e-m-b-a · m-1-k-3 · Jan 11, 2023 · Dec 2, 2022 · Dec 2, 2022 · Dec 2, 2022
diff --git a/check_project.sh b/check_project.sh
@@ -117,7 +117,8 @@ import_emba_main() {
 
 
 dockerchecker() {
-  echo -e "\\n""$ORANGE""$BOLD""EMBA docker-files check""$NC""\\n""$BOLD""=================================================================""$NC"
+  echo -e "\\n""$ORANGE""$BOLD""EMBA docker-files check""$NC"
+  echo -e "$BOLD""=================================================================""$NC"
   mapfile -t DOCKER_COMPS < <(find . -maxdepth 1 -iname "docker-compose*.yml")
   for DOCKER_COMP in "${DOCKER_COMPS[@]}"; do
     echo -e "\\n""$GREEN""Run docker check on $DOCKER_COMP:""$NC""\\n"
@@ -132,7 +133,8 @@ dockerchecker() {
 }
 
 check() {
-  echo -e "\\n""$ORANGE""$BOLD""Embedded Linux Analyzer Shellcheck""$NC""\\n""$BOLD""=================================================================""$NC"
+  echo -e "\\n""$ORANGE""$BOLD""Embedded Linux Analyzer Shellcheck""$NC"
+  echo -e "$BOLD""=================================================================""$NC"
 
   echo -e "\\n""$GREEN""Load all files for check:""$NC""\\n"
 
@@ -280,8 +282,9 @@ check
 dockerchecker
 summary
 
-if [[ "${#MODULES_TO_CHECK_ARR_TAB[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR[@]}" -gt 0 ]] || \
-  [[ "${#MODULES_TO_CHECK_ARR_SEMGREP[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR_DOCKER[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR_PERM[@]}" -gt 0 ]] || \
+if [[ "${#MODULES_TO_CHECK_ARR_TAB[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR[@]}" -gt 0 ]] || \
+  [[ "${#MODULES_TO_CHECK_ARR[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR_SEMGREP[@]}" -gt 0 ]] || \
+  [[ "${#MODULES_TO_CHECK_ARR_DOCKER[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR_PERM[@]}" -gt 0 ]] || \
   [[ "${#MODULES_TO_CHECK_ARR_COMMENT[@]}" -gt 0 ]]; then
   exit 1
 fi
diff --git a/config/bin_version_strings.cfg b/config/bin_version_strings.cfg
@@ -548,7 +548,7 @@ quagga;;gpl;"^(ldpd|linkd)\ version\ 0\.9[\.0-9]+$";"sed -r 's/(ldpd|linkd)\ ver
 quagga;;gpl;"^Hello,\ this\ is\ Quagga\ \(version\ [0-9](\.[0-9]+)+?\)\.$";"sed -r 's/Hello,\ this\ is\ Quagga\ \(version\ ([0-9](\.[0-9]+)+?)\)\.$/quagga:\1/'";
 #quik;;unknown;"QUIK\ version\ [0-9]\.[0-9]+";"NA";
 qdiscman;;unknown;"^qdiscman\ [0-9](\.[0-9]+)+?\ release$";"sed -r 's/qdiscman\ ([0-9](\.[0-9]+)+?)$/qdiscman:\1/'";
-radlogin;;unknown;"radlogin\.c,v\ [0-9]\.[0-9]+\ [0-9]+";"sed -r 's/radlogin\.c,v\ ([0-9](\.[0-9]+)+?)$/radlogin:\1/'";
+radlogin;;unknown;"radlogin\.c,v\ [0-9]\.[0-9]+\ [0-9]+";"sed -r 's/radlogin\.c,v\ ([0-9](\.[0-9]+)+?).*/radlogin:\1/'";
 radvd;strict;radvd-lic;"Version:\ [0-9]\.[0-9]+$";"sed -r 's/Version:\ ([0-9](\.[0-9]+)+?)$/radvd:\1/'";
 radvd;strict;radvd-lic;"Version:\ [0-9]\.[0-9]+\.[0-9]+$";"sed -r 's/Version:\ ([0-9](\.[0-9]+)+?)$/radvd:\1/'";
 radvdump;strict;radvd-lic;"Version:\ [0-9]\.[0-9]+$";"sed -r 's/Version:\ ([0-9](\.[0-9]+)+?)$/radvd:\1/'";

diff --git a/config/report_templates/F20_vul_aggregator-post.sh b/config/report_templates/F20_vul_aggregator-post.sh
@@ -12,6 +12,10 @@ print_output "$(indent "${ORANGE}S$NC - PoC code found on Snyk vulnerability dat
 write_link "https://security.snyk.io/vuln"
 print_output "$(indent "${ORANGE}X$NC - Vulnerability is known as exploited")"
 write_link "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+if [[ -f "$LOG_DIR"/s26_kernel_vuln_verifier.txt ]]; then
+  print_output "$(indent "${ORANGE}V$NC - Kernel vulnerability was verified from module s26")"
+  write_link "s26"
+fi
 print_ln
 print_ln
 print_output "[*] Source notes:"

