# Security

aka, I'd rather be teaching an AI to categorize spectra, but since I
can't do that, I'm sitting around doing this in the interim.

* https://spacecruft.org/spacecruft/pysalx/issues/1

Quick evaluation: it is basically an older Android device, likely
vulnerable to a wide range of older attacks. It has wifi and bluetooth,
maybe even GSM...

The process table shows it's ready to send SMS... `:)`

```
root@ngl:/ # ps a
USER PID PPID VSIZE RSS WCHAN PC NAME
root 126 2 0 0 002366ec 00000000 S apr_driver
system 328 1 16956 4044 ffffffff a548fa20 S /system/bin/audiod
root 2528 1 5868 368 ffffffff 00434a84 S /sbin/adbd
u0_a70 4397 302 1257352 23972 ffffffff a66719c0 S com.android.smspush
```

Not sure this is necessary... (?)

```
# from lsof
/system/priv-app/Telecom/Telecom.apk
/system/priv-app/TelephonyProvider/TelephonyProvider.apk
/data/data/com.android.providers.telephony/databases/cdmacalloption.db
/data/data/com.android.providers.telephony/databases/HbpcdLookup.db
/system/app/PhoneFeatures/PhoneFeatures.apk
/system/framework/qcrilhook.jar
/data/data/com.android.providers.telephony/databases/telephony.db
/data/data/com.android.providers.telephony/databases/mmssms.db
# Ok, so it has pretty much everything enabled/running apparently...
/system/app/Email/Email.apk
```

```
# Don't think it has hardware GPS (?).
# Perhaps for use with paired GPS (e.g. android phone).
/system/priv-app/com.qualcomm.location/com.qualcomm.location.apk
/system/framework/com.android.location.provider.jar
```

Uses an SELinux kernel, so it may even have that old special hole! `:)`
(cf. Brad Spengler attack).

# Net

When connected to wifi, the device tries to connect to port `80` of
IP `142.250.72.14`, which is allocated to `Google LLC`.

It also tries to connect to port `443` of IP `157.240.19.19`.
That IP is owned by `Facebook, Inc.` Not sure why that is needed.

# Binaries

The busybox binaries are (ancient) 32-bit(?).

```
$ file xbin/zcat
xbin/zcat: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, stripped
```

# Vulnerability Surface

The analyzers have Android on board, which is generally well documented.
There have been numerous Android security holes published in the last
decade or so. The analyzers have a lot of binaries dating back many
versions, some as old as 2013.

# Attack Surface

* Wifi
* Bluetooth
* Cell ?
* USB

# Hypothetical Scenarios

Nature of attacks, once exploited.

* Device can be fed bogus data. For example, hack a competitor's device to
  say there's no gold when there is gold.

* Nefarious polluting company could root EPA's device when they come to
  inspect contaminated land, and make the device's readings say everything
  is ok.

* Attacker sells bullion to vendor. Vendor tests with analyzer, which
  attacker has rooted. Grade of bullion is found to be pure, when fake.
  Vendor overpays for fake metal.

* Device can be a remote access point back into a corporate network.
  Since the device is taken into the field and back into corporate offices,
  it is an ideal vector to further penetrate networks. An employee takes
  the analyzer into the field, exploitation and implant occur, and the
  employee takes the analyzer back to the office to download data. In doing
  so, they connect the analyzer to the network (e.g. even via USB), where
  the device then phones home to the attackers.

* Safety features of the device can be overridden, causing it to emit
  x-ray or laser power beyond default limits.

# Misc

* All devices have the same static IP hardcoded in the binary.

* The devices query remote servers on port `80` in cleartext. This can be
  easily hijacked and fed false data.
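
The two Misc points above (one address baked into the binary, cleartext HTTP on port `80`) are the kind of thing a quick offline triage of the firmware image surfaces before the device is fielded. This is an added example for these notes, not pysalx code; the sample blob, hostnames and the `192.0.2.x` address are constructed placeholders:

```python
"""Firmware triage: find hardcoded IPv4 literals and cleartext http:// URLs.
Added example for these notes (not pysalx code). SAMPLE_BLOB is constructed;
the hostnames and the 192.0.2.x address are placeholders."""
import re
from typing import Dict, List, Tuple

# Dotted quad; the look-arounds stop partial hits such as "1.2.3.4567".
_IPV4 = re.compile(rb"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])")
# Cleartext URL: scheme plus everything up to the next NUL, whitespace or quote.
_HTTP_URL = re.compile(rb"http://[^\s\x00\"'<>]+")

def find_ipv4_literals(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, ip) for every syntactically valid dotted quad."""
    hits = []
    for m in _IPV4.finditer(blob):
        octets = [int(o) for o in m.groups()]
        if all(o <= 255 for o in octets):  # reject e.g. 999.1.1.1
            hits.append((m.start(), ".".join(map(str, octets))))
    return hits

def find_cleartext_urls(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, url) for every http:// (not https://) URL."""
    return [(m.start(), m.group(0).decode("ascii", "replace"))
            for m in _HTTP_URL.finditer(blob)]

def triage(blob: bytes) -> Dict[str, object]:
    """Summary a defender wants before fielding the device."""
    ips = find_ipv4_literals(blob)
    urls = find_cleartext_urls(blob)
    return {"ipv4": sorted({ip for _, ip in ips}),
            "http_urls": sorted({u for _, u in urls}),
            "hardcoded_endpoints": bool(ips or urls)}

# Constructed sample resembling what strings(1) would see in a firmware image.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"http://update.example.invalid/check\x00"  # cleartext endpoint
    + b"192.0.2.10\x00"                            # baked-in address (TEST-NET-1)
    + b"version 3.10.49\x00"                       # kernel string, not an IP
    + b"999.1.1.1\x00"                             # out-of-range octet
    + b"https://sec.example.invalid/\x00"          # TLS, not cleartext
)

if __name__ == "__main__":
    for off, ip in find_ipv4_literals(SAMPLE_BLOB):
        print(f"0x{off:06x} ipv4 {ip}")
    for off, url in find_cleartext_urls(SAMPLE_BLOB):
        print(f"0x{off:06x} http {url}")
```

Run it against a real image with `triage(open(path, "rb").read())`; any hit is an endpoint the device will trust without TLS or a DNS lookup, which is what makes the port `80` traffic easy to hijack.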
# CVE

The system is running kernel `3.10.49`, which has a vast list of known
vulnerabilities.

## Known Kernel Holes

The system uses Linux kernel `3.10.49`. This kernel was released
July 17th, 2014. Release announcement:

* https://lwn.net/Articles/605933/

There were twenty-five Kernel 3.10.49 vulnerabilities disclosed in 2021:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4083
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23222
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46283
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28715

...

* This doozy is considered a top 25. Nice how it has a CVE from 2018,
  but disclosure in 2021! :)

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25020

...

* Too numerous to list for now...

## Other Known Issues

The `3.10` kernel series was declared an LTS kernel by Greg KH in 2013.
The blog post linked below, from 2017, reflects back on its history.
In that post it says there were `3,456` known unfixed bugs in the
`3.10.49` kernel in 2017. The number has likely increased.

https://wtarreau.blogspot.com/2017/11/look-back-to-end-of-life-lts-kernel-310.html

The last release in the stable 3.10 series was `3.10.108`, which was
released November 4th, 2017.

The post was written by the kernel developer who made the 3.10.108
commit to the official linux-stable archive. Last line, from 2017:

*So it's really time to switch now! 3.10 is dead.*