Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
Oleg Kupreev - Telecommunication Hardware Vulnerabilities
DC7499
July 03, 2015
Research
0
32
Oleg Kupreev - Telecommunication Hardware Vulnerabilities
DEFCON Moscow 9
DC7499
July 03, 2015
Tweet
Share
More Decks by DC7499
See All by DC7499
defcon
0
170
defcon
0
140
defcon
0
210
defcon
1
180
defcon
1
150
defcon
0
170
defcon
0
250
defcon
0
300
defcon
0
300
Other Decks in Research
See All in Research
jnishimu
1
620
izunaga
3
2.6k
mihozono
2
700
karakurist
18
1.9k
umepon
0
180
ikuyamada
6
450
mkimura
5
2.8k
yuukit
4
1.7k
patanamon
1
160
yuawn
0
440
waptech
1
170
tarugoconf
0
1.9k
Featured
See All Featured
lauravandoore
12
1.7k
cromwellryan
104
6.3k
roundedbygravity
242
21k
qrush
285
19k
smashingmag
232
18k
jlugia
217
16k
shpigford
370
42k
mthomps
38
2.4k
pauljervisheath
195
15k
jnunemaker
PRO
40
4.7k
holman
448
140k
reverentgeek
28
2.1k
Transcript
None
Telecommunication Hardware Vulnerabilities
WHOAMI • HACKER REASEARCHER @ DSEC.RU • @090h, root@0x90.ru •
ADMIN @ ISP IN THE PAST • HACKING TELECOMMUNICATIONS SINCE 2001 • HACKING HARDWARE SINCE 2012 • DREAM TO LEARN, LEARN TO DREAM
TELECOM HARDWARE • MODEM • ROUTER • SWiTCH • ATS
• HYBRiD
VULNERABiLiTiES • DEFAULT CREDENTiALS (admin:admin, admin:1234, cisco:cisco) • PLAiNTEXT PASSWORDS
(/var/passwd) • BACKDOORS/ISP ACCOUNTS • AUTH BYPASS • USER iNPUT MiSVALiDATiON (COMMAND/SQL/HTML/XML injection) • iNFORMATiON DiSCLOSURE • CSRF • XXE • BOF (stack, heap, of-by-one) • WPS*
VENDORS & VULNS @ EXPLOiT DB • Cisco 144 •
D-link 81 • Linksys 49 • Netgear 36 • TP-Link 18 • Zyxel 15 • Huawei 13
MODEMZ
3G/4G modems. Made in China by Huawei.
Zero CD
Zero CD-RW
EViL C0NF
OUC.EXE = OUCH LPE
3G/4G MODEM -> CYBERWEAPON
CR0SSPLATF0RM 3G/4G M0D3M R00TKiT
ROUTERZ
SDLC BUBEN DANCiNG
None
BACKUP=FCUKUP
GET HTTP REQUEST
20 AUTH BYPASS + CSRF = CONFiG UPLOAD 8) •
Firewall/AV bypass • Botnet via Habrahabr <IMG SRC =“PWN”…
21 habrahabr.ru CSRF Evil FTP server Config CSRF
• Network configuration • PPPOE account • SIP account CONFiGURATiON
OLD DAYS…
24 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 XXI century
AUTH BYPASS + CSRF + COMMAND INJECTION = w00t w00t
rem0t3 reb00t… Back to 90’s….. Do you remember +++ATH.jpg trick? WARNINNG!!! WARNINNG!!! WARNINNG!!!
Huawei HG8245 Jtagulator Huawei 8245 hacking
PLACE 4 FUTURE ViRUSES
PASSWORDS….
How to rob the train in XXI century? Easy!
WARNINNG!!! WARNINNG!!! WARNINNG!!! • WITH GREAT POWER COMES GREAT RESPONSIBILITY
• ВАС ПРИСТРЕЛЯТ ПО УТРУ – НЕ РАБОТАЙТЕ ПО РУ • 272, 273, 274
STAGE 0x00 • Search for train with WiFi • Buy
train ticket • Don’t miss the train
STAGE 0x01 admin
STAGE 0x02
STAGE 0x03
STAGE 0x04
SIP hacking? • Port 5060 + SHODAN • Auth needed?
• Web interface?
CALL TO UID 0
but check! Trust,
Any questions? INFO: @090h root@0x90.ru Links https://github.com/0x90/routerz https://github.com/0x90/modemz
defcon
jnishimu
izunaga
mihozono
karakurist
umepon
ikuyamada
mkimura
yuukit
patanamon
yuawn
waptech
tarugoconf
lauravandoore
cromwellryan
roundedbygravity
qrush
smashingmag
jlugia
shpigford
mthomps
pauljervisheath
jnunemaker
holman
reverentgeek
