< Return to Video

36C3 - It's not safe on the streets... especially for your 3DS!

  • 0:00 - 0:20
    36C3 preroll music
  • 0:23 - 0:26
    Herald: The following talk is titled "It's
    Not Safe in the Streets, especially for
  • 0:26 - 0:31
    your 3DS" and it's about exploring a new
    attack surface on the 3DS. And the speaker
  • 0:31 - 0:36
    is nba::yoh. The show is yours.
  • 0:36 - 0:42
    applause
  • 0:43 - 0:50
    nba::yoh: Hi, everyone. I'm nba::yoh and
    today I'm going to talk about 3DS hacking
  • 0:50 - 1:01
    and especially about a protocol, an
    undocumented protocol. And we're gonna see
  • 1:01 - 1:11
    how I attacked the protocol and got remote
    code execution on the system. But before
  • 1:11 - 1:18
    before saying, oh, I did that, I'd like to
    do a quick recap of the state of 3DS
  • 1:18 - 1:27
    hacking in 2019, because there have been a
    lot of userland exploits, a lot of patched
  • 1:27 - 1:33
    kernel flaws and there's a lot of
    documentation online about the system. And
  • 1:33 - 1:41
    during the last few years, people have
    been working on it and broke the hardware
  • 1:41 - 1:50
    keyscambler. And they managed to dump the
    bootroms. And as a result, anyone who now
  • 1:50 - 1:58
    have the bootrom can derive all the secret
    keys of the system. And as a bonus, they
  • 1:58 - 2:04
    were able to find a permanent unpatchable
    bootrom exploit. So at that point, you
  • 2:04 - 2:11
    might be wondering what's left to do in
    the system. And actually, I wonder if it
  • 2:11 - 2:17
    would be possible to use those keys to
    attack features that were protected until
  • 2:17 - 2:22
    then by encryption. So that's why today
    I'm going to talk about StreetPass.
  • 2:25 - 2:31
    First, I'm going to do a quick introduction about
    the feature and then we'll see how I
  • 2:31 - 2:39
    expoited it and see what's possible to do
    once you get code execution. So what is
  • 2:39 - 2:46
    StreetPass? This is a local and wireless
    communication feature. The basic idea
  • 2:46 - 2:52
    behind StreetPass was that users would
    take their 3DS with them and go out and it
  • 2:52 - 3:00
    would automatically communicate with other
    people's systems. The point of the feature
  • 3:00 - 3:07
    was to share data between applications
    like custom levels for your games or
  • 3:07 - 3:15
    messages, avatars, et cetera. So this is
    quite an interesting feature for players,
  • 3:15 - 3:22
    but also for hackers. So this is the
    player point of view so you can send your
  • 3:22 - 3:29
    messages and other people will be able to
    receive them. But we'd like to - from an
  • 3:29 - 3:35
    hacker point of view - we'd like to
    replace one of these systems with a PC to
  • 3:35 - 3:41
    tamper with the protocol, for example. And
    eventually it would be nice if we could
  • 3:41 - 3:48
    send some corrupted messages and see if we
    can get code execution on foreign systems.
  • 3:50 - 3:55
    But for doing that, you need to know how
    the street the StreetPass feature works.
  • 3:56 - 4:01
    So it's quite simple. It acts like a mailbox.
    So you have CECD, which is a system
  • 4:01 - 4:11
    module, and it's the only one that manages
    all this StreetPass feature. So all your
  • 4:11 - 4:18
    applications have an inbox and an
    associated outbox in the CECD file system
  • 4:18 - 4:27
    and they can put and get messages from and
    to these boxes via IPC. Then messages in
  • 4:27 - 4:32
    these boxes are used to craft packets
    which are then sent using the StreetPass
  • 4:32 - 4:41
    protocol. And we can already see on this
    diagram which path we could try to attack.
  • 4:41 - 4:47
    The first one you might think about are
    our application boxes because it's very
  • 4:47 - 4:54
    likely that you'll be able to find some kind
    of game or application that have a float
  • 4:54 - 5:03
    parser. So we might take and get remote
    code execution in such an application. But
  • 5:03 - 5:11
    the most interesting one would be to try
    to attack CECDs parser. And this would
  • 5:11 - 5:19
    give us remote code execution in a system
    module, which would be nice. But for doing
  • 5:19 - 5:25
    that, we need to figure out how the
    StreetPass protocol works and nobody
  • 5:25 - 5:31
    really knows how it works. There is a bit
    of documentation online about the
  • 5:31 - 5:36
    pairings, so "oh both our systems are
    seeing a hand here. Would like would you
  • 5:36 - 5:42
    like to communicate with me?" But it has
    never been successfully reproduced, at
  • 5:42 - 5:50
    least publicly. And we know that it's
    using an unknown and encrypted protocol
  • 5:50 - 5:59
    that uses the secret AES key that we can
    now get. So let's reverse the protocol.
