The French ISP 'Free' was the first to introduce a set-top box in France in 2002, named the Freebox. Four years later, the fifth version of the Freebox was released and distributed to customers. It comprises two devices: a router, and a PVR called the Freebox HD, both running Linux. The Freebox HD had innovative features at the time, such as live television control and HD capabilities.
Such a device has a lot of potential for running homebrew, so I decided to hack it. I present how I got arbitrary code execution on the Freebox HD and then root privileges, using a chain of two 0-day exploits, one of which is in the Linux kernel. I then analyze the device, run homebrew software, and explain the structure of the ISP's private network that I uncovered while exploring the device.
The Freebox HD is a set-top box with media player capabilities designed and built by the French ISP 'Free' in 2006, and distributed to customers since (including me). It is still in use and will be maintained until the end of 2025.
When I got it, I wanted to run homebrew software on it, so I decided to reverse engineer it. The initial goal was to get arbitrary code execution. The Freebox HD being largely undocumented, this talk shows the full process of reverse engineering it from scratch:
* Initial visual inspection
* Disassembly and inspection of the insides
* Attack surface analysis and choice of the target
* Search and exploitation of a vulnerability in PrBoom (a Doom source port running on the Freebox HD)
* Analysis of the Linux system running on the Freebox HD
* Search and exploitation of a Linux kernel exploit to escape the sandbox and gain root privileges
* Decryption and dump of the firmware
* Analysis of the Linux system and the programs of the Freebox HD
* Playing with the remote control capabilities
* Reverse engineering of the private networks of the ISP
The two exploits used to gain full root access were both discovered for this specific hack, which makes them 0-day exploits.
The analysis leads to some interesting discoveries about the device itself, but also the ISP, how their technical support works and accesses the devices remotely, and much more!
Licensed to the public under http://creativecommons.org/licenses/by/4.0
Transcript
00:00 Thank you, thanks for this nice introduction.
00:21 And I will now introduce the ISP Free.
00:25 So Free, as mentioned, is a French ISP.
00:28 It has been known since forever to disrupt the market on a regular basis with nice offers
00:34 both on the internet access side and on mobile phone access too.
00:39 It's the first ISP in France to release a set-top box, which is called the Freebox.
00:45 The set-top box from the beginning enabled triple play, as in internet access, phone and TV over IP.
00:51 On the left here you can see the first versions of the Freebox.
00:54 In the middle are the versions 3 and 4 with a smaller form factor.
00:58 And the version 5 in 2006 was released as two separate boxes.
01:04 One for the internet access on the top and one for the TV on the bottom.
01:08 And that's our device of interest today.
01:11 So this Freebox, called Freebox HD, released in 2006, comes with a nice form factor, a front panel to display information and quite some connectivity on the back.
01:23 So we have here Wi-Fi antennas, TV antennas, inputs, outputs including HDMI, an Ethernet port and two USB ports that we can plug our USB drives into.
01:36 The router part acts as a DSL modem, a switch and a router.
01:42 It's a bit out of scope of this presentation, but it will make a few appearances.
01:48 So the main feature of the Freebox HD is that it's a PVR, so personal video recorder.
01:53 It's programmable, it has time shift and a hard drive of 40 gigabytes.
01:58 And since Free likes geeks, they add nice features to their boxes.
02:04 And this one has an FTP server, so we can upload videos.
02:07 We can also download recordings, which is quite nice.
02:11 The box also runs Doom, so it's possible to play Doom out of the box.
02:16 We have Duke Nukem 3D as well, and an SDK.
02:21 And this SDK allows developing programs, which are quite limited, unfortunately.
02:27 It's limited to an interpreted language, and it runs in a sandbox that's heavily restricted.
02:32 So why would anyone want to hack a box if it already runs Doom?
02:36 Well, for the second reason, which is they remove features that we like, for no good reason.
02:42 So let me present my use case.
02:45 My Freebox HD, I had a small crappy screen connected to it.
02:50 And I used it to record programs, then download them with FTP,
02:54 and watch them on my PC, which had a much better screen.
02:57 It's something that I could do with a TV capture card, it would work the same.
03:01 And then one day, the two main private TV channels in France, TF1 and M6,
03:06 decided that this is not acceptable.
03:09 So they asked Free to stop the ability to download recordings through FTP.
03:16 It was still possible to record them, but not to download them.
03:19 So I was a bit annoyed because many other channels followed,
03:23 and it was almost impossible to download recordings.
03:26 But we know that the box has a hard drive, so we can just open it and get the hard drive out.
03:33 So there are three screws, two visible screws and one below this sticker.
03:38 And once it's open, it looks like this.
03:42 After the hard drive is removed, it looks like this.
03:45 And I will come back to this picture in a bit.
03:48 But OK, I had the hard drive disconnected.
03:50 I connected it to my PC, and I decided to do a full dump of the raw data
03:55 and unplug it as soon as possible.
03:57 I was afraid to write something and make it unusable.
04:01 Then I mounted this dump and analyzed it.
04:05 And there are three partitions on it, which are XFS.
04:08 Two small partitions which are encrypted, and I couldn't get anything out of them.
04:12 And the third partition is not encrypted.
04:16 It contains the recordings, which are also not encrypted, in a special directory called private records.
04:23 So you can see that this directory is the only one owned by root.
