A printer security analysis


The subject of this article is the second-generation Cuckoo printer (the G2 model). Before reading on, it is recommended to look up a few introductory tutorials online. It looks like this:

Its working mechanism is as follows:

Local mode
When the single-pole double-throw switch is set to local mode, the printer prints out the name and password of the hotspot it broadcasts. The password is very simple, 1234567890, and is presumably hard-coded in the firmware. Then connect to the hotspot. Multiple devices are allowed to connect, but after my computer connected to the hotspot I could not capture its traffic, in either Wireshark or Burp. Those who are interested can try capturing with a wireless network card; I didn’t try that at the time. This kind of multi-device connection makes theft of printed content easy.

API mode
The vendor provides an API document: the printer is controlled by constructing a URL in a fixed format and sending it to the server. The server interface this web API uses for printing is different from the interface the app uses.

Cloud mode
The mobile app sends a request to the server, and the server forwards it to the printer to control printing. There are many online write-ups covering the details of AP-mode online device binding. When the printer is configured to connect to the Internet for the first time, it broadcasts a WiFi network with no password, unlike the local-mode WiFi; this is presumably used to guide the printer onto the home network. Communication between the app and the server is straightforward, but how does the server reach the printer? In use I found that if the phone sends a request while the device is unpowered, everything is delivered once it is powered on again. So I guess the power-on scan is written into the firmware: when the device is turned on it looks for the server, connects, and prints the backlog. In addition there is an official web version of the app, whose interface differs from that of the mobile app (this is very useful).


Information gathering
Hardware level

The main controller is a Marvell 88MW300, which integrates a Cortex-M4 MCU and Wi-Fi in a single chip

The flash chip is an MX25L6433F

The Bluetooth chip is a CC2541, but it is not used at all in the G2 model

Firmware extraction approaches:

Use a programmer (the RT809F is recommended) and read the flash with one click from the host software. If you don’t want to remove the chip you can use silver-pin probes; if you remove the chip you need a matching programming socket. Removing it is recommended, because other circuits on the board interfere when probing in place (about $50).

Ordinary players: buy a minimal system board with a burning socket. Look up the start address of the flash chip to be extracted in its datasheet, then write a routine that has the main controller read out all of the data in the flash.

An MCU program like this has no file system that binwalk can unpack directly, unlike router firmware. Instead the original program logic has to be reversed from the MCU’s assembly instructions in a platform such as IDA, possibly after importing support scripts for the chip’s framework. With the default or a wrong architecture setting the disassembly is unreadable, and you only see db data definitions.

Web level
Packet capture: get the destination address, analyze the contents sent, look for injection points, cookie usage, etc.


During packet capture I found the server IP, and found a username and password transmitted in plaintext (this comes up often in the later collection); it is a SOAP protocol, but constructing an injection did not succeed. After communicating with the vendor I learned that the web service uses them for authentication with the client, but that leaking them does not cause much harm because a second layer of encryption is applied. This may also explain why my injection attempts failed.

Scanning: scan IPs, subdomains, directories and ports. The more you scan, the more information you collect and the more potential vulnerabilities are exposed: source code leaks, upload vulnerabilities, unauthorized access, XSS, CSRF, SSRF and other common problems.

Code review: analyze whether there are vulnerabilities such as missing authentication and unauthorized (privilege-crossing) access. For encrypted transmissions, can the encryption and decryption method be found? Is there deserialization? Is there an unreasonable processing mechanism that lets malformed data be injected and crash the system?

The web version of the app was found during testing at http://w.memobird.cn/cn/w/login.aspx

Official Web API print manual: open.memobird.cn/upload/webapi.pdf

Official Cuckoo machine API source code: https://github.com/memobird/gugu-php

Webservice login URL (login with APP account, but none of t


Subdomain scanning turned up a web service interface: http://im.memobird.cn/wse/wsesmart.asmx

The IP had ports 80, 3389, 11211 and others open, but no entry point was found.

A source code leak was found. Its config revealed the encryption/decryption algorithm and the private key used when the app sends data.

No vulnerability was found in the upload directory.

App level
First, run the app through an app vulnerability scanning platform:

https://security.tencent.com/index.php/blog/msg/109

to scan for dangerous functions or configurations in the app.

Then try unpacking. Set up an Android environment: you can install Xposed on the Nox (Yeshen) emulator, or use Android Studio and download the SDK to build an unpacker. Many hardened apps on the market can currently be unpacked.

Look at the summary: AndroidManifest.xml contains the app’s configuration, package name and entry points. It gives an overview of the whole app framework, and risky configurations such as adb backup can be found here.

Look at the functions: the decompiled package closely follows the app source code. To find the encryption/decryption, WiFi configuration and Bluetooth configuration code, search for the related functions. In the decompiled app code I found the hard-coded username and password and the private key the app uses to encrypt the data it sends.


Repackaging: repackaging is difficult for novices, mainly because signature verification is hard to bypass or imitate; an app without a valid signature cannot run after installation. It is also hard to reproduce the original application from disassembled code: copying and pasting it directly and repackaging produces many errors. And if the new package name is the same as the original, it cannot be published on the app market.

Sorting out attack ideas and carrying out the attack
Sniffing transmitted content
In both local mode and cloud mode a man-in-the-middle attack can intercept printed content. Here I used the phone with its proxy pointed at the computer and intercepted the packets. The transmission time and the transmitted content are only base64-encoded, with no complex encryption.

The picture on the left is the preview in the app; the picture on the right is the result of decoding on a website, with the image restored (note that the header has to be added).
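To show what “base64 without encryption” means for confidentiality in practice, here is a small triage routine, added as an example (not code from the post or from the vendor). It takes a captured request body, tries to base64-decode every field, and classifies each one as plain (not base64 at all), readable text, an image (by magic bytes), or opaque bytes. The body, the field names and all values are constructed to resemble the shape of such a capture; they are not the printer’s real protocol.

```python
"""Added example: classify the fields of a captured form body to see which
ones are merely base64-encoded plaintext. All field names and values below
are constructed for illustration, not taken from the real protocol."""
import base64
import binascii
from urllib.parse import parse_qsl

# Magic bytes of common image formats a print preview might use.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"BM": "bmp",
    b"\xff\xd8\xff": "jpeg",
}

# Constructed capture: "Hello, printer!" and a timestamp in base64, a PNG
# header, a hypothetical developer key, and a random-looking token.
CAPTURED_BODY = (
    "ak=dev-key-0001"
    "&memobirdID=8d3a1f2b0c4e5a6f"
    "&datetime=MjAyMC0wNS0xMCAxMjowMDowMA=="
    "&content=SGVsbG8sIHByaW50ZXIh"
    "&preview=iVBORw0KGgo="
    "&token=k9Qx7f2VbH0="
)


def classify(value: str):
    """Return (kind, decoded) where kind is plain/text/image/opaque."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return ("plain", None)           # not a base64 alphabet string
    for magic, fmt in IMAGE_MAGIC.items():
        if raw.startswith(magic):
            return ("image", fmt)        # recognisable image header
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ("opaque", None)
    if text.isprintable():
        return ("text", text)            # readable plaintext, no secrecy
    return ("opaque", None)


def triage_fields(body: str) -> dict:
    """Map each form field to its classification.

    Real captures percent-encode '+' and '/' inside base64 values; parse_qsl
    undoes that encoding before we decode."""
    return {name: classify(value) for name, value in parse_qsl(body, keep_blank_values=True)}


if __name__ == "__main__":
    for field, (kind, decoded) in triage_fields(CAPTURED_BODY).items():
        print(f"{field:12s} {kind:7s} {decoded!r}")
```

Anything that comes back as `text` or `image` was readable by every party on the path, which is the point the capture above makes: encoding is not encryption, and the fix on the transport side is TLS (with certificate validation in the app), not a different encoding.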


How to control the printer

Batch control of printers

Causes of the vulnerability:

1. AK leakage leads to unauthorized access: an active AK (access key) is leaked in the official API call examples. Normally API printing requires applying for an AK through a process; the leaked valid AK lets anyone become a developer without applying and gain permission to print online.

The figure below shows the URL required for printing and the parameters it carries in the official API:


The meaning of each parameter:

memobirdID is the device number, which is printed automatically when you double-click the Cuckoo machine

useridentifying, according to the official developer group, is the Cuckoo number: the 6-digit number shown under “My” in the app

userid is a fixed ID assigned on registration in the app. Because some users register without buying a device, some userids have no corresponding device number, and one userid may correspond to multiple device numbers.

So: AK (ineffective) + time (ineffective) + memobirdID + useridentifying → userid

2. The server’s verification mechanism is imperfect: the official binding requires the entered useridentifying to be a Cuckoo number, but the document says it is user-defined. Analysis of the official public API source code (on GitHub: https://github.com/memobird/gugu-php) shows that useridentifying is not processed at all, so the parameter is effectively ignored, and having the device number directly returns the userid.

So: AK (it is ineffective) + time (it is ineffective) + memobirdID → userid

Because: memobirdID (16 bytes) + userid (1-6 bytes) → print

memobirdID → userid

Consider: brute-force memobirdID → get userid

memobirdID + userid → print, but memobirdID is too long to brute-force, and userid is guessed to be incrementing, probably the running count of users.

Try: memobirdID ← userid

Brute-force userid → get memobirdID

memobirdID + userid → print
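The root cause in point 2 is a binding endpoint that returns the owner’s userid for any device number without checking the caller’s proof of ownership. The following is an added example, not the vendor’s PHP code: a handler written once as the post describes the server’s behaviour (useridentifying ignored) and once with the checks a server should perform. The developer keys, device numbers and Cuckoo numbers are constructed.

```python
"""Added example: the binding lookup as described in the post, beside a
hardened version. All keys, device numbers and Cuckoo numbers below are
constructed sample data."""
import hmac
from typing import Optional

# Constructed server-side state.
VALID_AKS = {"ak-dev-0001"}                  # hypothetical registered developer keys
DEVICE_OWNER = {"8d3a1f2b0c4e5a6f": 104523}  # memobirdID -> owner userid
CUCKOO_NUMBER = {104523: "482019"}           # userid -> 6-digit Cuckoo number shown under "My"


def bind_vulnerable(ak: str, memobird_id: str, useridentifying: str) -> Optional[int]:
    """Mirrors the behaviour the post describes: neither the AK nor
    useridentifying is consulted, so anyone holding a device number learns
    its owner's userid."""
    return DEVICE_OWNER.get(memobird_id)


def bind_hardened(ak: str, memobird_id: str, useridentifying: str) -> Optional[int]:
    """Every caller-supplied parameter is checked against server-side state.

    The Cuckoo number acts as proof of possession: the caller must present
    the number that belongs to the account owning this device. Returning None
    for every failure keeps the error identical, so a wrong Cuckoo number and
    an unknown device are indistinguishable to the caller."""
    if ak not in VALID_AKS:
        return None                            # unknown developer key
    owner = DEVICE_OWNER.get(memobird_id)
    if owner is None:
        return None                            # unknown device
    expected = CUCKOO_NUMBER.get(owner, "")
    # Constant-time comparison so the check does not leak how many digits matched.
    if not hmac.compare_digest(expected.encode(), useridentifying.encode()):
        return None
    return owner


if __name__ == "__main__":
    dev = "8d3a1f2b0c4e5a6f"
    print("vulnerable, no AK, bogus Cuckoo number:", bind_vulnerable("", dev, "000000"))
    print("hardened,   no AK, bogus Cuckoo number:", bind_hardened("", dev, "000000"))
    print("hardened,   valid AK, correct number:  ", bind_hardened("ak-dev-0001", dev, "482019"))
```

The hardened handler still needs rate limiting per AK and per client, since the userid space is small (1-6 digits) and the device number alone must not be treated as a secret; but with the ownership check in place the reasoning chain “memobirdID → userid → print” above no longer holds.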

3. Leaked encryption and decryption method:

In the web version of the app, click print


We captured a request related to userid that returns smartguid (value = memobirdID)

But both the request and the response are ciphertext. To brute-force the short userid we need to understand its encryption, send the encrypted candidate userid, and have the server return the smartguid.

This is where the config scanned earlier is useful. Here is the encryption algorithm:


Or clues can be found in the app:


Encryption and decryption analysis:

Because: GetSmartCoreByUserID returns the encrypted Smartguid

Guess: the parameter should be the encrypted userid.

Verification: the yellow directory in the capture is the previously leaked source code. An encryption/decryption method is applied before the request is sent: DES encryption and decryption keyed from the timestamp and the private key, where the timestamp is only accurate to the tens of seconds (the ones digit does not take part). A Python script written by someone else was found on GitHub.

Decryption verified the conjecture.


So: userid → encrypted Smartguid

Try: encrypted Smartguid → plaintext Smartguid

Because: userid (plaintext) ↔ userid (ciphertext)

Guess: Smartguid (plaintext) ↔ Smartguid (ciphertext)

Attempt: decrypt Smartguid with the same method used for userid, but it fails. Moreover, the response timestamp and the encryption are not in the same system time period, so the algorithm is probably different.


4. The parameters required for printing can be reversed

When clicking to view the details of a bound Cuckoo machine,

a plaintext packet is captured that returns smartguid! This is what we have been waiting for: encrypted Smartguid → plaintext Smartguid


These two reversals are the most harmful:

plaintext and ciphertext can be reversed

userid and smartguid can be inferred from each other

As a result, all of the parameters required for printing can be obtained by brute force

Exploitation: using the script written by the instructor (attached on GitHub), many printers on the network can be enumerated and controlled
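The enumeration described above leaves a recognisable trace on the server: one client looking up many consecutive userids against GetSmartCoreByUserID in a short window. As an added example (not code from the post, the instructor’s script or the vendor), the detector below runs that check over constructed log lines. The log format is an assumption; it presumes the web service logs the decrypted userid it looked up for each call.

```python
"""Added example: detect sequential userid enumeration against
GetSmartCoreByUserID in constructed server-side log lines. The log format
(timestamp, client IP, operation, userid, status) is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<op>\S+) userid=(?P<uid>\d+) status=(?P<status>\d+)$"
)

# Constructed sample: 203.0.113.7 walks userids 1001..1008 within seconds,
# while 198.51.100.9 performs a single ordinary lookup.
SAMPLE_LOG = """\
2020-05-10T12:00:01Z 203.0.113.7 GetSmartCoreByUserID userid=1001 status=200
2020-05-10T12:00:02Z 203.0.113.7 GetSmartCoreByUserID userid=1002 status=200
2020-05-10T12:00:02Z 198.51.100.9 GetSmartCoreByUserID userid=104523 status=200
2020-05-10T12:00:03Z 203.0.113.7 GetSmartCoreByUserID userid=1003 status=404
2020-05-10T12:00:04Z 203.0.113.7 GetSmartCoreByUserID userid=1004 status=200
2020-05-10T12:00:05Z 203.0.113.7 GetSmartCoreByUserID userid=1005 status=200
2020-05-10T12:00:06Z 203.0.113.7 GetSmartCoreByUserID userid=1006 status=200
2020-05-10T12:00:07Z 203.0.113.7 GetSmartCoreByUserID userid=1008 status=200
"""


def parse_log(text: str):
    """Yield (timestamp, ip, operation, userid) for every well-formed line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines in another format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["op"], int(m["uid"])))
    return events


def detect_enumeration(text: str, window=timedelta(minutes=5),
                       min_lookups: int = 5, seq_ratio: float = 0.6) -> dict:
    """Return {ip: (distinct_userids, sequential_ratio)} for clients that
    look up at least `min_lookups` distinct userids inside `window`, with at
    least `seq_ratio` of the sorted ids differing by exactly one."""
    by_ip = defaultdict(list)
    for ts, ip, op, uid in parse_log(text):
        if op == "GetSmartCoreByUserID":
            by_ip[ip].append((ts, uid))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so events[start..end] all fall within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            uids = sorted({u for _, u in events[start:end + 1]})
            if len(uids) < min_lookups:
                continue
            steps = [b - a for a, b in zip(uids, uids[1:])]
            ratio = sum(1 for s in steps if s == 1) / len(steps)
            if ratio >= seq_ratio:
                alerts[ip] = (len(uids), round(ratio, 2))   # keep the widest window seen
    return alerts


if __name__ == "__main__":
    for ip, (count, ratio) in detect_enumeration(SAMPLE_LOG).items():
        print(f"enumeration suspected from {ip}: {count} distinct userids, {ratio:.0%} sequential")
```

Failed lookups (the 404 above) count as probes too, since an enumerator learns as much from misses as from hits; the status field is parsed but deliberately not used to filter. Tighten `min_lookups` for this endpoint in particular, because a legitimate client looks up its own userid, not dozens of them.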


Phishing to control the printer

Since Android API 8 the backup setting is enabled by default. Without any handling by the developer, the username and password are backed up directly, and when the backup is restored to another device, that device can log in directly with the backed-up person’s identity.

Mainstream apps now recognize the risk of this setting and require logging in again after backup data is restored. But many niche apps have not realized it, leading to serious privacy leaks.

Vulnerability:

Exploitation idea: I found a script online that batch-detects the apps with allowBackup on a phone and backs them up in batches on the computer. https://sobug.com/article/detail/16

It is estimated that more than a third of the apps on a phone may be affected, which leaks a large number of accounts and other sensitive information from that phone.

Try: our school’s app has this configuration problem, which leaks student ID cards and student numbers. You can also try some rental apps, where there may be more leaks. The picture below shows the username and password exposed in the backup file of the Cuckoo app.
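The risky configuration the passage above describes is visible in the manifest itself, so a developer or reviewer can catch it before release. The checker below is an added example (not the post’s script or the vendor’s code): it parses an AndroidManifest.xml, treats a missing android:allowBackup as the platform default of true, and reports whether the app data is backed up without any backup rules. The two manifests are constructed; the package names are placeholders.

```python
"""Added example: audit an AndroidManifest.xml for the allowBackup exposure
described above. Both manifests are constructed samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest that relies on the default: allowBackup is omitted,
# which the platform treats as true.
VULNERABLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.printerapp">
    <application android:label="Printer" android:debuggable="true">
        <activity android:name=".LoginActivity" android:exported="true"/>
    </application>
</manifest>
"""

# Constructed manifest with backup switched off and debugging disabled.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.printerapp">
    <application android:label="Printer" android:allowBackup="false">
        <activity android:name=".LoginActivity" android:exported="true"/>
    </application>
</manifest>
"""


def audit_backup(manifest_xml: str) -> dict:
    """Return the backup-related findings for one manifest."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    def attr(name: str):
        return app.get(f"{{{ANDROID_NS}}}{name}")

    allow = attr("allowBackup")
    # A missing attribute means the default, which is true: data such as
    # shared preferences holding credentials is included in adb backups.
    allow_backup = True if allow is None else allow.strip().lower() == "true"
    rules = attr("fullBackupContent") or attr("dataExtractionRules")
    return {
        "allowBackup": allow_backup,
        "explicit": allow is not None,
        "debuggable": (attr("debuggable") or "false").strip().lower() == "true",
        "backupRules": rules,
        # Backups enabled with no include/exclude rules: every file is exposed.
        "risk": allow_backup and rules is None,
    }


if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, audit_backup(manifest))
```

Setting allowBackup to false is the simplest fix; an app that genuinely needs backup should instead exclude the files holding credentials via backup rules and, as the passage notes, invalidate the session so a restored backup still requires logging in again.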


Bluetooth control of the printer

This vulnerability involves the GT1 model, which uses a pure Bluetooth communication mode
