Upload File

fuzzing usb modems rahu_sasi

56
http:// Garage4Hackers.com Fuzzing USB Modems [CanSecWest 2013] Rahul Sasi @fb1h2s http://www.garage4hackers.com/ blogs/8/sms-shell-fuzzing-usb- internet-modems-1082/

Upload: rahul-sasi

Post on 20-Jun-2015

4.657 views

Category:

Technology


5 download

Report

Tags:

TRANSCRIPT

  • 1. http://Garage4Hackers.com Fuzzing USB Modems [CanSecWest 2013] Rahul Sasi @fb1h2s http://www.garage4hackers.com/blogs/8/sms- shell-fuzzing-usb-internet-modems-1082/

2. http://Garage4Hackers.com Disclaimer I dont own any of the images I have used in these slides, and I dont know whom to give credits for other than Google, so dont come crying back to me with copyright crap . I might have copy/pasted diagrams from other websites and articles and I do not remember all the sites to give credits to, so dont be a kid just deal with it. References would be there in the actual white paper. 3. http://Garage4Hackers.com Who am IRahul Sasi aka fb1h2s. Admin Member at Team [Garage4hackers.com] Work as a Security Researcher . I was invited to present my researches at: Blackhat[Europe], Blackhat Arsenal[ Las Vegas], HITB[Amsterdam], HITB[Malaysia], Nullcon [Goa 2010-2013], NullCon [Delhi], Ekoparty [ Argentina] , Cocon[2012-2013] CanSecwest [Canada] 4. http://Garage4Hackers.com What I do at work 5. http://Garage4Hackers.com What I do at Work. 14% 19% 19%10% 5% 33% At work 15% Reverse Engineer 20% Build Tools 19% Exploit Analysis 10% Malware Analysis 5% Play counter strike 6. http://Garage4Hackers.com What I do [at Home ] 20% 20% 13% 19% 28% At Home Exploit Writing Code for KXP Try out Food Watch Porn Facebook 7. http://Garage4Hackers.com Agenda Introduction to USB Data modems. Fuzzing USM modem dialer applications. DOS attacks via SMS. Phishing Attacks via SMS. Fuzzing Device Drivers Demo Potential Code execution . 8. http://Garage4Hackers.com Why a security talk on USB modems 80 million devices in 2010 [It should be more now] http://www.efytimes.com/e1/fullnews.asp?edid=4765 0 Is security risk all about the market share of the device. Yes, USB devices are so popular and is owned by a lot of guys. o So is this the only reason we consider this for a security audit?? 9. http://Garage4Hackers.com What was my interest in USB Data modems. 10. http://Garage4Hackers.com Spot the Similarity Tata Photon, Reliance Net connect , Idea Net setter, Airtel 3g, Bsnl 3G All the above products are USB modems sold in India by different Tele service vendors for different prices. And all of them are made by Huawei :D . 11. http://Garage4Hackers.com USB wireless modemsA USB modem used for mobile broadband Internet, aka dongle is widely used these days. They use the USB port on you're computer to make it connect to a GSM/CDMA network there by creating a PPPoE(Point to Point protocol over Ethernet) interface to your computer. Default comes a dialer software either written by the hardware manufacture customized for the mobile supplier. They also come bundled with device driver. 12. http://Garage4Hackers.com The most important thing. The mobile phone service providers distribute |sell these modems. These modems have a phone no which lies in a particular series, so all the phone numbers end with xxxxxx1000 to xxxxxx2000 would be running a particular version of USB modem dialer software so the impact is large. This means mass exploitation since u know were your targets are. It would be like an ms08-067 with an additional benefit of knowing where your targets are. 13. http://Garage4Hackers.com More on USB modems These devices when plugged in to a computer detects as a CDFS file systems and has the following software's in it. Network Manager Device driver Modem dialer These software's comes bundled as a package and need to be installed on the host computer to connect to the internet . Software Included in Huawei Mobile Connect. 14. http://Garage4Hackers.com Architecture USB Modem Device Drivers Dialer App Network Manager 15. http://Garage4Hackers.com Device Driver The device driver usually provide interrupt handling for asynchronous hardware interface. They allow the host machine to communicate to the USB interface. A device driver package for Win , Mac ,Linux is included with all these devices. 