04:27 So at this point, I assume that the FTP server just doesn't list files if they are owned by root.
04:34 Interestingly enough, the other files are owned by user 4242.
04:38 It seems like at Free, people like the number 42.
04:43 OK, so this is mission accomplished, right?
04:47 I could get my recordings, but let's look at how it used to work before.
04:51 I record the program, I get it with FTP.
04:54 And after I record the program, I have to open the Freebox HD,
04:58 remove the hard drive, connect it to a PC,
05:01 mount it, copy the file, and put it back into the Freebox HD.
05:04 So it's FTP with a lot of extra steps, and I was not really satisfied with that.
05:11 And I thought it's surely possible to do better,
05:14 and we can make the private recordings public again.
05:17 But for that, I need to understand how the PVR program works.
05:22 And I started with what I had, which was the unencrypted HDD partition.
05:28 Unfortunately, there was really nothing interesting there.
05:30 So besides the recordings, it's pure data.
05:33 There is no configuration file, no binary, nothing that could be reasonably exploited.
05:38 So the next step is to hack the Freebox, which I consider a good thing.
05:44 And in addition, if successful, it could unlock homebrew
05:49 and potentially many more possibilities.
05:51 But in all honesty, I had already decided I would hack it,
05:54 regardless of the recording situation at this point.
05:57 OK, so what's in it again?
06:01 We have here the main CPU and its RAM.
06:06 We have 128 megabytes of RAM.
06:09 So I knew there should be some flash memory somewhere,
06:12 but it was not on this side of the PCB.
06:15 Later, I learned that it was a 32 megabyte chip.
06:18 So the next step would be to remove the PCB, inspect the other side,
06:23 and just desolder the flash and dump it.
06:27 But there's a slight problem with that.
06:29 This is not really my box.
06:31 So technically, and I mean legally, the box really belongs to Free.
06:37 It's just lent to subscribers.
06:39 And as far as I know, it's always been like this with Free,
06:42 and it's still like this.
06:43 So we never own the box as customers.
06:46 We just get it and we have to give it back in working order
06:51 when we cancel the subscription.
06:53 So I didn't want to desolder anything or even touch the PCB
06:58 because I had already damaged the sticker at this point,
07:02 and I decided that I was not going to make any hardware modification.
07:06 So there is no choice but to have a soft mod.
07:10 However, to start with a soft mod,
07:13 we need some kind of entry point, something to begin with.
07:18 And I had no firmware, no information,
07:21 so I was starting a blind exploitation.
07:25 And what's the first step in hacking a device?
07:28 It's to check if someone else has already done it.
07:32 So in my case, I did a few Google searches,
07:37 and I saw that indeed there was a team who had already attempted this.
07:41 The team was called OpenFreebox.
07:44 So I was never a part of it.
07:45 I just stumbled upon their website when doing my research.
07:50 And today the website is down, but still accessible with the Wayback Machine.
07:54 So they had done quite some work on the Freebox before,
07:57 but never really a hack.
07:59 And the Freebox V5, of which the Freebox HD is a part,
08:02 was almost undocumented.
08:04 There was nothing they had given that was really interesting.
08:08 So we got this picture of a serial interface on the Freebox HD PCB,
08:13 and the boot log that they got with it.
08:16 And if we look at it, it seems to be a very early boot log.
08:20 There's not much information.
08:22 The only thing that we can see that could mean something
08:25 is ZBoot SMP863x.
08:29 So nothing really to work with here.
08:32 But what about Free themselves?
08:35 Because most of the software on the Freebox HD is GPL,
08:38 which means that Free has to publish the modifications that they do.
08:42 They are legally obliged to do that.
08:45 Except that there was a debate, and for some time they didn't,
08:48 because they argued that the Freebox HD is never the customer's property.
08:53 So it should be considered as just a node in their internal network.
08:58 But after a few years, they caved and published the modifications.
09:03 So by just looking at this, we see that the system on chip is SMP8634,
09:09 actually, which is a MIPS CPU.
09:12 It runs Linux 2.6.31 with BusyBox.
09:17 The Doom software which is used is also mentioned,
09:20 and it's called PrBoom.
09:22 It's a Doom source port, so it's the Doom engine,
09:24 a bit cleaned up, and it can compile for many architectures.
09:28 There's also libexif, libtimidity,
09:30 and since the box allows viewing pictures,
09:33 I thought there must be libjpeg and libpng.
09:36 And these two libraries are known to have many vulnerabilities,
09:41 fixed for almost all of them.
09:44 And the nice thing is the bug reports often come with sample pictures
09:48 to trigger the vulnerabilities.
09:50 However, they are also usually popular, so the vulnerabilities are fixed,
09:54 and that's the case also on the Freebox HD.
09:56 So I was never able to trigger a bug with a picture.
10:00 I thought about finding a new zero-day vulnerability in one of these libraries,
10:05 but this was in 2012 and 2011, so quite a while ago.
10:11 But shortly after, Chrome had been released,
10:13 and Google had audited these libraries really to the core,
10:17 and all the easy vulnerabilities were fixed,
10:22 and I thought this could be a waste of time.
10:25 So by the way, this all happened in 2011 and 2012, so quite a while ago,
10:30 but it's the first time I'm presenting this.
10:33 So what other entry point do we have?
