
With all of those chores being said, it was interesting growing up. In college my roommate and I had a 1 terabyte NAS, and it was awesome because you could administer it over this thing called a web interface; you could use Netscape, like, wow. And what he didn't know is I'd already broken into it, reversed the firmware, and made it such that every random copy of a file off the device greater than 20 megs would result in it being replaced with a Broadway show, or having very inappropriate items being sent across to him, at which point it took him a few days to realize that it wasn't him but the storage device, and said we need to get a new one. And after four warranty repairs he finally realized it wasn't them but me. So the part about this talk is you get to learn exactly how to do this with us on one specific Lenovo device, albeit in a different manner, and the nice part is you get to learn some stuff along the way. So take it on. Right, alrighty.

Thanks man. So I'm going to be looking down a little bit, because the light is super blinding, but I'm paying attention to all of you, just understand that. Anyways, my name is Rick, I'm Guardian, like John said, it's right there. This is a weird one, and the name of my talk is Introduction to, or Intro to, Vulnerability Chains, and I'm going to show you how you can get command injection on this device. The reason why I wrote this talk is because I work in the research team at Independent Security Evaluators, or the people that paid for me to be here, and we do a bunch of cool research. When I started learning about these things a couple of years ago I always thought it was very mysterious how you can exploit all these devices, and my co-workers made it sound like it was very complex, where I needed to write very long buffer overflows and look at all this hex code and all these other things, when in reality it's much more simple than that.

So first a little bit about myself. I like web application hacking, it's my thing; also hardware reverse engineering, mobile applications, and cryptography. I am a security analyst at Independent Security Evaluators. Independent Security Evaluators, for those people who don't know, we're based out of Baltimore, Maryland, we have an office in San Diego, California, and we do all sorts of web application and other types of assessments. So if you have a thing you need somebody to look at, just let me know and I'm happy to look at it. We do things from the white-box perspective, black-box, and everything else in between. Like I mentioned, the reason why I'm presenting is I also want people to get the feel and understanding that hacking things is not exclusively looking up what the Nessus results are for something and clicking on the buttons so that you can sort them by severity. It's also not about just looking at Metasploit for modules that somebody else already wrote; there is somebody in the background that's actually writing those, and you can be that person too. I enjoy reverse engineering and there's a lot that goes into looking at these devices, and considering that most of you most likely have a router or a NAS device in your house, you can probably start doing this too if you wanted to. Sweet.

So our goal today is going to be that we have a NAS device. Just think about it: similarly, if you have a router at home and there's an Ethernet device that allows you to get to the admin page, or the administrative page or whatever else you want to call it, we want to see what we can do to compromise this device because of that exposed attack surface, and we want to make it remotely accessible. So what that means is that I want to send it an individual command, or I want to set up something so that whenever a victim visits it, the device will ultimately be compromised and I can get a shell on it.

So the outline for the talk is just those four things: we're going to talk about what the Lenovo is, we're going to look at the attack surface, we're going to find some vulns, and then we're going to write an exploit. The finding vulns and writing exploits part is going to be a little bit more live, so you guys are going to see how I go through that process and how I build them myself. Full disclosure: I already know what the vulnerabilities are because I've responsibly disclosed them, but the writing the exploits part is going to be a little bit more difficult, so you guys can see how it is that I'm trying to stack these things together. That's why my talk is called chaining vulnerabilities.

This is our guest of honor. I thought I'd have something taller so you guys could see it, but since you don't, there's a picture of it there. It's a NAS device just like any other. Lenovo made the device, I guess in 2016; it's also marketed by Iomega, and that version doesn't say Lenovo on it. It has a whopping 1.3 gigahertz dual-core processor, 512 megabytes of memory, and some SATA drive bays and all that as well. The more important part is that it has two RJ45 ports that allow it to connect straight to your network over Ethernet.