diff --git a/config/report_templates/S26_kernel_vuln_verifier-post.sh b/config/report_templates/S26_kernel_vuln_verifier-post.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+print_output "[*] Exploitability notes:"
+print_output "$(indent "${ORANGE}EDB$NC - Exploit code found in the Exploit database")"
+write_link "https://exploit-db.com"
+print_output "$(indent "${ORANGE}MSF$NC - Exploit code found in the Metasploit framework")"
+write_link "https://github.com/rapid7/metasploit-framework"
+print_output "$(indent "${ORANGE}GH$NC - PoC code found on Github (via trickest)")"
+write_link "https://github.com/trickest/cve"
+print_output "$(indent "${ORANGE}PS$NC - PoC code found on Packetstormsecurity")"
+write_link "https://packetstormsecurity.com/files/tags/exploit/"
+print_output "$(indent "${ORANGE}SNYK$NC - PoC code found on Snyk vulnerability database")"
+write_link "https://security.snyk.io/vuln"
+print_output "$(indent "${ORANGE}EXP$NC - Vulnerability is known as exploited")"
+write_link "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -40,12 +40,12 @@ services:
         - ${FIRMWARE}/:/firmware:ro
         - ${LOG}/:/logs
         - ${EMBA}/:/emba:ro
+        - ${EMBA}/external/linux_kernel_sources/:/external/linux_kernel_sources:ro
         - /etc/timezone:/etc/timezone:ro
         - /etc/localtime:/etc/localtime:ro
         - /dev:/dev
         - /lib/modules:/lib/modules:ro
         - /boot:/boot:ro
-          # - /home/m1k3/github-repos/EMBA-emulation-binaries:/external/EMBA_Live_bins/:ro
     environment:
         - USER
     devices:

diff --git a/emba.sh b/emba.sh
@@ -415,7 +415,8 @@ main()
   welcome  # Print EMBA welcome message
 
   if [[ $# -eq 0 ]]; then
-    print_output "\\n""$ORANGE""In order to be able to use EMBA, you have to specify at least a firmware (-f).\\nIf you don't set a log directory (-l), then ./logs will be used.""$NC" "no_log"
+    print_output "\\n""$ORANGE""In order to be able to use EMBA, you have to specify at least a firmware (-f)." "no_log"
+    print_output "If you don't set a log directory (-l), then ./logs will be used.""$NC" "no_log"
     print_help
     exit 1
   fi
@@ -656,6 +657,14 @@ main()
       create_log_dir
     fi
 
+    # kernel downloader runs on the host and waits for an identified kernel version. Afterwards
+    # it tries to download the kernel sources for further analysis
+    if [[ $IN_DOCKER -eq 0 ]]; then
+      kernel_downloader &
+      K_DOWN_PID="$!"
+      print_output "[*] Started kernel downloader thread with PID $K_DOWN_PID" "no_log"
+    fi
+
     if [[ $IN_DOCKER -eq 0 ]]; then
       echo "$LOG_DIR" > "$TMP_DIR"/orig_logdir
     fi
@@ -854,58 +863,56 @@ main()
 
     print_output "[*] EMBA sets up the docker environment.\\n" "no_log"
 
-    if [[ "$UPDATE" -eq 1 ]]; then
-      EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker pull embeddedanalyzer/emba
+    if ! docker images | grep -qE "emba[[:space:]]*latest"; then
+      if ! docker images | grep -qE "emba[[:space:]]*latest"; then
+        print_output "[*] Available docker images:" "no_log"
+        docker images | grep -E "emba[[:space:]]*latest" || true
+        print_output "[-] EMBA docker not ready!" "no_log"
+        exit 1
+      fi
     fi
 
-    if ! docker images | grep -qE "emba[[:space:]]*latest"; then
-      print_output "[*] Available docker images:" "no_log"
-      docker images | grep -E "emba[[:space:]]*latest" || true
-      print_output "[-] EMBA docker not ready!" "no_log"
-      exit 1
-    else
-      print_output "[*] EMBA initializes docker container.\\n" "no_log"
+    print_output "[*] EMBA initializes docker container.\\n" "no_log"
 
