ECE497 Project BoneSAW

From eLinux.org
Jump to: navigation, search

thumb‎ Embedded Linux Class by Mark A. Yoder


Team members: Charles E. Beard and Luke Craig

Grading Template

I'm using the following template to grade. Each slot is 10 points. 0 = Missing, 5=OK, 10=Wow!

00 Executive Summary
00 Installation Instructions 
00 User Instructions
00 Highlights
00 Theory of Operation
00 Work Breakdown
00 Future Work
00 Conclusions
00 Demo
00 Late
Comments: I'm looking forward to seeing this.

Score:  10/100

(Inline Comment)

Naming BoneSAW

Bonesaw.jpg

BoneSAW stands for BeagleBone Search and Analyze Weaknesses. The "SAW" ending is a cop-out name for network scanners, but it quite nicely allows us to have a mascot from the Toby Macguire Spider-Man series See Here. I will note here that the relation to this Marvel character came only after we had decided on the name. However, I think BoneSAW pretty great as a mascot.

Executive Summary

Network utility to detect vulnerabilities in networked BeagleBones. Typically these will be a misconfiguration, old package, or open port. BoneSAW detects these issues and reports them to the user.

Additionally, we used BoneSAW to scan other devices. We developed a python flask server to monitor global beaglebone issues. Our web application connects to the Shodan API and can pull down a list of IP addresses for Beaglebones that are connected to the internet. It can also take an IP address as an input and either send it to the Shodan API and display the information Shodan returns like open ports and headers or use our own scanning utility to check for certain open ports and certain programs and return those results along with a security rating. The security rating is shown by changing the color of that part of the page where red is a high risk, yellow is a medium risk, and green is a low risk.

What does work:

  1. BoneSAW scans ports, reports open ports that should be closed, and informs the user of any issues.
  2. BoneSAW generates proof of concept (POC) exploits for the BeagleBone system that can be sent remotely (not in the public version).
  3. BoneSAW has an early generation of 'agressive' and 'mean' tactics. Agressive tactics are those that would be used by an attacker that didn't fear the reprucussions of an attempted breach. Mean tactics would be used by an attacker whose sole purpose is to disrupt the service.
  4. BoneSAW implements some of the latest research into vulnerable services on the BeagleBone (e.g. DNSMASQ, SSH, HTTPD).

What doesn't work:

  1. Bonesaw does not implement a headless browser solution. We looked at a number of solutions with headless browsers to automate the process in our exploit in port 80 and 3000. These didn't pan out because of how they were handling web sockets.
  2. BoneSAW doesn't utilize tactics that could be easily available on older devices. For example, it could detect older httpd and potentially detect heartbleed vectors.

Packaging

BoneSAW Utility

The BoneSAW Utility can be run on any device that is capable of running python.

Note: While technically this aspect of the project does not require a BeagleBone, the knowledge of services on the bone was essential to developing the service.

Web Application

Since we do not use any special hardware for our project we didn't have any special packaging requirements for the bone. The only criteria we have is that the bone must be able to access power via either usb or the 12 volt power supply and that it must be able to connect to the internet either via IP masquerading or by wifi. As long as those two criteria are met the packaging can be anything the user wants.

Installation Instructions

To install BoneSAW utility

The Easy Way...

For quick and easy installation just run the install.sh scripts contained in this [1]

Manually...

  • Install python 2.6+ on your device.
  • Install the library python-nmap here
  • Install the pwntools library

To install the Web Interface

The install.sh script in the webInterface directory will install all necessary packages for the web application. Those packages are:

  • Python3
  • Flask
  • flask_socketio
  • shodan
  • python-nmap
  • requests

User Instructions

BoneSAW Utility

The BoneSAW utility documents its commands in the below help screen and returns the user to the help screen when a malformed request is sent. Essentially, the IP is a positional, required argument. The arguments 'mean' and 'aggressive' are additional arguments but are not required.

The arguments 'mean' and 'aggressive' are available only when running as root.

Help menu of BoneSAW

For the web application:

navigate to the /bonesaw/webInterface/app/ directory and execute ./webApp then in a web browser navigate to this page. Once at the page press the "Update List" button to see the list of visible Beaglebone IPs under the header "Visible Beaglebone IPs. Type or copy and paste the IP you want more information about into either the field to the left of the "Get More Data About IP" button or the field to the left of the "Scan IP" button and then press the respective button to see either the Shodan output or the scan utility output under their respective headings.

Highlights

BoneSAW Utility

The BoneSAW can detect the use of Cloud9 and Bone101 services and generate proof of concept (POC) exploits for Bone101. These POC exploits would allow an attacker to, theoretically, gain root access on any beaglebone out in the wild.

note: it also provides a fool-proof plan to get back into your bone if you forget a password

A demonstration of the utility is here on youtube here. However, you will need to turn on closed captions since I had trouble with the microphone on the video.

Web Application

The web app successfully connected to the Shodan API and could run our scan utility. Web App demo: youtube

Theory of Operation

BoneSAW Scanner:

We developed a scanner to look at individual IP addresses and report back issues. It checks the condition of the publicly available network resources and reports back. It checks ports 22, 53, 80, and 3000 in the following manner.

