IOActive: Breaking WingOS

Video thumbnail (Frame 0) Video thumbnail (Frame 4341) Video thumbnail (Frame 5585) Video thumbnail (Frame 6503) Video thumbnail (Frame 8025) Video thumbnail (Frame 9135) Video thumbnail (Frame 10997) Video thumbnail (Frame 13608) Video thumbnail (Frame 15077) Video thumbnail (Frame 16747) Video thumbnail (Frame 18437) Video thumbnail (Frame 19669) Video thumbnail (Frame 20856) Video thumbnail (Frame 22016) Video thumbnail (Frame 23367) Video thumbnail (Frame 24343) Video thumbnail (Frame 25457) Video thumbnail (Frame 27769) Video thumbnail (Frame 30737) Video thumbnail (Frame 32134) Video thumbnail (Frame 33072) Video thumbnail (Frame 33957) Video thumbnail (Frame 39505) Video thumbnail (Frame 40747) Video thumbnail (Frame 42945) Video thumbnail (Frame 44161) Video thumbnail (Frame 45605) Video thumbnail (Frame 46449) Video thumbnail (Frame 47274) Video thumbnail (Frame 50572) Video thumbnail (Frame 51674) Video thumbnail (Frame 53942) Video thumbnail (Frame 56062) Video thumbnail (Frame 59697) Video thumbnail (Frame 62107)
Video in TIB AV-Portal: IOActive: Breaking WingOS

Formal Metadata

Title
IOActive: Breaking WingOS
Alternative Title
WingOS: How to Own Millions of Devices
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
Extreme network's embedded WingOS (Originally created by Motorola) is an operating system used in several wireless devices such as access points and controllers. This OS is being used in Motorola devices, Zebra devices and Extreme network's devices. This research started focusing in an access point widely used in many Aircrafts by several worldwide airlines but ended up in something bigger in terms of devices affected as this embedded operating system is not only used in AP's for Aircrafts but also in Healthcare, Government, Transportation, Smart cities, small to big enterprises... and more. Based on public information, we will see how vulnerable devices are actively used (outdoors) in big cities around the world. But also in Universities, Hotels,Casinos, Big companies, Mines, Hospitals and provides the Wi-Fi access for places such as the New york City Subway. In this presentation we will show with technical details how several critical vulnerabilities were found in this embedded OS. First we will introduce some internals and details about the OS and then we will show the techniques used to reverse engineering the mipsN32 ABI code for the Cavium Octeon processor. It will be discussed how some code was emulated to detect how a dynamic password is generated with a cryptographic algorithm for a root shell backdoor. Besides, it will be shown how some protocols used by some services were reverse engineered to find unauthenticated heap and stack overflow vulnerabilities that could be exploitable trough Wireless or Ethernet connection. This OS also uses a proprietary layer 2/3 protocol called MiNT. This protocol is used for communication between WingOS devices through VLAN or IP. This protocol was also reverse engineered and remote heap/stack overflow vulnerabilities were found on services using this protocol and will be shown. As a live demonstration, 2 devices will be used to exploit a remote stack overflow chaining several vulnerabilities as the attacker could do inside an aircraft (or other scenarios) through the Wi-Fi. As there are not public shellcodes for mipsN32 ABI, the particularities of creating a Shellcode for mipsN32 ABI will be also discussed.
