fuzzing exploiting wireless device drivers
play

fuzzing & exploiting wireless device drivers Vienna, 23 - PowerPoint PPT Presentation

Jun 14, 2023 •30 likes •820 views

fuzzing & exploiting wireless device drivers Vienna, 23 November 2007 Sylvester Keil Clemens Kolbitsch sk (at) seclab (dot) tuwien (dot) ac (dot) at ck (at) seclab (dot) tuwien (dot) ac (dot) at Agenda 802.11 fundamentals 802.11

  1. fuzzing & exploiting wireless device drivers Vienna, 23 November 2007 Sylvester Keil Clemens Kolbitsch sk (at) seclab (dot) tuwien (dot) ac (dot) at ck (at) seclab (dot) tuwien (dot) ac (dot) at

  2. Agenda • 802.11 fundamentals • 802.11 fuzzing • Virtual 802.11 fuzzing & live demonstration • Kernel-mode exploits primer

  3. introduction

  4. About us • We are two students from the Technical University Vienna • Right now we ought to be working on our master theses at the Secure Systems Lab @ TU Vienna • The work presented here is based on the results of a seminar paper we wrote during a collaboration between the Secure Systems Lab and SEC Consult • SEC Consult also has a “Vulnerability Bonus Program” – for details see http://www.sec-consult.com or mail to vulnerabilities@sec-consult.com

  5. The playground • Wireless networks have become a widely used means of communication. Compatible devices are included in most portable computers, mobile phones, etc. • That means, there is an increasing number of mobile targets out there… • What’s more, the device drivers typically operate in supervisor-mode (i.e. in kernel-space), thus rendering vulnerabilities extremely dangerous.

  6. 802.11 primer

  7. The IEEE 802 Family 802.2 Logical link control (LLC) 802 802.1 Data Link Overview Management Layer 802.11 and 802.3 Media access control (MAC) architecture MAC 802.3 802.11 802.11 802.11 Physical PHY PHY PHY PHY Layer

  8. 802.11 MAC frames • Three types of frames: management, control and data frames • Management frames used to advertise and connect to networks Addresses Information Element FC … Addresses … Information Elements header body FCS (30 byte) (up to 2312 byte) (4 byte)

  9. 802.11 states State I Class 1 Authentication DeAuthentication State 2 Classes 1, 2 Association or Disassociation Reassociation State 3 Classes 1, 2, 3

  10. 802.11 association access station point

  11. 802.11 association Beacons 1 access station point

  12. 802.11 association Beacons 1 Probe Request 2 access station point

  13. 802.11 association Beacons 1 Probe Request 2 Probe Response 3 access station point

  14. 802.11 association Beacons 1 Probe Request 2 Probe Response 3 access station point Authentication 4

  15. 802.11 association Beacons 1 Probe Request 2 Probe Response 3 access station point Authentication 4 Authentication 5

  16. 802.11 association Beacons 1 Probe Request 2 Probe Response 3 State 2 access station point Authentication 4 Authentication 5

  17. 802.11 association Beacons 1 Probe Request 2 Probe Response 3 access station point Authentication 4 Authentication 5 Association Request 6

  18. 802.11 association Beacons 1 Probe Request 2 Probe Response 3 access station point Authentication 4 Authentication 5 Association Request 6 Association Response 7

  19. 802.11 association Beacons 1 Probe Request 2 Probe Response 3 access State 3 station point Authentication 4 Authentication 5 Association Request 6 Association Response 7

  20. 802.11 fuzzing

  21. 802.11 fuzzing issues • Fuzzers must be aware of frequency channels, BSSIDs, states, modes, and data link encryption (filtering may take place at hardware level!) • Response time and timing of replies is critical (e.g., because of reply windows or channel hopping) • Overload, interference, packet corruption may occur • Attacker and target must be co-ordinated and target must be continuously monitored

