emba v1.3 releases: analyzer for Linux-based firmware of embedded devices

emba, an analyzer for Linux-based firmware of embedded devices

Why?

emba is being developed as a firmware scanner that analyses already-extracted Linux-based firmware images. It should help you to identify and focus on the interesting areas of a huge firmware image. Although emba is optimized for offline firmware images, it can test both, live systems and extracted images. Additionally, it can also analyze kernel configurations. emba is designed to assist a penetration tester. It is not designed as a standalone tool without human interaction. emba is designed to give as much information as possible about the firmware. The tester can decide on the areas to focus on and is always responsible for verifying and interpreting the results.

How to use it?

Before starting, check that all dependencies are met and use the installer.sh script: ./emba.sh -d or ./emba.sh -d -F

Arguments:

Test firmware / live system

-a [MIPS]         Architecture of the linux firmware [MIPS, ARM, x86, x64, PPC]

-A [MIPS]         Force Architecture of the linux firmware [MIPS, ARM, x86, x64, PPC] (disable architecture check)

-l [./path]       Log path

-f [./path]       Firmware path

-e [./path]       Exclude paths from testing (multiple usage possible)

-m [MODULE_NO.]   Test only with set modules [e.g. -m p05 -m s10 ... ]]

                  (multiple usage possible, case insensitive, final modules aren't selectable, if firmware isn't a binary, the p modules won't run)

-c                Enable cwe-checker

-g                Create grep-able log file in [log_path]/fw_grep.log

                  Schematic: MESSAGE_TYPE;MODULE_NUMBER;SUB_MODULE_NUMBER;MESSAGE

-E                Enable automated qemu emulation tests (WARNING this module could harm your host!)

-D                Run emba in docker container

-i                Ignore log path check



Dependency check

-d                Only check dependencies

-F                Check dependencies but ignore errors



Special tests

-k [./config]     Kernel config path



Modify output

-s                Print only relative paths

-z                Add ANSI color codes to log



Firmware details

-X [version]      Firmware version (double quote your input)

-Y [vendor]       Firmware vendor (double quote your input)

-Z [device]       Device (double quote your input)

-N [notes]        Testing notes (double quote your input)



Help

-h                Print this help message

Examples

Static firmware testing:

• Extract the firmware from an update file or from flash storage with binwalk or something else
• Execute emba with set parameters, e.g.

sudo ./emba.sh -l ./logs/arm_test -f ./firmware/arm_firmware/

• Path for logs and firmware path is necessary for testing successfully (WARNING: emba needs some free disk space for logging)
• The architecture will be detected automatically; you can overwrite it with -a [ARCH]
• Use -A [ARCH] if you don’t want to use auto-detection for architecture
• emba currently supports the following architectures: MIPS, ARM, PPC, x86, and x64

Live testing:

For testing live system with emba run it as if you were testing static firmware, but with / as firmware path:

sudo ./emba.sh -l ./logs/local_test -f /

• Path for logs and firmware path are necessary for testing successfully
• Architecture will be detected automatically; you can overwrite it with -a [ARCH]
• Use -A [ARCH] if you don’t want to use auto detection for architecture
• The paths /proc and /sys will be automatically excluded
• It improves output and performance, if you exclude docker
  -e /var/lib/docker

Test kernel config:

Test only a kernel configuration with the kernel checker of checksec:

sudo ./emba.sh -l ./logs/kernel_conf -k ./kernel.config

• If you add -f ./firmware/x86_firmware/, it will ignore -k and search for a kernel config inside the firmware

Good to know:

• sudo is necessary for some modules to run properly
• Currently only tested on Kali Linux(2020.4)
• emba needs some free disk space for logging
• emba uses well-known tools like objdump, LinEnum, checksec, linux-exploit-suggester.sh, cwe-checker
• emba includes multiple modules of the well known Linux analyser Lynis

