SlideShare a Scribd company logo

EMBA - Firmware analysis - Black Hat Asia 2022

M
MichaelM85042

IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for networked devices on which our modern society is based on. In this area, the used operating systems are summarized with the term firmware. The devices themselves, also called embedded devices, are essential in the private and industrial environments as well as in the so-called critical infrastructure. Penetration testing of these systems is quite complex as we have to deal with different architectures, optimized operating systems, and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify and optimize the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities on binary level. This goes far beyond the plain CVE detection: With EMBA you always know which public exploits are available for the target firmware. Besides the detection of already known vulnerabilities, EMBA also supports the tester on the next 0-day. For this, EMBA identifies critical binary functions, protection mechanisms and services with network behavior on a binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more. EMBA is the open-source firmware scanner, created by penetration testers for penetration testers. Project page: https://github.com/e-m-b-a/emba Conference page: https://www.blackhat.com/asia-22/arsenal/schedule/index.html#emba-open-source-firmware-security-testing-26210

Technology
1 of 34
Download to read offline
#BHASIA @BlackHatEvents EMBA Firmware security analyzer @securefirmware https://github.com/e-m-b-a Michael Messner, Pascal Eckmann
#BHASIA @BlackHatEvents # whoami Michael Messner Penetration tester Firmware analysis Hardware analysis Siemens Energy AG @s3cur1ty_de https://github.com/m-1-k-3 @ michael.messner@siemens-energy.com
#BHASIA @BlackHatEvents # whoami Pascal Eckmann Security Research Full Stack Software Developer Siemens AG @_p4cx https://github.com/p4cx @ pascal.eckmann@siemens.com
The landscape
What the firmware analysis • Firmware is the operating system • Linux analysis techniques can be used quite often and are well known • Commercial tools are available, but they are expensive and limited • EMBA has no limits, costs no money and gives the best results
The typical workflow • Do some strings • Do some binwalk • Do some find • Do some regex • Do a lot google • Load something into IDA/Ghidra • Do something
EMBA to the rescue Get the firmware (vendor, hardware) Extract the firmware (e.g., Linux filesystem, Kernel) Analyze the firmware Report all the things Firmware binary file EMBA extractor modules EMBA analyzer modules EMBA live tester modules EMBA final aggregator Web report generator Access the firmware
EMBA Workflow EMBA extractor modules EMBA analyzer modules EMBA live tester modules EMBA final aggregator Access the firmware Web report generator Firmware binary file
Get the firmware • Updates from vendor / web site • Shell access – copy the filesystem via scp, ftp, tftp, nc or to storage device • Other vulnerabilities e.g., command injection • Desolder Flash memory and extract the content • JTAG / SWD • Communication sniffing (e.g., SPI)
EMBA Workflow Firmware binary file EMBA extractor modules EMBA analyzer modules EMBA live tester modules EMBA final aggregator Access the firmware Web report generator
The easiest way Binwalk all the things
That was easy … But what if binwalk fails? You can try to use other tools like Freetz-NG (AVM firmware)
That was easy … What if there are some deb, ipk, or apk packages in the firmware?
The EMBA extraction process EMBA extraction modules Ext/UFS filesystems VMWare images Encrypted images Special binaries Other systems Mount & copy Mount & copy Decrypt (leaked keys) Custom tool Binwalk Identify Linux root filesystem Deep extraction EMBA analyzer FACT extractor Identify Linux root filesystem Identify Linux root filesystem OK Not ok Not ok OK