  22. What to fuzz? • Some Information Elements (IE) follow type- length-value pattern • Type and length fields have fixed size, the value field’s size is variable (potential overflow) type length value

  23. Example: a beacon frame FCS FC ID Source Destination BSSID 0x00 Time-stamp Beacon Interval Capability Information 0x0 0x9 ‘MyNetwork’ (ID) (LEN) (SSID) 0x1 0x8 11.0 (B) . . . 54.0 (B) 0x1 (ID) (LEN) (Supported Rates) (ID) 0x1 0x9 (LEN) (Freq)

  24. virtual 802.11 fuzzing

  25. A novel approach • Requirements • Eliminate timing contraints • Replace unstable wireless medium • Allow guaranteed delivery • Support advanced target monitoring • Solution • Move target into a virtual environment!

  26. Advantages • Virtual wireless device (software) replaces network hardware • High-level IPC instead of live frame-injection • CPU of virtual machine can be interrupted and stopped if necessary • Guest OS monitoring at low-level (system restart, console output, etc.) • Drastically simplifies complexity of fuzzing process

  27. Our solution • Develop a fuzzing “framework” on the basis of Fabrice Bellard’s QEMU (optional ethernet card can be added via command-line option) • Modular design • packets read from outgoing queue are copied to shared memory • connected modules are notified via semaphores • packets are read from shared memory and copied to incoming queue

  28. System overview QEMU Dumper (RM): store outgoing packets CPU Listener (RM): display outgoing packets MMU … Ethernet Injector (IM): inject arbitrary packets 802.11 Fuzzer Stateless fuzzer (IM): reply directly Shared memory Reply (RM) Access point (RM & IM) PCI ID: 168c0013 (rev01) Atheros Communications, Inc. Inject (IM) AR5212 802.11abg NIC (rev 01) Stateful fuzzer (RM & IM): AP and fuzzer

  29. Access Point module • Broadcasts beacon frames • Responds to incoming probe requests • Supports complete Open System Authentication • Responds to incoming association requests • Features minimum implementation of ICMP • Full logging of 802.11 traffic • But words can only say so much…

  30. Stateful fuzzer module • Initially, the fuzzer behaves like an access point module, broadcasting valid beacons and responding to probe requests • Once authentication is complete, it is possible to fuzz the target in state 2, e.g. transmit fuzzed association response frames • See it yourself…

  31. fuzzing results

  32. Results • We have developed a “framework” for 802.11 fuzzing using QEMU • So far the framework supports fuzzing in all three states of a target in managed mode • A simple fuzzer using the framework and old versions of the MadWifi driver detected known vulnerabilities • A previously undocumented vulnerability was also found!

  33. The vulnerability • Our fuzzer detected a flaw in the MadWifi implementation • A beacon frame with a specially crafted Extended Supported Rates information element crashes Linux when scanning for available networks • Sadly (uh, is deepsec blackhat?), no remote code execution possible (but DoS) • Recently published by SEC Consult & TU Vienna and fixed since 0.9.3.3

  34. kernel-mode exploits

  35. Vulnerabilities in kernel space

  36. Vulnerabilities in kernel space • What types of kernel space vulnerabilities are there?

  37. Vulnerabilities in kernel space • What types of kernel space vulnerabilities are there? • How can they be exploited (remotely)?

  38. Vulnerabilities in kernel space • What types of kernel space vulnerabilities are there? • How can they be exploited (remotely)? • How generic are these exploits?

  39. NULL / user-space dereference ring0 ring3

  40. NULL / user-space dereference ring0 ring3

  41. NULL / user-space dereference … foo = kmalloc(size, GFP_KERNEL); /* if kmalloc fails, foo will be NULL */ … /* later on... */ ring0 ring3 foo->data->value = some_value;

  42. NULL / user-space dereference … foo = kmalloc(size, GFP_KERNEL); /* if kmalloc fails, foo will be NULL */ … /* later on... */ ring0 ring3 foo->data->value = some_value;

  43. NULL / user-space dereference … foo = kmalloc(size, GFP_KERNEL); /* if kmalloc fails, foo will be NULL */ … /* later on... */ ring0 ring3 foo->data->value = some_value;

  44. Heap (slab) overflows

  45. Heap (slab) overflows • The slab allocator can create so called lookaside caches for you: pools of memory objects (slabs) that all have the same size.

