added documentation for revolabs utilities, expanded writeup to include firmware digging
This commit is contained in:
parent
54162416fa
commit
4dc3acc0dd
1
.gitignore
vendored
1
.gitignore
vendored
@ -15,6 +15,7 @@
|
|||||||
debian-binary
|
debian-binary
|
||||||
*.ipk
|
*.ipk
|
||||||
*.extracted
|
*.extracted
|
||||||
|
*.csv
|
||||||
|
|
||||||
# lg binaries
|
# lg binaries
|
||||||
_ipk-*
|
_ipk-*
|
||||||
|
@ -11,4 +11,4 @@ name | description | url
|
|||||||
[HooToo TripMate series](http://www.hootoo.com) | there are lots of problems, some end up at root access | [hootoo](hootoo)
|
[HooToo TripMate series](http://www.hootoo.com) | there are lots of problems, some end up at root access | [hootoo](hootoo)
|
||||||
[Philips Hue](http://www.meethue.com) | device communication insecure, Ruby library/CLI to control via REST HTTP | [hued](https://github.com/chorankates/hued)
|
[Philips Hue](http://www.meethue.com) | device communication insecure, Ruby library/CLI to control via REST HTTP | [hued](https://github.com/chorankates/hued)
|
||||||
[RAV FileHub](http://www.ravpower.com/ravpower-rp-wd02-filehub-6000mah-power-bank.html) | a HooToo by any other name.. but with a twist | [rav-filehub](rav-filehub)
|
[RAV FileHub](http://www.ravpower.com/ravpower-rp-wd02-filehub-6000mah-power-bank.html) | a HooToo by any other name.. but with a twist | [rav-filehub](rav-filehub)
|
||||||
[RevoLabs flx UC1000](http://www.revolabs.com/products/conference-phones/wired-conference-phones/flx-uc-phones/flx-uc-1000-speakerphone) | brute forcing the PIN | [revolabs-flx_uc_1000](revolabs-flx_uc_1000)
|
[RevoLabs flx UC1000](http://www.revolabs.com/products/conference-phones/wired-conference-phones/flx-uc-phones/flx-uc-1000-speakerphone) | more than just brute forcing the PIN | [revolabs-flx_uc_1000](revolabs-flx_uc_1000)
|
||||||
|
@ -4,7 +4,7 @@ found this device in a conference room, found the IP from an unauthenticated men
|
|||||||
|
|
||||||
## story time
|
## story time
|
||||||
|
|
||||||
from the page that loaded when you first hit `http://<device>`, i noticed `app.js` was being loaded.
|
from the page that loaded when you first hit `http://<device>`, noticed `app.js` was being loaded.
|
||||||
|
|
||||||
in it, i found:
|
in it, i found:
|
||||||
```json
|
```json
|
||||||
@ -15,14 +15,41 @@ in it, i found:
|
|||||||
|
|
||||||
so we can assume that there are only 9999 possibilities, which is definitely small enough to brute force.
|
so we can assume that there are only 9999 possibilities, which is definitely small enough to brute force.
|
||||||
|
|
||||||
there doesn't seem to be any protection/rate limiting, so..
|
there doesn't seem to be any protection/rate limiting - other than the CPU, so.. [bf_login.rb](bf_login.rb)
|
||||||
|
|
||||||
## tools
|
## tools
|
||||||
name | description
|
name | description
|
||||||
-----|-------------
|
-----|-------------
|
||||||
[bf_login.rb](bf_login.rb) | brute forces the PIN on the web interface
|
[bf_login.rb](bf_login.rb) | brute forces the PIN on the web interface
|
||||||
|
[generate_contacts.rb](generate_contacts.rb) | generates potentially malicious contact files to be uploaded
|
||||||
|
|
||||||
## functionality exposed
|
### bf_login.rb
|
||||||
|
|
||||||
|
key | value
|
||||||
|
---------|------
|
||||||
|
single | `./bf_login.rb 192.168.1.1`
|
||||||
|
range | `./bf_login.rb 192.168.1.*`, will hit 1..254
|
||||||
|
|
||||||
|
attempts to connect to an HTTP endpoint, and then attempts to auth until the PIN is found:
|
||||||
|
* valid range is `0000` to `9999`
|
||||||
|
* since possibly set by humans, prioritize progressive/related/repeating combinations
|
||||||
|
|
||||||
|
found PINs are output to a SQLite3 database, `bflogin.db`, and if scanning a host where PIN is already known, they immediately return.
|
||||||
|
|
||||||
|
### generate_contacts.rb
|
||||||
|
|
||||||
|
key | value
|
||||||
|
------|------
|
||||||
|
usage | `./generate_contacts.rb`
|
||||||
|
|
||||||
|
builds potentially (as in untested) malicious contact files, attempting to exploit:
|
||||||
|
|
||||||
|
* too many contacts, currently 100k (2.9mb) (`contacts-huge.csv`)
|
||||||
|
* duplicate name/phone/ID contacts (`contacts-duplicates.csv`)
|
||||||
|
|
||||||
|
more testing and expansion to come.