10:36 Well, I like game save files,
10:39 because generally the game developers treat them as trusted data.
10:43 After all, it's their own game which produced them,
10:46 and they don't really expect people to modify them manually.
10:50 And, well, this box runs Doom, which is good.
10:54 We know which version.
10:55 It's open source, so we even have the source code.
10:58 And while playing with Doom, I noticed that the way to play Doom
11:02 is to upload save files and WAD files with the FTP server.
11:07 So the reason for that is, while PrBoom is open source
11:10 and can be freely distributed, the WAD files,
11:13 which contain the Doom data, all the assets, all the levels,
11:17 they are copyrighted and, for example, doom1.wad belongs to id Software.
11:23 So they had to let the users somehow provide a WAD file
11:28 for the box to be able to run Doom.
11:30 So I thought that should be a good entry point
11:33 and decided to download the source files
11:36 and look at the save algorithm.
11:39 So the save algorithm is pretty much what you would expect.
11:43 It copies the player structure to a buffer
11:47 and the buffer will be later written to the file.
11:49 But it also does something with some structure,
11:54 a psprite state.
11:56 And the reason for that, if we look at the player structure,
11:59 we see that it contains some psprites.
12:02 And these are sprites used to display the weapon, actually.
12:05 And the psprite has a state, which is a pointer,
12:10 and this pointer points to a global state array.
12:13 So, of course, you cannot just write a pointer to a file
12:16 because when you load the file, the pointer will be invalid.
12:19 So what the code does is it converts the pointer
12:22 into an index into this array.
12:25 So that's perfectly fine.
12:27 You just need to do the opposite when the file is loaded.
12:30 And let's look at both algorithms side by side.
12:34 So, copy the player structure to the buffer,
12:36 and when you load, you copy from the buffer to the player structure.
12:40 That's fine.
12:41 But then, the load algorithm, when it restores the state,
12:45 it has to take the index and convert it back to a state pointer.
12:49 And I think some of you may already have spotted the problem here.
12:53 There is absolutely no check done on the state index
12:58 before converting it to a pointer.
13:01 So, in theory, if we modify this state index in the save file,
13:06 we can control the state address and make it point anywhere.
13:10 This could be good.
13:12 Let's have a look at what's inside the state and how it's used.
13:17 So, this is the state structure that we can control in theory,
13:21 and it's really only used in that function P_MovePsprites.
13:26 So, if we control the state, then we can control the next state too.
13:30 The next state is passed to a function P_SetPsprite as stnum.
13:36 stnum is used to load a new state, so we can control that too.
13:41 The state has an action, and this action is called as a callback.
13:47 So, this looks pretty good.
13:50 We can probably get some code execution with that.
13:54 So, let me recap quickly how we do that.
13:57 We have this player structure. It has a state.
14:01 We modify this state by touching the save file,
14:04 so it points to some memory that we control too.
14:07 In this memory, we craft a state_t that has a next state,
14:12 which points to another state_t that we also control.
14:15 And finally, this action pointer will be called.
14:18 We control it.
14:20 We make it point to some arbitrary code that we want executed,
14:23 and it should work.
14:26 Or should it?
14:29 We still have two problems to solve.
14:31 The first one is that the payload will only be executed if its memory is executable.
14:37 So, this is the NX protection.
14:40 Normally, the CPU will refuse to execute some memory
14:43 which is not marked as executable.
14:45 And second, we absolutely have no idea
14:48 where we should have control of these structs,
14:52 at which addresses, where the game loads.
14:55 We know nothing.
14:56 So, for the first problem, I chose to just ignore it,
15:00 and because it's a MIPS CPU, maybe it doesn't have NX protection.
15:04 We'll see that later.
15:06 For the second problem, we need a memory address leak or something.
15:11 We could use heap spraying to maximize the chances,
15:14 or maybe we could use both.
15:17 So, let's think a bit more about this and what we can do.
15:22 If we put in the save file a completely wrong index,
15:27 then the pointer that is reconstructed will point to invalid memory,
15:31 and the game will crash.
15:32 And this, of course, we will see.
15:35 But if we look at the code of P_SetPsprite,
15:39 we see that if we provide a state that is zero,
15:42 the weapon sprite is completely removed,
15:45 so the weapon disappears from the game.
15:48 We have an info leak right here.
15:50 We know if the game crashes,
15:52 it means the pointer points to invalid memory.
15:54 And if the weapon disappears, the memory is valid,
15:57 and it contains zeros.
16:00 So, that's the theory.
16:02 I wanted to test it, and since PrBoom is open source,
16:05 I just compiled it and ran it on my PC.
16:07 And indeed, with a normal save file, we load it,
16:12 and we see Doomguy with the weapon.
16:15 Everything is fine.
16:17 Now, if I modify the save file so that the next state becomes zero,
16:22 when we load, we have Doomguy without a weapon.
16:27 Okay.
16:28 So, this is already something that we can use.
16:32 But we need to do that now on a MIPS CPU.
16:35 And the MIPS CPU has the following address space.
16:38 So, what's important here is that any user space program
16:42 can only be loaded in the lower 2 gigabytes of memory.
16:46 So, we can expect PrBoom will load somewhere in this memory.
16:51 The save file is around 30 kilobytes in size.
16:55 And we are not in control of everything.
16:59 It still needs to be valid.