These are the details that I want you to keep in mind while we're doing this, and that's that there are internal threats. Internal threats are people that are already on your network; they can access a network service that is only accessible over the network. So if you have a router at home you probably have noticed that there's an option for you to turn on the ability to interact with the device over the WAN. As soon as you enable that you can go to the device's IP address, or the IP address that your ISP has assigned to you, which is probably not the best idea if you're concerned about the security of your network, because then somebody can access it from the outside. From the inside, though, that doesn't necessarily mean that it's going to be limited exclusively to the people that are on your network. There are attacks, for example cross-site request forgery or DNS rebinding, where you can use somebody already on the network to issue requests on their behalf, which is what we're going to be doing today.

And authentication: I wanted to just remind you very quickly that some vulnerabilities are unauthenticated, which means that the person does not need to be logged in and you don't need to know their credentials. But at the same time, if your vulnerability is authenticated it doesn't mean that you can only issue the exploit or carry out the attack if you know the person's credentials; if you have attacks that leverage functionality in, for example, the browser to issue requests, that's still going to work.

We're looking for a remote shell and we're going to combine mostly those two vulnerabilities, command injection and cross-site scripting, but I will show you why cross-site request forgery is very important for this to work as well. The command injection is going to be in the functionality that handles how you can connect to other cloud storage devices, which is kind of funny, and the cross-site scripting is in the security page for the device, which is way more funny than that. So let's go ahead and look at that now.

So here is the admin page. I think most of you saw me logging into it while we were getting ready to get things started; since that part wasn't recorded we'll do it again. The username is admin and the password is just a password that I know. So have in mind that in this case we're looking at it from my perspective: we want to see what it is that we have access to. When you're reverse engineering these devices you will eventually, if you buy one or whatever you do, know the username and password; your goal is to develop an exploit so that you can compromise any device without knowing these things.

So here's the functionality, just a normal NAS device: you can explore content, and there's one share called backtick reboot, which I will not click on, for reasons, because it's going to reboot the device and we don't want that right now. And then there's also stuff you can just crawl through and figure out where everything else is. An important detail is that when you create shares and you have names like, for example, this one called backtick reboot, as soon as you create that share there is a shell script that's run that eventually does allow you to execute commands. Let's go ahead and create one right now just so you can see what that would look like. We're just going to use a backtick and we're going to open up a netcat connection on... let's do 1 2 3 4 5, and this one's very much just that. So as soon as we click that it's going to issue a POST request that we're going to look at together. This is great that the screen's huge. The share name on the bottom there, you can see that it just has everything URL encoded that we just sent; it's double URL encoded. So we're going to take that and drop it in Burp Suite's Decoder: decode as URL, decode as URL again, and here you can see that it's exactly what we typed in: the backtick, and the nc that opens up the connection to the netcat listener.

The interesting thing about the share functionality is that if you try to rename something it also does that. So if we do 12 it's going to be too low, so let's do eight, nine, nine, eight and three nines, click apply, and let's SSH onto the device. So when I was looking for vulnerabilities on this device there were two main things that I was trying to do: one of them was I was trying to create files and see where they are, and the other one was I was just trying to see, after SSHing onto the device, if anything was running, that is, checking ps. So let's go ahead and do that. I already SSHed onto this so it should be in here somewhere... you're going to SSH onto it or not, and it's going to be admin at 10.42.0.196 if I remember correctly, and this one is that password, or not. So while I remember the password right now, we can see that if it's not admin it's going to be root, and it's going to be a password the manufacturer allows you to set. Okay, that part doesn't matter, we'll just get a shell on it, because I don't know the admin password, and that's going to be way better anyways. Anyway, so that's creating a share. So that's part one of finding command injection, and there is another one. So let's see if we can do this.

We're going to set up a netcat listener and I'm going to show you how I was able to find the other one. The netcat listener is on port 1234, and we're going to find the other command injection right now. So they have this thing that I mentioned before that allows you to create a personal storage device, which is here, it's the personal cloud, and this one is also just as easy as the last one: just type in a personal cloud name, which is going to be test, username is going to be test, password is going to be... actually the password is the one that matters, and this time we're going to intercept it so we can see what it looks like once we issue this request. Oops, want to do it from over here because this is the one that's being proxied. Once we do it from over here we'll see that it's going to allow us to issue requests and we'll see the requests. Burp Suite is intercepting right now so that's not going to go through. There you go: scroll down, create a new personal storage device, wait, it's on... and this time the command injection is actually in the password. So I'm just going to have some random data in there for now, which is my name, and now we're going to substitute that out for backtick curl 10.42.0.1, as I'm sharing my connection and that means I'm the gateway, and that should work. So let's see if we're... netcat listener, no, we're not. No. So lucky for us I suspected something was going to go wrong and I put it in Repeater, and here we can see that we have the other one. I'm just going to send this to another Repeater tab and we'll see in Decoder that this is going to be what our final payload looks like: decode as URL, and decode as URL again, and it's designed to open up a reverse shell... not a reverse shell, a bind shell, that's listening on port 9000. So we're not going to use curl.

