Unknown offensive security behind history


    Subtitle: BMC and IPMI protocol.

    I'm going to tell you a very interesting story in the security industry today.

    Are you ready to listen?

    I was very excited today. Because I found one of the papers.
    The paper was presented at the RSA conference and the title of the paper is


    Download: "Reversers Assemble: Reverse Engineering from IC chips to Firmware".

    This paper was published by "ETRI" of South Korea.

    ETRI is a public corporation group where South Korean "Ph.D"s of engineering do research for national R&D.
    ETRI is a group of doctors in electrical and electronic engineering.

    Like other scientific industries, doctors work with engineers.

    ETRI has the same process.

    In this case, enterprise companies like "ETRI" usually have third-party partnerships.
    However, countries such as South Korea, which are at the level of developing countries, generally have a subcontract structure.
    Of course, South Korea is a very developed country. (Appearance only..)
    I was a security engineer at one of several third-party companies working with ETRI.
    Not now. Because our security research company went bankrupt.

    >> Let's mix up useless stories for a moment. Skip this part because it's just useless. <<
    >> If you don't want to hear useless stories, go to the "main" label and read them. <<

    Of course, the reason our company went bankrupt is not because of "ETRI".
    The reason our company went bankrupt is because of "NIS" (NIS is like the CIA in South Korea).
    They betrayed us and refused to deal with the annual security project.
    Of course, I have no hard feelings about them.

    (Do you feel uncomfortable reading the phrase "of course" in English sentences? I'm sorry, but I can't help it.)
    The unfortunate thing is that there is pressure that I cannot return to work because I lost my job at the age of 40.
    In South Korea and Japan, if you are over 40, you can't find a job that suits you even if you have a good career.
    This is a general social truth that no one tells you.
    There is also a Japanese YouTube broadcast that tells this truth.
    The more careers you have, the harder it is to get a job as you get older.
    This is because it is difficult to find a suitable job for a social career status.
    This seems like the reason why older women find it more and more difficult to get married over time.
    In my article, there is a feature that contains useless private explanations.
    I write articles in order to relieve stress and for my own satisfaction.
    It is just my intelligent excrement.
    I do not write articles for others.
    I only write articles for me.
    Excretion from the bathroom causes pain in the abdomen.
    And it is cool when excretion is completed.
    It is very painful to put a lot of schematics, images, code and descriptions in my article.
    However, this is like putting pressure on the lower abdomen when excreted from the bathroom.
    When all this painful work is done, it is very cool.
    Climbers will understand this.
    However, I hate the pain that actually puts on the body through climbing off-line.
    Why?
    I am already doing mental climbing (or hiking) every time as a hobby.
    It is a mental climbing (or hiking) that ordinary people do not want to do.
    It is like telling me to die if I climb both mentally and physically.
    I explained why it is a hobby to create forums like blogs, write articles and create documents like PPT.
    I can't understand why people want to hike high mountains.
    Likewise they don't understand why I am writing this article or PPT document.
    People and I are just hiking (or climbing or jogging) in different ways.
    It is for this reason that we do not understand each other.

    main:

    I think I can tell you a little about this hidden history.
    ETRI's paper describes a firmware dump in hardware.
    And in chapters 26 and 27 of this document, the IPMI of the BMC board is described as an example.
    The BMC board is a management board embedded as an independent device in the server.
    The BMC board is equipped with an ARM-based CPU and RTOS operating system and uses a protocol called IPMI.
    More specifically, the IPMI protocol is just a communication protocol.
    The internal system can be controlled by IPMI.
    I just said IPMI is a communication protocol.
    If you are not using IPMI, you can do the same actions through a web server.
    On the server, the IPMI and web server only serve as the interface of the BMC board.
    Internally, they are all bound to one system in the RTOS operating system.
    It is a very unusual structure.

    If you ask me, how do I know this?

