From ae2c104b80d09d1a7ef8c923e43f95fe4c7548c8 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Thu, 17 Oct 2024 09:47:51 +0200
Subject: [PATCH 1/5] updates
---
 helpers/helpers_emba_defaults.sh | 1 +
 installer/IP00_extractors.sh | 3 ++-
 modules/F20_vul_aggregator.sh | 9 +++++++--
 modules/P18_BMC_decryptor.sh | 2 +-
 modules/S16_ghidra_decompile_checks.sh | 10 ++++++----
 modules/S17_cwe_checker.sh | 10 +++++-----
 modules/S18_capa_checker.sh | 18 +++++++++---------
 7 files changed, 31 insertions(+), 22 deletions(-)
diff --git a/helpers/helpers_emba_defaults.sh b/helpers/helpers_emba_defaults.sh
index ec635d0ed..81ba9ddc6 100755
--- a/helpers/helpers_emba_defaults.sh
+++ b/helpers/helpers_emba_defaults.sh
@@ -175,6 +175,7 @@ set_log_paths() {
 export S13_LOG="${LOG_DIR}/s13_weak_func_check.txt"
 export S13_CSV_LOG="${CSV_DIR}/s13_weak_func_check.csv"
 export S14_LOG="${LOG_DIR}/s14_weak_func_radare_check.txt"
+ export S14_CSV_LOG="${CSV_DIR}/s14_weak_func_radare_check.csv"
 export S16_LOG="${LOG_DIR}/s16_ghidra_decompile_checks.txt"
 export S17_LOG="${LOG_DIR}/s17_cwe_checker.txt"
 export S17_CSV_LOG="${CSV_DIR}/s17_apk_check.csv"
diff --git a/installer/IP00_extractors.sh b/installer/IP00_extractors.sh
index abc92a0ce..0021499a4 100755
--- a/installer/IP00_extractors.sh
+++ b/installer/IP00_extractors.sh
@@ -27,7 +27,8 @@ IP00_extractors(){
 print_git_info "payload_dumper" "EMBA-support-repos/payload_dumper" "Android OTA payload.bin extractor"
 print_git_info "smcbmc" "EMBA-support-repos/smcbmc" "Supermicro BMC firmware image decryptor"
 print_git_info "dji-firmware-tools" "EMBA-support-repos/dji-firmware-tools" "Tools for extracting, modding and re-packaging firmwares of DJI multirotor drones."
- print_pip_info "pycryptodome"
+ # print_pip_info "pycryptodome"
+ print_tool_info "python3-pycryptodome" 1
 # ubireader:
 # print_tool_info "python3-lzo" 1
 print_tool_info "liblzo2-dev" 1
diff --git a/modules/F20_vul_aggregator.sh b/modules/F20_vul_aggregator.sh
index 12ce48424..39597d71e 100755
--- a/modules/F20_vul_aggregator.sh
+++ b/modules/F20_vul_aggregator.sh
@@ -315,7 +315,9 @@ aggregate_versions() {
 print_output "[*] Software inventory aggregated:"
 for VERSION in "${VERSIONS_AGGREGATED[@]}"; do
 # ensure our set anchor is based on the binary name and is limited to 20 characters:
- local ANCHOR="${VERSION/:*/}"
+ local ANCHOR=""
+ ANCHOR=$(echo "${VERSION}" | cut -d ':' -f3-4)
+ ANCHOR="${ANCHOR//:/_}"
 ANCHOR="cve_${ANCHOR:0:20}"
 print_output "[+] Found Version details (${ORANGE}aggregated${GREEN}): ""${ORANGE}${VERSION}${NC}"
 write_link "f20#${ANCHOR}"
@@ -1082,7 +1084,10 @@ cve_extractor() {
 local BIN_LOG="${LOG_PATH_MODULE}/cve_details_${BINARY}_${VERSION}.log"
 write_log "[*] Vulnerability details for ${ORANGE}${BINARY}${NC} / version ${ORANGE}${VERSION}${NC} / source ${ORANGE}${VSOURCE}${NC}:" "${BIN_LOG}"
- write_anchor "cve_${BINARY:0:20}" "${BIN_LOG}"
+ local ANCHOR=""
+ ANCHOR=$(echo "${BINARY}_${VERSION}")
+ ANCHOR="cve_${ANCHOR:0:20}"
+ write_anchor "${ANCHOR}" "${BIN_LOG}"
 if [[ "${EXPLOIT_COUNTER_VERSION}" -gt 0 ]]; then
 write_log "" "${BIN_LOG}"
 grep -v "Statistics" "${LOG_PATH_MODULE}"/cve_sum/"${AGG_LOG_FILE}" >> "${BIN_LOG}" || true
diff --git a/modules/P18_BMC_decryptor.sh b/modules/P18_BMC_decryptor.sh
index d49d404ff..2bc87da1b 100755
--- a/modules/P18_BMC_decryptor.sh
+++ b/modules/P18_BMC_decryptor.sh
@@ -50,7 +50,7 @@ bmc_extractor() {
 "${EXT_DIR}"/smcbmc/smcbmc.py "${lBMC_FILE_PATH_}" "${lEXTRACTION_FILE_}" || print_error "[-] BMC decryption failed for ${lBMC_FILE_PATH_}"
 print_ln
- if [[ -f "${lEXTRACTION_FILE_}" ]]; then
+ if [[ -s "${lEXTRACTION_FILE_}" ]]; then
 export FIRMWARE_PATH="${lEXTRACTION_FILE_}"
 print_output "[+] Extracted BMC encrypted firmware file to ${ORANGE}${FIRMWARE_PATH}${NC}"
 backup_var "FIRMWARE_PATH" "${FIRMWARE_PATH}"
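Review bot: The anchor written in cve_extractor (`${BINARY}_${VERSION}` truncated to 20 characters) and the anchor linked from aggregate_versions (`cut -d ':' -f3-4` of VERSION with `:` turned into `_`) are derived independently, and `write_link "f20#${ANCHOR}"` only resolves if both derivations yield the same string; if fields 3-4 of VERSION are not exactly `BINARY:VERSION` the links break silently. The 20-character truncation also lets two binary/version pairs with a common prefix share one anchor, so a link may land on the wrong entry. I would keep the derivation in one helper called from both places, e.g. `cve_anchor() { local lA="${1//:/_}"; printf '%s' "cve_${lA:0:20}"; }` with `ANCHOR=$(cve_anchor "${BINARY}:${VERSION}")` here and `ANCHOR=$(cve_anchor "$(cut -d ':' -f3-4 <<< "${VERSION}")")` in aggregate_versions, so a later change to the format cannot desynchronise them. The `$(echo …)` in this hunk is already replaced by a plain assignment in patch 2; aggregate_versions and cve_extractor both continue outside their hunks.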
diff --git a/modules/S16_ghidra_decompile_checks.sh b/modules/S16_ghidra_decompile_checks.sh
index 7e5c6aa3d..7af3bd2e4 100755
--- a/modules/S16_ghidra_decompile_checks.sh
+++ b/modules/S16_ghidra_decompile_checks.sh
@@ -46,14 +46,16 @@ S16_ghidra_decompile_checks()
 local BINS_CHECKED_ARR=()
 if [[ "${FULL_TEST}" -ne 1 ]]; then
- # we only need to wait if we are not using the full_scan profile
+ # we need to wait in default mode for the results of S13 and S14
 module_wait "S13_weak_func_check"
+ module_wait "S14_weak_func_radare_check"
 fi
- if [[ -f "${S13_CSV_LOG}" ]]; then
- local BINARIES=()
+
+ if [[ -f "${S13_CSV_LOG}" ]] || [[ -f "${S14_CSV_LOG}" ]]; then
 # usually binaries with strcpy or system calls are more interesting for further analysis
 # to keep analysis time low we only check these bins
- mapfile -t BINARIES < <(grep "strcpy\|system" "${S13_CSV_LOG}" | sort -k 3 -t ';' -n -r | awk '{print $1}' || true)
+ local BINARIES=()
+ mapfile -t BINARIES < <(grep -h "strcpy\|system" "${S13_CSV_LOG}" "${S14_CSV_LOG}" | sort -k 3 -t ';' -n -r | awk '{print $1}' || true)
 fi
 for BINARY in "${BINARIES[@]}"; do
diff --git a/modules/S17_cwe_checker.sh b/modules/S17_cwe_checker.sh
index 9ff02c86c..e831e7584 100755
--- a/modules/S17_cwe_checker.sh
+++ b/modules/S17_cwe_checker.sh
@@ -32,10 +32,10 @@ S17_cwe_checker()
 local lCWE_CNT_=0
 local lTESTED_BINS=0
- # [[ "${IN_DOCKER}" -eq 1 ]] && cwe_container_prepare
 if [[ "${FULL_TEST}" -ne 1 ]]; then
- # we only need to wait if we are not using the full_scan profile
+ # we need to wait in default mode for the results of S13 and S14
 module_wait "S13_weak_func_check"
+ module_wait "S14_weak_func_radare_check"
 fi
 cwe_check
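Review bot: The condition now only requires one of `${S13_CSV_LOG}` / `${S14_CSV_LOG}` to exist, but the `grep -h` on the mapfile line is always handed both paths, so whenever only one module produced a CSV grep reports the missing file on stderr and exits 2; the trailing `|| true` belongs to awk and does not cover that. With both CSVs present the same binary is likely listed in each file, so `BINARIES` will carry it twice unless the `BINS_CHECKED_ARR` bookkeeping further down filters repeats, which I cannot see from the hunk. I would collect only the CSVs that exist into an array and grep that, and hoist `local BINARIES=()` above the `if` so the `for` loop at the end of the hunk is safe under `set -u` when neither file exists. The same applies to the cwe_check hunk in S17 and to the S18 hunk on the next line; S16_ghidra_decompile_checks and S17_cwe_checker continue outside their hunks.
```shell
  local BINARIES=()
  local lCSV_LOGS_ARR=()
  [[ -f "${S13_CSV_LOG}" ]] && lCSV_LOGS_ARR+=("${S13_CSV_LOG}")
  [[ -f "${S14_CSV_LOG}" ]] && lCSV_LOGS_ARR+=("${S14_CSV_LOG}")
  if [[ "${#lCSV_LOGS_ARR[@]}" -gt 0 ]]; then
    # … unchanged: comments on why strcpy/system binaries are selected …
    mapfile -t BINARIES < <(grep -h "strcpy\|system" "${lCSV_LOGS_ARR[@]}" | sort -k 3 -t ';' -n -r | awk '{print $1}' || true)
  fi
```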
@@ -87,11 +87,11 @@ cwe_check() {
 local lNAME=""
 local lBINS_CHECKED_ARR=()
- if [[ -f "${S13_CSV_LOG}" ]]; then
- local BINARIES=()
+ if [[ -f "${S13_CSV_LOG}" ]] || [[ -f "${S14_CSV_LOG}" ]]; then
 # usually binaries with strcpy or system calls are more interesting for further analysis
 # to keep analysis time low we only check these bins
- mapfile -t BINARIES < <(grep "strcpy\|system" "${S13_CSV_LOG}" | sort -k 3 -t ';' -n -r | awk '{print $1}' || true)
+ local BINARIES=()
+ mapfile -t BINARIES < <(grep -h "strcpy\|system" "${S13_CSV_LOG}" "${S14_CSV_LOG}" | sort -k 3 -t ';' -n -r | awk '{print $1}' || true)
 fi
 for lBINARY in "${BINARIES[@]}" ; do
diff --git a/modules/S18_capa_checker.sh b/modules/S18_capa_checker.sh
index b2a3b32c5..e0cdc9021 100755
--- a/modules/S18_capa_checker.sh
+++ b/modules/S18_capa_checker.sh
@@ -35,11 +35,11 @@ S18_capa_checker() {
 # we only need to wait if we are not using the full_scan profile
 module_wait "S13_weak_func_check"
 fi
- if [[ -s "${S13_CSV_LOG}" ]]; then
- local BINARIES=()
+ if [[ -f "${S13_CSV_LOG}" ]] || [[ -f "${S14_CSV_LOG}" ]]; then
 # usually binaries with strcpy or system calls are more interesting for further analysis
 # to keep analysis time low we only check these bins
- mapfile -t BINARIES < <(grep "strcpy\|system" "${S13_CSV_LOG}" | sort -k 3 -t ';' -n -r | awk '{print $1}' || true)
+ local BINARIES=()
+ mapfile -t BINARIES < <(grep -h "strcpy\|system" "${S13_CSV_LOG}" "${S14_CSV_LOG}" | sort -k 3 -t ';' -n -r | awk '{print $1}' || true)
 fi
 local lBINARY=""
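Review bot: S18_capa_checker now reads `${S14_CSV_LOG}` in the `if` of this hunk, but the wait block just above it (visible as context, `module_wait "S13_weak_func_check"`) still only waits for S13, whereas the S16 and S17 hunks on the previous line added `module_wait "S14_weak_func_radare_check"` next to it. Without that wait the `-f` test can run while S14 is still writing its CSV, so which binaries get selected depends on scheduling and can differ between runs. Add `module_wait "S14_weak_func_radare_check"` beside the S13 wait inside the same `if [[ "${FULL_TEST}" -ne 1 ]]` block, and update the comment above it the way the S16/S17 hunks do. Note also that the test was relaxed from `-s` to `-f`, so an empty CSV now passes; S18_capa_checker continues outside the hunk.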
@@ -82,12 +82,12 @@ S18_capa_checker() {
 # in normal operation we stop checking after the first 20 binaries
 # if FULL_TEST is activated we are testing all binaries -> this takes a long time
- lBINS_CHECKED_CNT=$(wc -l "${TMP_DIR}"/s18_checked.tmp 2>/dev/null || true)
- if [[ "${lBINS_CHECKED_CNT/\ *}" -gt 20 ]] && [[ "${FULL_TEST}" -ne 1 ]]; then
- print_output "[*] 20 binaries already analysed - ending capa binary analysis now." "no_log"
- print_output "[*] For complete analysis enable FULL_TEST." "no_log"
- break 2
- fi
+ # lBINS_CHECKED_CNT=$(wc -l "${TMP_DIR}"/s18_checked.tmp 2>/dev/null || true)
+ # if [[ "${lBINS_CHECKED_CNT/\ *}" -gt 40 ]] && [[ "${FULL_TEST}" -ne 1 ]]; then
+ # print_output "[*] 20 binaries already analysed - ending capa binary analysis now." "no_log"
+ # print_output "[*] For complete analysis enable FULL_TEST." "no_log"
+ # break 2
+ #fi
 else
 print_output "[-] Binary behavior testing with capa for $(print_path "${lBIN_TO_CHECK}") not possible ... unsupported architecture" "no_log"
 fi
From e2e0af986b07608286cdd22de90840201f341e39 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Thu, 17 Oct 2024 09:50:53 +0200
Subject: [PATCH 2/5] shellcheck
---
 modules/F20_vul_aggregator.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/F20_vul_aggregator.sh b/modules/F20_vul_aggregator.sh
index 39597d71e..aa67cd935 100755
--- a/modules/F20_vul_aggregator.sh
+++ b/modules/F20_vul_aggregator.sh
@@ -1085,7 +1085,7 @@ cve_extractor() {
 local BIN_LOG="${LOG_PATH_MODULE}/cve_details_${BINARY}_${VERSION}.log"
 write_log "[*] Vulnerability details for ${ORANGE}${BINARY}${NC} / version ${ORANGE}${VERSION}${NC} / source ${ORANGE}${VSOURCE}${NC}:" "${BIN_LOG}"
 local ANCHOR=""
- ANCHOR=$(echo "${BINARY}_${VERSION}")
+ ANCHOR="${BINARY}_${VERSION}"
 ANCHOR="cve_${ANCHOR:0:20}"
 write_anchor "${ANCHOR}" "${BIN_LOG}"
 if [[ "${EXPLOIT_COUNTER_VERSION}" -gt 0 ]]; then
From b2c7834c9d56626d14379e13b4ac7fc1a7316dc1 Mon Sep 17 00:00:00 2001
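Review bot: The two context comment lines that open the S18 hunk (`# in normal operation we stop checking after the first 20 binaries` and the FULL_TEST line) now describe a cutoff that the hunk disables, so capa runs on every selected binary regardless of `FULL_TEST` and the module's runtime is no longer bounded on large firmware. If the cutoff is meant to stay off, replace those two lines with `# capa is run for every binary selected above; the former 20-binary cutoff is disabled` and drop the commented block instead of keeping dead code; if it is meant to come back, the commented condition now says `-gt 40` while the message still reports 20 binaries, so the two should be reconciled before re-enabling. S18_capa_checker continues outside the hunk.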
From: m-1-k-3
Date: Thu, 17 Oct 2024 14:22:12 +0200
Subject: [PATCH 3/5] #1340 - pip deps
---
 installer/IP00_extractors.sh | 5 ++++-
 installer/IP99_binwalk_default.sh | 4 ++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/installer/IP00_extractors.sh b/installer/IP00_extractors.sh
index 0021499a4..02718b214 100755
--- a/installer/IP00_extractors.sh
+++ b/installer/IP00_extractors.sh
@@ -27,8 +27,10 @@ IP00_extractors(){
 print_git_info "payload_dumper" "EMBA-support-repos/payload_dumper" "Android OTA payload.bin extractor"
 print_git_info "smcbmc" "EMBA-support-repos/smcbmc" "Supermicro BMC firmware image decryptor"
 print_git_info "dji-firmware-tools" "EMBA-support-repos/dji-firmware-tools" "Tools for extracting, modding and re-packaging firmwares of DJI multirotor drones."
- # print_pip_info "pycryptodome"
 print_tool_info "python3-pycryptodome" 1
+ # sometimes the python pip installation is needed - probably this will be solved in the future
+ # probably it depends on the venv?!?
+ print_pip_info "pycryptodome"
 # ubireader:
 # print_tool_info "python3-lzo" 1
 print_tool_info "liblzo2-dev" 1
@@ -59,6 +61,7 @@ IP00_extractors(){
 pip_install "protobuf"
 pip_install "bsdiff4"
 pip_install "python-lzo>=1.14"
+ pip_install "pycryptodome"
 if ! [[ -d external/payload_dumper ]]; then
 git clone https://github.com/EMBA-support-repos/payload_dumper.git external/payload_dumper
diff --git a/installer/IP99_binwalk_default.sh b/installer/IP99_binwalk_default.sh
index 701f13493..d6e26c987 100755
--- a/installer/IP99_binwalk_default.sh
+++ b/installer/IP99_binwalk_default.sh
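Review bot: `pip_install "pycryptodome"` in the second hunk is added without a version constraint, unlike the neighbouring `pip_install "python-lzo>=1.14"`, and the same library is now also installed as the Debian package `python3-pycryptodome` in the first hunk, so which copy Python imports depends on the interpreter's path order, which the added comment itself leaves open. An unpinned PyPI install also pulls whatever release is current at build time, so two builds of the installer are not guaranteed to ship the same code. I would pin it, `pip_install "pycryptodome==<PINNED_VERSION>"` (placeholder; take the version from the image that was tested), and replace `# probably it depends on the venv?!?` with a sentence stating which consumer needs the pip copy in addition to the apt package. The matplotlib hunks in IP99_binwalk_default.sh on the next line have the same shape and the same two points apply there. IP00_extractors continues outside both hunks.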
@@ -40,6 +40,9 @@ IP99_binwalk_default() {
 print_tool_info "cabextract" 1
 print_tool_info "util-linux" 1
 print_tool_info "python3-matplotlib" 1
+ # sometimes the python pip installation is needed - probably this will be solved in the future
+ # probably it depends on the venv?!?
+ print_pip_info "matplotlib"
 # tools only available on Kali Linux:
 if [[ "${OTHER_OS}" -eq 0 ]] && [[ "${UBUNTU_OS}" -eq 0 ]]; then
@@ -91,6 +94,7 @@ IP99_binwalk_default() {
 y|Y ) apt-get install "${INSTALL_APP_LIST[@]}" -y --no-install-recommends
 pip_install "setuptools"
+ pip_install "matplotlib"
 git clone https://github.com/EMBA-support-repos/binwalk_ospg.git external/binwalk
 cd external/binwalk || ( echo "Could not install EMBA component binwalk" && exit 1 )
From be9d58d4a5fd48eacc45f82ee4b1e555afec8602 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Thu, 17 Oct 2024 14:22:38 +0200
Subject: [PATCH 4/5] update bse image
---
 docker-compose.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 15f3380c1..74ec84039 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
 # nosemgrep
 emba:
- image: embeddedanalyzer/emba:1.4.2g
+ image: embeddedanalyzer/emba:1.4.2h
 container_name: emba
 read_only: true
 # all pre-checker mount modules need privileged mode
@@ -50,7 +50,7 @@ services:
 soft: 0
 emba_quest:
- image: embeddedanalyzer/emba:1.4.2g
+ image: embeddedanalyzer/emba:1.4.2h
 container_name: emba_quest
 read_only: true
 tmpfs:
From f0366ce7e65df0fbe0cca081693c40e035ab2132 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Thu, 17 Oct 2024 14:42:16 +0200
Subject: [PATCH 5/5] spaces
---
 modules/S18_capa_checker.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/S18_capa_checker.sh b/modules/S18_capa_checker.sh
index e0cdc9021..d95120ecb 100755
--- a/modules/S18_capa_checker.sh
+++ b/modules/S18_capa_checker.sh
@@ -87,7 +87,7 @@ S18_capa_checker() {
 # print_output "[*] 20 binaries already analysed - ending capa binary analysis now." "no_log"
 # print_output "[*] For complete analysis enable FULL_TEST." "no_log"
 # break 2
- #fi
+ # fi
 else
 print_output "[-] Binary behavior testing with capa for $(print_path "${lBIN_TO_CHECK}") not possible ... unsupported architecture" "no_log"
 fi