SLIDE 1
Rooting Routers Using Symbolic Execution
Mathy Vanhoef β @vanhoefm HITB DXB 2018, Dubai, 27 November 2018
Overview
2
Symbolic Execution Handling Crypto 4-way handshake Results
Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 - - PowerPoint PPT Presentation
Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 - - PowerPoint PPT Presentation
Rooting Routers Using Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic Execution 4-way handshake Handling Crypto
SLIDE 2
SLIDE 3
Overview
3
Symbolic Execution Handling Crypto 4-way handshake Results
SLIDE 4
Symbolic Execution
4
void recv(data, len) { if (data[0] != 1) return if (data[1] != len) return int num = len/data[2] ... }
Mark data as symbolic Symbolic branch
SLIDE 5
Symbolic Execution
5
data[0] != 1 void recv(data, len) { if (data[0] != 1) return if (data[1] != len) return int num = len/data[2] ... } data[0] == 1 void recv(data, len) { if (data[0] != 1) return if (data[1] != len) return int num = len/data[2] ... }
SLIDE 6
Symbolic Execution
6
data[0] == 1 data[0] != 1
Continue execution: if (data[1] != len)
PC = Path Constraint
SLIDE 7
Symbolic Execution
7
data[0] != 1 Continue execution
data[0] == 1 && data[1] != len data[0] == 1 && data[1] == len
SLIDE 8
Symbolic Execution
8
Can data[2] equal zero under the current PC? Yes! Bug detected!
data[0] == 1 && data[1] == len void recv(data, len) { if (data[0] != 1) return if (data[1] != len) return int num = len/data[2] ...
SLIDE 9
Implementations
Practical limitations: βΊ πππ’βπ‘ = 2|ππβπ‘π’ππ’πππππ’π‘| βΊ Infinite-length paths βΊ SMT query complexity
9
We build upon KLEE βΊ Works on LLVM bytecode βΊ Actively maintained
SLIDE 10
Overview
10
Symbolic Execution Handling Crypto 4-way handshake Results
SLIDE 11
Motivating Example
11
void recv(data, len) { plain = decrypt(data, len) if (plain == NULL) return if (plain[0] == COMMAND) process_command(plain) else ... }
Mark data as symbolic Summarize crypto algo. (time consuming) Analyze crypto algo. (time consuming)
Wonβt reach this function!
SLIDE 12
Efficiently handling decryption?
Decrypted output = fresh symbolic variable
12
SLIDE 13
Example
13
void recv(data, len) { plain = decrypt(data, len) if (plain == NULL) return if (plain[0] == COMMAND) process_command(plain) else ... }
Create fresh symbolic variable Normal analysis Mark data as symbolic
ο Can now analyze code that parses decrypted data
SLIDE 14
Other than handling decryption
Handling hash functions βΊ Output = fresh symbolic variable βΊ Also works for HMACs (Message Authentication Codes)
14
Tracking use of crypto primitives? βΊ Record relationship between input & output βΊ = Treat fresh variable as information flow taint
SLIDE 15
Detecting Crypto Misuse
Timing side-channels βΊ β(πππ’βπ‘): all bytes of MAC in path constraint? βΊ If not: comparison exits on first byte difference
15
Decryption oracles βΊ Behavior depends on unauth. decrypted data βΊ Decrypt data is in path constraint, but not in MAC
SLIDE 16
Overview
16
Symbolic Execution Handling Crypto 4-way handshake Results
SLIDE 17
The 4-way handshake
Used to connect to any protected Wi-Fi network
17
Negotiates fresh PTK: pairwise transient key Mutual authentication
SLIDE 18
4-way handshake (simplified)
18
SLIDE 19
4-way handshake (simplified)
19
SLIDE 20
4-way handshake (simplified)
20
PTK = Combine(shared secret, ANonce, SNonce)
SLIDE 21
4-way handshake (simplified)
21
SLIDE 22
4-way handshake (simplified)
22
SLIDE 23
4-way handshake (simplified)
23
Encrypted with PTK
SLIDE 24
4-way handshake (simplified)
24
SLIDE 25
4-way handshake (simplified)
25
SLIDE 26
4-way handshake (simplified)
26
Authenticated with a MAC
SLIDE 27
We focus on the client
Symbolic execution of
27
How to get these working under KLEE? Intelβs iwd deamon wpa_supplicant kernel driver
SLIDE 28
Intelβs iwd
Avoid running full program under KLEE βΊ Would need to model Wi-Fi stack symbolically Our approach βΊ iwd contains unit test for the 4-way handshake βΊ Reuse initialization code of unit test! βΊ Symbolically execute only receive function
28
SLIDE 29
wpa_supplicant
Unit test uses virtual Wi-Fi interface ⺠Would again need to simulate Wi-Fi stack⦠Alternative approach: ⺠Write unit test that isolates 4-way handshake like iwd ⺠Then symbolically execute receive function! ⺠Need to modify code of wpa_supplicant (non-trivial)
29
SLIDE 30
MediaTekβs Driver
No unit tests & itβs a Linux driver βΊ Symbolically executing the Linux kernel?! Inspired by previous cases βΊ Write unit test & simulate used kernel functions in userspace βΊ Verify that code is correctly simulated in userspace βΊ Again symbolically execute receive function!
