Breaking

Autonomic Network Overview – Part 1

Good Evening,

This is a 3-part series which introduces and analyzes Cisco’s implementation for Autonomic Network. In the 1st part, the technology is introduced and we have an overview about communication flow. In the 2nd part, Cisco’s proprietary protocol is reverse engineered 😉 then finally in the 3rd part, multiple vulnerabilities will be disclosed for the first time. If you’re aware of the technology, you can skip directly to part 2 where the action begins! 

Autonomic Network is Cisco’s vision for the future of smart networks. Autonomic systems have the ability to self-manage themselves. In other words, autonomic systems are smart enough to configure and secure themselves, optimize the running processes and re-run the failed processes. Cisco engineers in collaboration with IETF defined the Autonomic Networks main components and features through multiple RFCs found in the ANIMA workgroup. Cisco has deployed the Autonomic Network capabilities on their systems since 2014 and multiple big companies started to integrate and make use of Autonomic Network features within their systems. Continue reading “Autonomic Network Overview – Part 1”

Continue reading
Breaking

Insomni’hack pwn50 write-up

Hi all,

i´ve looked a bit at the Insomni’hack CTF which took place on the 21st January and lasted for 36 hours.
For the sake of warming up a bit for our Troopers workshop Windows and Linux Exploitation,
I decided to create a write-up of the first pwn50 challenge.

To grab your own copy of the presented files you can also find it in our Github repository:

Continue reading “Insomni’hack pwn50 write-up”

Continue reading
Breaking

A short Addendum on the Mirai Botnet Blog Post

While doing heap research on Linux processes (results are going to be published soon), I came across the bot from the Mirai Botnet. As already mentioned in the blog post by Brian, the Mirai bot uses obfuscated configuration data which contains e.g. the CnC server. When now confronted only with a bot (e.g. in the context of a running task or the ELF binary), but without the according source code, the decryption of this configuration data for e.g. incident analysis purposes might not be easily possible (with the python script from the blog post), if the key has been changed.
But in this case that is not a problem at all, because Continue reading “A short Addendum on the Mirai Botnet Blog Post”

Continue reading
Breaking

Analyzing yet another Smart Home device

As you have probably already recognized, some of us here at ERNW are doing research in the area of smart home technologies e.g. KNX. Recently, we took a deeper look into a device which is used to control a smart home system produced by the vendor BAB TECHNOLOGIE GmbH called “eibPort”. This device can be used to control smart home systems based on different technologies e.g. EnoCean or KNX depending on the version of the device. Continue reading “Analyzing yet another Smart Home device”

Continue reading
Breaking

Some Notes from the Lab – BlackNurse in the IPv6 Era

Since BlackNurse was released on 10th of November, we asked ourselves whether this problem does also apply to ICMPv6 traffic. To answer this question, Christian Tanck (one of our students) build a lab with several firewall appliances. Kudos to him for testing and the following blog post.

Continue reading “Some Notes from the Lab – BlackNurse in the IPv6 Era”

Continue reading
Breaking

Research Diary: IP-Cameras Part 2

Hi everybody,
This is the second entry in our research diary on IP cameras. If you haven’t done so yet, you should read the first entry in advance. This time we focused more on analysis and exploitation.

Another entry vector

After running a vulnerability scan on both devices, it was revealed that the M1033 has multiple buffer overflow vulnerabilities (CVE-2012-5958 to CVE-2012-5965), which are readily exploitable via Metasploit. This gave us another shell (in addition to the root shell mentioned in the last post), though this time it was not a root shell. By using the find command, we searched for executables having the setuid or setgid bit set. We hoped to use one of those to escalate privileges. To do so yourself add the parameter -perm -4000 to find and it will search for files having the setuid bit set. If you try that on your own unix-like device, for example it should yield /bin/passwd which is perfectly reasonable as you’re able to change your password without being root.

Continue reading “Research Diary: IP-Cameras Part 2”

Continue reading
Breaking

Research Diary: IP-Cameras

As you probably know we perform research on a regular basis at ERNW. This post is the first entry on our – Benjamin’s and Pascal’s – research diary. You might already have seen Oliver’s post on setting up an research environment or Brian’s posts on IoT botnets (here and here). With that in mind we want to take a look at one of the market leaders for network camera equipment: AXIS.

Continue reading “Research Diary: IP-Cameras”

Continue reading
Breaking

IoT the S is for Secure – Unknown Administration Interface in Wireless Plug

Dear Readers,

just recently i bought a wireless plug on Amazon with the main use of controlling my coffee machine with an app. The installation of the wireless plug was quite easy and only requires me to set my Wifi SSID and my passphrase – that’s it. But what happened behind the scenes? I visited the control interface of my router and saw that along with the other devices there was a new one with the network name HF-LPB100 and a local IP address in my case 192.168.0.235. First of all i wondered about the name itself, but ignored that and kept on looking for open ports.

Continue reading “IoT the S is for Secure – Unknown Administration Interface in Wireless Plug”

Continue reading