  • 5:59 - 6:08
    First, well, let's reverse the pairing and
    replicate it. So it's fairly easy to
  • 6:08 - 6:15
    understand: You have both peers, the
    client and the master and before
  • 6:15 - 6:23
    communicating they randomize their console
    ID and their MAC address. Then the client
  • 6:23 - 6:32
    sends a bunch of probe requests with our
    bundle specific tag, containing a list of
  • 6:32 - 6:38
    the applications that have StreetPass
    activated. And then eventually the master
  • 6:38 - 6:45
    received that public list and analyzes it.
    It's checked if an application from the
  • 6:45 - 6:50
    client that has StreetPass activated
    matches one of it's own applications with
  • 6:50 - 6:56
    StreetPass activated. If it's the case, it
    sends the probe response to the client,
  • 6:56 - 7:02
    which will do the same. And if both peers
    agree that they can exchange data, they
  • 7:02 - 7:11
    will start communicating after deriving a
    common key. So replicating the pairing is
  • 7:11 - 7:21
    not super odd if you know what tool to
    use. I tried to reproduce the pairing
  • 7:21 - 7:28
    using a monitor mode, but it's really hard
    because you have to deal with all the
  • 7:28 - 7:38
    action item frames et cetera. So I used
    nl80211 which lets you register some
  • 7:38 - 7:44
    specific callback for some specific frames
    and send custom frames and everything is
  • 7:44 - 7:54
    handled by your wifi adapter driver. So at
    that point the 3DS starts sending
  • 7:54 - 8:01
    encrypted data and we have to decrypt
    them. So let's review the encryption. They
  • 8:01 - 8:10
    do this in two passes, the first one they
    use an HMAC-SHA1 over both consoles CIDs
  • 8:10 - 8:18
    and both MAC addresses and the output of
    this pass is used as an input counter for
  • 8:18 - 8:29
    on AES-CTR using the AES key slot we can
    now get. And the output of this encryption
  • 8:29 - 8:38
    is used as a session key for the
    communication. So nl80211 lets you
  • 8:38 - 8:46
    register CCMP keys so it's quite easy to
    send and receive encrypted packets using
  • 8:46 - 8:56
    it. So now we can start reversing the
    protocol. Let's take a look at the
  • 8:56 - 9:04
    structure of packets before doing any
    reverse engineering. So I put some packets
  • 9:04 - 9:10
    I was able to receive and the first one is
    one of the smallest one you can actually
  • 9:10 - 9:19
    observe. So first you have a header and
    then you have some data and you can spot
  • 9:19 - 9:27
    some magic values here. Actually, it's
    easy to spot them because CECD is using
  • 9:27 - 9:36
    really recognizable magic values. It's
    always the same byte repeated twice. Once
  • 9:36 - 9:41
    you know the structure of the packets, you
    can view that there are actually
  • 9:41 - 9:49
    two protocols. The first one is SPTCP.
    It's an equivalent of TCP, but for local
  • 9:49 - 9:55
    communication. It's mainly designed to
    ensure reliability and data segmentation.
  • 9:55 - 10:04
    And then you have SPMTP which is built
    over SPTCP and handles all the exchange of
  • 10:04 - 10:11
    stricter data and StreetPass messages. So
    we have two protocols and we need to
  • 10:11 - 10:18
    review both of them. Let's start with
    SPTCP. Actually, there is not much to say
  • 10:18 - 10:29
    because you only basically have to reverse
    and understand the header. You have a
  • 10:29 - 10:34
    magic value and some constants. But the
    most important field here is the flag
  • 10:34 - 10:39
    field because if you can understand what
    are the flags, you can understand the
  • 10:39 - 10:46
    meaning of the packets you are sending and
    receiving. And so you can basically
  • 10:46 - 10:54
    understand the protocol. And fortunately,
    in this case, they're using the same flags
  • 10:54 - 11:02
    as TCP, so it was really easy to
    understand the protocol and how it worked.
  • 11:02 - 11:14
    And what about SPTCP security? Actually,
    it's OK. I did not find any bug. But the
  • 11:14 - 11:19
    attack surface is really small. We can
    basically only tamper with the header and
  • 11:19 - 11:31
    that's it. So SPMTP should be much more
    interesting. Let's take a look at the
  • 11:31 - 11:40
    structure of SPMTP packets, because there
    are actually two different packet types.
