Case Study
Assessment of a Mobile Field Agent Handheld PC
Industry: Utilities
Location: Mainland Europe
Scene
The subject of the project is a ruggedised handheld PC running a Microsoft operating system and fitted with a built-in network card. Untrusted field agents use the PC to perform their duties when in the field.
Challenge
The file system of the handheld device should not be readable or writeable except through the limited functions offered by the bespoke application running on the handheld PC. The application limits operations to legitimate application-level tasks. When the PC is docked into the corporate LAN it logs into a database to synchronise captured data. The credentials used to perform this transfer are stored on the device and should not be available to the untrusted field agent.
As the PC is physically in the possession of field agents, it is imperative that it is not vulnerable to local or remote compromise. For example, field agents should not be able to install programs on the PC to play games, or access the hard disk drive.
Engagement
A penetration test engagement model was selected to offer the client the most value from the engagement.
Results
Attacking the handheld PC locally did not yield any results, as it was well protected. The working environment was restricted to legitimate application-level operations only.
Attacking via the built-in network card was more successful. In order for the PC to synchronise when connected to the LAN, it ran a DHCP client. When connected to an attacking PC running a DHCP server, it took an IP address and could then be attacked over IP.
The handheld PC was found to be running an FTP server. After an unpublished vulnerability was discovered in the FTP server software, it was possible to browse the file system freely over the network.
At this point the whole file system was readable and writeable, except for a few OS files that were in use. With the file system compromised, the database connection parameters used to synchronise the PC were found in a plain-text configuration file.
It was noticed at this point that certain batch files are executed when particular application-level functions are called by pushing buttons on the handheld PC touch screen. Using this knowledge it was possible to change one such batch file, which contained the path to a binary, so that when the particular application-level function was carried out from the touch screen the ‘cmd.exe’ binary was executed instead.
It was then possible to disconnect the attacking PC. As the ‘cmd.exe’ program had been launched from the touch screen, the keypad on the device could be used to execute OS-level commands from the command shell. At this point the handheld was completely breached, allowing OS-level operations. Software could now be transferred to the handheld via the network interface from an attached device.
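The three weaknesses that made up the chain above (an unnecessary network service listening on the built-in NIC, synchronisation credentials kept in a plain-text configuration file, and an application-launched batch file that the field-agent account could modify) are all things a build baseline can be checked for before a device is issued. The script below is an added example written for this page, not code from the engagement or from the client; the file paths, service names, the `writable_by_agent` attribute standing in for ACL state, and every snapshot value in it are constructed so that it runs offline.

```python
"""Baseline audit for a locked-down handheld image (added example, not from the case study).

Flags the three classes of finding the engagement reported:
  1. a network service exposed on the device's network interface (the FTP server),
  2. synchronisation credentials stored in a plain-text configuration file,
  3. a batch file launched by the application that the field-agent account can modify.
All inputs are constructed snapshots; nothing here reads a real device.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    path: str
    content: str
    writable_by_agent: bool  # constructed stand-in for the file's ACL state


# Listeners the image is permitted to expose on the network card (hypothetical names).
# Anything else listening is reported; the page's FTP server would fall here.
ALLOWED_LISTENERS = {("dockagent", 9000)}

# Lines such as "password=..." in an INI-style file; key names are an assumption.
CREDENTIAL_PATTERN = re.compile(r"^\s*(password|pwd|passwd|secret)\s*=\s*\S+", re.I | re.M)


def audit_listeners(listeners):
    """listeners: list of (process_name, port) pairs bound on the NIC."""
    return [f"unexpected listener: {name} on tcp/{port}"
            for name, port in listeners if (name, port) not in ALLOWED_LISTENERS]


def audit_config(entry):
    """Report credential-looking keys stored in clear text in one file."""
    return [f"plain-text credential '{m.group(1)}' in {entry.path}"
            for m in CREDENTIAL_PATTERN.finditer(entry.content)]


def audit_launch_scripts(entries, launched_by_app):
    """launched_by_app: set of script paths the application runs on a button press.
    A script in that set that the agent account can write is a code-execution path."""
    return [f"app-launched script writable by agent: {e.path}"
            for e in entries if e.path in launched_by_app and e.writable_by_agent]


def run_audit(listeners, entries, launched_by_app):
    findings = audit_listeners(listeners)
    for e in entries:
        findings += audit_config(e)
    findings += audit_launch_scripts(entries, launched_by_app)
    return findings


# Constructed snapshot of a device in the state the Results section describes.
SAMPLE_LISTENERS = [("dockagent", 9000), ("ftpd", 21)]
SAMPLE_FILES = [
    FileEntry(r"\App\sync.ini", "server=db.example.invalid\nuser=sync\npassword=s3cr3t\n", True),
    FileEntry(r"\App\export.bat", r"\App\bin\export.exe %1", True),
    FileEntry(r"\App\about.bat", r"\App\bin\about.exe", False),
]
LAUNCHED = {r"\App\export.bat", r"\App\about.bat"}

# The same image after remediation: FTP removed, the secret replaced by a reference
# into a protected store (hypothetical), and the launched scripts made read-only.
HARDENED_LISTENERS = [("dockagent", 9000)]
HARDENED_FILES = [
    FileEntry(r"\App\sync.ini", "server=db.example.invalid\nuser=sync\ncredential_ref=protected-store\n", False),
    FileEntry(r"\App\export.bat", r"\App\bin\export.exe %1", False),
    FileEntry(r"\App\about.bat", r"\App\bin\about.exe", False),
]

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_LISTENERS, SAMPLE_FILES, LAUNCHED):
        print("FINDING:", finding)
    print("hardened image findings:", run_audit(HARDENED_LISTENERS, HARDENED_FILES, LAUNCHED))
```

Run against the first snapshot the audit returns one finding per weakness in the chain; against the hardened snapshot it returns nothing. The point of modelling the launched scripts explicitly is that a file's write permission only matters in combination with who executes it: a read-only `about.bat` is not a finding, while a writable `export.bat` that the application runs with its own privileges is.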
Risks to business
The engagement showed it was possible to compromise the file system and extract the database connection parameters. The handheld then required re-installation. The effort required to re-initialise the handheld, together with the disruption to normal field agent operations, translates directly into financial loss. Data transferred to the handheld may have included viruses that could threaten the data captured on the handheld PC; such viruses could then propagate to other networks belonging to the utility company when the handheld is connected for synchronisation.
Damage to the backend database through rogue use of the database parameters, and disclosure of information relating to clients of the utility, are possible because the database connection parameters were discovered.