A Mass-Storage-Based TOCTTOU Attack

Read It Twice! A mass-storage-based TOCTTOU attack

Collin Mulliner and Benjamin Michéle
Security in Telecommunications
Technische Universität Berlin and Telekom Innovation Laboratories
{collin,ben}@sec.t-labs.tu-berlin.de

Abstract

Consumer electronics and embedded devices often allow the installation of applications and firmware upgrades from user-provided mass-storage devices. To protect the integrity of these devices and the associated electronic markets, the software packages are protected by cryptographic signatures. The software installation code assumes that files on attached mass-storage devices cannot change while the storage device is connected. The software installation is therefore not bound to the file integrity check, thus laying the foundations for a time-of-check-to-time-of-use (TOCTTOU) attack. This work presents a TOCTTOU attack via externally attached mass-storage devices. The attack is based on emulating a mass-storage device to observe and alter file access from the consumer device. The TOCTTOU attack is executed by providing different file content to the check and installation code of the target device, respectively. The presented attack effectively bypasses the file content inspection, resulting in the execution of rogue code on the device.

Keywords: race condition, USB, mass-storage, consumer electronics, software attestation

1. Introduction

Consumer electronics today are heavily targeted by the hacking and modding community with the primary goal to modify or replace the software running the devices. To fulfill this goal the attacker (the modder) has to execute his own code on the target device. In most cases the attack further needs to gain system or root privileges on the target device.

There are many ways to achieve code execution and firmware replacement, mostly depending on the type of device and the software running on it. Low-cost devices are mostly not hardened against hacking and modding. Here the effort mostly comes down to figuring out file and firmware formats or finding the serial console on the hardware. More costly devices contain more sophisticated security measures. Here firmware upgrades are protected by cryptographic signatures. Attacking the more costly and thus protected devices comes down to finding and exploiting software bugs to achieve code execution, often requiring a lot of effort.

Many embedded systems and especially consumer electronics (CE) support the installation of software and firmware upgrades through attached mass-storage devices. Most commonly, USB mass-storage devices are used for this, such as flash drives and hard disks. Depending on the type of embedded system, Secure Digital (SD) and Compact Flash (CF) cards are also popular.

In this paper we present a novel time-of-check-to-time-of-use (TOCTTOU) attack that targets file content. We attack software installation and firmware upgrade code that reads files from an external mass-storage volume. Our attack is based on an emulated mass-storage device that makes it possible to change the content of files while the mass-storage volume is connected to the attacked target.

Our attack method is based on a number of observations that hold for many different consumer electronics devices today. The main observation is that code for software installation and firmware upgrade is separated into two parts: check and install. If each part implements its own file access, it is potentially prone to a TOCTTOU attack.

This work demonstrates a practical implementation of such an attack against a Linux-based TV-set. We show that we are able to install a shared library on the system, which is then loaded by the main application running on the TV-set. Our code runs with root privileges. Our attack currently is the only method to root a specific series of Samsung TV-sets. We further present a tool to analyze the behavior of CE devices to determine if a device might be susceptible to mass-storage-based TOCTTOU attacks.

Similar issues exist in the areas of trusted computing and software attestation. One party tries to verify or measure the integrity of another party (the other party's code) before accessing or using it. If a time window between measurement and access exists, the software attestation might be vulnerable to a TOCTTOU attack.

The contributions of this paper are the following:

  • Read It Twice (RIT) Attack, which is a mass-storage-based TOCTTOU attack based on the condition that software installation and firmware upgrade code are separated into two parts: check and install. If each code part individually reads file(s) from an external mass-storage device, an exploitable TOCTTOU condition might exist. Our attack also specifically accounts for a possibly existing block and file system cache on the target device. Our approach is different from traditional TOCTTOU attacks as we target the content of files and not their permissions.

  • USB-Mass-Storage RIT Attack Implementation and Evaluation against a Samsung TV-set. Using this attack we were able to gain code execution and root privileges on our target device.

  • Mass-Storage File Access Analysis Method and tool for black box investigation of file access to external mass-storage devices. This analysis method allows the detection of possible TOCTTOU conditions in firmware upgrade and software installation code of embedded systems that read files from external mass-storage devices.

The rest of this paper is organized as follows. In Section 2 we introduce our novel Read It Twice attack. In Section 3 we provide a brief overview of our target, a TV-set. Section 4 presents our Mass-Storage File Access Analysis method and tool. Our method is general and can be used for black box analysis of arbitrary devices that read files from a USB mass-storage device. In Section 5 we present a practical implementation of our RIT attack against the software installation subsystem of our TV-set. In Section 6 we discuss related work and in Section 7 we briefly conclude.

2. The Read It Twice Attack

Our Read It Twice (RIT) attack is based on the observation that software installation and firmware upgrade code on embedded devices assumes that files on an attached mass-storage device will not change during the installation. In general, an installation consists of the following steps:

  Check the software package or firmware upgrade. This step verifies version numbers and cryptographic signatures of the packages that are going to be installed.

  Install the actual software or firmware upgrade. This step copies the files from the external storage device to the internal storage or flashes the firmware.

The check and installation phases are not combined in an atomic operation, as file contents are assumed to be immutable while the mass-storage device is plugged in.

Our RIT attack works as follows. Consider the file-X that is expected by the check-install code. We have the benign file-B and the modified version file-M. We construct a mass-storage device that can observe the read requests to file-X. For the first access to file-X our mass-storage device serves the benign file-B. This is likely the check code that calculates and compares the cryptographic hashes or verifies other parameters contained in file-X. For the second read access to file-X our mass-storage device serves our modified file-M. This is likely the installation phase of the software install code.

The attack succeeds if the check code verifies the signature of the benign file file-B and then the install code uses the modified file file-M. Effectively our attack circumvents the signature check and/or file content inspection.

2.1. Boundary Conditions

There are two boundary conditions for our RIT attack that have to be resolved in real-world implementations. These are:

  File size of the benign file and the modified file likely need to be equal. Further, the filesystem usage must be exactly the same to guarantee that both files are located within the same blocks in each filesystem image.

  Block cache. Embedded devices running sophisticated operating systems such as Linux, BSD, and Windows implement a block cache. If the target file fits in the block or filesystem cache, the attack has to be adjusted so that the install code will read the file from the attached device rather than from the block cache.

Another boundary condition is that the target device does not copy the software package or firmware upgrade file to internal memory before checking it. This is an obvious countermeasure for our attack that we briefly discuss in Section 5.3. In the remainder of this paper we will discuss these boundary conditions and how we dealt with them to successfully launch our attack.

3. The Samsung TV-set

Our target TV-set is the Samsung LE32B650T2-PXZG [13], a 32 inch version of the Samsung B series LCD-based television set. We chose this TV-set because this series has a very active modding community called SamyGO [15]. Through this community many technical details of this line of Samsung TVs are available to the general public.

  <?xml version="1.0" encoding="utf-8"?>
  <contentlibrary>
    <contentpack id="tocttou">
      <category>Wellness</category>
      <title language_id="English">tocttou</title>
      <startpoint language_id="English">tocttou.so</startpoint>
      <thumbnailpath>tocttou.bmp</thumbnailpath>
      <totalsize>1</totalsize>
    </contentpack>
  </contentlibrary>

Figure 1. Example clmeta.dat file that we used for testing and the RIT attack.

nels, changing the TV settings, interacting with UPnP
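The check/install separation of Section 2 and the read-to-internal-memory countermeasure named among the boundary conditions, as an added C sketch that is not the paper's code: a constructed stand-in volume answers the first read of a file with file-B and every later read with file-M, install_check_then_reread re-reads the file between check and use, and install_read_once verifies and installs one in-memory copy. The FNV-1a digest stands in for the signature check, and all names here are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a mass-storage volume that, like the emulated
 * device described above, answers the first read of a file with the benign
 * content (file-B) and every later read with the modified content (file-M). */
struct volume {
    const char *benign;    /* file-B */
    const char *modified;  /* file-M, same length as file-B */
    int reads;             /* how often the file has been read so far */
};

static const char *volume_read(struct volume *v) {
    return v->reads++ == 0 ? v->benign : v->modified;
}

/* Stand-in for signature verification: FNV-1a over the bytes, compared against
 * the expected digest of file-B. A real device verifies a cryptographic
 * signature; only the structure of the check matters for this example. */
static uint32_t fnv1a(const char *s) {
    uint32_t h = 0x811c9dc5u;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 0x01000193u; }
    return h;
}

/* Vulnerable pattern: check and install each read the file from the volume.
 * Returns the content that gets installed, or NULL if the check rejected it. */
const char *install_check_then_reread(struct volume *v, uint32_t expected) {
    if (fnv1a(volume_read(v)) != expected)   /* time of check: sees file-B */
        return NULL;
    return volume_read(v);                   /* time of use: sees file-M */
}

/* Hardened pattern: read the file once into device memory, verify that copy and
 * install from the same copy, so check and use operate on identical bytes. */
const char *install_read_once(struct volume *v, uint32_t expected,
                              char *buf, size_t buflen) {
    const char *data = volume_read(v);
    if (strlen(data) >= buflen)
        return NULL;
    memcpy(buf, data, strlen(data) + 1);     /* single read into internal RAM */
    if (fnv1a(buf) != expected)
        return NULL;
    return buf;                              /* install exactly what was checked */
}
```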