16. http://Garage4Hackers.com Modem Dialer This software interacts with the modem using AT commands, and dials a connection to establish an internet connection over 3g/4g. One of the interesting features that are added to these dialer softwares is an interface to read/sent SMS from your computer directly. This is mainly done for sending promotion offers and advertising [Fuck u SMS Spammers]. Network Manager: Manages the Network 17. http://Garage4Hackers.com What do we Attack Application Inputs for Remote Attacks: o Spear Phishing SMS campaigns. o SMS Parsing Module. Application Input for Local Attacks. o Device Drivers 18. http://Garage4Hackers.com Phishing SMS campaigns. Video Here: http://www.garage4hackers.com/blogs/8/sms- shell-fuzzing-usb-internet-modems-1082/ 19. http://Garage4Hackers.com Social Engineering Attack I Found this trick back in college 4 years back. It still works like a charm . Finding Personal Info of any Phone number: The security question for any sort of info on your personal details is you're last recharge value. Call customer service , give them the no u need to track. Bluff to the service guy u did a recharge for n amount and that it was never reflected in you're account. He will read out all past recharges for you :D . Use that details to make a second call , and get access to any ones personal info. 20. http://Garage4Hackers.com SMS Parsing Module. These SMS modules added to the dialers, simply check the connected USB modem for incoming SMS messages. If any new message is found its parsed and moved to a local sqlite database, which is further used to populate the SMS viewer. Parsing take place with out user interaction. 21. http://Garage4Hackers.com 22. http://Garage4Hackers.com Understanding SMS When an SMS is sent, its delivered to MSC[ message service center] SMSC will further sent the message to the recipient. The SMS messages is limited to 160 [7 bit chars] to 140 [8 bit chars] or 70 [16 bit chars] . SMS concatenation is used to send a single large message exceeding 160 chars to be sent over as multiple SMS and the receiver puts them together as single SMS. Can also deliver Binary data [OTA Configs, Ringtones] 23. http://Garage4Hackers.com Parser Working Video here: http://www.garage4hackers.com/blogs/8/sms- shell-fuzzing-usb-internet-modems-1082/ 24. http://Garage4Hackers.com GSM 7 bit Ascii Encoding 25. http://Garage4Hackers.com SMS Handling By Modem Dialer When an SMS arrives at a modem the parser queries the modem using AT codes and retrieve the incoming SMS. Response would be AT result code and SMS [pdu] DU (protocol description unit) | text. [Dialer] AT+ Command [Modem] Response 26. http://Garage4Hackers.com The SMS PDU Format This Is how an SMS u sent out looks like. 07911356131313F311000A9260214365870008AA5 2004800650020006400750064006500200068006F 0077007A002000740068006500200063006F006E0 066006500720065006E0063006500200067006F00 69006E0067002E002000210040002300240025005 27. http://Garage4Hackers.com Understanding PDU Format 28. http://Garage4Hackers.com Understanding PDU Format 29. http://Garage4Hackers.com Making the Fuzz Payloads SMS attacks presented by Collin Mulliner, Charlie Miller and Nico Golde in 2010 -2011. They released a fuzzer that can fuzz mobile phone by SMS along with test cases [PDU] format. Just steel it. 30. http://Garage4Hackers.com Phase 1: My Simple Fuzz Read PDU Add Victim No and SMSC Sent to Victim If no crash on Victim Do it again 31. http://Garage4Hackers.com Results: Video here: http://www.garage4hackers.com/blogs/8/sms- shell-fuzzing-usb-internet-modems-1082/ 32. http://Garage4Hackers.com Attacks Possible to Take down n number of systems on the network, just sent one crafted payload to each victims and ka-boom. 33. http://Garage4Hackers.com Few Interesting Bugs: #Bug-1: 34. http://Garage4Hackers.com Bug-1[ Non Exploitable ] If two simultaneous SMS are received on the modem then then you can trigger a UAF[Use after free] , and doing that is fairly simple. There was no user controlled registers for this bug, or least I could not find one. So I marked it Non exploitable [Fun Bug] 35. http://Garage4Hackers.com Bug-2 [Non-Exploitable] App crashes handling service SMS which . We had a partial register control, but I had to classify it non exploitable as it was not that easy. More technical Details on other bugs and analysis you can read at my Blog soon. http://www.garage4hackers.com/blogs/8/ Lets move on 36. http://Garage4Hackers.com Now What: 37. http://Garage4Hackers.com Jan-26 : Bug Reported to Huawei 38. http://Garage4Hackers.com Feb 5: No response from them Instead a Chinese New Year Greetings 39. http://Garage4Hackers.com Feb 11: PSTR sent a mail to my alternate address asking about my Nullcon + CansecWest talk. 40. http://Garage4Hackers.com More Interactions with them and they closed the bug thread on Feb 26 41. http://Garage4Hackers.com Analysis Of the Bugs Currently Huawei does not have an Auto Update , customers will have to manually download install the patched application. The Dealers do not update there customers on security patches. So technically almost all device out there that are sold or are yet to be sold runs on a vulnerable version. 