[IoT Security][Original] Vulnerability hunting on the DingTalk M1 smart fingerprint attendance terminal (Part 1)
Contact: wangkai0351@gmail.com
[Reproduction without the author's consent is prohibited]
The DingTalk M1s smart fingerprint attendance terminal supports four check-in methods (fingerprint, Wi-Fi, Bluetooth and GPS), lets attendance data be viewed in real time, generates attendance reports automatically so manual reconciliation is no longer needed, and stores the data in the cloud so it is not easily lost.
1. Firmware vulnerability analysis
1.1 Firmware extraction
1.1.1 Firmware extraction methods
a. Read the contents of the SPI flash chip directly
b. Access the device over the serial port (using the upload command in the boot console)
c. Obtain the image from the online firmware-upgrade channel
1.2 Firmware file analysis
a. binwalk signature scan of the firmware image 2018_5_20.bin:

$ binwalk 2018_5_20.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
135388        0x210DC         Unix path: /usr/local/lib
136444        0x214FC         Unix path: /dev/uart/0
136784        0x21650         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./heap_alloc_caps.c
137592        0x21978         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./ipc.c
138316        0x21C4C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./intr_alloc.c
151420        0x24F7C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/newlib/./locks.c
153984        0x25980         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/nvs_flash/src/nvs_pagemanager.cpp
154936        0x25D38         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/tcpip_adapter/./tcpip_adapter_lwip.c
158188        0x269EC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/./bravo.c
158608        0x26B90         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/../embedded/dingtalk/base/dt_log.c
160212        0x271D4         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./rtc_module.c
162508        0x27ACC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./crosscore_int.c
163212        0x27D8C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./phy_init.c
164840        0x283E8         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/fingerprint/./fingerprint.c
168032        0x29060         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/fingerprint/./fingerprint_helper.c
170560        0x29A40         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/fingerprint/./userIdpool.c
172452        0x2A1A4         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./alc5660.c
173328        0x2A510         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./fd650b.c
173548        0x2A5EC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./gpio_helper..c
173720        0x2A698         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./pcf8563.c
174092        0x2A80C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/logcache/./dt_log_fireeye.c
174372        0x2A924         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/logcache/./dt_log_flash.c
177628        0x2B5DC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_device.c
178748        0x2BA3C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_fingerprint.c
180436        0x2C0D4         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_root.c
184596        0x2D114         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_coredump_upload.c
185312        0x2D3E0         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/wifi/./wifi.c
192984        0x2F1D8         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/../embedded/dingtalk/lwp/dt_lwp_response.c
199756        0x30C4C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/../embedded/dingtalk/lwp/dt_lwp_mid.c
429436        0x68D7C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/app_update/./esp_ota_ops.c
430192        0x69070         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/ble/./dt_ble.c
432240        0x69870         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/ble/./dt_npc.c
433612        0x69DCC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/device/controller.c
434636        0x6A1CC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/hci/hci_layer.c
435060        0x6A374         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/hci/hci_packet_factory.c
435564        0x6A56C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/hci/packet_fragmenter.c
436272        0x6A830         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/osi/fixed_queue.c
436516        0x6A924         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/osi/future.c
468964        0x727E4         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/btu/btu_task.c
491312        0x77F30         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/l2cap/l2c_api.c
502756        0x7ABE4         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/l2cap/l2c_fcr.c
534680        0x82898         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/bta/dm/bta_dm_pm.c
540096        0x83DC0         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/bta/sys/bta_sys_main.c
540940        0x8410C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/btcore/bdaddr.c
541200        0x84210         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/gki/gki_buffer.c
555132        0x8787C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/btm/btm_ble_bgconn.c
590680        0x90358         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/device/interop.c
592260        0x90984         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./i2c.c
593324        0x90DAC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./i2s.c
596092        0x9187C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./uart.c
598004        0x91FF4         SHA256 hash constants, little endian
600212        0x92894         PEM RSA private key
600276        0x928D4         PEM EC private key
603708        0x9363C         PEM certificate
644556        0x9D5CC         PEM RSA private key
646264        0x9DC78         PEM certificate
647476        0x9E134         PEM RSA private key
649184        0x9E7E0         PEM certificate
650400        0x9ECA0         PEM RSA private key
652184        0x9F398         PEM certificate
653492        0x9F8B4         PEM certificate
662104        0xA1A58         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./heap_regions.c
662296        0xA1B18         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./queue.c
663168        0xA1E80         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./timers.c
663532        0xA1FEC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./ringbuf.c
6426992       0x621170        Unix path: /dev/uart/0
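The most security-relevant lines in that listing are the PEM private keys and certificates from 0x92894 onward: anything baked into the firmware image is identical on every unit shipped, so whoever dumps one device's flash holds the same key material as every other device. The following is an added example, not code from the original post and not tooling the author used, that reproduces this part of the triage in Python: it scans a blob for PEM blocks and build-path strings, prints them binwalk-style with offsets, and carves the PEM blocks out for inspection. The firmware bytes it runs on are constructed inline; the key and certificate bodies are placeholder base64, not material from the real device.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-in for a firmware dump (NOT the real 2018_5_20.bin): filler
# bytes around one build-path string, one private key and one certificate, the
# same three kinds of artefact binwalk reported for the DingTalk image.
# The PEM bodies are placeholder base64, not real key material.
SAMPLE_KEY = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_CERT = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIBszCCAV2gAwIBAgIUOXplaceholderplaceholderplaceholderAAAAAAAA\n"
    b"-----END CERTIFICATE-----\n"
)
SAMPLE_FIRMWARE = (
    b"\x00" * 64
    + b"/home/admin/.jenkins/jobs/EXAMPLE_JOB/workspace/main/./app.c\x00"
    + b"\xff" * 32
    + SAMPLE_KEY
    + b"\x00" * 16
    + SAMPLE_CERT
    + b"\xff" * 32
)

# A PEM block is BEGIN/END armour around a body; DOTALL lets the body span
# lines and the \1 back-reference forces the END label to match the BEGIN label.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
# A printable, NUL-free run starting with '/' and ending in a C/C++ source suffix.
PATH_RE = re.compile(rb"/[\x21-\x7e]*?\.(?:c|cpp|h)\b")


@dataclass
class Finding:
    offset: int   # byte offset in the blob, as binwalk prints it
    kind: str     # "pem" or "path"
    label: str    # PEM label (e.g. "RSA PRIVATE KEY") or the path itself
    data: bytes   # raw matched bytes, so PEM blocks can be carved out


def scan_firmware(blob: bytes) -> List[Finding]:
    """Locate PEM blocks and source-path strings, ordered by offset."""
    findings = [
        Finding(m.start(), "pem", m.group(1).decode("ascii"), m.group(0))
        for m in PEM_RE.finditer(blob)
    ]
    findings += [
        Finding(m.start(), "path", m.group(0).decode("ascii"), m.group(0))
        for m in PATH_RE.finditer(blob)
    ]
    return sorted(findings, key=lambda f: f.offset)


def private_keys(findings: List[Finding]) -> List[Finding]:
    """The findings that matter most: every PEM block whose label says PRIVATE KEY."""
    return [f for f in findings if f.kind == "pem" and "PRIVATE KEY" in f.label]


def carve_pems(findings: List[Finding]) -> Dict[str, bytes]:
    """Map a file name built from offset and label to the PEM bytes, ready to save."""
    return {
        f"{f.offset:#x}_{f.label.replace(' ', '_')}.pem": f.data + b"\n"
        for f in findings
        if f.kind == "pem"
    }


if __name__ == "__main__":
    results = scan_firmware(SAMPLE_FIRMWARE)
    print(f"{'DECIMAL':<12}{'HEXADECIMAL':<14}DESCRIPTION")
    for f in results:
        desc = "Unix path: " + f.label if f.kind == "path" else "PEM " + f.label.lower()
        print(f"{f.offset:<12}{f.offset:<#14x}{desc}")
    print(f"{len(private_keys(results))} private key(s) embedded in the image")
```

Point it at a real dump by replacing SAMPLE_FIRMWARE with the file's bytes; the carved files can then be checked with openssl to learn what each key is for (for example, whether a certificate's subject names the device model or a single shared client identity). What the keys in this particular image are used for is not established here and would be the next thing to pin down in the disassembly.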
The image was loaded straight into IDA Pro v6.8.

Running strings over the firmware recovers the paths and file names of the C source files compiled into it (the Jenkins workspace paths in the listing above). They show that the firmware is built on Espressif's ESP-IDF for the ESP32 (FreeRTOS, lwIP, NVS, the Bluedroid BLE stack, and esp_ota_ops.c for over-the-air updates) and name the vendor's own components: fingerprint, hardware (alc5660 audio codec, fd650b LED driver, pcf8563 RTC), logcache, root, wifi, ble and the DingTalk lwp protocol code. Those vendor components, together with the PEM private keys and certificates binwalk flags from 0x92894 onward, are the parts of the image worth the closest look.
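Dropping a raw ESP32 image into a disassembler only becomes useful once each segment is mapped at the address the ROM loader would place it at, and the image format itself carries that information. The example below is added here and is not part of the original post: it parses the ESP32 app-image header and segment table, verifies the image's XOR checksum and (when present) the appended SHA-256, and classifies each load address against the standard ESP32 memory map, which yields the (file offset, load address, size) triples needed to create segments by hand in IDA. It runs on an image constructed inline. For a full flash dump like the one analysed here, the app image must first be sliced out at its partition offset; 0x10000 is the default in ESP-IDF partition tables, but whether this device uses the default is an assumption, and the partition table at 0x8000 should be read to confirm it.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ESP_IMAGE_MAGIC = 0xE9      # first byte of every ESP image
ESP_CHECKSUM_MAGIC = 0xEF   # seed of the XOR checksum over all segment data
# esp_image_header_t (24 bytes): magic, segment_count, spi_mode, spi_speed/size,
# entry_addr, wp_pin, spi_pin_drv[3], chip_id, min_chip_rev, reserved[8], hash_appended
IMAGE_HEADER_FMT = "<BBBBIB3sHB8sB"
SEGMENT_HEADER_FMT = "<II"  # load_addr, data_len; data_len bytes of payload follow

# Standard ESP32 address map (per the ESP32 Technical Reference Manual).
ESP32_REGIONS = [
    ("DROM (flash data via cache)", 0x3F400000, 0x3F800000),
    ("DRAM", 0x3FFB0000, 0x40000000),
    ("IRAM", 0x40080000, 0x400A0000),
    ("IROM (flash code via cache)", 0x400D0000, 0x40400000),
]


@dataclass
class Segment:
    load_addr: int
    file_offset: int  # offset of the first payload byte inside the image
    length: int
    region: str


@dataclass
class EspImage:
    entry_addr: int
    chip_id: int
    segments: List[Segment]
    checksum_ok: bool
    sha256_ok: Optional[bool]  # None when the image carries no appended hash


def region_of(addr: int) -> str:
    return next((n for n, lo, hi in ESP32_REGIONS if lo <= addr < hi), "unknown")


def parse_esp_image(img: bytes) -> EspImage:
    """Walk the header and segment table; verify checksum and appended SHA-256."""
    hdr_len = struct.calcsize(IMAGE_HEADER_FMT)
    if len(img) < hdr_len:
        raise ValueError("shorter than an image header")
    (magic, seg_count, _mode, _cfg, entry, _wp, _drv, chip_id,
     _rev, _reserved, hash_appended) = struct.unpack_from(IMAGE_HEADER_FMT, img, 0)
    if magic != ESP_IMAGE_MAGIC:
        raise ValueError(f"bad magic {magic:#x}: not an ESP image (wrong slice offset?)")
    off, checksum, segments = hdr_len, ESP_CHECKSUM_MAGIC, []
    for _ in range(seg_count):
        load_addr, length = struct.unpack_from(SEGMENT_HEADER_FMT, img, off)
        off += struct.calcsize(SEGMENT_HEADER_FMT)
        data = img[off:off + length]
        if len(data) != length:
            raise ValueError("segment runs past end of image: truncated dump?")
        for b in data:
            checksum ^= b
        segments.append(Segment(load_addr, off, length, region_of(load_addr)))
        off += length
    # The checksum byte is the last byte of the next 16-byte-aligned block.
    padded_len = (off + 1 + 15) & ~15
    if len(img) < padded_len:
        raise ValueError("image truncated before checksum byte")
    checksum_ok = img[padded_len - 1] == checksum
    sha256_ok = None
    if hash_appended == 1:
        sha256_ok = img[padded_len:padded_len + 32] == hashlib.sha256(img[:padded_len]).digest()
    return EspImage(entry, chip_id, segments, checksum_ok, sha256_ok)


def build_esp_image(segments: List[Tuple[int, bytes]], entry: int, hash_appended: bool = True) -> bytes:
    """Assemble an image in the same layout so the parser can be exercised offline."""
    body = bytearray(struct.pack(IMAGE_HEADER_FMT, ESP_IMAGE_MAGIC, len(segments), 0, 0,
                                 entry, 0xEE, b"\0\0\0", 0, 0, b"\0" * 8, int(hash_appended)))
    checksum = ESP_CHECKSUM_MAGIC
    for addr, data in segments:
        body += struct.pack(SEGMENT_HEADER_FMT, addr, len(data)) + data
        for b in data:
            checksum ^= b
    padded_len = (len(body) + 1 + 15) & ~15
    body += b"\0" * (padded_len - 1 - len(body)) + bytes([checksum])
    if hash_appended:
        body += hashlib.sha256(body).digest()
    return bytes(body)


# Constructed sample image (not the DingTalk firmware): three segments at typical
# ESP32 load addresses, with filler bytes standing in for code and data.
SAMPLE_SEGMENTS = [
    (0x40080000, b"\x36\x41\x00" * 20),   # IRAM: entry / interrupt code
    (0x3FFB0000, b"\x00" * 32),           # DRAM: initialised data
    (0x400D0018, b"\x12\x34" * 50),       # IROM: code executed through the flash cache
]
SAMPLE_IMAGE = build_esp_image(SAMPLE_SEGMENTS, entry=0x40080000)

if __name__ == "__main__":
    image = parse_esp_image(SAMPLE_IMAGE)
    print(f"entry {image.entry_addr:#010x} checksum_ok={image.checksum_ok} sha256_ok={image.sha256_ok}")
    for s in image.segments:
        print(f"file +{s.file_offset:#07x} -> {s.load_addr:#010x} {s.length:6d} bytes  {s.region}")
```

A failing checksum or hash on a dump taken over SPI usually means a misaligned slice or a read error rather than tampering, so it is worth checking before spending time on a disassembly that will not match what the device runs. IROM segments are the ones to mark as code: they are executed in place from flash through the cache, which is where most of the application logic (including the vendor components named above) lives.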
The ESP32 has three UART controllers: UART0, UART1 and UART2. Per the ESP32 Datasheet, version 2.1, their default pins on the chip package are:

U0RXD: pin 40 (GPIO3)
U0TXD: pin 41 (GPIO1)
U1RXD: pin 28 (GPIO9)
U1TXD: pin 29 (GPIO10)
U2RXD: pin 25 (GPIO16)
U2TXD: pin 27 (GPIO17)

Now look at the PCB for any of these three pairs: if one pair is routed out to pads or test points, that is very likely the board's serial debug port. Two practical notes: UART0 is the ESP-IDF console by default (the "/dev/uart/0" strings in the binwalk listing are that console's device name), so it is the pair to probe first; and on ESP32-WROOM-style modules GPIO9 and GPIO10 are wired to the module's internal SPI flash, so the UART1 pins are normally not available as a console at all.
Posted on 2018-05-19 16:13 by 大单GreatDane