This is exploitable – tampering with CNN for Samsung Edge Panel

A humble first for a small series on leaky and vulnerable apps

The Samsung-exclusive app CNN for Samsung Edge Panel, exists to enable users to get the latest news as an edge-panel. To do this it uses HTTP to get sections, images, headlines, links to articles and report metrics back to CNN. This means that, on an insecure or untrusted network, it’s this possible for a third-party (someone not CNN or the user) to find out how, if and when the app is used, which categories the user is interested in, if they want the US or international version, details about the device, details about the service-provider, the possibility to log or replace any image shown in the app, as well as any title or article link.

The included PoC uses mitmdump and python to extract received telemetry and modify content, replacing headlines, images, and links. While the PoC could use HTTP 301 to move the section-definitions to a third-party server, this has intentionally not been done, in order to ensure it’s easily reversible. As of writing, this exploit works with the most up to date version of the app.

Proof of Concept

Source: Github
Requirements: mitmproxy 4.0.4 installed on the PC (pip install -r requirements.txt), CNN for Samsung Edge Panel (1.0.rc39) installed on the Samsung mobile device (available in the Galaxy Store)

Only tested with Python 3.6.5 on Ubuntu 18.04.1


1. On the test PC run: mitmdump -s cnn-edge-panel-01/src/demo.py --anticomp --anticache --ignore :443$
2. On the Samsung mobile device: set the test PC as the HTTP proxy of the device
3. (not necessary) On the Samsung mobile device: open a browser and go to a website, if you see “… clientconnect” or “GET …” in the window mitmdump terminal, things should be working
4. Open the CNN for Samsung Edge Panel app. If the PoC works, you should see all categories being renamed “Hacking”, and all the news being replaced with jokes. Pressing “Hack all the things”, should then open a YouTube video. Additionally, the terminal should have at least one line reading “Got metrics …”, config.outturner.com, metrics.cnn.com, and compositor.api.cnn.com.

Depending on caching, you might experience that the sections retain their unmodified names if this happens but the headlines and such changed, the app didn’t reload edge-config.json but did reload the section. As of writing, it appears edge-config.json has been 404ed.

Expected behavior

  1. HTTPS, not HTTP being used in the app, HTTP 301, HSTS on compositor.api.cnn.com
  2. edge-config.json only lists HTTPS URLs
  3. edgepanelkill.json only lists HTTPS URLs

Timeline

  • 2018-09-11 Issue reported to Samsung
  • 2018-09-14 Samsung dismisses issue (not a Samsung app)
  • 2018-09-14 Issue reported to CNN
  • 2018-10-06 Issue reported to CNN
  • 2018-12-16 Report publishe

Using memory-protection against certain types of time of check to time of use (TOCTOU)-attacks

Time of check to time of use is a class of vulnerabilities that depend on it taking some amount of time between the time a certain resource is validated and the time the resource is used. For further information, please consult the wikipedia-article. In this post, I’ll propose using memory-protection to try and stop some TOCTOU-attacks where the resource to be validated and used is a region of memory. This is a way of stopping TOCTOU by making the memory-region immutable (read https://www.sans.org/reading-room/whitepapers/securecode/tour-tocttous-1049)

Basic user-mode pseudo-code:

void be_vulnerable() {
    void* res=load_resource("some-resource");
    if(!validate_resource(res)) {
        printf("Something bad happened");
        exit(-1);
    }
    use_resource(res);
}
  1. validate_resource is going to start off with basic validation before it goes off to more complex validation
  2. validate_resource is going to take some amount of time
  3. There’s some other, in-process, not pictured, thread that can access res while be_vulnerable is running

If the other thread manages to access res while validate_resource is running, then be_vulnerable could end up in a situation where the validation does not match the value of res.

One way to avoid this is to use mprotect (2), like this:

void be_vulnerable() {
    void* res=load_resource("some-resource");
    mprotect(res, len, PROT_READ); // len not defined, to simplify example
    if(!validate_resource(res)) {
        printf("Something bad happened");
        exit(-1);
    }
    use_resource(res);
}

This way, you can ensure that after line 3, you’re looking at a definitive truth. Now, there are some limitations to this, sharing res with other processes makes things a bit more difficult (you have to use O_RDONLY when calling shm_open(3)) or have res be placed in shared memory, copying the data doesn’t copy the protection. Fun fact: If you want to work on private data, you can create a code-section that directly accesses the data, then map that code-section PROT_EXEC (without PROT_READ), this is used in Safari on iOS.

Yeah Martin, that’s fine and dandy, but my problem is with code running on devices, not on the main CPU (yes, this has actually been a problem on some consoles).

Well, dear reader, I might still have a solution for you, it’s called an IOMMU. Yes, it’s an MMU, for IO (devices). Now, for security purposes, the IOMMU can only be controlled from the kernel-mode (or hypervisor if you’re using one), so if you’re in user-mode you’re out of luck (unless OSes add support outside of VMs). With the IOMMU, you can carve out regions of memory you want or don’t want a given domain to access, then assign devices to said domain. For simplicity, you can still have the available regions 1:1-mapped for the domains.