    In early 2015, "ETRI" came to ThirdEyeSecurity.
    At that time, I worked as the research director for ThirdEyeSecurity.
    ThirdEyeSecurity is an offensive security company co-founded by me and my friends.

    ETRI told us that they had already dumped the firmware on their own.
    ETRI used the firmware dump technology presented in this document to dump the firmware memory from the HP server's BMC board.
    ETRI handed us the dumped firmware.
    ETRI asked us to find only zero-day vulnerabilities in the software portion.

    Interestingly, ETRI not only dumped this firmware, but also inserted the read and write capabilities of system-wide memory.
    This white paper also mentions the relevant content.
    For this project, we purchased an HP server and brought it to ETRI.
    ETRI rewrote the manipulated dump to the firmware.

    Our role was to reverse engineer the IPMI protocol service in the RTOS binary dump files to find IPMI vulnerabilities.
    Our responsibility was not the hardware part.

    At the time, I first came across the BMC board.
    I went to ETRI and heard the internal explanation of the BMC board.
    As always, this training hasn't helped much.

    I started analyzing IPMI services and fuzzing.
    The IPMI service was running on UDP 623 port.
    I initially investigated all the IPMI vulnerabilities that existed before.
    However, all were patched and none of them were applied.
    I was only able to get an idea of how to target.

    Honestly, I didn't work early and enjoyed my spare time.
    After a month, I became more and more focused on the project.
    Until then, I had only a leisurely preliminary investigation.

    I confess honestly now.

    At this time, we hired two college hackers for a short-term contract.
    ETRI doesn't know this specifically because we hadn't officially hired college hackers.
    They were part-time workers.

    One hacker hired is a friend nicknamed "jinmo123" from the "Cykor" CTF team at "Korea University".
    He seemed to be a famous hacker at home and abroad because he won every CTF he participated in.

    The other is a hacker named "Lee Jin-sung" who won the "LINE (messenger app)" Vulnerability Event.
    These two guys were friends with each other.


    I told them that early in security research, they don't have to work hard.

    This is because most college student hackers are scared of the actual work.
    If they are afraid, they refuse to work.
    This is why it is very difficult for companies to hire college hackers who have won CTF competitions.
    It is always possible that no vulnerabilities will be found in any project.
    And in such cases, they do not want to take responsibility.
    So am I.

    I always think the project should not be tight.
    However, the difference between a professional and an amateur is just a difference in how you manage your mind.


    At the beginning of the project, we did not all work, but did leisurely preliminary investigations.
    But two months later, I realized that I wasn't working and was wasting too much time.
    I suddenly got busy. I had to concentrate a lot for a short time.
    I left a message in the chat to work hard.
    College students rarely responded.

    After intensive research for about a week, I became very depressed.
    What if I don't find the vulnerability?
    I was worried.

    So before I left the office at 11:00 PM, I went to the rooftop and looked at the moon and prayed.

    I prayed with tears like this.
    I have many experiences like this.
    This is a technique from a documentary called "secret" and it's one of the special techniques I find for vulnerabilities.
    But I don't use this "occult magick" often.
    I use this technique only in emergencies.

    "If I don't find the vulnerability, I'll assume that God is telling me to retire.
    Please help me find it once."

    Then I returned to the office.
    It's too late to go home after work.
    After 30 minutes of further investigation I thought to go home.

    Then suddenly someone seemed to whisper in my ear.

    "Why are you attacking the IPMI port?
    You can also attack BMC board's web servers.
    The web server is also opened with the default port.
    Anyway, both are just interfaces.
    You just need to get the administrator, right?
    In general, embedded web servers are vulnerable.
    As a result, you may encounter problems when processing HTTP HEADER on your web server."

    This thought came to mind for a moment.

    After connecting to HP's BMC web server via burpproxy, I sent a long string like AAAAAAAA...AAAA to all values in the HTTP header.
    Suddenly, the server's fan sounded loud.
    And then quiet.
    Then the server rebooted.

