Sunday, December 29, 2013

Pwning a SafeNET Microdog - Part 2

Part 2 - Microdog 3.4 Client Lib

The older (3.4) client lib actually used a different method to obfuscate the Dongle Serial and ID which doesn't use AES or any kind of hashing. 

First of all, there's an InfoBuffer area that starts with 'NEIWAIJM'. Not too far after that, we have two areas referenced by PickupDogID and PickupSerialNo - very nice of RainbowChina to leave this binary unstripped.



The algorithms for these are pretty straightforward:
- A DogSerial is 4 bytes.
- A DogID is 8 bytes.
- A DogSerial buffer is 48 bytes (4 * 12).
- A DogID buffer is 96 bytes (8 * 12).

Basically, a key is split into sections of 12 bytes. As each byte in a section is read, it is added to, subtracted from, or XORed with the current number, depending on its position in the section (byte 1, 2, 3, 4, 5, etc.).

For get_serial:
- bytes 0, 3, 6, 9 are added
- bytes 1, 4, 7, 10 are subtracted
- bytes 2, 5, 8, 11 are XORed

For get_dog_id:
- bytes 0, 3, 6, 9 are added
- bytes 1, 4, 7, 10 are XORed
- bytes 2, 5, 8, 11 are subtracted




How do we repack? Well, we COULD reverse this algorithm, but the algorithm itself is inherently weak...
Think about this: What happens when you Add, Subtract, or XOR 0? That's right, Nothing!!!

Technically, we could take an 8 byte DogID and 4 byte serial, split the bytes up and stick one at the beginning of each 12 byte row and it would work! Something like this:



And repacking our new dongle ID works :)
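The weakness described above, as an added example (not the author's code): the per-row fold for both routines and the zero-padded buffer, run on constructed values. The starting accumulator of 0, the modulo-256 arithmetic and all function names are assumptions.

```python
# Added example: the 12-byte row fold described in this post.
# Assumptions: accumulator starts at 0, arithmetic wraps modulo 256.

ROW = 12
SERIAL_OPS = ("add", "sub", "xor")   # get_serial: row positions 0/1/2 mod 3
DOGID_OPS = ("add", "xor", "sub")    # get_dog_id: row positions 0/1/2 mod 3


def fold_row(row: bytes, ops) -> int:
    """Collapse one 12-byte row into a single byte."""
    acc = 0
    for i, b in enumerate(row):
        op = ops[i % 3]
        if op == "add":
            acc = (acc + b) & 0xFF
        elif op == "sub":
            acc = (acc - b) & 0xFF
        else:
            acc ^= b
    return acc


def decode(buf: bytes, ops) -> bytes:
    """Fold every 12-byte row of a buffer: 48 bytes -> 4, 96 bytes -> 8."""
    if len(buf) % ROW:
        raise ValueError("buffer length must be a multiple of 12")
    return bytes(fold_row(buf[i:i + ROW], ops) for i in range(0, len(buf), ROW))


def zero_padded(value: bytes) -> bytes:
    """One value byte at the start of each row, zeros everywhere else."""
    return b"".join(bytes([v]) + bytes(ROW - 1) for v in value)


# Constructed sample values, not taken from any real dongle.
SAMPLE_SERIAL = bytes.fromhex("12345678")
SAMPLE_DOG_ID = bytes.fromhex("0011223344556677")

if __name__ == "__main__":
    print(decode(zero_padded(SAMPLE_SERIAL), SERIAL_OPS).hex())
    print(decode(zero_padded(SAMPLE_DOG_ID), DOGID_OPS).hex())
    # Two different rows, same result: the fold is many-to-one and keyless.
    noisy = bytes([0x10, 0x01, 0x0F]) + bytes(9)
    print(fold_row(noisy, DOGID_OPS), fold_row(bytes([2]) + bytes(11), DOGID_OPS))
```

Because the fold is keyless and many-to-one, the stored buffer gives the library no way to tell the original buffer from any other one that folds to the same bytes.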


Full Code:

Monday, December 23, 2013

Pwning a SafeNET Microdog - Part 1

Foreword
This one... this one's gonna be fun. For obvious reasons, I need to keep this pretty generic due to things I've worked on in the past that utilize this hardware. Will it help you further work with those? Probably...

Right now, I'm looking at three parts for this one - the first part is going to be an overview concluding with our first exploit. Okay? Let's dive in!!!

Overview
The SafeNET Microdog (originally owned by Rainbow China) is a USB- and LPT-based hardware dongle that is pretty popular for its low cost and its wide range of cross-platform/language capabilities.


To summarize the hardware:

- 200 bytes of flash memory that a dev can read/write.
- Password to set read only modes.
- Timeout for anti-debugging
- Unique Serial Numbers
- Unified ID numbers from the factory (to ensure a dongle only works with its libs)
- Embedded Cryptoprocessor (contains special hashing program)
- Multiple dongle daisy chain (cascade system)

There are 3 Parts:

Dongle itself
The dongle is accessed via either USB or LPT through a driver or user space daemon (depending on version). Payloads are sent to the dongle after authenticating to ensure only trusted sources communicate to it. The transaction passes data between the dongle and the driver/daemon.

Driver/Daemon
Older versions of the Microdog SDK (version 3.4) use a kernel module (usbdog.o/ko) for Linux that makes calls to the hardware, decrypts transactions from the client library in the program, sends data back to the program, etc.

Newer versions of the Microdog SDK (version 4.0) decided that only having certain kernel modules compiled for certain kernels was a horrible idea (as SafeNet/RC don't make the source code for their driver available for obvious reasons). As a result, they now use a user space daemon that communicates with the program via Unix domain sockets and with the dongle via standard USB control messages.

Windows has always gone the driver route, and that doesn't appear to be changing.

The protocol of the packets sent to the driver is unchanged regardless of the version (we'll get into that in a later part).

The Client Library
The main point of entry for a developer. Basically, you get a .h file (gsmh.h) and a mhwin.lib/mhlinux.o file to compile with your program. No source is included (obviously), and the library is basically set up like a black box. From this library, you can change the password, write to the dongle's flash area, get the manufacturer serial number, get the vendorID of the dongle, or (what most people do with it) convert any stream of bytes to a 4 byte response.

Basically, the main purpose of the dongle for obfuscation is DogConvert() - a function that hashes input data with its cryptoprocessor into a 4 byte response. Obviously, 32 bits isn't all that secure and Microdog expects you to do something else with such a primitive, but I digress.

So, where do we begin with exploiting this thing? Let's start with the client library :)

Hacking the Client Library
In normal operation, you can't use any old Microdog with a particular program. Also, you can't simply use any dongle with any client library - you need the client lib from the manufacturer when you set up the dongle originally. Let's change that so we can use any Microdog (given a program it was used for and any client library).

By comparing these two client libraries that have been initialized, we can see the only difference is this block:

This is called the DataPool in unstripped libs. It contains encrypted metadata about the dongle (VendorID, internal IDs, etc). By copying this data over a program in the right spot (it's pretty easy to find in something compiled with the client lib), the target should now communicate with the dongle. No converts will work right, though, unless the last 4 bytes of the internal memory are the same, as that determines the hashing algorithm.

Just copying it isn't interesting, however - let's actually decrypt it and see what's up:

As a note - mhlinux.o normally has the key located at 0xB500 for MD4.0 libs.

Essentially, it's a 112 byte sequence where the first 16 bytes are an IV, then 80 bytes of cipher, and 16 bytes of a key. Ripping through the client lib will pull up a number of functions that look suspiciously like Rijndael signatures - that's because they are. Basically, all these 16 byte rows are AES encrypted - decrypting them gives the plaintext that was embedded from the dongle at setup. From here, we can see the vendorID (the only value we need to make the dongle think we come from a trusted program).




This leads to another exploit: if we query the device descriptor of the dongle, we can get this vendorID. By replacing this value and then re-encrypting, we can use a dongle with any program without having a program it was originally used in.


In short, we can now talk to any dongle we have around with a generic client library which will come in handy when we start talking to dongles to emulate them and use them for other exploits soon :)

Stay Tuned!