MC: So our next talk is going to be super cool, looking forward to this, and we've got another live demo. We're going to learn how to mess with your smart TV system and, I'm guessing, probably make it do things that it wasn't intended to originally, is that right? That's great, excellent. Well, hopefully it does everything that it was intended for today, right? Yeah, all right, all right, ready to go? All right, well, let's give a big, big round of applause, welcome Felix, and let's get this thing started.

Felix: All right, um, is it on? Are we still... we've still got to get the video set up, because I want to show live how to use the system and so on, so I brought a box, but we have to switch to the video projector in between, so we're still working on it. OK, lit up, here we go. All right, there's no audio... starts very well.

This is how my story begins. Who actually knows what it is? Sorry, that's Tatort, that's a German TV series, it's a crime series, it's almost as old as Columbo, the only difference is they're still producing shows and it's still running. So in some German families it's a tradition that when the weekend is over, on Sunday night, quarter past eight, you sit down, you switch on the first TV channel that was ever there and that's still there, and you watch the show, a new episode. And as it's a tradition it's also something that my wife and I like to do, and we moved to a different country a few years ago and unfortunately we were not able to see this show anymore, and it's kind of sad, and that's the start of the story.

So, where... my name is Felix Leder and my passion is to take things apart, and to put other things together that help to take things apart. Besides that I'd love to be out in the snow or on the water. And to explain to you
a bit more what I mean by taking things apart: I love to hunt bugs and malware and collect them, I also like to research botnet takeovers and countermeasures, and I'm heavily involved in the Honeynet project. During my day job I work around mobile threat research at a very nice company called Blue Coat, but this research I'm presenting is not only my own work; you know, every research has some supporters, and in this case it's a bunch of people from a company called enzymes, and they helped me with this.

So the background of the story is that we had this box, a Western Digital TV Live Hub. I actually have one on stage here, and it's a very fine piece of hardware. Basically it makes your dumb TV smart, and when you have a smart TV you get more services and more options to do things. You see here it has HDMI output, there are also two USB ports, it supports Wi-Fi, Ethernet, you can connect a keyboard and stuff like this. But what's more interesting is, since at the moment it looks more like an Apple TV or something like this, it also has a one terabyte hard disk in there, and that's kind of neat because then you can upload all your movies, it's all on one device, you don't need additional storage like a NAS or something, so that's pretty handy. The processor in there is a rather slow MIPS processor, but it's also not responsible for playing the video; basically the codecs are all in hardware on the system and they make sure that you can play the videos fast enough.

Back to the story. So this box already has all kinds of services on there which are pretty nice, like YouTube and Spotify and stuff like this, and when we didn't have this TV show, you know,
Tatort, for a long time, my wife actually said: you know, you're always breaking stuff the whole time, why don't you for once do something useful with this and put my favourite show on this box. And you know, when your wife asks you something like this you'd better make sure you please her. Actually I hope my wife is not here, because she would probably comment "well, what do you know about how to please me", but that's a different story. OK, all right, so let's start.

Now before we start: we are also going to release the modifications that we have done on the firmware, so we need a disclaimer. This is for educational or research purposes only. If you do what we have done here and you break your box, it's not our fault and we cannot help you. Also if you use any kind of DRM keys and the like on the box, it isn't our fault. OK, so much for the disclaimer.

First step. The first attempt was an offline analysis of the disk that's in there: basically take it out, plug it into a PC, see what's on there. And it started pretty lucky, we found a private partition on there, but after a few minutes we found out there's really nothing of relevance on that partition, just some offline storage for Spotify and so on, and besides that there's only the partition that holds all the data, all the movies that we upload and so on. So that was nothing, too bad, getting some pressure already from my wife for wasting time.

Next step. This box has an update mechanism: it automatically reaches out to Western Digital to check if there's a new firmware, and if there is it asks if you want to install it, and it does all of that automatically. You can also download the firmware manually if you go to their support page and see
what's in the update. So once we download all this we found that there's a zip file, and inside the zip file we have five different files, and two that look really interesting: one is a .bin file and one is called .bi-something; they are about 150 megabytes. And we wanted to see if we find something that we can recognise in there, and fortunately we did: there's a squashfs filesystem in there, but it's at offset 32. So I still need to have some people drinking with me tonight, so you can get a beer if you can answer what the first 32 bytes might be. Any ideas what the first 32 bytes before the filesystem image are? A signature? Very good, who said it first? All right, come back to me later... beer. Excellent. Yeah, it turns out it's an md5 signature of the whole image.

And so we started investigating this a little more carefully, how the images look, and actually what you see is you have two different images that compose the whole operating system on the device. It's a Linux system, in which one is the root filesystem, basically for everything from root downwards; it has an end signature including the size, and at the very beginning, like the man just said, there's the md5 of the whole image. This md5 is then also appended to the second image, which is usually mounted at /opt, which again has another signature at the very front, to make sure they all match together and nothing's broken, and those two together basically make up the image.

Now let's look into the content. This is a bit small, I know that, so I'll explain it. On the left side you see the main image, the root image, and it's the usual init system which initialises the whole system; it has a config file with some static config, and it has another file with md5sums. In this
presentation it seems like Western Digital likes md5. On the right side there's the opt folder, and there was one interesting folder called webserver which basically looked really interesting. So with this there was enough information to actually modify the box, but we were a bit hesitant about whether we should just modify the firmware and upload a new one, for the reason that we weren't sure whether they had more md5 checks there, and it looked like they had quite a lot, so we were a bit hesitant to change the firmware and maybe just break that single device that we had. Another option was: let's go hunt for some vulnerabilities. It might take more time, but it's also more fun, right?

OK, so, vulnerability finding. The first thing was to look at the webserver. Um, this thing has a webserver; let me also quickly switch to where we have Firefox. Here we have Firefox, which is live on the box now, so you see that's the entry when you log in, and the password is admin, by the way. When you log in you get a remote control, but you can also change the password and so on, so that looked kind of promising. And luckily the PHP that's used to change all the configuration isn't encoded, encrypted or anything, it's just... they are in plain text, so that's usually a good start, you know.

Starting from the web server: SQL injection, which was the first attempt, and as you can see there's a nice SQL statement at the bottom that is composed of parameters right from the GET request, like entry ID, language ID. Great, and that is using SQLite. So here's the statement that would basically create an SQLite database that is at the same time an SQLite file and a valid PHP file. Does anyone here have experience with the PDO database driver? Someone over here? What's the problem? Don't see it?
PDO only allows a single statement at a time, and we wanted to inject five statements here, so unfortunately it didn't work. And even if it had worked, we found out later that this part of the filesystem is actually read-only, so no chance at all. Bummer.

OK, out of the webserver. Note: the next thing to try was remote file inclusion, and what we found out is there is a remote file inclusion, or simply a file inclusion, possibility depending on the language, which is stored in the cookie. So let me switch back to the web server, and you can see there you have to enter a password, and down here you can find the language. All right, I have a cookie editor up here, and if we refresh it you can see there's a language ID of three in here. So we were thinking, OK, can we just modify this, adding a few dots, adding a few slashes... did I press the right button? The screen is a bit far away... yeah, I did. So as you can see, now we get an error message saying, oh, it didn't find the file home.php. And then we thought, OK, um, why not simply upload a file called home.php to the folder that we can access via SMB, and then modify the cookie to point to that, and actually you can calculate the path just by looking at the firmware. OK, I pressed the wrong button, sorry, the cookie editor is really small and it's hard to see the screen actually from here. All right, wow, great, now we've got a PHP shell.

So those of you who have worked with PHP shells know that they are a pain in the ass, right? So the first thing you want to do is try to figure out if there is telnet on there, and actually telnet was on there, so we want to activate it and get onto the box. And I have to confess my background is usually not too much in embedded devices but more like the PC world, and usually when you own the web
server the next thing you do is think about privilege escalation. All right, so, um, same thing here: let's go and telnet into the box, and in order to know from which account to escape, or to get the privileges, first you find out which account you are, and... oh hey, we have root already. This was far easier than I expected, but you can also see my stupidity on the screen, because actually the PHP shell already tells you that you are root. OK, great.

So this was only the start, because we were able to get root, but a lesson that I had to learn during the experience is: don't start with SQL injection, don't start with a remote file inclusion, don't start with SQLite, privilege escalation, things like this; look for the really low-hanging fruits. So looking into the image a little further I found that actually the guys from Western Digital had put up a symlink from the web server root directory right to the disk, so it wasn't even necessary to upload or to try to exploit the system, and I'm not quite sure if they've just forgotten it or whether they wanted to make it simple for people, because if I just say user/home.php, and that's pre-authentication, no authentication at this point, I also have the shell, just in a different directory. Ah, that's great.

So, but I thought, well, if it's that easy we probably find more stuff. So, hmm, if you have seen the first talk this morning, hacking 22 things in 45 minutes, it was a great talk, the guys have taken apart the Google TV in the past and they went for UART. So we tried the same; we also had a look around the board and tried to figure out where there are pins, or where there are soldering points where we could add some pins, and we found there are
two pins that really are candidates, you see them both in the picture here, and with a little bit of measuring around and stuff like this we found out that the one at the front, that is closer to the chassis, that's actually a standard UART, which has RX, there is TX, ground, and a 3.3 volt pin. And here's the warning if you want to try this at home: it's 3.3 volts and your PC is 5 volts; you could burn either your PC, you could burn the box, or you could burn, for example, the USB to UART converter. I have burned a few; that was my lesson learned about not buying cheap stuff from Taiwan.

So what do you get when you connect a serial console? When you boot up you get all sorts of information about the system: where the image is stored, what else is where, configurations, what's currently loaded, which drivers are loaded, and actually when you have the system up and running and see the screen of the system, and you push a button on the remote control or something, it tells you exactly which button you have pressed and which actions are taken in order to get there. So this is perfect debugging, great. When it was finished, umm, you see something like this. I told you they like md5, so you see an md5 and you see login. What is the password? That's an opportunity for winning another beer tonight. Man, it's not that simple, it isn't as simple as hacker, as admin, as OAM root or something; these guys like md5. Let's have a look. Sorry? md5 of half of it? Yeah, it's close but it's not really, it's a bit more complex actually. I talked to another guy a couple of minutes earlier, he said at least I did something right. But let's have a closer look.

So, um, the shadow file actually exists in /tmp/shadow, and /etc/shadow is just a link to that, and we found the hash in there and started John the Ripper, obviously, because we want to find out what it is, but that didn't get us very far quickly, so we started looking a bit closer. And I told you the serial line is very useful for debugging; there was actually one line saying "password for root changed", as you can see in the screenshot there,
also other information, like which modules are started before, which modules are started and loaded after, lots of stuff like this. So this was actually useful to trace, to triage, which module, which program was actually responsible for this. There is a tool called gbus read serial number, which is located in a folder that's not inside the original firmware image; it's actually an encrypted addition to the filesystem using AES encryption, which is later mounted to /usr/local/sbin. And here you find some security by obscurity, because it's located in /home/file, and that contains a lot of interesting information. I have also put the information here on how you can actually extract the AES key, but I'm not going to go into the details, this is more for reference. So this is how it looks visually: we have in the home folder a file, the code file, we have the AES key in ROM, and afterwards stuff is extracted to some folder or mounted into /usr/local/sbin, and we have this program, and there's also another program in there which is 13 megabytes in size called DMAOSD. Because this is an encrypted folder we already thought this is probably quite an interesting thing, let's have a closer look. But let's get back to: what is the password?

So once we have the program we were actually able to reverse engineer the relevant bits of it, and we found it's doing a system call, some system() run call, not a syscall, where the serial number is used, the md5 of that is actually generated, and that's the password. How can you get the serial number? Have a look at the box. Yeah, there's actually an easier way: have a look at the login screen, because the serial number is the md5 right in front of login. I didn't bring the serial cable, or I
actually brought a cable, but since I blue-screened my Windows a couple of times with the serial cable I don't want to try it out here; we'll try it out with Linux later because that works a lot better, but I still want to demo to you guys how this actually looks. All right, login, this is the password... is the password
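Added example, not part of the talk or of Western Digital's code: a small parser for the firmware layout the speaker describes (a 32-byte ASCII md5 in front of a squashfs image, the thing binwalk reports as "Squashfs filesystem at offset 32"), plus the root-password derivation he describes (md5 of the serial number). The sample image is constructed in the script. Two assumptions are labelled in the code: that the 32-byte header is the hex md5 of everything after it, and that the password is the lowercase hex md5 of the serial string exactly as printed by the box; the talk states neither detail, and the trailer ("end signature including the size") is not parsed because its format is not given.

```python
"""Added example (not from the talk): parse a firmware image that carries a
32-byte ASCII MD5 in front of a squashfs image, and derive the root password
candidate the talk describes (MD5 of the serial number).

Assumptions, marked where used: the 32-byte header is the hex MD5 of all bytes
that follow it, and the password is the lowercase hex MD5 of the serial string.
The sample image below is constructed here, not a real WD firmware."""
import hashlib
import struct

SQUASHFS_MAGIC_LE = b"hsqs"   # little-endian squashfs superblock magic
HEADER_LEN = 32               # length of the ASCII MD5 the talk mentions


def find_squashfs_offsets(blob: bytes) -> list:
    """Return every offset at which a squashfs superblock magic appears,
    the same scan binwalk performs when it reports 'Squashfs at offset 32'."""
    offsets, start = [], 0
    while True:
        i = blob.find(SQUASHFS_MAGIC_LE, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def parse_image(blob: bytes) -> dict:
    """Split an image into its 32-byte MD5 header and payload and verify it."""
    if len(blob) <= HEADER_LEN:
        raise ValueError("image too short to hold a 32-byte header")
    header = blob[:HEADER_LEN]
    try:
        header_md5 = header.decode("ascii").lower()
        int(header_md5, 16)            # must be 32 hex digits
    except (UnicodeDecodeError, ValueError):
        raise ValueError("header is not a hex MD5 digest") from None
    payload = blob[HEADER_LEN:]
    # Assumption: the header digest covers everything after the header.
    computed = hashlib.md5(payload).hexdigest()
    return {
        "header_md5": header_md5,
        "payload_md5": computed,
        "md5_ok": header_md5 == computed,
        "squashfs_offsets": find_squashfs_offsets(blob),
        "payload_is_squashfs": payload.startswith(SQUASHFS_MAGIC_LE),
    }


def build_image(payload: bytes) -> bytes:
    """Constructed sample: prepend the hex MD5 of the payload, mirroring the
    layout described in the talk. Used here only to build test input; it is
    also exactly what a modified firmware would need to do to pass the check."""
    return hashlib.md5(payload).hexdigest().encode("ascii") + payload


def fake_squashfs(content: bytes) -> bytes:
    """Minimal stand-in for a squashfs superblock: magic, inode count, mkfs
    time, block size, then content. Not mountable; just enough for the
    parser above to recognise it."""
    return SQUASHFS_MAGIC_LE + struct.pack("<IIi", 1, 0, 131072) + content


def root_password_from_serial(serial: str) -> str:
    """Assumption: the password is the lowercase hex MD5 of the serial string
    exactly as the box prints it (the talk says 'the md5 of the serial')."""
    return hashlib.md5(serial.encode("ascii")).hexdigest()


if __name__ == "__main__":
    img = build_image(fake_squashfs(b"constructed root filesystem payload"))
    info = parse_image(img)
    print("squashfs at", info["squashfs_offsets"], "md5 ok:", info["md5_ok"])
    tampered = img[:-1] + bytes([img[-1] ^ 0xFF])   # flip one payload byte
    print("tampered md5 ok:", parse_image(tampered)["md5_ok"])
    print("root password for serial WD000000000000 (constructed):",
          root_password_from_serial("WD000000000000"))
```

The point the check makes explicit: an md5 in front of the image is an integrity check, not a signature. Anyone who can repack the squashfs can recompute the header, which is why the speaker's only worry about uploading modified firmware was whether further md5 checks existed, not whether he could produce a valid one. Likewise a root password derived from a serial number that the box prints on its own serial console (and on its label) is equivalent to no password for anyone with physical access.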