Security design analysis of the HiWiFi router (companion article)

Source: Internet
Author: User
Tags: readfile

Two things need saying at the outset:

First, many thanks to FreeBuf. The HiWiFi firmware available on its site, version 9003, carries a SquashFS filesystem on which the Lua code is not precompiled, and that is what makes source-level analysis of the HiWiFi router possible.
Address

Second, after some experimentation with the HiWiFi firmware decompression problem, it turns out the image can be unpacked with the open-source 7-Zip on Windows.

So the focus of this piece is the security design of the HiWiFi Lua source code.

0x01 Analysis Ideas

First, understand the OpenWrt web authentication process.

Second, understand the HiWiFi web authentication process and analyze HiWiFi's cloud communication authentication.

0x02 Analysis Process

Test tools: Luaedit for reading the source; WinSCP for connecting to OpenWrt and browsing its directories, because some files are only generated after authentication.

First, understand the OpenWrt web authentication process.

1.1 Build an OpenWrt virtual machine environment.

1.2 Combine network capture with Lua source analysis to understand the authentication process.

To build the OpenWrt virtual machine environment, download the x86 OPENWRT.VMDK image. One point to emphasize: building the environment with only a single wireless network card will fail, because OpenWrt needs two separate interfaces, LAN and WAN.

OpenWrt implements the browser/server interaction mainly through its built-in web server uhttpd together with Lua scripts.

Capturing the login exchange with a packet-capture tool gives the following two requests (headers reflowed one per line):

POST http://192.168.1.10/cgi-bin/luci HTTP/1.1
Host: 192.168.1.10
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.10/cgi-bin/luci
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

username=root&password=123qwe

GET http://192.168.1.10/cgi-bin/luci/;stok=f10e9261c036d0c97db82c5eee568b34?status=1&_=0.4118332080369933 HTTP/1.1
Host: 192.168.1.10
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.10/cgi-bin/luci
Cookie: sysauth=ae896241b40cf93dbf079c08acaeffcd
Connection: keep-alive

Submitting the username and password through the web interface returns the token that the browser keeps using for all subsequent requests,

stok=f10e9261c036d0c97db82c5eee568b34

and a client authentication cookie, generated at login time:

Cookie: sysauth=ae896241b40cf93dbf079c08acaeffcd

Then log in to OpenWrt with WinSCP and look at the files; the whole chain of files called during login is as follows:

On the server side, processing through ccache.lua creates a file under /tmp/luci-sessions named f10e9261c036d0c97db82c5eee568b34 (the session).

This file stores a precompiled Lua script whose main purpose is to map the logged-in user name to the token.

Its content in serialized (stored database) form is a Lua table, reproduced here on one line; the capture also showed the generating file, /usr/lib/lua/luci/ccache.lua:

return { ["secret"] = "bb8d42ed6c097b6f16ea698b22f7b0e1", ["token"] = "f10e9261c036d0c97db82c5eee568b34", ["user"] = "root" }

(The key holding "root" was not legible in the capture; "user" is the name LuCI's session table uses for it.)

The processing involves a hex (base-16) encoding step, one byte of the name becoming two hex digits:

    encoded = encoded .. ("%2x" % string.byte(name, i))  -- "%" on a string is LuCI's string.format shortcut

Because there is too much source to reproduce in full, refer to the relevant files in the code tree.

Next, look at how /usr/lib/lua/luci/dispatcher.lua handles the login: the authenticator.htmlauth function.

    function authenticator.htmlauth(validator, accs, default)
        local user = luci.http.formvalue("username")
        local pass = luci.http.formvalue("password")

        -- credentials accepted: return the user name to the dispatcher
        if user and validator(user, pass) then
            return user
        end

        -- otherwise render the login page again
        require("luci.i18n")
        require("luci.template")
        context.path = {}
        luci.template.render("sysauth", {duser=default, fuser=user})
        return false
    end

validator is mainly an MD5 comparison of the password; if it matches, it returns true.

How exactly is sysauth produced?

By looking at /usr/lib/lua/luci/sauth.lua.

Key code:

    sessiontime = tonumber(luci.config.sauth.sessiontime) or 15 * 60

    -- a session ID must be present, exactly 32 characters long and hex only
    local function _checkid(id)
        return not not (id and #id == 32 and id:match("^[a-fA-F0-9]+$"))
    end

    --- Write session data to a session file.
    -- @param id    Session identifier
    -- @param data  Session data table
    function write(id, data)
        if not sane() then
            prepare()
        end

        assert(_checkid(id), "Security Exception: Session ID is invalid!")
        assert(type(data) == "table", "Security Exception: Session data invalid!")

        data.atime = luci.sys.uptime()

        _write(id, luci.util.get_bytecode(data))
    end

From the code above, session generation is related to time; cracking it would require walking through system time values, which is somewhat difficult.
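To make the checks in sauth.lua concrete, here is an added Python model of the session store (this is not LuCI's code): a 32-hex session ID is drawn from os.urandom (an assumption, since the page does not show the generator), the ID is validated the way _checkid does before any file path is built from it, and the stored atime is compared against the 15 * 60 second sessiontime. A temporary directory stands in for /tmp/luci-sessions, and the session data in the usage is constructed.

```python
import ast
import os
import re
import tempfile
import time

# Added example, not LuCI's own code: a Python model of the checks in sauth.lua.
SESSION_DIR = tempfile.mkdtemp(prefix="luci-sessions-")  # stands in for /tmp/luci-sessions
SESSIONTIME = 15 * 60                                     # luci.config.sauth.sessiontime default (seconds)

_HEX_RE = re.compile(r"^[a-fA-F0-9]+$")


def new_session_id() -> str:
    """32 hex characters; drawn from os.urandom here (assumption: the page does not show the generator)."""
    return os.urandom(16).hex()


def checkid(sid) -> bool:
    """Mirror of _checkid: present, exactly 32 characters, hex digits only."""
    return bool(sid) and len(sid) == 32 and _HEX_RE.match(sid) is not None


def write_session(sid: str, data: dict) -> str:
    """Mirror of write(): refuse bad IDs and non-table data before touching the filesystem.

    Because checkid() only admits hex digits, the path joined below can never
    leave SESSION_DIR (no '/', '.' or NUL gets through), which is what the
    'Security Exception' assertion in the Lua code protects.
    """
    if not checkid(sid):
        raise ValueError("Security Exception: Session ID is invalid!")
    if not isinstance(data, dict):
        raise ValueError("Security Exception: Session data invalid!")
    data["atime"] = time.monotonic()          # stands in for luci.sys.uptime()
    path = os.path.join(SESSION_DIR, sid)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(repr(data))                  # LuCI stores compiled bytecode; repr is enough here
    return path


def read_session(sid: str) -> dict:
    """Load a session written by write_session(); same ID check as on write."""
    if not checkid(sid):
        raise ValueError("Security Exception: Session ID is invalid!")
    with open(os.path.join(SESSION_DIR, sid), encoding="utf-8") as fh:
        return ast.literal_eval(fh.read())    # parses only literals, unlike eval()


def session_valid(data: dict, now=None) -> bool:
    """Expiry check: a session whose atime is older than SESSIONTIME is stale."""
    now = time.monotonic() if now is None else now
    return now - data["atime"] <= SESSIONTIME


if __name__ == "__main__":
    sid = new_session_id()
    write_session(sid, {"user": "root", "token": sid})   # constructed session data
    print(sid, session_valid(read_session(sid)))
    try:
        write_session("../../etc/passwd0123456789abcdef", {})
    except ValueError as exc:
        print("rejected:", exc)
```

The point of the model is the order of operations: the ID is checked for shape before it is ever joined into a path, so the session directory is the only place a session file can land, and a stale atime is caught on read rather than trusted forever.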

Of course, on the HiWiFi router I found that a call to authenticator{} precedes this; however, no corresponding function exists in the Lua code. A full-text search with Luaedit located it in the libauth.so file. That is covered in the last chapter.

Summary: a token is generated on the server side only after OpenWrt authentication succeeds, and it is stored in local files of the uhttpd server. The whole process is essentially impossible to forge, so the login verification is fairly secure; of course there are weaknesses, including password guessing by enumeration.

Second, understand the HiWiFi web authentication process and analyze HiWiFi's cloud communication authentication.

I obtained root on a HiWiFi router and logged in with WinSCP to view the newly generated files in its directories. I originally wanted to decompile the latest Lua source, but neither of the two open-source decompilers, Unlua and luadec, could handle it, so I had to look at the h5661-9003 version of the software instead.

GET /cgi-bin/turbo/;stok=7523cc581c1bccca1db1ea1866c90b95/api/system/check_network_connect?_=1440172033296 HTTP/1.1
Host: 192.168.199.1
Connection: keep-alive
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.103 Safari/537.36
Referer: http://192.168.199.1/cgi-bin/turbo/admin_web
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-us,en;q=0.8,zh-cn;q=0.6,zh;q=0.4
Cookie: sysauth=d4b90df6bee107655b1672c244dd8b75; is_mobile=0

The whole process is similar to OpenWrt, with some changes: the path becomes /cgi-bin/turbo/admin_web, and an Ajax script is then pushed to poll the relevant content.

Improvements:

(1) The cloud participates in key generation.

    LOCAL_KEY='olkmbg1g'
    APP_LOGIN_AUTH_FILE='/etc/app/appcloudkey'

    # store the cloud-issued key; only [a-z0-9_] is accepted
    putkey() {
        echo "$1" | grep -q -E "^[a-z0-9_]+$"
        if [ $(echo $?) != 0 ]; then
            return 1
        fi
        touch "${APP_LOGIN_AUTH_FILE}"
        echo "$1" > "${APP_LOGIN_AUTH_FILE}"
        return 0
    }

    # validate <userkey> <randkey>: userkey must equal md5(LOCAL_KEY . key . randkey)
    validate() {
        userkey="$1"
        randkey="$2"
        echo "${userkey}" | grep -q -E "^[a-f0-9]{32}$"
        if [ $(echo $?) != 0 ]; then
            echo false
            return 1
        fi
        echo "${randkey}" | grep -q -E "^[a-f0-9]{8,}$"
        if [ $(echo $?) != 0 ]; then
            echo false
            return 1
        fi
        touch "${APP_LOGIN_AUTH_FILE}"
        key=$(cat "$APP_LOGIN_AUTH_FILE")
        echo "${key}" | grep -q -E "^[a-z0-9]+$"
        if [ $(echo $?) != 0 ]; then
            echo false
            return 1
        fi
        sign=$(echo -n "$LOCAL_KEY""${key}""${randkey}" | md5sum | awk '{print $1}')
        if [ ${userkey} == "${sign}" ] 2>/dev/null; then
            echo true
            return 0
        fi
        echo false
        return 1
    }
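As an added example (Python, not the firmware's script), the same validate() logic in one place: the request's userkey must equal md5(LOCAL_KEY || key || randkey), where key is the content of /etc/app/appcloudkey (passed in as a parameter here so the example needs no file) and LOCAL_KEY is the constant from the script above. The input regexes are the same; the one deliberate difference is that the final comparison uses hmac.compare_digest instead of the plain string compare of [ ... == ... ]. The key and randkey values in the usage are constructed.

```python
import hashlib
import hmac
import re

# Added example, not the firmware's code: Python model of validate() from the shell script.
LOCAL_KEY = "olkmbg1g"   # constant embedded in the firmware script shown above

_USERKEY_RE = re.compile(r"^[a-f0-9]{32}$")   # lower-case MD5 hex only
_RANDKEY_RE = re.compile(r"^[a-f0-9]{8,}$")   # client nonce, at least 8 hex digits
_KEY_RE = re.compile(r"^[a-z0-9]+$")          # stored cloud key, as putkey() admits it


def compute_sign(key: str, randkey: str) -> str:
    """sign = md5(LOCAL_KEY || key || randkey), matching the echo -n | md5sum pipeline."""
    return hashlib.md5((LOCAL_KEY + key + randkey).encode("ascii")).hexdigest()


def validate(userkey: str, randkey: str, key: str) -> bool:
    """Mirror of validate(); `key` is what the script reads from /etc/app/appcloudkey.

    Each input is shape-checked before the hash is computed, exactly as the
    script does with grep, so malformed values never reach the comparison.
    """
    if not _USERKEY_RE.match(userkey):
        return False
    if not _RANDKEY_RE.match(randkey):
        return False
    if not _KEY_RE.match(key):
        return False
    # The script compares with [ ... == ... ]; compare_digest does the same job in constant time.
    return hmac.compare_digest(userkey, compute_sign(key, randkey))


if __name__ == "__main__":
    key = "abc123def456"          # constructed stand-in for the appcloudkey file content
    randkey = "0123456789abcdef"  # constructed client nonce
    userkey = compute_sign(key, randkey)
    print(validate(userkey, randkey, key), validate(userkey, "fedcba9876543210", key))
```

Two properties follow from the construction: the verifier needs nothing but the stored key and the constant, so the strength of the scheme rests entirely on keeping the appcloudkey file private on the device; and randkey is chosen by the caller and bound into the hash, so a sign computed for one randkey is not valid for another.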

(2) A login retry limit (10 attempts) is added. The number of failed attempts is stored in /tmp/loginerrnum by the verification code.

    local loginlock_time = 10

    -- one more failed login
    function up_loginlock()
        local num = fs.readfile("/tmp/loginerrnum") or 0
        num = num + 1
        fs.writefile("/tmp/loginerrnum", num)
    end

    -- a successful login clears the counter
    function unset_loginlock()
        fs.writefile("/tmp/loginerrnum", 0)
    end

    function get_loginlock()
        local num = fs.readfile("/tmp/loginerrnum") or 0
        return num
    end

    -- excerpt: user and pass are read from the request earlier in the function
    function authenticator.jsonauth(validator, accs, default)
        if user and validator(user, pass) and user ~= "root" then
            luci.util.unset_loginlock()
            return user
        end
        context.path = {}
        local json_msg = '{"code":"99999","msg":"Not auth."}'
        luci.http.write(json_msg)
        return false
    end
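An added Python model of the retry counter (not HiWiFi's code): the three helpers above plus a jsonauth that compares the counter against the 10-attempt limit before calling the validator. The excerpt does not show where that comparison sits, so placing it before the validator is an assumption of this example; the user ~= "root" condition from the excerpt is left out because the page does not explain it. A temporary file stands in for /tmp/loginerrnum, and the validator and credentials in the usage are constructed.

```python
import os
import tempfile

# Added example, not HiWiFi's code: Python model of the /tmp/loginerrnum retry counter.
LOGINLOCK_TIME = 10                                                              # retry limit from the Lua source
COUNTER_FILE = os.path.join(tempfile.mkdtemp(prefix="hiwifi-"), "loginerrnum")  # stands in for /tmp/loginerrnum
NOT_AUTH = '{"code":"99999","msg":"Not auth."}'                                  # the JSON reply jsonauth writes


def get_loginlock() -> int:
    """Mirror of get_loginlock(): a missing or empty file counts as 0."""
    try:
        with open(COUNTER_FILE, encoding="utf-8") as fh:
            text = fh.read().strip()
    except FileNotFoundError:
        return 0
    return int(text) if text else 0


def up_loginlock() -> int:
    """Mirror of up_loginlock(): increment the stored failure count and return it."""
    num = get_loginlock() + 1
    with open(COUNTER_FILE, "w", encoding="utf-8") as fh:
        fh.write(str(num))
    return num


def unset_loginlock() -> None:
    """Mirror of unset_loginlock(): a successful login clears the counter."""
    with open(COUNTER_FILE, "w", encoding="utf-8") as fh:
        fh.write("0")


def jsonauth(validator, user, password):
    """Model of authenticator.jsonauth.

    Returns (user, None) on success or (None, NOT_AUTH) on failure. The
    comparison against LOGINLOCK_TIME is placed before the validator call;
    that placement is this example's assumption, not something the excerpt shows.
    """
    if get_loginlock() >= LOGINLOCK_TIME:
        return None, NOT_AUTH          # locked: the validator is not even consulted
    if user and validator(user, password):
        unset_loginlock()
        return user, None
    up_loginlock()
    return None, NOT_AUTH


if __name__ == "__main__":
    ok = lambda u, p: u == "admin" and p == "correct-horse"   # constructed validator
    for _ in range(LOGINLOCK_TIME):
        jsonauth(ok, "admin", "wrong")
    print(get_loginlock(), jsonauth(ok, "admin", "correct-horse"))
```

Because the counter is one file rather than per-client state, ten failures from any source block every further attempt, correct password included, until the counter is cleared; that trade-off between brute-force resistance and availability of the admin login is worth knowing before reusing the design.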

(3) Sandbox permissions on OPENAPI calls, and a stricter way of obtaining tokens.

In /usr/lib/lua/luci/dispatcher.lua the implementation of authenticator{} could not be found.

The authentication logic may live in usr/lib/libauth.so, found by searching the directory; load it into IDA, selecting MIPS little-endian.

The locally stored token is read first, through cache_load_token_v3. If no token has been obtained yet, one is requested from:

https://auth.hiwifi.com/tokenv2?app=%s&checksum=%s&name=%s&cnonce=%d&nonce=%s

checksum: the checksum value; name: the device MAC address; cnonce: a locally generated random number, processed with the time and a salt.

nonce is generated automatically by the cloud platform; only the cloud knows the algorithm.

What we are looking for here is the checksum value.

Searching finds tw_get_uuid, located in the tw.so file.

Of course you can also call the .so libraries from Python to test their cryptographic routines.

The UUID is generated from the device MAC address plus a constant, 123456789123, and so on, through a complex algorithm. Because every device's UUID is different, even someone who knows a device's MAC address cannot exploit it by forging requests. This multi-factor verification mechanism greatly protects the security of cloud platform users.

The sandbox part is, in fact, the access-directory restriction applied to keys obtained through OPENAPI logins; it prevents third-party (secondary) developers from writing malicious programs and then controlling millions of routers.

0x03 Security Design Summary

As can be seen, from OpenWrt to HiWiFi 9003 to HiWiFi 9008 (currently the latest version for the 1S), the security design of the firmware software has become more and more elaborate.

Such an aggressive security design is also in line with business needs:

(1) Basic protection: the original Lua source is readable when unpacked, so it must be precompiled before shipping on devices. The core algorithms and authentication libraries are placed in .so files.

(2) Because the aim is the router software market, the cloud key verification mechanism is combined in: even if you crack the local algorithm, the cloud algorithm remains unknown, so the local result is useless on its own.

Finally, praise for the craftsman spirit shown in this information security work.
