pysalx/doc/SEC.md


# Security
aka, I'd rather be teaching an AI to categorize spectra, but since I
can't do that, I'm sitting around doing this in the interim.
* https://spacecruft.org/spacecruft/pysalx/issues/1
Quick evaluation: it is basically an older Android device, likely
vulnerable to a wide range of older attacks. It has wifi, bluetooth,
maybe even GSM...
The process table shows it's ready to send SMS... `:)`
```
root@ngl:/ # ps a
USER PID PPID VSIZE RSS WCHAN PC NAME
root 126 2 0 0 002366ec 00000000 S apr_driver
system 328 1 16956 4044 ffffffff a548fa20 S /system/bin/audiod
root 2528 1 5868 368 ffffffff 00434a84 S /sbin/adbd
u0_a70 4397 302 1257352 23972 ffffffff a66719c0 S com.android.smspush
```
Not sure this is necessary... (?)
```
# from lsof
/system/priv-app/Telecom/Telecom.apk
/system/priv-app/TelephonyProvider/TelephonyProvider.apk
/data/data/com.android.providers.telephony/databases/cdmacalloption.db
/data/data/com.android.providers.telephony/databases/HbpcdLookup.db
/system/app/PhoneFeatures/PhoneFeatures.apk
/system/framework/qcrilhook.jar
/data/data/com.android.providers.telephony/databases/telephony.db
/data/data/com.android.providers.telephony/databases/mmssms.db
# Ok, so it has pretty much everything enabled/running apparently...
/system/app/Email/Email.apk
```
```
# Don't think it has hardware GPS (?).
# Perhaps for use with paired GPS (e.g. android phone).
/system/priv-app/com.qualcomm.location/com.qualcomm.location.apk
/system/framework/com.android.location.provider.jar
```
Uses an SELinux kernel; it may even have that old special hole! `:)`
(cf. Brad Spengler attack).
# Net
When connected to wifi the device tries to connect to port `80` of
IP `142.250.72.14`, which is allocated to `Google LLC`.
It also tries to connect to port `443` of IP `157.240.19.19`.
That IP is owned by `Facebook, Inc.` Not sure why that is needed.
# Binaries
The busybox binaries are (ancient) 32-bit(?).
```
$ file xbin/zcat
xbin/zcat: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, stripped
```
# Vulnerability Surface
The analyzers have Android on board, which is generally well documented.
There have been numerous Android security holes published in the last
decade or so. The analyzers have a lot of binaries dating back many versions,
some as old as 2013.
# Attack Surface
* Wifi
* Bluetooth
* Cell ?
* USB
# Hypothetical Scenarios
The nature of attacks once a device has been exploited.
* Device can be fed bogus data. For example, hack a competitor's device to
say there's no gold when there is gold.
* Nefarious polluting company could root EPA's device
when they come inspect contaminated land, and make the device's readings
say everything is ok.
* Attacker sells bullion to vendor. Vendor tests with analyzer, which
attacker has rooted. Grade of bullion is found to be pure, when fake.
Vendor overpays for fake metal.
* Device can be a remote access point back into a corporate network.
Since the device is taken into the field and back into corporate offices,
it makes it an ideal vector to further penetrate networks. An employee
takes the analyzer into the field, exploitation and implant occurs, the
employee takes analyzer back to office to download data. In doing so,
they connect the analyzer to the network (e.g. even via USB), where the
device then phones home back to attackers.
* Safety features of the device can be overridden, causing it to emit
xray or laser power beyond default limits.
# Misc
* All devices have the same static IP hardcoded in binary.
* The devices query remote servers on port `80` in cleartext. This can be
easily hijacked and fed false data.
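The two points above (a hardcoded remote IP, and cleartext queries on port `80`) are the kind of thing worth checking for across a whole fleet rather than on one bench device. The following is an added example, not code from pysalx or from the analyzer vendor: it parses socket-table output in the shape of `adb shell netstat` and flags remote peers that are either on a cleartext protocol port or outside a site-specific allowlist. The sample output, the `192.168.1.0/24` allowlist and the third row are constructed for the example; the two foreign addresses are the ones noted in the Net section above.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the shape of `adb shell netstat` output on an Android
# device. The two foreign addresses are the ones observed in these notes; the
# local addresses, ports and the third row are made up for the example.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.50:43122      142.250.72.14:80        ESTABLISHED
tcp        0      0 192.168.1.50:43130      157.240.19.19:443       SYN_SENT
tcp        0      0 192.168.1.50:43140      192.168.1.10:8443       ESTABLISHED
"""

# Hypothetical allowlist: the only remote hosts an analyzer on this network is
# expected to talk to (e.g. the lab's own data-collection server). Adjust per site.
EXPECTED_REMOTES = {ipaddress.ip_network("192.168.1.0/24")}

# Ports whose protocols are readable and alterable on the wire (HTTP, FTP, telnet).
CLEARTEXT_PORTS = {80, 21, 23}


@dataclass
class Finding:
    remote_ip: str
    remote_port: int
    state: str
    reasons: tuple


# One netstat row: proto, recv-q, send-q, local, foreign, optional state (udp has none).
_ROW = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s*(\S+)?")


def split_endpoint(endpoint: str):
    """Split 'host:port'; rpartition on the last colon so IPv6 forms also work."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def audit_netstat(text: str, expected=EXPECTED_REMOTES, cleartext=CLEARTEXT_PORTS):
    """Return a Finding for every remote peer that is on a cleartext port or
    is not inside one of the expected networks."""
    findings = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header or unparseable row
        _proto, _local, foreign, state = m.groups()
        host, port = split_endpoint(foreign)
        if host in ("0.0.0.0", "::", "*"):
            continue  # listening socket, no remote peer to judge
        ip = ipaddress.ip_address(host)
        reasons = []
        if port in cleartext:
            reasons.append("cleartext protocol port")
        if not any(ip in net for net in expected):
            reasons.append("remote not in expected set")
        if reasons:
            findings.append(Finding(str(ip), port, state or "", tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_netstat(SAMPLE_NETSTAT):
        print(f"{f.remote_ip}:{f.remote_port} {f.state} -> {', '.join(f.reasons)}")
```

Run against real output by piping `adb shell netstat` into `audit_netstat`; the `192.168.1.10:8443` row in the sample is the "expected" case and produces no finding, so the report only lists peers that need an explanation.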
# CVE
The system is running kernel `3.10.49` which has a vast list of known
vulnerabilities.
## Known Kernel Holes
The system uses Linux kernel `3.10.49`. This kernel was released
July 17th, 2014. Release announcement:
* https://lwn.net/Articles/605933/
There were twenty-five Kernel 3.10.49 vulnerabilities disclosed in 2021:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4083
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23222
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46283
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28715
...
* This doozy is considered a top 25. Nice how it has a CVE from 2018,
but disclosure in 2021! :)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25020
...
* Too numerous to list for now...
## Other Known Issues
The `3.10` kernel series was declared an LTS kernel by Greg KH in 2013.
The blog post linked below, from 2017, reflects back on its history.
In that post it says there were `3,456` known unfixed bugs in the
`3.10.49` kernel in 2017. The number has likely increased since.
https://wtarreau.blogspot.com/2017/11/look-back-to-end-of-life-lts-kernel-310.html
The last release in the stable 3.10 series was `3.10.108`, which was
released November 4th, 2017.
The post was written by the kernel developer who made the 3.10.108
commit to the official linux-stable archive. Its last line, from 2017:
*So it's really time to switch now! 3.10 is dead.*
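The CVE and Other Known Issues sections above boil down to two facts a fleet audit should check automatically: the device's kernel is `3.10.49`, and the series ended at `3.10.108` on November 4th, 2017. The following is an added example, not code from pysalx: it parses a `uname -r` string, reports how many patch releases behind the end of its series the kernel is, and how far past the series' end-of-life the audit date falls. The `-g1234abc` suffix in the sample string is constructed; the table of series end points carries only the 3.10 entry from this document.

```python
import re
from datetime import date

# Series end points. Only the 3.10 entry is taken from these notes
# (last release 3.10.108 on 2017-11-04); extend the table for other series.
SERIES_END = {
    (3, 10): {"last": (3, 10, 108), "eol": date(2017, 11, 4)},
}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_kernel_version(uname_r: str):
    """Extract (major, minor, patch) as integers from a `uname -r` string such as
    '3.10.49-g1234abc' (the suffix is a constructed example)."""
    m = _VERSION.search(uname_r)
    if not m:
        raise ValueError(f"no kernel version in {uname_r!r}")
    return tuple(int(x) for x in m.groups())


def triage_kernel(uname_r: str, today: date):
    """Compare a device kernel against the end of its stable series.

    Versions are compared as integer tuples, never as strings: as strings,
    '3.10.49' sorts *after* '3.10.108', which would hide the problem."""
    version = parse_kernel_version(uname_r)
    info = SERIES_END.get(version[:2])
    if info is None:
        return {"version": version, "series_known": False}
    last = info["last"]
    return {
        "version": version,
        "series_known": True,
        "patch_releases_behind": last[2] - version[2],
        "series_eol": today > info["eol"],
        "days_past_eol": (today - info["eol"]).days,
    }


if __name__ == "__main__":
    # Constructed uname string for the analyzer described in these notes.
    print(triage_kernel("3.10.49-g1234abc", date.today()))
```

Feed it `adb shell uname -r` per device and the result gives the two numbers worth tracking in an inventory: how many stable fixes the kernel never received, and how long the series has been unmaintained.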