Welcome back from lunch. Hope it was delicious. Maybe some tacos. I don't know, it's San Diego. I've had a great time. You're in for another great talk on yet another IoT hack by Joshua Meyer. Please everyone give a warm round of applause to Joshua and welcome him, ToorCon.

All righty, thanks everyone. So I guess let's dive right in. So a little bit about me: I work at Independent Security Evaluators. We do custom white-box security assessments. We look at all kinds of things, and we have a particular focus on the media and entertainment industry. And we also have a large research presence. I guess I'll skip that a little bit.

So I just have a couple of slides here, and basically we're just going to lay the groundwork for what we're doing today, and then we're going to do a live demonstration of looking at this device here. Sure. Is this better? We had to move it back. Hello? Better? Check? All right.

So we're looking at the TerraMaster F2-420. I got the specs here for you, but it's basically a pretty run-of-the-mill network attached storage device that you might find in small homes and businesses and that kind of thing. It's got a web application. It has a nice bird on it. Pretty typical. It's one of those desktop-metaphor web applications, so they're kind of neat. It's got all kinds of little services that can run, and a lot of them are running by default. We've got your file sharing stuff, and we've got some Telnet and SSH and that type of thing. And that's all I got.

So let's go ahead and roll into actually checking out this device. I've got the login page up here, so we'll go ahead and sign in. And as you saw in my screenshot, this is kind of what you get. So, like I said, it's your desktop metaphor. You've got your icons and all that good stuff. Strange permission or surprise. It doesn't work. We have folders and that kind of thing. So we've got all kinds of neat little features inside the control panel.
And this is where you're going to have your administration-type functions. You're going to have, like, creating users, making folders, groups, that kind of thing. And these are exactly the types of actions that we look for when we're assessing these embedded devices, because they tend to just be wrappers for commands and functions that run at the operating system level. So they tend to be prone to command injection, and we can go from there.

So in particular, we've got something like creating a user. While I'm using this web application, I'm also proxying this through Burp Suite, which is a web proxy software. And maybe I didn't proxy very well. So we can go ahead and we'll try to create a user, and we'll see what this request looks like. Oh, boy, I didn't clear out my data. Shame on me. All right, so that was a little sneak preview. There's lots of vulnerabilities in this device. I guess it didn't get cleared properly when we reset it.

Okay, so we'll do something a little different, I guess. So we'll try to create a user, and we'll give it a username, and we'll call it Toorcon. And we'll give it a very secure password. What's wrong? So that's done. So, of course, the payload is going to go through. I apologize for this. It gets better. Hang on. Okay, I apologize. I did not have the logging turned on. Fun devices. All right, try that again.

So here's the actual request we want to look at. So when we create a user... do you guys see that okay? That's very small. Is that a little better? That's a pretty typical-looking HTTP request. We can see our username, and we can see the password we put in here. So it turns out that when we create these users, it's just getting passed as a command-line argument to some sort of utility on the operating system. And this user input is just being passed to it directly. There's no sanitization, so we can do our classic exploits. We can do, I don't know, let's try to create a file. So we'll make a file in /tmp, and we'll call it Toorcon.
To close off that. And the operation is successful. So if this attack worked, then we should have seen a file created in /tmp. So we can switch to a terminal. And this, I can make big. And I believe we have SSH on it. So we'll use the admin account that we already have, and the IP address. Oh boy. This is one that's on 922. Okay, so we have a shell now. And we can look into /tmp. And our command didn't work. Oh boy. One more time. And there we can see the file that was created through the command injection in user creation.

So this is a very typical endpoint that we found in our research on all these devices. We've got devices of all kinds of classes, and they all seem to have these problems in common.

So moving on from that, we can go back here and clear out some of these awful cross-site scripting payloads. This is going to be a little problematic. Let's delete the old ones. That sounds like a good idea. But as I'm sure you're all very astute, you can see that there's going to be cross-site scripting in these shared folder names as well. So what happens when you make that folder name? We can go back into Burp Suite, and we'll see what kind of request was generated there. Looks like this one. And again, we've got this similar-looking request where we've got the folder name, and I didn't give it a description, that's blank, but we've got some various things here. But we think there's going to be cross-site scripting in here, so we can try doing a payload here. I'm going to type it in here so I can get the URL-encoded version first. We're going to do a classic image tag. We're going to give it a file name that probably isn't in the web directory. And then when there's an error, we're going to pop up an alert box with, I don't know, 64. We're going to URL-encode this so that it fits in the POST body of our request. We're going to head back here. Operation successful. And then if we refresh this page...
Hey, there we go, we got cross-site scripted. So again, we've got these very basic web vulnerabilities, and this is a fairly modern device, I believe. Just your very typical, run-of-the-mill vulnerabilities. So we could continue going like this for hours, just clicking in all of these forms and finding wherever they come up. But an easier way to expedite this tends to be to look at the source code for the application. And if we notice up top, we can see a .php extension in the URL. So it's probably a PHP application. So we can head back to our shell here, and we can look and try to find where these PHP files are. And there's a whole lot of them, but it looks like they're in /usr/www.

So something else worth mentioning here is that we cannot get root. We have a low-privilege shell here even though we're an admin. So at some point, we're going to want to get a root shell so we can have full control over the thing. But heading back here, we can see our PHP files. This looks like a webroot directory. So we're going to want to take this webroot directory and send it to our own machines so that we can do our own offline analysis of these source code files. So I'm going to go ahead and tar up this directory here. We'll call it files.tar. And then in our home directory, we should have this nice tarball here.

So at this point, we're going to head back to my local console here. And I think we can use scp to get this thing off. Let me get this full path here, actually, just to make sure it's right. Does scp take that argument? Maybe it doesn't. Luckily I have this copy I've already created before, just so I don't have to go click through the web directory and try to find this thing. Save some time. But I've got... I'm not sure we can't do this. We'll have to use some time then. So let's get back into this thing. And we're going to have to find out where the shared folders are for this device. So...
I believe they are usually... scp the files to /mnt. That'll work. So now we should be able to go to the file manager and find them. I don't have permission to do this. This is unfortunate. Does anyone offhand know what the flag for scp is to use a different port? Capital P? No good. After the colon you do it? Oh, in front of it, okay. That sounds right. Success. 10 points.

All right. So I'm going to go ahead and look at this here, and we can proceed with the rest of this. So now I've got my local copy here. Again, we just took off user slash user slash dot dot dot, because that's where we found the web application. So let's go ahead and start taking a look at these files and see if there's anything good. So... I don't know. includes is a good choice. PHP. Yikes. That doesn't look like PHP. Hmm. Well, data.

So what's going on here is it turns out that these PHP files have been obfuscated in some way. Perhaps they were encrypted. At any rate, we know that PHP is a scripting language, so it's interpreted. So these files should be in human-readable form at some point. So let's run with this idea that they're encrypted. What might be decrypting these files? How about the PHP interpreter? That seems a good guess. So we'll head back into our SSH session here, and we will find out where the PHP interpreter lives. Looks like /usr/sbin. And then we'll go ahead and we'll do something and extract it. All right, so now we've got our PHP binary.

So at this point we have this PHP binary, and we have these encrypted files. We're going to take a guess and say that these files are encrypted using symmetric encryption, so that there's a key that's already known and they can decrypt these files as needed. So this device seems to be able to do this by itself. There's probably a key floating around somewhere where we can find this decryption key. So we're going to look inside the PHP binary.
Of course it's a binary, so we're going to have to use something like Binary Ninja or IDA Pro or something like that, some disassembler, to look inside the binary. So now we've... Let's see if I can make this bigger. That's not quite the same thing. We've got the binary open now in Binary Ninja. And we think it's going to be a symmetric encryption thing. So what's a standard symmetric encryption algorithm? Anyone? AES. Good choice.

All right, so we're going to look for the AES function. There's several of them here. Most of them don't look very interesting, and you probably can't see any of them. But the last one is called screwAES, which is kind of interesting. So we've got this little function here. It's, you know, assembly, so no one really wants to read this, but we're looking for a key. So in theory, Binary Ninja will just show it right next to us. Well, we don't see one in this function, but we do see over here that it is cross-referenced by another function, which means that something is calling the screwAES function, and it looks like it's in the middle of this, and so let's go back up to where it was originally used. What's this? So is this our key? Probably. But it looks like it's used just before an MD5 function.

So we think we might have found our key inside this PHP binary that's using this thing called screwAES, so we can head back to our terminal now. At this point we need to MD5 that key, and then we need to use some sort of decryption routine to decrypt all these PHP files for us. So with the help of some of my good colleagues here at ISE, we came up with this nice command which will take this string that we have, it'll MD5-sum it, clean it up a little bit, and put it inside a hexadecimal encoding. And the reason we want it in a hexadecimal encoding is so that we can use it with the OpenSSL utility, and then we're just going to use that to go ahead and decrypt all these PHP files.
So that's the first step, and then the second step is to use... ooh, looks like it went all by itself. Let me bring that up again. But we have this nice find command here (I had a fun day learning how find works), and we're going to look for all of the PHP files, and then we're going to run this command here. And we're just going to make some assumptions here, so that's why we saw a bunch of decrypt errors when I ran this, but we're assuming it's just going to be AES-256 with CBC mode, because that seems like a typical choice. We're also assuming down here that the initialization vector is 0, so we're going to have some errors on the first block because of this. But the good news is, if we look now, we have these files that end in .dce.php, and if we look at upload again, hopefully it will be in plain text. And it is. So we see this error at the top of the page, or this bad block at the top of the page. That's okay, because we can see now that we've got all our good old PHP code in here. I always like the die function.

So now we've got the application source code, and again the idea is we're just trying to find a whole bunch of vulnerabilities very quickly. So what we can do from here is we're going to look for problematic PHP functions. Something like exec, which calls system processes, would be a good choice for that. So we're going to recursively grep through this web root, and we're going to look for exec. So there's a whole bunch of results. I'm being a little loose here, but let's try using this parenthesis. So how many results did we find?
724 instances of exec. So that's a lot. So potentially each and every one of those could be vulnerable to some sort of command injection vulnerability. Now a lot of them probably aren't, and again maybe my search was not as precise as it could have been, but just to give an estimate of how many times shell commands are being called by this web application.

So we can go back to our list here, and I have ahead of time identified a problematic function, and it resides within include, class plugs.class. So again we've got our decryption thing here, but this is a PHP class, I suppose, plugs, and we can look through here and just go to the top. But we do see exec appears in here several times: here it's making a directory, here it's running some command, I wonder what that could be, all kinds of things. But one of the interesting ones that I found is a function called logTotal. So we can take a quick look at this. It's pretty small. It looks like it takes in two parameters, one called table and one called type, and it looks like it's doing something with SQL. We see here some SQL statements being prepared, and it looks like the way they choose to run them is down here. I don't think this decrypted correctly. Oh, right here, okay, 825. So here we see that it's calling the sqlite3 binary on the operating system, and it's providing it with the SQL command. So looking at this, we can identify that there's a possibility for SQL injection, and there's probably a possibility for command injection. So SQL injection tends to be tedious to test for, but we can probably find a command injection.

So let's see where this logTotal function is being used. So again we're going to go ahead and search through our files here. We're going to look for _logTotal, and it looks like it is used by logTable. So again we'll look through here. The first thing we want to point out is right here on line 2: it looks like it's setting this variable called data, and it's using the values of your POST request. So that's important to note,
and then we'll go ahead and we'll try to find out where logTotal is used. It turns out it's used way down here at the bottom, and it looks like we're looking to make sure that you send a POST request, and in there there is a parameter called tab, and it's set to getTotal. And if that's the case, it's going to use this plug function, and it's going to run the logTotal function from plugs, and it's going to provide it with the value of a POST parameter called table and the value of a POST parameter called event.

So what just happened here? We just found a page where it's taking user input and it's storing it directly into this function down here. We didn't see any sort of sanitization going on here, and we looked in the plugs.php file earlier and we didn't see any sanitization there. And if you peruse through this file, you also notice that there's no authentication being checked here. So it looks like there might just be this endpoint out here that could give you some good results.

So remembering that we need a tab parameter, we need a table, and something else, we can use that to build a nice little curl command here that will make a POST request for us, and it will go ahead and populate these. So the first thing I have to do is fix this IP address and port number, going back here. So for those of you who are not familiar with curl, what we're doing here is we're specifying the POST body's data. So we're using tab, and we're supposed to be getTotal, so we'll set it to getTotal. We're sending table, and I have no idea what the database table names are, so I'm just going to try "my table" and see what happens. And then we've got this event parameter, one of those that got passed to the logTotal function in plugs.php, and we're going to do some backticks here. And what we're doing here is we're calling /usr/sbin/telnetd, and we're giving it -l with the path /bin/sh, and we're giving it the port number 12345. So what's this do?
This starts a telnet listener, and if you connect to it on port 12345 you should get a shell. So let's go ahead and fire off this request. All right, we got 200 OK. Did it work? It looks like it did, and we finally got root. So just like that. Thank you.

So again, recapping our strategy here: we could spend all day poking around at the web application, but usually the much faster way to do it is to look at the source code. And if we've got something like PHP, it should be pretty easy to look through, and we know what the problematic functions are, like exec. So this device was interesting because they were doing that AES thing, but in the end it didn't matter, because they had the key stored in the PHP binary, so we can extract that out and decrypt the files. And then we found an endpoint which was vulnerable to not only command injection, but it also didn't require authentication, and it ended up being root command injection on top of that. So at this point we have a single curl command that could be applied to any of these TerraMaster devices. You don't need authentication, you can get a root shell on them; effectively they're now your device. So if you'll remember from that word count list I printed earlier, there were over 700 instances of exec, so who knows how many more of these kinds of endpoints are in the device. So if you want some free CVEs, I highly encourage you to check out those endpoints. But I think that's all I have for you today. Any questions, guys? All right, thanks for listening, everyone.
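Editor's added example, not code from the talk, from TerraMaster's firmware or from ISE: it reconstructs the logTotal pattern the speaker describes (a table name and a type value spliced into SQL, which is spliced into a shell command that runs the sqlite3 binary) next to a hardened version that allowlists the identifier, binds the value and never touches a shell, plus the request-side metacharacter check a filter could apply. The database schema, table name and the sqlite3 and database paths are constructed assumptions, since the talk does not show them.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the NAS's sqlite database; the real
# schema is not shown in the talk, so table and column names are assumptions.
def build_demo_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE event_log (type TEXT, msg TEXT)")
    con.executemany("INSERT INTO event_log VALUES (?, ?)",
                    [("login", "admin"), ("login", "guest"), ("share", "docs")])
    con.commit()
    return con

def unsafe_log_total_command(table, type_):
    # The pattern described for logTotal: both parameters are interpolated
    # into SQL, and the SQL is interpolated into a shell command line that
    # invokes the sqlite3 binary (paths here are placeholders). The command
    # is returned rather than executed, so the effect of untrusted input on
    # the command string can be inspected: backticks inside double quotes
    # are still command-substituted by the shell, which is the injection.
    sql = "SELECT COUNT(*) FROM %s WHERE type='%s'" % (table, type_)
    return '/usr/bin/sqlite3 /path/to/log.db "%s"' % sql

SHELL_META = re.compile(r"[`$;|&<>\n]")

def looks_like_command_injection(value):
    # Request-side check (WAF rule or input filter): any shell metacharacter
    # in a parameter destined for exec() is worth logging and rejecting.
    return bool(SHELL_META.search(value))

ALLOWED_TABLES = {"event_log"}

def safe_log_total(con, table, type_):
    # Hardened version. An identifier cannot be bound as a query parameter,
    # so the table name is checked against a fixed allowlist; the type value
    # is bound with "?"; and the query runs in-process, so no shell is
    # involved and the SQL injection surface disappears with it.
    if table not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % table)
    row = con.execute("SELECT COUNT(*) FROM %s WHERE type = ?" % table,
                      (type_,)).fetchone()
    return row[0]
```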