Fuzzing usb modems rahu_sasi


Published on

Published in: Technology, Business

Fuzzing usb modems rahu_sasi

  1. 1. http://Garage4Hackers.com Fuzzing USB Modems [CanSecWest 2013] Rahul Sasi @fb1h2s http://www.garage4hackers.com/blogs/8/sms- shell-fuzzing-usb-internet-modems-1082/
  2. 2. http://Garage4Hackers.com Disclaimer I don‟t own any of the images I have used in these slides, and I don‟t know whom to give credits for other than Google, so don‟t come crying back to me with copyright crap . I might have copy/pasted diagrams from other websites and articles and I do not remember all the sites to give credits to, so don‟t be a kid just deal with it. References would be there in the actual white paper.
  3. 3. http://Garage4Hackers.com Who am IRahul Sasi aka fb1h2s. Admin Member at Team [Garage4hackers.com] Work as a Security Researcher . I was invited to present my researches at: Blackhat[Europe], Blackhat Arsenal[ Las Vegas], HITB[Amsterdam], HITB[Malaysia], Nullcon [Goa 2010-2013], NullCon [Delhi], Ekoparty [ Argentina] , Cocon[2012-2013] CanSecwest [Canada]
  4. 4. http://Garage4Hackers.com What I do at work
  5. 5. http://Garage4Hackers.com What I do at Work. 14% 19% 19%10% 5% 33% At work 15% Reverse Engineer 20% Build Tools 19% Exploit Analysis 10% Malware Analysis 5% Play counter strike
  6. 6. http://Garage4Hackers.com What I do [at Home ] 20% 20% 13% 19% 28% At Home Exploit Writing Code for KXP Try out Food Watch Porn Facebook
  7. 7. http://Garage4Hackers.com Agenda Introduction to USB Data modems. Fuzzing USM modem dialer applications. DOS attacks via SMS. Phishing Attacks via SMS. Fuzzing Device Drivers Demo Potential Code execution .
  8. 8. http://Garage4Hackers.com Why a security talk on USB modems 80 million devices in 2010 [It should be more now] http://www.efytimes.com/e1/fullnews.asp?edid=4765 0 Is security risk all about the market share of the device. Yes, USB devices are so popular and is owned by a lot of guys. o So is this the only reason we consider this for a security audit??
  9. 9. http://Garage4Hackers.com What was my interest in USB Data modems.
  10. 10. http://Garage4Hackers.com Spot the Similarity Tata Photon, Reliance Net connect , Idea Net setter, Airtel 3g, Bsnl 3G All the above products are USB modems sold in India by different Tele service vendors for different prices. And all of them are made by Huawei :D .
  11. 11. http://Garage4Hackers.com USB wireless modemsA USB modem used for mobile broadband Internet, aka dongle is widely used these days. They use the USB port on you're computer to make it connect to a GSM/CDMA network there by creating a PPPoE(Point to Point protocol over Ethernet) interface to your computer. Default comes a dialer software either written by the hardware manufacture customized for the mobile supplier. They also come bundled with device driver.
  12. 12. http://Garage4Hackers.com The most important thing. The mobile phone service providers distribute |sell these modems. These modems have a phone no which lies in a particular series, so all the phone numbers end with xxxxxx1000 to xxxxxx2000 would be running a particular version of USB modem dialer software so the impact is large. This means mass exploitation since u know were your targets are. It would be like an ms08-067 with an additional benefit of knowing where your targets are.
  13. 13. http://Garage4Hackers.com More on USB modems These devices when plugged in to a computer detects as a CDFS file systems and has the following software's in it.  Network Manager  Device driver  Modem dialer These software's comes bundled as a package and need to be installed on the host computer to connect to the internet . Software Included in Huawei Mobile Connect.
  14. 14. http://Garage4Hackers.com Architecture USB Modem Device Drivers Dialer App Network Manager
  15. 15. http://Garage4Hackers.com Device Driver The device driver usually provide interrupt handling for asynchronous hardware interface. They allow the host machine to communicate to the USB interface. A device driver package for Win , Mac ,Linux is included with all these devices.
