某设备CoAP协议漏洞挖掘实战
本文为看雪论坛优秀文章
看雪论坛作者ID:风亦映寒
发现看雪等国内安全论坛好像CoAP协议相关内容很少,以及CVE中基本也是CoAP协议库存在的漏洞,所以将最近对某设备CoAP漏洞挖掘的相关分析整理记录一下。
CoAP原理简要介绍(具体可以看rfc文档)
基于REST
应用于受限节点和网络
帮助client对server进行Resource Discovery
基于CoRE
使用/.well-known/core 作为 Well-Known URI, 详见 rfc8615
例: CoAP server 提供了2个资源
REQ: GET coap://server:port/.well-known/core
RES:
2.05 Content
</sensors/temp>;if="sensor",
</sensors/light>;if="sensor"
NoSec:no protocol-level security (DTLS is disabled)
PreSharedKey: DTLS is enabled. 基于pre-shared keys进行认证。
Certificate: DTLS is enabled. 基于具有X.509证书的非对称密钥进行认证。
RawPublicKey:DTLS is enabled. 基于 raw public key进行认证。
协议解析和URI的处理
代理和缓存
反射攻击
IP地址欺骗攻击
Cross-Protocol Attacks
实战
udp 0 0 0.0.0.0:5683 0.0.0.0:*
if ( *((_BYTE *)v21->hdr + 1) == 1 && !memcmp(key, &unk_A0DC, 4u) )
{
coap_log_impl(7, "create default response for %s\n", ".well-known/core");
v22 = wellknown_response(context, node->pdu);
}
import asyncio
from aiocoap import *
async def main():
protocol = await Context.create_client_context()
msg = Message(code=GET, uri="coap://192.168.1.1:5683/.well-known/core")
response = await protocol.request(msg).response
print(response.payload)
asyncio.run(main())
b'</>;title="General Info";ct=0,
...
</device/inform/boot>;title=device/inform/boot,</device/inform/syncreq>;title=device/inform/syncreq,</device/inform/off>;title=device/inform/off,</device/inform/hb>;title=device/inform/hb,</device/inform/data>;title=device/inform/data,
</device/cmd/file>;title=device/cmd/file
</async>;ct=0'
void *__fastcall start_coap_server_thread(void *a1)
{
pthread_t v1; // $v0
v1 = pthread_self();
pthread_detach(v1);
...
registerCoapMethod("device/inform/boot", coapboot_handler)
registerCoapMethod("device/inform/syncreq", coapsync_handler)
registerCoapMethod("device/inform/off", coapoff_handler)
registerCoapMethod("device/inform/hb", coaphb_handler )
registerCoapMethod("device/inform/data", coapdata_handler)
registerCoadMethod("device/cmd/url", coapdata_url_handler)
...
startCoapService("0.0.0.0", 5683);
return 0;
}
...
cJSON_AddItemToObject(v73, "SSID", v13);
v14 = cJSON_CreateString(&v83[136]);
cJSON_AddItemToObject(v73, "SecurityMode", v14);
v15 = cJSON_CreateString(&v83[72]);
cJSON_AddItemToObject(v73, "Pwd", v15);
...
v17 = cJSON_GetObjectItem(v9, "Url");
v18 = v17;
if ( v17 )
{
v19 = *(const char **)(v17 + 16);
v20 = 0;
if ( v19 )
{
v21 = strlen(v19);
v20 = malloc(v21 + 1);
v22 = strlen(*(const char **)(v18 + 16));
memset(v20, 0, v22 + 1);
strcpy((char *)v20, *(const char **)(v18 + 16));
}
int __fastcall do_upgrade(const char *Url){
...
if ( !strcmp((const char *)v35, "XXXX-XXXXXX") )
snprintf(cmd, 0x180u, "curl %s -o %s%s -k", Url, "/var/tmp/", uri);
else
snprintf(cmd, 0x180u, "wget -q -P %s %s", "/var/tmp/", Url);
system(cmd);
}
一些相关工具
cotopaxi
https://github.com/Samsung/cotopaxi
libcoap,aiocoap等 coap 协议实现库
攻击路径
引用
https://tools.ietf.org/html/rfc8615
https://datatracker.ietf.org/doc/html/rfc6690
https://en.wikipedia.org/wiki/Constrained_Application_Protocol
https://datatracker.ietf.org/doc/html/rfc7252
https://datatracker.ietf.org/doc/html/rfc5785
看雪ID:风亦映寒
https://bbs.pediy.com/user-home-647447.htm
# 往期推荐
1.协议分析实战
4.Android APP 漏洞之战——WebView 漏洞详解
球分享
球点赞
球在看
点击“阅读原文”,了解更多!