Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Using Buildroot for Security Research of IoT and Other Embedded Systems

These days many vendors, like IoT vendors, use Linux running on top of ARM CPU for their embedded solutions. Some of these vendors use a tool called buildroot (https://buildroot.org) to produce a root filesystem for the device. This becomes obvious when grepping through binaries on the filesystem of certain embedded devices. At the same time many binaries useful for security research can be missing on the device. In this post I will show you how to use buildroot to add tools necessary for doing security research on an embedded device.

Imagine we have shell access to the router and while looking at binary strings we've spotted "Buildroot 2012.02" string:

strings – wget | grep -i buildroot
GCC: (Buildroot 2012.02) 4.5.3

This means we can try to reproduce the build environment used by developers using discovered Buildroot version.

Download ubuntu-12.04.5-server-i386.iso from http://releases.ubuntu.com/12.04/

Why use legacy version 12.04? Buildroot 2012.02 most likely was built on that version, so less likely there will be some conflicts with newer versions of dependencies. Why 32-bit? Again, target ARM CPU binaries are 32-bit.

Create a VM and bring it up to date with:

sudo apt-get clean
sudo rm -rf /var/lib/apt/lists/*
sudo apt-get update
sudo apt-get upgrade

Followed by installing necessary components:

sudo apt-get install build-essential libncurses5-dev bison flex gettext texinfo unzip

Download buildroot-2012.02 and unpack it:

curl -O https://buildroot.org/downloads/buildroot-2012.02.tar.gz
tar -zxvf buildroot-2012.02.tar.gz
cd buildroot-2012.02
make menuconfig

Select desired utilities to build under the "Package Selection for the target": lsof, ltrace, strace, and then under "System configuration" select "Build gdb server for the Target" and save the config. Finally complete the compilation with:

make

Give it some time to download required components and do the work (may take an hour or so). Once it is done, you can grab just baked binaries from the ./output/target/ directory. For example, the gdb server is at:

./output/target/usr/bin/gdbserver

How can we use them? Well first you need to upload the binaries to the embedded system. In our case, the router has USB slots so it is a matter of copying the binaries to a thumb drive and plugging it into the router. At that point you should have binaries ready to use to research the embedded device.

Here are a few examples that I found very useful:

  1. Trace process starts via the strace utility:
/path/to/usb_drive/strace -f -s 4096 -f -e execve -p <PID>
  1. Remotely debug a process using Hex-Rays IDA:
/path/to/usb_drive/gdbserver --attach 192.168.1.1:9000 <PID>

Now on the IDA machine configure the "Debugger - use remote GDB debugger". Under Debugger->Process options specify proper path to the binary on embedded system, IP and port (192.168.1.1 and 9000 in the example above). Finally use Debugger->Attach to process menu item to actually connect via the network and debug.

  1. Use lsof to get mappings of TCP/UDP ports to processes. Otherwise it can be done manually by examining /proc/net/tcp file and then looking for file descriptors.

On a closing note, sometimes vendors will publish source code for some parts of a device if they use some GPL'ed components. This might be another way to produce the binaries we need - we can get kernel version, some sources and so on. Sometimes it is even possible to build entire root filesystem using instructions from the vendor. Buildroot just saves time by doing a lot of the work for us.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More