Sunday, September 1, 2013

Analyzing and Running binaries from Firmware Images - Part 1

During the first part of SIMET Box Firmware analysis, we downloaded the firmware Image, extracted its contents, compared/analyzed its base and found a couple of interesting files (SSH keys, binary files, init scripts, firewall rules and so on).

For this part we'll focus on identifying binaries, comparing and executing them to find interesting data. Whenever you're analyzing binaries from different architectures, there are a couple of nice tools that aid debugging, reversing and emulating their behavior, like objdump, readelf and QEMU.

Embedded Debian Project provides pre-built binary toolchains for mips, mipsel, arm, armel, powerpc, and a couple of other architectures. In order to download and install it on Debian based Linux distros, you have to apt-get its archive signing key:
sudo apt-get install emdebian-archive-keyring

Now you you need to include their repository on your /etc/apt/sources.list:
deb http://www.emdebian.org/debian/ squeeze main

After the apt-get update you can install binutils for you target archs:
sudo apt-get install binutils-mips-linux-gnu binutils-mipsel-linux-gnu  binutils-arm-linux-gnueabi

For this little exercise I'll analyze three busybox binaries, from three different firmwares: busybox-simet (from SIMET Box), busybox-asuswrt (from AsusWRT-Merlin firmware) and busybox-sb6120 (from Motorolla's SB6120 Surfboard Cable Modem).

Architecture, Big-Endian or Little Endian?

When analyzing SIMET Box we already knew that the device was based on ar71xx platform, which is MIPS based and big endian as stated on OpenWRT's official page. If you want to find it by your own you can use the file utility:


Emdebian binutils also provide useful tools to identify further info from unknown binaries. A nice hack that I commonly use is to display information from object files using different toolchains in order to find out which one understands the file structure properly. For example, objdump -f displays contents of the overall file header.

  • SIMET Box tl-wr740n-v4 (architecture: mips:isa32r2, file format elf32-tradbigmips)

  • AsusWRT-Merlin v3.0.0.4.374.32 (architecture: mips:isa32 file format elf32-tradlittlemips)

  • SB6120 v1.0.2.4-SCM01 (architecture: arm, file format elf32-bigarm)

We now know each file's format/architecture and can proceed using QEMU to emulate the binaries on a virtual environment.

QEMU

QEMU is a generic and open source machine emulator and virtualizer that supports architectures like MIPS, ARM and PowerPC. In order to setup and run single binaries with QEMU on Debian based Linux distributions, you need to install the qemu-user-static package. RogueAsian and devtty0 detail these steps here and here.
sudo apt-get install qemu-user-static

It's important to run qemu on a chrooted environment to avoid mixing your target's libraries with those on your host system.

AsusWRT-Merlin v3.0.0.4.374.32

Let's try this on AsusWRT's busybox first. We'll have to use qemu-mipsel-static because it's MIPS32 based and Little Endian.


Hmmm, not so lucky this time, ld-uClibc.so is missing. Let's check the dynamic section and copy the necessary libraries from the original firmware:
mips-linux-gnu-objdump -x bin/busybox-asuswrt | grep lib


We can also cross compile these libraries on our own or install the target C libraries with dpkg-cross, but using the firmware original libraries is always preferred. After copying the necessary files, we can finally execute it using QEMU:
cp `whereis qemu-mipsel-static | cut -d" " -f2` .
sudo chroot . ./qemu-mipsel-static bin/busybox-asuswrt


SB6120 v1.0.2.4-SCM01

Let's try to run busybox from Motorolla's cable modem Surfboard SV6120 (ARM/Big Endian):

cp `whereis qemu-armeb-static | cut -d" " -f2` .
sudo chroot . ./qemu-armeb-static bin/busybox-sb6120


BusyBox v1.4.2, might be vulnerable to CVE-2011-2716 =)

SIMET Box tl-wr740n-v4

Running the busybox binary extracted from SIMET Box (MIPS/Big Endian):

cp `whereis qemu-mips-static | cut -d" " -f2` .
sudo chroot . ./qemu-mips-static bin/busybox-simet
mips-linux-gnu-readelf -h bin/busybox-simet


Unfortunately, qemu-mips-static did not recognize the ELF image properly and was unable to run SIMET Box's binaries on the fly. For the next post I'll detail on how to overcome this issue with SIMET Box's busybox by running a full OpenWRT MIPS environment on QEMU. This is useful because we can compile and run our own (compatible) kernel, set up a network device, analyze the network activity and its system-wide interactions.

Conclusion
These techniques help identifying unknown binaries from unknown architectures and running them on a virtual environment. They might be useful to analyze malware for embedded systems (Internet Census 2012 anyone?), during forensic analysis and to hack/find vulnerabilities on firmware images.