FwHunt, CWE-Checker, Cyclone SBOM, Bug fixes, kernel-to-elf

.github/workflows/inactive_issues.yml

@@ -12,11 +12,11 @@ jobs:
     steps:
       - uses: actions/stale@v5
         with:
-          days-before-issue-stale: 14
-          days-before-issue-close: 7
+          days-before-issue-stale: 28
+          days-before-issue-close: 56
           stale-issue-label: "stale"
-          stale-issue-message: "This issue is stale because it has been open for 14 days with no activity."
-          close-issue-message: "This issue was closed because it has been inactive for 7 days since being marked as stale."
+          stale-issue-message: "This issue is stale because it has been open for 28 days with no activity."
+          close-issue-message: "This issue was closed because it has been inactive for 56 days since being marked as stale."
           days-before-pr-stale: -1
           days-before-pr-close: -1
           repo-token: ${{ secrets.GITHUB_TOKEN }}

Dockerfile

@@ -5,11 +5,13 @@ COPY ./installer /installer
 
 WORKDIR /
 
-# updates system, install EMBA, disable coredumps and final cleanup
+# updates system
 RUN apt-get update && \
     apt-get -y upgrade && \
-    apt-get -y install wget kmod procps sudo dialog apt-utils && \
-    yes | sudo /installer.sh -D && \
+    apt-get -y install wget kmod procps sudo dialog apt-utils curl git
+
+# install EMBA, disable coredumps and final cleanup
+RUN yes | sudo /installer.sh -D && \
     ulimit -c 0 && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /emba

README.md

@@ -28,9 +28,9 @@ Author(s): Michael Messner, Pascal Eckmann
 </p>
 
 # EMBA
-## The security analyzer for embedded device firmware
+## The security analyzer for firmware of embedded devices
 
-*EMBA* is designed as the central firmware analysis tool for penetration testers. It supports the complete security analysis process starting with the *firmware extraction* process, doing *static analysis* and *dynamic analysis* via emulation and finally generating a report. *EMBA* automatically discovers possible weak spots and vulnerabilities in firmware. Examples are insecure binaries, old and outdated software components, potentially vulnerable scripts or hard-coded passwords. *EMBA* is a command line tool with the option to generate an easy to use web report for further analysis.
+*EMBA* is designed as the central firmware analysis tool for penetration testers. It supports the complete security analysis process starting with the *firmware extraction* process, doing *static analysis* and *dynamic analysis* via emulation and finally generating a web report. *EMBA* automatically discovers possible weak spots and vulnerabilities in firmware. Examples are insecure binaries, old and outdated software components, potentially vulnerable scripts or hard-coded passwords. *EMBA* is a command line tool with the option to generate an easy to use web report for further analysis.
 
 *EMBA* combines multiple established analysis tools and can be started with one simple command. Afterwards it tests the firmware for possible security risks and interesting areas for further investigation. No manual installation of all helpers, once the integrated installation script has been executed, you are ready to test your firmware.
 