EMBA Workflow Firmware binary file EMBA extractor modules EMBA analyzer modules EMBA live tester modules EMBA final aggregator Access the firmware Web report generator
Finally, we have something extracted Which files and directories are there? Which binaries, configuration files, … Which architecture are we dealing with? Which binary protections are in use? Which Software versions in use? Is some outdated software in use? Which areas are from the vendor, which are open source? Where are possible weak spots or interesting functions used? Which kernel? Are there hard-coded passwords? Scripting issues (shell, python, php, …)? Insecure permissions? Weak configurations? Public exploits? Dynamic analysis? Reporting EMBA analyzer modules
Don’t reinvent the wheel Multiple Linux tools binwalk Freetz-NG FACT extractor Checksec.sh CVE and CVSS databases CVE-Search CVE-Searchsploit cwe-checker GHIDRA Docker Radare2 fdtdump linux-exploit-suggester OpenSSL uboot mkimage objdump pixd bandit progpilot Qemu shellcheck sshdcc tree unzip sudo parser sshdc Yara and others … See also: https://github.com/e-m-b-a/emba/wiki/Installation#dependencies
#BHASIA @BlackHatEvents Hunting 0days Identify interesting spots
What the 0day? • 0day – unknown vulnerability (There is no patch available) • You have to find the vulnerability by yourself • The goal of every penetration tester is to find 0days • 1day – already known vulnerability (Patches are in theory available) • You have to identify the components with exact version details and match it against a vulnerability database • The goal of every penetration tester is to do this automagically and do not waste time with it
Weak binary functions When using legacy C functions such as strcpy, it’s up to the developer to make sure the size of the buffer to be written to is large enough to avoid buffer overruns. If this is not done properly, it can result in a buffer overflow, causing the program to crash at a minimum. At worst, a carefully crafted overflow can cause malicious code to be executed. Source: https://rules.sonarsource.com/c/RSPEC-1081
Identify interesting spots Create disassembly objdump radare2 Check binary protection mechanisms Weak fct counter Check network functionality Common Linux file
Identify interesting spots See also: https://github.com/darkarnium/secpub/blob/master/Vulnerabilities/Multivendor/ncc2/README.md by @Darkarnium
Identify interesting spots See also: https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc by @stereotype32
#BHASIA @BlackHatEvents The 1day issue
What the 1day? • 0day – unknown vulnerability (There is no patch available) • You have to find the vulnerability by yourself • The goal of every penetration tester is to find 0days • 1day – already known vulnerability (Patches are in theory available) • You have to identify the components with exact version details and match it against a vulnerability database • The goal of every penetration tester is to do this automagically and do not waste time with it
What’s the problem?!? • We are working on the compiled/packed firmware • Mostly no source code with component versions available • No standardised format of version details • No standardised mechanism/parameter on how to get version details
Version detection in EMBA We need a database with regular expressions for the identification of version details
Version detection in EMBA Static analysis Dynamic analysis EMBA database with version identifiers Output generation with Qemu Output generation with string analysis, kernel modules, path details
Version detection in EMBA Match the output against a version dictionary:
We love exploits
Version detection in EMBA
EMBA Workflow Firmware binary file EMBA extractor modules EMBA analyzer modules EMBA live tester modules EMBA final aggregator Access the firmware Web report generator
Demo time
#BHASIA @BlackHatEvents @ pascal.eckmann@siemens.com @ michael.messner@siemens-energy.com EMBA Firmware security analyzer @securefirmware https://github.com/e-m-b-a Michael Messner, Pascal Eckmann

