Difference between revisions of "Decompressing Snom Firmware"

From Secure Computing Wiki

Revision as of 10:25, 21 September 2016

I (krzee) recently decided to check if Snom ever decided to update their version of OpenVPN yet. About 18 months ago I informed them on their forum [1] that their versions of openssl and openvpn are insecure. When I went to reply to my own post to bump it, I found that Snom has decided to discontinue their web forum, and their new helpdesk is closed to the public. They will only allow their authorized resellers to use their new helpdesk. So now I can no longer reach them to see if they care about my request at all. I decided it was time to decompress their latest VPN firmware in order to see what version of openvpn it contains. I found the exact same version (2.2.2). Hopefully next time one of us decompresses their VPN firmware we will find an up-to-date version of openvpn and openssl (or better, mbedtls). In case they remove the web forum altogether, here was my post:

 
Posted 13 March 2015 - 11:02 AM by krzee

on snom710-SIP 8.7.5.13:

OpenSSL 1.0.0c 2 Dec 2010
OpenVPN 2.2.2 mips-linux [SSL] [LZO2] [EPOLL] [eurephia]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
https://community.openvpn.net/openvpn/wiki/CCSInjection

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenSSL1.0.1j

There is also an HMAC key leak in openvpn 2.3.0 and before.

What are the plans for updating openssl and openvpn?
That version of openssl is from 2010 and openvpn is from 2011!
 

I started with file, just in case I was looking at a zip/tar that they renamed .bin.

> file snom760-vpnfeature-r.bin 
snom760-vpnfeature-r.bin: data

It's not a known data format, so next I tried binwalk. The version from apt-get gave me nothing, so I installed the latest git and it said:

> binwalk snom760-vpnfeature-r.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
256           0x100           OpenSSL encryption, salted, salt: 0x-4BD2A526-583EEAB2

This let me know that I was going to need to use a root console on a Snom phone to pull out more info... The following are the commands (and contents of a file) that I used to decompress the files in the firmware package.

 
# Yes, that is 1024 :-p

> cat firmware1.pub 
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDpLolhDoYHzFJWkAG8IBS1xdM7
nloux+nWyB2sHdH3O+fzuXdzO7RSkflx/Yoa+GrFXPn1CMQMTiL7VScTU8d4wcvP
U7RJ1LaDX9Xpg/H9Py1Sfwz12bEJtXigTi6dT2QS6CrOI8zAZluzQArsoiEyQzjq
knHQIZiY+HLiiRNSTwIDAQAB
-----END PUBLIC KEY-----

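keyFile=update.key
pubFile=firmware1.pub
imgFile=snom760-vpnfeature-r.bin

# Second 128-byte block of the image: recover the AES key file using the RSA public key
dd if="$imgFile" bs=128 skip=1 count=1 2>/dev/null | openssl rsautl -verify -out "$keyFile" -inkey "$pubFile" -pubin >/dev/null 2>&1

# Offset 256 onwards: decrypt with that key file and unpack the gzipped tar into the current directory
dd if="$imgFile" bs=128 skip=2 2>/dev/null | openssl enc -aes128 -d -kfile "$keyFile" 2>/dev/null | tar --exclude=proc/.hidden --exclude=sys/.hidden -xzmf -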
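
The commands above send every error to /dev/null, so an image with a different layout fails silently. The following pre-flight check is an added example, not part of the original write-up: it confirms the layout implied by the dd offsets and the binwalk hit at 0x100 before anything is decrypted. The function names and the sample image are constructed for illustration, and it assumes the ciphertext runs to the end of the file.

```shell
#!/bin/sh
# Added example (not from the original page). Layout assumed from the dd
# commands above (bs=128): block 0 = header, block 1 = RSA block, and the
# "openssl enc" stream ("Salted__" + 8-byte salt + ciphertext) from 256.
# usage: snom_layout snom760-vpnfeature-r.bin

snom_layout() {
    img=$1
    size=$(wc -c < "$img" | tr -d ' ')
    # 256 bytes before the stream, 16 bytes of magic + salt, one AES block.
    if [ "$size" -lt 288 ]; then
        echo "too short: $size bytes" >&2
        return 1
    fi
    # Compare the magic as hex so NUL bytes in other files cannot confuse the shell.
    magic_hex=$(dd if="$img" bs=1 skip=256 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic_hex" != "53616c7465645f5f" ]; then   # ASCII "Salted__"
        echo "no Salted__ magic at offset 256" >&2
        return 2
    fi
    salt=$(dd if="$img" bs=1 skip=264 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n')
    body=$((size - 272))
    # AES-CBC output is a whole number of 16-byte blocks; warn if it is not
    # (assumption: nothing follows the ciphertext in the image).
    if [ $((body % 16)) -ne 0 ]; then
        echo "warning: ciphertext length $body is not a multiple of 16" >&2
    fi
    echo "salt=$salt ciphertext_bytes=$body"
}

# Constructed sample image (not real firmware): zero-filled header and RSA
# block, the magic, an 8-byte salt, and 32 bytes of filler "ciphertext".
make_sample() {
    {
        head -c 256 /dev/zero
        printf 'Salted__'
        printf '\001\002\003\004\005\006\007\010'
        head -c 32 /dev/zero
    } > "$1"
}
```

A non-zero return from snom_layout means the two dd offsets do not match the image and the extraction pipeline would produce nothing.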