2016-11-28 19:15:26 -08:00
..
2016-11-28 19:15:26 -08:00

CUJO

TV

name value
model TODO
product TODO
firmware TODO
features TODO
vulnerabilities all phone-home calls are done over HTTP

digging

nmap

from nmap -PN -p 1-65535 -sV <device>, we get:

Nmap scan report for <device>
Host is up (0.0016s latency).
All 65535 scanned ports on <device> are closed

Nmap done: 1 IP address (1 host up) scanned in 321.80 seconds

so.. no open ports. let's try something different

sniffing

watching the network activity of the device (192.168.1.108), noticed it tried to resolve:

  • agent.cujo.io
  • jenkins.getcujo.com

but since the network isn't allowing external traffic, the DNS resolution fails.

the device continues to retry this, but takes no other action.

using dnsmasq, spoof these addresses to something under out control (192.168.1.106), and now we see:

Frame 125229: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: 192.168.1.108 (cc:d3:1e:d0:20:67), Dst: 192.168.1.106 (f4:0f:24:04:2e:8f)
Internet Protocol Version 4, Src: 192.168.1.108 (192.168.1.108), Dst: agent.cujo.io (192.168.1.106)
Transmission Control Protocol, Src Port: 53455 (53455), Dst Port: 9443 (9443), Seq: 0, Len: 0
    Source Port: 53455
    Destination Port: 9443
    [Stream index: 14]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    Acknowledgment number: 0
    Header Length: 40 bytes
    Flags: 0x002 (SYN)
    Window size value: 14600
    [Calculated window size: 14600]
    Checksum: 0xaf14 [validation disabled]
    Urgent pointer: 0
    Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
        Maximum segment size: 1460 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1460
        TCP SACK Permitted Option: True
        Timestamps: TSval 51225, TSecr 0
        No-Operation (NOP)
        Window scale: 5 (multiply by 32)

now we can see it is making some empty TCP request to 9443

impersonating

phone home

standing up a webserver on 9443, we start to see traffic:

\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03\xa1\xe1\x9d\x08\x88]*\xce\xe7G
\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03Gg\xed\xa3m\x02\x88\xbd\xf0\xd1\x1eS\xf0\xfbc\xfb\x80K\x8dD\xed\xfb\x9b\x8c\xa0\xb2\xc6C\xc8\x15\x86\xbb\x00\x00\xa0\xc00\xc0,\xc0(\xc0$\xc0\x14\xc0

requests starting with \x16\x03\x01 are almost certainly HTTPS requests coming over HTTP, so try to forge a usable cert:

$ openssl req -x509 -newkey rsa:2048 -keyout agents.cujo.io.pem -out agents.cujo.io.pem -days 365 -nodes
Generating a 2048 bit RSA private key
........................................................................................+++
..........................................................................................................+++
writing new private key to 'agents.cujo.io.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Los Angeles
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CUJO
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:agent.cujo.io
Email Address []:

$ openssl x509 -text -in agents.cujo.io.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e6:5b:e3:de:c4:4f:13:7e
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Los Angeles, O=CUJO, CN=agent.cujo.io
        Validity
            Not Before: Nov 29 01:38:50 2016 GMT
            Not After : Nov 29 01:38:50 2017 GMT
        Subject: C=US, ST=California, L=Los Angeles, O=CUJO, CN=agent.cujo.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B2:33:5E:3A:3D:6E:B8:DC:D8:19:89:A2:B5:67:1C:99:B1:B0:2F:2F
            X509v3 Authority Key Identifier:
                keyid:...
                DirName:/C=US/ST=California/L=Los Angeles/O=CUJO/CN=agent.cujo.io
                serial:...

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----