Recommended

EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22
MichaelM85042
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
MichaelM85042
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
MichaelM85042
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
Expeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
Pixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 

Recommended

EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22
MichaelM85042
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
MichaelM85042
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
MichaelM85042
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
Expeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
Pixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
marketingartwork
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
Skeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Lily Ray
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
Rajiv Jayarajah, MAppComm, ACC
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
Christy Abraham Joy
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
Vit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
MindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
GetSmarter
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
Alireza Esmikhani
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
Project for Public Spaces & National Center for Biking and Walking
 

More Related Content

Featured

Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Applitools
 

Featured (20)

AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
 

EMBA - Firmware analysis - Black Hat Asia 2022

  • 2. #BHASIA @BlackHatEvents # whoami Michael Messner Penetration tester Firmware analysis Hardware analysis Siemens Energy AG @s3cur1ty_de https://github.com/m-1-k-3 @ michael.messner@siemens-energy.com
  • 3. #BHASIA @BlackHatEvents # whoami Pascal Eckmann Security Research Full Stack Software Developer Siemens AG @_p4cx https://github.com/p4cx @ pascal.eckmann@siemens.com
  • 5. What the firmware analysis • Firmware is the operating system • Linux analysis techniques can be used quite often and are well known • Commercial tools are available, but they are expensive and limited • EMBA has no limits, costs no money and gives the best results
  • 6. The typical workflow • Do some strings • Do some binwalk • Do some find • Do some regex • Do a lot google • Load something into IDA/Ghidra • Do something
  • 7. EMBA to the rescue Get the firmware (vendor, hardware) Extract the firmware (e.g., Linux filesystem, Kernel) Analyze the firmware Report all the things Firmware binary file EMBA extractor modules EMBA analyzer modules EMBA live tester modules EMBA final aggregator Web report generator Access the firmware
  • 8. EMBA Workflow EMBA extractor modules EMBA analyzer modules EMBA live tester modules EMBA final aggregator Access the firmware Web report generator Firmware binary file
  • 9. Get the firmware • Updates from vendor / web site • Shell access – copy the filesystem via scp, ftp, tftp, nc or to storage device • Other vulnerabilities e.g., command injection • Desolder Flash memory and extract the content • JTAG / SWD • Communication sniffing (e.g., SPI)
  • 10. EMBA Workflow Firmware binary file EMBA extractor modules EMBA analyzer modules EMBA live tester modules EMBA final aggregator Access the firmware Web report generator
  • 11. The easiest way Binwalk all the things
  • 12. That was easy … But what if binwalk fails? You can try to use other tools like Freetz-NG (AVM firmware)
  • 13. That was easy … What if there are some deb, ipk, or apk packages in the firmware?
  • 14. The EMBA extraction process EMBA extraction modules Ext/UFS filesystems VMWare images Encrypted images Special binaries Other systems Mount & copy Mount & copy Decrypt (leaked keys) Custom tool Binwalk Identify Linux root filesystem Deep extraction EMBA analyzer FACT extractor Identify Linux root filesystem Identify Linux root filesystem OK Not ok Not ok OK
  • 15. EMBA Workflow Firmware binary file EMBA extractor modules EMBA analyzer modules EMBA live tester modules EMBA final aggregator Access the firmware Web report generator
  • 16. Finally, we have something extracted Which files and directories are there? Which binaries, configuration files, … Which architecture are we dealing with? Which binary protections are in use? Which Software versions in use? Is some outdated software in use? Which areas are from the vendor, which are open source? Where are possible weak spots or interesting functions used? Which kernel? Are there hard-coded passwords? Scripting issues (shell, python, php, …)? Insecure permissions? Weak configurations? Public exploits? Dynamic analysis? Reporting EMBA analyzer modules
  • 17. Don’t reinvent the wheel Multiple Linux tools binwalk Freetz-NG FACT extractor Checksec.sh CVE and CVSS databases CVE-Search CVE-Searchsploit cwe-checker GHIDRA Docker Radare2 fdtdump linux-exploit-suggester OpenSSL uboot mkimage objdump pixd bandit progpilot Qemu shellcheck sshdcc tree unzip sudo parser sshdc Yara and others … See also: https://github.com/e-m-b-a/emba/wiki/Installation#dependencies
  • 19. What the 0day? • 0day – unknown vulnerability (There is no patch available) • You have to find the vulnerability by yourself • The goal of every penetration tester is to find 0days • 1day – already known vulnerability (Patches are in theory available) • You have to identify the components with exact version details and match it against a vulnerability database • The goal of every penetration tester is to do this automagically and do not waste time with it
  • 20. Weak binary functions When using legacy C functions such as strcpy, it’s up to the developer to make sure the size of the buffer to be written to is large enough to avoid buffer overruns. If this is not done properly, it can result in a buffer overflow, causing the program to crash at a minimum. At worst, a carefully crafted overflow can cause malicious code to be executed. Source: https://rules.sonarsource.com/c/RSPEC-1081
  • 21. Identify interesting spots Create disassembly objdump radare2 Check binary protection mechanisms Weak fct counter Check network functionality Common Linux file
  • 22. Identify interesting spots See also: https://github.com/darkarnium/secpub/blob/master/Vulnerabilities/Multivendor/ncc2/README.md by @Darkarnium
  • 23. Identify interesting spots See also: https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc by @stereotype32
  • 25. What the 1day? • 0day – unknown vulnerability (There is no patch available) • You have to find the vulnerability by yourself • The goal of every penetration tester is to find 0days • 1day – already known vulnerability (Patches are in theory available) • You have to identify the components with exact version details and match it against a vulnerability database • The goal of every penetration tester is to do this automagically and do not waste time with it
  • 26. What’s the problem?!? • We are working on the compiled/packed firmware • Mostly no source code with component versions available • No standardised format of version details • No standardised mechanism/parameter on how to get version details
  • 27. Version detection in EMBA We need a database with regular expressions for the identification of version details
  • 28. Version detection in EMBA Static analysis Dynamic analysis EMBA database with version identifiers Output generation with Qemu Output generation with string analysis, kernel modules, path details
  • 29. Version detection in EMBA Match the output against a version dictionary:
  • 32. EMBA Workflow Firmware binary file EMBA extractor modules EMBA analyzer modules EMBA live tester modules EMBA final aggregator Access the firmware Web report generator
  • 34. #BHASIA @BlackHatEvents @ pascal.eckmann@siemens.com @ michael.messner@siemens-energy.com EMBA Firmware security analyzer @securefirmware https://github.com/e-m-b-a Michael Messner, Pascal Eckmann