-      if [[ "$ONLY_DEP" -eq 0 ]]; then
-        # store some details that we do not have in the docker container:
-        echo "$FIRMWARE_PATH" >> "$TMP_DIR"/fw_name.log
-        echo "$LOG_DIR" >> "$TMP_DIR"/emba_log_dir.log
-        echo "$EMBA_COMMAND" >> "$TMP_DIR"/emba_command.log
-      fi
+    if [[ "$ONLY_DEP" -eq 0 ]]; then
+      # store some details that we do not have in the docker container:
+      echo "$FIRMWARE_PATH" >> "$TMP_DIR"/fw_name.log
+      echo "$LOG_DIR" >> "$TMP_DIR"/emba_log_dir.log
+      echo "$EMBA_COMMAND" >> "$TMP_DIR"/emba_command.log
+    fi
 
-      write_notification "EMBA starting docker container"
+    write_notification "EMBA starting docker container"
 
-      if [[ "$STRICT_MODE" -eq 1 ]]; then
-        set +e
-      fi
-      disable_strict_mode "$STRICT_MODE" 0
-      EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker-compose run --rm emba -c './emba.sh -l /logs -f /firmware -i "$@"' _ "${ARGUMENTS[@]}"
-      D_RETURN=$?
-      enable_strict_mode "$STRICT_MODE" 0
-
-      if [[ $D_RETURN -eq 0 ]] ; then
-        if [[ $ONLY_DEP -eq 0 ]] ; then
-          print_output "[*] EMBA finished analysis in docker container.\\n" "no_log"
-          write_notification "EMBA finished analysis in default mode"
-          print_output "[*] Firmware tested: $ORANGE$FIRMWARE_PATH$NC" "no_log"
-          print_output "[*] Log directory: $ORANGE$LOG_DIR$NC" "no_log"
-          if [[ -f "$HTML_PATH"/index.html ]]; then
-            print_output "[*] Open the web-report with$ORANGE firefox $(abs_path "$HTML_PATH/index.html")$NC\\n" "main"
-          fi
-          cleaner 0
-        else
-          # we do not need the log dir from dependency checker
-          if [[ -d "$LOG_DIR" ]]; then
-            rm -r "$LOG_DIR"
-          fi
+    if [[ "$STRICT_MODE" -eq 1 ]]; then
+      set +e
+    fi
+    disable_strict_mode "$STRICT_MODE" 0
+    EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker-compose run --rm emba -c './emba.sh -l /logs -f /firmware -i "$@"' _ "${ARGUMENTS[@]}"
+    D_RETURN=$?
+    enable_strict_mode "$STRICT_MODE" 0
+
+    if [[ $D_RETURN -eq 0 ]] ; then
+      if [[ $ONLY_DEP -eq 0 ]] ; then
+        print_output "[*] EMBA finished analysis in docker container.\\n" "no_log"
+        write_notification "EMBA finished analysis in default mode"
+        print_output "[*] Firmware tested: $ORANGE$FIRMWARE_PATH$NC" "no_log"
+        print_output "[*] Log directory: $ORANGE$LOG_DIR$NC" "no_log"
+        if [[ -f "$HTML_PATH"/index.html ]]; then
+          print_output "[*] Open the web-report with$ORANGE firefox $(abs_path "$HTML_PATH/index.html")$NC\\n" "main"
         fi
-        exit 0
-      else
-        print_output "[-] EMBA failed in docker mode!" "no_log"
         cleaner 0
-        write_notification "EMBA failed analysis in default mode"
-        exit 1
+      else
+        # we do not need the log dir from dependency checker
+        if [[ -d "$LOG_DIR" ]]; then
+          rm -r "$LOG_DIR"
+        fi
       fi
+      exit 0
+    else
+      print_output "[-] EMBA failed in docker mode!" "no_log"
+      cleaner 0
+      write_notification "EMBA failed analysis in default mode"
+      exit 1
     fi
   fi
 

diff --git a/helpers/helpers_emba_dependency_check.sh b/helpers/helpers_emba_dependency_check.sh
@@ -339,7 +339,10 @@ dependency_check()
   # Check system tools
   #######################################################################################
   if [[ $USE_DOCKER -eq 0 ]] ; then
-    SYSTEM_TOOLS=("awk" "basename" "bash" "cat" "chmod" "chown" "cp" "cut" "date" "dirname" "dpkg-deb" "echo" "eval" "find" "grep" "head" "kill" "ln" "ls" "md5sum" "mkdir" "mknod" "modinfo" "mv" "netstat" "openssl" "printf" "pwd" "readelf" "realpath" "rm" "rmdir" "sed" "seq" "sleep" "sort" "strings" "tee" "touch" "tr" "uniq" "unzip" "wc")
+    SYSTEM_TOOLS=("awk" "basename" "bash" "cat" "chmod" "chown" "cp" "cut" "date" "dirname" \
+      "dpkg-deb" "echo" "eval" "find" "grep" "head" "kill" "ln" "ls" "md5sum" "mkdir" "mknod" \
+      "modinfo" "mv" "netstat" "openssl" "printf" "pwd" "readelf" "realpath" "rm" "rmdir" "sed" \
+      "seq" "sleep" "sort" "strings" "tee" "touch" "tr" "uniq" "unzip" "wc")
 
     for TOOL in "${SYSTEM_TOOLS[@]}" ; do
       check_dep_tool "$TOOL"
@@ -434,6 +437,9 @@ dependency_check()
     # Freetz-NG
     check_dep_file "Freetz-NG fwmod" "$EXT_DIR""/freetz-ng/fwmod"
 
