Execute My Packet David Barksdale, Jordan Gruskovnjak, and Alex - - PowerPoint PPT Presentation
Execute My Packet David Barksdale, Jordan Gruskovnjak, and Alex Wheeler Jordan Gruskovnjak Currently Working at Crowdstrike, Inc. Reverse Engineering & Malware Analysis Exploitation & Mitigation Research Previously worked
David Barksdale, Jordan Gruskovnjak, and Alex Wheeler
○ Reverse Engineering & Malware Analysis ○ Exploitation & Mitigation Research
○ Exodus Intelligence ○ VUPEN Security (with the infamous @cbekrar and @n_joly)
○ VP of Research
○ Accuvant ○ HP TippingPoint ○ IMB ISS X-Force (hi @mdowd @neelmehta)
Cisco ASA 5500 Series Adaptive Security Appliances Cisco ASA 5500-X Series Next-Generation Firewalls Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers Cisco ASA 1000V Cloud Firewall Cisco Adaptive Security Virtual Appliance (ASAv) Cisco Firepower 9300 ASA Security Module Cisco ISA 3000 Industrial Security Appliance
Breaking Bricks @ Ruxcon 2014 by Alec Stuart
in WebVPN to gain authenticated user rights
injection in Failover Protocol to gain privilege escalation and lateral compromise
ASA-5505 Hardware
Software
Copy asa924-k8.bin from the CF card
It’s just a FAT filesystem, nothing special
OR Download it
(check MD5 against Cisco’s website)
$ binwalk -e asa924-k8.bin
DECIMAL HEXADECIMAL DESCRIPTION
144510 0x2347E gzip compressed data… (Linux kernel) 1501296 0x16E870 gzip compressed data, has original file name: "rootfs.img"… 27168620 0x19E8F6C MySQL ISAM index file Version 4 28192154 0x1AE2D9A Zip archive data, at least v2.0 to extract… 28773362 0x1B70BF2 Zip archive data, at least v2.0 to extract…
$ cpio -id < _asa924-k8.bin.extracted/rootfs.img $ file asa/bin/lina
asa/bin/lina: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.29, stripped
JTAG: Failed
Traced signals + Brute force combinations with Bus Pirate
Enable gdb in ROMmon: It does nothing
Desoldered flash + Poked around in IDA
Get root: Achievement Unlocked
Run lina under gdb-server + Disable the watchdog
Patch kernel parameters in asa924-k8.bin
01d1a030 00 48 20 00 70 e0 14 00 51 b7 ba 01 72 64 69 6e |.H .p...Q...rdin| 01d1a040 69 74 3d 2f 62 69 6e 2f 73 68 20 20 20 20 20 20 |it=/bin/sh | 01d1a050 20 20 6b 73 74 61 63 6b 3d 31 32 38 20 72 65 62 | kstack=128 reb| 01d1a060 6f 6f 74 3d 66 6f 72 63 65 20 70 61 6e 69 63 3d |oot=force panic=| 01d1a070 31 20 69 64 65 5f 67 65 6e 65 72 69 63 2e 70 72 |1 ide_generic.pr| 01d1a080 6f 62 65 5f 6d 61 73 6b 3d 30 78 31 20 69 64 65 |obe_mask=0x1 ide| 01d1a090 31 3d 6e 6f 70 72 6f 62 65 20 70 72 6f 63 65 73 |1=noprobe proces| 01d1a0a0 73 6f 72 2e 6d 61 78 5f 63 73 74 61 74 65 3d 31 |sor.max_cstate=1| 01d1a0b0 20 62 69 67 70 68 79 73 61 72 65 61 3d 00 00 00 | bigphysarea=...| 01d1a030 00 48 20 00 70 e0 14 00 51 b7 ba 01 71 75 69 65 |.H .p...Q...quie| 01d1a040 74 20 6c 6f 67 6c 65 76 65 6c 3d 30 20 61 75 74 |t loglevel=0 aut| 01d1a050 6f 20 6b 73 74 61 63 6b 3d 31 32 38 20 72 65 62 |o kstack=128 reb| 01d1a060 6f 6f 74 3d 66 6f 72 63 65 20 70 61 6e 69 63 3d |oot=force panic=| 01d1a070 31 20 69 64 65 5f 67 65 6e 65 72 69 63 2e 70 72 |1 ide_generic.pr| 01d1a080 6f 62 65 5f 6d 61 73 6b 3d 30 78 31 20 69 64 65 |obe_mask=0x1 ide| 01d1a090 31 3d 6e 6f 70 72 6f 62 65 20 70 72 6f 63 65 73 |1=noprobe proces| 01d1a0a0 73 6f 72 2e 6d 61 78 5f 63 73 74 61 74 65 3d 31 |sor.max_cstate=1| 01d1a0b0 20 62 69 67 70 68 79 73 61 72 65 61 3d 00 00 00 | bigphysarea=...|
quiet loglevel=0 auto rdinit=/bin/sh
The developers left helpful comments in boot script /asa/scripts/rcS:
# Use -g to have system await gdb connect during boot. #echo "/asa/bin/lina_monitor -l -g -d" >> /tmp/run_cmd # Use -s to specify a serial device other than the default /dev/ttyS1 #echo "/asa/bin/lina_monitor -l -g -s /dev/ttyUSB0 -d" >> /tmp/run_cmd
Boot the target, at the root prompt use sed to uncomment that last line and change ttyUSB0 to ttyS0 for the console port, then continue booting normally.
