One Article Review

Source w00tsec blog
Identifier 8300163
Publication date 2015-05-04 23:57:38 (viewed: 2023-01-11 16:56:00)
Title Firmware Forensics: Diffs, Timelines, ELFs and Backdoors
Text This post covers some common techniques that I use to analyze and reverse firmware images. These techniques are particularly useful to dissect malicious firmware, spot backdoors and detect unwanted modifications.

Backdooring and re-flashing firmware images is becoming mainstream: malicious actors are infecting embedded devices and inserting trojans in order to achieve persistence. Recent articles covered the increasing number of trojanized Android firmware images and routers that are being permanently modified.

Attackers with a privileged network position may MITM your requests and forge fake updates containing malicious firmware. Writing Evilgrade modules for this is really simple, as most vendors keep failing to deliver updates securely, right ASUS?

All your HTTP packets are belong to us...

Older versions of ASUS firmware were vulnerable to MITM attacks (CVE-2014-2718) because they transmitted updates over HTTP and performed no security/signature checks. ASUS silently patched the issue in 3.0.0.4.376+ and is now verifying RSA signatures via /sbin/rsasign_check:

    Valid signature -> nvram_set("rsasign_check", "1")

NoConName 2014 CTF Finals: Vodka

I'll keep my tradition of writing posts based on CTF challenges because everybody upvotes CTF posts on reddit and it's cool. The challenge "Vodka", from the NoConName 2014 CTF Finals, was created by @MarioVilas, who kindly provided the files here (thanks dude!). I did not participate in the CTF finals, but I found the challenge really interesting because there were many different ways to solve it, summarizing the actions needed to audit a compromised f
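The fix the post describes, verify an RSA signature over the update before flashing and only then set rsasign_check, is easy to model next to the flaw it replaced. The following Python is an added example, not code from w00tsec, the post or ASUS: the container layout (magic, version, payload length, signature, payload), the textbook RSA-over-SHA-256 scheme with a 512-bit key, the BACKDOOR_MARKER bytes and every function name are assumptions made for illustration. It runs a genuine image, an image patched in flight by a MITM, and an image re-signed with the attacker's own key through a pre-fix check that looks only at magic and length, and through a post-fix check that verifies the signature.

```python
"""Firmware-update signature check (added example; see lead-in for assumptions)."""
import hashlib
import random
import struct

MAGIC = b"FWUP"                    # assumed container magic
HEADER = struct.Struct(">4sII")    # magic, format version, payload length
KEY_BITS = 512                     # deliberately small; not a production size
SIG_LEN = KEY_BITS // 8
BACKDOOR_MARKER = b"<<BACKDOOR>>"  # constructed stand-in for injected code
_rng = random.Random(2015)         # seeded so the example is reproducible


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(c):
            return c

def generate_keypair():
    """Return (public, private) as ((n, e), (n, d)); e is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    e = 65537
    while True:
        p, q = _gen_prime(KEY_BITS // 2), _gen_prime(KEY_BITS // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(header, payload):
    # The header is signed too, so a patched length field is caught as well.
    return int.from_bytes(hashlib.sha256(header + payload).digest(), "big")

def build_update(payload, priv_key):
    """Vendor side: header || textbook-RSA signature over SHA-256 || payload."""
    n, d = priv_key
    header = HEADER.pack(MAGIC, 1, len(payload))
    sig = pow(_digest(header, payload), d, n).to_bytes(SIG_LEN, "big")
    return header + sig + payload

def accept_update_unsigned(blob):
    """Pre-fix model of the CVE-2014-2718 flaw: magic and length checked, signature bytes never read."""
    if len(blob) < HEADER.size + SIG_LEN:
        return False
    magic, _version, length = HEADER.unpack_from(blob)
    return magic == MAGIC and len(blob) - HEADER.size - SIG_LEN == length

def rsasign_check(blob, pub_key):
    """Post-fix model: True only if the signature verifies against the baked-in public key."""
    if len(blob) < HEADER.size + SIG_LEN:
        return False
    magic, _version, length = HEADER.unpack_from(blob)
    header, payload = blob[:HEADER.size], blob[HEADER.size + SIG_LEN:]
    sig = int.from_bytes(blob[HEADER.size:HEADER.size + SIG_LEN], "big")
    n, e = pub_key
    if magic != MAGIC or len(payload) != length or sig >= n:
        return False
    return pow(sig, e, n) == _digest(header, payload)

def mitm_tamper(blob):
    """On-path attacker patches payload bytes in flight; length and vendor signature stay as they were."""
    start = HEADER.size + SIG_LEN
    return blob[:start] + BACKDOOR_MARKER + blob[start + len(BACKDOOR_MARKER):]

def demo():
    """Run genuine, tampered and attacker-re-signed images through both checks."""
    vendor_pub, vendor_priv = generate_keypair()
    _attacker_pub, attacker_priv = generate_keypair()
    firmware = b"\x7fELF" + bytes(range(256)) * 4  # constructed payload stand-in
    genuine = build_update(firmware, vendor_priv)
    tampered = mitm_tamper(genuine)
    backdoored = BACKDOOR_MARKER + firmware[len(BACKDOOR_MARKER):]
    forged = build_update(backdoored, attacker_priv)  # attacker re-signs with own key
    images = (genuine, tampered, forged)
    return {
        "unsigned": [accept_update_unsigned(b) for b in images],
        "rsasign": [rsasign_check(b, vendor_pub) for b in images],
    }
```

demo() returns {'unsigned': [True, True, True], 'rsasign': [True, False, False]}: the pre-fix check flashes whatever arrives on the wire, the post-fix check accepts only the vendor-signed image. Two caveats carry over to real devices: the verification must use proper padding (PKCS#1 v1.5 or PSS) with a 2048-bit key rather than the raw textbook RSA used here for brevity, and the public key has to live somewhere the update itself cannot overwrite, otherwise the attacker simply ships a new key together with the backdoored image.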
Sent Yes
Tags Malware Hack Tool
Rating ★★★★


The article does not appear to have been picked up again after its publication.


The article does not appear to repeat an earlier one.