Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call
2023-12-4 18:26:39 Author: research.nccgroup.com(查看原文) 阅读量:9 收藏

Vendor: Sonos
Vendor URL: https://www.sonos.com/
Versions affected:
    * Confirmed 73.0-42060
Systems Affected: Sonos Era 100
Author: Ilya Zhuravlev 
Advisory URL: Not provided by Sonos. Sonos state an update was released on 2023-11-15 which remediated the issue. 
CVE Identifier: N/A
Risk: High

Summary

Sonos Era 100 is a smart speaker released in 2023. A vulnerability exists in the U-Boot component of the firmware which would allow for persistent arbitrary code execution with Linux kernel privileges. This vulnerability could be exploited either by an attacker with physical access to the device, or by obtaining write access to the flash memory through a separate runtime vulnerability.

Impact

An unsigned attacker-controlled rootfs may be loaded by the Linux kernel. This achieves a persistent bypass of the secure boot mechanism, providing early code execution within the Linux userspace under the /init process as the “root” user. It can be further escalated into kernel-mode arbitrary code execution by loading a custom kernel module.

Details

The implementation of the custom “sonosboot” command loads the kernel image, performs the signature check, and then passes execution to the built-in U-Boot “bootm” command. Since “bootm” uses the “bootargs” environment variable as Linux kernel arguments, the “sonosboot” command initializes it with a call to `setenv`:

setenv(“bootargs”,(char *)kernel_cmdline);

However, the return result of `setenv` is not checked. If this call fails, “bootargs” will keep its previous value and “bootm” will pass it to the Linux kernel.

On the Sonos Era 100 the U-Boot environment is loaded from the eMMC from address 0x500000. Whilst the factory image does not contain a valid U-Boot environment there, and we can confirm it through the presence of the “*** Warning – bad CRC, using default environment” warning message displayed on UART, it is possible to place a valid environment by directly writing to the eMMC with a hardware programmer.

There is a feature in U-Boot that allows setting environment variables as read-only. For example, setting “bootargs=something” and then “.flags=bootargs:sr” would make any future writes to “bootargs” fail. Thus, the Linux kernel will boot with an attacker-controlled “bootargs“.

As a result, it is possible to fully control the Linux kernel command line. From there, an adversary could append the “initrd=0xADDR,0xSIZE” option to load their own initramfs, overwriting the one embedded in the image.

By replacing the “/init” process it is then possible to obtain early persistent code execution on the device. 

Recommendation

  • Consider setting CONFIG_ENV_IS_NOWHERE to disable loading of a U-boot environment from the flash memory.
  • Validate the return value of setenv and abort the boot process if the call fails.

Vendor Communication

DateCommunication
2023-09-04Issue reported to vendor.
2023-09-07Sonos has triaged report and is investigating.
2023-11-29NCC queries Sonos for expected patch date.
2023-11-29Sonos informs NCC that they already shipped a patch on the 15th Nov.
2023-11-30NCC queries why there are no release notes, CVE, or credit for the issues.
2023-12-01NCC informs Sonos that technical details will be published the w/c 4th Dec.
2023-12-04NCC publishes blog and advisory.

Thanks to

Alex Plaskett (@alexjplaskett)

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Written by:  Ilya Zhuravlev

Here are some related articles you may find interesting

Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100

Research performed by Ilya Zhuravlev supporting the Exploit Development Group (EDG). The Era 100 is Sonos’s flagship device, released on March 28th 2023 and is a notable step up from the Sonos One. It was also one of the target devices for Pwn2Own Toronto 2023. NCC found multiple security weaknesses…

Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets

Multiple vulnerabilities identified in Adobe ColdFusion allow an unauthenticated attacker to obtain the service account NTLM password hash, verify the existence of a file or directory on the underlying operating system, and configure central config server settings.

Is this the real life? Is this just fantasy? Caught in a landslide, NoEscape from NCC Group

Author: Alex Jessop (@ThisIsFineChief) Summary Tl;dr This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving the Ransomware-as-a-Service known as NoEscape. Below provides a summary of findings which are presented in this blog post:  NoEscape NoEscape is a new financially…

View articles by category

Call us before you need us.

Our experts will help you.

Get in touch


文章来源: https://research.nccgroup.com/2023/12/04/technical-advisory-sonos-era-100-secure-boot-bypass-through-unchecked-setenv-call/
如有侵权请联系:admin#unsafe.sh