through the looking glass and what eve found there
play

Through the Looking-Glass, and what Eve found there - PowerPoint PPT Presentation

Jan 15, 2023 •154 likes •674 views

Through the Looking-Glass, and what Eve found there http://www.s3.eurecom.fr/lg/ Luca 'kaeso' Bruno <lucab@debian.org>, Mariano 'emdel' Graziano <graziano@eurecom.fr> About us S3 group at Eurecom (FR) - System security

  1. Through the Looking-Glass, and what Eve found there http://www.s3.eurecom.fr/lg/ Luca 'kaeso' Bruno <lucab@debian.org>, Mariano 'emdel' Graziano <graziano@eurecom.fr>

  2. About us • S3 group at Eurecom (FR) - System security – Embedded systems – Networking devices – Critical infrastructures – Memory forensics – Malware research 10/08/2014 2

  3. Outline • Motivations • Intro to looking glasses • Threats • Vulns & incidents • Countermeasures 10/08/2014 3

  4. Motivations – how this started • Picture yourself as a newbie cyber- criminal looking for the next target – Aim: critical infrastructure – Impact: worldwide – Skill level: low – Goal: break havoc 10/08/2014 4

  5. Motivations – how this started • Picture yourself as a newbie cyber- criminal looking for the next target – The Internet – Impact: worldwide – Skill level: low – Goal: break havoc 10/08/2014 5

  6. Motivations – how this started • Picture yourself as a newbie cyber- criminal looking for the next target – The Internet – Traffic routing across ASes – Skill level: low – Goal: break havoc 10/08/2014 6

  7. Motivations – how this started • Picture yourself as a newbie cyber- criminal looking for the next target – The Internet – Traffic routing across ASes – Basic web skills, google dorks, etc... – Goal: break havoc 10/08/2014 7

  8. Motivations – how this started • Picture yourself as a newbie cyber- criminal looking for the next target – The Internet – Traffic routing across ASes – Basic web skills, google dorks, etc... – Gaining access to BGP routers 10/08/2014 8

  9. Motivations – how this started • Picture yourself as a newbie cyber- criminal looking for the next target A good candidate: LOOKING-GLASS 10/08/2014 9

  10. Outline • Motivations • Intro to looking glasses • Threats • Vulns & incidents • Countermeasures 10/08/2014 10

  11. The Internet • A network of networks, glued by BGP http://www.caida.org/research/topology/as_core_network/2014/ 10/08/2014 11

  12. One routing-table, many routing-tables • BGP is worldwide, each AS routing table is a (partial) local view • What you see depends on where you are http://blog.thousandeyes.com/4-real-bgp-troubleshooting-scenarios/ 10/08/2014 12

  13. Connectivity troubleshooting • NOC tools for troubleshooting: – Distributed BGP probes, eg. RIPE Labs – Private shells exchange, eg. NLNOG – Limited web-access to routers, ie. via looking-glasses 10/08/2014 13

  14. What's in a looking glass • A simple '90s style web-script: – Usually PHP or Perl – Single file, can be dropped in webroot – Direct connection to SSH/telnet router console – Cleartext config file (ie. credentials) 10/08/2014 14

  15. How does it work AS64497 AS64496 Private net Public net Internet NOC NOC AS64498 Public web (looking-glass) Private admin (telnet/SSH) NOC Public IP (data+BGP) 10/08/2014 15

  16. How does it look like 10/08/2014 16

  17. Where to get it • Focus on open-source most common ones: – Cougar LG (Perl) – Cistron LG (Perl) – MRLG (Perl) – MRLG4PHP (PHP) 10/08/2014 17

  18. Outline • Motivations • Intro to looking glasses • Threats • Vulns & incidents • Countermeasures 10/08/2014 18

  19. Targeting humans • Assume bug-proof software • Humans can still mis-deploy it, and forget to: – Enable CGI/mod_php/mod_perl – Protect config files – Protect private SSH keys Exposed routers credentials 10/08/2014 19

  20. Targeting the web-app • Assume some minor bugs may exist in the web frontend • Pwn the LG web interface: – Improper escaping – XSS/CSRF/etc. Cookie stealing for other web services 10/08/2014 20

  21. Targeting the server • Assume some medium severity bugs may exist in the whole package • Pwn the host through LG: – Embedded third-party tools – Forked/modified modules Escalate to the hosting server 10/08/2014 21

