SlideShare una empresa de Scribd logo

Cracking into embedded devices and beyond

A
amiable_indian
Tecnología
1 de 37
Descargar para leer sin conexión
Cracking into embedded devices And beyond! - by Adrian Pastor www.procheckup.com www.gnucitizen.org
Most devices have web interfaces enabled  by default  This applies to consumer and corporate appliances The drive behind this research
The devices are ownable via their web  interface  Not just info theft is possible but also gaining root/admin privileges The drive behind this research (2)
Attack doesn‟t end after owning the  embedded device  If device not properly segmented, we can probe the internal network Why “and beyond”?
Internet -> target device -> LAN   Target device: stepping stone / bouncing point  Not many companies consider DMZing “miscellaneous” devices Why “and beyond”? (2)
Most of what we need to probe the LAN  already on device  i.e.: Axis camera with shell scripting (mish) and PHP support Why “and beyond”? (3)
Who‟s paying attention to printers,  cameras, etc? Anyone?  After all they‟re just primitive devices  Not taking into account as seriously as app / web servers security-wise Why “and beyond”? (4)
Can be exploited reliably   Can be hard to detect by IDS  No need to develop platform-specific shellcode Focus on remotely exploitable web bugs
Devices‟ web interfaces often developed  without parameter filtering in mind ◦ Real example: Linksys WAG54GS [1]  Tons of persistent XSS Lots of possibilities / attack scenarios  Focus on remotely exploitable web bugs (2)
Auth bypass  File retrieval / directory traversal  XSS - reflected and persistent!  CSRF - most devices are affected  Privilege escalation  The juicy bugs!
Any admin setting can be changed   Ideal when web int. NOT enabled on WAN Personal Fav. #1: CSRF + auth bypass
Payload is launched when admin tricked  to visit 3rd-party evil page  Evil page makes browser send forged request to vulnerable device Personal Fav. #1: CSRF + auth bypass (cont)
Web server password-protected but  enabled on WAN interface  Attacker doesn’t need to be authenticated  Malformed request to web server injects malicious payload on logs page Personal Fav. #2: Persistent XSS on logs page
Admin browses vulnerable page while  logged in  Device is compromised – ie: new admin account is added  Example: Axis 2100 IP cameras [2] Personal Fav. #2: Persistent XSS on logs page (cont)
Ironic: security-conscious admins get  owned Personal Fav. #2: Persistent XSS on logs page (cont)
No interaction required from victim admin   Usually simple to exploit. i.e.: ◦ knowledge of “authenticated” URL ◦ Replay request that changes admin setting Personal Fav. #3: Auth bypass + WAN web interface
No need to rely on password   Ideal when web interface only on LAN  Targets the internal user who can “see” the device‟s web interface  Some preauth leaks are WAY TOO GOOD – ie: WEP keys or admin passwords Personal Fav. #4: Preauth leak + XSS on preauth URL
Steal session IDs   Overwrite login form‟s „action‟ attribute  Phishing heaven!  Real example: Pers. XSS on Aruba 800 Mobility Controller's login page [3] – by Jan Fry ◦ You own the controller you own all the WAPs – sweet!  Personal Fav. #4: Pers. XSS on admin login page
Because not needing to rely on cracking a  weak password is great  Let‟s see review a few real examples Love for auth bypass bugs
Password prompt returned when  accessing http://victim.foo/  If creds correct, then redirect to “authed” URL Auth bypass type 1: unprotected URLs
