Fuzzing usb modems rahu_sasi

http://Garage4Hackers.com
Fuzzing USB Modems
[CanSecWest 2013]
Rahul Sasi @fb1h2s
http://www.garage4hackers.com/blogs/8/sms-
shell-fuzzing-usb-internet-modems-1082/

Disclaimer
I don‟t own any of the images I have used in
these slides, and I don‟t know whom to give
credits for other than Google, so don‟t come
crying back to me with copyright crap .
I might have copy/pasted diagrams from other
websites and articles and I do not remember all
the sites to give credits to, so don‟t be a kid just
deal with it.
References would be there in the actual white
paper.

Who am IRahul Sasi aka fb1h2s.
Admin Member at Team [Garage4hackers.com]
Work as a Security Researcher .
I was invited to present my researches at:
Blackhat[Europe],
Blackhat Arsenal[ Las Vegas],
HITB[Amsterdam],
HITB[Malaysia],
Nullcon [Goa 2010-2013],
NullCon [Delhi],
Ekoparty [ Argentina] ,
Cocon[2012-2013]
CanSecwest [Canada]

What I do at work

What I do at Work.
14%
19%
19%10%
5%
33%
At work
15% Reverse
Engineer
20% Build Tools
19% Exploit
Analysis
10% Malware
Analysis
5% Play counter
strike

What I do [at Home ]
20%
20%
13%
19%
28%
At Home
Exploit Writing
Code for KXP
Try out Food
Watch Porn
Facebook

Agenda
Introduction to USB Data modems.
Fuzzing USM modem dialer applications.
DOS attacks via SMS.
Phishing Attacks via SMS.
Fuzzing Device Drivers
Demo Potential Code execution .

Why a security talk on USB
modems
80 million devices in 2010 [It should be more
now]
http://www.efytimes.com/e1/fullnews.asp?edid=4765
0
Is security risk all about the market share of the
device.
Yes, USB devices are so popular and is owned
by a lot of guys.
o So is this the only reason we consider this for a
security audit??

What was my interest in
USB Data modems.

Spot the Similarity
Tata Photon, Reliance Net connect , Idea Net
setter,
Airtel 3g, Bsnl 3G
All the above products are USB modems sold in
India by different Tele service vendors for
different prices.
And all of them are made by Huawei :D .

USB wireless modemsA USB modem used for mobile broadband
Internet, aka dongle is widely used these days.
They use the USB port on you're computer to
make it connect to a GSM/CDMA network there
by creating a PPPoE(Point to Point protocol over
Ethernet) interface to your computer.
Default comes a dialer software either written by
the hardware manufacture customized for the
mobile supplier.
They also come bundled with device driver.

The most important thing.
The mobile phone service providers distribute
|sell these modems.
These modems have a phone no which lies in a
particular series, so all the phone numbers end
with xxxxxx1000 to xxxxxx2000 would be running
a particular version of USB modem dialer
software so the impact is large.
This means mass exploitation since u know were
your targets are. It would be like an ms08-067
with an additional benefit of knowing where your
targets are.

More on USB modems
These devices when plugged in to a computer detects
as a CDFS file systems and has the following
software's in it.
 Network Manager
 Device driver
 Modem dialer
These software's comes bundled as a package and need
to be installed on the host computer to connect to the
internet .
Software Included in Huawei Mobile Connect.

Architecture USB Modem
Device
Drivers
Dialer
App
Network
Manager

Device Driver
The device driver usually provide
interrupt handling for asynchronous
hardware interface.
They allow the host machine to
communicate to the USB interface.
A device driver package for Win
, Mac ,Linux is included with all
these devices.

Modem Dialer
This software interacts with the modem
using AT commands, and dials a
connection to establish an internet
connection over 3g/4g.
One of the interesting features that are
added to these dialer software‟s is an
interface to read/sent SMS from your
computer directly.
This is mainly done for sending promotion
offers and advertising [Fuck u SMS
Spammers].
Network Manager: Manages the Network

What do we Attack
Application Inputs for Remote
Attacks:
o Spear Phishing SMS campaigns.
o SMS Parsing Module.
Application Input for Local Attacks.
o Device Drivers

Phishing SMS campaigns.
Video Here:

Social Engineering Attack
I Found this trick back in college 4 years back.
It still work‟s like a charm .
Finding Personal Info of any Phone number:
The security question for any sort of info on you‟r personal details is
you're last recharge value.
Call customer service , give them the no u need to track. Bluff to the
service guy u did a recharge for „n‟ amount and that it was never
reflected in you're account.
He will read out all past recharges for you :D .
Use that details to make a second call , and get access to any one‟s
personal info.

SMS Parsing Module.
These SMS modules added to the dialers, simply
check the connected USB modem for incoming
SMS messages.
If any new message is found it‟s parsed and
moved to a local sqlite database, which is further
used to populate the SMS viewer.
Parsing take place with out user interaction.

Understanding SMS
When an SMS is sent, its delivered to MSC[
message service center]
SMSC will further sent the message to the
recipient.
The SMS messages is limited to 160 [7 bit chars]
to 140 [8 bit chars] or 70 [16 bit chars] .
SMS concatenation is used to send a single
large message exceeding 160 chars to be sent
over as multiple SMS and the receiver puts them
together as single SMS.
Can also deliver Binary data [OTA
Configs, Ringtones]

Parser Working
Video here:

GSM 7 bit Ascii Encoding

SMS Handling By Modem Dialer
When an SMS arrives at a modem the parser queries the
modem using AT codes and retrieve the incoming SMS.
Response would be “AT” result code and SMS [pdu] DU
(protocol description unit) | text.
[Dialer]
AT+ Command
[Modem]
Response

The SMS PDU Format
This Is how an SMS u sent out looks like.
07911356131313F311000A9260214365870008AA5
2004800650020006400750064006500200068006F
0077007A002000740068006500200063006F006E0
066006500720065006E0063006500200067006F00
69006E0067002E002000210040002300240025005

Understanding PDU
Format

Making the Fuzz Payloads
SMS attacks presented by Collin Mulliner, Charlie Miller and Nico
Golde in 2010 -2011. They released a fuzzer that can fuzz mobile
phone by SMS along with test cases [PDU] format. Just steel it.