  • 11:40 - 11:50
    The first one is an info packet. It's
    basically used in the handshake and it's
  • 11:50 - 11:57
    only here to share information between
    both peers. And then you have message box
  • 11:57 - 12:03
    packets which are much more interesting
    because they contain actual StreetPass
  • 12:03 - 12:11
    data and you can even spot the CECD
    message via magic value, which means that
  • 12:11 - 12:18
    we actually reach actual game data and
    SPMTP is the last layer of encapsulation
  • 12:18 - 12:26
    of the whole protocol. So once you figure
    out how SPMTP works, you can reimplement
  • 12:26 - 12:34
    the protocol. So let's first review info
    packets. There's a bunch of things in
  • 12:34 - 12:40
    here. Many fixed size data like friend
    codes, MAC addresses, et cetera. It's not
  • 12:40 - 12:47
    much interesting when you're looking for
    vulnerabilities. There are variable size
  • 12:47 - 12:52
    data, which are much more interesting.
    They are sending application lists,
  • 12:52 - 12:59
    metadata lists, and it's much more
    interesting because when you process them,
  • 12:59 - 13:06
    you can fail your parser. And if there is
    some vulnerability here, we might exploit
  • 13:06 - 13:15
    them to get remote execution. So let's
    take a look at one of this parser. This is
  • 13:15 - 13:24
    a function that parses meta data lists. So
    let's focus on the for-loop. They are
  • 13:24 - 13:34
    actually copying a list of entries to the
    stack. The destination is on the stack and
  • 13:34 - 13:41
    they do not check the number of entries in
    the list. So this is clearly a buffer
  • 13:41 - 13:48
    overflow, but is it exploitable? Let's
    illustrate this with a diagram. So this is
  • 13:48 - 13:57
    a regular copy. So you have your packet
    buffer. And you have memcopy called on
  • 13:57 - 14:09
    each entry and everything's is all right
    here. But if you had more entries, you
  • 14:09 - 14:16
    have a bunch of entries, compete on the
    stack, that overwrite a bunch of things.
  • 14:16 - 14:22
    But there's a problem here, because the
    packet buffer is not large enough for us
  • 14:22 - 14:33
    to reach the return address on the stack.
    So we are probably copying uncontrol data.
  • 14:33 - 14:39
    So I was like, it's too bad, we can't do
    anything with this, but let's check the
  • 14:39 - 14:45
    buffer next to our packet buffer. Maybe
    there are some control data in there. And
  • 14:45 - 14:54
    actually, yes, it's this buffer just
    next to the packet buffer, dedicated to a
  • 14:54 - 15:03
    list that we sent just before. So actually
    we can rewrite the return address. So, how
  • 15:03 - 15:10
    do we exploit it now? On the 3DS, you have
    the NX bit, but there is no stack cookies
  • 15:10 - 15:16
    or no ASLR, so it's pretty
    straightforward. You can just embed a ROP-
  • 15:16 - 15:23
    chain, a small ROP-chain, and then send
    another one in some kind of packets and
  • 15:23 - 15:31
    stack-pivot to it. And then you get remote
    code execution in CECD. So this one was
  • 15:31 - 15:40
    quite easy. Let's move on to message box
    packets. Message box packets are packets
  • 15:40 - 15:48
    to send a list of StreetPass messages for
    some specific applications. They are
  • 15:48 - 15:55
    actually stored in some temporary files
    for avoiding delays and they are parsed
  • 15:55 - 16:02
    once the communication is over. So they
    are parsed. So let's take a look at the
  • 16:02 - 16:15
    parser. This is the function that actually
    loads a temp file into an associated
  • 16:15 - 16:24
    structure on the stack and whoops, they do
    not check the number of messages in the
  • 16:24 - 16:35
    box. So this is another buffer overflow.
