Hacking ISPs with Point-to-Pwn Protocol over Ethernet (PPPoE)
Formal metadata
Title: Hacking ISPs with Point-to-Pwn Protocol over Ethernet (PPPoE)
Series title: DEF CON 30
Number of parts: 85
License: CC Attribution 3.0 Unported: You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unchanged or changed form, for any legal purpose, provided you credit the author/rights holder in the manner specified by them.
Identifiers: 10.5446/62205 (DOI)
Language: English
DEF CON 30, part 58 of 85
Transcript: English (automatically generated)
00:00
So our next talk is called Hacking ISPs with Point-to-Pwn Protocol over Ethernet, P-P-P-O-E. We have Gal. It's his second time at DEF CON. I guess we didn't scare him the first time. But please give him a big cheer, and let's start. All right? Thank you.
00:24
Thank you. All right, so hi everybody, and welcome to my talk on Hacking ISPs with P-P-P-O-E, or as the title says, Point-to-Pwn Protocol over Ethernet. And first I'd like to thank DEF CON for having me here
00:42
again this year, and this time in person, so I'm excited. And before I begin, let me share a quick story with you. So on this research, I've been working on and off for the last two years, and of course, it was during the pandemic, and like everybody else, I had to work from home.
01:02
However, this research involved this device on my kitchen table for almost a year. And let me give you just a quick example of what it sounds like. I'm also gonna pray to the audio gods that it's gonna work.
01:23
Wait. No audio. Oh damn. Wait, so I got a fallback for that, and I'm just gonna play it from my phone. So this is what the device sounds like. Yeah, so yeah, so before I begin,
01:46
I would especially like to thank my wife, Ortal, that sits here with us today for sharing a single bedroom apartment with me and that device. Yeah, thank you, honey.
02:01
Yeah, yeah. Tough year, the pandemic. All right, okay, so enough about that. So, okay, so let's begin. My name is Gal, and I've been causing ruckus on embedded devices for quite some time. And as I said, this is a two-year-long research,
02:23
and I actually started working on it when I used to work at Aleph Research, and I ended it in CyberArk Labs, where I work today as a research manager. And today we're gonna talk about three subjects. First, I'll introduce the idea and motivation
02:41
behind hacking internet service providers, ISPs. After that, we'll do a crash course in layer two communication protocols, and I'll present some cool vulnerabilities I found. And lastly, I'll share how I was able to research this kind of equipment, and hopefully I might convince you
03:01
that at the end of the day, big ISP network equipment, it's not that different from small home router research. Okay, so let's begin with pwning internet service providers. So we all know how a classic remote attack is executed.
03:22
Usually, an attacker looks for a victim on the internet, maps the attack surface by discovering what protocol the target uses, and then tries to use a 0-day or N-day, and hopefully gets RCE on the target. Ironically, many of these classic attacks
03:40
are nowadays taking place on home routers. So the idea is that ISP network equipment, it's not that different. Instead of the internet, we got our ISP network accessible from our local modem, and instead of the internet server, we got the ISP equipment that provides us services.
04:04
So all we have to do is to map the attack surface, find a 0-day, and hopefully get RCE on the ISP network equipment. But why attack an ISP? Well, if I was the proud pwner of Evilcom LTD,
04:21
I might be able to do some of the following stuff. For start, the obvious denial of service and other ransom activities, like shutting down the network and asking for money to stop doing it. But I can also execute DNS hijack for the entire network, AKA become man in the middle for all subscribers by redirect their DNS to my own Evil DNS server.
04:45
And another interesting idea is to target a specific subscriber by their actual identity, AKA the actual name and other information the ISP stores on them. I also might be able to, might be connected
05:01
to the internet backbone for IP allocation, so I might be able to execute this crazy scale distributed denial of service. And lastly, I can execute all sorts of attacks by abusing common protocol and technologies used by the ISP. Okay, so to understand what we are about to attack,
05:22
let's understand how basic ISP network operates. Keep in mind that this is a simplified example for DSL-based network, but other tunneling protocols such as PPPoE, L2TP, GPON, they all follow more or less the same concept.
05:41
So when you get your router from your ISP, it has two roles. One is to provide network services, such as Ethernet and Wi-Fi, to your home premises, and the other role is DSL modem functionality. The DSL modem basically uses the good old telephone line to connect you to your ISP and then to the internet.
06:02
Your modem is hooked up to a phone line and the telephone company connects the other end of the line to something called a DSLAM. A DSLAM is basically a multiplexer that extracts digital information from the analog signals sent from multiple modems over the telephone lines.
06:23
Okay, the DSLAM is then connected to a broadband remote access server, or BRAS, which is basically a big router that routes traffic to and from the DSLAM to the ISP network. So we can abstractly think that our modem is connected
06:41
with a layer two cable directly into the BRAS itself. And we can also bridge the modem traffic to our own evil machine. So now we can think abstractly that our malicious machine is connected with a very long ethernet cable directly to the BRAS.
07:01
So if the BRAS is the ISP's front line router and we are connected to it with network connectivity, then hacking this BRAS is the equivalent of hacking the ISP's home router. All right, and this is where home routers take the power back.
07:21
They can attack the BRAS in the same way hackers can attack them from the internet. Once we control the BRAS, attackers can execute some of the attacks I mentioned before or attack other ISP network equipment.
07:40
All right, so for this research, I decided to target Redback Networks SmartEdge equipment. Back in the 2000s, Redback were a big player in ISP equipment. They were actually involved in defining some of the protocols I'll show you today. In 2007, they were acquired by Ericsson,
08:00
which continues to manufacture new products under the Redback brand. Some of these devices are pretty big and can support up to half a million subscribers. For example, the one that you see at the bottom right. And they all use a custom NetBSD operating system called SEOS, SmartEdge OS.
08:23
And they also use a PowerPC architecture. Okay, so now that we have a target and we see it's worth hacking into, let's understand what kind of protocol can be used to attack ISPs. All right, so let's start with Point-to-Point Protocol
08:43
over Ethernet, or PPPoE, which is a layer two encapsulation protocol. This is a common protocol to connect to ISPs. And in our case, the PPPoE server is the ISP's BRAS.
09:01
And the PPP client is our DSL modem or malicious machine. And remember that we just saw that abstractly the client is connected with an Ethernet cable to the BRAS. So as the name of the protocol suggests, by using PPPoE, we can encapsulate PPP sessions over Ethernet frames.
09:21
Okay, great, but what is PPP? All right, so PPP stands for Point-to-Point Protocol. It is also a layer two protocol, which is mainly used to tunnel IP packets to and from the modem, and by doing so, enabling the internet connectivity.
09:42
So PPP negotiation is where the client authenticates to the server and gets its configuration parameters. And if all goes smoothly, a PPP tunneling interface is created on the client side. At this point, the client receives DNS configuration and usually an internet-facing IP address.
10:01
So at the end of negotiation, our router or machine should end up with an interface similar to this one. All right, also at any time, both the client or the server can terminate the session.
10:20
Yeah, and that's it. Now that we understand the general flow of the protocol, I'd like to focus on PPP, and especially on the session negotiation part of PPP. So PPP is a layered protocol that has three components.
10:42
First, there's an encapsulation component that is used to transmit datagrams over a specific physical layer. I'll soon go over on the specific format and how it looks like. The encapsulation is used to transmit something called
11:01
Link Control Protocol, LCP. This protocol establishes, configures, and tests the link, as well as negotiating settings, options, and use of features. And lastly, after the connection is established, different protocols can be used to negotiate and facilitate a layer three network layer.
11:23
In our case, to tunnel IPv4, and we use for that the IP Control Protocol, or IPCP. Since PPP is relatively big and has many protocol layers, I decided to focus on LCP, and this is why I did that.
11:45
Well, this is the first protocol used in PPP. It's used to set and receive different configurations, and no authentication is needed.
12:01
Okay, so to really understand PPP, let's understand the encapsulation format. So first, we got an Ethernet frame with a PPPoE payload. The PPPoE encapsulates a PPP payload, and in this example, the encapsulated PPP packet
12:22
is LCP type of packet. Now let's understand how LCP packet looks like. LCP packet contains an option payload to pass different parameters, for example, authentication protocol, magic number,
12:40
maximum receive units, et cetera, and each option has a code number, length, and data. For example, here we see that LCP packet that contains parameter for maximum receive units, authentication protocol, and a magic number.
13:04
And yeah, these are the different option values for all these fields. All right, and there are all sorts of other parameters defined in the protocol, but the one I found most interesting was actually the last one, code number 19, the Endpoint Discriminator option.
13:25
I don't have enough time to get in what this option does, and actually soon you'll see it doesn't really matter. But yeah. But I discovered that although the RFC defines that the parameter length should not exceed 20,
13:44
in the SmartEdge devices, it actually handles packets with a bigger length, and it also has no validation on the data field. Also, I noticed that when the PPP log is enabled in the SmartEdge device, I get long entries
14:01
similar to these. Here we see the different LCP parameters written to the log. For example, this is the authentication protocol used, and this is the magic number, and this is the AA as part of the Endpoint Discriminator field.
14:22
So I'm writing a log entry with any data I wish, and with a bigger length than accepted. Yeah, I think you all know what's coming next. Yeah, vanilla stack overflow in the SmartEdge log entry. And this is a great time for demo time.
14:44
Okay, so for this demo I will be using four terminals. The bottom blue terminal is only a monitor terminal connected to the SmartEdge device. Yeah, this is the monitor. And the red and the green terminals on the left
15:01
will act as the stdin and stdout listeners for the reverse shell. And on the black terminal I will execute my attack connected as a DSL subscriber. Okay, so now I'm running netcat to listen to stdin and stdout on two ports.
15:22
Yeah, here I'm using the first one and the second. All right, and now I will execute my attack by piping /bin/sh to two telnet clients. So here I'm piping the stdin to port 1337
15:44
and then pipe /bin/sh and stdout to the other port. Okay, fire away. So now I'm sending the first two PPPoE session,
16:02
creating a PPPoE session by sending two packets. And this is the LCP payload, malicious payload. And you can see on the monitor screen that I got a core dump, meaning that I managed to smash the stack. And now I'm using my stdin netcat to send commands.
16:21
Here I'm using ls. And of course I'm gonna echo my user and see that I am root. And yeah, let's do it again, just to, thank you. Thank you, I can also grab some other configuration like the DNS and I can write and read the DNS configuration
16:43
and the admin for the device itself. But yeah, once I get root, it pretty much ends. Okay, so now that we've seen a full working RCE, let's talk about how to research this kind of equipment.
17:02
So the most interesting conclusion I got from this research is that ISP network equipment is not that different from home routers when it comes to vulnerability research. Let's talk about the differences. So home routers are of course cheaper, usually around 300 bucks,
17:21
while the BRAS entry level is a bit higher. Both of them usually never get updates from the ISP, which is great for hackers, but really bad for everybody else. And as you already heard, BRAS are way noisier,
17:41
so if you plan to store them on your kitchen table, you should expect to annoy people around you. And probably the hardest part is that setup and configuration part, since ISP equipment usually takes a specific expertise to install. So if you got some extra dollars
18:03
and you're stubborn enough, you could also pwn ISP network equipment. So based on my experience with this research, I'm thrilled to present my seven easy steps to research and pwn ISP equipment.
18:21
First, firmware emulation. Then setting up debug and development environment, jailbreak if needed, get or buy an actual device, search and hopefully find vulnerabilities, write an exploit,
18:40
and finally celebrate with your favorite beverage. Okay, so first step for every embedded device research is usually getting the firmware. I was lucky enough to find one online, and after a quick binwalk, I realized SmartEdge uses a NetBSD OS
19:01
and a PowerPC architecture. Luckily, up until 2006, Apple were using PowerPC processors with their BSD-based kernel. And this nice fella called Kernai posted a wonderful Reddit blog on how to emulate a very similar system
19:22
to the ones SmartEdge are using. And that way, I was able to emulate the user space of the SmartEdge firmware. Right, now for debug and development. I realized that cross-compilation to a different OS and a different architecture
19:42
is pretty much a nightmare. So I decided to use my QEMU machine to just compile tools statically. I also used this SSH tcpdump trick to sniff packets from my emulated device into my Wireshark host. Well, that was super useful
20:02
to understand the different protocols I'm presenting. But I also had an issue with debugging. My GDB multi-arch on my Ubuntu machine refuses to connect to a PowerPC NetBSD system.
20:20
So instead of spending time solving this issue, I just decided to run the GDB client from my emulated environment. And yeah, this actually was very useful later on when I remotely debug an actual device. So it just saved me some time. Okay, so next step was to understand
20:43
if a jailbreak is needed for debugging an actual device. So as you can expect, SmartEdge are using this exec_cli binary to handle all console commands. So logging in from Telnet, SSH, serial ports,
21:03
they all end up with this jail terminal. But exec_cli must run some kind of other binaries. For example, when you use the Telnet command in that shell,
21:21
it executes this se_telnet binary. By the way, this is the same Telnet client I was using for my exploitation earlier in the PoC. Luckily, I found that this Telnet client has an internal Telnet command for just popping up a jail-free sub-shell.
21:45
So yeah, so another thing that, please note that this is a Telnet client. So to run the Telnet internal command to pop the jail-free shell, I use this trick where I do Telnet to run the jail-free shell.
22:03
So I go to my local host, and here you can see the invoke sub-shell command. So all I have to do is just use the exclamation point command and pop myself a jail-free CLI. Now that I know that if I'll get my hands
22:22
on an actual device, I can execute any code I desire. For example, this GDB server that Redback was kind enough to leave in their firmware. Right, so next I decided to buy an actual device. Theoretically, I could continue my research
22:41
on the emulated device and maybe even find vulnerabilities, but I was missing the actual device configuration. I also had to do some serious LD_PRELOAD voodoo magic to get the emulation working, which made it limited to specific binaries,
23:01
and it was pretty unstable in general. And also, if I have an actual device, I could develop a full working exploit like the one I demonstrated. Right, so I went to eBay and bought the cheapest device I could find, which is the SmartEdge 100.
23:22
It cost around two grand, and Aleph Research was kind enough to fund this purchase. By the way, at that point, I left Aleph Research and moved to Cyber
24:00
by reading this 100-page basic hardware guide
24:04
to understand how to physically connect stuff. I then had to read this 360-page basic configuration guide to understand what configuration I need to do in order to create an ISP-alike setup. And lastly, to work with the CLI,
24:22
I had to use this 900-page manual. And this is how I pretty much felt from all this useless information that I'm gonna use only once. Yeah, okay, so to apply all this information, let's first go over the device chassis.
24:44
Most of the ports on the device are either Ethernet or optical ports. To these ports, the ISP connects other network equipment such as switches, routers, and DSLAMs. And most importantly, the subscribers are connected
25:01
through these ports. So my attack should be executed from one of these ports. The other ports are used for managing the device. So we got two Ethernet management ports and a single serial port.
25:21
So there's two ways to configure and manage the device. The most convenient is, of course, the Ethernet ports by using Telnet or SSH. But these ports can also be used for other monitoring such as log monitoring, packet monitoring,
25:40
and even remote debugging with GDB. But the serial port is still very useful since it's foolproof. Meaning that even if I completely messed up the device configuration, I could always reverse it with the serial port. And believe me, I have messed the device configuration
26:01
like a million times. All right, so finally I was able to configure the device with around 200 configuration commands. And I was ready for a full ISP-like installation. My setup included an Ubuntu machine, three network cards, and a single port,
26:23
a single serial port. So I started by connecting a serial port to the foolproof console. I then used one network device to connect to the management device port and then connect another network interface
26:40
to simulate an actual subscriber connected to the BRAS. This is where I execute my vulnerability through this port. And lastly, I installed the device in our server room and connected my Ubuntu machine to the internet so I won't have to work from my kitchen table no more.
27:02
Okay, so now that I own a SmartEdge device and I understand how to configure it, and I got myself a server rack, I finally became the proud owner of Evil Communication LTD. So you guys are more than welcome to become my victims,
27:23
to become my clients, of course, free of charge. All right, but beside becoming an ISP, I finally reached the research phase. So now I had three useful tools to help me with the research.
27:44
The SmartEdge log, a GDB server, and Wireshark monitoring. And now let's talk about the daemon itself that handles PPP. SmartEdge is running a daemon called PPPD
28:00
that handles PPP sessions. With some reversing, I realized that incoming PPP packets are being handled by a function called packet receive. Packet receive calls a function called demux input packet for every packet it receives.
28:23
And this function is a log stream multiplexer for input function. Basically it means it uses function pointers for different log, depends on what sub PPP protocol is being used.
28:40
Here we see three logs protocol functions. For example, the LCP, the IPCP, and the NLCP. And as you guys already know, I was interested in the LCP log. And this is where I discovered that the endpoint
29:01
discriminator log uses this unsafe memcpy to the stack. So if we go back to the LCP options payload example, this is where my memcpy copies the data I control with invalid length to a 35-byte stack array.
29:23
All right, and finally it's exploit time. So exploit development was very straightforward. There were zero stack mitigations, and I chose to use a single ROP gadget to execv. But when I was using the reverse IP shell in my demo,
29:45
I was making a naive assumption. In the demo I assumed that the BRAS has some kind of IP connectivity and was able to create a reverse shell to the remote server.
30:03
When the attacker can control the BRAS by, then the attacker can control the BRAS by connecting to that remote server. But what if the BRAS has no IP connectivity, or it is blocked by a firewall? How can I get a shell on the device using only layer two?
30:23
So I decided to try and develop a layer two only shell, meaning the entire shell will be executed over Ethernet frames without the need for the IP protocol, meaning the subscriber can control the device directly.
30:42
So the first problem was that my exploit was limited to command shells only, like we saw in the PoC. So first I had to execute my exploit to deploy a bridgehead. Bridgehead is a term for running a small exploit
31:00
to upload a bigger exploit. So if I was looking for a way, sorry, I was looking for a way to execute a shellcode that will allow me to upload files using only layer two communication. Luckily I had tcpdump installed on the device,
31:20
and I found this very cool trick to upload a file from a specific MAC address. Here we see that tcpdump writes the content of 106 frames to a file called L2 shell. And I also used a filter to only pick up frames
31:42
with a specific magic MAC source address. So now I am no longer limited to a shell command. I can upload any binary I want and execute it by running my exploit again. But since I'm dealing with layer two connection,
32:02
I needed some sort of raw socket functionality. Unfortunately, SmartEdge implemented their own undocumented raw socket, so I couldn't just use it easily. But fortunately, /dev/bpf was installed. And ironically, the only binary using /dev/bpf
32:24
was the tcpdump I just abused. So I had to configure BPF with these two flags. The first is telling BPF which interface to listen on, and the other flag is to just receive the packets immediately.
32:41
And now BPF listens to layer two traffic, and if it detects a frame with a specific magic, it extracts and runs its code, the specific commands. And now I'm truly done with exploiting the device. But wait, there's more.
33:04
I would like to share another interesting vulnerability discovered by Omer Tsarfati, one of our researchers at CyberArk Labs. For this, let me explain how a PPPoE session works. So every PPPoE packet has a code field.
33:24
This field sets what type of message is being used in the PPPoE negotiation part. So the first phase is not mandatory, and it's mainly needed for the client to discover the PPPoE server MAC address.
33:43
It does that by sending an initiation packet and receiving an offer from the server. And the next step is mandatory, and in this phase, the client requests the session number to start a session. So the client sends PADR, AKA request,
34:03
and receives PADS, AKA session, from the server. Also, it's very important to notice that both sides can terminate the session at any time by using PADT, AKA termination. So Omer discovered that when the client sends a PADR request
34:25
with a broadcast as a source address, the SmartEdge PPPoE server sends a session packet with a broadcast as destination address. Since no client expects an FFFF as a destination address,
34:44
it sends it again and again, and if the server is configured with session timeout, it sends a termination packet. But this termination packet has a broadcast as destination MAC address,
35:02
meaning the server asks all the clients to terminate their session. Thank you. Thank you. Thank you. Thank you. There is a but here. There is a but here. That this attack, it still depends on the switch policy,
35:23
and whether the DSL endpoints determine, if the ADSL endpoints terminate the session if they receive such kind of a request. I mean a broadcast termination with no session number. But yeah, but anyway, it's a bug for sure,
35:42
and a really cool idea for an attack. Yeah, and now that we managed to pwn our SmartEdge devices, all that's left is to drink rum with the fellas here at DEF CON. By the way, this is my noob shot from 2020. All right, and as for fingerprinting,
36:04
so I managed to detect around 500 devices in 55 different organizations from 20 different countries that were using the SmartEdge devices. But remember folks, these devices are not publicly,
36:22
they're not supposed to be publicly facing. So I'm sure there are many more out there. And I reached out to Ericsson with my findings, and we worked together to reproduce and understand the issues and their severity. Ericsson suggested to handle the CVE assignment,
36:43
and they provided a CVE number for the stack overflow with a critical CVSS score, and another CVE for the denial of service bug, but I haven't updated the slides yet, with a medium CVSS score.
37:01
Ericsson also announced that SmartEdge devices have reached end of life, meaning these vulnerabilities are infinity-day. And we also brainstormed together on possible mitigations, and they communicated the issues to their customers. And as for mitigations, well I strongly recommend
37:26
to disable PPP logs on the SmartEdge devices. As for Omer's denial of service attack, I believe it can be blocked with switch configuration to block this kind of messages.
37:40
And also SmartEdge, well they are really old devices, they are from back in the 2000s, and it's highly recommended to just get rid of them and replace them. All right, so to conclude, I hope I convinced you that ISP network devices are not that different
38:02
from home routers when it comes to vulnerability research. That old school is still cool, and a 50-year-old network device can still cause a big ruckus. And as always, ISPs usually don't pay attention to updates
38:22
when it comes to both their end point and their back end equipment. Right, looking forward, a blog post will be published soon. And I might also look into other attack surfaces I discovered while researching the SmartEdge devices.
38:43
And lastly, I might have a look at other vendors and see if some of those techniques work. I mean, the denial of service works. All right, thank you for your time. Feel free to reach out, yeah, thank you. Yeah. Thanks, feel free to reach out to me on Twitter,
39:09
and go see the latest season of Solar Opposites, it's awesome. And if you got any questions, feel free to ask.
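Editor's added example, placed after the talk. This is not SmartEdge or Ericsson code and not the speaker's exploit; it is a C model of the two findings the talk describes: an LCP option walker that copies an Endpoint Discriminator (option 19) into a 35-byte stack array, shown the unsafe way beside a bounded version, and a source-MAC check on PPPoE discovery frames that would stop the broadcast-PADR denial of service. The function and type names, the 35-byte buffer (taken from the talk), the 20-octet maximum (the longest address class in RFC 1990), and the sample option lists are all assumptions or constructed for this example.

```c
/* Added example (editor), not SmartEdge/Ericsson code.  Models the talk's
 * LCP Endpoint Discriminator logging bug and the PPPoE broadcast-PADR DoS.
 * All names are hypothetical; sample option lists are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LCP_OPT_ENDPOINT  19   /* Endpoint Discriminator, RFC 1990 */
#define ENDPOINT_MAX_ADDR 20   /* longest address class RFC 1990 allows */
#define LOG_BUF_SZ        35   /* stack array size the talk describes */

typedef int (*lcp_opt_cb)(uint8_t type, const uint8_t *data, size_t len, void *ctx);

/* Walk an LCP option list: Type(1) Length(1) Data(Length-2).  Returns the
 * number of options, or -1 on a malformed TLV or a callback rejection. */
int lcp_walk_options(const uint8_t *opts, size_t n, lcp_opt_cb cb, void *ctx)
{
    size_t off = 0;
    int count = 0;
    while (off < n) {
        if (n - off < 2) return -1;                 /* truncated header */
        uint8_t type = opts[off], len = opts[off + 1];
        if (len < 2 || len > n - off) return -1;    /* runs past the packet */
        if (cb && cb(type, opts + off + 2, (size_t)len - 2, ctx) < 0) return -1;
        off += len;
        count++;
    }
    return count;
}

/* Render bytes as upper-case hex for a log line; -1 if out is too small. */
static int hex_render(const char *src, size_t len, char *out, size_t outsz)
{
    if (outsz < 2 * len + 1) return -1;
    for (size_t i = 0; i < len; i++)
        snprintf(out + 2 * i, 3, "%02X", (unsigned char)src[i]);
    return (int)(2 * len);
}

/* Vulnerable pattern: the option length goes straight into memcpy, so any
 * length above LOG_BUF_SZ overwrites the stack, as in the talk's demo. */
int log_endpoint_disc_unsafe(const uint8_t *data, size_t len, char *out, size_t outsz)
{
    char buf[LOG_BUF_SZ];
    memcpy(buf, data, len);                          /* BUG: len is attacker-chosen */
    return hex_render(buf, len, out, outsz);
}

/* Hardened: enforce the protocol maximum (1 class octet + up to 20 address
 * octets) and the buffer size; oversized options are rejected, not logged. */
int log_endpoint_disc_safe(const uint8_t *data, size_t len, char *out, size_t outsz)
{
    char buf[LOG_BUF_SZ];
    if (len < 1 || len - 1 > ENDPOINT_MAX_ADDR || len > sizeof buf) return -1;
    memcpy(buf, data, len);
    return hex_render(buf, len, out, outsz);
}

struct log_ctx { char line[2 * LOG_BUF_SZ + 1]; int endpoint_hex_len; };

/* Only option 19 is logged here; the callback's return feeds the walker. */
static int log_cb(uint8_t type, const uint8_t *data, size_t len, void *ctx)
{
    struct log_ctx *c = ctx;
    if (type != LCP_OPT_ENDPOINT) return 0;
    c->endpoint_hex_len = log_endpoint_disc_safe(data, len, c->line, sizeof c->line);
    return c->endpoint_hex_len;
}

/* Walk one option list through the hardened logger; -1 means dropped. */
int demo_walk(const uint8_t *opts, size_t n)
{
    struct log_ctx c = {{0}, 0};
    return lcp_walk_options(opts, n, log_cb, &c);
}

/* RFC 2516: a discovery frame's Ethernet source is the sender's unicast
 * address.  A group-bit source (broadcast/multicast) must be dropped, or the
 * PADS and PADT replies go to ff:ff:ff:ff:ff:ff and every client sees them. */
int pppoe_src_mac_ok(const uint8_t mac[6])
{
    return (mac[0] & 0x01) == 0;
}

/* Constructed samples.  OK: MRU 1492, PAP, magic number, class-3 (MAC)
 * endpoint.  BAD: class-1 endpoint with 30 address octets (length 33).
 * TRUNC: an option whose length claims more bytes than are present. */
const uint8_t SAMPLE_OPTS_OK[] = {
    1, 4, 0x05, 0xd4,  3, 4, 0xc0, 0x23,  5, 6, 0x11, 0x22, 0x33, 0x44,
    19, 9, 3, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
const uint8_t SAMPLE_OPTS_BAD[] = { 19, 33, 1,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA };
const uint8_t SAMPLE_OPTS_TRUNC[] = { 19, 9, 3, 0x00 };
const uint8_t MAC_UNICAST[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
const uint8_t MAC_BCAST[6]   = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };

/* The unsafe path on the benign 7-octet endpoint still works (14 hex chars);
 * only the missing length check separates it from the hardened path. */
int demo_unsafe_benign(void)
{
    char line[2 * LOG_BUF_SZ + 1];
    return log_endpoint_disc_unsafe(SAMPLE_OPTS_OK + 16, 7, line, sizeof line);
}
```

Compiled with any C99 compiler, demo_walk returns 4 on the benign list and -1 both for the 33-byte endpoint option and for the truncated TLV, so the oversized data never reaches the stack buffer; the TLV walk alone still accepts the 33-byte option as well-formed, which is why the semantic length check in the logger is the fix and not the framing parser. pppoe_src_mac_ok returns 0 for ff:ff:ff:ff:ff:ff, the PADR a server should never answer.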