Decrypt LOL
MIPS Architecture Development Discontinued; Vulnerabilities Identified

Quick take - The MIPS architecture, a 32-bit RISC processor developed in the 1980s and discontinued in 2021, remains prevalent in embedded systems despite its vulnerabilities, prompting ongoing interest in exploitation techniques for security research.

Fast Facts

  • MIPS architecture, a 32-bit RISC processor, was developed in the 1980s and widely used in embedded systems and consumer electronics before its development was discontinued in 2021 by Wave Computing.
  • Many MIPS CPUs remain operational in devices that often lack basic memory corruption protections such as ASLR and NX, which makes memory corruption bugs in them much easier to exploit.
  • A MIPS32 QEMU image (“mipsel_stretch.zip”) is available for experimentation, allowing users to run a simulated MIPS environment and disable ASLR.
  • Exploitation techniques for MIPS include identifying stack-based buffer overflow vulnerabilities, generating cyclic patterns to determine offsets, and using reverse shell shellcode while avoiding bad characters.
  • Despite the discontinuation of MIPS development, understanding its vulnerabilities and exploitation techniques is vital for security research, given its ongoing use in various embedded systems.

Overview of MIPS Architecture

The MIPS (Microprocessor without Interlocked Pipeline Stages) architecture is a 32-bit Reduced Instruction Set Computing (RISC) processor architecture. It was developed in the 1980s by MIPS Computer Systems, which was later acquired by Silicon Graphics. MIPS processors have been widely used in embedded systems, networking hardware, and consumer electronics. Development of the architecture was officially discontinued in 2021 by Wave Computing, the owner of MIPS at the time, which has since shifted its focus to RISC-V based designs.

Vulnerabilities in MIPS Systems

Despite the discontinuation of MIPS development, many MIPS CPUs remain in service in embedded devices. These devices frequently ship with common memory corruption protections disabled: Address Space Layout Randomization (ASLR) and Non-Executable (NX) memory are often not enabled, which makes memory corruption bugs in such systems far easier to exploit than on a hardened platform.

For those interested in experimentation or exploitation on MIPS architecture, a MIPS32 (little endian) QEMU image is available, named “mipsel_stretch.zip.” To run the QEMU system, users need to execute a script named “start.sh.” Accessing the QEMU menu requires users to press CTRL+A, release both keys, and then press ‘C’. ASLR can be disabled in the QEMU image using specific commands, which need to be reapplied after each reboot.

Exploiting MIPS Vulnerabilities

The practical scenario uses a target application with a simple, deliberate flaw: it reads up to 1000 characters of user input with fgets and stores them in a 32-byte stack buffer. Any input longer than the buffer therefore overwrites adjacent stack data, making the application susceptible to a stack-based buffer overflow.

To exploit this vulnerability, one first generates a cyclic pattern with Metasploit to determine the offset at which the Program Counter (PC) is overwritten. The PC is found to contain the value 0x41326241, which corresponds to an offset of 36 bytes into the input. Examining the stack pointer in the debugger shows where the input lands on the stack; the address noted in the write-up is 0x7fffecdc.

Identifying bad characters is a crucial step. This is done by writing a file containing every byte value from 0x01 to 0xff (0x00 is excluded from the start), feeding it to the program under GDB (GNU Debugger), and inspecting the buffer in memory to see which bytes were altered or truncated. The search is iterative: each bad character found is removed from the test input before the next run.

Exploit creation uses reverse shell shellcode generated with MSFVenom, with the known bad characters excluded at generation time. On MIPS32 a plain NOP encodes as all zero bytes, so a conventional NOP sled is not an option when 0x00 is a bad character. Instead, an instruction that harmlessly modifies an unused register is used as filler, such as incrementing the $s0 register; its hexadecimal encoding can be obtained from an online assembler.

Successful exploitation requires combining all of these components into a complete exploit. Running the exploit within GDB may yield a shell, while running it outside of GDB may only crash the application, because the stack layout differs between the two. To debug this, the ulimit command can be used to ensure that core dumps are collected for analysis. Reviewing the core dump may show that the address placed in PC points into the padding of 'A' characters rather than into the shellcode, in which case the exploit must be adjusted; using a different address, such as 0x7fffed10, can help avoid NULL bytes.
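The offset-finding and bad-character steps above, as an added example that is not from the original write-up or its author: a small Python re-implementation of the Metasploit pattern_create/pattern_offset logic, plus the byte comparison used in the bad-character search and the null-byte check applied when choosing an address. The PC value 0x41326241 and the address 0x7fffed10 come from the article; the "observed" buffer contents are constructed, and the function names are this example's own.

```python
import string
import struct

def pattern_create(length):
    """Metasploit-style cyclic pattern (Upper-lower-digit triplets): every
    4-byte window is unique, so a register value maps to one offset."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)

def pattern_offset(value, length=1000):
    """Map a crashed register value (e.g. PC = 0x41326241) back to its offset.
    MIPS is bi-endian, so both byte orders are tried; (-1, None) if absent."""
    pat = pattern_create(length)
    for fmt, name in (("<I", "little"), (">I", "big")):
        idx = pat.find(struct.pack(fmt, value & 0xFFFFFFFF))
        if idx != -1:
            return idx, name
    return -1, None

def badchar_test_bytes(exclude=(0x00,)):
    """Bad-character test input: every byte value once, minus known-bad ones."""
    return bytes(b for b in range(256) if b not in exclude)

def first_corrupted(sent, observed):
    """Compare bytes sent with what GDB shows in the buffer; return the first
    value that did not survive (altered or truncated), or None if all arrived."""
    for s, o in zip(sent, observed):
        if s != o:
            return s
    return sent[len(observed)] if len(observed) < len(sent) else None

def addr_has_bad_byte(addr, bad=(0x00,)):
    """True if the little-endian (mipsel) encoding of addr contains a bad byte;
    the check applied when choosing a return address such as 0x7fffed10."""
    return any(b in bad for b in struct.pack("<I", addr))

if __name__ == "__main__":
    print(pattern_offset(0x41326241))        # (36, 'little')
    sent = badchar_test_bytes()
    # Constructed view of the buffer in GDB: bytes from 0x0a onward were lost.
    seen = sent[:9] + b"\x00" * (len(sent) - 9)
    print(hex(first_corrupted(sent, seen)))  # 0xa
    print(addr_has_bad_byte(0x7fffed10))     # False
```

The little-endian match is the point for mipsel: the same register value searched in big-endian order is not found, which is the first thing to check when pattern_offset reports no match on a MIPS target.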

While the MIPS architecture is no longer under active development, its historical significance remains. The continued use of MIPS in embedded systems highlights the importance of understanding its vulnerabilities. Techniques for exploiting these vulnerabilities are crucial for security research and development.

Original Source: Read the Full Article Here