当前位置:首页 > 报告详情

亚历克斯·普拉斯克特与罗伯特·埃雷拉_注意听Sonos的空中远程内核利用与秘密窃听.pdf

上传人: 张** 编号:175487 2024-09-13 52页 2.62MB

1、#BHUSA BlackHatEventsListen Up:Sonos OverListen Up:Sonos Over-TheThe-Air Air Remote Kernel Exploitation and Remote Kernel Exploitation and Covert WiretapCovert WiretapRobert Herrera NCC GroupAlex Plaskett NCC Group#BHUSA BlackHatEvents$who$whoRobert Herrera NCC Group Hardware/Embedded Security Team(

2、HES)Alex Plaskett NCC Group Exploit Development Group(EDG)#BHUSA BlackHatEventsDevice IntroductionDevice IntroductionSonos OneSonos Era-100#BHUSA BlackHatEventsSonos One Sonos One WiWi-Fi ExploitationFi Exploitation#BHUSA BlackHatEventsBackgroundBackgroundNCC EDG previously researched Sonos Generati

3、on 2 for Pwn2OwnFound vulnerabilities of their ownCombined techniques with public research by bl4sty/Synacktiv etc.Wi-Fi driver was missing stack cookies!Sonos issued CVE-2023-50809Sonos S2 fix release 15.9(October 17,2023)Sonos S1 release 11.12(November 15,2023)MediaTek MT7615 fix release(CVE-2024-

4、20018)-January 2024https:/ BlackHatEventsSonos One Sonos One Device ReconDevice Recon UART exposed TX of device gives boot log(and kernel panic output!)RX of device U-Boot password protected Nothing afterwards Wi-Fi enabled by Wi-Fi Card connected via PCIe slot#BHUSA BlackHatEventsSonos One Sonos On

5、e Platform ReconPlatform Recon CONFIG_RANDOMIZE_BASE is not set No stack canaries within compiled Kernel Modules Aarch64 ELF Kernel Modules SoftMac Wi-Fi Stack mt7615.ko MediaTek Wi-Fi SoC Most of the Wi-Fi implementation is parsed/handled in the kernel module as opposed to firmware.#BHUSA BlackHatE

6、ventsWiWi-Fi Kernel ModuleFi Kernel Module Enumerate“receive”functionality Some funcs may require PSK to trigger downstream logic Sanity funcs called by respective state machine.Sonos is the client in the connection but does support its own AP mode#BHUSA BlackHatEventsWPA2 Handshake Vuln(CVEWPA2 Han

word格式文档无特别注明外均可编辑修改,预览文件经过压缩,下载原文更清晰!
三个皮匠报告文库所有资源均是客户上传分享,仅供网友学习交流,未经上传用户书面授权,请勿作商用。
Sonos Era-100设备在安全性和启动过程中存在多个漏洞。其中一个关键漏洞是BL31安全监控器的漏洞,它允许攻击者在设备启动时覆盖环境变量,从而控制设备。此外,设备的eMMC存储也存在问题,可能导致数据泄露。Sonos设备的安全性很重要,因为它们通常用于家庭娱乐系统,处理大量的个人音乐和视频数据。Sonos已经发布了固件更新来修复这些问题,并且与OEM合作伙伴合作确保安全性的提升。然而,由于Sonos设备的广泛使用,这些漏洞可能影响了大量的用户。
"Sonos安全漏洞探秘" "如何利用Sonos漏洞获取权限" "Sonos设备安全更新解析"
客服
商务合作
小程序
服务号
折叠