me with most of the Ruckus binaries, but there were some binaries that were not written by Ruckus. So, well, it's a common thing for embedded device vendors to use open source projects in their devices. Ruckus decided to base their web server on a popular project called Embedthis, so they extended its functionality by adding some code to it. And since the Embedthis sources are public, I don't really need to reverse the entire web server binary, and it was just easier for me to review the code itself. But the problem is, what about the parts that Ruckus added? I would like to be able to mark them and see them in Ghidra, so I'll know I'll have to actually reverse them.

So for that I wrote an additional Ghidra script. In my new script I try to extract as many function names as I can from the Embedthis source code. Luckily I discovered a debug function that contains the exact C file name and line number in the Embedthis sources. Here we can see that for this unnamed function from the web server binary we get that this function appears in the server.c file, around line number 138. So if we go to this line number in the Embedthis sources, we'll be able to extract many function names from it. Yeah, and so this is the function in Ghidra after the conversion, and these are actually all the function names that I was able to extract from the source code into Ghidra.

And let's have another example. Let's take a look at this function call graph. This function, called maCreateWebServer, is being called from main, and as you can see it calls other functions. So on the right side we can see all the function names I was able to fetch from the sources by using the script I just introduced, and on the bottom left side you can see the function names I was able to fetch by using the script from my previous research, because Ruckus still use their logging convention that contains function names. And as you can see, there are still unnamed functions, but still the majority of functions here are now named, and this is a very good example of how these two functions help me get plenty of information and save me a lot of time on reversing.

So now I work on writing a generic version of that script that won't rely on specific debug information, and once it's done I'll share it in our GitHub account. So meanwhile feel free to check it, and check other tools we got in this GitHub as well.

Okay, cool, so now we're ready for some exploits, and this is my first. In this attack I found another stack buffer overflow that was reachable without authentication with a web request. And now we're gonna go for an online live demo, and there are so many things that can go wrong, so please, demo god, spare me on this one.

Okay, so let me just open the terminals I will use. And first I would like to show you guys the stack overflow payload itself. Let me just use vi for that. Okay, so as you can see here, this is the payload, and we're going to use netcat that's going to create a reverse shell to my machine. This is why I'm using two terminals. So in my second terminal I'm just gonna listen on port 1337, of course. Okay, now I'm listening, and all I have to do is just use wget to send the payload. So here we can see I'm just using a standard wget that's gonna send this payload to this specific page on my router. This is my router IP address, and that's it. Wish me luck. Oh yeah, I think things happened. Let's see if ls works. Awesome, so this is a remote shell, and I can check what's my user. So I'm the admin, and the admin user is part of the root group, which means I totally own this device. Awesome, and it went well as well.

Okay, so before I get into this specific vulnerability, here's a quick recap of my previous talk, just to create the right context. So there are three important binaries in the web interface. The first one is /bin/webs. This is the actual Embedthis web server, and it handles HTTP requests and executes handlers according to its configuration, and it then sends commands through a Unix domain socket to /bin/emfd. emfd is an executable that contains the web interface logic. It maps functions from web pages to their own functions, and it then implements web interface commands such as backup network configuration, retrieve system information and much more. The last one is the library libemf. This library is used by emfd mainly for web authentication, input validation and sometimes even code execution.

Just one more thing, please note that in my previous research most of the vulnerabilities were related to emfd. However, now the stack overflow I'm about to talk about is in the web interface, in the web server. And now let's look at this in a diagram. So first, webs listens on HTTP/HTTPS. If it receives a JSP page request, it uses the EJS handler to pass a function name to emfd. emfd then checks if the function name is mapped, and if so, it calls the right function pointer. Eventually emfd runs some kind of shell command, for example ifconfig, iptables, routes and things like that.

Okay, and since the web server contained Embedthis code and Ruckus code, I decided to mark Ruckus functions with an rks prefix. Ruckus has added a new function that registers new EJS functionality. EJS is a handler that runs if the web server receives a JSP page request. So here we can see there are 12 functions that were registered. Each function registration needs a function name and a function pointer. Now let's understand how we can reach these functions with an HTTP request. So for example, when sending an HTTP request to /admin/webpage/wifi network/wlan sysconfirm.jsp, the web server invokes an EJS handler, and on this page we can see that the EJS script has this special tag, and EJS functions are being called from it. So webs maps every string it receives to a function pointer and then runs it. Here we can see that a function called escape JS str is being called, and here we can see another function named s which is also being called. And yeah, they actually named a function s, I'm serious, and yes, this is by far the worst naming convention I ever saw. But well, naming convention is not the only lousy thing about these functions.

