2. http://Garage4Hackers.com
Disclaimer
I don't own any of the images I have used in these slides, and I don't know whom to give credits for other than Google, so don't come crying back to me with copyright crap.
I might have copy/pasted diagrams from other websites and articles and I do not remember all the sites to give credits to, so don't be a kid, just deal with it.
References would be there in the actual white paper.
3. http://Garage4Hackers.com
Who am I
Rahul Sasi aka fb1h2s.
Admin Member at Team [Garage4hackers.com]
Work as a Security Researcher.
I was invited to present my research at:
Blackhat [Europe],
Blackhat Arsenal [Las Vegas],
HITB [Amsterdam],
HITB [Malaysia],
Nullcon [Goa 2010-2013],
NullCon [Delhi],
Ekoparty [Argentina],
Cocon [2012-2013],
CanSecWest [Canada]
5. http://Garage4Hackers.com
What I do at Work.
At work:
15% Reverse Engineer
20% Build Tools
19% Exploit Analysis
10% Malware Analysis
5% Play Counter-Strike
8. http://Garage4Hackers.com
Why a security talk on USB modems
80 million devices in 2010 [It should be more now]
http://www.efytimes.com/e1/fullnews.asp?edid=47650
Is security risk all about the market share of the device?
Yes, USB devices are so popular and are owned by a lot of guys.
o So is this the only reason we consider this for a security audit??
10. http://Garage4Hackers.com
Spot the Similarity
Tata Photon, Reliance Net Connect, Idea Net Setter, Airtel 3G, BSNL 3G
All the above products are USB modems sold in India by different telecom service vendors for different prices.
And all of them are made by Huawei :D .
11. http://Garage4Hackers.com
USB wireless modems
A USB modem used for mobile broadband Internet, aka a dongle, is widely used these days.
They use the USB port on your computer to connect it to a GSM/CDMA network, thereby creating a PPPoE (Point to Point Protocol over Ethernet) interface on your computer.
By default they come with dialer software, written by the hardware manufacturer and customized for the mobile service provider.
They also come bundled with a device driver.
12. http://Garage4Hackers.com
The most important thing.
The mobile phone service providers distribute | sell these modems.
These modems have a phone number which lies in a particular series, so all the phone numbers ending with xxxxxx1000 to xxxxxx2000 would be running a particular version of the USB modem dialer software, so the impact is large.
This means mass exploitation, since you know where your targets are. It would be like an MS08-067 with the additional benefit of knowing where your targets are.
13. http://Garage4Hackers.com
More on USB modems
These devices, when plugged in to a computer, are detected as a CDFS file system containing the following software:
Network Manager
Device driver
Modem dialer
This software comes bundled as a package and needs to be installed on the host computer to connect to the internet.
Software Included in Huawei Mobile Connect.
15. http://Garage4Hackers.com
Device Driver
The device driver usually provides interrupt handling for the asynchronous hardware interface.
It allows the host machine to communicate with the USB interface.
A device driver package for Win, Mac, Linux is included with all these devices.
16. http://Garage4Hackers.com
Modem Dialer
This software interacts with the modem using AT commands, and dials a connection to establish an internet connection over 3G/4G.
One of the interesting features added to these dialer softwares is an interface to read/send SMS directly from your computer.
This is mainly done for sending promotion offers and advertising [Fuck you SMS Spammers].
Network Manager: Manages the Network
17. http://Garage4Hackers.com
What do we Attack
Application Inputs for Remote Attacks:
o Spear Phishing SMS campaigns.
o SMS Parsing Module.
Application Input for Local Attacks:
o Device Drivers
19. http://Garage4Hackers.com
Social Engineering Attack
I found this trick back in college, 4 years back.
It still works like a charm.
Finding Personal Info of any Phone number:
The security question for any sort of info on your personal details is your last recharge value.
Call customer service, give them the number you need to track. Bluff to the service guy that you did a recharge for 'n' amount and that it was never reflected in your account.
He will read out all past recharges for you :D .
Use those details to make a second call, and get access to anyone's personal info.
20. http://Garage4Hackers.com
SMS Parsing Module.
These SMS modules added to the dialers simply check the connected USB modem for incoming SMS messages.
If any new message is found it's parsed and moved to a local sqlite database, which is further used to populate the SMS viewer.
Parsing takes place without user interaction.
22. http://Garage4Hackers.com
Understanding SMS
When an SMS is sent, it's delivered to the SMSC [message service center].
The SMSC will further send the message to the recipient.
An SMS message is limited to 160 [7-bit chars], 140 [8-bit chars] or 70 [16-bit chars].
SMS concatenation is used to send a single large message exceeding 160 chars as multiple SMS, which the receiver puts together as a single SMS.
Can also deliver binary data [OTA configs, ringtones].
25. http://Garage4Hackers.com
SMS Handling By Modem Dialer
When an SMS arrives at a modem, the parser queries the modem using AT commands and retrieves the incoming SMS.
The response would be an AT result code and the SMS as a PDU (protocol data unit) | text.
[Dialer]
AT+ Command
[Modem]
Response
26. http://Garage4Hackers.com
The SMS PDU Format
This is how an SMS you sent out looks like.
07911356131313F311000A9260214365870008AA52004800650020006400750064006500200068006F0077007A002000740068006500200063006F006E0066006500720065006E0063006500200067006F0069006E0067002E002000210040002300240025005
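The decoder below is an added example, not code from these slides or from any vendor's dialer. The PDU on the slide is an outgoing SMS-SUBMIT; the dialer's parser handles the incoming direction, so this example decodes SMS-DELIVER PDUs (3GPP TS 23.040) and goes a step beyond the slide: it handles the 7-bit/8-bit/UCS-2 alphabets and the concatenation header from the "Understanding SMS" slide, and every length field (SMSC length, address length, UDL, UDH length) is checked against the bytes actually present before anything is copied or decoded, which is the check a dialer's SMS module needs before it trusts a message. The spec limits used (11 octets for the SMSC address field, 20 digits for the originator) are from TS 23.040; the sample PDUs used to exercise it are constructed.

```python
"""Bounds-checked decoder for SMS-DELIVER PDUs (3GPP TS 23.040).
Added example, not code from the slides or any vendor dialer: it decodes what a
dialer gets back from AT+CMGL in PDU mode and rejects any PDU whose declared
lengths (SMSC, address, UDL, UDH) disagree with the bytes actually present."""

GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
        " !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
        "¿abcdefghijklmnopqrstuvwxyzäöñüà")      # GSM 7-bit default alphabet
NIBBLE = "0123456789*#abcF"                       # semi-octet digits; F = filler


class PduError(ValueError):
    """Raised when a PDU's declared lengths do not match its bytes."""


def unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit septets; bit 0 of byte 0 starts septet 0."""
    if (septets * 7 + 7) // 8 > len(data):
        raise PduError("7-bit user data shorter than UDL claims")
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def semi_octets(raw: bytes) -> str:
    """Decode BCD digits stored low nibble first, dropping the F filler."""
    return "".join(NIBBLE[b & 0x0F] + NIBBLE[b >> 4] for b in raw).rstrip("F")


def parse_udh(udh: bytes) -> dict:
    """Walk the User Data Header; the concatenation IE (0x00) is extracted."""
    info, pos = {}, 0
    while pos < len(udh):
        if pos + 2 > len(udh) or pos + 2 + udh[pos + 1] > len(udh):
            raise PduError("UDH information element runs past the header")
        iei, iel = udh[pos], udh[pos + 1]
        body = udh[pos + 2:pos + 2 + iel]
        if iei == 0x00 and iel == 3:            # concatenated short message
            info["concat"] = {"ref": body[0], "total": body[1], "seq": body[2]}
        pos += 2 + iel
    return info


def decode_deliver(pdu_hex: str) -> dict:
    """Decode one SMS-DELIVER PDU into its fields, or raise PduError."""
    try:
        raw = bytes.fromhex(pdu_hex)
    except ValueError as exc:
        raise PduError("PDU is not valid hex") from exc
    pos = 0

    def take(n: int) -> bytes:                   # every read is length-checked
        nonlocal pos
        if pos + n > len(raw):
            raise PduError(f"need {n} bytes at offset {pos}, {len(raw) - pos} left")
        chunk, pos = raw[pos:pos + n], pos + n
        return chunk

    # SMSC address: the length octet counts TOA + digit octets, at most 11.
    smsc_len = take(1)[0]
    if smsc_len > 11:
        raise PduError(f"SMSC length {smsc_len} exceeds 11 octets")
    smsc = ""
    if smsc_len:
        toa = take(1)[0]
        smsc = ("+" if toa & 0x70 == 0x10 else "") + semi_octets(take(smsc_len - 1))
    first = take(1)[0]
    if first & 0x03 != 0x00:
        raise PduError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)
    # Originating address: length is in digits, at most 20.
    oa_digits = take(1)[0]
    if oa_digits > 20:
        raise PduError(f"originator length {oa_digits} exceeds 20 digits")
    oa_toa, oa_raw = take(1)[0], take((oa_digits + 1) // 2)
    if oa_toa & 0x70 == 0x50:                    # alphanumeric sender, e.g. "IDEA"
        sender = unpack_7bit(oa_raw, oa_digits * 4 // 7)
    else:
        sender = ("+" if oa_toa & 0x70 == 0x10 else "") + semi_octets(oa_raw)[:oa_digits]
    pid, dcs = take(1)[0], take(1)[0]
    scts = semi_octets(take(7))                  # service centre timestamp digits
    udl = take(1)[0]
    if dcs & 0xC0 == 0x00:                       # general data coding group
        alphabet = (dcs >> 2) & 0x03             # 0 = 7-bit, 1 = 8-bit, 2 = UCS-2
    elif dcs & 0xF0 == 0xF0:                     # "data coding / message class" group
        alphabet = (dcs >> 2) & 0x01
    else:
        alphabet = 3                             # MWI and reserved groups: not handled
    if alphabet == 3:
        raise PduError(f"unsupported DCS 0x{dcs:02x}")
    # UDL counts septets for 7-bit, octets otherwise; the bytes must match exactly.
    ud = take((udl * 7 + 7) // 8 if alphabet == 0 else udl)
    if pos != len(raw):
        raise PduError(f"{len(raw) - pos} trailing bytes after user data")
    udh_info, text_start = {}, 0
    if udhi:
        if not ud or 1 + ud[0] > len(ud):
            raise PduError("UDH length exceeds user data")
        udh_info, text_start = parse_udh(ud[1:1 + ud[0]]), 1 + ud[0]
    if alphabet == 0:
        skip = (text_start * 8 + 6) // 7         # text resumes on a septet boundary
        text = unpack_7bit(ud, udl)[skip:]
    elif alphabet == 2:
        if (len(ud) - text_start) % 2:
            raise PduError("UCS-2 payload has odd length")
        text = ud[text_start:].decode("utf-16-be")
    else:
        text = ud[text_start:].hex()             # 8-bit binary data kept as hex
    return {"smsc": smsc, "sender": sender, "pid": pid, "dcs": dcs,
            "scts": scts, "udh": udh_info, "text": text}
```

Every field is read through `take()`, so a PDU whose UDL, SMSC length or UDH length claims more bytes than were received fails with a PduError instead of reading past the buffer; trailing bytes after the user data are rejected too, since a correct message has none.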
29. http://Garage4Hackers.com
Making the Fuzz Payloads
SMS attacks were presented by Collin Mulliner, Charlie Miller and Nico Golde in 2010-2011. They released a fuzzer that can fuzz mobile phones by SMS, along with test cases in [PDU] format. Just steal it.
34. http://Garage4Hackers.com
Bug-1 [Non Exploitable]
• If two simultaneous SMS are received on the modem then you can trigger a UAF [Use after free], and doing that is fairly simple.
• There were no user controlled registers for this bug, or at least I could not find one.
• So I marked it Non exploitable [Fun Bug]
35. http://Garage4Hackers.com
Bug-2 [Non-Exploitable]
App crashes handling service SMS which .
We had partial register control, but I had to classify it non exploitable as it was not that easy.
• More technical details on other bugs and analysis you can read at my blog soon.
http://www.garage4hackers.com/blogs/8/
Let's move on …
41. http://Garage4Hackers.com
Analysis Of the Bugs
• Currently Huawei does not have an auto update; customers will have to manually download and install the patched application.
• The dealers do not update their customers on security patches.
• So technically almost all devices out there that are sold or are yet to be sold run on a vulnerable version.
43. http://Garage4Hackers.com
What to Fuzz for
WAP Push
Operator Logo | Messages
Service messages
VCARD
Concatenation of Messages
Some support MMS
Even though all of these are not supported in many of the modems, some do support them.
44. http://Garage4Hackers.com
Reverse Engineering Dialer
We can reverse the parser modules to understand the supported formats and functions to help us in better fuzzing.
I didn't spend much time reversing the modules, as most of the things I wanted were available from USB sniffing.
I had to spend some time understanding the different SMS formats supported. The same thing could be achieved by reading the manual.
46. http://Garage4Hackers.com
Sniffing USB Traffic:
Analyzing USB traffic to better understand the process.
On Mac using USB Prober:
http://adcdownload.apple.com/Developer_Tools/iousbfamily_log_release_for_os_x_10.8/iousbfamily516.4.1log.dmg
On Windows using USBSnoop (SnoopyPro):
http://jaist.dl.sourceforge.net/project/usbsnoop/SnoopyPro/SnoopyPro-0.22/SnoopyPro-0.22.zip
On Linux using Wireshark.
48. http://Garage4Hackers.com
AT Commands Extracted from USB logs
AT^SYSINFO
This command is used to query the current system information, e.g. system service state, domain, roaming or not, and SIM card state.
+COPS: 0,1,"IDEA",2
This interface enables querying the network state and the network selection mode currently registered by the MS.
AT+CPMS="SM","SM","SM"
The SET command is used to set the message storage media corresponding to the message read/write operations, and returns the current use state of the selected media.
49. http://Garage4Hackers.com
How messages are Read
We can set the message storage area in the modem by
AT+CPMS="SM","SM","SM"
AT+CMGL is used to read messages based on a particular status.
Read/Unread messages are categorized based on a status: "received unread", "received read", "stored unsent", "stored sent", etc.
AT+CMGL="REC UNREAD"
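The parser below is an added example, not from the slides or from any vendor's dialer. It shows the dialer side of the AT+CMGL exchange: reading the list response back and checking its framing before any PDU reaches the SMS parser. It assumes the modem has been put in PDU mode with AT+CMGF=0 (the slide shows the text-mode form), where each entry is a "+CMGL: <index>,<stat>,[<alpha>],<length>" line followed by one hex PDU line, <stat> is numeric (0 = REC UNREAD) and <length> counts the TPDU octets after the SMSC address. SAMPLE_RESPONSE is a constructed modem reply, not captured output.

```python
"""Frame-check a PDU-mode AT+CMGL response before any PDU is decoded.
Added example, not code from the slides or any vendor dialer.  Assumes
AT+CMGF=0: each entry is "+CMGL: <index>,<stat>,[<alpha>],<length>" on one
line and the hex PDU on the next, with a final OK (or an error code)."""
import re

CMGL_HEADER = re.compile(r"^\+CMGL: (\d+),(\d+),(.*),(\d+)$")
STAT_NAMES = {0: "REC UNREAD", 1: "REC READ", 2: "STO UNSENT", 3: "STO SENT"}

# Constructed modem output: entries 1 and 2 are well formed, entry 3 claims
# more TPDU octets than its PDU holds, and entry 4's PDU line is not hex.
SAMPLE_RESPONSE = (
    "\r\n+CMGL: 1,0,,28\r\n"
    "07917283010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9EC37\r\n"
    "+CMGL: 2,0,,25\r\n"
    "0044049121430008000000000000000A0500032A020100480069\r\n"
    "+CMGL: 3,0,,40\r\n"
    "0004049121430008000000000000000A0500032A020100480069\r\n"
    "+CMGL: 4,1,,12\r\n"
    "ZZZZ\r\n"
    "\r\nOK\r\n"
)


class AtResponseError(ValueError):
    """The final result code was not OK, or the response framing is broken."""


def tpdu_octets(pdu_hex: str) -> int:
    """Octets after the SMSC address field, which is what <length> counts."""
    raw = bytes.fromhex(pdu_hex)                 # ValueError on non-hex input
    if not raw or 1 + raw[0] > len(raw):
        raise ValueError("SMSC length runs past the end of the PDU")
    return len(raw) - 1 - raw[0]


def parse_cmgl(response: str) -> tuple:
    """Return (accepted entries, rejection reasons) for one +CMGL response."""
    lines = [ln for ln in response.split("\r\n") if ln]
    if not lines or lines[-1] != "OK":
        raise AtResponseError(f"modem did not answer OK: {lines[-1:] or 'empty'}")
    entries, rejected, i = [], [], 0
    while i < len(lines) - 1:                    # last line is the OK
        m = CMGL_HEADER.match(lines[i])
        if not m:
            raise AtResponseError(f"unexpected line {lines[i]!r}")
        if i + 1 >= len(lines) - 1 or CMGL_HEADER.match(lines[i + 1]):
            raise AtResponseError(f"entry {m[1]} has no PDU line")
        index, stat, alpha, length = int(m[1]), int(m[2]), m[3], int(m[4])
        pdu = lines[i + 1]
        i += 2
        try:
            actual = tpdu_octets(pdu)
        except ValueError as exc:
            rejected.append(f"index {index}: {exc}")
            continue
        if actual != length:
            rejected.append(f"index {index}: header says {length} TPDU octets, PDU has {actual}")
            continue
        entries.append({"index": index, "stat": STAT_NAMES.get(stat, str(stat)),
                        "alpha": alpha.strip('"'), "pdu": pdu})
    return entries, rejected
```

Only entries whose header length agrees with the PDU line are passed on; the rest are reported with the reason, and a response that does not end in OK (for example a +CMS ERROR) is raised rather than silently treated as an empty inbox.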
50. http://Garage4Hackers.com
Building Test Cases
Collect some SMS [PDU] messages.
Mutate them and build your test cases.
Set the PDU status to "received unread".
Attach your SIM to your fuzzer.
AT+CMGW="+917738222968",145,"REC UNREAD"<CR>fuzztest1<Ctrl+Z>
Write the test cases to the SIM; you can write 500-1000 test cases depending on the storage capacity.
52. http://Garage4Hackers.com
What to Fuzz
I downloaded other popular devices that were available in our region and started fuzzing them.
And we got multiple crashes [w00t w00t].
One was a memory corruption in parsing the Service Center Number. Even though this was exploitable, in actual scenarios you cannot send an SMS message with an invalid Service Center Number over a GSM network.
So that was a dead end.
53. http://Garage4Hackers.com
Another Memory Corruption in a Service Message [Exploitable]
Exploitation:
1) Your hex shellcode has to be in SMS PDU format, appended along with the text.
2) SMS concatenation works great to send longer shellcode, but the stack is corrupted with junk each time new shellcode is appended.
3) You would not have to worry about ASLR/DEP as they are not compiled with them.
54. http://Garage4Hackers.com
POC
We made a working POC [35 byte] shellcode, 1 SMS.
The shellcode just writes to c://hack.txt.
I know it sucks, but getting a Meterpreter running needed more time and patience than I actually had.
Even though Meterpreter was my aim, sometimes you fail and you need to accept it.
Probably other skilled hackers in this room could get it done.