Problem is no auth data (ie:  password/session ID) is transmitted  Simply knowing the admin URLs does the job! - ie: http//victim.foo/admin- settings.cgi  Real example: 3COM APXXXX (vuln not published yet) Auth bypass type 1: unprotected URLs (cont)
Resources (URLs) password protected   However, assumed to be accessed via a certain method – ie : GET  Requesting resource as POST gives the goodies!  Real example: BT Voyager 2091 Wireless ADSL [4] Auth bypass type 2: unchecked HTTP methods
Get config file without password:  POST /psiBackupInfo HTTP/1.1 Host: 192.168.1.1 Connection: close Content-Length: 0 <CRLF> <CRLF> Auth bypass type 2: unchecked HTTP methods (cont)
Admin URLs password-protected correctly   However, admin requests are NOT  Real example: Linksys WRT54GS [5] – by Ginsu Rabbit Auth bypass type 3: unprotected requests
Settings URLs requires password:  GET /wireless.htm Submitting admin request does NOT:  POST /Security.tri Content-Length: 24 SecurityMode=0&layout=en Auth bypass type 3: unprotected requests (cont)
Web server OKs multiple representations  of URL  i.e.: the following URLs could all be valid: ◦ http://victim.foo/path/ ◦ http://victim.foopath ◦ http://victim.foo/path? ◦ http://victim.foo/path. ◦ http://victim.foo/path?anyparameter=anyvalue ◦ http://victim.foo/path/ ◦ http://victim.foo/path// Auth bypass type 4: URL fuzzing
Real example: BT Home Hub and  Thomson/Alcatel Speedtouch 7G [6]  i.e.: the following URL gives you the config file without supplying creds: ◦ http://192.168.1.254/cgi/b/backup/user.ini// Auth bypass type 4: URL fuzzing (cont)
No open tcp/udp ports on WAN interface  by default  Requirement: attack must be remote  Most people would give up at this point  Possible attack vectors, anyone? BT Home Hub hacking challenge
OK, WAN is not an option   How about the LAN interface?  “Didn‟t you say it must be a remote attack?” you must be thinking  BT Home Hub hacking challenge (cont)
Think client side!   Victim user‟s browser his worst enemy  If you can‟t attack via WAN, let the internal user do it via LAN  The aikido way: blend in, take advantage of already-established channels BT Home Hub hacking challenge (cont)
The recipe:  ◦ CSRF ◦ Auth bypass The weapon:  ◦ Simple form retrieved via hidden „iframe‟ BT Home Hub hacking challenge (cont)
The attack:  ◦ Any user in Home Hub‟s LAN visits malicious web page ◦ Web page causes user‟s browser submit interesting request to Home Hub. i.e.: enable remote assistance BT Home Hub hacking challenge (cont)
BT Home Hub hacking challenge (cont)
Demo time!
[1] Persistent XSS and CSRF on Linksys WAG54GS router http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on- wireless-g-adsl-gateway-with-speedbooster-wag54gs [2] Persistent XSS on Aruba 800 Mobility Controller's login page http://www.procheckup.com/Vulnerability_PR07-26.php http://www.securityfocus.com/bid/26465 [3] Multiple vulnerabilities on Axis 2100 IP cameras http://www.procheckup.com/Vulnerability_Axis_2100_rese arch.pdf References
[4] BT Voyager Multiple Remote Authentication Bypass Vulnerabilities http://www.securityfocus.com/archive/1/440405 http://www.securityfocus.com/bid/19057/discuss [5] Linksys WRT54GS POST Request Configuration Change Authentication Bypass Vulnerability http://www.securityfocus.com/archive/1/442452/30/0/threa ded http://www.securityfocus.com/bid/19347 References (cont)
[6] BT Home Flub: Pwnin the BT Home Hub http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt- home-hub http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt- home-hub-2 http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt- home-hub-3 http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt- home-hub-4 References (cont)