30
SLIDE 31
Not all our unit tests have clean code
31
https://github.com/vanhoefm/woot2018
SLIDE 32
Overview
32
Symbolic Execution Handling Crypto 4-way handshake Results
SLIDE 33
Discovered Bugs I
33
Timing side-channels βΊ Authenticity tag not checked in constant time βΊ MediaTek and iwd are vulnerable Denial-of-service in iwd βΊ Caused by integer underflow βΊ Leads to huge malloc that fails
SLIDE 34
Discovered Bugs II
Flawed AES unwrap crypto primitive βΊ Also in MediaTekβs kernel driver βΊ Manually discovered
34
Buffer overflow in MediaTek kernel module βΊ Occurs when copying the group key βΊ Remote code execution (details follow)
SLIDE 35
Decryption oracle in wpa_supplicant
ο Decrypt group key in Msg3 (details follow)
35
Decryption oracle: βΊ Authenticity of Msg3 not checked βΊ But decrypts and processes data
SLIDE 36
Rooting Routers:
Buffer overflow in MediaTek kernel module
36
SLIDE 37
MediaTek buffer overflow preconditions I
Triggered when the client processes Msg3 βΊ Adversary needs password of network βΊ Examples: Wi-Fi at conferences, hotels, etc.
37
SLIDE 38
MediaTek buffer overflow preconditions II
Which clients use the MediaTek driver? βΊ Not part of Linux kernel source tree βΊ Used in repeater modes of routers
38
Our target: βΊ RT-AC51U running Padavan firmware βΊ Original firmware has no WPA2 repeater
SLIDE 39
Popularity of Padavan firmware
39
SLIDE 40
Popularity of Padavan firmware
40
We exploit this version
SLIDE 41
The vulnerable code (simplified)
41
void RMTPParseEapolKeyData(pKeyData, KeyDataLen, MsgType) { UCHAR GTK[MAX_LEN_GTK]; if (MsgType == PAIR_MSG3 || MsgType == GROUP_MSG_1) { PKDE_HDR *pKDE = find_tlv(pKeyData, KeyDataLen, WPA2GTK); GTK_KDE *pKdeGtk = (GTK_KDE*)pKDE->octet; UCHAR GTKLEN = pKDE->Len β 6; NdisMoveMemory(GTK, pKdeGtk->GTK, GTKLEN); } APCliInstallSharedKey(GTK, GTKLEN); }
SLIDE 42
The vulnerable code (simplified)
42
void RMTPParseEapolKeyData(pKeyData, KeyDataLen, MsgType) { UCHAR GTK[MAX_LEN_GTK]; if (MsgType == PAIR_MSG3 || MsgType == GROUP_MSG_1) { PKDE_HDR *pKDE = find_tlv(pKeyData, KeyDataLen, WPA2GTK); GTK_KDE *pKdeGtk = (GTK_KDE*)pKDE->octet; UCHAR GTKLEN = pKDE->Len β 6; NdisMoveMemory(GTK, pKdeGtk->GTK, GTKLEN); } APCliInstallSharedKey(GTK, GTKLEN); }
SLIDE 43
The vulnerable code (simplified)
43
void RMTPParseEapolKeyData(pKeyData, KeyDataLen, MsgType) { UCHAR GTK[MAX_LEN_GTK]; if (MsgType == PAIR_MSG3 || MsgType == GROUP_MSG_1) { PKDE_HDR *pKDE = find_tlv(pKeyData, KeyDataLen, WPA2GTK); GTK_KDE *pKdeGtk = (GTK_KDE*)pKDE->octet; UCHAR GTKLEN = pKDE->Len β 6; NdisMoveMemory(GTK, pKdeGtk->GTK, GTKLEN); } APCliInstallSharedKey(GTK, GTKLEN); }
Len controlled by attacker Destination buffer 32 bytes
d SLIDE 44
Main exploitation steps
- Code execution in kernel
- Obtain a process context
- Inject shellcode in process
- Run injected shellcode
44
SLIDE 45
Main exploitation steps
- Code execution in kernel
- Obtain a process context
- Inject shellcode in process
- Run injected shellcode
45
SLIDE 46
Gaining kernel code execution
How to control return address & where to return? βΊ Kernel doesnβt use stack canaries βΊ Kernel stack has no address randomization βΊ And the kernel stack is executable
46
Return to shellcode on stack & done?
