Since he is(!) an amazing hipster, he avoided the use of #Hopper and #IDA but chose #Binary Ninja to reverse all the important calls involved. We needed #DoubleDipper back in the game.

So, guess what, you need proper reversing skills to understand what is going on here. Attaching a debugger (Hopper) and setting some breakpoints here and there I quickly noticed there was a native C function performing AES crypto before the SOAP call was created. So quickly I understood the greatness of Frida (which gave me a quicker insight into where to look and especially in which areas of the binary not to waste any time).

SMMusicLibraryManager addRemoteShareWithPath:username:password

Frida without reversing is a bunch of nothing I guess

SMMusicLibraryManager _registerShareOnZPWithNetworkPath

The only thing they are good for is debugging and verifying the outcome of the real crypto routine responsible for putting the password in encrypted format on the wire. And guess what: I got our infosec hipsters (especially #DoubleDipper) hooked (Frida) good!

Frida

After tracing some methods, I quickly noticed that I was able to understand the password handling but these functions were not responsible for encrypting the password on the wire. Kingfishing is an internal Securify hipster term to lure a colleague into helping you. After huffing and puffing #hipsters got fed up with my approach and started pitching in, or did I lure them in?

Kingfishing

I quickly discovered many crypto implementations in the binary (Mach-O) but was unable to determine which one was actually used. In order to determine how the encryption was implemented in the macOS Sonos Desktop Controller I started a reverse engineering process by monitoring disk access, memory access, and an apparently too long time on the binary.
Access to these resources requires secure sharing of credentials.

First thing I noticed after configuring a share location is that the credentials used to gain access to the share (SMB) are transferred to the Sonos device in clear text (HTTP) and are consequently subject to potential MITM attacks.

Another important part of the same HTTP (SOAP) call shown in the Wireshark trace below is that my share username/password are somehow encrypted. The macOS Sonos Desktop Controller has the ability to add a new music library in multiple ways such as the use of an (SMB) network share, or a folder on the user’s system.

Introduction the SMB network share option

At least, I think that should be every nerdy business owner’s dream. or in better words: be part(!) of a crew that outsmarts me in all technical directions.

Hipster voices yelling from the back: "what the hell is taking you so long, use Frida dude!" If you are still reading this, try to be very happy that I am not going through all details of multiple pranks that eventually made me fall in love with Frida. This part of the journey is how I got introduced to hipster reverse tools.

Achievement unlocked

Before we start getting into the details of several Sonos vulnerabilities it is important to note that Securify has (too) many #infosec hipsters, shout out to #DoubleDipper and #OsdorpHotBoy. These two gentlemen are very eager to tell me that I am doing it all wrong and to stop messing around with the wrong tools.

In addition, Sonos Desktop Controller for Windows contains vulnerabilities that allow a malicious user or malware to share any file on the system. When these credentials are captured by a suitably positioned attacker (MiTM) on the network (for example open WiFi) they can be decrypted by enrolling to the same Sonos device as the victim (Sonos devices have no access control capabilities).
Before the credentials are shared by the Desktop Controller they are first encrypted (insecurely) and then sent over an insecure connection (HTTP). In order for the Sonos device to gain remote access to these music resources the network share credentials must be shared and stored on the Sonos device. Sonos Desktop Controller for Windows and MacOSX has the ability to add remote music libraries to a Sonos device by providing credentials of a network share (for example NAS) containing music or local folders on the user’s system.

Sonos has released a fix (v10.1) for Sonos Desktop Controller (Windows and Mac OSX) on April 3rd, 2019.

#TL DR

Older versions of the Desktop Controller app are also affected.

Sonos Desktop Controller for Windows version 10.0 build 48261220.
Sonos Desktop Controller for macOS version 10.0 build 48261220.

Frida without reversing is a bunch of nothing I guess.
Introduction the SMB network share option.