Recomendados

Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 

Recomendados

Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 lokeshpidawekar
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
 
Hacking Wordpress Plugins
Hacking Wordpress PluginsHacking Wordpress Plugins
Hacking Wordpress PluginsLarry Cashdollar
 
Attacking HTML5
Attacking HTML5Attacking HTML5
Attacking HTML5AppSec_Labs
 
Web Security 101
Web Security 101Web Security 101
Web Security 101Brent Shaffer
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army FrameworkOAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army FrameworkBrent Shaffer
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooNahidul Kibria
 
Fun with exploits old and new
Fun with exploits old and newFun with exploits old and new
Fun with exploits old and newLarry Cashdollar
 
10 common cf server challenges
10 common cf server challenges10 common cf server challenges
10 common cf server challengesColdFusionConference
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking DrupalGreg Foss
 
Entity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsEntity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsMikhail Egorov
 
Making Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking itMaking Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking itTim Plummer
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
Accidente
AccidenteAccidente
Accidentejosemorales
 
Me And My Cousins
Me And My CousinsMe And My Cousins
Me And My Cousinsjumpback
 

Más contenido relacionado

La actualidad más candente

Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 lokeshpidawekar
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army FrameworkOAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army FrameworkBrent Shaffer
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooNahidul Kibria
 
Fun with exploits old and new
Fun with exploits old and newFun with exploits old and new
Fun with exploits old and newLarry Cashdollar
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking DrupalGreg Foss
 
Entity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsEntity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsMikhail Egorov
 
Making Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking itMaking Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking itTim Plummer
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 

La actualidad más candente (20)

Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015 Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
 
Hacking Wordpress Plugins
Hacking Wordpress PluginsHacking Wordpress Plugins
Hacking Wordpress Plugins
 
Attacking HTML5
Attacking HTML5Attacking HTML5
Attacking HTML5
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army FrameworkOAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs too
 
Fun with exploits old and new
Fun with exploits old and newFun with exploits old and new
Fun with exploits old and new
 
10 common cf server challenges
10 common cf server challenges10 common cf server challenges
10 common cf server challenges
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application Hacking
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking Drupal
 
Entity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsEntity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applications
 
Making Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking itMaking Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking it
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 

Destacado

Me And My Cousins
Me And My CousinsMe And My Cousins
Me And My Cousinsjumpback
 
Deseos En Esta Navidad 1877
Deseos En Esta Navidad 1877Deseos En Esta Navidad 1877
Deseos En Esta Navidad 1877steffens
 
Presentation Of The Subject
Presentation Of The SubjectPresentation Of The Subject
Presentation Of The Subjectpascual1
 
Belarus / What do we teach about our neighbours?
Belarus / What do we teach about our neighbours?Belarus / What do we teach about our neighbours?
Belarus / What do we teach about our neighbours?neighbours.vsb.lv
 

Destacado (6)

Accidente
AccidenteAccidente
Accidente
 
Me And My Cousins
Me And My CousinsMe And My Cousins
Me And My Cousins
 
Suegra
SuegraSuegra
Suegra
 
Deseos En Esta Navidad 1877
Deseos En Esta Navidad 1877Deseos En Esta Navidad 1877
Deseos En Esta Navidad 1877
 
Presentation Of The Subject
Presentation Of The SubjectPresentation Of The Subject
Presentation Of The Subject
 
Belarus / What do we teach about our neighbours?
Belarus / What do we teach about our neighbours?Belarus / What do we teach about our neighbours?
Belarus / What do we teach about our neighbours?
 

Similar a Cracking into embedded devices and beyond

Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhibhumika2108
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Your WordPress Site is and is not Hacked - You don't know until you check
Your WordPress Site is and is not Hacked - You don't know until you checkYour WordPress Site is and is not Hacked - You don't know until you check
Your WordPress Site is and is not Hacked - You don't know until you checkAngela Bowman
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Susam Pal
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptSilverGold16
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
How not to make a hacker friendly application
How not to make a hacker friendly applicationHow not to make a hacker friendly application
How not to make a hacker friendly applicationAbhinav Mishra
 
bh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdfbh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdfcyberhacker7
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 

Similar a Cracking into embedded devices and beyond (20)

Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Your WordPress Site is and is not Hacked - You don't know until you check
Your WordPress Site is and is not Hacked - You don't know until you checkYour WordPress Site is and is not Hacked - You don't know until you check
Your WordPress Site is and is not Hacked - You don't know until you check
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Isys20261 lecture 09
Isys20261 lecture 09Isys20261 lecture 09
Isys20261 lecture 09
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
 
How not to make a hacker friendly application
How not to make a hacker friendly applicationHow not to make a hacker friendly application
How not to make a hacker friendly application
 
bh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdfbh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdf
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 

Más de amiable_indian

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commonsamiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art amiable_indian
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentestersamiable_indian
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Securityamiable_indian
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...amiable_indian
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in Indiaamiable_indian
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyamiable_indian
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Codingamiable_indian
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learnedamiable_indian
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissectedamiable_indian
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunityamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentationamiable_indian
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization amiable_indian
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Timeamiable_indian
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics? amiable_indian
 
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
No Substitute for Ongoing Data, Quantification, Visualization, and Story-TellingNo Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Tellingamiable_indian
 

Más de amiable_indian (20)

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Security
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in India
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Coding
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissected
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentation
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Time
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics?
 
