Binwalk 0.3.0 Release

While the recent v0.2.1 release was a bug fix release, v0.3.0 has added some important new features:

  1. Include and exclude filters now match search terms on anything in the resulting output rather than just matching the first line description from the magic file.
  2. Signatures that are two bytes or less in length tend to produce a huge number of false positives. In v0.3.0 these signatures are disabled by default in order to prevent being overloaded with false positive matches. These signatures can be enabled using the new -a or -i options.
  3. As always, new signatures have been added to the default magic file!

Grab the latest release here.

Reverse Engineering Firmware: Linksys WAG120N

The ability to analyze a firmware image and extract data from it is extremely useful. It can allow you to analyze an embedded device for bugs, vulnerabilities, or GPL violations without ever having access to the device.

In this tutorial, we’ll be examining the firmware update file for the Linksys WAG120N with the intent of finding and extracting the kernel and file system from the firmware image. The firmware image used is for the WAG120N hardware version 1.0, firmware version 1.00.16 (ETSI) Annex B, released on 08/16/2010 and is currently available for download from the Linksys Web site.

Continue reading

SHODAN Researches DD-WRT Vulnerability

John Matherly of SHODAN fame and Dan Tentler from Aten Labs teamed up to research the DD-WRT information disclosure vulnerability we released back in December.

The results show that approximately 10% of remotely accessible DD-WRT routers were both vulnerable to the attack and could be geo-located based on the information gleaned from the attack.

Dan did his research back in the December-January timeframe just after the vulnerability was released. Using SHODAN, he found that out of 8,000 – 9,000 DD-WRT routers, 2,000 were vulnerable to the information disclosure bug. Out of those 2,000, he was able to geo-locate 700 – 800 of them based on the information gleaned from the vulnerability.

Dan teamed up with John in who did another SHODAN search in April, this time finding 5,688 DD-WRT routers, with 543 that were both vulnerable to the information disclosure bug and could be geo-located.

Although the results aren’t broken out by protocol (HTTP vs HTTPS), this also carries implications of how many DD-WRT users have remote administration enabled and are at risk of SSL MITM attacks.

John has put together a great write-up and a Google map of his results on the SHODAN Research page.

Dan’s work can be found on the Aten Labs blog.

MiniDNS: The Simplest DNS Server

When you’re setting up a device for testing, sometimes you need to set up a DNS server. And when you do, you don’t want to be messing around with DNS configuration files.

MiniDNS is a very simplistic DNS server that responds to all DNS queries with a single IPv4 address. Just provide it with the IP address you want requests to resolve to, and you’re up and running:

# minidns

Serial File Uploads With Serio

So you’ve got an embedded device that’s running Linux, you’ve tapped into the board’s serial port and you have a root shell. You’re poking around and want to run netstat/netcat/grep/whatever – but it’s not installed! And what’s worse, the device doesn’t have any utilities to perform a network file transfer. How do you get the file you want to execute from your host machine up to the embedded device?

Transferring ASCII files can be done with minicom, but that method won’t work properly for binary files. ASCII encoding a binary file usually isn’t an option since most embedded systems won’t have utilities like base64 or uuencode in order to un-encode the transferred file, and other transfer methods (Xmodem/Ymodem/Zmodem, Kermit) require a corresponding utility to already be installed on the embedded device.

If the echo command on your serial shell supports the -n and -e options (most do), serio can help. Continue reading