TL;DR We unravel the story of a bug that would become one of the most important vulnerabilities released this year. Also, we have free cookies. The findings we published earlier this year demystified the voodoo that is TR-069, demonstrated how mass pwnage can be achieved via server-side attacks, and proved the landscape is ripe for harvesting. We will continue where we left off to explore TR-069 client-side vulnerabilities; we analyze client implementations, pour some insight into mysterious results from our internet-wide scans, and follow to mass pwnage through remote code execution on millions of online devices. again.
TR-069 is the de-facto standard remote management protocol that ISPs surreptitiously use to control consumer-premises equipment (these would be your home routers, set-top boxes, VoIP phones etc.), rumored to be a well-thought conspiracy devised by Internet Service Provider secret societies since the 17th century. Since its establishment in 2004, there has been a growing trend of endorsement and deployment of the CWMP/TR-069 protocol in global carriers and service providers. Despite the rising popularity of this black magic, it is often overlooked in penetration tests and security assessments of Internet gateway device attack surfaces, and wrongly so. Would they reconsider if they knew TR-069 the second most popular service openly listening on the Internet (after HTTP)? This talk will begin by describing our previous efforts presented this summer (DEF CON 22 & more), where our group revealed critically vulnerable TR-069 server deployments and discussed the incomprehensible asymmetry between the trust instated in this protocol and the measures taken to protect it (or lack thereof). Subsequently, we decided to go after clients – exposing a critical attack surface by design, listening on 0.0.0.0 with a publicly available IP address. While centralized servers are rather easily patched to close security holes, clients may take more effort… We will conclude with the shocking unveiling of one of the year's security stories, walking the audience through the discovery and exploitation of a memory corruption vulnerability in an extremely popular client implementation. Our weapon of choice this round would be embedded device reverse engineering (some soldering required), leading us all the way to remote code execution on millions of devices.
Speakers: Lior Oppenheim Shahar Tal