analysis of polar routing security design

Posted by barello at 2020-04-16

I want to start with two things:

1、 Thanks to freebuf, we found hiwifi firmware on the website provided by freebuf. The Lua code on the 9003 squashfs file system has not been precompiled, which makes it possible for us to analyze polar routing based on source code. address

2、 After training, we found that hiwifi firmware decompression problem, in fact, you can use the open-source software 7zip under the windows operating system to decompress.

So, the focus of this issue is to analyze the source security design part of hiwifi Lua.

0 × 01 analysis idea

1、 Learn about the openwrt web authentication process.

2、 Understand the process of hiwifi web authentication and the analysis of communication authentication between hiwifi cloud.

0 × 02 analysis process

Test tool: use luaedit for source code reading. Connect openwrt to view the directory software winscp, because some files are generated after authentication.

1、 Openwrt web authentication process

1.1. Build openwrt virtual operation environment

1.2 network analysis and Lua source code analysis to understand the authentication process.

To build the openwrt virtual machine running environment and download the openwrt.vmdk file of x86 architecture, it is emphasized that if you only use one wireless network card to build the environment, it will fail, because openwrt requires two different network LANs and WANs.

Openwrt mainly realizes B / s interaction through the built-in web server uhttpd and Lua script language.

The interactive data package is captured by the packet capturing software as follows:

Through the account and password provided by the web interface, return the token that the user maintains communication at the web end

And client authenticated cookies.

Then use winscp to log in to openwrt to view the file. You will find that the whole process of logging in and calling the file is as follows:

Through ccache.lua processing, it is found that the server-side changes / TMP / Luci sessions generate a file (session) of f10e9261c036d0c97db82c5ee568b34

This file stores a precompiled Lua script, which is mainly about the corresponding relationship between the mapped login user name and token.

JSON data form (saved database form):

It involves the hexadecimal output of encryption algorithm. encoded = encoded .. ("%2X" % string.byte(name, i))

Because the source code is too many not all written out, you can refer to the relevant bin file code.

Then look at how: / usr / lib / Lua / Luci / dispatcher.lua handles logins: the authenticator.htmlauth function is found.

Validator {}, mainly through MD5 verification of the submitted password. If it matches, it returns true.

How did sysauth come into being?

By querying / usr / lib / Lua / Luci / sauth.lua

Key code:

From the above code, we can see that session generation is related to time. To solve this problem, we need to traverse the system time. It's a little difficult.

Of course, on the polar route, I found that there would be a function call authenticator {} before this, but I didn't find the specific function writing content in Lua code. Later, I found the full-text content through luaedit tool. In the file. This is explained in the last chapter.

Summary: it can be seen that the server token will be generated on openwrt only after the authentication is passed and saved in the local file of uhttpd server. The whole process can't be forged basically, and the login authentication system is relatively safe, of course, there are also loopholes, including password traversal attempts.

2、 Understand the communication analysis between the hiwifi web authentication process and the hiwifi cloud

I applied for the root permission of polar route to view the newly generated files in its directory through winscp login. Originally, two open-source decompilation tools, unlua and luadec, the latest source code of lua, could not pass, so we had to look at the h5661-9003 version of the software.

The whole process is similar to openwrt, but some changes have been made. Change the path to / CGI bin / turbo / Admin web, and push the Ajax script to detect the content.


(1) Participate in key generation through the cloud.

(2) Increase the login retry limit (10 times). Number of times stored by verification / TMP / loginernum

(3) Set sandbox permissions for OpenAPI calls, as well as more strict token acquisition methods.

In / usr / lib / Lua / Luci / dispatcher.lua

Authenticator {}; no implementation found.

It is found that there may be authentication information in usr / lib / by querying the directory. Then throw it into IDA. Choose MIPS little endian

First, read the local storage token through cache load token v3. If not, apply for token

Nonce is generated automatically through the cloud platform, and the algorithm is only known by the cloud itself.

What we are looking for here is the checksum value.

Find TW get UUID and find it in the file

Of course, you can also use Python language to call so library to test its encryption algorithm.

UUID is generated by the MAC address of the device, plus a constant of 123456789123 and other complex algorithms. Because the UUID of each device is not the same, even if the MAC address of the other device is obtained, it cannot be used by forging a request. This multi factor verification mechanism greatly guarantees the security of cloud platform users.

In the sandbox part, it is actually the access directory restriction to obtain the key through the OpenAPI login to prevent secondary developers from developing malicious programs, and then millions of routers.

Summary of 0 × 03 safety design

It can be seen that from openwrt - > hiwifi 9003 - > hiwifi 9008 (currently the most used version of the 1s), the design of the software security part of the whole firmware is becoming more and more complex.

Abnormal safety design also meets business requirements:

(1) Basic security guarantee: the original Lua source code can be seen, and must be precompiled before releasing the device. The core algorithm and authentication library are put into the so file.

(2) Because we need to do router software market, after combining the cloud key verification mechanism, even if you crack the local algorithm, the cloud algorithm you don't know is useless.

Finally, praise the craftsman spirit of information security.

*The author of this article: bt0sea, this article belongs to the freebuf original award program, reprint is prohibited without permission