COMMSEC: Army of Undead – Tailored Firmware Emulation

This talk will be live streamed on the HITBSecConf Youtube Channel


The exploding number of embedded systems, like network cameras, routers and programmable logic controllers (PLCs) of the past years raise the question how secure these devices are and which connections are established in the background. As these devices are often concepted as closed systems, a popular possibility is emulation of the firmware of such devices. Past projects like FIRMADYNE by Chen et al. and Automated Dynamic Firmware Analysis at Scale by Costin et al. showed that emulation of such devices is possible, but only by doing manual modifications on the Linux kernel and restricted to few architectures.

During this talk, comprehensive methods for tasks like finding the file system root, determining the exact instruction set and emulating the target firmware in an automated manner will be discussed. All these steps can be done by simple scripts and open-source components without changing the code of any kernel.
In contrast to known projects, a wide spectrum of CPU architectures (SH4, PPC, ARMv5/6/7, MIPS/MIPS64 and x86) as well as different init systems (System V / D) can be covered.
Partial emulation of incomplete firmware upgrade files was also done to check libraries for known vulnerabilities. This was achieved by using the combination of Buildroot and QEMU.

The methods, that were tested for the past year, were used for identifying vulnerabilities in various embedded devices without owning the hardware. The overall outcome of different known and unknown vulnerabilities was recorded during a large scale study through over 40 different vendors.
Many of the easily found vulnerabilities could have been avoided while few others, that were more difficult to find, are harder to mitigate.
A smaller count of backdoor-like functionalities were also identified in some of the tested product firmware.

Presentation Outline
——————–

This talk covers smart techniques to build a custom firmware emulation environment by using open-source software like QEMU and Buildroot.
Pre-processing methods of the firmware images and upgrade files are also an essential part of the talk that will be covered in-depth.
All methods were used and evaluated and refined during more than one year of research to ensure that a simple and most effective workflow is condensed together.
Uncovered vulnerabilities had different shapes like backdoor accounts/functionality, outdated and vulnerable software, dangerous functionality and usual web-based vulnerabilities (e.g. XSS).

* Nowadays Firmware
In the first slides, a short introduction about firmware development, firmware storage and distribution is given.
This covers the differences of firmware upgrades and full images that are not always that clear.
Selected methods how firmware is extracted from electronic devices nowadays are also part of this section.

* Detection of Essential Parts
One question is always raising after a firmware image got decompressed: How do we proceed with the mass of separated data now?
This is answered in this section by introducing an easy-scriptable graphical root file detection.
Other techniques for architecture and instruction set detection are also introduced here.
The instruction set was really crucial, especially for ARM devices, as there are many incompatibilities between ARMv5, ARMv6 and ARMv7 as well as some MIPS cores.
Further techniques to determine things like the interpreter (glibc, uclibc), initialization scripts are also discussed in this section.

* Preparing Fake Images
Although the framework Buildroot is designed to develop firmware for real-world devices, it can also be used to create images that run on virtual machines.
This framework can be configured in a way that acts as leverage for Linux based firmware emulation.
The resulting image provides the natural Linux environment with analysis tools (like gdb, valgrind or tcpdump) where the image can be started.
The target firmware that is loaded into this analysis firmware is started with chroot that allows partial emulation, and therefore library testing, too.
These “Frankenstein-images” are considered as undead reincarnations of the original device.

* Monitoring and Debugging
A good portion of coverage can be achieved by using basic Linux commands like ps, top, netstat and tcpdump.
The usage of other monitoring tools like perf are also discussed with regards to firmware emulation in this section.
Another important task is cross-compiling gdb and gdbserver, which is usually a cumbersome step.
The said topics and more is covered here.

* Study
As the presented emulation methods and techniques from the prior sections should be tested, a study from devices of different vendors was done.
Key indicators like up-to-dateness of TPS (Third Party Software) packages, established network connections (also to servers on the internet), opened listeners and other features are part of the study.
The outcomes and observations are presented in this section to the audience.

* Vulnerabilities
Found vulnerabilities (known and unknown) are presented in this section.
Some released vulnerabilities were written by using the prior mentioned methods:
https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-cisco-router-series-rv34x-rv26x-and-rv16x/
https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-wago-852-industrial-managed-switch-series-cve-2019-12550-cve-2019-12549/
0day-vulnerabilities will be released during the talk.

* Conclusion and Further Work
The last section contains the conclusions that were made from the past year and the study.
Methods for emulating firmware that worked and ones that did not are also shown to the audience.
More advanced approaches for further improvements are also part of this last section.
This covers topics like instruction sets in QEMU, recursive library dependency resolving and kernel version hopping.

COMMSEC TRACK
Location: Track 4 / CommSec Date: April 23, 2020 Time: 11:30 am - 12:30 pm Thomas Weber