@@ -58,28 +58,11 @@ cd emba
 sudo ./installer.sh -d
 ```
 
-## Usage
-
----   
-### Classic (Docker mode):
-```console
-sudo ./emba.sh -l ./log -f /firmware
-```
-*Note: During installation at least 20GB of disk space is needed*
-
----   
-### Profile support:
+## Quick start with default scan profile:
 ```console
 sudo ./emba.sh -l ./log -f /firmware -p ./scan-profiles/default-scan.emba
 
 ```
----
-### Developer mode (WARNING: EMBA runs on your host and could harm your host!):
-```console
-./emba.sh -l ./log -f ./firmware -D
-```
-*WARNING: Before using the developer mode you need a full installation of EMBA with `sudo ./installer.sh -F`. This installation mode needs around 15 gigabyte of disk space and is only recommend for development environments.*
-
 ---
 *EMBA* supports multiple testing and reporting [options](https://github.com/e-m-b-a/emba/wiki/Usage#arguments). For more details check the [wiki](https://github.com/e-m-b-a/emba/wiki/Usage).
 

config/distri_id.cfg

@@ -3,7 +3,7 @@
 OpenWRT;/etc/banner;grep -a -o -E "KAMIKAZE.\(bleeding.edge..r[0-9]+\)";sort -u | sed -r 's/(KAMIKAZE) \(bleeding edge, (r[0-9]+)\)/OpenWRT \1 \2/'
 OpenWRT;/etc/banner;grep -a -o -E "BACKFIRE.\(bleeding.edge..r[0-9]+\)";sort -u | sed -r 's/(BACKFIRE) \(bleeding edge, (r[0-9]+)\)/OpenWRT \1 \2/'
 # Reboot (17.01.0-rc2, r3131-42f3c1f) -> LEDE
-OpenWRT;/etc/openwrt_release;grep -a -o -E -e "^DISTRIB_ID=.*" -a -o -E -e "^DISTRIB_RELEASE=.*" -a -o -E -e "^DISTRIB_REVISION=.*";sort -u | tr '\n' ' ' | sed 's/DISTRIB_ID=//g' | sed 's/DISTRIB_RELEASE=//g' | sed 's/DISTRIB_REVISION=//g' | tr -d \'
+OpenWRT;/etc/openwrt_release;grep -a -o -E -e "^DISTRIB_ID=.*" -a -o -E -e "^DISTRIB_RELEASE=.*" -a -o -E -e "^DISTRIB_REVISION=.*";sort -u | tr '\n' ' ' | sed 's/DISTRIB_ID=//g' | sed 's/DISTRIB_RELEASE=//g' | sed 's/DISTRIB_REVISION=//g' | tr -d \' | tr -d \"
 os-release-Linux;/etc/os-release;grep -a -o -E -e "^NAME=.*" -a -o -E -e "^VERSION=.*";sort -u | tr '\n' ' ' | sed 's/NAME=//g' | sed 's/VERSION=//g' | tr -d \"
 lsb-release-Linux;/etc/lsb-release;grep -a -o -E -e "^DISTRIB_ID=.*" -a -o -E -e "^DISTRIB_RELEASE=.*";sort -u | tr '\n' ' ' | sed 's/DISTRIB_ID=//g' | sed 's/DISTRIB_RELEASE=//g' | tr -d \"
 #debian-Linux;/etc/debian-version;-a -o -E -e ".*";sort -u

config/msf_cve-db.txt

@@ -714,6 +714,7 @@
 /usr/share/metasploit-framework/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb:CVE-2018-12464
 /usr/share/metasploit-framework/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb:CVE-2018-12465
 /usr/share/metasploit-framework/modules/exploits/linux/http/mida_solutions_eframework_ajaxreq_rce.rb:CVE-2020-15920
+/usr/share/metasploit-framework/modules/exploits/linux/http/mobileiron_core_log4shell.rb:CVE-2021-44228
 /usr/share/metasploit-framework/modules/exploits/linux/http/mobileiron_mdm_hessian_rce.rb:CVE-2020-15505
 /usr/share/metasploit-framework/modules/exploits/linux/http/multi_ncc_ping_exec.rb:CVE-2015-1187
 /usr/share/metasploit-framework/modules/exploits/linux/http/mutiny_frontend_upload.rb:CVE-2013-0136
@@ -756,6 +757,7 @@
 /usr/share/metasploit-framework/modules/exploits/linux/http/rconfig_ajaxarchivefiles_rce.rb:CVE-2019-19509
 /usr/share/metasploit-framework/modules/exploits/linux/http/rconfig_ajaxarchivefiles_rce.rb:CVE-2020-10220