  16. 16. http://Garage4Hackers.com Modem Dialer This software interacts with the modem using AT commands, and dials a connection to establish an internet connection over 3g/4g. One of the interesting features that are added to these dialer software‟s is an interface to read/sent SMS from your computer directly. This is mainly done for sending promotion offers and advertising [Fuck u SMS Spammers]. Network Manager: Manages the Network
  17. 17. http://Garage4Hackers.com What do we Attack Application Inputs for Remote Attacks: o Spear Phishing SMS campaigns. o SMS Parsing Module. Application Input for Local Attacks. o Device Drivers
  18. 18. http://Garage4Hackers.com Phishing SMS campaigns. Video Here: http://www.garage4hackers.com/blogs/8/sms- shell-fuzzing-usb-internet-modems-1082/
  19. 19. http://Garage4Hackers.com Social Engineering Attack I Found this trick back in college 4 years back. It still work‟s like a charm . Finding Personal Info of any Phone number: The security question for any sort of info on you‟r personal details is you're last recharge value. Call customer service , give them the no u need to track. Bluff to the service guy u did a recharge for „n‟ amount and that it was never reflected in you're account. He will read out all past recharges for you :D . Use that details to make a second call , and get access to any one‟s personal info.
  20. 20. http://Garage4Hackers.com SMS Parsing Module. These SMS modules added to the dialers, simply check the connected USB modem for incoming SMS messages. If any new message is found it‟s parsed and moved to a local sqlite database, which is further used to populate the SMS viewer. Parsing take place with out user interaction.
  21. 21. http://Garage4Hackers.com
  22. 22. http://Garage4Hackers.com Understanding SMS When an SMS is sent, its delivered to MSC[ message service center] SMSC will further sent the message to the recipient. The SMS messages is limited to 160 [7 bit chars] to 140 [8 bit chars] or 70 [16 bit chars] . SMS concatenation is used to send a single large message exceeding 160 chars to be sent over as multiple SMS and the receiver puts them together as single SMS. Can also deliver Binary data [OTA Configs, Ringtones]
  23. 23. http://Garage4Hackers.com Parser Working Video here: http://www.garage4hackers.com/blogs/8/sms- shell-fuzzing-usb-internet-modems-1082/
  24. 24. http://Garage4Hackers.com GSM 7 bit Ascii Encoding
  25. 25. http://Garage4Hackers.com SMS Handling By Modem Dialer When an SMS arrives at a modem the parser queries the modem using AT codes and retrieve the incoming SMS. Response would be “AT” result code and SMS [pdu] DU (protocol description unit) | text. [Dialer] AT+ Command [Modem] Response
  26. 26. http://Garage4Hackers.com The SMS PDU Format This Is how an SMS u sent out looks like. 07911356131313F311000A9260214365870008AA5 2004800650020006400750064006500200068006F 0077007A002000740068006500200063006F006E0 066006500720065006E0063006500200067006F00 69006E0067002E002000210040002300240025005
  27. 27. http://Garage4Hackers.com Understanding PDU Format
  28. 28. http://Garage4Hackers.com Understanding PDU Format
  29. 29. http://Garage4Hackers.com Making the Fuzz Payloads SMS attacks presented by Collin Mulliner, Charlie Miller and Nico Golde in 2010 -2011. They released a fuzzer that can fuzz mobile phone by SMS along with test cases [PDU] format. Just steel it.
  30. 30. http://Garage4Hackers.com Phase 1: My Simple Fuzz Read PDU Add Victim No and SMSC Sent to Victim If no crash on Victim Do it again
  31. 31. http://Garage4Hackers.com Results: Video here: http://www.garage4hackers.com/blogs/8/sms- shell-fuzzing-usb-internet-modems-1082/
  32. 32. http://Garage4Hackers.com Attacks Possible to Take down n number of systems on the network, just sent one crafted payload to each victims and ka-boom.
  33. 33. http://Garage4Hackers.com Few Interesting Bugs: #Bug-1:
  34. 34. http://Garage4Hackers.com Bug-1[ Non Exploitable ] • If two simultaneous SMS are received on the modem then then you can trigger a UAF[Use after free] , and doing that is fairly simple. • There was no user controlled registers for this bug, or least I could not find one. • So I marked it Non exploitable [Fun Bug]
  35. 35. http://Garage4Hackers.com Bug-2 [Non-Exploitable] App crashes handling service SMS which . We had a partial register control, but I had to classify it non exploitable as it was not that easy. • More technical Details on other bugs and analysis you can read at my Blog soon. http://www.garage4hackers.com/blogs/8/ Lets move on …
  36. 36. http://Garage4Hackers.com Now What:
  37. 37. http://Garage4Hackers.com Jan-26 : Bug Reported to Huawei
  38. 38. http://Garage4Hackers.com Feb 5: No response from them Instead a Chinese New Year Greetings
  39. 39. http://Garage4Hackers.com Feb 11: PSTR sent a mail to my alternate address asking about my Nullcon + CansecWest talk.
