 Hello everyone and welcome to my talk with this pretty long title. My name is Alexey and here are just a few things to introduce myself I'm an ex software developer who is now a full-time application security engineer and These acronyms, but for what it's worth. I don't consider myself to be a hardware hacker and today I'm gonna talk to you about hacking devices. So let's dive in a common perception is that application security and Internet of Things are two separate domains But is this really the case? Consider these two examples on the left hand side I have a classic app like a web application displayed in the browser and on the right hand side I am looking at web UI from my home router But from the user's perspective, these two are actually the same there are some code that runs in the browser and there are some code that runs on the server side and Who cares where the server is? In terms of requirements in order to run an application or a device we need a processor and memory We need some network so we can send and receive data We need a very operating system and commonly these days devices run Linux just like many other servers in the cloud We might need some services that will help us do whatever we need to do and Libraries that we can build upon and programming language that we can use to write custom software and software developers who use programming language and libraries to create great things that will run and do whatever We need them to do In terms of security many of us are familiar with a wasp top 10 which is the list of the top 10 security risks in the web applications and Also a couple years ago wasp published at IOT top 10 and although these two lists are not exactly the same there's some correlation like broken authentication and hard-coded passwords and components with outdated components with no vulnerabilities and data exposure because of insecure data transfer and some insecure defaults and So on but I'd like to focus on just couple of things on the right hand side the number two in IOT top 10 refers to software that runs on the device itself and number three refers to the software that runs elsewhere But it's part of the ecosystem. So so the device could function and do useful things and as software These two things can have any of these wasp top 10 issues and more so in reality in My opinion a proper diagram should look like this and I know some of my app sec friends and colleagues are not gonna like it But I think this is the case at least from the attackers perspective One can attack a device either through an application that runs on it or through some other vectors Okay, who remembers March 2020? Of course, we'll do that's when many businesses all over the world started closing their doors because of the mobile pandemic and many organizations and companies had to make very quick changes to go online and Some of these organizations decided to try this new thing for them. That was live streaming So they could Broadcast whatever they need to broadcast and stay connected with their users And I volunteered to help one nonprofit organization set up live streaming But first of all, let's discuss what what live streaming is in a nutshell Basically, you have your video stream and audio stream in some digital form And what many people do is they build a general purpose computer with certain software on it Very popular one is OBS studio And this software just converts, you know, those streams to proper format Like H.264 and sends that stream to one of or many of these services in the cloud So that's what I initially built But the people at that nonprofit organization are not very technically savvy and this computer was kind of weak spot You know, it requires requires maintenance. It requires somebody to operate it and so on So I asked myself a question. Is it possible to replace this computer with something else that maintenance free? And the answer is yes. I did some research and I found that there are these hardware HDMI encoders that are not very expensive and I went ahead and bought one and came in it had HDMI port audio port and Land connectivity and it had this nice web interface where I could set up Different video settings and also specify this URL For the YouTube ingest server that I wanted to stream to and everything worked beautifully like a charm This was actually the final setup that I built here was my audio mixer and bunch of cables and this little box here with the Red light is that is that video encoder? and it worked great like I said and Everybody was happy and that's the end of this presentation. No, not really I quickly realized that I was missing some settings in the device and In particular my camera that I was using did not had a very did not have a very good automatic color balance, so I was wondering if it's possible to Modify balance on the device and I looked in the advanced settings and although there was a lot of them and Nothing documented. I couldn't find The color balance settings So I thought okay, maybe this device has some hidden functionality that is not exposed through the UI Let me look inside so I Opened the box and I looked at this circuit board and it didn't say anywhere Plug here for a free shell, so I just closed it again. I'm not a hardware hacker I don't know what to do with this generally speaking So I decided to approach this as a software server So I quickly ran and the ports can and it found, you know, we should be server RTSP and our team P are the video streaming services that you can use from the device itself. It also had open telnet port I Tried a few obvious passwords like root root admin admin and none of them worked all right, I also you know explored that web UI a little more and there was a Section for firmware upgrade and not only it had firmware upgrade It also had firmware backup and when I pushed on this button It sent me this raw file which is an archive and I placed it on my disk and I unpacked it And extracted a bunch of files this raw archive Was made on Windows 32 doesn't matter And here's the