Linksys NMH305
Linksys Media Hub Home Entertainment Storage NMH305 NAS server - Serial ATA-150 - 500 GB - Gigabit EN
You love your media, so treat it well. The media hub makes it easy to organize, access, and share your digital video, photos, and music - around your home and around the world (fees may apply). With massive capacity, intelligent aggregation, and media optimized file-serving capabilities, it's an ideal way to manage your material, enjoy your entertainment and share your memories. Show your media how much you love it - give it a hub.
Serve your media right
You love your media, so treat it well. The Media Hub makes it easy to organize, access, and share your digital video, photos, and music - around your home and around the world (fees may apply). With massive capacity, intelligent aggregation, and media optimized file-serving capabilities, it's an ideal way to manage your material, enjoy your entertainment and share your memories. Show your media how much you love it - give it a Hub.
Store thousands of songs or photos, or hundreds of movies
Access your digital music library, photos and videos throughout your home
Easy to set up, easy to use
Media Central
Conveniently access and stream your media from a versatile, high-performance storage hub. Multi-stream capability lets you enjoy different media at the same time: watch a movie while your kids listen to music and your spouse browses photos. Elegant Web-based interface makes it simple to browse your media. Intelligent aggregation automatically finds, copies and organizes media from all the UPnP devices on your network - even collecting songs from the same CD stored in different places into one virtual album.
Media World
Enjoy your media anywhere in the world. Easily configure the Hub to share or accept video, photos, and music via the Internet. Elegant web-based interface makes browsing and organizing your media a snap, from home or away. Watch a movie on the go; DJ at a friend's party with your music from home. Upload vacation snapshots for your friends to view, while still on vacation - free your media to be where you want it.
Media Massive
Within its stylish, compact design, the Hub's high capacity can store hundreds of hours of video, hundreds of thousands of photos and songs. With a built-in 500 Gigabyte hard drive and additional drive bay (NMH305), the Hub is set to grow along with your media collection.
Media Safe
Included Automated Backup Software helps preserve your music, movies and memories with manual and continuous backup of all of your computers' media material.
A period of Remote Access is included from date of activation. Fees may apply thereafter and are subject to change. Go to www.linksysbycisco.com for further information and details of terms and conditions applicable to the Remote Access service.
Media Hub
NMH305
Home Entertainment Storage
Datasheet
Features
Provides two bays with SATA interface, easy installation and removal:
  First bay pre-installed with one 500 GB, green-power hard disk drive
  Second bay available for end-user upgrade
Provides two USB ports
Supports 10/100/1000 Ethernet connection
Supports RAID1/JBOD configurations
Share storage with PCs connected to the network through SMB/CIF protocol
Provides PC backup with NTI Shadow software:
  Automatic scheduled backup available
  On-demand backup via GUI or Backup button
  Continuous backup option available
Provides user easy way to import media content with Linksys Media Importer
DLNA 1.5 certified. Also streams content to Xbox 360 or UPnP DMA devices
Supports three simultaneous HD streams
Automated crawl for UPnP servers to index and aggregate all digital media in the home
Supports iTunes server
Provides user-friendly, browser-based Media Browser to view JPEG pictures, play MP3, M4A and WMA music, and manage system configuration
Media server support for most content formats:
  Audio: M4A, M4B, MP4, MP3, 3GP, WAV, OGG, FLAC, AAC, MP2, AC3, MPA, MP1, AIF, ASF, WMA, LPCM
  Photo: PNG, TIF, TIFF, BMP, GIF, JPEG
  Video: MP1, MP2, MPG, SPTS, MP4, AVI, VOB, DivX, 3GP, VDR, MPE, DVR-MS, Xvid, M1V, M4V, MOV, MPV, MKV, WMV
  Playlists: M3U, M3U8, PLS, WPL
Provides remote access using DDNS in combination with Linksys relaying service to cover up to 100% of all Internet users
Specifications
Model: NMH305 - Media Hub
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.3ab
Ports: One Power, One Gigabit Ethernet (10/100/1000), Two USB 2.0
Buttons: One Backup, One Reset, One Power
LEDs: One Power, Two Disk
Drive Bays: 2 SATA
Certification: DLNA 1.5
Cabling Type: UTP CAT5E or Better
UPnP able/cert: Discovery, AV
Security Features: Password for System Administration, FTP, and Remote Access
Hard Disk Included: One 500 GB SATA
Environmental
Dimensions: 7.80" x 4.37" x 6.61" (198 x 111 x 168 mm)
Weight: 4.50 lb (2.04 kg)
Power: External 12V/5A
Certification: FCC, CE, UL
Operating Temp.: 32 to 95°F (0 to 35°C)
Storage Temp.: -13 to 158°F (-25 to 70°C)
Operating Humidity: 10 to 90% Noncondensing
Storage Humidity: 5 to 95% Noncondensing
Package Contents
Media Hub
Setup CD-ROM
Printed Quick Installation Guide
Ethernet Network Cable
Power Adapter with Power Cord
Minimum Requirements
Setup Wizard and Media Importer Require Windows XP, Vista, or Mac OS X 10.4 or Higher
Media Hub Automatic Backup Feature Requires Windows XP or Vista*
Internet Explorer 6, Firefox 2, or Safari 3 or Higher Required for Browser-Based Configuration
Adobe Flash Player 10 or Higher
CD/DVD-ROM Drive
Network-Connected Ethernet Port (10/100 minimum, Gigabit recommended)
Broadband Internet Connection
* Automatic backup feature or backup to Media Hub via Apple Time Machine are not supported under Mac OS X.
Cisco Consumer Business Group 121 Theory Irvine, CA 92617 USA www.linksysbycisco.com Linksys, Cisco and the Cisco Logo are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. Other brands and product names are trademarks or registered trademarks of their respective holders. Mac and the Mac logo are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Copyright 2009 Cisco Systems, Inc. All rights reserved.
Check the product package and contents for specific features supported. Specifications are subject to change without notice. One gigabyte=1 billion bytes
09050610A-JL
Model: NMH305
Black Hat USA 2009
Embedded Management Interfaces: Emerging Massive Insecurity
Hristo Bojinov, Elie Bursztein, Eric Lovett, Dan Boneh
Stanford University Security Laboratory http://seclab.stanford.edu
PREFACE
The secure embedded management interface project is being conducted at the Stanford Security Lab. Its objective is to assess the state of the art of embedded management interfaces and develop more secure solutions. This white paper summarizes the result of the first part of our project: the assessment of the security of current embedded management interfaces. Its results will be used in the second part of the project as a foundation to build more secure management interfaces. The Security Lab is a part of the Computer Science Department at Stanford University. Research projects in the group focus on various aspects of network and computer security.
Table of Contents
1 Introduction
2 Background
  2.1 Types of devices
  2.2 Vulnerability classes
3 Methodology
  3.1 Threat model
  3.2 Scope of the audit
  3.3 Attack surface measurement
  3.4 Tools used
4 Audit Results Overview
  4.1 Vulnerability by Category of Device
  4.2 List of Devices by Brand
  4.3 Complete Device Vulnerability List
  4.4 Attack Surface Complete List
5 NAS Audit
  5.1 LaCie Ethernet Disk Mini
  5.2 Buffalo LS-CHL
  5.3 Linksys NMH305 Media Hub
  5.4 D-Link DNS-323
  5.5 QNAP TS-109 Pro II
6 Switch Audit
  6.1 Netgear FS750T2
  6.2 Allied Telesync AT-FS750/16
  6.3 SMC 6128L2
  6.4 TrendNet TEGS811Fi
7 Camera Audit
  7.1 Linksys Wireless G
  7.2 D-Link Wireless G
  7.3 Panasonic BL-C111A
8 Photo Frame Audit
  8.1 eStarling ImpactV
  8.2 Kodak W820
  8.3 Samsung SPF-85V
9 IP Phone Audit
  9.1 Linksys SPA-942
10 Router Audit
  10.1 Linksys WRT54G2
11 Printer Audit
  11.1 HP LaserJet P2015 Series
  11.2 HP LaserJet 4250
  11.3 HP LaserJet 9000 Series
12 LOM Audit
  12.1 Intel vPro
  12.2 Dell DRAC 4/P
  12.3 IBM Remote Supervisor Adapter
13 Defenses
  13.1 DIY Auditing and Mitigation
  13.2 Browser Defenses
  13.3 Web Server Defenses
14 Related Work
15 Conclusion
16 CSRF testing tool
1 INTRODUCTION
These days, virtually all network-capable devices, including simple consumer electronics such as printers and photo frames, ship with an embedded web interface for easy configuration. The ubiquity of web interfaces can be explained by two key factors. From the user perspective, they are easy to use because the interaction takes place in a familiar environment: the web browser. For the manufacturer, providing a web-based interface is cheaper than developing and maintaining custom software and installers.
Motivation
Though web interfaces are clearly an effective solution from a usability perspective, considerable expertise is required to make them secure [26]. Surprisingly, this widely-adopted technology is almost completely unexplored from a security point of view. Thus, in September 2008, we decided to investigate the security of embedded management interfaces and how it can be improved. Initially we expected that only a few embedded web interfaces would exhibit security vulnerabilities, as previous work [20] on the subject had been limited in scope. However, our investigation revealed a completely different picture. All of the devices we audited contained significant vulnerabilities: overall we reported more than 50 vulnerabilities to CERT. This is why we have decided to call our talk "Emerging Massive Insecurity": the security of embedded devices will likely become a prominent issue in the immediate future.
The scope of this issue is not limited to embedded devices, because these devices can be used as stepping stones for more complex attacks. For example, compromising a photo frame in an office building can lead to an infection of a web browser connecting to the photo frame. This infection can then subsequently spread to the entire local network.
There are three main factors that explain why these devices are currently insecure:
The web interfaces' long tail: Most security researchers focus on the most prominent software systems, such as Apache, Internet Information Services (IIS), PHPbb, and Gmail because they are massively used and therefore the impact of a single vulnerability is enormous. Accordingly, the long tails of interfaces used only on very specific devices have been almost completely ignored.
The complexity of the vulnerabilities: The most interesting vulnerabilities we uncovered came from exploiting the interaction between the different communication channels offered by the devices, such as the interaction between an FTP server and the web interface on a NAS. Accordingly, we have named this type of vulnerability Cross Channel Scripting (XCS). The security of interaction across channels is difficult to assess because something that is innocuous in one channel may well be malicious in another. For example, the string <script>alert(1)</script> is innocuous when embedded in an FTP command but will cause an XSS attack when displayed in an HTTP interface.
IP Camera: Many companies now offer cameras that can be attached to a home network to provide remote monitoring services. These cameras generally provide a web interface through which the owner can configure the camera and view the video captured. For a detailed description and audit results see Section 7.
Photo Frame: Digital photo frames allow users to display a series of digital photos on a single frame. They generally connect wirelessly to home networks and feature web-based interfaces for setup and configuration. For a detailed description and audit results see Section 8.
IP Phone: Many office phones are now operated over TCP/IP. Since they are network-connected, they also often offer web-based interfaces for configuration and call log access. For a detailed description and audit results see Section 9.
Router: Home routers generally have a web-based interface that allows users to configure various options, such as network-address translation, wireless encryption, MAC address filtering, and port forwarding. For a detailed description and audit results see Section 10.
Printer: Many office printers now feature web-based interfaces through which administrators can remotely view the status of the printer, reboot it, or configure it. For a detailed description and audit results see Section 11.
LOM: Lights-out management (LOM) interfaces now exist in many computers to allow administrators to remotely access the computer, even when it has failed or has been turned off. They generally offer configuration and reboot/recovery options via a web-based interface. For a detailed description and audit results see Section 12.
2.2 Vulnerability classes
During the evaluation of each device, we looked for the following types of vulnerabilities:
XSS: As a warm-up we started by testing for Type 2 (stored) cross-site scripting (XSS) vulnerabilities [6], which are common in web applications. Most devices are vulnerable, including those that perform some input checking. For example, the TrendNet switch ensures that its system location field does not contain spaces, but does not prevent attacks of the form loc");document.write("<script/src= http://evil.com/a.js></sc"+"ript>. XSS attacks are particularly dangerous on embedded devices because they are the first step toward a persistent reverse XCS, as discussed below.
CSRF: Cross-site request forgeries [26] enable an attacker to compromise a device by using an external web site as a stepping stone. We also used CSRF as a way to inject Type 2 (stored) XSS and reverse XCS payloads.
File security: For each device, we checked whether it was possible to read or inject arbitrary files. Some devices, such as the Samsung photo frame, allow the attacker to read protected files without being authenticated. On this device, even when the Web interface was protected by a password, it was still possible to access the photos stored in memory by using a specially crafted URL. On other devices, the Web interface could be compromised by abusing the log file.
User authentication: Most devices have a default password or no password at all. Additionally, most devices authenticate users in cleartext (i.e. without HTTPS). This was even true for several security cameras, which is surprising given that they are intended to securely monitor private spaces.
4 AUDIT RESULTS OVERVIEW
4.1 Vulnerability by Category of Device
Table 1 summarizes which classes of vulnerabilities were found for each type of device. We use the symbol when one device is vulnerable to this class of attacks and when multiple devices in the class are vulnerable. The second column from the left indicates the number of devices tested in that category.
Rows (Type): LOM, NAS, Photo Frame, Router, IP Camera, IP Phone, Switch, Printer
Columns: Num, XSS, CSRF, XCS, RXCS, File, Auth
Table 1: Type of vulnerabilities found by devices
This table shows that the NAS category exhibits the most vulnerabilities, which can be expected given the complexity of these devices. We were surprised by the large number of vulnerabilities in photo frames, which are relatively simple devices. A possible explanation is that vendors rushed production in order to grab market share with new features. Indeed, in the Kodak photo frame, half the Web interface is protected against XSS while the other half is completely vulnerable. IP cameras and routers are more mature, and therefore tend to have better security features. Table 1 also shows that even enterprise-grade devices such as switches, printers, and LOMs are vulnerable to a variety of attacks, which is a concern as they are usually deployed into sensitive environments such as server rooms.
4.2 List of Devices by Brand
Table 2 lists which types of devices were tested for each brand. As one can see we did test devices from vendors specialized in one type of product such as Buffalo, and from vendors that have a wide range of products such as D-Link.
Rows (Brand): Allied, Buffalo, D-Link, Dell, eStarling, HP, IBM, Intel, Kodak, LaCie, Linksys, Netgear, Panasonic, QNAP, Samsung, SMC, TrendNet
Columns: Camera, LOM, NAS, Phone, Photo Frame, Printer, Router, Switch
Table 2: List of devices by brand
Allied Telesis: Formerly Allied Telesync, is a telecommunications company specialized in networking hardware.
Buffalo Inc: One of the 14 subsidiaries of Melco Holdings Inc. Initially founded as an audio equipment manufacturer, the company entered the computer peripheral market in 1981 with an EEPROM writer. It is well known for its NAS product.
D-Link Corporation: Founded in 1986 in Taipei as Datex Systems Inc. It began as a network adapter vendor and has gone on to become a designer, developer, and manufacturer of networking solutions for both the consumer and business markets such as IP cameras, routers, and NAS.
Dell, Inc: A multinational technology corporation that develops, manufactures, sells, and supports computer systems and other computer-related products. They build their own LOM interface.
eStarling: A brand that belongs to the startup PF Digital Inc, created in 2006. It specializes in photo frames with advanced features.
HP: A multinational technology corporation that develops, manufactures, sells, and supports computer systems, networking products and other computer-related products. They embed web interfaces in printers and in servers for LOM, for example.
IBM/Lenovo: A multinational technology corporation that develops, manufactures, sells, and supports computer systems. The IBM server systems can be configured with a LOM module, which has an embedded web interface.
Intel: The world's largest semiconductor chip maker, based on revenue. The company is the inventor of the x86 series of microprocessors. Intel embeds a web interface in all recent Core2 chipsets to allow remote administration (as part of the vPro/AMT technology stack).
Kodak: Eastman Kodak Company is a multinational American corporation which produces imaging and photographic materials and equipment. Kodak uses web interfaces in photo frames.
LaCie: LaCie is a computer hardware company specializing in external hard drives, RAID arrays, optical drives, and computer monitors.
Linksys: Founded in 1988 and acquired by Cisco Systems in 2003, is a major provider of home and small office network products. Linksys deploys web interfaces in almost all its products from routers, to NAS, to IP phones and cameras.
Netgear: Founded in 1996, is a US manufacturer of computer networking equipment and other computer hardware. It deploys web interfaces in almost all of its products from routers, to switches, NAS, and cameras.
Panasonic: Formerly known as Matsushita Electric Industrial Co., Ltd., is a multinational corporation based in Kadoma, Japan. Its main business is in electronics manufacturing and it produces products under a variety of names including Panasonic and Technics. Panasonic deploys web interfaces in IP cameras, for instance.
QNap: A company specializing in NAS devices.
Samsung: Samsung Electronics is the world's largest electronics company, headquartered in Seoul, South Korea. Samsung Electronics is a global vendor in more than 60 consumer electronics product series.
SMC Networks: A hardware manufacturer of equipment such as network cards, switches, wireless routers, broadband routers, VDSL, network attached storage servers, and IP cameras.
TrendNet: A telecommunications company specialized in networking hardware. They use embedded web interfaces in their line of switches and IP cameras.
4.3 Complete Device Vulnerability List
The following table lists, for each device, which types of vulnerabilities we found. Note that nearly all devices were vulnerable to CSRF attacks. Those that weren't either didn't have features that could be vulnerable to CSRF attacks or seemed to implement some sort of referrer header validation, rather than secret validation tokens. Additionally, every single device had authentication vulnerabilities. Only a few devices allowed HTTPS access to the web interface, and none of them restricted users to HTTPS only. Every device had an easy-to-guess default password, and in all cases but one the password was common across units worldwide, rendering it completely useless unless changed during initial setup.
Device            Manufacturer      Type
DCS-920           D-Link            Camera
Wireless G        Linksys           Camera
BL-C111A          Panasonic         Camera
SPA-942           Linksys           IP Phone
DRAC              Dell              LOM
RSA2              IBM               LOM
vPro              Intel             LOM
Linkstation       Buffalo           NAS
DNS-323           D-Link            NAS
Ethernet Disk     Lacie             NAS
NMH-305           Linksys           NAS
TS-109            QNAP              NAS
ImpactV           eStarling         Photo Frame
EasyShare w820    Kodak             Photo Frame
SPF-85v           Samsung           Photo Frame
HP P2015          HP                Printer
HP 4250           HP                Printer
HP 9000           HP                Printer
WRT54G2           Linksys           Router
AT-FS750          Allied Telesync   Switch
FS750T2           Netgear           Switch
SMC6128L2         SMC               Switch
TEG-S811Fi        TrendNet          Switch
Columns XSS, CSRF, XCS, RXCS, File, Auth: per-device marks not preserved.
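The secret validation tokens mentioned in Section 4.3, as an added example that is not code from the paper or from any audited device: a state-changing request is accepted only as a POST carrying a token derived from the administrator's session. The paths, the form field name csrf_token and the per-device key are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets

# Assumption: a random key generated once per device (for example at first boot).
SERVER_KEY = secrets.token_bytes(32)

# Hypothetical management actions that change device state.
STATE_CHANGING = {"/reboot", "/factory_reset", "/set_password"}


def issue_token(session_id: str) -> str:
    """Derive the anti-CSRF token for one authenticated session."""
    return hmac.new(SERVER_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def token_valid(session_id: str, token: str) -> bool:
    """Constant-time check that the submitted token belongs to this session."""
    if not session_id or not token:
        return False
    expected = issue_token(session_id)
    return hmac.compare_digest(expected.encode("utf-8"), token.encode("utf-8"))


def render_form(session_id: str, action: str) -> str:
    """Server side of the exchange: every management form carries the token."""
    return (
        '<form method="POST" action="' + html.escape(action, quote=True) + '">'
        '<input type="hidden" name="csrf_token" value="' + issue_token(session_id) + '">'
        '<input type="submit" value="Apply"></form>'
    )


def handle(method: str, path: str, session_id: str, form: dict) -> int:
    """Return the HTTP status the embedded server would send."""
    if path not in STATE_CHANGING:
        return 200
    if method != "POST":
        # A bare URL request (image tag, link) must never reboot or reset the device.
        return 405
    if not token_valid(session_id, form.get("csrf_token", "")):
        # The browser attached the session cookie, but another site cannot read the token.
        return 403
    return 200
```

A page on another origin can make the administrator's browser send the session cookie, but it cannot read the hidden field, so its forged request fails the token check.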
4.4 Attack Surface Complete List
Table 3 lists, for each device, what the vulnerable attack surface is. Nearly every device is vulnerable in four of the five categories. For instance, many devices have CSRF vulnerabilities that allow an attacker to create a user account or change the administrator password. Thus, if an attacker can exploit this single CSRF vulnerability, they have gained access to the device, can write new data to the device or change settings (integrity), and in some cases can continually reset the device, making it unusable. Given that most devices do not keep system logs, a single CSRF vulnerability therefore makes a device vulnerable across many criteria.
Device            Manufacturer      Type
DCS-920           D-Link            Camera
Wireless G        Linksys           Camera
BL-C111A          Panasonic         Camera
SPA-942           Linksys           IP Phone
DRAC              Dell              LOM
RSA2              IBM               LOM
vPro              Intel             LOM
Linkstation       Buffalo           NAS
DNS-323           D-Link            NAS
Ethernet Disk     Lacie             NAS
NMH-305           Linksys           NAS
TS-109            QNAP              NAS
ImpactV           eStarling         Photo Frame
EasyShare w820    Kodak             Photo Frame
SPF-85v           Samsung           Photo Frame
HP P2015          HP                Printer
HP 4250           HP                Printer
HP 9000           HP                Printer
WRT54G2           Linksys           Router
AT-FS750          Allied Telesync   Switch
FS750T2           Netgear           Switch
SMC6128L2         SMC               Switch
TEG-S811Fi        TrendNet          Switch
Columns Confid, Integrity, Avail, Access, Attrib: per-device marks not preserved.
Table 3: Attack surface device by device
Filename XCS
Using the SMB command-line interface, a malicious user can rename files. When these constructed filenames are later viewed by an administrator, arbitrary script injection will occur, executing on the administrator's machine with administrative privileges on the device. To exploit this vulnerability, the attacker must be able to login to the FTP interface of the device, though the attacker need not have full administrative access to the device.
5.2 Buffalo LS-CHL
Vendor: Buffalo
Product ID: LS-CHL
Firmware version: 1.00
URL: http://www.buffalotech.com/products/network-storage/linkstation/linkstation-live-ls-chl/
P2P XCS
Figure 7: An XCS attack via torrent. The text underlined in green is the attack and its results.
Using the BitTorrent download feature of this device, a malicious user can insert malicious scripts onto the device. When carefully constructed torrents are inserted and the BitTorrent download feature is later viewed by an administrator, arbitrary JavaScript will be executed on the administrator's machine with administrative privileges on the device. To exploit this vulnerability, the attacker must be able to login to the device.
5.3 Linksys NMH305 Media Hub
Vendor: Linksys
Product ID: NMH305
Firmware version: 4.4.9
URL: http://www.linksysbycisco.com/US/en/products/NMH305
Using the SMB or FTP command-line interfaces, a malicious user can add and rename files on the device. When carefully constructed filenames are later viewed by an administrator, arbitrary script injection can occur, executing JavaScript on the administrator's machine with administrative privileges on the device. To exploit this vulnerability, the attacker must be able to login to the FTP interface of the device, though the attacker need not have full administrative access to the device.
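The filename XCS described in the introduction and in the NAS findings above comes down to a name stored through one channel (FTP or SMB) being written into the web interface's HTML without encoding. The following added example, which is not taken from the paper or from any device firmware, shows that pattern beside a context-encoded version; the /files/ path and the sample names are constructed.

```python
import html
from urllib.parse import quote

# Constructed sample: file names as they could arrive over FTP or SMB.
# The second entry is the string used in the paper's introduction.
SAMPLE_NAMES = [
    "holiday-2009.jpg",
    "<script>alert(1)</script>.mp3",
    'Bob\'s "best of" & more.avi',
]


def render_row_unsafe(name: str) -> str:
    """Vulnerable pattern: the stored name is pasted into markup unchanged."""
    return '<li><a href="/files/' + name + '">' + name + "</a></li>"


def render_row_safe(name: str) -> str:
    """Encode per output context: percent-encode in the URL, entity-encode in HTML."""
    href = "/files/" + quote(name, safe="")
    return (
        '<li><a href="' + html.escape(href, quote=True) + '">'
        + html.escape(name, quote=True)
        + "</a></li>"
    )


def render_listing(names, row=render_row_safe) -> str:
    """Build the file listing an administrator would see in the web interface."""
    return "<ul>\n" + "\n".join(row(n) for n in names) + "\n</ul>"


def names_with_markup(names):
    """Audit helper for an existing share: names that contain '<' or '>'."""
    return [n for n in names if "<" in n or ">" in n]
```

The encoding is applied where the name is written into the page, not where it is received, because the FTP and SMB channels have no reason to reject these characters.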
File Access
On this device, when the administrator username and password are changed, the event and new values are recorded in the system log. However, viewing the system log does not require logging in to the device, allowing an attacker to see the current username and password, as well as all former usernames and passwords, in the clear without authenticating to the device. To exploit this vulnerability, the attacker needs to know the IP address of the device.
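One way to avoid the log exposure described above, as an added example rather than the device's own code: record that a credential changed without its value, mask secrets in lines already written, and serve the log only to an authenticated session. The key=value log format and the function names are assumptions.

```python
import re
from datetime import datetime, timezone

# Assumed key names whose values must never be shown from a log.
SECRET_KEYS = ("password", "passwd", "pwd")
_SECRET_RE = re.compile(r"(?i)\b(" + "|".join(SECRET_KEYS) + r")=(\S+)")

# Constructed legacy line in the style the paper describes (new value in the clear).
LEGACY_LINE = "2009-07-01T10:00:00Z admin settings changed username=alice password=S3cret!"


def redact(line: str) -> str:
    """Mask the value of any secret key=value pair in an existing log line."""
    return _SECRET_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)


def log_credential_change(log: list, actor: str, changed_field: str) -> None:
    """Record who changed which credential field, never the new value."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    log.append(stamp + " credential-change field=" + changed_field + " by=" + actor)


def view_log(log: list, authenticated: bool):
    """Return (status, body); the log is served only to an authenticated session."""
    if not authenticated:
        return 401, ""
    return 200, "\n".join(redact(line) for line in log)
```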
5.4 D-Link DNS-323
Vendor: D-Link
Product ID: DNS-323
Firmware version: 1.05
URL: http://www.dlink.com/products/?pid=509
Figure 8: An XSS attack in the system description field that embeds the Stanford Security Lab logo.
On this device, XSS attacks are possible that allow an attacker to store arbitrary JavaScript code on the device to be executed by any user who subsequently visits the administration interface, due to a complete lack of input validation. This vulnerability can be exploited simply by storing a particular string in any of the unchecked input fields. The attack does require that the attacker know the IP address assigned to the NAS and requires access credentials.
Device AT-FS750 FS750T2 SMC6128L2 TEG-S811Fi
Manufacturer Allied Telesync Netgear SMC TrendNet
Type Switch Switch Switch Switch
6.1 Netgear FS750T2
Vendor: Netgear
Product ID: FS750T2
Firmware version: V1.1.
URL: http://www.netgear.com/Products/Switches/SmartSwitches/FS750T2.aspx
Figure 10: An XSS attack in the system name field.
An XSS attack is possible that allows an attacker to store arbitrary JavaScript code on the device to be executed by any user who subsequently visits the administration interface, due to a complete lack of input validation. This vulnerability can be exploited simply by storing a particular string in an unchecked input field. The attack does require that the attacker know the IP address assigned to the switch and requires access credentials.
A CSRF attack is possible that allows an attacker to force the device to reboot, due to a complete lack of request validation. This vulnerability can be exploited without access credentials, simply by forcing an authenticated administrator to view malicious content consisting of a particular URL request, thereby acting on behalf of the administrator. By simply repeating the request, the attacker can perform a denial of service attack on the device. The attack does require that the attacker know the IP address assigned to the switch. The attack can also be used to reset the device to factory defaults.
6.2 Allied Telesync AT-FS750/16
Vendor: Allied Telesync
Product ID: AT-FS750/16
Firmware version: 1.0.0.30
URL: http://www.alliedtelesyn.com/products/detail.aspx?pid=56&lid=15
A CSRF attack is possible that allows an attacker to force the device to reboot, due to a complete lack of request validation. This vulnerability can be exploited without access credentials, simply by forcing an authenticated administrator to view malicious content consisting of a particular URL request, thereby acting on behalf of the administrator. By simply repeating the request, the attacker can perform a denial of service attack on the device. The attack does require that the attacker know the IP address assigned to the switch.
An XSS attack is possible that allows an attacker to store arbitrary JavaScript code on the device to be executed by any user who subsequently visits the administration interface, due to a complete lack of input validation. This vulnerability can be exploited simply by storing a particular string in an unchecked input field. The attack does require that the attacker know the IP address assigned to the switch and have access credentials.
A CSRF attack is possible that allows the modification of the administrator password or the disabling of IP-based security filtering, because of a complete lack of request validation. This vulnerability can be exploited without access credentials, simply by forcing an authenticated administrator to view malicious content consisting of a suitable request. The attacker is then able to act on behalf of the administrator. The attack does require that the attacker know the IP address assigned to the switch.
7 CAMERA AUDIT
IP cameras, a type of CCTV cameras, have been growing in popularity in recent years as an easy way for people to remotely monitor their homes. They can also be used by businesses as a replacement for standard analog CCTV cameras. A major contribution to their popularity is that they can simply be connected to an existing home or corporate network and monitored from commodity computers. The popularity of IP cameras will likely continue to grow as video quality improves and new features, such as motion detection, become common across all cameras. In order to view the video output and configure settings, nearly all cameras feature a built-in web server.
Device DCS-920 Wireless G BL-C111A
Manufacturer D-Link Linksys Panasonic
Type Camera Camera Camera
7.1 Linksys Wireless G
Vendor: Linksys
Product ID: WVC54GCA
Firmware version: V1.21, JUL 07, 2006
URL: http://www.linksysbycisco.com/US/en/products/WVC54GCA
A CSRF attack is possible that allows the creation of new users or the modification of the admin username and password, because of a complete lack of request validation. This vulnerability can be exploited without access credentials, simply by forcing an authenticated administrator to view malicious content consisting of suitable forms. By then submitting these forms automatically, the attacker is acting on behalf of the administrator. The attack does require that the attacker know the IP address assigned to the camera.
CSRF File Access
Figure 16: A CSRF attack that shows the contents of the file /etc/shadow.
A CSRF attack is possible that allows an attacker to view the content of arbitrary files on the device, because of a complete lack of request and input validation. To exploit this vulnerability, an attacker must have access credentials on the device or a way to circumvent the same-origin policy in an authenticated user's browser. This attack also requires that the attacker know the IP address assigned to the camera.
A type of printer has become extremely popular in recent years: the network-attached corporate laser printer. Because modern laser printers generally have many advanced features, such as support for multiple network and administration protocols, and don't wish to incur the design and build costs of including a large screen and input device on the printer itself, they often feature embedded web servers. Their prevalence in corporate environments makes any vulnerabilities in the interface especially problematic.
Device HP P2015 HP 4250 HP 9000
Manufacturer HP HP HP
Type Printer Printer Printer
11.1 HP LaserJet P2015 Series
Vendor: HP
Product ID: P2015
Firmware version: 20070221
URL: http://h10010.www1.hp.com/wwpc/us/en/sm/WF06b/18972-236251-236263-14638-f51-18455511845552-1845554.html
XSS attacks are possible that allow an attacker to store arbitrary JavaScript code on the device to be executed by any user who subsequently visits the administration interface, due to a complete lack of input validation. This vulnerability can be exploited simply by storing a particular string in any of the unchecked input fields. The attack does require that the attacker know the IP address assigned to the printer and have access credentials, if the administrator has enabled password protection.
A CSRF attack is possible that allows the modification of the administrator password, because of a complete lack of request validation. This vulnerability can be exploited without access credentials, simply by forcing an authenticated administrator to view malicious content consisting of a suitable request. The attacker is then able to act on behalf of the administrator. The attack does require that the attacker know the IP address assigned to the printer.
11.2 HP LaserJet 4250
Vendor: HP Product ID: 4250 Firmware version: 20050304 08.008.6 URL: http://h20316.www2.hp.com/sps/us/en/catalog/seriesOverview.jsp?series=4250
A CSRF attack is possible that allows the modification of the email control settings, because of a complete lack of request validation. After changing these settings, the attacker can then control the device by sending it emails. This vulnerability can be exploited without access credentials, simply by forcing an authenticated administrator to view malicious content consisting of a suitable request. The attacker is then able to act on behalf of the administrator. The attack does require that the attacker know the IP address assigned to the printer.
13.2 Browser Defenses
In recent work, we have proposed a system called SiteFirewall, which is capable of blocking some types of XCS attacks from being carried out. The system uses a browser extension that acts as a firewall between vulnerable, internal web sites, and those accessed by the user on the open Internet. Optionally, the SiteFirewall architecture can also use a web server module that supplies custom HTTP headers for every page on the embedded web site. These headers can indicate to the user's web browser that the page is not supposed to request any outside resources for its operation, possibly excepting a short whitelist of acceptable resources (to accommodate use-cases such as fetching device documentation directly from the vendor's web site on the Internet).
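A simplified illustration of the firewall idea described above, as an added example (it is not SiteFirewall's code): a request is blocked when a page from the open Internet targets a private-network address, or when an internal page requests an outside resource that is not on its whitelist. The function names, the address ranges chosen and the sample hosts are assumptions.

```javascript
// Added illustration; zone policy and names are assumptions, not SiteFirewall's.
const PRIVATE_V4 = [
  [0x0a000000, 8],  // 10.0.0.0/8
  [0xac100000, 12], // 172.16.0.0/12
  [0xc0a80000, 16], // 192.168.0.0/16
  [0xa9fe0000, 16], // 169.254.0.0/16 (link-local)
  [0x7f000000, 8],  // 127.0.0.0/8 (loopback)
];

// Dotted-quad string -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Host names are treated as external here; a real filter must decide on the
// address the name resolves to, otherwise a public name pointing at a private
// address slips through.
function isInternal(host) {
  const ip = ipv4ToInt(host);
  if (ip === null) return false;
  return PRIVATE_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === net;
  });
}

// new URL() canonicalises hex and decimal IPv4 spellings for http(s) URLs,
// so the hostname compared below is always in dotted-quad form.
function decide(initiatorUrl, targetUrl, whitelist = []) {
  const from = new URL(initiatorUrl);
  const to = new URL(targetUrl);
  if (from.origin === to.origin) return "allow";
  const fromInternal = isInternal(from.hostname);
  const toInternal = isInternal(to.hostname);
  if (!fromInternal && toInternal) return "block"; // Internet page -> device
  if (fromInternal && !toInternal) {               // device page -> Internet
    return whitelist.includes(to.origin) ? "allow" : "block";
  }
  return "allow"; // both in the same zone: outside the scope of this sketch
}
```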
13.3 Web Server Defenses
While we believe that security must be implemented in depth and web browsers need to provide comprehensive security options to their users, embedded web server and web site implementations are the source of the problem, so we are planning to extend the concept of a firewall to the server side. We believe that a light-weight framework designed specifically for use in building embedded web sites would be extremely effective at eliminating the common vulnerabilities. Because it would be designed for small embedded servers, the framework can be designed with security in mind, rather than high performance. Additionally, standardization and openness in framework use and design will lead to more visibility and inspection, and therefore ultimately better security.
14 Related Work
As stated in the introduction, the security of embedded interfaces is almost completely unexplored territory; therefore, most related work has focused on one of the two following areas: general web security or low-level attacks on devices.
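The request validation that the CSRF findings above report as missing, as an added sketch of a check a small embedded-server framework could apply to every state-changing request (this is not the authors' framework): a same-origin test on Origin/Referer plus a session-bound token compared in constant time. The request shape, the `csrf_token` field name and the sample values are assumptions.

```javascript
// Added illustration of per-request validation for an embedded admin interface.
// The request shape ({method, headers, sessionId, body}) and the csrf_token
// field name are assumptions, not any vendor's or the authors' API.
const nodeCrypto = require("crypto");

// Token = HMAC(device secret, session id): unguessable by other sites and
// verifiable without per-token storage on a memory-constrained device.
function issueToken(secret, sessionId) {
  return nodeCrypto.createHmac("sha256", secret).update(sessionId).digest("hex");
}

// Modern browsers send Origin on cross-site POSTs; Referer is the fallback.
// A missing or unparsable value is treated as a failure, not as a pass.
function sameOrigin(headers, deviceOrigin) {
  const src = headers.origin || headers.referer;
  if (!src) return false;
  try {
    return new URL(src).origin === deviceOrigin;
  } catch (e) {
    return false;
  }
}

function validateRequest(req, secret, deviceOrigin) {
  // Assumes handlers never change state on safe methods.
  if (["GET", "HEAD", "OPTIONS"].includes(req.method)) return { ok: true };
  if (!sameOrigin(req.headers, deviceOrigin)) {
    return { ok: false, reason: "cross-origin" };
  }
  const expected = Buffer.from(issueToken(secret, req.sessionId));
  const got = Buffer.from(String((req.body || {}).csrf_token || ""));
  if (got.length !== expected.length || !nodeCrypto.timingSafeEqual(got, expected)) {
    return { ok: false, reason: "bad-token" };
  }
  return { ok: true };
}

// Constructed sample requests: a forged cross-site post and a legitimate one.
function demo() {
  const secret = "constructed-device-secret";
  const origin = "http://192.168.1.108";
  const base = { method: "POST", sessionId: "sess-1" };
  const forged = { ...base, headers: { origin: "http://attacker.example" }, body: { password: "x" } };
  const legit = { ...base, headers: { origin }, body: { csrf_token: issueToken(secret, "sess-1") } };
  return [validateRequest(forged, secret, origin), validateRequest(legit, secret, origin)];
}
```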
General web vulnerabilities and defenses
Previous interest in web interface security has been predominantly Internet-centric. Indeed, most of today's risks stem from the direct interactions between users and websites for e-commerce, learning, or entertainment. Most of the vulnerabilities we discovered in our audit were of well-known types that exist in conventional interactions between a user's browser and the web server [2, 6]. Many XSS defenses have been proposed in the literature [6, 10, 1, 7, 11, 13, 24, 17, 19, 21, 29, 25], and many of these defenses can help mitigate XCS vulnerabilities if they are properly used by the embedded web application. One of the key novelties of Internet Explorer 8 is an XSS filter that blocks certain reflected XSS attacks [23]. However, ways to bypass this filter were found very quickly after its release [14]. The approach used in IE8 was inspired by NoScript [16], a popular Firefox extension.
Low-level attacks
Low-level attacks on devices usually target vulnerabilities or design oversights in a specific protocol supported by the device. These attacks often yield spectacular results, such as control of at least a substantial subsystem of the device, if not the whole device [27].
We see these two directions as complementary to our work. We have focused on embedded web servers because they have received less than their fair share of scrutiny, despite the fact that their presence is growing steadily. On the other hand, we have avoided the lower-level exploits because we believe that the most sizeable future threats will come via easily-accessible interfaces that are somehow bridged to the outside world, such as those exposed to the user's web browser.
15 Conclusion
In this white paper, we have summarized the results obtained during the first phase of our secure embedded management interface project. The goal of this phase was to evaluate the current state of the security of embedded interfaces. Our results demonstrate that there are currently many security problems in embedded interfaces. This poses a serious threat because embedded devices are very widely deployed, including in sensitive environments, and are a growing market. Our audit covered 8 different types of devices across 16 vendors and 21 individual products. Overall, we have documented and reported to CERT more than 40 vulnerabilities. In addition to a long list of traditional attacks on embedded management interfaces, we have developed a new category of attacks that we call cross-channel scripting (XCS and Reverse XCS). Network-connected appliances are especially vulnerable to XCS due to the variety of protocols they implement. Alongside these novel attacks, we have presented practical defense recommendations for vendors and end users. The goal of the second phase of our project is to build browser and web server defenses that will help increase the security of these interfaces. Our primary focus will be to build a secure framework that vendors can easily use in their devices, thereby improving security across many devices at once.
References
[1] Davide Balzarotti, Marco Cova, Viktoria Felmetsger, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. Saner: Composing static and dynamic analysis to validate sanitization in web applications. In IEEE Symposium on Security and Privacy, 2008.
[2] A. Barth, C. Jackson, and J. Mitchell. Robust defenses for cross-site request forgery. In Proceedings of ACM CCS '08, 2008.
[3] Elie Bursztein, Hristo Bojinov, and Dan Boneh. Cross channel scripting attacks, 2009. Manuscript.
[4] Desktop and mobile architecture for system hardware (DASH) initiative. http://www.dmtf.org/standards/mgmt/dash/.
[5] Electronic paper (Wikipedia article). http://en.wikipedia.org/wiki/Electronic_paper.
16 CSRF Testing Tool
Here is the source of the tool we used to test devices for CSRF. The code is currently configured for the file access attack on the Linksys Wireless G camera, but is designed to be easy to modify for any similarly repetitive exploration of a CSRF vulnerability. See Figure 25 for a screenshot of the interface.

```html
<html>
<head>
<title>CSRF creator</title>
<script type="text/javascript">
// Copy the URL from the "Set Action" box into the form and show it on the page.
function setActions() {
  var actionStr = document.getElementById("action").value;
  document.csrfform.action = actionStr;
  document.getElementById("actionURLSpan").innerHTML = actionStr;
}
</script>
</head>
<body onload="setActions()">
<!-- One row is appended here for every request that is submitted. -->
<table id="historyTable" border="1">
  <tr>
    <th>Action:</th>
  </tr>
</table>
<br />
Set Action:
<input type="text" value="http://192.168.1.108/adm/file.cgi" size="50"
       id="action" onblur="setActions()" />
<br />
Current Action: <span id="actionURLSpan">asdf</span>
<br />
<br />
<!-- The form posts into the iframe below so the response stays visible. -->
<form method="post" action="" name="csrfform" target="formTarget">
  Next File: <input type="text" name="next_file" id="next_file">
  <input type="submit" value="test" onclick="addToHistory()"/>
</form>
<input type="button" value="yes" onclick="setFileExists(true)">
<input type="button" value="no" onclick="setFileExists(false)">
<br />
<iframe height="70%" width="90%" name="formTarget"></iframe>
<script type="text/javascript">
var historyTable = document.getElementById("historyTable");

// Record the tester's verdict in the last cell of the most recent row.
function setFileExists(exists) {
  var td = historyTable.lastChild.lastChild;
  td.innerHTML = exists ? "yes" : "no";
}

// Append a row holding the action URL, the requested file and an empty verdict cell.
function addToHistory() {
  var tr = document.createElement("tr");
  var actionTD = document.createElement("td");
  actionTD.innerHTML = document.getElementById("action").value;
  var nextFileTD = document.createElement("td");
  nextFileTD.innerHTML = document.getElementById("next_file").value;
  tr.appendChild(actionTD);
  tr.appendChild(nextFileTD);
  tr.appendChild(document.createElement("td"));
  historyTable.appendChild(tr);
}
</script>
</body>
</html>
```

Stanford Security Lab http://seclab.stanford.edu Black Hat USA 2009
Figure 25: A screenshot of the interface.
Technical specifications
| General | |
| Device Type | NAS server |
| Host Connectivity | Gigabit Ethernet |
| Total Storage Capacity | 500 GB |
| Installed Devices / Modules Qty | 1 (installed) / 2 (max) |
| Width | 4.4 in |
| Depth | 6.6 in |
| Height | 7.8 in |
| Weight | 4.4 lbs |
| Storage Controller | |
| Type | 1 x Serial ATA - integrated |
| Controller Interface Type | Serial ATA-150 |
| Supported Devices | Hard drive |
| Max Storage Devices Qty | 2 |
| RAID Level | RAID 1, JBOD |
| Hard Drive | |
| Type | Standard |
| Capacity | 1 x 500 GB |
| Networking | |
| Type | Network adapter - integrated |
| Data Link Protocol | Ethernet, Fast Ethernet, Gigabit Ethernet |
| Compliant Standards | DLNA CERTIFIED |
| Expansion / Connectivity | |
| Expansion Bays Total (Free) | 2 ( 1 ) x internal |
| Interfaces | 1 x Ethernet 10Base-T/100Base-TX/1000Base-T - RJ-45 2 x Hi-Speed USB |
| Miscellaneous | |
| Cables Included | 1 x network cable |
| Features | Hard drive password |
| Compliant Standards | CE, UL, FCC |
| Power | |
| Power Device | Power adapter - external |
| Software / System Requirements | |
| Software Included | Drivers & Utilities |
| OS Required | Microsoft Windows Vista / XP |
| Manufacturer Warranty | |
| Service & Support | 1 year warranty |
| Service & Support Details | Limited warranty - 1 year |
| Environmental Parameters | |
| Min Operating Temperature | 32 °F |
| Max Operating Temperature | 95 °F |
| Universal Product Identifiers | |
| Brand | Linksys |
| Part Number | NMH305 |
| GTIN | 00745883585885 |







