moritz jodeit
play

Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda - PowerPoint PPT Presentation

Jan 31, 2023 •324 likes •1.13k views

Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware Analysis Device Rooting System Architecture Vulndev Environment Remote H.323 Exploit Post Exploitation Who am I? From Hamburg,

  1. Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj

  2. Agenda • Attack Surface • Firmware Analysis • Device Rooting • System Architecture • Vulndev Environment • Remote H.323 Exploit • Post Exploitation

  3. Who am I? • From Hamburg, Germany • Senior Security Consultant at n.runs AG • Strong focus on application security • Did some research on USB security in the past • Enjoys bug hunting

  6. Background

  7. Background • Communication between two or more parties • Transmission over packet-based networks – IP or ISDN • Dedicated vs. Desktop systems

  8. Revenue Market Share Top Five Enterprise Videoconferencing and Telepresence Vendors Cisco (50.6%) Polycom (26.3%) Others (13.1%) Lifesize (5%) Teliris (2.6%) Vidyo (2.5%) Published by IDC for Q1 2012

  9. Polycom • One of the leading vendors • Different telepresence solutions • Most popular units cost up to $25,000 • Polycom customers – Government agencies / ministries worldwide – World’s 10 largest banks – 6 largest insurance companies

  10. Polycom HDX Systems • Popular video conferencing solution • Different configurations (HDX 4000 – 9000) • HDX 7000 HD (our lab equipment) – EagleEye HD camera – Mica Microphone array – Remote control – Connected to ext. display

  11. Attack Surface

  12. Attack Surface

  13. Attack Surface • Polycom HDX Web Interface • Provisioning Service • API Interface (serial console or TCP port 24) • Polycom Command Shell (TCP port 23) • SNMP • Video conferencing protocols – H.323 and SIP

  14. Attack Surface • Polycom HDX Web Interface • Provisioning Service • API Interface (serial console or TCP port 24) • Polycom Command Shell (TCP port 23) • SNMP • Video conferencing protocols – H.323 and SIP

  15. Attack Surface • Polycom HDX Web Interface • Provisioning Service • API Interface (serial console or TCP port 24) • Polycom Command Shell (TCP port 23) • SNMP • Video conferencing protocols – H.323 and SIP

  16. Attack Surface • Polycom HDX Web Interface • Provisioning Service • API Interface (serial console or TCP port 24) • Polycom Command Shell (TCP port 23) • SNMP • Video conferencing protocols – H.323 and SIP

  17. Attack Surface • Polycom HDX Web Interface • Provisioning Service • API Interface (serial console or TCP port 24) • Polycom Command Shell (TCP port 23) • SNMP • Video conferencing protocols – H.323 and SIP

  18. Firmware Analysis

  19. Firmware Analysis • Software updates at support.polycom.com • ZIP archives contain single PUP files • Manual installation or via provisioning server • Analysis based on version 3.0.5

  20. PUP File Structure

  21. PUP File Structure • PUP file header • Bootstrap archive – Bootstrap code to install update – Main functionality in setup.sh script • Update package

  22. PUP Header • Figuring out the PUP header file format • Found puputils.ppc in extracted firmware – Polycom Update Utilities – Used to verify and install updates – Can be run inside Qemu (Debian on PPC)

  23. PUP Header • Every PUP file starts with fixed PUP file ID – “PPUP” or “PPDP” • Several fixed-size fields – Padded with null bytes

  24. Length (bytes) Description 5 PUP File ID 4 Header Version 20 Header MAC Signature 32 Processor Type 32 Project Code Name 16 Software Version 16 Type of Software 32 Hardware Model 16 Build Number 32 Build Date 16 Build By 16 File Size (without header) 5 Compression algorithm 445 Supported Hardware 81 Signature (ASN.1 encoded)

  25. Length (bytes) Description 5 PUP File ID 4 Header Version 20 Header MAC Signature 32 Processor Type 32 Project Code Name 16 Software Version 16 Type of Software 32 Hardware Model 16 Build Number 32 Build Date 16 Build By 16 File Size (without header) 5 Compression algorithm 445 Supported Hardware 81 Signature (ASN.1 encoded)

