# CUJO

- [device](#device)
- [digging](#digging)
  - [nmap](#nmap)
  - [sniffing](#sniffing)
- [impersonating](#impersonating)
  - [phone home](#phone-home)

## TV
name|value
----|-----
model|TODO
product|`TODO`
firmware|`TODO`
features|TODO 
vulnerabilities|all phone-home calls are done over `HTTP`


## digging

### nmap

from `nmap -PN -sV <device>`, we get:

```
<TODO all ports are closed>
```

### sniffing

watching the network activity of the device (`192.168.1.108`), noticed it tried to resolve:

  * agent.cujo.io
  * jenkins.getcujo.com
  
but since the network isn't allowing external traffic, the DNS resolution fails. 

the device continues to retry this, but takes no other action.

using `dnsmasq`, spoof these addresses to something under out control (`192.168.1.106`), and now we see:

```
Frame 125229: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: 192.168.1.108 (cc:d3:1e:d0:20:67), Dst: 192.168.1.106 (f4:0f:24:04:2e:8f)
Internet Protocol Version 4, Src: 192.168.1.108 (192.168.1.108), Dst: agent.cujo.io (192.168.1.106)
Transmission Control Protocol, Src Port: 53455 (53455), Dst Port: 9443 (9443), Seq: 0, Len: 0
    Source Port: 53455
    Destination Port: 9443
    [Stream index: 14]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    Acknowledgment number: 0
    Header Length: 40 bytes
    Flags: 0x002 (SYN)
    Window size value: 14600
    [Calculated window size: 14600]
    Checksum: 0xaf14 [validation disabled]
    Urgent pointer: 0
    Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
        Maximum segment size: 1460 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1460
        TCP SACK Permitted Option: True
        Timestamps: TSval 51225, TSecr 0
        No-Operation (NOP)
        Window scale: 5 (multiply by 32)

```

now we can see it is making some empty TCP request to `9443`

## impersonating

### phone home

standing up a webserver on `9443`, we start to see traffic:

```
\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03\xa1\xe1\x9d\x08\x88]*\xce\xe7G
```

```
\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03Gg\xed\xa3m\x02\x88\xbd\xf0\xd1\x1eS\xf0\xfbc\xfb\x80K\x8dD\xed\xfb\x9b\x8c\xa0\xb2\xc6C\xc8\x15\x86\xbb\x00\x00\xa0\xc00\xc0,\xc0(\xc0$\xc0\x14\xc0
```

requests starting with `\x16\x03\x01` are almost certainly HTTPS requests coming over HTTP, so try to forge a usable cert:

```
$ openssl req -x509 -newkey rsa:2048 -keyout agents.cujo.io.pem -out agents.cujo.io.pem -days 365 -nodes
Generating a 2048 bit RSA private key
........................................................................................+++
..........................................................................................................+++
writing new private key to 'agents.cujo.io.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Los Angeles
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CUJO
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:agent.cujo.io
Email Address []:

$ openssl x509 -text -in agents.cujo.io.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e6:5b:e3:de:c4:4f:13:7e
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Los Angeles, O=CUJO, CN=agent.cujo.io
        Validity
            Not Before: Nov 29 01:38:50 2016 GMT
            Not After : Nov 29 01:38:50 2017 GMT
        Subject: C=US, ST=California, L=Los Angeles, O=CUJO, CN=agent.cujo.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B2:33:5E:3A:3D:6E:B8:DC:D8:19:89:A2:B5:67:1C:99:B1:B0:2F:2F
            X509v3 Authority Key Identifier:
                keyid:...
                DirName:/C=US/ST=California/L=Los Angeles/O=CUJO/CN=agent.cujo.io
                serial:...

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```