Point (geometry) Surface Socket-Schnittstelle Game controller Device driver Streaming media Web 2.0 Architecture Goodness of fit Kernel (computing) Computer network Energy level Information Category of being Wireless LAN Vulnerability (computing) Computer architecture Physical system User interface Game controller Demo (music) Information Surface Interface (computing) Interactive television Computer network Instance (computer science) Category of being Kernel (computing) Extreme programming Website Wireless LAN Family Window
Point (geometry) Game controller Game controller Information Point (geometry) Combinational logic Electronic mailing list Computer network Instance (computer science) Extreme programming Type theory Extreme programming Different (Kate Ryan album) Personal digital assistant Computer network Operating system Physical system Physical system
Point (geometry) Game controller Zoom lens Game controller Enterprise architecture Serial port Point (geometry) Electronic program guide Computer network Extreme programming Local area network Mereology Extreme programming Operator (mathematics) Boom (sailing) Computer network Physical system
Point (geometry) Game controller Regulator gene Different (Kate Ryan album) Internetworking Web service Projective plane Cuboid Instance (computer science) Endliche Modelltheorie Product (business) Physical system
Point (geometry) Enterprise architecture Game controller Building Enterprise architecture Observational study Observational study Building Plastikkarte Computer network Plastikkarte Type theory Internetworking Different (Kate Ryan album) Personal digital assistant Computer network Cuboid Website Website
Point (geometry) Game controller Observational study Workstation <Musikinstrument> Instance (computer science) Data mining Personal digital assistant Different (Kate Ryan album) Web service Internet service provider Personal digital assistant Universe (mathematics) Near-ring Wireless LAN
Point (geometry) Satellite Surface Observational study Service (economics) Observational study Military base Surface Password Computer network Bit Average Connected space Web service Arithmetic mean Personal digital assistant Different (Kate Ryan album) Web service Personal digital assistant Universe (mathematics) UDP <Protokoll> Freezing Wireless LAN Vulnerability (computing)
Satellite Point (geometry) Surface Building Server (computing) MIDI Password Regular graph Internetworking Office suite Information security Modem Vulnerability (computing) Computer architecture Noise (electronics) Information Demo (music) Building Surface Point (geometry) Computer network System call Connected space Linker (computing) Telecommunication Information security Window
Service (economics) Perspective (visual) Word Medical imaging Internet forum Root Einheitswurzel Operating system Gastropod shell Moving average Process (computing) Address space Vulnerability (computing) Form (programming) Vulnerability (computing) Information Interface (computing) Cellular automaton Type theory Root Process (computing) Password Gastropod shell Backdoor (computing) Window Einheitswurzel
Email Default (computer science) Mapping Validity (statistics) Computer file Binary code Content (media) System call Root Root String (computer science) Password Gastropod shell Gastropod shell Backdoor (computing) Cholesky-Verfahren Identity management Reverse engineering Default (computer science)
Point (geometry) Asynchronous Transfer Mode User interface Computer file Code Emulator Befehlsprozessor Operator (mathematics) DDR SDRAM Software framework Loop (music) Computer architecture Content (media) Code Ripping Instance (computer science) Flow separation Root Process (computing) Loop (music) Emulator Buffer solution Order (biology) output Gastropod shell Block (periodic table) Backdoor (computing) Resultant Reverse engineering
Computer file Code Coroutine Password Emulator Fluid statics Operator (mathematics) String (computer science) Encryption Logic gate ASCII Key (cryptography) Content (media) System call Arithmetic mean Root Loop (music) Hexagon Personal digital assistant String (computer science) Password Buffer solution Gastropod shell Encryption Backdoor (computing) Resultant Session Initiation Protocol
Fehlererkennungscode Key (cryptography) Code Cellular automaton Password Number Emulator Root Loop (music) Root Operator (mathematics) Password Encryption Gastropod shell Encryption Block (periodic table) Backdoor (computing) Resultant Address space
Slide rule Module (mathematics) Service (economics) Information management Computer file Code Multiplication sign Password IP address Web service Root Encryption Process (computing) UDP <Protokoll> Default (computer science) Module (mathematics) Default (computer science) Information management Key (cryptography) Cellular automaton Instance (computer science) Type theory Arithmetic mean Root Process (computing) Personal digital assistant Password Different (Kate Ryan album) Interface (computing) Gastropod shell Encryption Backdoor (computing)
Dataflow Socket-Schnittstelle Functional (mathematics) Game controller Length Code Source code Maxima and minima Client (computing) Mereology Stack (abstract data type) Host Identity Protocol Revision control Duality (mathematics) Web service Information Website Buffer overflow Link (knot theory) Information Block (periodic table) Sound effect System call Hexagon Personal digital assistant Network socket Buffer solution Revision control Website Fiber bundle Communications protocol Buffer overflow Session Initiation Protocol Reverse engineering Firmware
Game controller Functional (mathematics) Code Multiplication sign Letterpress printing Water vapor Number Mach's principle Crash (computing) Web service Operating system Information Process (computing) Message passing Physical system Graphics processing unit Scripting language Information management Electric generator Inclusion map Process (computing) Web service Network socket Revision control Video game Buffer overflow Row (database) Firmware
