Practical Exploitation of CoAP Protocol Vulnerabilities

Practical Exploitation of CoAP Protocol Vulnerabilities

This article is an excellent piece from the Kanxue Forum.

Kanxue Forum Author ID: Feng Yi Ying Han

It seems that there is very little content related to the CoAP protocol on domestic security forums like Kanxue, and the CVEs mainly involve vulnerabilities in the CoAP protocol library. Therefore, I will organize and record my recent analysis related to the exploitation of vulnerabilities in a certain device’s CoAP protocol.

Brief Introduction to CoAP Principles (For details, refer to the RFC document)

CoAP can simply be regarded as a lightweight HTTP protocol based on UDP.
Protocol Stack:
Practical Exploitation of CoAP Protocol Vulnerabilities
Constrained RESTful Environments (CoRE)

  • Based on REST

  • Applicable to constrained nodes and networks

  • Helps clients discover resources on the server

CoAP Resource Discovery Mechanism

  • Based on CoRE

  • Uses /.well-known/core as the Well-Known URI, see RFC8615 for details

  • Example: CoAP server provides 2 resources

REQ: GET coap://server:port/.well-known/core
RES:  2.05 Content  </sensors/temp>;if="sensor",  </sensors/light>;if="sensor"
Security Mechanisms
CoAP has four security mechanisms: NoSec, PreSharedKey, RawPublicKey, Certificate, but only NoSec and RawPublicKey are mandatory implementations.

  • NoSec: no protocol-level security (DTLS is disabled)

  • PreSharedKey: DTLS is enabled. Authentication is based on pre-shared keys.

  • Certificate: DTLS is enabled. Authentication is based on asymmetric keys with X.509 certificates.

  • RawPublicKey: DTLS is enabled. Authentication is based on raw public keys.

CoAP itself does not implement authentication and authorization mechanisms but completes them through communication security (IPsec, DTLS) and object security.
Security Considerations
  • Protocol parsing and URI processing
The processing logic of incoming packets may have vulnerabilities.
  • Proxies and caching
Proxies can compromise the protection of IPsec or DTLS.
  • Reflection Attacks
Reflection attacks caused by the inability of the UDP protocol to verify the source address.
There are some related reports on this.
https://www.netscout.com/blog/asert/coap-attacks-wild
https://anquan.baidu.com/article/807
  • IP Address Spoofing Attacks
Sending forged ACK and other messages.
  • Cross-Protocol Attacks
Attacks that bypass firewall rules by spoofing source addresses.

Practical Exploitation

The default port for CoAP is 5683 or 5684. The security mechanism for port 5683 is NoSec, while 5684 has DTLS enabled. I checked the device, and it has port 5683 open.
udp        0      0 0.0.0.0:5683            0.0.0.0:*
As shown, the device implements a Well-Known URI based on CoRE.
if ( *((_BYTE *)v21->hdr + 1) == 1 && !memcmp(key, &unk_A0DC, 4u) ){  coap_log_impl(7, "create default response for %s\n", ".well-known/core");  v22 = wellknown_response(context, node->pdu);}
So we can proceed directly with the Resource Discovery process:
import asyncio
from aiocoap import *

async def main():
    protocol = await Context.create_client_context()
    msg = Message(code=GET, uri="coap://192.168.1.1:5683/.well-known/core")
    response = await protocol.request(msg).response
    print(response.payload)

