Exploiting Flipper Zero’s NFC file loader

Flipper Zero is a self-described portable multi-tool for pentesters and geeks in a toy-like body. The device comes with several built-in applications to transmit and recieve sub-1GHz frequencies, such as RFID, NFC, and Bluetooth.

This post demonstrates a buffer overflow in Flipper Zero’s NFC file loader that I discovered for BGGP3.

You Wouldn’t Download a Wolf Link

Nintendo Amiibos are collectible figurines with an embedded NFC chip that grant special in-game items on the Nintendo Switch. At anywhere from $15 to $70 USD, and considerably more for limited editions, it’s not surprising there’s an active community around cloning and emulating these NFCs.

Anyway, I just bought a Flipper Zero to keep amiibos from overflowing my desk and if you’re reading this you probably did too. The problem, or opportunity, is Flipper Zero firmware up to 0.65.2 is vulnerable to a buffer overflow that can crash your device and maybe execute code, who knows. The latest version, released 06 Sept 2022, includes the patch for this vulnerability.

Before we dive in, let’s look at how a Flipper Zero stores Amiibo files.


Filetype: Flipper NFC device

Version: 2

# Nfc device type can be UID, Mifare Ultralight, Mifare Classic, Bank card

Device type: NTAG215

# UID, ATQA and SAK are common for all formats

UID: 04 C1 8A 01 27 40 03

ATQA: 44 00

SAK: 00

# Mifare Ultralight specific data

Data format version: 1

Signature: 35 47 82 B2 E9 D5 8F 70 C3 BC 79 FE 8A ED 77 16 EC 25 8C 9A 95 32 4B 94 19 00 2E 12 5A D0 AC 90

Mifare version: 00 04 04 02 01 00 11 03

Counter 0: 0

Tearing 0: 00

Counter 1: 0

Tearing 1: 00

Counter 2: 95

Tearing 2: 00

Pages total: 4

Pages read: 4

Page 0: 33 33 33 33

Page 1: 33 33 33 33

Page 2: 33 33 33 33

Page 3: 33 33 33 33

The NFC file contains some metadata indicating the device type, version, and so on. We’re not really concerned with that and anyway the code to parse them looks fine. What we do care about is the page total field, here

and the 4 bytes of page data in each page which I’ve set to

0x33

for readability.

Buffer Overflow

A buffer overflow exists in the

nfc_device_load_mifare_ul_data

function of

nfc_device.c

that allows out of bounds write on the

dev_data.mf_ul_data.data

buffer. If you need a refresher on memory corruption bugs on ARM chips then best check Azeria’s blog on the subject.

The Flipper firmware hardcodes the length of the NFC data buffer

MF_UL_MAX_DUMP_SIZE

at 2040 bytes, enough to store data from the largest Mifare chips. When this function reads an NFC file it does not check that the length of page data in the file is less than the length of this buffer. Since there’s no check to prevent more than 510 pages from being read (510 * 4 = 2040 bytes), nor a check to ensure the data read is less than the length of

MF_UL_MAX_DUMP_SIZE

, we can store up to

uint16_t

pages of data in our file and read enough of them into memory to corrupt the device.

This may result in various crashes including a BusFault crash and a NULL pointer exception. In some cases, the device is unresponsive to a reboot (idk why, sorry) and must be re-flashed to recover it.

BGGP3

This is my first year participating in Binary Golf Grand Prix 3. The rules are simple; you need to crash a program using a file of no more than 4096 bytes. Unfortunately, this NFC file is way too large to be a valid entry (it’s a chonky 23k), but I still had fun finding a bug, writing the exploit, and writing a patch for the Flipper Zero firmware.

Special thanks to all the lovely people at BGGP who took time to organize this event, review submissions, offer support and encouragement, and to all the ghosts.