+    # AVM fitimg extraction script
+    check_dep_file "fitimg script" "$EXT_DIR""/fitimg-0.8/fitimg"
+
     # EnGenius decryptor - https://gist.github.com/ryancdotorg/914f3ad05bfe0c359b79716f067eaa99
     check_dep_file "EnGenius decryptor" "$EXT_DIR""/engenius-decrypt.py"
 

diff --git a/helpers/helpers_emba_helpers.sh b/helpers/helpers_emba_helpers.sh
@@ -136,6 +136,13 @@ cleaner() {
     restore_permissions
   fi
 
+  if [[ "$IN_DOCKER" -eq 0 ]] && [[ -v K_DOWN_PID ]]; then
+    if ps -p "$K_DOWN_PID" > /dev/null; then
+      # kernel downloader is running in a thread on the host and needs to be stopped now
+      print_output "[*] Stopping kernel downloader thread with PID $K_DOWN_PID" "no_log"
+      kill "$K_DOWN_PID" || true
+    fi
+  fi
   if [[ "$IN_DOCKER" -eq 0 ]] && pgrep -f "find ./external/trickest" &> /dev/null 2>&1; then
     pkill -f "find ./external/trickest" 2>/dev/null || true
   fi

diff --git a/helpers/helpers_emba_html_generator.sh b/helpers/helpers_emba_html_generator.sh
@@ -293,19 +293,22 @@ add_link_tags() {
 
     # CVE links
     if ( grep -a -q -E '(CVE)' "$LINK_FILE" ) ; then
-      readarray -t CVE_IDS < <( grep -a -n -E -o 'CVE-[0-9]{4}-[0-9]{4,7}' "$LINK_FILE" | uniq || true)
-      for CVE_ID in "${CVE_IDS[@]}" ; do
-        CVE_ID_LINE="$(echo "$CVE_ID" | cut -d ":" -f 1)"
-        CVE_ID_STRING="$(echo "$CVE_ID" | cut -d ":" -f 2-)"
-        if [[ -n "$CVE_ID_STRING" ]] ; then
-          HTML_LINK="$(echo "$CVE_LINK" | sed -e "s@LINK@$CVE_ID_STRING@g")""$CVE_ID_STRING""$LINK_END"
-          if [[ "$LINK_FILE" == *"f20_vul_aggregator"* ]]; then
-            LINK_COMMAND_ARR+=( "$CVE_ID_LINE"'s@'"[[:blank:]]$CVE_ID_STRING"'@'"\t$HTML_LINK""@" )
-          else
-            LINK_COMMAND_ARR+=( "$CVE_ID_LINE"'s@'"$CVE_ID_STRING"'@'"$HTML_LINK"'@' )
+      # in l35 html report we do not link CVE - we have Metasploit links in there
+      if ! [[ "$LINK_FILE" == *"l35_"* ]]; then
+        readarray -t CVE_IDS < <( grep -a -n -E -o 'CVE-[0-9]{4}-[0-9]{4,7}' "$LINK_FILE" | uniq || true)
+        for CVE_ID in "${CVE_IDS[@]}" ; do
+          CVE_ID_LINE="$(echo "$CVE_ID" | cut -d ":" -f 1)"
+          CVE_ID_STRING="$(echo "$CVE_ID" | cut -d ":" -f 2-)"
+          if [[ -n "$CVE_ID_STRING" ]] ; then
+            HTML_LINK="$(echo "$CVE_LINK" | sed -e "s@LINK@$CVE_ID_STRING@g")""$CVE_ID_STRING""$LINK_END"
+            if [[ "$LINK_FILE" == *"f20_vul_aggregator"* ]]; then
+              LINK_COMMAND_ARR+=( "$CVE_ID_LINE"'s@'"[[:blank:]]$CVE_ID_STRING"'@'"\t$HTML_LINK""@" )
+            else
+              LINK_COMMAND_ARR+=( "$CVE_ID_LINE"'s@'"$CVE_ID_STRING"'@'"$HTML_LINK"'@' )
+            fi
           fi
-        fi
-      done
+        done
+      fi
     fi
 
     # CWE links