post avatar

Agile Hacking: a homegrown telnet-based portscanner

So here is the scenario: the attacker has limited access to a box and he/she needs to perform a portscan from it. However, he/she does not want to download any tools to the target system. There might be various reasons for not wanting to upload a portscanner to the box. Perhaps, the attacker wants to minimize the footprint. [...]

» more | » comments rss | posted by Adrian 'pagvac' Pastor
post avatar

Default key algorithm in Thomson and BT Home Hub routers

Yes, we’re back with more embedded devices vulnerability research! And yes, we’re also back with more security attacks against the BT Home Hub (most popular DSL router in the UK)!

As you know, we encourage folks in the community to team up with GNUCITIZEN in different projects as we’ve had very successful experiences doing so. This time it was Kevin Devine’s turn. [...]

» more | » comments rss | posted by Adrian 'pagvac' Pastor
post avatar

ZyXEL Gateways Vulnerability Research (Part 2)

Here is the second version of the ZyXEL routers penetration testing paper. This second part of the paper is also fully practical just like the first one. No theory whatsoever, but rather real juicy attacks which is what we pentesters/whitehats are interested in (after all we need to be aware of what the bad guys can do)!. Unlike the first part of the paper, this one focuses more on attack techniques rather than newly-discovered vulnerabilities. [...]

» more | » comments rss | posted by Adrian 'pagvac' Pastor
post avatar

Exploring the UNKNOWN: Scanning the Internet via SNMP!

Hacking is not only about coming up with interesting solutions to problems, but also about exploring the unknown. It was this drive for knowledge philosophy that lead to surveying a significant sample of the Internet which allowed us to make some VERY interesting observations and get an idea of the current state of remote SNMP hacking.

Why SNMP?

2.5 million random IP addresses were surveyed via SNMP. Why SNMP you might be asking? Well, there are several reasons. [...]

» more | » comments rss | posted by Adrian 'pagvac' Pastor
post avatar

HITB Dubai 2008: we can’t wait!

One of the things I like about the hacker/security community is how much ideas exchanging takes place. Most researchers soon realize that there is nothing like a good session of sharing ideas with other peers in order to come up with even more interesting thoughts!

We’re happy to say that GNUCITIZEN will be part of one of the events we were the most interested in: HITB Dubai 2008. [...]

» more | » comments rss | posted by Adrian 'pagvac' Pastor
post avatar

Holes in Embedded Devices: Authentication bypass (pt 4)

This kind of authentication bypass bug can go easily undetected during a security assessment if not enough attention is paid. In order to understand this type of vulnerability, we need to be familiar with settings pages available on devices’ web interface that allow the admin user to modify settings.

Administrative web interfaces have different sections/menus available to logged-in administrators. Each section is just a HTML page with a form designed to make configuration changes. [...]

» more | » comments rss | posted by Adrian 'pagvac' Pastor
post avatar

Holes in Embedded Devices: Authentication bypass (pt 3)

A device that is vulnerable to this issue, only performs an authentication check (i.e.: is the password being submitted with a request via basic authentication?) when the request is performed using a certain HTTP method. For instance, most devices have a feature to backup the config file which contains all the configuration settings including admin credentials.

» more | » comments rss | posted by Adrian 'pagvac' Pastor
post avatar

Holes in Embedded Devices: Authentication bypass (pt 2)

Usually, when accessing a web interface of an appliance, the user is prompted to enter a password if not authenticated already. This could be done via a HTML form on the login page or a basic HTTP authentication prompt (among other methods). Let’s call the authentication stage: A. Once, the admin user enters a username/password combination, the device checks the provided combination against credentials stored in its internal configuration. [...]

» more | » comments rss | posted by Adrian 'pagvac' Pastor
post avatar

Holes in Embedded Devices: Authentication bypass (pt 1)

Finding authentication bypass bugs is an obvious choice for attackers, since such bugs allow administrative changes to be made without knowledge of the admin password. In other words, compromising the target device without requiring a password is of course something attackers are interested in! You bet! [...]

» more | » comments rss | posted by Adrian 'pagvac' Pastor
post avatar

Holes in Embedded Devices: Desynchronized service acting as backdoor

Embedded devices usually offer different types of services or interfaces so they can be configured by administrators remotely either from the Internet or over the LAN. Some of the most common examples include Telnet, FTP, SSH, HTTP (web console), HTTPS and SNMP.

Provided that such services are allowed to be accessible from the Internet, the embedded device could be configured by an administrator who could be located anywhere on the planet. [...]

» more | » comments rss | posted by Adrian 'pagvac' Pastor