So since I'm all done, I just became authenticated again. We're going to have to do two things. There are two authentication tokens here: there is the Iomega cookie and there's also this one up here. So CSRF allows us to automatically send a request on the user's behalf when the session token is sent as a cookie, but it doesn't when we don't know the URL parameter. So this URL parameter right now that I have highlighted isn't going to allow us to issue this request. Just for kicks we can try to issue it now; it's going to say invalid, authentication failure. So we already know that we can pull these out because we have access to these from another request. So just scrolling through these we'll see that... another POST, okay, so that happened recently, there we go, pull this value out, put it in Repeater, and now I'm just going to issue this request in the browser in the current session, and that should give us a shell, and then after we're going to have to work our way backwards and try to figure out what it is that we need. Nope, no, closing... okay. So let's open back Firefox, since I closed that, we'll go back to the device, which is at 10.42.0.196, login, login again, we'll go to the proxy panel, or we just want to issue another request that gives us the token that we want, the token in the parameter. Let's go through these, here's one right here, copy it, put it in the request in Burp Repeater, and request in the browser's current session. Everything is good, we'll have a shell. So let's connect to the device, it's going to be 10.42.0.196, the port should be 9000, type id... that was way more stressful than it had to be, but there we go, we can prove that we're root again. Huh, anyways. So now we've got to figure out... let's look at that request again, and you guys see that, okay, that's it, that was a yes, good enough for me.

So like I mentioned, these two tokens right now are the problematic ones. The cookie we can get through CSRF, so we're good on that. Notice that there are no other things inside that POST body that we would need to know as an attacker, because we can just set those things to whatever we want and it's going to work. Guys, I have 10 minutes left. Alright, so what we need to do is try to figure out how to get that token. Let's get that from the browser. Lucky for us we can look at the browser's own... we can look at the browser storage and figure out what it is that's being stored. So click on Storage, let's try to find out. So session storage doesn't have anything; what about local storage? Local storage doesn't have anything either... oh, Firefox broke, that's why. So let's look again through here: Web Developer, Web Console, we're going to look at the Storage part. We already saw just now the Iomega cookie, and then in local storage we see that there's another one. So there's that number, the 101 here, it's very small, hard to see, and then there should be this 107. So let's look at that request again and see what number it was; it was 101. So that one's stored in the browser's local storage. So I actually wrote a JavaScript file before this, called lenovo XSS js, which is just a JavaScript file, a .js, and here I use JavaScript to pull out the Iomega user cookie from local storage, and then after, I issue the request with that value that we pulled out. So as you can see on this line that's highlighted right now, I use JavaScript string format syntax to take the value that we pulled out of the Iomega user cookie and put that into the URL that we're going to issue the request with. So let's go ahead and escape from... hit this now... alright, I was able to exit vim, and cool.

So here is the other part that's funny, which I really hope I can do in the next 10 minutes, and I'm sure that I can because I believe in myself. So in the security.html page they have a cross-site scripting vulnerability, and it's reflected cross-site scripting. So if we do this on the fly now, I hope that it works, and so that's going to be... make sure to... equals... there we go, cross-site scripting. So the other good part about this now is that we can use this cross-site scripting vulnerability to load another file. So how about we serve this with Python's SimpleHTTPServer, and this is going to be the name of the file, so let's copy that, let's try to copy it on... well, right over here, do some fancy script tag stuff, or not so fancy script tag stuff, it's pretty basic, sorry Lenovo. And we're going to do it where you need to get it from somewhere, right? So we're going to do http colon slash slash, we are the gateway here so it's going to be .0.1, quote, port is going to be 8000, I'm going to get it from slash lenovo whatever, I have 8000... heavens to Betsy. And that should be script source http, and that should be the whole thing, that should have worked. Let's see if it took it; I will go and kill it. So did they get it? So let's open up another tab and let's see if our... oh, it worked! 10.42.0.196, port is going to be 9000, id. That's a fully remote exploit, the fully remote exploit, it works, we're root. Hmm.