Phase 1: My Simple Fuzz
Read PDU
Add Victim No
and SMSC
Sent to Victim
If no crash on
Victim
Do it again

Results:
Video here:

Attacks
Possible to Take down n number of systems on
the network, just sent one crafted payload to
each victims and ka-boom.

Few Interesting Bugs:
#Bug-1:

Bug-1[ Non Exploitable ]
• If two simultaneous SMS are received on the
modem then then you can trigger a UAF[Use
after free] , and doing that is fairly simple.
• There was no user controlled registers for this
bug, or least I could not find one.
• So I marked it Non exploitable [Fun Bug]

Bug-2 [Non-Exploitable]
App crashes handling service SMS which .
We had a partial register control, but I had to
classify it non exploitable as it was not that easy.
• More technical Details on other bugs and
analysis you can read at my Blog soon.
http://www.garage4hackers.com/blogs/8/
Lets move on …

Now What:

Jan-26 : Bug Reported to Huawei

Feb 5: No response from them
Instead a Chinese New Year
Greetings

Feb 11: PSTR sent a mail to my alternate
address asking about my Nullcon +
CansecWest talk.

More Interactions with them and they
closed the bug thread on Feb 26

Analysis Of the Bugs
• Currently Huawei does not have an Auto Update
, customers will have to manually download
install the patched application.
• The Dealers do not update there customers on
security patches.
• So technically almost all device out there that are
sold or are yet to be sold runs on a vulnerable
version.

Now that we know bugs
are there,
More Fuzzing

What to Fuzz for
WAP Push
Operator Logo|Messages
Service messages
VCARD
Concatenation of Message
Some support MMS
Even though all these are not supported in many of
the Modems, some do.

Reverse Engineering
DialerWe can reverse the Parser modules to
understand the supporting formats and functions
to help us in better fuzzing.
I didn't spent much time reversing the modules
, as most of the things I wanted were available
from USB sniffing .
I had to spent some time understanding the
different SMS formats supported .The same thing
could be achieved by reading the manual.

Poor Man‟s Fuzzing

Sniffing USB Traffic:
Analyzing USB traffic to better understand the
process.
On Mac Using USB Prober using
http://adcdownload.apple.com/Developer_Tools/ious
bfamily_log_release_for_os_x_10.8/iousbfamily516.
4.1log.dmg .
On Windows using Usbsnoop pro:
http://jaist.dl.sourceforge.net/project/usbsnoop/Snoo
pyPro/SnoopyPro-0.22/SnoopyPro-0.22.zip
On Linux using Wireshark .

USB Sniffing
Video Here:

AT Commands Extracted from USB
logs
AT^SYSINFO
This command is used to query the current system information, e.g.
system service state, domain, roaming or not and SIM card state.
+COPS: 0,1,"IDEA",2
This interface enables to query the network state and network
selection mode currently registered by the MS.
AT+CPMS="SM","SM","SM”
The SET command is used to set the message storage media
corresponding to the message read/write operations, and return the
current use state of the selected media.

How messages are Read
We can set the Message storage area in modem
by
AT+CPMS="SM","SM","SM”
The AT+CMGL is used to read messages based
on a particular status.
Read/Unread messages are categorized based
on a status "received unread", "received
read", "stored unsent", "stored sent", etc.
AT+CMGL="REC UNREAD"

Building Test Cases
Collect some SMS [PDU] messages.
Mutate them and build you're test cases.
Set PDU status to “received unread”.
Attach you‟r sim to you‟r fuzzer.
AT+CMGW=”+917738222968",145,” received
unread"<CR>fuzztest1<Ctrl+z>
Write test cases to SIM , you can write 500-1000 test
cases based on the storage capacity.

The flow
Read
SMS
PDU
Set
Sender
and SMS
Set PDU
Unread
[write]
Attach to
Modem

What to Fuzz
I downloaded other popular devices that were
available in our region and started fuzzing them.
And we got multiple crashes [w00t w00t] .
One was a memory corruption in parsing
Service Center Number. Even though this was
exploitable, in actual scenarios you cannot sent
an SMS message with an invalid Service Center
Number over a GSM network.
So that was dead end.

Another Memory Corruption in
a Service Message
[Exploitable]Exploitation:
1) You're Hex Shell code has to be in SMS PDU
format appended along with the text.
2) SMS Concatenation works great to send longer
shell codes, but the stack is corrupted with junk
each time new shell code is appended.
3) You would not have to worry about ASLR/DEP as
they are not compiled with them.

POC
We made a working POC [35 byte] shellcode, 1 SMS.
The shell code just write‟s to c:// hack.txt.
I know it sucks but getting a Metpreter running
needed more time and patience than I actually had.
Even though Metpreter was my aim, sometimes you
fail and you need to accept it  .
Probably other skilled hackers in this room could get
it done.

Exploitation
Video Here:

Thanks
Mail me at: fb1h2s@gmail.com
https://twitter.com/fb1h2s
http://www.Garage4Hackers.com

Fuzzing usb modems rahu_sasi

More Related Content

What's hot (20)

Viewers also liked (14)

Similar to Fuzzing usb modems rahu_sasi (20)

More from Rahul Sasi (6)

Recently uploaded (20)

Fuzzing usb modems rahu_sasi