
Okay, let me introduce... Good. All right, thank you, sir, for giving a thumbs up. All right, our next talk is called When It Rains It Pours; it's about connected devices. I cannot hear enough talks about connected devices, honestly. Seriously, I mean I'm being serious, not sarcastic, because it's just, it's a mess, you know, and I love hearing about how, well, I'm not gonna steal your thunder. I'm excited to hear this. So Sam, Sam is a senior security consultant with a passion for connected devices and breaking home automation: Sam Granger.

Thank you, sir. Thank you. All right, can everyone hear me okay? Okay, yes, Bill. Good afternoon. Thank you for coming to my presentation, titled When It Rains It Pours. The purpose of this presentation is to take you through the journey that I went through to uncover several critical security vulnerabilities in a popular irrigation system using basic pen testing tools and techniques. This presentation also serves as the final stage of the responsible disclosure process.

So first, a disclaimer: the views presented in this document are my own and they do not represent the position of my employer. And secondly, all the testing was performed exclusively on my own personal device, or using the information generated from my own device.

So let's look at the agenda. First I'll talk a little bit about myself, then talk about what was compromised, how it was compromised, the methods used to compromise that device, some other stuff, and then how I profited.

So, a little bit about me. My name is Sam Granger. I am a security researcher, as you were told. I have a passion for connected devices and home automation, and in my spare time I've built several devices to turn non-IoT devices into, more IoT, I guess. This has mostly involved the use of radio with on/off keying and the likes of an ESP8266 chip to give things Wi-Fi. For those who don't know, the ESP8266 is like an Arduino with Wi-Fi built in.

So let's talk about what was compromised. The device is known as a RainMachine, built by a company called
Green Electronics. Per their website, the RainMachine empowers the gardener with the most weather-aware, iOS- and Android-capable multi-valve irrigation device on the market. Now, to most people this means that this device will go out to the Internet, it will grab some weather data, it will download it, and it'll make some intelligent decisions on how to water your garden. At the time of writing this presentation there were two models out on the market: the one in the back there is known as the Mini-8, and the one in the front is the Touch HD, which comes in a 12- or a 16-valve model. The Touch HD in the front runs Android Jelly Bean, and the Mini-8 in the back runs OpenWrt. The main application is written in Python, except for one component, which is the cloud connection daemon, which is a compiled binary. One of the features that really attracted me to this device in particular was how developer-friendly it is: they have a strong community of garden and tech enthusiasts, and the company themselves are very promoting of tinkering with their device through the use of their API and the SDK. Another nifty feature is you get SSH right out of the box, so that's really cool. And it is, of course, cloud enabled.

This screenshot here is a picture of the cloud interface. You enter your email address and your password, you get into your device, and this is what you're presented with: this is the dashboard. You have things like the zones down the bottom here, which control if you want to turn the sprinklers on and off; you have the programs, some weather information, and a nice little graph in the top left corner which shows you how much water you've saved because you're using a smart irrigation device. This works in both the cloud and there's also a local instance of it that you can just check on your local network.

This here is the REST API test page. This gives you access to the REST commands; you can use this to test out the various commands, and it also has the parameters, so you know what's required to actually make these different calls.

Method one. I called this "generating your own credentials". So, as I alluded to before, getting on the box with SSH is a feature. So once I was in the machine I found the interesting folder called rain machine app, and this is where the bulk of the functionality lives. So I copied this down to my computer for easier analysis, and I don't know if you can see from there, but the files are stored in this pyc format. The pyc format is a compiled bytecode format, and in this current state I wouldn't be able to open these files in a text editor and read them that easily,
easily being the key word, but it doesn't matter. The first test I'm going to do anyway is just a simple string search. So, bingo: FTP pass. I found some hard-coded FTP credentials in the RM diag upload file. This particular function is used to upload diagnostic logs to a centralized server, say if you're having issues with the device or something like that, but the host and the username were in clear text and the password was hex encoded, which is just not really any sort of encoding at all; you could just decode it with the likes of Burp Suite or anything online. So what was the impact? Well, I would later find out that the credentials were shared liberally amongst all of the RainMachine devices, and it turns out that a misconfiguration in the FTP server not only allowed you to download your own logs but also the logs of other users. It turns out there were about three thousand odd unique devices that had uploaded logs to the server.

So what was in there? Well, I started monitoring my own traffic from my device to see what it was uploading during this process, and along with some system and application logs, one thing that really caught my eye was that it was uploading certain databases, and these were SQLite databases. One of them that really caught my eye was the RainMachine settings database, and here's what I had in it: it had a geographical location (obviously you need to pinpoint a location to do good weather forecasting), it had the email address of the user registered with the cloud, it had local session tokens, and it had, of course, the password hash.

So at this point I was hooked. I was like, this is really cool, I want to see what this device really has to offer. But I had a problem: I was stuck with these pyc files and I needed to get them back into a readable format. So this is where uncompyle6 came in. Using uncompyle6 I was able to convert the pyc files back into their plain form, and I started looking around for interesting functions, and this is where I came across one called the TOTP. Now, TOTP stands for time-based one-time password, and this particular code is a six-digit code that you would give the likes of an irrigation installer or a contractor to give them access to your device without having to give them your real password. In this way you'd also have to give them your email address as well, so they could log in through the cloud. Now, there's only one account on the RainMachine, and that's the administrator account, so giving someone the TOTP is actually as good as giving them administration control of your device. There is a caveat, though: you have a six-hour window that you can use this TOTP in, which to most people is probably plenty of time.

So I pulled apart the function, and this is it up on the screen here, and I noticed that the TOTP used the password to generate this code. Except when I started actually tracing through the different calls it was making, I realized that it wasn't actually the password used to generate this code but in fact the password hash, and this is shown in the third image down the bottom, where you can see it's making a select statement to the SQLite database.

So let's just recap for a second. I've learned that I can access thousands of these password hashes through the FTP server. I can also get the corresponding email addresses associated with those password hashes. I have the source code to generate my own password equivalent, and I only need that password hash to generate that equivalent. So, up in the top there, this is me creating my own TOTP function: I can give it a hash and it will generate me a one-time code, and for comparison I've shown the same code that you get if you make the request to the RainMachine device itself. So this definitely did work, and it did work through the cloud as well.

So this was my first CVE. This is CVE-2018-6011: the time-based one-time password function in the application logic of the RainMachine uses the administrator
password hash to generate a six-digit passcode that can be used for remote and local access, aka the "use of a password hash instead of a password for authentication" issue. This is exploitable by someone that can get hold of that hash value somehow.

So that's really great: you have access to thousands of RainMachine devices, you could probably cause some mischief, flood some lawns, make some water bills go up. Great, but really it doesn't give you access to the local network, and that's what we're really interested in. So I started looking around the UI for injection opportunities, and I came across this really neat function called "add new weather data source". Now I'll back up a little bit. What makes an irrigation system, or smart irrigation system, so great is the ability it has to go out to the Internet and look up weather data information, whether it's historical or forecast, parse that information and then turn it into something useful that it can make decisions on how to water your garden with. Now, there are certain situations where maybe the data you have isn't supported by the RainMachine yet; for example, if you own your own personal weather station, or maybe you just live in a location that doesn't have support yet. In these instances the RainMachine team was really generous, and they give you the ability to upload your own custom weather data parser, and this is in the form of a Python script. Now, I don't know about you, but anywhere I see that you can upload your own Python script, alarm bells start ringing. So today's forecast: cloudy with a chance of code execution. I grabbed the most simple reverse Python shell that you could probably find on the Internet, and even though it says there's an error in uploading it, as you can see I was clearly able to get a shell out of it. So there you go, CVE-2018-6012: the weather service feature of the Green Electronics RainMachine allows an attacker to inject arbitrary Python code via the "add new weather data source" upload function.

So there you have it, you've got your irrigation botnet army to do whatever you want with. But why stop there? Let's see how far we can take this thing. Let's look at some web attacks. This device has self-stored cross-site scripting: due to a lack of input sanitization, combined with a lack of appropriate response headers, such as specifying the content type as JSON, you can post a self-stored cross-site script. In this particular instance I've created a new program and I have changed the field name to, not a good name, but that of a malicious script; "alert(1)" seemed like a good name to me. And I was able to trip this by then looking up that program that I just created. There are some other vulnerable locations as well, like the zone creation, pretty much the same thing, and also this diagnostic log page: if you modify the email address that's registered with the cloud service, you can also trip a cross-site scripting issue. So this was CVE-2018-6906: a persistent cross-site scripting vulnerability in the RainMachine web application allows an attacker to inject arbitrary JavaScript via the REST API.

Let's say cross-site request forgery. In this particular instance I would make some super attractive-looking link that I would convince someone to click on. This would return some JavaScript, which would in turn make a POST request to actually upload a self cross-site scripting. In this case I'd do it via the email address: I've modified the email address of the user, and then I would have that JavaScript on the malicious page redirect to the diagnostic log page, which would then trip the cross-site scripting bug. In this particular instance I've had that cross-site scripting then make a call to get the TOTP function, which is the give-all, the grand code that I'm always after, and also pull out the email address of the user, and this sends it to the attacking server via a GET request. So in this way I'm able to steal credentials and then log back in to the device through the web portal, through the cloud. This is CVE-2018-6907: a cross-site request forgery vulnerability in the RainMachine web application allows an attacker to control the RainMachine device via the REST API.

What about clickjacking? In this particular instance the setup is actually very similar to before: you would use, possibly, a cross-site request forgery to trick them into uploading a self cross-site scripting bug, and rather than doing a redirect to get the cross-site scripting executed, you might try to convince the user to click on a fancy-looking button, like "click to win", and it's got a hidden iframe which would essentially trip the cross-site scripting. Obviously the previous method is way, way more effective, but this does have the advantage in that you can take advantage of some of the existing Ajax functions used in the REST API test page to trip the cross-site scripting issue in just a slightly different way. There are some other use cases for clickjacking: you might want to try to turn on SSH, or maybe you're just a pain in the arse and you just want to turn on their sprinklers without them knowing about it. So this was CVE-2018-6909: a missing X-Frame-Options header in the RainMachine web application could be used by a remote attacker for clickjacking, as demonstrated by triggering an API page request.

So what about some sort of authentication bypass? That
might be interesting. I started getting really curious about how this whole cloud service worked, and I learned that there is this cloud connection daemon which sits in the middle of the RainMachine web application and the cloud servers, and it acts as a very, very simple proxy: it would basically pass the information virtually unmodified to the device. So I decided to fire up SSLsplit and have a look at the traffic, and I noticed that it was mostly HTTP, but it had a few extra bytes at the start which indicated the message type and the message length. Now, the only impact this has is that it just made it a little bit harder to sniff this traffic, because some of the proxies out there that expect pure HTTP wouldn't work with this situation, but this is where SSLsplit would shine. And so I got curious. I was starting to watch the traffic, and before I'd even interacted with my device through the cloud I noticed that the cloud service was making requests to the RainMachine requesting information that you'd normally need to be an authenticated user to get out, and the funny thing was the RainMachine was honouring these: it just treated the cloud service like it was authenticated and passed back that information. It was giving it things like the version information, the machine time, and even information about the programs that were on that device. So I was really curious: how come this cloud service can act like an authenticated user before it's even gone through an authentication process?

So I took the SSLsplit logs and I converted them to a Wireshark format, because looking at red and blue is slightly easier than looking at black and white in this case, and I noticed that the requests made from the cloud service were really, really simple in nature, but one thing they did have in common is they always specified the Host header as localhost. The only time I didn't see this was when I actually tried to log into the device itself through the web, through the cloud portal, and in this instance the Host header changed to that of the internal IP address of the cloud server, and it was the only time I'd ever catch this 401 Unauthorized error; obviously I mistyped my password here, and that's why I'm unauthorized. So I looked around the code, and I found out that when the device checks to see if the user is authenticated, there's a little caveat to the side, and that checks if the client is local, and it turns out the way you're local is if you can specify the Host header as localhost. So was it really that simple? Well, yeah, it actually was. So I put together a curl request, very, very simple, to request the TOTP, which is, you know, the one-time code to give me access to everything, as an unauthenticated user, and I specified the header as localhost, and at first this didn't work, and I thought, why? But I tried playing around with it a little bit and I specified a port number as well, and suddenly the attack would work, and so I could bypass any sort of authentication. So this was CVE-2018-6900: an authentication bypass vulnerability exists in the RainMachine web application, allowing an unauthenticated attacker to perform an authenticated action on the device via the localhost:port value in the HTTP Host header, as demonstrated by retrieving credentials.

But surely this is something that the developers thought about. I mean, they actually added it as a feature to the device, so having this being abused by attackers may be something that came to their mind. And truthfully they did; they thought about this as an issue, but design and execution are not always aligned. There is a service that sits in front of the web application, which is the lighttpd service, which is basically a reverse proxy to the web application, and what this does is it takes the Host header and it will replace it with the word "removed". Except that's not quite how it works. What actually happens in reality is it doesn't replace it with the word "removed"; it appends the word "removed" to that header, and so you get a situation like we have down the bottom here: we have the Host header, whatever I specified, comma, removed. So what impact does this have on the application? Well, digging a little deeper, I learned that the way that the device is parsing headers, it's performing a split on the colon character. Now, the first part of that split is known as a key, and that becomes the header; so in this case it would be the Host header, and the second part of that split becomes the value, in this case localhost. Everything else beyond that point, any other splits that have occurred, are forgotten about. So if we specify localhost:port number, essentially we're just specifying localhost, and so I've demonstrated this on the right: this is the information that the application would see, and then after it's been processed this is what the final result is, and so in this way we have effectively bypassed the auth; we've used the localhost bypass authentication feature.

So I was curious: could this work through the cloud? Well, for it to work through the cloud, two conditions need to be in place. The cloud service would have to authenticate directly to the RainMachine device itself; this would mean that whatever password I typed into that cloud portal would be presented to the RainMachine, and the RainMachine would decide whether I should be authenticated or not. The second piece is that I would need to be able to control the Host header, or any of the headers, actually, all of the HTTP, and they would have to be preserved all the way to the device. Well, of those two things, the first one is actually how it works: when I try to authenticate, it's the device making the decision. But unfortunately the second part doesn't: any of the headers I specified in the cloud portal wouldn't go all the way to the device. So no, we cannot bypass the authentication through the cloud. Wait, did I mention mobile? The mobile service works in a little bit of a different way. The mobile service will call a subdomain appropriately named proxy finder, and this will use my email address to look up the unique ID of my RainMachine device. Once it has this unique ID it will make a call to the API endpoint using my unique ID in the URL. In this way it creates a tunnel where I am effectively communicating directly to the device. This means that I can control not only the body of the HTTP request but all the headers as well.

So here's my proof of concept. In this first screenshot I'm calling the proxy finder service with my email address, and it is returning all the information I need to know about my RainMachine device, including that unique ID. I then take that unique ID and I contact the API endpoint with the unique ID specified in that red location in the second screenshot, and I call the TOTP function to see if I could get that code back, and you can see I've specified the Host header as localhost. In this particular instance I don't have to deal with lighttpd, so I don't have to worry about any of these extra colons to try to trick it into letting me in. And the third screenshot here is just a way of me combining the first two to make it look really easy: you can just give it an email address and you
get some information back.

So what's next? Well, I disclosed my findings to the RainMachine team, and they responded to me within 15 minutes, acknowledging that what I had found was a really serious security issue. They immediately pushed out patches to resolve the issues associated with the cloud services and the FTP servers, to block those off from being attacked, and they subsequently pushed out some firmware updates to resolve some of the other bugs. Overall I was really, really impressed with how this company responded, and you could tell that they took the security of their customers exceptionally seriously.

So where was the profit? Well, I actually got a free unit out of it. They were nice enough to send me, as a thank you, a Touch HD, which was an upgrade from my Mini-8, so I was very pleased with this, and it was with this device that I would demonstrate some of the attacks I've talked about during this presentation. As I've mentioned, the cloud services have been shut off for these attacks, so I can't attack it this way, but I can demonstrate some of the attacks via the cross-site request forgery and cross-site scripting attacks.

So here's my attack chain. The user will log into the device; the device will return a session cookie. The user will click on a malicious link that I made super attractive somehow, and this will return some malicious JavaScript on a web page, and this JavaScript will use WebRTC to identify the local IP address of that device. It will then scan the subnet looking for RainMachine devices that it can attack, and I will let you know that there is one unauthenticated call that you can make to the RainMachine which will clearly identify it as a RainMachine device. Once it finds a RainMachine device that it can attack, it will post a cross-site request forgery to load up some cross-site scripting; this is the root program. It will then redirect to trip that cross-site scripting attack, and that cross-site scripting attack will go and fetch some more malicious JavaScript, because I couldn't fit all this on one line. And once that JavaScript has been returned it will do a few things. First, it will upload a Python script so that I can backdoor this device. It will also create a WebSockets connection so that it can get feedback about what's happening; there is absolutely no practical reason why you'd do this unless you're taunting the user, but for the purpose of the demo it makes it really easy to show what's happening in the backend. Once the Python script was uploaded, it will fetch a malicious shell script, because a shell script was a little bit easier to write in this case; no need to wonder why. And that shell script will extract some data, send it to the attacker, grab some new tools that will then look for other vulnerable RainMachine devices that it can use the Host header bypass feature on, and if it finds one with an active zone on it, it'll turn on a sprinkler, and then it will install some malware and will feed all the information back via WebSockets to the user. So let's hope this works. Do we get a bit of sound as well? Is it working? No, that's disgusting. Let's do a lot of this... I came prepared. Do we get sound off this by any chance?
[Music] All right, so this is the log. It's basically cross-site scripting; this is a WebSocket extracting data from the device. It's now searching for other RainMachine devices that are vulnerable to the associated bypass; if it finds one, it checks the sprinklers, I'd see if anything's active, finds a zone, turns on the sprinkler. It's not done yet: it's going to install a game. That's fantastic. Go check your RainMachine device to do that. So, unfortunately, the Doom sound that goes with it isn't here, but you can imagine how sad it was. I'm not very good at this game when I play it on this device either; that's about as far as I go.

Thanks, back to the presentation. So yeah, it plays. So let's get us back up there. No, no... I bet you it plays now. So yeah, it plays. For those that are interested, this is the PrBoom for Android package. This has been modified to fit the RainMachine device; it has a slightly different file structure, so to mess around with that and recompile it was a right pain.

So what do you take away from this presentation? Well, maybe it's stuff you already know, but I'll reiterate it anyway. Connected devices are often quick to market, with security being overlooked. Connected devices are a window into our homes, offices and our campuses. Connected devices have been hacked before and they will be hacked again, and the basic techniques are still profitable. So I'm now taking questions, and there's my contact information. Good, all right, continue on. So thank you, guys.
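The Host header locality check and the header-splitting bug described in the talk, modelled as an added example (not code from the talk or from the RainMachine project). The proxy's ", removed" suffix, the split-on-every-colon parser and the "localhost means local" rule follow the description above; the function names, the peer-address check in the hardened variant and the sample addresses are assumptions.

```python
# Added example, not RainMachine code. It models the pipeline described in the
# talk: the reverse proxy appends ", removed" to the Host header, the application
# splits the header line on every ":" and keeps only the first two pieces, and a
# value of "localhost" is taken as proof that the request is local. The hardened
# variant (assumed fix) splits on the first colon only and derives locality from
# the connection's peer address, which the client cannot choose.

LOCAL_PEERS = ("127.0.0.1", "::1")


def proxy_rewrite(header_line, through_proxy=True):
    """Front-end behaviour described in the talk: the proxy was meant to replace
    the Host value with 'removed' but appends ', removed' instead.
    through_proxy=False models the mobile path, where the header arrives as sent."""
    return header_line + ", removed" if through_proxy else header_line


def parse_header_naive(line):
    """Vulnerable parser: split on every ':' and keep only the first two parts,
    so 'Host: localhost:8080, removed' is read as ('host', 'localhost')."""
    parts = line.split(":")
    return parts[0].strip().lower(), parts[1].strip()


def parse_header_fixed(line):
    """Split on the first ':' only; everything after it is the whole value."""
    name, _, value = line.partition(":")
    return name.strip().lower(), value.strip()


def is_local_by_host(headers):
    """Vulnerable locality check: trusts a client-controlled header value."""
    return headers.get("host") == "localhost"


def is_local_by_peer(peer_ip):
    """Hardened locality check: use the transport's peer address, not a header."""
    return peer_ip in LOCAL_PEERS


def evaluate(host_value, peer_ip, through_proxy=True, parser=parse_header_naive):
    """Run one Host value through the modelled pipeline and report what the
    application would see and whether each locality check would pass."""
    line = proxy_rewrite("Host: " + host_value, through_proxy)
    name, value = parser(line)
    headers = {name: value}
    return {
        "seen_value": value,
        "local_by_host": is_local_by_host(headers),
        "local_by_peer": is_local_by_peer(peer_ip),
    }


if __name__ == "__main__":
    remote = "203.0.113.7"  # constructed remote client address (TEST-NET-3)
    for host in ("localhost", "localhost:8080"):
        print("naive parser,", host, "->", evaluate(host, remote))
    print("fixed parser, localhost:8080 ->",
          evaluate("localhost:8080", remote, parser=parse_header_fixed))
    print("mobile path (no proxy), localhost ->",
          evaluate("localhost", remote, through_proxy=False))
```

Only the `localhost:<port>` form survives the proxy with the naive parser, which is exactly why the port number made the request work; the peer-address check rejects every remote case regardless of what the header says.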