-
Notifications
You must be signed in to change notification settings - Fork 20
/
Copy pathnapper.py
327 lines (281 loc) · 9.64 KB
/
napper.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
#!/usr/bin/python2.7
#-*- coding: utf-8 -*-
#
# Napper
# ------------
# TPM vulnerability checking tool for CVE-2018-6622
#
# Copyright (C) 2019 Seunghun Han
# at National Security Research Institute of South Korea
# Project link: https://github.com/kkamagui/napper-for-tpm
#
import subprocess
import os
import sys
from time import sleep
# Color codes
RED = '\033[1;31m'
GREEN = '\033[1;32m'
YELLOW = '\033[1;33m'
BLUE = '\033[1;34m'
MAGENTA = '\033[1;35m'
CYAN = '\033[1;36m'
WHITE = '\033[1;37m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
BLINK = '\033[5m'
SUCCESS = GREEN
FAIL = RED
#
# Show banner.
#
def show_banner():
banner = """\
,----------------, ,---------,
,-----------------------, ," ,"|
," """ + GREEN + 'Napper v 1.3 for TPM' + ENDC + """ ,"| ," ," |
+-----------------------+ | ," ," |
| .-----------------""" + GREEN + BLINK + 'Z' + ENDC + """ | | +---------+ |
| | """ + GREEN + BLINK + 'Z' + ENDC + """ | | | | -==----'| |
| | ︶ ︶ """ + GREEN + BLINK + 'z' + ENDC + """ | | | | | |
| | - | | |/----| ==== oo | |
| | | | | ,/| (((( | ,"
| `-----------------' |," .;'/ | (((( | ,"
+-----------------------+ ;; | | |,"
/_)______________(_/ //' | +---------+
___________________________/___ `,
/ oooooooooooooooo .o. oooo / \,"---------
/ ==ooooooooooooooo==.o. ooo= / ,`\--{-D) ,"
`-----------------------------' '----------"
""" + \
GREEN + 'Napper v1.3 for checking a TPM and Intel PTT vulnerability, CVE-2018-6622 and unknown CVE\n' + ENDC + \
' Made by Seunghun Han, https://kkamagui.github.io\n' + \
' Project link: https://github.com/kkamagui/napper-for-tpm \n'
print banner
#
# Print colored message
#
def color_print(message, color):
print color + message + ENDC
return
#
# Check TPM version in this system
#
def check_tpm_version():
tpm_version = ""
print ' [*] Checking TPM version...',
try:
output = subprocess.check_output('journalctl -b | grep "TPM"', shell=True)
except:
output = ''
if '2.0 TPM' in output:
color_print('TPM v2.0.', SUCCESS)
tpm_version = '2.0'
elif '1.2 TPM' in output:
color_print('TPM v1.2.', SUCCESS)
tpm_version = '1.2'
elif 'ACPI: TPM2' in output:
color_print('Intel PTT.', SUCCESS)
tpm_version = '2.0'
else:
print 'No TPM.'
return tpm_version
#
# Check if the resource manager is running and run it.
#
def check_and_run_resource_manager():
print ' [*] Checking the resource manager process...',
try:
output = subprocess.check_output('ps -e | grep resourcemgr', shell=True)
except:
output = ''
# Already running.
if 'resourcemgr' in output:
color_print('Running.', SUCCESS)
return 0
else:
color_print('Starting.', SUCCESS)
# Start the resource manager
pid = os.fork()
if (pid == 0):
try:
subprocess.call('resourcemgr > /dev/null', shell=True)
except:
print ' [*] resoucemgr error'
sys.exit(0)
else:
sleep(3)
return 0
#
# Check if the TPM vulnerability testing module is running and run it.
#
def check_and_run_vuln_testing_module():
print ' [*] Checking the TPM vulnerability testing module...',
try:
output = subprocess.check_output('lsmod | grep napper', shell=True)
except:
output = ''
# Already running.
if 'napper' in output:
color_print("Running.", SUCCESS)
return 0
try:
subprocess.check_call('insmod napper-driver/napper.ko', shell=True)
color_print("Starting.", SUCCESS)
except:
color_print("Fail.", FAIL)
print 'You might need to disable lockdown mode with'
print ''
print ' echo 1 > /proc/sys/kernel/sysrq'
print ' echo x > /proc/sysrq-trigger'
return -1
return 0
#
# Sleep system.
#
def sleep_system():
print ' [*] Ready to sleep! Please press "Enter" key.'
raw_input ( ' [*] After sleep, please press "Enter" key again to wake up.')