    You are basically overflowing the message
  • 16:35 - 16:43
    pointers array and the message sizes
    array. So let's treat this with another
  • 16:43 - 16:55
    diagram. So you have on the right the temp
    file and on the left the stack and you see
  • 16:55 - 17:02
    that you have this structure on the stack
    we can see that there is the message
  • 17:02 - 17:08
    pointers with pointer pointing to your
    temp file buffer and you have the message
  • 17:08 - 17:18
    sizes. And if you add another message in
    the temporary file, you overflow both
  • 17:18 - 17:27
    arrays and start overwriting some data on
    the stack. We are a bit concerned because
  • 17:27 - 17:32
    we are writing partially or uncontrolled
    data on the stack. Obviously you cannot
  • 17:32 - 17:39
    control the message pointers and you can
    not still control message size because you
  • 17:39 - 17:45
    can not put some arbitrary values in
    there. You'd have to send gigabytes of
  • 17:45 - 17:57
    messages and you can not do that. So what
    can we do? What you can see here is that
  • 17:57 - 18:02
    you can actually set the last message size
    to an arbitrary value because they are
  • 18:02 - 18:11
    checking if the current message being
    parsed is actually inside of the temporary
  • 18:11 - 18:16
    file, a buffer. And if the current message
    pointer goes out of the buffer,
  • 18:16 - 18:17
    they break the loop
  • 18:17 - 18:24
    without returning an error. So what you
    can do is set the last message size to an
  • 18:24 - 18:30
    arbitrary value and then the pointer will
    go out of the buffer and you will write
  • 18:30 - 18:40
    one 32-bit value on the stack. But we
    need to know what to write. You cannot,
  • 18:40 - 18:45
    unfortunately, you cannot directly
    overwrite the return address because
  • 18:45 - 18:52
    remember that we are writing mainly
    uncontrolled data and reaching the return
  • 18:52 - 18:59
    address would require you to overwrite the
    whole stack frame with uncontrolled or
  • 18:59 - 19:08
    partially uncontrolled data. So the only
    thing I was able to rewrite without
  • 19:08 - 19:17
    crashing the system is this particular
    variable. It's a pointer to a critical
  • 19:17 - 19:26
    section and it's used for signed
    synchronization and mutual exclusion. And
  • 19:26 - 19:32
    you can see it's used after the temporary
    file has been parsed. So maybe we can do
  • 19:32 - 19:37
    something with it. This is the leave_critical_section
    call at the end of the loop
  • 19:37 - 19:43
    iteration. And you can see that they're
    using the pointer to decrement some kind
  • 19:43 - 19:49
    of count. So it's basically the number of
    threads that are using the critical
  • 19:49 - 19:56
    section and we can override the lock
    pointer. So by overwriting it, we can
  • 19:56 - 20:03
    decrement an arbitrary value in memory,
    but we need to find what to overwrite,
  • 20:03 - 20:13
    that would give us more control of the
    memory and control the execution flow. So
  • 20:13 - 20:19
    I've been looking for something like this
    and I found something interesting in the
  • 20:19 - 20:27
    function that deinitialized the structure
    associated to temporary files. This is the
  • 20:27 - 20:35
    function for the structure
    deinitialization. And you can spot this
  • 20:35 - 20:43
    variable. They actually implemented
    some kind of allocation mode. And if it's
  • 20:43 - 20:50
    equal to pointer mode, it will not try to
    free the pointer. The pointers in the
  • 20:50 - 20:58
    message pointers array. But if it's not
    pointer mode, they will free all of them.
  • 20:58 - 21:04
    And while this value should be pointer
    mode in any case. But we can decrement it
  • 21:04 - 21:14
    using the the vulnerability we've seen
    before. So we can get some pointer freed.
  • 21:14 - 21:22
    And since we control everything at the
    location pointed by message pointers, we can
  • 21:22 - 21:31
    try to make it free some crafted and fake
    chunks. But there is another problem
  • 21:31 - 21:39
    because they're actually resetting the
    allocation mode each time a temporary box
  • 21:39 - 21:48
    is passed. So we have to find a solution
    to this. And what you can do is try to
  • 21:48 - 21:55
    make that function return early before the
    allocation mode is restored. But this
  • 21:55 - 22:06
    implies making it return an invalid return
    code. But actually, it's not a problem
  • 22:06 - 22:16
    because they're not checking the return
    code. So what can we do so far with
  • 22:16 - 22:24
    this? So you can send a first temporary
    box. This will overwrite the lock variable
  • 22:24 - 22:30
    in the stack and decrement the
    allocation mode. Then you can send your
  • 22:30 - 22:38
    invalid second temorary box and the
    parser will return early and the
  • 22:38 - 22:43
    message pointers array will not be
    updated. And in the end, all the pointers
  • 22:43 - 22:51
    in that particular array will be freed.
