Here’s how we got persistent shell access on a Boeing 747 – Pen Test Partners

Researchers from infosec biz Pen Test Partners established a persistent shell on an in-flight entertainment (IFE) system from a Boeing 747 airliner after exploiting a vulnerability dating back to 1999.

It’s an attack that’s more of a curiosity than anything else: it’s too difficult to pull off during an actual flight, and it’s rare these days to see a 747 passenger service, anyway.

“Pwning it was more of a challenge than we expected, mostly because the IFE was 25 years old and was missing many features we take for granted on more recent systems, but we did succeed,” said PTP in a post about the caper.

The system was so ancient its management server ran on Windows NT4 SP3, a distant ancestor of today’s Windows Server builds. That age posed a problem for PTP’s testers when they tried running modern pentesting tools against it: NT4 predated everyday attack surfaces such as the Remote Desktop Protocol.

Simply put, lots of modern tools and techniques didn’t work. Metasploit all but failed, giving no obvious reason for doing so. Even Backtrack, the predecessor to Kali Linux, didn’t work – triggering lots of scratching of heads at PTP HQ.

“This is where we get into the intricacies of NT4,” sighed PTP’s blogger. “Usually, the payload would be executed using a Windows internal function called cscript. Cscript is used through almost all versions of Windows as a tool that runs scripts, so any Visual Basic, C# or other scripts can be created then run with cscript. However, NT4 doesn’t include cscript, the operating system pre-dates the tool, so running any scripts is seemingly impossible.”

Alternative scripting tools weren’t present on the IFE’s NT4 deployment so an RCE the researchers used wasn’t available to them. Moreover, the box was a standalone workstation and not on a domain, defying an attempt to sniff and capture hashes over the network.

The other problem was that testing the network live and in situ required powering up the host aircraft. Doing so with the 747’s auxiliary power unit (APU) means fuelling a thirsty little jet turbine, buried in the airliner’s tail end – and a typical 747 APU burns 300-400kg of Jet A1 fuel per hour, or about $250/hour.

The version of NT4 on the in-flight entertainment (IFE) network PTP examined was running Internet Information Services v4.0 (which had “old” holes in it as far back as 2000).

Researchers obtained a directory traversal exploit on the IFE installation after some jiggery-pokery with character encoding. Modern operating systems tend to use UTF-8, which encodes characters in a single byte rather than UTF-16’s two bytes, PTP said, meaning their commands needed to be re-encoded prior to deployment.

“With every directory traversal attack the target program is required to be on the same drive as the webserver. In our case we needed the system32 folder to be on the same drive as the IIS install.” This was apparently easy enough in the lab but it was not spelled out in the blog post as to whether this was how the NT4 IFE system was configured aboard the 747.

The second exploit PTP used to gain persistent shell access was a 20-year-old remote code execution vuln, CVE-1999-1011. PTP described it as using “a package called Microsoft Data Access Components which allows direct access into the database objects through IIS.”

Eventually the researchers got into the box using Metasploit’s TFTP server module to obtain command line access, and from there obtained the admin password’s hash and cracked it. Full details are in the PTP blog post.

Although the target of the research was an IFE system, the necessary Ethernet port for gaining access to it is in the 747’s galley: an area rarely left unattended for more than a few minutes during flight. Using the exploits PTP found to pwn an in-flight 747 would be impossible in practice.

Moreover, though PTP declined to reveal more details when we asked about the system and particular aircraft involved, we were told the IFE system is now no longer in use in any 747 still flying today. Sad news for archaic Windows enthusiasts – though they can console themselves that floppy disks are still part of today’s jumbo jet flights. ®

READ MORE HERE