When I reviewed these functions I noticed that s, str escape js and get cookie value are all using unsafe string copy. Whoops, oh yeah, that's okay. That means if I can find a web page that passes user input to one of these functions, I will be able to smash the web server stack. So to search for an input that leads to one of these functions I decided to just use grep. I searched if there's any call to one of these functions with a non-static value. It also should not be a session-related or session-evaluated value, because I might not be able to create this session or manipulate this session. So this is the regex that makes sure s doesn't get any value inside a double or a single quote, aka static content. I managed to find two JSP pages. One was an error page which did not receive any user input, and the other was this wlan sysconfirm.jsp.

So let's have a look at this page. Well, we saw that the s function receives a non-static value called content, and thankfully the content variable is set directly by an HTTP body parameter called content key. So all I had to do is just send the right request to wlan sysconfig.jsp, and this is how I smashed the stack. As for exploitation, so the R510 uses both NX and ASLR. To overcome NX I just decided to use a simple ROP gadget. So these two gadgets run system with a pointer to my payload, and in this case I was using netcat to create a reverse shell to my machine. And for ASLR I just decided to take the brute force approach, and that way I managed to overcome its nine bits of randomness.

Okay, so before I continue with my second attack, I would like to share other vulnerabilities I found that I think are worth mentioning. So I found a cross-site scripting, a denial of service and an information leakage that might lead to another jailbreak. All of them were found either in their web server or in emfd.

I discovered the cross-site scripting actually in my first research, and well, it's a pretty straightforward vulnerability. So for every AJAX POST request to, let's say, /admin/wla cmds.jsp, we have to send this updater attribute. So this attribute is simply reflected without any validation, so all I had to do is just send the right payload, and for each request we send to cmd.jsp we can run, in this example, this alert JS.

Okay, the other vulnerability was denial of service. So while researching I actually came across this vulnerability, this request that simply crashes the web server. I must say I found it by mistake, and I did not invest too much time in this specific vulnerability. It seems like a null pointer, and I don't think it can be more than a denial of service. Another thing, I think it may be even related to the web server itself, but again I did not invest too much time in this specific vulnerability.

And the last one is the information leakage. So Ruckus, they consider the device serial number as sensitive information. In my previous research I came across some functions in the Ruckus CLI that rely on this device serial number to escape to BusyBox, to get a jailbreak. And in this research I noticed that the upnp.jsp page is reachable without authentication, and well, this page gives a lot of useful information on the device, and well, it can be used for fingerprinting. But the best part, it could be used... well, we get the serial number, and we could use it for potentially jailbreaking the device again.

Awesome, so this is the time for my second RCE. In this attack I found a way to reuse my command injection vulnerability from the previous research. I then had to find a new way to bypass authentication, and I did it by overwriting admin credentials.

Okay, so let's first understand how the command injection used to work in my previous research. So emfd executes code in a really messy way. emfd sometimes uses libemf, other times calls a shell script called syswrapper.sh, and sometimes it just executes the command itself by using libc. These are all the different functions that emfd uses to execute shell commands, and as we can see here there are many libc system functions. So I had to find a page that uses this system function without input validation, and luckily I found four functions that called system and were vulnerable to command injection. And for the demonstration I will be using the cmd import avp port function.

Okay, so to reach the vulnerable function I had to send an AJAX request to /admin/_cmdstat.jsp. This request uses an emfd command called import avp port, and when emfd receives this request it uses another function called cmd import avp port, a function inside emfd, and this function uses the libc system function just unsafely. So let's have a look at the function's decompiled code. So for my previous command injection all I had to do is to pass a command injection in the upload file attribute, and as you can see it just executed without any input validation. The only problem was that I had to be authenticated to reach this function. As you can see, we must have a valid cookie and a CSRF token and this kind of stuff.

Okay, so now that we understand the previous command injection, let's have a look at how Ruckus tried to fix it. So they decided to use a function called is validate input string that's supposed to validate there's no injection character in the upload file attribute. And this function, so this is an external util function found in libemf, and this specific input validation function is being used widely for input validation in the entire system. Okay, so let's have a look at this validation function.