here's the content it had some configuration files some libraries engine X server the web directory Had a bunch of static files like HTML and CSS and JavaScript. It had some common utilities It also had password file But the largest file in this firmware is this one box that v400 underscore HDMI and this file happens to be an Compiled executable and I thought well if nothing else matches that this is probably the one that actually runs on the device and controls everything And I was right, but first I need to get on shell to get a shell So the question is how do I get there? so I looked at this password file that was in the firmware backup and it had one-way hash and I Try to crack it. I I used some simple password lists But I couldn't find a match quickly and I thought well That's not actually a problem because what I can do is I can replace this password file with my own password file and upload the new firmware and Have my own password to log into the device and that's exactly what I did I used open SSL Utility to generate hash for password root. I use Windows RAR utility to Repackage the firmware. I uploaded it to the device rebooted it and beautiful thing I am in On the device as root by the way Great now that I'm on the device as a super user. I can do a lot of recon So I looked at like for example, what Linux version it runs and it runs a Linux from high silicone Hi silicone happens to be a subsidiary of Huawei that Specialized on video surveillance devices and system and chips like IP cameras and different kinds of like video processing equipment And they have their own Linux distribution I also looked at the open ports nor surprises here the same ports that I saw with nMap But most of these ports are owned by this box executable which confirms that this is actually the workhorse that kind of does everything I also looked at the Processes and I quickly reverse engineered the boot sequence That started a couple of scripts and then at the very end this last step it started this box executable So I wanted to have like a Like a clean device when I log in without this application running So I modified the boots so this application doesn't run so I could run it myself and play with it And let me show you how it looks. So here is the oh by the way, I need to connect it first So here's one of these devices That I acquired. It's not the original one I had several of these and here's the inside pretty pretty neat, but I don't really need it I just need to connect either net port either net cable. Sorry and give it some power lights up It's gonna take a few seconds to boot. I'm gonna put it aside because we don't need to touch it anymore And let me try to tell that okay it booted I'm in now I go to TMP directory where this box executable lives after Up to the boot. So not only can I start this application in on the console It also prints a lot of useful information on the console for which is very helpful for for debugging Okay, what else do we need? Okay, let me go to the browser and Go to this encoder, of course, I need to provide my credentials and I'm in and I see that it spit out a lot of Information in the console Here is the web interface Cool, what else do I need? I would like to see all the request and responses going between back and forth between the browser and the device and So I'm used to burp suite. This is a tool to intercept HTTP requests So that's what I used here and here is one of such requests to get the the root page Which just returns some HTML, but you can see that it's using a certain authentication scheme We just called digest authentication keep that in mind and Yeah, I can also run curl against it But curl did not return anything. So let me look at the headers that are returned and It actually says I'm authorized of course because I did not provide my credentials for the current command So we'll do it later Let me go back to the slides Okay, now that I have console I'm on the device I also want to take a look at this executable and it's binary and binary is not very easy to work with so we need to reverse engineer it and This tool came out was released by NSA a couple years ago And I wanted to give it a try since then and I thought this was a perfect opportunity for that So I got this tool called Ghidra I Ran it I gave it that executable file it analyzed it and it showed me Disassembly and on the right hand side it shows you the decompile which is basically some C code and It's it's a lot easier to read than assembly so you can make a lot more sense out of it okay, and By this time I was no longer interested in modifying settings on the device some voice inside me told me that I should look for vulnerabilities and I have no idea how I got there, but Yeah, I started looking for those vulnerabilities and the first issue. I found was a backdoor in the application I decided to start attacking it through authentication function since I knew that the authentication was using admin for the username and you could not change it It must have been hard-coded and it was not in any Configuration file so I I did a string search in Ghidra and I found exactly one occurrence of string admin and It's referenced in several in a couple of functions and one of them is here and it does look like The authentication so we compare a parameter against admin and then we compare the second parameter against a String and this string looks really strange. What is this? And it immediately looked at me and As and said, hey, I'm in the backdoor. So first of all, let me rename this Function to box that indicate that's what Ghidra lets you do by the way. It's very useful You can refactor on the fly. So we first compare the Password to new new orange and bunch of eights and then if there is no matter if it if there's a match We succeed and return if not if not, then we compare it to the real password To confirm my assumptions. I entered this password in the browser and it didn't work That's not okay. That's interesting. It should work right here. I Also noticed when I was looking at the admin