Multiplication sign Set (mathematics) Client (computing) Connected space Computer configuration Kernel (computing) Network socket Computer network Cuboid Information Vulnerability (computing) Service (economics) Keyboard shortcut Instance (computer science) Arithmetic mean Process (computing) Internetworking Configuration space Energy level Reverse engineering Point (geometry) Socket-Schnittstelle Game controller Service (economics) Virtual LAN Portable communications device Time domain Internetworking Operating system Energy level Communications protocol Reverse engineering Firmware Address space Wireless LAN World Wide Web Consortium Domain name Game controller Standard deviation Information Client (computing) Computer network Kernel (computing) Personal digital assistant Network socket Family Communications protocol Local ring Window Address space
Point (geometry) Socket-Schnittstelle Game controller Computer file Link (knot theory) Set (mathematics) Client (computing) IP address Area Network socket Computer network Operating system Configuration space Message passing Library (computing) Address space Default (computer science) Authentication Socket-Schnittstelle Game controller Default (computer science) Standard deviation Block (periodic table) Expert system Client (computing) Instance (computer science) Software maintenance Flow separation Network socket Telecommunication Buffer solution Interpreter (computing) Reverse engineering
Game controller Functional (mathematics) Socket-Schnittstelle Service (economics) Graph (mathematics) Link (knot theory) Binary code Opcode Software bug Arithmetic mean Process (computing) Personal digital assistant Web service Statement (computer science) Pattern language Communications protocol Communications protocol
Dataflow Logarithm Functional (mathematics) Game controller Host Identity Protocol Hoax Code Source code Keyboard shortcut Electronic mailing list Singular value decomposition Binary file Personal digital assistant Network socket Buffer solution Statement (computer science) Process (computing) Statement (computer science) Message passing Communications protocol Address space
Revision control Dataflow Game controller Host Identity Protocol Code Crash (computing) Keyboard shortcut Source code Operating system Statement (computer science) Process (computing) Buffer overflow
Ocean current Dataflow Game controller Source code Exploit (computer security) Stack (abstract data type) Metadata Casting (performing arts) Cache (computing) Semiconductor memory Befehlsprozessor Memory management Computer worm Circle Address space Vulnerability (computing) Host Identity Protocol Demo (music) Memory management Stack (abstract data type) Ellipse Inclusion map Cache (computing) Befehlsprozessor Process (computing) Linker (computing) Personal digital assistant Buffer solution Buffer overflow Computer worm Data buffer
Dataflow Functional (mathematics) System call Block (periodic table) Code Exploit (computer security) Control flow Cache (computing) Cache (computing) Causality Function (mathematics) Gastropod shell Circle
Email Functional (mathematics) Code Moment (mathematics) Cellular automaton Parameter (computer programming) Compiler Bit Database Machine code Instance (computer science) Akkumulator <Informatik> Flow separation 32-bit Data model Pointer (computer programming) Internetworking Different (Kate Ryan album) Network socket Circle Speicheradresse Library (computing) Physical system
Laptop Point (geometry) Graph (mathematics) Code Demo (music) Shared memory Exploit (computer security) Computer network Akkumulator <Informatik> Connected space Internetworking Gastropod shell Vulnerability (computing)
Scripting language Point (geometry) Dataflow Hoax Host Identity Protocol Link (knot theory) Cellular automaton Keyboard shortcut Expert system Electronic mailing list Akkumulator <Informatik> Root Different (Kate Ryan album) Buffer solution Gastropod shell Source code Software testing Routing Buffer overflow Vulnerability (computing)
Computer icon Game controller Information management Link (knot theory) Information Patch (Unix) Structural load Patch (Unix) Point (geometry) Computer network Local area network Density of states Host Identity Protocol Arithmetic mean Extreme programming Computer network Cuboid Process (computing) Communications protocol Wireless LAN
Operating system Information security Window Vulnerability (computing)
good morning everyone so this is Jessup he's got a rather interesting gear here and it's going to work - I know that with that it's just hi guys so thank you for joining to this talk I really hope that you you guys will enjoy it so what I'm going to talk about is this research on how I broke this window s what I'm going to do is to discuss about some interaction about this window as Venus then we will discuss some scenarios and attack surface that we have with this OS and under the biases then I will describe with full technical details some critical vulnerabilities and then I'll try to make a demo with these two devices with an expla that I did trying to exploit one of the vulnerabilities and then after that we will discuss some conclusions so what the hell is this wing OS so basically it's an embedded Linux operating system with its own proprietary stuff in in the kernel like they have their own proprietary drivers they have their own proprietary socket address family and stuff like that so originally was created by Motorola but now it's property of stream networks and we'll discuss about it in a couple of minutes then the the architecture is MIPS and 32 at least the devices that I've been working with during this research were MIPS and 32 mainly is used for wireless access points and wireless controllers and as far as I know there is no public information or previous research and reported vulnerabilities about this OS as far as I know at least so from extreme networks website we can get some high level details about this OS like for instance here saying that it's for WLAN architectures and it's designed for to scale efficiently from the smallest networks to large geographically dispersed deployments and stuff like that so from the website you can get more an idea and high-level details of this OS so we have a about interface typical interface where we can set a lot of stuff I mean the web interface is huge and it also has boner abilities but I didn't want to focus this research about web vulnerabilities so we will we won't discuss web vulnerabilities in during this talk but also we have the