# sed -i 's/#\(.*\)ttyUSB0\(.*\)/\1ttyS0\2/' /asa/scripts/rcS # exec /sbin/init … SMFW PID: 514, Starting /asa/bin/lina under gdbserver /dev/ttyS0 Process /asa/bin/lina created; pid = 517 Remote debugging using /dev/ttyS0
Patch that watchdog
lina uses setitimer() to schedule a SIGALARM signal to be delivered periodically to the process. Use a gdb init script to attach to the target and
disabling it. target remote /dev/ttyXXX set *0x0a53f168 = 0 (version specific)
Goal: Identify + Exploit at least 1 vulnerability to yield anonymous system level RCE without user interaction Approach:
Code Areas:
Useful Things:
Resolving indirection and meaning can be done w/ a debugger (SLOW) or by inference (FAST). Allocators are useful cross references for identifying memory corruption. Questions to infer allocators should be this:
subsequent to this call?
Plus 8 (could be size
Test for Not Zero Return Value Some Offset + Return Value Passed as an Argument, What’s this Function
Where is this Size from? Now We Know Direction == Input Minus 8 is Interesting (Underflow?) Length for Our Copy MALLOC() – 573 XREFS FIXED J MEMCPY() – 4,109 XREFS FIXED J
Specifically on the ASA project, but also generally useful:
Useful Even on Big Endian CPU: lbu $v0, 0($a0) lbu $v1, 1($a0) sll $t0, $v0, 8 … addu $t0, $v1
Direction == ? We Need to Follow This Direction == Input Reassembly Allocation Length NOT GOOD
Specific to Cisco ASA Firewall firmware, but useful in general. Symbols were stripped from the binary. However, manufacturer left in valuable engineering and error reporting information. It is useful to create an IDA Pro script to follow the cross references and name the function it is being cross referenced from according to one of its arguments.
Logging functions state context:
3rd Argument is Function Name 1222 XREFS FIXED THANK YOU CISCO ENGINEERING J
Ikev2_get_assembled_pkt()
Allocate Too Small Reassembly Buffer
ikev2_add_rcv_frag()
Underflow Cisco Fragment with Length < 8
ikev2_check_neg_and_sa()
Establish IKEv2 Phase 1 SA
Underflow the Payload Length AND Pass Signed Reassembly Length Check Small because of Underflowed Payload Length(s) Forces Attacker to Use Legit IP Address OR be MITM
Cisco IKEv2 Fragmentation Header Clean Fix: if ((unsigned int) length < 8) goto DISCARD; Messy Fix: if ((unsigned int) (reassembly_length + fragment_length – 8) > 0x7FFF ) goto DISCARD;
For every allocation examine size allocated vs size copied. Followup only on differences. Point Auditing allows quick identification of potential issues without much application specific knowledge. Now we can trigger the vulnerability to bounce the box, which is not good enough: We want RCE.
Need to craft a correct fragment sequence to:
Fragment can’t have a sequence # > last fragment sequence # Fragment copy will stop when next sequence # is not found
All fragments must have the same size Only the last fragment is allowed a different size
packet_size = 1 - 8 + 1 - 8 + 10 + 8 = 4 bytes allocation. So far so good :)
But will crash and burn when processing the first fragment due to the negative memcpy() :’(
Fragment processing function has some quirks regarding the fragments
Using this 2 quirks eventually leads to the following working fragment sequence This fragment sequence leads to
Leads to a 1 byte corruption of the next heap chunk’s size field:
We need to have the heap in a predictable state Heap Feng Shui FTW Basic alloc & free primitive:
○ IKEv2 Configuration Attributes ○ Took advantage of 0x100 bytes buffer being freed after each request
Old dlmalloc compiled with debug options + a few new fields in metadata Allocated chunk Free chunk No Safe Unlinking :) 2 write4 on unlink due to the 2 different linked lists :))
1 byte overflow allows overwriting the adjacent chunk’s size field Create an overlapping chunk by freeing the corrupted chunk to a bigger linked list Reallocate the overlapping chunk with controlled data & corrupt the allocator linked list pointers We now have a classic write4 on unlink() (actually 2)
Cisco doesn’t have ASLR / DEP enabled Decided to target the list_add function pointer location into .data Called when a new fragment is sent and inserted in the fragment list Cool, but where’s my shellcode ?
ECX points to the newly created fragment, and its first dword points to the fragment’s actual data Can’t use the write4 to jump on a jmp [ecx] / call [ecx] gadget in .text section, since write4 requires both pointers to point to writable memory Write address 0xc821ff90 at address 0xc8002000 using 2nd write 4 This address translates to the jmp [ecx] byte code sequence
gdb) x/2i 0xc8002000 0xc8002000: nop 0xc8002001: jmp DWORD PTR [ecx]
Execution flow finally landed into shellcode \o/
Sames problems as when exploiting a kernel RCE You can’t afford to crash after successful exploitation Otherwise, the device reboots and exploitation was useless To avoid rebooting, use object on the stack to find and fix stuffs we broke:
We can move on to the “real” payload execution
We don’t want a classic /bin/sh, but Cisco CLI Cisco doesn’t use POSIX sockets :( but channels Use the alloc_ch() with the following string as parameter to create a connect- back:
Cisco doesn’t dup() since it doesn’t use socket Each running thread has a default channel in which it redirect in/out data Just overwrite it with the newly created channel: Allocate and set the privileges structure to highest privileges (enable_15)
The shellcode then jumps on the ci_cons_shell() function responsible for displaying the Cisco CLI prompt We are finally greeted by a “root” Cisco CLI \o/
Even bugs looking unexploitable can be turned into something better Still good to know the old heap exploitation tricks as well as the new ones Really interesting RE work to figure out the shellcode Cisco virtual appliances are 64-bits and might have ASLR / DEP which significantly raises the bar
Reliability:
Just look at the timeline to see it’ll take forever
Targeting:
Non-Factors:
size)