|
||||||
|
|
||||||
|
## functionality exposed via web interface
|
||||||
* change settings
|
* change settings
|
||||||
* screen brightness, timeout, enable/disable
|
* screen brightness, timeout, enable/disable
|
||||||
* LED colors, enable/disable
|
* LED colors, enable/disable
|
||||||
@ -45,4 +72,69 @@ the SIP password is notably absent from configuration exports, and masked in the
|
|||||||
* once the PIN is known, viewing 'Options'->'SIP settings' from the physical device exposes the plaintext password
|
* once the PIN is known, viewing 'Options'->'SIP settings' from the physical device exposes the plaintext password
|
||||||
* the PIN is masked in the web interface, but only because the <input type='password'>, and since the traffic is running over HTTP, sniffing web traffic while the page is loaded exposes the plaintext password
|
* the PIN is masked in the web interface, but only because the <input type='password'>, and since the traffic is running over HTTP, sniffing web traffic while the page is loaded exposes the plaintext password
|
||||||
|
|
||||||
in a twist on the second issue mentioned above, if any other changes are made on the 'SIP Settings' page (like the display name), when 'Submit' is clicked, your browser will prompt you to save the password. standard saved password recovery tools will expose the plaintext password too
|
in a twist on the second issue mentioned above, if any other changes are made on the 'SIP Settings' page (like the display name), when 'Submit' is clicked, your browser will prompt you to save the password. standard saved password recovery tools will expose the plaintext password too
|
||||||
|
|
||||||
|
### firmware digging
|
||||||
|
|
||||||
|
from Settings-> functionality, `ps.txt` confirmed that the machine is running a small Linux distribution.
|
||||||
|
a quick check of the manufacturers website gave us a copy of the latest firmware [2.6.0.294](https://www.revolabs.com/getmedia/1569b057-96f3-44e0-a521-e1bdeef21831/FLX-UC-1000-1500-Firmware)
|
||||||
|
|
||||||
|
`binwalk`ing the uncompressed file:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ binwalk FLX-UC-1500-2-6-0-294.bundle
|
||||||
|
|
||||||
|
DECIMAL HEXADECIMAL DESCRIPTION
|
||||||
|
--------------------------------------------------------------------------------
|
||||||
|
138364 0x21C7C CRC32 polynomial table, little endian
|
||||||
|
266272 0x41020 uImage header, header size: 64 bytes, header CRC: 0x4A150CD3, created: 2016-03-11 22:03:35, image size: 1338940 bytes, Data Address: 0xC0008000, Entry Point: 0xC0008000, data CRC: 0x793D4693, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-2.6.37+"
|
||||||
|
283460 0x45344 gzip compressed data, maximum compression, from Unix, last modified: 2016-03-11 22:03:34
|
||||||
|
1708064 0x1A1020 Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 17871508 bytes, 1007 inodes, blocksize: 131072 bytes, created: 2016-03-11 22:17:40
|
||||||
|
19642065 0x12BB6D1 Zlib compressed data, best compression
|
||||||
|
```
|
||||||
|
|
||||||
|
of particular interest to us is `0x1A1020 Squashfs filesystem..`:
|
||||||
|
|
||||||
|
```
|
||||||
|
# mkdir /squash/
|
||||||
|
# mount -o loop -t squashfs /tmp/1A1020 /squash/
|
||||||
|
# ls /squash/
|
||||||
|
bin dev etc home lib linuxrc mnt nv opt proc root run sbin sys tmp usr var www
|
||||||
|
```
|
||||||
|
|
||||||
|
digging around, there are a number of interesting files:
|
||||||
|
|
||||||
|
file | description
|
||||||
|
----------------------|-------------
|
||||||
|
`/etc/passwd` | list of users
|
||||||
|
`/etc/shadow` | hashes of users passwords
|
||||||
|
`/etc/init.d/S45Revo` | init script for the Revo application
|
||||||
|
`/usr/sbin/telnetd` | telnet server binary
|
||||||
|
|
||||||
|
20 minutes on a modestly provisioned GCP instance with john yields the passwords:
|
||||||
|
|
||||||
|
user | password
|
||||||
|
-----------|---------
|
||||||
|
`default` | `<redacted*>`
|
||||||
|
`revolabs` | `<redacted*>`
|
||||||
|
`root` | `<redacted*>`
|
||||||
|
|
||||||
|
* have not reported any issues documented here to Revo Labs, exercise is left to the reader.
|
||||||
|
|
||||||
|
looking at the `S45Revo` file, a potential avenue to `uid=0`:
|
||||||
|
|
||||||
|
```
|
||||||
|
14 # restmgr will start telnetd if telnet_enabled uboot env does not exist or is set to 1
|
||||||
|
15 restmgr &
|
||||||
|
```
|
||||||
|
|
||||||
|
more to come.
|
||||||
|
|
||||||
|
### log mining and traffic sniffing
|
||||||
|
|
||||||
|
using <dump logs?> functionality, and the high logging levels they provided, was able to determine a number of things:
|
||||||
|
|
||||||
|
* it utilizes the [pjsua](http://www.pjsip.org/pjsua.htm) library/client
|
||||||
|
* it sends a TFTP BOOT request for tftp://<primary SIP registrar>/<static hex string>.xml every 30 seconds
|
||||||
|
|
||||||
|
next step will be combining the information about the `telnet_enabled` kernel parameter, and crafting a TFTP configuration that will do just that.
|
||||||
|
Loading…
Reference in New Issue
Block a user