  22. Targeting the router • Assume important bugs may exist in the backend • Pwn the router through LG: – Missing input escaping – Command injection to router – Known bugs in router CLI Escalate to router administration 10/08/2014 22

  23. Targeting the Internet • Assume you control multiple routers in multiple ASes • Pwn the Internet: – Reroute/blackhole local traffic – Announce bogus BGP prefixes Chaos ensues :) 10/08/2014 23

  24. Outline • Motivations • Intro to looking glasses • Threat model • Vulns & incidents • Countermeasures 10/08/2014 24

  25. Web issues • Exposed Credentials: – Stored in cleartext: IPs, usernames and passwords – Configuration files at known URLs • Cookie Stealing: – XSS vulnerabilities in LG, to target other web-apps 10/08/2014 25

  26. Web Misconfigurations • Google Dorks for login credentials: – Find LG configuration files – Examples: ● "login" "telnet" inurl:lg.conf ● "login" "pass" inurl:lg.cfg 10/08/2014 26

  27. Google Dorks – Exposing conf files 10/08/2014 27

  28. Google Dorks – Exposing conf files 10/08/2014 28

  29. Default config paths ● Example from Cougar LG root directory: as.txt CHANGELOG communities.txt COPYING favicon.ico lg.cgi lg.conf makeaslist.pl makedb.pl README ● So just crawl for it: $BASE_LG_URL/lg.conf 10/08/2014 29

  30. Best Practices :) README sometime mentions them: ...still, we've found about 35 exposed cases! 10/08/2014 30

  31. Exposed Source Code 10/08/2014 31

  32. Exposed Private SSH Keys • Default path for SSH keys (CVE-2014- 3929) in Cougar LG • Where are SSH private keys stored? → /var/www/.ssh/private_key lg.conf:18 10/08/2014 32

  33. Exposed Private SSH Keys 10/08/2014 33

  34. First steps into the web • No CAPTCHA anywhere! • This eases attacker's work: – Automated resource mapping (ping-back and conf dumping) – Automated command injection – Automated attacks from multiple AS (if bugs are found) 10/08/2014 34

  35. XSS • XSS in <title> via "addr" parameter ( CVE- 2014-3926) • LG maybe are not worthy web targets... – But other NOC services often are under the same-origin domain! 10/08/2014 35

  36. XSS – for the lulz! 10/08/2014 36

  37. Router Command Injection • What if you can run whatever CLI ‽ command you want – CVE-2014-3927 in MRLG4PHP • 'argument' parameter issue – HTML escape != sanitization • Let's look at the code (mrlg-lib.php:120) 10/08/2014 37

  38. Router Command Injection 10/08/2014 38

  39. Router Command Injection - PoC • From HTTP to router CLI, just adding newlines :) curl --data \ 'routerid=10 &requestid=50 &argument=8.8.8.8%0Adate%0Aexit%OA' 10/08/2014 39

  40. Remote Memory Corruption • Sometime LG ships with embedded third- party binaries – CVE-2014-3931 in MRLG (fastping SUID bin) • ICMP echo reply is used without proper validation fastping.c:546 – Riempie_Ritardi( *((long *)&(icp->icmp_data[8])) , triptime ); • Let's have a look at the code 10/08/2014 40

  41. Remote Memory Corruption 10/08/2014 41

  42. Exploitation notes • 3 rd -party, probably not commonly deployed – WONTFIX by upstream • Time-dependent... – But you get host time in ICMP echo request! • Every ICMP reply can overwrite one long word in memory... – And you have 100 probes on every try 10/08/2014 42

  43. Talking about network design ● Routers admin consoles needlessly exposed over globally routable interfaces 10/08/2014 43

  44. Outline • Motivations • Intro to looking glasses • Threat model • Vulns & incidents • Countermeasures 10/08/2014 44

  45. Code-wise • Understand that exposing router consoles to the web with hardcoded credentials can be dangerous! • Review all critical web-services written during the wild-west '90s 10/08/2014 45

  46. Deployment-wise • Prefer a dedicated read-only route- server as LG endpoint • Check if your private files are reachable over the web (LG config, SSH keys) • Double check your web server config! (vhost vs. default docroot) 10/08/2014 46