Alrighty, so that's actually the whole thing. And Lenovo is a pretty big company, they have pretty good security... well, okay, one of those is true. But we found out that it was actually not that bad, right? So when you start thinking about it, most of these devices are pretty vulnerable. It's 2019, you probably hear everyone talking about how funny it is that IoT devices, or anything else that's electronic and connected to the Internet, are pretty much a pushover. Well, although it may be funny, it's kind of also scary, because with most of these devices... you can say, well, the solution is for me not to buy them, but there's also the problem that you don't actually have that option all the time. I don't know about you, but sometimes I go to buy something and the only option is the Internet-connected option, and as time goes by that's kind of becoming the norm, where people think that it's perfectly okay for this thing to be vulnerable because everyone realizes that it's vulnerable, but at the same time the one that's vulnerable is the only option. And also a lot of manufacturers don't seem to be providing updates for these devices once somebody finds vulnerabilities. I'm happy to say that Lenovo did do a very good job at pushing out a firmware update for this thing after I reported the vulnerabilities, so kudos to them, but we also found out that out of the 13 devices that we audited, some of them cared, not all of them.

So if you are wondering about what I think would be a good idea, if you are wondering about how these things can be fixed or what things should be done, here they are. Short term, if you're a manufacturer: it's cheap, have somebody look at your stuff. If you don't want to, long term is that if you are going to continue to be a manufacturer, if you don't want somebody to look at your stuff because you think it's so expensive, buy your developers some books or something, or just send them to training; maybe that'll help, but it's probably better than me putting a command injection payload into one of the fields and getting command injection right off the bat. Alright, cool. So I didn't see your numbers, I'm good, uh-huh.

The consumer: the short term is, if you're tech savvy and you want to do these things that I listed here, try it out. It is kind of funny that all the time people are like, "use good passwords and update your firmware." Well, I didn't use anyone's password to run this thing, and I found the vulnerability in the most recent firmware, so I don't think that really helps. It does help a little bit, but it's not going to stop everything, and that kind of leads you into a false sense of security, so careful with it. I guess you should disable remote access; I mentioned that at the beginning of the talk, I don't think it's always necessary, so if you don't need it, please turn it off, and if there's a bunch of services that you don't need, definitely turn them off. The personal cloud feature you couldn't disable, and you can't disable the security feature either, the one that we got cross-site scripting in, so although it may help, it's not going to be a perfect solution.

Long term is that if you do see a manufacturer having a lot of bad devices, you should just ask them to fix it. I've had a lot of luck tweeting at people and saying, "I've emailed you a hundred times, you're now blocking my IP address, can you try to fix yourself," and they've actually done it. So although it may be kind of public shaming, it does get the job done. So take a ticket and do whatever you feel is best. That's the end of my talk, folks, I really hope you enjoyed it; that was as realistic as I could make it. You know, if you guys do have any questions I'm here, and yeah, hope you enjoyed it.

Any questions for this fun little exploit chain? I am the fun little exploit chain, by the way.

[inaudible question]

I don't remember off the top of my head, but I can say more than four, it's greater than five that actually cared, some of them. One of the things that we learned is that a lot of companies with bug bounty programs do not care. Do not care. It's good that they have them, but... yeah, just because you have a bug bounty program doesn't mean you're better than everybody else. Anyone else?

[inaudible question]

So when we got the device I SSHed onto it and I pulled up all the binaries and I started looking for things that would allow me to execute code. Yeah, so I looked for... that's typically how I do assessments too: I start with what will give me the ability to execute code and then move down from there.

Thank you Rick, it's been a pleasure. Alright, thank you John. [Applause]