LANrev Vulnerabilities Toorcon 12 2010

Slashdot Article
Slashdot: PA School Spied on Students Via School-Issued Laptop Webcams

LANrev's multiple vulnerabilities come to light

Image by recombinantrecords.net
Huxley's Brave New World vs Orwell's 1984

Brave New World vs. 1984

Method

Wireshark
LANrev packets in Wireshark

Reverse-engineering

TCPDump and Wireshark

OllyDbg

OllyDbg
Reversing LANrev in OllyDbg

Listing 1 is Bruce Schneier's Blowfish compiled and disassembled.

Listing 1: Example OllyDbg Disassembly
CPU Disasm
Address  Hex dump          Command                                  Comments
00401020 /$ 53             PUSH EBX                                 ; LANrev_Server.00401020(guessed Arg1,Arg2)
00401021 |. 8B4424 08      MOV EAX,DWORD PTR SS:[ARG.1]
00401025 |. 8B10           MOV EDX,DWORD PTR DS:[EAX]
00401027 |. 55             PUSH EBP
00401028 |. 56             PUSH ESI
00401029 |. 8B71 04        MOV ESI,DWORD PTR DS:[ECX+4]
0040102C |. 57             PUSH EDI
0040102D |. 8B39           MOV EDI,DWORD PTR DS:[ECX]
0040102F |. 3317           XOR EDX,DWORD PTR DS:[EDI]
00401031 |. 8BC2           MOV EAX,EDX
00401033 |. C1E8 10        SHR EAX,10
00401036 |. 25 FF000000    AND EAX,000000FF
0040103B |. 8B8486 000400  MOV EAX,DWORD PTR DS:[EAX*4+ESI+400]
00401042 |. 8BDA           MOV EBX,EDX
00401044 |. C1EB 18        SHR EBX,18
00401047 |. 03049E         ADD EAX,DWORD PTR DS:[EBX*4+ESI]
0040104A |. 0FB6DE         MOVZX EBX,DH
0040104D |. 33849E 000800  XOR EAX,DWORD PTR DS:[EBX*4+ESI+800]
00401054 |. 8BDA           MOV EBX,EDX
00401056 |. 81E3 FF000000  AND EBX,000000FF
0040105C |. 03849E 000C00  ADD EAX,DWORD PTR DS:[EBX*4+ESI+0C00]
00401063 |. 8B5C24 18      MOV EBX,DWORD PTR SS:[ARG.2]
00401067 |. 3347 04        XOR EAX,DWORD PTR DS:[EDI+4]
0040106A |. 3303           XOR EAX,DWORD PTR DS:[EBX]
0040106C |. 8BD8           MOV EBX,EAX
0040106E |. C1EB 10        SHR EBX,10
00401071 |. 81E3 FF000000  AND EBX,000000FF
00401077 |. 8B9C9E 000400  MOV EBX,DWORD PTR DS:[EBX*4+ESI+400]
0040107E |. 8BE8           MOV EBP,EAX
00401080 |. C1ED 18        SHR EBP,18
00401083 |. 031CAE         ADD EBX,DWORD PTR DS:[EBP*4+ESI]
00401086 |. 0FB6EC         MOVZX EBP,AH
00401089 |. 339CAE 000800  XOR EBX,DWORD PTR DS:[EBP*4+ESI+800]
00401090 |. 8BE8           MOV EBP,EAX
00401092 |. 81E5 FF000000  AND EBP,000000FF
00401098 |. 039CAE 000C00  ADD EBX,DWORD PTR DS:[EBP*4+ESI+0C00]
0040109F |. 335F 08        XOR EBX,DWORD PTR DS:[EDI+8]
004010A2 |. 33D3           XOR EDX,EBX
004010A4 |. 8BDA           MOV EBX,EDX
004010A6 |. C1EB 10        SHR EBX,10
004010A9 |. 81E3 FF000000  AND EBX,000000FF
004010AF |. 8B9C9E 000400  MOV EBX,DWORD PTR DS:[EBX*4+ESI+400]
004010B6 |. 8BEA           MOV EBP,EDX
004010B8 |. C1ED 18        SHR EBP,18
004010BB |. 031CAE         ADD EBX,DWORD PTR DS:[EBP*4+ESI]
004010BE |. 0FB6EE         MOVZX EBP,DH
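To show what Listing 1 is a compilation of, here is the Blowfish block function written so that each C line maps onto the instructions above. This is an added example, not code from the talk or from LANrev; the struct layout (P-array pointer at [ECX], S-box base at [ECX+4]) is read off the listing, and the demo S-boxes and subkeys are constructed, not the real pi-derived tables.

```c
#include <stdint.h>

/* Layout implied by the listing: ECX is a this-pointer whose first word is
 * the P-array ([ECX] -> EDI) and whose second word is the S-box base
 * ([ECX+4] -> ESI). The four 256-entry S-boxes are contiguous, so the
 * displacements 0x400, 0x800 and 0xC00 select S1, S2 and S3. */
typedef struct {
    uint32_t *P;          /* 18 subkeys: [EDI], [EDI+4], [EDI+8], ... */
    uint32_t (*S)[256];   /* S[0..3][256] starting at ESI */
} blowfish_ctx;

/* F(x) exactly as compiled: ((S1[b] + S0[a]) ^ S2[c]) + S3[d] */
uint32_t bf_f(const blowfish_ctx *ctx, uint32_t x)
{
    uint32_t a = x >> 24;           /* SHR reg,18 */
    uint32_t b = (x >> 16) & 0xff;  /* SHR reg,10 ; AND reg,000000FF */
    uint32_t c = (x >> 8) & 0xff;   /* MOVZX reg,DH (or AH) */
    uint32_t d = x & 0xff;          /* AND reg,000000FF */
    uint32_t h = ctx->S[1][b] + ctx->S[0][a]; /* [..*4+ESI+400] + [..*4+ESI] */
    h ^= ctx->S[2][c];                        /* ^ [..*4+ESI+800] */
    return h + ctx->S[3][d];                  /* + [..*4+ESI+0C00] */
}

/* Sixteen Feistel rounds unrolled the way the listing does them:
 * xL ^= P[0]; xR ^= F(xL) ^ P[1]; xL ^= F(xR) ^ P[2]; ... then P[16], P[17]. */
void bf_encrypt_block(const blowfish_ctx *ctx, uint32_t *xl, uint32_t *xr)
{
    uint32_t l = *xl ^ ctx->P[0];   /* XOR EDX,DWORD PTR DS:[EDI] */
    uint32_t r = *xr;
    for (int i = 1; i <= 15; i += 2) {
        r ^= bf_f(ctx, l) ^ ctx->P[i];      /* XOR EAX,[EDI+4] ; XOR EAX,[EBX] */
        l ^= bf_f(ctx, r) ^ ctx->P[i + 1];  /* XOR EBX,[EDI+8] ; XOR EDX,EBX */
    }
    *xl = r ^ ctx->P[17];           /* final swap plus whitening */
    *xr = l;
}

/* Constructed demo context (NOT the real Blowfish tables): S[k][j] puts j in
 * byte k and P is all zero, so F(x) is a byte swap and results check by hand. */
const blowfish_ctx *bf_demo_ctx(void)
{
    static uint32_t P[18];
    static uint32_t S[4][256];
    static blowfish_ctx ctx = { P, S };
    for (int k = 0; k < 4; k++)
        for (uint32_t j = 0; j < 256; j++)
            S[k][j] = j << (8 * k);
    return &ctx;
}
```

With the real tables in place of bf_demo_ctx this is standard Blowfish encryption, so the same shape of F (three S-box lookups folded by add, xor, add) is what to look for when identifying Blowfish in a stripped binary.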

Surveillance Camera watches you

Python

Scapy

Middler

Exploit

Python

Metasploit

Metasploit msfcli waiting for reverse tcp vnc inject

Surveillance Camera outside my door

VNC

Webcams

Pan/Tilt Surveillance Camera at HBL

Problems with Remote Administration

Static symmetric keys don't secure, they obfuscate.

Public Key crypto is difficult to do correctly.

If you need webcams to find laptops, you're doing it wrong.

Data

Demo

Beaker gets lynched on live vlc feed
Pan/Tilt Surveillance Camera at HBL

Conclusion

Q & A

Joel R. Voss
Leviathan Security
Greets to h1kari, Frank Heidt, Mark, Chad, Kim Zetter, strydehax, Absolute Software, meee, Neg9, my mom, and everyone who has discussed this with me using their critical reasoning skills. This wouldn't have been possible without each of you.


Extra time: About DMCA, Copyright, and Reverse-Engineering