
Hello all and welcome to our first talk. Thank you very much, Pietro, for being our experimentation subject for the first time ever. Thank you, Max. So we have a great talk, it's "From Hardware to Zero Day", and it's Pietro Oliva who's going to be giving us this talk. Thank you, and please proceed.

Hi everyone and welcome to my presentation called "From Hardware to Zero Day", or basically how I bought a camera and never used it for what it was supposed to do. So before we start into the videos, let's talk about who I am. I am Pietro Oliva, and that's my Twitter handle, and I'm a security researcher currently at R3.

I was previously working for Sony, JP Morgan and other companies in security roles. Before we even begin, I just want to clarify that none of this research has anything to do with my current or previous employers; it's just a personal project that I made myself. So let's get started. First of all, why would we even perform security research on a camera? I mean, what's interesting about it? Afterwards I started looking at what the current state of the work on this camera is, so what's been done before, and then I faced myself with a challenge. I chose to have this challenge, and then with various steps I achieved some success and reached my goal.

Then I will talk about some lessons learned from this process, and then what was initially my to-do list and future work that you can also feel free to continue yourself, and then we'll talk about conclusions and Q&A. So the first question: why would we even start doing research on a security camera? The question I asked myself is: many people say IoT devices are insecure, and is that really true? Can I verify this claim myself? Apart from that, I was looking for a challenge and a learning opportunity, so I wanted to get something out of it. So let's look a little bit into the previous work on this security camera. This is the
camera that I bought myself for this purpose, and there was some command injection vulnerability at the time I bought it, and apparently there was nothing else. So I asked myself, is there really only one vulnerability for this camera? That's when I started with my challenge, and I decided that I wanted to hack the latest and greatest firmware regardless of the previous findings. I wanted to do this in a particular way because I wanted to learn, so I started from the hardware itself and dumped the firmware myself in order to analyze it with some reverse engineering tool, because I wanted to learn MIPS assembly and architecture. So that's what I started doing, and I wanted to look for a tool that I could use everywhere for casual hacking on the go, and I found that tool, which is radare2, which by the way can be used on your mobile phone or tablet. So if you have an Android device, for example, you can install it and use it.

So how did I do this hardware analysis and flash dumping? I simply took pictures of the board. This is the main board that you can see in these pictures, and I also looked at the FCC ID of the device, which is found on one of the labels on the package. You can see, for example, that the picture on the right is taken from the FCC website, and you can see here the processor, MediaTek, and if you zoom in you can see even the exact model and everything, and this is the RAM. Then we can find the main components, and once I identified the main components, such as the SPI flash, I basically proceeded to dump them to see what the contents were. In order to do that I used this tool called Bus Pirate, which is the board you can see in the background of this slide, and I used flashrom to interface with this Bus Pirate, because it acts like a serial port, and through that interface you can issue commands that go to the SPI chip. I figured out once I dumped it that the 8 megabit, 8 megabytes sorry, SPI flash contained the main firmware, so I started analyzing it.

How do we analyze this firmware? I chose these tools; you can use others, certainly. I used binwalk and jefferson to extract the main firmware: binwalk extracts the main components that make up the raw image, and then jefferson extracts the JFFS2 file system. Then I used radare2 as the reverse engineering tool, and I focused mainly on a binary called ipcamera, which implements all the main functionality of the camera.
So once we start looking into this, let's see what the vulnerabilities are that I found. This is the first one. As you can see, it is a login method. What it's doing is it's taking the user and password and matching them to see if there is a valid login provided by the user, and if it's not valid then it just skips an entire piece of code; otherwise it just goes ahead and grabs the HTTP User-Agent header and then it looks for the Firefox string. Now what this code was supposed to do was to check if you are logging in with a certain browser (there were also Chrome and others), and depending on that it will do certain actions and customize things depending on the browser. Now if you look closely you will notice that when it's getting the user agent string here in this v0, this v0 actually could be null, because if you don't send any HTTP User-Agent header, this header will just not exist, so this pointer will be null, and when you call strstr at that point you will get a null pointer dereference and it will crash the main process. Crashing this ipcamera means you can no longer access the web UI, because that's the main binary that manages all of it.

