Exploiting Embedded Systems – Part 3

In part 2 of this series we found a SQL injection vulnerability using static analysis. However, it is often advantageous to debug a target application, a capability that we’ll need when working with more complex exploits later on.

In this segment we won’t be discovering any new vulnerabilities, but instead we will focus on configuring and using our debugging environment. For this we will be using QEMU and the IDA Pro debugger. If you don’t have IDA, you can use insight/ddd/gdb instead, but in my experience IDA is far superior when it comes to embedded debugging.


Exploiting Embedded Systems – Part 2

In part 1 we used the TEW-654TR’s TFTP service to retrieve the administrative credentials for our target system.

But what if we didn’t have access to the TFTP service? Many embedded devices don’t have a TFTP service, or there may be a firewall between us and the target that blocks traffic to UDP port 69. In this case, we’ll have to take a closer look at the web application running on the target.

Burpsuite Login


Adding Hyperlinks to IDA HTML Files With IDAnchor

IDA can export disassembled data in a variety of formats, including HTML. However, the HTML output is difficult to navigate as there are no hyperlinks connecting any of the code cross references. This is a bit frustrating, so I wrote IDAnchor.

IDAnchor will take an HTML file generated by IDA and attempt to locate functions and code references in the file. It then adds anchor tags to each location and hyperlinks all cross references together for easy navigation. It also adds a function navigation table for easily jumping to a desired function:

IDAnchor Example Output

IDAnchor is still very much beta code, but so far it works for me!

Exploiting Embedded Systems – Part 1

So far our tutorials have focused on extracting file systems, kernels and code from firmware images. Once we have a firmware image dissected into something we can work with, the next step is to analyze it for vulnerabilities.

Our target is going to be the Trendnet TEW-654TR. We’ll be examining many different security holes in this device, but for part 1 we will focus on gaining initial access given only a login page and nothing more. We will assume that we do not have physical access to the target device, nor to any other device for testing or analysis.

If you don’t already have them, you will need to install binwalk and the firmware mod kit.

Let’s get started!


Modifying The DD-WRT GUI

Although released under the GPL, DD-WRT is notoriously difficult to build from source. If you want to customize your DD-WRT installation, it is usually easier to extract files from the firmware image, change what you need, and then re-construct the image.

One exception here is the Web GUI. The DD-WRT Web pages (*.asp, *.htm, *.gif, *.css) in each firmware image are protected in order to prevent modification. Being able to customize the Web interface can be advantageous for those wishing to add compatibility with mobile/uncommon browsers, change themes, add links, etc.

And, despite claims to the contrary, that’s exactly what we’ll be doing.

DD-WRT Sporting the Hack-A-Day Logo


Firmware-Mod-Kit Updated, v0.69 Released

For the past month I’ve been working with Jeremy Collake on updating the firmware-mod-kit. This has resulted in lots of bug fixes and the creation of two new scripts for deconstructing and re-building firmware images:

  • extract-ng.sh
  • build-ng.sh

The NG scripts have been designed as more flexible and generic replacements for the current extract_firmware.sh / build_firmware.sh scripts, and provide many improved features including:

  • The use of binwalk (now included with the firmware-mod-kit) to locate and extract file systems
  • Automatic identification and extraction of firmware footers, such as those used by the TEW-632BRP
  • Automatic identification of the correct SquashFS version and compression to use
  • Support for identifying and patching multiple headers inside a single firmware image

Usage is simple. To extract a firmware image, run:

$ ./extract-ng.sh firmware.bin

The extracted file system will be saved to fmk/rootfs. After modifying the root file system, the new firmware image can be re-built by running:

$ ./build-ng.sh

Additionally, several new tools have been added to the kit, including:

  • New un/squashfs utilities
  • New uncramfs utilities
  • crcalc, a tool to update uImage and TRX checksums

The extract-ng.sh and build-ng.sh tools currently support TRX and uImage firmware headers and SquashFS file systems, and should work with most firmware images that use these components. However, they are still in beta testing and should be considered less stable than the older extract_firmware.sh and build_firmware.sh tools.

As always, tread with caution and use at your own risk!