17:00 So, we cannot control all of it.
17:02 But still, if we controlled all of it,
17:04 and we would just try to use random indexes
17:07 until the pointer of the state somehow points back to the save file,
17:11 this would be around 70,000 attempts
17:14 to cover the full address space, which is too much.
17:18 And on top of that, it's quite difficult to automate.
17:22 But we have WAD files.
17:25 So, for example, the Doom1 WAD file
17:27 is actually a file that contains other files.
17:30 So, every WAD is just a file container.
17:33 For Doom1, it contains this PLAYPAL, COLORMAP, E1M1, E1M2,
17:38 and more files.
17:39 And it's absolutely feasible and possible
17:43 to just add our own data to a WAD.
17:47 And I tried this until the Freebox would refuse to load Doom,
17:51 and I reached a Doom1 WAD file of around 100 megabytes,
17:56 which is consistent with the 128 megabytes of the Freebox HD.
18:02 So, the plan is to use the WAD file instead of the save file
18:06 for the data that we need to trigger the exploit.
18:10 In particular, we will add a file in the WAD of 33 megabytes,
18:16 which will contain the first crafted state_t.
18:19 We will add another file with the second crafted state_t,
18:24 and the payload, which contains arbitrary code.
18:27 And by doing it this way,
18:30 we are trying every time 33 megabytes of address space.
18:35 So, in 60 attempts, we should be done.
18:38 But we can do even better.
18:41 If we have a WAD file which we fill with zeros,
18:45 100 megabytes of zeros,
18:47 then we know that if somehow the modified state index
18:50 in the save file
18:52 ends up pointing in this WAD,
18:54 in the zero section,
18:55 the weapon will not load.
18:58 It could also be that, by chance,
19:01 we are pointing to some other memory which contains zeros.
19:05 But we can check that by also having a WAD
19:09 which contains only garbage data.
19:12 Because this time,
19:14 if the modified state index
19:16 ends up pointing in the garbage section,
19:18 the game crashes.
19:20 So, by combining these two WADs,
19:23 we have a way of telling for sure
19:26 if a crafted index works
19:29 by testing it first with the WAD which contains zeros,
19:32 and then confirming that it was not by chance
19:35 by testing it with the garbage WAD.
19:38 This assumes that the heap is at a fixed address
19:41 or has minimal variation.
19:43 And in the end, with 100 megabytes,
19:45 it doesn't really matter.
19:47 So, these are the results of my tests at the time,
19:50 in a spreadsheet, of course.
19:52 And at line 17, you see the first index
19:55 that worked for me.
19:57 So, I tried it five times,
19:59 and I was able every time
20:01 to have no weapon displayed
20:03 with the WAD which contains zeros,
20:05 and to have a crash with the WAD
20:07 which contains garbage data.
20:09 So, finally, I was able to construct
20:12 an exploit that should work.
20:14 I start by setting this index
20:16 that I found in the save file.
20:18 So, this will affect the state pointer here,
20:21 and will make it point to the first part of the WAD file
20:25 which contains the first crafted state_t.
20:28 This, then, points to the second crafted state_t,
20:31 which points to the third one,
20:34 which contains arbitrary code,
20:36 with a NOP sled, so 32 megabytes of NOPs,
20:40 and, finally, the exploit code.
20:42 This should work in theory,
20:45 assuming there is no NX protection on the MIPS CPU.
20:48 So, I decided to create the simplest exploit I could,
20:52 and I had to do it by writing MIPS assembly.
20:55 The goal of this exploit is to just create a file
20:59 that I can then see using the FTP server.
21:03 So, MIPS assembly is quite complicated and quirky.
21:07 Just this highlighted instruction is used
21:10 to get the program counter value,
21:12 because the rest of the code
21:14 is position independent.
21:16 And you can see also that after every branch instruction,
21:19 there's a NOP operation,
21:21 because MIPS always executes the instruction
21:24 after a branch, even if the branch is taken.
21:27 And then, the rest of the exploit
21:30 is just calling the create syscall
21:32 with the file path that is displayed there.
21:36 So, then, I connect to FTP, ls,
21:40 and the file is there.
21:42 It worked.
21:51 No NX protection.
21:52 So, I was right to ignore this problem.
21:54 And then, I decided to start exploring,
21:57 so I wrote a lot more MIPS assembly.
22:00 And I found some interesting files,
22:04 including a library to control the front panel display.
22:07 And I thought I would make a more visual exploit.
22:10 So, the first frame, this is me loading the save file
22:14 in PrBoom.
22:15 And then, this happens.
22:29 So, it definitely works.
22:30 It definitely works.
22:37 Okay.
22:38 So, now, it's time to explore a bit more.
22:42 And immediately, I realized that PrBoom is running in a sandbox.
22:47 So, it has a chroot.
22:49 As user 4242, of course.
22:52 There is almost nothing accessible.
22:55 No nice file is there.
22:57 No configuration.
22:58 I can see almost nothing.
22:59 One thing that is there is the shared memory.
23:03 It's not mounted as noexec.
23:06 So, at least, this lets me write proper C code instead of MIPS assembly,
23:11 and compile it as an ELF executable.
23:13 And I wrote a loader, which lets me upload the program using FTP.
23:18 It will copy it to /dev/shm, set it as executable, and execute it.
