IoT Security โ€“ Hacking the Firmware โ€“ #Day5 [TWT๐Ÿ†]

Hack the Firmware

(Continued from post on day 4)

We just used binwalk to extract the filesystem from the WiFi routerโ€™s publicly available firmware, now letโ€™s navigate to the folder we just extracted. (your extracted folder should look something like this)

If you poke around this folder, you will easily find the following directory

home โ€”> www โ€”> boardDataWW.php

Use a tool to open this php file and we will find,

In the highlighted line, we could notice that there seem to be a command injection vulnerability in the macAddress parameter

Definition of Command Injection Vulnerability

Command injection is a type of web vulnerability that allows attackers to execute arbitrary operating system commands on the server, where the application is running. Command injection vulnerabilities occur when the applications make use of shell commands or scripts that execute shell commands in the background.

Firmware Emulation

Now that we know there could be a command injection vulnerability, letโ€™s emulate the firmware using open-source software since we do not have the hardware to run the firmware. For this purpose, we will need to install Firmadyne.

However, for simplicity, there is a Firmadyne package that has already included all other tools needed, we will install this package instead,

https://github.com/attify/firmware-analysis-toolkit

(credit to attify for their software)

Follow the steps shown on the Readme to setup and configure the environment and then run,

python fat.py <firmware>

This command will automatically emulate the firmware and reply with a IP address which we will need for later use.

Command Injection Attack

Open your web browser and navigate to the URL given, in this case 192.168.0.100/boardDataWW.php

Then key in our injection code to test if the vulnerability exist,

โ€œ001122334455 ; ping -c 20 127.0.0.1 # โ€œ

image

Now key in the actual attack code

"AA:BB:CC:DD:EE:FF ; cp /etc/passwd . #"

Then navigate to 192.168.0.100/passwd and you will see what we have been wanting to get,

image

With this, we have successfully exploit the firmware!

Hope you enjoy this! and remember, technique shown here are only for educational purpose, firmware vulnerability are already commonly known to the public.

2 Likes

Seems good