Here are all the forbidden characters for a given input. At first this validation seems pretty solid; however, some very important characters were missing from that list. And something I like to do when reviewing a validator: I try to create a set of all the printable non-alphanumeric characters that can pass this specific validator. And after some trial and error I realized that the shebang sign, which is a pound key followed by an exclamation mark, is a valid input, and I could also use the slash, so I could actually create a shebang /bin/sh. Well, that was good, but not good enough. I couldn't just append this shebang payload to a system command and expect it to just run it, and this is because a shebang has to be in a line of its own. Luckily I could also use a newline character. Yeah, that's actually true, the newline character as a parameter input was not being validated, not in the web server, not in emfd, anywhere. I can just send a newline, and well, the result of shebang plus newline is a match made in exploit heaven.

Okay, so that was great news. I can now replace my injection with a shebang, but there's one last thing left to solve. The space character was not valid input, so I decided to replace spaces with tabs. So here we can look at the new payload. As you can see, the semicolon was replaced by a shebang and spaces were replaced by tabs, and that's it. This is how I was able to re-enable my old command injection. The last thing I had to do to complete this exploit was to bypass authentication again, because Ruckus already fixed all the authentication bypasses I found in my first research.

Okay, so now I would like to explain how the admin credentials are stored on the device. So there's this system.xml
00:27:09,200 and this is the device general 615 00:27:09,200 --> 00:27:10,720 configuration file 616 00:27:10,720 --> 00:27:13,120 it contains the admin credentials as 617 00:27:13,120 --> 00:27:14,240 well as other 618 00:27:14,240 --> 00:27:17,520 important configuration and 619 00:27:17,520 --> 00:27:20,320 here we can see that the admin xml 620 00:27:20,320 --> 00:27:21,440 element 621 00:27:21,440 --> 00:27:24,559 uh so we can see that in xml element 622 00:27:24,559 --> 00:27:25,360 itself 623 00:27:25,360 --> 00:27:28,559 and we can also see that its password 624 00:27:28,559 --> 00:27:32,840 is being stored in the x password 625 00:27:32,840 --> 00:27:35,679 attribute 626 00:27:35,679 --> 00:27:37,600 another thing while i was working on 627 00:27:37,600 --> 00:27:39,120 this specific exploit 628 00:27:39,120 --> 00:27:42,320 i noticed that rukus has decided to use 629 00:27:42,320 --> 00:27:45,679 the most secure mechanism for storing 630 00:27:45,679 --> 00:27:46,840 sensitive 631 00:27:46,840 --> 00:27:50,159 password so uh if you look at this 632 00:27:50,159 --> 00:27:52,880 x password attribute you might think 633 00:27:52,880 --> 00:27:53,360 that 634 00:27:53,360 --> 00:27:55,840 there uh that my password for this 635 00:27:55,840 --> 00:27:58,159 specific device is 636 00:27:58,159 --> 00:28:01,760 two three four five bcd however this is 637 00:28:01,760 --> 00:28:02,880 not the case 638 00:28:02,880 --> 00:28:05,360 because the real password is one two 639 00:28:05,360 --> 00:28:06,240 three four five 640 00:28:06,240 --> 00:28:10,240 abc and yes uh ruckus 641 00:28:10,240 --> 00:28:12,799 for some reason are offer skating the 642 00:28:12,799 --> 00:28:13,600 password 643 00:28:13,600 --> 00:28:17,279 by adding uh one to each character 644 00:28:17,279 --> 00:28:20,480 and well if you don't get it neither do 645 00:28:20,480 --> 00:28:20,880 i 646 00:28:20,880 --> 00:28:23,919 i got no idea why would they do that but 647 00:28:23,919 --> 