  26. Header HMAC • Header HMAC value stored in PUP header • Verification process 1. Set Header HMAC field to zero 2. Calculate HMAC over PUP header 3. Compare result with stored value 4. Abort update if result doesn’t match

  27. Header HMAC

  28. Header HMAC • Secret is required for verification – Must be stored on the device – Can be extracted :) • Hardcoded in puputils.ppc binary

  29. Header HMAC • Secret is required for verification – Must be stored on the device – Can be extracted :) • Hardcoded in puputils.ppc binary

  30. Header HMAC • With the secret we can calculate a valid HMAC • We didn’t reverse the used HMAC algorithm – We don’t even need a debugger – The correct HMAC is part of the error message!

  31. Public Key DSA Signature • Second protection to prevent file tampering • Used in addition to the header HMAC • Verifies integrity of the whole file – Including the PUP header • Signature is stored in PUP header – ASN.1 encoded form • No further analysis conducted

  32. Device Rooting

  33. Device Rooting • No system level access to the device • Reasons for getting root access – Simplifies bug hunting – More device control for fuzzing • Process monitoring • Restarting processes – Makes exploit development a lot easier

  34. HDX Boot Modes • HDX offers two boot modes – Production vs. Development

  35. Development Mode • Used by Polycom internally • Can still be enabled in released firmware • Enables NFS-mounted developer workspace • Enables telnet server on port 23 • Allows root login without password

  36. Enabling Development Mode • Development mode enabled in startup script – U-Boot environment variable devboot • Flash variable othbootargs – Stores additional kernel parameters – Can be used to set devboot variable • Modifying flash variables...

  37. Polycom Command Shell • Provided on TCP port 23 or serial console

  38. Polycom Command Shell • Commands to read/write flash variables – printenv and setenv

  39. Device Rooting

  40. Development Mode • Not all services enabled in this mode – End-user services not running – Web interface not started • Just add permanent root access – E.g. in /etc/inetd.conf.production • Switch back to production mode – /opt/polycom/bin/devconvert normal

  41. Device Rooting – Method #2 • Use command injection to root the device • Not too hard to find (at least in v3.0.5) • Example: Firmware Update Functionality – PUP filename embedded in shell command – Just use the following PUP filename test;logger PWNED;#.pup

  42. Device Rooting – Method #2

  43. Problems with previous Methods • Described rooting methods not long-lasting – Bugs get fixed • We could just try to find new bugs – Unpredictable time investment – Increases effort

  44. Device Rooting – Method #3 • We know the old bugs • Strategy – Downgrade to old (vulnerable) firmware – Exploit known vulnerability & persist – Re-upgrade to current version • Removal of downgrade feature less likely

  45. System Architecture

  46. System Architecture • PowerPC based Linux system • Kernel 2.6.33.3 • U-Boot boot loader • Comes with standard binaries – busybox – wget – gdbserver – …

  47. Filesystem Partition Description Mounted /dev/hda1 Boot related files, Linux kernel image ro /dev/hda2 Root file system ro /dev/hda3 Log and configuration files rw /dev/hda4 Factory restore file system -- • Polycom-specific files reside in /opt/polycom – Binaries – Configuration files

  48. Configuration Files • Stored as .dat files in /opt/polycom/dat • One configuration setting per file • Text-based files – One or more lines of text

  49. Main Processes • AppMain Java Process – GUI – Web interface functionality – User authentication + crypto functionality • Polycom AVC – H.323 – SIP

  50. AppMain Java Process • Code scattered around several JAR files – /opt/polycom/bin/*.jar • Running as root

  51. AppMain Java Process • Good place to look for web interface bugs – Lighttpd communicates with FastCGI – Every CGI handler extends class polycom.web.CGIHandler – Can easily be identified during code audits • Also implements user authentication – For all device interfaces – Place to look for auth bypasses / backdoors

  52. Polycom AVC • Implemented in /opt/polycom/bin/avc • Huge non-stripped binary (~ 50 MB) • Implemented in C • Running as root • E.g. implementation of H.323 and SIP – and many other complicated protocols… • What could possibly go wrong? :)

