Analysis and Vulnerability Studies #1 with Ghidra

Publisher: Secunnix Editor

Published on: 2021-03-19

I wanted to write this article to do some analysis with Ghidra, a tool that has attracted a lot of interest lately, and to contribute to the new "Web Application" category without going into too much detail. The software examined today is the Lumenvox application. We will analyze its web interface with the help of Ghidra and try to exploit what we find.

After obtaining the files needed for the Lumenvox Linux installation, we can start working on the binaries once the product has been installed on CentOS.

As the screenshot above shows, the ELF binaries are placed under /usr/bin after installation. Since we are interested in the web interface, we copy lv_manager to our own machine and open it in Ghidra.

The initial view is as raw as the screenshot shows; from here we can start looking for the parameters of the interface that catch our attention.

The Lumenvox product's panel is open by default. After a short time we reach the page above, which we will analyze in depth in order to investigate its parameters. This page covers the general steps to be taken, backup operations and disk operations.

When we call the function named Run Diagnostic Tests, we get the administrative and related information that is set by default.

Backup Config To Disk is a function defined to store the existing settings; let's see how it works:

Ghidra's Defined Data window is an ideal way to pick out the defined parameters (strings) quickly. Let's look at the function we located from there (you can decompile it with the [CTRL+E] hotkey).

As can be seen above, the backup file name is built from the hostname, the string "config_bk" and the time. The resulting file is created with the directory and name "/etc/lumenvox/www/info/localhost._config_bk_2021-04-16-19". (See clsBackupConfigurationManger for the details and for how this was developed.)
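To check that reading of the naming scheme, here is an added example in C, not Lumenvox's own code, that builds the same path from a hostname and a timestamp and refuses to write a name that would not fit its buffer. The function name build_backup_path and the truncation check are my additions; the directory is taken from the sample path above.

```c
/* Added example, not code from lv_manager: reconstructs the backup file naming
 * the decompiled code appears to use (hostname + "_config_bk_" + timestamp) so
 * the reading can be checked against the sample path from the article. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define BACKUP_DIR "/etc/lumenvox/www/info"   /* directory from the article's sample path */

/* Build "<dir>/<hostname>._config_bk_<YYYY-MM-DD-HH>" into out.
 * Returns 0 on success, -1 if the result would not fit (no silent truncation). */
int build_backup_path(const char *dir, const char *hostname, const struct tm *when,
                      char *out, size_t out_len)
{
    char stamp[32];
    if (strftime(stamp, sizeof stamp, "%Y-%m-%d-%H", when) == 0)
        return -1;
    int n = snprintf(out, out_len, "%s/%s._config_bk_%s", dir, hostname, stamp);
    if (n < 0 || (size_t)n >= out_len)
        return -1;   /* would overflow a fixed buffer: refuse rather than truncate */
    return 0;
}

int main(void)
{
    /* Constructed timestamp matching the article's sample: 2021-04-16, hour 19 */
    struct tm t = {0};
    t.tm_year = 2021 - 1900; t.tm_mon = 3; t.tm_mday = 16; t.tm_hour = 19;
    char path[256];
    if (build_backup_path(BACKUP_DIR, "localhost", &t, path, sizeof path) == 0)
        puts(path);
    return 0;
}
```

With the sample hostname and time the function reproduces the path quoted above exactly, which is the quickest way to confirm that the format string recovered from the decompiler was read correctly.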

Send Report To Disk: let's move on to another function. Its working logic is to generate a report, save it to disk and keep it there. Let's see how it works in Ghidra;

The functions above first receive the values that come from the user (name, mail, etc.) and then send them to the server together with the added attachments. Let's read the code a bit;

In the decompiled code above, if the "Company" parameter does not satisfy the input requirement, the event is logged as "Missing Parameter" and the "Value" field indicates which parameter is missing. The value is read with mg_get_var (the form-variable accessor of the embedded Mongoose-family web server), and execution continues in the else branch if there was an error.

The sequence of images shows that the file is written to disk and that its content is processed during this write. Going further down the decompiled code block from the previous images, you will see that a temporary directory is created and that the temporary values processed in this directory are later deleted. The deletion is done with rmdir, and the variable passed to it is defined directly, without protection, and derived from the parameter, so it is possible to interfere with it.
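As an added example, not code from lv_manager, here is how the Send Report flow described above (read the request parameters, log a missing one, write the report into a temporary directory, delete it afterwards) can be written so that the directory handed to rmdir is never derived from request input. get_var() is a stand-in for mg_get_var(); the parameter names Company and Mail, the status codes and the is_safe_component check are assumptions.

```c
/* Added example, not Lumenvox code: a Send Report To Disk handler in which the
 * rmdir target comes from mkdtemp, not from the request. Parameter names,
 * status codes and helper names are assumptions for illustration. */
#define _XOPEN_SOURCE 700   /* for mkdtemp() */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum { REPORT_OK = 0, REPORT_MISSING_PARAM = 1, REPORT_BAD_PARAM = 2, REPORT_IO_ERROR = 3 };

/* Constructed stand-in for the parsed request body. */
struct param { const char *name; const char *value; };

/* Stand-in for mg_get_var(): copy the named variable into out.
 * Returns its length, -1 if the variable is absent, -2 if it does not fit. */
static int get_var(const struct param *p, size_t n, const char *name, char *out, size_t out_len)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(p[i].name, name) != 0) continue;
        size_t len = strlen(p[i].value);
        if (len >= out_len) return -2;
        memcpy(out, p[i].value, len + 1);
        return (int)len;
    }
    return -1;
}

/* A request value that becomes part of a path must be one plain name component:
 * no '/', no "." or "..", nothing outside [A-Za-z0-9._-]. */
static int is_safe_component(const char *s)
{
    if (*s == '\0' || strcmp(s, ".") == 0 || strcmp(s, "..") == 0) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_' && *s != '-' && *s != '.') return 0;
    return 1;
}

/* Handle "Send Report To Disk". The temp directory is created under base_dir;
 * its path is copied to used_dir so a caller can confirm it was removed again. */
int send_report(const struct param *p, size_t n, const char *base_dir,
                char *used_dir, size_t used_len)
{
    char company[64], mail[128];
    if (get_var(p, n, "Company", company, sizeof company) < 0) {
        fprintf(stderr, "Missing Parameter: Company\n");   /* mirrors the log seen in the decompiler */
        return REPORT_MISSING_PARAM;
    }
    if (get_var(p, n, "Mail", mail, sizeof mail) < 0) {
        fprintf(stderr, "Missing Parameter: Mail\n");
        return REPORT_MISSING_PARAM;
    }
    if (!is_safe_component(company))
        return REPORT_BAD_PARAM;   /* "../x" or "a/b" in Company never reaches the filesystem */

    /* The directory name is chosen by mkdtemp, so no request value can redirect rmdir. */
    char dir[512];
    if (snprintf(dir, sizeof dir, "%s/lv_report_XXXXXX", base_dir) >= (int)sizeof dir)
        return REPORT_IO_ERROR;
    if (mkdtemp(dir) == NULL)
        return REPORT_IO_ERROR;
    snprintf(used_dir, used_len, "%s", dir);

    char path[1024];
    snprintf(path, sizeof path, "%s/%s.txt", dir, company);
    FILE *f = fopen(path, "wx");   /* "x": fail instead of following or clobbering an existing file */
    int rc = REPORT_IO_ERROR;
    if (f != NULL) {
        fprintf(f, "company=%s\nmail=%s\n", company, mail);
        rc = (fclose(f) == 0) ? REPORT_OK : REPORT_IO_ERROR;
    }

    /* Clean-up removes exactly what this handler created, nothing else. */
    unlink(path);
    if (rmdir(dir) != 0)
        rc = REPORT_IO_ERROR;
    return rc;
}
```

The contrast with the decompiled handler is the source of the rmdir argument: here it is the mkdtemp result, so a request value can at most choose a file name inside that directory, and only after it has been reduced to a single plain path component.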