00:28:27,840 that's how it is yeah 648 00:28:28,399 --> 00:28:32,559 okay um but enough about that 649 00:28:32,559 --> 00:28:35,760 um now let's have a look at 650 00:28:35,760 --> 00:28:38,799 slash admin slash underscore 651 00:28:38,799 --> 00:28:42,399 wla underscore conf jsp page 652 00:28:42,399 --> 00:28:45,279 uh we can see that this page calls for 653 00:28:45,279 --> 00:28:46,320 two functions 654 00:28:46,320 --> 00:28:50,240 in emfd uh without login access check 655 00:28:50,240 --> 00:28:53,440 and adjust conf please note 656 00:28:53,440 --> 00:28:56,480 that we must first pass the login 657 00:28:56,480 --> 00:28:58,000 without access check 658 00:28:58,000 --> 00:29:00,799 function to get to the vulnerable adjust 659 00:29:00,799 --> 00:29:01,279 conf 660 00:29:01,279 --> 00:29:03,760 function 661 00:29:04,559 --> 00:29:07,919 so without login access check expects 662 00:29:07,919 --> 00:29:11,039 an adjust request xml 663 00:29:11,039 --> 00:29:14,720 that contains either setconf 664 00:29:14,720 --> 00:29:17,760 or do cmd action 665 00:29:17,760 --> 00:29:20,960 the do cmd action in this case was very 666 00:29:20,960 --> 00:29:21,520 limited 667 00:29:21,520 --> 00:29:24,399 in its functionality so i just decided 668 00:29:24,399 --> 00:29:25,840 to focus on the 669 00:29:25,840 --> 00:29:29,120 setconf action 670 00:29:29,200 --> 00:29:32,480 and so the setconfection uses an 671 00:29:32,480 --> 00:29:35,600 eme emfd function called 672 00:29:35,600 --> 00:29:39,760 check reset credentials conf para 673 00:29:39,760 --> 00:29:43,039 this function expects an admin 674 00:29:43,039 --> 00:29:46,080 xml element with following uh 675 00:29:46,080 --> 00:29:49,039 with these following attributes and this 676 00:29:49,039 --> 00:29:49,600 function 677 00:29:49,600 --> 00:29:51,600 only validates there are eight 678 00:29:51,600 --> 00:29:53,200 attributes 679 00:29:53,200 --> 00:29:55,840 and it only checks that the attribute 680 00:29:55,840 --> 
00:29:56,640 names 681 00:29:56,640 --> 00:30:00,640 not the value also they don't check you 682 00:30:00,640 --> 00:30:00,960 got 683 00:30:00,960 --> 00:30:04,159 any permission so that means i only need 684 00:30:04,159 --> 00:30:04,960 to 685 00:30:04,960 --> 00:30:07,679 to keep a certain format and i can 686 00:30:07,679 --> 00:30:09,279 overcome this 687 00:30:09,279 --> 00:30:12,159 specific function 688 00:30:12,559 --> 00:30:15,919 okay so here we can see a valid adject 689 00:30:15,919 --> 00:30:16,480 request 690 00:30:16,480 --> 00:30:19,840 with admin element 691 00:30:19,840 --> 00:30:22,080 so this request has all the right 692 00:30:22,080 --> 00:30:23,520 attribute names 693 00:30:23,520 --> 00:30:26,640 and it can reach to the vulnerable adjux 694 00:30:26,640 --> 00:30:29,679 conf function 695 00:30:31,039 --> 00:30:33,039 and now let's talk about adjective so 696 00:30:33,039 --> 00:30:35,840 adjust conf is a big function 697 00:30:35,840 --> 00:30:38,320 that does all sorts of things one of 698 00:30:38,320 --> 00:30:39,440 them is using 699 00:30:39,440 --> 00:30:42,480 an adapter called adapter setconf 700 00:30:42,480 --> 00:30:46,080 to update different configuration files 701 00:30:46,080 --> 00:30:49,880 and in particular it can update the main 702 00:30:49,880 --> 00:30:53,679 system.xml configuration 703 00:30:53,919 --> 00:30:56,640 as we saw without login access check 704 00:30:56,640 --> 00:30:57,600 forces me 705 00:30:57,600 --> 00:31:00,640 to use a specific xml element 706 00:31:00,640 --> 00:31:03,039 but thankfully this is the admin 707 00:31:03,039 --> 00:31:04,320 credentials element 708 00:31:04,320 --> 00:31:07,840 so uh let's understand how the 709 00:31:07,840 --> 00:31:11,760 adapter set conf works 710 00:31:12,320 --> 00:31:15,840 uh okay so uh this is how the adapter 711 00:31:15,840 --> 00:31:19,039 setconf function looks like 712 00:31:19,039 --> 00:31:21,760 it receives the request component 713 00:31:21,760 --> 
