
Embedded Malware Behavior Analyzer
sudo apt update && sudo apt upgrade -y
sudo apt install -y git python3 python3-pip jq net-tools curl \
binwalk cpio squashfs-tools qemu-utils qemu-system \
strace lsof unzip zip libmagic-dev
sudo ./emba -l ~/log -f ~/firmware -p ./scan-profiles/default-scan.emba
sudo ./emba -l ~/log -f ~/firmware -p ./scan-profiles/default-sbom.emba
sudo ./emba -l ~/log -f ~/firmware -p ./scan-profiles/default-scan-emulation.emba
[+] Final aggregator
=================================================================
The main aggregator module compiles and summarizes results from various analysis modules into a comprehensive overview by processing and logging detailed information from each identified element.
[+] Tested firmware: /home/kali/Desktop/Firmware/source/DIR882A1_FW104B02_Middle_FW_Unencrypt.bin
[+] EMBA start command: ./emba -l /home/kali/log -f /home/kali/Desktop/Firmware/source/DIR882A1_FW104B02_Middle_FW_Unencrypt.bin -p ./scan-profiles/default-scan.emba
[+] Detected architecture and endianness (verified): MIPS / EL
[+] Operating system detected (verified): Linux / v3.10.14
-----------------------------------------------------------------
[+] 1212 files and 151 directories detected.
[+] Entropy analysis of binary firmware is: 7.999986 bits per byte.
[+] Entropy analysis of binary firmware is available: /logs/firmware_entropy.png
[+] Found 770 issues in 69 shell scripts.
[+] Found 22 successful emulated processes (user mode emulation).
-----------------------------------------------------------------
[+] Found the following configuration issues:
Found 4 password related details via STACS.
Found 18 kernel modules with 0 licensing issues.
Found 0 interesting files and 1 files that could be useful for post-exploitation.
-----------------------------------------------------------------
[+] Found 193 (100%) binaries without enabled stack canaries in 193 binaries.
[+] Found 183 (95%) binaries without enabled RELRO in 193 binaries.
[+] Found 193 (100%) binaries without enabled NX in 193 binaries.
[+] Found 87 (45%) binaries without enabled PIE in 193 binaries.
[+] Found 148 (77%) stripped binaries without symbols in 193 binaries.
-----------------------------------------------------------------
[+] Found 15586 possible vulnerabilities (via semgrep in Ghidra decompiled code) in 16 tested binaries.
[+] Found 1259 usages of strcpy in 193 binaries.
[+] STRCPY - top 10 results:
COUNT| BINARY NAME | common linux file: y/n | CWE CNT / SEMGREP | RELRO | lBIN_CANA | NX state | SYMBOLS | NETWORKING |
130 | libstarter.so | common linux file: no | Vulns: NA / 819 | No RELRO| Canary | NX disabled | Symbols | No Networking |
108 | inadyn-mt | common linux file: no | Vulns: NA / 783 | No RELRO| Canary | NX disabled | No Symbols | Networking |
95 | dnsmasq | common linux file: yes | Vulns: NA / NA | No RELRO| Canary | NX disabled | No Symbols | Networking |
80 | librcm.so | common linux file: no | Vulns: NA / 2839 | No RELRO| Canary | NX disabled | No Symbols | Networking |
66 | libupnp.so.1.3. | common linux file: no | Vulns: NA / 621 | RELRO | Canary | NX disabled | No Symbols | Networking |
55 | busybox | common linux file: yes | Vulns: NA / NA | No RELRO| Canary | NX disabled | No Symbols | Networking |
49 | rc | common linux file: no | Vulns: NA / 2392 | No RELRO| Canary | NX disabled | No Symbols | No Networking |
44 | starter | common linux file: no | Vulns: NA / 228 | No RELRO| Canary | NX disabled | Symbols | No Networking |
41 | prog-cgi | common linux file: no | Vulns: NA / 3550 | No RELRO| Canary | NX disabled | No Symbols | Networking |
39 | pluto | common linux file: no | Vulns: NA / 1065 | No RELRO| Canary | NX disabled | No Symbols | Networking |
[+] SYSTEM - top 10 results:
COUNT| BINARY NAME | common linux file: y/n | CWE CNT / SEMGREP | RELRO | lBIN_CANA | NX state | SYMBOLS | NETWORKING |
72 | rc | common linux file: no | Vulns: NA / 2392 | No RELRO| Canary | NX disabled | No Symbols | No Networking |
57 | prog-cgi | common linux file: no | Vulns: NA / 3550 | No RELRO| Canary | NX disabled | No Symbols | Networking |
34 | librcm.so | common linux file: no | Vulns: NA / 2839 | No RELRO| Canary | NX disabled | No Symbols | Networking |
24 | libstarter.so | common linux file: no | Vulns: NA / 819 | No RELRO| Canary | NX disabled | Symbols | No Networking |
21 | nvram_daemon | common linux file: no | Vulns: NA / 102 | No RELRO| Canary | NX disabled | No Symbols | No Networking |
19 | protest | common linux file: no | Vulns: NA / NA | No RELRO| Canary | NX disabled | No Symbols | No Networking |
12 | dllog.cgi | common linux file: no | Vulns: NA / NA | No RELRO| Canary | NX disabled | No Symbols | No Networking |
11 | timer | common linux file: yes | Vulns: NA / NA | No RELRO| Canary | NX disabled | No Symbols | No Networking |
9 | seama.cgi | common linux file: no | Vulns: NA / NA | No RELRO| Canary | NX disabled | No Symbols | No Networking |
8 | ralink_init | common linux file: no | Vulns: NA / NA | No RELRO| Canary | NX disabled | No Symbols | No Networking |
-----------------------------------------------------------------
[*] Identified the following software inventory, vulnerabilities and exploits:
[+] Found version details: jcpd : 1.6.2 : CVEs: 0 : Exploits: 0 : Source: STAT
[+] Found version details: pciutils : 3.0.0 : CVEs: 0 : Exploits: 0 : Source: STAT/UEMU
[+] Found version details: dxml : 2.1b162 : CVEs: 0 : Exploits: 0 : Source: STAT
[+] Found version details: igmpproxy : 0.1 : CVEs: 0 : Exploits: 0 : Source: STAT
[+] Found version details: pppoe-discovery : 3.8p : CVEs: 0 : Exploits: 0 : Source: STAT
[+] Found version details: wireless_tools : 29 : CVEs: 0 : Exploits: 0 : Source: UEMU
[+] Found version details: udhcp : 0.9.8 : CVEs: 0 : Exploits: 0 : Source: STAT
[+] Found version details: ipsec : 2.6.49 : CVEs: 0 : Exploits: 0 : Source: UEMU
[+] Found version details: ralink-dot1x : 3.0.0.0 : CVEs: 0 : Exploits: 0 : Source: UEMU
[+] Found version details: radvd : 1.8 : CVEs: 0 : Exploits: 0 : Source: UEMU
[+] Found version details: xl2tpd : 1.3.2 : CVEs: 0 : Exploits: 0 : Source: STAT
[+] Found version details: busybox : 1.12.1 : CVEs: 15 (3) : Exploits: 0 : Source: STAT
[+] Found version details: openswan : 2.6.49 : CVEs: 2 : Exploits: 0 : Source: STAT/UEMU
[+] Found version details: sed : 4.0 : CVEs: 0 : Exploits: 0 : Source: STAT
[+] Found version details: openswan : 2.2.0 : CVEs: 5 : Exploits: 0 : Source: STAT
[+] Found version details: zebra : 1.1.1 : CVEs: 0 : Exploits: 0 : Source: UEMU
[+] Found version details: iproute2 : 110317 : CVEs: 0 : Exploits: 0 : Source: UEMU
[+] Found version details: dnsmasq : 2.78 : CVEs: 13 : Exploits: 1 : Source: STAT
[+] Found version details: iptables : 1.11 : CVEs: 0 : Exploits: 0 : Source: STAT
[+] Found version details: goahead : 1.4b191 : CVEs: 7 : Exploits: 2 : Source: UEMU
[+] Found version details: libgcrypt : 1.5.1 : CVEs: 13 : Exploits: 0 : Source: STAT
[+] Found version details: goahead_webserver : 1.4b191 : CVEs: 7 : Exploits: 0 : Source: UEMU
[+] Found version details: pcre : 8.01 : CVEs: 0 : Exploits: 0 : Source: STAT
[+] Found version details: minidlna : 0.9.33 : CVEs: 1 : Exploits: 0 : Source: STAT
[+] Found version details: minidlna : 1.0.24 : CVEs: 1 : Exploits: 0 : Source: STAT
[+] Found version details: lua : 5.1.5 : CVEs: 2 : Exploits: 0 : Source: STAT
[+] Found version details: miniupnpd : 1.6 : CVEs: 4 : Exploits: 0 : Source: STAT
[+] Found version details: iptables : 1.4.10 : CVEs: 1 : Exploits: 0 : Source: UEMU
[+] Found version details: pppoe : 3.8 : CVEs: 0 : Exploits: 0 : Source: UEMU
[+] Found version details: lighttpd : 1.4.20 : CVEs: 10 : Exploits: 4 : Source: STAT
[+] Found version details: point-to-point_proto: 2.4.5 : CVEs: 4 : Exploits: 1 : Source: UEMU
[+] Found version details: point-to-point_proto: 2.4.6 : CVEs: 4 : Exploits: 1 : Source: UEMU
[+] Found version details: sysstat : 10.1.6 : CVEs: 0 : Exploits: 0 : Source: UEMU
[+] Found version details: quagga : 1.1.1 : CVEs: 6 : Exploits: 0 : Source: STAT/UEMU
[+] Found version details: proftpd : 1.3.1 : CVEs: 20 : Exploits: 3 : Source: STAT
[+] Found version details: sysstat : 10.1.6 : CVEs: 4 : Exploits: 0 : Source: UEMU
[+] Found version details: zlib : 1.2.3 : CVEs: 6 : Exploits: 0 : Source: STAT
[+] Found version details: openssl : 1.0.2j : CVEs: 35 : Exploits: 5 : Source: STAT/UEMU
[+] Found version details: samba : 3.0.24 : CVEs: 62 : Exploits: 11 : Source: STAT
[+] Found version details: linux_kernel : 3.10.14 : CVEs: 2330 : Exploits: 114 : Source: STAT/KMOD
[+] Identified a SBOM including 40 software components with version details.
[+] Identified 2562 CVE entries.
Identified 801 High rated CVE entries / Exploits: 63
Identified 1579 Medium rated CVE entries / Exploits: 56
Identified 182 Low rated CVE entries /Exploits: 9
128 possible exploits available (19 Metasploit modules).
Remote exploits: 6 / Local exploits: 25 / DoS exploits: 8 / Github PoCs: 0 / Known exploited vulnerabilities: 7 / Verified Exploits: 0
-----------------------------------------------------------------
Error: No such object: 91e91e9e978cadc05023af2a962acf12d10051ccb7559dc9d97cd7a5f2d0883f
[*] Sun Feb 2 06:12:38 EST 2025 - EMBA finished analysis in default mode (docker container).
[*] Sun Feb 2 06:12:39 EST 2025 - Firmware tested: /home/kali/Desktop/Firmware/source/DIR882A1_FW104B02_Middle_FW_Unencrypt.bin
[*] Sun Feb 2 06:12:39 EST 2025 - Log directory: /home/kali/log
[*] Sun Feb 2 06:12:39 EST 2025 - Access the web-report with firefox /home/kali/log/html-report/index.html
[*] Sun Feb 2 06:12:39 EST 2025 - Access the web-report with firefox /home/kali/log/html-report/index.html
[*] Sun Feb 2 06:12:39 EST 2025 - Final cleanup started.
[!] Sun Feb 2 06:12:39 EST 2025 - Test ended on Sun Feb 2 06:12:39 EST 2025 and took about 0 days and 03:33:29
DIR882A1_FW104B02_Middle_FW_Unencrypt.bin
MIPS / EL
Linux v3.10.14
7.999986 bits/byte (close to random data)
Binaries with vulnerabilities found
- 16
Vulnerability detection (Semgrep analysis)
- strcpy() usage cases (buffer overflow risk)
- Insufficient security settings (binary analysis)
Security configuration issues
- Security vulnerabilities present in DNSMASQ, OpenSSL and Samba
- Exploit potential (including Metasploit)
Analysis of strcpy() and system() function usage
┌──(kali㉿kali)-[~/Desktop/Firmware/inspect_result/emba_log]
└─$ grep -c "strcpy" ./s13_weak_func_check.txt
97
┌──(kali㉿kali)-[~/Desktop/Firmware/inspect_result/emba_log]
└─$ grep -c "system" ./s13_weak_func_check.txt
44
strcpy() usage count: 97 (buffer overflow risk)
system() usage count: 44 (possible command injection vulnerability)
┌──(kali㉿kali)-[~/Desktop/Firmware/inspect_result/emba_log]
└─$ grep "strcpy" ./s13_weak_func_check.txt | cut -d '|' -f 2 | sort | uniq -c | sort -nr
1 right before the strcpy function. Additionally it checks if the binary is a known Linux binary or unknown and probably
1 file config/functions.cfg. The module counts the usages per binary. For strcpy functions it also counts strlen functions
1 Examples of binary functions are system, strcpy, printf and strcat. These functions are configured in the configuration
1 [*] Vulnerable functions: fprintf mmap popen printf sprintf strcat strcpy system
1 [+] /usr/sbin/timer (-rw-r--r-- root root) - common linux file: yes - Vulnerable function: strcpy / Function count: 1 / strlen: 0 / networking: no
1 [+] /usr/sbin/starter (-rw-r--r-- root root) - common linux file: no - Vulnerable function: strcpy / Function count: 44 / strlen: 0 / networking: no
1 [+] /usr/sbin/pppd (-rw-r--r-- root root) - common linux file: yes - Vulnerable function: strcpy / Function count: 5 / strlen: 1 / networking: no
1 [+] /usr/sbin/onetouch (-rw-r--r-- root root) - common linux file: no - Vulnerable function: strcpy / Function count: 29 / strlen: 0 / networking: yes
...
1 [+] /bin/hw_nat (-rw-r--r-- root root) - common linux file: no - Vulnerable function: strcpy / Function count: 1 / strlen: 0 / networking: no
1 [+] /bin/flash (-rw-r--r-- root root) - common linux file: no - Vulnerable function: strcpy / Function count: 1 / strlen: 1 / networking: no
1 [+] /bin/dnsmasq (-rw-r--r-- root root) - common linux file: yes - Vulnerable function: strcpy / Function count: 95 / strlen: 20 / networking: yes
1 [+] /bin/busybox (-rw-r--r-- root root) - common linux file: yes - Vulnerable function: strcpy / Function count: 55 / strlen: 21 / networking: yes
1 [+] /bin/bndstrg (-rw-r--r-- root root) - common linux file: no - Vulnerable function: strcpy / Function count: 5 / strlen: 0 / networking: yes
1 [+] /bin/ac (-rw-r--r-- root root) - common linux file: yes - Vulnerable function: strcpy / Function count: 1 / strlen: 0 / networking: no
1 [+] /bin/acl (-rw-r--r-- root root) - common linux file: yes - Vulnerable function: strcpy / Function count: 1 / strlen: 0 / networking: no
┌──(kali㉿kali)-[~/Desktop/Firmware/inspect_result/emba_log]
└─$ grep "system" ./s13_weak_func_check.txt | cut -d '|' -f 2 | sort | uniq -c | sort -nr
1 Examples of binary functions are system, strcpy, printf and strcat. These functions are configured in the configuration
1 [*] Vulnerable functions: fprintf mmap popen printf sprintf strcat strcpy system
1 [+] /usr/sbin/timer (-rw-r--r-- root root) - common linux file: yes - Vulnerable function: system / Function count: 11 / networking: no
1 [+] /usr/sbin/starter (-rw-r--r-- root root) - common linux file: no - Vulnerable function: system / Function count: 5 / networking: no
1 [+] /usr/sbin/pppoe-discovery (-rw-r--r-- root root) - common linux file: yes - Vulnerable function: system / Function count: 2 / networking: yes
1 [+] /usr/sbin/onetouch (-rw-r--r-- root root) - common linux file: no - Vulnerable function: system / Function count: 1 / networking: yes
1 [+] /usr/sbin/omcproxy (-rw-r--r-- root root) - common linux file: no - Vulnerable function: system / Function count: 2 / networking: no
1 [+] /usr/sbin/easyroaming (-rw-r--r-- root root) - common linux file: no - Vulnerable function: system / Function count: 1 / networking: yes
1 [+] /usr/sbin/dxml (-rw-r--r-- root root) - common linux file: no - Vulnerable function: system / Function count: 1 / networking: yes
1 [+] /usr/sbin/dhcp6-multi (-rw-r--r-- root root) - common linux file: no - Vulnerable function: system / Function count: 2 / networking: yes
...
1 [+] /bin/init_system (-rw-r--r-- root root) - common linux file: no - Vulnerable function: printf / Function count: 24 / networking: no
1 [+] /bin/igmpproxy (-rw-r--r-- root root) - common linux file: no - Vulnerable function: system / Function count: 3 / networking: yes
1 [+] /bin/busybox (-rw-r--r-- root root) - common linux file: yes - Vulnerable function: system / Function count: 8 / networking: yes
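The grep | cut pipeline above splits on "|", but the s13 lines contain no "|", so every line lands in its own bucket with count 1, and a plain grep for "system" also matches the module's header line and /bin/init_system (a printf finding). The parser below is an added example, not part of EMBA or of the original write-up; it reads the s13_weak_func_check.txt line format shown above, and the sample lines are constructed from entries in the page.

```python
"""Parse EMBA s13_weak_func_check.txt findings and aggregate them per function.

Added example (not EMBA code). Lines look like:
[+] /bin/dnsmasq (-rw-r--r-- root root) - common linux file: yes - Vulnerable function: strcpy / Function count: 95 / strlen: 20 / networking: yes
The "strlen:" field is only present for strcpy findings.
"""
import re
from collections import defaultdict

# Constructed sample in the s13 format, taken from entries shown on the page.
SAMPLE_S13 = """\
[*] Vulnerable functions: fprintf mmap popen printf sprintf strcat strcpy system
[+] /usr/sbin/timer (-rw-r--r-- root root) - common linux file: yes - Vulnerable function: strcpy / Function count: 1 / strlen: 0 / networking: no
[+] /usr/sbin/starter (-rw-r--r-- root root) - common linux file: no - Vulnerable function: strcpy / Function count: 44 / strlen: 0 / networking: no
[+] /bin/dnsmasq (-rw-r--r-- root root) - common linux file: yes - Vulnerable function: strcpy / Function count: 95 / strlen: 20 / networking: yes
[+] /usr/sbin/timer (-rw-r--r-- root root) - common linux file: yes - Vulnerable function: system / Function count: 11 / networking: no
[+] /usr/sbin/starter (-rw-r--r-- root root) - common linux file: no - Vulnerable function: system / Function count: 5 / networking: no
[+] /bin/init_system (-rw-r--r-- root root) - common linux file: no - Vulnerable function: printf / Function count: 24 / networking: no
[+] /bin/busybox (-rw-r--r-- root root) - common linux file: yes - Vulnerable function: system / Function count: 8 / networking: yes
"""

FINDING_RE = re.compile(
    r"^\[\+\] (?P<path>\S+) \((?P<perms>[^)]*)\) - common linux file: (?P<common>yes|no)"
    r" - Vulnerable function: (?P<func>\w+) / Function count: (?P<count>\d+)"
    r"(?: / strlen: (?P<strlen>\d+))? / networking: (?P<net>yes|no)$"
)


def parse_findings(text):
    """Return one dict per '[+]' finding line; header and other lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        findings.append({
            "path": d["path"],
            "common": d["common"] == "yes",
            "func": d["func"],
            "count": int(d["count"]),
            "strlen": int(d["strlen"]) if d["strlen"] is not None else None,
            "networking": d["net"] == "yes",
        })
    return findings


def naive_grep_count(text, needle):
    """What `grep -c needle` reports: any line containing the substring, including paths."""
    return sum(1 for line in text.splitlines() if needle in line)


def totals(findings):
    """Total call count per vulnerable function, summed over all binaries."""
    t = defaultdict(int)
    for f in findings:
        t[f["func"]] += f["count"]
    return dict(t)


def top_binaries(findings, func, n=10):
    """Binaries using `func`, highest call count first (the 'top 10' table EMBA prints)."""
    rows = [(f["path"], f["count"]) for f in findings if f["func"] == func]
    return sorted(rows, key=lambda r: (-r[1], r[0]))[:n]


def triage(findings, func):
    """Network-facing binaries using `func`, most calls first: what to open in the disassembler first."""
    rows = [(f["path"], f["count"]) for f in findings if f["func"] == func and f["networking"]]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_S13)
    print("grep -c system would report:", naive_grep_count(SAMPLE_S13, "system"))
    print("actual system() findings:", sum(1 for f in findings if f["func"] == "system"))
    for func in ("strcpy", "system"):
        print(f"{func}: {totals(findings).get(func, 0)} calls in total")
        for path, count in top_binaries(findings, func):
            print(f"  {count:4d}  {path}")
        print("  networking triage:", triage(findings, func))
```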
Binaries with strcpy() vulnerabilities
- libstarter.so (130 calls)
- inadyn-mt (108 calls)
- dnsmasq (95 calls)
- librcm.so (80 calls)
- prog-cgi (41 calls)
- rc (49 calls)
Binaries with system() vulnerabilities
- rc (72 calls)
- prog-cgi (57 calls)
- librcm.so (34 calls)
- libstarter.so (24 calls)
- nvram_daemon (21 calls)
Focus the analysis on libstarter.so, the file with the most findings
The subsequent steps are carried out by loading that file into IDA or Ghidra
char *strcpy(char *dest, const char *src)
{
const char *v2; // $a0
((void (__fastcall *)(char *, const char *))__ctype_b)(dest, src);
return (char *)printf(v2);
}
int system(const char *command)
{
size_t v1; // $a0
((void (__fastcall *)(const char *))__ctype_b)(command);
return (int)malloc(v1);
}
Both functions call __ctype_b
__ctype_b is normally the character-classification symbol from ctype.h, but since this is a binary environment it needs to be verified
strcpy() returns printf(v2), which is not an ordinary string copy
system() appears to call malloc() instead of executing a command
Need to verify what __ctype_b actually does
Since these are not the real strcpy() and system() functions, further investigation is needed
Find the definition of __ctype_b and analyze what this function actually does
Need to check concretely where this function is actually called from
There are too many xrefs to organize as a list, so binaries with specific security risks must be selected for analysis
Checking ___ctype_b
LOAD:00000000 ___ctype_b: .word 0x464C457F # DATA XREF: LOAD:00000B54↓o
LOAD:00000000 # LOAD:00000B94↓o ...
LOAD:00000000 # File format: \x7FELF
LOAD:00000004 .byte 1 # File class: 32-bit
LOAD:00000005 .byte 1 # Data encoding: little-endian
LOAD:00000006 .byte 1 # File version
LOAD:00000007 .byte 0 # OS/ABI: UNIX System V ABI
LOAD:00000008 .byte 0 # ABI Version
LOAD:00000009 .byte 0, 0, 0, 0, 0, 0, 0 # Padding
LOAD:00000010 .half 3 # File type: Shared object
LOAD:00000012 .half 8 # Machine: MIPS
LOAD:00000014 .word 1 # File version
LOAD:00000018 .word _ftext # Entry point
LOAD:0000001C .word 0x34 # PHT file offset
LOAD:00000020 .word 0x278EC # SHT file offset
LOAD:00000024 .word 0x70001007 # Processor-specific flags
LOAD:00000028 .half 0x34 # ELF header size
LOAD:0000002A .half 0x20 # PHT entry size
LOAD:0000002C .half 6 # Number of entries in PHT
LOAD:0000002E .half 0x28 # SHT entry size
LOAD:00000030 .half 0x24 # Number of entries in SHT
LOAD:00000032 .half 0x21 # SHT entry index for string table
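The listing places ___ctype_b at LOAD:00000000, whose first word 0x464C457F is "\x7FELF" read little-endian: the symbol resolves to the ELF file header, not to a function, which is why the decompiled "strcpy" and "system" bodies look nothing like string copy or command execution. The following added example (not from the page, IDA or EMBA) reconstructs the 52-byte header from the values in the listing and decodes it; e_entry (_ftext) is not given on the page, so 0 is used as a placeholder.

```python
"""Decode the 32-bit ELF header that IDA labelled ___ctype_b (added example).

The header bytes are reconstructed from the listing LOAD:00000000..LOAD:00000033.
e_entry is shown only as the symbol _ftext on the page; 0 is a placeholder for it.
"""
import struct

ELF_MAGIC = b"\x7fELF"
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64"}
E_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN (shared object)", 4: "ET_CORE"}

# MIPS-specific e_flags bits (values as in glibc's elf.h).
EF_MIPS_NOREORDER = 0x00000001
EF_MIPS_PIC = 0x00000002
EF_MIPS_CPIC = 0x00000004
EF_MIPS_ABI_MASK = 0x0000F000
E_MIPS_ABI_O32 = 0x00001000
EF_MIPS_ARCH_MASK = 0xF0000000
EF_MIPS_ARCH_32R2 = 0x70000000

# Constructed from the listing: 52 bytes, which is exactly e_ehsize = 0x34.
LISTING_HEADER = struct.pack(
    "<4sBBBBB7sHHIIIIIHHHHHH",
    ELF_MAGIC, 1, 1, 1, 0, 0, b"\0" * 7,  # e_ident: class 32-bit, LE, version 1, SysV ABI, pad
    3, 8, 1,                               # e_type=ET_DYN, e_machine=MIPS, e_version
    0,                                     # e_entry (_ftext on the page; placeholder)
    0x34, 0x278EC, 0x70001007,             # e_phoff, e_shoff, e_flags
    0x34, 0x20, 6, 0x28, 0x24, 0x21,       # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
)


def first_word_le(buf):
    """The value IDA shows at LOAD:00000000 (.word 0x464C457F): the magic read little-endian."""
    return struct.unpack("<I", buf[:4])[0]


def parse_elf32_header(buf):
    """Parse an ELFCLASS32 header, honouring EI_DATA for the multi-byte fields."""
    if len(buf) < 52 or buf[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if buf[4] != 1:
        raise ValueError("only ELFCLASS32 is handled here")
    endian = {1: "<", 2: ">"}.get(buf[5])
    if endian is None:
        raise ValueError("bad EI_DATA")
    fields = struct.unpack(endian + "HHIIIIIHHHHHH", buf[16:52])
    names = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff", "e_flags",
             "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx")
    hdr = dict(zip(names, fields))
    hdr["endianness"] = "EL" if endian == "<" else "EB"
    hdr["machine"] = E_MACHINE.get(hdr["e_machine"], hex(hdr["e_machine"]))
    hdr["type"] = E_TYPE.get(hdr["e_type"], hex(hdr["e_type"]))
    return hdr


def decode_mips_flags(flags):
    """Human-readable view of a MIPS e_flags value such as 0x70001007."""
    out = []
    if flags & EF_MIPS_ARCH_MASK == EF_MIPS_ARCH_32R2:
        out.append("mips32r2")
    if flags & EF_MIPS_ABI_MASK == E_MIPS_ABI_O32:
        out.append("o32")
    if flags & EF_MIPS_NOREORDER:
        out.append("noreorder")
    if flags & EF_MIPS_PIC:
        out.append("pic")
    if flags & EF_MIPS_CPIC:
        out.append("cpic")
    return out


def lies_in_header(offset, hdr):
    """True when a symbol's file offset falls inside the ELF header, i.e. it cannot be code."""
    return 0 <= offset < hdr["e_ehsize"]


if __name__ == "__main__":
    hdr = parse_elf32_header(LISTING_HEADER)
    print(f"first word at LOAD:00000000 = {first_word_le(LISTING_HEADER):#x}")
    print(f"{hdr['machine']} / {hdr['endianness']}, {hdr['type']}, "
          f"{hdr['e_phnum']} program headers, {hdr['e_shnum']} sections")
    print("e_flags:", " ".join(decode_mips_flags(hdr["e_flags"])))
    print("___ctype_b (offset 0) inside header:", lies_in_header(0, hdr))
```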
┌──(kali㉿kali)-[~/Desktop/Firmware/inspect_result/emba_log]
└─$ cat ~/Desktop/Firmware/inspect_result/emba_log/s108_stacs_password_search.txt
[+] Stacs analysis of firmware for password hashes
=================================================================
The STACS password searching module utilizes STACS analysis to examine firmware for password hash values.
[*] STACS log:
2025-02-02 03:01:50,382 - 510659 - [INFO] STACS running with 10 threads
2025-02-02 03:01:50,382 - 510659 - [INFO] STACS uses libarchive (licenses may be found at https://github.com/libarchive/libarchive/blob/master/COPYING)
2025-02-02 03:01:50,382 - 510659 - [INFO] STACS uses yara (licenses may be found at https://github.com/VirusTotal/yara-python/blob/master/LICENSE)
2025-02-02 03:01:50,382 - 510659 - [INFO] Attempting to load rule pack from /external/stacs-rules/credential.json
2025-02-02 03:01:50,387 - 510659 - [INFO] Using cache directory at /tmp/1738483310387734
2025-02-02 03:01:50,387 - 510659 - [INFO] Attempting to get a list of files to scan from /logs/firmware
2025-02-02 03:01:55,801 - 510659 - [INFO] Found 4221 files for analysis
2025-02-02 03:02:09,578 - 510659 - [INFO] Generating SARIF from findings
2025-02-02 03:02:09,578 - 510659 - [INFO] Found 12 findings
[+] Found 12 credential areas:
[*] Found 4 password hashes.
[*] Statistics:4
The openssl binary contains a number of RSA key or certificate-related hash values
┌──(kali㉿kali)-[~/Desktop/Firmware/inspect_result/emba_log]
└─$ strings ~/Desktop/Firmware/inspect_result/emba_log/firmware/unblob_extracted/firmware_extract/160-13265262.lzma_extract/lzma.uncompressed_extract/9090904-18668237.lzma_extract/lzma.uncompressed_extract/bin/openssl | grep -iE "pass|key|admin|password|user|secret|auth" | awk 'length($0) < 100'
Multiple signers or keys not allowed
No recipient certificate or key specified
-inkey file input private key (if not signer or recipient)
-keyform arg input private key format (PEM or ENGINE)
-passin arg input file pass phrase source
signing key file
-keyid
-secretkey
Invalid key %s
-secretkeyid
-pwri_password
-keyopt
No key specified
-keyid use subject key identifier
-keyopt nm:v set public key parameters
No secret key id
Error decrypting CMS using secret key
Error decrypting CMS using private key
Error decrypting CMS using password
-resp_key_id
-rkey
-signkey file private key to sign OCSP request with
-rkey file responder key to sign responses with
-resp_key_id identify reponse by signing certificate key ID
responder private key
signer private key
Need a responder certificate, key and CA for this operation!
Error getting password.
user="%s"
srp_usersalt="%s"
Pass %s
user="%s"
-userinfo
Need at least one user for options -add, -delete, -modify.
-passin, -passout arguments only valid with one user.
Starting user processing
Processing user "%s"
User entry
List all users
user "%s" does not exist, ignored. t
user "%s" reactivated.
Cannot create srp verifier for user "%s", operation abandoned .
user "%s" does not exist, operation ignored.
user "%s" already updated, operation ignored.
Verifying password for user "%s"
Invalid password for user "%s", operation abandoned.
Password for user "%s" ok.
Cannot create srp verifier for user "%s", operation abandoned.
user "%s" does not exist, operation ignored. t
user "%s" revoked. t
User procession done.
User errors %d.
usage: srp [args] [user]
-add add an user and srp verifier
-modify modify the srp verifier of an existing user
-delete delete user from verifier file
-list list user
-userinfo arg additional info to be set for user
-key arg - RSA file to use, PEM format assumed, key is in cert file
Observations from the openssl binary strings:
- The openssl binary contains many password (pass), key and authentication (auth) related strings.
- Strings such as "password_callback", "passin", "passout", "zero length password" and "bad password read" are present.
- Many key-related strings and function names are present (PEM_write_bio_PrivateKey, RSA_generate_key_ex, Private Key, Public Key).
- User authentication code is present, e.g. "User %s doesn't exist" and "Verifying password for user %s".

Follow-up checks:
- Test whether binaries containing zero-length-password code (openssl and others) actually accept an empty password.
- Check whether the code behind "Verifying password for user %s" uses a plain string comparison (strcmp).
- Check configuration files (config, .cfg, .conf, etc.) for user-account settings.
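An added triage script (not EMBA code and not part of the original analysis) that automates the string-based side of the checks above: it walks an extracted root filesystem, flags ELF binaries that carry the password-handling strings seen in the openssl dump, and pulls account-like keys out of configuration files. The rootfs it scans is constructed inline for the demo, and the marker list and regex are assumptions, not EMBA's.

```python
"""Triage helper (added example): find auth-related strings in ELF binaries and
account settings in config files under an extracted firmware root filesystem."""
import os
import re
import tempfile

# Markers taken from the openssl strings dump that point at password/user handling.
AUTH_MARKERS = [b"zero length password", b"bad password read", b"password_callback",
                b"Verifying password for user", b"doesn't exist", b"passin", b"passout"]
CONFIG_SUFFIXES = (".conf", ".cfg", "config", ".ini")
# Heuristic (assumed) for account-like keys in key=value / key: value config lines.
ACCOUNT_RE = re.compile(r"^\s*(user(name)?|login|passw(or)?d|admin\w*)\s*[=:]\s*(\S+)",
                        re.I | re.M)

def scan_rootfs(root):
    """Return {'binaries': {path: [markers]}, 'configs': {path: [(key, value)]}}."""
    hits = {"binaries": {}, "configs": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            if data.startswith(b"\x7fELF"):            # only look inside ELF executables
                found = [m.decode() for m in AUTH_MARKERS if m in data]
                if found:
                    hits["binaries"][rel] = found
            elif name.endswith(CONFIG_SUFFIXES):      # plain-text configuration files
                text = data.decode("utf-8", "replace")
                pairs = [(m.group(1), m.group(4)) for m in ACCOUNT_RE.finditer(text)]
                if pairs:
                    hits["configs"][rel] = pairs
    return hits

def build_demo_rootfs():
    """Constructed sample tree: a fake ELF with openssl-like strings, a clean ELF, one config."""
    root = tempfile.mkdtemp(prefix="rootfs_")
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "usr/bin/openssl"), "wb") as fh:
        fh.write(b"\x7fELF\x01\x01\x01" + b"\0" * 9
                 + b"zero length password\0Verifying password for user \"%s\"\0passin\0")
    with open(os.path.join(root, "usr/bin/busybox"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\0" * 12 + b"BusyBox v1.2\0")
    with open(os.path.join(root, "etc/system.conf"), "w") as fh:
        fh.write("hostname=router\nusername=admin\npassword=admin1234\n")
    return root

if __name__ == "__main__":
    for kind, found in scan_rootfs(build_demo_rootfs()).items():
        for path, detail in found.items():
            print(f"[{kind}] {path}: {detail}")
```

Point `scan_rootfs()` at the directory EMBA extracted (the firmware root under the log directory) to run it on real output; the strcmp and empty-password checks still need disassembly or emulation and are not covered here.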