  47. Administration-wise • Setup proper ACL on your routers • Use strong, unique passwords • Put admin and out-of-band services in private VLANs and subnets! 10/08/2014 47

  48. Recap • Best-practices are often disregarded • Unaudited, old, forgotten code often sits in critical places • Attackers go for the weak links... – and escalate quickly! Internet core is fragile 10/08/2014 48

  49. Fin Thank you for listening! Thanks to all the members of NOPS team, who helped in bug-finding 10/08/2014 49

  50. Backup – router CLI escalation ● Cracking Cisco weak hashes – Type-0, Type-5, Type-4 (cisco-sr-20130318-type4) ● Exploiting CLI bugs – Cisco, AAA Command Authorization by-pass (cisco- sr-20060125-aaatcl) – Juniper, Unauthorized user can obtain root access using CLI (JSA10420) – Juniper, Multiple privilege escalation vulnerabilities in Junos CLI (JSA10608) 10/08/2014 50

  51. Backup – reported incidents 10/08/2014 51

Recommend

Through the Looking Glass Alice found there . . . and what Alice found there Frank Mittelbach

Through the Looking Glass Alice found there . . . and what Alice found there Frank Mittelbach

Through the Looking Glass ... and what Through the Looking Glass Alice found there . . . and what Alice found there Frank Mittelbach TUG Conference 2017, Bachotek Introduction Dynamic programming Frank Mittelbach Algorithms

819 views • 71 slides
Through the looking glass, and what Joseph found there Joseph Wright L A T EX Project The xfp

Through the looking glass, and what Joseph found there Joseph Wright L A T EX Project The xfp

Through the looking glass, and what Joseph found there Joseph Wright L A T EX Project The xfp package Floating Point Unit The L A T EX3 Project Released 2018-05-12 This package provides a L A T EX 2 document-level interface to the L A

386 views • 24 slides
3. A vacuum Glass Catch attachment for broken glass GLASS OTHERS HOME $2.35 Million

3. A vacuum Glass Catch attachment for broken glass GLASS OTHERS HOME $2.35 Million

3. A vacuum Glass Catch attachment for broken glass GLASS OTHERS HOME $2.35 Million Emergency visits for unintentional cuts or piercings in US in 2015 Existing solutions Not best solution Glass shards get stuck Damages vacuum

292 views • 10 slides
The Glass Menagerie Jadn S. &amp; Claire B. Symbolism Lauras Glass Menagerie The Glass

The Glass Menagerie Jadn S. &amp; Claire B. Symbolism Lauras Glass Menagerie The Glass

The Glass Menagerie Jadn S. &amp; Claire B. Symbolism Lauras Glass Menagerie The Glass Unicorn Blue Roses The Fire Escape Motifs Abandonment Words and Images seen on the screen Music Themes The Difficulty of Accepting Reality The

349 views • 10 slides
Knowledge Seminar Series : High Performance Glass October 18, 2017 Jim Larsen Director,

Knowledge Seminar Series : High Performance Glass October 18, 2017 Jim Larsen Director,

Knowledge Seminar Series : High Performance Glass October 18, 2017 Jim Larsen Director, Technology Marketing Cardinal Glass Divisions FG: flat glass TG: tempered (safety) glass CG: coated glass (low-E) LG: laminated glass

403 views • 37 slides
3M Glass Bubbles iM16K 3M Glass Bubbles iM16K 3M Glass Bubbles and Other Additives

3M Glass Bubbles iM16K 3M Glass Bubbles iM16K 3M Glass Bubbles and Other Additives

3M Glass Bubbles iM16K 3M Glass Bubbles iM16K 3M Glass Bubbles and Other Additives Classified by Aspect Ratio 3M Glass Bubbles Talc Glass Fiber 0.46 0.6 g/cc 2.8 g/cc 2.5 g/cc 20 m 20 m 20 m Low Hig h 1:1 20:1 30

663 views • 30 slides
SCULPTURE MATERIALS SCULPTURE MATERIALS PATTERNS PLATE GLASS GLASS BOTTLES GLASS BOTTLES

SCULPTURE MATERIALS SCULPTURE MATERIALS PATTERNS PLATE GLASS GLASS BOTTLES GLASS BOTTLES

SCULPTURE MATERIALS SCULPTURE MATERIALS PATTERNS PLATE GLASS GLASS BOTTLES GLASS BOTTLES ILLUMINATION ILLUMINATION (TOP &amp; INTERIOR) CAST GLASS (DURABLE) CAST GLASS (VARIETY OF FORMS) GLASS BLOCK ILLUMINATION SOLAR CELLS ILLUMINATION