 /usr/share/metasploit-framework/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb:CVE-2014-8361
+/usr/share/metasploit-framework/modules/exploits/linux/http/roxy_wi_exec.rb:CVE-2022-31137
 /usr/share/metasploit-framework/modules/exploits/linux/http/saltstack_salt_api_cmd_exec.rb:CVE-2020-16846
 /usr/share/metasploit-framework/modules/exploits/linux/http/saltstack_salt_api_cmd_exec.rb:CVE-2020-25592
 /usr/share/metasploit-framework/modules/exploits/linux/http/saltstack_salt_wheel_async_rce.rb:CVE-2021-25281
@@ -771,6 +773,7 @@
 /usr/share/metasploit-framework/modules/exploits/linux/http/sophos_wpa_iface_exec.rb:CVE-2014-2849
 /usr/share/metasploit-framework/modules/exploits/linux/http/sophos_wpa_iface_exec.rb:CVE-2014-2850
 /usr/share/metasploit-framework/modules/exploits/linux/http/sophos_wpa_sblistpack_exec.rb:CVE-2013-4983
+/usr/share/metasploit-framework/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb:CVE-2022-23642
 /usr/share/metasploit-framework/modules/exploits/linux/http/spark_unauth_rce.rb:CVE-2018-11770
 /usr/share/metasploit-framework/modules/exploits/linux/http/suitecrm_log_file_rce.rb:CVE-2020-28328
 /usr/share/metasploit-framework/modules/exploits/linux/http/suitecrm_log_file_rce.rb:CVE-2021-42840
@@ -875,6 +878,7 @@
 /usr/share/metasploit-framework/modules/exploits/linux/local/ufo_privilege_escalation.rb:CVE-2017-1000112
 /usr/share/metasploit-framework/modules/exploits/linux/local/vmware_alsa_config.rb:CVE-2017-4915
 /usr/share/metasploit-framework/modules/exploits/linux/local/vmware_mount.rb:CVE-2013-1662
+/usr/share/metasploit-framework/modules/exploits/linux/local/vmware_workspace_one_access_certproxy_lpe.rb:CVE-2022-31660
 /usr/share/metasploit-framework/modules/exploits/linux/misc/aerospike_database_udf_cmd_exec.rb:CVE-2020-13151
 /usr/share/metasploit-framework/modules/exploits/linux/misc/asus_infosvr_auth_bypass_exec.rb:CVE-2014-9583
 /usr/share/metasploit-framework/modules/exploits/linux/misc/cisco_rv340_sslvpn.rb:CVE-2022-20699
@@ -1249,7 +1253,7 @@
 /usr/share/metasploit-framework/modules/exploits/multi/misc/openview_omniback_exec.rb:CVE-2001-0311
 /usr/share/metasploit-framework/modules/exploits/multi/misc/persistent_hpca_radexec_exec.rb:CVE-2015-1497
 /usr/share/metasploit-framework/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb:CVE-2004-1389
-/usr/share/metasploit-framework/modules/exploits/multi/misc/weblogic_deserialize_asyncresponseservice.rb:CVE-2017-10271
+/usr/share/metasploit-framework/modules/exploits/multi/misc/weblogic_deserialize_asyncresponseservice.rb:CVE-2019-2725
 /usr/share/metasploit-framework/modules/exploits/multi/misc/weblogic_deserialize_badattr_extcomp.rb:CVE-2020-2883
 /usr/share/metasploit-framework/modules/exploits/multi/misc/weblogic_deserialize_badattrval.rb:CVE-2020-2555
 /usr/share/metasploit-framework/modules/exploits/multi/misc/weblogic_deserialize_marshalledobject.rb:CVE-2016-3510
@@ -2083,6 +2087,7 @@
 /usr/share/metasploit-framework/modules/exploits/windows/http/zentao_pro_rce.rb:CVE-2020-7361
 /usr/share/metasploit-framework/modules/exploits/windows/http/zenworks_assetmgmt_uploadservlet.rb:CVE-2011-2653
 /usr/share/metasploit-framework/modules/exploits/windows/http/zenworks_uploadservlet.rb:CVE-2010-5324
