A few months ago we released our free OpenWrt security license, which provides full access to our patented EIV™ (embedded integrity verification) security solution.
In this video, I show how you can make use of our offering to download and deploy Sternum on your OpenWrt device within just a few minutes, and how, once it is active, you can use our Attack Simulation Kit to see how EIV handles security threats, in this case a command injection attack.
Hi. My name is Amit Serper and I’m the Director of Security Research at Sternum. In this video I would like to show you how you can easily protect your OpenWrt device from various vulnerabilities and exploits by using the free tier of our Sternum product.
So let’s dive in. We are now on our OpenWrt device, connected to it via an SSH connection. Here in the root home directory I have our attack simulation kit, which is a tool that you can download off of our website (I will show you that later) and that can simulate various vulnerabilities and exploits.
Now if we run it, you can see that we have a few scenarios here. We have some heap memory attacks. We have some heap information leaks and we also have command injections.
So in this demo, I would like to focus on the command injections. So what are command injections? Just to quickly have a recap: a command injection is when a user-controlled string is passed directly into the system() C API call. That means that if there is a webpage, for example in your router, where you can ping an address to see if it’s responding, to see if your connection is up, usually what happens is that the developers take the input from that ping form, which is the IP address or the host name that you would like to ping, and pass it as is, as a parameter, via the system() C API call. They’re basically running the command ‘ping’, space, whatever input is in the input box that the user can control.
Now in many cases when this input isn’t being sanitized properly, an attacker can inject an arbitrary system command. So instead of sending a ping, they could run whatever they want with the privileges of the web server simply by adding a semicolon.
So by adding something like semicolon “cat /etc/passwd”, you can run the ping command, the command will get to the semicolon, which will end the previous command, and then execute whatever is after the semicolon.
So that means that you can run arbitrary commands on the router. So let’s try to simulate something like that with the attack simulation kit. If we run it with three, which is the category of the command injection, and then one, which is the simple “without sanitization” scenario, we can see that a ping is attempted, and then once the command is finished, we can see that the contents of /etc/passwd are printed out to the terminal, which means that the command injection was successful.
So now let’s go to the browser. Let’s install Sternum and sign up and do the whole process and then let’s run this attack again and see what happens.
OK. So we’re now back at the browser. So in order to sign up for the free version of Sternum, you need to go to app.sternum.cloud/signup and you will get this page and after a very, very simple registration process, you would be able to get access.
So I filled in an email address and now I’m going to get a link to my inbox. So let’s meet up again after I finish the whole registration process.
OK. So now that we’ve completed the registration process, we are on this screen where we’re actually getting started with installing Sternum on our OpenWrt device.
So now it’s pretty straightforward. We need to prepare our OpenWrt device. We’re assuming that you have one of those versions of OpenWrt. If you do, just click “Next”. In here you need to select the proper architecture for your product.
Right now we support ARM 32-bit or ARM 64-bit. In my case, I am running on an ARM 32-bit device, so I will just pick this button right here, and we can see this one-liner here, which is basically the line that we’re going to paste into our terminal to install Sternum.
So let’s copy this one-liner and go to our OpenWrt device. Let’s clear the screen and paste the command. What’s going to happen now is that there are going to be a few opkg updates and opkg installs to get all of the dependencies that we need to install Sternum, and then the Sternum installer will be downloaded and executed. All in all it’s a fairly quick process which shouldn’t take more than 20 or 30 seconds. So let’s go.
So we can see that things are being downloaded and Sternum is being installed and that’s it. So now let’s go back to the browser. Hit “Next” here and basically we’re ready. We’re ready to monitor our device. So let’s click “Start” and there we go. The device is connected and we can now see it here. Here is our OpenWrt device.
So now we can look at the dashboard, and we can look at Glances, which shows us various items and all sorts of information on our device. We will touch on that soon. But now let’s go back to our device and try to run the same attack scenario that we did before.
So let’s run the Attack Simulation Kit with three and one again, the same scenario that we ran before. Let’s hit “Enter”, and we can see now that it failed. We can see that the ping was not sent and /etc/passwd was not printed out. This is because Sternum is detecting that command injection exploitation and stopping it.
Now if we go back to our cloud system here, to the platform, we can see that there are two alerts. So let’s look at those alerts. The first alert is the new IP address. That just means that the device connected and it identified that the device that we have just installed Sternum on has a new IP address.
So this is fine. But we can also see that the command injection was detected. So let’s investigate that one real quick. If we’re looking at those alerts, we can see that there are a bunch of events here. We can see regular events, regular executions that happen because the device needs to do its thing and run, but then we can see here, with that yellow circle, that there’s a dangerous string, and that dangerous string is the one that we were expecting.
It is the attack simulation kit with the ping command, the semicolon and cat /etc/passwd, and you can see here that the red circle indicates that the command injection was actually detected and prevented. So that means that the device is properly protected.
Now, if you want to play with the Attack Simulation Kit as well, go to the dashboard screen. Right here on the right-hand side there is a textbox, “Learn how to use Attack Simulation Kit”, and when you click “Learn More”, you can download the proper Attack Simulation Kit to your device, whether you’re running on ARM 32-bit SF or HF, or ARM 64-bit.
The text here will change accordingly, of course, and then you can just copy this one-liner, paste it into your shell on your device and download it. You can also download the source code if you want.
Now, as you can probably see here, since this is the free tier, there are a bunch of options that are not open. For the free tier, only the dashboard screen and the Glances screen are open. But it still protects your device. It allows you to have up to three devices under that license, install Sternum and protect your device from all sorts of memory attacks and command injections. I will see you in the next video, where we will demonstrate some cool memory corruption attacks.
So thank you for being with me.