331 views • 15 slides
GOING DIGITAL P r i n c i p l e s BE FOUND If you can't be found, you don't exist. - SEO /

GOING DIGITAL P r i n c i p l e s BE FOUND If you can't be found, you don't exist. - SEO /

GOING DIGITAL P r i n c i p l e s BE FOUND If you can't be found, you don't exist. - SEO / Google My Business - Website - Online content - Social media presence - Media coverage - Reviews/recommendations - Communities STAY FOUND Keep

251 views • 7 slides
Recycling of Glass from Construction &amp; Building Demolition Waste Views from the flat glass

Recycling of Glass from Construction &amp; Building Demolition Waste Views from the flat glass

Recycling of Glass from Construction &amp; Building Demolition Waste Views from the flat glass industry Niels Schreuder Public Affairs AGC Glass Europe AGC corporate profile AGC Glass Europe AGC Group a global company Global annual

575 views • 25 slides
Glass Container Manufacturing &amp; Recycling Overview Scott DeFife President Glass Packaging

Glass Container Manufacturing &amp; Recycling Overview Scott DeFife President Glass Packaging

Carolinas Glass Recycling Summit Why Glass is Important to Your Community Glass Container Manufacturing &amp; Recycling Overview Scott DeFife President Glass Packaging Institute (GPI) December 10, 2019 Wilson, NC Glass Packaging Institute

285 views • 14 slides
An Image Capture Application For The Google Glass Framework Oliver Nina (UCF), Roger Pack (FS)

An Image Capture Application For The Google Glass Framework Oliver Nina (UCF), Roger Pack (FS)

Genealogy Glass An Image Capture Application For The Google Glass Framework Oliver Nina (UCF), Roger Pack (FS) Google Glass Google Glass Google Glass video Google Glass Wearable Computing 640360 prism display 5-megapixel

732 views • 13 slides
RUSSIAN FLAT GLASS COATINGS MARKET OVERVIEW Dmitriy D. Bernt Glass Coating Technology

RUSSIAN FLAT GLASS COATINGS MARKET OVERVIEW Dmitriy D. Bernt Glass Coating Technology

RUSSIAN FLAT GLASS COATINGS MARKET OVERVIEW Dmitriy D. Bernt Glass Coating Technology Pilkington Glass Russia&amp;CIS Pilkington Glass in Russia Architectural flat glass float line in operation since 2006 in Ramensky District Moscow region

578 views • 20 slides
Logic do it! Looking Glass Through the The Looking Glass A mirror which shows the negation of

Logic do it! Looking Glass Through the The Looking Glass A mirror which shows the negation of

IIT Bombay :: Autumn 2020 :: CS 207 :: Discrete Structures :: Manoj Prabhakaran It computers can s so easy even Logic do it! Looking Glass Through the The Looking Glass A mirror which shows the negation of every proposition Reflection

341 views • 10 slides
GLASS 2.0 Dale Henrichs VMware, Inc. ESUG 2011 Edinburgh, Scotland August 22, 2011 GLASS 2.0

GLASS 2.0 Dale Henrichs VMware, Inc. ESUG 2011 Edinburgh, Scotland August 22, 2011 GLASS 2.0

GLASS 2.0 Dale Henrichs VMware, Inc. ESUG 2011 Edinburgh, Scotland August 22, 2011 GLASS 2.0 Overview of GLASS VMware Cloud Foundry tODE demo What is GLASS? A platform for deploying web-based Smalltalk applications in

645 views • 16 slides
Glass Fiber Reinforced Concrete What is Glass Fiber Reinforced Concrete Glass-fiber Reinforced

Glass Fiber Reinforced Concrete What is Glass Fiber Reinforced Concrete Glass-fiber Reinforced

Glass Fiber Reinforced Concrete What is Glass Fiber Reinforced Concrete Glass-fiber Reinforced Concrete (GFRC) is a cement-based composite material reinforced with alkali-resistant fibers. The fibers add flexural, tensile and impact strength