  53. Polycom AVC • The place to look for bugs in videoconferencing protocols • > 800 xrefs to strcpy() • > 1400 xrefs to sprintf() • No exploit mitigations at all • Easy to reverse engineer due to symbols

  54. Vulndev Environment

  55. Remote Debugging • Working debug environment helps – Eases bug hunting – Simplifies exploit development process • Debugging on the device – No option due to memory constraints • HDX systems come with gdbserver – Use powerpc-linux-gdb for remote debugging – Don’t forget to specify remote shared libs

  56. Remote Debugging • Remotely attaching to debug stub…

Recommend

A Stepping Stone into your Kernel Moritz

A Stepping Stone into your Kernel Moritz

2009 A Stepping Stone into your Kernel Moritz Jodeit, Martin Johns Agenda USB intro Motivation Attack surface Vulnerability identification Hardware-aided approach

615 views • 32 slides
fpga manager & device tree overlays moritz fischer moritz.fischer@ettus.com

fpga manager & device tree overlays moritz fischer moritz.fischer@ettus.com

fpga manager & device tree overlays moritz fischer moritz.fischer@ettus.com mfischer embedded sdr wtf?! what does that even mean embedded sdr? come see other talks tomorrow @ sdr track so why care about fpgas? performance

835 views • 46 slides
Wealth and Income Inequality in America 1949 - 2013 Moritz Kuhn Moritz Schularick Ulrike I.

Wealth and Income Inequality in America 1949 - 2013 Moritz Kuhn Moritz Schularick Ulrike I.

Wealth and Income Inequality in America 1949 - 2013 Moritz Kuhn Moritz Schularick Ulrike I. Steins WID.World Conference, PSE December 15, 2017 What we are asking We know a lot about income or wealth concentration at the to But

607 views • 49 slides
o Impact of different Geant4 effects and Genfit MSC models on Si-tracking Moritz Nadler

o Impact of different Geant4 effects and Genfit MSC models on Si-tracking Moritz Nadler

o Impact of different Geant4 effects and Genfit MSC models on Si-tracking Moritz Nadler Institute of High Energy Physics Austrian Academy of Sciences March 2012 Moritz Nadler 1 HEPHY Wien & BELLE Collaboration Overview I will mainly

439 views • 18 slides
STRATEGIES FOR KNOWLEDGE DISCOVERY Workshop: The Scent of Information Moritz Stefaner // Linz //

STRATEGIES FOR KNOWLEDGE DISCOVERY Workshop: The Scent of Information Moritz Stefaner // Linz //

STRATEGIES FOR KNOWLEDGE DISCOVERY Workshop: The Scent of Information Moritz Stefaner // Linz // Feb 13, 2009 MORITZ STEFANER B.Sc. Cognitive Science University of Osnabrck M.A. Interface Design FH Potsdam Freelance information visualizer

352 views • 20 slides
Measurement of from B DK and related modes at LHCb Till Moritz Karbach CERN

Measurement of from B DK and related modes at LHCb Till Moritz Karbach CERN

Measurement of from B DK and related modes at LHCb Till Moritz Karbach CERN moritz.karbach@cern.ch FPCP, May 2013 Outline I. LHCb measurements B Dh, followed by: two-body GLW/ADS GLW: D CP final states 22 observables

648 views • 49 slides
Scripting with Bash Compact Course @ MPE Moritz August March 14 - 16, 2017 Moritz August:

Scripting with Bash Compact Course @ MPE Moritz August March 14 - 16, 2017 Moritz August:

Scripting with Bash Compact Course @ MPE Moritz August March 14 - 16, 2017 Moritz August: Scripting with Bash Compact Course @ MPE, March 14 - 16, 2017 1 Part IV Working Remotely And More Moritz August: Scripting with Bash Compact Course

473 views • 8 slides
GRASS GIS Development APIs @ Moritz Lennert, based on a presentation design by Markus Neteler

GRASS GIS Development APIs @ Moritz Lennert, based on a presentation design by Markus Neteler