Sources:
https://stackoverflow.com/questions/7216870/how-to-protect-the-memory-shared-between-processes-in-linux
http://man7.org/linux/man-pages/man2/mprotect.2.html
https://linux.die.net/man/3/shm_open

D-Link DIR-100D1 Authentification-bypass

(post recovered after backup-issues, thanks to Archive.org)
After the previous set of bugs was discovered (read my previous blog-post about it here), D-Link implemented access controls. This made most commands and variables protected. So for example, an unauthentificated can’t ask for the administrative password in B13 and B15 nor can he do other naughty stuff an ill-behaved unauthentificated user may want to do (I’m considering writing more on that in a later blog-post) but he can ask for the current system language, that’s not too dangerous, now is it?

An inquisitive mind, will note that multiple cliget-commands can be batched together in one HTTP-request. If the unauthentificated user asks for say /cliget.cgi?cmd=$sys_user1%;$poe_user%;$poe_pass, the router will tell him rightfully of, those are all protected variables and this is the expected result. However, let’s say the first variable isn’t a protected variable, let’s say the request is for /cliget.cgi?cmd=$sys_language%;$sys_user1%;$poe_user%;$poe_pass. As you’ll notice, this just asks for the current language in addition to all the previously mentioned hush-hush-stuff, the correct response would be for the router to tell him off again but unless it runs on a firmware I’m about to link you to, it’ll say “he asked for the language, the admin-credentials and the poe-credentials, language seems good go right ahead then” and let the unauthentificated user read the administrative password, amongst other things.

 

This should be seen as a good lesson for the importance of correct array usage; if you take an array, validate all elements before taking them for granted, don’t just check the first and be done with it.

 

This issue has been fixed in 4.03 B13_fam2 (ftp://dlinktemp:dlinktemp2015@194.117.170.198/Router/DIR-100/RevD/DIR100D1_FW403WWB13_fam2.bin) Yes, I know downloading from IPs, especially IPs not registred in a block owned by the device manufacturer seems shady, I don’t like it but that’s the link I got so that’s what I can give you, the firmwares don’t seem to be neither signed nor encrypted nor do any public hashes/hashfiles from a reputable source exist so you choose if you trust me or not, though the official D-Link twitter-account has apparently refered to it before (https://twitter.com/dlink/status/181876200338231297).

 

For the record, I don’t hate the DIR-100D1, I’ve grown rather fond of mucking about with it and if there’s interest, I’ll write more about what I’ve done to the poor thing and learned from mucking about.

Hacking the DIR-100 rev. D1

So, let’s say you have this router, the DIR-100 revision D1, I did. Being bored, I went the login screen but since the password was not the default I was unable login. So I cranked open Chromes fantastic development tools.

 

Now, I sent random values to try to capture some traffic and lo and behold there was a several requests made to /cliget.cgi?cmd=$… . The client-side code was loading configuration-data using XHR, including a partial MD5 of the password! Trying more values I discovered that if I requested /cliget.cgi?cmd=$, I would get the entire configuration file, including the username and password! The router was giving away admin access to everyone with access to the login page (LAN, or if remote admin is enabled LAN+WAN).

 

Later, revisiting the router I discovered that the thing didn’t check the HTTP Origin header, meaning that a basic CSRF attack could successfully perform a login, given a known username and password. I also discovered the /cli.cgi?cmd= API that is used by the client-side code to change the configuration setting, which also proved unable to hinder basic CSRF attacks. Using a simple link and i bit of JavaScript a hacker could take control of someones network including but not limited to redirecting traffic.

 

After watching a bit of WarGames (the 80’s flick that thaught us that every system has a help function) I got this funky idea, that would happen if I requested help from the router? Apparently, a lot, you get a list of every command in the system, including amongst other dhcps (lists all DHCP-clients), mem, reboot and GDB (supposedly not GNU GDB).  One of the first thing i tried executing, was gdb which crashed the system, it might be that it triggers a debugger  Connected to the internal 3-pin serial port. mem however is quite a different beast, it’s a memory monitor like debug.com of DOS-past. That’s right: you can read and write memory on the device without authentification.

 

In addition to all this, I have it from credible sources that the router is plagued by the wide-spread UPnP portmap-from-wan bug that was detected, which means that an attacker may use the router for connection-bouncing and/or presumably use the UPnP bug to gain access to the internal admin-panel.

I will however remark that there has been some mention of the cliget.cgi and cli.cgi APIs before http://forum.nag.ru/forum/index.php?showtopic=58050&st=20.

So, as any responsible man would do, I attempted to contact D-Link, to no avail. D-Link has also made it difficult to track down firmware upgrades for the router.

I ask that anyone handling this information does so with care, and that D-Link makes sufficient arrangements for their unprotected customers.

Mitral valve repair – a marvel of modern medicine

 

Imagine that there was a dual-pump system with a number of check-valves necessary for you to live. Furthermore, imagine that one of the valves was leaking causing exhaustion, coughing blood and possibly death. This is what medical professionals refer to as Mitral valve regurgiation, or leaking of the mitral valve. The mitral valve is the valve in your heart that, when functioning properly, ensures that oxygenated blood from the lungs is not pumped back into the lungs but to the rest of the body (including the heart itself).

Repairing this valve appears very difficult due to its continued operation being an apparant necessity for the pasients survival, yet it not operating is a necessity for making changes to it. So do surgeons murder their pasients to get ideal circomstances for the surgery or do they operate on a moving valve? Well yes and no. If the task of pumping and oxygenating of blood is delagated to a machine, then the valve doesn’t have to work, while the pasient stays alive without a pulse during the surgery. It’s magnificently advanced yet decently safe.

Here’s to what we as a species has achieved, and what we will bring to the co-fortune of our co-beings!