e-m-b-a / emba

EMBA - The firmware security analyzer
https://www.securefirmware.de
GNU General Public License v3.0

Fix to prevent the detection of binaries not being present in the firmware #1138

Closed chconil closed 2 months ago

chconil commented 2 months ago

S09_firmware_base_version_check.sh incorrectly detects multiple binaries that are not present in the firmware.

Forcing the binary name (${VERSION_IDENTIFIER}) to be present at the start of the dumped strings, instead of anywhere inside, removes a lot of incorrectly detected binaries, while preserving all the correctly detected ones.

The fix corrects for example the wrong detection on OpenSSL 1.1.1a, even if it's not present in the firmware.

[Screenshot from 2024-04-22 11-12-39]

m-1-k-3 commented 2 months ago

Good catch. Thank you for highlighting this issue. Nevertheless, the area to fix would be the regex for detection over here:

https://github.com/e-m-b-a/emba/blob/50489254b9ccbe23068da2b1315be48900c8e96b/config/bin_version_strings.cfg#L521

chconil commented 2 months ago

This is not only related to OpenSSL, at least in my case. This problem also happened on my firmware for:

For OpenSSL we had two occurrences, one in the source of "ntpsec" (version 1.1.1a), the other in the source of "lib-dynload" (1.0.1). That's why I thought this is a more general issue.

Let me know :-)

m-1-k-3 commented 2 months ago

This is an issue that we probably can see more often. The problem is now that there are multiple regex definitions that are not optimized for matching the pattern "^regex$". If we enforce this mechanism now in the grep command we are going to break them. So, I would suggest to fix the known weak regexes that produce fp and leave the others alive.

m-1-k-3 commented 2 months ago

Something like the following should work as OpenSSL configuration:

openssl;;OpenSSL OR Apache-2.0;"^OpenSSL\ [0-9](\.[0-9]+)+?\ ";"sed -r 's/OpenSSL\ ([0-9](\.[0-9]+)+?).*$/openssl:openssl:\1/'";
openssl;;OpenSSL OR Apache-2.0;"^OpenSSL\ [0-9](\.[0-9]+)+?(-[a-z]+)\ ";"sed -r 's/OpenSSL\ ([0-9](\.[0-9]+)+?)((-[a-z]+)?)\ .*$/openssl:openssl:\1\2/'";
openssl;;OpenSSL OR Apache-2.0;"^OpenSSL\ [0-9](\.[0-9]+)+?([a-z]+)?-";"sed -r 's/OpenSSL\ ([0-9](\.[0-9]+)+?([a-z]+)?)-.*$/openssl:openssl:\1/'";
openssl;;OpenSSL OR Apache-2.0;"^OpenSSL\ [0-9](\.[0-9]+)+?([a-z]+)?\ ";"sed -r 's/OpenSSL\ ([0-9](\.[0-9]+)+?([a-z]+)?)\ .*$/openssl:openssl:\1/'";
openssl;;OpenSSL OR Apache-2.0;"^OpenSSL\ [0-9](\.[0-9]+)+?(-[a-z]+)$";"sed -r 's/OpenSSL\ ([0-9](\.[0-9]+)+?)((-[a-z]+)?)$/openssl:openssl:\1\2/'";
openssl;;OpenSSL OR Apache-2.0;"part of OpenSSL\ [0-9](\.[0-9]+)+?\ ";"sed -r 's/OpenSSL\ ([0-9](\.[0-9]+)+?).*$/openssl:openssl:\1/'";
openssl;;OpenSSL OR Apache-2.0;"part of OpenSSL\ [0-9](\.[0-9]+)+?(-[a-z]+)\ ";"sed -r 's/OpenSSL\ ([0-9](\.[0-9]+)+?)((-[a-z]+)?)\ .*$/openssl:openssl:\1\2/'";
openssl;;OpenSSL OR Apache-2.0;"part of OpenSSL\ [0-9](\.[0-9]+)+?([a-z]+)?-";"sed -r 's/OpenSSL\ ([0-9](\.[0-9]+)+?([a-z]+)?)-.*$/openssl:openssl:\1/'";
openssl;;OpenSSL OR Apache-2.0;"part of OpenSSL\ [0-9](\.[0-9]+)+?([a-z]+)?\ ";"sed -r 's/OpenSSL\ ([0-9](\.[0-9]+)+?([a-z]+)?)\ .*$/openssl:openssl:\1/'";
openssl;;OpenSSL OR Apache-2.0;"part of OpenSSL\ [0-9](\.[0-9]+)+?(-[a-z]+)$";"sed -r 's/OpenSSL\ ([0-9](\.[0-9]+)+?)((-[a-z]+)?)$/openssl:openssl:\1\2/'";

This will ensure we do not fall into fp because of some text referring to "asdf OpenSSL 1.3.4" and we catch the emulation output as well as the strings output.
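To see the effect of the anchoring, here is an added example (not EMBA's own code) that runs one of the proposed grep/sed pairs, the "^OpenSSL <version><letter> " line, over a constructed strings dump and compares the hit count with the old unanchored pattern. It assumes GNU grep -E and GNU sed -r, as S09 uses; the sample strings are constructed for this example.

```shell
#!/bin/sh
# Added example, not EMBA's own code: apply a proposed anchored grep/sed pair
# from the configuration above to a constructed `strings` dump and compare it
# with the old unanchored match. Assumes GNU grep -E and GNU sed -r.

# Pattern and sed expression copied from the proposed "^OpenSSL <ver><letter> " line.
GREP_ANCHORED='^OpenSSL\ [0-9](\.[0-9]+)+?([a-z]+)?\ '
SED_ANCHORED='s/OpenSSL\ ([0-9](\.[0-9]+)+?([a-z]+)?)\ .*$/openssl:openssl:\1/'

# Old behaviour: the same version pattern, but allowed anywhere in the string.
GREP_OLD='OpenSSL\ [0-9](\.[0-9]+)+?([a-z]+)?\ '

# Constructed sample of strings output: one genuine OpenSSL version banner,
# plus two strings from other binaries that merely mention OpenSSL.
sample_strings() {
  printf '%s\n' \
    'OpenSSL 1.1.1k  25 Mar 2021' \
    'asdf OpenSSL 1.3.4 is mentioned in a help text' \
    'ntpsec requires OpenSSL 1.0.1 or later'
}

# Number of sample strings matched by a grep -E pattern ($1).
count_hits() {
  sample_strings | grep -c -E -e "$1"
}

# Identifiers the anchored pair extracts: only the real banner survives.
detect_anchored() {
  sample_strings | grep -E -e "$GREP_ANCHORED" | sed -r "$SED_ANCHORED"
}

echo "unanchored hits: $(count_hits "$GREP_OLD")"    # 3 (two false positives)
echo "anchored hits:   $(count_hits "$GREP_ANCHORED")" # 1
echo "detected:        $(detect_anchored)"            # openssl:openssl:1.1.1k
```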

m-1-k-3 commented 2 months ago

I will update the OpenSSH detection soon. In the meantime you can find and comment it here https://github.com/m-1-k-3/emba/blob/further_updates/config/bin_version_strings.cfg