Showing results for tags 'firmware'.

Found 9 results

  1. Hello everyone, I have an Allview A5 Ready phone and I need a stock ROM backup to restore my phone with SP Flash Tool. If anyone has this phone, please help me with a download link. Help me restore my phone... PLEASE.
  2. A friend with a Ford and an older version of the navigation unit that doesn't support MirrorLink told me he received from someone what appears to be a custom firmware and a JPG which, when set as the wallpaper, forces this patch, which makes the navigation unit support MirrorLink. Tutorial: https://youtu.be/cqqzhiPRZFk Files: https://mega.nz/file/pMcizDpD#4JKvMplAUNq2Anp7WnZIGJflpymvv8JT5RrpP-FNeQw The guys who made the toy limited its use to the serial number of the particular navigation unit; for these files the serial is: YU3P01X9. I ran them through Hopper a bit, but I didn't come across any conclusive clue about the serial-related limitation. If you feel like it, maybe you can throw in a hint; I haven't yet had the chance to do RE on firmware. Thx
  3. Hi. Over the last 3 months I worked on a somewhat more ambitious research project in which I wanted to cover several areas of interest - starting from IoT (especially surveillance cameras and SCADA), a bit of crypto forensics (BTC), firmware extraction (where I limited myself to binwalk, firmadyne, firmwalker as 3rd party integration), metadata extraction + hashing and an ML module using Random Forests on a synthetic database with 33 variables (vendor, device density, bug bounty programs, tech stack, the jurisdiction under which it operates, IP, ASN, services, port number, organization, packet header, MAC etc). For the l33t h@x0rs I also included an obfuscation module (via pyarmor). The project comes with complete documentation (R&D journal) covering the progress I made each day, screenshots, as well as the full bibliography - 190 titles; in total you have 174 pages of numbered and formatted content. Besides the project's topic I also touched on a few algorithms such as ssdeep, Rabin Karp, a bit of reverse engineering, industrial communication protocols, operating systems, fake ID generation, fake news generation, fake facial features generation (via GANs). The approach is a relaxed one, you get memes from time to time, nothing dense. In the repo I also included ToS.pdf, which contains the terms of use; please read it first. I recommend you start with the whitepaper first; it is the main source of information and the main component of the project. The PDF is on Google Drive. I'm attaching the link: https://drive.google.com/open?id=1ABSp209AUEKh5DkKqth_HxYidrfMzIA_ It is 167 MB, so it will probably take a while to download, but, I insist, start with this; there are many resources there, links, repos, books and case studies that will help you much more. Have fun https://github.com/cionutmihai/Philter
  4. WHEN SECURITY RESEARCHER Billy Rios reported earlier this year that he’d found vulnerabilities in a popular drug infusion pump that would allow a hacker to raise the dosage limit on medication delivered to patients, there was little cause for concern. Altering the allowable limits of a particular drug simply meant that if a caregiver accidentally instructed the pump to give too high or too low a dosage, the pump wouldn’t issue an alert. This seemed much less alarming than if the pumps had vulnerabilities that would allow a hacker to actually alter the dosage itself. Now Rios says he’s found the more serious vulnerabilities in several models of pumps made by the same manufacturer, which would allow a hacker to surreptitiously and remotely change the amount of drugs administered to a patient. “This is the first time we know we can change the dosage,” Rios told WIRED. The vulnerabilities are known to affect at least five models of drug infusion pumps made by Hospira—an Illinois firm with more than 400,000 intravenous drug pumps installed in hospitals around the world. The vulnerable models include the company’s standard PCA LifeCare pumps; its PCA3 LifeCare and PCA5 LifeCare pumps; its Symbiq line of pumps, which Hospira stopped selling in 2013 due to concerns raised by the FDA over other quality and safety issues with the pumps; and its Plum A+ model of pumps. Hospira has at least 325,000 of the latter model alone installed in hospitals worldwide. These are the systems that Rios knows are vulnerable because he’s tested them. But he suspects that the company’s Plum A+3 and its Sapphire and SapphirePlus models are equally vulnerable too. Hospira did not respond to a request for comment. Earlier this year, Rios went public with information about a different security issue with Hospira’s LifeCare pumps. This one involved drug libraries used with the pumps, which help set upper and lower boundaries for dosages of intravenous drugs a pump can safely administer. 
Because the libraries don’t require authentication, Rios found that anyone on the hospital’s network—including patients in the hospital or a hacker accessing the pumps over the Internet—can load a new drug library that alters the limits for a drug. At the time he publicly disclosed the library vulnerability, Rios told WIRED that he had not yet found any vulnerabilities that would allow him to actually alter a drug dosage, though he was working on it. But he now acknowledges that he had found these more serious vulnerabilities in the LifeCare pumps at the time and had in fact reported them to Hospira and the FDA last year. At the time he hadn’t yet tested a Plum A+ pump, however. The new vulnerabilities would allow attackers to remotely alter the firmware on the pumps, giving them complete control of the devices and the ability to alter dosages delivered to patients. And because the pumps are also vulnerable to the previous library vulnerability he disclosed, an attacker would be able to first raise the dosage above the maximum limit before delivering a potentially deadly dosage without the pump issuing an alert.

How the Firmware Security Flaw Works

The problem lies with a communication module in the LifeCare and Plum A+ pumps. Hospitals use the communication modules to update the libraries on the pumps. But the communication modules are connected via a serial cable to a circuit board in the pumps, which contains the firmware. Hospira uses this serial connection to remotely access the firmware and update it. But hackers can use it for the same purpose. The serial connection would be less of a concern if Hospira’s pumps accepted only legitimate firmware updates that were authenticated and digitally signed. But Rios says they’ll accept any update, which means anyone can alter the software on the pumps. “And if you can update the firmware on the main board, you can make the pump do whatever you like,” Rios says.
A hacker could not only change the dosage of drugs delivered to a patient but also alter the pump’s display screen to indicate a safe dosage was being delivered. The compromise of the communication module and serial cable doesn’t automatically mean a compromise of the pump. An attacker needs to know how to perform a firmware update. But Rios says it didn’t take him long to figure it out.

Hospira Denied Problem With Pumps

Rios says when he first told Hospira a year ago that hackers could update the firmware on its pumps, the company “didn’t believe it could be done.” Hospira insisted there was “separation” between the communications module and the circuit board that would make this impossible. Rios says technically there is physical separation between the two. But the serial cable provides a bridge to jump from one to the other. “From an architecture standpoint, it looks like these two modules are separated,” he says. “But when you open the device up, you can see they’re actually connected with a serial cable, and they’re connected in a way that you can actually change the core software on the pump.” An attacker wouldn’t need physical access to the pump. The communication modules are connected to hospital networks, which are in turn connected to the Internet. “You can talk to that communication module over the network or over a wireless network,” Rios warns. Hospira knows this, he says, because this is how it delivers firmware updates to its pumps. Yet despite this, he says, the company insists that “the separation makes it so you can’t hurt someone. So we’re going to develop a proof-of-concept that proves that’s not true.” He plans to demonstrate a proof-of-concept attack next month at the SummerCon security conference in Brooklyn, New York.
Rios says when he warned Hospira a year ago about the firmware problem in its LifeCare pumps, he advised the company to perform what’s called a variant analysis to determine if its other models of pumps were affected as well, but the company refused, saying the problem was confined to the LifeCare line. To prove Hospira wrong, Rios purchased and tested one of the company’s Plum A+ drug pumps and found that it had the same firmware issue. Last month, the FDA issued an alert about the firmware issue, but only in reference to Hospira’s LifeCare PCA3 and PCA5 pumps. The alert didn’t mention the other models, which could lead hospitals to believe they don’t have a security risk. Rios contacted the FDA last week to tell the agency that the vulnerability extended to Hospira’s Plum A+ line as well, but he says the federal agency asked him to withhold the finding from the public until Hospira had time to verify the issue. But Rios declined, saying Hospira had already had a year to test the Plum A+ pumps and determine if the problem extended to them, but had declined to do so. He said hospitals needed to know now that the pumps are putting patients at risk. The FDA did not respond to a request for comment. Rios is planning to obtain models from Hospira’s Sapphire line of pumps as well to prove that they’re equally vulnerable to the issue. Source
  5. Hack allows firmware to be rewritten right after older Macs awake from sleep.

Macs older than a year are vulnerable to exploits that remotely overwrite the firmware that boots up the machine, a feat that allows attackers to control vulnerable devices from the very first instruction. The attack, according to a blog post published Friday by well-known OS X security researcher Pedro Vilaca, affects Macs shipped prior to the middle of 2014 that are allowed to go into sleep mode. He found a way to reflash a Mac's BIOS using functionality contained in userland, which is the part of an operating system where installed applications and drivers are executed. By exploiting vulnerabilities such as those regularly found in Safari and other Web browsers, attackers can install malicious firmware that survives hard drive reformatting and reinstallation of the operating system. The attack is more serious than the Thunderstrike proof-of-concept exploit that came to light late last year. While both exploits give attackers the same persistent and low-level control of a Mac, the new attack doesn't require even brief physical access as Thunderstrike did. That means attackers half-way around the world may remotely exploit it. "BIOS should not be updated from userland and they have certain protections that try to mitigate against this," Vilaca wrote in an e-mail to Ars. "If BIOS are writable from userland then a rootkit can be installed into the BIOS. BIOS rootkits are more powerful than normal rootkits because they work at a lower level and can survive any machine reinstall and also BIOS updates."

You will go into a deep sleep

Vilaca's exploit works by attacking the BIOS protections immediately after a Mac restarts from sleep mode. Normally, the protection—known as FLOCKDN—allows userland apps read-only access to the BIOS region. For reasons that aren't clear to the researcher, that FLOCKDN protection is deactivated after a Mac wakes from sleep mode.
That leaves the firmware open to apps that rewrite the BIOS, a process typically known as reflashing. From there, attackers can modify the machine's extensible firmware interface (EFI), the firmware responsible for starting a Mac's system management mode and enabling other low-level functions before loading the OS. "The flash is unlocked and now you can use flashrom to update its contents from userland, including EFI binaries," Friday's blog post stated, referring to the freely available utility for reading, writing, erasing, and verifying firmware contained in flash chips. "It means Thunderstrike like rootkit strictly from userland." To work, an exploit would require a vulnerability that provides the attacker with unfettered "root" access to OS X resources. Such vulnerabilities aren't always easy to find, but they're by no means impossible, as demonstrated by the Rootpipe privilege escalation bug that came to light late last year. Vilaca said a drive-by exploit planted on a hacked or malicious website could be used to trigger the BIOS attack. "The bug can be used with a Safari or other remote vector to install an EFI rootkit without physical access," Vilaca wrote. "The only requirement is that a suspended happened [sic] in the current session. I haven’t researched but you could probably force the suspend and trigger this, all remotely. That’s pretty epic ownage ;-)." An attacker could add code that deliberately sends a targeted Mac into sleep, or the exploit could be programmed to detonate the BIOS payload the next time a machine comes out of sleep mode. In either case, once the Mac awakes it would be possible for the attacker to bypass OS X firmware protections and rewrite the BIOS. "An exploit could either verify if the computer already went previously into sleep mode and it's exploitable, it could wait until the computer goes to sleep, or it can force the sleep itself and wait for user intervention to resume the session," Vilaca told Ars. 
"I'm not sure most users would suspect anything fishy is going on if their computer just goes to sleep. That is the default setting anyway on OS X." As was the case with Thunderstrike, Vilaca said he doesn't think his attack is likely to be exploited on a mass scale. Instead, it would likely be exploited only in highly targeted attacks, say those carried out against high-value targets the attackers know and have a high interest in. Vilaca said he has confirmed his attack works against a MacBook Pro Retina, a MacBook Pro 8.2 and a MacBook Air, all of which ran the latest available EFI firmware from Apple. He said Macs released since mid to late 2014 appear to be immune to the attacks. He said he wasn't sure if Apple silently patched the vulnerability on newer machines or if it was fixed accidentally. Ars has asked Apple for comment, but company officials generally don't discuss security issues until a fix has been released. At the moment, Vilaca said, there isn't much users of vulnerable machines can do to prevent exploits other than to change default OS X settings that put machines to sleep when not in use. More advanced users can download software made available by Trammell Hudson, creator of the Thunderstrike exploit. Available here and here, Hudson's software dumps the contents of a Mac's BIOS chip so users can compare the results against firmware files provided by Apple. This safeguard doesn't prevent users from having their Mac firmware rewritten, but it will alert them if such an attack has occurred. "I asked Apple to start publishing these files and their signatures so we can have a good baseline to compare against," Vilaca wrote in his blog post. "Hopefully they will do this one day. I built some tools for this purpose but they aren't public." While the attack isn't likely to be exploited on a mass scale, it's also not hard for people with above-average skill to carry it out. 
The technique joins a growing roster of attacks that rewrite firmware with a malicious replacement. Besides Thunderstrike, such exploits include BadUSB and attacks against VoIP phones, home and small office routers, and hacks tied to the National Security Agency that hid inside the firmware of hard disk drives. Given the inability of most current security products to detect malicious firmware, such attacks could one day represent a significant threat unless manufacturers devise ways to ensure the authenticity of the firmware powering the devices they sell. "We need to think different and start a trust chain from hardware to software," Vilaca wrote. "Everyone is trying to solve problems starting from software when the hardware is built on top of weak foundations. Apple has a great opportunity here because they control their full supply chain and their own designs. I hope they finally see the light and take over this great opportunity." Headline updated to remove the word "remote" since the hack involves use of a local exploit. Source
  6. One of the most shocking parts of the recently discovered spying network Equation Group is its mysterious module designed to reprogram or reflash a computer hard drive’s firmware with malicious code. The Kaspersky researchers who uncovered this said its ability to subvert hard drive firmware—the guts of any computer—“surpasses anything else” they had ever seen. The hacking tool, believed to be a product of the NSA, is significant because subverting the firmware gives the attackers God-like control of the system in a way that is stealthy and persistent even through software updates. The module, named “nls_933w.dll”, is the first of its kind found in the wild and is used with both the EquationDrug and GrayFish spy platforms Kaspersky uncovered. It also has another capability: to create invisible storage space on the hard drive to hide data stolen from the system so the attackers can retrieve it later. This lets spies like the Equation Group bypass disk encryption by secreting documents they want to seize in areas that don’t get encrypted. Kaspersky has so far uncovered 500 victims of the Equation Group, but only five of these had the firmware-flashing module on their systems. The flasher module is likely reserved for significant systems that present special surveillance challenges. Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, believes these are high-value computers that are not connected to the internet and are protected with disk encryption. Here’s what we know about the firmware-flashing module.

How It Works

Hard drive disks have a controller, essentially a mini-computer, that includes a memory chip or flash ROM where the firmware code for operating the hard drive resides.
When a machine is infected with EquationDrug or GrayFish, the firmware flasher module gets deposited onto the system and reaches out to a command server to obtain payload code that it then flashes to the firmware, replacing the existing firmware with a malicious one. The researchers uncovered two versions of the flasher module: one that appears to have been compiled in 2010 and is used with EquationDrug and one with a 2013 compilation date that is used with GrayFish. The Trojanized firmware lets attackers stay on the system even through software updates. If a victim, thinking his or her computer is infected, wipes the computer’s operating system and reinstalls it to eliminate any malicious code, the malicious firmware code remains untouched. It can then reach out to the command server to restore all of the other malicious components that got wiped from the system. Even if the firmware itself is updated with a new vendor release, the malicious firmware code may still persist because some firmware updates replace only parts of the firmware, meaning the malicious portions may not get overwritten with the update. The only solution for victims is to trash their hard drive and start over with a new one. The attack works because firmware was never designed with security in mind. Hard disk makers don’t cryptographically sign the firmware they install on drives the way software vendors do. Nor do hard drive disk designs have authentication built in to check for signed firmware. This makes it possible for someone to change the firmware. And firmware is the perfect place to conceal malware because antivirus scanners don’t examine it. There’s also no easy way for users to read the firmware and manually check if it’s been altered. The firmware flasher module can reprogram the firmware of more than a dozen different hard drive brands, including IBM, Seagate, Western Digital, and Toshiba. “You know how much effort it takes to land just one firmware for a hard drive?
You need to know specifications, the CPU, the architecture of the firmware, how it works,” Raiu says. The Kaspersky researchers have called it “an astonishing technical accomplishment and is testament to the group’s abilities.” Once the firmware is replaced with the Trojanized version, the flasher module creates an API that can communicate with other malicious modules on the system and also access hidden sectors of the disk where the attackers want to conceal data they intend to steal. They hide this data in the so-called service area of the hard drive disk where the hard disk stores data needed for its internal operation.

Hidden Storage Is the Holy Grail

The revelation that the firmware hack helps store data the attackers want to steal didn’t get much play when the story broke last week, but it’s the most significant part of the hack. It also raises a number of questions about how exactly the attackers are pulling this off. Without an actual copy of the firmware payload that gets flashed to infected systems, there’s still a lot that’s unknown about the attack, but some of it can be surmised. The ROM chip that contains the firmware includes a small amount of storage that goes unused. If the ROM chip is 2 megabytes, the firmware might take up just 1.5 megabytes, leaving half a megabyte of unused space that can be employed for hiding data the attackers want to steal. This is particularly useful if the computer has disk encryption enabled. Because the EquationDrug and GrayFish malware run in Windows, they can grab a copy of documents while they’re unencrypted and save them to this hidden area on the machine that doesn’t get encrypted. There isn’t much space on the chip for a lot of data or documents, however, so the attackers can also just store something equally as valuable to bypass encryption.
“Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area,” Raiu says. Authorities could later grab the computer, perhaps through border interdiction or something the NSA calls “customs opportunities,” and extract the password from this hidden area to unlock the encrypted disk. Raiu thinks the intended targets of such a scheme are limited to machines that are not connected to the internet and have encrypted hard drives. One of the five machines they found hit with the firmware flasher module had no internet connection and was used for special secure communications. “[The owners] only use it in some very specific cases where there is no other way around it,” Raiu says. “Think about Bin Laden who lived in the desert in an isolated compound—doesn’t have internet and no electronic footprint. So if you want information from his computer how do you get it? You get documents into the hidden area and you wait, and then after one or two years you come back and steal it. The benefits [of using this] are very specific.” Raiu thinks, however, that the attackers have a grander scheme in mind. “In the future probably they want to take it to the next level where they just copy all the documents [into the hidden area] instead of the password. [Then] at some point, when they have an opportunity to have physical access to the system, they can then access that hidden area and get the unencrypted docs.” They wouldn’t need the password if they could copy an entire directory from the operating system to the hidden sector for accessing later. But the flash chip where the firmware resides is too small for large amounts of data. So the attackers would need a bigger hidden space for storage. Luckily for them, it exists. 
There are large sectors in the service area of the hard drive disk that are also unused and could be commandeered to store a large cache of documents, even ones that might have been deleted from other parts of the computer. This service area, also called the reserved area or system area, stores the firmware and other data needed to operate drives, but it also contains large portions of unused space. An interesting paper (.pdf) published in February 2013 by Ariel Berkman, a data recovery specialist at the Israeli firm Recover, noted “not only that these areas can’t be sanitized (via standard tools), they cannot be accessed via anti-virus software [or] computer forensics tools.” Berkman points out that one particular model of Western Digital drives has 141 MB reserved for the service area, but only uses 12 MB of this, leaving the rest free for stealth storage. To write or copy data to service area requires special commands that are specific to each vendor and are not publicly documented, so an attacker would need to uncover what these are. But once they do, “[b]y sending Vendor Specific Commands (VSCs) directly to the hard-drive, one can manipulate these [service] areas to read and write data that are otherwise inaccessible,” Berkman writes. It is also possible, though not trivial, to write a program to automatically copy documents to this area. Berkman himself wrote a proof-of-concept program to read and write a file of up to 94 MB to the service area, but the program was a bit unstable and he noted that it could cause some data loss or cause the hard drive to fail. One problem with hiding large amounts of data like this, however, is that its presence might be detected by examining the size of the used space in the service area. If there should be 129 MB of unused space in this sector but there’s only 80 MB, it’s a dead giveaway that something is there that shouldn’t be.
But a leaked NSA document that was written in 2006 but was published by Der Spiegel last month suggests the spy agency might have resolved this particular problem.

NSA Interns to the Rescue

The document (.pdf) is essentially a wish list of future spy capabilities the NSA hoped to develop for its so-called Persistence Division, a division that has an attack team within it that focuses on establishing and maintaining persistence on compromised machines by subverting their firmware, BIOS, BUS or drivers. The document lists a number of projects the NSA put together for interns to tackle on behalf of this attack team. Among them is the “Covert Storage” project for developing a hard drive firmware implant that can prevent covert storage on disks from being detected. To do this, the implant prevents the system from disclosing the true amount of free space available on the disk. “The idea would be to modify the firmware of a particular hard drive so that it normally only recognizes, say, half of its available space,” the document reads. “It would report this size back to the operating system and not provide any way to access the additional space.” Only one partition of the drive would be visible on the partition table, leaving the other partitions—where the hidden data was stored—invisible and inaccessible. The modified firmware would have a special hook embedded in it that would unlock this hidden storage space only after a custom command was sent to the drive and the computer was rebooted. The hidden partition would then be available on the partition table and accessible until the secret storage was locked again with another custom command. How exactly the spy agency planned to retrieve the hidden data was unclear from the eight-year-old document. Also unclear is whether the interns ever produced a firmware implant that accomplished what the NSA sought.
But given that the document includes a note that interns would be expected to produce a solution for their project within six months after assignment, and considering the proven ingenuity of the NSA in other matters, they no doubt figured it out. Source
  7. One of the most shocking parts of the recently discovered spying network Equation Group is its mysterious module designed to reprogram or reflash a computer hard drive’s firmware with malicious code. The Kaspersky researchers who uncovered this said its ability to subvert hard drive firmware—the guts of any computer—“surpasses anything else” they had ever seen. The hacking tool, believed to be a product of the NSA, is significant because subverting the firmware gives the attackers God-like control of the system in a way that is stealthy and persistent even through software updates. The module, named “nls_933w.dll”, is the first of its kind found in the wild and is used with both the EquationDrug and GrayFish spy platforms Kaspersky uncovered. It also has another capability: to create invisible storage space on the hard drive to hide data stolen from the system so the attackers can retrieve it later. This lets spies like the Equation Group bypass disk encryption by secreting documents they want to seize in areas that don’t get encrypted. Kaspersky has so far uncovered 500 victims of the Equation Group, but only five of these had the firmware-flashing module on their systems. The flasher module is likely reserved for significant systems that present special surveillance challenges. Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, believes these are high-value computers that are not connected to the internet and are protected with disk encryption. Here’s what we know about the firmware-flashing module. How It Works Hard drive disks have a controller, essentially a mini-computer, that includes a memory chip or flash ROM where the firmware code for operating the hard drive resides. 
When a machine is infected with EquationDrug or GrayFish, the firmware flasher module gets deposited onto the system and reaches out to a command server to obtain payload code that it then flashes to the firmware, replacing the existing firmware with a malicious one. The researchers uncovered two versions of the flasher module: one that appears to have been compiled in 2010 and is used with EquationDrug and one with a 2013 compilation date that is used with GrayFish.

The Trojanized firmware lets attackers stay on the system even through software updates. If a victim, thinking his or her computer is infected, wipes the computer’s operating system and reinstalls it to eliminate any malicious code, the malicious firmware code remains untouched. It can then reach out to the command server to restore all of the other malicious components that got wiped from the system. Even if the firmware itself is updated with a new vendor release, the malicious firmware code may still persist because some firmware updates replace only parts of the firmware, meaning the malicious portions may not get overwritten with the update. The only solution for victims is to trash their hard drive and start over with a new one.

The attack works because firmware was never designed with security in mind. Hard disk makers don’t cryptographically sign the firmware they install on drives the way software vendors do. Nor do hard drive disk designs have authentication built in to check for signed firmware. This makes it possible for someone to change the firmware. And firmware is the perfect place to conceal malware because antivirus scanners don’t examine it. There’s also no easy way for users to read the firmware and manually check if it’s been altered.

The firmware flasher module can reprogram the firmware of more than a dozen different hard drive brands, including IBM, Seagate, Western Digital, and Toshiba. “You know how much effort it takes to land just one firmware for a hard drive? You need to know specifications, the CPU, the architecture of the firmware, how it works,” Raiu says. The Kaspersky researchers have called it “an astonishing technical accomplishment and is testament to the group’s abilities.”

Once the firmware is replaced with the Trojanized version, the flasher module creates an API that can communicate with other malicious modules on the system and also access hidden sectors of the disk where the attackers want to conceal data they intend to steal. They hide this data in the so-called service area of the hard drive disk where the hard disk stores data needed for its internal operation.

Hidden Storage Is the Holy Grail

The revelation that the firmware hack helps store data the attackers want to steal didn’t get much play when the story broke last week, but it’s the most significant part of the hack. It also raises a number of questions about how exactly the attackers are pulling this off. Without an actual copy of the firmware payload that gets flashed to infected systems, there’s still a lot that’s unknown about the attack, but some of it can be surmised.

The ROM chip that contains the firmware includes a small amount of storage that goes unused. If the ROM chip is 2 megabytes, the firmware might take up just 1.5 megabytes, leaving half a megabyte of unused space that can be employed for hiding data the attackers want to steal. This is particularly useful if the computer has disk encryption enabled. Because the EquationDrug and GrayFish malware run in Windows, they can grab a copy of documents while they’re unencrypted and save them to this hidden area on the machine that doesn’t get encrypted. There isn’t much space on the chip for a lot of data or documents, however, so the attackers can also just store something equally as valuable to bypass encryption.
“Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area,” Raiu says. Authorities could later grab the computer, perhaps through border interdiction or something the NSA calls “customs opportunities,” and extract the password from this hidden area to unlock the encrypted disk.

Raiu thinks the intended targets of such a scheme are limited to machines that are not connected to the internet and have encrypted hard drives. One of the five machines they found hit with the firmware flasher module had no internet connection and was used for special secure communications. “[The owners] only use it in some very specific cases where there is no other way around it,” Raiu says. “Think about Bin Laden who lived in the desert in an isolated compound—doesn’t have internet and no electronic footprint. So if you want information from his computer how do you get it? You get documents into the hidden area and you wait, and then after one or two years you come back and steal it. The benefits [of using this] are very specific.”

Raiu thinks, however, that the attackers have a grander scheme in mind. “In the future probably they want to take it to the next level where they just copy all the documents [into the hidden area] instead of the password. [Then] at some point, when they have an opportunity to have physical access to the system, they can then access that hidden area and get the unencrypted docs.”

They wouldn’t need the password if they could copy an entire directory from the operating system to the hidden sector for accessing later. But the flash chip where the firmware resides is too small for large amounts of data. So the attackers would need a bigger hidden space for storage. Luckily for them, it exists.
There are large sectors in the service area of the hard drive disk that are also unused and could be commandeered to store a large cache of documents, even ones that might have been deleted from other parts of the computer. This service area, also called the reserved area or system area, stores the firmware and other data needed to operate drives, but it also contains large portions of unused space.

An interesting paper (.pdf) published in February 2013 by Ariel Berkman, a data recovery specialist at the Israeli firm Recover, noted “not only that these areas can’t be sanitized (via standard tools), they cannot be accessed via anti-virus software [or] computer forensics tools.” Berkman points out that one particular model of Western Digital drives has 141 MB reserved for the service area, but only uses 12 MB of this, leaving the rest free for stealth storage.

To write or copy data to the service area requires special commands that are specific to each vendor and are not publicly documented, so an attacker would need to uncover what these are. But once they do, “[b]y sending Vendor Specific Commands (VSCs) directly to the hard-drive, one can manipulate these [service] areas to read and write data that are otherwise inaccessible,” Berkman writes. It is also possible, though not trivial, to write a program to automatically copy documents to this area. Berkman himself wrote a proof-of-concept program to read and write a file of up to 94 MB to the service area, but the program was a bit unstable and he noted that it could cause some data loss or cause the hard drive to fail.

One problem with hiding large amounts of data like this, however, is that its presence might be detected by examining the size of the used space in the service area. If there should be 129 MB of unused space in this sector but there’s only 80 MB, it’s a dead giveaway that something is there that shouldn’t be.
But a leaked NSA document that was written in 2006 but was published by Der Spiegel last month suggests the spy agency might have resolved this particular problem.

NSA Interns to the Rescue

The document (.pdf) is essentially a wish list of future spy capabilities the NSA hoped to develop for its so-called Persistence Division, a division that has an attack team within it that focuses on establishing and maintaining persistence on compromised machines by subverting their firmware, BIOS, BUS or drivers. The document lists a number of projects the NSA put together for interns to tackle on behalf of this attack team. Among them is the “Covert Storage” project for developing a hard drive firmware implant that can prevent covert storage on disks from being detected. To do this, the implant prevents the system from disclosing the true amount of free space available on the disk.

“The idea would be to modify the firmware of a particular hard drive so that it normally only recognizes, say, half of its available space,” the document reads. “It would report this size back to the operating system and not provide any way to access the additional space.” Only one partition of the drive would be visible on the partition table, leaving the other partitions—where the hidden data was stored—invisible and inaccessible.

The modified firmware would have a special hook embedded in it that would unlock this hidden storage space only after a custom command was sent to the drive and the computer was rebooted. The hidden partition would then be available on the partition table and accessible until the secret storage was locked again with another custom command.

How exactly the spy agency planned to retrieve the hidden data was unclear from the eight-year-old document. Also unclear is whether the interns ever produced a firmware implant that accomplished what the NSA sought. But given that the document includes a note that interns would be expected to produce a solution for their project within six months after assignment, and considering the proven ingenuity of the NSA in other matters, they no doubt figured it out.

Source: How the NSA's Firmware Hacking Works and Why It's So Unsettling | WIRED
  8. CANCUN – BadUSB was the hot hack of the summer of 2014. Noted researcher Karsten Nohl delivered a talk at Black Hat during which he explained how USB controller chips in peripheral devices that connect over USB can be reprogrammed. The result is a completely compromised device hosting undetectable code that could be used for a number of malicious purposes, including remote code execution or traffic redirection.

While the situation is bad enough for IT systems that would be in line for serious data loss, would the effect be similar on the processes under the watch of industrial control systems? Today at the Kaspersky Lab Security Analyst Summit, Michael Toecker of Context Industrial Security delivered what he termed a public service announcement in which he explained how a riff on BadUSB attacks could indeed be carried out against industrial equipment.

While the risks are still admittedly theoretical, Toecker reported that USB-to-serial converters used to connect to critical hardware via old-school nine-pin serial ports can be abused to manipulate ICS gear by installing reprogrammed firmware. “Engineers trust these [serial] connections more than Ethernet in ICS; if they have a choice, they pick serial vs Ethernet, because they trust that,” Toecker said. “What engineers don’t see is that bump in the wire that could be programmed maliciously, Telnet over two wires. That’s what I thought of when I heard about BadUSB.”

To test his theory, Toecker said he bought 20 different USB-to-serial converters online, ripped them apart and used a number of resources to try to figure out whether the chips inside them could be reprogrammed BadUSB style. Of the 20, he learned that 15 from ATMEGA, FTDI, WCH, Prolific and SiLabs, were essentially not re-programmable. “It wasn’t as bad as I thought,” Toecker said.
“I was not able to change the underlying functionality via USB ports.”

Of the remaining converters, a processor from Texas Instruments, the TUSB 3410, was reprogrammable, making it a definite risk, Toecker said. An attacker who is able to modify firmware will be able to maintain persistence on a system, run code, or deny attempts to update existing issues on the chip.

In the case of the TUSB 3410, the chip has two modes of operation, Toecker said; one is where firmware is pulled from a chip on the board, or another where firmware is pulled from a driver on the host machine. “Drivers installed on the host will provide firmware to the device and then run that firmware and do what it’s supposed to do after that,” Toecker said. “That’s the badness of BadUSB.” BadUSB, for example, continues to propagate because it is persistent on the chip and undetectable.

Mitigating the risk with USB-to-serial converters is that an attacker would have to be on an ICS system hosting the drivers. “If you were to plug that USB-to-serial converter into anything else, it would not function because you did not have the correct drivers. But if you did have the correct drivers it would then go through the same process but provide good firmware,” Toecker said. “You have to own the host that’s on it. This is why it’s of a less severity of a normal BadUSB infection.”

Source
  9. I was bored over coffee and looking for something to play with, so I came across binwalk.

1. Download binwalk and extract the files from the archive

root@pluto:~# wget https://github.com/devttys0/binwalk/archive/v1.3.0.tar.gz
root@pluto:~# tar zxvf v1.3.0.tar.gz
root@pluto:~# cd binwalk-1.3.0/

2. Install the main dependencies for binwalk as well as some unpacking tools

root@pluto:~/binwalk-1.3.0# apt-get install python-magic
root@pluto:~/binwalk-1.3.0# apt-get install libfuzzy2
root@pluto:~/binwalk-1.3.0# apt-get install python-opengl python-qt4 python-qt4-gl python-numpy python-scipy
root@pluto:~/binwalk-1.3.0# apt-get install mtd-utils zlib1g-dev liblzma-dev ncompress gzip bzip2 tar arj p7zip p7zip-full openjdk-6-jdk squashfs-tools
root@pluto:~/binwalk-1.3.0# wget http://www.pyqtgraph.org/downloads/pyqtgraph-0.9.8.tar.gz
root@pluto:~/binwalk-1.3.0# tar zxvf pyqtgraph-0.9.8.tar.gz
root@pluto:~/binwalk-1.3.0# cd pyqtgraph-0.9.8/
root@pluto:~/binwalk-1.3.0/pyqtgraph-0.9.8# python setup.py install

3. Install binwalk

root@pluto:~/binwalk-1.3.0/pyqtgraph-0.9.8# cd ../src/
root@pluto:~/binwalk-1.3.0/src# python setup.py install

4. Delete the archive and the source directory we built from

root@pluto:~/binwalk-1.3.0/src# cd
root@pluto:~# rm -rf v1.3.0.tar.gz binwalk-1.3.0/

5. Let's run a few tests on a router image taken from DD-WRT

root@pluto:~# su - marian
marian@pluto:~$ cd work/
marian@pluto:~/work$ wget ftp://ftp.dd-wrt.com/stable/dd-wrt.v23/standard/dd-wrt.v23_generic.bin
marian@pluto:~/work$ binwalk dd-wrt.v23_generic.bin

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0           0x0         TRX firmware header, little endian, header size: 28 bytes, image size: 3522560 bytes, CRC32: 0x54888AF2 flags: 0x0, version: 1
28          0x1C        gzip compressed data, maximum compression, from Unix, NULL date: Thu Jan 1 01:00:00 1970
2264        0x8D8       LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 1941504 bytes
604396      0x938EC     Squashfs filesystem, little endian, version 2.1, size: 2912869 bytes, 793 inodes, blocksize: 65536 bytes, created: Sun Dec 25 17:00:26 2005

6. What we are interested in is in the filesystem. We will extract everything after 604396 with dd into an image.

marian@pluto:~/work$ dd if=dd-wrt.v23_generic.bin bs=1 skip=604396 of=ddwrt.squashfs
2918164+0 records in
2918164+0 records out
2918164 bytes (2.9 MB) copied, 2.72447 s, 1.1 MB/s

7. Let's see how the image extracted with dd looks compared with the original.

marian@pluto:~/work$ binwalk ddwrt.squashfs

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0           0x0         Squashfs filesystem, little endian, version 2.1, size: 2912869 bytes, 793 inodes, blocksize: 65536 bytes, created: Sun Dec 25 17:00:26 2005

marian@pluto:~/work$ file ddwrt.squashfs
ddwrt.squashfs: Squashfs filesystem, little endian, version 2.1, 2912869 bytes, 793 inodes, blocksize: 65536 bytes, created: Sun Dec 25 17:00:26 2005

From here I think you can play around yourselves (squashfs/unsquashfs). The holy documentation can be found here: Wiki | Binwalk

Have fun playing ;-)
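The binwalk output in the post above reports a TRX header (28 bytes, image size, CRC32, flags, version). The following is an added example, not part of the original post or of binwalk, that parses and checks such a header directly. It assumes the TRX v1 layout (magic HDR0, three partition offsets, CRC32 stored without the final XOR), and the sample image is constructed, not real firmware.

```python
import struct
import zlib

# Assumption: TRX v1 layout as used by Broadcom-based router images: magic,
# length, CRC32, flags, version, three partition offsets (all little endian).
TRX_MAGIC = b"HDR0"
TRX_HEADER = struct.Struct("<4sIIHH3I")  # 28 bytes


def trx_crc(data):
    """CRC32 as TRX stores it: no final XOR, i.e. the inverted zlib CRC."""
    return ~zlib.crc32(data) & 0xFFFFFFFF


def parse_trx(image):
    """Validate a TRX v1 header and return its fields and partition spans."""
    if len(image) < TRX_HEADER.size:
        raise ValueError("image shorter than the 28-byte TRX header")
    magic, length, crc, flags, version, *offsets = TRX_HEADER.unpack_from(image)
    if magic != TRX_MAGIC:
        raise ValueError("not a TRX image")
    if length < TRX_HEADER.size or length > len(image):
        raise ValueError("declared image size %d does not fit the file" % length)
    # The CRC covers everything from the flags field (offset 12) to the declared
    # end. A match only detects corruption: anyone repacking can recompute it.
    crc_ok = trx_crc(image[12:length]) == crc
    # Unused partition slots are 0; each partition runs up to the next offset.
    starts = [o for o in offsets if o]
    if starts != sorted(starts) or any(o < TRX_HEADER.size or o >= length for o in starts):
        raise ValueError("partition offsets out of range or out of order")
    ends = starts[1:] + [length]
    return {"length": length, "crc": crc, "crc_ok": crc_ok, "flags": flags,
            "version": version, "partitions": list(zip(starts, ends))}


def build_sample_trx(parts):
    """Constructed test image (header plus dummy payloads, not real firmware)."""
    offsets, body, pos = [], b"", TRX_HEADER.size
    for p in parts:
        offsets.append(pos)
        body += p
        pos += len(p)
    offsets += [0] * (3 - len(offsets))
    tail = struct.pack("<HH3I", 0, 1, *offsets) + body
    return struct.pack("<4sII", TRX_MAGIC, 12 + len(tail), trx_crc(tail)) + tail


if __name__ == "__main__":
    img = build_sample_trx([b"\x1f\x8b" + b"L" * 30, b"\x5d" + b"K" * 63, b"hsqs" + b"R" * 96])
    print(parse_trx(img))
    print("tampered crc_ok:", parse_trx(img[:-1] + b"X")["crc_ok"])
```

Applied to an image like the one in the post, a third offset of 604396 with a declared size of 3522560 gives the 2918164-byte span that dd copied.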