
Better grep/analysis about emba (CLOSED)

e-m-b-a avatar e-m-b-a commented on August 28, 2024
Better grep/analysis

from emba.

Comments (6)

floyd-fuh avatar floyd-fuh commented on August 28, 2024 1

Looking at STACS, it actually looks great! But that's password/hash-related things only, it seems. I guess the main focus of CRASS/semgrep is different, to also look for other vulnerable-looking things. You might be right that semgrep is a little too focused on source code. Now I'm thinking maybe CRASS isn't the worst fit. Here's why I think it might be worth it:

  • In unpacked firmware there is sometimes a little source code for scripting languages (PHP, Perl, Python, JSP, JavaScript, other CGI etc.) or indirectly such as .NET binaries that are easily decompiled. I think they have a high potential for issues because they are a) sometimes called from binaries (system calls etc.), which creates a trust boundary, and b) the scripting language is often not the embedded developer's main language to code in. It's also very easy to analyse them because they are ASCII.
  • I've found iOS source code in an appliance ISO and PHP server-side code in an Android app before. Developers do strange things.
  • Finding Cloud API keys/credentials can be a goldmine
  • For me, tools are also about guiding the user on what he should target during the manual analysis time. So if the tool provides a priority-rated list by keyword (e.g. CRASS creates one file which includes all files that reference "SHA1")

I'll try to see if I can provide some more concrete examples next time I use EMBA.

Ultimately you can have a look from https://github.com/floyd-fuh/crass/blob/f2da104b073f530fbadeda7578c39a377ebd296b/grep-it.sh#L311 on to see what could be worth doing.

I guess it's not about what STACS or shellcheck are missing, but more what else can be done.

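The keyword triage described in the comment above (one result file per keyword, rated by priority), as an added example that is not code from CRASS, EMBA or the thread participants. The rule names, priorities, regexes and the sample firmware files are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: keyword triage over an unpacked firmware tree.
# Rule names, priorities and regexes are illustrative assumptions,
# not rules taken from CRASS grep-it.sh or from EMBA.

# One rule per line: priority|name|extended regex (1 = review first).
# The regex is the last field, so it may itself contain '|'.
RULES='1|cloud_api_key|AKIA[0-9A-Z]{16}
2|shell_exec|(system|popen|shell_exec)[[:space:]]*\(
3|weak_hash_sha1|[Ss][Hh][Aa]-?1'

# triage <firmware_dir> <out_dir>
# Writes <priority>_<name>.txt per rule with file:line:text hits, so a
# plain directory listing is already the prioritised review list.
triage() {
  mkdir -p "$2"
  while IFS='|' read -r t_prio t_name t_regex; do
    t_out="$2/${t_prio}_${t_name}.txt"
    # -r recurse, -I skip binary files, -n line numbers, -E extended regex.
    # grep exits 1 when nothing matches; that is not an error here.
    grep -rInE -e "$t_regex" "$1" > "$t_out" 2>/dev/null || true
    # Keep only the rules that produced hits.
    [ -s "$t_out" ] || rm -f "$t_out"
  done <<EOF
$RULES
EOF
}

# make_sample_fw <dir>: constructed stand-in for an extracted firmware root.
make_sample_fw() {
  mkdir -p "$1/www/cgi-bin" "$1/etc" "$1/bin"
  # Constructed CGI script: calls out to a binary and uses SHA-1.
  printf '%s\n' '<?php' 'system("/usr/sbin/diag " . $arg);' \
    '$sig = sha1($body);' > "$1/www/cgi-bin/diag.php"
  # Constructed config with a placeholder key in AWS access-key-ID shape.
  printf '%s\n' 'region=eu-west-1' 'access_key=AKIAEXAMPLEKEY000000' \
    > "$1/etc/uploader.conf"
  # Binary file containing the string sha1: skipped because of grep -I.
  printf 'sha1\000\001\002' > "$1/bin/busybox"
}
```

Running `make_sample_fw` and then `triage` on the resulting directory leaves three files whose names sort by priority; the binary is left to tools meant for binaries.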

m-1-k-3 avatar m-1-k-3 commented on August 28, 2024 1

Hi @floyd-fuh, a first module using your grep-it rules is now included as s99 in this PR: #251

Give it a try ...


m-1-k-3 avatar m-1-k-3 commented on August 28, 2024

Hi @floyd-fuh, thank you for pointing this out again. We already talked about it ... probably on Twitter? It is on our internal to-do list, but currently we are working on different other areas.

Regarding the password hash search we are currently using two approaches:

Have you found something that these approaches are missing? If yes, which firmware and which tool have you used for identification of the hash automatically? Probably we can tweak our current modules.


keesj-exset avatar keesj-exset commented on August 28, 2024

I wonder if it could also provide some alternatives to shellcheck.


m-1-k-3 avatar m-1-k-3 commented on August 28, 2024

As far as I can see there are not a lot of *sh rules available: https://github.com/returntocorp/semgrep-rules/tree/develop/bash


m-1-k-3 avatar m-1-k-3 commented on August 28, 2024

grepit module merged.