+/usr/share/metasploit-framework/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb:CVE-2022-35405
 /usr/share/metasploit-framework/modules/exploits/windows/ibm/ibm_was_dmgr_java_deserialization_rce.rb:CVE-2019-4279
 /usr/share/metasploit-framework/modules/exploits/windows/iis/iis_webdav_scstoragepathfromurl.rb:CVE-2017-7269
 /usr/share/metasploit-framework/modules/exploits/windows/iis/ms01_023_printer.rb:CVE-2001-0241

docker-compose.yml

@@ -2,6 +2,7 @@ version: "3"
 services:
   emba:
     image: embeddedanalyzer/emba:latest
+    hostname: emba
     read_only: true
     # all pre-checker mount modules need privileged mode
     privileged: true
@@ -11,6 +12,7 @@ services:
     tmpfs:
       - /tmp
       - /root
+      - /root/.cargo/bin:exec
       - /run
       - /var/run
       - /var/tmp
@@ -45,6 +47,12 @@ services:
       core:
         hard: 0
         soft: 0
+    # adjust the following limits to protect your host
+    #    deploy:
+    #  resources:
+    #    limits:
+    #      memory: 14g
+    #     cpus: 7
 
 networks:
   emba_runs:

emba.sh

@@ -308,6 +308,7 @@ main()
   export GTFO_CFG="$CONFIG_DIR"/gtfobins_urls.cfg         # gtfo urls
   export DISABLE_STATUS_BAR=1
   export DISABLE_NOTIFICATIONS=0    # disable notifications and further desktop experience
+  export NOTIFICATION_PID="NA"
   export EMBA_ICON=""
   EMBA_ICON=$(realpath "$HELP_DIR"/emba.svg)
   export WSL=0    # wsl environment detected
@@ -548,6 +549,7 @@ main()
 
   if [[ "$IN_DOCKER" -eq 0 ]]; then
     print_notification &
+    NOTIFICATION_PID="$?"
     print_output "[*] Original user: $ORANGE${SUDO_USER:-${USER}}$NC" "no_log"
     echo "${SUDO_USER:-${USER}}" > "$LOG_DIR"/orig_user.log
   fi
@@ -773,6 +775,9 @@ main()
           fi
 
           if [[ "$IN_DOCKER" -eq 0 ]]; then
+            if [[ "$NOTIFICATION_PID" != "NA" ]]; then
+              kill "$NOTIFICATION_PID" 2>/dev/null || true
+            fi
             restore_permissions
             if ! [[ -d "$TMP_DIR" ]]; then
               pkill -f "inotifywait.*$LOG_DIR" 2>/dev/null || true
@@ -924,6 +929,9 @@ main()
     else
       print_output "[!] Test ended on ""$(date)"" and took about ""$(date -d@$SECONDS -u +%H:%M:%S)"" \\n" "no_log"
     fi
+    if [[ "$NOTIFICATION_PID" != "NA" ]]; then
+      kill "$NOTIFICATION_PID" 2>/dev/null || true
+    fi
     write_grep_log "$(date)" "TIMESTAMP"
     write_grep_log "$(date -d@$SECONDS -u +%H:%M:%S)" "DURATION"
   else

helpers/helpers_emba_dependency_check.sh

@@ -413,6 +413,14 @@ dependency_check()
     # yara
     check_dep_tool "yara"
 
+    # cyclonedx - converting csv sbom to json sbom
+    if [[ -d "/home/linuxbrew/.linuxbrew/bin/" ]]; then
+      export PATH=$PATH:/home/linuxbrew/.linuxbrew/bin/
+    fi
+    check_dep_tool "cyclonedx"
+
+    check_dep_file "vmlinux-to-elf" "$EXT_DIR""/vmlinux-to-elf/vmlinux-to-elf"
+
     if function_exists S108_stacs_password_search; then
       # stacs - https://github.com/stacscan/stacs
       check_dep_tool "STACS hash detection" "stacs"

helpers/helpers_emba_prepare.sh

@@ -238,7 +238,7 @@ prepare_binary_arr()
   #readarray -t BINARIES < <( find "$FIRMWARE_PATH" "${EXCL_FIND[@]}" -type f -executable -exec md5sum {} \; 2>/dev/null | sort -u -k1,1 | cut -d\  -f3 )
 
