IOT

OWASP IOT TOP 10 - 2018

1. Weak, Guessable or Hardcoded Passwords

Use of:

  • Easily bruteforced

  • Publicly available

  • Unchangeable credentials

Including backdoors in firmware or client software that grant unauthorized access.

2. Insecure Network Services

Unneeded or insecure network services running on the device itself, especially:

  • Those exposed to the Internet

  • Any that compromise the confidentiality, integrity/authenticity, or availability of information

  • Any service that allows unauthorized remote control

3. Insecure Ecosystem Interfaces

See OWASP TOP 10; insecure interfaces in the ecosystem outside the device:

  • Web

  • Backend API

  • Cloud

  • Mobile

  • Common issues:

    • Lack of authentication

    • Lack of authorization

    • Lacking or weak encryption

    • Lack of input and output filtering

4. Lack of Secure Update Mechanism

Lack of ability to securely update the device.

  • Lack of firmware validation on device

  • Lack of secure delivery (un-encrypted in transit)

  • Lack of anti-rollback mechanisms

  • Lack of notifications of security changes due to updates

5. Use of Insecure or Outdated Components

Use of deprecated or insecure software components/libraries that could allow the device to be compromised.

  • Insecure customization of operating system platforms

  • Third-party software libraries from a compromised supply chain

  • Third-party hardware components from a compromised supply chain

Examples: HeartBleed, Spectre, Meltdown

6. Insufficient Privacy Protection

User's personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.

Examples: location, emails, addresses.

7. Insecure Data Transfer and Storage

Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.

Examples: lack of HSTS, no disk encryption.

8. Lack of Device Management

Examples: no update mechanism, no logging.

9. Insecure Default Settings

  • Bad filesystem permissions

  • Exposed services running as root

10. Lack of Physical Hardening

  • Easily available debug port discovery

IOTGoat OWASP | Walkthrough

Copyright to book.redsquad.xyz

Prerequisites

Get the IOTGoat .img file (for static analysis) and the .vmdk (for dynamic analysis, run locally) from the IoTGoat releases page. The setup commands and tool installation are in the command listings at the end of the page.

Static Analysis

Binwalk

Scanning the image with binwalk identifies the embedded file system:

Squashfs filesystem, little endian, version 4.0, compression:xz

.bin analysis :

It is a squashfs file system, so after carving the .bin out of the image with dd we can use unsquashfs to unpack it (commands in the listings at the end of the page):

🐞 Vulnerabilities

⚔️ No 1. Weak, Guessable or Hardcoded Passwords

Use of easily found, publicly available, or unmodifiable credentials, including backdoors in firmware or client software that allow unauthorized access to deployed systems.

Firmwalker

This tool searches the extracted firmware file system for juicy elements (passwords, keys, info leaks, etc.).

Excerpt (the cat etc/shadow output is reproduced in the command listings at the end of the page):

We have 2 password hashes: root and a user iotgoatuser.

Bruteforce SSH

With the user found, we try a bruteforce attack on the ssh service (port 22), using the mirai-botnet wordlist of SecLists (hydra command in the listings at the end of the page).

Credentials : iotgoatuser:7ujMko0vizxv
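The shadow excerpt above is exactly the kind of artefact a firmware review should check automatically before an image ships. The following is an added example (not code from the page or from IoTGoat): it parses the page's own cat etc/shadow output and flags hashes that use an obsolete crypt(3) algorithm (the $1$ md5crypt entries for root and iotgoatuser), empty password fields, duplicate entries, and the build date implied by field 3 (days since 1970-01-01). The algorithm table and the "acceptable" judgements are mine.

```python
"""Audit an /etc/shadow file pulled out of a firmware image.

Added example for this walkthrough, not code from the page or from IoTGoat.
The sample below is the page's own `cat etc/shadow` output.
"""
from datetime import date, timedelta

# Copied from the page's cat etc/shadow output.
SAMPLE_SHADOW = """\
root:$1$Jl7H1VOG$Wgw2F/C.nLNTC.4pwDa4H1:18145:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
iotgoatuser:$1$79bz0K8z$Ii6Q/if83F1QodGmkb4Ah.:18145:0:99999:7:::
"""

# crypt(3) hash prefixes: algorithm name and whether it is still acceptable
# (assumed policy: md5crypt and DES crypt are too fast to resist offline cracking).
HASH_ALGOS = {
    "$1$": ("md5crypt", False),
    "$2a$": ("bcrypt", True),
    "$2b$": ("bcrypt", True),
    "$2y$": ("bcrypt", True),
    "$5$": ("sha256crypt", True),
    "$6$": ("sha512crypt", True),
    "$7$": ("scrypt", True),
    "$y$": ("yescrypt", True),
}

def classify_hash(field):
    """Return (kind, algorithm, acceptable) for one shadow password field."""
    if field in ("*", "!", "!!", "!*"):
        return ("locked", None, True)
    if field == "":
        return ("empty", None, False)          # password-less login
    if field == "x":
        return ("invalid", None, True)         # not a valid hash: password login fails
    for prefix, (name, ok) in HASH_ALGOS.items():
        if field.startswith(prefix):
            return ("hash", name, ok)
    if len(field) == 13 and "$" not in field:
        return ("hash", "descrypt", False)     # traditional DES crypt, 8-char passwords
    return ("hash", "unknown", False)

def audit_shadow(text):
    """Parse shadow text and return a list of (user, finding) tuples."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        user, pw, lastchange = fields[0], fields[1], fields[2]
        if user in seen:
            findings.append((user, "duplicate entry"))
        seen.add(user)
        kind, algo, ok = classify_hash(pw)
        if kind == "empty":
            findings.append((user, "empty password field"))
        elif kind == "hash" and not ok:
            findings.append((user, f"weak hash algorithm: {algo}"))
        if kind == "hash" and lastchange.isdigit():
            changed = date(1970, 1, 1) + timedelta(days=int(lastchange))
            findings.append((user, f"password set at build time: {changed.isoformat()}"))
    return findings

def login_capable_users(text):
    """Accounts with a real password hash: the ones to rotate before shipping."""
    return [line.split(":")[0] for line in text.splitlines()
            if line.strip() and classify_hash(line.split(":")[1])[0] == "hash"]

if __name__ == "__main__":
    for user, finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:12s} {finding}")
```

Running it on the sample reports both md5crypt hashes, the duplicated dnsmasq entry, and that both passwords were set on the same day the image was built, which is the signature of a hardcoded, image-wide credential rather than a per-device one.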

⚔️ No 6: Insufficient Privacy Protection

User's personal information stored on the device or in the ecosystem that is used in an insecure, inappropriate or unauthorized manner.

Firmwalker found a database containing personal information, unsecured since it was stored locally:

This allowed us to extract unsecured sensitive information.

⬛ Dynamic Analysis (1)

🐞 Vulnerabilities & Exploits

⚔️ No 2. Insecure Network Services

Unnecessary or unsecured network services running on the device itself, especially those exposed to the Internet, can compromise the confidentiality, integrity/authenticity, or availability of information or allow an attacker to gain unauthorized remote control.

1. Exposed services

Due to a lack of network filtering, a number of services are exposed to the Internet (see the nmap output in the command listings at the end of the page). This lets an attacker look for vulnerabilities in services that are often more vulnerable than the core ones.

2. MiniUPnP 2.1

The MiniUPnP version is vulnerable to these exploits:

  • Use-after-free vulnerability (CVE-2019-12106)

  • Information disclosure vulnerability (CVE-2019-12107)

  • Multiple DoS vulnerabilities due to NULL pointer dereferences (CVE-2019-12108, CVE-2019-12109, CVE-2019-12110, CVE-2019-12111)

3. dnsmasq 2.73

The version of dnsmasq is outdated and vulnerable to 20 exploits.

Some PoC are available in the google/security-research-pocs repository (see Resources).

Unfortunately, we were unable to test these exploits because the virtual network interfaces had problems accessing IoTGoat and running the UPnP and Dnsmasq exploits.

4. DropBear 2017.75-7.1

This version is vulnerable to 4 exploits.

Moreover, a vulnerability is present in the configuration file: the possibility to connect as root via ssh is enabled.
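What the nmap output on this page shows is a device exposing far more than a router needs. The following is an added example (not code from the page): it parses the page's own PORT/STATE/SERVICE lines and reviews them against an assumed baseline of what a home router should listen on, flagging listeners outside the baseline, cleartext protocols, and unidentified high ports. Ports 5515 and 65534, the two backdoor listeners found later in the walkthrough, are exactly what the last rule surfaces in a routine exposure check. The baseline set and the cleartext list are mine.

```python
"""Exposure review of an nmap port listing against an expected-services baseline.

Added example, not code from the page. SAMPLE_NMAP is the page's nmap output
(service column; the VERSION column was empty).
"""
import re

SAMPLE_NMAP = """\
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
119/tcp   open  nntp
143/tcp   open  imap
443/tcp   open  https
465/tcp   open  smtps
563/tcp   open  snews
587/tcp   open  submission
993/tcp   open  imaps
995/tcp   open  pop3s
5000/tcp  open  upnp
5515/tcp  open  unknown
65534/tcp open  unknown
"""

# Assumed baseline: the listeners a home router legitimately needs.
EXPECTED = {("tcp", 22), ("tcp", 53), ("tcp", 80), ("tcp", 443)}

# Protocols that carry credentials or content without encryption.
CLEARTEXT = {"smtp", "pop3", "imap", "nntp", "telnet", "ftp", "http"}

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text):
    """Return [(proto, port, state, service), ...] for each port line."""
    out = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            out.append((m.group(2), int(m.group(1)), m.group(3), m.group(4)))
    return out

def review_exposure(text, expected=EXPECTED):
    """Return a list of (port, finding) for open listeners that need attention."""
    findings = []
    for proto, port, state, service in parse_nmap(text):
        if state != "open":
            continue
        if (proto, port) not in expected:
            findings.append((port, f"not in baseline ({service})"))
        if service in CLEARTEXT:
            findings.append((port, f"cleartext protocol: {service}"))
        if service == "unknown" and port >= 1024:
            findings.append((port, "unidentified high port; inspect the listening process"))
    return findings

if __name__ == "__main__":
    for port, finding in review_exposure(SAMPLE_NMAP):
        print(f"{port:6d} {finding}")
```

The unidentified-high-port rule is the cheap one to run continuously: on the device itself the same question is answered by mapping each listening socket to its process (netstat -lntp or ss -lntp on a full Linux, or the BusyBox netstat here) and comparing against the package manifest.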

⚔️ No 7: Insecure Data Transfer

Lack of encryption or access control of sensitive data.

1. We use the testssl.sh tool, which checks a server's service on any port for support of TLS/SSL protocols and ciphers, as well as recent cryptographic flaws and more.

The cipher suites used by the web service (CBC) are obsolete.

Also:

  • The certificate does not match the URI provided

  • The certificate is self-signed (null trust chain)

  • No CRL or OCSP URI is provided

Moreover, the HSTS header is not implemented on the web service, and no other security header is implemented.

The web service is potentially vulnerable to Lucky13.

2. Finally, running an OWASP ZAP scan on the web service:

  • Absence of the X-Frame-Options header

    • Could lead to a ClickJacking attack.

  • Absence of Anti-CSRF token

    • Could lead to a CSRF attack via one of the forms.

Finally, port 25 is open on the machine, allowing the use of telnet, a non-secure communication protocol.
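The HSTS and X-Frame-Options findings from testssl.sh and ZAP above reduce to a handful of response-header checks that can be run in a CI job or a device acceptance test. The following is an added example (not code from the page, nor from uhttpd or LuCI): given a response's headers as a dict, it reports a missing or too-short HSTS policy, the clickjacking gap (no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors), a missing Content-Security-Policy, and a missing X-Content-Type-Options. The two sample responses and the 180-day HSTS minimum are constructed assumptions.

```python
"""Security-header review for one HTTP response.

Added example, not code from the page. The header names and directive rules
are the standard ones; NO_SECURITY_HEADERS and HARDENED are constructed samples.
"""

MIN_HSTS_AGE = 15552000  # 180 days: assumed minimum for a meaningful HSTS policy

# Constructed: what a response from a service with no security headers looks like.
NO_SECURITY_HEADERS = {"Server": "uhttpd", "Content-Type": "text/html"}

# Constructed: the same response after hardening.
HARDENED = {
    "Server": "uhttpd",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}

def _hsts_max_age(value):
    """Extract max-age from an HSTS header value; None if absent or non-numeric."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isascii() and val.isdigit() else None
    return None

def check_security_headers(headers, served_over_https=True):
    """Return a list of findings for one response (headers as a name->value dict)."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []

    if served_over_https:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("missing Strict-Transport-Security")
        else:
            age = _hsts_max_age(hsts)
            if age is None or age < MIN_HSTS_AGE:
                findings.append(f"HSTS max-age too small or invalid: {age}")

    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp.lower() and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking: no CSP frame-ancestors and no X-Frame-Options DENY/SAMEORIGIN")

    if not csp:
        findings.append("missing Content-Security-Policy")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    return findings

if __name__ == "__main__":
    print("before:", check_security_headers(NO_SECURITY_HEADERS))
    print("after: ", check_security_headers(HARDENED))
```

HSTS is only checked when the response came over HTTPS, because browsers ignore the header on plain HTTP; on this device that means the check applies to port 443, while port 80 should simply redirect.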

🚪 Root BackDoor - PoC

After recovering the password of the iotgoatuser user, we connect to the machine with ssh. Many manual tests have been done to try to escalate privileges and become root (cf. ). For example, we ran Linpeas on the machine to look for privilege escalation points:

Linpeas listed the active ports on the machine, which showed 2 interesting open ports: 5515 and 65534.

Port 65534 is open on the machine; we try to connect to it with netcat:

We were not able to crack the root password, so this backdoor is not useful because we can only connect as iotgoatuser.

Port 5515 is also open. We try to connect to it with netcat:

This shell gives us access as root, so we can change the root password in order to access the web interface:

* Since this is an OpenWRT router, the SSH password and the root web interface password are the same.

⬜ Dynamic Analysis (2)

🔎 OSINT

New root password on the web interface: password

Website Tree (after authentication):

🐞 Vulnerabilities & Exploits

⚔️ No 5. Use of Insecure or Outdated Components

Use of outdated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms and the use of third-party software or hardware components from a compromised supply chain.

1. Busybox 1.28.4

This version of Busybox is potentially vulnerable to 14 exploits (cf. ).

2. Linux Kernel 4.14.95

This version of the kernel is from 2017. Thus, it is potentially vulnerable to 25 exploits (cf. ).

3. pppd version 2.4.7

This version of pppd is vulnerable to a denial of service and arbitrary code execution attack (cf. ).

⚔️ No 4. Lack of Secure Update Mechanism

Lack of security updates. This includes lack of firmware validation on the device, lack of secure encryption, lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.

  • OpenWRT Version:

This version is vulnerable to 21 exploits:

CVE-2020-7982 - PoC

⚔️ No 3. Insecure Ecosystem Interfaces

Unsecured web interfaces, APIs, mobile devices in the ecosystem can allow the device or its related components to be compromised. The most common issues are lack of authentication/authorization, lack of or weak encryption, and lack of input and output filtering.

CVE-2019-18992 - PoC

OpenWrt 18.06.2 is vulnerable to a stored XSS attack via these fields at the URI /cgi-bin/luci/admin/network/firewall/rules: "Open ports on router", "New forward rule" and "New Source NAT".

An XSS payload (the alert() snippet in the command listings at the end of the page) was inserted in /cgi-bin/luci/admin/network/firewall/rules, in the New Forward Rule field.

Then we click on Edit to trigger the XSS.

This XSS is also present in the New Forward Rule and New Source NAT fields, as well as in Traffic Rules Name.

CVE-2019-18993 - PoC

OpenWrt 18.06.4 is vulnerable to a stored XSS attack via the "New port forward" field at the URI /cgi-bin/luci/admin/network/firewall/forwards.

The XSS payload was inserted in /cgi-bin/luci/admin/network/firewall/forwards, in the New Port Forward field.

By clicking on Edit, we trigger the XSS.

CVE-2019-25015 - PoC

LuCI in OpenWrt versions 18.06.0 to 18.06.4 contains a stored XSS vulnerability via a modified SSID.

An XSS payload was inserted in /cgi-bin/luci/admin/network/wireless/wl0.network1 in the ESSID field.

Then we click on Save & Apply to trigger the XSS.
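All three LuCI CVEs above share one root cause: a user-controlled setting (a firewall rule name, a port-forward name, the ESSID) is written back into the admin page without output encoding. The following is an added example (not LuCI's code): it renders such a field the vulnerable way, by string concatenation, and the hardened way, with html.escape applied separately for the two contexts the LuCI tables use (element body and quoted attribute). The payload is the one used on this page; validate_ssid is an added input-side check of my own, not something LuCI does, and the comment explains why it is only defence in depth.

```python
"""Output encoding for user-controlled router settings.

Added example, not LuCI's code. PAYLOAD is the snippet stored through the
firewall/wireless forms on this page.
"""
import html

PAYLOAD = '<script>alert("HACKED!");</script>'

def render_rule_vulnerable(name):
    """Whatever was stored is emitted as markup: the browser runs it on Edit/Save."""
    return f'<td>{name}</td><input type="text" value="{name}">'

def render_rule_safe(name):
    """Encode separately for the text node and for the quoted attribute value."""
    body = html.escape(name, quote=False)   # & < > for a text node
    attr = html.escape(name, quote=True)    # also " and ' inside a quoted attribute
    return f'<td>{body}</td><input type="text" value="{attr}">'

def validate_ssid(name):
    """Input-side sanity check for an ESSID: 1 to 32 bytes, no control characters.

    Defence in depth only: '<' and '"' are legal in an SSID, so this cannot replace
    output encoding; it just keeps obviously malformed values out of the config.
    """
    raw = name.encode("utf-8")
    if not 1 <= len(raw) <= 32:
        return False
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in name)

if __name__ == "__main__":
    print("vulnerable:", render_rule_vulnerable(PAYLOAD))
    print("safe:      ", render_rule_safe(PAYLOAD))
```

The attribute context matters as much as the body: a rule name containing a double quote must come out as &quot; inside value="...", otherwise the quote closes the attribute and the rest of the string becomes markup.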

Lack of Anti Bruteforce Mechanism

We were able to test a brute force attack on the web application folders with the BurpSuite tool. The application does not implement any anti-bruteforce mechanism.
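Both the SSH bruteforce in the static-analysis section and the web-folder bruteforce here succeeded because nothing on the device slows repeated failures down. The following is an added example (not OpenWrt, Dropbear or LuCI code) of the control that is missing: per-account exponential backoff after a small number of free attempts, applied before the credential is even checked so a locked account gives no timing signal. The threshold, the 15-minute cap and the injectable clock are my assumptions.

```python
"""Per-account failed-login throttling with exponential backoff.

Added example, not code from the page or from OpenWrt. The clock is injectable
so the behaviour can be tested without sleeping.
"""
import time

class Throttle:
    """Exponential backoff per key (account, or account plus source address)."""

    def __init__(self, clock=time.monotonic, threshold=3, max_backoff=900.0):
        self.clock = clock              # injectable for tests
        self.threshold = threshold      # failures allowed before the first delay
        self.max_backoff = max_backoff  # assumed cap: 15 minutes
        self.failures = {}              # key -> (failure_count, unlock_at)

    def allowed(self, key):
        _, unlock_at = self.failures.get(key, (0, 0.0))
        return self.clock() >= unlock_at

    def record_failure(self, key):
        """Increase the counter and return the delay (seconds) now imposed on this key."""
        count, _ = self.failures.get(key, (0, 0.0))
        count += 1
        delay = 0.0
        if count >= self.threshold:
            delay = min(2.0 ** (count - self.threshold), self.max_backoff)
        self.failures[key] = (count, self.clock() + delay)
        return delay

    def record_success(self, key):
        self.failures.pop(key, None)

def attempt_login(throttle, key, verify):
    """Gate a login: 'locked' before any credential check, else 'ok' or 'denied'.

    verify() is the real credential check (e.g. a password-hash comparison); it is
    never called while the key is locked, so lockout cannot be used as an oracle.
    """
    if not throttle.allowed(key):
        return "locked"
    if verify():
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key)
    return "denied"

if __name__ == "__main__":
    th = Throttle()
    for _ in range(5):
        print(attempt_login(th, "iotgoatuser", lambda: False), th.failures["iotgoatuser"])
```

With these parameters a 60,000-entry wordlist such as the mirai list used above stops being practical after the first few dozen guesses, while a legitimate user who mistypes twice is never delayed at all.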

Command Execution

There is a page cgi-bin/luci/admin/iotgoat on the web service.

At the root of /iotgoat, we find this hidden page:

This is a Command Execution vulnerability, giving access to the ash shell as root.

From there, an attacker might be able to take full control of the machine.

DOS - CVE-2019-19945 - PoC

uhttpd in OpenWrt versions up to 18.06.5 and 19.x up to 19.07.0-rc2 has an integer signedness error. This leads to an out-of-bounds access to a heap buffer and a subsequent crash. It can be triggered by an HTTP POST request to a CGI script, specifying both "Transfer-Encoding: chunked" and a large negative Content-Length value.
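The CVE-2019-19945 description points at two things a request parser should never accept: a Content-Length that is not a plain unsigned decimal, and a request that carries both Transfer-Encoding and Content-Length. The following is an added example (not uhttpd's code) of the framing validation that prevents this class of bug: Content-Length is parsed as unsigned per RFC 7230, negative or non-numeric values are rejected, ambiguous framing (both headers, or conflicting duplicate Content-Length values, the same ambiguity behind request smuggling) is rejected, and an assumed body cap is enforced. The sample requests are constructed.

```python
"""Validate the framing headers of an HTTP/1.1 request before touching the body.

Added example, not uhttpd's code. The sample requests below are constructed.
"""

MAX_BODY = 1 << 20  # assumed 1 MiB cap for a small embedded web server

# Constructed: the shape described in the CVE text (both headers, negative length).
BOTH_HEADERS = (b"POST /cgi-bin/luci HTTP/1.1\r\nHost: router\r\n"
                b"Transfer-Encoding: chunked\r\nContent-Length: -65536\r\n\r\n")
NEGATIVE_ONLY = b"POST /cgi-bin/luci HTTP/1.1\r\nHost: router\r\nContent-Length: -65536\r\n\r\n"
NORMAL = b"POST /cgi-bin/luci HTTP/1.1\r\nHost: router\r\nContent-Length: 12\r\n\r\nusername=abc"

def parse_head(raw: bytes):
    """Split a request head into (request_line, [(lowercased name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers

def check_framing(raw: bytes, max_body=MAX_BODY):
    """Return ('ok', body_length or 'chunked') or ('reject', reason)."""
    try:
        _, headers = parse_head(raw)
    except ValueError as e:
        return ("reject", str(e))
    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]

    if te_values and cl_values:
        # RFC 7230 3.3.3: a server MAY reject this; for a CGI front end we always do.
        return ("reject", "both Transfer-Encoding and Content-Length present")
    if te_values:
        codings = [c.strip().lower() for v in te_values for c in v.split(",")]
        if codings[-1] != "chunked":
            return ("reject", "unsupported transfer coding")
        return ("ok", "chunked")
    if not cl_values:
        return ("ok", 0)
    if len(set(cl_values)) > 1:
        return ("reject", "conflicting Content-Length values")
    value = cl_values[0]
    # Unsigned ASCII digits only: rejects '-65536', '+5', '1e3', '' and non-ASCII digits.
    if not (value.isascii() and value.isdigit()):
        return ("reject", f"invalid Content-Length: {value!r}")
    length = int(value)
    if length > max_body:
        return ("reject", f"Content-Length {length} exceeds limit")
    return ("ok", length)

if __name__ == "__main__":
    for sample in (BOTH_HEADERS, NEGATIVE_ONLY, NORMAL):
        print(check_framing(sample))
```

The signedness bug is avoided by never storing the length in a signed type in the first place: the value is validated as a string of ASCII digits and only then converted, so there is no path by which a "large negative" value reaches the buffer arithmetic.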

⚔️ No 8. Lack of Device Management

Lack of security support on production-deployed devices, including asset management, update management, secure decommissioning, system monitoring and response capabilities.

Logs are not enabled.

In addition, OpenWRT packages are not updated by default.

⚔️ No 9: Insecure Default Settings

Devices or systems are shipped with unsecured default settings or lack the ability to make the system more secure by preventing operators from changing configurations.

  • Using the default root user to log in to the web interface

  • UPnP enabled by default and without secure mode

Command listings

The commands and outputs referenced in the sections above.

Prerequisites (setup and tools):

```shell
# get the iotgoat .img for static analysis and .vmdk for dynamic analysis (run it locally)
# https://github.com/OWASP/IoTGoat/releases

# packages
apt update
apt install binwalk
apt install squashfs-tools

# TOOLS
# firmwalker
mkdir tools
cd tools
git clone https://github.com/scriptingxss/firmwalker.git

# testssl
git clone https://github.com/drwetter/testssl.sh.git

# linpeas (-o saves the script to a file instead of printing it to the terminal)
curl -L -o linpeas.sh https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
```

Static analysis (binwalk, dd, firmwalker):

```shell
# Scan to identify code, files and other information
binwalk IOTGoat.img

# Recursively extract the firmware and decompress the file
binwalk -reM IOTGoat.img

# extract the .img file and save it as a .bin file
# (29360128 bytes = 28 MiB; bs=1M skip=28 is equivalent and much faster than bs=1)
dd if=IoTGoat-raspberry-pi2.img bs=1 skip=29360128 of=iotgoat.bin

# run firmwalker against the unpacked squashfs root
./firmwalker.sh ../firmware/_IoTGoat.img.extracted/squashfs-root/ ./IoTGoat.txt
```

Firmwalker excerpt (No 1, password hashes):

```shell
# in the squashfs folder of the unpacked firmware
cat etc/shadow

# output :
root:$1$Jl7H1VOG$Wgw2F/C.nLNTC.4pwDa4H1:18145:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
iotgoatuser:$1$79bz0K8z$Ii6Q/if83F1QodGmkb4Ah.:18145:0:99999:7:::
```

Bruteforce SSH (No 1):

```shell
# Keep only the password column: the list has one user/password pair per line
awk '{print $2}' /usr/share/SecLists/Passwords/Malware/mirai-botnet.txt > /usr/share/SecLists/Passwords/Malware/mirai_pass.txt

# Bruteforce with Hydra (-P points at the file written above)
hydra -f -t 4 -l iotgoatuser -P /usr/share/SecLists/Passwords/Malware/mirai_pass.txt ssh://137.74.253.251
```

Exposed services (No 2), nmap output:

```shell
nmap -A -Pn 192.168.197.132

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
119/tcp   open  nntp
143/tcp   open  imap
443/tcp   open  https
465/tcp   open  smtps
563/tcp   open  snews
587/tcp   open  submission
993/tcp   open  imaps
995/tcp   open  pop3s
5000/tcp  open  upnp
5515/tcp  open  unknown
65534/tcp open  unknown
```

Stored XSS payload (No 3):

```html
<script>alert("HACKED!");</script>
```

Reference links (cited above as "cf."):

  • https://hackerbible.gitbook.io/en/pentest-linux/privilege-escalation/manual-checks

  • https://cyber.vumetric.com/vulns/busybox/busybox/1-28-4/

  • https://www.security-database.com/cpe.php?detail=cpe%3A2.3%3Ao%3Alinux%3Alinux_kernel%3A4.14.95%3A*%3A*%3A*%3A*%3A*%3A*%3A*

  • https://www.cyberveille-sante.gouv.fr/cyberveille/1646

Resources

Tools

  • IoT Device Default Password Lookup (defpass.com): check IoT default passwords

  • security-research-pocs/vulnerabilities/dnsmasq at master · google/security-research-pocs (GitHub)

  • Uncovering OpenWRT Remote Code Execution (CVE-2020-7982) | Mayhem (forallsecure.com)

  • GitHub - mclab-hbrs/openwrt-dos-poc: OpenWRT DOS Exploit, unfort. no RCE ;)

  • GitHub - Telefonica/HomePWN: HomePwn - Swiss Army Knife for Pentesting of IoT Devices (HomePWN tool)

  • IOT Device Pentest - OWASP