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
No Substitute for Ongoing Data, Quantification, Visualization, and Story-TellingNo Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
 

Último

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 

Último (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Cracking into embedded devices and beyond

  • 1. Cracking into embedded devices And beyond! - by Adrian Pastor www.procheckup.com www.gnucitizen.org
  • 2. Most devices have web interfaces enabled  by default  This applies to consumer and corporate appliances The drive behind this research
  • 3. The devices are ownable via their web  interface  Not just info theft is possible but also gaining root/admin privileges The drive behind this research (2)
  • 4. Attack doesn‟t end after owning the  embedded device  If device not properly segmented, we can probe the internal network Why “and beyond”?
  • 5. Internet -> target device -> LAN   Target device: stepping stone / bouncing point  Not many companies consider DMZing “miscellaneous” devices Why “and beyond”? (2)
  • 6. Most of what we need to probe the LAN  already on device  i.e.: Axis camera with shell scripting (mish) and PHP support Why “and beyond”? (3)
  • 7. Who‟s paying attention to printers,  cameras, etc? Anyone?  After all they‟re just primitive devices  Not taking into account as seriously as app / web servers security-wise Why “and beyond”? (4)
  • 8. Can be exploited reliably   Can be hard to detect by IDS  No need to develop platform-specific shellcode Focus on remotely exploitable web bugs
  • 9. Devices‟ web interfaces often developed  without parameter filtering in mind ◦ Real example: Linksys WAG54GS [1]  Tons of persistent XSS Lots of possibilities / attack scenarios  Focus on remotely exploitable web bugs (2)
  • 10. Auth bypass  File retrieval / directory traversal  XSS - reflected and persistent!  CSRF - most devices are affected  Privilege escalation  The juicy bugs!
  • 11. Any admin setting can be changed   Ideal when web int. NOT enabled on WAN Personal Fav. #1: CSRF + auth bypass
  • 12. Payload is launched when admin tricked  to visit 3rd-party evil page  Evil page makes browser send forged request to vulnerable device Personal Fav. #1: CSRF + auth bypass (cont)
  • 13. Web server password-protected but  enabled on WAN interface  Attacker doesn’t need to be authenticated  Malformed request to web server injects malicious payload on logs page Personal Fav. #2: Persistent XSS on logs page
  • 14. Admin browses vulnerable page while  logged in  Device is compromised – ie: new admin account is added  Example: Axis 2100 IP cameras [2] Personal Fav. #2: Persistent XSS on logs page (cont)
  • 15. Ironic: security-conscious admins get  owned Personal Fav. #2: Persistent XSS on logs page (cont)
  • 16. No interaction required from victim admin   Usually simple to exploit. i.e.: ◦ knowledge of “authenticated” URL ◦ Replay request that changes admin setting Personal Fav. #3: Auth bypass + WAN web interface
  • 17. No need to rely on password   Ideal when web interface only on LAN  Targets the internal user who can “see” the device‟s web interface  Some preauth leaks are WAY TOO GOOD – ie: WEP keys or admin passwords Personal Fav. #4: Preauth leak + XSS on preauth URL
  • 18. Steal session IDs   Overwrite login form‟s „action‟ attribute  Phishing heaven!  Real example: Pers. XSS on Aruba 800 Mobility Controller's login page [3] – by Jan Fry ◦ You own the controller you own all the WAPs – sweet!  Personal Fav. #4: Pers. XSS on admin login page
  • 19. Because not needing to rely on cracking a  weak password is great  Let‟s see review a few real examples Love for auth bypass bugs
  • 20. Password prompt returned when  accessing http://victim.foo/  If creds correct, then redirect to “authed” URL Auth bypass type 1: unprotected URLs