   # In some firmwares we miss the exec permissions in the complete firmware. In such a case we try to find ELF files and unique it
-  readarray -t BINARIES_TMP < <( find "$FIRMWARE_PATH" "${EXCL_FIND[@]}" -type f -exec file {} \; 2>/dev/null | grep ELF | cut -d: -f1)
+  readarray -t BINARIES_TMP < <(find "$FIRMWARE_PATH" "${EXCL_FIND[@]}" -type f -exec file {} \; 2>/dev/null | grep ELF | cut -d: -f1 || true)
   if [[ -v BINARIES_TMP[@] ]]; then
     for BINARY in "${BINARIES_TMP[@]}"; do
       if [[ -f "$BINARY" ]]; then

installer.sh

@@ -219,10 +219,14 @@ if [[ "$CVE_SEARCH" -ne 1 ]] || [[ "$DOCKER_SETUP" -ne 1 ]] || [[ "$IN_DOCKER" -
 
   IP99_binwalk_default
 
+  I02_UEFI_fwhunt
+
   I13_objdump
 
   I20_php_check
 
+  I24_25_kernel_tools
+
   I108_stacs_password_search
 
   I110_yara_check

installer/I01_default_apps.sh

@@ -37,6 +37,9 @@ I01_default_apps(){
     # john password cracker
     print_tool_info "john" 1
     print_tool_info "john-data" 1
+    # linuxbrew
+    print_tool_info "curl" 1
+    print_tool_info "git" 1
 
     if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then
       ANSWER=("n")
@@ -49,6 +52,19 @@ I01_default_apps(){
       y|Y )
         echo
         apt-get install "${INSTALL_APP_LIST[@]}" -y
+
+        # install brew installer - used later for cyclonex in IF20 installer
+        echo "[*] Installing linuxbrew ..."
+        if ! grep -q linuxbrew /etc/passwd; then
+          useradd -m -s /bin/bash linuxbrew
+        fi
+        usermod -aG sudo linuxbrew
+        if [[ -d /home/linuxbrew/.linuxbrew ]]; then
+          rm -r /home/linuxbrew/.linuxbrew
+        fi
+        mkdir -p /home/linuxbrew/.linuxbrew
+        chown -R linuxbrew: /home/linuxbrew/.linuxbrew
+        sudo -u linuxbrew CI=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
       ;;
     esac
   fi

installer/I02_UEFI_fwhunt.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# EMBA - EMBEDDED LINUX ANALYZER
+#
+# Copyright 2020-2022 Siemens Energy AG
+#
+# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+# EMBA is licensed under GPLv3
+#
+# Author(s): Michael Messner
+
+# Description:  Installs fwhunt-scan including rules
+#               fwhunt-scan https://github.com/binarly-io/fwhunt-scan
+#               fwhunt rules https://github.com/binarly-io/FwHunt
+
+I02_UEFI_fwhunt() {
+  module_title "${FUNCNAME[0]}"
+
+  if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]]; then
+
+    print_pip_info "rzpipe"
+    print_pip_info "uefi_firmware"
+    print_pip_info "pyyaml"
+    print_pip_info "click"
+    print_tool_info "meson" 1
+    print_git_info "rizin" "rizinorg/rizin" ""
+    print_git_info "fwhunt-scan" "binarly-io/fwhunt-scan" "Tools for analyzing UEFI firmware and checking UEFI modules with FwHunt rules."
+    print_git_info "fwhunt-rules" "binarly-io/FwHunt" "The Binarly Firmware Hunt (FwHunt) rule format was designed to scan for known vulnerabilities in UEFI firmware."
+    print_git_info "BIOSUtilities" "platomav/BIOSUtilities" "Various BIOS Utilities for Modding/Research"
+
+    if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then
+      ANSWER=("n")
+    else
+      echo -e "\\n""$MAGENTA""$BOLD""These applications (if not already on the system) will be downloaded!""$NC"
+      ANSWER=("y")
+    fi
+
+    case ${ANSWER:0:1} in
+      y|Y )