  46. Heap (slab) overflows • The slab allocator can create so called lookaside caches for you: pools of memory objects (slabs) that all have the same size. • kmalloc uses just a number of such pools!

  47. Heap (slab) overflows • The slab allocator can create so called lookaside caches for you: pools of memory objects (slabs) that all have the same size. • kmalloc uses just a number of such pools! • A slab overflow is, if we write beyond the boundary of a slab and into the adjacent slab.

  48. Heap (slab) overflows • The slab allocator can create so called lookaside caches for you: pools of memory objects (slabs) that all have the same size. • kmalloc uses just a number of such pools! • A slab overflow is, if we write beyond the boundary of a slab and into the adjacent slab. slab buffer slab slab

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment Tokyo 25 October 2007

Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment Tokyo 25 October 2007

Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment Tokyo 25 October 2007 Sylvester Keil sk [at] seclab [dot] tuwien [dot] ac [dot] at Clemens Kolbitsch ck [at] seclab [dot] tuwien [dot] ac [dot] at About us We are

589 views • 45 slides
Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Outline Faculty of Computer Science Institute for System Architecture, Operating Systems Group What's so different about device drivers? Hardware access Writing device drivers on L4 Reuse of legacy drivers Hardware and Device

619 views • 12 slides
Understanding Modern Device Drivers Why study device drivers? Linux drivers constitute ~5

Understanding Modern Device Drivers Why study device drivers? Linux drivers constitute ~5

3/6/12 Understanding Modern Device Drivers Why study device drivers? Linux drivers constitute ~5 million LOC and 70% of kernel Little exposure to this breadth of driver code from research Better understanding of drivers can lead to

484 views • 14 slides
Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2.

Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2.

Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2. Kernel Modules Friedrich Schiller University Jena 3. Char Drivers Department of Mathematics and 4. Advanced Char Drivers Computer Science 5.

531 views • 12 slides
Linux Device Drivers Linux Device Drivers Dr. Wolfgang Koch 1. Introduction Friedrich Schiller

Linux Device Drivers Linux Device Drivers Dr. Wolfgang Koch 1. Introduction Friedrich Schiller

Linux Device Drivers Linux Device Drivers Dr. Wolfgang Koch 1. Introduction Friedrich Schiller University Jena 2. Kernel Modules Department of Mathematics and 3. Char Drivers Computer Science 4. Advanced Char Drivers Jena, Germany 5.

529 views • 17 slides
Towards safer Concurrent Device Drivers Making Safer Concurrent Device Drivers. Modeling RMoX

Towards safer Concurrent Device Drivers Making Safer Concurrent Device Drivers. Modeling RMoX

Concurrent Device Drivers Martin Ellis Motivation Towards safer Concurrent Device Drivers Making Safer Concurrent Device Drivers. Modeling RMoX Drivers in CSP Previous Work The Problem Our Technique Resource Driver Martin Ellis

605 views • 32 slides
Device Drivers: Dont build a house on a shaky foundation johnny cache, researcher david

Device Drivers: Dont build a house on a shaky foundation johnny cache, researcher david

Device Drivers: Dont build a house on a shaky foundation johnny cache, researcher david maynor, SecureWorks Overview Problems Nifty Fingerprinting Stuff Finding and Exploiting Vulns Shellcode Design DEMOS!!!!!!