  • 21. Problem is no auth data (ie:  password/session ID) is transmitted  Simply knowing the admin URLs does the job! - ie: http//victim.foo/admin- settings.cgi  Real example: 3COM APXXXX (vuln not published yet) Auth bypass type 1: unprotected URLs (cont)
  • 22. Resources (URLs) password protected   However, assumed to be accessed via a certain method – ie : GET  Requesting resource as POST gives the goodies!  Real example: BT Voyager 2091 Wireless ADSL [4] Auth bypass type 2: unchecked HTTP methods
  • 23. Get config file without password:  POST /psiBackupInfo HTTP/1.1 Host: 192.168.1.1 Connection: close Content-Length: 0 <CRLF> <CRLF> Auth bypass type 2: unchecked HTTP methods (cont)
  • 24. Admin URLs password-protected correctly   However, admin requests are NOT  Real example: Linksys WRT54GS [5] – by Ginsu Rabbit Auth bypass type 3: unprotected requests
  • 25. Settings URLs requires password:  GET /wireless.htm Submitting admin request does NOT:  POST /Security.tri Content-Length: 24 SecurityMode=0&layout=en Auth bypass type 3: unprotected requests (cont)
  • 26. Web server OKs multiple representations  of URL  i.e.: the following URLs could all be valid: ◦ http://victim.foo/path/ ◦ http://victim.foopath ◦ http://victim.foo/path? ◦ http://victim.foo/path. ◦ http://victim.foo/path?anyparameter=anyvalue ◦ http://victim.foo/path/ ◦ http://victim.foo/path// Auth bypass type 4: URL fuzzing
  • 27. Real example: BT Home Hub and  Thomson/Alcatel Speedtouch 7G [6]  i.e.: the following URL gives you the config file without supplying creds: ◦ http://192.168.1.254/cgi/b/backup/user.ini// Auth bypass type 4: URL fuzzing (cont)
  • 28. No open tcp/udp ports on WAN interface  by default  Requirement: attack must be remote  Most people would give up at this point  Possible attack vectors, anyone? BT Home Hub hacking challenge
  • 29. OK, WAN is not an option   How about the LAN interface?  “Didn‟t you say it must be a remote attack?” you must be thinking  BT Home Hub hacking challenge (cont)
  • 30. Think client side!   Victim user‟s browser his worst enemy  If you can‟t attack via WAN, let the internal user do it via LAN  The aikido way: blend in, take advantage of already-established channels BT Home Hub hacking challenge (cont)
  • 31. The recipe:  ◦ CSRF ◦ Auth bypass The weapon:  ◦ Simple form retrieved via hidden „iframe‟ BT Home Hub hacking challenge (cont)
  • 32. The attack:  ◦ Any user in Home Hub‟s LAN visits malicious web page ◦ Web page causes user‟s browser submit interesting request to Home Hub. i.e.: enable remote assistance BT Home Hub hacking challenge (cont)
  • 33. BT Home Hub hacking challenge (cont)
  • 35. [1] Persistent XSS and CSRF on Linksys WAG54GS router http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on- wireless-g-adsl-gateway-with-speedbooster-wag54gs [2] Persistent XSS on Aruba 800 Mobility Controller's login page http://www.procheckup.com/Vulnerability_PR07-26.php http://www.securityfocus.com/bid/26465 [3] Multiple vulnerabilities on Axis 2100 IP cameras http://www.procheckup.com/Vulnerability_Axis_2100_rese arch.pdf References
  • 36. [4] BT Voyager Multiple Remote Authentication Bypass Vulnerabilities http://www.securityfocus.com/archive/1/440405 http://www.securityfocus.com/bid/19057/discuss [5] Linksys WRT54GS POST Request Configuration Change Authentication Bypass Vulnerability http://www.securityfocus.com/archive/1/442452/30/0/threa ded http://www.securityfocus.com/bid/19347 References (cont)
  • 37. [6] BT Home Flub: Pwnin the BT Home Hub http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt- home-hub http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt- home-hub-2 http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt- home-hub-3 http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt- home-hub-4 References (cont)