So this was the first bug I disclosed to TP-Link, which is the vendor, and I put here a quick summary of the timeline. The way it started was that they claimed the camera wasn't supported anymore. After that I decided to see if other cameras were affected, and I could confirm that, even though I didn't have all of them, because I could go to the website, download all the firmware images and reverse engineer them, and I confirmed and I warned the vendor that all of them were affected by the same vulnerability. So at the end of March I dropped this as a zero day, because the vendor would still not fix the issue, would not be responsive and did not seem to be keen to fix this issue. So I decided that I would just drop it as a zero day, and suddenly, after roughly a week, they fixed it. So they did care about this, but they just didn't really want to do it without a zero day out. After I did that, all the next reports were taken way more seriously and the deadlines were kind of respected, and after that I promised that I won't report any more issues, because it was not very pleasant, certainly. I mean, let's say I was basically asked, can you please confirm this is the last issue you are going to report to us? So I said yes, I won't do it anymore.
Right, so let's talk about other issues that I found, interesting ones. This is a stack overflow. The way it works is there is a routine called del multi user. What this does is exactly what it says, which means it goes through a list of users, which is a comma-separated list of users, and then basically calls this delete user method and then stores the error code in a stack variable, which is here in the frame pointer. Now the thing is, since this accepts a list of usernames, if your list is long enough it means it will get a very huge list of error code strings that get concatenated, so of course, since the destination buffer is on the stack, this means that you are effectively introducing a stack buffer overflow. The only problem with that is that you cannot really control too much, because the only thing that changes between those strings is the error code itself, depending on whether the user exists or not, or if it's yourself, and things like that. So if you're wondering what the proof of concept looks like, it's something like this: in the HTTP request you will just send username equals a bunch of commas, and that will be enough to render your camera basically unusable.

Now let's talk about the next part. This one is a bit more interesting. It doesn't look really hard to understand what's going on here: it's taking a backup from this location, it's taking a string "tp link", and it's passing it to a function called DES encrypt with this e-backup string. What we understand from this is that it's taking this backup, it's encrypting it with this key and with this algorithm, and then it's storing it into the encrypted backup. That looks easy, right? But there was a problem. I mean, after I tried to decrypt these config files that you could download from the web UI, I could still not decrypt them, because I would see random characters and I couldn't understand what was going on. I knew the algorithm, because it was DES; it was ECB mode, you could see from the patterns in the encrypted format that you would see some repetitions. I found a tool on the internet that would correctly encrypt and decrypt it, but if I tried any sort of standard DES implementation I could not decrypt it, and I couldn't understand why, and I thought I was doing something wrong myself. Then I realized that you don't just use an encryption key, or at least that's not what they did. What they did is, after checking all the code, I went ahead and checked the permutation tables, and if you compare the screenshot on the left and the description on the right, you can see that these tables differ slightly, actually by one unit for each of these values. Now this is not only true for the initial permutation table but for all of the constants of the DES algorithm. So what they did was to change all of the constants everywhere, not just this initial permutation table, and that's why I could not decrypt it. So this must be the thought process that was behind it: you could have chosen to use a strong encryption algorithm, but instead they decided to customize a weak one.

Now, once we decrypt this file, let's figure out what's inside it, what the structure of this file is. We can see there is a small header that tells you what the file size is; there is a magic, and then the MD5, then there is this null-terminated string fingerprint and then some padding, and then the file entries start. We have a very simple format: we have four bytes for the absolute offset of the file content, the file size, again some padding, and then the null-terminated file name, and that's it. At the end you will also see the content, but the screenshot is not big enough to appreciate that. What we see from this is that this effectively contains file names and file contents, so this could probably give us an arbitrary file write, and we're going to see shortly if that's true or not.

All right, so I made this little script, and what it does is it creates a config file and then it embeds in this config file these demo1 and demo2 HTML files, and then it encrypts it in a format that can be understood. So if you execute this and then go to the web UI, now we should be able to just restore this config backup.
So it's here, and restore. Now the camera is going to reboot, because of course there could be changes that need a device reboot. Of course it's not our case, but that's just the way it was programmed, so we'll have to wait until the camera comes back to us. In the meantime I will set up the network. Right, so we're back into the UI. Cool, so let's see if we have successfully uploaded these demo1 and demo2 HTML files. Oh look, now we can play Doom on this camera. Instead of the camera frame, what we can see is just launching this game, just as a proof of concept to show that we can effectively write files everywhere, play Doom or whatever we like. You could even replace it with, I don't know, some static image if you want to give the illusion that the camera is being used but it's actually frozen. But also what's interesting is that we could go ahead and, I mean, I don't know if you know this, but if you go here it says that you need to install a plug-in to watch the stream. This is ridiculous because it's 2020. So I went ahead and said, you can actually make this better, and this was the result. As you can see, now I can see the live stream of my camera without any plugins that I would not trust anyway from this company, and it just works.

