Shulou(Shulou.com)05/31 Report--

This article to share with you is about Windows 10 IoT Core remote command execution vulnerability verification and recommendations, Xiaobian think quite practical, so share to everyone to learn, I hope you can read this article after harvest, not much to say, follow Xiaobian to see it.

I. Overview

Recently, Antian Microelectronics and Embedded Security R & D Department (Antian Microembedded) conducted detailed analysis and verification of the security vulnerabilities of Windows IoT[2] operating system disclosed by SafeReach [1]. Attackers can exploit this vulnerability to achieve full control of the target device, such as remote command execution, file upload/download, etc. In this regard, Antian Microembedded set up an analysis team to analyze and verify the principle and POC of the vulnerability published by SafeReach in GitHub, confirm the impact scope of the vulnerability, and give corresponding protection suggestions for different application scenarios.

1.1 Introduction to Windows IoT System

As the second largest system in the IoT market after Linux system, Windows IoT Core is the core operating system version for the Internet of Things, covering many fields such as smart home, smart medical care, smart city, intelligent logistics, etc. Windows IoT comes in IoT Core and IoT Enterprise versions, and Windows IoT Core comes in Stock Image and Custom Image versions. The Stock Image version, also known as the Test Image version, contains interfaces for development and hardware compatibility testing purposes.

Windows IoT Core currently supports hardware platforms including Qualcomm DragonBoard 410c, Raspberry Pi 2, Raspberry Pi 3B, MinnowBoard Turbot, and Aaeon Up Squared.

1.2 Brief Introduction of HLK Framework and Sirep Protocol

HLK (Hardware Lab Kit) is a test framework for testing compatibility between hardware devices and corresponding drivers and Windows systems. The PC software HLK Studio[3] contains the Server part of the test framework, and the test equipment contains the Client part of the test framework. Users can select test cases in HLK Studio and send them to the device to be tested for testing. In the underlying implementation, the HLK Studio software interacts with the device under test via the Sirep protocol [4]. The relationship between HLK Server and HLK Client is shown in Figure 1-1:

Figure 1-1: Relationship between HLK Server and HLK Client

DLL files implementing the Sirep protocol are located in C:\..\on Windows IoT Core systems testsirepsvc.dll, a DLL that enables communication between HLK Studio and Windows IoT Core systems and performs test tasks sent by HLK Studio to Windows IoT Core. The Sirep protocol itself implements the following functions:

Get Windows IoT Core system information;

Execute Windows IoT Core system commands;

Download files from Windows IoT Core;

Upload files to Windows IoT Core;

Get file attribute information in Windows IoT Core systems.

II. Scope of influence

Based on public information and actual verification by the analysis team, the vulnerability currently affects the Stock/Test Image[4] version of Windows IoT Core. Developers or vendors who use the Stock/Test Image version of the system in the final release of the product, and the product has a wired connection scenario, will be affected by this disclosure. Building the Custom version requires purchasing a signing certificate from the CA (Certificate Authority) and using that certificate to sign the Custom version of the system, because the analysis team has not verified the Custom version of the Windows IoT system because of the rush of time.

III. Vulnerability Analysis

This analysis process used the Raspberry Pi 2B and Windows IoT Core (17763) versions as validation environments. The schematic diagram of equipment connection is shown in Figure 3-1:

Figure 3-1 Schematic Diagram of Equipment Connection

First, you can use Windows 10 IoT Core Dashboard[5] software to make a TF card with Windows IoT Core system, then insert the TF card into the Raspberry Pi, connect the Raspberry Pi with a network cable, and power on the system. After system startup, Windows 10 IoT Core Dashboard software can automatically discover Windows IoT devices within a local area network, perform remote PowerShell enablement, deploy applications to devices, and more. However, these operations need to be authenticated by the Windows IoT system administrator account and password before they can be used properly.

When implementing the Sirep protocol, testsirepsvc.dll's code uses the TCP Socket server to listen on ports 29817, 29819, and 29820, and does not perform proper permission checks on received requests in the code, resulting in unauthorized execution of the Sirep protocol's functionality.

In testsirepsvc.dll, the function that implements permission checking on remote requests is named:

ControllerWSA::IsConnectionAllowed

After the Windows IoT Core system is running, you can copy the DLL file to the analyzer through the USB flash drive, and use IDA to view the assembly code to implement the function, as shown in Figure 3-2 and Figure 3-3:

Figure 3-2 ControllerWSA::IsConnectionAllowed function snippet 1

Figure 3-3 ControllerWSA::IsConnectionAllowed function snippet 2

The above code fragment explains how testsirepsvc.dll performs permission checking on the received request logic. The program logic only determines whether the SOCKADDR_IN data structure returned by the getsockname function is the IP address of the wired network card. That is to say, testsirepsvc.dll considers all requests from the wired network to be legitimate requests. This process does not require the user to enter a username and password for authentication.