typical command-line interface similar to the C squires where you can I mean you have like different type of commands and combinations of commands where you can set the device and this command line interface is restricted meaning that from here you can't access to the operating system the lineups operating system that it's running in in the background so devices using this wing OS
so III didn't get an official list of devices affected but based on public information for instance from extreme networks website we can see a list of wing access points and controllers that uses this operating system but as this is not official this list could be even bigger in the case of extreme networks
but also we have Motorola devices and serial devices because as I said Motorola created this OS so they have also their devices with this OS and then zebra bought this part of the business - from Motorola and that's why we we also have zebra devices with VSOs and then at the end extreme networks bought this part of the business from zebra so
basically that's why we have Motorola access points Motorola controllers zebra devices and extreme network devices running with this running this operating
system and also we got the control device so this particular one is important because all this research is started because of this this well concern is a company that makes embedded devices for different industries such as the aircraft industry and industry and stuff like that so one of my co-workers in I active doing Santa Marta said hey guys here's an interesting target this is an access point that is widely used in aircraft seen by many airlines around the wall so this could be an interesting target for a research project and then I thought yeah this might be fun and yeah I didn't have been briefed on so basically this is a box that it has some special connectors to to comply with the aircraft regulations they are craft industry regulations but basically inside we got that Motorola ap seventy one thirty one access point so where we
can find these devices as we can see for instance in this picture from the internet from an aircraft they are actually installing the Motorola that model access point at the ceiling of the aircraft so as I was saying it's widely using in aircraft by many airlines around the world we got some other
pictures from the internet where we can see the the control box where inside it's that Motorola particular Motorola access point and yeah it appears that they are installing the these access points at the ceiling off of the aircraft but on of maybe in other types of aircraft they are installing the the access point in other places have an idea so from the extreme networks
website and some case studies that we can find on in the internet we can see that these devices are also using other different scenarios and industries such as smart buildings smart cities healthcare government obviously small and big enterprises networks you know in a lot of different scenarios let's see
some examples quickly this is for instance a Motorola case study were we can see that the AP 7161 and this the 9500 controller ie are used in more than 200 subway stations in the near city subway to provide Wi-Fi to to the passengers then also we got container port glow on a global annex manufacturers such as isola in this case and different facilities universities such as this one also even in minds this case study from zebra explains how these devices are used in the Westmoreland coal company in mines I know Saigon City in Vietnam where they have more than 1500 access points installed to provide Wi-Fi casinos resorts 19
University in China another example
hospitals MWR facilities case study even apparently military bases as we can see in this case study so as you can see in
a lot of different scenarios and industries so for the attack surface and scenarios I divide it to and this is mainly because the aircraft freeze scenario it's a little bit different and it has some particularities and the other scenario it's basically the rest of this nervous that we got so all of this stuff is focusing the remote implicated Boone realities that I found and the vulnerabilities that we will discuss later so first we have the the attack surface of the ethnic cable meaning like if the attacker has physical access to the access point he can just connect the cable to the to the device to any poor or to a to an administrative port and then he could if he can reach the vulnerable UDP service and mean services then technically the the attacker could exploit the issues of course in the case of the aircraft this is less likely because if the the access points at the ceiling are no I think that's an unlikely I don't know still it's a possibility but also these vulnerabilities are technically technically technically possible to exploit or the air through the Wi-Fi connection and also in the aircraft scenario we got another attack surface which is pivoting from the satellite modern to the access point from the ground let me explain this a little bit
so enough if you guys are familiar with my co-workers ruin santa marta research he recently spoke about this in in blackhat the last call for SATCOM security so basically he was able from the internet yes you're using a regular regular internet connection nothing special to hack and compromise satellite modems of aircrafts that are running there are actually flying on the air so then based on that we we saw that based on so information that we saw on the internet that the attacker should be able to reach from the satellite modem the the access point which is running the window s so this could be another attack surface and of course i must say that the safety of the aircraft in this attacks and stuffing for the wing noise and everything the safety of the aircraft is not at risk at risk it's only the communications so this is one