00:31:24,240 attribute 714 00:31:24,240 --> 00:31:28,640 and the adjust request itself 715 00:31:28,640 --> 00:31:30,960 i also realized that if the component 716 00:31:30,960 --> 00:31:32,000 equals to 717 00:31:32,000 --> 00:31:34,640 system then it can only update a 718 00:31:34,640 --> 00:31:35,519 specific 719 00:31:35,519 --> 00:31:39,279 xml element which was not the admin 720 00:31:39,279 --> 00:31:42,080 element that i was hoping to actually 721 00:31:42,080 --> 00:31:43,039 change 722 00:31:43,039 --> 00:31:46,080 so i can't just override the admin 723 00:31:46,080 --> 00:31:49,678 credentials with a simple request 724 00:31:50,000 --> 00:31:52,960 however if the component attribute it's 725 00:31:52,960 --> 00:31:54,559 not equal to system 726 00:31:54,559 --> 00:31:57,679 it uses a function called repo get 727 00:31:57,679 --> 00:32:01,760 curve child and this function 728 00:32:01,760 --> 00:32:05,360 gets a component name and looks for 729 00:32:05,360 --> 00:32:09,840 an xml configuration file with that name 730 00:32:09,840 --> 00:32:13,279 so in other words i can access 731 00:32:13,279 --> 00:32:17,279 any xml file in the air spider directory 732 00:32:17,279 --> 00:32:20,000 which is the configuration directory 733 00:32:20,000 --> 00:32:20,720 well 734 00:32:20,720 --> 00:32:24,080 i can access every 735 00:32:24,080 --> 00:32:28,799 every xml file except for system.xml 736 00:32:28,799 --> 00:32:31,679 because as i said before adapter set 737 00:32:31,679 --> 00:32:32,399 conf 738 00:32:32,399 --> 00:32:35,679 make sure it it's excluded but the 739 00:32:35,679 --> 00:32:37,360 credentials i want to override 740 00:32:37,360 --> 00:32:40,960 is in system.xml which sucks 741 00:32:40,960 --> 00:32:42,460 s 742 00:32:42,460 --> 00:32:44,399 [Music] 743 00:32:44,399 --> 00:32:47,600 yeah so this is where slash 744 00:32:47,600 --> 00:32:50,480 come to our rescue i noticed that if i 745 00:32:50,480 --> 00:32:51,039 add 746 00:32:51,039 --> 
00:32:53,600 a slash at the beginning of the of the 747 00:32:53,600 --> 00:32:55,279 component attributes 748 00:32:55,279 --> 00:32:58,000 it's no longer a system component it's 749 00:32:58,000 --> 00:32:58,399 now 750 00:32:58,399 --> 00:33:01,519 a slash system component 751 00:33:01,519 --> 00:33:03,679 and this way i was able to pass the 752 00:33:03,679 --> 00:33:06,080 system attribute check 753 00:33:06,080 --> 00:33:09,760 and now repo get current child function 754 00:33:09,760 --> 00:33:14,640 we look for the file system.xml 755 00:33:14,640 --> 00:33:17,519 which is totally fine since in posix we 756 00:33:17,519 --> 00:33:19,840 can add as many slashes as we want and 757 00:33:19,840 --> 00:33:20,799 we'll still get 758 00:33:20,799 --> 00:33:24,799 the right file 759 00:33:24,799 --> 00:33:27,760 okay and um so this is it adapter 760 00:33:27,760 --> 00:33:29,120 setconf has 761 00:33:29,120 --> 00:33:31,799 replaced the admin credentials in 762 00:33:31,799 --> 00:33:33,200 system.xml 763 00:33:33,200 --> 00:33:36,840 which means i was able to override admin 764 00:33:36,840 --> 00:33:38,080 credentials 765 00:33:38,080 --> 00:33:40,159 now i just need to chain these two 766 00:33:40,159 --> 00:33:43,279 vulnerabilities together 767 00:33:43,279 --> 00:33:47,120 so first the overwrite 768 00:33:48,240 --> 00:33:50,799 then command injection to pop a shell on 769 