Slides hosted at: s3.amazonaws.com/zcutlip_storage/Reversing and Exploiting BT CPE Devices -...
BT CPE Devices: Adventures in Reversing and Exploiting
Reversing and Exploiting BT CPE Devices - Cutlip - BayThreat.key - December 7, 2013
• Zachary Cutlip
• Senior Vulnerability Researcher, Tactical Network Solutions, LLC
Home Hub 3.0b (back)
Home Hub 3.0b
• Manufacturer: Huawei
• CPU: Broadcom BCM6361, dual core 400 MHz MIPS32
• RAM: 64 MB DDR2 800 SDRAM
• Flash storage: 32 MB NAND flash, TSOP48 package
• OS: Linux 2.6.30
Firmware managed by ISP
Backstory
• forum.kitz.co.uk users wanted to hack their modems
• Forum user emailed, requesting help
• Shipped me hardware
• Another user had already extracted firmware
Goal
• Overall goal:
• Unlock HH3b configuration options, and/or
• Immediate goal
• Get interactive root prompt
Attack Surface
• Web interface
• UPnP
• Configuration backup file
Command injection
• Common in SOHO routers
• Unsanitized input + system()
• Easy to discover/exploit
• Portable
• Can be limited
Example: Trendnet TEW-654TR
Injecting shell commands: You can do it, too!
Investigating
• grep for strings with shell-style redirects
• e.g. “%s %s > /dev/null”
• Verify which, if any:
• Are passed to a shell invocation
• Are combined with user-supplied input
Promising lead
• HH3b’s ‘cms’ application
• Gets executed by web server
• executes lots of commands, e.g. iptables
• Lots of “shell-like” strings, such as....
“My God. It’s full of %s.”
iptables %s -%c %s %s %s %s %s %s %s %s %s %s %s 2>/dev/null
Twelve input strings, and a shell redirect (2>/dev/null) at the end.
Seriously. We’re done. Time for beers.
Do we have command injection?
• Unsanitized user input?
• That may be hard to verify
• First, verify how this gets executed
HH3b command execution
• Command string generated with snprintf()
• Passed to QosExec()
• Passed to ATP_Util_ExecCmdNoHang()
ATP_UtilExecCmdNoHang
• WHAT...
• Parse command string into array
• Open file referenced by shell redirect
• THE...
• fork()
• dup2() the opened redirect
• execv() command
• wait()
• FUCK.
• No “/bin/sh -c”
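Why the execv() path closes the door on injection, as an added example (my code, not the talk's or the HH3b firmware's): a minimal C imitation of the parse / open redirect / fork / dup2 / execv / wait pattern described above, with split_cmd, run_noshell and the helper names being my own. Shell metacharacters inside a %s argument arrive at the child as literal argv entries, because no shell ever parses the string.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 32

/* Split a command line on whitespace into argv, pulling out a "2>path"
 * redirect token. Returns argc; *redirect gets the path or NULL. No shell
 * sees the string, so ';', '|', '`' and '$(' are just bytes in an argument. */
int split_cmd(const char *cmd, char *buf, size_t buflen, char **argv, char **redirect) {
    int argc = 0;
    char *save = NULL;
    *redirect = NULL;
    strncpy(buf, cmd, buflen - 1);
    buf[buflen - 1] = '\0';
    for (char *tok = strtok_r(buf, " \t", &save); tok; tok = strtok_r(NULL, " \t", &save)) {
        if (strncmp(tok, "2>", 2) == 0) { *redirect = tok + 2; continue; }
        if (argc < MAX_ARGS - 1) argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* fork, dup2 the redirect onto stderr, execv, wait: the sequence the slides
 * describe. Returns the child's exit status or -1. execv() does no PATH
 * lookup, so argv[0] must be a full path. */
int run_noshell(const char *cmd) {
    char buf[512], *argv[MAX_ARGS], *redirect;
    int status = 0;
    if (split_cmd(cmd, buf, sizeof buf, argv, &redirect) == 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (redirect) {
            int fd = open(redirect, O_WRONLY | O_CREAT | O_APPEND, 0644);
            if (fd >= 0) { dup2(fd, STDERR_FILENO); close(fd); }
        }
        execv(argv[0], argv);
        _exit(127);   /* exec failed; there is no shell to fall back to */
    }
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Inspection helpers over a static split, for checking the tokenizer. */
static char g_buf[512], *g_argv[MAX_ARGS], *g_redirect;
int count_args(const char *cmd) { return split_cmd(cmd, g_buf, sizeof g_buf, g_argv, &g_redirect); }
const char *arg_at(int i) { return g_argv[i]; }
const char *redirect_path(void) { return g_redirect ? g_redirect : ""; }
```

Running `/bin/true ; /bin/false 2>/dev/null` through run_noshell executes only /bin/true, which receives ";" and "/bin/false" as ordinary arguments and exits 0.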
Config backup
• Assumed to be well formed --> memory corruption?
• If parsed by a shell script, command injection
• Options in the configuration grammar, but hidden from the GUI
• Undocumented backdoor credentials?
• Enable SSH?
Config backup
• Usually obfuscated for tamper-resistance
• Encrypted
• Robust, well-known encryption
• Custom “encryption”
• Signed
Encrypted config
• Custom encryption implementations
• Often not mindful of cryptography principles
• May be reverse engineered and re-implemented
• Strong, well known implementations
• Algorithms are sound
• If keys are protected, not easily defeated
HH3b uses AES for encrypting configs
Encrypted config
• HH3b uses AES
• Assumed unique per-user/per-device keys
• Almost didn’t analyze, not worth it
Encrypted Config
• But wait...
• A new modem should restore an old backup
• I had two HH3bs, so I tried it...
• ....And it worked!
Config import/export
• Reversed config import/export API
• XML data
• compressed with ‘gzip’
• AES encrypted
• Base-64 encoded
• 128-bit AES signature prepended
Signature check, then decryption
Config import API
• ATP_CFM_ExtDigVerifyFile
• Checks & removes signature
• ATP_CFM_ExtCustomImportEncryptedUserCfgFile
• Base64 decode
• Decrypt
• Decompress with ‘gunzip’
Straightforward API
QEMU first attempt
• Cross compile decryption tool
• link against libcfmapi.so
• Run in QEMU MIPS emulator
• Weird dynamic linker errors
• Missing functions, like:
• PZMM_K_Fun2()
Missing functions
• Linker can’t find several functions
• Strings analysis finds them in unrelated libs
• PZMM_K_Fun1-4 build AES key
• PZMM_I_Fun1-4 build AES IV
QEMU second attempt
• LD_PRELOAD various libs
• Run in QEMU again
• Success! Decrypted config file
Re-encrypt, re-sign
• Reverse the process
• Modify config file
• Call encryption & signing functions
• Upload to HH3b
• Success!
Snagged AES Key
Because why not?
No attack vectors in the config file
Default configuration
• Same trick applies to defaultcfg.xml
• Many more configuration options
• Remote admin creds, etc.
• Schema incompatible with backup config
• Modifying and uploading was not successful
Buffer Overflows
• No easy 1996-style bugs
• Highly unusual for SOHO routers
• One exception…
Shaky program
• One binary was promising: ‘bcmupnp’
• Lots of use of sprintf(), strcpy(), etc.
• Hard to analyze: didn’t disassemble cleanly
• Lots of functions with no x-refs.
• Lots of jump tables
Dynamic analysis
• Static analysis is frustrated by poor disassembly
• Need to run & debug for dynamic analysis
• QEMU
• Tutorial: http://bit.ly/15pCvSy
Emulation problems
• ‘bcmupnp’: UPnP server that manages wireless hardware
• Provided by Broadcom
• Won’t run in emulated environment
• Assumptions about hardware that is present
• NVRAM unavailable for configuration queries
Emulation problems
• Wrote an NVRAM ‘faker’ library:
• https://github.com/zcutlip/nvram-faker
• Provides responses to nvram_get() queries
• INI-style configuration file
Emulation problems
• With NVRAM solved, ‘bcmupnp’ runs
• Just idles
• No response to M-SEARCH queries
• More reverse engineering
Binary Patching
• With no hardware to manage, M-SEARCHes are ignored
• A field in a global struct gets modified if there’s no wireless hardware
• Binary patched out the modification
Before and After
Emulation success
• NVRAM Faked
• Patched hardware check
• ‘bcmupnp’ runs and responds to M-SEARCH!
A bug and a crash
• strcpy() of ST:uuid: from M-SEARCH
• Excessively long uuid string crashes ‘bcmupnp’
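The unbounded strcpy() of the ST: header value is the bug class these slides point at. As an added example (my code, not bcmupnp's), here is an M-SEARCH ST: parser that refuses an oversized uuid instead of copying it into a fixed buffer; UUID_MAX, find_st and parse_st_uuid are hypothetical names, and both requests are constructed for the demo, not captured from a device.

```c
#include <string.h>

/* Hypothetical destination size; the real bcmupnp buffer size is not on the slides. */
#define UUID_MAX 64

/* Locate the ST: header value in an SSDP M-SEARCH request. Sets *len to the
 * value's length up to end-of-line; returns NULL if the header is absent. */
static const char *find_st(const char *msg, size_t *len) {
    const char *p = strstr(msg, "\r\nST:");
    if (!p) return NULL;
    p += 5;                                    /* skip "\r\nST:" */
    while (*p == ' ' || *p == '\t') p++;       /* "ST: uuid:" and "ST:uuid:" both occur */
    const char *eol = strstr(p, "\r\n");
    *len = eol ? (size_t)(eol - p) : strlen(p);
    return p;
}

/* Hardened replacement for "strcpy(uuid_buf, st_value)": copy only if the
 * value fits. Returns 0 on success, -1 if there is no ST: header, -2 if the
 * value is oversized (the input class that crashes bcmupnp). Oversized input
 * is rejected outright rather than silently truncated, so the caller can log it. */
int parse_st_uuid(const char *msg, char *out, size_t outlen) {
    size_t len;
    const char *st = find_st(msg, &len);
    if (!st) return -1;
    if (len >= outlen) return -2;
    memcpy(out, st, len);
    out[len] = '\0';
    return 0;
}

/* Constructed sample requests: a well-formed discovery and one with an
 * 80-byte filler uuid that would overrun a UUID_MAX buffer. */
static const char GOOD_MSEARCH[] =
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\nMX: 2\r\nST:uuid:0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0\r\n\r\n";
static const char LONG_MSEARCH[] =
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST:uuid:"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n\r\n";

/* Convenience wrapper around a fixed UUID_MAX buffer. */
static char g_uuid[UUID_MAX];
int check_request(const char *msg) { return parse_st_uuid(msg, g_uuid, sizeof g_uuid); }
const char *last_uuid(void) { return g_uuid; }
```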
ST:uuid buffer overflow
CRASH!!
jr to 0x41414141 == pwnage
MIPS Buffer Overflows
• Black Hat 2012
• “From SQL Injection to MIPS Overflows”
• https://vimeo.com/64809593
Bowcaster
• Exploit Development Framework
• Python
• Lightweight
• Buffer overflow API
• MIPS/Linux-specific payloads
• Useful utilities
Bowcaster
https://github.com/zcutlip/bowcaster
Develop exploit
• Buffer overflow via single multicast packet
• Made easy(ier) with Bowcaster
• Root shell via connect-back payload
• Tested against ‘bcmupnp’ in QEMU
Tested against live device
Root prompt on the first try.
Proof-of-Concept Exploit:
http://github.com/zcutlip/exploit-poc
Root or it didn’t happen.
Future Work
• Still no unlock yet
• Bricked a HH3b after rooting
• Need a firmware update file for recovery
• Need to evade filesystem integrity check
Future Work
• HomeHub 4
• Need to extract firmware
• Tiny flash chip
• BGA form factor
Acknowledgments
• Craig Heffner
• Tactical Network Solutions
• William Kirby
• kitz.co.uk user ‘asbokid’
• PsiDOC.com user ‘dmcdonnell’
Resources
http://goo.gl/lzjx7C [shadow-file.blogspot.com]
• Talk to me:
• @zcutlip on Twitter
• http://shadow-file.blogspot.com