Confidence - (25-26.05 2010 Krakow)

Cristofaro Mune

Cristofaro Mune is an independent security researcher currently focusing mainly on mobile and embedded security. In the past he has been Security Research Lead for Mobile Security Lab, discovering, with his team, vulnerabilities in mobile devices, applications and services. He is also an author of the “Hijacking Mobile Data Connections” works that have been presented at past major conferences. His experience includes security assessments of IT networks, devices and services for major companies. His main interests are exploitation of embedded architectures, reverse engineering and everything that is “food for (security) thought”.

Topic of Presentation: (Too Much) Access Points – Exploitation Roundup

Language: English

Abstract: Embedded devices are getting more and more pervasive, but not much material is currently available regarding the exploitation of such devices. Few vulnerabilities are published, even fewer concerning the possibility of executing arbitrary code, and exploits and shellcodes are nearly absent. Thorough security reviews are rarely performed on these devices, and the release of patches and fixes usually lags behind, affecting their overall security level. On the research side, work has focused mostly on the security of the wireless communications and their implementation, or on techniques for attacking devices with private addressing. On the other hand, not much has been published regarding the actual exploitation of these devices, which may in some cases be non-trivial due to platform-specific challenges (e.g. non-x86 architecture, CPU cache incoherency, on-device debugging).
This talk aims to contribute to this field by demonstrating remote arbitrary code execution on Access Points, with specific reference to the Linux/MIPS platform, by leveraging many previously undisclosed vulnerabilities.
Devices from major manufacturers, all loaded with their stock firmware, are targeted, and multiple vulnerabilities allowing remote code execution on the target devices will be presented, discussed and demonstrated. Different kinds of flaws also bring different opportunities, depending on the attack range (e.g. whether the attack can be carried out over the Internet or only from the internal LAN) or the need for authentication: the proposed vulnerabilities and demos have been chosen and designed to provide a sample of different attacks, scenarios and opportunities. A remote root shell on the target device will be achieved in each demo. A “no-auth remote blind” attack scenario, where arbitrary code is run by a remote attacker over the Internet on a device placed in an internal LAN with private addressing, without the need for any authentication, will also be demonstrated for at least one of the targets. Additional flaws found during the research, allowing remote extraction of credentials and keys, command injection and other interesting findings, will also be presented.