of the architectures and this is a satellite modern that ruin compromise and this is the access point running the wing OS and these are connected through the SMU server so we are pretty sure that it should be possible to reach the access point from the satellite modern and exploit the window s vulnerabilities then the other scenarios basically are the rest like outdoor access points or indoor access points so again the other attack surfaces again if the attacker has physical access to the access point just connect the ethernet cable and the sit and this is more likely in outdoor access points but also possible in interactive points if the attacker is inside of the office or the building or whatever but again through the Wi-Fi it's also technically possible as we'll see in the demo to exploit some of these issues and also if the attacker is somehow inside the internal network and if if the attacker has connectivity to some of these devices then obviously he can it could try to explore the issues
so let's start with the vulnerabilities the first one is not a really critical one but it was a really important one for the research because it's a hidden roots kind of backdoor so and yeah when when you get a root cell the process of the research it makes easier that this process I mean the research so but it's a kind for it's a kind of privileged distillation vulnerability because you need access to these command-line interface to get that root shell so from the Turkish perspective yeah if the attacker somehow has access to the kamala interface is good you can do a lot of stuff but if the attacker good I get a root shell then we can say that the the device is completely compromised so here we can see and this picture some in some forums from some guys asking about this services stuff so command that gets you into the native operating system but he says that Motorola made not disclose they required password to more customers so I was trying to find
information about this start cell command so all I got was like forms like that people asking about it but that's that's all I got even if if we read the window as manual we can see that yes we have a star cell command which provides access but that's all all you get so when you execute this command you get this like last password used password with this MAC address and then this password prompt asking to the user to type the password so one of you guys might think here like okay so it's telling me what what is the LastPass were used so I'm gonna try password in lowercase letters but obviously it's not gonna work here so then since we we got access to the finger image then we are going to start to statically
reverse-engineer and some some binaries to find out how this works so based on the strings we can see here the last password you use the string and then here is gonna call this validate map password francium and depending on the return value is gonna rich this basic dock where it's gonna get the root shell so let's in get inside this validate map password
francium then again it's gonna call this another one get last map password Francie on were is gonna open this file et Cie - I miss password file and the content of the file this file is this particular string and this is the default value in every wing OS this string in inside that file then after
that with the content of the file is going to execute these instructions in this loop so to play around with unicorn I am late this code I know if you guys know or are familiar with unicorn but it's an OSHA framework that uses chemo in the background and allows you to emulate several architectures but of course in order to emulate the code you need some previous reverse engineering job or work for instance here you need to know what race star points to to your input the buffer where we have the content of that of that file and also you need to know the the the register that points to the buffer where we will have the result of the operations so I
was using the Python API for unicorn and it's pretty simple so you can emulate the instructions and provide the register values and create your buffer and inside the buffer we have the content of that file and then after the
execution of emulation we are printing out here the the buffer where we have the result which is despites the result so if we look at it carefully we can see that this was the the string that we have inside the file so when the code is reading its ASCII character then we got its hex byte for its ASCII character and after that this is the result that we got after those operations in that loop so we can see that these bytes are this guy's here so basically its meaning that this is hex
then after that is gonna call our C for decryption routine it's gonna try to decrypt the content of the file I mean the D hex by it after those operations in the loop with this static key hi Sabina hardly doing by and nice key and yeah so in this case after the decryption the result is gonna be the password strain in lower case letter which makes sense because we were in the gate last password and that's why I was printing out here like last password use password in lowercase letters then after
that the code is gonna get the the MAC address of the device and then with the MAC address is gonna execute this another instructions in this loop but basically it's doing some operations with a Mac like adding some numbers to each bite of the Mac like here the first byte is add in zero then the second byte is adding one and then two three four and so on and and yeah and then after that what is going to do is call another our support the Klipsch in routine so he's going to deplete password so the which is a result for the last our support decryption but now it's with this key the the MAC address with those operations that we were talking about
and finally after that is gonna execute these another instructions which I also am elated to play around with unicorn but basically these instructions are making sure that the the result is only lowercase letters so here is the emulation as you can see and in my device for my MAC address this is the valid password which is only lowercase letters and then you can finally access to to the root cell then in the code we
