Reversing ArubaOS Firmware and Licensing
References
- 一种获取 FortiGate 权限的方法 & License 授权分析 - CataLpa: This blog post reverse-engineered the FortiGate firmware and licensing mechanism, and published a tool to generate the license keys.
- Reversing ArubaOS Firmware - SerializingMe: This blog post explores the ArubaOS firmware using Binwalk, but it doesn’t go into the details.
- Aruba Authentication Bypass / Insecure Transport / Tons Of Issues ≈ Packet Storm: This blog post published a collection of vulnerabilities in ArubaOS, including arbitrary modification of
/etc/ntp.conf
, static password of privileged “support” account and hardcoded “arubasecretadmin” account in/etc/passwd
. The most important part is:- It says the IV required for 3DES consists of 8
random bytes, and is stored as the first 8 byte of the encrypted password, which may also be used in ArubaOS for lisensing mechanism, I guess. - It leaked the hardcoded 3DES key in the firmware.
- It says the IV required for 3DES consists of 8
- Remote Code Execution in Aruba Mobility Controller (ArubaOS) - CVE-2018-7081: This blog post describes simulating the ArubaOS in QEMU and intercepting the communication of PAPI.
Exploration
By chance, I obtained a brand new Aruba 650 controller with full licenses, at a few years ago with an irresistible price. The licensing mechanism is complete off-line, which means that all necessary information is hashed/encoded as a part of the license key, including the serial number, feature set, expiration date, and so on.
- Device serial number:
AR00XXXXX
- License:
XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXX
- Length with hyphens: 48
- Length without hyphens: 43
- Length of license without hyphens in base64: 64
1 | filename: ArubaOS_6xx_6.4.4.25_79899 |
By simply running binwalk -re --dd=".*" ArubaOS_6xx_6.4.4.25_79899
, we can extract the firmware from the image.
1 | DECIMAL HEXADECIMAL DESCRIPTION |
Then, do the same thing for the extracted ELF file 200
: binwalk -e 200
, now we obtained a compressed file 5B4000.7z
. On Windows 10, we can use Bandizip to extract it, and we got a core_image_files.tar
, which is the root filesystem of the ArubaOS. This step seems cannot be done on macOS, for unknown reasons. The file tree is attached.
As for its name, core_image_files/mswitch/bin/licensemgr
, it seems to be the license manager of the ArubaOS. Based on the existing knowledge and with the help of ChatGPT, we can perform deobfucation to some extent.
1 | filename: licensemgr |
By looking into IDA, we have the pseudo code as follows:
1 | _BYTE *__fastcall _license_user_to_base64(char *a1, int a2) |
With the help of ChatGPT, we obtained the following deobfuscated code, with some comments generated by ChatGPT as well:
1 | // Function to convert a string to base64 with certain conditions |
So basically, it removes the hyphens from the input string, and adds padding for making it as a valid base64 string. By checking XREF information, we can found that this function is called by _license_decrypt_bundle_key
, _license_decrypt_feature_key
and _license_decrypt_platform_key
.
Let’s focus on _license_decrypt_bundle_key
first, it first calls _license_user_to_base64
to convert the input string to base64, then calls _license_str_to_byte
to convert the base64 string to byte array and check format validity, and finally calls _license_decrypt
to decrypt the byte array.
1 | license_decrypt((int)licenseInBytes, lic_b64_length_int_64 / 2, (int)output, 51) |
Since then I stucked, the _license_base64_dec
is so complicated.