Changelog v1.3

• Exit of add_partition in L10 by @m-1-k-3 in #430
• log dir on dep check by @m-1-k-3 in #428
• Nikto dep fix by @m-1-k-3 in #429
• cwe-checker install latest master by @m-1-k-3 in #431
• Further trickest blacklist entries by @m-1-k-3 in #432
• Freetzng-fix by @BenediktMKuehne in #433
• update sub-shell pwd fix by @BenediktMKuehne in #435
• Add Packetstorm and Snyk PoC sources by @m-1-k-3 in #434
• Full install fixes by @m-1-k-3 in #436
• s115 – empty log handling by @m-1-k-3 in #438
• Minimal cve-search installation / Dependency issues by @m-1-k-3 in #442
• blacklist update by @m-1-k-3 in #441
• Introducing module_wait helper function by @m-1-k-3 in #439
• Fix dependencies by @m-1-k-3 in #445
• Code cleanup – comments by @m-1-k-3 in #446
• Copyright updates 2023 by @m-1-k-3 in #447
• Kernel downloader and vulnerability verifier by @m-1-k-3 in #451
• cron job fix by @m-1-k-3 in #453
• L10 improvements, more services by @m-1-k-3 in #454
• Kernel config analysis by @m-1-k-3 in #455
• Update the known exploit behaviour by @m-1-k-3 in #458
• example disable profile by @m-1-k-3 in #457
• Refactoring by @m-1-k-3 in #462
• exploit databases updated by @m-1-k-3 in #466
• S12 – checksec implementation fix by @m-1-k-3 in #463
• Improve stop of system emulation by @m-1-k-3 in #465
• Hexagon support by @m-1-k-3 in #467
• Lighttpd analysis module by @m-1-k-3 in #469
• s08 safe_echo fix by @m-1-k-3 in #470
• p35 – true to not fail, s26 – check for files by @m-1-k-3 in #471
• JTR crack multiple hash types by @m-1-k-3 in #473
• deprecated -l option by @m-1-k-3 in #476
• s36 fixes, renamed p61 by @m-1-k-3 in #477
• System emulator improvements by @m-1-k-3 in #478
• Respect module blacklist in waiting state / Installer fix by @m-1-k-3 in #479
• Exploit database update, debug mode, command line tests by @m-1-k-3 in #481
• Add wordlist mechanism to s109 by @m-1-k-3 in #482
• csv export of p59, p60 and p70 by @m-1-k-3 in #483
• disk space monitor, rpm package analysis by @m-1-k-3 in #485
• Improve output of help command by @m-1-k-3 in #492
• Setup further workflows by @m-1-k-3 in #490
• Remove timezone setting by @m-1-k-3 in #494
• Refactor, PID log, Github actions, APKHunt by @m-1-k-3 in #495
• Packetstorm database update by @github-actions in #498
• Snyk database update by @github-actions in #497
• Metasploit database update by @github-actions in #496
• Improve restart EMBA analysis feature by @m-1-k-3 in #499
• Fix install with pip v23+ by @m-1-k-3 in #500
• Another PIPv23 fix by @m-1-k-3 in #501
• return if empty by @m-1-k-3 in #502
• Input validation by @m-1-k-3 in #505
• Check for update setting by @m-1-k-3 in #504
• Routersploit update workflow by @m-1-k-3 in #503
• Dependency checker, workflow by @m-1-k-3 in #506
• Metasploit database update by @github-actions in #509
• Snyk database update by @github-actions in #510
• CISA known exploited database update by @github-actions in #512
• Packetstorm database update by @github-actions in #514
• System emulation improvements, workflow by @m-1-k-3 in #515
• CVE state message printing by @m-1-k-3 in #518
• Packetstorm database update by @github-actions in #528
• Snyk database update by @github-actions in #527
• CISA known exploited database update by @github-actions in #525
• Routersploit database update by @github-actions in #524
• Metasploit database update by @github-actions in #523
• Trickest PoC database update by @github-actions in #526
• Input adjustment by @m-1-k-3 in #529
• version validation by @m-1-k-3 in #530
• PATH variable bug by @m-1-k-3 in #531
• EMBA v1.2.2 – Blue Hat edt. by @m-1-k-3 in #532
• Sponsoring issues by @m-1-k-3 in #534
• Metasploit database update by @github-actions in #536
• Snyk database update by @github-actions in #539
• CISA known exploited database update by @github-actions in #537
• Packetstorm database update by @github-actions in #540
• L25 improvements / multiple little fixes by @m-1-k-3 in #535
• L10 module improvements by @m-1-k-3 in #543
• Metasploit database update by @github-actions in #545
• Snyk database update by @github-actions in #547
• Packetstorm database update by @github-actions in #548
• New version strings (Flex and NBTscan) by @HoxhaEndri in #549
• L10 improvement round x by @m-1-k-3 in #550
• links in templates by @m-1-k-3 in #555
• Freetz extraction module deprecated by @m-1-k-3 in #554
• fix for #551 by @m-1-k-3 in #553
• Testing workflows by @BenediktMKuehne in #541
• Packetstorm database update by @github-actions in #563
• Snyk database update by @github-actions in #562
• CISA known exploited database update by @github-actions in #560
• Metasploit database update by @github-actions in #559
• Improve web crawler (L25) by @m-1-k-3 in #557
• Updated installer.sh for “ubuntu debian” /etc/os-release and new version string by @HoxhaEndri in #552
• SNMP module improvements by @m-1-k-3 in #565
• Remove warning apt-key is deprecated by @HoxhaEndri in #564
• update entropy output by @BenediktMKuehne in #566…

Install & Tutorial

Copyright (C) 2020 emba