execute my packet
play

Execute My Packet David Barksdale, Jordan Gruskovnjak, and Alex - PowerPoint PPT Presentation

Jun 15, 2023 •295 likes •789 views

Execute My Packet David Barksdale, Jordan Gruskovnjak, and Alex Wheeler Jordan Gruskovnjak Currently Working at Crowdstrike, Inc. Reverse Engineering & Malware Analysis Exploitation & Mitigation Research Previously worked

  1. Execute My Packet David Barksdale, Jordan Gruskovnjak, and Alex Wheeler

  2. Jordan Gruskovnjak ● Currently Working at Crowdstrike, Inc. ○ Reverse Engineering & Malware Analysis ○ Exploitation & Mitigation Research ● Previously worked as an Exploit Developer at: ○ Exodus Intelligence ○ VUPEN Security ( with the infamous @cbekrar and @n_joly) ● @jgrusko on Twitter

  3. Alex Wheeler ● Currently at Exodus Intelligence ○ VP of Research ● Previously worked at ○ Accuvant ○ HP TippingPoint ○ IMB ISS X-Force (hi @mdowd @neelmehta) ● @vonbloke on Twitter

  4. Target Background: CVE-2016-1287 Cisco ASA 5500 Series Adaptive Security Appliances Cisco ASA 5500-X Series Next-Generation Firewalls Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers Cisco ASA 1000V Cloud Firewall Cisco Adaptive Security Virtual Appliance (ASAv) Cisco Firepower 9300 ASA Security Module Cisco ISA 3000 Industrial Security Appliance

  5. Target Background: Why? - Perimeter security devices == High ROI - Exploit mitigation on Cisco ASA < current browser exploit mitigation - Relatively under-researched area, especially considering: - criticality - market share - see affected products in next slide

  6. Target Background: Prior Cisco ASA Work Breaking Bricks @ Ruxcon 2014 by Alec Stuart - CVE-2014-3393: Auth bypass in WebVPN to gain authenticated user rights - CVE-2014-3389: Command injection in Failover Protocol to gain privilege escalation and lateral compromise

  7. Target Background: Specs ASA-5505 Hardware - AMD Geode (x86) - Marvell 88E6095 Gigabit Ethernet Switch Software - Linux 2.6.29.6 - lina 9.2.4 (IOS on Linux?)

  8. Outline 1. Getting Started 2. Audit 3. Exploitation 4. Conclusion + Open Problems

  9. Getting Started

  10. Getting Started: Dump Firmware Copy asa924-k8.bin from the CF card It’s just a FAT filesystem, nothing special OR Download it (check MD5 against Cisco’s website)

  11. Getting Started: Analyze Firmware $ binwalk -e asa924-k8.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 75000 0x124F8 SHA256 hash constants, little endian 144510 0x2347E gzip compressed data… (Linux kernel) 1501296 0x16E870 gzip compressed data, has original file name: "rootfs.img"… 27168620 0x19E8F6C MySQL ISAM index file Version 4 28192154 0x1AE2D9A Zip archive data, at least v2.0 to extract… 28773362 0x1B70BF2 Zip archive data, at least v2.0 to extract…

  12. Getting Started: Analyze Firmware $ cpio -id < _asa924-k8.bin.extracted/rootfs.img $ file asa/bin/lina asa/bin/lina: ELF 32-bit LSB executable, Intel 80386 , version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.29, stripped

  13. Getting Started: Debug Target Device JTAG: Failed Traced signals + Brute force combinations with Bus Pirate Enable gdb in ROMmon: It does nothing Desoldered flash + Poked around in IDA Get root: Achievement Unlocked Run lina under gdb-server + Disable the watchdog