GRASS GIS Development APIs @ Moritz Lennert, based on a presentation design by Markus Neteler Lifting the fog on the different ways to develop with and for GRASS CC-BY-SA license Moritz Lennert Member of the GRASS GIS Project Steering

415 views • 22 slides
Spin Tracking Studies for Polarimetry at the ILC Moritz Beckmann DESY - FLC visiting SLAC

Spin Tracking Studies for Polarimetry at the ILC Moritz Beckmann DESY - FLC visiting SLAC

Spin Tracking Studies for Polarimetry at the ILC Moritz Beckmann DESY - FLC visiting SLAC May-August 2010 IWLC, Geneva October 20, 2010 Moritz Beckmann IWLC Oct 20, 2010 1/ 16 Introduction Polarization is planned to be measured at the

533 views • 28 slides
General gauge mediation in higher dimensions Moritz McGarrie NEXT Workshop, July 2011 Based on

General gauge mediation in higher dimensions Moritz McGarrie NEXT Workshop, July 2011 Based on

General gauge mediation in higher dimensions Moritz McGarrie NEXT Workshop, July 2011 Based on arXiv:1004.3305 M.M., Rodolfo Russo arXiv:1009.0012 M.M. arXiv:1009.4696 M.M., Daniel Thompson arXiv:1101.5158 M.M. Moritz McGarrie (Queen Mary,

280 views • 27 slides
(Ab)using Google's Chromium EC for your own projects Building Franken Chrome Devices Moritz

(Ab)using Google's Chromium EC for your own projects Building Franken Chrome Devices Moritz

(Ab)using Google's Chromium EC for your own projects Building Franken Chrome Devices Moritz Fischer - Senior Software Engineer National Instruments $whoami Moritz Fischer Embedded Software Engineer @ National Instruments Work on the

587 views • 43 slides
TA K I N G F E R G U S O N S E R I O U S LY Amna Akbar Assistant Professor Moritz College of

TA K I N G F E R G U S O N S E R I O U S LY Amna Akbar Assistant Professor Moritz College of

1 0 T H I N G S T O C O N S I D E R TA K I N G F E R G U S O N S E R I O U S LY Amna Akbar Assistant Professor Moritz College of Law, The Ohio State University Black people are angry because of the way we're treated, the way the police,

445 views • 15 slides
Adjoint Derivative Computation Moritz Diehl and Carlo Savorgnan Adjoint Derivative Computation

Adjoint Derivative Computation Moritz Diehl and Carlo Savorgnan Adjoint Derivative Computation

Adjoint Derivative Computation Moritz Diehl and Carlo Savorgnan Adjoint Derivative Computation Moritz Diehl and Carlo Savorgnan 1/16 There are several methods for calculating derivatives: 1 By hand 2 Symbolic differentiation 3 Numerical

260 views • 24 slides
Sui Phang, Mark Moritz, Sarah Laborde, Michael Durand, Alfonso Fernandez Rivera, Ian

Sui Phang, Mark Moritz, Sarah Laborde, Michael Durand, Alfonso Fernandez Rivera, Ian

1 A dam by a thousand canals - Modelling Regime Shifts in the Logone (MORSL) Global Conference On Inland Fisheries FAO Headquarters, Rome, Italy January 26 28 2015 Drivers and Synergies Sui Phang, Mark Moritz, Sarah Laborde, Michael

278 views • 14 slides
Scripting with Bash Compact Course @ MPE Moritz August March 14 - 16, 2017 Moritz August:

Scripting with Bash Compact Course @ MPE Moritz August March 14 - 16, 2017 Moritz August:

Scripting with Bash Compact Course @ MPE Moritz August March 14 - 16, 2017 Moritz August: Scripting with Bash Compact Course @ MPE, March 14 - 16, 2017 1 Part I Bash Basics Moritz August: Scripting with Bash Compact Course @ MPE, March 14

378 views • 24 slides
What does strong causal influence mean? Joint work with David Balduzzi, Moritz

What does strong causal influence mean? Joint work with David Balduzzi, Moritz

What does strong causal influence mean? Joint work with David Balduzzi, Moritz Grosse-Wentrup and Bernhard Sch olkopf Dominik Janzing Max Planck Institute for Intelligent Systems T ubingen, Germany 1 Quantifying strength of

1.38k views • 48 slides
Profits of honour: Justice and moneymaking in classical Greece Moritz Hinsch

Profits of honour: Justice and moneymaking in classical Greece Moritz Hinsch

Dresden, June 7th 2019: Hybris, ancient and modern Profits of honour: Justice and moneymaking in classical Greece Moritz Hinsch Humboldt-Universitt zu Berlin I. The nature of the problem and the state of debate a) Ethics vs.

