Buses, 802.11, and hilarity.

Ok. Just a short thing I noticed while connecting to the “MoovManage” access point on the bus today.

I was sitting there, waiting for the laggy web auth thing to finish, and decided to have a quick look at what GET params I was sending. Sadly, I forgot to run a capture and harvest them, but I did notice that it gave away some interesting bits of data. ** See below, I got ’em! **

First off, one param was telling me about 10.0.0.1, and another about 10.0.0.4. Another parameter contained my MAC address in the format 00-00-00blahblah.

There were various other “bits” sent that looked a bit like cookies, but I quickly realized those were likely just extra fluff sent by the app. There was also the original request I made (http://www.google.com/) and a redirect to unnamedbuscompany.com (obviously I am redacting some data!).

There was also a reference to port 3306… What runs on 3306? MySQL. So I am beginning to wonder: should I reconnect later (with a different MAC address – I have 3 wireless interfaces, Macchanger, and some SERIOUS curiosity) and run a sniffer/MITM proxy to see what is going on? Could be all kinds of data leakage there… maybe even connection params to the MySQL server?

Now for the “ideas”. Those GET params… XSS? SQLi? Who knows! A persistent XSS in such an app would allow you to harvest all kinds of data, I imagine: the MAC addresses of people connecting, the sites they requested (+ the GET params associated), and their “intranet” IP. You could also force redirects to ads, malware, or phishing sites – the application already has redirects in place, but using an XSS vuln to introduce a “new” redirect to “facebook.com” or “gmail.com” would be… Fascinating.

Just some random thoughts :) (It’s morning and /dev/brain has not mounted fully…)

## Some time later ##

So I got curious. As we all do. So I ran an nmap scan, as I don’t enjoy sharing my network space with unknown devices.

Here be the results… With SSL certs and such redacted because… well, because I felt like it!

user@brokenhost:~$ sudo nmap -sS -sV -A -O -vvv 10.0.0.1

Starting Nmap 6.02 ( http://nmap.org ) at 2012-06-20 09:21 IST
NSE: Loaded 96 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting runlevel 2 (of 2) scan.
Initiating ARP Ping Scan at 09:21
Scanning 10.0.0.1 [1 port]
Completed ARP Ping Scan at 09:21, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:21
Completed Parallel DNS resolution of 1 host. at 09:21, 0.19s elapsed
DNS resolution of 1 IPs took 0.19s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 09:21
Scanning 10.0.0.1 [1000 ports]
Discovered open port 443/tcp on 10.0.0.1
Discovered open port 22/tcp on 10.0.0.1
Discovered open port 53/tcp on 10.0.0.1
Completed SYN Stealth Scan at 09:21, 7.73s elapsed (1000 total ports)
Initiating Service scan at 09:21
Scanning 3 services on 10.0.0.1
Completed Service scan at 09:22, 13.30s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.0.0.1
NSE: Script scanning 10.0.0.1.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:22
Completed NSE at 09:22, 26.50s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Nmap scan report for 10.0.0.1
Host is up (0.0071s latency).
Scanned at 2012-06-20 09:21:50 IST for 49s
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.2 (protocol 2.0)
| ssh-hostkey: 1024 [REDACTED] (RSA)
|_ssh-rsa
[REDACTED]
53/tcp open domain dnsmasq 2.46
| dns-nsid:
|_ bind.version: dnsmasq-2.46
443/tcp open ssl/http thttpd 2.25b
| sslv2: server still supports SSLv2
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
| ssl-cert: Subject:

[ SOME DATA REDACTED ]

Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
TCP/IP fingerprint:
OS:SCAN(V=6.02%E=4%D=6/20%OT=22%CT=1%CU=39626%PV=Y%DS=1%DC=D%G=Y%M=000B6B%T
OS:M=4FE1884F%P=i686-pc-linux-gnu)SEQ(SP=C9%GCD=1%ISR=CA%TI=Z%CI=Z%II=I%TS=
OS:8)OPS(O1=M5B4ST11NW8%O2=M5B4ST11NW8%O3=M5B4NNT11NW8%O4=M5B4ST11NW8%O5=M5
OS:B4ST11NW8%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A
OS:0)ECN(R=Y%DF=Y%T=41%W=16D0%O=M5B4NNSNW8%CC=N%Q=)T1(R=Y%DF=Y%T=41%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=41%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW
OS:8%RD=0%Q=)T4(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=41%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T7(R=Y%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=41%IPL=164%U
OS:N=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=41%CD=S)

Uptime guess: 0.044 days (since Wed Jun 20 08:19:58 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=201 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

TRACEROUTE
HOP RTT ADDRESS
1 7.06 ms 10.0.0.1

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:22
Completed NSE at 09:22, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.56 seconds
Raw packets sent: 1073 (47.958KB) | Rcvd: 1032 (41.990KB)

So, it is some kind of embedded Linux box (Debian) running an unusual HTTPd, an odd DNS server, and a ridiculously outdated version of SSH, which I am sure is probably exploitable.

I also would guess ARM or MIPS/MIPSEL architecture, though do not hold me to that, as it is just a guess. I do not think it is running x86. Further poking was not done lest laws be violated – looking at something is OK, but actually trying to break into it is NOT OK. Hence, I did not bother searching for an exploit or anything. I might analyse the results later and publish ideas on owning these things, but not now.

To be honest, I want to buy one of these devices to poke at it some more, would love to find some vulns in them. They are embedded devices, ergo sexy as fuck!

Ok, so on my return trip I captured the GET it made. Here it is, dissected…

https://portal.moovmanage.com/setup/1082/2?res=notyet

&uamip=[GATEWAY IP] # 10.0.0.1
&uamport=3990 # How interesting, last time it was 3306… Perhaps random?
&challenge=1ae780936302d93e8a408936ab128209 # MD5 hash, have not cracked it… YET!
&mac=[MY MAC ADDRESS] # LOL, as if I was going to expose that ;)
&ip=[MY LAN IP ADDRESS] # 10.0.0.(removed)
&called=[ROUTER MAC ADDRESS] # Don’t track me bro…
&nasid=1082 # No clue what you are… YET
&userurl=http%3a%2f%2fgoogle.com%2f # Oh how nice. That’s where I was going :3
&md=584472E656ADD831B5D3060AA9B35E4B # MD5 hash, have not cracked it… YET!

So, I was wrong about the MySQL server connection, but it DOES make some kind of connection, likely a “VPN” setup or something, or maybe that is the port my traffic exits the network via. I do not know yet.
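As an added example (not the portal’s or the bus operator’s code), the script below parses a redirect chain like the one dissected above and reports which parameters carry identifiers, whether they reach a host other than the portal or travel in cleartext, and whether the challenge and md values have the MD5-sized shape assumed above. The parameter names (uamip, uamport, challenge, nasid, userurl, md) match the ChilliSpot/CoovaChilli UAM redirect, whose default UAM port is 3990; that mapping, and every host, MAC and IP in SAMPLE_CHAIN (including the second hop to the operator’s own site), are assumptions and constructed placeholders, not the redacted values from the capture.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters that identify the device, the network or the user's intent.
SENSITIVE = (
    "mac",      # client MAC: stable hardware identifier, trackable across venues
    "called",   # access-point MAC: geolocatable via Wi-Fi positioning databases
    "ip",       # client LAN address: exposes internal addressing
    "userurl",  # originally requested URL: exposes browsing intent
)
HEX128 = re.compile(r"^[0-9a-fA-F]{32}$")  # shape of an MD5-sized challenge/md value


def parse_hop(url):
    """Return (host, scheme, params) for one redirect hop; parse_qs percent-decodes."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts.hostname, parts.scheme, params


def audit_chain(chain):
    """Walk a redirect chain (first hop is the portal) and list privacy findings."""
    portal_host = urlsplit(chain[0]).hostname
    findings = []
    for url in chain:
        host, scheme, params = parse_hop(url)
        leaked = sorted(k for k in params if k in SENSITIVE)
        if leaked and host != portal_host:
            findings.append(f"{host}: third-party host receives {', '.join(leaked)}")
        if leaked and scheme != "https":
            findings.append(f"{host}: identifiers sent in cleartext over {scheme}")
        for nonce in ("challenge", "md"):
            if nonce in params and not HEX128.match(params[nonce]):
                findings.append(f"{host}: {nonce} is not a 128-bit hex value")
    return findings


# Constructed chain: a UAM-style portal hop with placeholder hosts, MACs and IPs,
# followed by an assumed operator landing page that still carries the client MAC.
SAMPLE_CHAIN = [
    "https://portal.example.net/setup/1082/2?res=notyet&uamip=10.0.0.1&uamport=3990"
    "&challenge=1ae780936302d93e8a408936ab128209&mac=00-11-22-33-44-55&ip=10.0.0.23"
    "&called=66-77-88-99-AA-BB&nasid=1082&userurl=http%3a%2f%2fgoogle.com%2f"
    "&md=584472E656ADD831B5D3060AA9B35E4B",
    "http://bus-operator.example/welcome?mac=00-11-22-33-44-55&userurl=http%3a%2f%2fgoogle.com%2f",
]

if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_CHAIN):
        print(finding)
```

Feeding it a captured chain from a browser’s network log shows at a glance which hop hands the MAC to whom; with this sample, the first hop is clean and only the constructed second hop is reported.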

2 thoughts on “Buses, 802.11, and hilarity.”

  1. Once, I was on Starbucks wifi and it had a site redirect like you described in the auth page and it also passed along your MAC address… all the way to yahoo.com!! If I were to go around the country using Starbucks wifi, it would be trivial to track me, they could even sniff traffic and identify facebooks and associate those with MAC addresses and track around specific people! Bad, bad.

    v0rbis

  2. Oh it is something else for sure… I have often wondered whether I should check site access logs for MAC addresses along with the silly SQLi and RFI attempts…

    The fact it passes the MAC along like that is a shocking privacy leak – it often also will pass the access point MAC (some variants anyway) so one could use the google maps thing to LITERALLY track someone ;)
