How a modified USB ethernet adapter can steal credentials, a new compression algorithm from Facebook that might be legit & the terrible terrible security of a consumer NAS.

Plus great questions, our answers, a fun roundup & much, much more!

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


Show Notes:

Modified USB ethernet adapter can steal windows and mac credentials

  • “Security researcher Rob Fuller has discovered a unique attack method that can steal PC credentials from Windows and Mac computers, and possibly Linux (currently untested).”
  • Thesis: “If I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system, even when locked out”
  • “The researcher used USB-based Ethernet adapters, for which he modified the firmware code to run special software that sets the plug-and-play USB device as the network gateway, DNS, and WPAD servers on the computer it’s connected to.”
  • “The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device. This means that even if a system is locked out, the device still gets installed”
  • “Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.”
  • “When installing the new (rogue) plug-and-play USB Ethernet adapter, the computer will give out the PC credentials needed to install the device. Fuller’s modified device includes software that intercepts these credentials and saves them to an SQLite database. The password is in its hashed state, but this can be cracked using currently available technology. The researcher’s modified device also includes a LED that lights up when the credentials have been recorded.”
  • So, just like in a spy movie, you plug in the device, wait until the light comes on, and you have stolen the credentials
  • “An attacker would need physical access to a device to plug in the rogue USB Ethernet adapter, but Fuller says the average attack time is 13 seconds.”
  • The attack was tested against versions of Windows as far back as Windows 98 SE, and as modern as Windows 10 Enterprise and OS X El Capitan
  • The device pretends to be an ethernet adapter, and provides access to a ‘network’, where a DHCP server tells you to install this proxy configuration
  • “This means that by plugging in the device it quickly becomes the gateway, DNS server, WPAD server and others”
  • It gives you the hashes password for the logged in user, which you can then crack offline, and return later and login with the known password
  • Researcher blog

Zstandard, a new compression algorithm from Facebook

  • Unlike the new Dropbox algorithm that is designed specifically for jpeg images, this is a general purpose algorithm, designed to replace gzip
  • “Today, the reigning data compression standard is Deflate, the core algorithm inside Zip, gzip, and zlib. For two decades, it has provided an impressive balance between speed and space, and, as a result, it is used in almost every modern electronic device (and, not coincidentally, used to transmit every byte of the very blog post you are reading). Over the years, other algorithms have offered either better compression or faster compression, but rarely both. We believe we’ve changed this.”
  • There are three standard metrics for comparing compression algorithms and implementations:
    • Compression ratio: The original size (numerator) compared with the compressed size (denominator), measured in unitless data as a size ratio of 1.0 or greater.
  • Compression speed: How quickly we can make the data smaller, measured in MB/s of input data consumed.
  • Decompression speed: How quickly we can reconstruct the original data from the compressed data, measured in MB/s for the rate at which data is produced from compressed data.
  • “The type of data being compressed can affect these metrics, so many algorithms are tuned for specific types of data, such as English text, genetic sequences, or rasterized images. However, Zstandard, like zlib, is meant for general-purpose compression for a variety of data types. To represent the algorithms that Zstandard is expected to work on, in this post we’ll use the Silesia corpus, a data set of files that represent the typical data types used every day.”
  • The post compares the best of the modern compression algorithms, lz4 (what ZFS uses), zstd (Facebook’s new thing), libz (gzip, what your browser uses for webpages), and xz (what most unix distros have switched to for compressing tar and log files)
  • In the comparison, LZ4 does not compress the data as much, but does so at almost 450 MB/s, while zlib compresses more, but only 23 MB/s. XZ compresses even better, but at only 2.3 MB/s
  • zstd gets about the same compression as zlib, but at almost 6 times the speed (136 MB/s)
  • Decompression is similar: LZ4: 2165 MB/s, zstd: 536 MB/s, zlib: 281 MB/s, xz: 63 MB/s
  • When comparing the command line tools, zstd is about 5x faster at compression, and 3.6x faster at decompression
  • As with gzip and xz, zstd also supports different ‘levels’ of compression. Although instead of having a range from 1 to 9, it instead offers a range of 1-22 (which suggests that additional levels might be added in the future)
  • It looks like it can get xz levels of of compression if turned up high enough
  • “By design, zlib is limited to a 32 KB window, which was a sensible choice in the early ’90s. But, today’s computing environment can access much more memory — even in mobile and embedded environments.

