Tuesday, March 10, 2015

XiaoMi phone - Analysis Part 2 - Bluebox Security Labs with Mi 4

Referring to the recent blog post by Bluebox Security Labs (https://bluebox.com/blog/technical/popular-xiaomi-phone-could-put-data-at-risk), they found Xiaomi devices shipping with pre-installed malware and a suspicious backdoor. They also observed that the MIUI ROM is a modified Android release whose build properties (e.g. build version and corresponding API level) conflict with the original Google Android release. Their research and analysis was based on Mi 4 devices.

Well, simply out of curiosity, I took a quick look at a brand new XiaoMi Note 4G LTE (Singapore version) running MIUI KHIMIBH21.0. Let's go through what Bluebox Security Labs discovered:

Bluebox # 1 - Pre-Installed Malware
"One particularly nefarious app was Yt Service. Yt Service embeds an adware service called DarthPusher that delivers ads to the device among other things[2]. This was an interesting find because, though the app was named Yt Service, the developer package was named com.google.hfapservice (note this app is NOT from Google).

Other risky apps of note included PhoneGuardService (com.egame.tonyCore.feicheng) classified as a Trojan, AppStats classified (org.zxl.appstats) as riskware and SMSreg classified as malware."

Observation:
I wish I could find those packages for further analysis. However, I have not seen any of the reported packages installed on the device, e.g. Yt Service (com.google.hfapservice), PhoneGuardService (com.egame.tonyCore.feicheng) or AppStats (org.zxl.appstats).

gento@local:~$ adb shell 'pm list packages -f'
open: Permission denied
open: Permission denied
package:/system/app/fastdormancy.apk=com.qualcomm.fastdormancy
package:/data/app/partner-Swiftkey.apk=com.touchtype.swiftkey.xiaomi
package:/system/priv-app/MiuiGallery.apk=com.miui.gallery
package:/system/app/TimeService.apk=com.qualcomm.timeservice
package:/system/priv-app/DefaultContainerService.apk=com.android.defcontainer
package:/system/app/PartnerBookmarksProvider.apk=com.android.providers.partnerbookmarks
package:/system/priv-app/Contacts.apk=com.android.contacts
package:/system/priv-app/Phone.apk=com.android.phone
package:/system/app/Calculator.apk=com.android.calculator2
package:/system/priv-app/Music.apk=com.miui.player
package:/system/app/HTMLViewer.apk=com.android.htmlviewer
package:/system/app/MiAssistant.apk=com.xiaomi.mitunes
package:/system/app/GuardProvider.apk=com.miui.guardprovider
package:/system/app/CellBroadcastReceiver.apk=com.android.cellbroadcastreceiver
package:/system/priv-app/GoogleLoginService.apk=com.google.android.gsf.login
package:/system/app/CalendarProvider.apk=com.android.providers.calendar
package:/system/app/Bluetooth.apk=com.android.bluetooth
package:/system/app/TrafficControl.apk=com.trafficctr.miui
package:/system/app/GsmTuneAway.apk=com.qualcomm.gsmtuneaway
package:/data/app/partner-mOffice.apk=cn.wps.moffice_eng
package:/system/priv-app/YellowPage.apk=com.miui.yellowpage
package:/system/priv-app/Calendar.apk=com.android.calendar
package:/data/app/Browser.apk=com.android.browser
package:/system/app/MiLinkService.apk=com.milink.service
package:/system/app/AntHalService.apk=com.dsi.ant.server
package:/system/priv-app/Backup.apk=com.miui.backup
package:/system/app/ims.apk=org.codeaurora.ims
package:/system/app/AntiSpam.apk=com.miui.antispam
package:/system/app/CloudService.apk=com.miui.cloudservice
package:/system/app/Notes.apk=com.miui.notes
package:/system/app/DM.apk=com.xiaomi.dm
package:/system/app/DownloadProviderUi.apk=com.android.providers.downloads.ui
package:/system/app/DocumentsUI.apk=com.android.documentsui
package:/system/framework/framework-miui-res.apk=miui
package:/system/priv-app/SharedStorageBackup.apk=com.android.sharedstoragebackup
package:/system/app/WeatherProvider.apk=com.miui.providers.weather
package:/system/priv-app/VpnDialogs.apk=com.android.vpndialogs
package:/system/priv-app/Mms.apk=com.android.mms
package:/system/app/Provision.apk=com.android.provision
package:/system/priv-app/MediaProvider.apk=com.android.providers.media
package:/system/app/KingSoftCleaner.apk=com.cleanmaster.sdk
package:/system/app/CertInstaller.apk=com.android.certinstaller
package:/system/app/Cit.apk=com.miui.cit
package:/system/app/ThemeManager.apk=com.android.thememanager
package:/system/app/MiuiCompass.apk=com.miui.compass
package:/system/priv-app/GmsCore.apk=com.google.android.gms
package:/system/app/PhotoTable.apk=com.android.dreams.phototable
package:/data/app/SetupWizard.apk=com.google.android.setupwizard
package:/system/app/Updater.apk=com.android.updater
package:/system/priv-app/Settings.apk=com.android.settings
package:/system/app/LBESEC_MIUI.apk=com.lbe.security.miui
package:/system/app/FileExplorer.apk=com.android.fileexplorer
package:/data/app/Street.apk=com.google.android.street
package:/data/app/partner-Facebook.apk=com.facebook.katana
package:/data/app/Velvet.apk=com.google.android.googlequicksearchbox
package:/system/app/UserbookProvider.apk=com.miui.providers.userbook
package:/data/app/Music2.apk=com.google.android.music
package:/system/app/VisualizationWallpapers.apk=com.android.musicvis
package:/system/app/InterfacePermissions.apk=com.qualcomm.interfacepermissions
package:/system/app/NetworkAssistant2.apk=com.miui.networkassistant
package:/system/app/LiveWallpapersPicker.apk=com.android.wallpaper.livepicker
package:/data/app/GoogleBackupTransport.apk=com.google.android.backuptransport
package:/system/app/PackageInstaller.apk=com.android.packageinstaller
package:/system/app/LatinImeGoogle.apk=com.google.android.inputmethod.latin
package:/system/app/TelephonyProvider.apk=com.android.providers.telephony
package:/system/priv-app/MiuiHome.apk=com.miui.home
package:/system/app/PicoTts.apk=com.svox.pico
package:/system/app/NoiseField.apk=com.android.noisefield
package:/system/app/NetworkAssistant.apk=com.wali.miui.networkassistant
package:/system/app/Email.apk=com.android.email
package:/data/app/Maps.apk=com.google.android.apps.maps
package:/system/priv-app/WallpaperCropper.apk=com.android.wallpapercropper
package:/system/priv-app/FusedLocation.apk=com.android.location.fused
package:/system/priv-app/BackupRestoreConfirmation.apk=com.android.backupconfirm
package:/system/app/MagicSmokeWallpapers.apk=com.android.magicsmoke
package:/system/priv-app/SettingsProvider.apk=com.android.providers.settings
package:/system/app/com.qualcomm.services.location.apk=com.qualcomm.services.location
package:/data/app/Drive.apk=com.google.android.apps.docs
package:/system/app/qcrilmsgtunnel.apk=com.qualcomm.qcrilmsgtunnel
package:/system/priv-app/DownloadProvider.apk=com.android.providers.downloads
package:/data/app/BrowserProviderProxy.apk=com.android.browser.provider
package:/system/app/FM.apk=com.miui.fmradio
package:/system/priv-app/MusicFX.apk=com.android.musicfx
package:/data/app/Books.apk=com.google.android.apps.books
package:/system/app/PhaseBeam.apk=com.android.phasebeam
package:/system/app/SoundRecorder.apk=com.android.soundrecorder
package:/data/app/Videos.apk=com.google.android.videos
package:/data/app/ota-partner-GooglePinyin.apk=com.google.android.inputmethod.pinyin
package:/data/app/GoogleOneTimeInitializer.apk=com.google.android.onetimeinitializer
package:/data/app/GooglePartnerSetup.apk=com.google.android.partnersetup
package:/system/priv-app/ProxyHandler.apk=com.android.proxyhandler
package:/system/app/SVIService.apk=com.qualcomm.svi
package:/system/priv-app/BarcodeScanner.apk=com.miui.barcodescanner
package:/system/priv-app/InputDevices.apk=com.android.inputdevices
package:/system/app/HoloSpiralWallpaper.apk=com.android.wallpaper.holospiral
package:/system/app/BugReport.apk=com.miui.bugreport
package:/data/app/GoogleFeedback.apk=com.google.android.feedback
package:/data/app/Hangouts.apk=com.google.android.talk
package:/system/app/MiWallpaper.apk=com.miui.miwallpaper
package:/system/app/Stk.apk=com.android.stk
package:/system/app/shutdownlistener.apk=com.qualcomm.shutdownlistner
package:/system/app/MiuiVideoPlayer.apk=com.miui.videoplayer
package:/system/app/UserDictionaryProvider.apk=com.android.providers.userdictionary
package:/data/app/ConfigUpdater.apk=com.google.android.configupdater
package:/system/app/PacProcessor.apk=com.android.pacprocessor
package:/system/app/Galaxy4.apk=com.android.galaxy4
package:/system/app/Weather.apk=com.miui.weather2
package:/system/app/PrintSpooler.apk=com.android.printspooler
package:/data/app/GoogleCalendarSyncAdapter.apk=com.google.android.syncadapters.calendar
package:/system/framework/framework-res.apk=android
package:/system/app/ContactsProvider.apk=com.android.providers.contacts
package:/system/app/com.qualcomm.location.apk=com.qualcomm.location
package:/system/app/Protips.apk=com.android.protips
package:/system/priv-app/ExternalStorageProvider.apk=com.android.externalstorage
package:/system/app/WfdService.apk=com.qualcomm.wfd.service
package:/system/app/ApplicationsProvider.apk=com.android.providers.applications
package:/system/app/BasicDreams.apk=com.android.dreams.basic
package:/data/app/PlusOne.apk=com.google.android.apps.plus
package:/data/app/Phonesky.apk=com.android.vending
package:/data/app/PlayGames.apk=com.google.android.play.games
package:/system/app/DataHubProvider.apk=com.miui.providers.datahub
package:/system/priv-app/MiuiSystemUI.apk=com.android.systemui
package:/system/app/NetworkSetting.apk=com.qualcomm.networksetting
package:/system/app/KeyChain.apk=com.android.keychain
package:/data/app/Gmail2.apk=com.google.android.gm
package:/system/app/WAPPushManager.apk=com.android.smspush
package:/system/app/QComQMIPermissions.apk=com.qualcomm.qcom_qmi
package:/system/app/Userbook.apk=com.miui.userbook
package:/system/app/LiveWallpapers.apk=com.android.wallpaper
package:/system/priv-app/Camera.apk=com.android.camera
package:/data/app/YouTube.apk=com.google.android.youtube
package:/data/app/Magazines.apk=com.google.android.apps.magazines
package:/system/app/CABLService.apk=com.qualcomm.cabl
package:/system/app/DeskClock.apk=com.android.deskclock
package:/system/priv-app/GoogleServicesFramework.apk=com.google.android.gsf
package:/system/priv-app/MiuiKeyguard.apk=com.android.keyguard
package:/data/app/Chrome.apk=com.android.chrome
package:/system/app/matcli.apk=com.qcom.matcli
package:/system/app/xtra_t_app.apk=com.qualcomm.location.XT
package:/system/priv-app/Shell.apk=com.android.shell
package:/system/app/XiaomiServiceFramework.apk=com.xiaomi.xmsf
package:/system/app/GoogleContactsSyncAdapter.apk=com.google.android.syncadapters.contacts
gento@local:~$ adb shell 'pm list packages -f' | grep hfap
gento@local:~$ adb shell 'pm list packages -f' | grep hfapservice
gento@local:~$
gento@local:~$ adb shell 'pm list packages -f' | grep egame
gento@local:~$ adb shell 'pm list packages -f' | grep cheng
gento@local:~$ adb shell 'pm list packages -f' | grep appstats
gento@local:~$ adb shell 'pm list packages -f' | grep zx
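The grep checks above, as an added Python script that is not part of the original post: it parses `pm list packages -f` output, skips the "open: Permission denied" noise lines adb prints before the list, classifies where each APK is installed, and looks up the package names Bluebox reported. The sample output is a constructed excerpt of the listing above; the indicator names and descriptions are taken from the quoted Bluebox text.

```python
import re

# Constructed excerpt of `adb shell 'pm list packages -f'` output in the format shown
# on this page; the "open: Permission denied" lines are the noise adb prints before the list.
SAMPLE_PM_OUTPUT = """\
open: Permission denied
open: Permission denied
package:/system/app/fastdormancy.apk=com.qualcomm.fastdormancy
package:/data/app/partner-Swiftkey.apk=com.touchtype.swiftkey.xiaomi
package:/system/priv-app/MiuiGallery.apk=com.miui.gallery
package:/system/app/LBESEC_MIUI.apk=com.lbe.security.miui
package:/system/priv-app/GmsCore.apk=com.google.android.gms
"""

# Package names Bluebox reported on their Mi 4 (taken from the quoted text above).
BLUEBOX_INDICATORS = {
    "com.google.hfapservice": "Yt Service (DarthPusher adware)",
    "com.egame.tonyCore.feicheng": "PhoneGuardService (Trojan)",
    "org.zxl.appstats": "AppStats (riskware)",
}

PACKAGE_LINE = re.compile(r"^package:(?P<path>/\S+?\.apk)=(?P<pkg>[A-Za-z0-9_.]+)$")

def parse_pm_list(output):
    """Map package name -> APK path, skipping lines that are not package entries."""
    packages = {}
    for line in output.splitlines():
        m = PACKAGE_LINE.match(line.strip())
        if m:
            packages[m.group("pkg")] = m.group("path")
    return packages

def install_location(path):
    """Classify where an APK lives; /system/priv-app packages can hold privileged permissions."""
    if path.startswith("/system/priv-app/"):
        return "system-privileged"
    if path.startswith("/system/"):
        return "system"
    if path.startswith("/data/app/"):
        return "user-data"
    return "other"

def check_indicators(packages, indicators=BLUEBOX_INDICATORS):
    """Return {pkg: (description, path)} for every indicator package that is installed."""
    return {pkg: (desc, packages[pkg]) for pkg, desc in indicators.items() if pkg in packages}

def summarize(output):
    """Count packages per install location and list any indicator hits."""
    packages = parse_pm_list(output)
    counts = {}
    for path in packages.values():
        loc = install_location(path)
        counts[loc] = counts.get(loc, 0) + 1
    return {"total": len(packages), "by_location": counts, "hits": check_indicators(packages)}

if __name__ == "__main__":
    # On a real device, feed in subprocess.run(["adb", "shell", "pm list packages -f"], ...).stdout
    print(summarize(SAMPLE_PM_OUTPUT))
```

An empty `hits` dict is the result the listing above produces; the script is only as good as the indicator list, so a clean result rules out the named packages, not pre-installed malware in general.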


Bluebox # 2 - Device comes 'root'
"Additionally, we noticed that the device comes rooted. The “su” application does require a security provider to be used on the device (com.lbe.security.miui.su), so the usage of “su” is restricted in some sense, however it shouldn't exist in a production released build of Android, as it’s a gateway for apps that can access it to do potentially bad things."

Observation:
No luck for me. I guess I need to root it by myself later.

gento@local:~$ adb shell
shell@dior:/ $ su -
/system/bin/sh: su: not found
127|shell@dior:/ $ su
/system/bin/sh: su: not found

Bluebox # 3 - Conflicting build properties
"we found several conflicts with the API level corresponding to Android 4.2 and whether or not the device is signed with test-keys or release-keys. This means it’s unclear if this build of the software was meant for testing or release to consumers."

Observation:
shell@dior:/ $ cat /system/build.prop
# begin build properties
# autogenerated by buildinfo.sh
ro.build.id=KVT49L
ro.build.display.id=KVT49L
ro.build.version.incremental=KHIMIBH21.0
ro.build.version.sdk=19
ro.build.version.codename=REL
ro.build.version.release=4.4.2
ro.build.date=Tue Nov  4 11:26:53 CST 2014
ro.build.date.utc=1415071613
ro.build.type=user
ro.build.user=builder
ro.build.host=zc-miui-ota-bd34
ro.build.tags=release-keys
ro.product.model=HM NOTE 1LTE
ro.product.brand=Xiaomi
ro.product.name=dior
ro.product.device=dior
ro.product.mod_device=dior_global
ro.product.board=MSM8226
ro.product.cpu.abi=armeabi-v7a
ro.product.cpu.abi2=armeabi
ro.product.manufacturer=Xiaomi
ro.product.locale.language=zh
ro.product.locale.region=CN
ro.wifi.channels=
ro.board.platform=msm8226
# ro.build.product is obsolete; use ro.product.device
ro.build.product=dior
# Do not try to parse ro.build.description or .fingerprint
ro.build.description=dior-user 4.4.2 KVT49L KHIMIBH21.0 release-keys
ro.build.fingerprint=Xiaomi/dior/dior:4.4.2/KVT49L/KHIMIBH21.0:user/release-keys
ro.build.characteristics=default
# end build properties
#
# from device/xiaomi/dior/system.prop
#
#
# system.prop for dior
#

# Use reference RIL for initial bringup
#rild.libpath=/system/lib/libreference-ril.so
rild.libpath=/vendor/lib/libril-qc-qmi-1.so
rild.libargs=-d /dev/smd0
persist.rild.nitz_plmn=
persist.rild.nitz_long_ons_0=
persist.rild.nitz_long_ons_1=
persist.rild.nitz_long_ons_2=
persist.rild.nitz_long_ons_3=
persist.rild.nitz_short_ons_0=
persist.rild.nitz_short_ons_1=
persist.rild.nitz_short_ons_2=
persist.rild.nitz_short_ons_3=
persist.sys.ssr.restart_level=3
persist.radio.ramdump_sdcard=1
ril.subscription.types=RUIM
DEVICE_PROVISIONED=1
persist.radio.msgtunnel.start=false
# Start in LTE/GSM/WCDMA/TDSCDMA mode
# ro.telephony.default_network=20

#
# system props for the cne module
#
persist.cne.feature=1


# Skip /sys/power/wait_for_fb_* nodes and
# force FB to be always on
debug.sf.fb_always_on=1

debug.sf.hw=1
debug.egl.hw=1
debug.composition.type=c2d
persist.hwc.mdpcomp.enable=true
debug.mdpcomp.logs=0
dalvik.vm.heapsize=36m
dev.pm.dyn_samplingrate=1

persist.demo.hdmirotationlock=false
ro.hdmi.enable=true
qcom.hw.aac.encoder=true

#system props for the MM modules

media.stagefright.enable-player=true
media.stagefright.enable-http=true
media.stagefright.enable-aac=true
media.stagefright.enable-qcp=true
media.stagefright.enable-fma2dp=true
media.stagefright.enable-scan=true
mmp.enable.3g2=true
mm.enable.smoothstreaming=true
#9273 is decimal sum of supported codecs in AAL
#codecs:(PARSER_)AVI AC3 ASF AAC QCP DTS 3G2 MP2TS
mm.enable.qcom_parser=37491

# VIDC: debug_levels
# 1:ERROR 2:HIGH 4:LOW 0:NOlogs 7:AllLogs
vidc.debug.level=1
#
# system props for the data modules
#
ro.use_data_netmgrd=true
persist.data.netmgrd.qos.enable=true

#system props for time-services
persist.timed.enable=true

#
# system prop for opengles version
#
# 196608 is decimal for 0x30000 to report version 3
ro.opengles.version=196608

#
# System props for telephony
# System prop to turn on CdmaLTEPhone always
# telephony.lteOnCdmaDevice=1

#System property to turn on hfp client
bluetooth.hfp.client=1

# simulate sdcard on /data/media
#
persist.fuse_sdcard=true

#
#snapdragon value add features
#
ro.qc.sdk.audio.ssr=false
##fluencetype can be "fluence" or "fluencepro" or "none"
ro.qc.sdk.audio.fluencetype=fluence
persist.audio.fluence.voicecall=true
persist.audio.fluence.voicerec=true
persist.audio.fluence.speaker=false

# System props for charger
persist.usb.hvdcp.detect=true

# Enable/disable cabl
ro.qualcomm.cabl=1

# system prop for NFC DT
ro.nfc.port=I2C

#property to enable user to access Google WFD settings
persist.debug.wfd.enable=1
##property to choose between virtual/external wfd display
persist.sys.wfd.virtual=0
tunnel.audio.encode = false

#use VERY_HIGH_QUALITY for audio resampler
af.resampler.quality=4

#Buffer size in kbytes for compress offload playback
audio.offload.buffer.size.kb=32

#Enable offload audio video playback by default
av.offload.enable=true

#enable voice path for PCM VoIP by default
use.voice.path.for.pcm.voip=true

#enable dsp gapless mode by default
audio.offload.gapless.enabled=true

#disable audio offload mode
audio.offload.disable=1
audio.offload.pcm.enable=false

# disable strictmode
persist.sys.strictmode.disable=true

# button jack mode & switch
persist.sys.button_jack_profile=volume
persist.sys.button_jack_switch=0

# media button for headset hook
persist.sys.button_headset_hook=media

# enable auto-brightness adjustment
persist.power.useautobrightadj=true

#property to set minimum frequency as 787Mhz by default
ro.min_freq=787000

#
# ADDITIONAL_BUILD_PROPERTIES
#
ro.product.locale.language=en
ro.product.locale.region=GB
ro.miui.ui.version.code=3
ro.miui.ui.version.name=V5
keyguard.no_require_sim=true
ro.com.android.dataroaming=false
ro.com.android.dateformat=MM-dd-yyyy
ro.config.elder-ringtone=Angel.mp3
ro.carrier=unknown
ro.vendor.extension_library=/vendor/lib/libqc-opt.so
persist.radio.apm_sim_not_pwdn=0
dalvik.vm.heapstartsize=8m
dalvik.vm.heapgrowthlimit=96m
dalvik.vm.heapsize=256m
dalvik.vm.heaptargetutilization=0.75
dalvik.vm.heapminfree=2m
dalvik.vm.heapmaxfree=8m
qcom.bt.dev_power_class=1
ro.btconfig.if=smd
ro.btconfig.dev=/dev/smd3
ro.btconfig.vendor=qcom
ro.btconfig.chip=WCN3680
ro.setupwizard.mode=OPTIONAL
ro.com.google.gmsversion=4.4_r4
drm.service.enabled=true
persist.sys.dalvik.vm.lib=libdvm.so
net.bt.name=Android
dalvik.vm.stack-trace-file=/data/anr/traces.txt
ro.qc.sdk.izat.premium_enabled=1
ro.qc.sdk.izat.service_mask=0x5
persist.gps.qc_nlp_in_use=1
persist.loc.nlp_name=com.qualcomm.services.location
ro.gps.agps_provider=1
ro.config.ringtone=MI.ogg
ro.config.notification_sound=FadeIn.ogg
ro.config.alarm_alert=GoodMorning.ogg
ro.config.sms_received_sound=FadeIn.ogg
ro.config.sms_delivered_sound=MessageComplete.ogg
ro.com.android.mobiledata=false
persist.sys.mitalk.enable=true

shell@dior:/ $ 
shell@dior:/ $ cat /system/build.prop | grep version                           
ro.build.version.incremental=KHIMIBH21.0
ro.build.version.sdk=19
ro.build.version.codename=REL
ro.build.version.release=4.4.2
# system prop for opengles version
# 196608 is decimal for 0x30000 to report version 3
ro.opengles.version=196608
ro.miui.ui.version.code=3
ro.miui.ui.version.name=V5
ro.com.google.gmsversion=4.4_r4

shell@dior:/ $ cat /system/build.prop | grep tags                              
ro.build.tags=release-keys

shell@dior:/ $ cat /system/build.prop | grep fingerprint                       
# Do not try to parse ro.build.description or .fingerprint
ro.build.fingerprint=Xiaomi/dior/dior:4.4.2/KVT49L/KHIMIBH21.0:user/release-keys
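The consistency checks behind Bluebox's third finding, as an added Python example that is not part of the original post: it parses a build.prop dump, verifies that the SDK level matches the release string (4.4.x is API 19), that the build is type user and signed with release-keys, that every component of ro.build.fingerprint agrees with the property it was derived from, and reports keys assigned more than once with differing values, as ro.product.locale.language and dalvik.vm.heapsize are in the dump above. The sample below is a constructed excerpt of that dump; the release-to-API mapping covers only the releases around this build.

```python
# Constructed excerpt of the build.prop dumped above; keys repeated later in the file
# (the ADDITIONAL_BUILD_PROPERTIES block) are kept so duplicates can be reported.
SAMPLE_BUILD_PROP = """\
# begin build properties
ro.build.id=KVT49L
ro.build.version.incremental=KHIMIBH21.0
ro.build.version.sdk=19
ro.build.version.release=4.4.2
ro.build.type=user
ro.build.tags=release-keys
ro.product.brand=Xiaomi
ro.product.name=dior
ro.product.device=dior
ro.product.locale.language=zh
ro.build.fingerprint=Xiaomi/dior/dior:4.4.2/KVT49L/KHIMIBH21.0:user/release-keys
dalvik.vm.heapsize=36m
# ADDITIONAL_BUILD_PROPERTIES
ro.product.locale.language=en
dalvik.vm.heapsize=256m
"""

# Android release -> API level for the releases around this build (public platform facts).
RELEASE_TO_SDK = {"4.1": 16, "4.2": 17, "4.3": 18, "4.4": 19, "5.0": 21, "5.1": 22}

def parse_build_prop(text):
    """Return {key: [values...]} preserving every assignment, so duplicates stay visible."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props.setdefault(key.strip(), []).append(value.strip())
    return props

def first(props, key):
    return props.get(key, [""])[0]

def check_build_prop(text):
    """Run the consistency checks and return a list of human-readable issues."""
    props = parse_build_prop(text)
    issues = []
    # 1. API level must match the release string (4.4.x -> 19).
    release = first(props, "ro.build.version.release")
    expected_sdk = RELEASE_TO_SDK.get(".".join(release.split(".")[:2]))
    if expected_sdk is not None and first(props, "ro.build.version.sdk") != str(expected_sdk):
        issues.append(f"sdk {first(props, 'ro.build.version.sdk')} does not match release {release}")
    # 2. A consumer build is type=user and signed with release-keys.
    if first(props, "ro.build.type") != "user":
        issues.append(f"build type is {first(props, 'ro.build.type')!r}, not 'user'")
    if first(props, "ro.build.tags") != "release-keys":
        issues.append(f"build tags are {first(props, 'ro.build.tags')!r}, not 'release-keys'")
    # 3. Fingerprint is brand/product/device:release/id/incremental:type/tags; each part
    #    must agree with the individual property it was derived from.
    fp = first(props, "ro.build.fingerprint")
    try:
        ident, build, flavor = fp.split(":")
        brand, product, device = ident.split("/")
        fp_release, build_id, incremental = build.split("/")
        build_type, tags = flavor.split("/")
    except ValueError:
        issues.append(f"fingerprint {fp!r} is not in the expected form")
    else:
        pairs = (("ro.product.brand", brand), ("ro.product.name", product),
                 ("ro.product.device", device), ("ro.build.version.release", fp_release),
                 ("ro.build.id", build_id), ("ro.build.version.incremental", incremental),
                 ("ro.build.type", build_type), ("ro.build.tags", tags))
        for key, value in pairs:
            if first(props, key) != value:
                issues.append(f"fingerprint says {key}={value!r} but property is {first(props, key)!r}")
    # 4. Keys assigned more than once with different values deserve a look: for ro.*
    #    properties init keeps the first assignment, for all others the last one wins.
    for key, values in props.items():
        if len(set(values)) > 1:
            issues.append(f"{key} assigned {len(values)} times: {values}")
    return issues
```

Run against the dump above, the only findings are the two duplicated keys; a mismatch of the kind Bluebox described (for example ro.build.version.sdk=17 next to ro.build.version.release=4.4.2, or test-keys in ro.build.tags but release-keys in the fingerprint) is reported as a separate issue.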

Bluebox # 4 - Hidden directory on external storage which store tampered app
"As Bluebox Labs mentioned in the original findings there is a hidden directory on the sdcard called .apk. It is within this hidden directory that some APKs are sitting like CPU-Z and also a version of the AntiFake app. If a user tries to install an app on their phone that corresponds to one of these packages then the app on the sdcard replaces the real app the user attempts to install. This is one method the ROM is using to bypass the verification app."

Observation:
Again, no luck for me. No hidden directory.

shell@dior:/sdcard $ ls -al
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Alarms
drwxrwx--x root     sdcard_r          1970-01-02 07:40 Android
drwxrwx--- root     sdcard_r          1970-01-02 07:35 DCIM
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Download
drwxrwx--- root     sdcard_r          1970-01-02 07:40 MIUI
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Movies
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Music
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Notifications
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Pictures
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Podcasts
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Ringtones
drwxrwx--- root     sdcard_r          1970-01-02 07:36 ramdump
shell@dior:/sdcard $ 

In response to Bluebox Labs' discovery, Xiaomi claimed that the tested device was counterfeit. No matter what, credit to Bluebox Labs for the findings. Cheers.


Friday, September 12, 2014

XiaoMi phone - Analysis Part 1 - Privacy Issue

With a brand new Xiao Mi 1S (Singapore version) on hand, we can observe that the phone automatically sends various information back to the backend server, even though we have not inserted any SIM card or logged in with a Google or Mi Cloud account.

(a) Once the phone boots up, it sends a list of installed packages to 'policy.app.xiaomi.com'. Well.

POST /cms/interface/v1/checkpackages.php HTTP/1.1
Content-Length: 778
Content-Type: text/plain; charset=ISO-8859-1
Host: policy.app.xiaomi.com
Connection: Keep-Alive

{"packages":["com.touchtype.swiftkey.xiaomi\/545390674","cn.wps.moffice_eng\/77","com.xiaomi.channel\/733","com.google.android.street\/18102","com.google.android.googlequicksearchbox\/300303110","com.facebook.katana\/381878","com.google.android.music\/1413","com.google.android.inputmethod.latin\/19133","com.google.android.apps.maps\/707001323","com.google.android.apps.docs\/1256331","com.google.android.apps.books\/30133","com.google.android.videos\/30251","com.google.android.talk\/20303130","com.google.android.apps.plus\/413065443","com.google.android.play.games\/15080136","com.google.android.gm\/4720010","com.miui.userbook\/7","com.google.android.youtube\/5527","com.google.android.apps.magazines\/140341352","com.android.chrome\/1750136"]}


HTTP/1.1 200 OK
Server: Tengine
Date: Wed, 30 Jul 2014 13:30:33 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 30 Jul 2014 13:30:33GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 15

{"errCode":202}


(b) The phone has no SIM card inserted. Nevertheless, phone numbers are continuously sent to the backend server when you:
- add a new contact to the contact list
- dial a number on the dialpad
- send an SMS (the recipient's number is sent)


In this example, the phone number is transmitted in the HTTP parameter 'externalId', with the deviceId sent as the 'Cookie'.

GET /pass/v3/user@id?type=MXPH&externalId=888888888 HTTP/1.1
User-Agent: armani_sg; MIUI/JHCSGBD27.0
Cookie: deviceId=
Host: api.account.xiaomi.com
Connection: Keep-Alive
Accept-Encoding: gzip

HTTP/1.1 200 OK
Server: Tengine/2.0.1
Date: Wed, 30 Jul 2014 13:44:04 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 68

{"result":"ok","description":"成功","data":{"userId":-1},"code":0}

The testing was carried out on JHCSGBD27.0.
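Both captures above, (a) the package list POST and (b) the externalId lookup, as an added Python triage example that is not part of the original post: it parses a raw HTTP request, pulls out host, path, query parameters and cookies, and labels what each request discloses (installed package names, a dialled number in externalId, the deviceId cookie). The two requests are constructed to match the captures above, with a shorter package list and the same dummy phone number; the `PHONE_NUMBER_PARAMS` set is an assumption based only on what the capture shows.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed samples modelled on the two captures above (the deviceId cookie is left
# blank exactly as in the capture; the phone number is the dummy value from the capture).
CAPTURES = [
    "POST /cms/interface/v1/checkpackages.php HTTP/1.1\r\n"
    "Content-Length: 87\r\n"
    "Content-Type: text/plain; charset=ISO-8859-1\r\n"
    "Host: policy.app.xiaomi.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    '{"packages":["com.touchtype.swiftkey.xiaomi\\/545390674","com.facebook.katana\\/381878"]}',
    "GET /pass/v3/user@id?type=MXPH&externalId=888888888 HTTP/1.1\r\n"
    "User-Agent: armani_sg; MIUI/JHCSGBD27.0\r\n"
    "Cookie: deviceId=\r\n"
    "Host: api.account.xiaomi.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n",
]

# Query parameters observed carrying the dialled number (assumption: only externalId so far).
PHONE_NUMBER_PARAMS = {"externalId"}

def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into its request line, headers, cookies and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    cookies = {}
    for item in headers.get("cookie", "").split(";"):
        if "=" in item:
            name, _, value = item.strip().partition("=")
            cookies[name] = value
    return {
        "method": method,
        "host": headers.get("host", ""),
        "path": parts.path,
        # parse_qs keeps empty values so blank identifiers are still visible
        "query": {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()},
        "headers": headers,
        "cookies": cookies,
        "body": body,
    }

def classify(req):
    """Label what a captured request discloses, following the two behaviours described above."""
    findings = []
    if req["path"].endswith("/checkpackages.php") and req["body"]:
        packages = json.loads(req["body"]).get("packages", [])
        # entries are "package/versionCode"; keep the package name only
        findings.append(("installed-package-list", [p.split("/")[0] for p in packages]))
    for param in PHONE_NUMBER_PARAMS & set(req["query"]):
        findings.append(("phone-number", req["query"][param]))
    if "deviceId" in req["cookies"]:
        findings.append(("device-id-cookie", req["cookies"]["deviceId"]))
    return findings

def triage(captures):
    """Return (host, findings) for each captured request."""
    return [(req["host"], classify(req)) for req in map(parse_http_request, captures)]

if __name__ == "__main__":
    for host, findings in triage(CAPTURES):
        print(host, findings)
```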


Sunday, May 8, 2011

ATSVC support for Dionaea

In SMB/NetBIOS attacks, one of the usual ways to execute a payload on a remote machine is via the Task Scheduler. In a Windows environment, the 'at' command schedules tasks to run at a specific time. For example:

To view the scheduled tasks on a remote machine:
- at \\ip

To schedule a task at 2300 hours on the remote machine:
- at \\ip 23:00 command

Recently, I took a look at the possibility of adding ATSVC service support to Dionaea, as mentioned by Markus in his blog post on the MS11-020 vulnerability (http://carnivore.it/2011/04/19/rumors). Following the usual procedure, with a couple of checks against MSDN and Wireshark, it was interesting to observe the differences between a legitimate connection and Dionaea's response.

Legitimate SMB connection between 2 Windows machines:
1. Negotiate Protocol Request/Response
2. Session Setup AndX Request/Response with NTLMSSP authentication
3. Tree Connect AndX Request/Response
4. NT Create AndX Request/Response
5. Trans2 Request/Response......

Connection between a Windows machine and Dionaea:
1. Negotiate Protocol Request/Response
2. Session Setup AndX Request/Response with NTLMSSP authentication
3. Tree Connect AndX Request/Response
4. Tree Disconnect Request/Response

The connection terminates after this response. How can that be?!

I spent quite some time figuring out the root cause, checking every single packet layer, field value, etc. After a long stretch of tweaking and troubleshooting, on the verge of giving up, the NBNS queries and responses exchanged even before the SMB negotiation caught my attention. I noticed that at.exe needs NetBIOS protocol support, which Dionaea currently lacks. Dionaea mainly supports the SMB protocol on port TCP/445, whereas at.exe requires NetBIOS name service support on port UDP/137.

To execute at.exe remotely over the network, the normal connection flow is as below:
1. NBNS queries/responses
2. Negotiate Protocol Request/Response
3. Session Setup AndX Request/Response with NTLMSSP authentication
4. Tree Connect AndX Request/Response
.....[continue]

At the initial stage, several NBNS (NetBIOS Name Service) queries are exchanged on port UDP/137 before the SMB negotiation takes place. I believe that at.exe, a legacy binary that has existed since Windows NT, depends on the NBNS queries to decide whether to proceed. Culprit found.
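The NBNS NAME QUERY REQUEST that step 1 of the flow above consists of, as an added Python example that is not part of the original post or of Dionaea: it implements the first-level name encoding (15-byte padded name plus a service suffix byte, each byte split into two nibbles and written as the letters A to P), builds a query the way a Windows client does, and decodes a received query into the name, suffix and service a honeypot would want to log before any SMB traffic arrives. The suffix table covers only the common well-known values; `build_name_query` is used to construct the test input.

```python
import struct

NBNS_PORT = 137  # NetBIOS Name Service, UDP

# Well-known values of the 16th byte of a NetBIOS name (the service suffix).
NETBIOS_SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}
QTYPE_NB = 0x0020    # general name service resource record
QCLASS_IN = 0x0001

def encode_netbios_name(name, suffix=0x20):
    """First-level encoding (RFC 1001 section 14.1): pad the name to 15 bytes, append the
    suffix, then write each byte as two nibbles with 'A' (0x41) added to each."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(0x41 + nibble for b in raw for nibble in (b >> 4, b & 0x0F))

def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name; returns (name without padding, suffix byte)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        hi, lo = hi - 0x41, lo - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("byte outside the A-P alphabet")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_name_query(name, suffix=0x20, txid=0x1234, broadcast=True):
    """A NAME QUERY REQUEST as the client sends it before touching SMB: 12-byte header
    followed by a single question with an empty scope."""
    flags = 0x0100 | (0x0010 if broadcast else 0)   # NM_FLAGS: RD, plus B for broadcast
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    question = (bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"
                + struct.pack(">HH", QTYPE_NB, QCLASS_IN))
    return header + question

def parse_name_query(pkt):
    """Decode a NAME QUERY REQUEST received on UDP/137 into a dict a honeypot can log."""
    if len(pkt) < 12:
        raise ValueError("short NBNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("packet is a response, not a query")
    if (flags >> 11) & 0xF != 0 or qdcount != 1:   # OPCODE 0 = query
        raise ValueError("not a single-question NAME QUERY")
    off = 12
    if pkt[off] != 32:
        raise ValueError("first label must be the 32-byte encoded name")
    name, suffix = decode_netbios_name(pkt[off + 1:off + 33])
    off += 33
    scope = []
    while pkt[off] != 0:   # optional scope labels, DNS style, ended by a zero length
        length = pkt[off]
        scope.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    off += 1
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return {"txid": txid, "name": name, "suffix": suffix,
            "service": NETBIOS_SUFFIXES.get(suffix, "unknown"),
            "scope": ".".join(scope), "broadcast": bool(flags & 0x0010),
            "qtype": qtype, "qclass": qclass}

if __name__ == "__main__":
    # constructed query for the honeypot's NetBIOS name, with the File Server suffix
    print(parse_name_query(build_name_query("DIONAEA", 0x20)))
```

A query for the honeypot's name with suffix 0x20 is what the at.exe client sends first; a honeypot that cannot parse this never gets to the SMB negotiation described above.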

Screenshots:
Legitimate connection between 2 Windows hosts

Failed connection between a Windows host and Dionaea


Move on.

Friday, January 14, 2011

Dionaea SIP module test

Here is the listing of my test of the Dionaea SIP module with sipvicious. sipvicious is one of the de facto auditing tools for SIP-based VoIP systems. The test was performed with svmap.py, specifying some of the common scanning methods supported by a legitimate VoIP system.

I have listed the sipvicious output, followed by Dionaea's response for each method:


C:\sipvicious>python svmap.py -s session1 -v 192.168.56.101

INFO:DrinkOrSip:Db does sync
INFO:DrinkOrSip:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:DrinkOrSip:unknown:unknown -> 192.168.56.101:5060 -> unknown
-> 3CXPhoneSystem
INFO:root:we have 1 devices
| SIP Device | User Agent | Fingerprint |
-----------------------------------------------------
| 192.168.56.101:5060 | unknown | 3CXPhoneSystem |

INFO:root:Total time: 0:00:03.223000

C:\sipvicious>python svmap.py -m OPTIONS 192.168.56.10

| SIP Device | User Agent | Fingerprint |
-----------------------------------------------------
| 192.168.56.101:5060 | unknown | 3CXPhoneSystem |

C:\sipvicious>python svmap.py -m CANCEL 192.168.56.101

| SIP Device | User Agent | Fingerprint
|
--------------------------------------------------------------------------------
-----------
| 192.168.56.101:5060 | unknown | Viceroy 1.2 / T-Com Speedport W500V / Firmw
are v1.37 |
| | | MxSF/v3.2.6.26 / ET747-a3
|

[14012011 00:11:13] sip dionaea/sip.py:1118: Received CANCEL
[14012011 00:11:15] connection connection.c:3825: connection 0x9b35cb8 none/udp/none [192.168.56.101:5060->192.168.56.1:5060] state: none->close
[14012011 00:11:15] connection connection.c:3825: connection 0x9b35cb8 none/udp/close [192.168.56.101:5060->192.168.56.1:5060] state: close->close
[14012011 00:11:15] logsql dionaea/logsql.py:574: attackid 21567 is done

Note: Wireshark shows the packet as malformed.


C:\sipvicious>python svmap.py -m REGISTER 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m INVITE 192.168.56.101

WARNING:root:found nothing
[14012011 00:08:33] sip dionaea/sip.py:833: SIP Session created
[14012011 00:08:33] sip dionaea/sip.py:975: Received INVITE
[14012011 00:08:33] sip dionaea/sip.py:1183: Mandatory header content-type not in message

C:\sipvicious>python svmap.py -m ACK 192.168.56.101

WARNING:root:found nothing
[14012011 00:10:55] sip dionaea/sip.py:833: SIP Session created
[14012011 00:10:55] sip dionaea/sip.py:1061: Received ACK
[14012011 00:10:55] sip dionaea/sip.py:1069: Given Call-ID does not belong to any session: exit

C:\sipvicious>python svmap.py -m BYE 192.168.56.101

WARNING:root:found nothing
[14012011 00:12:42] sip dionaea/sip.py:833: SIP Session created
[14012011 00:12:42] sip dionaea/sip.py:1101: Received BYE
[14012011 00:12:42] sip dionaea/sip.py:1109: Given Call-ID does not belong to any session: exit

C:\sipvicious>python svmap.py -m PRACK 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m SUBSCRIBE 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m NOTIFY 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m PUBLLISH 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m INFO 192.168.56.101
WARNING:root:found nothing

C:\sipvicious>python svmap.py -m REFER 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m UPDATE 192.168.56.101
WARNING:root:found nothing

C:\sipvicious>python svmap.py -m MESSAGE 192.168.56.101

WARNING:root:found nothing

[14012011 00:16:27] sip dionaea/sip.py:966: Unknown SIP header (supported: INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER and SIP responses

From these quick tests, the current Dionaea SIP module handles the OPTIONS and CANCEL methods well. Several SIP methods could be improved in the Dionaea SIP module, such as INVITE, ACK, BYE and REGISTER, including support for the request and a reply with the correct response. I will work on it soon.
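The decisions the Dionaea log lines above record (a supported-method check, "Mandatory header content-type not in message", "Given Call-ID does not belong to any session"), as an added Python example that is not Dionaea's code or part of the original post: a small SIP request parser plus a `SipHoneypot` class (hypothetical name) that picks the status line to send back and tracks dialogs by Call-ID. The mandatory request headers follow RFC 3261 section 8.1.1; the supported method list is the one the log line quotes; `sip_message` constructs test requests and is not a sipvicious capture.

```python
import re

# Methods the Dionaea module lists as supported in the log line above.
SUPPORTED_METHODS = {"INVITE", "ACK", "OPTIONS", "BYE", "CANCEL", "REGISTER"}
# Headers every SIP request must carry (RFC 3261 section 8.1.1).
MANDATORY_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")

def parse_sip_request(text):
    """Split a SIP request into method, URI, lower-cased header dict and body."""
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not a SIP request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "uri": m.group(2), "headers": headers, "body": body}

class SipHoneypot:
    """Minimal decision logic: which status line each request gets back, and how dialogs
    are tracked by Call-ID so ACK/BYE/CANCEL outside a dialog are rejected."""

    def __init__(self):
        self.sessions = {}   # Call-ID -> dialog state

    def handle(self, text):
        try:
            req = parse_sip_request(text)
        except ValueError:
            return "400 Bad Request"
        h = req["headers"]
        missing = [name for name in MANDATORY_HEADERS if name not in h]
        if missing:
            return f"400 Bad Request (missing {', '.join(missing)})"
        if req["body"] and "content-type" not in h:
            return "400 Bad Request (body without Content-Type)"
        method, call_id = req["method"], h["call-id"]
        if method not in SUPPORTED_METHODS:
            return "501 Not Implemented"
        if method in ("OPTIONS", "REGISTER"):
            return "200 OK"            # answered statelessly to keep the scanner talking
        if method == "INVITE":
            self.sessions[call_id] = "ringing"
            return "200 OK"
        # ACK, BYE and CANCEL only make sense inside an existing dialog.
        if call_id not in self.sessions:
            return "481 Call/Transaction Does Not Exist"
        if method == "ACK":
            self.sessions[call_id] = "established"
            return None                # ACK is never answered
        self.sessions.pop(call_id)     # BYE or CANCEL ends the dialog
        return "200 OK"

def sip_message(method, call_id, body="", content_type=None):
    """Constructed SIP request for exercising the honeypot; not a sipvicious capture."""
    headers = [
        f"{method} sip:100@192.168.56.101 SIP/2.0",
        "Via: SIP/2.0/UDP 192.168.56.1:5060;branch=z9hG4bK-test",
        "From: <sip:scanner@192.168.56.1>;tag=1",
        "To: <sip:100@192.168.56.101>",
        f"Call-ID: {call_id}",
        f"CSeq: 1 {method}",
        "Max-Forwards: 70",
    ]
    if content_type:
        headers.append(f"Content-Type: {content_type}")
    return "\r\n".join(headers) + "\r\n\r\n" + body

if __name__ == "__main__":
    hp = SipHoneypot()
    for m in ("OPTIONS", "INVITE", "ACK", "BYE", "MESSAGE"):
        print(m, "->", hp.handle(sip_message(m, "call-1", body="v=0" if m == "INVITE" else "",
                                              content_type="application/sdp" if m == "INVITE" else None)))
```

Replaying the svmap methods above through `handle` reproduces the module's behaviour: OPTIONS gets a fingerprintable 200, an INVITE without Content-Type is rejected, and ACK or BYE with an unknown Call-ID gets 481 rather than creating a session.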

Reference:
How to use svmap
http://code.google.com/p/sipvicious/wiki/SvmapUsage
List of SIP request methods
http://en.wikipedia.org/wiki/SIP_Requests

Monday, November 22, 2010

MS10-054 Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS

Another SMB protocol vulnerability that caught my eye these few days: MS10-054, Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS. My curiosity is the same as always: how does it work?

This vulnerability was first discovered by Laurent Gaffié in early 2010. He also previously discovered the issue behind the MS10-020 vulnerability. Summary from the advisory:

"A vulnerability in the Windows kernel can be triggered via SMB in Microsoft Windows versions ranging from Windows 2000 through to Windows 7. This vulnerability allows an attacker to trigger a kernel pool corruption by sending a specially crafted SMB_COM_TRANSACTION2 request. Successful exploitation of this issue may result in remote code execution with kernel privileges, while failed attempts will result in a Denial of Service condition. Microsoft has published a patch to resolve the issue"

What is SMB_COM_TRANSACTION2 ?
From [MS-CIFS].pdf, SMB_COM_TRANSACTION2 subcommands provide support for a richer set of server-side file system semantics. The "Trans2 subcommands", as they are called, allow clients to set and retrieve Extended Attribute key/value pairs, make use of long file names (longer than the original 8.3 format names), and perform directory searches, among other tasks.

The subcommands can be found at http://manubatbat.free.fr/doc/smb/6.2.htm

The SMB_COM_TRANSACTION2 request has this format:

SMB_Parameters
{
UCHAR WordCount;
Words
{
USHORT TotalParameterCount;
USHORT TotalDataCount;
USHORT MaxParameterCount;
USHORT MaxDataCount;
UCHAR MaxSetupCount;
UCHAR Reserved1;
USHORT Flags;
ULONG Timeout;
USHORT Reserved2;
USHORT ParameterCount;
USHORT ParameterOffset;
USHORT DataCount;
USHORT DataOffset;
UCHAR SetupCount;
UCHAR Reserved3;
USHORT Setup[SetupCount];
}
}
SMB_Data
{
USHORT ByteCount;
Bytes
{
SMB_STRING Name;
UCHAR Pad1[];
UCHAR Trans2_Parameters[ParameterCount];
UCHAR Pad2[];
UCHAR Trans2_Data[DataCount];
}
}

How does MS10-054 work?
The culprit is the MaxDataCount field! It indicates the maximum number of data bytes the client will accept in the transaction reply. Windows allocates a pool chunk of MaxDataCount size without any sanity check. Allocating a zero-size pool chunk causes trouble when the memory chunk is freed.

The PoC can be found in the Full Disclosure advisory at http://seclists.org/fulldisclosure/2010/Aug/122. I tested the PoC, and it works when the target machine is in the "WORKGROUP" domain and has a user named "Y0" (0 is the zero).

C:\Python26>python.exe test.py 192.168.56.101 C
[+]Negotiate Protocol Request sent
[+]Session Query sent

C:\Python26>python.exe test.py 192.168.56.101 C
[+]Negotiate Protocol Request sent
[+]Session Query sent
[+]Malformed Trans2 packet sent
[+]The target should be down now

C:\Python26>

And the WinXP VM freezes...

In the PoC packet, we can clearly see the culprit: MaxDataCount = 0.

A working DoS module is also included in Metasploit: modules/auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow.rb

Wednesday, November 17, 2010

VirtualBox and Vmware network setup

Just figured this out.

1. Connect VirtualBox images and VMware Player images.

Settings
- VirtualBox image: attached to "VirtualBox Host-Only Ethernet Adapter"
- VMware (vmnetcfg.exe): bridged to "VirtualBox Host-Only Ethernet Adapter"
- VMware image: Network connection: Bridged

It works! All images can ping each other. The IPs assigned to the VMs:
- Host machine: 192.168.56.1
- VirtualBox Ubuntu 9.04 image: 192.168.56.101
- VirtualBox Ubuntu 9.10 image: 192.168.56.102
- VMware BackTrack image: 192.168.56.103

The traffic between the images can be captured with Wireshark listening on the VirtualBox Host-Only adapter. The drawback is that none of the images has internet access, although the host machine itself can access the internet without problems.

Let's improve on this.

2. Create internal network for 2 VirtualBox images + internet

Settings
VirtualBox Ubuntu 9.04 image
- Enable 2 network adapters
- Adapter 1: NAT
- Adapter 2: attached to "Internal Network", name "intnet"
  IP address: 192.168.4.1
  Subnet mask: 255.255.255.0
  Gateway: 10.0.3.2 (the same as the NAT gateway)

VirtualBox Ubuntu 9.10 image
- Enable 2 network adapters
- Adapter 1: NAT
- Adapter 2: attached to "Internal Network", name "intnet"
  IP address: 192.168.4.2
  Subnet mask: 255.255.255.0
  Gateway: 10.0.3.2 (the same as the NAT gateway)

Both images can access the internet and ping each other, and most importantly the link between them is an internal network: its packets cannot be captured by Wireshark listening on the host machine, only by Wireshark running inside one of the VMs.

Reference
https://opensourceexperiments.wordpress.com/2008/04/13/case-study-configuring-internal-networking-work-for-talking-two-linux-guest-os-ubuntu-on-windows-vista-host/

Monday, November 15, 2010

Simple steps to improve Dionaea SMB stack

SMB is one of the core protocols supported by Dionaea. Attacks on port 445 are received and logged in the SQLite database. Dionaea emulates the SMB protocol, and the related functions of its SMB stack are written in Python. If you are running Dionaea and you see unsupported RPC calls in its log, you are most welcome to improve Dionaea's SMB stack.

This is how I worked it out. The process:
1. Dig out the unsupported function, in this case an unsupported RPC call
2. Refer to the MSDN Library for the details of the function call
3. Find an application or test suite that triggers the function, and observe the original request and reply of the function against a clean Windows image
4. Code it out!
5. Test, debug, test, debug, BINGO!!
6. Commit to the tree

Example:
1. Recently I found that these lines kept appearing in /opt/dionaea/var/log/dionaea.log, and I realised that this unsupported RPC SRVSVC call with opnum 21 hits my sensor frequently.
[13112010 09:02:07] rpcservices dionaea/smb/rpcservices.py:104-info: 
Unknown RPC Call to SRVSVC 21
.....
[13112010 12:21:37] rpcservices dionaea/smb/rpcservices.py:104-info:
Unknown RPC Call to SRVSVC 21
.....
[13112010 13:38:34] rpcservices dionaea/smb/rpcservices.py:104-info:
Unknown RPC Call to SRVSVC 21
.....

Querying the database /opt/dionaea/var/dionaea/logsql.sqlite showed 68 hits of this unsupported RPC call against a sensor that had been running for not more than 72 hours.
Here is the query result:

COUNT(*) | dcerpcrequest_uuid                   | dcerpcrequest_opnum | dcerpcservice_name
68       | 4b324fc8-1670-01d3-1278-5a47bf6ee188 | 21                  | SRVSVC
1        | 12345778-1234-abcd-ef00-0123456789ac | 34                  | samr

2. Referring to the MSDN Library http://msdn.microsoft.com/en-us/library/cc247243%28v=PROT.13%29.aspx, opnum 21 of SRVSVC is the NetServerGetInfo method (NetrServerGetInfo in the IDL), which is used to retrieve the current configuration information of the targeted server. The method signature is quite simple:

    NET_API_STATUS NetrServerGetInfo(
        [in, string, unique] SRVSVC_HANDLE ServerName,
        [in] DWORD Level,
        [out, switch_is(Level)] LPSERVER_INFO InfoStruct
    );

3. With some googling, I found a way to observe the original request and response of the NetServerGetInfo method. Here is a simple Win32 program that can be used to exercise it; it worked well against a clean Windows XP image as the target, and the packet details can be studied in Wireshark.
http://www.installsetupconfig.com/win32programming/networkmanagementapis16_49.html

Note: To make this simple program work, the targeted Windows XP needs the Guest account to be enabled. This took me quite some time to figure out, as System error 17XX kept appearing.

4. Time to code the method and let Dionaea support it! The RPC methods reside in http://src.carnivore.it/dionaea/tree/modules/python/scripts/smb/rpcservices.py, separated clearly into classes such as ATSVC, DCOM, IOXIDResolver, lsarpc and others. Find the SRVSVC class and define the NetServerGetInfo handler there.

5. Test the code with the Win32 program compiled previously and observe the packets in Wireshark. Test, debug, test, debug... until the reply looks the same as the one from the Windows image. Further testing can be done by putting the sensor on a real network. The code works!

Observation with readlogsqltree.py

2010-11-14 10:30:16
connection 21150 pcap tcp reject 192.168.1.50:139 <- 118.X.180.91:47775
2010-11-14 10:30:16
connection 21151 smbd tcp accept 192.168.1.50:445 <- 118.X.180.91:47774
dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188'
(SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188'
(SRVSVC) opnum 15 (NetShareEnum ())
dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188'
(SRVSVC) opnum 21 (NetServerGetInfo ())

Waiting for the next attack :)

6. Commit to the tree. Example : http://src.carnivore.it/dionaea/commit/?id=974002a510a13f4565d58b458da665bd4e165e7c

7. After the commit, the added handler needs to be observed from time to time. Sometimes the real-world attack differs from what has been coded, and minor changes to certain packet fields are needed to make it work.
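To show what steps 3 to 5 amount to at the wire level, here is an added Python 3 example of my own. It is not Dionaea's rpcservices.py and does not use Dionaea's packet classes: it decodes the request stub of SRVSVC opnum 21 to get the Level, NDR-encodes a SERVER_INFO_101 reply the way a Windows XP server answers, and decodes the reply again so the handler can be checked offline. The server name "HONEYPOT", the referent IDs (0x0002xxxx), and the SV_TYPE/PLATFORM_ID values are my own choices; the byte layout follows NDR as I understand it from MS-RPCE and MS-SRVS and should be compared field by field against a Wireshark capture from a clean Windows image, exactly as step 3 does.

```python
import struct

PLATFORM_ID_NT = 500                        # sv101_platform_id for the Windows NT family
SV_TYPE_NT_WORKSTATION_SERVER = 0x00001003  # SV_TYPE_WORKSTATION | SV_TYPE_SERVER | SV_TYPE_NT
ERROR_SUCCESS = 0
ERROR_INVALID_LEVEL = 124                   # NET_API_STATUS for an unsupported Level


def ndr_wstr(s):
    """NDR conformant+varying wide string: MaxCount, Offset, ActualCount, UTF-16LE chars, pad."""
    data = (s + "\0").encode("utf-16-le")
    n = len(data) // 2                          # character count including the terminator
    out = struct.pack("<III", n, 0, n) + data
    return out + b"\0" * (-len(out) % 4)        # NDR keeps the stream 4-byte aligned


def _read_wstr(stub, off):
    """Inverse of ndr_wstr; returns (string, offset after the padded string)."""
    max_count, offset, actual = struct.unpack_from("<III", stub, off)
    off += 12
    if offset != 0 or actual > max_count:
        raise ValueError("malformed NDR string header")
    s = stub[off:off + 2 * actual].decode("utf-16-le").rstrip("\0")
    off += 2 * actual
    return s, off + (-off % 4)


def build_netrservergetinfo_request(server_name, level):
    """Client side: [unique] ServerName pointer (referent ID + string) and DWORD Level."""
    if server_name is None:
        return struct.pack("<II", 0, level)                      # NULL pointer, no string
    return struct.pack("<I", 0x00020000) + ndr_wstr(server_name) + struct.pack("<I", level)


def parse_netrservergetinfo_request(stub):
    """Server side: returns (ServerName or None, Level) from the request stub."""
    (ref_id,) = struct.unpack_from("<I", stub, 0)
    off, server_name = 4, None
    if ref_id:                                   # non-NULL unique pointer: the string follows
        server_name, off = _read_wstr(stub, off)
    (level,) = struct.unpack_from("<I", stub, off)
    return server_name, level


def build_netrservergetinfo_response(level, name, comment="", version=(5, 1),
                                     server_type=SV_TYPE_NT_WORKSTATION_SERVER):
    """Response stub: union switch (Level), pointer to SERVER_INFO_101, deferred strings, status.

    The referent IDs (0x0002xxxx) are arbitrary non-zero values, as seen in Windows captures.
    """
    if level != 101:
        return struct.pack("<III", level, 0, ERROR_INVALID_LEVEL)  # switch, NULL info, status
    stub = struct.pack("<II", level, 0x00020000)                   # switch_is(Level), ServerInfo101 ptr
    stub += struct.pack("<IIIIII", PLATFORM_ID_NT, 0x00020004,     # sv101_platform_id, sv101_name ptr
                        version[0], version[1], server_type,       # sv101_version_major/minor, sv101_type
                        0x00020008)                                # sv101_comment ptr
    stub += ndr_wstr(name) + ndr_wstr(comment)                     # deferred referents, in pointer order
    return stub + struct.pack("<I", ERROR_SUCCESS)                 # NET_API_STATUS return value


def parse_netrservergetinfo_response(stub):
    """Decode a level-101 (or error) response stub into a dict, to check the encoder."""
    level, ref_id = struct.unpack_from("<II", stub, 0)
    off = 8
    if ref_id == 0:
        return {"level": level, "status": struct.unpack_from("<I", stub, off)[0]}
    platform_id, name_ref, major, minor, stype, comment_ref = struct.unpack_from("<IIIIII", stub, off)
    off += 24
    name = comment = None
    if name_ref:
        name, off = _read_wstr(stub, off)
    if comment_ref:
        comment, off = _read_wstr(stub, off)
    return {"level": level, "platform_id": platform_id, "name": name, "version": (major, minor),
            "type": stype, "comment": comment, "status": struct.unpack_from("<I", stub, off)[0]}


def handle_srvsvc_opnum21(request_stub, server_name="HONEYPOT"):
    """What the new handler boils down to: request stub in, response stub out."""
    _, level = parse_netrservergetinfo_request(request_stub)
    return build_netrservergetinfo_response(level, server_name)


if __name__ == "__main__":
    req = build_netrservergetinfo_request("\\\\192.168.1.50", 101)   # constructed sample request
    resp = handle_srvsvc_opnum21(req)
    print(resp.hex())
    print(parse_netrservergetinfo_response(resp))
```

Only the stub bytes are produced here; the DCERPC response header (call ID, fragment length, allocation hint) is added by the RPC layer around the handler. Levels other than 101 are answered with ERROR_INVALID_LEVEL rather than a guess, which is the safer choice for a honeypot until a capture of that level is available to copy from.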

This is one of the ways to improve the SMB stack. Simple and exciting. Feel free to write your own. If you need access to the git tree, feel free to contact Markus at nepenthesdev@gmail.com


Cheers,