Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call- 1310

Alex Plaskett - NCC Group. Posted 2 years ago.
  • The Sonos Era 100 speaker uses U-Boot for its early boot stages. U-Boot is a widely used open-source bootloader for embedded devices: it ships with a lot of functionality out of the box and is routinely customised per product. Sonos added a custom sonosboot command that loads the kernel image, verifies its signature, and then hands execution to the standard bootm command.
  • bootm reads several U-Boot environment variables for its configuration. To make sure only trusted values reach it, sonosboot writes those variables itself with setenv() right before calling bootm. However, the return value of that setenv() call is never checked. Can we abuse this?
  • Through the U-Boot console, or by editing the stored environment directly on the eMMC, an attacker controls these variables. Normally that would not matter, because sonosboot overwrites them before bootm runs. U-Boot, however, lets environment variables be marked read-only through the special .flags variable: set bootargs=something, then set .flags=bootargs:sr (s for string type, r for read-only access). From then on, any further setenv() write to bootargs fails.
  • So the attacker sets whichever variables they want, marks them read-only so that the setenv() call in sonosboot fails silently, and the attacker's values survive into bootm. The authors did this with the initrd variable to point bootm at an attacker-controlled initramfs image, hijacking the boot process even though the kernel image itself had passed its signature check.
  • I really enjoy vulnerabilities that result in things failing in weird ways like this. Not handling errors can have devastating consequences even when it seems impossible that something would fail. Good article!
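A toy C model of the failure mode described in the bullets above, added here as an illustration; it is not code from the NCC Group post, from Sonos firmware, or from U-Boot. The environment store, the .flags parsing (only the read-only access flag is modelled), the variable name initrd, the load addresses and the two sonosboot_* routines are all assumptions made for the example. U-Boot's real env_set()/setenv() and .flags handling are more involved, but the contract shown here is the one that matters: the write returns non-zero when the variable is read-only, and a caller that ignores that return value boots with whatever the attacker left in the environment.

```c
/* Toy model of U-Boot-style environment flags and an unchecked setenv().
 * Added example, not Sonos or U-Boot code; names and addresses are assumed. */
#include <stdio.h>
#include <string.h>

#define MAX_VARS 16
#define KEY_LEN 32
#define VAL_LEN 128

struct env_var { char key[KEY_LEN]; char val[VAL_LEN]; };
static struct env_var env[MAX_VARS];
static int env_count;

void env_reset(void) { env_count = 0; }

static struct env_var *env_find(const char *key) {
    for (int i = 0; i < env_count; i++)
        if (strcmp(env[i].key, key) == 0) return &env[i];
    return NULL;
}

const char *env_get(const char *key) {
    struct env_var *v = env_find(key);
    return v ? v->val : NULL;
}

/* Mirrors the U-Boot ".flags" convention: comma-separated "name:flags"
 * entries, where an access flag 'r' marks that variable read-only. */
int env_is_readonly(const char *key) {
    const char *flags = env_get(".flags");
    char buf[VAL_LEN];
    if (!flags) return 0;
    snprintf(buf, sizeof buf, "%s", flags);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        char *colon = strchr(tok, ':');
        if (!colon) continue;
        *colon = '\0';
        if (strcmp(tok, key) == 0 && strchr(colon + 1, 'r')) return 1;
    }
    return 0;
}

/* Same contract as U-Boot env_set()/setenv(): 0 on success, non-zero on
 * failure. A write to a read-only variable fails. */
int env_set(const char *key, const char *val) {
    struct env_var *v;
    if (env_is_readonly(key)) return -1;
    v = env_find(key);
    if (!v) {
        if (env_count >= MAX_VARS) return -1;
        v = &env[env_count++];
        snprintf(v->key, KEY_LEN, "%s", key);
    }
    snprintf(v->val, VAL_LEN, "%s", val);
    return 0;
}

/* Attacker's preparation via the U-Boot console or a direct eMMC edit:
 * plant the value first, then pin it read-only (string type, read-only). */
void attacker_prepare_env(void) {
    env_set("initrd", "0x90000000");   /* assumed attacker-controlled initramfs */
    env_set(".flags", "initrd:sr");
}

/* Vulnerable pattern: the trusted value is written but the return value is
 * ignored, so bootm consumes whatever is actually in the environment. */
const char *sonosboot_unchecked(void) {
    env_set("initrd", "0x80000000");   /* assumed verified initramfs address */
    return env_get("initrd");          /* value handed to bootm */
}

/* Hardened pattern: a trusted variable that cannot be pinned aborts the boot. */
const char *sonosboot_checked(void) {
    if (env_set("initrd", "0x80000000") != 0)
        return NULL;                    /* refuse to call bootm */
    return env_get("initrd");
}

int main(void) {
    env_reset();
    printf("clean boot:     initrd=%s\n", sonosboot_unchecked());
    env_reset();
    attacker_prepare_env();
    printf("unchecked boot: initrd=%s\n", sonosboot_unchecked());
    printf("checked boot:   %s\n", sonosboot_checked() ? "booted" : "aborted");
    return 0;
}
```

The ordering in attacker_prepare_env() is the whole trick: the attacker's write to initrd happens before the read-only flag is applied, and only the bootloader's later write is blocked. Checking the return value is the minimal fix; a stronger one is to not depend on writable environment state for trusted boot parameters at all.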