
Investigating Roskomnadzor's "Revizor"

Revizor, a hardware and software complex that monitors whether providers block access to the sites in the registry, began in October 2015, when MFI Soft, the same company that makes SORM equipment, won the tender for software development for 84 million rubles. Under the terms of the tender, the developer had to deliver working software for Windows and Linux and 700 hardware "Agents" by December 12, 2015, in just 2.5 months, and it seems everything was ready a couple of weeks before the deadline. Already at the beginning of December, providers were asked, on a voluntary-compulsory basis, to install one of three variants of Revizor: a VMware virtual machine image based on OpenWRT 14.07, a Windows service, or a hardware "Agent", which was a TP-Link MR3020 router with OpenWRT and the necessary software installed on it. Many providers refused to install the complex because it was not certified and any harm would fall on them alone; others simply were not given a device and had to install the software version.

So, I have in my hands the latest version of the VMware image and the EXE file of Revizor. Let's see what's inside!

VM Image Investigation

First of all, I converted the image to RAW so that I could simply mount it without running it in a virtual machine. For this, qemu has a wonderful utility, qemu-img, which can convert all popular virtual machine image formats to each other:
$ qemu-img convert -O raw ra-wrt-x86-disk1.vmdk rev-clean.raw
Then I used kpartx from multipath-tools to create device maps for the partitions in the raw image:
$ sudo kpartx -a rev-clean.raw
The image contains two partitions, ext2 and ext4:
                         Disk: /dev/loop1
          Size: 52.5 MiB, 55050240 bytes, 107520 sectors
                Label: dos, identifier: 0x00000000

    Device         Boot    Start     End  Sectors  Size  Id Type
>>  /dev/loop1p1   *         512    8703     8192    4M  83 Linux  
    /dev/loop1p2            9216  107519    98304   48M  83 Linux
— , /boot. Grub2 . .
OpenWRT. OpenWRT? — !
2014-04-10+18:34:34.0000000000  ./lib/firmware/rtl_nic/rtl8105e-1.fw
2014-04-10+18:34:34.0000000000  ./lib/firmware/rtl_nic/rtl8106e-1.fw
2014-04-10+18:34:34.0000000000  ./lib/firmware/rtl_nic/rtl8106e-2.fw
2014-04-10+18:34:34.0000000000  ./lib/firmware/rtl_nic/rtl8168d-1.fw
…
2014-09-16+23:45:16.0000000000  ./lib/netifd/netifd-proto.sh
2014-09-16+23:45:16.0000000000  ./lib/netifd/netifd-wireless.sh
2014-09-16+23:45:16.0000000000  ./lib/netifd/utils.sh
2014-09-21+14:46:54.0000000000  ./bin/ipcalc.sh
…
2015-10-23+12:04:49.0000000000  ./bin/revizor_postboot
2015-10-23+12:04:49.0000000000  ./bin/revizor_postupdate
2015-10-23+12:04:49.0000000000  ./dev
2015-10-23+12:04:49.0000000000  ./dev/console
2015-10-23+12:04:49.0000000000  ./etc/agent_id
2015-10-23+12:04:49.0000000000  ./etc/config/dropbear
2015-10-23+12:04:49.0000000000  ./etc/dropbear/dropbear_dss_host_key
2015-10-23+12:04:49.0000000000  ./etc/dropbear/dropbear_rsa_host_key
2015-10-23+12:04:49.0000000000  ./etc/opkg.conf
2015-10-23+12:04:49.0000000000  ./etc/shadow
2015-10-23+12:04:49.0000000000  ./etc/shells
2015-10-23+12:04:49.0000000000  ./etc/ssl
2015-10-23+12:04:49.0000000000  ./etc/ssl/certs
2015-10-23+12:04:49.0000000000  ./etc/ssl/certs/revizor_opkg.crt
2015-10-23+12:04:49.0000000000  ./root
2015-10-23+12:04:49.0000000000  ./root/.ssh
2015-10-23+12:04:49.0000000000  ./root/.ssh/id_rsa
2015-10-23+14:49:17.0000000000  ./etc/crontabs
2015-10-23+14:49:17.0000000000  ./etc/crontabs/root
2015-10-23+14:49:17.0000000000  ./etc/revizor_server
2015-10-29+14:27:19.0000000000  ./bin/revizor_boot
2015-10-29+14:27:19.0000000000  ./etc/config/network
2015-10-29+14:27:19.0000000000  ./etc/netfallback.conf
2015-10-29+14:27:19.0000000000  ./etc/rc.local
2015-11-03+15:43:21.0000000000  ./etc/init.d/dropbear
2015-11-03+15:43:21.0000000000  ./usr/lib/opkg/info/dropbear.conffiles
2015-11-03+15:43:21.0000000000  ./usr/lib/opkg/info/dropbear.control
2015-11-03+15:43:21.0000000000  ./usr/sbin/dropbear
2015-11-03+17:05:22.0000000000  ./bin/admin/admsrv
2015-11-03+17:05:22.0000000000  ./bin/revizor_logger
2015-11-03+17:05:22.0000000000  ./bin/revizor_preboot
2015-11-03+17:05:22.0000000000  ./etc/passwd
2015-11-09+17:10:52.0000000000  ./bin
2015-11-09+17:10:52.0000000000  ./bin/admin/admcli
2015-11-09+17:10:52.0000000000  ./bin/revizor_updater
2015-11-09+17:10:52.0000000000  ./etc/config
2015-11-09+17:10:52.0000000000  ./etc/config/system
2015-11-09+17:10:52.0000000000  ./etc/dropbear
2015-11-09+17:10:52.0000000000  ./etc/dropbear/authorized_keys
2015-11-09+17:10:52.0000000000  ./etc/inittab
2015-11-13+12:06:31.0000000000  ./bin/admin/netfallback
2015-11-16+15:31:23.0000000000  ./bin/admin
2015-11-16+15:31:23.0000000000  ./bin/admin/pwd-sh
2016-02-09+11:09:52.0000000000  ./etc
2016-02-09+11:09:52.0000000000  ./etc/revizor_firmware_version
2016-02-09+11:09:53.0000000000  ./bin/ash
2016-02-09+11:09:53.0000000000  ./bin/cat
2016-02-09+11:09:53.0000000000  ./bin/chgrp
…
: 23 , , , , 16 , 9 .

, , — /etc/rc.local:
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

/bin/admin/admsrv &
/bin/admin/netfallback &
/bin/revizor_boot &
exit 0
/bin/admin/admsrv admin /etc/agent_id, ( DICK-BUTT-I386), , MD5, 12 , . /etc/agent_id — 28 , 80×24. , , - Shift+PgUp/PgDown. SSH- (dropbear) 2222, , 2 .
#!/bin/sh

sleep 2
chmod a+rw /etc/opkg.conf
chmod a+rw /etc/netfallback.conf

ADMIN_PORT=2222
ADMIN_TIMEOUT=120

read ADMIN_PWD </etc/agent_id
if [ ! -z ADMIN_PWD ]; then
  ADMIN_PWD=`echo $ADMIN_PWD | tail -c +2 | md5sum | head -c 12`
  if [ ! -z ADMIN_PWD ]; then
    echo "admin password: $ADMIN_PWD" | revizor_logger
    echo -e "$ADMIN_PWD\n$ADMIN_PWD" | passwd admin
  fi
fi

/usr/sbin/dropbear -F -p 0.0.0.0:$ADMIN_PORT -n -K 30 -I 300 &
PID=$!

sleep $ADMIN_TIMEOUT
kill -9 $PID

/bin/admin/netfallback — 5 IP- DHCP-, 192.168.0.254, 30 , DHCP- IP-.
/bin/revizor_boot opkg.conf, cron, 15 . .
#!/bin/sh

if [ ! -f /rom/etc/opkg.conf ]; then
  read REVIZOR_SERVER </etc/revizor_server
  if [ -z "$REVIZOR_SERVER" ]; then
    REVIZOR_SERVER="revizor.mfisoft.ru"
  fi

  mkdir -p /rom/etc
  OPKG_CFG=`cat /etc/opkg.conf | grep -v '^src revizor '`
  echo "$OPKG_CFG" > /rom/etc/opkg.conf
  echo "src revizor https://$REVIZOR_SERVER/updates/openwrt-x86/common" >> /rom/etc/opkg.conf
  cp -f /rom/etc/opkg.conf /etc/opkg.conf
fi

rm -f /usr/lib/opkg/lock
/bin/revizor_preboot

sleep 2
/bin/revizor_updater -f /rom/etc/opkg.conf

/etc/init.d/cron start
/bin/revizor_postboot

/bin/revizor_preboot /bin/revizor_postboot .

/bin/admin/pwd-sh, - ( /etc/inittab tty1 ttyS0), — SSH- localhost. , OpenWRT , , , . , root-, Enter . , getty, , getty . , - , getty, SSH, SSH- . , , - root, , SSH- .

admin /bin/admin/admcli, :
system reboot
system resetfs
system update
log
info
ifconfig
route
arp
ping
nslookup
traceroute
net proxy clear
net proxy set
net fallback
« », opkg:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12303214825491704792 (0xaabdccb2d4c0abd8)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=RU, ST=Russia, O=MFISOFT
        Validity
            Not Before: Oct 21 10:21:46 2015 GMT
            Not After : Aug  5 10:21:46 2289 GMT
        Subject: C=RU, ST=Russia, O=MFISOFT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                F6:F9:BB:39:1B:20:4F:B4:11:B5:CE:EA:C2:F5:95:DB:24:DB:49:53
            X509v3 Authority Key Identifier: 
                keyid:F6:F9:BB:39:1B:20:4F:B4:11:B5:CE:EA:C2:F5:95:DB:24:DB:49:53

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

SSH , :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCAxFzEe20FUIegQ8p25S/b1SIhVi0XTWZtLDF7FLpMsoxi+JhgzoVEwmCIpoQ9c5Flid0jiqKCVhnm8GRe+qjkxibAOa8WlfiQ16eapqA0Dd6laFW4RzTTiinebPRlLJBsj8xGhrvf4lsKXng5+ZDWXnrz7pICbh62U7MYNEpOuy9x4P4285Xq9ccIuCrCAS8rZ4TdFdzeM+270asIQB/vsQ2joJ1vNn3WzdISmRepknR4eTo6H881vHAiWVTpGioXssvOGyLYfqn0rqVECC9/tknV0hQJP+iYU3mov4+JYvRVa+5m1DLD0Nj0QWKFXl79VNxstwyOt6RDvQrhlxNB root@revizor-agent
?

!

, . :
n01.rfc-revizor.ru/updates/openwrt-x86/common/Packages

, «revizor»:
Package: revizor
Version: 1.2.2-34720
Depends: libc, libstdcpp, libpthread, libpcre, libopenssl
Section: utils
Architecture: x86
MD5Sum: 0afc31c21b785690ca38a89d24d749ed
Size: 322098
Filename: revizor_1.2.2-34720_x86.ipk
Source: package/revizor
Description: revizor agent
!
n01.rfc-revizor.ru/updates/openwrt-x86/common/revizor_1.2.2-34720_x86.ipk

IPK .tar.gz DEB-. abelyak.
ELF-: revizor-crypto urlcheck. , , , , , . , , , .

urlcheck. C++, , libevent OpenSSL-, :

IPv6 .

Lens, , JSON-RPC, URL n01.rfc-revizor.ru/rpclens. Lens «», . , , . - , ya.ru, google.ru, cbr.ru, gov.ru, hotlog.ru, kremlin.ru, onf.ru, ria.ru, rostelecom.ru, kp.ru, URL . -. - , , , SSH- Socks5-, urlcheck, curl, , wkhtmltoimage.
, , , , , DNS-.

!

API HTTPS, , GeoTrust, , , « », . , : TP-Link MR3020 4 , x86 .
mitmproxy!

SetMyParams, , 4 .
POST /rpclens HTTP/1.1
Host:            n01.rfc-revizor.ru
Connection:      close
Content-Length:  176

{"method":"SetMyParams","params":{"version":"WRT-1.2.2.34720","traf":{"duration":3600,"bytes_in":24055,"bytes_out":32636}},"id":"DICK-BUTT-I386---1AE822EF40","session_id":1488}


Server:                  nginx
Date:                    Mon, 01 Apr 2016 12:34:56 GMT
Content-Type:            text/html
Transfer-Encoding:       chunked
Connection:              keep-alive
X-Powered-By:            PHP/5.2.6
X-Frame-Options:         SAMEORIGIN
X-Content-Type-Options:  nosniff

{"jsonrpc":"2.0","result":{"status":"done"},"id":"DICK-BUTT-I386---1AE822EF40"}

GetMyTasks, - . :
{"method":"GetMyTasks","params":"","id":"DICK-BUTT-I386---1AE822EF40","session_id":1488}

{"jsonrpc":"2.0","result":{"tasks":[{"id_task":"493629","id_task_meta":null,"type":"check","priority":"1","checklist":"own","checklist_count":"2","params":"{\"checklist\":{\"group_id\":1,\"records\":{\"records_type\":2},\"requests\":{\"get\":1,\"post\":0,\"use_dns\":1,\"check_escaped\":0,\"add_slashes\":0,\"add_dot\":0,\"randomize\":0,\"report_success\":0,\"max_redirects\":5,\"use_dns_only\":1,\"all_resolved_ips\":0},\"screenshots\":{\"fail_screenshots\":1,\"skip_if_protocol_exist\":0,\"skip_if_exists_hours\":null,\"skip_if_over\":null,\"only_200\":1,\"skip_3xx\":null}}}","status":"CREATED","completion":null,"result":null,"pass":null,"fail":null,"passed_items":null,"failed_items":null,"id_creator":"WWW-ANUS-PYOS","id_lens":"DICK-BUTT-I386---1AE822EF40","ts_create":"1461299321","ts_start":null,"ts_stop":null}],"params":{"DnsThreadsMax":20,"MAXfailedChecklistDownloadCount":100,"MAXfailedReportUploadCount":25,"whiteCheckMinInterval":60000,"connectTimeout":10000,"soTimeout":10000,"maxTotalConnections":50,"maxHttpsConnections":20,"maxContentSize":3000},"ts":1461299347,"zip":1,"tests":[{"id":1,"statusCode":"200","header":null,"headerRegexp":null,"contentRegexp":"\u0437\u0430\u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u0430\u043d","content":null},{"id":9,"statusCode":"200","header":null,"headerRegexp":null,"contentRegexp":"\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d","content":null},{"id":2661,"statusCode":"409","header":null,"headerRegexp":null,"contentRegexp":".*","content":null},{"id":2919,"statusCode":"404","header":null,"headerRegexp":null,"contentRegexp":".*","content":null},{"id":2922,"statusCode":"403","header":null,"headerRegexp":null,"contentRegexp":".*","content":null},{"id":2923,"statusCode":"451","header":null,"headerRegexp":null,"contentRegexp":".*","content":null},{"id":2924,"statusCode":"500","header":null,"headerRegexp":null,"contentRegexp":".*","content":null},{"id":2925,"statusCode":"502","header":null,"headerRegexp":null,"contentRegexp":".*","content":null},{"id":2926,"statusCode":"503","header":null,"headerRegexp":null,"contentRegexp":".*","content":null},{"id":2932,"statusCode":"307","header":null,"headerRegexp":null,"contentRegexp":".*","content":null},{"id":2936,"statusCode":"301","header":null,"headerRegexp":null,"contentRegexp":".*","content":null},{"id":2967,"statusCode":"302","header":null,"headerRegexp":null,"contentRegexp":".*","content":null},{"id":2968,"statusCode":"302","header":"Location","headerRegexp":"62.33.207.195","contentRegexp":null,"content":null},{"id":3228,"statusCode":"404","header":"Connection","headerRegexp":"close","contentRegexp":null,"content":null},{"id":3580,"statusCode":"307","header":"Location","headerRegexp":".*","contentRegexp":null,"content":null}]},"id":"DICK-BUTT-I386---1AE822EF40"}
, - «» «», IP- 62.33.207.195 , , -.
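The "tests" array in the GetMyTasks response above is effectively the rule set the agent uses to decide whether a response counts as a block page. The following is an added example (not code from the article or from MFI Soft) that evaluates a response against a subset of those rules; the exact matching semantics (status equality, re.search on header and body, null fields ignored) are my assumption, since the page does not document them.

```python
import json
import re

# Subset of the "tests" array from the GetMyTasks response quoted above.
# The \uXXXX escapes decode to the Russian words for "blocked" and "restricted".
TESTS = json.loads(r'''[
 {"id":1,"statusCode":"200","header":null,"headerRegexp":null,
  "contentRegexp":"\u0437\u0430\u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u0430\u043d","content":null},
 {"id":9,"statusCode":"200","header":null,"headerRegexp":null,
  "contentRegexp":"\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d","content":null},
 {"id":2923,"statusCode":"451","header":null,"headerRegexp":null,"contentRegexp":".*","content":null},
 {"id":2967,"statusCode":"302","header":null,"headerRegexp":null,"contentRegexp":".*","content":null},
 {"id":2968,"statusCode":"302","header":"Location","headerRegexp":"62.33.207.195","contentRegexp":null,"content":null},
 {"id":3228,"statusCode":"404","header":"Connection","headerRegexp":"close","contentRegexp":null,"content":null}
]''')


def matching_tests(status, headers, body, tests=TESTS):
    """Return the ids of the tests a response satisfies.

    Assumed semantics (not documented on the page): the status code must be
    equal, and each non-null regexp field must re.search() its target; a test
    that names a header the response lacks does not match.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    hits = []
    for t in tests:
        if str(status) != t["statusCode"]:
            continue
        if t["header"] is not None:
            value = hdrs.get(t["header"].lower())
            # Note: "62.33.207.195" is applied as a regex, so its dots match any character.
            if value is None or not re.search(t["headerRegexp"], value):
                continue
        if t["contentRegexp"] is not None and not re.search(t["contentRegexp"], body, re.S):
            continue
        hits.append(t["id"])
    return hits


def looks_blocked(status, headers, body):
    """True when at least one test matches, i.e. the probe would count the URL as blocked."""
    return bool(matching_tests(status, headers, body))


if __name__ == "__main__":
    # Constructed sample responses, not captures from the article.
    print(matching_tests(200, {"Content-Type": "text/html"}, "<h1>Доступ к ресурсу заблокирован</h1>"))
    print(matching_tests(302, {"Location": "http://62.33.207.195/"}, ""))
    print(looks_blocked(200, {}, "<html>normal page</html>"))
```

Note that with the full list any 3xx redirect or 4xx/5xx status satisfies some test, while a plain 200 page passes only if its body contains one of the two Russian keywords.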

SSH- , tunnel_on , , :
{"method":"GetMyTasks","params":"","id":"DICK-BUTT-I386---1AE822EF40","session_id":1488}

{"jsonrpc":"2.0","result":{"tasks":[{"id_task":"148411","id_task_meta":null,"type":"service","priority":"1","checklist":null,"checklist_count":"0","params":"{\"format\":1,\"command\":\"tunnel_on\",\"param1\":64123,\"param2\":60000}","status":"RUNNING","completion":"0","result":null,"pass":"0","fail":"0","passed_items":null,"failed_items":null,"id_creator":"N01-KONA-CHAN","id_lens":"DICK-BUTT-I386---1AE822EF40","ts_create":"1460000000","ts_start":"1460000000","ts_stop":null}],"params":{"DnsThreadsMax":20,"MAXfailedChecklistDownloadCount":100,"MAXfailedReportUploadCount":25,"whiteCheckMinInterval":60000,"connectTimeout":10000,"soTimeout":10000,"maxTotalConnections":50,"maxHttpsConnections":20,"maxContentSize":3000},"ts":1460000000,"zip":1,"tests":null},"id":"DICK-BUTT-I386---1AE822EF40"}
SSH- Dropbear, , fork() execv(), :
/usr/bin/ssh -y -y -K 30 -N -T -R 0.0.0.0:6412:127.0.0.1:1080 -p 22 -i /root/.ssh/id_rsa
-y SSH- (?), -N -T , -R , .. (64123) 1080 , Socks5-.
, -R -D, ICMP Administratively Prohibited.
, . , , , 1024 65535? , 1000 . , , , ulimit, OpenSSH. , Socks5- , 65 SSH- , !
? - tunnel_on , , - , , , . Socks5- , , , .
, , !

API HTTPS, TLS- SSH-? 4 ROM 1500₽ ? Debian Oldstable ? 84 .
, - Blockcheck? …
URL.


Source: https://habr.com/ru/post/282087/