string in the data section There was another string called basic and I thought maybe this application also supports basic authentication and My assumption was right. I did a little bit more investigation and I was able to use basic authentication Like with this scroll command. Great So now what if I try this password? With basic authentication And it worked Cool, so it's definitely backdoor now. I just got some HTML, but it's not very helpful another function that I could launch is called get sis and get sis returns a bunch of System parameters including the plain text Password and you can just take this password and use it in the browser and get into the device as administrator So that's a big issue Another big issue is on some devices the same password new orange and bunch of aids can be used to telnet into the device on Other devices. It's a different password or rather a couple others. We each are also pretty trivial So that's another Kind of like a backdoor into the device The next serious issue that I found was path traversal that could be used to get any file from the system Let's take a look at where this box of indicate is called from and it's called from this particular function that I Renamed to process request because I realized that it was actually processing all the HTTP requests and In this function, we see this huge if statement that Mentioned these file extensions Basically it compares a string against It searches for these extensions in the string. So it does file matching and If you follow the logic will realize that if If a file matches one of these extensions, then it would be served without authentication So let's give it a try I'm gonna go back to a burp suite and pick a file send it to repeater And first of all, let me remove all the unnecessary headers Just to make it look cleaner And it still has the authorization header. So it's authenticated Now, let me remove the authorization header and resend it and it still works great, but it's a static file There's nothing really wrong with it. It's not a secret of information of any kind But in on the console when it reported the file name, I also noticed these double slashes We suggested that the developer was using some kind of a sloppy string concatenation So I decided to play with this a little bit Like removing the slash and the slash disappeared from here So it looks like the this input is just concatenated with TMP slash web or whatever Which means we can do things like Traversing so we can build a relative path that would return as the same result so you can go all the way back to TMP Slash TMP slash web. Yeah. Now, can I get something more interesting like the password? No, I cannot I get for one unauthorized and that's because Password file does not match one of these extensions. Okay Let's Take another look here and notice that they use the method find and method find of the basic string Is looking for a substring anywhere in the string not just at the end So they basically using the wrong method which Means that if there is a one of these substrings anywhere on the path Like say here It would match So let me try this and Instead of unauthorized we get not found because such file does not exist Well, if only I had a directory with one of these patterns in its name then I could traverse from that directory anywhere and get any file and Apparently on devices from one of these vendors. There is such a directory. So let me open another telnet session and look for search for directory with JPEG and Its name and here is such a directory and this is the only one that matches Now using this I Can build a relative path all the way back to the root and Descend down to any other file and now if I take this to my HTTP request I Should be able to get any file from the system and it totally worked. I could get the password file from the From the system unauthenticated But it's not the most interesting file on this box The more interesting one is called bugs.ini which among other things contains plain text administrative password which you could use and and then for the admin access on that device Let's continue playing with this device or rather with this application the next issue identified was unauthenticated file upload That would lead to remote code execution Going back to Ghidra I decided to just review the entire Function that's processing request to see if there is anything else interesting and right off the bat at the very top of the function I saw this compare against multi-part form data and again if you follow the logic here, we would see that if there is a match then The the the function would be called that would process multi-part data and just return HTTP. Okay, so Yeah, that looks like another unauthenticated process So I'm going to rename Refactor this function to box multi-part for convenience I'm Cool now where is form data used? Let me go back to my burp history and Search for multi-part There is a couple of post requests here and the first one of them is a logo upload Here, that's what I tried on the device What happens is on this device you can upload a logo that would be overlaid on top of your video stream It could be like maybe your company logo, right? Let me try it real quick Upload successful and here is a message in on the console Cool. Now my suspicion is that this is unauthenticated. So I'm gonna send it to repeater again And remove the authorization header and press send and it returned HTTP 200 okay Okay, well, this is really unauthenticated Well, cool, you can upload logo and do some harm But what else can you upload and the other thing that you can upload is actually a firmware update? believe it or not so the up dot bin or up dot rar is Can also be sent completely unauthenticated. So that's a pretty serious issue You can basically create your malicious firmware push it on device without any credentials and have it run it now the problem is in order for this firmware to to run somebody needs to reboot the device and Well, like administrator pushing that button in the web web UI