  40. 40. http://Garage4Hackers.com More Interactions with them and they closed the bug thread on Feb 26
  41. 41. http://Garage4Hackers.com Analysis Of the Bugs • Currently Huawei does not have an Auto Update , customers will have to manually download install the patched application. • The Dealers do not update there customers on security patches. • So technically almost all device out there that are sold or are yet to be sold runs on a vulnerable version.
  42. 42. http://Garage4Hackers.com Now that we know bugs are there, More Fuzzing
  43. 43. http://Garage4Hackers.com What to Fuzz for WAP Push Operator Logo|Messages Service messages VCARD Concatenation of Message Some support MMS Even though all these are not supported in many of the Modems, some do.
  44. 44. http://Garage4Hackers.com Reverse Engineering DialerWe can reverse the Parser modules to understand the supporting formats and functions to help us in better fuzzing. I didn't spent much time reversing the modules , as most of the things I wanted were available from USB sniffing . I had to spent some time understanding the different SMS formats supported .The same thing could be achieved by reading the manual.
  45. 45. http://Garage4Hackers.com Poor Man‟s Fuzzing
  46. 46. http://Garage4Hackers.com Sniffing USB Traffic: Analyzing USB traffic to better understand the process. On Mac Using USB Prober using http://adcdownload.apple.com/Developer_Tools/ious bfamily_log_release_for_os_x_10.8/iousbfamily516. 4.1log.dmg . On Windows using Usbsnoop pro: http://jaist.dl.sourceforge.net/project/usbsnoop/Snoo pyPro/SnoopyPro-0.22/SnoopyPro-0.22.zip On Linux using Wireshark .
  47. 47. http://Garage4Hackers.com USB Sniffing Video Here: http://www.garage4hackers.com/blogs/8/sms- shell-fuzzing-usb-internet-modems-1082/
  48. 48. http://Garage4Hackers.com AT Commands Extracted from USB logs AT^SYSINFO This command is used to query the current system information, e.g. system service state, domain, roaming or not and SIM card state. +COPS: 0,1,"IDEA",2 This interface enables to query the network state and network selection mode currently registered by the MS. AT+CPMS="SM","SM","SM” The SET command is used to set the message storage media corresponding to the message read/write operations, and return the current use state of the selected media.
  49. 49. http://Garage4Hackers.com How messages are Read We can set the Message storage area in modem by AT+CPMS="SM","SM","SM” The AT+CMGL is used to read messages based on a particular status. Read/Unread messages are categorized based on a status "received unread", "received read", "stored unsent", "stored sent", etc. AT+CMGL="REC UNREAD"
  50. 50. http://Garage4Hackers.com Building Test Cases Collect some SMS [PDU] messages. Mutate them and build you're test cases. Set PDU status to “received unread”. Attach you‟r sim to you‟r fuzzer. AT+CMGW=”+917738222968",145,” received unread"<CR>fuzztest1<Ctrl+z> Write test cases to SIM , you can write 500-1000 test cases based on the storage capacity.
  51. 51. http://Garage4Hackers.com The flow Read SMS PDU Set Sender and SMS Set PDU Unread [write] Attach to Modem
  52. 52. http://Garage4Hackers.com What to Fuzz I downloaded other popular devices that were available in our region and started fuzzing them. And we got multiple crashes [w00t w00t] . One was a memory corruption in parsing Service Center Number. Even though this was exploitable, in actual scenarios you cannot sent an SMS message with an invalid Service Center Number over a GSM network. So that was dead end.
  53. 53. http://Garage4Hackers.com Another Memory Corruption in a Service Message [Exploitable]Exploitation: 1) You're Hex Shell code has to be in SMS PDU format appended along with the text. 2) SMS Concatenation works great to send longer shell codes, but the stack is corrupted with junk each time new shell code is appended. 3) You would not have to worry about ASLR/DEP as they are not compiled with them.
  54. 54. http://Garage4Hackers.com POC We made a working POC [35 byte] shellcode, 1 SMS. The shell code just write‟s to c:// hack.txt. I know it sucks but getting a Metpreter running needed more time and patience than I actually had. Even though Metpreter was my aim, sometimes you fail and you need to accept it  . Probably other skilled hackers in this room could get it done.
  55. 55. http://Garage4Hackers.com Exploitation Video Here: http://www.garage4hackers.com/blogs/8/sms- shell-fuzzing-usb-internet-modems-1082/
  56. 56. http://Garage4Hackers.com Thanks Mail me at: fb1h2s@gmail.com https://twitter.com/fb1h2s http://www.Garage4Hackers.com