881 views • 68 slides
Wireless monitoring device Goal Wireless monitoring device monitors existing wireless network

Wireless monitoring device Goal Wireless monitoring device monitors existing wireless network

Wireless monitoring device Goal Wireless monitoring device monitors existing wireless network using independent network to report status. Logical parts Communication Monitoring unit unit Storage Central Unique unit processing unit unit

154 views • 4 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (May 2, 2002) I E S R C E O

UMBC A B M A L T F O U M B C I M Y O R T 1 (May 2, 2002) I E S R C E O

Systems Design&Programming Linux Device Drivers III CMPE 310 Char Drivers Well develop a device driver, scull , which treats an area of memory as a device. There are several types of scull devices: scull[0-3] This type has four

481 views • 19 slides
Hardware and Device Drivers Bjrn Dbel Dresden, 2007-11-13 Outline What's so different

Hardware and Device Drivers Bjrn Dbel Dresden, 2007-11-13 Outline What's so different

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Hardware and Device Drivers Bjrn Dbel Dresden, 2007-11-13 Outline What's so different about device drivers? Hardware access Writing device

634 views • 45 slides
Dingo: Taming Device Drivers Leonid Ryzhyk Peter Chubb Ihor Kuz Gernot Heiser UNSW,

Dingo: Taming Device Drivers Leonid Ryzhyk Peter Chubb Ihor Kuz Gernot Heiser UNSW,

Dingo: Taming Device Drivers Leonid Ryzhyk Peter Chubb Ihor Kuz Gernot Heiser UNSW, NICTA, Open Kernel Labs (Australia) The problem with drivers 70% of OS crashes are caused by device drivers Drivers contain 1.5x-7x bugs per loc

557 views • 36 slides
HW/SW Codesign w/ FPGAs Microprogramming ECE 495/595 Introduction (Linux Device Drivers, 3rd

HW/SW Codesign w/ FPGAs Microprogramming ECE 495/595 Introduction (Linux Device Drivers, 3rd

HW/SW Codesign w/ FPGAs Microprogramming ECE 495/595 Introduction (Linux Device Drivers, 3rd Edition (www.makelinux.net/ldd3)) Device Drivers -> DD They are a well defined programming interface between the applications and the actual

486 views • 24 slides
Operating System Principles: Devices, Device Drivers, and I/O CS 111 Operating Systems Peter

Operating System Principles: Devices, Device Drivers, and I/O CS 111 Operating Systems Peter

Operating System Principles: Devices, Device Drivers, and I/O CS 111 Operating Systems Peter Reiher Lecture 12 CS 111 Page 1 Summer 2017 Outline Devices and device drivers I/O performance issues Device driver abstractions

1.92k views • 58 slides
Writing and Adapting Device Drivers for FreeBSD John Baldwin November 5, 2011 What is a Device

Writing and Adapting Device Drivers for FreeBSD John Baldwin November 5, 2011 What is a Device

Writing and Adapting Device Drivers for FreeBSD John Baldwin November 5, 2011 What is a Device Driver? Hardware Functionality A device driver is the software that bridges Device Driver the two. 2 Focus of This Presentation

1.08k views • 93 slides
Kernel Modules KLD Device Drivers The kld interface allows system administrators to

Kernel Modules KLD Device Drivers The kld interface allows system administrators to

Dynamic Kernel Linker Facility - Kernel Modules KLD Device Drivers The kld interface allows system administrators to dynamically add and remove functionality from a Pseudo device example running system. Joystick device example This

503 views • 8 slides
Linux Wireless Drivers Freedom considered harmful? Felix Fietkau <nbd@openwrt.org>

Linux Wireless Drivers Freedom considered harmful? Felix Fietkau <nbd@openwrt.org>

Linux Wireless Drivers Freedom considered harmful? Felix Fietkau <nbd@openwrt.org> 2015-12-30 Introduction OpenWrt developer for >10 years Involved with Linux wireless drivers almost as long Main focus: access points and

306 views • 27 slides
InsectJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse

InsectJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse

InsectJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse Arjan Seesing and Alessandro Orso Georgia Institute of Technology This work was supported in part by an IBM Eclipse Innovation Grant.

