DEF CON 30 - Gal Zror - Hacking ISPs with Point-to-Pwn Protocol over Ethernet (PPPoE)

35,836 views

DEFCONConference

A year ago

Hello, my name is BWL-X8620, and I'm a SOHO router. For many years my fellow SOHO routers and I were victims of endless abuse by hackers. Default credentials, command injections, file uploading - you name it. And it is all just because we're WAN-facing devices. Just because our ISP leaves our web server internet-facing makes hackers think it's okay to attack and make us zombies. But today, I say NO MORE!
In this talk, I will show that if a web client can attack a web server, then an ISP client can attack the ISP servers!
I will reveal a hidden attack surface and vulnerabilities in popular network equipment used by ISPs worldwide to connect end-users to the internet.
BRAS devices are not that different from us SOHO routers. No one is infallible. But BRAS devices can support up to 256,000 subscribers, and exploiting them can cause a ruckus. Code execution can lead to a total ISP compromise, mass client DNS poisoning, endpoint RCE, and more!
This talk will present a high-severity logical DoS vulnerability in a telecommunications vendor's implementation of PPPoE and a critical RCE vulnerability in PPP. That means we, the SOHO routers, can attack and execute code on the ISPs that connect us to the internet!
Today we are fighting back!

Comments: 27
@renakunisaki a year ago
Imagine buying this expensive equipment as part of your critical infrastructure and then being told "btw it has a huge security vulnerability which we aren't gonna bother fixing".
@user-qgtoekq a year ago
That would assume that they would bother telling you there is a vulnerability...
@jfbeam a year ago
That's the sad reality of the modern world. "We fixed it in the new 250,000$ box." (omitting that there are _other_ bugs in the new box.)
@DrTune a year ago
I have a Cisco 19" switch in my room here, I had to replace the fans with near-silent ones, was horrendously noisy (but not any more!)
@Mindflayer86 10 months ago
This is so incredibly cool! I would love to do similar research. Thanks for the great presentation! 🤗
@SumanRoy.official a year ago
Very expensive research, great talk❤
@ChristopherWoods a year ago
A great talk and presentation. By the way @DEFCONConference there's a few errors in the transcribed subtitles, is there any way I can suggest some edit improvements? (mostly due to misheard sentences, in some cases they make no sense because of the mistyped words)
@D089ify a year ago
Say P P P one more time 🤣!! Just kidding great talk much appreciated !👍
@imperia777 a year ago
Aleph Research the author of "Aleph1 smashing the stack for fun and profit"?
@pyrophreak2600 a year ago
I'm still curious what research or what techniques you used to determine the ISP equipment Brand/Model to begin research? I know there are many options available but curious what your path was.
@tass2001 9 months ago
Sometimes the ISP will include model numbers as part of the host name for the equipment, so a simple trace route can give you a lot of information regarding the network between you and outside ASs. If you have L2 connectivity, you could look at ARP to determine equipment OUIs and link that back to a manufacturer. Nmap scans to reveal any services that might help fingerprint, etc
@lynzoido a year ago
This is strong Kung Fu!
@TheMatrixcube 9 months ago
Great presentation 👌
@Jango1989 a year ago
Very cool!
@ixin645 3 months ago
the rick and morty characters were sure necessary
@alexbrown1050 a year ago
'stop using eol equipment' should be 'vendors should issue security patches in perpetuity'
@jfbeam a year ago
Not so much "for ever", but yes, for a reasonably long period covering the _actual_ useful lifetime of the product. (eg. I still have 25yo Bay/Nortel/Avaya switches in use. They work, why should I replace them. The Cisco 1760... yeah, the internet is a lot faster than 8Mbps, so that's no longer "useful".) In this case, while it might seem to be a trivial thing to fix -- and should be -- this assumes Ericsson has the people and assets (code, build env, etc.) to actually make a patch for something two decades old.
@linuxguy1199 a year ago
@jfbeam Been to installations where people are still using Cisco 2950s haha
@plasmasupremacy9321 a year ago
Bro really likes Solar Opposites
@Shadownrun2 a year ago
turn on the closed captions, drink a shot for every letter 'P'
@carkulturez a year ago
Very nice
@adolphgracius9996 a year ago
What's the Piupa doing?
@ukrainian333 4 months ago
PPP? PPP!
@maktiki a year ago
Looks like it was designed to have holes in it.
@JNET_Reloaded a year ago
at the end I'm sure he said thank you for your come lol
@ytg6663 8 months ago
thank you for you TUM (Time)