42. http://Garage4Hackers.com Now that we know bugs are there, More Fuzzing 43. http://Garage4Hackers.com What to Fuzz for WAP Push Operator Logo|Messages Service messages VCARD Concatenation of Message Some support MMS Even though all these are not supported in many of the Modems, some do. 44. http://Garage4Hackers.com Reverse Engineering DialerWe can reverse the Parser modules to understand the supporting formats and functions to help us in better fuzzing. I didn't spent much time reversing the modules , as most of the things I wanted were available from USB sniffing . I had to spent some time understanding the different SMS formats supported .The same thing could be achieved by reading the manual. 45. http://Garage4Hackers.com Poor Mans Fuzzing 46. http://Garage4Hackers.com Sniffing USB Traffic: Analyzing USB traffic to better understand the process. On Mac Using USB Prober using http://adcdownload.apple.com/Developer_Tools/ious bfamily_log_release_for_os_x_10.8/iousbfamily516. 4.1log.dmg . On Windows using Usbsnoop pro: http://jaist.dl.sourceforge.net/project/usbsnoop/Snoo pyPro/SnoopyPro-0.22/SnoopyPro-0.22.zip On Linux using Wireshark . 47. http://Garage4Hackers.com USB Sniffing Video Here: http://www.garage4hackers.com/blogs/8/sms- shell-fuzzing-usb-internet-modems-1082/ 48. http://Garage4Hackers.com AT Commands Extracted from USB logs AT^SYSINFO This command is used to query the current system information, e.g. system service state, domain, roaming or not and SIM card state. +COPS: 0,1,"IDEA",2 This interface enables to query the network state and network selection mode currently registered by the MS. AT+CPMS="SM","SM","SM The SET command is used to set the message storage media corresponding to the message read/write operations, and return the current use state of the selected media. 49. http://Garage4Hackers.com How messages are Read We can set the Message storage area in modem by AT+CPMS="SM","SM","SM The AT+CMGL is used to read messages based on a particular status. Read/Unread messages are categorized based on a status "received unread", "received read", "stored unsent", "stored sent", etc. AT+CMGL="REC UNREAD" 50. http://Garage4Hackers.com Building Test Cases Collect some SMS [PDU] messages. Mutate them and build you're test cases. Set PDU status to received unread. Attach your sim to your fuzzer. AT+CMGW=+917738222968",145, received unread"fuzztest1 Write test cases to SIM , you can write 500-1000 test cases based on the storage capacity. 51. http://Garage4Hackers.com The flow Read SMS PDU Set Sender and SMS Set PDU Unread [write] Attach to Modem 52. http://Garage4Hackers.com What to Fuzz I downloaded other popular devices that were available in our region and started fuzzing them. And we got multiple crashes [w00t w00t] . One was a memory corruption in parsing Service Center Number. Even though this was exploitable, in actual scenarios you cannot sent an SMS message with an invalid Service Center Number over a GSM network. So that was dead end. 53. http://Garage4Hackers.com Another Memory Corruption in a Service Message [Exploitable]Exploitation: 1) You're Hex Shell code has to be in SMS PDU format appended along with the text. 2) SMS Concatenation works great to send longer shell codes, but the stack is corrupted with junk each time new shell code is appended. 3) You would not have to worry about ASLR/DEP as they are not compiled with them. 54. http://Garage4Hackers.com POC We made a working POC [35 byte] shellcode, 1 SMS. The shell code just writes to c:// hack.txt. I know it sucks but getting a Metpreter running needed more time and patience than I actually had. Even though Metpreter was my aim, sometimes you fail and you need to accept it . Probably other skilled hackers in this room could get it done. 55. http://Garage4Hackers.com Exploitation Video Here: http://www.garage4hackers.com/blogs/8/sms- shell-fuzzing-usb-internet-modems-1082/ 56. http://Garage4Hackers.com Thanks Mail me at: [email protected] https://twitter.com/fb1h2s http://www.Garage4Hackers.com


