Whoo! Yeah, DEF CON! I'm Max. I go by Strikeout, as you can see by the backwards K on my hat. This is "Hacking the Zero NAS", however you say that, from the perspective of a noob.

So, have you ever felt down? I mean really down. Overwhelmed, tired, not enough. But in realizing your defeat there is a sense of calmness. I don't have to fake my greatness anymore. I can see myself for who I truly am. This is where growth happens. You see, at my first DEF CON last year I spent most of my time at IoT Village, and I was absolutely horrified at how much everyone knew compared to me. But I saw a path that looked awesome. I saw directions I could go. I saw that IoT hacking didn't have to be some crazy hardware glitching kind of thing. This could just be a web interface, which is fairly common. I started watching the ISE live streams and I went, huh, I can do this. This is something I could actually do. And that's why I made it "from the perspective of a noob." I had virtually no idea what I was doing before I started this, besides some software dev background, but I had virtually no experience hacking myself.

So I'm going to go into a lot of technical details, but one thing I really miss about most presentations is that they talk about the exploit, but they don't talk about the methodology of how they found it. Finding the exploit is most of the time the hardest part; the exploit tends to be the easier thing. So to me, hacking is understanding and then manipulating. Take for example this classic SQL injection, super common. Yeah, you could throw this into a login field and it might work, but how does this actually work? That is what we should actually be asking.

So I want to give an actual example of something I found on a site. I'm going to an interview. I am so excited. I'm blaring one of my favorite security podcasts, and all of a sudden I rear-end a guy, and I am furious. My insurance rates go up, I have to pay for a bunch of stuff in the guy's car, I missed my interview.
I then had to be taken home by a tow truck, which is another fee in itself, and then I get online and I have to pay a freaking ticket. That really bothered me, it really did. So what do you do when you're pissed off as a hacker? You probably shouldn't do it, but you start looking at what you can find on the site. There was a birthday field where you could find your ticket, as well as your name. I just took out the birthday field and saw what happened. Nothing different happened. So then I casually started taking more and more characters off my name. I went from Doulan to Doula to Doul, all the way to D, until I had a full page of identifying information.

And this is where the understanding really comes in, based upon the query. I thought it was going to be a LIKE clause. For those who don't know, a LIKE clause with a percent sign in it will return X, like the letter X in this case (the input you give it), followed by anything else. So this will return xylophone, as well as anything else that starts with X. So I said, well, what happens if I put another percent sign here? And boom! Well, nothing happened. Funny thing. You're supposed to laugh. I walked away, I came back a couple of minutes later, and all of the ticket information for every digital ticket that had ever been given out by this county was now on the screen. The percent sign wasn't a very normal thing for this, but it was only a classic SQL injection. By understanding how this worked, I was able to manipulate it into giving me what I wanted out of it. And, side note on the ticketing system: that information you could actually use to log in as someone and then schedule court dates and send more documents towards you. It's a very subtle thing, but it worked out.

So, going with my methodology, the first thing you have to do is understand how the device works. If you don't understand how something works, you can throw payloads at it.
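The LIKE-wildcard behaviour described above, shown as an added example that is not from the talk or the ticketing site: the sample ticket table is constructed, and the point is that even a bound parameter leaks every row once the user's `%` becomes part of the pattern, so the lookup has to escape LIKE metacharacters (and insist on a minimum prefix length).

```python
import sqlite3

# Constructed sample rows standing in for the county's ticket table.
SAMPLE_TICKETS = [
    ("Doulan", "T-1001"),
    ("Xavier", "T-1002"),
    ("Xylophone Co", "T-1003"),
    ("Smith", "T-1004"),
]
MIN_PREFIX = 3  # assumed policy: refuse to search on one or two characters


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (name TEXT, ticket_id TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?)", SAMPLE_TICKETS)
    return conn


def lookup_prefix_unescaped(conn, name):
    # The pattern is built the way the story suggests the site did it: the
    # user's text is dropped straight into the LIKE pattern.  The query is
    # parameterised, yet a '%' or '_' typed by the user still acts as a
    # wildcard, so name="%" matches every ticket in the table.
    pattern = name + "%"
    rows = conn.execute(
        "SELECT ticket_id FROM tickets WHERE name LIKE ? ORDER BY ticket_id",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


def escape_like(text, esc="\\"):
    # Make LIKE metacharacters match themselves; the escape char itself first.
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def lookup_prefix_escaped(conn, name):
    # Hardened lookup: escaped wildcards plus an explicit ESCAPE clause, and a
    # minimum prefix so shortening the name to "D" cannot dump a whole page.
    if len(name) < MIN_PREFIX:
        raise ValueError("name prefix too short")
    pattern = escape_like(name) + "%"
    rows = conn.execute(
        "SELECT ticket_id FROM tickets WHERE name LIKE ? ESCAPE '\\' "
        "ORDER BY ticket_id",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]
```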
You may find stuff, but you're not going to find very cool things. The first thing I always do is ask, what the hell is a NAS in the first place? This stands for network attached storage device. I think of it as a USB drive that you can just connect to from the internet. So it really helps you manage files. There's a bunch of other administrative features on it, but that's pretty much all there is to it.

So after you research what the use case of this is, I just start clicking around the site. What's on the site? What is the site meant to do? What kind of user privileges are there? I click through every link I can find. I start reading through user documentation. I start looking at firmware notes, because a lot of times they'll add new features or something. After that I start looking at the tech stack. What kind of web server is it using? What kind of language are we using here? Just understanding how the device works. One thing I noticed that I thought was fairly interesting was that there were two different APIs: one was for file upload, file download and logging in, and then there was an entirely separate API for everything else. Understanding how they're calling the machine, what they're doing, is very important.

At this point I SSHed onto the NAS, because you can do that, and I realized they were using Python, but it was in .pyc files. So I just grabbed all the .pyc files and took them off the NAS. For those who don't know, that stands for Python compiled, and there's actually a tool that will take .pyc files back to Python files, and it includes comments and everything. It's incredible. uncompyle6 is that tool, if you're curious. So now I have the source code. I'm looking through it and I notice that it's running CherryPy, which is an older Python kind of thing. Now, there's information being stored on this. What can I see on here?
So I start changing directories. I want to know how the file system works, what's on it, and I see this file. Thank you for laughing this time. Clearly there was going to be nothing secretive in here. So you look in it, and it was a base64-encoded admin password. Yeah, that's really bad. Don't do that at home. You shouldn't be doing that. It's kind of sad, but it was a nice find.

Next, to build on this, from their constants I just started taking strings that I saw in URLs and sticking them into Google, and I found that this thing actually can host a website. And that part wasn't done very well, and you could actually directly request this file on the person's server and just log in as admin if you wanted to. So looking over everything that's on the device and how it works is the most important thing before you start hacking on something. To this point we've talked for a while and there's been no actual hacking involved. We've just looked at how something works, and I mean, I probably spent a week just understanding what was going on in the device.

Now I'm going to do some actual hacking. So the first thing I thought was kind of odd was, I was looking over the normal API calls and I noticed that they were using a file name and a function name for all their API calls. I learned that just by grepping; that is a common theme, I use grep a lot, just in the file system. So I was like, why is it doing that? So I went to the spot where these APIs were actually being called, and I found this. So anytime you see an eval in anything that doesn't validate user input, it's a pretty good attack vector. I'm not that smart, though.
So I initially tried doing some really crazy directory traversal shit to call whatever I wanted, and it took me a while to realize this, but this will actually execute Python native code. It's calling a controller, which had an MVC, or model-view-controller, setup. The first parameter is going to be the file name, the second parameter is going to be the function name. So with this knowledge, I said, okay, I understand how this request works now. Is there a way I can manipulate this to do whatever I wanted? I came up with this little sketch of mine. So the eval is essentially calling a file; in it there's a file name and a function name, and then it passes in JSON as parameters. This was my understanding of how this request worked, and this took me some time to fully figure out.

So now what can I do with this? The first thing I tried: I noticed that there was a file that had everything imported from os, it's just import star. So I was curious if I could call the os package. So I called this really simple function and I got "object not callable." What the hell does that mean? So I did a similar function and got a string returned. Cool, I still don't know what that means, and then it hit me like a brick. This is returning whatever I'm calling from the os function and then executing it. So I knew I had some sort of RCE; I had to figure out how to actually weaponize this.

Next, I just wanted to completely validate it. So when it returned, it gave you the type, but it didn't actually give you any sort of feedback on what we actually did, so I wanted to get some sort of timing signal. So I turned on the yes command. I did os.system with yes, and this will just go on forever. yes just prints "yes" forever. So I make the request and Burp just freezes, because it just doesn't do anything. I log on to the NAS and I run ps, which shows all processes, and I see the yes command. So now I'd figured out that I had remote code execution.
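A defensive counterpart to the file-name/function-name routing described above, as an added example that is not the NAS vendor's code: instead of evaluating names taken from the request, the dispatcher resolves the pair against an explicit table of handlers (the controller functions here are constructed stand-ins) and declares which parameters each handler accepts, so a request naming os and system has nothing to reach.

```python
import json

# Constructed stand-ins for two controller functions (file "backup_main" and
# file "portal_main" in the talk's naming scheme).
def backup_list_jobs(limit=10):
    return {"jobs": ["nightly", "weekly"][:limit]}


def portal_list_packages():
    return {"packages": ["media-server", "photo-index"]}


# (file name, function name) -> (handler, {param name: expected type}).
# Only entries in this table can ever be called; nothing is looked up by
# name in a module, so "os"/"system" or any other importable object in the
# process is simply an unknown route.
ROUTES = {
    ("backup_main", "list_jobs"): (backup_list_jobs, {"limit": int}),
    ("portal_main", "list_packages"): (portal_list_packages, {}),
}


class RouteError(Exception):
    """Raised for any request that does not match the allowlist exactly."""


def dispatch(raw_body):
    """Resolve a {"file", "function", "params"} request against ROUTES and call it."""
    req = json.loads(raw_body)
    if not isinstance(req, dict):
        raise RouteError("request body must be a JSON object")
    file_name, func_name = req.get("file"), req.get("function")
    if not (isinstance(file_name, str) and isinstance(func_name, str)):
        raise RouteError("file and function must be strings")
    key = (file_name, func_name)
    if key not in ROUTES:
        raise RouteError("unknown route %r" % (key,))
    handler, spec = ROUTES[key]
    params = req.get("params", {})
    if not isinstance(params, dict):
        raise RouteError("params must be a JSON object")
    unexpected = set(params) - set(spec)
    if unexpected:
        raise RouteError("unexpected parameters: %s" % sorted(unexpected))
    for name, expected in spec.items():
        if name in params and not isinstance(params[name], expected):
            raise RouteError("parameter %s must be %s" % (name, expected.__name__))
    return handler(**params)
```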
I was very confident. Now I wanted to create a backdoor, which is kind of the quintessential thing you have to do. You know, you put, like, "I own this." Yeah, I ran whoami; otherwise it's not real. So I was going to show the code for that and then show the exploit. So for this API call here, this is backup main, which is just the name of the file. I'm calling the os package with system, and then I just threw in this backdoor I found online. I didn't write this; some really smart guy did that. I just found it and put it in there. Yeah.

So now I will show this off. Hopefully it works. I set up a netcat listener on a server I control, then... hope this works. Cool. whoami. This is when you're supposed to clap. It's an RCE. Come on. Thank you. Thank you. Cool.

So the simple bug in the routing led to a very bad thing. But now the next question we should ask: one thing we don't do very well as hackers is we tell people when they've effed up, but we don't tell them how to fix it. We just kind of assume people know what they're doing. So I want to talk about mitigations too. In this situation, running the eval command on that sort of user input is a terrible idea.
There should be virtually no scenario where you want to do that. However, telling them not to use eval is just completely unrealistic, because they'd have to rewrite their entire API from scratch. So what I recommended was whitelisting all of their file names and all of their function names, so that they wouldn't have an issue. You wouldn't be able to call anything malicious, because it would just be thrown out.

So the next bug was in the package installer, which for some reason lower-privileged users can run. I don't know why that's the case, but that's how it worked. So I'm not sure if you guys know, but ISE runs this place here, and they have a bunch of really good live streams and a lot of good blog posts. I just started turning on the live streams, and one thing they kept showing in their last devices was a bunch of command injection issues with stuff directly interfacing with the OS. So I went searching for that, and I did it in a very, very sophisticated way: I just started grepping again. I started grepping for exec, os.system, and I found lots of matches, but they were all dead code. After like 20 or 30 times of finding dead ends, I found one function, which was at the very end of my grep list, called execute script.

So I like analogies. I'm going to explain why I think this came about with an analogy. Have you guys ever played telephone? It always goes really well, right? No. Telephone never goes well. The premise of telephone is you talk in a circle and you're trying to get the message from the first person to the last person. It never gets to the last person in the correct form. This was similar to this vulnerability. The execute script function was probably written a long time ago by a developer, and then it was six function calls below the API call that was being called. That sort of indirection can create a lot of issues, because the original developer probably thought, we don't need to escape shell metacharacters.
Why do I need to do that? Someone else will do that for me. And by the time it gets to the person who wrote the API, they just had no idea that was the assumption that had been made. So this was what the command looked like. I'll show the exploit in a second, but it was a package installer binary, and there was a package name that had to be called, and then there was a command that had to be passed into it. The package name had to be an actual package; otherwise it was a whitelist thing, so you couldn't do anything else. But the command had no filtration whatsoever, and that's where I put the payload.

So I'll go back to the code. So again, we have the portal main file. We have the package name command, or rather this is the function name. We throw in the package, which is a valid package, and then we have the actual command here. Sorry, this was package name. And for this I again just put in a shell I found online. The one slightly trickier thing about this is I had to put backticks right here, so it executes slightly out of band. I could have put a command and then a semicolon or something; this is just the way I chose to do it. And then I put an ampersand so it runs in the background, so it didn't screw up what I was doing in my code. So now I'll show this off. I have all the functions at the bottom here. Just had to comment it out. We have root again. Talking makes my mouth really dry.
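The package installer call described above, hardened the way a defender would, as an added example that is not the vendor's code: the command and the package name are each checked against an allowlist and a strict token pattern, and the installer binary is started with an argument list rather than a shell string, so backticks, semicolons or ampersands in a request are never interpreted. The binary path, command set and package list are assumptions.

```python
import re
import subprocess

INSTALLER_BIN = "/usr/local/bin/pkg-installer"  # hypothetical path to the installer binary
# Assumed installer sub-commands; the talk mentions only "four or five".
ALLOWED_COMMANDS = {"install", "remove", "start", "stop", "status"}
# Constructed list standing in for the packages actually present on the device.
INSTALLED_PACKAGES = {"media-server", "photo-index"}
# Even allowlisted values must be plain tokens: no shell metacharacters, no
# path separators, no leading '-' that a binary might parse as an option.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class InstallerInputError(ValueError):
    """Raised when a request does not match the installer allowlists."""


def build_installer_argv(package, command):
    """Validate both parameters and return the argv the installer is run with."""
    if not isinstance(command, str) or command not in ALLOWED_COMMANDS:
        raise InstallerInputError("command not permitted: %r" % (command,))
    if not isinstance(package, str) or package not in INSTALLED_PACKAGES:
        raise InstallerInputError("unknown package: %r" % (package,))
    for value in (package, command):
        if not SAFE_TOKEN.match(value):
            raise InstallerInputError("value contains disallowed characters: %r" % value)
    return [INSTALLER_BIN, command, package]


def run_installer(package, command):
    """Execute the installer with argv and shell=False.

    Because no shell is involved, the kernel execs INSTALLER_BIN directly and
    every argument reaches it as a single string; nothing in the request can
    become a second command.
    """
    argv = build_installer_argv(package, command)
    return subprocess.run(argv, shell=False, check=False,
                          capture_output=True, text=True)
```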
So give me a sec. So the next thing I started looking at... actually, oh sorry, mitigations. In order to mitigate this, you really should just whitelist those commands for the package installer. There were only like four or five commands to do with this. Even if you couldn't whitelist the command itself, you could whitelist characters. I doubt you're going to need backticks or semicolons in a command name. So that's something that was pretty easy to do.

So this is probably my favorite of the vulnerabilities, not because it has the most impact, but because it was the most interesting, and it took me the longest time to figure out. So we see "arbitrary file share". The first thing is, what the hell's a file share in this sort of situation? Here we go. So you can view all your files, and a file share is actually a folder that is abstracted with privileges. So music, photo and video are shares, essentially, and you don't see this right now, but there's an admin user who has access to other things that you can't see here. So there's some sort of boundary between what you control compared to other users.

All right, so I wanted to find a directory traversal or a cross-site scripting in this page. So I was looking through, and they did a very good job actually. When I was looking through the source code, they were checking for the absolute path and seeing if it was owned by the right person. I was very impressed with how good a job they did locking this down. So when this gray-box kind of approach failed, I decided I was going to take a white-box approach and see if I could find anything in this file. And I started looking around, and I started seeing functions I'd never seen before; they were very odd to me. And one thing that was happening was there was a file, or an API, that had no usage in the entire UI. This is where my other analogy comes in. I'm the king of analogies.
I talk. So when you're on a diet and you are really focusing on protein, you're going to get a lot of protein, but you may not get enough vitamin C or something. That's an issue, because in the actual code here, these people focused on securing the APIs that were actually meant to be public, but not the ones they weren't looking at. So as soon as I saw this API that wasn't used at all, I kind of started drooling a little bit, because I knew something was going to be wrong with this.

The issue, though, is that because this wasn't used, I had to reverse the API, and this is the actual source code, trimmed down a little bit. So the first thing is there's an action parameter that I saw. This action parameter dictates whether you're going to create a folder or rename a file. The create folder didn't seem super interesting to me, so I went down the rename file path, and I followed this down, reversed the API, added all the proper parameters, and eventually I was able to rename files using this. I noticed there was no absolute path check, which meant this was likely going to be vulnerable to some sort of directory traversal. So now I have a directory traversal. I can move a file from any share. You're probably thinking, you're done, right? No, we're nowhere near done. This is where I felt like Alice, and I just went way down the rabbit hole.

I wanted to make this a really deadly sort of thing. What if I can move the admin password I just found into one of my shares, and then I can just take over everything I want to? That was my thought. However, whenever I tried moving outside of the shares, it didn't work, and that was the most infuriating thing. I wanted to understand that, so I decided I was going to turn on logging. The issue was that it was a read-only partition, the part of the drive where the code was at. I wanted to bypass that. I couldn't figure it out. I tried remounting partitions. I tried altering the bashrc. Sorry, not that.
The rc files. I tried altering the boot scripts. No matter what I did, I couldn't get any of it to work. If anyone has any ideas, I'd love to talk. That'd be something fun to know. The whole point of this, though, was just to get the logging working, and then after like four days of banging my head against this, I eventually decided I can just put a Python file in the root directory and call the function I needed to call, because I can right there. It was a really simple fix, but it just wasn't something I really thought of. So I did that and I got errno 18, invalid cross-device link. You guys know what that is, right? Yeah, you're not really supposed to know what that is. I had no idea. I googled it, and you can't rename files in Python 2.7 across partitions. It's just something that happens, or that happened. I think you can actually do it in 3 for some reason, but not 2.7.

So even though I didn't actually get all I wanted out of this vulnerability, I learned a lot, and that's why I actually encourage people to go down the rabbit hole if you're just trying to learn, because now I understand how BusyBox works a lot more. I learned a lot about how BusyBox boots, a lot about how partitioning works. I had no idea how that worked, and that rabbit hole was really beneficial for me.

So now I'll show off my vulnerability, but I'll explain the parameters first. So the first thing you see is the URL, and the URL is just the command you're calling. The JSON is where the interesting, like, black magic starts to happen.
So the share in this situation is just photo. The photo share is something that the test user has access to. The next thing is the action, which is the rename action we were talking about. The user is the test user, because that's the user I'm logged in as in this account. The target path is the file location, but it's actually just the photo share with the file name, and in the example I'm going to show, I use nonce.txt. And the interesting thing is the path. So it's a very classic directory traversal. I move outside of my photo share, I go into the admin share, and I move the nonce.txt file into my share.

So I'll show that now. This one can be really finicky, so this is the one I've been worried about. So don't make fun of me too much if it doesn't work. All right. Just gotta comment this out. Turn that on. Cool. So I think that worked, if it gave you the okay message. I guess I didn't really show you those. So this is the admin one. If we reset this, we'll assume they're still logged in. Then you should notice that the nonce.txt file is now gone. And if we go to the regular test user, which is what I've been using for everything else, we go to the photo share, and nonce.txt is now there. Thank you. Cool.

So again, we should probably talk about mitigations, because this is important. At my job, that's mostly what I do: I find something that's remotely considered a vulnerability, I write it up, and I tell them how to fix it. That's the important thing the client needs. So as far as mitigations go, if they had just done an absolute path check, checking for privileges like they were doing initially, that would have worked wonderfully. But they just forgot to add that on there.
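The absolute-path check the speaker recommends for the rename action, as an added example that is not the vendor's code: both the source and the target are resolved with realpath and must land inside the requesting user's share, so a path parameter such as ../admin/nonce.txt is rejected before any rename happens, and the cross-device case (errno 18, EXDEV) is surfaced explicitly. The share layout in demo() is constructed in a temporary directory.

```python
import errno
import os
import tempfile


def resolve_inside_share(share_root, user_path):
    """Return the real absolute path of user_path inside share_root, or raise."""
    if not isinstance(user_path, str) or os.path.isabs(user_path):
        raise PermissionError("path must be relative to the share: %r" % (user_path,))
    root = os.path.realpath(share_root)
    # realpath collapses '..' and follows symlinks, so a symlink inside the
    # share that points outside it is caught as well as plain traversal.
    candidate = os.path.realpath(os.path.join(root, user_path))
    # Compare against root + separator so /shares/photo2 is not treated as
    # being inside /shares/photo.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PermissionError("path escapes share: %r" % user_path)
    return candidate


def rename_in_share(share_root, src, dst):
    """Rename src to dst, both confined to share_root; returns the new real path."""
    src_real = resolve_inside_share(share_root, src)
    dst_real = resolve_inside_share(share_root, dst)
    try:
        os.rename(src_real, dst_real)
    except OSError as exc:
        if exc.errno == errno.EXDEV:
            # errno 18: os.rename cannot move a file across mount points.
            raise OSError(errno.EXDEV, "rename would cross a partition boundary", src) from exc
        raise
    return dst_real


def demo():
    """Constructed layout: a 'photo' share beside an 'admin' share holding nonce.txt."""
    base = tempfile.mkdtemp()
    photo, admin = os.path.join(base, "photo"), os.path.join(base, "admin")
    os.makedirs(photo)
    os.makedirs(admin)
    open(os.path.join(admin, "nonce.txt"), "w").close()
    open(os.path.join(photo, "holiday.jpg"), "w").close()
    results = {}
    try:
        # the traversal from the talk: pull admin/nonce.txt into the photo share
        rename_in_share(photo, "../admin/nonce.txt", "nonce.txt")
        results["traversal"] = "allowed"
    except PermissionError:
        results["traversal"] = "blocked"
    # a legitimate rename that stays inside the user's own share still works
    rename_in_share(photo, "holiday.jpg", "holiday-2019.jpg")
    results["in_share"] = os.path.exists(os.path.join(photo, "holiday-2019.jpg"))
    results["admin_intact"] = os.path.exists(os.path.join(admin, "nonce.txt"))
    return results
```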
So that would have been a really easy fix for them. There were a couple of other things I wanted to talk about that weren't really worthy of their own sections. So the company won't fix this. I emailed them and they got back pretty quickly, but they were like, yeah, we don't really care, these are all authenticated. And I wanted to bring to light an actual attack scenario. So this site also had no CSRF protection. For those who don't know, CSRF stands for cross-site request forgery. An example of this would be if you have facebook.com: your cookies, when you make some sort of action on Facebook, are automatically sent with the request, which you should assume, and it's really nice. But if you make it from a malicious website that's also in your browser, that you visit, it will actually use those cookies even though it's not the same site you're running on. So an example would be, on my bad website, I may have called Facebook to delete your profile, if it's a GET request or something, which is bad.
So in theory, a targeted attack could have a CSRF-based website that would then call this API as any sort of user, and it could completely take control over it. Another interesting note is that there was a cross-site scripting bug, but I didn't really feel like showing it off, because I literally just put script alert script in a description and it worked. Wasn't really that cool. This was over HTTP for some reason. Don't know why, but the web server you could host with was over HTTPS. I don't know why; they clearly knew how, they just chose not to make it HTTPS. It's kind of odd. The other, also kind of fun, thing was that when you turned it on it had the default password, admin 1234, and it forced you to reset it as soon as you got on there. But if you knew someone was going to set this up, you could potentially just log on there and reset the password for the person. It's kind of hypothetical, but at the same time, if you know, you could really screw with people doing this. Kind of fun.

So cyber security does not have to be horrifying. Everything I did here was with known tools. I even used Notepad++, people, come on. I used Python, Burp, grep, Google and the uncompyle6 tool to decompile the source code. Other than that, though, everything I used was super basic. Everything I found was a very well-known kind of vulnerability, a lot of them in the OWASP Top 10. This is not black magic. The key to all this stuff is understanding how stuff works and then manipulating it. That's hacking. Thank you.

Also, I work at Secure Innovation. We do web app pen testing. We do a fair amount of IoT stuff too. Amazing company; I just started working there pretty recently. I just graduated from college. So if you're interested in that, come talk to me. I just wanted to point that out. Anybody have any questions or anything?
I'd love to talk about stuff. All these exploits are on my GitHub, which is mdoulan2, which I didn't put up there. But oh, all our other exploits are on GitHub. If you want to look at this, my GitHub account is mdoulan2. So go crazy, folks.

I listen to Darknet Diaries, Malicious Life, and I also listen to Security Now. I've really only been doing the security thing for like a year and a half, maybe two years at the most, and Security Now is how I learned to talk the game. I would suck up a two-hour podcast; I'd just listen to it walking from my house to school, and that was really helpful for me, for talking along with the lingo.

Any other questions? All right. Well, if there are other questions, I would love to talk afterwards. There are a lot of other things you can find on this device if you're interested. If you want to talk about how to get a job, or you're depressed or something, I don't know, come talk to me. I'm a pretty happy and chill guy to talk to. So if you have any other questions, feel free to come up and talk. Thank you.