
Fuzzing and Debugging Cisco IOS, Blackhat Europe 2011, Sebastian Muñiz - PowerPoint PPT Presentation



1. Fuzzing and Debugging Cisco IOS, Blackhat Europe 2011. Sebastian Muñiz, Alfredo Ortega, Groundworks Technologies. March 18, 2011.
Deck outline: Cisco IOS architecture; Analyzing Pros and Cons; Use case: IOS malware; Use case: ROMMON debugging; Use cases: Fuzzer; Wrapping up.
Slide footer: Groundworks Technologies, Fuzzing and Debugging Cisco IOS.

2. Agenda
- Cisco IOS Architecture
- Debugger internals: Dynamips modification, GDB support, IDA Pro support
- Shortcomings of self-checking routines
- Demos: Malware analysis, Fuzzing example

3. Cisco IOS architecture
- Single binary image
- Shared single address space
- Cooperative priority-based scheduler
Figure: Cisco IOS process memory (software layers: Processes, Fast Packet Switching, Buffers, Kernel, Device Drivers; the Hardware sits below them)

4. Dynamips emulator
- Created by Christophe Fillot [1]
- Runs on Windows, Linux and Mac OS X
- Equivalent to QEMU/Bochs
- Implements the MIPS/PowerPC architectures and Cisco hardware
- Supports the following models: (a) 7200 (b) 36XX (c) 2691 (d) 3725 (e) 3745 (f) 26XX (g) 17XX
[1] http://www.ipflow.utc.fr/index.php/Cisco 7200 Simulator

5. Built-in GDB server
- Used by Cisco developers and support engineers
- Works over Telnet, SSH and serial console
- Slightly different GDB protocol
Figure: GDB debugging modes (Examine, Debug, Kernel, Remote) and the operations they allow: Read Registers, Write Registers, Read Memory, Write Memory, Freeze OS

6. Virtual Machine Debugger internals
- GDB server embedded in Dynamips
- CPU/Memory instrumentation
- GDB protocol; no JIT support
- Supported commands: Read/Write CPU Registers, Read/Write Memory, Set/Unset Breakpoints
- Any standard GDB client supported
Figure: GDB server embedding (the server sits next to the emulated PowerPC/MIPS CPU, Memory Controller, Special Hardware, FPGA, PCI, WIC and NM components)

7. Pros and Cons of Virtual Machine Debugger
Pros:
- Complete isolation (almost!)
- Cost-effective
- Controlled debugging environment
- Bug-hunter friendly
Cons:
- Not 100% exact emulation
- Not all models or hardware compatible
- Findings need double-check with physical device
Check Cisco EULA before doing anything crazy. Just in case.

8. Why isolation is good? (Analyzing malware)
Figure: Using built-in GDB: the GDB client sends a Read_Memory request to the built-in GDB stub inside Cisco IOS; the malware intercepts the request and answers with the expected (fake) bytes from a mirror of the original memory, so the dump hides the malware.
Figure: Dynamips GDB server: the GDB client's Read_Memory request is served by Dynamips from outside the guest, so the dump contains the malware's real memory.
Lesson learned: NEVER analyze malware inside an infected host.

9. I don't need this, I have the verify command
Cisco Response on IOS rootkits [2]:
- Maintain chain of trust when verifying IOS images
- Verify IOS image on an external host, or before booting it
- Use the MD5 File Validation command "verify" on the loaded image
Using the MD5 File Validation Feature: "The MD5 File Validation feature, added in Cisco IOS Software Releases 12.2(4)T and 12.0(22)S, allows network administrators to calculate the MD5 hash of a Cisco IOS software image file that is loaded on a device."
[2] http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml

10. Shortcomings of self-checking routines
Figure: Malware-affected analysis: the user runs the verify CLI command inside Cisco IOS; the malware hooks the MD5 calculation and returns the expected (fake) checksum, so the result matches even though the code (the figure shows the login routine) has been modified.
Figure: Clean analysis: the image is hashed by an MD5 tool in an external trusted environment, which the malware cannot influence.
Lesson learned (again): NEVER verify code inside an infected host.
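The two figures on slides 8 and 10 describe the same trick: malware that patched the image keeps a mirror of the original bytes and serves that mirror to anything that inspects memory from inside the host, whether the built-in GDB stub's read-memory handler or the MD5 routine behind `verify`. The following is an added example, not code from the slides or from Groundworks; the image bytes, load address, patch contents and the `InfectedIOS` class are all constructed for the demonstration. It contrasts what an in-host reader sees with what a reader outside the guest (the Dynamips GDB server, or an MD5 tool on a trusted host) sees.

```python
# Added example (not from the slides). A constructed "infected IOS" keeps a mirror
# of the clean bytes for every range it patched and filters in-host memory reads
# through it, so the built-in GDB stub and the in-host `verify` both report the
# clean image. Dynamips reads guest memory from outside the guest and sees the patch.
import hashlib

IMAGE_BASE = 0x80008000                 # assumed load address for the demo image
CLEAN_IMAGE = bytes(range(256)) * 8     # constructed stand-in for an IOS image
PATCH_OFFSET = 0x100                    # where the constructed backdoor is written
PATCH = b"\x00\x00\x00\x00BACKDOOR"     # constructed patch bytes


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


class InfectedIOS:
    """Guest memory as Dynamips sees it, plus the malware's mirror of clean bytes."""

    def __init__(self, clean: bytes, patch_off: int, patch: bytes):
        self.mem = bytearray(clean)
        self.mem[patch_off:patch_off + len(patch)] = patch          # the infection
        # The malware records the original bytes of every range it modified.
        self.mirror = {
            (IMAGE_BASE + patch_off, len(patch)): clean[patch_off:patch_off + len(patch)]
        }

    # --- what the built-in GDB stub and `verify` see: reads filtered by the mirror ---
    def builtin_read_memory(self, addr: int, length: int) -> bytes:
        off = addr - IMAGE_BASE
        out = bytearray(self.mem[off:off + length])
        for (maddr, mlen), orig in self.mirror.items():
            lo, hi = max(addr, maddr), min(addr + length, maddr + mlen)
            if lo < hi:  # overlap with a patched range: hand back the saved originals
                out[lo - addr:hi - addr] = orig[lo - maddr:hi - maddr]
        return bytes(out)

    def builtin_verify(self) -> str:
        """`verify` running inside the host hashes memory through the hooked reader."""
        return md5_hex(self.builtin_read_memory(IMAGE_BASE, len(self.mem)))

    # --- what the Dynamips GDB server sees: raw guest memory, no hook in the path ---
    def dynamips_read_memory(self, addr: int, length: int) -> bytes:
        off = addr - IMAGE_BASE
        return bytes(self.mem[off:off + length])


def external_verify(dumped_image: bytes, expected_md5: str) -> bool:
    """Verification on a trusted host: hash exactly what was dumped, nothing else."""
    return md5_hex(dumped_image) == expected_md5


def demo() -> dict:
    host = InfectedIOS(CLEAN_IMAGE, PATCH_OFFSET, PATCH)
    expected = md5_hex(CLEAN_IMAGE)          # stands in for the vendor-published hash
    patched_addr = IMAGE_BASE + PATCH_OFFSET
    return {
        "builtin_verify_matches_clean": host.builtin_verify() == expected,
        "builtin_gdb_shows_patch": host.builtin_read_memory(patched_addr, len(PATCH)) == PATCH,
        "dynamips_gdb_shows_patch": host.dynamips_read_memory(patched_addr, len(PATCH)) == PATCH,
        "external_verify_passes": external_verify(
            host.dynamips_read_memory(IMAGE_BASE, len(CLEAN_IMAGE)), expected),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The in-host checks all come back clean while the out-of-guest dump exposes the patch, which is the whole argument for doing both memory inspection and image verification from outside the suspect system.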

11. Use case: IOS malware
Demo: Backdoored IOS installation
- Not trivial to analyze (many IOS variations)
- At least, possible: Demo!

12. Use case: ROMMON debugging
ROMMON: the Cisco bootloader [3]
- Very easy to verify and analyze (fewer variations)
- Read-only in some models
- Contains a basic but privileged debugger
- ROMMON itself can be debugged by Dynamips
[3] Felix 'FX' Lindner, 25c3, Cisco IOS - Attack & Defense

13. Fuzzing requirements
- Correct exception handling
- Reproducible test-cases
- Logging
- Desirable: debugging environment (for post-analysis)

14. Fuzzing timing diagram (participants: Fuzzer, GDB, Dynamips)
- Fuzzer: Start -> GDB: Start -> Dynamips
- Fuzzer: Fuzz case N -> Dynamips
- Dynamips: Exception -> GDB: Signal -> Fuzzer
- Fuzzer: Get Regs -> GDB: Registers -> Fuzzer
- Fuzzer: Log
- Fuzzer: Restart -> GDB: Restart -> Dynamips
- Fuzzer: Fuzz case N+1 -> Dynamips

15. Example fuzzer
Flowchart: Start -> Connect to FTP -> Send: Command + "AAA..." (100 A's) -> Disconnect -> Crash? (Yes: Save state to DB) -> More CMDs? (Yes: back to Connect to FTP; No: End)
- Attack surface via protocol fuzzer (FTP)
- Trivial test-case generation (just an example!)
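The timing diagram on slide 14 and the FTP flowchart on slide 15 together describe one loop: send a case, ask the debugger whether the target stopped, pull registers, log, restart. Below is an added example of that loop as a Python harness, not code from the slides or from Groundworks. The GDB remote serial protocol framing (`$payload#xx` with a two-hex-digit checksum), the `S`/`T` stop-reply and `g` register formats are the standard GDB ones; `SimulatedTarget` is a constructed stand-in for Dynamips plus the IOS FTP server whose crash rule is invented for the demo, and the "reply OK to a restart request" convention is constructed too (restart is server-specific; the plain RSP `R` packet has no reply). To use it for real, replace the stand-in with a socket to the Dynamips GDB port and a socket to the router's FTP port.

```python
# Added example (not from the slides): the fuzz/exception/get-regs/log/restart loop
# of the timing diagram, driving an FTP command fuzzer over GDB's remote protocol.
import re
from typing import Optional

# The 16 commands named on slide 17, used here as the command list to fuzz.
FTP_COMMANDS = ["USER", "CWD", "DELE", "RNFR", "STOR", "NLST", "APPE", "MKD",
                "RMD", "STOU", "RETR", "LIST", "STAT", "MDTM", "SIZE", "HELP"]


# ---- GDB remote serial protocol framing -------------------------------------
def rsp_encode(payload: str) -> bytes:
    """Frame a packet as $payload#xx, xx = modulo-256 sum of the payload bytes."""
    csum = sum(payload.encode()) & 0xFF
    return f"${payload}#{csum:02x}".encode()


def rsp_decode(frame: bytes) -> str:
    """Strip an optional '+' ack and the $...#xx frame, verifying the checksum."""
    m = re.fullmatch(rb"\+?\$(.*)#([0-9a-fA-F]{2})", frame, re.S)
    if not m:
        raise ValueError(f"bad frame: {frame!r}")
    payload, csum = m.group(1), int(m.group(2), 16)
    if sum(payload) & 0xFF != csum:
        raise ValueError("checksum mismatch")
    return payload.decode()


def parse_stop_reply(payload: str) -> Optional[int]:
    """'Snn' or 'Tnn...' means the target stopped with signal nn; anything else: not stopped."""
    if payload[:1] in ("S", "T") and len(payload) >= 3:
        return int(payload[1:3], 16)
    return None


def parse_registers(payload: str, width_bytes: int = 4) -> list:
    """Split a 'g' reply into register values (32-bit registers assumed here)."""
    step = width_bytes * 2
    return [int(payload[i:i + step], 16) for i in range(0, len(payload), step)]


# ---- constructed stand-in for Dynamips + the IOS FTP server -----------------
class SimulatedTarget:
    """Invented crash rule: an argument over 64 bytes to one of the first four commands faults."""

    def __init__(self):
        self.reset()

    def reset(self) -> None:
        self.crashed = False
        self.regs = [0] * 32

    def ftp_send(self, line: bytes) -> None:
        cmd, _, arg = line.rstrip(b"\r\n").partition(b" ")
        if cmd.decode() in FTP_COMMANDS[:4] and len(arg) > 64:
            self.crashed = True
            self.regs[31] = 0x41414141     # return address overwritten by the filler

    def gdb(self, frame: bytes) -> bytes:
        req = rsp_decode(frame)
        if req == "?":                     # status query: stop reply if halted
            return rsp_encode("S0b" if self.crashed else "OK")   # 0x0b = SIGSEGV
        if req == "g":                     # all registers, big-endian hex
            return rsp_encode("".join(f"{r:08x}" for r in self.regs))
        if req == "R":                     # restart (constructed reply convention)
            self.reset()
            return rsp_encode("OK")
        return rsp_encode("")              # unsupported packet


# ---- the loop from the timing diagram ----------------------------------------
def fuzz(target: SimulatedTarget, filler: bytes = b"A" * 100) -> list:
    """One test case per command; on a stop reply, collect registers, log, restart."""
    log = []
    for case_no, cmd in enumerate(FTP_COMMANDS):
        testcase = cmd.encode() + b" " + filler + b"\r\n"
        target.ftp_send(testcase)                                          # Fuzz case N
        signal = parse_stop_reply(rsp_decode(target.gdb(rsp_encode("?"))))  # Exception/Signal
        if signal is not None:
            regs = parse_registers(rsp_decode(target.gdb(rsp_encode("g"))))  # Get Regs
            log.append({"case": case_no, "input": testcase, "signal": signal, "regs": regs})
            if rsp_decode(target.gdb(rsp_encode("R"))) != "OK":             # Restart
                raise RuntimeError("target did not restart")
    return log


if __name__ == "__main__":
    for entry in fuzz(SimulatedTarget()):
        print(f"case {entry['case']}: {entry['input'][:12]!r}... signal {entry['signal']} "
              f"ra=0x{entry['regs'][31]:08x}")
```

Each logged entry carries the exact input and the register set at the fault, which is what makes the case reproducible later in the debugger; with a real target the `?` poll would block or time out while the router is still running, so a socket timeout, not a synchronous reply, decides the "no crash" branch.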

16. Fuzzer Demo: Demo!

17. Triggered Vulnerability
Cisco Security Advisory: Multiple Vulnerabilities in the IOS FTP Server (cisco-sa-20070509-iosftp)
- 30 FTP commands, remote code execution on 16: USER, CWD, DELE, RNFR, STOR, NLST, APPE, MKD, RMD, STOU, RETR, LIST, STAT, MDTM, SIZE, and HELP
- Patched in 2007: completely remove all FTP server code

18. Wrapping up
How secure is this debugger? Very.
Can it be used in a production environment to analyze malicious code? No: Dynamips contains emulation bugs. Demo!