    But since the message pointers array is
  • 22:51 - 22:58
    not updated, the pointer in that
    particular array are still pointing to the
  • 22:58 - 23:06
    first temporary file buffer
    which has been freed. That's not a
  • 23:06 - 23:12
    problem. If you send a xecond temporary
    box with the same size, the buffer will be
  • 23:12 - 23:16
    re-allocated for that second
    temporary file and we eventually free
  • 23:16 - 23:26
    up pointers to control the buffer. So
    what's next? We can craft some fake heap
  • 23:26 - 23:33
    chunks. We can have the application free
    them. What do we do? The free, yes, it is
  • 23:33 - 23:39
    actually really insecure. You can exploit
    the classic unsafe linker vulnerability,
  • 23:39 - 23:48
    so you get one arbitrary write for each
    chunk you can free. And you still need to
  • 23:48 - 23:57
    know what to overwrite. But you can just
    rewrite the heap free list head pointer. So the
  • 23:57 - 24:04
    next malloc call will return a pointer to
    wherever you want, and you can especially
  • 24:04 - 24:10
    put a pointer to the stack in there. So
    the next malloc call will return a
  • 24:10 - 24:21
    pointer to the stack and it will be used
    to store your third temporary file. So
  • 24:21 - 24:29
    it's a bit hard to understand. So let's
    again illustrate this with a diagram. So
  • 24:29 - 24:36
    first you have your first temporary file
    loaded in memory. So on the right it's
  • 24:36 - 24:49
    parsed and the associated structure is
    written in stack and it overwrites the
  • 24:49 - 24:58
    lock pointer to make it point to the alloc
    mode in memory. In the end,
  • 24:58 - 25:05
    leave_critical_section is called. So you have
    your temporary buffer freed and your location
  • 25:05 - 25:14
    mode decremented. Then your second
    temporary file is loaded in memory. The
  • 25:14 - 25:19
    buffer used for the first
    file is relocated and the pointers in the
  • 25:19 - 25:26
    structure still point to our
    controlled data and especially our fake
  • 25:26 - 25:39
    chunks. So your second temporary file is
    loaded and parsed. Then all the chunks are
  • 25:39 - 25:49
    freed and the field it is at is moved to
    point on the stack. And finally, you can
  • 25:49 - 25:54
    see that your last temporary file is
    read in on the stack so we can overwrite
  • 25:54 - 26:01
    the return address and put a ROP-chain in
    there. So this gives us a second remote
  • 26:01 - 26:10
    code execution vulnerability in CECD. And
    this one this one was quite trickier. So
  • 26:10 - 26:19
    what's next? Another one. Yeah. Again,
    there is another vulnerability in the
  • 26:19 - 26:30
    message parser. It's actually an SDK
    function. So any application that uses
  • 26:30 - 26:34
    SteetPass is vulnerable, not only CECD but
    all application and games that use
  • 26:34 - 26:36
    StreetPass are vulnerable for this one.
  • 26:36 - 26:41
    But I'm not going
    to talk about it and explain everything.
  • 26:41 - 26:51
    It's up to you to exploit it. So this
    gives us a third Remote Code Execution in
  • 26:51 - 26:57
    CECD and you can get Code Execution in any
    application using StreetPass. And this
  • 26:57 - 27:06
    also give us a persistent backdoor in CECD
    because of CECD usually parses all the
  • 27:06 - 27:15
    messages in the in and out boxes at startup.
    So you can trigger the vulnerability
  • 27:15 - 27:25
    once the system boots. So we've got a
    Remote Code Execution in CECD, what can we
  • 27:25 - 27:35
    do? No, actually, CECD does not have much
    privileges. It's only a userspace
  • 27:35 - 27:41
    application. And it's pretty well
    sandboxed. You can not access the
  • 27:41 - 27:49
    internet, for example or not the SD card.
    So if you want more privileges and we
  • 27:49 - 27:57
    want more privileges, you need to take
    care of something else. And your
  • 27:57 - 28:05
    best choice would be trying to take over
    ARM11 Kernel, which is the kernel for the
  • 28:05 - 28:14
    userland processor. This this would give
    you total control over this processor.
  • 28:14 - 28:18
    And if you want really full system
    control, you'd like to also take over the
  • 28:18 - 28:26
    ARM9 security processor. So this is the
    processor that do all the encryption and
  • 28:26 - 28:35
    signature stuff. And we will see this
    later. So let's first try to take over the
  • 28:35 - 28:46
    ARM11 kernel. But first, I need to
    talk about IPC and especially
  • 28:46 - 28:56
    what are called static buffers. So when
    you are doing IPC, you need to sometimes
  • 28:56 - 29:03
    send data from a sender process to a
    receiver process and on the 3DS, you can
  • 29:03 - 29:12
    do this in multiple ways. The first one is
    if you want to send large regular
  • 29:12 - 29:20
    buffers, you can map parts of the sender's
    memory into the receivers, but you can
  • 29:20 - 29:27
    also use what are called static buffers.
