
A look at TR-06FAIL and other CPE Configuration Disasters

BSides London · 2016 · 43:26 · 1.4K views · Published 2017-06
Category: Technical
Style: Talk
About this talk
In late 2016 a TR-064 (LAN-side CPE management) misconfiguration in a wide range of CPE devices was disclosed that allowed for remote device takeover. Within days, botnets began exploiting a related command injection issue, leading to widespread internet outages for customers of certain ISPs in the UK and abroad. This talk will explore the impacts of these issues, and also look at some other vulnerabilities in TR-069 (WAN-side CPE management) protocol implementations that could allow for remote takeover of routers en masse.
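The command injection the abstract refers to rides on an in-spec TR-064 request: the SetNTPServers action of the Time:1 service, whose NewNTPServerN arguments are meant to hold NTP hostnames or addresses. The following is an added example, not code from the talk or from any vendor's TR-064 implementation, showing the input check a CPE handler or a LAN-side monitor could apply before such a value is ever handed to a shell. The service and argument names are those of the TR-064 Time:1 service; the assumed grammar (IP address, RFC 1123 hostname, or an empty unused slot) and the two SOAP bodies are constructed for the example.

```python
"""Added example (not from the talk or any project it names): flagging TR-064
SetNTPServers requests whose arguments are not hostnames or IP addresses.

TR-064's Time:1 service exposes a SetNTPServers action with arguments
NewNTPServer1..NewNTPServer5. The talk describes worm traffic that puts shell
commands in that field; a CPE handler or LAN-side monitor can reject such
requests before anything reaches the shell. The SOAP bodies below are
constructed samples; the field grammar assumed here is "IP address or RFC 1123
hostname, or empty for an unused slot".
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def is_plausible_host(value):
    """True for an IP address, a syntactically valid hostname, or an empty slot."""
    value = value.strip()
    if value == "":
        return True  # assumption: unused NewNTPServerN slots are sent empty
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def extract_ntp_args(soap_body):
    """Map NewNTPServerN element names to their text, ignoring namespaces."""
    root = ET.fromstring(soap_body)
    args = {}
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # drop any {namespace} prefix
        if local.startswith("NewNTPServer"):
            args[local] = el.text or ""
    return args


def suspicious_ntp_args(soap_body):
    """Return (name, value) pairs that fail the host check.

    A body that is not well-formed XML is reported as suspicious too, since
    the request cannot be validated at all."""
    try:
        args = extract_ntp_args(soap_body)
    except ET.ParseError as exc:
        return [("<body>", "malformed XML: %s" % exc)]
    return [(k, v) for k, v in args.items() if not is_plausible_host(v)]


SOAP_TEMPLATE = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    "<s:Body>"
    '<u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
    "<NewNTPServer1>{srv1}</NewNTPServer1>"
    "<NewNTPServer2>{srv2}</NewNTPServer2>"
    "</u:SetNTPServers></s:Body></s:Envelope>"
)

# Constructed samples: a legitimate configuration change, and one carrying
# shell metacharacters of the kind the talk describes (a harmless command here).
BENIGN_REQUEST = SOAP_TEMPLATE.format(srv1="pool.ntp.org", srv2="192.0.2.10")
INJECTION_REQUEST = SOAP_TEMPLATE.format(srv1="`id`", srv2="")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("injection", INJECTION_REQUEST)):
        print(label, suspicious_ntp_args(body))
```

The check is an allow-list on the value's shape rather than a search for particular metacharacters, so it rejects anything that is not a host regardless of which shell syntax an attacker picks; it says nothing about the other TR-064 failures the talk covers (no password, no digest auth, binding on 0.0.0.0), which are deployment settings rather than input handling.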
Transcript (en)

All right, hi everybody. So I was having a chat with somebody about this earlier, and before I actually begin the talk I'd like to read you a very famous film quote that really resonates with what I found while I was doing this research. If you haven't seen the film, you've probably been living under a rock. So, because I can't memorize the bloody quote, this will really resonate with what you'll see here: "I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those moments will be lost in time, like tears in rain. Time to die."

So that resonates a lot with the subject matter of this, which is a talk about complete [ __ ] train wrecks and disasters that are in your [ __ ] house right now. Hopefully my computer will stop being [ __ ]. So who am I? Security researcher at zus. One of my favourite things to do is dick about with embedded stuff: routers, switches, anything that's a bit weird I like to play with. I've been jabbing at it for ages; it's always been a bit of a passion of mine. Before this I was a forensics student. I actually qualified in that, so I'm actually a forensics person, allegedly. I can do fingerprints. Before that I was a pharmaceutical student, and before that I was an internet miscreant causing havoc, which led to some consequences, but whatever. I [ __ ] hate XML. XML can die in a fire, which is really unfortunate, because just about every single thing that I'm going to talk about today involves XML, so it's like I was studying the things I hate.

So what I'm actually going to talk about is TR-064, how it's [ __ ], and related stuff: vulnerabilities that have been related to it, some kind of protocol-level issues where the specification specifically makes [ __ ] terrible, you know, and why some really bad things have happened. I'm also going to talk about TR-069 and why it's a terrible idea. I'll go into a bit of back history about some of the stuff that's happened in the past, some of the prior art, because that was important, to check that somebody else hasn't done what you're doing first. And then I'll tell you how to pop ACS servers and take over the world for little to no effort. So if you want some global domination, you're going to get it here. And there's some other nonsense in there in no order, because I'm really crap at ordering slides, so it's all in there somewhere.

So before we begin, I'd like to point out that there is some brilliant prior art in this field. Shahar (he was with Check Point at the time and now he's with Cellebrite) gave a couple of talks. He gave the "I Hunt TR-069 Admins" talk, I think that was DEF CON, and then there was the Misfortune Cookie research that I saw at CCC at 31C3. Brilliant pieces of work, worth checking out, and that's kind of the prior art that got me interested in TR-069 again, 'cause I'd looked at it before and I'd kind of gone "ah, I'll look at something else", and then Shahar was like "hey, shit's [ __ ], yo", and I was like "well, of course shit's [ __ ], it's TR-069", and he was like "no, no, but you should look at this, shit's [ __ ]". When I saw his talk I was like "oh, oh, oh, whoa, whoa, whoa, whoa, this is bad". So I went and looked and I saw some things. There's fun stuff there for everyone; you can have cutting-edge research tomorrow if you just take a look at it. Also in the slides I'll have a couple of links to the specifications of the protocols that I'm going to be talking about, and I'd advise reading them. I'd advise getting some coffee; they're quite lengthy, they're really dull, and I'd also advise having a counsellor or psychiatrist on call, because you'll go [ __ ] mad trying to make sense of them. So yeah, have a go for yourself, you will find some stuff.

So what is TR-blah-blah? TR-blah-blah are protocol specifications. They're not RFCs. Like, we know RFCs, like all the nonsense referred to as an RFC, like TCP and DNS and all that crap. TR-blah-blah are DSL Forum specs. They're made by a bunch of idiots who like to design things by committee, and it's basically a specification for how broadband works, and these were thought up by people who didn't have a Scooby, and they made things up by, you know, having committees, and then the subcommittee of the subcommittee of the subcommittee, and I think one of them probably was working for a vendor that sold an XML parser, because all of this [ __ ] involves XML. It defines the specs for the protocols for managing broadband networks for ISPs. So this is stuff that... I don't think BT use it, but a couple of other UK ISPs use it, and we'll get to that in a bit, and that's going to be comedy gold. So these are specs that you can follow, you can implement, you can ignore, you can completely disregard, and they manage a lot of stuff. So what I'm going to be interested to say is the 064 and 069 ones. There's a whole bunch of others in that namespace and they're all terrible. Like, there's TR-111, which is TR-069 but for [ __ ] inside your LAN, like your smart TV, and that's going to be the worst idea in the world, and they're pushing to have it implemented. And yeah, I mean I need to look at that in the future, because it's a bundle of crap and they're actively pushing to have this pushed out.

So yeah, TR-064, to start, is called "LAN-side DSL CPE Configuration". So the spec outlines this SOAP-based protocol, because everyone loves XML and you don't have enough XML, because you just want more [ __ ] XML, because XML parsers are the most robust piece of software in the world, allegedly. And so it allows configuration of your CPE, consumer premises equipment, i.e. your router that your ISP shipped to you, from the LAN side. So back in the day, for at least people... I'm not sure how it was in the UK, but in Ireland when Eircom rolled out broadband, you got your router, you plugged your router in, and you got a CD that had a Microsoft Windows executable on it that you put into your Windows XP machine, because this was when we got broadband. You put it in, you ran a program, and the program configured your router and gave you internet, and magic, you had broadband. It was slightly faster than dial-up, like just slightly; it was like dial-up without the noise, so it was dial-up without the free chiptunes. So yeah, TR-064 was for the broadband setup [ __ ] they shipped to consumers, and the specification is there. Download it, read it, cringe, smash your head off the desk. It's comedy gold.

So TR-069 is "CPE (consumer premises equipment) WAN Management Protocol", CWMP, and these guys love their [ __ ] acronyms. So it outlines how, from the ISP end, the ISP manages your router, how they access it, how, when you go "hello tech support, my router don't work", they can log into your router remotely and they can check [ __ ] and they can go "oh, you've got like 500 devices connected to your router, of course it doesn't bloody work", or they can go "oh, your router's in a fault state, turn it off and turn it back on again". It's the protocol they use for managing it. It's a management protocol, and it's again SOAP, and when you look at it at first you go "nope", 'cause SOAP means nope. Just say no. It's a bit like strcpy, just say no, it's a gateway drug to bad [ __ ]. So you can download the spec there. It's on Amendment [ __ ] Five. I wouldn't be surprised if they go to Amendment Six soon, and yeah, have a look, it's hideous.

So I'm going to start with TR-064, because TR-064 kind of hit everybody kind of blindside. So it's what they use for the broadband setup CD stuff and it's how you manage the CPE from the LAN side, you know, from inside the trusted zone. It's how you manage the device; it's a spec for doing that, and it is total read/write for, like, all the config variables on the device. So you can overwrite DNS servers or the NTP servers or whatever. Wireless security settings: you can get and set the keys, the SSID, all that. Any of the crap you can access through the web interface you can access using this in a lot of cases. And when I read the spec I did a double take and thought I was hallucinating on some [ __ ], because I saw that it had a section called "security", about security requirements, and I only read the spec after I'd been taking a good look at it by reversing something. So "whoa, whoa, whoa, whoa, whoa, stall the ball, there's actually a section here that says security", when this shit's [ __ ]. So the TR-064 security specification states: access to any action that allows configuration changes to the CPE must be password protected; access to any password-protected action must require HTTP digest authentication; sensitive information such as passwords must not be readable at all. And also, it doesn't specify in the spec, but it's implied that it's only meant to listen on the LAN side of the network. But, you know, we know where this one goes. You might as well go to Matthew's talk about anonymous credentials and [ __ ], because it's going to be way more complicated than this stuff and it's going to be way more interesting. Shout out to him, he's doing some cool stuff, he's in track two. So if you see where the wind's going now and you want to just walk out and vomit and see something cool, go to track two, 'cause this is going to be bad.

So yeah, I quite like this. You know, when they say "must", implementation people go "maybe next version, it's a ticket in Jira, [ __ ] it, we'll fix it later". So, you know, dreams and reality will eventually collide and we'll have a nice glorious place where specifications will be followed and words like "must", "can" and "cannot" will mean what they mean in English. But to the glue-sniffing [ __ ] who implement this [ __ ], these words are like vague notions somewhere the [ __ ] over there, where it's like "oh, must... uh, maybe we'll stick it as a ticket, you know, next version", or "it's not a critical issue, it'll be sorted out later".

So the reality of this [ __ ], and why I call it TR-06FAIL: password protected? [ __ ] no. I've only seen a couple of devices that actually [ __ ] support having passwords for TR-064. Those are FRITZ!Box and some other [ __ ] that was a bit weird. That bit about not being able to read your passwords? Ah, that's really hard, you know, you can actually just pull the creds from the box. So Wi-Fi keys are readable in plain text if you send the right SOAP request. That led me into something funny in a bit. Oh, and that bit about not listening on WAN, you know, only listening on LAN? [ __ ] no. 0.0.0.0 is where we bind our services. All access, all the time, maximum portability. Oh, and it just so happens that because a bunch of this crap calls out to the shell, we've got bonus command injection bugs, 'cause you know we want the whole OWASP Top 10. It's bug bingo, baby.

So obvious outcome: where does this end? What happens when you put this [ __ ] on the internet at scale, where pretty much most of you people in this [ __ ] audience have a box in your house with this [ __ ] on it right [ __ ] now, in your trusted network? A lot of your clients will have this [ __ ] in their trusted zone. It's "oh yeah, it's inside our LAN, it's cool". No, [ __ ] that, this shit's listening on the internet. So what's the outcome, what happened? This was like somebody had gotten a big pile of flammable [ __ ], poured petrol on it, and then put a sign saying "smoking area" beside it. It was an accident waiting to happen, and guess what [ __ ] happened? [ __ ] happened. So El Reg wrote this beautiful thing. So the first kind of indicator that stuff was going deeply wrong with the internet was when Deutsche Telekom had some issues, when like a million people suddenly can't connect to the internet in Germany, a country that's quite well connected. They got some problems 'cause some stuff happened, and people kind of twigged "this isn't just going to happen in Germany", but it was too [ __ ] late. It was already game over; the game was over a long time ago. But it happened: TalkTalk, Post Office, Eircom in Ireland, my home country, my favourite ISP that I've been stuck with forever 'cause nobody else services my area, Demon... basically every [ __ ] who ships [ __ ] routers to people had some issues. So stuff was getting wrecked. Outages, outages everywhere. Worm! You know, I got really excited and kind of giggled a bit about this and probably nearly wet myself, because somebody had written a [ __ ] worm that did worm things, you know, and it was hilarious, just the scale of the chaos this caused. And we'll get to why in a minute, but yeah, the complete [ __ ] mayhem that this accident waiting to happen caused. This accident did [ __ ] happen and it probably affected some people in this room. So who did it? Where's the attribution parade? Can I roll my dice and say North Korea? Was it Russia? Was it Iran? Was it China? No mate, script kiddies. It was scrub lords who want to DDoS things, and they accidentally took out the internet for shitloads of people. Kind of a bonus win: you try to build a botnet to packet people and you accidentally [ __ ] the internet for loads of people instead.

So what happened was... yeah, that's pretty difficult to read, 'cause no syntax highlighting, etc., but basically you send a SOAP request, within spec, saying "change the NTP server you're using to", backtick, some [ __ ] commands here, and it'll run the commands, and because it's embedded as [ __ ] it'll run it as root, 'cause there ain't no user but root. So, you know, the predictable happened: somebody went "this is trivially exploitable, I'll make a botnet", and yeah, the expected occurred. So here we've got, because you have to have a screenshot of IDA Pro if you're talking about malware worms, otherwise no [ __ ] takes it seriously. IDA Pro screenshots are how people know that you know what you're [ __ ] talking about in this industry. So here we've got a screenshot of IDA Pro that tells you absolutely nothing except that the thing is sending a SOAP request. So malware happened, that's the proof, I opened it up in IDA.

So this ain't the first time either. You know, IDA is like the [ __ ] when it comes to attributions. So this wasn't the first time we had some problems with the particular piece of software, RomPager, that caused this accident to occur. So before TR-06FAIL, which is what I named it, there was Misfortune Cookie. It affected the same RomPager piece of software, except it affected the 069 component. It allowed remotely accessing the device with no auth, 'cause [ __ ] off. Due to what was effectively like... the bug with Misfortune Cookie was actually really fascinating. When Shahar was giving his presentation he didn't give the game away, he didn't tell you how to exploit the bug, you know, 'cause they were still trying to get it fixed and it was a global problem. But me and one of the guys who ran a workshop earlier were sitting in the talk, and we saw that what he was describing was a write-what-where. You could clobber global variables used by the device by sticking [ __ ] in a cookie. So you'll see what I mean in a second. Somebody far smarter than me wrote a reliable exploit for it, and this is all you send. You send this, like, a snippet from the proof-of-concept exploit that Kenzo wrote. Now Kenzo is an interesting chap, because I've no idea who he is. He discovered the other vulnerability as well. He's some Irish dude. I've no idea who he is. Ireland's a pretty small country, so we all kind of know each other, and this wild card comes out of the blue and starts writing sploits for all the things and just causes havoc and then disappears off the face of the earth.

So what's interesting with Misfortune Cookie is that you've got these key-value pairs in cookies. We all know how cookies work. Now with Misfortune Cookie, the key in the cookie basically represented an offset to clobber, and the value was what the [ __ ] you want to clobber the offset with. So it's the most trivially exploitable bug of all time. All you do is take apart the firmware, find the binary, go "oh, here's where the bit that says 'requires a password to log in' lives", and clobber it with "ah, no mate, it's all fine" or "authentication successful". So yeah, pretty grim. And this particular value here will exploit the blah blah blah rebranded ZyXEL [model inaudible] that Eircom ship everyone. There's one in my parents' house. I looked at it and I was like "oh, my parents actually got hit by the TR-064 worm". Eircom sent out an advisory, told their customers saying "yo, you might want to change your wireless password, 'cause somebody jacked it". Some BBC reporter went to TalkTalk with 100 TalkTalk customers' Wi-Fi keys that got stolen and got dumped online and went "yo, your customers, not only does their internet not work anymore, but their Wi-Fi passwords have been jacked". And TalkTalk, being TalkTalk, just said "no, no, no, didn't happen, didn't happen, didn't happen, only 100 of them, only 100 of them, we've only seen 100". I've seen the dump. I stumbled across it by asking and begging and going "who the [ __ ] did this [ __ ]?", and eventually I got a hold of it. There's 77,000 TalkTalk customers who you can just connect to their Wi-Fi, because the creds are on the [ __ ] internet. Those creds also, incidentally, happen to be the admin passwords for a lot of the routers, because, lol, TalkTalk. We kind of know what to expect from TalkTalk. I mean, you know, SQLi in 2016 and now we've got this, you know, it's the norm. I feel sorry for them though; they're kind of [ __ ] by legacy stuff, or they're implementing what they're told to implement because "best practice".

So with 069: 069 again is a DSL Forum specification. It again has a little bit in about doing security, because apparently you have to put in a little notice saying "do", you know, so people can ignore it. So at least it's there. But 069 is a bit more... it supports TLS, it supports authentication. The protocol is a mess. As I've said before, I'm not going to complain about that much more, it's just a disaster. It's basically like everyone and their mom brought the technology they liked to the table, and when they were designing the protocol they said "okay, we'll keep you all happy, we'll put all of it in", you know, we'll make it do everything, the kitchen sink's in there. So you've got the SSL/TLS, it's optional. Some setups are decent: you can have mutual auth, you can have client-side certs, you can have cert pinning, all this other gubbins. And other people just, you know, YOLO plaintext, because [ __ ] crypto, crypto's hard. You can do WTH as well.

So in a lot of cases the router to the ACS... the ACS is the device at the ISP that controls all of the [ __ ]. It's like the best command and control server in the world, because it's designed to do that. You can use basic auth, so you can authenticate your clients, or you can use the shared secret, or you can use client certs or whatever. In a lot of cases I found the CPE-ACS bit is kind of irrelevant. What they're interested in is they'll have a static password for all their customers and the username will be an identifier; the username will be a per-device ID, so they can go "oh, this is Joe Bloggs's router, oh, he's having a bit of a problem, it's out of sync, we'll just reboot it remotely", or "we can snoop his traffic", etc. etc., because there's a lot of undocumented [ __ ] in some of the implementations. But, you know, it's not as if they're going to spy on you. But TR-069, it's XML, it's SOAP, but it's got other XML [ __ ] as well, because if you're doing stuff with XML you might as well put more XML. So you've got STUN, you've got SOAP, you've got UPnP, you've got XMPP, and you've got basically any protocol you can think of that involves a bit of SOAP or a bit of XML. They'll probably jam it in, which means you've got the world's greatest attack surface, 'cause I looked at this [ __ ] and I went "whoa, I don't even know where to start with fuzzing this". This is a bit too much, this is too hard to handle.

So we know the CPE, and we all know that embedded devices and routers are [ __ ]. You know, routers are routers, they're going to route, they're going to have hardcoded creds, blah blah blah, they're going to get wrecked by dny, blah blah blah. But okay, they ship crap devices to consumers, but surely the ISP, 'cause they do billing and stuff, they're going to have their [ __ ] together. They're an internet service provider; you think they know something about internet. So of course it's going to be rock-solid enterprise software, you know, probably written by, I don't know, the IBMs, the Oracles of the ISP world or whatever. And it can't be that bad, because it's enterprise and it's used by serious people with billions of dollars involved, or billions of pounds, or billions of euros, or billions of... well, quadrillions of yen. There's a [ __ ] ton of money there; they use this stuff for billing, so of course it's going to be secure, right? 'Cause ISPs like making money, it's kind of their job.

So that's what I want to talk about in the second act of this, in which we hack the planet, because rock-solid enterprise software can go [ __ ] itself. So we're going to talk about world domination, and this kind of sums it up, and this is what you can do right now with the state of affairs things are, because lol. So when I was thinking about the threat model of this, after all this happened, I sat down and I said to myself "what's the realistic threat model?", and I had to think through "oh, it'll be Iran or China or a nation state", and I thought "no, sod that, I'm not Mandiant, I'm not FireEye, I'm not [ __ ] Clown Strike, I'm me". So I'm going to think like a 15-year-old script kiddie who wants to make the biggest DDoS botnet on the planet, because that's what happened with previous vulnerabilities. So we want to own loads of routers everywhere to do some crime, right? That's the threat model: some idiot going "I want to pop all this [ __ ] and I want to do some serious crime". But we pick a lazy 15-year-old. I've been a lazy 15-year-old, I know what the mindset's like. It's like "oh, I could get a botnet and scan all these devices one at a time, but no mate, that's like effort and stuff, and I want this cheap, I want this quick, I want this easy. I don't want to rent a big box with a gigabit pipe to scan, because that's a chore, my mom's credit card won't stretch that far". We want to do this on the cheap; we want to nail all the [ __ ] in one go.

So by the way, if you're looking for advanced memory corruption or stuff, I'd advise going somewhere else, 'cause all the bugs in this are disappointingly hilarious. You're not going to find some advanced ROP chain [ __ ] like with browsers; this is going to be entry-level stuff, because my threat model was 15-year-old. So, you know, some of you might have kids; your kids could probably pull this [ __ ] off overnight faster than me. So we want them all in one go. So we figure we've got a slightly smart 15-year-old who goes "okay, so I want to hack loads of boxes, so I hack the box that has access to all the boxes". So we got somebody who's got a bit of a clue, we got somebody who can read, so we got a literate 15-year-old who's got enough patience to wade through a few pages of stuff before they go "ah, [ __ ] this". So I started auditing ACS servers in my free time, just kind of a bit of a hobby project initially, before I thought I'd give a talk on it. I was like "this will be fun, I'll just have a look for the really low-hanging fruit". We found... I mean, there's probably a load of fruit in the tree, but you're knee-deep in low-hanging fruit here. You'll see in a minute, it's like you're in an orchard and all the apples just drop on your [ __ ] head and you go "oh, okay then, don't even need to pick them, they're just there".

So so far I've done a quick and dirty audit, with the attention span of a bored 15-year-old, of FreeACS, which is [ __ ] 'cause it's written in Java; OpenACS, again crap; LibreACS, which I found out a bit of time in was actually a fork of OpenACS, same [ __ ], not maintained, bad documentation, terrible Java crap; and then I looked at somebody who'd written a TR-069 server library in PHP using Laravel and all this PHP developer nonsense. So I was like, it's PHP, I mean they're basically glue-sniffing monkeys, I'll find an easy win there, and people might find it a bit funny to look at. See, yeah, I had a quick look, I found something within 2 minutes, we'll get to that in a bit.

So the disclosure timeline for the first bug with FreeACS: at some point in the last while, I can't remember when, I found some bugs. Between then and April I worked on weaponizing the bugs. April, I disclosed them. Now they haven't fixed them yet, so you can take the exploit from today and run rampant on the internet and cause chaos and be the bored 15-year-old that 15-year-old you wanted you to be, or something. That's a very clunky sentence, but you get what I mean. So FreeACS has been around for a while, and it's been around the block, and I'm not sure if it's a very small group of developers, like two of them, or one person, or one person with schizophrenia, I'm not sure, but it seems to be a one-man operation. And it says a lot of things, and it's based on Tomcat, Java and MySQL, so I was like "okay then, things I hate". So they call themselves "the most complete TR-069 ACS available for free under the MIT license"; that's copy-pasted from their website. So "most complete" to me rings alarm bells of "most attack surface". And by the way, with regards to attack surface, I've not even scratched the surface; the surface is pretty much intact. If you go digging for bugs you will find heaps of them. You will give up, because you will find bugs that make your other bug unexploitable, because it's so [ __ ] buggy. Well, we'll get to that in a minute. There's bugs in your bugs.

So how do you install FreeACS? So you wget the shell script over plaintext HTTP, you chmod it, and you run it as root, and that's how you install it. And then you read chapter 4, do the other 10% of the nonsense to make it work, and even then it barely works. And this is things that, you know, you'll see it's out there, people use this. And so I looked and I created some Shodan and Google queries. I did some stuff with Censys and Bing, because there were some default logins, admin / xAPS, and nobody changes default creds. Default creds are default, you know, you leave them, you make a new user or something. And finding how to change the password took me a few minutes when I set up my local one. I was like "where the hell is the password change form? It's not here, it's not here". Most sysadmins go "yeah, screw it, it'll be fine". There's quite a few on the internet. The lovely people at BinaryEdge ran some scans and they found quite a few, so there's a lot of these out there in production at some quite large ISPs, on the public internet. So you can find them, Google, Bing, whatever.

So then I started looking, and I thought I'll look at post-auth first and get a feel for what the application is, and what I discovered is it's basically like a cross-site scripting test bed that optionally has an ACS server as a bonus. You can just stick in any JS anywhere and you'll get some XSS out somewhere, and these were all post-auth bugs, which I wasn't very interested in, but there's some screenshots just so you can see what kind of stuff I was dealing with. So I was like "oh, okay then, we got an alert box", followed by "we got another alert box", followed by "I've stared at numbers in my [ __ ] alert boxes, 'cause there's alert boxes in my alert boxes". So yeah, I mean, this would be a really good project for, like, find a cross-site scripting bug. It's like the XSS test bed; you could probably use it as a good benchmark for XSS finding tools. But we don't care about post-auth, we want pre-auth. We don't want to rely on default creds or brute forcing a login or stealing some creds. We want pre-auth; we don't want to have to deal with silly nonsense like passwords. It needs to be remote; we don't want any of these local bugs. So this cut down my scope. It needs to give us privileged access, it needs to either give us root on the box or an admin account in the ACS, and it needs to be easy, because again, threat model is bored 15-year-old, we want it on the cheap and we want it now.

So pre-auth, the attack surface is pretty [ __ ] great, right? So if you just pretend to be a TR-069 client, i.e. a router, ping going "hey, what's up ISP, I'm a router, here's my stuff", you're sending a big blob of XML to a probably buggy parser. And so I sat down and I hacked about a bit and I created a valid CWMP notify, which is the first message a router sends the ACS. So I created one of those messages to fuzz with, and, you know, borrowed it from some bits and used other people's stuff and created this as kind of my test fuzzing packet. And I looked and went "oh no, oh no, not XML, make it stop, make it go away, no, can we not just move to JSON? At least I can read JSON, I don't like these angle brackets". No mate. I mean, it's hard enough to parse with computers, I mean, the hell with looking at that, it'll give you a headache. So I tried fuzzing the XML and my test box kept falling over, which is indicative of a denial-of-service bug somewhere, but it's XML, and XML is like denial-of-service bugs with an optional markup language thing that you can put gubbins in. So I got bored really fast and I went "nah, this XML message stuff is a bit hard, this is too much effort for your 15-year-old threat model". So I said the XML, no, too difficult, we'll come back to it if we don't find anything else.

So I looked at the basic auth. There was no auth header in that one, and I was like "does this do some magic with the basic auth?" Oh yes it does. So the username in the basic auth field is used to denote what device it is; it's a device ID, because we use authentication as identification, because we don't know our arse from our elbow. So it's used as a unique ID in a lot of cases, and FreeACS is no different. So it's an input, it's an input field that we can play with, and it turns out basic auth lets you put a whole lot of crap in there and it doesn't really care what you do. It's a pretty good fuzz vector for stuff like this.

So this is what I mean by bugs in my bugs. So the basic auth username gets popped into a SQL query. There's no sanitizing. Sanitizing, you know, we haven't got there yet; these enterprise Java developers, they're still stuck before SQL injection was a thing. Somebody might want to let them know. So in theory there's a lovely SQL injection there that's super trivial to exploit. Now it turns out this slide's slightly wrong. I thought there was a character length limit, which was why it was breaking. I have no idea anymore. It's not a character length limit; I've put loads of crap in and you can do the SQL injections, it's just that you don't get immediate output. It's blind, it's second order, it's a bit of a chore. Like, injecting your SQL query is easy; the SQL query then executes and you don't get any output, but it doesn't execute immediately, it executes some arbitrary time in the future, so you'll need some kind of side-channel gubbins, or maybe make a really, really, really well-crafted SQL query to create out a user or something. And no, but the funny bit is that if your SQL query syntax is not correct, the entire thing shits the bed and falls over and refuses to come back to life. I discovered this after resetting the VM, reverting back to [ __ ] snapshot, a lot of times, and I got really sick of doing this, so I decided to look for something else.

So as I said, the username in the basic auth, it's unsanitized. The username that a router sends also pops up in the UI when the admin is in doing admin things in the admin thing, and they don't sanitize their SQL. And we know it's basically made of XSS, so I kind of started thinking "I might be on to something here". Yeah, so an unauth client can send a thing that does XSS in admin land. You got some payload limitations; I don't think it's actually a character length anymore, I have no idea. But then I realized your cross-site scripting payload must not [ __ ] up the SQL injection, SQL query gubbins, otherwise you screw the box. So you got some restrictions there, because you've a bug within a bug. You've nested bugs; it's bugs all the way down, like turtles and Discworld or some [ __ ]. Or not Discworld, in Stephen King's magic planet world thing of Dark Towers. So yeah, we got some problems. So when the admin logs in they get an alert box. Cool, sweet. And then I thought to myself, well, I've got these weird limitations, so I've got to do something cool with this XSS, to do something interesting. So I loaded a remote script and it worked fine, so the test worked. So then I thought, how do I take over the ACS? Well, I had an admin user, because these people haven't heard of cross-site request forgery protections or any of that, so this will be easy, right? Except I'm lazy and I hate JavaScript. Like, I refuse to write JavaScript for whatever reason. So I built the exploit by copy and pasting from Stack Overflow, and guess what, it works. So you send a POST request when you're logged in and it'll add an admin user. And again, yeah, just copy and pasted it from Stack Overflow, because I didn't want to write any JS, because, see, I like to occasionally go outside and go to the pub and things, and I can't be arsed learning JS properly, so [ __ ] it, Stack Overflow mate, the JavaScript developer bible. So I wrote an exploit and it works. So you inject your

crosslite scripting payload and then you wait a bit CIS ad logs in the next day to do ACS things you can trigger the system in logging in with an ISP by maybe ringing up their support hel line and then they'll have to log in to do stuff and then the payload fires and it adds an admin user and then it tells you hey buddy I've added an admin user this ISP is now yours so game over for them and really easy to do so you know you get a lot in that's an admin user and yeah you get at it and is admin flag is set to True blah blah blah so you've just racked that entire ISP and one go

you know you'll have to go clean up your cross- scripting afterwards but that's outside the scope of board 15-year-old they just want access and they want it now so yeah you can log into the ACs and you can play about with things and you can do magic so what do we do next well if we're the script Kitty we scan the internet or we Showdown census Google Bing binary age whatever way you like to find boxes to find the free ACS boxes you spray out your crossy scripting magic payload by the cwmp notify with no off and then on Monday when ISP people come into work they sit down they log in you own them

wrecked game over end Planet hacked so um and then I started looking at you know free ACS cool so I looked at open ACS and Libra ACS which is the world's shortest software audit so the problem with these is the documentation [ __ ] and I could barely get them to work when they worked they'd fall over all the time I couldn't figure out if I was triggering a bug or if it was just software being crap and it was kind of a bit of both so I sat down with the setup guide and for like making sure that testing is repeatable when I set up a piece of [ __ ] software to break it I set it up exactly as they

tell you to do it because that's how most people will do it and it's you know the it's how the developers intended you to do it how God said you should do it it's J boss my squel [ __ ] docks the usual um Step One set up blah blah blah start fuzzing and probing it NOA freaks out and then I stopped and I went hold on a minute this was a total pain in the ass to set up I should look at the config see if there's any problems there yeah there is so it's actually I call it the misconfiguration server because um it's J boss based anybody familiar with J boss will recognize

these URLs these are endpoints to give you remote code execution with no effort so you can wreck them all and it turns out that all the installer docs you end up creating my SQL root user with a blank password which reminds me somewhat of what allegedly happened to a company called Stratford so you're getting [ __ ] if you're using this stuff because it turns out that the blank password bits hardcoded somewhere so you have to go and do some magic to make it work so yeah we were able to pop shells all over the shop when I tested Libra ACS and open ACS and that was a bit boring and I was like who once AED this

[ __ ] so I decided to look at another ACS piece of software because I didn't want to bore you guys with like boring bugs from 10 years ago that still pop up cuz badman's can't badman oh yeah by the way these are in the wild there's a there's a national ISP somewhere that runs this there's a few others um I stopped looking because I'd end up drunkenly popping some isps or something you know testing is it really there so I said no no hands off but these things are on the internet and I think some are getting replaced after emails got sent but I doubt it Legacy stuff in it so I want to break from java

so I decided to look at another piece of ACS crap I didn't want to look at any more Java so I looked this one in PHP that's the GitHub link PHP stuff to do stuff with laravel um to do ACS it's written in PHP so I had a quick look yeah basically this um [ __ ] happens this was yeah you don't just unserialize it once you might as well unserialize it every time and because laravel is basically magic and auto loads a ton of crap in you don't need to look through your application for like a magic pop Gadget or a Constructor Destructor because turns out laravel's autoloading will helpfully do this [ __ ]

for you and give you loads of Pop gadgets to create your PHP chain to get a shell it's like it wants to help you I mean somebody once called PHP the HTP API for remote code execution they're not wrong so yeah I mean it's exploitable there's a couple of ways you can mitigate um but nobody's going to do that cuz PHP devs LOL I mean even if you mitigated it by killing the pop chain you could still use you could you'll find one of a trillion memory Corruptions and unserialized like how pornhob got wrecked by the bug Bounty people um if you use this Library you're getting screwed and people do use this library in production that was written by some

guy's a little hobby project bit like open cell and big mats um you know people's hobby projects become infrastructure so what do we do with the Hacked ACS well the easy one is um change everyone's DNS servers do Mass farming maybe Jack everyone's Wi-Fi Keys maybe change their ntp servers to screw with them maybe reflash their firmware and change the ACs server URL in n v Ram so the only way to unscrew things is for the ISP to ship out new devices or send an engineer to every customer's house or you could mess with billing provision new stuff launch the biggest DDOS button in the world whatever the hell you want to do the world's your oyster you're

basically the poor man's NSA with a cross-site scripting bug and a few config issues and the fact that you know everything's [ __ ] so um the defenses isps use they trais restrict that's a waste of time they do oh it's on a management subnet we pop one customers's router it's game over they do this Mutual sell all stuff oh we just pop one of your customers routers and again you're screwed or they layer these defenses to do defense in derp and you know they still get [ __ ] because they're relying on pieces of crap Hardware that are made for like 20 cents so yeah it's game over mitigations aren't going to work just scrapped a

lot next on the agenda ex this ongoing research um audit more I servers you should all audit an i server there's a load of them out there every tin vendor out there has made one um audit more the CP and stuff um there's some stuff out there it's not romager I know that orange the Telco and France have open sourced their t69 client bit gobbin and it's crap and written in see um I need to look at tier 111 the smart TV stuff um in the future Sky BT virgin any of the crowds who do TV as well as ISP will probably implement this and it's got the same issues so you can you can write

exploits for the future by looking at that you know you you can be a time traveler I know everyone wants to go back in time you know bring an OD day back with them and hack the planet you can do this right now um yeah yeah just thanks to all these people and a whole bunch of others who aren't named um for just help me along with this yeah
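The Basic Auth handling the talk picks apart (the device ID is whatever username the CPE puts in the Authorization header, it is then dropped straight into a SQL query and later echoed into the admin UI), shown as an added Python example that is not code from the talk, from FreeACS or from any other ACS. The vulnerable lookup and rendering are placed next to their hardened forms, and a small front-door check rejects and flags device IDs that fail an allow-list before they reach SQL or HTML. The unit IDs, the table layout, the device-ID character pattern and the header values are all constructed for this example:

```python
from __future__ import annotations

import base64
import html
import re
import sqlite3

# Constructed sample Authorization headers, the kind a CPE sends on its first
# CWMP request. The Basic-auth username is what the ACS treats as the device
# ID. The second header carries a username with SQL and HTML metacharacters,
# the shape of value the talk says the ACS accepted without complaint.
LEGIT_HEADER = "Basic " + base64.b64encode(b"00D0AA-SN12345678:cpe-secret").decode()
HOSTILE_HEADER = "Basic " + base64.b64encode(b"<b>x</b>' OR '1'='1:pw").decode()

# Assumed device-ID shape (OUI plus serial): a short allow-list of characters.
# Real deployments would derive this from their own provisioning format.
UNIT_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def parse_basic_auth(header: str) -> tuple[str, str]:
    """Decode an HTTP Basic Authorization header into (username, password)."""
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    username, _, password = decoded.partition(":")
    return username, password


def new_db() -> sqlite3.Connection:
    """In-memory stand-in for the ACS unit table, seeded with two known CPEs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE units (unit_id TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO units VALUES (?)",
                   [("00D0AA-SN12345678",), ("00D0AA-SN87654321",)])
    return db


def lookup_unit_vulnerable(db: sqlite3.Connection, unit_id: str) -> list[str]:
    """The pattern the talk describes: the username is concatenated into SQL,
    so a crafted device ID changes the query (here it matches every unit)."""
    sql = f"SELECT unit_id FROM units WHERE unit_id = '{unit_id}' ORDER BY unit_id"
    return [row[0] for row in db.execute(sql)]


def lookup_unit_safe(db: sqlite3.Connection, unit_id: str) -> list[str]:
    """Hardened form: a bound parameter, so the value can never become SQL."""
    rows = db.execute(
        "SELECT unit_id FROM units WHERE unit_id = ? ORDER BY unit_id", (unit_id,))
    return [row[0] for row in rows]


def render_unit_cell_vulnerable(unit_id: str) -> str:
    """Admin UI as described in the talk: the device ID is echoed into HTML raw."""
    return f"<td>{unit_id}</td>"


def render_unit_cell_safe(unit_id: str) -> str:
    """Hardened form: output-encode at the point of rendering."""
    return f"<td>{html.escape(unit_id, quote=True)}</td>"


def handle_inform(db: sqlite3.Connection, header: str) -> dict:
    """Defensive pipeline: validate the device ID before it touches SQL or HTML,
    and mark anything failing the allow-list so operators can see probing."""
    try:
        unit_id, _password = parse_basic_auth(header)
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        return {"status": "rejected", "reason": f"bad header: {exc}"}
    if not UNIT_ID_RE.match(unit_id):
        return {"status": "rejected", "reason": "device id fails allow-list", "alert": True}
    known = lookup_unit_safe(db, unit_id)
    return {"status": "ok", "known": bool(known), "cell": render_unit_cell_safe(unit_id)}


if __name__ == "__main__":
    db = new_db()
    hostile_id, _ = parse_basic_auth(HOSTILE_HEADER)
    print("vulnerable lookup:", lookup_unit_vulnerable(db, hostile_id))
    print("safe lookup:     ", lookup_unit_safe(db, hostile_id))
    print("vulnerable cell: ", render_unit_cell_vulnerable(hostile_id))
    print("safe cell:       ", render_unit_cell_safe(hostile_id))
    print(handle_inform(db, LEGIT_HEADER))
    print(handle_inform(db, HOSTILE_HEADER))
```

The two fixes are independent and both are needed: the bound parameter stops the second-order SQL problem, and escaping at render time stops the stored XSS in the admin page even when the device ID has been accepted into the database. The allow-list in front of both is the cheap extra layer: an ACS only ever expects device IDs of one known shape, so anything else is worth rejecting and counting rather than storing.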