23:24 So, this made my life much easier.
23:27 But still, no good results.
23:30 Nothing useful is accessible.
23:32 So, the next step was to break out of the chroot jail.
23:37 And how do we do that?
23:39 Frankly, I had no idea.
23:41 So, I just Googled it.
23:43 And it turns out, it's pretty easy.
23:46 It's even documented.
23:47 There are tutorials.
23:49 Two steps.
23:50 The first one, be root.
23:52 And the second one, just execute this magic sequence of mkdir, chdir, fchdir, chroot.
23:59 Okay, but I'm not root.
24:01 So, how can I become root when I'm not root?
24:05 And I think you might know the answer already.
24:09 I have to exploit a local privilege escalation vulnerability in the Linux kernel.
24:16 And, of course, if there isn't one, I will have to find one myself.
24:21 So, the next step is to look at the list of LPEs in the kernel.
24:26 And really, there are very few.
24:29 Typically, one every few years.
24:32 The Freebox has all the latest fixes.
24:35 So, I have no choice but to find a new one.
24:39 And the first entry point is the system calls.
24:44 Because you go directly from user space to kernel space.
24:47 You control all the arguments, all the memory.
24:50 It looks like a pretty nice way to find a vulnerability.
24:54 But that's what everybody thinks.
24:57 That's what everybody does.
24:59 So, this is scrutinized by too many people.
25:01 And it's hardened so much that it was a dead end.
25:06 So, I kept thinking, well, what else could I do?
25:11 And this is the connectivity of the Freebox HD.
25:16 We have two USB ports here.
25:18 We can plug in USB drives.
25:20 So, file system vulnerabilities.
25:24 So, the file system modules in Linux, they are just kernel modules.
25:28 They run directly in the kernel.
25:30 And after looking at them for weeks, I can tell you that your USB drives, they don't really contain files.
25:37 They contain untrusted data.
25:39 And these kernel modules attempt to interpret that as files.
25:43 So, I had a new plan.
25:45 If I can put a corrupted file system image on a USB drive and plug it into the Freebox HD, then I can get root.
25:53 And, of course, what's the first file system that anybody would look at for vulnerabilities?
25:59 FAT32.
26:02 But there are so many implementations of FAT32,
26:06 every one broken in one way or multiple ways, that the Linux kernel module is very, very strict about sanitizing this data.
26:16 And as soon as something looks even a bit weird, the data is discarded.
26:21 So, it's really a dead end.
26:23 So, what's the other file system that consumers typically use when they have Apple devices, for example?
26:30 HFS Plus.
26:32 It's a bit more complex than FAT32, but it was promising.
26:37 So, we have to look quickly at how it works.
26:40 It's really a lot of binary trees.
26:43 And there is a catalog file which, as far as I understand, contains all the files.
26:49 And the binary tree of this catalog file looks like this.
26:53 And every index node, or intermediate node, is a directory.
26:57 And every leaf node is a file.
27:00 So, now I'm going to jump straight to the bug.
27:04 But this was the result of multiple weeks of looking at the code and trial and error.
27:09 And here we have hfsplus_readdir.
27:13 So, this function is called whenever we are enumerating files in a directory.
27:19 For example, by doing ls.
27:22 We see here there is a structure that's allocated on the stack.
27:26 And this line here calls a function which finds a node in the catalog, the binary tree of the catalog,
27:35 and puts the result in the fd variable.
27:39 So, after this function is called, the fd variable contains mostly controlled data, as in data coming from the USB drive.
27:46 And a few lines later, we see that the same fd variable is used to read from the drive into this entry variable that's allocated on the stack.
27:59 So, here we control entry offset and entry length.
28:03 So, we have a typical stack-based overflow.
28:07 Which is very nice because it means that we can, with a bit of luck, overwrite the return address.
28:13And, have the kernel call us back with kernel privileges.
28:17That is assuming there is no stack protection in the kernel.
28:22Again, I chose to ignore the problem and assume it's a MIPS CPU.
28:26So, it's probably not there.
28:28So, my new plan.
28:31I have this small program, which will be loaded by my PR boom loader.
28:36It has a main function, which just opens a directory in the USB drive.
28:41And, then, called getDNs or getDirectoryEntries.
28:45And, I used a special linker script for this program.
28:49So, that the main function would load at address 400,000.
28:53And, the exploitCallback function would load at address 600,000.
28:58And, this is because my HFS plus oversized entry looks like this.
29:04So, full of 600,000.
29:07And, of course, this directory corresponds to the one on the USB drive, which contains this oversized entry.
29:16So, the program should start in user mode.
29:20The main function calls getDirectoryEntries, which eventually calls HFS plus readdir, which triggers the stack overflow, which overwrites the return address by the address where exploitCallback is.
29:35And, normally, this means that my function should be called with kernel privileges.
29:41Again, I tried to run the rootexploit and have it create a file so I could check if it actually did something.
29:49And, yes, the file appears, which is good, but it also means that it's not owned by root.
29:56So, I need to try again.
29:58I need to call setUID0 and retry.
30:02And, I do that and, well, it's refused.
30:06And, the reason for that is that while the exploitCallback is called with kernel privileges, the Linux kernel still sees my process as run by user 4242.
30:16So, the CPU is okay with me reading and writing anywhere.
