
Embedded System Vulnerability Analysis - grayhash.com


Speaker introduction • 정구홍 (멍멍, 몽이) • Senior researcher at GrayHash (grayhash.com) • Operator of Hackerschool (hackerschool.org) • Organizer of various hacking competitions (codegate, secuinside)


Transcription of Embedded System Vulnerability Analysis - grayhash.com

1 ( ).. ( ) .. / .. ( , ). GrayHash( ) . ( ) . (codegate, secuinside) . Defcon CTF .. Step1 : . Step2 : (wallpad). Step3 : wallpad ( ) . Step4 : wallpad . Step5 : UART . Step6 : . Step7 : (Exploitation) . Step1.. : (gateway). : (gateway). : (gateway). : (gateway). OS : Embedded Linux : Wallpad ( ). OS : Linux ( Android ). : Wallpad ( ).. / (P2P).. ( ). Step2.. Wallpad VS Gateway Wallpad UI .. P2P . Gateway , .. Wallpad VS Gateway .. , . , Gateway . ( ). Wallpad . Step3. Wallpad ( ).. 1.. 2. / . 3. UART . 4. Shell . (partition dump, /dev/mtdblock). 5. Flash Memory . 6. JTAG . 1.. ~iptime/ .. Boot-loader Kernel Ram Disk (initrd). Root File System (applications).

2 2. / .. ? => . ex> 1 .. Ex> + => .. TWIN IP. ARP Spoofing . , .. IP . TWIN IP. IP NAT MAC .. , . IP . ARP Spoofing Ettercap . ettercap -T -M arp : , : Sniffing . 3. UART PORT . UART . UART PORT . Shell . memory reading 4.. , Shell command execution Shell . /dev/ . S .. dd if=/dev/block/bml1 of=/ bs=512.. dd if=/dev/block/bml7 of=/sdcard/zImage bs=4096.. dd if=/dev/block/stl9 of=/ bs=4096. 5. Flash Memory Dump Flash Memory . desoldering Flash Memory . Socket Adaptor Flash Memory . DataSheet . Flash Memory . 6. JTAG . CPU JTAG . JTAG . JTAG = marionette( ). CPU . JTAG Flash Memory . Firmware .. Binwalk (Firmware Analysis Tool).. Signature . Ex> squashfs == hsqs.

3 FMK (Firmware Mod Kit).. Firmware Mod Kit . [root@hackerschool trunk]# .
Firmware Mod Kit (build-ng) beta, (c)2011 Craig Heffner, Jeremy Collake
Scanning
DECIMAL    HEX        DESCRIPTION
---------------------------------------------------------------------------------------
720896     0xB0000    Squashfs filesystem, little endian, version , size: 1235415 bytes, 257 inodes, blocksize: 65536 bytes, created: Wed Nov 14 13:28:13 2012
Extracting 720896 bytes of header image at offset 0.
Extracting squashfs file system at offset 720896.
Extracting 160 byte footer from offset 1957920.
Extracting squashfs
Firmware extraction successful!
Firmware parts can be found in 'fmk/*'.

4 [root@hackerschool trunk]#. Firmware Mod Kit .
[root@hackerschool rootfs]# ls -al
132.
drwxr-xr-x 15 root      root       4096 10 14 2014 .
drwxr-xr-x  5 root      root       4096  4  3 14:22 ..
drwxr-xr-x  4 553779200 4160815104 4096 10 14 2014 bin
drwxr-xr-x  6 553779200 4160815104 4096 10 14 2014 default
drwxr-xr-x  2 553779200 4160815104 4096 10 14 2014 dev
lrwxrwxrwx  1 root      root          8  4  3 14:22 etc -> /tmp/etc
drwxr-xr-x  3 553779200 4160815104 4096 10 14 2014 home
drwxr-xr-x  3 553779200 4160815104 4096 10 14 2014 lib
lrwxrwxrwx  1 root      root         11  4  3 14:22 linuxrc -> bin/busybox
drwxr-xr-x  2 553779200 4160815104 4096 10 14 2014 ndbin
drwxr-xr-x  2 553779200 4160815104 4096 10 14 2014 plugin
drwxr-xr-x  2 553779200 4160815104 4096 10 14 2014 proc
drwxr-xr-x  2 553779200 4160815104 4096 10 14 2014 save
drwxr-xr-x  2 553779200 4160815104 4096 10 14 2014 sbin
drwxr-xr-x  2 553779200 4160815104 4096 10 14 2014 tmp
drwxr-xr-x  2 553779200 4160815104 4096 10 14 2014 upgrade-bin
drwxr-xr-x  5 553779200 4160815104 4096 10 14 2014 usr
lrwxrwxrwx  1 root      root          8  4  3 14:22 var -> /tmp/var
[root@hackerschool rootfs]#.

5 Binary .. 1.. 2. / . 3. UART . 4. Shell . (partition dump, /dev/mtdblock). 5. Flash Memory . 6. JTAG . Step4. (wallpad) .. ? CPU ? ARM? MIPS? CPU , . ( ) . Flash Memory ? AMD? SAMSUNG? Flash Memory , Reading/Writing . ? UART ? UART . 4 . uart debug rs232 . JTAG ? CPU . TDI, TDO, TMS, TCK .. CPU. NXP2120. ARM11 32 . Flash Memory K9F1G08U0D. , Nand Type, TSOP Package (48p). UART (O). JTAG (X). Step5. UART . UART . UART . UART ? Universal asynchronous receiver/transmitter / .. / LINE .. => .. LED ? => . LCD ? => . ? => . ? UART! UART .. Putty, Xshell, , .. USB-UART, USB-RS232, USB-SERIAL. UART Pin . 4 . TX : . RX : . GND : . VCC : . TX RX . PC TX : PC . TX : . UART.

6 , OS .. Ex> printf( initializing network adaptor ok\n );.. Ex> Segmentation fault, command not found UART . Hidden or Setting Menu (Bootloader).. Writing (Command Shell). , .. UART . UART . UART . UART . USB-UART, USB-RS232, USB-SERIAL. USB UART . -> ->COM(n) . UART . USB . CP2102, PL2303, FT232 .. RS, TX, GND, VCC.. Putty Xshell . UART . UART . UART . Demo Shell . UART root . Android . Telnet( ) .. Step6.. network packet . packet replay attack . (1). identity/credential . (2). spoofing/bypass . (1). Wallpad Gateway .. (2). Wallpad device . / .. (tcpdump + wireshark).. 1. telnet (/user/app/bin/telnetd) , passwd , . 2.. 3. ACL . 4. (/user/app/bin/cmxnp) . 5. secure coding Buffer Overflow Format String.

7 Step7. (Exploitation) . Telnet . /etc/passwd, /etc/shadow . /usr/bin/login . => .. Hash . Telnet . Telnet . IP . Gateway : Wallpad : 10 : . 7: . 5: . 3x : . 30 : gateway 31 : wallpad .. / .. Demo .. Demo .. 1 : . 2 : . 1 PC . 2 PC .. 1 2 . SSH .. / . Gstreamer Library .. # /user/app/ cmxvideosrc src=CMOS header=true xpos=0. ypos=0 width=0 height=0 bitrate=6 gop=6 lcd=true ! video/mpeg, mpegversion=4, width=320, height=240, framerate=6/1 ! tcpserversink host= port=6161.. # -v tcpclientsrc host= port=6161 ! filesink location=/ . Demo . wallpad/gateway ( remote) .. BOF, FS .. (Obfuscation). (Anti-Reversing).. IP MAC .. Shell . / . identity . IP, MAC Address .. identity.

8 IP IP ? IP . IP MAC ? . IP Spoofing ARP Spoofing .. ( ).. 3 . KEY . 101 : wallpad(keyA ) <-> gateway(keyA ). 102 : wallpad(keyB ) <-> gateway(keyB ). Key .. Packet replay attack .. Timestamp Nonce . Timestamp .. Nonce nonce . nonce . packet replay attack nonce . packet . +Timestamp|Nonce HMAC . HMAC : keyed-hash message authentication code ( ). 3 .. / .. Certificate Pinning Permanent Session . Certificate Pinning .. public key . Ex> wallpad A public key . Permanent Session random . Session gateway wallpad .. UART . telnet . SSH , shadow . Packet replay attack .. - . Step1 : . gateway + wallpad Step2 : (wallpad). Step3 : wallpad ( ) . UART, Update, Flash Memory Dump Step4 : wallpad.
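The replay-attack countermeasures listed on this slide (a separate key per household, a timestamp and a nonce appended to each wallpad/gateway packet, and an HMAC over the whole thing) worked through as an added example; this is not code from the talk or from GrayHash. The wire format, the 30-second freshness window, the packet contents and the keys are assumptions made for illustration; the household numbers 101 and 102 are the ones on the slide.

```python
# Added example (not from the GrayHash slides): replay protection for
# wallpad <-> gateway packets with a per-household key, a timestamp, a
# nonce and an HMAC. Keys, packets and the wire format are constructed.
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple

MAX_CLOCK_SKEW = 30   # seconds a packet may differ from receiver time (assumed)
NONCE_LEN = 16        # random bytes of nonce per packet (assumed)
TS_LEN = 8            # big-endian unsigned seconds since epoch
MAC_LEN = 32          # HMAC-SHA256 digest length

# Unit 101 and unit 102 get different keys (keyA / keyB on the slide), so a
# packet captured in one apartment is rejected by the gateway of another.
HOUSEHOLD_KEYS: Dict[int, bytes] = {
    101: os.urandom(32),   # keyA, constructed
    102: os.urandom(32),   # keyB, constructed
}


def build_packet(key: bytes, payload: bytes, now: Optional[float] = None) -> bytes:
    """Wire format (assumed): payload || timestamp || nonce || HMAC.
    The HMAC covers payload, timestamp and nonce together."""
    ts = struct.pack(">Q", int(time.time() if now is None else now))
    nonce = os.urandom(NONCE_LEN)
    body = payload + ts + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Gateway-side check: MAC first (constant-time compare), then freshness,
    then a nonce cache so the same packet is never accepted twice."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seen: Dict[bytes, int] = {}   # nonce -> timestamp it arrived with

    def accept(self, packet: bytes, now: Optional[float] = None) -> Tuple[bool, str, bytes]:
        now = time.time() if now is None else now
        if len(packet) < TS_LEN + NONCE_LEN + MAC_LEN:
            return False, "too short", b""
        body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False, "bad mac", b""     # other household's key, or tampered
        payload = body[:-(TS_LEN + NONCE_LEN)]
        ts = struct.unpack(">Q", body[-(TS_LEN + NONCE_LEN):-NONCE_LEN])[0]
        nonce = body[-NONCE_LEN:]
        if abs(now - ts) > MAX_CLOCK_SKEW:
            return False, "stale timestamp", b""
        # Nonces older than the window cannot pass the timestamp check any
        # more, so they can be forgotten; this keeps the cache bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_CLOCK_SKEW}
        if nonce in self.seen:
            return False, "replayed nonce", b""
        self.seen[nonce] = ts
        return True, "ok", payload


def demo() -> Dict[str, str]:
    """Runs the cases a defender cares about and returns the gateway verdicts."""
    gw = Receiver(HOUSEHOLD_KEYS[101])
    t0 = 1_700_000_000
    pkt = build_packet(HOUSEHOLD_KEYS[101], b"DOOR_OPEN", now=t0)  # constructed
    results = {}
    results["fresh"] = gw.accept(pkt, now=t0 + 1)[1]                 # "ok"
    results["replay"] = gw.accept(pkt, now=t0 + 2)[1]                # "replayed nonce"
    old = build_packet(HOUSEHOLD_KEYS[101], b"DOOR_OPEN", now=t0 - 3600)
    results["stale"] = gw.accept(old, now=t0)[1]                     # "stale timestamp"
    other = build_packet(HOUSEHOLD_KEYS[102], b"DOOR_OPEN", now=t0)
    results["wrong_household"] = gw.accept(other, now=t0)[1]         # "bad mac"
    tampered = bytearray(pkt)
    tampered[0] ^= 0x01
    results["tampered"] = gw.accept(bytes(tampered), now=t0 + 1)[1]  # "bad mac"
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} -> {verdict}")
```

The order of the checks matters: the MAC is verified before anything in the packet is parsed or trusted, so an unauthenticated sender cannot make the gateway churn its nonce cache, and the nonce is only remembered after the timestamp check, so the cache holds at most one window's worth of entries. The timestamp alone is not enough (two packets in the same second would be indistinguishable) and the nonce alone would require unbounded storage; together with the HMAC they give the "+Timestamp|Nonce HMAC" construction the slide recommends.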

9 Step5 : UART . Root Shell . Step6 : . + . Step7 : (Exploitation) .. BOF, FS . / Identity . , . (UART, JTAG ).

