So here is the scenario: the attacker has limited access to a box and he/she needs to perform a portscan from it. However, he/she does not want to download any tools to the target system. There might be various reasons for not wanting to upload a portscanner to the box. Perhaps, the attacker wants to minimize the footprint. [...]
Yes, we’re back with more embedded devices vulnerability research! And yes, we’re also back with more security attacks against the BT Home Hub (most popular DSL router in the UK)!
As you know, we encourage folks in the community to team up with GNUCITIZEN in different projects as we’ve had very successful experiences doing so. This time it was Kevin Devine’s turn. [...]
Here is the second version of the ZyXEL routers penetration testing paper. This second part of the paper is also fully practical just like the first one. No theory whatsoever, but rather real juicy attacks which is what we pentesters/whitehats are interested in (after all we need to be aware of what the bad guys can do)!. Unlike the first part of the paper, this one focuses more on attack techniques rather than newly-discovered vulnerabilities. [...]
Hacking is not only about coming up with interesting solutions to problems, but also about exploring the unknown. It was this drive for knowledge philosophy that lead to surveying a significant sample of the Internet which allowed us to make some VERY interesting observations and get an idea of the current state of remote SNMP hacking.
Why SNMP?
2.5 million random IP addresses were surveyed via SNMP. Why SNMP you might be asking? Well, there are several reasons. [...]
One of the things I like about the hacker/security community is how much ideas exchanging takes place. Most researchers soon realize that there is nothing like a good session of sharing ideas with other peers in order to come up with even more interesting thoughts!
We’re happy to say that GNUCITIZEN will be part of one of the events we were the most interested in: HITB Dubai 2008. [...]
This kind of authentication bypass bug can go easily undetected during a security assessment if not enough attention is paid. In order to understand this type of vulnerability, we need to be familiar with settings pages available on devices’ web interface that allow the admin user to modify settings.
Administrative web interfaces have different sections/menus available to logged-in administrators. Each section is just a HTML page with a form designed to make configuration changes. [...]
A device that is vulnerable to this issue, only performs an authentication check (i.e.: is the password being submitted with a request via basic authentication?) when the request is performed using a certain HTTP method. For instance, most devices have a feature to backup the config file which contains all the configuration settings including admin credentials.
Usually, when accessing a web interface of an appliance, the user is prompted to enter a password if not authenticated already. This could be done via a HTML form on the login page or a basic HTTP authentication prompt (among other methods). Let’s call the authentication stage: A. Once, the admin user enters a username/password combination, the device checks the provided combination against credentials stored in its internal configuration. [...]
Finding authentication bypass bugs is an obvious choice for attackers, since such bugs allow administrative changes to be made without knowledge of the admin password. In other words, compromising the target device without requiring a password is of course something attackers are interested in! You bet! [...]
Embedded devices usually offer different types of services or interfaces so they can be configured by administrators remotely either from the Internet or over the LAN. Some of the most common examples include Telnet, FTP, SSH, HTTP (web console), HTTPS and SNMP.
Provided that such services are allowed to be accessible from the Internet, the embedded device could be configured by an administrator who could be located anywhere on the planet. [...]
