Too Many Cooks - Exploiting the Internet-of-TR-069-Things

Presented at 31C3 (2014), Dec. 28, 2014, 9:45 p.m. (60 minutes)

TL;DR We unravel the story of a bug that would become one of the most important vulnerabilities released this year. Also, we have free cookies. The findings we published earlier this year demystified the voodoo that is TR-069, demonstrated how mass pwnage can be achieved via server-side attacks, and proved the landscape is ripe for harvesting. We will continue where we left off to explore TR-069 client-side vulnerabilities; we analyze client implementations, pour some insight into mysterious results from our internet-wide scans, and follow to mass pwnage through remote code execution on millions of online devices. again. TR-069 is the de-facto standard remote management protocol that ISPs surreptitiously use to control consumer-premises equipment (these would be your home routers, set-top boxes, VoIP phones etc.), rumored to be a well-thought conspiracy devised by Internet Service Provider secret societies since the 17th century. Since its establishment in 2004, there has been a growing trend of endorsement and deployment of the CWMP/TR-069 protocol in global carriers and service providers. Despite the rising popularity of this black magic, it is often overlooked in penetration tests and security assessments of Internet gateway device attack surfaces, and wrongly so. Would they reconsider if they knew TR-069 the second most popular service openly listening on the Internet (after HTTP)? This talk will begin by describing our previous efforts presented this summer (DEF CON 22 & more), where our group revealed critically vulnerable TR-069 server deployments and discussed the incomprehensible asymmetry between the trust instated in this protocol and the measures taken to protect it (or lack thereof). Subsequently, we decided to go after clients – exposing a critical attack surface by design, listening on 0.0.0.0 with a publicly available IP address. While centralized servers are rather easily patched to close security holes, clients may take more effort… We will conclude with the shocking unveiling of one of the year's security stories, walking the audience through the discovery and exploitation of a memory corruption vulnerability in an extremely popular client implementation. Our weapon of choice this round would be embedded device reverse engineering (some soldering required), leading us all the way to remote code execution on millions of devices.

Presenters:

• Shahar Tal
  Shahar Tal leads a team of vulnerability researchers at Check Point Software Technologies. Prior to joining Check Point, Shahar held leadership roles in the Israel Defense Force (IDF), where he was trained and served as an officer in elite technology R&D units. Shahar is a proud father, husband and a security geek who still can't believe he's getting paid to travel and speak at awesome infosec cons. When you meet him, ask him to show you his hexdump tattoo.
• Lior Oppenheim
  Lior is a vulnerability researcher in the Malware & Vulnerability Research group at Check Point Software Technologies. Lior was trained and served in an elite technological unit performing security research in the IDF. In his spare time, Lior loves tap dancing, reversing, playing his guitar and pwning home routers.

Links:

• https://fahrplan.events.ccc.de/congress/2014/Fahrplan/events/6166.html
• https://www.youtube.com/watch?v=W455bd6js0s

Similar Presentations:

• Still Hacking Anyway (SHA2017) / A look at TR-06FAIL and other CPE Configuration Management Disasters
• ShmooCon XI (2015) / Come to the Dark Side - We Have (Misfortune) Cookies
• DEF CON 22 (2014) / I Hunt TR-069 Admins: Pwning ISPs Like a Boss