Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
0 parents
commit 854a41c
Showing 115 changed files with 12,281 additions and 0 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
*.o | ||
*.armel | ||
*.mipseb | ||
*.mipsel | ||
binaries/ | ||
images/ | ||
scratch/ |
@@ -0,0 +1,3 @@ | ||
[submodule "analyses/routersploit"] | ||
path = analyses/routersploit | ||
url = https://github.com/threat9/routersploit |
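Review bot: the submodule at `path = analyses/routersploit` is pinned to the upstream `url = https://github.com/threat9/routersploit`, while the analyses README in this same commit describes it as a "Customized routersploit tool". If the customizations live in a fork, the `url` should point at that fork so that `git clone --recursive` reproduces the tested state; if they are applied as local patches on top of upstream, document where those patches live and how they are applied. Consider also adding a `branch = ...` line so that `git submodule update --remote` tracks a known branch rather than the upstream default.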
@@ -0,0 +1,22 @@ | ||
The MIT License (MIT) | ||
|
||
Copyright (c) 2015 - 2016, Daming Dominic Chen | ||
Copyright (c) 2017 - 2020, Mingeun Kim, Dongkwan Kim, Eunsoo Kim | ||
|
||
Permission is hereby granted, free of charge, to any person obtaining a copy | ||
of this software and associated documentation files (the "Software"), to deal | ||
in the Software without restriction, including without limitation the rights | ||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
copies of the Software, and to permit persons to whom the Software is | ||
furnished to do so, subject to the following conditions: | ||
|
||
The above copyright notice and this permission notice shall be included in all | ||
copies or substantial portions of the Software. | ||
|
||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
SOFTWARE. |
@@ -0,0 +1,90 @@ | ||
# FirmAE | ||
|
||
FirmAE is a fully-automated framework that performs emulation and vulnerability analysis. FirmAE significantly increases the emulation success rate (From [Firmadyne](https://github.com/firmadyne/firmadyne)'s 16.28% to 79.36%) with five arbitration techniques. We tested FirmAE on 1,124 wireless-router and IP-camera firmware images from top eight vendors. | ||
|
||
We also developed a dynamic analysis tool for 0-day discovery, which infers web service information based on the filesystem and kernel logs of target firmware. | ||
By running our tool on the succesfully emulation firmware images, we discovered 12 new 0-days which affect 23 devices. | ||
|
||
# Installation | ||
|
||
Note that we tested FirmAE on Ubuntu 18.04. | ||
|
||
1. Clone `FirmAE` | ||
``` | ||
$ git clone --recursive https://github.com/pr0v3rbs/FirmAE | ||
``` | ||
|
||
2. Run `download.sh` script. | ||
``` | ||
$ ./download.sh | ||
``` | ||
|
||
3. Run `install.sh` script. | ||
``` | ||
$ ./install.sh | ||
``` | ||
|
||
4. Run `init.sh` script. | ||
``` | ||
$ ./init.sh | ||
``` | ||
|
||
# Usage | ||
|
||
1. Prepare a firmware. | ||
|
||
``` | ||
$ wget ftp://ftp.dlink.eu/Products/dir/dir-868l/driver_software/DIR-868L_fw_revB_2-05b02_eu_multi_20161117.zip | ||
``` | ||
|
||
2. Check emulation | ||
``` | ||
$ sudo ./run.sh -c <brand> <firmware> | ||
``` | ||
|
||
3. Run analysis | ||
``` | ||
$ sudo ./run.sh -a <brand> <firmware> | ||
``` | ||
|
||
## Parallel mode | ||
|
||
First, prepare a docker image. | ||
``` | ||
$ sudo ./docker-init.sh | ||
``` | ||
|
||
Then, run one of the below commands. ```-ec``` checks only the emulation, and ```-ea``` checks the emulation and analyzes vulnerabilities. | ||
``` | ||
$ sudo ./docker-helper.py -ec <brand> <firmware> | ||
$ sudo ./docker-helper.py -ea <brand> <firmware> | ||
``` | ||
|
||
# CVEs | ||
|
||
- ASUS: [CVE-2019-20082](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-20082) | ||
- Belkin: [Belkin01](https://github.com/pr0v3rbs/CVE/tree/master/Belkin01) | ||
- D-Link: [CVE-2018-20114](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-20114), [CVE-2018-19986](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990#cve-2018-19986---hnap1setroutersettings), [CVE-2018-19987](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990#cve-2018-19987---hnap1setaccesspointmode), [CVE-2018-19988](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990#cve-2018-19988---hnap1setclientinfodemo), [CVE-2018-19989](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990#cve-2018-19989---hnap1setqossettings), [CVE-2018-19990](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990#cve-2018-19990---hnap1setwifiverifyalpha), [CVE-2019-6258](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-6258), [CVE-2019-20084](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-20084) | ||
- TRENDNet: [CVE-2019-11399](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-11399), [CVE-2019-11400](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-11400) | ||
|
||
# Authors | ||
This research project has been conducted by [SysSec Lab](https://syssec.kr) at KAIST. | ||
* [Mingeun Kim](https://pr0v3rbs.blogspot.kr/) | ||
* [Dongkwan Kim](https://0xdkay.me/) | ||
* [Eunsoo Kim](https://hahah.kim) | ||
* [Suryeon Kim](#) | ||
* [Yeongjin Jang](https://www.unexploitable.systems/) | ||
* [Yongdae Kim](https://syssec.kaist.ac.kr/~yongdaek/) | ||
|
||
# Citation | ||
We would appreciate if you consider citing [our paper](https://syssec.kaist.ac.kr/pub/2020/kim_acsac2020.pdf) when using FirmAE. | ||
```bibtex | ||
@inproceedings{kim:2020:firmae, | ||
author = {Mingeun Kim and Dongkwan Kim and Eunsoo Kim and Suryeon Kim and Yeongjin Jang and Yongdae Kim}, | ||
title = {{FirmAE}: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis}, | ||
booktitle = {Annual Computer Security Applications Conference (ACSAC)}, | ||
year = 2020, | ||
month = dec, | ||
address = {Online} | ||
} | ||
``` |
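Review bot: "By running our tool on the succesfully emulation firmware images" should read "By running our tool on the successfully emulated firmware images", and "from top eight vendors" should read "from the top eight vendors". The Usage section also leaves two things a first-time user needs undocumented: which `<brand>` values `run.sh -c` and `run.sh -a` accept (the D-Link download shows a firmware file but never the matching brand string), and where the emulation check and the analysis write their results. Adding one fully concrete invocation, with the brand string that corresponds to the DIR-868L example, plus a sentence on the output location would remove the guesswork; the same applies to the `docker-helper.py -ec` / `-ea` commands in the Parallel mode section.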
@@ -0,0 +1,9 @@ | ||
This directory contains analyses for the FirmAE system. The public release | ||
of our system includes the following analyses. | ||
|
||
* FirmAE | ||
* `initilzer.py`: Setup default state a target devices' web page. | ||
* `fuzzer`: Dynamic analyses tool which can find command injection and buffer | ||
overflow. | ||
* `routersploit`: Customized routersploit tool. | ||
|
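Review bot: `initilzer.py` does not match the script name `./initializer.py` that `analyses_all.sh` invokes in this same commit; fix the spelling so readers can find the file. The description "Setup default state a target devices' web page" is missing a word and an apostrophe; suggest "Sets up the default state of a target device's web page". Likewise "Dynamic analyses tool which can find command injection and buffer overflow" reads better as "Dynamic analysis tool that finds command injection and buffer overflow vulnerabilities".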
@@ -0,0 +1,32 @@ | ||
#!/bin/bash | ||
|
||
if [ $# -ne 4 ]; then | ||
echo $0: Usage: ./analyses_all.sh [iid] [brand] [target address] [sql ip] | ||
exit 1 | ||
fi | ||
|
||
set -e | ||
set -u | ||
|
||
IID=${1} | ||
BRAND=${2} | ||
TARGET=${3} | ||
PSQL_IP=${4} | ||
LOG_DIR="analyses_log/$BRAND/$IID" | ||
EXPLOIT_DIR="$LOG_DIR/exploits" | ||
|
||
mkdir -p analyses_log | ||
mkdir -p $LOG_DIR | ||
mkdir -p $EXPLOIT_DIR | ||
|
||
sleep 10 | ||
|
||
echo '[*] FirmAE web server initializer' | ||
{ time ./initializer.py $BRAND $TARGET > $LOG_DIR/initializer_log ; } 2> $LOG_DIR/initializer_time | ||
{ time nmap -O -sV $TARGET -oX $LOG_DIR/nmap_log.txt ; } 2> $LOG_DIR/nmap_time | ||
echo '[*] fuzzer' | ||
{ time ./fuzzer/fuzzer.py ci $BRAND $IID $TARGET > $LOG_DIR/fuzzer_log_ci ; } 2> $LOG_DIR/fuzzer_ci_time | ||
{ time ./fuzzer/fuzzer.py bof $BRAND $IID $TARGET > $LOG_DIR/fuzzer_log_bof ; } 2> $LOG_DIR/fuzzer_bof_time | ||
echo '[*] rsf' | ||
cd routersploit && timeout --preserve-status --signal SIGINT 300 ./rsf.py $TARGET > ../$LOG_DIR/rsf && cd - | ||
echo '[*] analyzer finished' |
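Review bot: the routersploit step `cd routersploit && timeout --preserve-status --signal SIGINT 300 ./rsf.py $TARGET > ../$LOG_DIR/rsf && cd -` leaves the shell inside `routersploit/` whenever `rsf.py` exits non-zero, which includes the case where `timeout` fires, since `--preserve-status` forwards that status: `set -e` does not abort on a failing command inside an `&&` list unless it is the last one, so `cd -` is skipped and the script carries on from the wrong directory. Run the step in a subshell instead, `( cd routersploit && timeout --preserve-status --signal SIGINT 300 ./rsf.py "$TARGET" > "../$LOG_DIR/rsf" )`, which also stops `cd -` from printing the directory name to stdout. Two smaller points: `$BRAND`, `$TARGET`, `$LOG_DIR` and `$EXPLOIT_DIR` are expanded unquoted throughout (the `echo $0: Usage: ...` line as well), so a value containing whitespace breaks the `mkdir -p` calls and the redirections; quote them. And the bare `sleep 10` and the `nmap -O` scan (which needs root) deserve a comment explaining why they are there, presumably waiting for the emulated target to come up, while `EXPLOIT_DIR` is created but never written to by this script.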
@@ -0,0 +1,28 @@ | ||
This directory contains analyses for the FirmAE system. | ||
|
||
* `fuzzer.py`: This is a main script for testing command injection and buffer overflow vulnerability. | ||
* `hnap_pair`: Default key-value pair information for a HNAP request. | ||
* `login.py`: This script helps to login the webpages on the emulated firmware. | ||
|
||
Fuzzer works with two steps to find command injection and one step for buffer overflow. | ||
1. Parse parameters in xml, php, html pages for the web pages in target system filesystem. | ||
2. Command injection | ||
- Spray signatures such as `d34d1`, `d34d2`, ... | ||
- Find signatures with a execve system call in the kernel log of target emulation. | ||
- Send vulnerable command injection combination for the found vulnerable parameters on web page. | ||
3. Buffer overflow | ||
- Spray large buffer with a signature such as `aaaaaaa1...aaaaaaa1`, ..., `aaaaaa10...aaaaaa10`, ... | ||
|
||
Found vulnerability | ||
* Command injection in a Belkin product reported through bugcrowd | ||
* CVE-2018-19986 | ||
* CVE-2018-19987 | ||
* CVE-2018-19988 | ||
* CVE-2018-19989 | ||
* CVE-2018-19990 | ||
* CVE-2018-20114 D-Link soap.cgi command injection | ||
* CVE-2019-11399 TRENDNet command injection | ||
* CVE-2019-11400 TRENDNet buffer overflow | ||
* CVE-2019-6258 D-Link buffer overflow | ||
* CVE-2019-20082 ASUS buffer overflow | ||
* CVE-2019-20084 |
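Review bot: "Fuzzer works with two steps to find command injection and one step for buffer overflow" does not match the list beneath it, which has three numbered items; say explicitly that step 1 (parameter parsing) is shared and that steps 2 and 3 are the two modes, which `analyses_all.sh` invokes as `fuzzer.py ci` and `fuzzer.py bof`, so the reader can tie the description to the command line. Typos: "a execve system call" should be "an execve system call", "Found vulnerability" should be "Found vulnerabilities", and "Dynamic analyses tool" should be "Dynamic analysis tool". The "Found vulnerabilities" list is also inconsistent, with some entries carrying vendor and bug class and others only the CVE id; the root README in this commit already lists the same CVEs with links, so either link each entry here too or keep the list in one place.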