- Prelude: The Quest
- Part One: Wireless Packet Analysis
- Part Two: Firmware Analysis
- Part Three: Hunting Gnomes with Shodan
- Part Four: Global Pwnage
- SuperGnome 1: Password Reuse
- SuperGnome 2: Local File Inclusion, Path Traversal
- SuperGnome 3: NoSQL Injection
- SuperGnome 4: Server-Side JavaScript Injection
- SuperGnome 5:
- Part Five: Meet the Villain
- Or read the entire solution in one LONG page
Part Two: Firmware Analysis for Fun and Profit
Challenges:- What operating system and CPU type are used in the Gnome? What type of web framework is the Gnome web interface built in?
- What kind of a database engine is used to support the Gnome web interface? What is the plaintext password stored in the Gnome database?
Useful tool: binwalk
Summary: Use binwalk to extract the filesystem from a firmware image, explore the web interface, and view the contents of a NoSQL database, which includes a table with cleartext usernames and passwords.
The next two challenges are a bit more up my alley. I've done a bit of firmware analysis, primarily with wireless router firmware, and discovered several flaws in these routers. I tend to start with the web browser interface and then work my way into the device; in the case of these challenges though, I don't have a gnome in hand so have to explore only the firmware itself.
Electronic devices are essentially miniature computers, in many cases running stripped-down versions of the Linux operating system. Device firmware includes the code that makes the computer run - often including a complete compressed filesystem.
Binwalk is an open-source, Python-based tool that can open up a firmware image and extract the individual files. I had actually used it before in examining a firmware upgrade vulnerability in Asus wireless routers. The below command line extracts (-e) files from the firmware image, then if any of the extracted files are themselves compressed, recursively (-M) opens those files too.
binwalk -Me giyh-firmware-dump.bin
As expected, the gnome firmware is in fact a Linux operating system.Binwalk extracts the contents into a new directory _giyh-firmware-dump.bin. In that folder is another folder, squashfs-root. Squashfs is a fast and lightweight filesystem for Linux; similar to many computing devices, when the device is powered on, the filesystem is extracted into memory and boots just like a small computer. For simplicity, I will refer to the squashfs-root folder in the extracted filesystem as $gnomefs for the rest of this write-up.
Where Windows uses a registry to store system settings, Linux stores settings in files in the folder "/etc." A common Linux convention is to place files named "[distribution]_release" and "[distribution]_version" in the /etc folder, with details as to the type and version of the operating system. Searching /$gnomefs/etc for files with likely names, I find openwrt_release and openwrt_version:
$gnomefs/etc# cat openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='Bleeding Edge'
DISTRIB_REVISION='r47650'
DISTRIB_CODENAME='designated_driver'
DISTRIB_TARGET='realview/generic'
DISTRIB_DESCRIPTION='OpenWrt Designated Driver r47650'
DISTRIB_TAINTS=''
$gnomefs/etc# cat openwrt_version
r47650>
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='Bleeding Edge'
DISTRIB_REVISION='r47650'
DISTRIB_CODENAME='designated_driver'
DISTRIB_TARGET='realview/generic'
DISTRIB_DESCRIPTION='OpenWrt Designated Driver r47650'
DISTRIB_TAINTS=''
$gnomefs/etc# cat openwrt_version
r47650>
This firmware is based on the popular OpenWRT distribution of Linux. The distribution has been customized and labeled "designated driver," version r47650.
Ordinarily I would look for the file /proc/cpuinfo for details on the CPU installed, but that doesn't exist until after the system is booted. The next best option is to use the built in Unix "file" command to see the properties of an executable system file:
$gnomefs/sbin# file ifconfig
ifconfig: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped
ifconfig: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped
This file was compiled for a 32-bit ARM processor.
As for the database itself, I see lots of references to mongo and mongodb in the files under $gnomefs/www, leading to the conclusion that the gnomes run MongoDB. $gnomefs/etc/mongod.conf contains the following, identifying the location of the actual database files:
storage:
dbPath: /opt/mongodb
dbPath: /opt/mongodb
I am sure there are other ways to examine the contents of the database, but I found it easiest to install the mongodb-server package on my laptop and simply run the daemon (Linux-speak for a server):
sudo apt-get install mongodb-server
sudo apt-get install mongodb-client
sudo mongod --dbpath $gnomefs/opt/mongodb
sudo apt-get install mongodb-client
sudo mongod --dbpath $gnomefs/opt/mongodb
This starts up a Mongo database server; with the server running, I can use the command "mongo" to start a database client from which to explore the database:
> show dbs
gnome 0.078125GB
local 0.078125GB
test (empty)
gnome 0.078125GB
local 0.078125GB
test (empty)
"Show dbs" gives me a list of databases contained within the files; I now want to look specifically in the database labeled gnome, then see the "collections" (similar to tables in a traditional database):
> use gnome
switched to db gnome
> show collections
cameras
settings
status
system.indexes
users
switched to db gnome
> show collections
cameras
settings
status
system.indexes
users
Of these collections, the "users" collection seems the most likely to be interesting, so I use the command db.[collection].find() to show the contents of the collection (somewhat akin to a select * statement in SQL):
> db.users.find()
{ "_id" : ObjectId("56229f58809473d11033515b"), "username" : "user", "password" : "user", "user_level" : 10 }
{ "_id" : ObjectId("56229f63809473d11033515c"), "username" : "admin", "password" : "SittingOnAShelf", "user_level" : 100 }
{ "_id" : ObjectId("56229f58809473d11033515b"), "username" : "user", "password" : "user", "user_level" : 10 }
{ "_id" : ObjectId("56229f63809473d11033515c"), "username" : "admin", "password" : "SittingOnAShelf", "user_level" : 100 }
Lo and behold, the users collection includes two users - "user" and "admin," both of which have the passwords in plain text.
- What operating system and CPU type are used in the Gnome? What type of web framework is the Gnome web interface built in?
A custom OpenWRT distribution, named "designated driver," version r47650. The web interface uses Express web server running on Node.JS. The gnome firmware is designed to run on 32-bit ARM processors.
Incidentally, the email recovered from pwning SuperGnome 02 includes a parts list that is a bit more specific: an Ambarella S2Lm IP Camera Processor System-on-Chip, with an ARM Cortex A9 CPU and Linux SDK. - What kind of a database engine is used to support the Gnome web interface? What is the plaintext password stored in the Gnome database?
The database engine is mongodb; the "users" collection contains records for two users, both including plaintext passwords. The plaintext password for user "admin" is "SittingOnAShelf"; the password for user "user" is "user."