00:33:50,799 --> 00:33:52,799 the device 770 00:33:52,799 --> 00:33:54,720 and well since i tried to be a polite 771 00:33:54,720 --> 00:33:57,279 person after getting a shell i can 772 00:33:57,279 --> 00:33:59,600 obtain the original credentials 773 00:33:59,600 --> 00:34:02,720 by grabbing slash var slash 774 00:34:02,720 --> 00:34:05,840 run slash rpm key 775 00:34:05,840 --> 00:34:09,280 by the way this uh this specific 776 00:34:09,280 --> 00:34:12,320 file was the one i licked 777 00:34:12,320 --> 00:34:14,800 in my first research to get 778 00:34:14,800 --> 00:34:16,719 
authentication bypass 779 00:34:16,719 --> 00:34:20,000 so yeah fortunately as we saw 780 00:34:20,000 --> 00:34:22,960 before rokus insists on saving passwords 781 00:34:22,960 --> 00:34:24,239 as plain text so 782 00:34:24,239 --> 00:34:27,918 thank you for that um okay so all you 783 00:34:27,918 --> 00:34:29,839 have to do is to repeat the attack 784 00:34:29,839 --> 00:34:32,320 with the original credentials and this 785 00:34:32,320 --> 00:34:32,879 is 786 00:34:32,879 --> 00:34:35,679 how we can also avoid leaving any 787 00:34:35,679 --> 00:34:38,879 footprint on the device 788 00:34:39,040 --> 00:34:42,480 okay um so this is the time for my 789 00:34:42,480 --> 00:34:45,679 uh final and second demo uh for this 790 00:34:45,679 --> 00:34:46,239 i'll 791 00:34:46,239 --> 00:34:50,480 only use a single screen terminal 792 00:34:50,480 --> 00:34:53,040 and okay first i would like to show you 793 00:34:53,040 --> 00:34:54,079 guys the 794 00:34:54,079 --> 00:34:57,760 override itself let's open it with vi 795 00:34:57,760 --> 00:35:00,960 okay so as we saw before this is the 796 00:35:00,960 --> 00:35:04,160 admin element xml element and 797 00:35:04,160 --> 00:35:07,920 uh this is the password we can 798 00:35:07,920 --> 00:35:10,960 just use a different password let's go 799 00:35:10,960 --> 00:35:11,920 with 800 00:35:11,920 --> 00:35:14,960 confidence 2020 801 00:35:14,960 --> 00:35:18,240 and uh okay so this is it another 802 00:35:18,240 --> 00:35:20,240 payload i would like to share with you 803 00:35:20,240 --> 00:35:23,200 is the new command injection 804 00:35:23,200 --> 00:35:27,760 uh and here as we saw there's the 805 00:35:27,760 --> 00:35:30,960 upload file and here i'm using the 806 00:35:30,960 --> 00:35:32,800 shebang with a new line 807 00:35:32,800 --> 00:35:36,560 and i'm running a telnet with tabs 808 00:35:36,560 --> 00:35:41,520 that's gonna listen to port 7331 809 00:35:41,520 --> 00:35:45,119 but of course okay so let's start with 810 
00:35:45,119 --> 00:35:45,760 the 811 00:35:45,760 --> 00:35:49,040 the credentials override 812 00:35:49,040 --> 00:35:52,800 um yeah okay so again this is a standard 813 00:35:52,800 --> 00:35:53,599 w 814 00:35:53,599 --> 00:35:57,040 get request with the payload to uh 815 00:35:57,040 --> 00:36:00,240 to admin um wla 816 00:36:00,240 --> 00:36:03,280 conf and um 817 00:36:03,280 --> 00:36:06,160 this is it uh the credentials were 818 00:36:06,160 --> 00:36:07,280 override 819 00:36:07,280 --> 00:36:10,320 now i would like to do a standard login 820 00:36:10,320 --> 00:36:10,880 request 821 00:36:10,880 --> 00:36:13,440 so here yeah i already got it saved but 822 00:36:13,440 --> 00:36:14,320 here is the 823 00:36:14,320 --> 00:36:18,240 the new um the new credentials 824 00:36:18,240 --> 00:36:22,000 right admin and confidence 2020 825 00:36:22,000 --> 00:36:24,720 and as we can see i got a cookie and i 826 00:36:24,720 --> 00:36:26,480 got a csrf uh 827 00:36:26,480 --> 00:36:30,079 now i would like to uh to run my command 828 00:36:30,079 --> 00:36:31,040 injection 829 00:36:31,040 --> 00:36:34,640 um so