    I thought I had something.
    I sent an urgent message to fellow researchers through the "KakaoTalk" chat.
    I seemed to have found a buffer overflow, so I ordered all IPMI side investigations to be stopped.
    I said to redirect the attack to the web server.
    And I said that there seems to be a buffer overflow on the HTTP header side.

    As soon as I said this, a response came from "jinmo123".
    "jinmo123" immediately replied that he would analyze some of the HTTP headers I mentioned.

    I thought I should smoke. I was too stressed.
    After smoking a cigarette, I chatted with "jinmo123".
    "jinmo123" replied.
    There seems to be a "UAF" vulnerability in the "Connection:" header.

    I also saw the code that handles HTTP headers through IDA Pro.
    I said the "UAF" seems to be exploitable and pointed to the place where it will attack the virtual function table pointer.

    It seemed to prove once again that "jinmo123" was the winner of the CTFs that have been held in recent years.
    Why?
    After checking the vulnerability, I saw "jinmo123" coding the exploit close to the speed of light.
    "Jinmo123" and "Lee Jin-Sung" talked to each other, and the exploit was coded at a crazy speed for about two days.
    If I coded the exploit myself, it would have taken 2 weeks.
    They took two days to solve the "two-week" task.

    ETRI told us, doubting our technology from the beginning of the project:
    RTOS has no shell.
    But how do you run the shell?

    We said:
    It is not impossible for us.

    Since RTOS did not have a shell, "Lee Jin-sung" found an account printing routine with the goal of obtaining authorization.

    Hackers think flexibly and don't think they have to make the shell work.

    This is the difference between a "Ph.D" doctor and a hacker.

    Also, in this exploit, a format string attack technique using function address replacement was used.

    This was the idea of "jinmo123".

    I watched all of their work and organized them all into documents.

    I presented the final report to ETRI and delivered the report to the ETRI.
    (In fact, ETRI acts as a government agency.)

    As far as I know, ETRI seems to have discovered vulnerabilities in Supermicro servers as well as HP.

    I had forgotten all of these events in memory.
    This is because we are not only doing ETRI's project.
    We were working directly with NIS.

    The vulnerabilities we discovered were released by other foreign teams in 2017.


    https://www.synacktiv.com/posts/expl...in-hp-ilo.html

    It is exactly the same as the vulnerability location found.
    It is registered as "CVE-2017-12542".

    We don't know this team or company, and it has nothing to do with it.
    It's just the concurrency of vulnerability discovery.

    I also wanted to present it in a place like BlackHat conference.
    But for me, such luck doesn't seem to come forever.
    Perhaps this is the NINJA's fate.

    I have to completely forget good memories from the major societies of hackers like the Black Hat class in the past.
    Because hacking has completely smashed all my life.
    I lived with the wrong dream of becoming the best security expert.
    Not my way.
    Why doesn't my heart beat even when I see a pretty woman all my life?
    Still, I feel like my heart is beating whenever I watch a CTF competition.
    But I shouldn't.
    Not my way.
    I have no friends.
    I don't have a friend to go hiking with.
    And now there is no money.
    I lost my job because I chose a computer security job.
    Now I just try to be satisfied with my research as a hobby.

    And one day in 2019, I saw a very interesting and strange news article.
    It was a news article about the Chinese spyware chip incident.
    Then I saw a picture from the incident.
    It was a BMC board.
    What did I think?

    Can you understand why my stress is relieved by telling this story now?

    Do you know why I like computer hacking and security?
    Just because you can control security issues around the world with a keyboard at home alone.

    Once again I say, I hate hiking (physically).

    Thank you.

    P.S:
    I am not friendly with "jinmo123" and "Lee Jin-sung".
    They are just people I knew when I did the project.


    P.S2:
    The reason I publish this information here is simple.
    This is because ETRI first judged that the period of non-disclosure has passed because they first released their research.