BGGP3 has bonus challenges that each grant additional points if completed. Copy pasta from their site:


Bonus points will be awarded for the following additional accomplishments:



+1024 pts, if you submit a writeup about your process and details about the crash

+1024 pts, if the program counter is all 3's when the program crashes

+2048 pts, if you hijack execution and print or return "3"

+4096 pts, if you author a patch for your bug which is merged before the end of the competition

Count to 3

Reminder that this bug is a heap based buffer overflow. We’re writing out of bounds on the

dev.dev_data.mf_ul_data.data

buffer which for this example we’ll say is stored in struct

dev

at address

0x2000f9e0

. In order to make the program call into code we control, we’ll need to find a value somewhere on the heap (at a higher address than the start of our buffer) that we can reach without crashing the program.

Very lucky that the

dev

struct contains the address of a callback function! Let’s look at that in the code.


typedef struct {

    Storage* storage;

    DialogsApp* dialogs;

    NfcDeviceData dev_data;

    char dev_name&#91;NFC_DEV_NAME_MAX_LEN + 1];

    string_t load_path;

    NfcDeviceSaveFormat format;

    bool shadow_file_exist;



    NfcLoadingCallback loading_cb;  // owo

    void* loading_cb_ctx;

} NfcDevice;

After loading the NFC file, the program does a bit of cleanup and then calls the

loading_cb

function as it transitions between sub-menus. So if we can control the address without crashing we’re guaranteed to load this code right away.

After end of the data buffer,

0x4242

, I’ve copied the heap bytes up to

0xcccccccc

as they appear when the buffer is 2040 bytes long and not overflowed, so the payload is rebuilding the

dev

struct on the heap (you’ll need to fix the alignment too) to reach the address of the

loading_cb

function in the

dev

struct. It looks like this:


0x20010a60: 0x41414141  0x41414141  0x41414141  0x41414141

0x20010a70: 0x41414141  0x41414141  0x41414141  0x41414141

0x20010a80: 0x41414141  0x41414141  0x41414141  0x42424141

0x20010a90: 0x67627067  0x00330000  0x00000000  0x00000000

0x20010aa0: 0x00000000  0x00000000  0x00120000  0x001c0000

0x20010ab0: 0x0a402001  0x00020000  0xcccccccc  0x20002000

Oopsie!

Print 3

We can control some data on the heap, and we can control a callback pointer. So how can we get the program to print 3?

This image shows the number of pages read from the NFC file as

511

. It should say

510

511

, so what’s going on here?

Look at the NFC data on the heap and you’ll notice that immediately following the page data is the number

0x07f8


...

0x2000e4a8: 0x41414141 0x41414141 0x41414141 0x41414141

0x2000e4b8: 0x41414141 0x41414141 0x41414141 0x41414141

0x2000e4c8: 0x42424141 0x07f84242 0x00000000 0x00000000

0x07f8

is the length of the

MF_UL_MAX_DUMP_SIZE

buffer (2040 bytes). Divide by 4 and you have the number of pages read. To print

instead of the actual page count, just replace this value with

0x0c

which results in

when divided by 4.

But the challenge is code execution! Just overflowing a value on the stack isn’t very cash money of me.

So let’s talk about ROP. In another post haha. I was hoping to modify one of the menu animations to include

BGGP3

but I’ve run out of time. >.<

Patching the bug

The final challenge is to submit a patch and have it merged before the end of the competition. My patch was submitted on the last day of BGGP3 and merged into the Flipper Zero firmware repository on Sept 5, after the competition closed.

The patch is a one-liner that checks if the size of either

data_size

data_read

is greater than the length of

MF_UL_MAX_DUMP_SIZE

buffer. If it is, the function breaks triggering a file parser failure which is the same behaviour as the other checks on the NFC metadata fields.

Here’s the patch. Ezpz.


if(data->data_size > MF_UL_MAX_DUMP_SIZE || data->data_read > MF_UL_MAX_DUMP_SIZE) break;

08.09.202208.09.2022

CVE-2022-36923 ManageEngine OpManager getUserAPIKey Authentication Bypass

origianl text by 4er

Intro:

ManageEngine offers enterprise IT management software for your service management, operations management, Active Directory and security needs.