620 views • 32 slides
Data Visualization with Vega-Lite and Altair With many collaborators: Dominik Moritz

Data Visualization with Vega-Lite and Altair With many collaborators: Dominik Moritz

Data Visualization with Vega-Lite and Altair With many collaborators: Dominik Moritz @domoritz Kanit Wongsuphasawat Arvind Satyanarayan Jeffrey Heer Interactive Data Lab @uwdata Jake VanderPlas University of Washington and many more

824 views • 20 slides
DELEGATEE: BROKERED DELEGATION USING TRUSTED EXECUTION ENVIRONMENTS Sinisa Matetic, Moritz

DELEGATEE: BROKERED DELEGATION USING TRUSTED EXECUTION ENVIRONMENTS Sinisa Matetic, Moritz

DELEGATEE: BROKERED DELEGATION USING TRUSTED EXECUTION ENVIRONMENTS Sinisa Matetic, Moritz Schneider, Andrew Miller, Ari Juels, Srdjan Capkun OVERVIEW 1. Introduction 2. Motivations and Problem Statement 3. DelagaTEE 4. Security Analysis 5.

946 views • 46 slides
Orticolario 2017 Reaching out to the Moon In the ever-welcoming Casa Ethimo in Milan, Moritz

Orticolario 2017 Reaching out to the Moon In the ever-welcoming Casa Ethimo in Milan, Moritz

Orticolario 2017 Reaching out to the Moon In the ever-welcoming Casa Ethimo in Milan, Moritz Mantero (Orticolarios founder and president) unveils the essence of the ninth edition of the cultural event dedicated to the passion for gardening,

110 views • 10 slides
The More the Merrier: Efficient Multi-Source Graph Traversal Manuel Then * , Moritz Kaufmann * ,

The More the Merrier: Efficient Multi-Source Graph Traversal Manuel Then * , Moritz Kaufmann * ,

The More the Merrier: Efficient Multi-Source Graph Traversal Manuel Then * , Moritz Kaufmann * , Fernando Chirigati , Tuan-Anh Hoang-Vu , Kien Pham , Huy T. Vo , Alfons Kemper * , Thomas Neumann * * Technische Universit t M

491 views • 37 slides
Kira Phil Ninh Moritz Schacht Zajonz Sophie Rotgeri Sak Zirai

Kira Phil Ninh Moritz Schacht Zajonz Sophie Rotgeri Sak Zirai

Kira Phil Ninh Moritz Schacht Zajonz Sophie Rotgeri Sak Zirai Marie Timcke Elena Erdmann @daten_drang | @journocode https://www.rbb24.de/politik/beitrag/2018/06/dre

432 views • 3 slides
Reconfiguration of Common Independent Sets of Matroids Moritz M uhlenthaler TU Dortmund

Reconfiguration of Common Independent Sets of Matroids Moritz M uhlenthaler TU Dortmund

Reconfiguration of Common Independent Sets of Matroids Moritz M uhlenthaler TU Dortmund Aussois, 2018 Moritz M uhlenthaler (TU Dortmund) Aussois, 2018 1 / 21 Reconfiguration of Common Independent Sets of Matroids Moritz M

416 views • 28 slides
f2py: Pythons interface to the world of number crunching CodeJam08 Moritz Helias

f2py: Pythons interface to the world of number crunching CodeJam08 Moritz Helias

f2py: Pythons interface to the world of number crunching CodeJam08 Moritz Helias introduction f2py: part of numpy wrapping fortran (or C) code into a python module frequently needed to make special numerical functions available

339 views • 8 slides

More recommend