IoT exploitation: from memory corruption to code execution by Marco Romano
0 likes468 views
The document discusses various vulnerabilities in IoT devices, specifically focusing on exploits related to the Edimax IC-3140W network camera. It outlines the process of information gathering, firmware analysis, and the exploitation techniques used to achieve remote code execution through stack buffer overflow. The presentation highlights the exploitation plan, bypassing security protections, and concludes with a demonstration of executing arbitrary code on the target device.
![Stack Buffer Overflow
© Marco Romano - nemux.org
1) main() calls foo()
2) foo() copies “AA…” in buf[]
3) foo() “return;” —> go back in main()
“2 minutes Crash Course”
Stack](https://image.slidesharecdn.com/romano-nemuxcodemotionrome18cover-180503141128/85/IoT-exploitation-from-memory-corruption-to-code-execution-by-Marco-Romano-6-320.jpg)
IoT exploitation: from memory corruption to code execution by Marco Romano
- 1. IoT exploitation: from memory corruption to code execution Marco Romano ROME - APRIL 13/14 2018
- 2. Marco Romano (In)Security Researcher sometimes for fun, sometimes for profit FIND ME HERE @nemux_ IoT exploitation from memory corruption to code execution © Marco Romano - nemux.org
- 3. Independent researches Publicly disclosed vulnerabilities 2015 CVE-2015-7805 Heap-based buffer overflow in libsndfile 1.0.25 2016 CVE-2016-2399 Integer overflow in the quicktime_read_pascal function in libquicktime 1.2.4 2018 CVE-2018-8072 ???? 2017 © Marco Romano - nemux.org
- 4. CVE-2018-8072 EDIMAX Network Cameras Stack Buffer Overflow Models: IC-3140W, IC-5150W, IC-6220DC An issue was discovered on EDIMAX IC-3140W through 3.06, IC-5150W through 3.09, and IC-6220DC through 3.06 devices… © Marco Romano - nemux.org
- 5. Stack Buffer Overflow © Marco Romano - nemux.org “2 minutes Crash Course” Stack For the sake of simplicity some stack info are missed
- 6. Stack Buffer Overflow © Marco Romano - nemux.org 1) main() calls foo() 2) foo() copies “AA…” in buf[] 3) foo() “return;” —> go back in main() “2 minutes Crash Course” Stack
- 7. Stack Buffer Overflow © Marco Romano - nemux.org “2 minutes Crash Course” Stack
- 8. Model number: IC-3140W (1) …open-up the box… (2) Information gathering (3) Attack surface mapping DAY 1 TARGET: HD Wireless Day & Night Network Camera © Marco Romano - nemux.org
- 9. Your are safe… you can see him… © Marco Romano - nemux.org
- 10. …and yell at him © Marco Romano - nemux.org Image courtesy of: edimax.com
- 11. …but not at him! (unauthenticated) Remote Code Execution © Marco Romano - nemux.org
- 12. Information Gathering & Attack Hardware Best friend: Screwdriver Take note of the components used in the device and collect online resources © Marco Romano - nemux.org
- 13. Software Best friend: Google Download everything the vendor allows you to… First of all the firmware! Information Gathering & Attack © Marco Romano - nemux.org
- 14. They are 4 interesting holes! UART Pinouts IC-3140W: UART root shell: 3 Wires + 1 USB Serial Adapter + Right baudrate (38400) 1. Tx 2. GND 3. Rx 4. Vcc UART Exploitation © Marco Romano - nemux.org
- 15. Get a root shell Goal: UART —> Serial Console —> telnetd & © Marco Romano - nemux.org
- 16. Firmware Firmware analysis Best friend: binwalk https://github.com/ReFirmLabs/ binwalk binwalk -M -e IC-3140W_3.05.bin © Marco Romano - nemux.org
- 17. Interesting targets Goal: Unauthenticated HTTP Request —> Binary CGI got something to reverse…. © Marco Romano - nemux.org
- 18. telnetd.cgi? sounds good! Goal: HTTP Request —> telnetd.cgi —> telnetd & (1) Undocumented “feature” (2) Not available in the admin panel (3) Run telnet daemon through an HTTP GET request …feature, really? (it comes in handy for debugging purpose) © Marco Romano - nemux.org
- 19. telnetd.cgi Reverse… Goal: HTTP Request —> telnetd.cgi —> telnetd & Typo here… © Marco Romano - nemux.org
- 20. telnetd.cgi Let’s test it! Goal: HTTP Request —> telnetd.cgi —> telnetd & No UART wires and “noise”, from now on… and typo here… so, it works :-) © Marco Romano - nemux.org
- 21. Bug Hunting Model number: IC-3140W TARGET: HD Wireless Day & Night Network Camera DAY 2 © Marco Romano - nemux.org
- 22. Binary Reverse Best friend: Debugger & Disassembler How it works: CGI manages parameter through environment variables (take note for debugging session) Reverse ipcam_cgi © Marco Romano - nemux.org
- 23. Goal: HTTP Request —> public/… —> vulnerability (?) 1) strcpy() —> dest with fixed size (1024) 2) strcpy() —> i can control the source 3) strcpy() —> no check on src size ipcam_cgi © Marco Romano - nemux.org