Zstandard has no inherent limit and can address terabytes of memory (although it rarely does). For example, the lower of the 22 levels use 1 MB or less. For compatibility with a broad range of receiving systems, where memory may be limited, it is recommended to limit memory usage to 8 MB. This is a tuning recommendation, though, not a compression format limitation.”

I forgot the password for my consumer grade NAS

  • “I got my WD My Book World Edition II NAS out of the closet. The reason it went in the closet is that I locked myself out of SSH access, and in the meantime I forgot most of its passwords.”
  • “I miraculously still remember the password to my regular user, but the admin password is nowhere to be found and you need the old one to change it. So I start poking around to see if there is any way to recover it.”
  • “One of the most common vulnerabilities on these thingies is allowing anyone to download a “config backup” that includes all the juicy passwords, and indeed, this screen looks promising”
  • The download was just base64 encoded random data. Definitely encrypted
  • “Mandatory Open Source releases usually have LICENSE files or some other indication of what libraries are being used, so he’s hoping to find some clue on what they used.”
  • Apparently WD releases everything, including the php script that generates the config download
  • “Looks like it’s a tarball encrypted with something called encodex and a fixed password”
  • “So we got the config file. Is it over? Nope. No passwords in it. This system does everything wrong. it’s unsalted MD5. Then it is stored a second time as a plain MD5 anyway”
  • I have never seen anyone do that before. I didn’t even know that would work…
  • So they reversed the process and uploaded a new configuration file with the hash of a known password (faster than brute forcing). Why is this allowed by a non-admin user anyway?
  • “Great. Fun. Is it enough? No! I locked myself out of ssh access too, by adding an unmatchable AllowUsers directive to my sshd_config.”
  • “First realization, the whole webgui runs as root. Look at ChangeWebAdmin above, it calls passwd and reads /etc/shadow!”
  • So, when you upload a new config, it just decrypts it and runs the untar, as root
  • “plus the fact that it’s probably a BusyBox implementation of tar might mean that the oldest trick in the book works: creating an archive with a fully-qualified /etc/sshd_config file in it and hope it gets extracted directly at the absolute path.”
  • “No luck. Second try: we see that it’s extracted in /tmp, what if we call it ../etc/sshd_config? No luck with that neither.”
  • “But hey… we can extract as much as we want in /tmp and nothing will get deleted between a run and the next! So let’s try with a convenient symlink :). First we plant a root => / symlink, and now that /tmp/root points to / we try calling our file root/etc/sshd_config and hope it gets extracted inside the symlink”
  • And, we’re in. The sshd_config has been replaced with one uploaded by a unprivileged user.
  • “This is all nice, but I started from a vantage point: I remembered a user login. Can we do something from scratch?”
  • “For example, extracting the config… It didn’t look like that PHP file had any access control, is it possible that… Oh God.”
  • “If we can crack any user password from the MD5, we can go from zero to root”
  • “All actions are actually unauthenticated. If you are not logged in the NAS will answer with a HTTP 302 Redirect… AND THEN PROCEED HANDLING THE REQUEST and sending the output. As if you were logged in. That’s a first for me.”
  • “Let me repeat this: if you are not logged in, the only thing the system will do is add a redirect to the login page in the HTTP Headers and carry on, obeying whatever you are telling it to do.”
  • Most browsers will respect the header, and redirect you to the login page, and ignore the excess content that was included in the response (like a config backup, or downloading a file, or doing any action what-so-ever
  • “So with the admin password reset trick above, we can get a full escalation from unauth to admin+root. Pwn’d. (The hardest thing was emulating the browser request with curl well enough to upload the file.)”
  • “So yeah, don’t expose these thingies on the Internet and don’t worry too much if you lose the passwords ;-)”
  • And in the end, the mystery was solved: “Turns out all the password fields except the login form have maxlength=16, so when resetting the password I pasted it from the password manager and it got cut without me knowing”


Round Up:

Question? Comments? Contact us here!