  14. Getting Started: Debug Target Device — Get Root Patch kernel parameters in asa924-k8.bin 01d1a030 00 48 20 00 70 e0 14 00 51 b7 ba 01 71 75 69 65 |.H .p...Q...quie| quiet loglevel=0 auto 01d1a040 74 20 6c 6f 67 6c 65 76 65 6c 3d 30 20 61 75 74 |t loglevel=0 aut| 01d1a050 6f 20 6b 73 74 61 63 6b 3d 31 32 38 20 72 65 62 |o kstack=128 reb| 01d1a060 6f 6f 74 3d 66 6f 72 63 65 20 70 61 6e 69 63 3d |oot=force panic=| 01d1a070 31 20 69 64 65 5f 67 65 6e 65 72 69 63 2e 70 72 |1 ide_generic.pr| 01d1a080 6f 62 65 5f 6d 61 73 6b 3d 30 78 31 20 69 64 65 |obe_mask=0x1 ide| 01d1a090 31 3d 6e 6f 70 72 6f 62 65 20 70 72 6f 63 65 73 |1=noprobe proces| 01d1a0a0 73 6f 72 2e 6d 61 78 5f 63 73 74 61 74 65 3d 31 |sor.max_cstate=1| 01d1a0b0 20 62 69 67 70 68 79 73 61 72 65 61 3d 00 00 00 | bigphysarea=...| 01d1a030 00 48 20 00 70 e0 14 00 51 b7 ba 01 72 64 69 6e |.H .p...Q...rdin| rdinit=/bin/sh 01d1a040 69 74 3d 2f 62 69 6e 2f 73 68 20 20 20 20 20 20 |it=/bin/sh | 01d1a050 20 20 6b 73 74 61 63 6b 3d 31 32 38 20 72 65 62 | kstack=128 reb| 01d1a060 6f 6f 74 3d 66 6f 72 63 65 20 70 61 6e 69 63 3d |oot=force panic=| 01d1a070 31 20 69 64 65 5f 67 65 6e 65 72 69 63 2e 70 72 |1 ide_generic.pr| 01d1a080 6f 62 65 5f 6d 61 73 6b 3d 30 78 31 20 69 64 65 |obe_mask=0x1 ide| 01d1a090 31 3d 6e 6f 70 72 6f 62 65 20 70 72 6f 63 65 73 |1=noprobe proces| 01d1a0a0 73 6f 72 2e 6d 61 78 5f 63 73 74 61 74 65 3d 31 |sor.max_cstate=1| 01d1a0b0 20 62 69 67 70 68 79 73 61 72 65 61 3d 00 00 00 | bigphysarea=...|

  15. Getting Started: Debug Target Device — gdbserver The developers left helpful comments in boot script /asa/scripts/rcS: # Use -g to have system await gdb connect during boot. #echo "/asa/bin/lina_monitor -l -g -d" >> /tmp/run_cmd # Use -s to specify a serial device other than the default /dev/ttyS1 #echo "/asa/bin/lina_monitor -l -g -s /dev/ttyUSB0 -d" >> /tmp/run_cmd Boot the target, at the root prompt use sed to uncomment that last line and change ttyUSB0 to ttyS0 for the console port, then continue booting normally. # sed -i 's/#\(.*\)ttyUSB0\(.*\)/\1ttyS0\2/' /asa/scripts/rcS # exec /sbin/init … SMFW PID: 514, Starting /asa/bin/lina under gdbserver /dev/ttyS0 Process /asa/bin/lina created; pid = 517 Remote debugging using /dev/ttyS0

  16. Getting Started: Disable Watchdog for Debugging Patch that watchdog lina uses setitimer() to schedule a SIGALARM signal to be delivered periodically to the process. Use a gdb init script to attach to the target and overwrite watchdog_timeout with zero, disabling it. target remote /dev/ttyXXX set *0x0a53f168 = 0 (version specific)

  17. Getting Started: gdbserver setup

  18. Audit

  19. Audit: Summary Goal: Identify + Exploit at least 1 vulnerability to yield anonymous system level RCE without user interaction Approach: • Static using only IDA Pro (between 40 and 60 hours spent on this phase) • Confirm findings using gdb (between 4 and 8 hours)

  20. Audit: Code Coverage Code Areas : Useful Things : - Content Inspection via IDS/IPS - Allocator X-Refs - Firewall Session Maintenance - Byte Reordering - SSL VPN and IPSec VPN - Linked Lists

  21. Audit: Following Memory Resolving indirection and meaning can be done w/ a debugger ( SLOW ) or by inference ( FAST ). Allocators are useful cross references for identifying memory corruption. Questions to infer allocators should be this: - Is a size field passed to this call? - Is a return value checked for not zero and used as a destination buffer subsequent to this call?