this is it 830 00:36:34,640 --> 00:36:38,079 and i just need to update uh the 831 00:36:38,079 --> 00:36:40,880 right cookie and we'll be good to go so 832 00:36:40,880 --> 00:36:42,400 this is the 833 00:36:42,400 --> 00:36:45,839 this is the cookie and let's uh why not 834 00:36:45,839 --> 00:36:47,040 let's update the 835 00:36:47,040 --> 00:36:50,720 uh csrf token as well okay so this is it 836 00:36:50,720 --> 00:36:52,160 now we're gonna send 837 00:36:52,160 --> 00:36:55,760 uh the payload uh that's gonna run a 838 00:36:55,760 --> 00:36:58,480 telnet on the device 839 00:36:58,480 --> 00:37:01,680 okay seems seems okay all i need to do 840 00:37:01,680 --> 00:37:03,040 now is to telnet 841 00:37:03,040 --> 00:37:06,400 my uh device on seven two two 842 00:37:06,400 --> 00:37:09,839 three three one and yeah as you can see 843 00:37:09,839 --> 
00:37:11,200 i got a busy box shell 844 00:37:11,200 --> 00:37:14,480 i am the roots and of course i'm the 845 00:37:14,480 --> 00:37:17,920 yeah of course i'm part of the 846 00:37:18,560 --> 00:37:22,079 roots group and yeah this is it so this 847 00:37:22,079 --> 00:37:23,520 is the other way 848 00:37:23,520 --> 00:37:28,400 we managed to hack the the access point 849 00:37:28,400 --> 00:37:31,760 okay so um in conclusion 850 00:37:31,760 --> 00:37:35,040 today i demonstrated uh two pre-off 851 00:37:35,040 --> 00:37:38,400 rce the first one was pre-off 852 00:37:38,400 --> 00:37:41,440 stack buffer overflow and the second 853 00:37:41,440 --> 00:37:44,160 was command injection with credentials 854 00:37:44,160 --> 00:37:46,079 overwrite 855 00:37:46,079 --> 00:37:49,680 i will also shared my 856 00:37:49,680 --> 00:37:52,160 new and improved guitar script that 857 00:37:52,160 --> 00:37:53,200 really helped me with this 858 00:37:53,200 --> 00:37:56,319 specific research 859 00:37:56,800 --> 00:38:00,000 rockers networks were was informed about 860 00:38:00,000 --> 00:38:01,119 these vulnerabilities 861 00:38:01,119 --> 00:38:04,400 i requested six cvs and they incorporate 862 00:38:04,400 --> 00:38:08,720 them all and in total 863 00:38:08,720 --> 00:38:11,599 in this two research uh these two 864 00:38:11,599 --> 00:38:13,200 research were concluded in 865 00:38:13,200 --> 00:38:17,119 17 cbs that resulted in five different 866 00:38:17,119 --> 00:38:21,359 rc's so as i usually say in my talk 867 00:38:21,359 --> 00:38:24,480 if there are any ruckus users here 868 00:38:24,480 --> 00:38:26,000 you should stop what you're doing and 869 00:38:26,000 --> 00:38:27,520 check that you're running 870 00:38:27,520 --> 00:38:30,640 the latest firmware uh if not 871 00:38:30,640 --> 00:38:34,079 then tough luck 872 00:38:34,079 --> 00:38:37,119 okay so uh well this is it uh 873 00:38:37,119 --> 00:38:40,079 these two research were tons of fun i'm 874 00:38:40,079 --> 
00:38:42,240 really glad that i helped ruckus making 875 00:38:42,240 --> 00:38:42,640 their 876 00:38:42,640 --> 00:38:46,000 equipment better by the end of this 877 00:38:46,000 --> 00:38:49,040 week i will post my second blog post 878 00:38:49,040 --> 00:38:52,640 at alif research aleppsecurity.com 879 00:38:52,640 --> 00:38:55,920 uh feel free to check our blog 880 00:38:55,920 --> 00:38:57,599 for my previous research for this 881 00:38:57,599 --> 00:39:00,480 research and other amazing research done 882 00:39:00,480 --> 00:39:02,160 by our group 883 00:39:02,160 --> 00:39:04,880 and this is it thank you very much for 884 00:39:04,880 --> 00:39:05,680 listening 885 00:39:05,680 --> 00:39:08,720 and stay safe and healthy 886 00:39:08,720 --> 00:39:12,839 i think this is the time i passed the 887 00:39:12,839 --> 00:39:15,839 microphone