Merge pull request #451 from m-1-k-3/kernel_downloader
Kernel downloader and vulnerability verifier
m-1-k-3 authored Jan 11, 2023
2 parents f1abf2f + 80271a4 commit a019263
Showing 28 changed files with 1,182 additions and 157 deletions.
11 changes: 7 additions & 4 deletions check_project.sh
Expand Up @@ -117,7 +117,8 @@ import_emba_main() {


dockerchecker() {
echo -e "\\n""$ORANGE""$BOLD""EMBA docker-files check""$NC""\\n""$BOLD""=================================================================""$NC"
echo -e "\\n""$ORANGE""$BOLD""EMBA docker-files check""$NC"
echo -e "$BOLD""=================================================================""$NC"
mapfile -t DOCKER_COMPS < <(find . -maxdepth 1 -iname "docker-compose*.yml")
for DOCKER_COMP in "${DOCKER_COMPS[@]}"; do
echo -e "\\n""$GREEN""Run docker check on $DOCKER_COMP:""$NC""\\n"
Expand All @@ -132,7 +133,8 @@ dockerchecker() {
}

check() {
echo -e "\\n""$ORANGE""$BOLD""Embedded Linux Analyzer Shellcheck""$NC""\\n""$BOLD""=================================================================""$NC"
echo -e "\\n""$ORANGE""$BOLD""Embedded Linux Analyzer Shellcheck""$NC"
echo -e "$BOLD""=================================================================""$NC"

echo -e "\\n""$GREEN""Load all files for check:""$NC""\\n"

Expand Down Expand Up @@ -280,8 +282,9 @@ check
dockerchecker
summary

if [[ "${#MODULES_TO_CHECK_ARR_TAB[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR[@]}" -gt 0 ]] || \
[[ "${#MODULES_TO_CHECK_ARR_SEMGREP[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR_DOCKER[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR_PERM[@]}" -gt 0 ]] || \
if [[ "${#MODULES_TO_CHECK_ARR_TAB[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR[@]}" -gt 0 ]] || \
[[ "${#MODULES_TO_CHECK_ARR[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR_SEMGREP[@]}" -gt 0 ]] || \
[[ "${#MODULES_TO_CHECK_ARR_DOCKER[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR_PERM[@]}" -gt 0 ]] || \
[[ "${#MODULES_TO_CHECK_ARR_COMMENT[@]}" -gt 0 ]]; then
exit 1
fi
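Review bot: The reflowed exit condition still tests `"${#MODULES_TO_CHECK_ARR[@]}" -gt 0` twice — once at the end of the first continued line and again at the start of the second — so either one of the per-checker arrays is not tested at all or the repeated clause is dead; the line break only makes the pre-existing duplication harder to spot. Replace the duplicate with the array it was meant to cover, or delete it if every checker is already represented; from this hunk alone I cannot tell which array is missing. A short comment above the `if`, e.g. `# one clause per checker (tab, shellcheck, semgrep, docker, perm, comment)`, would let the next person verify the list at a glance.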
2 changes: 1 addition & 1 deletion config/bin_version_strings.cfg
Expand Up @@ -548,7 +548,7 @@ quagga;;gpl;"^(ldpd|linkd)\ version\ 0\.9[\.0-9]+$";"sed -r 's/(ldpd|linkd)\ ver
quagga;;gpl;"^Hello,\ this\ is\ Quagga\ \(version\ [0-9](\.[0-9]+)+?\)\.$";"sed -r 's/Hello,\ this\ is\ Quagga\ \(version\ ([0-9](\.[0-9]+)+?)\)\.$/quagga:\1/'";
#quik;;unknown;"QUIK\ version\ [0-9]\.[0-9]+";"NA";
qdiscman;;unknown;"^qdiscman\ [0-9](\.[0-9]+)+?\ release$";"sed -r 's/qdiscman\ ([0-9](\.[0-9]+)+?)$/qdiscman:\1/'";
radlogin;;unknown;"radlogin\.c,v\ [0-9]\.[0-9]+\ [0-9]+";"sed -r 's/radlogin\.c,v\ ([0-9](\.[0-9]+)+?)$/radlogin:\1/'";
radlogin;;unknown;"radlogin\.c,v\ [0-9]\.[0-9]+\ [0-9]+";"sed -r 's/radlogin\.c,v\ ([0-9](\.[0-9]+)+?).*/radlogin:\1/'";
radvd;strict;radvd-lic;"Version:\ [0-9]\.[0-9]+$";"sed -r 's/Version:\ ([0-9](\.[0-9]+)+?)$/radvd:\1/'";
radvd;strict;radvd-lic;"Version:\ [0-9]\.[0-9]+\.[0-9]+$";"sed -r 's/Version:\ ([0-9](\.[0-9]+)+?)$/radvd:\1/'";
radvdump;strict;radvd-lic;"Version:\ [0-9]\.[0-9]+$";"sed -r 's/Version:\ ([0-9](\.[0-9]+)+?)$/radvd:\1/'";
4 changes: 4 additions & 0 deletions config/report_templates/F20_vul_aggregator-post.sh
Expand Up @@ -12,6 +12,10 @@ print_output "$(indent "${ORANGE}S$NC - PoC code found on Snyk vulnerability dat
write_link "https://security.snyk.io/vuln"
print_output "$(indent "${ORANGE}X$NC - Vulnerability is known as exploited")"
write_link "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
if [[ -f "$LOG_DIR"/s26_kernel_vuln_verifier.txt ]]; then
print_output "$(indent "${ORANGE}V$NC - Kernel vulnerability was verified from module s26")"
write_link "s26"
fi
print_ln
print_ln
print_output "[*] Source notes:"
15 changes: 15 additions & 0 deletions config/report_templates/S26_kernel_vuln_verifier-post.sh
@@ -0,0 +1,15 @@
#!/bin/bash

print_output "[*] Exploitability notes:"
print_output "$(indent "${ORANGE}EDB$NC - Exploit code found in the Exploit database")"
write_link "https://exploit-db.com"
print_output "$(indent "${ORANGE}MSF$NC - Exploit code found in the Metasploit framework")"
write_link "https://github.com/rapid7/metasploit-framework"
print_output "$(indent "${ORANGE}GH$NC - PoC code found on Github (via trickest)")"
write_link "https://github.com/trickest/cve"
print_output "$(indent "${ORANGE}PS$NC - PoC code found on Packetstormsecurity")"
write_link "https://packetstormsecurity.com/files/tags/exploit/"
print_output "$(indent "${ORANGE}SNYK$NC - PoC code found on Snyk vulnerability database")"
write_link "https://security.snyk.io/vuln"
print_output "$(indent "${ORANGE}EXP$NC - Vulnerability is known as exploited")"
write_link "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
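Review bot: The legend in this new template uses multi-letter tags (`EDB`, `MSF`, `GH`, `PS`, `SNYK`, `EXP`) while the F20 template touched in this same commit labels the same sources with single letters (`S`, `X`), so the two reports will describe identical evidence with different markers. If the S26 module really writes the long forms, pin that contract with a comment at the top of the file, e.g. `# tag names must match the markers emitted by the S26 kernel vulnerability verifier module`; otherwise reuse the F20 letters so the legends stay interchangeable. The module that emits these markers is not part of this diff, so confirm which form it uses before changing either side.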
2 changes: 1 addition & 1 deletion docker-compose.yml
Expand Up @@ -40,12 +40,12 @@ services:
- ${FIRMWARE}/:/firmware:ro
- ${LOG}/:/logs
- ${EMBA}/:/emba:ro
- ${EMBA}/external/linux_kernel_sources/:/external/linux_kernel_sources:ro
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
- /dev:/dev
- /lib/modules:/lib/modules:ro
- /boot:/boot:ro
# - /home/m1k3/github-repos/EMBA-emulation-binaries:/external/EMBA_Live_bins/:ro
environment:
- USER
devices:
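Review bot: The new bind mount exposes `external/linux_kernel_sources` read-only to the container, which is the right direction since the host-side `kernel_downloader` started in emba.sh in this same commit is the only writer; but the host keeps writing while the container is already running, so a consumer inside the container that merely checks that the directory or a tarball exists can pick up a partially downloaded or half-extracted tree. Have the downloader write to a temporary name and rename atomically, or publish a completion marker, and have the consuming module wait on that rather than on file existence — the consumer side is not visible in this diff, so confirm it does not already do so. A comment on the mount line, `# written by the host-side kernel_downloader (emba.sh); the container only reads`, would document the ownership for the next person editing this file.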
97 changes: 52 additions & 45 deletions emba.sh
Expand Up @@ -415,7 +415,8 @@ main()
welcome # Print EMBA welcome message

if [[ $# -eq 0 ]]; then
print_output "\\n""$ORANGE""In order to be able to use EMBA, you have to specify at least a firmware (-f).\\nIf you don't set a log directory (-l), then ./logs will be used.""$NC" "no_log"
print_output "\\n""$ORANGE""In order to be able to use EMBA, you have to specify at least a firmware (-f)." "no_log"
print_output "If you don't set a log directory (-l), then ./logs will be used.""$NC" "no_log"
print_help
exit 1
fi
Expand Down Expand Up @@ -656,6 +657,14 @@ main()
create_log_dir
fi

# kernel downloader runs on the host and waits for an identified kernel version. Afterwards
# it tries to download the kernel sources for further analysis
if [[ $IN_DOCKER -eq 0 ]]; then
kernel_downloader &
K_DOWN_PID="$!"
print_output "[*] Started kernel downloader thread with PID $K_DOWN_PID" "no_log"
fi

if [[ $IN_DOCKER -eq 0 ]]; then
echo "$LOG_DIR" > "$TMP_DIR"/orig_logdir
fi
Expand Down Expand Up @@ -854,58 +863,56 @@ main()

print_output "[*] EMBA sets up the docker environment.\\n" "no_log"

if [[ "$UPDATE" -eq 1 ]]; then
EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker pull embeddedanalyzer/emba
if ! docker images | grep -qE "emba[[:space:]]*latest"; then
if ! docker images | grep -qE "emba[[:space:]]*latest"; then
print_output "[*] Available docker images:" "no_log"
docker images | grep -E "emba[[:space:]]*latest" || true
print_output "[-] EMBA docker not ready!" "no_log"
exit 1
fi
fi

if ! docker images | grep -qE "emba[[:space:]]*latest"; then
print_output "[*] Available docker images:" "no_log"
docker images | grep -E "emba[[:space:]]*latest" || true
print_output "[-] EMBA docker not ready!" "no_log"
exit 1
else
print_output "[*] EMBA initializes docker container.\\n" "no_log"
print_output "[*] EMBA initializes docker container.\\n" "no_log"

if [[ "$ONLY_DEP" -eq 0 ]]; then
# store some details that we do not have in the docker container:
echo "$FIRMWARE_PATH" >> "$TMP_DIR"/fw_name.log
echo "$LOG_DIR" >> "$TMP_DIR"/emba_log_dir.log
echo "$EMBA_COMMAND" >> "$TMP_DIR"/emba_command.log
fi
if [[ "$ONLY_DEP" -eq 0 ]]; then
# store some details that we do not have in the docker container:
echo "$FIRMWARE_PATH" >> "$TMP_DIR"/fw_name.log
echo "$LOG_DIR" >> "$TMP_DIR"/emba_log_dir.log
echo "$EMBA_COMMAND" >> "$TMP_DIR"/emba_command.log
fi

write_notification "EMBA starting docker container"
write_notification "EMBA starting docker container"

if [[ "$STRICT_MODE" -eq 1 ]]; then
set +e
fi
disable_strict_mode "$STRICT_MODE" 0
EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker-compose run --rm emba -c './emba.sh -l /logs -f /firmware -i "$@"' _ "${ARGUMENTS[@]}"
D_RETURN=$?
enable_strict_mode "$STRICT_MODE" 0

if [[ $D_RETURN -eq 0 ]] ; then
if [[ $ONLY_DEP -eq 0 ]] ; then
print_output "[*] EMBA finished analysis in docker container.\\n" "no_log"
write_notification "EMBA finished analysis in default mode"
print_output "[*] Firmware tested: $ORANGE$FIRMWARE_PATH$NC" "no_log"
print_output "[*] Log directory: $ORANGE$LOG_DIR$NC" "no_log"
if [[ -f "$HTML_PATH"/index.html ]]; then
print_output "[*] Open the web-report with$ORANGE firefox $(abs_path "$HTML_PATH/index.html")$NC\\n" "main"
fi
cleaner 0
else
# we do not need the log dir from dependency checker
if [[ -d "$LOG_DIR" ]]; then
rm -r "$LOG_DIR"
fi
if [[ "$STRICT_MODE" -eq 1 ]]; then
set +e
fi
disable_strict_mode "$STRICT_MODE" 0
EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker-compose run --rm emba -c './emba.sh -l /logs -f /firmware -i "$@"' _ "${ARGUMENTS[@]}"
D_RETURN=$?
enable_strict_mode "$STRICT_MODE" 0

if [[ $D_RETURN -eq 0 ]] ; then
if [[ $ONLY_DEP -eq 0 ]] ; then
print_output "[*] EMBA finished analysis in docker container.\\n" "no_log"
write_notification "EMBA finished analysis in default mode"
print_output "[*] Firmware tested: $ORANGE$FIRMWARE_PATH$NC" "no_log"
print_output "[*] Log directory: $ORANGE$LOG_DIR$NC" "no_log"
if [[ -f "$HTML_PATH"/index.html ]]; then
print_output "[*] Open the web-report with$ORANGE firefox $(abs_path "$HTML_PATH/index.html")$NC\\n" "main"
fi
exit 0
else
print_output "[-] EMBA failed in docker mode!" "no_log"
cleaner 0
write_notification "EMBA failed analysis in default mode"
exit 1
else
# we do not need the log dir from dependency checker
if [[ -d "$LOG_DIR" ]]; then
rm -r "$LOG_DIR"
fi
fi
exit 0
else
print_output "[-] EMBA failed in docker mode!" "no_log"
cleaner 0
write_notification "EMBA failed analysis in default mode"
exit 1
fi
fi
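Review bot: The `disable_strict_mode "$STRICT_MODE" 0` call placed in front of the `docker-compose run` line is immediately preceded by an inline `if [[ "$STRICT_MODE" -eq 1 ]]; then set +e; fi` that does the same thing, so one of the two is redundant; drop the three inline lines and keep the helper, which is what the `enable_strict_mode` call after the run pairs with. Separately, the `kernel_downloader &` started in the second hunk runs on the host for the whole analysis and is only stopped by `cleaner`, yet the dependency-check-only branch below removes `$LOG_DIR` and exits 0 without calling `cleaner`; unless an EXIT trap outside this hunk covers that path, or the downloader is never started in that mode, the background download is left running after EMBA returns. Because the version the downloader fetches is presumably derived from strings found in the analysed firmware, the downloader should also validate that version against a strict pattern before it is used in a URL or a path — that code is not part of this diff, so confirm it does. `main` starts and ends outside these hunks.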

8 changes: 7 additions & 1 deletion helpers/helpers_emba_dependency_check.sh
Expand Up @@ -339,7 +339,10 @@ dependency_check()
# Check system tools
#######################################################################################
if [[ $USE_DOCKER -eq 0 ]] ; then
SYSTEM_TOOLS=("awk" "basename" "bash" "cat" "chmod" "chown" "cp" "cut" "date" "dirname" "dpkg-deb" "echo" "eval" "find" "grep" "head" "kill" "ln" "ls" "md5sum" "mkdir" "mknod" "modinfo" "mv" "netstat" "openssl" "printf" "pwd" "readelf" "realpath" "rm" "rmdir" "sed" "seq" "sleep" "sort" "strings" "tee" "touch" "tr" "uniq" "unzip" "wc")
SYSTEM_TOOLS=("awk" "basename" "bash" "cat" "chmod" "chown" "cp" "cut" "date" "dirname" \
"dpkg-deb" "echo" "eval" "find" "grep" "head" "kill" "ln" "ls" "md5sum" "mkdir" "mknod" \
"modinfo" "mv" "netstat" "openssl" "printf" "pwd" "readelf" "realpath" "rm" "rmdir" "sed" \
"seq" "sleep" "sort" "strings" "tee" "touch" "tr" "uniq" "unzip" "wc")

for TOOL in "${SYSTEM_TOOLS[@]}" ; do
check_dep_tool "$TOOL"
Expand Down Expand Up @@ -434,6 +437,9 @@ dependency_check()
# Freetz-NG
check_dep_file "Freetz-NG fwmod" "$EXT_DIR""/freetz-ng/fwmod"

# AVM fitimg extraction script
check_dep_file "fitimg script" "$EXT_DIR""/fitimg-0.8/fitimg"

# EnGenius decryptor - https://gist.github.com/ryancdotorg/914f3ad05bfe0c359b79716f067eaa99
check_dep_file "EnGenius decryptor" "$EXT_DIR""/engenius-decrypt.py"
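Review bot: The system-tool list reflowed here is only evaluated when `USE_DOCKER -eq 0`, but the `kernel_downloader` introduced in this commit runs on the host even in docker mode (emba.sh starts it under `IN_DOCKER -eq 0`), so whatever it needs to fetch and unpack kernel sources on the host — presumably a downloader such as `wget` or `curl` plus `tar` — is never checked in the default docker workflow, and a missing tool would surface only as a silent failure of the background job. Add a small host-side check that runs regardless of `USE_DOCKER`, e.g. `check_dep_tool "wget"` and `check_dep_tool "tar"`, once you have confirmed which tools the downloader actually calls. The new `fitimg-0.8` path also hard-codes a version into the expected location; a comment naming the installer step that pins that version would tell the next person where both places must be updated together. `dependency_check` starts and ends outside these hunks.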

7 changes: 7 additions & 0 deletions helpers/helpers_emba_helpers.sh
Expand Up @@ -136,6 +136,13 @@ cleaner() {
restore_permissions
fi

if [[ "$IN_DOCKER" -eq 0 ]] && [[ -v K_DOWN_PID ]]; then
if ps -p "$K_DOWN_PID" > /dev/null; then
# kernel downloader is running in a thread on the host and needs to be stopped now
print_output "[*] Stopping kernel downloader thread with PID $K_DOWN_PID" "no_log"
kill "$K_DOWN_PID" || true
fi
fi
if [[ "$IN_DOCKER" -eq 0 ]] && pgrep -f "find ./external/trickest" &> /dev/null 2>&1; then
pkill -f "find ./external/trickest" 2>/dev/null || true
fi
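Review bot: `kill "$K_DOWN_PID"` only signals the backgrounded subshell that runs `kernel_downloader`; any external command it is blocked in at that moment (a download or an extraction — whatever the function invokes, which is not visible here) is a child of that subshell and survives as an orphan, still writing into `external/linux_kernel_sources` after EMBA has finished. Signal the children before the parent, `pkill -P "$K_DOWN_PID" 2>/dev/null || true` followed by the existing `kill "$K_DOWN_PID" || true`, or start the downloader in its own process group and kill the group. The `ps -p` probe and the `[[ -v K_DOWN_PID ]]` guard are fine; note in a comment that `-v` needs bash 4.2 or newer if the project has not stated a minimum bash version elsewhere. `cleaner` starts outside this hunk.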
27 changes: 15 additions & 12 deletions helpers/helpers_emba_html_generator.sh
Expand Up @@ -293,19 +293,22 @@ add_link_tags() {

# CVE links
if ( grep -a -q -E '(CVE)' "$LINK_FILE" ) ; then
readarray -t CVE_IDS < <( grep -a -n -E -o 'CVE-[0-9]{4}-[0-9]{4,7}' "$LINK_FILE" | uniq || true)
for CVE_ID in "${CVE_IDS[@]}" ; do
CVE_ID_LINE="$(echo "$CVE_ID" | cut -d ":" -f 1)"
CVE_ID_STRING="$(echo "$CVE_ID" | cut -d ":" -f 2-)"
if [[ -n "$CVE_ID_STRING" ]] ; then
HTML_LINK="$(echo "$CVE_LINK" | sed -e "s@LINK@$CVE_ID_STRING@g")""$CVE_ID_STRING""$LINK_END"
if [[ "$LINK_FILE" == *"f20_vul_aggregator"* ]]; then
LINK_COMMAND_ARR+=( "$CVE_ID_LINE"'s@'"[[:blank:]]$CVE_ID_STRING"'@'"\t$HTML_LINK""@" )
else
LINK_COMMAND_ARR+=( "$CVE_ID_LINE"'s@'"$CVE_ID_STRING"'@'"$HTML_LINK"'@' )
# in l35 html report we do not link CVE - we have Metasploit links in there
if ! [[ "$LINK_FILE" == *"l35_"* ]]; then
readarray -t CVE_IDS < <( grep -a -n -E -o 'CVE-[0-9]{4}-[0-9]{4,7}' "$LINK_FILE" | uniq || true)
for CVE_ID in "${CVE_IDS[@]}" ; do
CVE_ID_LINE="$(echo "$CVE_ID" | cut -d ":" -f 1)"
CVE_ID_STRING="$(echo "$CVE_ID" | cut -d ":" -f 2-)"
if [[ -n "$CVE_ID_STRING" ]] ; then
HTML_LINK="$(echo "$CVE_LINK" | sed -e "s@LINK@$CVE_ID_STRING@g")""$CVE_ID_STRING""$LINK_END"
if [[ "$LINK_FILE" == *"f20_vul_aggregator"* ]]; then
LINK_COMMAND_ARR+=( "$CVE_ID_LINE"'s@'"[[:blank:]]$CVE_ID_STRING"'@'"\t$HTML_LINK""@" )
else
LINK_COMMAND_ARR+=( "$CVE_ID_LINE"'s@'"$CVE_ID_STRING"'@'"$HTML_LINK"'@' )
fi
fi
fi
done
done
fi
fi

# CWE links
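Review bot: `if ! [[ "$LINK_FILE" == *"l35_"* ]]; then` reads more naturally as `if [[ "$LINK_FILE" != *"l35_"* ]]; then`, and the new guard could be folded into the enclosing `grep -a -q -E '(CVE)'` test so the CVE block has one condition rather than two nested ones. The explanatory comment is welcome but `l35_` alone is opaque to a reader unfamiliar with the module numbering; make it say which report it means, e.g. `# l35_* reports already carry Metasploit links, so plain CVE links are not added there`. `add_link_tags` starts and ends outside this hunk.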