asyncio.run(main())
We can see that the CoAP server provides the following resources:
b'</>;title="General Info";ct=0,...</device/inform/boot>;title=device/inform/boot,</device/inform/syncreq>;title=device/inform/syncreq,</device/inform/off>;title=device/inform/off,</device/inform/hb>;title=device/inform/hb,</device/inform/data>;title=device/inform/data,</device/cmd/file>;title=device/cmd/file</async>;ct=0'
By reversing the corresponding binary, we can see the implementation of the code, and we can infer the corresponding functions and URIs.
void *__fastcall start_coap_server_thread(void *a1){ pthread_t v1; // $v0 v1 = pthread_self(); pthread_detach(v1); ... registerCoapMethod("device/inform/boot", coapboot_handler) registerCoapMethod("device/inform/syncreq", coapsync_handler) registerCoapMethod("device/inform/off", coapoff_handler) registerCoapMethod("device/inform/hb", coaphb_handler ) registerCoapMethod("device/inform/data", coapdata_handler) registerCoadMethod("device/cmd/url", coapdata_url_handler) ... startCoapService("0.0.0.0", 5683); return 0;}
The remaining task is to further exploit these functions for vulnerabilities.
Findings:
1. The coapsync_handler function returns device SSID, Pwd, and other parameters to the client, leading to information leakage, which is a rather trivial vulnerability.
...cJSON_AddItemToObject(v73, "SSID", v13);v14 = cJSON_CreateString(&v83[136]);cJSON_AddItemToObject(v73, "SecurityMode", v14);v15 = cJSON_CreateString(&v83[72]);cJSON_AddItemToObject(v73, "Pwd", v15);...
Practical Exploitation of CoAP Protocol Vulnerabilities
2. Command injection caused by URL field data.
recv_cmdfile_handler will call cmdupgrade_parse.
cmdupgrade_parse will parse the value of the URL from the posted cjson data.
v17 = cJSON_GetObjectItem(v9, "Url");    v18 = v17;    if ( v17 )    {      v19 = *(const char **)(v17 + 16);      v20 = 0;      if ( v19 )      {        v21 = strlen(v19);        v20 = malloc(v21 + 1);        v22 = strlen(*(const char **)(v18 + 16));        memset(v20, 0, v22 + 1);        strcpy((char *)v20, *(const char **)(v18 + 16));      }
Ultimately, the function do_upgrade is called, and the URL field data is concatenated to the command executed by the system, leading to unauthorized RCE.
do_upgrade
int __fastcall do_upgrade(const char *Url){...  if ( !strcmp((const char *)v35, "XXXX-XXXXXX") )    snprintf(cmd, 0x180u, "curl %s -o %s%s -k", Url, "/var/tmp/", uri);  else    snprintf(cmd, 0x180u, "wget -q -P %s %s", "/var/tmp/", Url);  system(cmd);}

Some Related Tools

  • cotopaxi

    https://github.com/Samsung/cotopaxi

  • libcoap, aiocoap and other CoAP protocol implementation libraries

Attack Path

Determine whether resource discovery operations can be performed to obtain resources from the CoAP server;
Determine which security mechanism is in place;
Determine whether authentication mechanisms are implemented;
Perform reverse analysis on request parsing functions.

References

https://tools.ietf.org/html/rfc8615

https://datatracker.ietf.org/doc/html/rfc6690

https://en.wikipedia.org/wiki/Constrained_Application_Protocol

https://datatracker.ietf.org/doc/html/rfc7252

https://datatracker.ietf.org/doc/html/rfc5785

Practical Exploitation of CoAP Protocol Vulnerabilities

Kanxue ID: Feng Yi Ying Han

https://bbs.pediy.com/user-home-647447.htm

*This article is original by Feng Yi Ying Han from Kanxue Forum. Please indicate the source when reprinting from the Kanxue community.

Practical Exploitation of CoAP Protocol Vulnerabilities

# Previous Recommendations

1. Practical Protocol Analysis

2. Writing a Simple Linux Kernel Rootkit

3. Analysis of Tenda Cameras

4. Android APP Vulnerability Battle – Detailed Explanation of WebView Vulnerability

5. UDS Diagnostic Protocol – Reverse Engineering WP

6. CVE-2018-18708 Tenda Buffer Overflow Vulnerability

Practical Exploitation of CoAP Protocol Vulnerabilities
Practical Exploitation of CoAP Protocol Vulnerabilities

Share

Practical Exploitation of CoAP Protocol Vulnerabilities

Like

Practical Exploitation of CoAP Protocol Vulnerabilities

Watching

Related posts

  1. Member Spotlight: Lingxin Micro’s Highly Integrated SOC Supports Electric Vehicle Control, Achieves AEC-Q100 Certification
  2. Electrical Symbols and Project Codes in Electrical Technology
  3. Dobby Source Code Reading: Instruction-Level Tool
  4. Understanding IoT Application Protocols – CoAP Explained (Part 1)
  5. MQTT and CoAP Date in EMQ X World
  6. CoAP Protocol Explained in IoT Technology System
  7. CoAP: The Next Protocol Vulnerable to DDoS Attacks
  8. Basic Comparison of XMPP, MQTT, HTTP, and CoAP Protocols
  9. Spring Boot IoT Practice: Easy CoAP Protocol Integration
  10. Debugging CoAP Protocol in ThingsBoard
  11. Choosing Between MQTT, CoAP, and LwM2M for IoT Protocols
  12. Python IoT Programming: Using MQTT and CoAP Protocols
  13. CoAP | Implementing RESTful Architecture in IoT
  14. Hands-On Writing of UDP Protocol Stack – CoAP Message Parsing 5
  15. Detailed Explanation and Application of MQTT IoT Protocol
  16. Fundamentals of Cybersecurity
  17. Californium (Cf): Java’s CoAP Protocol Library
  18. Introducing CoAP Protocol for Enhanced IoT Connectivity
  19. Introduction to IoT Application Layer Protocols – CoAP

Leave a Comment