1 Cable modems Cable modems BASIC TELECOMMUNICATIONS

Virtualised USB Fuzzing · 2010. 9. 10. · USB The Fuzzing Results Q&A Stack Stress Test USB Fingerprinting Driver Flaws USB Fingerprinting Targeted attacks OS Packet Sequence Retries

Gsm Fuzzing

File Format Fuzzing in Android - DeepSec · Agenda 2 •File format fuzzing in Android •Fuzzing the Stagefright media framework •Fuzzing the Android application installer •Fuzzing

Configuring USB Modems - Check Point Software · HUAWEI E220 USB HSDPA 230400 AnyData CDMA EVDO USB CDMA 230400 Sierra Wireless AirCard 595U USB EVDO Rev.A/0 Samsung I607 Blackjack

Configuring USB Modems

Fuzzing USB devices using - NCC Group · Fuzzing USB devices using Frisbee Lite Page 4 of 15 2.1. bmRequestType This is a bitmapped field that describes the characteristics of the

RADIO MODEMS RANGE - Adeunis€¦ · Integrated DIN-Rail mount Power supply jack connector SubD9 socket - RS232/485/USB Radio modems description Status LEDs IP53 and IP67 options

Fuzzing Sucks! - Introducing Sulley Fuzzing Framework

USBFuzz: A Framework for Fuzzing USB Drivers by Device ... · Leveraging the USBFuzz framework, we applied coverage-guided fuzzing, the state-of-art fuzzing technique, on a broad

USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation · 2020. 12. 23. · device side, drivers are also not exhaustively tested. Nowa-days, using programmable USB devices

INSTALACIÓN DEL MODEM HUAWEI (MT810) - Hogareshogares.telecom.com.ar/ayudaysoporte/soporte/internet/modems/usb/... · 01 _ Datos útiles 05 _ Instalación 06 _ Desinstalación. INSTALACIÓN

High speed Wi-Fi router for Wireless USB modems ... - Option

Fuzzing Frameworks, Fuzzing Languages?!

Manual do Utilizador do Modem USB - Hayes Micro · 2013. 7. 24. · Modems. No caso do Windows 2000, efectue duplo clique no ícone Telefone e Modems e em seguida clique na tecla

Conversor de TV Digital Terrestre TS 2017 · O conversor poderá ser conectado à internet através do uso de modems externos inseridos às entradas USB disponíveis. Os modems poderão

Security Testing esp. Fuzzing - E. Poll, - cs.ru.nl · Overview • Testing • Abuse cases & negative tests • Fuzzing –dumb fuzzing –generational aka grammar-based fuzzing

Fuzzing sucks!

Fuzzing USB devices using - NCC Group · Fuzzing USB devices using Frisbee Lite Page 13 of 15 4.3. Usage Run FrisbeeLite.py _ and the GUI below should be displayed: The first step

Fuzzing Frameworks

Fuzzing 101

Virtualised USB Fuzzing using QEMU and Scapy - …skill.informatik.uni-leipzig.de/blog/wp-content/uploads/2015/06/... · Intro Fuzzing Results 1 Intro Motivation USB Architecture

Manual do Utilizador do Modem USB - Hayes Micro · Modems. No caso do Windows 2000/XP, efectue duplo clique no ícone Telefone e Modems e em seguida clique na tecla Modems. • Quando

Logical Fuzzing

Implementing an USB Host Driver Fuzzer · Fuzzing “Fuzzing or Fuzz Testing is a software negative testing technique. It uses the fault injection approach, which basically

HIT 55 RS232 HIT 55 USB GSM/GPRS modems - Home | HCP · HIT 55 RS232 HIT 55 USB GSM/GPRS modems. ... Connectors pin-out 4. Power supply ratings 5. RS232 interface description 6. USB

High speed Wi-Fi router for Wireless USB modems Easy-to-use

USB Cellular Modems - Multi-Tech · USB Cellular Modems FEATURES ... With 3G packet data rates, the QuickCarrier USB-D will support highly data-intensive applications such as remote

Configuring USB Modems · PDF fileHUAWEI K4605 USB 8.2 1.4 ... HUAWEI E176G USB HSUPA / HSDPA /EDGE/GPRS 8.1 1.4 HUAWEI E182E USB ... Configuring USB Modems

DIR-825/AC - NetCHEIF · DIR-825/AC Quick Installation Guide Supported USB Modems GSM modems • Alcatel X500 • D-Link DWM-152C1 • D-Link DWM-156A6 • D-Link DWM-156A7 • D-Link

Biswajit Mazumder Rohit Hooda Arpan Chowdhary. What is Fuzzing? Fuzzing techniques Types of Fuzzing Fuzzing explained Case study and changes:

2130961 Compass USB Modems Installation Guide

13 Fuzzing

fuzzing protocol fuzzing model-based testing automated ...erikpoll/ufrj/4_SecurityTesting.pdf · Security Testing fuzzing protocol fuzzing model-based testing automated reverse engineering

Configuring USB/Express Card Modems - Check Point … · Configuring USB/Express Card Modems ... Siemens ER75i USB GPRS/EDGE 8.0 230400 ... HUAWEI E220 USB HSDPA 7.5