  22. Audit: Following Memory Example Plus 8 (could be size or offset) Test for Not Zero Return Value Some Offset + Return Value Passed as an Argument, What’s this Function

  23. Audit: Following Memory Resolved Example Where is this Size from? MALLOC() – 573 XREFS FIXED J Now We Know Direction == Input Minus 8 is Interesting (Underflow?) Length for Our Copy MEMCPY() – 4,109 XREFS FIXED J

  24. Audit: Cheap Trick – Byte Reordering Specifically on the ASA project, but also generally useful: - Network data is big-endian and requires reordering on little-endian CPU’s: - shl bits + (add/or), ror bits, bswap, mul 0x100 Useful Even on Big Endian CPU: - Inferring the direction of the data: lbu $v0, 0($a0) - INPUT == byte reorder then operate lbu $v1, 1($a0) sll $t0, $v0, 8 - OUTPUT == operate then reorder … addu $t0, $v1

  25. Audit: Cheap Trick – Byte Reordering Direction == ? We Need to Follow This NOT GOOD Direction == Input Reassembly Allocation Length

  26. Audit: Cheap Trick - Logging Specific to Cisco ASA Firewall firmware, but useful in general. Symbols were stripped from the binary. However, manufacturer left in valuable engineering and error reporting information. It is useful to create an IDA Pro script to follow the cross references and name the function it is being cross referenced from according to one of its arguments.

  27. Audit: Cheap Trick – Logging Logging functions state context: 3 rd Argument is Function Name 1222 XREFS FIXED THANK YOU CISCO ENGINEERING J

  28. Audit: Triggering the Bug Forces Attacker to Use ikev2_check_neg_and_sa() Legit IP Address Establish IKEv2 Phase 1 SA OR be MITM Underflow the Payload ikev2_add_rcv_frag() Length AND Pass Signed Reassembly Underflow Cisco Fragment with Length < 8 Length Check Small because of Ikev2_get_assembled_pkt() Underflowed Payload Allocate Too Small Reassembly Buffer Length(s)

  29. Audit: Fixing the Bug Messy Fix: if ((unsigned int) (reassembly_length + fragment_length – 8) > 0x7FFF ) goto DISCARD; Clean Fix: if ((unsigned int) length < 8) goto DISCARD; Cisco IKEv2 Fragmentation Header

  30. Audit: Concluded For every allocation examine size allocated vs size copied . Followup only on differences. Point Auditing allows quick identification of potential issues without much application specific knowledge. Now we can trigger the vulnerability to bounce the box, which is not good enough: We want RCE.

  31. Exploitation

  32. Exploitation: Taming the wild copy 1 / 3 Need to craft a correct fragment sequence to: ● Still have an undersized allocation ● Avoid the negative memcpy() Fragment can’t have a sequence # > last fragment sequence # Fragment copy will stop when next sequence # is not found

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator developed by Dennis Frezzo and his team at Cisco Systems. Packet Tracer (PT) is a powerful and dynamic tool that displays the various protocols used in

419 views • 17 slides
Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

03/11/2017 Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer to a radio for the transmission of digital data via amateur radio. It is another mode of operation that has a multitude of uses, such as

571 views • 17 slides
How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet monitor? How to acquire the data Handling performance bottlenecks Case Study: Packet Capture Performance Analyzing the transport and

487 views • 37 slides
Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet Sniffer Packet sniffer is a basic tool for observing network packet exchanges in a computer Capturing (sniffs) packets being

