亚历克斯·普拉斯克特与罗伯特·埃雷拉_注意听Sonos的空中远程内核利用与秘密窃听.pdf

《亚历克斯·普拉斯克特与罗伯特·埃雷拉_注意听Sonos的空中远程内核利用与秘密窃听.pdf》由会员分享，可在线阅读，更多相关《亚历克斯·普拉斯克特与罗伯特·埃雷拉_注意听Sonos的空中远程内核利用与秘密窃听.pdf（52页珍藏版）》请在三个皮匠报告上搜索。

1、#BHUSA BlackHatEventsListen Up:Sonos OverListen Up:Sonos Over-TheThe-Air Air Remote Kernel Exploitation and Remote Kernel Exploitation and Covert WiretapCovert WiretapRobert Herrera NCC GroupAlex Plaskett NCC Group#BHUSA BlackHatEvents$who$whoRobert Herrera NCC Group Hardware/Embedded Security Team(

2、HES)Alex Plaskett NCC Group Exploit Development Group(EDG)#BHUSA BlackHatEventsDevice IntroductionDevice IntroductionSonos OneSonos Era-100#BHUSA BlackHatEventsSonos One Sonos One WiWi-Fi ExploitationFi Exploitation#BHUSA BlackHatEventsBackgroundBackgroundNCC EDG previously researched Sonos Generati

3、on 2 for Pwn2OwnFound vulnerabilities of their ownCombined techniques with public research by bl4sty/Synacktiv etc.Wi-Fi driver was missing stack cookies!Sonos issued CVE-2023-50809Sonos S2 fix release 15.9(October 17,2023)Sonos S1 release 11.12(November 15,2023)MediaTek MT7615 fix release(CVE-2024-

4、20018)-January 2024https:/ BlackHatEventsSonos One Sonos One Device ReconDevice Recon UART exposed TX of device gives boot log(and kernel panic output!)RX of device U-Boot password protected Nothing afterwards Wi-Fi enabled by Wi-Fi Card connected via PCIe slot#BHUSA BlackHatEventsSonos One Sonos On

5、e Platform ReconPlatform Recon CONFIG_RANDOMIZE_BASE is not set No stack canaries within compiled Kernel Modules Aarch64 ELF Kernel Modules SoftMac Wi-Fi Stack mt7615.ko MediaTek Wi-Fi SoC Most of the Wi-Fi implementation is parsed/handled in the kernel module as opposed to firmware.#BHUSA BlackHatE

6、ventsWiWi-Fi Kernel ModuleFi Kernel Module Enumerate“receive”functionality Some funcs may require PSK to trigger downstream logic Sanity funcs called by respective state machine.Sonos is the client in the connection but does support its own AP mode#BHUSA BlackHatEventsWPA2 Handshake Vuln(CVEWPA2 Han