After the service program in testsirepsvc.dll receives the command data sent by HLK Studio, it will distribute it through SirepPipeServiceRoutine function. In this function, different commands will be distributed to different functions for execution through command type field. The execution function names corresponding to different command types are respectively:

SirepGetSystemInformationFromDevice;SirepPutFileOnDevice;SirepGetFileFromDevice;SirepGetFileInformationFromDevice;SirepLaunchWithOutput

The assembly code for the SirepPipeServiceRoutine function that implements this command diversion process is shown in Figure 3-4:

Figure 3-4. SirepPipeServiceRoutine command diversion code

IV. POC Execution Verification

The analysis team set up a validation environment using the Raspberry Pi 2B and Windows IoT Core (17763)(Stock/Test Image), combining the above analysis process to validate the public POC[6].

An example of POC execution for uploading files is shown in Figure 4-1 and Figure 4-2:

Figure 4-1. Upload File POC Execution Example

As shown in Figure 4-1, the POC creates a file named uploaded.txt in the C:\Windows\System32\directory with the content "Hello Windows IoT! "。

Figure 4-2. View upload results

As shown in Figure 4-2, after executing the POC command shown in Figure 4-1, use the cat command to view the contents of the file named uploaded.txt in the C:\Windows\System32\directory.

An example of POC execution of remote execution system commands is shown in Figure 4-3:

Figure 4-3. Example of POC Execution of Remote Execution System Command

As shown in Figure 4-3, the POC implements remote command execution, executes the hostname command in the target device, and returns the result of command execution, i.e."minwinpc"

It has been verified that the POC disclosed by SafeReach security researchers can upload files and execute system commands to the Stock/Test Image version of Windows IoT Core system, which has serious security risks.

V. Protection recommendations

The vulnerability verified this time can execute high-risk actions such as uploading files and executing system commands on the affected system equipment without authorization. Malware can easily hijack the equipment to become a member of botnet through the exploitation of this vulnerability and become one of the weapons for hackers to launch network attacks; the equipment can also be controlled by hackers to become a part of mining; At the same time, because IoT devices are applied to all walks of life, once controlled, the most direct thing is to affect the normal operation of the device, which in turn affects production and life; at the same time, hackers can also use the device as a springboard to further invade the network where the IoT device is located to carry out dangerous behaviors such as virus transmission, intelligence theft and network destruction, causing serious threats to the target network.

Although the vulnerability in this validation only applies to the Stock/Test Image version of Windows IoT Core, since building Custom versions requires purchasing a signed certificate from Certificate Authority (CA) and signing Custom versions of the system with that certificate, vendors may consider using Stock/Test Image versions of Windows IoT Core systems for product release directly for cost or other reasons, meaning that Stock/Test Image versions of Windows IoT Core systems IoT devices may have been widely used in the supply chain. And IoT devices are difficult to upgrade firmware in real-world application scenarios and are easily overlooked.

In summary, in order to effectively reduce the threat caused by vulnerabilities, improve product security, and effectively improve the security protection capability of the network where the product is located, and ensure customer value, we give three security suggestions based on vulnerability analysis and verification. The details are as follows:

Recommendation 1: The actual product launch process should be strictly in accordance with the official requirements of the R & D, testing and release process specifications, using Custom Image instead of Stock/Test Image version of Windows IoT system as the actual product release system, can effectively avoid this or other undiscovered Stock/Test Image version of the system vulnerability caused by the impact.

Recommendation 2: The service involved in this vulnerability uses three ports 29817, 29819, and 29820, and the service involved is only used for compatibility testing in the R & D phase, not the function used by the actual product. In the case that the firmware cannot be upgraded temporarily, and ensure that there is no function dependent on the corresponding port in the actual product to prevent the normal use of the device from being affected after closing the corresponding port, you can temporarily block the three ports 29817, 29819 and 29820 used by the compatibility test service in the Windows IoT Core system firewall, and temporarily avoid the impact of this disclosure vulnerability. However, it is still necessary to upgrade the firmware as soon as possible to effectively avoid the impact of this or other undiscovered Stock/Test Image version system vulnerabilities.

The commands to temporarily block ports on Windows IoT Core are as follows:

Recommendation III: According to the technical characteristics of the functions implemented by IoT devices and in combination with the actual operating environment, the IP list, port list, access protocol type of the device that can be accessed, and the protocol type, IP list and port list that the device can actively connect to the outside are sorted out in detail, and the white list access rule list of the corresponding bidirectional IP address, port and protocol is configured by using the border firewall product or the device-specific firewall product in combination with the sorting result, so as to guarantee the access security of IoT devices to the maximum extent. Although this method can effectively guarantee the access security of IoT devices and reduce the possibility of vulnerabilities being exploited, it does not eradicate the risk of vulnerabilities, so upgrade firmware to fix vulnerabilities as soon as possible to effectively avoid the impact of this or other undiscovered Stock/Test Image version system vulnerabilities.

The above is what Windows 10 IoT Core remote command execution vulnerability verification and recommendations are, Xiaobian believes that some knowledge points may be seen or used in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.