859 views • 24 slides
Ash Deposition and Shedding in Straw and W ood Suspension-Fired Boilers : Full-scale Measurem

Ash Deposition and Shedding in Straw and W ood Suspension-Fired Boilers : Full-scale Measurem

Ash Deposition and Shedding in Straw and W ood Suspension-Fired Boilers : Full-scale Measurem ents Student: Muham m ad S. Bashir Supervisors: Professor Kim Dam -Johansen Asso. Prof. Peter A. Jensen Asso. Prof. Flem m ing Frandsen Asso.

286 views • 27 slides
1 EXISTING CONDITION EXISTING CONDITION 424 BROADWAY STOREFRONT 12.11.18 2 HISTORIC BUILDING

1 EXISTING CONDITION EXISTING CONDITION 424 BROADWAY STOREFRONT 12.11.18 2 HISTORIC BUILDING

GREENE ST E BLEECKER ST W HOUSTON ST AVE OF THE AMERICAS SULLIVAN ST E HOUSTON ST THOMPSON ST PRINCE ST J E R S E Y S T Y A GREENE ST W D A WEST BROADWAY O R BROADWAY B L P SPRING ST D WOOSTER ST MERCER ST N A L E

775 views • 21 slides
Content Reflectometer Erin L. Bush Gerard J. Kluitenberg Nathan O. Nelson Introduction

Content Reflectometer Erin L. Bush Gerard J. Kluitenberg Nathan O. Nelson Introduction

Lab Calibration of a Water Content Reflectometer Erin L. Bush Gerard J. Kluitenberg Nathan O. Nelson Introduction Importance of accurate soil moisture measurements Monitor water use by cropping systems Assist with management

373 views • 14 slides
e sting Ultr asonic T Who we ar e Co nve ntio na l a nd Oil a nd Ga s, Re fine ry, Ove r

e sting Ultr asonic T Who we ar e Co nve ntio na l a nd Oil a nd Ga s, Re fine ry, Ove r

Phase d Ar r ay IO N SERVIC ES DAC O N INSPEC T e sting Ultr asonic T Who we ar e Co nve ntio na l a nd Oil a nd Ga s, Re fine ry, Ove r 400 pe rso nne l T ha ila nd he a dq ua rte rs Adva nc e d NDT a nd Pe tro c he mic a l, He a

450 views • 18 slides
Latest developments at SENIS Dr. Dragana Popovic Renella, COO OUR PRODUCTS.... MAPPERS

Latest developments at SENIS Dr. Dragana Popovic Renella, COO OUR PRODUCTS.... MAPPERS

Latest developments at SENIS Dr. Dragana Popovic Renella, COO OUR PRODUCTS.... MAPPERS MAGNETOMETERS CURRENT SENSORS 3MTS Handheld USB 3D Teslameter 3-axis Hall 2uT to 20T Accuracy 1% MFSV 150x150m 2uT to 20T

424 views • 21 slides
Updating dynamic origin- destination matrices using observed link travel speed by probe vehicles

Updating dynamic origin- destination matrices using observed link travel speed by probe vehicles

Updating dynamic origin- destination matrices using observed link travel speed by probe vehicles Toshiyuki Yamamoto, Tomio Miwa, Tomonori Takeshita and Takayuki Morikawa Nagoya Univ. Background P-DRGS (Probe-based dynamic route guidance

501 views • 16 slides
Welcome to Hydronix Defining the Standard for Microwave Moisture Measurement www.hydronix.com 1

Welcome to Hydronix Defining the Standard for Microwave Moisture Measurement www.hydronix.com 1

Welcome to Hydronix Defining the Standard for Microwave Moisture Measurement www.hydronix.com 1 An Introduction to Hydronix Hydronix design, manufacture and sell microwave moisture measurement and control equipment Industry leader

1.2k views • 74 slides

More recommend