    If you want to send some small buffers,
  • 29:27 - 29:35
    the receiver can register static buffers
    and the ARM11 kernel will do the copy for
  • 29:35 - 29:42
    you to that particular buffer. And
    sometimes you need some buffers
  • 29:42 - 29:52
    to be sent to the ARM9
    processor. So the ARM11 kernel need to
  • 29:52 - 29:59
    write some pairs of
    physical addresses and size to the static
  • 29:59 - 30:06
    buffers because the ARM9 does not have an
    MMU so it's only using physical addresses
  • 30:06 - 30:15
    and the copy of data is eventually done by
    the Process9, which is the only process
  • 30:15 - 30:24
    running on the ARM9 side. So let's talk
    about a vulnerability now. So it's called
  • 30:24 - 30:33
    LazyPixie and it has been found by TuxSH.
    So it's not me. How does the kernel handle the
  • 30:33 - 30:45
    PXI buffers case because it
    seems a bit complicated. So first
  • 30:45 - 30:49
    they check the alignment of the
    destination state buffer, they check the
  • 30:49 - 30:54
    size of the destination static buffer.
    They check the permissions for the source
  • 30:54 - 31:01
    buffers. Then they do cache operations, they
    copy metadata. So the physical address and
  • 31:01 - 31:09
    the size of the static buffer
    to the destination and then the copy is
  • 31:09 - 31:16
    done by the ARM9 side. But I think
    there is something missing here because
  • 31:16 - 31:24
    they do not check the permissions for the
    destination buffer. So what you can do is
  • 31:24 - 31:30
    use an arbitrary address as a destination.
    And so you can just overwrite the MMU
  • 31:30 - 31:38
    table and make your kernnel read, write and
    execute, which is obviously enough to take
  • 31:38 - 31:49
    it over. So at that point, the ARM11
    Kernel has fallen and we have
  • 31:49 - 31:59
    the full control of that processor. But we
    would like a bit more privileges because
  • 31:59 - 32:08
    why not? We want the full system control.
    So let's take the road to full system
  • 32:08 - 32:16
    control and see why taking over CECD was
    one of the best ideas ever. So I am going
  • 32:16 - 32:22
    to talk about SAFEHAX. Maybe some of you
    know what SAFEHAX is because it's a really
  • 32:22 - 32:32
    cool vulnerability. It's actually race a
    condition in the firmware header parsing
  • 32:32 - 32:38
    you can take over the ARM9 side if you
    control the ARM11 kernel. It has
  • 32:38 - 32:47
    been fixed in the system version 9.5 for
    the regular native firmware
  • 32:47 - 32:52
    and fixed in the safe mode firmware, which
    is basically the recovery firmware if
  • 32:52 - 32:58
    something went wrong for your console. So
    people have been exploiting it both on the
  • 32:58 - 33:05
    native firmware and the
    safe mode firmware and it has been
  • 33:05 - 33:13
    mitigated in version 11.3 and 11.4. So it
    does not work anymore, but it has only
  • 33:13 - 33:20
    been mitigated and not patched. So let's
    take a look at that mitigation because
  • 33:20 - 33:27
    how do they prevent us to exploit that
    vulnerability? So this so-called
  • 33:27 - 33:37
    mitigation is a boolean flag that has been
    added on the ARM9 side and when it's set to
  • 33:37 - 33:49
    1 the system just panics. When you try to
    launch the safe mode firmware. So this
  • 33:49 - 33:53
    flag is actually set to 1 whenever you try
    to launch an application, so this was the
  • 33:53 - 33:59
    usual way to exploit it, you were
    launching the homebrew menu through an
  • 33:59 - 34:07
    application and then exploiting the ARM11
    kernel and then running SAFEHAX. So they
  • 34:07 - 34:14
    set the flag to 1 whenever you try to
    launch a specific application, except some
  • 34:14 - 34:22
    of them because your reconnection ARMs needs some
    applications to run. So this is there is
  • 34:22 - 34:29
    an exception for the home menu and the
    system modules. And guess what? We are
  • 34:29 - 34:35
    exploiting CCD, which is a system module
    and we are getting Remote Code Execution
  • 34:35 - 34:43
    in CCD. So the the flag is never set to 1
    when we are getting code executing on the
  • 34:43 - 34:53
    CCD. So with that kind of exploit. You can
    easily replicate the initial SAFEHAX
  • 34:53 - 35:03
    exploit. So then you get a full control,
    remote code execution without any user
  • 35:03 - 35:10
    interaction. And it's StreetPass and it's
    doing all of this thing in the background
  • 35:10 - 35:16
    and on any firmwre version at the time
    this was developed because Nintendo
  • 35:16 - 35:29
    patched it with firmware version 11.12. So
    I guess it's time for a little demo. I'm
  • 35:29 - 35:38
    not going to do it live because I don't
    want to some exploits in the air. So I
  • 35:38 - 35:46
    have a little video. So I'm running my
    exploit on my laptop and you can see the
  • 35:46 - 35:53
    LED is turned on to see that the exploit
    is running in CCD. And then you once
  • 35:53 - 36:00
    you're you can exploit and you can launch
    the installer for the Boot ROM exploit,
  • 36:00 - 36:10
    for example.