485 views • 13 slides
Packet Information IMPORTANT LABEL ON RIGHT HAND SIDE OF PACKET Shoe, Gym 11111 (Student ID #)

Packet Information IMPORTANT LABEL ON RIGHT HAND SIDE OF PACKET Shoe, Gym 11111 (Student ID #)

Curriculum &amp; Activities Night Class of 2020 Packet Information IMPORTANT LABEL ON RIGHT HAND SIDE OF PACKET Shoe, Gym 11111 (Student ID #) Feeder School Name NEON GREEN sticker on front of packet = MISSING EXPLORE Appointment date

99 views • 6 slides
Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How

Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How

Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How to authenticate a data packet containing the electricity usage of a room at certain time? Data is signed, but how to verify the signature?

224 views • 19 slides
Modelling of Packet Loss in an Asynchronous Packet Switch using PEPA Wim Vanderbauwhede

Modelling of Packet Loss in an Asynchronous Packet Switch using PEPA Wim Vanderbauwhede

Modelling of Packet Loss in an Asynchronous Packet Switch using PEPA Wim Vanderbauwhede Department of Computing Science University of Glasgow September 6, 2005- WV 1 Overview Asynchronous Packet Switch Building the PEPA Model

658 views • 26 slides
Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University Course: Cyber

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University Course: Cyber

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University Course: Cyber Security Practice 1 Packet Sniffer Packet sniffer is a basic tool for observing network packet exchanges in a computer Capturing (sniffs)

593 views • 14 slides
Packet Classification Omid Mashayekhi Vaibhav Chidrewar What is Packet Classification?

Packet Classification Omid Mashayekhi Vaibhav Chidrewar What is Packet Classification?

Packet Classification Omid Mashayekhi Vaibhav Chidrewar What is Packet Classification? Definition: The function of identifying and categorizing packets of data moving across the network Rule Source IP Dest IP Action R1 152.163.190.69/

574 views • 15 slides
Block-based partial packet recovery corrupt packet Maranello Practical Partial Packet Recovery

Block-based partial packet recovery corrupt packet Maranello Practical Partial Packet Recovery

Maranello : Practical Partial Packet Recovery for 802.11 Bo Han Aaron Schulman Lusheng Ji Neil Spring Francesco Gringoli Seungjoon Lee Bobby Bhattacharjee Lorenzo Nava Robert Miller University of Maryland University of Brescia AT&amp;T

894 views • 43 slides
Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University CSC 5991 Cyber

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University CSC 5991 Cyber

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang Wayne State University CSC 5991 Cyber Security Prac@ce 1 Packet Sniffer Packet sniffer is a basic tool for observing network packet exchanges in a computer Capturing (sniffs)

172 views • 14 slides
Packet Sniffing and Spoofing 1 Shared Networks Every network packet reaches every computer's

Packet Sniffing and Spoofing 1 Shared Networks Every network packet reaches every computer's

Packet Sniffing and Spoofing 1 Shared Networks Every network packet reaches every computer's network Interface card, which then filters packets based on the MAC address. A network packet has multiple concatenated components. 2 How Packets

625 views • 39 slides
Worm Detection ICMP Packet Analysis Ankur Agiwal 1 2 Packet Content Matching Packet

Worm Detection ICMP Packet Analysis Ankur Agiwal 1 2 Packet Content Matching Packet

Worm Detection Packet Content Matching Port Number Matching Worm Detection ICMP Packet Analysis Ankur Agiwal 1 2 Packet Content Matching Packet Content Matching Which characteristic of worm is exploited? Should whole packet

325 views • 7 slides
Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS Embedded Packet Capture (EPC) delivers a powerful troubleshooting and tracing tool. The feature allows for network administrators to capture data

518 views • 24 slides
Packet Radio Basics Introduction to Packet Radio operation with emphasis on parameters and

Packet Radio Basics Introduction to Packet Radio operation with emphasis on parameters and