- 24. HACKED POTATO! HTTPdHTTP GET getSysteminfo.cgi 2016 ipcam_cgiHTTPd set ENV variables strcpy()ipcam_cgi parse & copy Stack Buffer Overflow Recipe… …result Goal: HTTP Request —> public/… —> vulnerability (?) ipcam_cgi © Marco Romano - nemux.org
- 25. ipcam_cgi Let’s test it! Value length > 1024 byte (0x400) Goal: HTTP Request —> public/… —> vulnerability (?) © Marco Romano - nemux.org
- 26. ipcam_cgi some math… “action=“ + 1017 + “BBBB” (0x42424242) Invalid Read Access Goal: HTTP Request —> public/… —> vulnerability (!) © Marco Romano - nemux.org
- 27. Exploiting Model number: IC-3140W TARGET: HD Wireless Day & Night Network Camera DAY 3 © Marco Romano - nemux.org
- 28. Protection Mechanisms Goal: HTTP Request —> ipcam_cgi —> code exec ASLR = Address Space Layout Randomization Randomly arranges the address space positions of key data areas of a process: executable, stack, heap and libraries. (2) Memory Map Stack Base = 0x7fad6000 Stack Base = 0x7fdac000 Partially Enabled (1) Memory Map © Marco Romano - nemux.org
- 29. Protection Mechanisms Goal: HTTP Request —> ipcam_cgi —> code exec (2) Memory Map (1) Memory Map W^X = Write XOR Execute Address space may be either writable or executable, but not both Not Enabled 32bit arch no PAE © Marco Romano - nemux.org
- 30. “Exploitation plan” Steps 1) Hijack the control flow 2) Bypass Protections 3) Inject arbitrary code …and jump there! © Marco Romano - nemux.org
- 31. Mips Note Goal: Low-level note…MIPS registers Image courtesy of hmc.edu © Marco Romano - nemux.org
- 32. Hijack the flow Goal: Overwrite Saved Return Pointer -> Control RA Control “Return Address” register Exception: “Invalid Read Access” = Pointer(s) stored in the Stack = “CONSTRAINTS” Constraints solved… Stack SrP —> 0x46464646 —> RA = SrP Control Flow Hijacked! © Marco Romano - nemux.org
- 33. Bypass Stack ASLR Jump there…. where!? Stack + ASLR “Code-Reuse” Attack Bypass Protections Goal: Find a stack pointer © Marco Romano - nemux.org
- 34. Bypass Stack ASLR Goal: Find a stack pointer “Code reuse” attack… how it works? Execute the code which is “already” present in the memory Usually used to bypass NX Bypass Protections © Marco Romano - nemux.org
- 35. Bypass Stack ASLR Goal: Find a stack pointer “System” applies a restriction… Bypass Protections © Marco Romano - nemux.org
- 36. Bypass Stack ASLR Goal: Find a stack pointer …but she’s smart! Bypass Protections Answer is “NO” © Marco Romano - nemux.org
- 37. Bypass Stack ASLR Goal: Find a stack pointer “Code reuse” attack… exploitation purpose 1. Libraries: Fixed location in memory 2. Plan: Concatenate “pieces” of (that) code 3. Get a (randomized) stack pointer to defeat ASLR Bypass Protections © Marco Romano - nemux.org
- 38. Cache coherence Goal: Defeat cache coherence MIPS CPUs have 2 separate caches (data and instructions) Cache != Protection… but affect exploitation! • Our payload will be in memory as data • Hijack control flow… and Shellcode in D-cache • How to move Shellcode in Main Memory? Bypass Protections © Marco Romano - nemux.org
- 39. “Bypass” Cache coherence Cache Flushing… how to 1. Filling the D-cache to force the CPU to write-back 2. cacheflush() systemcall 3. Call a blocking function (like sleep() or similar) Cache != Protection… and we can defeat it! Bypass Protections Goal: Defeat cache coherence © Marco Romano - nemux.org
- 40. put them all together… Goal: Execute a “connect back” shellcode Chain of “Gadgets” - Step 1 - Defeat Cache Inject arbitrary code Hijack Control Flow “Init” Gadget “Double-Jump” Gadget call usleep() set usleep() arg jump next… © Marco Romano - nemux.org
- 41. put them all together… Goal: Execute a “connect back” shellcode Chain of “Gadgets” - Step 2 - Defeat Stack ASLR Inject arbitrary code Move Stack Pointer in $A1 Move $A1 in $V0 Jump to $V0 © Marco Romano - nemux.org
- 42. put them all together… Goal: Execute a “connect back” shellcode Chain of “Gadgets” - Step 3 - Execute Shellcode Inject arbitrary code Ehi! That’s my code… Connect back shell… port 8080 © Marco Romano - nemux.org
- 43. Wait for a root shell… Goal: Execute a “connect back” shellcode Execute arbitrary code © Marco Romano - nemux.org
- 44. Let’s play the bad guys © Marco Romano - nemux.org Botnet
- 45. …while you wait for the crypto miner botnet © Marco Romano - nemux.org Don’t do this at home! :-)
- 46. TIMELINE 2016 February 2018 ME —> EDIMAX Proof of concept March 2018 EDIMAX —> ME Private Beta version April 2018 New Firmware (??) CVE-2018-8072 © Marco Romano - nemux.org
- 47. Thank you! © Marco Romano - nemux.org https://gitlab.com/nemux/CVE-2018-8072