+
+        pip3 install rzpipe 2>/dev/null
+        pip3 install click 2>/dev/null
+        pip3 install pyyaml 2>/dev/null
+        pip3 install uefi_firmware 2>/dev/null
+
+        # rizin:
+        apt-get install "${INSTALL_APP_LIST[@]}" -y
+        echo -e "$ORANGE""$BOLD""Installing rizin""$NC"
+        if [[ -d external/rizin ]]; then
+          rm -r external/rizin
+        fi
+        git clone https://github.com/rizinorg/rizin.git external/rizin
+        cd external/rizin || ( echo "Could not install EMBA component rizin" && exit 1 )
+        meson build
+        ninja -C build
+        ninja -C build install
+        cd "$HOME_PATH" || ( echo "Could not install EMBA component rizin" && exit 1 )
+
+        # BIOSUtilities
+        echo -e "$ORANGE""$BOLD""Installing BIOSUtilities""$NC"
+        if [[ -d external/BIOSUtilities ]]; then
+          rm -r external/BIOSUtilities
+        fi
+        git clone --branch refactor https://github.com/platomav/BIOSUtilities.git external/BIOSUtilities
+
+        echo -e "$ORANGE""$BOLD""Installing FwHunt""$NC"
+        if [[ -d external/fwhunt-scan ]]; then
+          rm -r external/fwhunt-scan
+        fi
+        git clone https://github.com/binarly-io/fwhunt-scan.git external/fwhunt-scan
+        cd external/fwhunt-scan || ( echo "Could not install EMBA component fwhunt-scan" && exit 1 )
+        git clone https://github.com/binarly-io/FwHunt.git rules
+        echo "Installed $(find rules/ -iname "BRLY-*" | wc -l) fwhunt rules"
+        # currently the following installation step is failing:
+        python3 setup.py install || true
+        cd "$HOME_PATH" || ( echo "Could not install EMBA component fwhunt-scan" && exit 1 )
+      ;;
+    esac
+  fi
+} 

installer/I120_cwe_checker.sh

@@ -91,19 +91,19 @@ I120_cwe_checker() {
           mkdir ./external/cwe_checker 2>/dev/null
           git clone https://github.com/fkie-cad/cwe_checker.git external/cwe_checker
           cd external/cwe_checker || ( echo "Could not install EMBA component cwe_checker" && exit 1 )
-          make all GHIDRA_PATH=./external/ghidra/ghidra_10.1.2_PUBLIC
+          make all GHIDRA_PATH="$HOME_PATH""/external/ghidra/ghidra_10.1.2_PUBLIC"
           cd "$HOME_PATH" || ( echo "Could not install EMBA component cwe_checker" && exit 1 )
 
-          mv "$HOME""/.cargo/bin" "external/cwe_checker/bin"
-          #rm -r -f "$HOME""/.cargo/"
-          rm -r ./external/rustup
-
           if [[ "$IN_DOCKER" -eq 1 ]]; then
+            mv "$HOME""/.cargo/bin" "external/cwe_checker/bin"
             echo '{"ghidra_path":"/external/ghidra/ghidra_10.1.2_PUBLIC"}' > /root/.config/cwe_checker/ghidra.json
+
+            # save .config as we remount /root with tempfs -> now we can restore it in the module
+            mv /root/.config ./external/cwe_checker/
+            mv /root/.local ./external/cwe_checker/
           fi
-          # save .config as we remount /root with tempfs -> now we can restore it in the module
-          mv /root/.config ./external/cwe_checker/
-          mv /root/.local ./external/cwe_checker/
+          #rm -r -f "$HOME""/.cargo/"
+          rm -r ./external/rustup
         else
           echo -e "\\n""$GREEN""cwe-checker already installed - no further action performed.""$NC"
         fi