
Exploit the smart speaker at Pwn2Own

In this talk I'm going to talk about how my teammate and I got an unauthenticated RCE on the Sonos Era 100 smart speaker. I will cover the following topics:

- Why we chose this target?
- The SMB protocol
- How libsmb2 library works
- The use-after-free bug
- The information leak
- Demo video

Transcript

1. $ whoami
   - I am Trung from VN AST
   - Interested in RE, pwn things for fun
   - Member of Qrious Secure

2. Qrious Secure
   - A small CTF group with 6 members
   - Exploited Linux kernel, v8, VirtualBox, routers, Android phones and many more …
   - https://x.com/qriousec

3. Content
   - Why we chose this target?
   - How the SMB protocol works
   - How the bugs were found
   - The demo

4. Why we chose this target?
   - Later, Orange Tsai also published his research on the Sonos One speaker

5. Why we chose this target?
   - Content of the ZDI blog post:
     - 1 info leak and 1 use-after-free (UAF) inside the libsmb2 library
     - 1 info leak inside the HTTP server code
     - 1 stack buffer overflow inside the MPEG-TS parser
   - Content of Orange's talk:
     - He talked about the file format parsers
     - He also mentioned the libsmb2 library

6. Why we chose this target?
   - We chose to look at the libsmb2 library
   - It is an open source project
   - It is based on https://github.com/sahlberg/libsmb2 with some modifications

7. How does the Sonos speaker utilize the libsmb2 library?
   (Diagram: an unauthenticated user sends a remote play request to the Sonos speaker; the speaker then fetches music from a remote SMB server using the libsmb2 library.)

8. How does the Sonos speaker utilize the libsmb2 library?
   (Same diagram as slide 7, annotated "Attacker can control this".)

9. What is the libsmb2 library?
   - libsmb2 is written in pure C
   - libsmb2 supports asynchronous operations
   - When a task is done, libsmb2 calls the provided callback function

10. The SMB protocol
    - SMB is a client-server communication protocol
    - Sharing files, printers, and other resources over a network
    - Port 445

11. How does libsmb2 work?
    (Diagram: client and server; the client's wait queue holds the entries "Request 1 | Function_1 | Data_1" and "Request 2 | Function_2 | Data_2".)

12. How does libsmb2 work?
    (Same diagram; the server sends Reply 1.)

13. How does libsmb2 work?
    (Same diagram; on Reply 1 the client calls Function_1(Data_1).)

14. The UAF bug
    - When an SMB client wants to get information about a file, libsmb2 sends 3 requests at once:
      - OPEN request
      - QUERY request
      - CLOSE request

15. The UAF bug
    (Diagram of the wait queue: "OPEN | Function_1 | Data", "QUERY | Function_2 | Data", "CLOSE | Function_3 | Data".)

16. The UAF bug
    (Same diagram, annotated: different callback functions but the SAME callback data.)

17. The UAF bug
    - Normally the replies arrive in the order OPEN -> QUERY -> CLOSE
    - But a malicious SMB server can change the order of the replies: CLOSE -> QUERY -> OPEN
    - Then the callback order is Function_3 -> Function_2 -> Function_1
    - Let's look at these functions
18. Function_3 and Function_2

    ```c
    /* Function_3: the callback for the CLOSE reply */
    static void getinfo_cb_3(struct smb2_context *smb2, int status,
                             void *command_data _U_, void *private_data)
    {
        struct stat_cb_data *cb_data = private_data;
        // stripped
        free(cb_data); // <-- free
    }

    /* Function_2: the callback for the QUERY reply */
    static void getinfo_cb_2(struct smb2_context *smb2, int status,
                             void *command_data, void *private_data)
    {
        struct stat_cb_data *cb_data = private_data;
        struct smb2_stat_64 *st = cb_data->st;          // <-- use
        st->smb2_nlink = fs->standard.number_of_links;  // <-- use (fs is set up in the stripped code)
        /* stripped ... */
    }
    ```
19. The UAF bug
    - UAF confirmed
    - By reclaiming cb_data, we can get an arbitrary write:

    ```c
    static void getinfo_cb_2(struct smb2_context *smb2, int status,
                             void *command_data, void *private_data)
    {
        struct stat_cb_data *cb_data = private_data;
        struct smb2_stat_64 *st = cb_data->st;
        st->smb2_nlink = fs->standard.number_of_links;
        /* stripped ... */
    }
    ```
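To make the wait-queue behaviour of slides 11-13 and the shared-callback-data problem of slides 14-19 concrete, here is an added toy model in C. It is not libsmb2 or Sonos code: the queue, the callback names, the tiny liveness-tracking "heap" (which counts accesses to freed data instead of triggering real undefined behaviour) and the hardened variant (a pending counter so that whichever callback runs last releases the shared data) are all this example's own constructions, not the upstream fix.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libsmb2 or Sonos code: a toy model of the wait queue on
 * slides 11-19. Each queued request carries its own callback, but the three
 * PDUs of the compound OPEN/QUERY/CLOSE share ONE callback-data allocation.
 * A tiny "heap" with liveness tracking counts accesses to freed data instead
 * of triggering real undefined behaviour. */

enum { MAX_SLOTS = 4 };

struct stat_cb_data {
    int pending;   /* hardened variant only: callbacks still to run */
    int nlink;     /* stands in for st->smb2_nlink written by Function_2 */
};

static struct stat_cb_data slots[MAX_SLOTS];
static int slot_live[MAX_SLOTS];
static int uaf_count;   /* dereferences of a slot after it was freed */

static struct stat_cb_data *toy_alloc(void)
{
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (!slot_live[i]) {
            slot_live[i] = 1;
            memset(&slots[i], 0, sizeof slots[i]);
            return &slots[i];
        }
    }
    return NULL;
}

static void toy_free(struct stat_cb_data *p)
{
    slot_live[p - slots] = 0;
}

/* Every dereference of callback data goes through here, so a stale pointer
 * is counted rather than silently used. */
static struct stat_cb_data *toy_use(struct stat_cb_data *p)
{
    if (!slot_live[p - slots])
        uaf_count++;
    return p;
}

typedef void (*pdu_cb)(struct stat_cb_data *cb_data);

struct pdu {
    const char *name;
    pdu_cb cb;
    struct stat_cb_data *cb_data;   /* the same pointer in all three entries */
};

/* Vulnerable pattern from slide 18: Function_3 (CLOSE) frees the shared data
 * while Function_1 (OPEN) and Function_2 (QUERY) still expect it to be live. */
static void open_cb_vuln(struct stat_cb_data *d)  { (void)toy_use(d); }
static void query_cb_vuln(struct stat_cb_data *d) { toy_use(d)->nlink = 2; }
static void close_cb_vuln(struct stat_cb_data *d) { toy_free(d); }

/* Hardened variant (this example's own fix, not the upstream patch): whichever
 * callback runs last releases the shared data, so reply order no longer matters. */
static void release(struct stat_cb_data *d)
{
    if (--toy_use(d)->pending == 0)
        toy_free(d);
}
static void open_cb_safe(struct stat_cb_data *d)  { release(d); }
static void query_cb_safe(struct stat_cb_data *d) { toy_use(d)->nlink = 2; release(d); }
static void close_cb_safe(struct stat_cb_data *d) { release(d); }

static const int IN_ORDER[3] = { 0, 1, 2 };   /* OPEN, QUERY, CLOSE */
static const int REVERSED[3] = { 2, 1, 0 };   /* CLOSE, QUERY, OPEN, as on slide 17 */

/* Queue the compound request, then deliver the replies in the order the
 * server chose (indices into the queue). Returns how many use-after-free
 * accesses the toy heap observed, or -1 if no slot was free. */
int deliver_replies(int hardened, const int reply_order[3])
{
    struct stat_cb_data *shared = toy_alloc();
    if (shared == NULL)
        return -1;
    struct pdu queue[3] = {
        { "OPEN",  hardened ? open_cb_safe  : open_cb_vuln,  shared },
        { "QUERY", hardened ? query_cb_safe : query_cb_vuln, shared },
        { "CLOSE", hardened ? close_cb_safe : close_cb_vuln, shared },
    };
    uaf_count = 0;
    shared->pending = 3;

    for (int i = 0; i < 3; i++) {
        struct pdu *entry = &queue[reply_order[i]];
        entry->cb(entry->cb_data);   /* as on slide 13: the matching callback gets its data */
    }
    return uaf_count;
}

int main(void)
{
    printf("vulnerable, in order : %d UAF accesses\n", deliver_replies(0, IN_ORDER));
    printf("vulnerable, reversed : %d UAF accesses\n", deliver_replies(0, REVERSED));
    printf("hardened,   reversed : %d UAF accesses\n", deliver_replies(1, REVERSED));
    return 0;
}
```

The vulnerable dispatcher is clean when replies arrive in the expected order and reports two stale accesses for the reversed order, which is exactly why a client must never assume a server honours request order. The pending counter removes the assumption: the free moves to the last callback, whichever that is.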
20. The UAF bug
    - But what/where to write?
    - Can't write into the GOT table (Full RELRO)
    - My idea is to overwrite __free_hook with system (glibc 2.29)
    - But we don't know their locations yet (ASLR, PIE) -> Need a leak
21. encode_ntlm_auth

    ```c
    static int encode_ntlm_auth(struct smb2_context *smb2, time_t ti,
                                struct auth_data *auth_data, char *server_challenge)
    {
        /* ... */
        memcpy(&u32, &auth_data->ntlm_buf[40], 4);
        u32 = le32toh(u32);                                       // <-- We control this
        server_name_len = u32 >> 16;
        memcpy(auth_data->buf, server_name_buf, server_name_len); // Bug here
    }
    ```

    We control server_name_len and no length check is made on it.
22. The OOB read
    - Basically, we can do memcpy(reply_buffer, buffer, Y)
    - We control Y
    - OOB read confirmed -> Leak libc address -> Defeat ASLR
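The missing check from slides 21 and 22, as an added example in C that is not libsmb2 code. It keeps the slide's derivation of the length (a little-endian 32-bit field at byte 40, `server_name_len = u32 >> 16`) and adds the bounds checks a client needs before copying a server-supplied range. Everything the slide does not state is this example's assumption: the source offset is read from bytes 44..47 (the position of the TargetInfo buffer offset in the NTLM CHALLENGE layout), a 48-byte minimum for the fixed part, and the constructed challenge messages used to exercise it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libsmb2 code. It models the copy on slide 21: a 32-bit
 * little-endian field at byte 40 of the server's NTLM CHALLENGE message yields
 * server_name_len = u32 >> 16, and that many bytes are then copied out of the
 * message. Anything beyond the slide is this example's assumption: the source
 * offset is read from bytes 44..47 (where the NTLM CHALLENGE layout keeps the
 * TargetInfo buffer offset), and the messages below are constructed. */

#define NTLM_CHALLENGE_MIN_LEN 48   /* assumption: the fixed part must be fully present */

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened copy. Returns the number of bytes copied, or -1 when the claimed
 * range lies outside ntlm_buf (the slide's OOB read) or would not fit in out. */
int copy_server_name(const uint8_t *ntlm_buf, size_t ntlm_len,
                     uint8_t *out, size_t out_cap)
{
    if (ntlm_buf == NULL || out == NULL || ntlm_len < NTLM_CHALLENGE_MIN_LEN)
        return -1;

    uint32_t u32 = get_le32(&ntlm_buf[40]);
    size_t server_name_len = u32 >> 16;               /* exactly as on the slide */
    size_t server_name_off = get_le32(&ntlm_buf[44]); /* assumption, see above */

    /* Compare against what is actually buffered; subtract in the order that
     * cannot wrap. This is the check the original code was missing. */
    if (server_name_off > ntlm_len || server_name_len > ntlm_len - server_name_off)
        return -1;
    if (server_name_len > out_cap)
        return -1;

    memcpy(out, &ntlm_buf[server_name_off], server_name_len);
    return (int)server_name_len;
}

/* Build a constructed 64-byte challenge: NTLMSSP signature, message type 2,
 * the length pair at byte 40 set to `len` and the offset field at 44 set to `off`. */
static void make_challenge(uint8_t msg[64], uint16_t len, uint32_t off)
{
    memset(msg, 0, 64);
    memcpy(msg, "NTLMSSP", 8);                 /* 7 chars plus the terminating NUL */
    msg[8] = 2;
    msg[40] = (uint8_t)len; msg[41] = (uint8_t)(len >> 8);   /* Len */
    msg[42] = (uint8_t)len; msg[43] = (uint8_t)(len >> 8);   /* MaxLen: the half that u32 >> 16 selects */
    msg[44] = (uint8_t)off; msg[45] = (uint8_t)(off >> 8);
    msg[46] = (uint8_t)(off >> 16); msg[47] = (uint8_t)(off >> 24);
    memcpy(&msg[48], "server-name-data", 16);  /* constructed payload bytes */
}

/* Run a challenge whose length/offset fields a server could set arbitrarily
 * through the hardened copy. Returns what copy_server_name returns. */
int check_claimed_field(uint16_t claimed_len, uint32_t claimed_off)
{
    uint8_t msg[64];
    uint8_t out[32];
    make_challenge(msg, claimed_len, claimed_off);
    return copy_server_name(msg, sizeof msg, out, sizeof out);
}

int main(void)
{
    printf("len 16 @48   -> %d\n", check_claimed_field(16, 48));      /* accepted */
    printf("len 0xFFFF   -> %d\n", check_claimed_field(0xFFFF, 48));  /* rejected: past the message */
    printf("len 8 @1000  -> %d\n", check_claimed_field(8, 1000));     /* rejected: offset past the message */
    return 0;
}
```

The two rejections are the two ways a server-chosen length escapes the buffer: a length larger than what remains after the offset, and an offset that is itself outside the message. Checking the destination capacity as well turns the same field from an out-of-bounds read into neither a read nor a write past either buffer.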