Now let's go back to the presentation and go ahead with the next topic. So this was great; this gives us arbitrary file write, and I wanted to find some other issue, like for example this one. This one is specific to the NC260 and NC450 models, and what it does is just literally take an encryption key from an argument in the HTTP request and then just try to store it in this encrypt key directory. Now the way it does it is it's actually doing some echo of your string and it's passing it into this sim command. sim command is just a wrapper
to system, so effectively this gives us command injection, and if you were wondering, these commands are being executed as root. So this was great, but it only affected these two models, so let's see if we can do even better than that, and this is where this next bug comes in. As we can see here, there is this sim command again, which is a good sign, right? We know it's system. If you go backwards we can see this command, mDNSResponder, and then there are some parameters, which is a string, and if you look at this string it should be this v0 which is in a1, and if we go backwards again v0 comes from this fp+20, the frame pointer plus 20, and if you go backwards again we can see that it comes from this bonjour get name, because it's one of the arguments; it's v0. So that means this is getting a name from somewhere, and then this name gets put into this mDNSResponder command and then just executed. The thing is, can we control this name? Let's look at this system set product alias check, which is the method that is called exactly before setting the name, and we can see that the only real check that is happening here is this call to strlen. So they are indeed doing some checking in this routine, but they are only checking for the length of the string, so as long as your string is shorter than this 0x81, your string will just be unfiltered and be part of the command line. Now this is true for all cameras except the NC210, which has this filter implemented correctly, but not this one in the monitor HTTP, and we can see how we can exploit that. This is basically what the thought process must have been in this moment, when they check for the length without checking anything else. So this bug, we know it affects all the cameras and can be triggered easily, and it gives us a reliable root shell. Let's see if that's true and if it's working.

So we got here, okay, here's the terminal. What we have here is this little script. We are generating a payload with msfvenom, nothing fancy about it. Now what we do here is creating a config file again, so we can exploit the issue without going through the first check. So we are effectively combining the hardcoded encryption key issue with the command injection issue. The way we are doing it is we are uploading a system.conf file that looks exactly like this, and then, as you can see, the command injection is here, and what it's doing is executing this etcs. Now this etcs, as you can see, is getting uploaded here, and it's this payload that we just generated. So we are uploading two files: the payload itself and the command injection here in the system.conf file. So let's see how that works. We execute this, so effectively we are creating these files, and now it will start the Metasploit Framework. Now I have this QEMU running here which is simulating this NC210 camera, and now all I have to do is to go to management, browse, go to this, where is it, systemconf.cfg, and just restore. Now again this is going to reboot the virtual device which is in this QEMU thing, so I'll just skip through it for a moment. I'll just leave it there,
let it reboot, because it can take a while, and let's go ahead with demo number three. Now for the other cameras, which are a bit more vulnerable because they have missing checks on both methods, you can exploit them directly with this Metasploit module that I made, and by the way it's also public, so you can freely download it and use it; it's part of the Metasploit Framework on GitHub. All it's doing is setting the remote host and port, the user and password from the web UI, and then just the payload that you want and where you want to receive the shell. So let's see how it goes. This is the NC200 device, which is the one that I showed you before, and this is the same thing but for the NC450 camera, which is another one that I have in QEMU. So hopefully this is not too much to ask of my laptop. This one is still rebooting; I know what's going on. Yes, it's running. Okay, so we can see in the NC200 camera we have a shell opened, and we can clearly see that we are in this /usr/local/bin path, and we can list the processes and we can see this mDNSResponder process and we can see the command injection clearly. Now the same thing is valid here: we can see in the NC450 camera, which is also emulated with QEMU, we can get a shell and we are root. So that's great.

Let's check demo number two. We have here this camera that has rebooted, so I'm going to simulate the reboot with this start.sh; it's not doing anything fancy apart from starting the HTTP server. So we're going to start it, and there you go: basically when it starts the mDNSResponder process it will get this command injection there and we get a shell. So okay, let's go back to the slides.

So what did we learn from this? We can see that there is a lot of code reuse, because all these cameras were very similar
indeed, and that means that the same vulnerabilities affected them. Another lesson is that dropping zero days is not necessarily a bad thing if it helps fixing issues. Please give time to vendors to fix their products, but if they're not responsive and they don't do anything about it, then maybe this is the little pressure that they need to go ahead and fix stuff. Also another thing that I learned is that reverse engineering can reveal bugs that cannot be found via fuzzing or black box testing. Why is that? Because this Bonjour command injection thing could not be exploited automatically, because you could not see anywhere where you could set the device name in the web UI, but there was this URL that, if you knew it, you would send a request and at that point you would trigger the command injection. So it's not good to do only fuzzing or only black box testing or only reverse engineering; it's good to do both.

Now, future work. This was initially my to-do list. You guys can take this research and continue it if you really want to. For example, you could look at vulnerabilities that can be exploited from the TP-Link cloud, or the browser plug-in, or basement vulnerabilities.

Conclusions: so indeed there was more than one vulnerability affecting these cameras, and you don't need any expensive tools; you can just use radare2, and you can even be on a mobile phone on a plane. Actually I didn't show this before, but if you look at the screenshot you can clearly see that it's taken on a mobile phone: this is Termux and this is radare2, and you can see I was in flight mode, so you can even do this on a plane. It's amazing, without any preparation; you don't need to have any special tools to bring with you. So this is what you can do, and as we said before, it is necessary to complement your testing, and it was indeed a very good idea to never connect this camera and never use it. I can now say for real, from my experience, that some IoT devices indeed are insecure. Another thing that I wanted to reinforce is that security researchers and vendors have a shared responsibility; it's not just the vendors, it isn't just researchers, but it is the collaboration between them that enables devices to become more secure. That's all, thank you very much for listening, and if you've got any questions...

