The research object of this article is the second-generation Cuckoo printer (the G2 model). Before reading on, it is recommended to look up some tutorials online. Its appearance is as follows:
Its working mechanism is as follows:
When the single-pole double-throw switch is set to local mode, the printer prints out the name and password of the hotspot it broadcasts. The password is trivially simple, 1234567890, and is presumably hard-coded in the firmware. Next, connect to the hotspot. Multiple devices are allowed to connect, but after my computer joined the hotspot I could not capture its traffic, in either Wireshark or Burp. Those who are interested can try capturing with a wireless network card; I did not try it at the time. This kind of multi-device connection makes it easy for printed content to be stolen.
The vendor provides an API document for controlling the printer by constructing a URL in a fixed format and sending it to the server. This web API interface for requesting a print from the server is different from the interface the APP uses.
The mobile APP sends a request to the server, and the server forwards it to the printer to control printing. There are many details online about binding the device over AP mode. When the printer is configured to connect to the Internet for the first time, it broadcasts a WiFi network. This WiFi has no password, unlike the local-mode WiFi; it presumably exists to guide the printer onto the home Internet connection. The communication between the APP and the server is straightforward, but how does the server reach the printer? In use, I found that if the phone sends requests while the device is powered off, they are all delivered when it is powered on again. So I guess that a power-on scan is written into the firmware: the device looks for the server when it starts, connects once it finds it, and then prints the backlog of earlier requests. In addition, there is an official web version of the APP, whose interface differs from that of the mobile APP (this turns out to be very useful).
The main controller is a Marvell 88MW300, which integrates a Cortex-M4 MCU and Wi-Fi in a single chip.
The flash chip is an MX25L6433F.
The Bluetooth chip is a CC2541, but this chip is not used at all in the G2 model.
Firmware extraction ideas:
Use a programmer (the RT809F is recommended) and read the flash with one click from the host software. If you don't want to remove the chip, you can use silver pin probes; if you do remove it, you need a matching programming socket. Removing it is recommended, because with probes the surrounding circuitry will interfere (about $50).
Ordinary players: buy a minimal system board with a burning socket. Look up the starting address in the datasheet of the flash chip to be extracted, then write a routine that makes the main control chip read out all the data in the flash.
A microcontroller program like this has no file system the way router firmware does, so it cannot simply be unpacked with binwalk. Instead, the original program logic has to be reversed from the microcontroller's assembly instructions on a platform such as IDA, and it may be necessary to import a script that supports the chip's framework. If the default or a wrong architecture is used, the disassembly is unreadable and shows up as raw data bytes (db) instead of instructions.
During packet capture I found the server IP, and found a username and password transmitted in plaintext (this shows up repeatedly in the later collection); the protocol is SOAP, but constructing an injection was not successful. After communicating with the vendor, I learned that the webservice uses these credentials to authenticate with the client, and that leaking them does little harm because a second layer of encryption is applied. This may also explain why my attempt at injection failed.
Scan: scan IPs, scan second-level domain names, scan directories, scan ports. The more you scan, the more information you collect, and the more vulnerabilities may be exposed. Common problems such as source code leaks, upload vulnerabilities, unauthorized access to databases, XSS, CSRF, SSRF, etc. may turn up.
Code review: analyze whether there are vulnerabilities such as unverified identity and unauthorized access (ultra vires). For encrypted transmitted information, can the encryption and decryption method be found? Check whether deserialization is used, and whether some unreasonable processing mechanism allows malformed data to be injected and crash the system.
The web version of the APP was found during testing: http://w.memobird.cn/cn/w/login.aspx
Official Web API print manual: open.memobird.cn/upload/webapi.pdf
Official Cuckoo machine API source code: https://github.com/memobird/gugu-php
Webservice login URL (login with APP account, but none of t
Scanning second-level domain names turned up the source of a web interface: http://im.memobird.cn/wse/wsesmart.asmx
The IP was found to have ports 80, 3389, 11211, etc. open, but no breakthrough point was found.
Source code was found to be leaked. Its config revealed the encryption/decryption algorithm and the private key used when the APP sends data.
No vulnerability was found in the upload directory.
First, in an APP vulnerability scanning platform,
scan the APP for dangerous functions or configurations.
Then try unpacking. Install an Android environment: you can install Xposed on the Yeshen (Nox) emulator, or use Android Studio and then download the SDK to build an unpacker. Many of the hardened apps currently on the market can be unpacked.
Look for the "summary": AndroidManifest.xml contains the APP's configuration, package name, and entry points. From here you can get an overview of the whole APP framework and find risky configurations such as adb backup.
Look for "functions": the decompiled mobile APP package corresponds fairly closely to the APP source code. To find the source code for encryption and decryption, WiFi configuration, Bluetooth configuration, etc., search for the related functions. In the decompiled code of the APP, I found the hard-coded username and password and the private key the APP uses to encrypt the data it sends.
On repackaging: repackaging is harder for novices, mainly because signature verification is difficult to bypass or imitate, and an app that fails verification cannot run after installation. Reproducing the original application from the disassembled code is also difficult: copying and pasting the disassembled code directly and repackaging it produces many errors. And if the new package name is the same as the original, it cannot be put on the application market.
Organizing attack ideas and carrying out the attack
Sniffing transmitted content
Whether in local mode or cloud mode, a man-in-the-middle position can be used to intercept printed content. Here I proxied the mobile phone's traffic through the computer and intercepted the packets. I found that the transmission time and the transmitted content are only base64-encoded, without any complex encryption.
The picture on the left is the preview in the app. The picture on the right is the result of decoding on a website; the image is restored. Note that the image header must be added.
How to control the printer
Batch control of printers
Causes of the vulnerability:
1. AK leakage leads to unauthorized access (ultra vires): an official API call example leaks a usable AK. Originally, printing through the API required applying for an AK according to the process. The leaked valid AK lets anyone become a developer without applying, with permission to print online.
The following figure shows the URL required for printing and the parameters in the official API:
Here is the meaning of each parameter:
memobirdID is the device number, which is printed out automatically when you double-click the Cuckoo machine.
useridEntifying, according to the official development group, is the Cuckoo number, the 6-digit number shown under "my" in the app.
userid is a fixed id assigned after registration in the APP. Because some users have registered but not bought a device, some userids have no corresponding device number, and one userid may correspond to multiple device numbers.
So: AK (ineffective as a check) + time (ineffective as a check) + memobirdID + useridEntifying → userid
2. The server verification mechanism is imperfect: for the official binding, the useridEntifying entered must be a Cuckoo number, but the document says it is user-defined. Analyzing the official public API source code (on GitHub: https://github.com/memobird/gugu-php) shows that useridentifying is not processed at all, which is equivalent to dropping the parameter: with only the device number, the server directly returns the userid.
So: AK (ineffective as a check) + time (ineffective as a check) + memobirdID → userid
Because: memobirdID (16 bytes) + userid (1 to 6 bytes) → print
memobirdID → userid
Consider: brute-force memobirdID → get userid
memobirdID + userid → print; but memobirdID is too long to brute-force, and it is guessed that userid increases sequentially, probably being a running count of users.
Try: memobirdID ← userid
Brute-force userid → get memobirdID
memobirdID + userid → print
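The binding step above, modelled as an added example (this is not the gugu-php project's code): the vulnerable form hands out the owner's userid to anyone who knows a device number, while the hardened form requires a registered AK and a useridentifying that actually owns the device. All keys, ids and accounts are constructed.

```python
# Added example, not code from the gugu-php project: a model of the binding
# call (ak + timestamp + memobirdID + useridentifying -> userid) in its
# vulnerable and hardened forms.  Every key, id and account here is CONSTRUCTED.

# Constructed account table: cuckoo number (useridentifying) -> owner's userid and devices.
ACCOUNTS = {
    "123456": {"userid": 17, "devices": {"c0ffee00c0ffee00"}},
    "654321": {"userid": 42, "devices": {"deadbeefdeadbeef", "0123456789abcdef"}},
}
# Constructed developer keys; the real service issues AKs through its application process.
VALID_AKS = {"ak-example-0001"}


def bind_vulnerable(ak, memobird_id, useridentifying):
    """Behaviour the post describes: neither the AK nor useridentifying is
    consulted, so anyone holding a device number is handed the owner's userid."""
    for account in ACCOUNTS.values():
        if memobird_id in account["devices"]:
            return account["userid"]
    return None


def bind_hardened(ak, memobird_id, useridentifying):
    """Same call with the two checks the vulnerable path skips: the AK must be
    a registered developer key, and the device must belong to the account
    identified by the cuckoo number the caller supplied."""
    if ak not in VALID_AKS:
        return None  # unknown, or leaked and since revoked, developer key
    account = ACCOUNTS.get(useridentifying)
    if account is None or memobird_id not in account["devices"]:
        return None  # the claimed cuckoo number does not own this device
    return account["userid"]


if __name__ == "__main__":
    # A stranger who only knows the device number:
    print(bind_vulnerable("not-an-ak", "c0ffee00c0ffee00", "000000"))      # 17 (leaked)
    print(bind_hardened("not-an-ak", "c0ffee00c0ffee00", "000000"))        # None
    # The real owner, through a registered developer key:
    print(bind_hardened("ak-example-0001", "c0ffee00c0ffee00", "123456"))  # 17
```

A leaked AK still authenticates until it is revoked, so the hardened check only helps if key issuance and revocation are actually enforced server-side.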
3. Leaked encryption and decryption methods:
In the web version of the APP, click print.
We captured a packet related to userid that returns smartguid (value = memobirdID).
But both the request and the response are ciphertext. To brute-force the short userid, we need to understand its encryption method, send the brute-forced userid in encrypted form, and have the server return the smartguid.
At this point the config we scanned earlier becomes useful; it contains the encryption algorithm.
Or you can find clues in the APP.
Encryption and decryption analysis:
Because: GetSmartCoreByUserID returns the encrypted Smartguid
Guess: the parameter should be the encrypted userid.
Verification: the yellow directory file in the captured packets is the previously leaked source code. An encryption and decryption method is applied before the request is sent; its effect is DES encryption and decryption using the timestamp and the private key, where the timestamp is only accurate to the tens digit of the seconds (the ones digit is not used). I found a Python script written by someone else on GitHub.
Decryption verified the conjecture.
So: userid → encrypted Smartguid
Try: encrypted Smartguid → plaintext Smartguid
Because: userid (plaintext) ↔ userid (ciphertext)
Guess: Smartguid (plaintext) ↔ Smartguid (ciphertext)
Attempt: decrypt Smartguid with the same method as userid, but it fails. Moreover, the response timestamp and the encryption do not fall in the same system time window, so the algorithm is probably different.
4. The parameters required for printing can be reversed
When clicking to view the details of a bound Cuckoo machine,
we captured a plaintext packet that returns smartguid! This is what we have been waiting for: encrypted Smartguid → plaintext Smartguid
These are the two more harmful reverse mappings:
plaintext and ciphertext can be mapped to each other
userid and smartguid can be inferred from each other
This means all the parameters required for printing can be obtained by brute force.
Vulnerability exploitation: using the script written by the instructor (attached on GitHub), many printers can be crawled on the network and controlled.
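The brute force described above leaves a distinctive trace server-side: one client querying many distinct, consecutive userids against the smartguid lookup in a short window. The detection below is an added example, not from the original post; its log format and addresses are constructed, and it assumes the server logs the userid after decrypting the request.

```python
# Added example, not from the original post: flag userid enumeration against the
# smartguid lookup in server-side access logs.  The log format and addresses are
# CONSTRUCTED; a real server would log the userid after decrypting the request.
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) GetSmartCoreByUserID userid=(?P<uid>\d+)$"
)

def find_enumerators(lines, window_s=60, min_distinct=20, seq_ratio=0.8):
    """Return {client_ip: distinct_userids} for clients that looked up at least
    min_distinct different userids within window_s seconds, where at least
    seq_ratio of the sorted ids are consecutive (sequential guessing)."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines for other endpoints are ignored
            by_ip[m["ip"]].append((datetime.fromisoformat(m["ts"]), int(m["uid"])))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1  # slide the window forward
            uids = sorted({uid for _, uid in events[start:end + 1]})
            if len(uids) < min_distinct:
                continue
            consecutive = sum(1 for a, b in zip(uids, uids[1:]) if b - a == 1)
            if consecutive / (len(uids) - 1) >= seq_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(uids))
    return flagged

# Constructed log: one client walking userid 1000..1024 in 25 seconds, plus a
# normal user looking up their own id twice and one other id.
SAMPLE_LOG = [
    f"2019-03-01T10:00:{i:02d} 203.0.113.7 GetSmartCoreByUserID userid={1000 + i}"
    for i in range(25)
] + [
    "2019-03-01T10:00:05 198.51.100.9 GetSmartCoreByUserID userid=4815",
    "2019-03-01T10:12:40 198.51.100.9 GetSmartCoreByUserID userid=4815",
    "2019-03-01T10:13:02 198.51.100.9 GetSmartCoreByUserID userid=90210",
]

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'203.0.113.7': 25}
```

The thresholds are starting points; because userids are short and sequential, rate limiting the lookup per client and per AK is the complementary mitigation.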
Phishing to control the printer
For Android API level 8 or higher, the backup setting is enabled by default. Without handling by the developer, the username and password are backed up directly. When the backup is restored to another device, that device can log in directly with the backed-up user's identity.
Mainstream APPs now recognize the risk of this setting and require logging in again after the backup data is restored. But many niche apps have not realized it, leading to serious privacy leaks.
Using this idea: I found a script online that can batch-detect the APPs with allowBackup on a phone and back them up in batch on the computer. https://sobug.com/article/detail/16
It is estimated that more than a third of the apps on a phone may be affected, leading to the disclosure of a large number of accounts and other sensitive information on the phone.
Try: our school's APP has this configuration problem, which leaks student ID cards and student numbers. You can also try some rental apps, where there may be more leaks. The picture below shows the username and password exposed in the backup file of the Cuckoo App.
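The allowBackup check the batch script performs, as an added example (not the linked script or the Cuckoo App's manifest): it reads a decoded AndroidManifest.xml and treats a missing android:allowBackup as enabled, since that is the default described above. Both manifests below are constructed.

```python
# Added example, not from the original post or the script it links: audit a
# decoded AndroidManifest.xml for the adb-backup exposure described above.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def allow_backup_status(manifest_xml: str) -> dict:
    """Report whether backup is effectively enabled and whether the developer
    set it explicitly.  A missing android:allowBackup counts as enabled,
    which is the default the post describes for API level 8 and later."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    raw = app.get(f"{{{ANDROID_NS}}}allowBackup")
    enabled = True if raw is None else raw.strip().lower() == "true"
    return {
        "package": root.get("package"),
        "allow_backup": enabled,
        "explicit": raw is not None,
    }


# Constructed manifests (not the real Cuckoo/memobird manifest).
EXPOSED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.printerapp">
    <uses-sdk android:minSdkVersion="16"/>
    <application android:label="Printer"/>
</manifest>"""

# Same manifest with the setting turned off, the fix a developer would ship.
HARDENED_MANIFEST = EXPOSED_MANIFEST.replace(
    '<application android:label="Printer"/>',
    '<application android:label="Printer" android:allowBackup="false"/>',
)

if __name__ == "__main__":
    for manifest in (EXPOSED_MANIFEST, HARDENED_MANIFEST):
        status = allow_backup_status(manifest)
        verdict = "EXPOSED" if status["allow_backup"] else "ok"
        print(f"{status['package']}: allowBackup={status['allow_backup']} ({verdict})")
```

Run it over manifests extracted with apktool or a similar decoder; the verdict only covers the manifest flag, not whether the app re-authenticates after a restore.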
Bluetooth control of the printer
This vulnerability involves the GT1 model, which uses a pure Bluetooth communication mode.