SLIDE 47
Gaining kernel code execution
How to control return address & where to return? βΊ Kernel doesnβt use stack canaries βΊ Kernel stack has no address randomization βΊ And the kernel stack is executable
47
Return to shellcode on stack & done? Nope⦠our shellcode crashes
SLIDE 48
Problem: cache incoherency on MIPS
Data cache
β¦
- ld stack data
β¦
48
Memory
β¦
- ld stack data
β¦
SLIDE 49
Problem: cache incoherency on MIPS
Data cache
β¦
shellcode
β¦
49
Instruction cache
β¦
<no cached entry>
β¦
Memory
β¦
- ld stack data
β¦
Fetch
SLIDE 50
Problem: cache incoherency on MIPS
Data cache
β¦
shellcode
β¦
50
Instruction cache
β¦
- ld stack data
β¦
Memory
β¦
- ld stack data
β¦
Fetch
SLIDE 51
Solution: flush cache after write
Data cache
β¦
shellcode
β¦
51
Instruction cache
β¦
<no cached entry>
β¦
Memory
β¦
- ld stack data
β¦
Flush
SLIDE 52
Solution: flush cache after write
Data cache
β¦
shellcode
β¦
52
Instruction cache
β¦
<no cached entry>
β¦
Memory
β¦
shellcode
β¦
Flush Fetch
SLIDE 53
Solution: flush cache after write
Data cache
β¦
shellcode
β¦
53
Instruction cache
β¦
shellcode
β¦
Memory
β¦
shellcode
β¦
Flush Fetch
SLIDE 54
How to flush the cache?
Execute kernel function to flush cache βΊ Rely on Return Oriented Programming (ROP) βΊ Use mipsrop tool of Craig Heffner
54
ο Building ROP chain is tedious but doable
SLIDE 55
Main exploitation steps
- Code execution in kernel
- Obtain a process context
- Inject shellcode in process
- Run injected shellcode
55
SLIDE 56
Obtaining a process context
Code execution in kernel, letβs spawn a shell? βΊ Tricky when in interrupt context βΊ Easier in process context: access to address space
56
How to obtain a process context? βΊ System calls run in process context β¦ βΊ β¦ so intercept a close() system call
SLIDE 57
Intercepting system calls
57
System call table:
sys_open sys_read sys_close β¦
sys_close normal code
SLIDE 58
Intercepting system calls
58
System call table:
sys_open sys_read sys_close β¦
sys_close normal code Interceptor attackers code Jump to sys_close
SLIDE 59
Main exploitation steps
- Code execution in kernel
- Obtain a process context
- Inject shellcode in process
- Run injected shellcode
59
SLIDE 60
Hijacking a process
Kernel now executes in process context βΊ Hijack unimportant detect_link process βΊ Recognize by its predictable PID Now easy to inject shellcode in process:
- 1. Call mprotect to mark process code writable
- 2. Copy user space shellcode to return address
- 3. Flush caches
60
SLIDE 61
Main exploitation steps
- Code execution in kernel
- Obtain a process context
- Inject shellcode in process
- Run injected shellcode
61
SLIDE 62
User space shellcode
When close() returns, shellcode is triggered βΊ It runs βtelnetd βp 1337 βl /bin/shβ using execve βΊ Adversary can now connect to router Important remaks: βΊ Original process is killed, but causes no problems βΊ Used telnetd to keep shellcode small
62
SLIDE 63
Running the full exploit
Multi-chain exploit. Space for shellcode? βΊ For initial stage we have 250 bytes βΊ Handshake frame can transport ~2048 bytes βΊ We can even use null bytes!
63
SLIDE 64
Exploit recap & lessons learned
64
io.netgarage.org
___ / /\ /__/\ / /::\ \__\:\ / /:/\:\ / /::\ / /:/ \:\ __/ /:/\/ /__/:/ \__\:\ /__/\/:/~~ \ \:\ / /:/ \ \::/ \ \:\ /:/ \ \:\ \ \:\/:/ \__\/ \ \::/ \__\/
Debug with infinite loops
First test ideas in C Cache incoherence
SLIDE 65
Decryption Oracle
65
SLIDE 66
Recall: decryption oracle in wpa_supplicant
66
Decryption oracle: βΊ Authenticity of Msg3 not checked βΊ Does decrypt and process data
How can this be abused to leak data?