CVE-2022-36923 ManageEngine OpManager getUserAPIKey Authentication Bypass
CVE-2022-35405 Zoho Password Manager Pro XML-RPC RCE
CVE-2022-28219 Zoho ManageEngine ADAudit Plus XXE to RCE
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Pre-Auth RCE
CVE-2020-10189 Zoho ManageEngine Desktop Central deserialize RCE

According to ZDI’s announcement , the vulnerability exists


<strong>com.adventnet.me.opmanager.server.util.RMMUtil#getUserAPIKey</strong>

The key point is how to get to this position.

Search the xml configuration file to find

The route is

/RestAPI/getAPIKey

, try to construct the request packet

Prompt missing parameters, see the log to report an error

The IAMSecurityException breakpoint hits its constructor and traces back up, and finally

com.adventnet.iam.security.ParameterRule#checkForAllowedValueRegex

found that an exception was thrown because the parameter regular matching was incorrect.

The final construction parameter successfully returns 200

look back now

com.adventnet.me.opmanager.server.util.RMMUtil#getUserAPIKey


    public String getUserAPIKey(HttpServletRequest request, HttpServletResponse response) throws IOException {

        String userName = request.getParameter("username");

        String domainName = request.getParameter("domainname");

        if (userName != null &amp;&amp; domainName != null) {

            try {

                Long userId = MickeyLiteUtil.getUserId(userName, domainName);

                String apiKey = (new APIKeyGenerator()).checkAndGenerateApiKey(userId, -1L);

                response.setContentType("text/plain");

                PrintWriter out = response.getWriter();

                out.println(apiKey);

                out.flush();

                return null;

            } catch (Exception var8) {

                var8.printStackTrace();

                return null;

            }

        } else {

            return null;

        }

    }

MickeyLiteUtil.getUserId()

You need to give a correct domainName, it depends on what value is in the AaaLogin table in the database.

View database jdbc link

C:\Program Files\ManageEngine\OpManager\conf\database_params.conf

The password is encrypted and found in the bin directory

bin\encrypt.bat


call .\setCommonEnv.bat



set CLASS_PATH="%SERVER_HOME%\lib\framework-tools.jar"



IF "%1"=="" GOTO SHOW_SYNTAX



"%JAVA%"  -Dserver.home="%SERVER_HOME%" -cp %CLASS_PATH% com.zoho.framework.utils.crypto.CryptoUtil %*

GOTO END_ENCRYPT



:SHOW_SYNTAX 

"%JAVA%" -Dserver.home="%SERVER_HOME%" -cp %CLASS_PATH% com.zoho.framework.utils.crypto.CryptoUtil "showUsage"



:END_ENCRYPT

Call the CryptoUtil class for encryption

Write a class directly to call the decrypt function

cryptTag is

EnDecryptUtil.getCryptTag()

obtained by

Parse the persistence-configurations.xml file to get the CryptTag attribute and view the file content

Attempt to

MLITE_ENCRYPT_DECRYPT

decrypt unsuccessfully, and then found that an external entity was introduced at the top of the xml file

Finally

conf\customer-config.xml

found the CryptTag in the file

The algorithm is AES256. After decryption, link to the database and check the AaaLogin table.

The domainName is obtained
-
, and the final request package is as follows

Get restapi from this

The rce method looked at the restapi documentation. There is a workflow that can be used for rce, but there is a problem with accessing through restapi.

OpManagerServerClasses.jar!/com/adventnet/me/opmanager/server/api/OpManagerAPIServlet.class:354

If your api is

APIUtil.getInstance().isInternalAPI()

an internal api, the isAPIClient in the session will only be assigned when you log in, so this place isApiclient is false, and NmsUtil.isRMMEdition is false, causing an exception to be thrown

APIError.internalAPI(request, response)

. then all internal apis cannot be called.

