Embedded Systems Security

An embedded system is a special-purpose computer system designed to perform one or a few dedicated functions. The following are examples of embedded systems security research that have been performed by IRM:

Embedded Systems Security Assessments
Embedded Systems Testing Datasheet (PDF 55 KB)
Embedded Systems Testing Methodology (PDF 237 KB)

Cisco IOS Security Research

IRM has performed extensive vulnerability research against Cisco IOS. This section provides a high-level summary of some of the results.

Creating Backdoors in Cisco IOS using Tcl

Tcl (Tool Command Language) is a scripting language used extensively in embedded systems; it is easy to use and has some powerful features. Cisco IOS has supported the language for some time, and it is used, for example, in IOS IVR configuration and to automate mundane tasks regularly performed by network administrators. This technical briefing document details a technique using Tcl to create a backdoor within IOS that would allow a remote attacker to execute privileged commands on a networking device. The document can be downloaded here: Creating Backdoors in Cisco IOS using Tcl

IOS Shellcode Videos

The following videos show three different shellcode techniques, developed during the research, for gaining remote level 15 (root) exec VTY (shell) access to Cisco IOS. Please note that each shellcode (written in PowerPC assembly language) is launched from GDB within a development environment rather than as the payload of an exploit. The "Development server" is connected to the Cisco router (2600 Series) via a serial cable (for GDB debugging) and via Ethernet (for TCP/IP communications). It takes a short while for the shellcode to start functioning, as it has been hooked into the IOS image checksumming routine that runs every 30-60 seconds. When each starts running, the arbitrary text "<args-warning>" is displayed on the console to indicate successful execution of the shellcode.
Bind Shell
· Requires four hard-coded addresses of functions within IOS
· Creates a new VTY
· Sets a password on the VTY
· Privilege escalates to level 15
Video: Bind Shell

Reverse Shell
· Requires five hard-coded addresses of functions within IOS
· Creates a new VTY
· Privilege escalates to level 15
· Opens a new TCP connection
· Binds the VTY to the TCP connection

"Two byte rootshell" or Tiny Shell
· Requires up to one (sometimes none) hard-coded address within IOS
· Removes the requirement to authenticate to a currently active VTY
· Privilege escalates to level 15
Video: "Two byte rootshell" or Tiny Shell
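The Tcl backdoor briefing and the shellcode descriptions above both come down to persistence and access paths a network administrator can look for: Tcl code that IOS loads at boot or through Embedded Event Manager (EEM), and VTY lines that start sessions at privilege level 15 or skip authentication. The following script is an added example, not IRM's own tooling and not the detection method of the research it describes: it walks the text of a `show running-config` and flags those configuration lines. The indicator patterns (`scripting tcl init`, `event manager policy`, `event manager applet`, `no login`, `privilege level 15`, `transport input telnet`) are assumptions chosen for illustration; whether a given technique leaves exactly these traces in the running configuration is not stated on this page. The sample configuration is constructed.

```python
"""Added example (not from the page or IRM): audit a Cisco IOS running-config text for
Tcl persistence hooks and unauthenticated / privileged VTY lines. The indicator set is
an assumption for illustration; the sample configuration below is constructed."""
import re
from typing import List, Tuple

# Constructed sample: a minimal IOS-style running-config with a few lines of interest.
SAMPLE_CONFIG = """\
version 12.4
hostname edge-rtr
!
scripting tcl init flash:/startup.tcl
!
event manager policy maint.tcl type user
event manager applet NIGHTLY
 event timer cron cron-entry "0 3 * * *"
 action 1.0 cli command "enable"
!
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 privilege level 15
 no login
 transport input telnet
!
end
"""

# Top-level (non-stanza) indicators: (regex, message). Assumed heuristics.
GLOBAL_INDICATORS = [
    (r"^scripting tcl init\s+(\S+)", "Tcl script loaded at boot: {0}"),
    (r"^event manager policy\s+(\S+)", "EEM Tcl policy registered: {0}"),
    (r"^event manager applet\s+(\S+)", "EEM applet present (review its actions): {0}"),
]

# Indicators that matter only inside a 'line vty ...' stanza.
VTY_INDICATORS = [
    (r"^no login$", "VTY accepts sessions without authentication"),
    (r"^privilege level 15$", "VTY starts sessions at privilege level 15"),
    (r"^transport input .*telnet", "VTY allows cleartext telnet"),
]


def audit_ios_config(config: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs, in config order, for lines matching an indicator."""
    findings: List[Tuple[int, str]] = []
    current_vty = None  # e.g. "vty 5 15" while inside that stanza, else None
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.rstrip()
        if not line.startswith(" "):
            # IOS indents stanza members by one space; an unindented line ends any
            # stanza and may open a new vty stanza.
            m = re.match(r"^line (vty \d+(?: \d+)?)", line)
            current_vty = m.group(1) if m else None
            for pattern, message in GLOBAL_INDICATORS:
                m = re.match(pattern, line)
                if m:
                    findings.append((lineno, message.format(*m.groups())))
            continue
        if current_vty is None:
            continue  # indented line of a stanza we do not audit (con, EEM applet, ...)
        member = line.strip()
        for pattern, message in VTY_INDICATORS:
            if re.match(pattern, member):
                findings.append((lineno, f"line {current_vty}: {message}"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_ios_config(SAMPLE_CONFIG):
        print(f"{lineno:4d}: {finding}")
```

Run against the constructed sample, the script reports the boot-time Tcl script, the EEM policy and applet, and the three findings on `line vty 5 15`; the `vty 0 4` stanza with `login local` and SSH-only transport produces nothing. In practice the output is only a review list: an EEM applet or a Tcl init script may be entirely legitimate, so each finding is compared against the device's change record rather than treated as a verdict.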
Previous Cisco Research performed by IRM
IOS Exploitation Techniques
ATM Security Research

IRM performed a collaborative research project with the ATMIA into the security of ATMs. Although the detailed findings remain confidential within the ATM industry, below is a summary of the areas investigated during the research:

Physical Security - Can the device be manipulated in any way to provide elevated access to the ATM internals? A vulnerability was discovered in a well-known ATM vendor's machine whereby, using a simple technique, the engineering configuration mode could be activated with the machine still closed and locked (the mode can normally only be activated from within the machine).

Software Attack - Given the ability to install software on the ATM (physical access or remote network exploitation), what could be achieved? One of the machines tested utilised the XFS (eXtensions for Financial Services) API within Microsoft Windows, and a proof-of-concept Trojan was developed to demonstrate that cash could potentially be dispensed by the machine using this malware.

Installation and Maintenance Procedures - Do any procedures during installation or regular maintenance impact security? Authentication credentials were identified to be in a default state and, in some cases, engineering maintenance manuals were publicly available on the Internet.

Mobile Device Research

IRM has performed many mobile device reviews, including an engagement on behalf of Hutchison 3G which focussed on the security of the embedded networking software implemented in a range of handsets that they were planning to use with a new service. The assessment required the development of a tailored assessment methodology along with a range of bespoke testing tools. An IRM-funded research project investigating mobile handset security resulted in the discovery of several remote vulnerabilities in common handsets.