And that's not what something the attacker would want attacker would want to execute the code right away Let's take a look and see what else can be uploaded. Maybe there is more I see and on the console this message with file name colon and I'm gonna go to my favorite string search in Ghidra and search for the string and it does find an occurrence of it and It's referenced in this function I'm gonna call this function box upload Because that's the function that processes file upload As you can see it's called from box multipart which in turn is called from box process request all authenticated again now If I when I scroll down this function kind of looking at what's interesting here I see a list of these different compares we see our Familiar load file box that any and some others. So this is basically a white list of allowed file names that One could upload to the device and one of them is UK that roar or UK that bin and it's not the UP that roar Not the original firmware upload upgrade. It's something else. So let me see where UK that roar appears in this executable and It is mentioned in another place that reads as As soon as the file is uploaded to the device, it's unpacked and then UK dot txt That's supposedly present in this file gets Executed by shell. So that's your In instant code execution that we actually need So in other words, we need to build a UK that roar with UK that txt inside that has some malicious code And that's what we're gonna do right now. So I have this File UK that txt that has a single command with not cat listener By the way, not cat is present on the device on the device a very convenient for a hacker Okay, and Make sure I use the correct recommend. I need to use the version to downgrade the archive version Okay, now I have this roar file And I'm gonna send it to the device using curl So I'm sending the curl command Which is a form with a single parameter with content of this file to encoder and Executes the file gets extracted and ideally technically I Should have the process and I do have the process that's running on the device Listening for incoming connections and I can totally connect to it I'm a root on the device and I own it. I can do whatever I want And that's basically it For this vulnerability Now the device is going to reboot automatically, but that's okay Going back to my presentation But this is not all another distinct issue with this file upload is command injection Let's see what else happens there. If we go back to see how UK RR is processed We'll see that it's not the only file that gets special treatment PNG files are also Processed in a certain way we build a command to run this utility to convert PNG to BMP And one of the parameters here just accepts user input, which is the file name and this file name comes from the HTTP request from here By some trial in there I found out that this name has to begin with logo and end with PNG But it can have anything in between like I don't know whatever Including semicolons and if you put a semicolon here, it should become part of the command that runs And Execute it and you'll see that foo is not found. Of course, it's not but what is found on the device as we know is netcat And we can totally execute it and now if I look at the processes on the device I'll see that my netcat listener is here and alive And this is actually the full command that got generated with our injected input And now again, I can connect to the device using netcat and Do whatever I want Up until now I was not looking for any specific vulnerability types I just happened to find some Backdoors and injections and so on but there is a certain category that I wanted to specifically target in this application With C and C++ programs if you're not careful It's very easy to cause a buffer overflow and I thought there must be at least one buffer overflow in this application And did I find one? Well, yeah, I was looking for Functions like sprintf which takes input and combines it into a string and puts the result into a buffer With these kind of functions if you're not Checking all the length It's very easy to get buffer overflow and I found several occurrences of these issues and This is just one of them. There is a bunch but in this particular case we are dealing with Building a response for RTSP RTSP is a video streaming protocol So you basically connect can connect your video player to this device and get video right off the device It's a text-based protocol just like HTTP and it's using a Sequence number here, but in this case the device This application does not really care about the sequence number. It just appends whatever the user gives to it To back to the response and reflects back to the user. Let me show you how it looks Since this is a text-based protocol. I can just tell net to proper port which happens to be 554 I Had to study this product a little bit To build this proof of concept so this is just one command tear down and The sequence number is one and I just get one But if I give it anything else including any string, I will get that any string back to cause buffer overflow I Built this request tear down command with C sequence number of Very long value But before I send it to the device I want to do something else when we are debugging stuff like buffer overflow It's very helpful to have a debugger and the beauty with Linux is You can use all the standard tools including gdb so I have Uploaded a gdb server to this device and I'm gonna run it it attached To this to process of my application and sleep listening on port 2345 now In another another window and I have to copy and paste these commands because they're pretty long I'm starting my debugger on local machine After I started I need to connect to that remote server and I have all the nicely colored information here as you might have noticed I am not using vanilla gdb. I'm using Jeff extension and that's a pretty cool thing to have if you're doing reverse engineering It just makes things a lot more easier Cool now I have debugger I can see what's going on