Sharing a method for quickly finding logic vulnerabilities in devices

  Reprint: https://www.cnblogs.com/pwnfeifei/p/17369551.html

Foreword

I have been working on IoT for almost a year and have found dozens of vulnerabilities, large and small. Although I can still produce results, I have gradually grown bored and tired of manual auditing. During this time I also tried taint analysis, fuzzing and other methods to automate vulnerability discovery, but the results were poor because the targets were not well defined. So I had the idea of writing a tool to assist cross-file analysis of dangerous function calls. Just recently I read

https://conference.hitb.org/hitbsecconf2023ams/materials/D1T1%20-%20Your%20Not%20So%20Home%20Office%20-%20Soho%20Hacking%20at%20Pwn2Own%20-%20McCaulay%20Hudson%20&%20Alex%20Plaskett.pdf

and saw the dcalls tool described there. What it does matches my earlier idea well, but the tool does not appear to be open source, so I tried to implement it myself. After writing it, I feel the results are not bad (but because of limited time and the author's limited ability, the tool still has many bugs; please bear with me). I also remembered that when I was just getting started with IoT, I didn't know how to find vulnerabilities or where to begin, yet I was anxious to get some results. So I wrote this article for everyone who is just getting started and hopes to find vulnerabilities quickly.

The Most Common Logic Vulnerability

In my opinion, the most common logic vulnerability in devices from small and medium-sized manufacturers is command injection. The exploit is simple, the impact is severe, and it usually gives RCE directly. To find command injection quickly, start from the dangerous functions and check whether their parameters can be controlled by the user. Common dangerous functions include system, popen and the exec family (execve and friends). But many manufacturers define their own functions in custom shared libraries and call these dangerous functions inside them; those wrapper functions are the ones we are most likely to overlook. If we notice them during an audit, the probability of finding vulnerabilities rises greatly.

How to Quickly Find Vulnerabilities

fdcalls is a tool I wrote to help find dangerous function calls and possibly dangerous functions. It is open source on GitHub (https://github.com/fxc233/fdcalls).

Next, let's look at how to use this tool to quickly discover possible vulnerabilities and possibly dangerous functions. The tool has two modes. The first mode only matches places in the target file where a command injection vulnerability may exist, and returns the vulnerable point together with the dangerous function call chain. As shown in the figure below, we can then go to the displayed address and judge whether a vulnerability really exists. Because of time constraints I have not tested devices from many different manufacturers, so the script may print some error messages, but as long as it does not abort with an error the analysis still runs normally. The displayed paths may also include false positives.

The second mode displays all possibly dangerous functions. I added this mode because, given the author's limited ability, some function calls may not be handled well, so a dangerous function may be called yet not appear in the paths above. As shown in the figure below, we can see the possibly dangerous functions and the shared libraries that define them. When no vulnerability is found in the paths reported by the first mode, or the first mode reports no paths at all, we can search for these function names in the binary; if a function is present, a vulnerability may still exist there.
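To make the two modes concrete, and to show why the vendor wrapper functions discussed under the previous heading matter, here is an added Python example; it is not fdcalls' own code. It models the step a cross-file tool has to perform after a disassembler has produced each file's call graph: propagate the "reaches system/popen/exec" property across shared-library imports, report functions that also read request input as mode-1 candidates, and list every sink-reaching function per library as mode 2. The call graph, the function names (vd_*, handle_*_cgi, websGetVar) and the input-source heuristic are constructed for this example. The vd_apply_rules entry models the case where a dangerous library function exists but no direct call edge into it is visible, so only mode 2 reports it.

```python
"""Cross-file propagation of dangerous (command-executing) calls.

Added example, not fdcalls' own code. A real tool gets the per-file call graph
from a disassembler; here that step is replaced by a constructed, hand-written
graph so the propagation logic can run offline.
"""

# Sinks that hand a string to a shell or execute a program.
DANGEROUS_SINKS = {"system", "popen", "execve", "execl", "execlp", "execvp"}

# Heuristic sources of attacker-controlled input (an assumption for this
# example): a function that reads web parameters and reaches a sink is a
# mode-1 candidate.
INPUT_SOURCES = {"websGetVar", "getenv", "recv"}

# Constructed call graph, not taken from any real firmware:
#   module -> {function -> [callee, ...]}
# A callee written "module:func" is an import resolved against another module;
# a bare name is either local to the module or an unresolved libc import.
CALL_GRAPH = {
    "libvendor.so": {
        "vd_run_shell": ["snprintf", "system"],
        "vd_set_forward": ["strcpy", "vd_run_shell"],
        "vd_get_mac": ["popen", "fgets"],
        "vd_apply_rules": ["system"],  # reached only indirectly: no edge into it
        "vd_log": ["fprintf"],
    },
    "httpd": {
        "handle_forward_cgi": ["websGetVar", "libvendor.so:vd_set_forward"],
        "handle_status_cgi": ["websGetVar", "libvendor.so:vd_log"],
        "handle_sys_cgi": ["websGetVar", "system"],
    },
}


def _resolve(graph, module, callee):
    """Return (module, func) for a resolvable callee, or (None, name) for a leaf."""
    if ":" in callee:
        mod, func = callee.split(":", 1)
        return (mod, func) if func in graph.get(mod, {}) else (None, func)
    if callee in graph[module]:
        return (module, callee)
    return (None, callee)


def sink_chains(graph):
    """Map every function that can reach a sink to one call chain.

    Result: {"module:func": ["module:func", ..., "system"]}. Chains cross
    module boundaries through the "module:func" imports.
    """
    chains = {}

    def visit(mod, func, on_stack):
        key = f"{mod}:{func}"
        if key in chains:
            return chains[key]
        if key in on_stack:  # recursion guard for cyclic call graphs
            return None
        for callee in graph[mod][func]:
            tmod, tfunc = _resolve(graph, mod, callee)
            if tmod is None:
                if tfunc in DANGEROUS_SINKS:
                    chains[key] = [key, tfunc]
                    return chains[key]
                continue
            sub = visit(tmod, tfunc, on_stack | {key})
            if sub is not None:
                chains[key] = [key] + sub
                return chains[key]
        return None

    for mod in graph:
        for func in graph[mod]:
            visit(mod, func, frozenset())
    return chains


def scan_binary(graph, module):
    """Mode 1: functions in `module` that read input and reach a sink."""
    chains = sink_chains(graph)
    return {
        key: chain
        for key, chain in chains.items()
        if key.startswith(module + ":")
        and INPUT_SOURCES & set(graph[module][key.split(":", 1)[1]])
    }


def library_sinks(graph):
    """Mode 2: sink-reaching functions grouped by the shared library defining them."""
    out = {}
    for key in sink_chains(graph):
        mod, func = key.split(":", 1)
        if mod.endswith(".so"):
            out.setdefault(mod, []).append(func)
    return {mod: sorted(funcs) for mod, funcs in out.items()}


if __name__ == "__main__":
    for chain in scan_binary(CALL_GRAPH, "httpd").values():
        print("possible injection:", " -> ".join(chain))
    for lib, funcs in library_sinks(CALL_GRAPH).items():
        print("dangerous functions in", lib + ":", ", ".join(funcs))
```

Mode 1 reports handle_forward_cgi with the full chain through vd_set_forward and vd_run_shell down to system, and handle_sys_cgi, but not handle_status_cgi, whose only library call never reaches a sink. Mode 2 additionally lists vd_apply_rules and vd_get_mac, which no mode-1 chain covers; those are the names worth grepping for in the target binary, exactly the situation described above.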

Practical application

Here I take a CVE published on GitHub this year (IOT_Vulnerability/LB-Link/WR450H/CVE-2023-26697 at main · kagehutatsu/IOT_Vulnerability · GitHub) to see the effect of the tool. According to the submitted report, the vulnerable function is bs_SetForwardingInfo, defined in ./lib/libshare-0.0.26.so.

The binary we analyze is ./bin/goahead; let's scan it directly with the tool.

Unfortunately the tool could not directly locate the call site of the vulnerable function, but it did identify that this dangerous function exists, which still helps when hunting for vulnerabilities.

Epilogue

I wish everyone new 0days every day. Finally, if you run into bugs while using the tool, you are welcome to raise issues on GitHub.

Link

Project address: GitHub - fxc233/fdcalls

Origin blog.csdn.net/jingdianjiuchan/article/details/130481776