ADVISORIES | October 24, 2019

Buffer Overflow, Cross-Site Scripting / Request Forgery, URI Injection, Insecure SSH Key Exchange in Antaira LMX-0800AG

(eight advisories in document) Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is affected by a memory corruption vulnerability when processing cookies. An unauthenticated attacker could leverage the vulnerability to take full control over the switch.

It is also affected by a memory corruption vulnerability when processing ioIndex GET parameter values. An attacker with valid credentials for the web interface could leverage the vulnerability to take full control of the switch.

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is affected by a reflected cross-site scripting (XSS) vulnerability when accessing non-existent paths. An attacker could trick an operator into opening a booby-trapped link and exfiltrate the operator’s credentials or perform actions without the operator’s consent.

It is also affected by multiple cross-site request forgery (CSRF) vulnerabilities. An attacker could trick an operator into visiting a malicious page that performs actions on the operator’s behalf without their knowledge or consent, for instance changing the settings of the switch or creating a rogue user with admin privileges.

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) insecurely parses the System Property field of incoming Link Layer Discovery Protocol (LLDP) packets. An attacker on an adjacent network could send malicious LLDP packets that inject arbitrary clickable links into the web interface’s LLDP neighbors page, which opens the door to a range of social engineering ruses.

It also supports weak SSH key exchange methods and ciphers. An attacker could leverage these weaknesses to decrypt traffic or to interpose a rogue host between the device and the operator.
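The check a practitioner would want for the SSH finding is to read the algorithm lists the switch itself advertises rather than trust a version banner. The following Python script is an added example by the editor, not code from the advisory or from Antaira: it implements the RFC 4253 binary packet framing and KEXINIT parsing, audits the name-lists against a set of legacy algorithms, and includes a live probe. The advisory does not name which algorithms it considers weak, so the WEAK_* sets below are the editor’s assumption, and the sample KEXINIT is constructed, not captured from a device.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20

# Legacy algorithms a modern SSH audit flags. The advisory names no specific
# algorithms; these sets are the editor's assumption about what "weak" covers.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}
WEAK_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc",
                "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _namelist(names):
    """Encode an RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Build a KEXINIT payload from a dict of name-lists (missing lists are empty)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        payload += _namelist(lists.get(field, []))
    payload += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved
    return payload


def wrap_packet(payload, block=8):
    """Apply RFC 4253 section 6 framing for an unencrypted packet (no MAC yet)."""
    padding = block - ((5 + len(payload)) % block)
    if padding < 4:                      # RFC requires at least 4 bytes of padding
        padding += block
    packet_len = 1 + len(payload) + padding
    return struct.pack(">IB", packet_len, padding) + payload + b"\x00" * padding


def unwrap_packet(data):
    """Inverse of wrap_packet: return the payload of one unencrypted packet."""
    (packet_len,) = struct.unpack_from(">I", data, 0)
    padding = data[4]
    return data[5:4 + packet_len - padding]


def parse_kexinit(payload):
    """Parse a KEXINIT payload into {field: [algorithm names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}                    # 1-byte message id + 16-byte cookie
    for field in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n].decode("ascii")
        out[field] = [s for s in raw.split(",") if s]
        off += n
    return out


def audit(kexinit):
    """Return sorted (field, algorithm) pairs for every weak algorithm advertised."""
    checks = (("kex", WEAK_KEX), ("enc_c2s", WEAK_CIPHERS), ("enc_s2c", WEAK_CIPHERS),
              ("mac_c2s", WEAK_MACS), ("mac_s2c", WEAK_MACS))
    return sorted((f, a) for f, weak in checks for a in set(kexinit[f]) & weak)


def fetch_kexinit(host, port=22, timeout=5.0):
    """Live probe: do the version exchange and return the server's parsed KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexaudit\r\n")
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):   # servers may send banner text first
            line = f.readline()
        header = f.read(5)                              # packet_length + padding_length
        (packet_len,) = struct.unpack_from(">I", header, 0)
        return parse_kexinit(unwrap_packet(header + f.read(packet_len - 1)))


# Constructed sample (not a capture): what a device with legacy defaults might advertise.
SAMPLE_LISTS = {
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1", "curve25519-sha256"],
    "hostkey": ["ssh-rsa"],
    "enc_c2s": ["3des-cbc", "aes128-cbc", "aes128-ctr"],
    "enc_s2c": ["3des-cbc", "aes128-cbc", "aes128-ctr"],
    "mac_c2s": ["hmac-md5", "hmac-sha1"],
    "mac_s2c": ["hmac-md5", "hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}


def sample_findings():
    """Round-trip the sample through framing and parser, then audit it."""
    return audit(parse_kexinit(unwrap_packet(wrap_packet(build_kexinit(SAMPLE_LISTS)))))


if __name__ == "__main__":
    for field, alg in sample_findings():
        print(f"weak {field}: {alg}")
```

Run `fetch_kexinit("<switch-ip>")` and pass the result to `audit()` to check a real device; the probe never completes key exchange, so it is safe against production gear and leaves only a failed-connection line in the device log.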

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) stores passwords insecurely on the device. The passwords are only base64-encoded, which an attacker with access to the configuration can trivially decode.

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) discloses sensitive information (e.g. stack traces) in the serial console. An attacker with physical access to the device could leverage the information to help discover and develop exploits.

ADVISORIES | August 31, 2019

Reflected Cross-site Scripting in Microsoft Power BI

The application is vulnerable to reflected cross-site scripting (XSS). The requested data, which contains JavaScript code, is reflected in the response. Attackers could trick users into following a link or navigating to a page that posts a malicious JavaScript statement to the vulnerable site, causing the malicious JavaScript to be rendered by the site and executed by the victim client. The JavaScript code could be used for several purposes including stealing user cookies or as a second step to hijacking a user’s session. Another attack plan could include the possibility of inserting HTML instead of JavaScript to change/modify the contents of the vulnerable page, which could be used to trick the client.

WHITEPAPER | August 7, 2019

Arm IDA and Cross Check: Reversing the 787’s Core Network

In 2008, the Dreamliner was presented as the world’s first e-Enabled commercial airplane. Boeing certainly introduced an impressive new set of functionalities, enabling the vast majority of the components to be highly integrated with and connected to regular systems, such as onboard maintenance, data-load, and the Crew Information System.

IOActive has documented our detailed attack paths and component vulnerabilities to describe the first plausible, detailed public attack paths to effectively reach the avionics network on a commercial airplane from either non-critical domains, such as Passenger Information and Entertainment Services, or even external networks. 

EDITORIAL | August 1, 2019

Eight Steps to Improving Your Supply Chain Security Program

In this second of a two-part blog series on the supply chain, I’ll discuss how to improve your supply chain security.

Supply chain attacks aren’t anything new, but we’re hearing more about them lately, as threat actors continue to find new ways to breach networks. In fact, the most well-known supply chain attack dates back to 2013 when Target was breached through its HVAC supplier, exposing payment card and personal data of up to 110 million customers. In the last two years, NotPetya, Trisis and the more recent Wipro compromise have served as not-so-gentle reminders that supply chain attacks are damaging, costly and present many risks to both businesses and their suppliers.

The fact is: the more secure an organization itself is, the more attractive that organization’s supply chain becomes in the mind of the attacker. An attacker wants the easiest pathway into the network, so oftentimes it’s a supplier with an exploitable vulnerability that gets them full access to the original target’s network.

Most threat actors organizations face today are very smart. They know they don’t actually need to leverage a sophisticated, complex supply chain hack to wreak havoc on a network, steal data or intellectual property, or cause catastrophic damage. All they really need to do is look for unpatched servers and systems or send out a simple phishing email. Just look at the recent Wipro breach where dozens of employees’ emails were compromised through a phishing scam that gave the threat actors access to over 100 Wipro computer systems to mount attacks on a dozen Wipro customers.

Phishing and the use of stolen credentials are repeat offenders. In fact, the 2019 Verizon Data Breach Investigations Report found that 32 percent of breaches involved phishing and 29 percent involved the use of stolen credentials.

An unsophisticated cyberattack often yields a better outcome for an attacker — saving them time, money and resources while making attribution more difficult, so it’s in their best interest to take the easier path to their goal. We’ve seen many successful breaches where attackers penetrated systems through hardcoded credentials or just poorly patched systems.

That’s why, if you’re not protecting your own network against basic threat actors, doing your due diligence to patch properly, and holding your suppliers accountable for securing their own networks, you have no hope of protecting against nation-states or more capable threat actors. This is where third-party testing comes in: it lets you trust but verify your suppliers.

Here are a few key steps you can take today to build a supply chain security program:

  1. Know your suppliers and look upstream as well as downstream. Start with your tier-one suppliers and then identify tier twos and others. Take a full inventory of who you do business with so you can identify any weak links.
  2. Conduct a risk assessment. Once you’ve identified all your partners, you need to properly assess each one’s cybersecurity posture so you know the risks they may pose to your organization. You must consider where each device or component was built and who exactly built it. Is there a possible backdoor or counterfeit part? Or is it just the more likely software quality issues that can result in a breach?
  3. Utilize third-party testing. Hire a third-party firm to test your system, and that of your suppliers, to provide actionable results on what you need to fix first.
  4. Regularly scan and patch all vulnerable systems.
  5. Use strong passwords. Teach your employees about the importance of using strong passwords and not recycling them across accounts.
  6. Ensure your staff has set up multi-factor authentication everywhere possible.
  7. Conduct regular security awareness training to teach employees how to identify phishing scams, update software and become more security-conscious.
  8. Harden the security of the devices connected to your networks.

Make sure you’re not worrying about low-likelihood events like supply chain attacks if you’re not doing the basics of foundational security at your own organization. It’s really quite simple: you need to crawl before you walk, and walk before you run.

EDITORIAL | July 17, 2019

Supply Chain Risks Go Beyond Cyber: Focus on Operational Resilience

In this first of a two-part blog series on the supply chain, I’ll discuss the security and operational risk in today’s supply chain.

In the past 20 years, we’ve seen the globalization of the supply chain and a significant movement to disperse supply chains outside national borders. With this globalization comes many supply chain risks — risks that go beyond just cyber attacks and demonstrate a need for stronger operational resilience.

Most organizations want to take advantage of tariff treaties and overall cost savings by outsourcing the manufacturing and production of their goods, resulting in greater operational efficiencies. However, much of this supply chain globalization has actually made our supply chain longer, much more complex and less resilient. Nowadays, a product may have to go through multiple countries before it’s complete, offering more opportunities for things to go wrong from a supply chain risk perspective.

In the last two years alone, the global supply chain has experienced major disruptions from natural disasters, weather-related events and factory fires that have put organizations out of business. One of the most notable supply chain disruptions occurred in 2011, when hard disk drive production in Thailand was gravely impacted by significant flooding in the country. The flooding impacted the whole logistics chain, including the hardware manufacturers, component suppliers, the transportation of the devices, and the manufacturing plants and facilities involved in hard drive development.

Puerto Rico is home to more than 40 drug manufacturing companies so when Hurricane Maria’s tragic landfall in 2017 caused power outages, loss of life and utter devastation, it also disrupted the island’s biggest export: pharmaceutical and medical devices. Even a year after the hurricane, there were still supply chain disruptions involving a major manufacturing plant supplying IV saline bags to U.S. hospitals.

Another, more direct supply chain risk involves the delivery of sub-standard or altered components, where the supplier seeks extra profit by delivering low-cost goods. There are many examples of this over the years, including the 2010 VisionTech scandal, in which the company was charged with selling 59,000 counterfeit microchips to the U.S. Navy. Driven by the same profit-seeking behavior, in 2018 the owner of PRB Logics Corporation was arrested and charged with selling counterfeit computer parts. The parts were repainted and remarked with counterfeit logos, and PRB took it a step further to defraud the purchaser by falsifying test results when the buyer asked for verification that the components were delivered as specified.

While it’s difficult to predict when disasters, hurricanes or flooding may occur, or to know for certain if a device has been tampered with, there are several steps organizations can take to improve their supply chain management and overall operational resiliency, including:

  1. Don’t just select one risk to manage. Take a holistic view of your entire supply chain and try to identify the weakest links.
  2. Consider all potential disruptions and ways you can build and design your supply chain to keep it operational in the face of any foreseeable and unforeseeable challenges. If the suppliers with whom you deal directly are required to have a supply chain program and they expect the same of their suppliers, this will create a far more resilient supply chain of higher integrity.
  3. Don’t use substandard or modified/altered components and parts to save money. This can result in major issues with supply chain integrity and data integrity down the road.
  4. Trust and verify. Know what’s in your firmware and ensure there are no counterfeit hardware components. You need to verify what you cannot trust, including components from a third party, and you cannot fully trust what you cannot verify. Even if you trust a vendor, there’s always the possibility of a compromise further up the supply chain.
  5. Understand higher-order effects within your supply chain. A first-order effect is the direct impact of an event on a device or supplier; a second-order effect is the consequence that first impact has on everything that depends on it.

ADVISORIES | June 17, 2019

Configuration Shell Escape injecting OS/IPV6 commands, and HTML Injection in LLDP Packet System Name Field Leading to Persistent Cross-site Scripting in Antaira LMX-0800AG

(two advisories in document) An authenticated malicious user with access to the web interface (with manager privileges) or to the SSH/serial console (with enable/config privileges) can inject Operating System (OS) commands into the ipv6 configuration commands, which are executed with root privileges on the switch.
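The class of bug described above is a configuration command whose operand is spliced into a shell command string. The following Python is an added example by the editor, not code from the advisory or from the switch firmware (which is not Python): it shows the flawed pattern beside a hardened handler that validates the operand with the `ipaddress` module and passes each value as its own argv element so no shell is involved. The `ip -6 addr add ... dev ...` command, the interface-name rule and the `ipv6 address <prefix> <ifname>` syntax are assumptions standing in for whatever the real CLI runs.

```python
import ipaddress
import re
import subprocess

# Linux interface-name limits; an assumption about the target, not from the advisory.
IFNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")


def unsafe_command(addr, dev="eth0"):
    """The bug class behind the advisory: the operator's operand is spliced into a
    shell command string, so ';', '$(...)' and backticks all reach /bin/sh when a
    caller does os.system(unsafe_command(addr)). Returned, not executed, on purpose."""
    return f"ip -6 addr add {addr} dev {dev}"


def parse_ipv6_prefix(text):
    """Strict positive validation: only text ipaddress accepts as an IPv6 address
    (optionally with /prefix) gets through; shell metacharacters can never parse."""
    try:
        return ipaddress.IPv6Interface(text)
    except ValueError as exc:
        raise ValueError(f"invalid IPv6 address/prefix: {text!r}") from exc


def safe_argv(addr, dev="eth0"):
    """Hardened form: validate both operands, then build an argv list. Each value is
    one element, so even a value containing spaces or ';' is a single argument."""
    iface = parse_ipv6_prefix(addr)
    if not IFNAME_RE.match(dev):
        raise ValueError(f"invalid interface name: {dev!r}")
    return ["ip", "-6", "addr", "add", iface.with_prefixlen, "dev", dev]


def run_safe(addr, dev="eth0"):
    """Execute without a shell (needs CAP_NET_ADMIN to actually succeed)."""
    return subprocess.run(safe_argv(addr, dev), check=True, capture_output=True, text=True)


def handle_config_line(line):
    """Dispatcher for a constructed config-mode line, e.g.
    'ipv6 address 2001:db8::1/64 eth0'; returns the argv that would be run."""
    parts = line.split()
    if len(parts) != 4 or parts[:2] != ["ipv6", "address"]:
        raise ValueError(f"unrecognised command: {line!r}")
    return safe_argv(parts[2], parts[3])


if __name__ == "__main__":
    print(unsafe_command("2001:db8::1/64; id"))          # the shell would run `id` too
    print(handle_config_line("ipv6 address 2001:db8::1/64 eth0"))
```

The important design point is that the fix is not escaping: quoting the operand for the shell is fragile and still leaves a shell in the path. Validating against the exact grammar the command needs and avoiding the shell entirely removes the injection surface regardless of which metacharacters the attacker tries.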

An unauthenticated attacker on an adjacent network could send malicious Link Layer Discovery Protocol (LLDP) packets with JavaScript code embedded in the System Name attribute; the value is rendered unescaped on the web interface’s LLDP neighbors page, resulting in persistent cross-site scripting. It should be noted that LLDP discovery is not enabled by default in firmware v2.8.
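Both the HTML injection above and the link injection in the October advisory share one root cause: a string received from the LAN in an LLDP TLV is written into the web UI as markup. The Python below is an added example by the editor, not code from either advisory or from Antaira. It builds and parses an LLDP frame using the IEEE 802.1AB TLV format (7-bit type, 9-bit length; System Name is TLV type 5, which is the standard field corresponding to what the advisories call the System Name / System Property), then shows the unsafe rendering beside the escaped one. The MAC addresses, the `send_frame` helper and the payload string are constructed for the example; sending on the wire requires CAP_NET_RAW and an interface adjacent to the target.

```python
import html
import socket
import struct

LLDP_MCAST = bytes.fromhex("0180c200000e")     # nearest-bridge group address
ETH_LLDP = 0x88CC
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYS_NAME = 0, 1, 2, 3, 5


def tlv(tlv_type, value):
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then the value (802.1AB 8.4)."""
    if len(value) > 511:
        raise ValueError("TLV value exceeds 9-bit length field")
    return struct.pack(">H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(src_mac, chassis_mac, port_name, system_name, ttl=120):
    """Ethernet frame carrying the mandatory TLVs plus a System Name TLV."""
    tlvs = (tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac)         # subtype 4: MAC address
            + tlv(TLV_PORT_ID, b"\x05" + port_name.encode())     # subtype 5: interface name
            + tlv(TLV_TTL, struct.pack(">H", ttl))
            + tlv(TLV_SYS_NAME, system_name.encode("utf-8"))
            + tlv(TLV_END, b""))
    return LLDP_MCAST + src_mac + struct.pack(">H", ETH_LLDP) + tlvs


def parse_lldp_frame(frame):
    """Return {tlv_type: value_bytes} for the LLDPDU in an Ethernet frame."""
    if frame[12:14] != struct.pack(">H", ETH_LLDP):
        raise ValueError("not an LLDP frame")
    off, out = 14, {}
    while off + 2 <= len(frame):
        (hdr,) = struct.unpack_from(">H", frame, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if tlv_type == TLV_END:
            break
        out[tlv_type] = frame[off:off + length]
        off += length
    return out


def render_neighbor_row_unsafe(tlvs):
    """The behaviour the advisories describe: neighbor name dropped straight into HTML."""
    name = tlvs[TLV_SYS_NAME].decode("utf-8", "replace")
    return f"<tr><td>{name}</td></tr>"


def render_neighbor_row(tlvs):
    """Hardened: HTML-escape the attacker-controlled string before interpolating it."""
    name = tlvs[TLV_SYS_NAME].decode("utf-8", "replace")
    return f"<tr><td>{html.escape(name, quote=True)}</td></tr>"


def send_frame(frame, ifname):
    """Transmit on a Linux interface (Linux-only AF_PACKET; needs CAP_NET_RAW)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((ifname, 0))
        s.send(frame)


# Constructed payload (not from the advisories): a link plus a script in one System Name.
PAYLOAD = '<a href="http://attacker.example/">Firmware update</a><script>alert(1)</script>'
DEMO_MAC = bytes.fromhex("020000000001")


def demo():
    """Build, parse and render the demo frame both ways; returns (unsafe_html, safe_html)."""
    tlvs = parse_lldp_frame(build_lldp_frame(DEMO_MAC, DEMO_MAC, "eth0", PAYLOAD))
    return render_neighbor_row_unsafe(tlvs), render_neighbor_row(tlvs)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe:", unsafe)
    print("safe:  ", safe)
```

Escaping at the rendering point is the fix that matters; rejecting odd characters at the LLDP parser is a reasonable defence in depth but cannot be the only control, since any field the UI displays (System Description, Port Description, management address strings) is equally attacker-controlled.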

ADVISORIES | May 23, 2019

ASUS – ZenUI Launcher AppLockReceiver | AppLockProvider Exposed

(two advisories in document) A malicious application without any permission could remove applications from, and gain read and write access to, the list of locked applications configured in AppLock, thereby bypassing the security pattern the user configured to protect them.

ADVISORIES |

ASUS – ZenUI Dialer & Contacts PrivateContactsProvider | BlockListProvider Exposed

(two advisories in document) A malicious application without any permission could gain read and write access to the list of Private Contacts and blocked numbers configured in ZenUI Dialer & Contacts.

ADVISORIES |

ASUS – ZenUI Messaging PrivateSmsProvider-PrivateMmsProvider | SmsReceiverService Exposed

(two advisories in document) A malicious application without any permission could gain read and write access to the private SMS and MMS messages configured in ZenUI Messaging, as well as send arbitrary SMS messages to arbitrary phone numbers.

RESEARCH | April 25, 2019

Internet of Planes: Hacking Millionaires’ Jet Cabins

The push to incorporate remote management capabilities into products has swept across a number of industries. A good example of this is the famous Internet of Things (IoT), where modern home devices from crockpots to thermostats can be managed remotely from a tablet or smartphone.

One of the biggest problems associated with this new feature is a lack of security. Unfortunately, nobody is surprised when a new, widespread vulnerability appears in the IoT world.

However, the situation becomes a bit more concerning when similar technologies appear in the aviation sector. Nowadays we can find Cabin Management and In-Flight entertainment systems that can be managed from mobile devices owned by crew members and/or passengers.

The systems I’ve analyzed in the research presented here are deployed in business jets. The discovered vulnerabilities affect passenger and crew devices.

The Cabin Management System is based on a wireless access point installed onboard the aircraft that provides network connectivity from the mobile devices of passengers and crew members to the cabin server. The Android applications (and their iOS equivalents) for both vendors were developed by Rockwell Collins to manage the available cabin capabilities in the aircraft such as cabin temperature, light intensity and much more.

Manufacturer video promo: https://www.youtube.com/watch?v=pRA3AnPU1dE

The Android apps analyzed in this post are:

  1. Venue Cabin Remote by Rockwell Collins – Android Application Version 2.1.12 (Current Version 2.2.2) (https://play.google.com/store/apps/details?id=com.rockwellcollins.venue.cabinremote)
  2. Bombardier Cabin Control – Android Application Version 2.1.12 (Current Version 2.2.1) (https://play.google.com/store/apps/details?id=com.rockwellcollins.venue.cabinremote.bombardier)

Figure 1. Google Play Store: Bombardier Cabin Control Developed by Rockwell Collins
Figure 2. Google Play Store: Venue Cabin Remote developed by Rockwell Collins

The purpose of this post is to:

  • Provide an overview of the operations of these emergent systems, with a focus on the vulnerabilities that affect the Android mobile apps
  • Provide a detailed explanation of how to exploit them

The main vulnerabilities I’ve discovered in the systems are:

  • ZIP Files: Path traversal / Arbitrary File Write
  • Lack of Legitimacy Checking of the Server
    • Rockwell Collins Venue Cabin Remote Version 2.2.2 – Legit Connectivity AP Emulation https://youtu.be/8QRAlTBOatU
  • Unencrypted Communications

Based on the vulnerabilities found during the research, an attacker could create the following situations:

  • Deploy a rogue aircraft access point and write files onto the devices of the connected clients. This could lead to a full compromise of the device.
  • Deploy a rogue aircraft access point and capture the credentials or application secrets that crew members use to reach the protected areas of the application on the real aircraft access point.
  • Connect to a real aircraft access point and interact with the cabin devices through the application. If the attacker also obtains the password for the protected application menus, this gives full access to the cabin capabilities, enough to create discomfort onboard by driving the temperature up or down, changing light intensity, or switching lights off or making them blink.
  • Connect to a real aircraft access point and multicast a rogue server configuration, forcing the devices on the network to fetch a new configuration file. This could lead to:
    • A full compromise of the client devices connected to the network.
    • Situations of discomfort onboard the aircraft, by altering the temperature or modifying light intensity, switching lights off or making them blink.
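The first vulnerability in the list, path traversal during ZIP extraction, is what turns a rogue access point serving a configuration archive into an arbitrary file write on the client. The Python below is an added example by the editor, not code from the research or from the Rockwell Collins apps (which are Android/Java); it shows the generic flawed pattern beside a hardened extractor that resolves every entry name and refuses any that lands outside the destination, checking all names before writing anything. The archive, the entry names and the scratch directory are constructed for the example.

```python
import io
import os
import posixpath
import shutil
import tempfile
import zipfile


def build_malicious_zip():
    """Constructed sample archive (not from the research): one benign entry and one
    whose name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/cabin.json", '{"temp": 21}')
        zf.writestr("../../../data/local/tmp/evil.dex", b"\xde\xad\xbe\xef")
    return buf.getvalue()


def unsafe_targets(zip_bytes, dest):
    """The flawed pattern: each entry name is joined to dest with no check, so '../'
    walks out of it. Returns the paths it would write instead of writing them."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [os.path.join(dest, info.filename) for info in zf.infolist()]


def safe_target(dest, name):
    """Map an entry name to a path that is guaranteed to stay under dest."""
    if name.startswith(("/", "\\")) or "\\" in name or "\x00" in name:
        raise ValueError(f"rejected zip entry name: {name!r}")
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, posixpath.normpath(name)))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"zip entry escapes destination: {name!r}")
    return target


def safe_extract(zip_bytes, dest):
    """Validate every entry first, then extract; returns the written file paths.
    Validating up front means a bad entry late in the archive cannot leave a
    half-extracted state behind."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, safe_target(dest, info.filename)) for info in zf.infolist()]
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target)
    return written


def demo():
    """Run both behaviours on the sample under a scratch directory.
    Returns (number of unsafe targets that escape dest, whether safe_extract
    refused the archive, what safe_extract left in dest)."""
    sample = build_malicious_zip()
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "app_files")
        os.makedirs(dest)
        dest_real = os.path.realpath(dest)
        escaped = [p for p in unsafe_targets(sample, dest)
                   if os.path.commonpath([dest_real, os.path.realpath(p)]) != dest_real]
        try:
            safe_extract(sample, dest)
            blocked = False
        except ValueError:
            blocked = True
        return len(escaped), blocked, os.listdir(dest)


if __name__ == "__main__":
    print(demo())
```

Resolving with `realpath` and comparing with `commonpath` is what makes the check robust against `..` sequences hidden in the middle of a name and against a destination that is itself reached through a symlink; a plain `startswith("../")` test misses both cases. Archives that carry symlink entries are a separate vector this extractor does not create, since it writes regular files only.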

Research Timeline:

  • 2018 February: IOActive discovers vulnerability
  • 2018 February: IOActive notifies vendor
  • 2019 April: IOActive advisory published

Dani Martinez – @dan1t0 (https://twitter.com/dan1t0)
Security Consultant

The complete research, including: full systems overview and analysis, vulnerability discoveries with the Android apps, and detailed exploit scenarios, can be found on the Technical Advisory Paper.