So that's great, thanks a lot. I think people really enjoyed the Doom running on the security cameras, I would say. Anybody else? I'm just quickly checking to see if any questions have been relayed up. So far no questions, let me just go back to the training
channel and see what else. Nope, no questions, just comments, so they've really enjoyed the talk, and I want to thank you very much. There is the Discord channel if you do have questions. Sorry, a question just came in. It said, when you said you wouldn't continue research, the question is, yes, why not?

I will not, because as I said it wasn't super pleasant. As I said, there was a slide called "the pain of responsible disclosure". If you want to do this responsibly, then there can be a bit of pain there, because the vendor is not always responsive, and it's not always pleasant. Of course it can be rewarding if you manage to get something out of it, but yeah, I will not continue with it myself, because I had to promise it. They said literally, like, "we pushed two updates in the past two months, can you please stop", basically. So that's why I said okay, fine, I'll stop it.

Okay, yeah, no, it's understandable. If you don't have a willing participant, that makes it difficult. Another question came in. It says, one of your objectives was to learn MIPS; you seem to have picked it up very well. Do you have any resources that you can share as to what helped you through that?

Well, what I did was to just look in the MIPS manuals that you can find online. There are plenty of them. Just go through the list of instructions and basically just compare them with your disassembly. I also recommend that you check with some decompilers. I wanted to learn MIPS and that was it, but if you want to speed it up a bit you can also use the decompiler, so you can look at the same time at what it looks like in decompiled form and what it looks like in assembly form, so you can also cross-check your knowledge, and always go back to the manuals. There are also some instructions and some commands in radare2 that you can use to describe the instructions that you're reading, so it will say like, I don't know, moving this value to this register and things like that. These things really help a lot.

Okay, great. Another question is, did they patch the unsupported camera or just the newer ones?

Yeah, they patched all of them.

That's great.

And actually, yes, that's why I could make this presentation, right? I didn't feel like dropping all the zero days everywhere. But there is one good thing, I mean, one defence, depends on which side you look at it from. The hardcoded encryption key, for example, the way they fixed it
is that they generate a random key for each camera. Now if you think about it, this means that they are still using DES in ECB mode and everything, so, because you also know the file format, you have a known-plaintext attack. You could do some brute force, for example, because you could guess what the plaintext is and you could recover this key, and if you can recover this key then you could craft your backup file and you could still exploit the same vulnerability as if it was hardcoded, because you can effectively break DES, which is too weak. Which is by the way something that I told them, and they said that it would be too much architectural change to make this happen, so that's something that they're not going to fix.

Thanks for sharing that. I'm sure that's another path for somebody else to explore.

Yep.

As far as the response that you received back from D-Link through this, did they pressure you to stop exploring further in this?

Let's say that I could feel that my reports are not necessarily too welcome.

Sure, they're not appreciated. I understand completely. Yes, you know, you don't want to keep pouring in your efforts if someone's going to resist change. I understand it.

Yeah, also there are lots of reasons, right? I mean, I want to go ahead with my life as well. I mean, this game was nice to play with, but I had other projects as well that I want to get into.

Cool. Do you have any of those that you care to share at this point?

Not yet, because I have many in mind, so I still have to focus and decide.

Okay, no problem, no problem. Do you mind if I have another question that came up? What steps can clients take to minimize the attack surface based on the vulnerabilities you found?

Yes, I would say limit the access to the web interface for sure, and the first thing would be do not use unsupported devices, right? I mean, if you're buying a camera, don't buy a cheap 20 euro one; just get something that looks a bit more reasonable. Also I would say restrict access to everything you can, so for example access to the web UI: don't expose that port to the internet, that would be stupid, or if you are in a corporate network, firewall the ports and just allow authorized traffic. For example, only the admin should be able to manage these things; there is no reason why somebody would access the web interface of these devices, right? Other services...

This seems to be geared more for home consumers than anything else.

Yes, yes.

Do you think network isolation could be very effective?

Well, yes, if you can't reach something you cannot hack it, or at least it's going to be much harder. If you cannot poke at something, you cannot crack it, you cannot reach it.

So yeah, I want to thank you for giving the first talk and helping us shake out all the bugs. It was a wonderful talk; it was very well appreciated by the community, lots of people congratulating. If you want to shift over to the Discord while we wait for our next talk to happen...

Okay, thank you very much guys. Yeah, thanks, thanks a lot.

Thanks everyone, thanks Max.