The

conf\OpManager\do\RestApi.xml

key APIs that define the workflow are

EXPOSED_API=TRUE

the internal APIs.

At this point, the rce is broken. I traced back the

isInternalAPI()

function and found that all the APIs are in the database

OpManagerDB.public.restapioperation

table. After filtering

exposed_api='true'

, a total of 955 APIs can be accessed through restapi.

I looked at it and saw that nothing was added, deleted, modified, and checked. I hope someone who is destined can dig out a rce.

Replenish

My colleague looked at the cve injected by the other two commands of opmanager and found that it should be possible to string rce together. see colleagues’ articles

ZOHO ManageEngine OpManager Two RCEs

The writing is rubbish, the wording is frivolous, the content is simple, and the operation is unfamiliar. The deficiencies are welcome to give pointers and corrections from the masters, and I am grateful.

CVE-2022-36923 Detail

Current Description

_{Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user’s API key, and then access external APIs.}

08.09.202208.09.2022

Zyxel addressed a critical RCE flaw in its NAS devices

mportant RCE Vulnerability Impacts Zyxel NAS Units — Firmware Patch Launched

original text by Pierluigi Paganini

Networking equipment vendor Zyxel addressed a critical vulnerability impacting its network-attached storage (NAS) devices.

Zyxel addressed a critical vulnerability, tracked as CVE-2022-34747, impacting its network-attached storage (NAS) devices.

The CVE-2022-34747 (CVSS score: 9.8) flaw is classified as a format string vulnerability that resides in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0. An attacker can exploit the vulnerability to achieve unauthorized remote code execution via a crafted UDP packet.

“A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet.” reads the advisory published by the vendor.

Below is the list of affected models and the firmware patches released by the company.

AFFECTED MODEL	AFFECTED VERSION	PATCH AVAILABILITY
NAS326	V5.21(AAZF.11)C0 and earlier	V5.21(AAZF.12)C0
NAS540	V5.21(AATB.8)C0 and earlier	V5.21(AATB.9)C0
NAS542	V5.21(ABAG.8)C0 and earlier	V5.21(ABAG.9)C0

The vulnerability was reported to Zyxel by Shaposhnikov Ilya.

In May 2022, Zyxel released security updates to address multiple vulnerabilities affecting multiple products, including firewall, AP, and AP controller products.

Below is the list of the four vulnerabilities, the most severe one is a command injection flaw in some CLI commands tracked as CVE-2022-26532 (CVSS v3.1 7.8):

CVE-2022-0734: A cross-site scripting vulnerability was identified in the CGI program of some firewall versions that could allow an attacker to obtain some information stored in the user’s browser, such as cookies or session tokens, via a malicious script.
CVE-2022-26531: Multiple improper input validation flaws were identified in some CLI commands of some firewall, AP controller, and AP versions that could allow a local authenticated attacker to cause a buffer overflow or a system crash via a crafted payload.
CVE-2022-26532: A command injection vulnerability in the “packet-trace” CLI command of some firewall, AP controller, and AP versions could allow a local authenticated attacker to execute arbitrary OS commands by including crafted arguments to the command.
CVE-2022-0910: An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions. The flaw could allow an attacker to downgrade from two-factor authentication to one-factor authentication via an IPsec VPN client.

Networking device maker Zyxel is warning customers today of a new critical remote code execution (RCE) vulnerability impacting three models of its Networked Attached Storage (NAS) products.

The vulnerability is tracked as CVE-2022-34747 and has received a CVSS v3 severity score of 9.8, rated critical, but not many details have been disclosed.

Security researcher Shaposhnikov Ilya discovered the vulnerability on June 2022. As a result, Zyxel gradually released security updates for the impacted models over the following months.

The NAS devices vulnerable to this flaw are NAS326, NAS540, and NAS542, all still within their active support period.