Packet Radio Basics Introduction to Packet Radio operation with emphasis on parameters and connecting with other stations, nodes, clusters, digis or BBSs Presented by Todd Cady, K7PKT - January 17th, 2009 There are three basic parts to a

562 views • 17 slides
Habanero Operating Committee January 25 2017 Habanero Overview 1. Execute Nodes 2. Head Nodes

Habanero Operating Committee January 25 2017 Habanero Overview 1. Execute Nodes 2. Head Nodes

Habanero Operating Committee January 25 2017 Habanero Overview 1. Execute Nodes 2. Head Nodes 3. Storage 4. Network Execute Nodes Type Quantity Standard 176 High Memory 32 GPU* 14 Total 222 Execute Nodes Standard Node CPU (2 per

637 views • 35 slides
rt Pr t

rt Pr t

s t r t r s r s t r r t r rtrs

1.06k views • 87 slides
Project 1 Notes and Demo Overview Youll be given the

Project 1 Notes and Demo Overview Youll be given the

Project 1 Notes and Demo Overview Youll be given the source code for 7 short buggy programs (target[1-7].c). These programs will be installed

632 views • 38 slides
More Bufger Overfmows 1 midterm 1 kernel density plot; red lines: 25/50/75th perecentile; green

More Bufger Overfmows 1 midterm 1 kernel density plot; red lines: 25/50/75th perecentile; green

More Bufger Overfmows 1 midterm 1 kernel density plot; red lines: 25/50/75th perecentile; green line: mean 2 50 60 70 80 90 100 last time stack smashing particular exploit technique for bufger overfmows bufger overfmow = out-of-bounds

1.4k views • 71 slides
Pre-GDB, GDB, and IRIS-HEP Retreat: Updates from Recent Meetings Brian Bockelman OSG Technology

Pre-GDB, GDB, and IRIS-HEP Retreat: Updates from Recent Meetings Brian Bockelman OSG Technology

Pre-GDB, GDB, and IRIS-HEP Retreat: Updates from Recent Meetings Brian Bockelman OSG Technology Area Coordinator Associate Scientist, Morgridge Institute for Research Recent Meetings Involving OSG The week of Sept 9 featured three

410 views • 15 slides
BRUCE DAWSON VALVE GETTING STARTED DEBUGGING ON LINUX (MAKING IT EASY IN LESS THAN AN HOUR)

BRUCE DAWSON VALVE GETTING STARTED DEBUGGING ON LINUX (MAKING IT EASY IN LESS THAN AN HOUR)

BRUCE DAWSON VALVE GETTING STARTED DEBUGGING ON LINUX (MAKING IT EASY IN LESS THAN AN HOUR) Linux Debugging Challenges: Default debugger is intimidating to new users Tough to get symbols and source to show up Many tricks needed

544 views • 40 slides
DebugAllYourCode: PortableMixedEnvironmentDebugging

DebugAllYourCode: PortableMixedEnvironmentDebugging

DebugAllYourCode: PortableMixedEnvironmentDebugging ByeongcheolLee Mar:nHirzel RobertGrimm KathrynMcKinley OOPSLA 2009 B. Lee, M. Hirzel, R. Grimm, and K. S. McKinley 1

1.12k views • 52 slides
Introduction to GDB Here We Start Crashes, errors and warnings are part of a C programmers

Introduction to GDB Here We Start Crashes, errors and warnings are part of a C programmers

Introduction to GDB Here We Start Crashes, errors and warnings are part of a C programmers life Debugger allows the programmer to take a look at the program in execution to deduce the cause of crashes and erroneous results Debugger

595 views • 13 slides
gdb or sws1 gdb g Gnu debugger, for several languages, incl. C and C++ It It

gdb or sws1 gdb g Gnu debugger, for several languages, incl. C and C++ It It

1 what to do when my program segfaults? gdb or sws1 gdb g Gnu debugger, for several languages, incl. C and C++ It It allows you to inspect what a program is doing at points during ll t i t h t i d i t i t d i execution

537 views • 12 slides

More recommend