IoT Firmware Exploit Derivation
Data shows that only 5% of CVEs have publicly available exploits.
For the rest, we are left with CVE entries that give only brief information about the vulnerability and its nature.
To exploit such a vulnerability, one has to investigate this partial information and derive a complete understanding of the flaw.
We take as an example a widely used IoT device for which several CVEs were public but no exploits were available at the time of this work.
Disclaimer: since exploitation details are still hardly available publicly, sensitive target-related details are kept discreet to keep it that way.
We start from the CVE for the target IoT device.
We acquire the firmware, which is available for download from the official website.
The .bin file requires further investigation; we use binwalk for this, as shown below.
The files within the .bin image are extracted into a folder, as below.
Further extractions of the same kind retrieve all the folders needed to begin the investigation.
We refer back to the CVE description and search the extracted folders and files for the vulnerable function it mentions.
Opening the file found above shows the function reference, as below, alongside "getRemoteServerContent".
We search for this new reference to understand how the vulnerable function handles the inputs passed to it.
This leads us to the function that handles the user inputs, as below.
Cross-checking against the front-end shown below, we confirm that the function above indeed handles the inputs passed from this window.
Next, the init.d folder contains several files that execute at startup, so we investigate the files that initiate the functionality found above.
Going through the main_wsgi.sh file, we come across the .pyc file shown below.
We further come across several other .pyc files, which cannot be read without decompiling.
We decompile the .pyc files using the tool shown below.
Decompiling all the .pyc files gives us back .py source files that can be consulted for further investigation.
Searching these for the vulnerable function mentioned in the CVE gives the results below.
We thus land on the vulnerable function named in the CVE, shown below.
From this function we understand that the input values are concatenated directly into the command that is executed. An attacker can therefore append their own commands, which are then executed on the server.
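The concatenation flaw class described above, as an added Python illustration that is not the device's own code: a hypothetical handler that builds a shell string from a "remote server" field, beside a hardened rewrite that validates the fields and passes them as an argv list, plus a simple check usable on request logs. The field names, the wget command and the /tmp path are assumptions.

```python
"""Constructed illustration of the command-concatenation bug class and one
hardened rewrite. All names, the wget command and the output path are
hypothetical, not taken from the device firmware discussed above."""
import re
import subprocess

# Allow-list shapes for a hostname (RFC 1123 labels) and a plain relative path.
HOST_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                     r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
PATH_RE = re.compile(r"^[A-Za-z0-9_./-]{1,255}$")


def build_cmd_vulnerable(server: str, path: str) -> str:
    """Vulnerable pattern: untrusted fields are glued into one shell string
    that the service later runs with shell=True. Any shell separator in
    either field becomes a second command."""
    return "wget -q -O /tmp/remote_content http://" + server + "/" + path


def validate_remote(server: str, path: str) -> None:
    """Allow-list validation: accept only a plain hostname and a plain
    relative path; reject '..' segments so the path cannot escape."""
    if not HOST_RE.match(server):
        raise ValueError("invalid server name")
    if not PATH_RE.match(path) or ".." in path.split("/"):
        raise ValueError("invalid path")


def build_argv_hardened(server: str, path: str) -> list[str]:
    """Hardened pattern: validated fields go into an argv list, so no shell
    ever parses them. Run it with shell=False (see fetch_hardened)."""
    validate_remote(server, path)
    return ["wget", "-q", "-O", "/tmp/remote_content",
            "http://%s/%s" % (server, path)]


def fetch_hardened(server: str, path: str) -> int:
    """Execute the hardened command without a shell; returns the exit code."""
    return subprocess.run(build_argv_hardened(server, path), shell=False,
                          check=False, timeout=30).returncode


def looks_like_injection(value: str) -> bool:
    """Log-side check: shell metacharacters in a field that should only ever
    hold a hostname or a path are a strong signal worth alerting on."""
    return any(c in value for c in ";|&`$<>\n")
```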
With this understanding, let's proceed to exploit the vulnerability. We go back to the front-end and pass the values shown below.
Intercepting the request in Burp Suite gives us the capture below.
We prepare the payload to be concatenated with the passed inputs, as below.
The payload pulls a reverse-shell Python file from the attacker's server and executes it on the target IoT device.
The attacker's server hosts this reverse-shell Python file, as below.
We embed the payload in the intercepted Burp request, as below.
Upon sending the request, the reverse-shell Python file is pulled from the attacker's server, as seen below.
Finally, we receive the reverse shell from the target IoT device: its firmware has been successfully exploited.