Right, good afternoon, folks. Welcome. My name's Tim. I'm head of research at Portcullis, and my colleague Mike helped me on this piece of research. So he's going to be chipping in where he feels I've missed things, and I'm going to be making sure he doesn't get sidetracked by the cats, as you'll see later in this presentation.

So what this talk is going to be about: what we tested, how we tested it, what we found and why it's bad.

So what we actually tested was an off-the-shelf device from a company over in the States, a time server. It's fair to say that historically the people we were testing it for might have just installed an NTP package on their system, but the way their company is restructured, they no longer have that capability. So they decided they'd buy one. Probably not the best decision they ever made, and we'll discuss why in a little bit.

All of these bugs have been disclosed to the vendor. In fact the vendor is currently awaiting a conference call with us to discuss what they do next, because they eventually failed to get back to us and we've been forced to publish them. So they're going up on our website today. The vendor is, I'm learning, a bit upset about that, but unfortunately they didn't actually get back to us within the requisite six months, or something stupid like that. Yeah.

So who would buy a time server? Well, you can see a good list there; that's actually taken directly from the vendor's website. Unfortunately we can't tell you who we were testing for, but if you think about it, anybody that needs to have accurate time, whether that's for trading, defence, medical purposes, whatever it is, ultimately they need to know that the clocks that they're using for their systems are correct.

So the attack surface of the device we looked at: if you imagine it was a typical 1U system, it had USB, it had serial, it had network ports. It had some buttons on the front, which were quite interesting. It had a management network.
It had a production network, and it has some authorised applications that would allow you to configure the time server. Probably, I'd say, the management interfaces weren't exactly required, but if you're buying something off the shelf these days people expect to have a fluffy interface.

So in terms of physical attack surface, first of all we looked at USB. That had a number of interesting properties. It took updates, it allowed configurations to occur, and it potentially could be used for peripherals. If you think about it, as you can see there, it's MontaVista Linux; ultimately it's just a standard USB implementation on Linux.

So, physical: we looked at what the serial devices were doing at boot time and whether they allowed console access. We didn't see anything particularly interesting during boot. We have seen devices where, for example, it's leaked information that allowed us to ascertain how the ASLR implementation is functioning, and indeed on one particular system we actually managed to see the seed that was being used to seed the ASLR, which was quite useful when we came to exploit it. In this instance, nothing particularly interesting during boot. In terms of console access there was some, however.

In terms of network access there were two ports, LAN 1 and LAN 2. LAN 1, I think, was the external port and LAN 2 was the management port. Different services on both sides; that was actually quite good. I mean, typically we often see that the same services are present on all interfaces. For once they'd actually locked it down.
We'll discuss what the attack surface actually looked like in a couple of slides' time, but it was better than we'd have expected.

So, physical buttons. Most devices of the 1U type will have some kind of buttons on the front, even if it's just to allow you to see the time or to locate the device, etc. In this particular instance, it gave us the ability to change some settings, make backups, and indeed it had the property whereby you could set a PIN which would lock it. Unfortunately, that was kind of a case of... it was almost like a physical lock: if you didn't remember to lock it, it wasn't locked. And as you can see from the configuration dumps, because it wasn't locked on the device we were looking at, we were actually able to extract the PIN, which obviously meant that we could then play with the interface in a bit more detail.

So, logical: there was a web interface, which I think Mike's going to talk about in a second. There was SSH, there was SNMP and there was Postgres. Postgres is particularly interesting, and Mike will explain why in a second.

Yeah, you wouldn't necessarily have expected to see Postgres listening on the network. It's somewhat inadvisable. However, in this particular case it was there.

Yeah, so on the management network there was a web interface, as you often find. That's what it looks like: like something from the 1990s. We have to blame Jacob Stanzer for this. He's clearly very proud of it; his name is everywhere. The source code of every page has built-in credentials as well.
We'll come across those later. But yeah, that's a rough idea of what it looks like. If you go on Shodan you can find a few of them about, but don't do that.

Yeah, so it was really good, it was fantastic. That's what we've got there. All of these were trivial to exploit. There was literally no mitigation against anything. So yeah, the list... to be honest, who cares? There's unauthenticated remote root there. There's a proof of concept on our site, which is literally just a curl command. So if you come across one, you're on it, you've done it, owned, move on. Yeah, it was a little bit "my first PHP application", which is a bit of a shame for a device that ultimately only has one function: to tell the time. Yeah, semicolon id.

Oh, SSH. The SSH implementation was slightly different from what you may have expected if you've played around with a Unix box in the past. They had a customised shell, but it turns out, having done a little bit of digging into how the shell binary works, that we could get into an engineering mode. And in fact, if you see the screen (I'm not sure that you will be able to), essentially we've highlighted that there's actually command injection into the shell. So the shell has a locked-down set of commands you're allowed to run. It does include cp, so it's not very well locked down. But it does have cp, and the way that it constructs, for example, the cp command, the way it constructs the ifconfig command, etc., etc., means that if you pass in a semicolon and a value of your choice you can trivially get command execution. And from that you can actually get root, because the sudo configuration is itself pretty terrible: cp is allowed to be run as root and it doesn't require a password. You know, ultimately from a command interface I guess you might expect that. Bear in mind that the bad configuration was being applied to the web server, perhaps. It's difficult.
They wanted to run things as root, and the moment you want to run things as root, you're pretty much boned.

So this is the shell breakout we were talking about, so root and engineering. That was the bit we extracted from IDA; that was the bit that allowed us to get into the engineering mode. Sys took us into a menu; that was the system commands. As you can see, we've got both cp and ifconfig. Both of those, ultimately, if you have a semicolon and then /bin/bash or whatever, will allow you to execute commands of your choice.

Yeah, I'm looking at SNMP. There wasn't any write access, but with public you could just pull off anything you liked. So there's lots of lovely information, kind of useful in an attempt to exploit it. I don't think we looked... it wasn't as if there were any custom MIBs; we couldn't find any, or certainly not any that were of any real interest. It's something that, if you're looking at embedded devices, you could probably be looking for, because quite often you'll find that they have features that are part of the standard OID set.

So we mentioned the Postgres was available over the network, and it became apparent why once we'd compromised the device and we'd got the ability to look at things in a bit more detail. It turns out that part of the management interface for the web actually used a Java applet to draw some pretty charts that demonstrated what the statistics on the device were like at a given moment in time. Turns out if you decompile the Java applet, the credentials were in there. In fact Jacob Stanzer's credentials were in there, and it turns out that it was directly connected back over Postgres. I mean, you've got a perfectly good web server. You know, why would you want to use it? Interestingly they also did have another database server on there; they also had Firebird on there. They clearly weren't people that were thinking about minimising their attack surface in any way, shape or form, but, um, yeah, a lesson about how not to do things.

So next we come to NTP.
NTP was the only service that was actually listening on the production network. That's quite good, I suppose. Turns out with NTP you really only have one thing to do right: make sure that it can't be used for denial of service, that you can't essentially send a packet to it which it then mirrors off to your original target. Turns out in this case they've got that wrong. You know, this is basically NTP 101: if you're running an NTP server you should be aware of this, and they've left the monlist command enabled.

So it's safe to say we owned the box. We owned the box pretty quickly. We actually got into the box in the first instance through the original dumping of the configuration from the buttons on the front. From that we essentially got a copy of /etc, which is how it backs up the configuration. We modified that and then re-uploaded it. I think it's really worth pointing out the default credentials in the web interface. Yeah, the password was already in my John profile. I don't think this is the first time these have been owned. Um, so yeah, so we got it.
We got into it fairly trivially, and we started to have a look at how the OS had been configured. As I said, it was MontaVista Linux at the base, but obviously they've done quite a lot of tweaking to make it how they wanted it for an NTP server. And we found two good instances of interesting bugs at a Unix level. Firstly, we found world-writable files, so that anybody that had access to that shell user, even if they couldn't get through sudo as we could have, could potentially have written files. And we found, obviously, the insecure sudo configuration itself, which allowed us to break out and get through.

I guess, ultimately, who cares? Which I guess is probably the most important bit of this. The client clearly cares, perhaps not as much as we'd have expected, because their intention is actually not to plug the management interface in at all. So they weren't too fussed about the web server, because, yeah, they're never going to have it physically connected to any copper. Although, this particular device, whilst I can't say who it was for, I can at least say that it was being used to synchronise domestic devices across the UK. So ultimately you can imagine that if those devices are time-sensitive, they need a clock. Possibly having an inaccurate clock across the entire UK may have some implications.

And finally, this guy. So this guy appears on a mailing list that I'm a member of. There may be people up here at EMF Camp who will know this mailing list. But anyway, there's a discussion about what would be a good NTP server to use for an ISP, and someone mentioned Symmetricom. Curiously, they didn't have good words to say about it. We can certainly agree with them. We had the device randomly reboot three or four times whilst we were working on it, for no apparent reason; it's not even the case that we were necessarily doing anything offensive. It did just seem to like to reboot. Yeah, there we go.

Any questions? Did we open the box up?
No, unfortunately our client wasn't willing to let us open the box. They were intending to put this on the network; as I say, they have intended not to put the management interface on anyway. So they wouldn't let us open it up. Had they done so, we probably would have gone after the usual things, but it was ultimately just a PC, so it's going to be the same attack surfaces you'd find in your desktop or your laptop. So probably not as interesting as it might have been if it had been, for example, ARM or MIPS.

So the question was, does this represent the state of the art in the time server arena? Well, I think the state of the art in the time server arena is probably just to install your own time server: Red Hat or Debian or whatever else. In terms of embedded devices, I think it's pretty representative of the kinds of things we see. Most of the stuff we do is for large commercial clients or large governmental clients, so most of the stuff we see is quite big iron and embedded stuff. You know, maybe fridge-sized devices are common for us to look at. And I think, yeah, the vulnerabilities will vary between vendors and devices depending on the function, but ultimately they'll all have similar kinds of bugs.

No more questions? Well, thank you very much. Enjoy the rest of EMF Camp.
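The restricted-shell bug the talk describes (the engineering-mode menu building a cp or ifconfig command line by gluing the user's text onto the binary name and handing the string to a shell, so a semicolon starts a second command) is easiest to understand next to a hardened version of the same menu. The block below is an added example written for this page; it is not code from the talk, from the device or from its vendor. The command table, the argument character allowlist, the `echo` entry (added only so the hardened path can be exercised harmlessly) and all function names are assumptions.

```python
import re
import shlex
import subprocess

# Constructed allowlist standing in for the device's "engineering mode" menu.
# cp and ifconfig are the commands the talk names; echo is an assumption added
# so the hardened path can be run on any Unix host without side effects.
COMMANDS = {
    "cp": "/bin/cp",
    "ifconfig": "/sbin/ifconfig",
    "echo": "/bin/echo",
}

# Characters permitted in one argument: paths, interface names, addresses, flags.
# Shell metacharacters (; | & $ ` ( ) < > quotes, whitespace) are deliberately absent.
ARG_OK = re.compile(r"[A-Za-z0-9._/:@=+-]+")


def build_command_line_insecure(cmd: str, user_input: str) -> str:
    """The pattern the talk describes: the menu picks a binary, the user's text
    is concatenated onto it, and the whole string goes to /bin/sh -c.
    Nothing here inspects the text, so ';' reaches the shell intact."""
    return f"{COMMANDS[cmd]} {user_input}"


def shell_commands_in(command_line: str) -> int:
    """Count how many separate commands a POSIX shell would run for this string.
    shlex with punctuation_chars=True tokenises ';', '|' and '&' the way sh does,
    which is enough to show where one intended command becomes two."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = sum(1 for tok in lexer if tok in {";", "|", "||", "&", "&&"})
    return separators + 1


def build_argv_secure(cmd: str, user_input: str) -> list[str]:
    """Hardened form: look the command up in a fixed table (absolute path, no
    PATH search), split the user's text into arguments without a shell, reject
    any argument containing a character outside the allowlist, and return an
    argv list. Executed with shell=False there is no interpreter left to honour ';'."""
    if cmd not in COMMANDS:
        raise ValueError(f"command not permitted: {cmd!r}")
    args = shlex.split(user_input)          # 'eth0; /bin/sh' -> ['eth0;', '/bin/sh']
    for arg in args:
        if not ARG_OK.fullmatch(arg):       # 'eth0;' fails because of the ';'
            raise ValueError(f"argument rejected: {arg!r}")
    return [COMMANDS[cmd], *args]


def run_secure(cmd: str, user_input: str) -> str:
    """Execute the validated argv directly (execve semantics, no shell) and return stdout."""
    argv = build_argv_secure(cmd, user_input)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    hostile = "eth0; /bin/sh"   # constructed input of the kind the talk describes
    print("insecure build runs", shell_commands_in(build_command_line_insecure("ifconfig", hostile)), "commands")
    try:
        build_argv_secure("ifconfig", hostile)
    except ValueError as err:
        print("secure build:", err)
    print(run_secure("echo", "sync ok"), end="")
```

The allowlist is on the argument's characters rather than on a denylist of known-bad ones, because the shell's set of special characters is larger than most people remember (backticks, `$(...)`, newlines, redirections). Note also that this only closes the injection in the menu itself; the talk's second finding, a sudoers entry letting `cp` run as root with no password, is independent of how the shell builds its commands and needs fixing in `/etc/sudoers` separately.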