Tuesday, November 7, 2023

AWS IoT Core: A Compromised Device Perspective

  

TL;DR


I recently spent some time exploring the potential capabilities that an evil IoT device might have within an AWS IoT Core environment. This culminated in the thoughts I've transcribed in this blog post, as well as a command-line tool to help with enumeration and data harvesting during security assessments of products that interact with AWS IoT Core.

Friday, May 26, 2023

Bypassing SELinux with init_module

 

TL;DR


There are two Linux system calls for loading a kernel module - init_module and finit_module. By leveraging init_module, I bypassed a filesystem-based SELinux rule that prevented me from loading a kernel module through traditional means (e.g., insmod). I then disabled SELinux from kernel-space. Proof of concept code can be found on my GitHub.

Thursday, March 9, 2023

Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation)

TL;DR


The ssh-keygen command can be used to load a shared library with the -D flag. This can be useful for privilege escalation (described below), or for turning argument injection, file overwrites, etc. into arbitrary code execution. Proof of concept code can be found on my GitHub (and here is a list of other tools that can be leveraged in the same way).

Friday, November 4, 2022

[CVE-2022-45028] Unauthenticated Stored XSS in the Arris NVG443B

Update: I reported this vulnerability to MITRE on November 4th, 2022. It has been assigned CVE-2022-45028 with a CVSS score of 6.1 (Medium).

Tuesday, October 25, 2022

Adding Support for a Flash Chip in FlashcatUSB

Flash Programmers for Dumping Firmware

Blackbox IoT device hacking can be frustrating without any insight into the underlying software implementation(s). For this reason, I usually try to obtain a copy of the device firmware to extract the bootloader, kernel, root filesystem, and any other information that might inform run-time testing and targeted reverse engineering. Unfortunately, device vendors don't always provide access to firmware packages, and even when they do, the firmware blobs can be encrypted or obfuscated in a way that makes them useless without knowledge of the packaging format. Luckily there's another way to obtain device firmware - you can try to dump it directly from device storage (generally a dedicated flash chip).

Saturday, October 23, 2021

Information Disclosure in a Cross-game Web API

Update: The vulnerable endpoint was fixed some time before September 7, 2022.

Scenario


I recently spent some time messing with Deus Ex: Mankind Divided, seeing as it's the latest (and possibly last) installment in one of my favorite video game series. At first I did a bit of reverse engineering on the game files; when I got bored of that, I decided to take a look at the game's network traffic. This led me to discover not only a player information disclosure, but techniques for cheating in the semi-online features. Highlights include:
  • Unauthenticated access to player email addresses (if the victim has their platform account tied to their Square Enix account)
  • The ability to obtain infinite premium currency
  • The ability to view and modify other players' characters and inventories
This blog post specifically focuses on the player email disclosure vulnerability.