SLIDE 67
Background: process ordinary Msg3
On reception of Msg3 the receiver:
- 1. Decrypts the Key Data field
67
header Key Data
Encrypted and authenticated
SLIDE 68
Background: process ordinary Msg3
On reception of Msg3 the receiver:
- 1. Decrypts the Key Data field
- 2. Parses the type-length-values elements
68
header
Encrypted and authenticated
SLIDE 69
Background: process ordinary Msg3
On reception of Msg3 the receiver:
- 1. Decrypts the Key Data field
- 2. Parses the type-length-values elements
69
header 48 18 Type Len
Encrypted and authenticated
SLIDE 70
Background: process ordinary Msg3
On reception of Msg3 the receiver:
- 1. Decrypts the Key Data field
- 2. Parses the type-length-values elements
70
header 48 18 ππ β¦ πππ Type Len RSNE
Encrypted and authenticated
SLIDE 71
Background: process ordinary Msg3
On reception of Msg3 the receiver:
- 1. Decrypts the Key Data field
- 2. Parses the type-length-values elements
71
header 48 18 ππ β¦ πππ 221 38 Type Len RSNE Type Len
Encrypted and authenticated
SLIDE 72
Background: process ordinary Msg3
On reception of Msg3 the receiver:
- 1. Decrypts the Key Data field
- 2. Parses the type-length-values elements
72
header 48 18 ππ β¦ πππ 221 38 ππ β¦ πππ Type Len RSNE Type Len GTK
Encrypted and authenticated
SLIDE 73
Background: process ordinary Msg3
On reception of Msg3 the receiver:
- 1. Decrypts the Key Data field
- 2. Parses the type-length-values elements
- 3. Extracts and installs the group key (GTK)
73
header 48 18 ππ β¦ πππ 221 38 ππ β¦ πππ Type Len RSNE Type Len GTK
Encrypted and authenticated
SLIDE 74
How to turn parsing into an oracle?
74
SLIDE 75
Constructing an oracle
75
header 221 38 ππ β¦ πππ Type Len GTK
Encrypted Adversary knows type and length, but not GTK
SLIDE 76
Constructing an oracle
76
header 221 36 ππ β¦ πππ Type Len
Encrypted Adversary knows type and length, but not GTK.
- 1. Reduce length by two
SLIDE 77
Constructing an oracle
77
header 221 36 ππ β¦ πππ Type Len
Encrypted Adversary knows type and length, but not GTK.
- 1. Reduce length by two
- 2. Parsing
SLIDE 78
Constructing an oracle
78
header 221 36 ππ β¦ πππ Type Len
Encrypted Adversary knows type and length, but not GTK.
- 1. Reduce length by two
- 2. Parsing
SLIDE 79
Constructing an oracle
79
header 221 36 ππ β¦ πππ πππ πππ Type Len GTKβ
Encrypted Adversary knows type and length, but not GTK.
- 1. Reduce length by two
- 2. Parsing
SLIDE 80
Constructing an oracle
80
header 221 36 ππ β¦ πππ πππ πππ Type Len GTKβ Type Len
Encrypted Adversary knows type and length, but not GTK.
- 1. Reduce length by two
- 2. Parsing only succeeds if πππ equals zero
SLIDE 81
Constructing an oracle
81
header 221 36 ππ β¦ πππ πππ πππ Type Len GTKβ Type Len
Encrypted Adversary knows type and length, but not GTK.
- 1. Reduce length by two
- 2. Parsing only succeeds if πππ equals zero
- 3. Keep flipping encrypted πππ until parsing succeeds
SLIDE 82
Abusing the oracle in practice
- 1. Guess the last byte (in our example πππ)
- 2. XOR the ciphertext with the guessed value
- 3. Correct guess: decryption of πππ is zero
Parsing succeeds & we get a reply
- 4. Wrong guess: decryption of πππ is non-zero
Parsing fails, no reply
ο Keep guessing last byte until parsing succeeds
82
SLIDE 83
Practical aspects
Test against Debian 8 client: βΊ Adversary can guess a value every 14 seconds βΊ Decrypting 16-byte group key takes ~8 hours
83
Attack can be made faster by: βΊ Attacking several clients simultaneously βΊ Can brute-force the last 4 bytes
SLIDE 84
The big picture
84
SLIDE 85
The big picture
85
Although limitations remain, symbolic execution tools are now more usable & efficient.
SLIDE 86
Future symbolic execution work
Short-term βΊ Efficiently simulate reception of multiple packets βΊ If 1st packet doesnβt affect state, stop exploring this path Long-term βΊ Extract packet formats and state machine βΊ Verify basic properties of protocol
86
SLIDE 87
Conclusion
βΊ Symbolic execution of protocols βΊ Simple simulation of crypto βΊ Root exploit & decryption oracle βΊ Interesting future work
87
SLIDE 88