Recently we noticed that HP DVLabs had reported at least 10 vulnerabilities in the Belkin N300 Dual-Band WiFi Range Extender (F9K1111). In response, Belkin has just released firmware version 1.04.10. Because this is the first update ever released for the F9K1111, and because there has been no public response explaining how the disclosed vulnerabilities are triggered, an in-depth look at it is both interesting and worthwhile.

0x01 Unpacking the update file

Before starting the analysis, we download the firmware update from the vendor's site and unpack it with the firmware tool binwalk:

$ binwalk -Me F9K1111_WW_1.04.10_upg.bin

The picture below shows the result. It looks like a fairly standard SquashFS file system representing the device's root directory.

[image]

Now, in order to run BinDiff, we need to interact with the hardware to obtain the pre-patch state of the files.

0x02 Obtaining the baseline firmware

To analyze the baseline firmware, we need some way of transferring the data stored on the device. To do this, we first have to remove the device's housing.

[image]

In the picture, the red and blue boxes mark the two places from which the firmware could be retrieved: the SPI flash chip and the UART interface. Although we saw some activity on the UART, we continued by imaging the SPI flash chip and using that as the basis for analysis. The chip we are working with is an MX25L1606E from Macronix; its pinout is shown below.

[image]

With this table in hand and the chip removed from the board, we are ready to wire it to the GoodFET using the general-purpose 8-pin connection shown above.

[image]

With pins 7 and 8 bridged, we use the following command to make sure all the hookups are correct:

$ python goodfet.spiflash info

Next, we run goodfet.spiflash dump to retrieve the chip's contents:

$ python goodfet.spiflash dump s

[image]
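Before a chip dump like the one above is handed to binwalk it is worth checking that it is real data and not the result of a bad hookup. The following Python is an added example, not code from the original post or from the GoodFET tooling: it checks the image against the nominal capacity of the MX25L1606E (16 Mbit, i.e. 2 MiB, a property of the part rather than a value taken from the post), rejects images that are almost entirely 0xFF or 0x00, extracts printable strings the way the strings tool would, and looks for the SquashFS magic "hsqs" that binwalk reported in the vendor update. The sample image the block builds is constructed filler, not a real Belkin dump, and the thresholds are assumptions chosen for the example.

```python
import random
import re

# Nominal capacity of the Macronix MX25L1606E named in the post: 16 Mbit = 2 MiB.
# This is a property of the part, not a value taken from the post.
MX25L1606E_SIZE = 16 * 1024 * 1024 // 8

# Little-endian SquashFS superblock magic ("hsqs"), the file system binwalk
# identified in the vendor update.
SQUASHFS_MAGIC = b"hsqs"

# Runs of at least 6 printable ASCII bytes, the same notion `strings` uses by default.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def printable_strings(data: bytes):
    """Return printable ASCII runs of at least 6 bytes, like the strings tool."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def check_dump(data: bytes, expected_size: int = MX25L1606E_SIZE) -> dict:
    """Sanity checks for a raw SPI flash dump. Every value should be True before
    the image is trusted enough to unpack and diff."""
    if not data:
        return {"size_ok": False, "not_blank": False,
                "has_strings": False, "has_squashfs": False}
    # A dump that is almost entirely 0xFF (erased flash) or 0x00 usually means the
    # chip never answered: MISO not connected, wrong chip select, or a floating
    # control pin. The 90% threshold is an assumption for this example.
    blank_ratio = max(data.count(b"\xff"), data.count(b"\x00")) / len(data)
    return {
        "size_ok": len(data) == expected_size,
        "not_blank": blank_ratio < 0.90,
        "has_strings": len(printable_strings(data)) >= 10,
        "has_squashfs": SQUASHFS_MAGIC in data,
    }


def build_sample_dump() -> bytes:
    """Construct a fake 2 MiB image (deterministic pseudo-random filler, not a real
    Belkin dump) with a SquashFS magic and a few readable strings planted in it."""
    image = bytearray(random.Random(7).randbytes(MX25L1606E_SIZE))
    image[0x40000:0x40000 + len(SQUASHFS_MAGIC)] = SQUASHFS_MAGIC
    text = b"\x00".join(
        b"/bin/webs /etc/init.d/rcS GoAhead-Webs goform %d" % i for i in range(20))
    image[0x50000:0x50000 + len(text)] = text
    return bytes(image)


if __name__ == "__main__":
    import sys
    # Usage: python check_dump.py <dump.bin>; without an argument the constructed
    # sample image is checked instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for name, ok in check_dump(data).items():
        print(f"{name:13s} {'OK' if ok else 'FAIL'}")
```

A dump that fails size_ok is usually truncated or produced with the wrong chip definition; one that fails not_blank should be re-read after checking the wiring rather than analyzed further, since binwalk will happily report nothing at all on an all-0xFF image.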
Finally, we ran a quick string search over the resulting file to make sure the dump looked legitimate, or at least contained some readable strings.

[image]

As before, the resulting binary can be unpacked with binwalk.

0x03 Diffing the update files

The two file systems unpacked above were moved to a Windows box and dragged into WinMerge, which shows that the changes are actually not very large.

[image]

The files compiler_data, version and FUNCTION_SCRIPT contain no interesting changes apart from some data that may be useful for fingerprinting, and util_system.asp has few interesting changes either. So we spend most of our effort reviewing Belkin's modifications to webs, the GoAhead web server.

0x04 Analyzing webs

HP's Zero Day Initiative named each of these vulnerabilities after the function or input that is likely affected:

1. formWpsStart pinCode remote code execution vulnerability
2. formWlanSetupWPS wps_enrolee_pin remote code execution vulnerability
3. formWlanMP remote code execution vulnerability
4. formBSSetSitesurvey remote code execution vulnerability
5. formHwSet remote code execution vulnerability
6. formConnectionSetting remote code execution vulnerability
7. formAccept remote code execution vulnerability
8. formiNICWpsStart remote code execution vulnerability
9. formUSBStorage remote code execution vulnerability

So, with the patched version of webs loaded into IDA, we searched the function list for formHwSet and found nothing; in fact, many of these functions are missing. Dragging both versions into BinDiff, we can see that the update removed 7 functions, as shown below.

[image]
These correspond nicely to the data in the ZDI report. In fact, every function named in the ZDI report has been deleted, apart from formWlanSetupWPS and formBSSetSitesurvey. Next, we take the time to look at these deleted functions.

0x05 formUsbStorage

The first function we analyze is formUsbStorage. A quick read of the function makes it obvious that there are problems here. First, the POST variable sub_dir is read through the GoAhead webs API function websGetVar, and then that variable is used in a system call, which allows command injection.

[image]

This code can be triggered with the following command:

wget --post-data="sub_dir=vectra;reboot" http://belkin.range/goform/formUSBStorage

0x06 formWlanMP

Similarly, we found a similar bug in formWlanMP: tracing the calls to websGetVar, we see several places with possible holes.

[image]

Looking further down, we find several entry points where injection into a system call may be possible; here we analyze ateFunc.
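The defect in formUSBStorage and formWlanMP is the same: a value read with websGetVar reaches a system call unchanged. The following Python is an added example, not code from the post or from the GoAhead project, and shows the two defensive halves of that story: the allowlist check a handler such as formUSBStorage should apply to sub_dir before using it, and a detector that flags POST bodies to /goform/ handlers whose parameters contain shell metacharacters. It runs over a handful of constructed requests that include the wget body quoted above, once as written and once URL-encoded, because a detector has to decode the body before inspecting it. The request tuples, the field names and the length limit are assumptions for the example.

```python
import re
from urllib.parse import unquote_plus

# Characters that let a value break out of a shell command line built around it.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\]")

# What a handler like formUSBStorage should accept for sub_dir: a single directory
# name with no separators and neither "." nor "..". Anything else is rejected
# instead of being handed to system(). The 64-byte limit is an assumption.
SAFE_SUBDIR = re.compile(r"^(?!\.{1,2}$)[A-Za-z0-9_.-]{1,64}$")


def is_safe_subdir(value: str) -> bool:
    """Allowlist validation the vulnerable handler lacked."""
    return SAFE_SUBDIR.fullmatch(value) is not None


def parse_form(body: str):
    """Decode an application/x-www-form-urlencoded body into (key, value) pairs.
    Done by hand so that ';' is never treated as a pair separator (older
    urllib.parse versions did that) and so that %3B is decoded before inspection."""
    pairs = []
    for field in body.split("&"):
        if not field:
            continue
        key, _, value = field.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def suspicious_params(body: str):
    """Return the (key, value) pairs whose decoded value carries shell metacharacters."""
    return [(k, v) for k, v in parse_form(body) if SHELL_META.search(v)]


def scan_requests(requests):
    """Flag POSTs to /goform/ handlers whose parameters look like command injection.
    Each request is a constructed (method, path, body) tuple; a real deployment
    would feed decoded requests from a proxy or web server log instead."""
    hits = []
    for method, path, body in requests:
        if method == "POST" and path.startswith("/goform/"):
            bad = suspicious_params(body)
            if bad:
                hits.append((path, bad))
    return hits


# Constructed sample traffic. The second body is the wget payload quoted in the
# post; the third is the same body URL-encoded.
SAMPLE_REQUESTS = [
    ("POST", "/goform/formUSBStorage", "sub_dir=public"),
    ("POST", "/goform/formUSBStorage", "sub_dir=vectra;reboot"),
    ("POST", "/goform/formUSBStorage", "sub_dir=vectra%3Breboot"),
    ("GET", "/util_system.asp", ""),
]

if __name__ == "__main__":
    for path, params in scan_requests(SAMPLE_REQUESTS):
        print(f"suspicious POST to {path}: {params}")
    for v in ("public", "vectra;reboot", ".."):
        print(f"is_safe_subdir({v!r}) = {is_safe_subdir(v)}")
```

The allowlist is the real fix: validating the value and then passing it to the program without a shell removes the injection, whereas the metacharacter detector only catches the straightforward shapes and is meant for monitoring traffic to a device whose firmware cannot be changed.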