The vulnerable firmware versions are V5.21(AAZF.11)C0 and earlier for NAS326, V5.21(AATB.8)C0 and earlier for NAS540, and V5.21(AATB.8)C0 or older for NAS542.

The vendor has already released security updates for the impacted devices in the form of firmware updates, with links to the downloads in the security advisory.

Alternatively, you can visit Zyxel’s official download portal, enter your device model, and download the latest firmware update listed in the results.

Remote code execution flaws allow many different attacks, including bypassing the need for user authentication, elevation of privilege, or any other limiting prerequisite.

The vulnerability could be abused to steal data, delete data, or deploy ransomware on Internet-exposed NAS devices.

While all scenarios are dire, ransomware is the most common, as it gives the threat actors the best way to monetize a successful attack.

Only yesterday, we reported that QNAP patched a zero-day vulnerability over the weekend that was used in a new wave of DeadBolt ransomware attacks.

In February, the same group also targeted ASUSTOR devices by leveraging an exploit for a previously unknown flaw.

Thus, DeadBolt is competent enough to find undocumented security gaps, let alone exploit known vulnerabilities.

Other ransomware gangs actively targeting NAS devices are Checkmate and eChoraix, both very active in 2022.

QNAP is warning customers of ongoing DeadBolt ransomware attacks that started on Saturday by exploiting a zero-day vulnerability in Photo Station.

The company has patched the security flaw but attacks continue today.

«QNAP® Systems, Inc. today detected the security threat DEADBOLT leveraging exploitation of Photo Station vulnerability to encrypt QNAP NAS that are directly connected to the Internet,» explains the security notice.

The attacks were widespread, with the ID Ransomware service seeing a surge in submissions on Saturday and Sunday.

**A surge in DeadBolt submissions to ID Ransomware**
*Source: BleepingComputer*

QNAP releases patches for a zero-day flaw

QNAP released Photo Station security updates 12 hours after DeadBolt began using the zero-day vulnerability in attacks, urging NAS customers to immediately update Photo Station to the newest version.

The following security updates fix the vulnerability:

QTS 5.0.1: Photo Station 6.1.2 and later
QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
QTS 4.3.6: Photo Station 5.7.18 and later
QTS 4.3.3: Photo Station 5.4.15 and later
QTS 4.2.6: Photo Station 5.2.14 and later

Alternatively, QNAP suggests users replace Photo Station with QuMagie, a safer photo storage management tool for QNAP NAS devices.


“We strongly urge that their QNAP NAS should not be directly connected to the internet. We recommend users to make use of the myQNAPcloud Link feature provided by QNAP, or enable the VPN service.” - QNAP.

Applying the security updates will prevent the DeadBolt ransomware and other threat actors from exploiting the vulnerability and encrypting devices. However, NAS devices should never be publicly exposed to the Internet and instead placed behind a firewall.

QNAP customers can find detailed instructions on applying the available updates and setting up myQNAPcloud in the security advisory.

Finally, it is recommended to use strong passwords on all NAS user accounts and take regular snapshots to prevent data loss in the case of attacks.

DeadBolt: the NAS ransomware bane

The DeadBolt ransomware gang has been targeting NAS devices since January 2022, using an alleged zero-day vulnerability on Internet-exposed NAS devices.

The ransomware operation conducted further attacks on QNAP devices in May and June 2022.

**DeadBolt ransom notes**
*Source: BleepingComputer*

Earlier in February, DeadBolt began targeting ASUSTOR NAS devices using a zero-day vulnerability they attempted to sell to the vendor for 7.5 Bitcoin.

In most of these attacks, DeadBolt demanded a payment of just over a thousand USD from impacted users in exchange for a working decryptor.

However, other NAS ransomware groups demand more significant amounts from their victims.

The Checkmate ransomware targeted QNAP NAS products in July, demanding victims pay $15,000.

Сентябрь 2022
Пн	Вт	Ср	Чт	Пт	Сб	Вс
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30