and I'm going to send that huge request to the application and Something happened here. I got segmentation violation and As you can see those ace that were in the sequence value are placed all over the place Cross multiple registers. So there's it's definitely buffer overflow that that can cause The application to a malfunction and you go different route. It definitely causes a crash So the big question is can I get code execution with this because with because with many overflows You can and I went into a very deep rabbit hole and after several nights I concluded that it was not possible in this case mostly because of ASLR and At the time you get overflow the application is very unstable and is likely to just reboot and or crash And you could not try multiple things to get around ASLR But if you combine this with the file disclosure, you can get your base address to go around ASLR Through fight the file disclosure. So that's a possibility But even without that the sole purpose of these devices is to serve video reliably and if an attacker can crash it easily then Then that's a big issue That's a that's basically denial of service In summary, we have several vulnerabilities that I'd like to put in three categories red Green and yellow the two issues in the red category are the intentional vulnerabilities so somebody actually programmed that backdoor on purpose and somebody decided to leave the telnet open with a trivial password This is not good and completely unacceptable The issues in the green category are coding mistakes without any malicious intent We all make mistakes and that's okay. We just need to learn and don't repeat those mistakes again Now this issue With unauthenticated firmware upgrade. It is possible that it's a bad coding But it's also possible that it was there on purpose. So the vendors could update firmware without any credentials I don't really know But these devices are behind net and firewall, right? Well, hopefully most of them are but show them finds almost a thousand of such devices on the open Internet When I did my research initially about a year ago show down found only between three to four hundred of these and Now the number has tripled It's not a huge number, but it is significant and many of these devices could be still vulnerable. I decided to disclose my findings to vendors and I Got all sorts of interesting communication with them from no response to some automated response to Misunderstanding like somebody telling me that their devices are meant to be used by home users and not security companies and even some people thought that I was trying to damage their company's reputation and they Mentioned legal action against me and that's that was not something that I was interested in so I Was pretty discouraged by this and I talked to my ex-co-worker who had some experience with third-party disclosures And he suggested that I get in touch with sort coordination center at Carnegie Mellon These guys help you with third-party disclosure with coordinate disclosures. They do a lot of leg work contacting the vendors following up with them Building, you know publication and everything so it was great Overall, I identified 11 vendors and I confirmed the three of them were vulnerable. I had those devices and could test them Eight others were likely vulnerable based on the information. I could find online Unfortunately, only two vendors responded to our initial requests Too sad, but okay. Meanwhile, I I've got six CEs assigned and eventually This got published a couple days later Huawei issued this statement saying that they produce SDK and chips and SDKs and all user space programs are built by downstream vendors Meanwhile the register picked up the story and published the article and couple weeks later one of the bigger vendors for these devices opri published this advisory and They acknowledged all the issues and told the said that they gonna fix them And they also mentioned the name of the developer for the application new orange Remember what the backdoor password was right? It was new orange and bunch of aids totally makes sense I also like how they use the word maintenance instead of backdoor. Of course, it's all maintenance Fast forward to July 2021. I went ahead and ordered a few of these devices again to see if the issues have been resolved I got these encoders from three different vendors this time the first one that came in Was from Jtech digital and it had the telnet port closed good But the application was not fixed at all. We still had all these vulnerabilities I went to the vendors website and downloaded firmware and it was still the old one with all the issues the two other vendors Uray and ICV actually had the application fixed, but the telnet was open with the trivial password I don't know why they decided to keep that open Other vendors. I did some online research I did not have the devices, but I downloaded some firmware where it was available some of that was fixed other Still had obvious issues, but it's difficult to tell how many Got the fixes out and some of them didn't even have anything for download. So it's a mixed bag, but for the most part I believe that the Developer for the software new orange. They address the issues. It's just a matter of pushing those fixes downstream to all these different vendors Takeaways from this presentation IoT devices are computers and computers run applications and many of us here know How to make applications more secure how to find vulnerabilities and address them? So let's do it because remember the reality is this You can apply your knowledge to other areas and make the world more secure The complete write-up for this research is available on my website and also if you have any of these devices that want to Run a quick test the exploit scripts are on GitHub and exploit DB I would love to hear from you whether you like this presentation or not If you have any questions or suggestions or need help, please let me know. I'll be happy to chat Thank you very much for attending this talk and good luck