I was asked to talk in front of Computer science students at the Bar-Ilan university about "what happens" when you don't care about writing "secured" or "safe" code. A perfect example for that, in my opinion, was the world of embedded computing AKA the IoT. I talked about the history of consumer embedded devices and showed a live demo of an 0day I found in one of the most popular routers in the country.

1. The internet of $h1T
Or: Root all things (of the internet of things)
By: Amit Serper, ADhD

2. /bin/whoami
● Now: Lead Mac OSX security researcher @ Cybereason (we’re hiring!)
● Before: ~9 years @ PMO, Lead security researcher, doing mostly embedded
security research in the last 3 years.
● Terrible coder
● Reverse Engineer
● Hardcore Linux guy, Now I use Mac :( and Windows :((
● I like to make stuff that break stuff
● I tweet: @0xAmit

3. cat /home/amit/agenda.txt
● Our subject: Command execution injection via WebServer
● IoT? - Examples
● Embedded Linux - quick overview
● Firmware - Quick overview
● Embedded webserver command injection - Quick overview
● Case study - Bezeq router
● Exploitation demo

4. The internet of (shitty) things

5. A chain of revolutions...

6. ~10-15 years ago

8. Now

16. A router!

17. ~10-15 years ago, a router looked like this

19. A router!

20. AKA that box with lights that makes the internet work

21. Why do we care so much about routers?

22. They’re routing our traffic == they see EVERYTHING

23. Nobody cares == they’re not monitored

24. They’re always on!

27. Specs as you see them

28. Specs as I see them

29. Every one of those little bastards is a computer!
(that handles all of your traffic!)

30. Ok… So it’s a “computer” - woo-friggin’-hoo
A calculator is also a computer

31. You’re right. Routers used to have custom RTOS O/S’s
that worked on custom architectures and instruction
sets

32. But all of a sudden, it wasn’t the standard anymore,
care to guess why?

34. Linux is built around networking, it’s easy to develop for
and deploy, it’s totally cross platform and ITS FREE!

35. Plus, it has tons of ALREADY written code that vendors
can use!

36. Used in Xbox, Cable/SAT STB’s, PS4,
roku, etc...
libdlna:
Used in smartTVs, routers,
streamers, Cable/SAT STB’s,
etc...
A small webserver, used in
almost EVERY router in some
variation.

37. ALL OF THE PREVIOUSLY MENTIONED SOFTWARE HAVE
BEEN AND IS EXPLOITED ALL THE TIME!

38. The transition to Linux started a whole wave of vendors
using Linux, some even took pride in it
Linksys WRT54GL

39. It had a Linux based (HyperWRT) firmware and most of
its code was open sourced

40. Entire communities of firmware spin-offs were founded
to enhance and add extra features to products

41. Firmware
● permanent software programmed into a read-only memory. (wikipedia)
● One file which includes a Linux distro consisting of:
○ Bootloader
○ Kernel
○ Root filesystem (userland)
○ Swap (product dependent)

42. DD-WRT firmware (as illustrated by binwalk)

43. Firmware (continued)
● Drivers/modules (kernel mode)
● Software and Daemons/Services (User mode) :
○ Busybox
○ DHCP server
○ NTP (server/client)
○ FTP server
○ Telnet/ssh server
○ UPnP server
○ Webserver

44. Limitations when developing a firmware
● Very little memory - Code has to be really efficient, even on the cost of security
● Very little disk space - No bells and whistles - Just the barebones!
● Very weak cpu
● You think you’re invincible - if it compiles its fine! ← PROBLEM

45. Let’s talk about security research

46. We’ve established that those devices have poor security
measures

47. So let’s map the attack vectors

48. Attack vectors:
● Backdoors in firmware (a very specific url or service that’s running on a specific
port)
● Physical/Local access - uploading a patched firmware
● Attack from afar - own the webserver!

49. Enter the webserver:
● It is our common configuration interface with the device
● Everything is controlled through there
● Gives us a direct interface with User-controlled data
● Often listens for connections form the
0.0.0.0 (everywhere!)
● Often badly configured by the vendor/user
● Runs as root!!!!1!!!!!1!

50. We want to run code/pop a shell on the router

51. Wait, user controlled data?

52. Hooray! Let’s smash the stack!

53. There’s not necessarily a need to do that...

54. Emulating this environment is hard

55. We don’t want to debug stuff

56. Making gdb run on those thing is not easy...

57. But what if we can hijack the “instruction pointer” on a
higher level?

59. What is injection?

60. http://example.com/viewfile.php?file=bill.txt

61. ;
&&
`

62. ; - run this after you’re done
&& - run this if first command exited with status 0
`statement` - run the command between the backticks
and use it as a value

63. http://example.com/redirect.php?r=info.php;cat /etc/passwd

65. Another example

67. system(‘/usr/bin/mailer --user %s --password %s --dest %s’)

68. How can we avoid that?

69. Sanitation and verification of user input.
Especially special characters such as &, ; and ` (and their http
encoded form)

70. DEMO

71. Netgear VEGN2610
AKA Bezeq n600
ADSL2+ Modem/router

72. Runs custom compiled Linux kernel version 2.6.30
(Released in June 2009)

73. Uses a custom version of GoAhead WEBS as its webserver

74. Has multiple Command Injection Vulnerabilities and even has
an anti CSRF protection with a vulnerability… Amazing.

75. What we are going to see is how we can execute commands as
root on the router using command injection and turn on it’s
telnetd server.

76. Oh, the root user on the router has a password (which I don’t
know, but it’s ok)
telnetd -p 2323 -l /bin/sh

77. Ok ok, demo! :)

78. Thank you!
(Questions?)