2025-02-25 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
I would like to share with you an example analysis of an unexpected memory leak in a server. I believe most people do not know much about this topic, so I am sharing this article for reference. I hope you will learn a lot from it. Let's get started!
Start the analysis
Our router uses a Macronix MX15L12835FMI flash memory chip (16-pin SOP):
First, I needed to observe the chip's normal operation. While investigating, I found that the flash is accessed only rarely: when the device boots (and loads the whole operating system) and when the Web management panel is used. The flash chip appears to run in single SPI mode, and its regular read commands look like this:
The sequence begins with a 05 FF command, which reads the status register according to the datasheet. My original goal was to tamper with the flash read command and use it to read other data from the disk.
Since the SPI command is synchronous with the clock signal, my attack can be synchronised to the same clock: I count the rising edges of the clock, ground pin 15 of the flash chip after a given number of clock cycles, and thereby modify the read command so that it reads other data. Zooming in on the clock signal shows that the data line only changes on the falling edge of the clock, so the attack should work.
First, we open the device's serial console and run cat /dev/mtdblock0 to trigger a flash read command. The unmodified command looks like this:
For comparison, I ran cat /dev/mtdblock2:
Next, I connected a transistor and an FPGA: the FPGA reads the clock signal and drives the transistor, which grounds pin 15 for a set number of clock cycles and corrupts part of the address in the read instruction:
I also wrote a script that waits for a given number of clock cycles and then modifies the flash read operation; I then ran cat /dev/mtdblock2 and monitored the commands on the flash with the oscilloscope:
If you look closely, you can see the remnants of the original flash read on the right (the original command for /dev/mtdblock2 is 03 01 00 00), and we can verify the result by running cat /dev/mtdblock2:
Note that the command executed successfully and the first block of /dev/mtdblock2 is now identical to the earlier dump of /dev/mtdblock0, which shows that the manipulation worked.
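To make the clock-cycle arithmetic behind the glitch concrete, here is a bit-level model of the single-SPI READ command (opcode 03h followed by a 24-bit address, one bit per clock, MSB first) and of what the flash chip samples when the data-in line is held low during chosen clock cycles. This is an added example written for this page, not code from the original article; the partition layout is constructed so that mtdblock0 starts at 0x000000 and mtdblock2 at 0x010000, matching the 03 01 00 00 command quoted above. Cycle numbers count rising edges from 0 at the first opcode bit; the pin number, the FPGA and the transistor are not modelled.

```python
"""Model of an SPI READ (03h) command as sampled by a flash chip when the
data-in line is forced low on selected clock cycles.

Added example, not the article's code. Assumptions (labelled here and in
comments): single-SPI command phase, 3-byte address, MSB first, one bit
per rising clock edge; the partition table is a constructed illustration.
"""

READ_OPCODE = 0x03
ADDR_BYTES = 3
ADDR_BITS = 8 * ADDR_BYTES

# Constructed partition layout: (name, start offset, length in bytes).
# Only the two partitions named on the page are listed; the device's real
# layout is not known from the article.
PARTITIONS = [
    ("mtdblock0", 0x000000, 0x010000),
    ("mtdblock2", 0x010000, 0xFF0000),
]


def command_bits(opcode, addr):
    """Serialise opcode + 24-bit address into the bits clocked out on the
    data-in line, MSB first: cycles 0-7 carry the opcode, 8-31 the address."""
    payload = bytes([opcode]) + addr.to_bytes(ADDR_BYTES, "big")
    return [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]


def apply_glitch(bits, forced_low_cycles):
    """Return the stream as the chip samples it when the data-in line is
    pulled to ground on the given rising-edge cycle numbers."""
    forced = set(forced_low_cycles)
    return [0 if cycle in forced else bit for cycle, bit in enumerate(bits)]


def decode_command(bits):
    """Reassemble (opcode, address) from the sampled bit stream."""
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    addr = value & ((1 << ADDR_BITS) - 1)
    opcode = value >> ADDR_BITS
    return opcode, addr


def cycles_for_address_bit(bit_index):
    """Clock cycle on which address bit `bit_index` (0 = LSB of the last
    address byte) is sampled. Bit 23 arrives on cycle 8, bit 0 on cycle 31."""
    return 8 + (ADDR_BITS - 1 - bit_index)


def partition_for(addr):
    """Name of the constructed partition containing `addr`, or None."""
    for name, start, length in PARTITIONS:
        if start <= addr < start + length:
            return name
    return None


def simulate_read(addr, forced_low_cycles=()):
    """Compare the read the host requested with the read the chip performs
    after the data-in line is grounded on the given cycles."""
    sampled = apply_glitch(command_bits(READ_OPCODE, addr), forced_low_cycles)
    opcode, seen_addr = decode_command(sampled)
    return {
        "requested": addr,
        "requested_partition": partition_for(addr),
        "seen": seen_addr,
        "seen_partition": partition_for(seen_addr),
        "opcode": opcode,
        # A glitch landing in cycles 0-7 corrupts the opcode instead of the
        # address, so the chip would execute a different command entirely.
        "opcode_intact": opcode == READ_OPCODE,
    }


if __name__ == "__main__":
    target_cycle = cycles_for_address_bit(16)   # bit 16 is the 01 in 03 01 00 00
    for cycles in ((), (target_cycle,), (7,)):
        r = simulate_read(0x010000, cycles)
        print(f"forced low on {list(cycles)!s:>6}: "
              f"{r['requested']:06x} ({r['requested_partition']}) -> "
              f"{r['seen']:06x} ({r['seen_partition']}), "
              f"opcode {r['opcode']:02x}, intact={r['opcode_intact']}")
```

Grounding the line on exactly cycle 15 clears address bit 16 and turns the request for mtdblock2 into a read of mtdblock0, which is the outcome the article observed; the same model also shows why the timing is so sensitive: the same pulse one cycle early or late clears a different address bit, and a pulse within the first eight cycles alters the opcode rather than the address.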
Now we can use this method against the Web server interface. If I can cause a resource on the disk to fail to load, I can in theory make the server read whatever I want, for instance retrieving the firmware file through a Web request.
However, I soon ran into the following problem:
Although I can read any block from the physical flash, I cannot guarantee that the data will be decompressed correctly. The Web server seemed to keep working, but one of its images no longer loaded correctly. After examining it in Burp, I quickly found the culprit:
This is the response to a valid request for /wireless_1.gif. I can tell it is not a valid GIF file, but I do not know what it is; I guess it comes either from the Web server's memory or from a block of data on the disk.
To test this, I walked through the entire Web application and then sent a fresh request for /wireless_1.gif:
Remarkably, the gif file changed by itself, and I did not observe any other SPI traffic, which means I had triggered a memory leak (probably a use-after-free bug). The only regret is that the leaked data is not the target system's password file.
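The symptom that gave the leak away was a response that claimed to be a GIF but was not one. A defender auditing a device for this class of fault can check served assets the same way: parse the declared format and flag any body that does not match. The following is an added example, not code from the article or the router's firmware; it parses only the GIF header (signature plus logical screen descriptor) and uses constructed sample bodies, since the page does not reproduce the bytes that Burp showed.

```python
"""Check that a served asset is really the format its path promises.

Added example, not the article's code. Only the GIF header is parsed:
6-byte signature (GIF87a / GIF89a) and the 7-byte logical screen
descriptor that follows it. Sample bodies below are constructed.
"""
import struct

GIF_HEADER_LEN = 13  # 6-byte signature + 7-byte logical screen descriptor


def parse_gif_header(data):
    """Return the logical-screen fields of a GIF, or None if `data` does not
    start with a well-formed GIF header."""
    if len(data) < GIF_HEADER_LEN:
        return None
    signature, version = data[:3], data[3:6]
    if signature != b"GIF" or version not in (b"87a", b"89a"):
        return None
    # Logical screen descriptor: width, height (little-endian u16),
    # packed flags, background colour index, pixel aspect ratio.
    width, height, packed, bg_index, aspect = struct.unpack("<HHBBB", data[6:13])
    has_gct = bool(packed & 0x80)
    gct_entries = 2 ** ((packed & 0x07) + 1) if has_gct else 0
    return {
        "version": version.decode("ascii"),
        "width": width,
        "height": height,
        "global_color_table_entries": gct_entries,
        "background_index": bg_index,
    }


def check_asset(path, body):
    """Classify a response body against the extension of its path.
    Returns ("ok", header), ("mismatch", None) or ("unchecked", None)."""
    if path.lower().endswith(".gif"):
        header = parse_gif_header(body)
        return ("ok", header) if header else ("mismatch", None)
    return ("unchecked", None)


# Constructed samples: a minimal valid GIF header with a 2-entry colour
# table and trailer, and an arbitrary non-GIF body standing in for the
# leaked bytes the article describes (the real bytes are not on the page).
VALID_GIF = (b"GIF89a"
             + struct.pack("<HHBBB", 16, 8, 0x80, 0, 0)
             + b"\x00\x00\x00\xff\xff\xff"
             + b"\x3b")
LEAKED_BODY = b"\x00\x11\x22\x33" * 8


if __name__ == "__main__":
    for path, body in (("/wireless_1.gif", VALID_GIF),
                       ("/wireless_1.gif", LEAKED_BODY),
                       ("/index.html", b"<html></html>")):
        status, header = check_asset(path, body)
        print(f"{path}: {status} {header or ''}")
```

Run against a crawl of the management interface, the "mismatch" verdicts point at exactly the resources whose bytes came from somewhere other than the file they were supposed to be, which is the first observable sign of the fault this article describes.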
That is the whole of the article "Sample analysis of an unexpected memory leak in a server". Thank you for reading! I hope the content has been helpful; if you want to learn more, you are welcome to follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.