Execute My Packet David Barksdale, Jordan Gruskovnjak, and Alex Wheeler
Jordan Gruskovnjak ● Currently Working at Crowdstrike, Inc. ○ Reverse Engineering & Malware Analysis ○ Exploitation & Mitigation Research ● Previously worked as an Exploit Developer at: ○ Exodus Intelligence ○ VUPEN Security (with the infamous @cbekrar and @n_joly) ● @jgrusko on Twitter
Alex Wheeler ● Currently at Exodus Intelligence ○ VP of Research ● Previously worked at ○ Accuvant ○ HP TippingPoint ○ IBM ISS X-Force (hi @mdowd @neelmehta) ● @vonbloke on Twitter
Target Background: CVE-2016-1287 Cisco ASA 5500 Series Adaptive Security Appliances Cisco ASA 5500-X Series Next-Generation Firewalls Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers Cisco ASA 1000V Cloud Firewall Cisco Adaptive Security Virtual Appliance (ASAv) Cisco Firepower 9300 ASA Security Module Cisco ISA 3000 Industrial Security Appliance
Target Background: Why? - Perimeter security devices == High ROI - Exploit mitigation on Cisco ASA < current browser exploit mitigation - Relatively under-researched area, especially considering: - criticality - market share - see affected products in next slide
Target Background: Prior Cisco ASA Work Breaking Bricks @ Ruxcon 2014 by Alec Stuart - CVE-2014-3393: Auth bypass in WebVPN to gain authenticated user rights - CVE-2014-3389: Command injection in Failover Protocol to gain privilege escalation and lateral compromise
Target Background: Specs ASA-5505 Hardware - AMD Geode (x86) - Marvell 88E6095 Gigabit Ethernet Switch Software - Linux 2.6.29.6 - lina 9.2.4 (IOS on Linux?)
Outline 1. Getting Started 2. Audit 3. Exploitation 4. Conclusion + Open Problems
Getting Started
Getting Started: Dump Firmware Copy asa924-k8.bin from the CF card It’s just a FAT filesystem, nothing special OR Download it (check MD5 against Cisco’s website)
Getting Started: Analyze Firmware
$ binwalk -e asa924-k8.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
75000 0x124F8 SHA256 hash constants, little endian
144510 0x2347E gzip compressed data… (Linux kernel)
1501296 0x16E870 gzip compressed data, has original file name: "rootfs.img"…
27168620 0x19E8F6C MySQL ISAM index file Version 4
28192154 0x1AE2D9A Zip archive data, at least v2.0 to extract…
28773362 0x1B70BF2 Zip archive data, at least v2.0 to extract…
Getting Started: Analyze Firmware
$ cpio -id < _asa924-k8.bin.extracted/rootfs.img
$ file asa/bin/lina
asa/bin/lina: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.29, stripped
Getting Started: Debug Target Device JTAG: Failed Traced signals + Brute force combinations with Bus Pirate Enable gdb in ROMmon: It does nothing Desoldered flash + Poked around in IDA Get root: Achievement Unlocked Run lina under gdb-server + Disable the watchdog
Getting Started: Debug Target Device — Get Root
Patch the kernel parameters in asa924-k8.bin. Original (quiet loglevel=0 auto):
01d1a030 00 48 20 00 70 e0 14 00 51 b7 ba 01 71 75 69 65 |.H .p...Q...quie|
01d1a040 74 20 6c 6f 67 6c 65 76 65 6c 3d 30 20 61 75 74 |t loglevel=0 aut|
01d1a050 6f 20 6b 73 74 61 63 6b 3d 31 32 38 20 72 65 62 |o kstack=128 reb|
01d1a060 6f 6f 74 3d 66 6f 72 63 65 20 70 61 6e 69 63 3d |oot=force panic=|
01d1a070 31 20 69 64 65 5f 67 65 6e 65 72 69 63 2e 70 72 |1 ide_generic.pr|
01d1a080 6f 62 65 5f 6d 61 73 6b 3d 30 78 31 20 69 64 65 |obe_mask=0x1 ide|
01d1a090 31 3d 6e 6f 70 72 6f 62 65 20 70 72 6f 63 65 73 |1=noprobe proces|
01d1a0a0 73 6f 72 2e 6d 61 78 5f 63 73 74 61 74 65 3d 31 |sor.max_cstate=1|
01d1a0b0 20 62 69 67 70 68 79 73 61 72 65 61 3d 00 00 00 | bigphysarea=...|
Patched (rdinit=/bin/sh replaces "quiet loglevel=0 auto", padded with spaces so the string length is unchanged):
01d1a030 00 48 20 00 70 e0 14 00 51 b7 ba 01 72 64 69 6e |.H .p...Q...rdin|
01d1a040 69 74 3d 2f 62 69 6e 2f 73 68 20 20 20 20 20 20 |it=/bin/sh      |
01d1a050 20 20 6b 73 74 61 63 6b 3d 31 32 38 20 72 65 62 |  kstack=128 reb|
01d1a060 6f 6f 74 3d 66 6f 72 63 65 20 70 61 6e 69 63 3d |oot=force panic=|
01d1a070 31 20 69 64 65 5f 67 65 6e 65 72 69 63 2e 70 72 |1 ide_generic.pr|
01d1a080 6f 62 65 5f 6d 61 73 6b 3d 30 78 31 20 69 64 65 |obe_mask=0x1 ide|
01d1a090 31 3d 6e 6f 70 72 6f 62 65 20 70 72 6f 63 65 73 |1=noprobe proces|
01d1a0a0 73 6f 72 2e 6d 61 78 5f 63 73 74 61 74 65 3d 31 |sor.max_cstate=1|
01d1a0b0 20 62 69 67 70 68 79 73 61 72 65 61 3d 00 00 00 | bigphysarea=...|
Getting Started: Debug Target Device — gdbserver
The developers left helpful comments in the boot script /asa/scripts/rcS:
# Use -g to have system await gdb connect during boot.
#echo "/asa/bin/lina_monitor -l -g -d" >> /tmp/run_cmd
# Use -s to specify a serial device other than the default /dev/ttyS1
#echo "/asa/bin/lina_monitor -l -g -s /dev/ttyUSB0 -d" >> /tmp/run_cmd
Boot the target; at the root prompt use sed to uncomment that last line and change ttyUSB0 to ttyS0 for the console port, then continue booting normally.
# sed -i 's/#\(.*\)ttyUSB0\(.*\)/\1ttyS0\2/' /asa/scripts/rcS
# exec /sbin/init
…
SMFW PID: 514, Starting /asa/bin/lina under gdbserver /dev/ttyS0
Process /asa/bin/lina created; pid = 517
Remote debugging using /dev/ttyS0
Getting Started: Disable Watchdog for Debugging
Patch that watchdog: lina uses setitimer() to schedule a SIGALRM signal to be delivered periodically to the process. Use a gdb init script to attach to the target and overwrite watchdog_timeout with zero, disabling it.
target remote /dev/ttyXXX
set *0x0a53f168 = 0 (address is version specific)
Getting Started: gdbserver setup
Audit
Audit: Summary Goal: Identify + Exploit at least 1 vulnerability to yield anonymous system level RCE without user interaction Approach: • Static using only IDA Pro (between 40 and 60 hours spent on this phase) • Confirm findings using gdb (between 4 and 8 hours)
Audit: Code Coverage
Code Areas:
- Content Inspection via IDS/IPS
- Firewall Session Maintenance
- SSL VPN and IPSec VPN
Useful Things:
- Allocator X-Refs
- Byte Reordering
- Linked Lists
Audit: Following Memory Resolving indirection and meaning can be done with a debugger (SLOW) or by inference (FAST). Allocators are useful cross references for identifying memory corruption. Questions that help infer an allocator: - Is a size field passed to this call? - Is the return value checked for not zero and used as a destination buffer subsequent to this call?
Audit: Following Memory Example (annotated disassembly): Plus 8 (could be size or offset); test for not-zero return value; some offset + return value passed as an argument: what's this function?
Audit: Following Memory Resolved Example (annotated disassembly): Where is this size from? MALLOC() – 573 XREFS FIXED. Now we know Direction == Input. Minus 8 is interesting (underflow?). Length for our copy: MEMCPY() – 4,109 XREFS FIXED.
Audit: Cheap Trick – Byte Reordering
Specifically on the ASA project, but also generally useful:
- Network data is big-endian and requires reordering on little-endian CPUs: shl bits + (add/or), ror bits, bswap, mul 0x100
Useful even on a big-endian CPU for inferring the direction of the data:
- INPUT == byte reorder, then operate
- OUTPUT == operate, then reorder
Example (MIPS):
lbu $v0, 0($a0)
lbu $v1, 1($a0)
sll $t0, $v0, 8
addu $t0, $v1
…
Audit: Cheap Trick – Byte Reordering (annotated disassembly): Direction == ? We need to follow this. NOT GOOD. Direction == Input: reassembly allocation length.
Audit: Cheap Trick – Logging Specific to Cisco ASA firewall firmware, but useful in general. Symbols were stripped from the binary; however, the manufacturer left in valuable engineering and error-reporting information. It is useful to write an IDA Pro script that follows the cross references to a logging function and names each calling function according to one of the arguments it passes.
Audit: Cheap Trick – Logging Logging functions state their context: the 3rd argument is the function name. 1222 XREFS FIXED. THANK YOU CISCO ENGINEERING
Audit: Triggering the Bug
- ikev2_check_neg_and_sa(): forces the attacker to use a legit IP address: establish an IKEv2 Phase 1 SA OR be MITM.
- ikev2_add_rcv_frag(): underflow the payload length AND pass the signed length check: a Cisco fragment with length < 8.
- ikev2_get_assembled_pkt(): reassembly underflow: the reassembly buffer is allocated too small because of the underflowed payload length(s).
Audit: Fixing the Bug
Messy fix: if ((unsigned int) (reassembly_length + fragment_length - 8) > 0x7FFF) goto DISCARD;
Clean fix: if ((unsigned int) length < 8) goto DISCARD;
(Cisco IKEv2 Fragmentation Header)
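Added illustration of the length check described on the "Triggering the Bug" and "Fixing the Bug" slides; this is example code, not Cisco's or the authors'. The 8-byte header layout (generic IKEv2 payload header, then fragment id, sequence number and last-fragment flag) and the function names are assumptions; the point it shows is how a fragment shorter than its own header passes a signed check and why each fix rejects it.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed 8-byte layout of the Cisco IKEv2 fragmentation payload header: generic
 * payload header (next payload, flags, 16-bit length), then frag id, seq, last flag. */
#define FRAG_HDR_LEN   8
#define MAX_REASSEMBLY 0x7FFF

struct frag_hdr {
    uint8_t  next_payload, flags;
    uint16_t length;       /* whole payload incl. header, big-endian on the wire */
    uint16_t frag_id;
    uint8_t  frag_seq, frag_last;
};
/* Constructed samples: one claiming length 5 (shorter than its own header) and
 * a well-formed one claiming length 20 with 12 bytes of data. */
const uint8_t frag_short[8] = {0x21, 0x00, 0x00, 0x05, 0x00, 0x01, 0x01, 0x01};
const uint8_t frag_ok[20]   = {0x21, 0x00, 0x00, 0x14, 0x00, 0x01, 0x01, 0x01,
                               'A','A','A','A','A','A','A','A','A','A','A','A'};

/* Parse the header (byte reorder == INPUT direction). Deliberately does not
 * validate length >= 8; that is what the three checks below are about. */
int parse_frag_hdr(const uint8_t *buf, size_t buflen, struct frag_hdr *h)
{
    if (buflen < FRAG_HDR_LEN) return 0;
    h->next_payload = buf[0]; h->flags = buf[1];
    h->length  = (uint16_t)((buf[2] << 8) | buf[3]);
    h->frag_id = (uint16_t)((buf[4] << 8) | buf[5]);
    h->frag_seq = buf[6]; h->frag_last = buf[7];
    return 1;
}
/* Original check as the talk describes it: signed arithmetic, so length < 8 gives a
 * negative data length that passes the limit and later undersizes the reassembly
 * buffer. All checks return 1 = accept, 0 = discard. */
int check_vulnerable(int reassembly_length, const struct frag_hdr *h)
{
    int data_length = (int)h->length - FRAG_HDR_LEN;   /* -3 for length 5 */
    return reassembly_length + data_length > MAX_REASSEMBLY ? 0 : 1;
}
/* Slide's "messy fix": the unsigned cast turns the underflow into a huge value. */
int check_messy_fix(int reassembly_length, const struct frag_hdr *h)
{
    unsigned int total = (unsigned int)(reassembly_length + (int)h->length - FRAG_HDR_LEN);
    return total > MAX_REASSEMBLY ? 0 : 1;
}
/* Slide's "clean fix": reject any fragment shorter than its own header first. */
int check_clean_fix(int reassembly_length, const struct frag_hdr *h)
{
    if ((unsigned int)h->length < FRAG_HDR_LEN) return 0;
    return reassembly_length + (int)h->length - FRAG_HDR_LEN > MAX_REASSEMBLY ? 0 : 1;
}
```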
Audit: Concluded For every allocation, examine the size allocated vs. the size copied; follow up only on differences. Point auditing allows quick identification of potential issues without much application-specific knowledge. Now we can trigger the vulnerability to bounce the box, which is not good enough: we want RCE.
Exploitation
Exploitation: Taming the wild copy 1 / 3 Need to craft a correct fragment sequence to: ● Still have an undersized allocation ● Avoid the negative memcpy() Fragment can’t have a sequence # > last fragment sequence # Fragment copy will stop when next sequence # is not found