os.system('systemctl suspend')
print '\n [*] Waking up now. Please wait for a while.',
for i in range(0, 10):
print '.',
sleep(1)
sys.stdout.flush()
print ''
return
#
# Check if static PCRs (PCR #0~ PCR #16, PCR #23) are all zeros.
#
def check_pcrs_all_zeros():
print '\n [*] Reading PCR values of TPM and checking a vulnerability...',
try:
output = subprocess.check_output('tpm2_listpcrs -g 0x04', shell=True)
except:
return -1, False
try:
output_sha256 = subprocess.check_output('tpm2_listpcrs -g 0x0b', shell=True)
output += output_sha256
except:
output += '\n'
vulnerable = True
for line in output.splitlines():
if "PCR_" in line:
if not ("00 00 00 00 00 00" in line) and \
not (("PCR_17" in line) or ("PCR_18" in line) or \
("PCR_19" in line) or ("PCR_20" in line) or \
("PCR_21" in line) or ("PCR_22" in line)):
vulnerable = False
if (vulnerable == True):
color_print('Vulnerable.', FAIL)
else:
color_print('Not vulnerable', SUCCESS)
# Show PCR values
print " [*] Show all PCR values:",
for line in output.splitlines():
print " ", line
return 0, vulnerable
#
# Extend 0xdeadbeef values to all static PCRs.
#
def extend_pcrs():
print '\n [*] Extending 0xdeadbeef to all static PCRs.'
try:
output = subprocess.check_output('tpm2_extendpcrs -g 0x04', shell=True)
except:
return -1
try:
output_sha256 = subprocess.check_output('tpm2_extendpcrs -g 0x0b', shell=True)
output += output_sha256
except:
output += '\n'
# Show PCR values
print " [*] Show all PCR values:",
for line in output.splitlines():
print " ", line
return 0
#
# Show system information.
#
def show_system_info():
print ' [*] TPM v2.0 information.'
try:
output = subprocess.check_output('tpm2_getinfo', shell=True)
except:
print " [*] tpm2_getinfo error"
return -1
# Show PCR values
for line in output.splitlines():
print " ", line
print '\n [*] System information.'
try:
output = subprocess.check_output('dmidecode -s baseboard-manufacturer', shell=True)
print ' Baseboard manufacturer: ' + output,
output = subprocess.check_output('dmidecode -s baseboard-product-name', shell=True)
print ' Baseboard product name: ' + output,
output = subprocess.check_output('dmidecode -s baseboard-version', shell=True)
print ' Baseboard version: ' + output,
output = subprocess.check_output('dmidecode -s bios-vendor', shell=True)
print ' BIOS vendor: ' + output,
output = subprocess.check_output('dmidecode -s bios-version', shell=True)
print ' BIOS version: ' + output,
output = subprocess.check_output('dmidecode -s bios-release-date', shell=True)
print ' BIOS release date: ' + output,
output = subprocess.check_output('dmidecode -s system-manufacturer', shell=True)
print ' System manufacturer: ' + output,
output = subprocess.check_output('dmidecode -s system-product-name', shell=True)
print ' System product name: ' + output,
except:
print ' [*] dmidecode error.'
return 0
#
# Main function.
#
def main():
# Show banner.
show_banner()
color_print('Checking TPM version for testing.', BOLD)
tpm_version = check_tpm_version()
if (tpm_version == "2.0"):
print " [*] Your system has TPM v2.0, and vulnerability checking is needed."
elif (tpm_version == "1.2"):
print " [*] Your system has TPM v1.2, and it is not vulnerable."
return 0
else:
print " [*] Your system has no TPM. Thank you for using this tool!"
return 0
color_print('\nPreparing for sleep.', BOLD)
# Load the TPM vunlerability testing module.
result = check_and_run_vuln_testing_module()
if (result != 0):
return result
#color_print('\nTesting a TPM vulnerability with sleep.', BOLD)
sleep_system()
# Run the resource manager.
result = check_and_run_resource_manager()
if (result != 0):
return result
# Check if all static PCRs are zeros.
result, vulnerable = check_pcrs_all_zeros()
if (result != 0):
return result
# Extend 0xdeadbeef value to all static PCRs.
if (vulnerable == True):
extend_pcrs()
# Show summary.
color_print('\nSummary. Please contribute summary below to the Napper project, https://www.github.com/kkamagui/napper-for-tpm.', BOLD)
print ' [*] Your TPM version is 2.0, and it is',
if (vulnerable == True):
color_print('vulnerable.', FAIL + BLINK)
color_print(' Please download the latest BIOS firmware from the manufacturer\'s site and update it.\n', FAIL)
else:
color_print('safe.\n', SUCCESS + BLINK)
show_system_info()
return 0
if __name__ == "__main__":
main()
print ""
if (len(sys.argv) == 2 and sys.argv[1] == 'wait'):
while True:
sleep(10)