990 views • 58 slides
Glass Packaging Institute Overview and Activity Update Bryan Vickers Glass Packaging Institute

Glass Packaging Institute Overview and Activity Update Bryan Vickers Glass Packaging Institute

Glass Packaging Institute Overview and Activity Update Bryan Vickers Glass Packaging Institute Washington, DC December 12, 2012 Glass is ENDLESSLY Recyclable Glass Packaging Institute The Glass Packaging Institute (GPI) represents the North

345 views • 13 slides
Effects of Glass Recycling in the Glass Container Industry Pam Baylor, Director of Purchasing

Effects of Glass Recycling in the Glass Container Industry Pam Baylor, Director of Purchasing

Effects of Glass Recycling in the Glass Container Industry Pam Baylor, Director of Purchasing and Customer Service November 2015 Anchor Glass Container Locations 2 Cullet Impact By Location Elmira, NY Bottle Bill cullet excellent

179 views • 6 slides
Sept 2017 Fast, Safe , clean the Easy Lamination of Glass-Glass CONFIDENTIAL Page 1 Agenda

Sept 2017 Fast, Safe , clean the Easy Lamination of Glass-Glass CONFIDENTIAL Page 1 Agenda

Sept 2017 Fast, Safe , clean the Easy Lamination of Glass-Glass CONFIDENTIAL Page 1 Agenda Robert-Brkle GmbH Motivation Dual-Glass Modules - Process Problems Dual-Glass Process investigation and development Vacuum-Flat-Press Laminator

566 views • 27 slides
Challenges of Glass Recycling in North America Curt Bucey, Executive VP 2015 NERCs Glass

Challenges of Glass Recycling in North America Curt Bucey, Executive VP 2015 NERCs Glass

Challenges of Glass Recycling in North America Curt Bucey, Executive VP 2015 NERCs Glass Forum 0 Agenda History Market Update Glass Quality Overtime Impacts on Dirtier Supply Specifications Alternative shipping

287 views • 18 slides
GGIE::Leveraging IPv6 Glass to Glass Glenn Deen NBCUniversal

GGIE::Leveraging IPv6 Glass to Glass Glenn Deen NBCUniversal

GGIE::Leveraging IPv6 Glass to Glass Glenn Deen NBCUniversal (Glenn.Deen@NBCUNI.COM) March 23, 2017 What is GGIE::Glass to Glass? Scope: Internet

644 views • 13 slides
Russian flat glass market: Advance increase of demand Lev Shakhnes, Union of Glass Companies,

Russian flat glass market: Advance increase of demand Lev Shakhnes, Union of Glass Companies,

Markets &amp; Trends Russian flat glass market: Advance increase of demand Lev Shakhnes, Union of Glass Companies, Alexander Tchesnokov, Elena Cheremkhina, J SC Institute of Glass, Moscow June, 16 Introduction In 2005 we considered

586 views • 30 slides
label Bohemia Crystal or Bohemia glass is in high demand worldwide for its excellence

label Bohemia Crystal or Bohemia glass is in high demand worldwide for its excellence

Our Company OMNIA Glass Ltd. is the Czech wholesalers and exporter of the famous Bohemia glass for home, hotels and other public buildings. The Czech glass with label Bohemia Crystal or Bohemia glass is in high demand worldwide for

532 views • 26 slides
Is the Glass Half Empty or Half Full: The State of Glass Recycling at U.S. MRFs Northeast

Is the Glass Half Empty or Half Full: The State of Glass Recycling at U.S. MRFs Northeast

Is the Glass Half Empty or Half Full: The State of Glass Recycling at U.S. MRFs Northeast Recycling Council Webinar Presentation, Finding Opportunities in MRF Glass, May 16, 2018 Eileen Berenyi, PhD Governmental Advisory Associates, Inc.

511 views • 29 slides
Advanced Vitreous State The Physical Properties of Glass Active Optical Properties of Glass

Advanced Vitreous State The Physical Properties of Glass Active Optical Properties of Glass

Advanced Vitreous State The Physical Properties of Glass Active Optical Properties of Glass Lecture 21: Nonlinear Optics in Glass-Applications Denise Krol Department of Applied Science University of California, Davis Davis, CA 95616

229 views • 18 slides

More recommend