    applause
  • 36:10 - 36:24
    Thanks. So now, some some takeaways. Well,
    you'd better check your return value,
  • 36:24 - 36:29
    really, because there's a second
    vulnerability would have been really,
  • 36:29 - 36:42
    really out to exploit without that
    mistake. And really, you should not hide
  • 36:42 - 36:48
    behind cryptography because one day your
    encryption will be broken and this might
  • 36:48 - 37:00
    come sooner than you think. And for this
    specific case, there was a bunch of dumb
  • 37:00 - 37:09
    mistakes and basically all vulnerabilities
    were only buffer overflows. Then,
  • 37:09 - 37:17
    assessing hard-to-reach features is really
    arduous. I spent a lot of time doing this,
  • 37:17 - 37:26
    especially figuring out how to replicate
    all the features, parts and all the
  • 37:26 - 37:33
    different protocols involved. But
    eventually, you can get some really
  • 37:33 - 37:41
    interesting results like this. Then, I'd
    say please fix your flows, and do not
  • 37:41 - 37:51
    implement some poor mitigation, like for
    SAFEHAX. And there's things still to do on
  • 37:51 - 37:57
    the 3DS. I think I was able to show this
    today. There is, this is an amazing system
  • 37:57 - 38:04
    you can start to work on and do some
    practical things. And there's still things
  • 38:04 - 38:13
    to document on the open source wiki, so
    feel free to contribute. So, in the end, I
  • 38:13 - 38:25
    would like to thank @TuxSH for the
    LazyPixie and helping me getting this full
  • 38:25 - 38:39
    chain exploit done, and @hedgeberg for
    recurring support with a lot of things. So
  • 38:39 - 38:45
    now, if you have some questions, feel free
    to ask.
  • 38:45 - 38:51
    Herald: Thank you very much.
  • 38:51 - 38:55
    applause
  • 38:55 - 39:02
    Herald: We are very, very much on time. So
    ask any questions, but please do ask them
  • 39:02 - 39:14
    at a microphone. Go ahead. No, I thought
    there was going to ask a question. No
  • 39:14 - 39:21
    questions? Oh, the Internet has one.
    Great.
  • 39:21 - 39:29
    Signal angel: So, yes, we have two
    questions. The first one is what tools and
  • 39:29 - 39:34
    environments do you use for your research?
    For example, someone mentioned how do you
  • 39:34 - 39:41
    get all the source code?
    nba::yoh: Oh, everything on the 3DS is
  • 39:41 - 39:50
    closed source. So you have to reverse
    engineer everything. I used IDA and Ghidra
  • 39:50 - 39:57
    to reverse the binaries of CCD and, yeah,
    that, that's it.
  • 39:57 - 40:08
    Signal angel: OK. Thank you. We have a
    second question: Is there any procedure
  • 40:08 - 40:13
    for the Switch that is compatible with all
    what you've done?
  • 40:13 - 40:16
    nba::yoh: Sorry, could you repeat that
    question?
  • 40:16 - 40:23
    Signal angel: Well, all the things you
    have done, all the code. Is there anything
  • 40:23 - 40:28
    similar for the Switch?
    nba::yoh: I don't think there is something
  • 40:28 - 40:37
    similar on the Switch, at least something
    that looks like the StreetPass feature.
  • 40:37 - 40:44
    But I don't really know how the Switch
    works, I've only done things on the 3DS.
  • 40:44 - 40:52
    Herald: OK, first question for the room.
    Microphone: Thanks for the talk, great.
  • 40:52 - 40:58
    Did you really need all the three
    exploits? And which one did you use in the
  • 40:58 - 41:03
    end for the full chain? Thanks.
    nba::yoh: Could you repeat the question?
  • 41:03 - 41:08
    Microphone: Did you need all the three
    exploits that you had or could you just
  • 41:08 - 41:12
    use the easiest one? And which one did you
    use in the end?
