
Example Analysis of a VxWorks Encryption Vulnerability

2025-01-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains in detail an example analysis of a VxWorks encryption vulnerability. The editor considers it very practical and shares it here for reference; I hope you gain something from reading it.

Main text

The analysis of industrial-control firmware (usually VxWorks) follows a fixed set of steps, which can be summarized as follows:

1. Use binwalk to view the basic firmware information and extract the firmware.

2. Confirm information about the extracted firmware, such as the CPU type and the byte order (endianness) the firmware was compiled for.

3. Determine the firmware load address, which is usually 0x10000 (the original text does not explain how to find the load address).

4. Load the firmware into the IDA Pro disassembler and repair the function names.

5. Find the corresponding vulnerable function and analyze it.

Because the original text explains neither how to find the firmware load address nor how the final hash collision was carried out, I looked further into these two questions:

One is to find a reliable way to calculate the firmware load address (thanks to the idea contributed by the expert at the "craftsman Safety Lab").

The other is to write a program that collides multiple keys producing the same hash value.

1. Calculate the firmware load address

The firmware load address is calculated from the function symbol table in the VxWorks firmware. Every function-name string in the firmware has two addresses: its storage location in the firmware file (the file offset), and the memory address of that string that the firmware itself stores in the symbol table. Subtracting the file offset from the stored memory address gives the firmware load address. So we only need to locate one fixed string, find its offset in the firmware and the memory address it is loaded at, and the load address follows. Search in WinHex for the string APP_STATION (this string is special: it is the last string in the function symbol table, as shown in the figure below; if it cannot be found, the last string in the symbol table can be located in the same way), and note its file offset in the firmware: 0x26656c.

The next step is to find the memory address of that string. Because of the layout of the function symbol table, the memory address of this string is stored at the very start of the symbol table. binwalk shows the approximate start of the VxWorks symbol table; as shown in the figure below, binwalk calculates the start of the symbol table as 0x301E74.

Note that this value is not necessarily accurate and needs further confirmation in WinHex. Jump to 0x301E74 in WinHex, as shown in the figure below. On the right-hand side there is a regular column of ". 'e." characters. This pattern matches the layout of the function symbol table, and following the pattern back, the start of the symbol table should be 0x301E64.

The value stored at this address is the memory address of the string, 0x27656C. The string addresses in the table run in reverse order, so this first entry is the memory address of the last string, the one found above.

Therefore, memory address of the string minus file offset of the string gives the load address: 0x27656C - 0x26656C = 0x10000

Once the load address is known, how do we repair the function names after loading the firmware? This can be done with a function-name repair script, shown in the figure below:

When repairing the function names of a specific industrial-control firmware, three values in the script need attention. loadAddress is the load address just calculated. eaStart is the starting address of the function symbol table, 0x301E64. eaEnd is the end address of the function symbol table, which can only be found by following the regular layout of the table: as shown in the figure below, the regularly arranged symbol table ends at 0x3293a4, so that is the end address of the symbol table.

With these three values set, the script loads and runs without trouble.
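The load-address calculation and the symbol-table walk described above, as an added Python example (not the author's WinHex session or repair script, which the page only shows as figures). It builds a constructed stand-in image, not real firmware: a string area followed by a symbol table whose 12-byte entries are assumed to be (name pointer, value, type), big-endian, listed in reverse order as the page observed. `load_address_from_pointer` is the page's method (stored memory address minus file offset); `vote_load_address` generalizes it by letting every 32-bit word in the table vote for the base that would make it point at a known string, which is useful when binwalk's start estimate is off; `recover_symbols` produces the name-to-address mapping that the page's repair script applies in IDA with its loadAddress/eaStart/eaEnd values.

```python
import struct
from collections import Counter

BASE = 0x10000  # load address the constructed image pretends to use


def build_sample_image(base=BASE, endian=">"):
    """Constructed stand-in for a VxWorks image (assumption, not real firmware)."""
    names = [b"sysClkRateGet", b"loginDefaultEncrypt", b"APP_STATION"]
    img = bytearray(0x100)                      # leading padding
    offsets = []
    for n in names:
        offsets.append(len(img))
        img += n + b"\x00"
    while len(img) % 4:                          # align the table
        img += b"\x00"
    table_off = len(img)
    # entries in reverse order: the last string's entry comes first, as on the page
    for i in reversed(range(len(names))):
        img += struct.pack(endian + "III", base + offsets[i], base + 0x2000 + i * 0x40, 5)
    return bytes(img), table_off, len(img)


def find_strings(fw, min_len=4):
    """Return [(file_offset, text)] for every NUL-terminated run of printable ASCII."""
    found, start = [], None
    for i, b in enumerate(fw):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
            continue
        if start is not None and b == 0 and i - start >= min_len:
            found.append((start, fw[start:i].decode("ascii")))
        start = None
    return found


def load_address_from_pointer(fw, string_offset, pointer_offset, endian=">"):
    """The page's method: memory address stored in the table minus file offset of the string."""
    ptr = struct.unpack_from(endian + "I", fw, pointer_offset)[0]
    return ptr - string_offset


def vote_load_address(fw, string_offsets, endian=">", region=None, align=4):
    """Generalisation: each aligned 32-bit word is treated as a possible pointer to each
    known string; the base that the most (word, string) pairs agree on wins."""
    lo, hi = region if region else (0, len(fw))
    votes = Counter()
    for pos in range(lo, hi - 3, align):
        w = struct.unpack_from(endian + "I", fw, pos)[0]
        for off in string_offsets:
            if w >= off:
                votes[w - off] += 1
    return votes.most_common(1)[0]          # (base, number of agreeing pairs)


def read_cstring(fw, offset):
    return fw[offset:fw.index(b"\x00", offset)].decode("ascii", errors="replace")


def recover_symbols(fw, load_address, ea_start, ea_end, endian=">", entry_size=12):
    """Walk the table between eaStart and eaEnd (memory addresses) and return
    {name: address}, the mapping a renaming script would apply in IDA."""
    symbols = {}
    for ea in range(ea_start, ea_end, entry_size):
        name_ptr, value = struct.unpack_from(endian + "II", fw, ea - load_address)
        symbols[read_cstring(fw, name_ptr - load_address)] = value
    return symbols


if __name__ == "__main__":
    img, tbl_start, tbl_end = build_sample_image()
    strings = find_strings(img)
    last_off, last_name = strings[-1]          # APP_STATION is the last string
    base = load_address_from_pointer(img, last_off, tbl_start)
    print(f"{last_name} at file offset {last_off:#x}; table start points to it -> base {base:#x}")
    print("vote over the table region:", vote_load_address(img, [o for o, _ in strings],
                                                           region=(tbl_start, tbl_end)))
    for name, ea in recover_symbols(img, base, base + tbl_start, base + tbl_end).items():
        print(f"{ea:#010x} {name}")
```

The byte order must match step 2 of the procedure: unpacking a big-endian table as little-endian yields a nonsense base, so if the vote returns a base with only one or two agreeing pairs, try the other endianness before trusting it.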

2. Brute-force hash collision

First, from the reverse analysis of the firmware, the disassembly of the loginDefaultEncrypt function can be viewed in IDA Pro. Combined with the source code published by VxWorks, the function can be rewritten as follows:

As the function shows, the length of the input password (the key) is restricted: it must be greater than 8 and less than 40. The target hash value cQwwddSRxS has length 10. Analysis shows that keys of length 9 and 10 can produce a hash value of length 10, so I first wrote a program that randomly generates a codebook of length-10 passwords; the code, a shell script, is as follows.

The outer for loop generates 1 million passwords of length 10 in total. Run the program in the shell:

./10pass.sh > 1.txt # writes the random passwords to the file 1.txt

Then write a program that reads the randomly generated passwords from the codebook, computes each password's hash with the reimplemented loginDefaultEncrypt function, and finally compares it with the hash value given in the challenge; if the computed hash equals the challenge hash, the password counts as a collided key. Below is the main function of the program, in which each step can be seen clearly.

Compile with gcc (gcc -o guesshash ./guesshash.c) and run; the collision results are shown in the figure below.

As you can see, this is indeed a very weak encryption algorithm: out of 1 million random passwords, 11 collided with the same hash value.
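The whole collision procedure of this section as an added, runnable Python example; it is not the author's 10pass.sh or guesshash.c, which the page only shows as figures. `login_default_encrypt` follows the public VxWorks 5.x loginLib.c algorithm as I recall it (weighted sum of bytes, multiplication by 31695317, `%u` on a 32-bit unsigned long, then three digit-to-letter steps); that reconstruction is an assumption, and the firmware analysed on the page evidently uses different digit-mapping constants (see the note after the code), so the steps are a parameter rather than hard-coded. `random_passwords` plays the role of 10pass.sh, `find_collisions` that of guesshash.c, and `equal_sum_variant` shows algebraically why collisions are so plentiful.

```python
import random
import string

# (threshold, offset) pairs of the digit-to-letter mapping in the public VxWorks 5.x
# loginDefaultEncrypt as recalled here (assumption); each `if` is applied in turn.
# Replace with the constants read from your firmware's own loginDefaultEncrypt.
DEFAULT_STEPS = (("3", "!"), ("7", "/"), ("9", "B"))
MAGIC = 31695317


def login_default_encrypt(password, steps=DEFAULT_STEPS, width=32):
    """Return the VxWorks-style hash, or None when the length check rejects the key."""
    if len(password) < 8 or len(password) > 40:
        return None
    # weighted sum: each byte times the square of its 1-based position
    total = sum(ord(c) * (i + 1) ** 2 for i, c in enumerate(password))
    # sprintf("%u", total * magic) with the target's unsigned long width (32 bits)
    digits = str((total * MAGIC) & ((1 << width) - 1))
    out = []
    for d in digits:
        v = ord(d)
        for threshold, offset in steps:
            if v < ord(threshold):
                v += ord(offset)
        out.append(chr(v))
    return "".join(out)


def random_passwords(count, length=10, seed=None):
    """Equivalent of the page's 10pass.sh: random passwords from letters and digits."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    for _ in range(count):
        yield "".join(rng.choice(alphabet) for _ in range(length))


def find_collisions(target, candidates, steps=DEFAULT_STEPS):
    """Equivalent of guesshash.c: hash every candidate and keep those equal to target."""
    return [p for p in candidates if login_default_encrypt(p, steps) == target]


def equal_sum_variant(password, i, j):
    """The hash depends only on sum(c_k * (k+1)^2): raising character i by (j+1)^2 and
    lowering character j by (i+1)^2 keeps the sum, hence the hash, unchanged.
    Returns None when the result would leave printable ASCII."""
    chars = list(password)
    a = ord(chars[i]) + (j + 1) ** 2
    b = ord(chars[j]) - (i + 1) ** 2
    if not (0x20 <= a < 0x7F and 0x20 <= b < 0x7F):
        return None
    chars[i], chars[j] = chr(a), chr(b)
    return "".join(chars)


if __name__ == "__main__":
    target = login_default_encrypt("password")
    print("hash of 'password':", target)
    hits = find_collisions(target, random_passwords(100_000, seed=1))
    print(f"{len(hits)} of 100000 random 10-character passwords collide with it:", hits)
    print("algebraic collision:", equal_sum_variant("password", 1, 3))
```

Two checks before running any search against a real firmware. First, with the constants above the output alphabet is exactly {Q, R, S, b, c, d, e, y, z, 9}; a target such as the page's cQwwddSRxS contains w and x, which this mapping can never emit, so the firmware's constants differ and must be read off its own disassembly, as the page did. Second, the width matters: compiling a C port like guesshash.c on a 64-bit Linux host makes `unsigned long` 64 bits wide, which changes the printed digits and therefore the hash; keep the arithmetic at the target's 32 bits.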

This concludes the article "Example Analysis of a VxWorks Encryption Vulnerability". I hope the content above is of some help and lets you learn more; if you think the article is good, please share it so that more people can see it.