30:21But, the kernel is telling me, well, your UID is not zero, permission denied.
30:26So, since the kernel is not collaborating, I'll have to set my UID to zero myself.
30:32And, in order to do that, I need to know where this UID is.
30:39So, let's have a look at the threads or processes.
30:42It's treated the same in the Linux.
30:44So, in user mode, we have threads which are normally represented by a pthreadt.
30:49But, the kernel keeps track of the threads as task threads.
30:54And, this task structure contains the credentials.
30:57I've put a quick snapshot of what this task structure looks like.
31:02So, it's a big structure.
31:04And, maybe you can see that what it contains depends a lot on how the kernel was compiled.
31:11So, by just reading the source code, we cannot know what is the offset of the credential.
31:18We need to know how it was compiled.
31:20We could brute force this, but it's going to take a lot of atoms.
31:25And, well, I can read anywhere, right?
31:28So, I can just dump all the kernel memory.
31:31Then, I try to find the function setUID in the kernel memory.
31:37So, here it is.
31:39And, by reading the disassembly, I can guess or even find the offset of the credentials in the task struct.
31:49Okay.
31:50Now, I need to find this task struct.
31:52Where is it in memory?
31:53And, it turns out that in the MIPS implementation of Linux, as soon as a process enters kernel mode,
32:00the current task pointer is saved to the GP register and stays like this until it leaves the kernel.
32:07So, I can just read this register from my callback to know where the task struct is.
32:12In practice, so, this is how setuid is implemented in user mode.
32:17So, these are three lines highlighted there.
32:21The first one just reads the GP register, so we know where the task is.
32:25The second one gets the pointer to the credentials, and the third one sets the UID to zero.
32:32So, in practice, being root does nothing in Linux, except for accessing files owned by root.
32:39We need capabilities to really override the protections of the kernel.
32:43So, that's what the next lines do in this exploit.
32:46They just enable all the capabilities for my thread.
32:49In particular, to escape the jail, I need CAP_SYS_CHROOT.
32:54Okay, so, this is done.
32:57Does it work?
32:58Let's see the root file system before and after.
33:03Well, clearly, it works.
33:13So, the first thing I did was to look at the flash memory,
33:17and all the flash partitions are nicely mounted already.
33:22And I'm happy I didn't desolder it because most of them are encrypted,
33:26and I would have been able to do nothing with that.
33:29Interestingly enough, we find some partitions named Xenv and Zboot,
33:35as we had in the boot log by the team OpenFreeBox.
33:40So, let me give you a quick overview of the system.
33:44It's a custom Linux.
33:46It has a read-only root partition, and it runs busybox.
33:49There is no X server.
33:51Everything happens in the frame buffer.
33:53And the main user interface is a web browser,
33:58a frame buffer web browser, which is called Xenbrowser.
34:01It has been since discontinued.
34:04There is an SSH server running.
34:06It's not OpenSSH.
34:07It is DropBear, which is a lightweight implementation of SSH.
34:11We can find, of course, FTPD, PVRD, and other processes.
34:16And there are two users, which are root and freebox.
34:20And, well, you remember the OpenFreeBox team?
34:24Can you guess what is the root password?
34:29Well, this is it.
34:31And that was slide 42.
34:47So, when I saw that, I thought, okay, I have to connect to this SSH server as root.
34:54And it's a bit weird because to access the FTP server on the Freebox HD,
35:01we connect to this IP address, which is a public IP address on the internet.
35:06So, I assume that the Freebox server intercepts packets to this IP address
35:11and forwards them to the Freebox HD.
35:14So, I tried to connect to SSH with this IP address and timeout.
35:19I tried to have a reverse shell so the Freebox HD would connect to my computer
35:24and nothing happens.
35:25So, eventually, I just run ifconfig on the Freebox HD.
35:30And this is what I get.
35:32So, there is no IP address on the ETH0 interface.
35:36Instead, we see that the VLAN 100 is used and the IP address is 192.168.27.1.
35:44By looking into it, I saw that there is also IPSec enabled.
35:47So, there is really no way to access the network without knowing this.
35:52But let's try it.
35:54So, we need VLAN 100.
35:57This is easy. We can just configure it on any computer.
36:00We need the keys from IPSec.
36:02And, well, it's just not too complicated to get them once you're root.
36:07And there is a special file that just gives them. Good.
36:10And then there's something a bit special, this libfbx netwrap.
36:16It is a soft firewall, as in, for example, for DropBear.
36:20DropBear has to ask this library if an IP address is allowed to connect.
36:25So, it's an opt-in firewall in a way.
36:27But it has a config file, and we see that in order to access the SSH server, we need to be in the 172.16.12 range.
36:38And another piece of information that I got using Wireshark is that when the Freebox HD boots,
36:44it's going to get its IP address from the server through a DHCP query,
36:48which happens before IPsec is set up. So, this we can see in the clear.
36:53With all that, I had my plan to access the Freebox using SSH.
36:57So, I would boot it up, let it get its IP address from the Freebox server,
37:02and then I remove the Freebox server from the network.
37:05I replace it with a computer, which I call the Gateway Computer.
37:10I set it as VLAN 100 with the IP address of the Freebox server,
37:15IPsec set up, and I set up another VLAN, the VLAN 70,
37:20with an IP address of 172.16.0.1, and IP forwarding enabled.
