In this post, we will be discussing a specific attack vector that can be used after bypassing the bootloader process. Once a hacker gains access to the Das U-Boot prompt, they can proceed to take control of the underlying device. Our attack vector focuses on using TFTP to load a kernel and filesystem onto the target device. We will first set up the attack device and then attempt to gain root access to the target device.
TFTP, or Trivial File Transfer Protocol, is a widely used protocol due to its simplicity and usefulness. It is mainly used to retrieve or transmit files between compatible devices. TFTP uses UDP and typically runs over port 69. It is known for its efficiency and is often the file transfer protocol of choice. However, one drawback of TFTP is the lack of retransmission in case of lost packets.
To fully execute this attack vector, certain conditions must be met:
1. The bootloader process must be broken.
2. Access to the U-Boot prompt must be gained.
3. An attacker must have access to a network segment shared with the target device.
4. Prebuilt kernel, filesystem, and device tree files are required.
Once these conditions are met, we can proceed with the attack. As discussed in the previous parts of this series, we can interrupt the bootloader process to gain access to an intermediate stage of the boot process. In our case, we used the U-Boot example to illustrate this scenario. Once we have access to the U-Boot prompt, we can launch further attacks using the U-Boot syntax.
The chosen attack vector in this blog post involves using the TFTP protocol to bypass the intended boot process and replace it with our own firmware image. This type of attack is commonly used by vendors and companies for remote upgrades, making it a viable option for attackers to exploit without using foreign toolsets.
To fully realize this attack, we need to build three files using buildroot:
1. The kernel (zImage)
2. The filesystem (rootfs.cpio.uboot)
3. The device tree blob (versatilepb.dtb)
Once we have these files, we can proceed with the attack. We first need to set up and configure a host under the attacker’s control to serve as the TFTP server. We can install and configure the HPA’s TFTP server on a Debian-based system. After setting up the TFTP server, we can return to the U-Boot prompt and start leveraging its capabilities for our attack.
The steps involved in the attack are as follows:
1. Examine the DRAM structure to determine the correct load address for the kernel image.
2. Configure the network layer to establish communication with the attacker’s TFTP server.
3. Copy the required files from the TFTP server to the target device’s DRAM using TFTP.
4. Boot the target device using the kernel image and other required files.
5. Enjoy root privileges on the target device.
Throughout this three-part series, we have explored various aspects of the boot process, including bootloaders, Das U-Boot, and practical attack vectors. It is important to understand the boot process and potential vulnerabilities to protect against unauthorized access. We hope you have found this series insightful, and stay tuned for more content from Attify.