can see that after the password is granted is going to open again that file the I miss password file and then it's gonna rc4 encrypt with the same key the high Savina hardly doing key the password that the user type when the password was granted meaning that the next time you you're gonna execute the service star shall command the passwords gonna be different that's why I call this like a kind of a dynamic password because the next time is it's gonna be the same and you will have to do the whole thing to calculate the password so here you have the the overall process in case you later want to to check with the slides and yeah I'm finally in the code also we can see that since we got access to the root cell then creating this file a love root in etc' then you can make it persistent and then all the time that you execute the command is not going to ask for any password again okay so now
since now we have root cell we can start to try to see more stuff about this OS for instance to check what services are running by default and for instance we can see that there are several ports like this 37.99 EDP port which is listening over all the IP addresses so in this case is the rim process there are interface module so we are going to
see a remote prolifically stack overflow of this service but this particular one only effects all their persons of the finger but I wanted to share with you guys this one because it seems that they try to fix it but they made another mistake as you as we will see shortly but yeah so now from here is the typical stuff from protocol reverse engineering so basically we trace the sockets and we know where they call these parts in the users buffer so in this case in this rugby from we we know that the the buffer length is 1000 hex which is pretty big and then just reading the code and following how the code is parsing the the users buffer we can see that there is one particular mercy memcpy were the source and the size are completely controlled by the user and the destination is a stack buffer so it's a typical stack buffer overflow so we we are here here's where we have in this red block the red be from and here's where we have a the the call off to this function where inside we have that particular bundle Wallman cpy so what we need to know to do right now is the typical reverse engineering stuff like to find out how to get from here to there just reading the code and build your own Python client to reach that
particular memcpy so this is one of the Python client to reach that stagger flow as I said this only affects all persons of the finger but based on information that I got from the control website the control devices that are used in aircraft apparently some of them could be vulnerable as as I saw in the website that they were running all their versions of the finger so apparently
they tried to fix this this stack overflow so here in in your persons of the finger so we can see here that they are checking the the size of the lemon cpy which is user control but if it's bigger than this value then it's not going to reach that vulnerable memcpy instead is gonna execute this assert print function that is gonna generate
this crash num and then it's gonna kill the the process so yeah this is a Python
code to to reach that and so yes you can kill the process but the process it will restart immediately but the problem here is that there is a what's in this system that sex if this process is alive because this process apparently is critical for the operating system so if you execute this Python script like two or three times in a row then the water think is gonna check that the the Rin process is not life and then the whole operating system is going to be rebooted that's why I call this like global denial of service
then let's move on to to the main vulnerabilities I mean there are other EDP services with with issues but we don't have time to talk about them so let's move on to to the main issues so when I was reversed and in-ear and some of the bindings then I realized that they were receiving data from from some particular sockets so when tracing these sockets I realized that they were using non-standard value sets for instance the 32x value for the domain value and some references such as this one like local mint address so I wanted to know what
the hell was this mint fin so there's no much information on the internet about this mint fin at least about how it works internally the of course obviously there are information about how to set the devices to to work with mint and stuff like that but yet basically it's a layer 2 layer 3 proprietary protocol or inally also created by Motorola and they have like two levels level one for villain and 11 to 4 IP so mint is used mainly to to communicate devices between them so for instance here we have this access points communicating between them through level 1 mint or this access point to this controller through level 2 mint or these two controllers through level 2 mint as well so yeah when when you stray some of the processes as well you can see some stuff like the socket Al's family which is not a standard AF mint the port and then the mint address which is the four last byte of the MAC address so yeah they they created their own proprietary socket address family in their kernel they have mean in my case at least ours using data gram sockets so the goal here is to be able to create a client so we can communicate with other but devices other devices using using mint so we have three options here is like the first one reverse engineer their kernel and try to make your own client and make it whirring your Linux box which is technically possible then under could be to try to emulate the whole operating system on the kernel and then make your own mint client which is also technically possible that could be a pain in the ass and then the quickest one which is the one I took because I didn't want to spend too much time working on that so find a way to build a client using their their kernel so basically what I'm doing is using a device as the attacker so running my own mint client in the operating system but but again this is not the only option I mean an attacker could use the option one or two ensue and use its own mint lining in its Linux box or whatever so attack scenarios using mint so yeah if the in my case as I'm using advice as the attacker then if the attacker connects its device to the network with I mean physically with the cable or through the Wi-Fi then if he is able to reach other access points or controllers that are using mint then he can exploit a vulnerability and of course other scenario could be that the attacker remotely compromised one device and then since he has access to the result and exploit them in issues to other devices that that connected with and then yes basically attacked the mint services that are running in access points and controllers controllers are also interesting because they are like kind of Windows domain controller meaning that controllers can have like hundreds of access points connected so if the attacker compromised one controller then he could compromise hundreds of access points and not only with the vulnerabilities but also controllers has the ability to change the configuration from only of access points and also even update the firmware of the access points remotely so the way