Default Port 22: SSH

Port 22 runs SSH. Many, many, many beaglebones run with either the default password or no password. These are the configurations checked:

  • root/
  • root/'temppwd'
  • debian/
  • debian/'temppwd'

Default Port 53: DNSmasq Port 53 runs DNSmasq. The version currently on this bone is 2.76. From what I can see from exploitdb.com all versions before 2.78 are vulnerable to a *several* remote code execution exploits. I have a couple POC exploits in [dnsmasq](dnsmasq) folder. Both of these I got to work on a webserver. However, I did not get it working on the bone. Though, I didn't spend much time on this. This is exploited, but not an exploit specific to the bone. Additionally, it is easily fixable by updating DNSmasq.

Default Port 80: Webserver

Port 80 runs a web service *as root* with bonescript. Bonescript is a useful piece of JavaScript that runs client side and communicates using socket.io with the bone. Bonescript contains two functions that can easily be used for an exploit:

  • digitalWrite(pin, value, [callback])
  • writeTextFile(filename, data, [callback])

The idea here is that if this service is exposed it is trivial to gain root on this device. This is accomplished by accessing the device over Port 80, executing [webservice.js](webservice.js) on the device to modify any file on the system, and taking advantage of the changes made.

Examples of files that could be exploited:

  • /etc/passwd
  • /etc/shadow
  • /etc/ssh/authorized-keys/%u
  • /etc/ssh/sshd-config

From this setup you can install keys, change passwords, or leak passwords and gain root.

Default Port 3000: Cloud9

Here we check to see if Cloud9 is running on the bone. If so, it alerts the user. The fact that this is on port 3000 typically means you can use the terminal in Cloud9 for at least user level priviledges. This could quite reasonably set up a system for password cracking, priviledge escalation, or basic botnet behavior.

Web appication High level overview:

[User]--Press-->[Update List Button]--Sends Message-->[Flask Server]--Invokes-->[Shodan API]--Returns Search Results-->[Flask Server]--Sends Messages With Results-->[Visible Beaglebone IPs section of Web Page]

[User]--Press-->[Get More Data About IP Button]--Sends Message With Requested IP-->[Flask Server]--Invokes-->[Shodan API]--Returns Host Information-->[Flask Server]--Sends Messages With Info-->[More Data section of Web Page]

[User]--Press-->[Scan IP Button]--Sends Message With Requested IP-->[Flask Server]--Calls-->[Our Scan Function]--Returns Found Information-->[Flask Server]--Sends Messages With Info-->[Scan Result section of Web Page]

Work Breakdown

Luke:

  1. Vulnerability Research [Luke] - Here I looked into the services running on the device and the exploits available to it.
  2. Exploitation [Luke] - Here I looked at avenues discovered in the initial steps and developed POC exploits
  3. Attempting to better exploitation [Luke] - After I had POC exploits I ensured they were viable on other devices and looked at aspects such as the headless browser to better to expedite the exploit from the command line.
  4. Exploit Amelioration [Luke] - Here I looked into the exploits developed and looked at making recommendations as to how to solve them. In the case of the port 80, I came to the conclusion that the best solution was to disable bone101 by default, not run it as root, and perhaps change it to a different port than 80. Additionally, a fair number of the ports should be accessable only from the 192.168.1.* (local) area.

Chace:

  1. Python Flask Research and Implementation [Chace] - Here I looked into Python's Flask library and learned how to build the back end of our web server.
  2. Shodan API Research and Implementation [Chace] - Here I did some research into the Shodan API and figured out how to integrate it into the Python Flask server.
  3. Front-End Implementaton [Chace] - I wrote the front-end css and html for our web application, this required a fair amount of research into css and html as I had never used them before.
  4. Integrating Luke's Scan Utility into the Application - I made a few modifications to Luke's scan application so that it would integrate nicely into the web application

Future Work

For the scanning application:

  1. I would like to see it automate the exploitation currently in proof of concept through some sort of headless browser.
  2. I would like to see privilege escalations and automation out of the cloud9 interface.
  3. I would like to see more 'mean' tactics in the package.
  4. I would like to see a better grasp of the services on the bone and a check on whether those services are vulnerable. Currently, it only alerts you if it is below a hardcoded value. More specific versions will have specific issues.

For the Web App:

  1. Add option to run autonomously - Add a check box to the page that will set the script to run once a day or week and scan each of the IPs returned to it by Shodan and store those scan results in a file.
  2. Set up a system to notify owners/admins of risks - set up a system that figures out the appropriate person to contact about the security issue with each bone and automatically email them about the the security risks.

Conclusions

BoneSAW Utility

I believe the BoneSAW as a network utility is incredibly useful. The rise in IoT hacks all over the world proves the necessity for a utility like this one. It needs more features like noted before, but making something like this commonplace might just make the BeagleBone stand out for security in the IoT market.

I believe that while the bone is not marketed as an Internet of Things (IoT) device that fact that it comes with networking capability means that it should be secure and secure by default. For those reasons I recommend the following:

  1. The Bone101 service not be run as root. (or that it switch from root quickly)
  2. The Bone101 service not be run by default.
  3. The Bone101 service not be run on port 80. This one, in particular, will absolutely change the difficulty involved here. Switching port 80 and 8080 currently would help significantly.




thumb‎ Embedded Linux Class by Mark A. Yoder