Universal Plug and Fuzz

Earlier this week I bought a Belkin Netcam HD web camera.  It’s probably the most insecure device I ever tested, or even heard about. With the firmware that comes pre-loaded, the telnet service is wide open as root. There’s also an undocumented web interface. The default password is admin:admin, and it’s hard coded.  This means that regardless of how the user sets the device up, an attacker can simply browse to /apcam/apcam/jsstream.asp and watch the video stream.

These issues were reported to Belkin and are fixed in the latest firmware. In the new firmware release, the web administration pages are gone and telnet is disabled. There may be some vulnerabilities left there, but I decided to look at another vector instead: Universal Plug and Play. Belkin WeMo devices are controlled by UPnP, and it appears that the Netcam supports the full WeMo UPnP API.  This makes the attack surface fairly large and manual fuzzing a bit cumbersome.

UFuzzlogoWith that in mind, I’ve created a new UPnP enumeration and fuzzing framework, called UFuzz (Universal Plug and Fuzz). Since the readme in the github repo is pretty short, this seems like a good time to see how UFuzz works.

In order to fuzz the Belkin Netcam, simply configure the device to connect to your wireless network, and issue the follow command to start UFuzz:

./ufuzz -u -v 4

The -u option starts UPnP mode, and the “-v 4” option changes the verbosity to TRACE. This allows us to see the requests and response summaries during fuzzing.

When UFuzz starts, it will broadcast an MSEARCH via UDP to discover all of the devices on the subnet. It will then download and parse of the XML service description files. Next, template requests will be created for each service accessible via UPnP. It’s a bit dumb right now, so it just uses “1” as the default value for each parameter (though you’re welcome to make it smarter).

Finally, it iterates through each parameter using different fuzz values to produce a fault. A fault in UFuzz can be excessive time delay, as is the case for command injection and blind SQL injection payloads, or the target can be instrumented via telnet, serial or syslog to detect exploitable crashes.  Some example modules have been included for telnet and serial monitors.

I should mention that UFuzz isn’t just a one trick pony. It can also fuzz Burp proxy logs. This raises the obvious question — Why not just use Burp to detect these issues? Burp is a fantastic web security scanner, but it doesn’t detect a lot of issues specific to embedded systems. For example, if I send a long string of A’s to a specific parameter, it could cause a buffer overflow in the HTTP server or another binary that the HTTP server calls. The server might even answer with a “200 OK” in certain scenarios. By instrumenting the system, we can check logs or serial output for strings like “SIGSEGV” and log appropriately.

In the time it’s taken to write the above paragraphs, UFuzz has found another bug in the Belkin Netcam:

[2014-04-04T16:13:43-07:00 EVENT DETECTED] cmd injection - possible cmd injection - "`ping -c 10 127.0.0.1`": delay 9.18

Turns out that’s not a false positive. You can try it out yourself with this Metasploit module. I should also mention — it’s quite possible this affects all Belkin WeMo devices. If someone has a WeMo switch, please try it and let me know.

Until next time, happy bug hunting!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s