I created the main client in in the US so we have here in the US modified Python interpreter and they have also their own libraries such as this one for sockets and this allows us to through Python to create AF mint sockets so they have some Python compiled files in the operating system and then reverse engineering those compiled files I saw how to create my own Python client took Nate communicate through through min so basically here's them into others which is in decimal but is the four last bytes of the MAC address of the target then the port the buffer and then you can create the F min socket and then send data through through min to the target so one one
important thing about mint is that we can expect you to have mint were in a scenario where we have several access points and controllers because as I said mint is used to communicate communications between devices but also I wanted to check if a standalone access points can also use mint so yes technically as I as I saw during the my test and during the research it's possible as we can see here the the maintenance tunnel on access one is enabled by default because you can set standard access points as built for controllers for instance so the attacker what only needs to to exploit this issues is to know the IP address of the target I mean there's no any kind of authentication so this is the target my the attackers device this Motorola block access point so we only need to like to set controller host and the IP address and then the mint link is established but this is not the only way to establish I mean link as far as I know there are other other ways for instance also if you connect an access point in in in the network then the other access points could detect in automatic way this new access point and establish the main link in automatic way I'm probably there are more more ways because I'm not an expert with this mint thing so yeah
so after that in the attackers device we can see that with the show mean neighbor we can see that the the main link is already established so now we can come
and communicate through Mint so now we just need to get to find bugs in mint services so there are a lot of binaries and a lot of mint services receiving data from from sockets so this example if is from the HSD process so this particular graph is one function which is more or less big receiving data from I mean pork one specific mean port and we can see the typical pattern of the of these that looks like it's we got like switch case statements that probably are switching through an opcode or something for the protocol so one of the first
issues prehistory for it's a again pre off keyboard flow where the user has control of the size and the source and the destination buffers is the hip but the problem that we have here is that to reach that particular Mississippi why we got to go to the to the case here in the switch case statement this function is going to be executed get session by Mac and what it's going to do this function is to check if the MAC address that you have to send in your buffer it's in a list of fanta gated MAC addresses if it's not there then you won't reach that particular memcpy so luckily there is another case in the switch case statement where we can call this session a log function where we can add our fake mark address in in that particular list so first we
we just need to to execute this Python code where we will add this fake MAC address 41 41 41 41 to that particular list and then after that since our fake market resistant already there in that list then we can set we can reach that memcpy they keep your flow bins memcpy and here you can see in our of our buffer we are providing the the fake mark others and the rest is the protocol stuff to treat the dementia py
and then here we have the depress of this Mississippi why this hippo flow which since we don't have modern supply mitigations and the Lipsy version is all in this operating system it shouldn't be too complex to get code execution from this keyboard flow then
we got more hip overflows like this one pretty much the same in another suitcase a statement but basically it's exactly the same that the source user controlled size user control and destinations he
buffer now this is the debonair ad that we I will try to use in the demo so it's an stack overflow through mint as well so it's another memcpy p-- or the destination buffers and stack buffer obviously and the size is also user control but the the size and the source comes from the heap buffer and it's the heat buffer that we were discussing before with the heap overflow so the
problem that we have here is that this is the memcpy that for the stack overflow so if we want to reach the return address in the stack our buffer has to be big enough to reach that so the promised as the source comes from the heap then we'll have to also overflow the heap buffer and also overflow the next chunk and the next chance and metadata and we could have problems with ellipses sanity checks because if if the sanity checks triggers here then it could cross the the process and then it could ruin our exploit but in this case it's not gonna be a problem because in between there are no allocations from frays and so even even crass and we will be able to reach the the stack overflow after the hip or flow so for the exploit as i said that we don't have modern exploit mitigations so we could think ok we just need to jump to our circle and under sit but no so if you guys are familiar with MIPS excavation there's a well known problem is because in currents problem so we got in MIPS CPU with two different castes the instruction cache and the data cache and normally our payload so our circle it could be in the east or it could be stored in the data cache so the problem is that when we tried to jump to our circle in the memory if we circled is still in the data cast and is not flashed then we could end up trying to execute another instructions that are in in the memory so what we just need to do
