Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

BLOG: True tales of (mostly) white-hat hacking

Roger A. Grimes | July 23, 2013
Stings, penetration pwns, spy games — it's all in a day's work along the thin gray line of IT security.

I wondered how likely it was that an old Web server was patched against vulnerabilities that were common 10 years ago. My hunch was correct. I was able to access the set-top box using a simple directory traversal attack (such as http://..//..//..//). I was in as root and had complete control of the device. It was running an old flavor of BSD, which was full of vulnerabilities by itself. In short order, we were able to steal porn, steal credit card numbers, and switch the Disney channel out with porn. We had accomplished all our goals, only a few hours in.

Later that week I learned that my success with a directory traversal attack would find its way up to the cable company's CSO and beyond. I was invited to talk about my finding ahead of the official written report. Many of the company's bigwigs flew in for the meeting. When I asked why all the hullabaloo for something they could fix in the new set-top box, I learned that the same Web server and setup was being used in millions of existing cable boxes around the world. I did a scan of the Internet looking for the high TCP port and found tens of thousands of them awaiting anyone's connection and hacking attempt.

That wasn't even the highlight — at least to our penetration-testing team. While attacking the set-top box, we found it contained an HTML firewall log, which had an XSS vulnerability. The log would record all Web packet content details after we raised its debug level. Then we crafted an attack packet containing malicious JavaScript and called the cable company's tech support number.

Posing as a regular customer, we complained that we thought someone was attacking our cable box and asked if the technician could take a look at our device's firewall log to confirm. A few minutes later up popped the technician's shadow and passwd password files. When executed, our encoded malicious JavaScript packet would look for various password and configuration files and, if found, send them back to us. The technician had viewed the firewall log, the XSS had launched, and we ended up with the company's enterprise-wide root password. All of this hacking occurred in about six hours. In less than a day we had fatally compromised the set-top box and pwned the whole company.

That's nothing to say about the hardware mods and component fires we caused during the ensuing days of boredom because we had nothing else to do but wait for our scheduled plane rides back home.

It was pure joy — and one of the most fun hacking days in my life.


Previous Page  1  2  3  4  5  6  7  8  Next Page 

Sign up for Computerworld eNewsletters.