Through the Looking-Glass, and what Eve found there
http://www.s3.eurecom.fr/lg/
Luca 'kaeso' Bruno <[email protected]>, Mariano 'emdel' Graziano <[email protected]>
10/08/2014
About us
• S3 group at Eurecom (FR): system security
– Embedded systems
– Networking devices
– Critical infrastructures
– Memory forensics
– Malware research
Outline
• Motivations
• Intro to looking glasses
• Threats
• Vulns & incidents
• Countermeasures
Motivations – how this started
• Picture yourself as a newbie cybercriminal looking for the next target
– Aim: critical infrastructure → the Internet
– Impact: worldwide → traffic routing across ASes
– Skill level: low → basic web skills, Google dorks, etc.
– Goal: wreak havoc → gaining access to BGP routers
Motivations – how this started
• Picture yourself as a newbie cybercriminal looking for the next target
A good candidate: LOOKING GLASS
The Internet
• A network of networks, glued by BGP
http://www.caida.org/research/topology/as_core_network/2014/
One routing-table, many routing-tables
• BGP is worldwide, each AS routing table is a (partial) local view
• What you see depends on where you are
http://blog.thousandeyes.com/4-real-bgp-troubleshooting-scenarios/
Connectivity troubleshooting
• NOC tools for troubleshooting:
– Distributed BGP probes, e.g. RIPE Labs
– Private shell exchange, e.g. NLNOG
– Limited web access to routers, i.e. via looking glasses
What's in a looking glass
• A simple '90s-style web script:
– Usually PHP or Perl
– Single file, can be dropped in the webroot
– Direct connection to the SSH/telnet router console
– Cleartext config file (i.e. credentials)
How does it work
[Diagram: three ASes (AS64496, AS64497, AS64498), each with its own NOC. In each AS the router's public IP (data + BGP) faces the Internet on the public net, the private admin console (telnet/SSH) sits on the private net, and the looking glass, exposed as a public web service, is the bridge between the two.]
What does it look like
Where to get it
• Focus on the most common open-source ones:
– Cougar LG (Perl)
– Cistron LG (Perl)
– MRLG (Perl)
– MRLG4PHP (PHP)
Targeting humans
• Assume bug-proof software
• Humans can still misdeploy it, and forget to:
– Enable CGI/mod_php/mod_perl
– Protect config files
– Protect private SSH keys
→ Exposed router credentials
Targeting the web-app
• Assume some minor bugs may exist in the web frontend
• Pwn the LG web interface:
– Improper escaping
– XSS/CSRF/etc.
→ Cookie stealing for other web services
Targeting the server
• Assume some medium-severity bugs may exist in the whole package
• Pwn the host through the LG:
– Embedded third-party tools
– Forked/modified modules
→ Escalate to the hosting server
Targeting the router
• Assume important bugs may exist in the backend
• Pwn the router through the LG:
– Missing input escaping
– Command injection to the router
– Known bugs in the router CLI
→ Escalate to router administration
Targeting the Internet
• Assume you control multiple routers in multiple ASes
• Pwn the Internet:
– Reroute/blackhole local traffic
– Announce bogus BGP prefixes
→ Chaos ensues :)
Web issues
• Exposed Credentials:
– Stored in cleartext: IPs, usernames and passwords
– Configuration files at known URLs
• Cookie Stealing:
– XSS vulnerabilities in the LG, used to target other web apps
Web Misconfigurations
• Google dorks for login credentials:
– Find LG configuration files
– Examples:
● "login" "telnet" inurl:lg.conf
● "login" "pass" inurl:lg.cfg
Google Dorks – Exposing conf files
Default config paths
● Example from the Cougar LG root directory:
as.txt CHANGELOG communities.txt COPYING favicon.ico lg.cgi lg.conf makeaslist.pl makedb.pl README
● So just crawl for it: $BASE_LG_URL/lg.conf
Best Practices :)
The README sometimes mentions them:
...still, we found about 35 exposed cases!
Exposed Source Code
Exposed Private SSH Keys
• Default path for SSH keys (CVE-2014-3929) in Cougar LG
• Where are SSH private keys stored?
lg.conf:18 → /var/www/.ssh/private_key
First steps into the web
• No CAPTCHA anywhere!
• This eases the attacker's work:
– Automated resource mapping (pingback and conf dumping)
– Automated command injection
– Automated attacks from multiple ASes (if bugs are found)
XSS
• XSS in <title> via the "addr" parameter (CVE-2014-3926)
• LGs by themselves may not be worthy web targets...
– But other NOC services often live under the same-origin domain!
XSS – for the lulz!
Router Command Injection
• What if you can run whatever CLI command you want‽
– CVE-2014-3927 in MRLG4PHP
• 'argument' parameter issue
– HTML escaping != sanitization
• Let's look at the code (mrlglib.php:120)
![Page 39: Through the looking-glass, and what Eve found there · 2019-12-17 · 10/08/2014 8 Motivations – how this started • Picture yourself as a newbie cyber criminal looking for the](https://reader033.vdocument.in/reader033/viewer/2022050220/5f663cf2112ab35502274b1d/html5/thumbnails/39.jpg)
3910/08/2014
Router Command Injection - PoC
• From HTTP to the router CLI, just by adding newlines :)
curl --data 'routerid=10&requestid=50&argument=8.8.8.8%0Adate%0Aexit%0A'
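The "HTML escape != sanitization" point above, as an added example that is not MRLG4PHP's own code: a builder that only HTML-escapes the `argument` parameter before it reaches the router console, next to a hardened builder that validates it against an allowlist. Function names, request ids and command templates are hypothetical; the payload is constructed with the shape of the PoC above.

```php
<?php
// Added example (not MRLG4PHP's own code): why HTML-escaping the "argument"
// parameter cannot stop injection into a router CLI session, next to a strict
// allowlist validator. Function names, request ids and command templates are
// hypothetical/constructed.

// Constructed command table: requestid selects a fixed template; the argument
// is the only user-controlled part that reaches the router.
const LG_COMMANDS = [
    50 => 'ping %s',
    51 => 'traceroute %s',
    52 => 'show ip bgp %s',
];

// Vulnerable pattern (the one the slides describe): htmlspecialchars() only
// neutralises characters meaningful to a browser (< > & " '). A newline (%0A
// in the request) is not one of them, so the router console reads it as the
// end of one command and the start of the next.
function build_command_vulnerable(int $requestid, string $argument): ?string
{
    if (!array_key_exists($requestid, LG_COMMANDS)) {
        return null;
    }
    $escaped = htmlspecialchars($argument, ENT_QUOTES); // output encoding, not input validation
    return sprintf(LG_COMMANDS[$requestid], $escaped);
}

// Hardened version: positive validation. Accept exactly one IPv4 or IPv6
// address, optionally with a prefix length, and nothing else. Control
// characters, whitespace and CLI metacharacters all fail the checks and are
// rejected rather than "cleaned up".
function validate_lg_argument(string $argument): ?string
{
    // Any control character (LF, CR, NUL, ESC, ...) means refuse immediately.
    if (preg_match('/[\x00-\x1f\x7f]/', $argument)) {
        return null;
    }
    $parts = explode('/', $argument, 2);
    if (filter_var($parts[0], FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (count($parts) === 2) {
        $maxlen = strpos($parts[0], ':') !== false ? 128 : 32;
        if (!ctype_digit($parts[1]) || (int) $parts[1] > $maxlen) {
            return null;
        }
    }
    return $argument;
}

function build_command_hardened(int $requestid, string $argument): ?string
{
    if (!array_key_exists($requestid, LG_COMMANDS)) {
        return null;
    }
    $clean = validate_lg_argument($argument);
    if ($clean === null) {
        return null; // log the attempt and refuse; nothing is sent to the router
    }
    return sprintf(LG_COMMANDS[$requestid], $clean);
}

// Constructed input with the shape of the PoC on the slide, after PHP has
// URL-decoded the POST body: an address followed by two injected lines.
$payload = "8.8.8.8\ndate\nexit\n";
var_dump(build_command_vulnerable(50, $payload)); // the injected lines pass through untouched
var_dump(build_command_hardened(50, $payload));   // refused
var_dump(build_command_hardened(52, '2001:db8::/32'));
```

Pairing a fixed command table with a validator that refuses anything but an address or prefix also removes the need to escape for the router's CLI at all, which is the part HTML escaping was never designed for.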
![Page 40: Through the looking-glass, and what Eve found there · 2019-12-17 · 10/08/2014 8 Motivations – how this started • Picture yourself as a newbie cyber criminal looking for the](https://reader033.vdocument.in/reader033/viewer/2022050220/5f663cf2112ab35502274b1d/html5/thumbnails/40.jpg)
4010/08/2014
Remote Memory Corruption
• Sometimes LGs ship with embedded third-party binaries
– CVE-2014-3931 in MRLG (fastping SUID binary)
• The ICMP echo reply is used without proper validation
– fastping.c:546 Riempie_Ritardi( *((long *)&(icp->icmp_data[8])) , triptime );
• Let's have a look at the code
![Page 41: Through the looking-glass, and what Eve found there · 2019-12-17 · 10/08/2014 8 Motivations – how this started • Picture yourself as a newbie cyber criminal looking for the](https://reader033.vdocument.in/reader033/viewer/2022050220/5f663cf2112ab35502274b1d/html5/thumbnails/41.jpg)
4110/08/2014
Remote Memory Corruption
![Page 42: Through the looking-glass, and what Eve found there · 2019-12-17 · 10/08/2014 8 Motivations – how this started • Picture yourself as a newbie cyber criminal looking for the](https://reader033.vdocument.in/reader033/viewer/2022050220/5f663cf2112ab35502274b1d/html5/thumbnails/42.jpg)
4210/08/2014
Exploitation notes
• Third-party, probably not commonly deployed
– WONTFIX by upstream
• Time-dependent...
– But you get the host time in the ICMP echo request!
• Every ICMP reply can overwrite one long word in memory...
– And you have 100 probes on every try
![Page 43: Through the looking-glass, and what Eve found there · 2019-12-17 · 10/08/2014 8 Motivations – how this started • Picture yourself as a newbie cyber criminal looking for the](https://reader033.vdocument.in/reader033/viewer/2022050220/5f663cf2112ab35502274b1d/html5/thumbnails/43.jpg)
4310/08/2014
Talking about network design
● Router admin consoles needlessly exposed on globally routable interfaces
![Page 44: Through the looking-glass, and what Eve found there · 2019-12-17 · 10/08/2014 8 Motivations – how this started • Picture yourself as a newbie cyber criminal looking for the](https://reader033.vdocument.in/reader033/viewer/2022050220/5f663cf2112ab35502274b1d/html5/thumbnails/44.jpg)
4410/08/2014
Outline
• Motivations
• Intro to looking glasses
• Threat model
• Vulns & incidents
• Countermeasures
![Page 45: Through the looking-glass, and what Eve found there · 2019-12-17 · 10/08/2014 8 Motivations – how this started • Picture yourself as a newbie cyber criminal looking for the](https://reader033.vdocument.in/reader033/viewer/2022050220/5f663cf2112ab35502274b1d/html5/thumbnails/45.jpg)
4510/08/2014
Code-wise
• Understand that exposing router consoles to the web with hardcoded credentials can be dangerous!
• Review all critical web services written during the wild-west '90s
![Page 46: Through the looking-glass, and what Eve found there · 2019-12-17 · 10/08/2014 8 Motivations – how this started • Picture yourself as a newbie cyber criminal looking for the](https://reader033.vdocument.in/reader033/viewer/2022050220/5f663cf2112ab35502274b1d/html5/thumbnails/46.jpg)
4610/08/2014
Deployment-wise
• Prefer a dedicated read-only route server as the LG endpoint
• Check whether your private files are reachable over the web (LG config, SSH keys)
• Double-check your web server config! (vhost vs. default docroot)
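The last two points above as an added configuration example (not from the talk): an Apache 2.4 vhost that serves only the looking-glass CGI and refuses the config files, helper scripts and dot-directories listed on the earlier slides. The install path /var/www/lg and the hostname lg.example.net are placeholders; the /var/www/.ssh location follows the Cougar default quoted above.

```apache
# Added example, not from the talk: an Apache 2.4 vhost for a looking glass.
# Assumptions: the LG is installed in /var/www/lg (placeholder), only lg.cgi is
# meant to be served, and the SSH key sits under /var/www/.ssh as in the
# Cougar default from the slides. lg.example.net is a placeholder hostname.
<VirtualHost *:443>
    ServerName lg.example.net
    # Point the vhost at the LG directory itself, not at the parent /var/www,
    # otherwise /.ssh/ and anything else under the default docroot is served.
    DocumentRoot /var/www/lg

    <Directory /var/www/lg>
        # No directory listings (as.txt, lg.conf, makedb.pl ... would be visible)
        # and make sure the CGI is executed rather than served as source.
        Options -Indexes +ExecCGI
        AddHandler cgi-script .cgi
        Require all granted
    </Directory>

    # Config and helper files live next to lg.cgi; never hand them out as text.
    <FilesMatch "\.(conf|cfg|pl|txt)$">
        Require all denied
    </FilesMatch>

    # Dotfiles and dot-directories (.ssh, .git, .htpasswd ...) are never web content.
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
    <DirectoryMatch "/\.">
        Require all denied
    </DirectoryMatch>
</VirtualHost>
```

Check the default vhost as well: if it still serves /var/www, the same files stay reachable by IP address or under any other hostname, which is exactly the vhost vs. default docroot mistake the slide warns about.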
![Page 47: Through the looking-glass, and what Eve found there · 2019-12-17 · 10/08/2014 8 Motivations – how this started • Picture yourself as a newbie cyber criminal looking for the](https://reader033.vdocument.in/reader033/viewer/2022050220/5f663cf2112ab35502274b1d/html5/thumbnails/47.jpg)
4710/08/2014
Administration-wise
• Set up proper ACLs on your routers
• Use strong, unique passwords
• Put admin and out-of-band services in private VLANs and subnets!
![Page 48: Through the looking-glass, and what Eve found there · 2019-12-17 · 10/08/2014 8 Motivations – how this started • Picture yourself as a newbie cyber criminal looking for the](https://reader033.vdocument.in/reader033/viewer/2022050220/5f663cf2112ab35502274b1d/html5/thumbnails/48.jpg)
4810/08/2014
Recap
• Best practices are often disregarded
• Unaudited, old, forgotten code often sits in critical places
• Attackers go for the weak links...
– and escalate quickly!
The Internet core is fragile
![Page 49: Through the looking-glass, and what Eve found there · 2019-12-17 · 10/08/2014 8 Motivations – how this started • Picture yourself as a newbie cyber criminal looking for the](https://reader033.vdocument.in/reader033/viewer/2022050220/5f663cf2112ab35502274b1d/html5/thumbnails/49.jpg)
4910/08/2014
Fin
Thank you for listening!
Thanks to all the members of the NOPS team, who helped with bug finding
![Page 50: Through the looking-glass, and what Eve found there · 2019-12-17 · 10/08/2014 8 Motivations – how this started • Picture yourself as a newbie cyber criminal looking for the](https://reader033.vdocument.in/reader033/viewer/2022050220/5f663cf2112ab35502274b1d/html5/thumbnails/50.jpg)
5010/08/2014
Backup – router CLI escalation
● Cracking Cisco weak hashes
– Type 0, Type 5, Type 4 (cisco-sr-20130318-type4)
● Exploiting CLI bugs
– Cisco, AAA command authorization bypass (cisco-sr-20060125-aaatcl)
– Juniper, unauthorized user can obtain root access using the CLI (JSA10420)
– Juniper, multiple privilege escalation vulnerabilities in the Junos CLI (JSA10608)
Backup – reported incidents