is to fill the data cache and then one possibility is to fill the data cache to flush it but it depends on how big it is viscous and the regime could be to call a block infraction function such as sleep using Rob and using Rob because we could think here like okay I'm gonna write an a small shell code which cause sleep and that's it but there we we could and we could have the same problem like the that mini circle could be still at the D cache and then we will we won't be able to reach that so that's why we're using Rob and then after that then the cache will be flushed and we can jump to our circle so for the develop
exploit from the epilogue of the function where we have the stagger flow we can know what registers we have contoured with so this is very useful for the for the wrap obviously and then
this is the the gadgets that I'm using to to execute the slip and then jump to the circle and all of them from the Lib C for the shellcode
I'm using understand our reverse cell called not a big deal but I mean there are on the internet we can find several MIPS cell calls or Linux even Metasploit provides MIPS cell codes but and this particular one is from exploited database but none of these are going to work in this system and far as I know and I try to find cell culture that could work in this system are not going to work and that's why mainly because this is MIPS and 32 so mid-century 2 has some particularities for instance it uses 64 bits racers but uses 32-bit memory addresses but also what it has is different siskel codes that's why the circles are not going to work so it's not a big deal you can just open the Lipsy and check this is called code for its API is that your cell code is calling for instance this is the socket function and this is this is called code for this function and then after that
then you you got your memes and 32 shell code that is gonna work which by the way is big endian so for the exploit yeah so
remember that I'm using the black access point as the attacker and it's going to attack the the white much relax when I have here so this graph represents better the the exploit so you can understand better and I'm gonna exploit it through a mint exploit through through the Wi-Fi so this is the attackers laptop which is my Mac here so I'm gonna connect through the Wi-Fi to the target access point that because the active point is probably a Wi-Fi obviously then I have another neck cable connected to the target device and using the the internet sharing of MCOs filter then now the attackers device can connect have connectivity to the target through through the Wi-Fi and then three basic steps I'm gonna run the net conditioner in my in my laptop then I'm gonna execute them in text but with which will chain three different things as I will explain and then through the Wi-Fi it's gonna exploit the mint vulnerability and then the reverse cell we will connect back to to my listener so let's see if
it works fingers crossed so I'm connected to this
access point motor test which is the the target device and here is the the AP 71 3191 fd-80 which is my the attackers the device so with this command of nice the second place so in neighbors now we can see with this command that the mean link is already established between the target the attackers device on the target then I'm gonna access to the to the root cell so we have this shell script which is gonna execute three different Python scripts the first one is the one that adds our fake market RS in that particular list so we can reach the hip or flow then the second one is gonna trigger the keyboard flow so we are gonna overflow the hip with our cell cover up budgets and then finally we're gonna execute or trigger the stack overflow with that particular means to be white when I get from the heat buffer the D cell called and Arab gadgets you and also I have cured an ethical listener so let's see if it works or not there you go so here we have the the reverse cell and with as a route as you can see and you can see here that this is the the a P 71 31 36 f3 Israel device which is the target because the attacker was the the 91 fd-80 so yeah so this is the expert for one particular min vulnerability over the year through the
Wi-Fi [Applause]
so finally a second question so extreme networks were really responsive to us and they provided fixes and patches for most of the the issues here I'm sharing with you guys the link world you can check the patches and some other information but at the beginning apparently they didn't understand well the the impact of the issues because also they were saying that no not even all this can be directly explicit earlier which is not true as you just saw I'm some other stuff like for the mint boon or at least they were saying that the attacker must have access to a winged device that has already been compromised that's not true I mean I'm using my own device so the attacker can use its own his own device but also the attacker technically could create his own inclining his Linux box so this is not a must but yeah we personally spoke with them and then they they realized that it was wrong and they changed all this information and they are accepting now that they will not this can be exploited over the year and the attacker doesn't need to compromise device to expose them in tissues and some others other stuff so that's good so so yeah
finally I yes I think there is a lot of room room for improvement in this operating system because there are more vulnerabilities in this OS so yeah I know hopefully with this lessons learned they they will fix in a proactive way more issues and then we'll have more secure Windows devices out there so that's it so thank you very much and if you have any questions I'll be around [Applause]
Feedback