Friday, December 22, 2017

Steam Link Security - Remotely Insecure SSH - Part #2

Continuing from Part #1, the next goal is to take advantage of the truncated default password remotely, over the internet.

As most home users will have IPv4 NAT, it's unlikely that the user will have intentionally exposed port 22/TCP on the internet for us. (Un)fortunately, sshd binds to all IPv6 addresses and gives us a publicly accessible target!

# netstat -lnpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1256/connmand
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1280/sshd
tcp        0      0 ::1:53                  :::*                    LISTEN      1256/connmand
tcp        0      0 :::22                   :::*                    LISTEN      1280/sshd
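The listing above is what gives the attack its reach: sshd is bound to the IPv6 wildcard `::`, so it answers on every globally routed address the box autoconfigures, not just on the LAN. As an added example (not code from the original post), here is a small audit helper that parses `netstat -lnpt` output and flags wildcard listeners, with the post's own listing embedded as sample input so it runs offline; the `Listener` type and function names are mine.

```python
"""Flag services listening on wildcard addresses in `netstat -lnpt` output.

Added example, not from the original post: a home-network audit helper that
spots daemons bound to the IPv6 wildcard `::`. Such daemons are reachable on
any globally routed IPv6 address the host autoconfigures, which is exactly
the exposure the post describes for the Steam Link's sshd.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address

# Sample input: the `netstat -lnpt` listing from the post, embedded verbatim
# so the example runs without a Steam Link on the network.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1256/connmand
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1280/sshd
tcp        0      0 ::1:53                  :::*                    LISTEN      1256/connmand
tcp        0      0 :::22                   :::*                    LISTEN      1280/sshd
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str   # textual bind address, e.g. "::" or "0.0.0.0"
    port: int
    program: str   # "PID/name" column as netstat prints it

    @property
    def family(self) -> int:
        return ip_address(self.address).version

    @property
    def is_wildcard(self) -> bool:
        # "0.0.0.0" and "::" are the unspecified (all-interfaces) addresses.
        return ip_address(self.address).is_unspecified


def parse_netstat(text: str) -> list[Listener]:
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with the protocol; the two header lines do not.
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        local = fields[3]
        # The port follows the LAST colon; IPv6 addresses contain colons too,
        # so ":::22" splits into host "::" and port "22".
        host, _, port = local.rpartition(":")
        listeners.append(Listener(fields[0], host, int(port), fields[-1]))
    return listeners


def wildcard_listeners(text: str) -> list[Listener]:
    return [l for l in parse_netstat(text) if l.is_wildcard]


def ipv6_exposed_ports(text: str) -> set[int]:
    """Ports bound to `::`, i.e. reachable on every IPv6 address of the host."""
    return {l.port for l in wildcard_listeners(text) if l.family == 6}


if __name__ == "__main__":
    for l in wildcard_listeners(SAMPLE_NETSTAT):
        print(f"{l.proto} [{l.address}]:{l.port} {l.program}")
```

On the sample listing the helper reports port 22 on both `0.0.0.0` and `::`, while connmand's DNS listener is loopback-only and is not flagged. The fix on the host side is to keep sshd off the IPv6 wildcard (for OpenSSH, `AddressFamily inet` or an explicit `ListenAddress` in sshd_config), and on the network side to filter inbound IPv6 at the router, since IPv6 has no NAT to hide behind.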

Now, blindly guessing an IPv6 address is next to impossible, so we're going to have to be a bit smarter than that. Luckily the Steam Link has IPv6 stateless address autoconfiguration (SLAAC) enabled by default, with the interface identifier derived from the device's MAC address, which makes entropy much less of a problem.

Known information:

- The MAC vendor will be E0:31:9E (Valve)
- The target's home modem/router /64 prefix (e.g. 2a03:2880:f112:8333::/64)*

* There are a couple of easy tricks for getting this without a foothold, but they're outside the scope of this post.

Unknown:

- The remaining unique MAC (24 bits)

This means we have to probe about 16 million addresses for 22/TCP. While that might sound like a lot, it doesn't take more than a few hours* with a modified version of zmap with IPv6 support.

* While you could try probing at a few million packets per second to get the job done in seconds, that will probably DoS a consumer modem/router.
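The reason the search collapses to 24 bits is that a modified EUI-64 interface identifier (RFC 4291) is the MAC address with the universal/local bit flipped and `ff:fe` inserted in the middle, so the /64 prefix plus the vendor OUI fixes everything except the last three octets. As an added example (not code from the original post), the helper below does the defender's half of that: it decodes IPv6 addresses back to the embedded MAC so an admin can audit a neighbour table and see which hosts have MAC-derived, guessable addresses and which use opaque identifiers (RFC 4941 temporary or RFC 7217 stable-privacy). The post's own address is used as sample input; the second sample address and the function names are constructed for this example.

```python
"""Spot IPv6 addresses whose interface identifier is derived from the MAC.

Added example, not from the original post. SLAAC with modified EUI-64
identifiers (RFC 4291) builds the low 64 bits of an address from the MAC,
which is why a vendor OUI narrows a /64 to 2^24 candidates. Decoding the
identifier lets an admin see which hosts on the LAN are exposed that way.
"""
from __future__ import annotations
from ipaddress import IPv6Address

# Sample input: the first address is the one shown in the post; the second is
# a constructed address with a random-looking identifier.
SAMPLE_NEIGHBOURS = [
    "2a03:2880:f112:8333:e231:9eff:fe00:1337",
    "2a03:2880:f112:8333:4c1d:9a2b:7e33:a1f0",
]

VALVE_OUI = "E0:31:9E"   # vendor prefix named in the post


def eui64_to_mac(addr: str) -> str | None:
    """Return the MAC encoded in a modified EUI-64 identifier, or None.

    None means the low 64 bits do not carry the ff:fe marker, i.e. the host
    is (most likely) using a temporary or stable-privacy identifier.
    """
    iid = IPv6Address(addr).packed[8:]          # low 64 bits of the address
    if iid[3:5] != b"\xff\xfe":                 # EUI-64 inserts ff:fe in the middle
        return None
    first = iid[0] ^ 0x02                       # undo the universal/local bit flip
    octets = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02X}" for b in octets)


def vendor_oui(addr: str) -> str | None:
    """First three octets of the embedded MAC, or None if not EUI-64."""
    mac = eui64_to_mac(addr)
    return mac[:8] if mac else None


def audit_neighbours(addrs: list[str], oui: str = VALVE_OUI) -> dict[str, str]:
    """Classify each address as MAC-derived (and whether it matches `oui`) or opaque."""
    report: dict[str, str] = {}
    for a in addrs:
        mac = eui64_to_mac(a)
        if mac is None:
            report[a] = "opaque"
        elif mac.startswith(oui.upper()):
            report[a] = f"eui64:{mac} (matches {oui})"
        else:
            report[a] = f"eui64:{mac}"
    return report


if __name__ == "__main__":
    for addr, verdict in audit_neighbours(SAMPLE_NEIGHBOURS).items():
        print(f"{addr:40} {verdict}")
```

A host that shows up as `eui64:` has an address that is reconstructible from its /64 prefix and its MAC, which is the property the scan above relies on. On Linux the usual countermeasures are `net.ipv6.conf.<iface>.use_tempaddr=2` (prefer RFC 4941 temporary addresses for outbound traffic) together with a stable-privacy interface identifier for the permanent address; the `ff:fe` check is a heuristic, since a random identifier can contain those bytes by chance.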

Once zmap finds the Steam Link, we can simply SSH into it with root:steamlin.

mbp:steamlink dave$ ssh root@2a03:2880:f112:8333:e231:9eff:fe00:1337
The authenticity of host '2a03:2880:f112:8333:e231:9eff:fe00:1337 (2a03:2880:f112:8333:e231:9eff:fe00:1337)' can't be established.
ECDSA key fingerprint is SHA256:L+mNIo3LTgLXtpSaiEJRXxIVRQ3GY1Nzun7MsdMLzLc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '2a03:2880:f112:8333:e231:9eff:fe00:1337' (ECDSA) to the list of known hosts.
root@2a03:2880:f112:8333:e231:9eff:fe00:1337's password:
/home/steam
# whoami
root

Summary: If SSH is enabled on the Steam Link, it's accessible by default on the internet via IPv6 with an insecure password.

Update #1: CVE-2017-17877 has been assigned.

1 comment:

  1. You do realise that there is no difference between IPv4 or IPv6 when you don't use a firewall.
    The CVE should be amended by stating you can only reach the ssh port if you don't have a firewall. Which actually points it to the real problem: Why don't you have an IPv6 firewall?
    So in my case: if SSH is enabled it's by default not accessible on the internet via IPv6 as I have a firewall. As everybody has.