37:26My computer is going to connect to that Gateway Computer using the VLAN 70
37:32with an IP address of 172.16.0.2.
37:36And this way, VLAN 100, IPsec, and libfbx netwrap are taken care of.
37:44So, I try it and, well, it connects, but password is invalid, which is weird.
37:50I just read it from passwd.
37:52But, well, the plaintext passwords in there, they are just jokes.
37:57Normally, hashes should be there. So, no password can work at all.
38:01And only public key can work.
38:05So, at this point, I just decided to take the Dropbear binary,
38:09patch it so any password would work.
38:13And finally, I have SSH access as root to the Freebox HD.
38:19Okay, so mission accomplished.
38:29Well, what about the recordings?
38:31That was the initial goal, right?
38:33So, PVRD.
38:37This binary contains all the symbols,
38:40so it's pretty easy to have a look at it.
38:43And I give you a screenshot of a decompiled function.
38:46It reads a config file,
38:48and this config file decides if the recordings are private or public.
38:52And the config file, it lives on one of the two encrypted hard drive partitions,
38:57which is mounted, so I can just edit it in place with SSH.
39:02But I decided to get the keys just in case.
39:06And again, when you are root, this is pretty easy.
39:08You can just ask the device mapper,
39:10which is responsible for mounting these partitions,
39:12well, what are the keys?
39:14And it will give you the keys.
39:15So, this is for the sake of future-proofing.
39:19If I lose access, I can still access the partition by removing the hard drive.
39:24So, in practice, we have here the configuration for TF1.
39:29We see that PVR mode is set to private,
39:32so we change it to public,
39:34try to have a recording,
39:37and we use FTP,
39:40and here it is, ready to be downloaded.
39:43So, this time, mission accomplished.
39:45I know that some of you, because I did as well, might wonder,
39:56okay, there are URLs here for the streams.
40:00Can we access paid TV channels by modifying the URLs?
40:05And, well, first, you need to know that this RTSP server host
40:10resolves to the Freebox server.
40:12So, the answer is, I don't know.
40:15I didn't dare to try it,
40:18because, probably, there are more checks,
40:21and I don't want to have someone on Free get an alarm
40:25that this customer is accessing a TV channel that he's not paying for.
40:29So, it might work, it might not work.
40:33Another interesting part is a custom HTTP server, it seems.
40:38At least, I couldn't find any HTTP server with that name.
40:41It's called Chain, and it provides a kind of RPC interface,
40:46which is used, presumably, by the customer support.
40:50We can, for example, reboot the Freebox,
40:52show a message on the panel,
40:54and make a panel blink with test hotline.
40:57And I tested it on my Freebox.
41:00It works perfectly fine.
41:02And, of course, I thought, does it work on other people's Freeboxes?
41:08Right?
41:09So, IPsec configuration.
41:13On the Freebox HD, it's configured in both Transport and Tunnel mode.
41:17So, Transport mode just encrypts the packets,
41:19but Tunnel mode can be used to make a VPN, anyway.
41:23And, well, after looking at it for a while, I'm pretty sure of the following.
41:28The Tunnel mode is used for communication with developers
41:32and customer support, as well.
41:34So, there are public keys of the developers
41:37in the SSH configuration of the Freeboxes,
41:39which means that developers can access them.
41:42Also, this is correlated by the usage of the private IP range
41:47for the access to the SSH server.
41:50So, I'm pretty sure, with the right IPsec keys,
41:55it's possible to access any deployed Freebox.
41:58But, again, I didn't dare to do that in the end.
42:01First, I'm not sure that the keys are global
42:05or are unique per Freebox.
42:07I don't know, and I didn't have a second Freebox to test.
42:10And, second, well, it's one thing to play with the Freebox
42:15that's, okay, not mine but at my home
42:17and disconnected from the network.
42:19It's another thing to, well, display a message
42:23on some random person's Freebox.
42:25So, I thought this will probably remain forever
42:29a question that will not be answered.
42:31And, honestly, I had done what I wanted, so I stopped there.
42:36I was scared of getting dragged into some problems.
42:39So, an epilogue.
42:43The Freebox HD is quite old, but it's still in use.
42:47It's planned to be retired at the end of next year, I think.
42:51I tried to report the HFS Plus vulnerability,
42:54but I didn't have to because it was fixed
42:57three months after I discovered it.
42:59So, I can just say this is not just a potential buffer overflow.
43:03And a funny thing is it was fixed three years before in HFS,
43:09which is not HFS Plus, right?
43:13So, okay.
43:15I've also contacted Free, and they are aware of all these vulnerabilities.
43:20I think they have been fixed.
43:22I cannot check, but they must have fixed them.
43:24And I think it's funny to see that, for once,
43:28the device was not hacked in order to run DOOM on it,
43:30but because it runs DOOM.
43:32And finally, I gave back my Freebox HD in 2013,
43:46so already 12 years ago.
43:49And the months after I gave it back,
43:52Xavier Niel, the CEO of Free,
43:54he founded a new computer science school,
43:58which he called 42.
44:00So, and that's it.
44:12Thank you, Frederic.
44:14Thank you for your amazing talk.
44:16Now it's time for questions.
44:18People from the stream can ask questions on Matrix
44:21in the hall zero, hall ground room, please,
44:25as well as on IRC, on hackint.org,
44:28on #39C3-hall-ground.
