This attack is of academic interest rather than a real threat: it is too difficult to carry out during an actual flight, and the Boeing 747 is rare these days.
“This turned out to be more challenging than we expected, mainly because the on-board entertainment system is 25 years old and lacks many of the features that were taken for granted in later systems, but we succeeded,” the researchers said.
The system was so outdated that its management server ran Windows NT4 SP3, a distant ancestor of modern Windows Server. Because of its age, the researchers could not even use current penetration-testing tools: NT4 predates many of the attack surfaces those tools target, such as the Remote Desktop Protocol.
Simply put, modern tools and techniques are not suited to hacking the Boeing 747's in-flight entertainment system. Metasploit largely failed, and even BackTrack, the predecessor of Kali Linux, failed, which left the researchers at a standstill.
“This is where we get into the intricacies of NT4. Typically, the payload is executed using an internal Windows function called cscript. Cscript is used in almost all versions of Windows as a script launching tool, with which any scripts like Visual Basic, C#, etc. can be created and run. However, NT4 does not have cscript, since the operating system is older than this tool, so running any scripts was apparently not possible,” the researchers explained.
Alternative scripting tools were also missing from the NT4 in-flight entertainment system, so the usual Metasploit route to remote code execution was closed. Moreover, the system was a stand-alone workstation rather than a domain member, so there was no domain authentication traffic from which to capture a password hash on the network.
Another problem was that real-time, on-site network testing required the aircraft to be powered up. Doing so with the auxiliary power unit (APU) meant fuelling a small jet turbine in the tail of the airliner, and a typical Boeing 747 APU burns 300-400 kg of Jet A1 fuel per hour (roughly $250 per hour).
The NT4 build on which the aircraft's entertainment system ran shipped with Internet Information Services 4.0, in which directory-traversal vulnerabilities were discovered back in 2000. With a small character-encoding trick, the researchers were able to traverse directories on the installed system. Modern systems assume UTF-8, in which ASCII characters occupy a single byte, while NT4 and IIS 4.0 worked internally in two-byte UTF-16, so the researchers had to re-encode their commands before sending them.
“In every directory traversal attack, the attacked program must be on the same disk as the webserver. In our case, we needed the system32 folder to be on the same drive as the on-board entertainment system,” the researchers explained.
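The "character encoding trick" above is the classic IIS 4.0-era Unicode traversal: the server canonicalised and authorised the request path while it was still percent-encoded, and its decoder then accepted overlong UTF-8 forms such as %c0%af (an overlong "/"), so a ".." that was invisible to the check became a real path separator afterwards. The following Python is an added illustration of that check-then-decode ordering and its fix; it is not the researchers' code, and the web root, the request paths and the use of POSIX paths as a stand-in for the NT filesystem are constructed assumptions for the example.

```python
"""
Model of the IIS 4.0 Unicode directory-traversal bug (constructed example,
not the researchers' tooling).  A POSIX path is used as a stand-in for the
NT drive; "/" here plays the role of C:\\, the drive the web root lives on.
"""
import posixpath
from urllib.parse import unquote_to_bytes

WEBROOT = "/inetpub/scripts"   # assumed virtual-directory location for this example


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 but, unlike a conforming decoder, accept overlong two-byte
    forms with lead bytes 0xC0/0xC1, as the vulnerable decoder did.  Anything
    outside the two-byte case is irrelevant to the bug and becomes U+FFFD."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # 0xC0 0xAF -> (0x00 << 6) | 0x2F -> "/" : an overlong slash
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def vulnerable_resolve(url_path: str):
    """Vulnerable order: canonicalise and authorise the raw (still encoded)
    path, then decode leniently and hand the result to the filesystem.
    Returns the resolved path, or None if the request is refused."""
    raw_full = posixpath.normpath(WEBROOT + "/" + url_path)
    if not raw_full.startswith(WEBROOT + "/"):
        return None                                    # plain ../ is caught here
    decoded = lenient_utf8_decode(unquote_to_bytes(url_path)).replace("\\", "/")
    return posixpath.normpath(WEBROOT + "/" + decoded)  # ..%c0%af.. is now ../..


def hardened_resolve(url_path: str):
    """Fixed order: decode first with a strict decoder (which rejects overlong
    sequences outright), then canonicalise and confirm the result is still
    under WEBROOT.  Returns the resolved path, or None if refused."""
    try:
        decoded = unquote_to_bytes(url_path).decode("utf-8")
    except UnicodeDecodeError:
        return None                                    # %c0%af never gets further
    decoded = decoded.replace("\\", "/")
    full = posixpath.normpath(WEBROOT + "/" + decoded)
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        return None
    return full


# Constructed request paths: the well-known overlong-slash form and a plain one.
ATTACK_OVERLONG = "..%c0%af../winnt/system32/cmd.exe"
ATTACK_PLAIN = "../../winnt/system32/cmd.exe"

if __name__ == "__main__":
    for p in (ATTACK_OVERLONG, ATTACK_PLAIN, "dir/test.asp"):
        print(f"{p:40} vulnerable={vulnerable_resolve(p)}  hardened={hardened_resolve(p)}")
```

Note that the traversal only ever reaches files on the same drive as the web root, which is exactly the constraint the researchers describe: cmd.exe under system32 has to sit on the drive that hosts the IIS directory for the "../.." walk to land on it.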
The second vulnerability the researchers exploited gave them persistent access to the system through a web shell. It is a roughly 20-year-old remote code execution flaw, CVE-1999-1011, in the Remote Data Services (RDS) DataFactory component of Microsoft Data Access Components that shipped with IIS 3 and 4.
In the end, the researchers got onto the system using Metasploit's TFTP server module to obtain command-line access, and from there retrieved the administrator's password hash and cracked it.