  • 41:12 - 41:20
    nba::yoh: Well, no, you do not need all
    three exploits, at least in CCD. You only
  • 41:20 - 41:30
    need one basically to get remote code
    execution. But I found it fun to just show
  • 41:30 - 41:36
    all the exploits for CCD.
    Herald: Next question.
  • 41:36 - 41:40
    Microphone: Are the StreetPass messages
    passed to the applications even when those
  • 41:40 - 41:44
    applications are not running? So, for
    example, when you have like Pokémon or
  • 41:44 - 41:47
    something installed...
    nba::yoh: Could you speak louder, please?
  • 41:47 - 41:51
    Microphone: Okay. Are the applications
    parsing the messages even if they are not
  • 41:51 - 41:55
    running? Like, is there some sort of a
    handler being run by the OS even if you
  • 41:55 - 42:00
    don't have an application running, just
    installed? So that if you have a
  • 42:00 - 42:06
    vulnerable application with the old SDK
    built in there, will it automatically
  • 42:06 - 42:15
    parse the corrupted message?
    nba::yoh: Could you reformulate your
  • 42:15 - 42:19
    question? I don't understand.
    Microphone: Okay. In your tree
  • 42:19 - 42:25
    exploitation method, you mentioned the
    third method that mentions the SDK being
  • 42:25 - 42:27
    broken.
    nba::yoh: Yeah.
  • 42:27 - 42:31
    Microphone: And if you have an application
    built with that old SDK, does it
  • 42:31 - 42:36
    automatically parse the message even if
    it's not running, so that even if you have
  • 42:36 - 42:41
    a patched OS, but not patched
    applications, it will still get exploited?
  • 42:41 - 42:49
    nba::yoh: Yeah, all the applications using
    the SDK should be updated to fix the
  • 42:49 - 43:00
    vulnerability. So the exploit is triggered
    when the application parsed the messages.
  • 43:00 - 43:11
    So you have to run the application to
    exploit it. CCD has been patched, so there
  • 43:11 - 43:21
    is no more remote code execution in CCD,
    nor a permanent backdoor in CCD, that
  • 43:21 - 43:29
    automatically runs, when the system is
    started. But you can probably still
  • 43:29 - 43:34
    exploit games and applications that use
    the old SDK.
  • 43:34 - 43:39
    Microphone: Okay, thanks.
    Herald: There's a question over there.
  • 43:39 - 43:44
    Microphone: Yes. Can you go back to the
    slide where you showed how the encryption
  • 43:44 - 43:47
    for the packets worked?
    nba::yoh: The encryption?
  • 43:47 - 44:12
    Microphone: Yes, the encryption. Yeah.
    Yeah. That one. So my question is, if all
  • 44:12 - 44:19
    you're, if the only thing that you're
    changing is the counter, and the data is
  • 44:19 - 44:24
    constant and the key is constant, and it's
    CTR, then you're basically just XOring a
  • 44:24 - 44:34
    known block with your HMAC output. So why
    do you even need the key here?
  • 44:34 - 44:43
    nba::yoh: Well, the counter changed every
    time you start a new StreetPass
  • 44:43 - 44:50
    communication, because the CID's are
    randomized and the MAC address is, the MAC
  • 44:50 - 44:56
    address is also randomized before starting
    a new communication.
  • 44:56 - 45:01
    Microphone: Right. But I guess what I'm
    asking is, why do you need key slot 2E? In
  • 45:01 - 45:08
    my mind, having the CCD HMAC key would be
    enough, because you can just XOR the, you
  • 45:08 - 45:14
    know, output of that with the final
    output, and that removes, you know, the
  • 45:14 - 45:20
    CTR part, and now you have the raw output
    of the null block encrypted with key slot
  • 45:20 - 45:27
    2E, which is always going to be constant,
    and then you can just XOR whatever output
  • 45:27 - 45:33
    to get the final result, right?
    nba::yoh: Yeah, well I'm not super
  • 45:33 - 45:42
    familiar with all the cryptography, but
    maybe we could talk about it. I was just
  • 45:42 - 45:51
    putting this for, for people to reproduce
    it if they want.
  • 45:51 - 46:02
    Herald: Okay. Are there any more
    questions? Thank you so much.
  • 46:02 - 46:04
    nba::yoh: Thanks.
  • 46:04 - 46:05
    applause
  • 46:05 - 46:08
    postroll music
  • 46:08 - 46:29
    subtitles created by c3subtitles.de
    in the year 2020. Join, and help us!
Title:
36C3 - It's not safe on the streets... especially for your 3DS!
Description:

more » « less
Video Language:
English
Duration:
46:29

English subtitles

Revisions