44:37The first question is from the chat, please.
44:40Okay, dangerous question to ask,
44:42but the internet is wondering how much time you put in the research.
44:46Well, I started in September of 2011,
44:53and I finished in March of 2012.
44:56So, not that much,
44:59but at the time I had nothing else to do.
45:05Next question.
45:06Microphone number three, please.
45:08Hi.
45:09Great work, by the way.
45:11Just a quick question.
45:12Why does it run DOOM?
45:14I think it runs DOOM for the same reason
45:17that it has an FTP server.
45:20The developers at Free are probably geeks,
45:24and Free has always had this reputation
45:27of providing features for geeks.
45:29For example, you were able to choose
45:31if your DSL should be in fastpath or interleaved mode,
45:36which I don't even know what it means,
45:38but it changes the ping.
45:40So, this is not the kind of thing
45:41that you usually find with many ISPs.
45:44So, I think they just thought it would be nice
45:47to have a box which runs DOOM.
45:50Next question.
45:51Microphone number two.
45:53Okay.
45:54So, what is the Freebox server?
45:57Amazing talk, by the way.
45:58Sorry.
45:59Yeah.
46:00The Freebox server,
46:01I haven't really looked into it.
46:03This one, I was...
46:05I mean, first, it was not preventing me from doing anything,
46:10so I had no real reason to look into it.
46:14Also, I must say, I could have done it,
46:19but I was really getting scared,
46:21because I know that if I look too much into it,
46:24I will end up doing something that I will regret.
46:26And again, the main reason is that it's not my device,
46:30and the Freebox server cannot really be disconnected
46:33from the network and remain useful,
46:35so experimenting with it can get dangerous.
46:38Fair enough.
46:40Microphone number four, please.
46:43Hello.
46:44I'm a bit surprised that you had to rely on a kernel exploit,
46:48did you try the obvious, like, you know,
46:50plugging a Linux file system with setuid binaries
46:53or a leaked handle in the process or stuff like that?
46:57Yeah.
46:58So, I tried a few things and none of them works
47:00because everything that is mounted is mounted with nosuid,
47:05noexec, no nothing.
47:07So, it's quite well secured on this part.
47:11Microphone number three, please.
47:14Thank you very much for hacking a device that I had at home
47:17when I was a child but couldn't touch yet.
47:20It's very interesting for me to see.
47:22As a former 42 student and long-time free user,
47:25I'm wondering how the disclosure procedure went
47:28and if you got any bug bounty out of it.
47:31Okay.
47:32So, well, first, I kept that to myself for a long time
47:38because then if it's not disclosed, it keeps working.
47:43So, all right.
47:49And, again, I was scared of how they could react.
47:54And I really only contacted them when this talk was accepted
47:58because I preferred for them to know in advance rather than to discover this,
48:02especially in the Christmas holiday season.
48:05And they were very nice.
48:07They immediately acknowledged the problem, wanted to talk with me.
48:12I gave them the commit to apply in the kernel
48:15to fix the HFS plus vulnerability.
48:18So, PrBoom is not maintained anymore
48:20and hasn't been in almost 20 years.
48:22So, there is no patch there.
48:25But I gave them the two lines to check the index.
48:29And I think I could have told them without any issue much earlier.
48:35But they just reacted as I would expect from Free,
48:38which is they welcome the research done.
48:42There was no bug bounty because, well,
48:46I think there is just none at Free.
48:49So, yeah, I did this for no money in the end.
48:55Microphone number two.
48:57Yes, sorry, I had another question.
48:59In the remote control scripts, that stood out to me a lot
49:03because it looks like Lua.
49:04It is Lua, yes.
49:06How does the remote control feature work at a high level?
49:09So, this web server, which is custom, has a Lua runtime.
49:14And it loads some Lua files, which provides some RPC.
49:19There is another, I mean, there is a file, a CGI file,
49:23that ends up allowing execution of the functions
49:27that are in these Lua modules.
49:28I didn't really look into how exactly it works.
49:31I just tried it and it worked, so.
49:35Microphone number four.
49:37Any idea why Free kept this particular device around
49:41for so many years, especially compared to other set-top boxes
49:45that retire after like three years?
49:48So, I think it's been a long time since it's not possible
49:52to get one anymore.
49:54But one of the reasons is that at some point,
49:57Free bought another ISP, which was called Alice ADSL at the time.
50:02And it was a bit cheaper than the free subscription.
50:06And you had no choice but to get this Freebox V5 and the Freebox HD.
50:11And some people just like what they have and don't want to change.
50:15And I guess these are the people who still have this box at home.
50:19But no matter what, they are going to replace it end of next year,
50:24if I have understood correctly.
50:27Thanks.
50:29One more question from the Internet.
50:32Yes, the Internet wonders.
50:34Have you looked into the newer Freeboxes,
50:37if you can do something with them?
50:39So, right now, I'd say Free is still my ISP.
50:47And I have a newer Freebox.
50:51I prefer not to say.
50:56But, let's say, I really need my Internet access to remain up at the time.
51:05So, I prefer not to say.
51:10Okay.
51:11Any last question?
51:13Thanks a lot, Frédéric, for this amazing talk.
51:20A last warm round of applause, please.
51:22Merci beaucoup.