Cisco ROP
George Nosenko
Security Researcher at Embedi
About me
George Nosenko
bug hunter, exploit developer, reverse engineer, SMT fun
g.nosenko@embedi.com
Agenda
• Cisco Exploitation History
• Target’s characteristics
• Target Description
• Mitigations
• Exploitation
• DEP Bypass
• Shellcode Hunting
• Shellcode Completion
• Conclusions
Cisco Exploitation History
Cisco Exploitation Milestones (2002 to 2017)

2002: TFTP Exploit, Felix 'FX' Lindner, Cisco IOS, CVE-2002-0813
  Heap-Based BoF (CWE-122). Techniques: write a positive value at an arbitrary address (NVRAM corruption); write-4 (Process Array)
2003: HTTP Remote Integer Overflow, Felix 'FX' Lindner, Cisco IOS, CVE-2003-0647
  Stack-Based BoF (CWE-121), Integer Overflow (CWE-190). Techniques: write a positive value at an arbitrary address (NVRAM corruption); write-4 (Process Array)
2005: Cisco IOS Shellcode, Michael Lynn, Cisco IOS
  Heap-Based BoF (CWE-122). Techniques: overwrite (timer) linked-list; CheckHeaps bypass; TTY/TCB Shellcode
2007: FTP Server Exploit, Andy Davis, Cisco IOS, CVE-2007-2586
  Stack-Based BoF (CWE-121). Techniques: VTY Shellcode; Signature-based Shellcode
2008: Cisco IOS Shellcodes And Exploitation Techniques, Gyan Chawdhary and Varun Uppal, Cisco IOS
  Techniques: bind shell; connectback shell; tinyshell
2009: Router Exploitation, Felix 'FX' Lindner, Cisco IOS, CVE-2007-0480
  Stack-Based BoF (CWE-121). Techniques: ROP (PowerPC); disabling caching; Disassembling Shellcode; return2caller; TclLoader
2011: Killing the Myth of Cisco IOS Diversity, Ang Cui, Cisco IOS
  Techniques: interrupt-Hijack Shellcode; multistage attack
2015: Cisco Shellcode: All in One, George Nosenko, Cisco IOS/XE
  Techniques: TclShellcode, the concept of an Image Independent Exploit
2016: IKEv2 Exploit, Exodus Intel (XI), Cisco ASA, CVE-2016-1287
  Heap-Based BoF (CWE-122). Techniques: Heap feng shui
2016: IKEv1 Exploit, nccgroup, Cisco ASA, CVE-2016-1287
  Heap-Based BoF (CWE-122). Techniques: Heap feng shui
2016: EXTRABACON, NSA arsenal, Cisco ASA, CVE-2016-6366
  Stack-Based BoF (CWE-121). Techniques: authentication bypass; image patching
2017: CMP Exploit (ROCEM), CIA arsenal, Artem Kondratenko, Cisco ASA, CVE-2017-3881
  Stack-Based BoF (CWE-121). Techniques: ROP (PowerPC)
Target’s characteristics
Cisco Diversity
Operating Systems:
• Cisco IOS
• Cisco IOS XE (based on Linux)
• Cisco NX-OS (based on Linux)
• Cisco IOS XR (based on QNX)
• ASA OS (based on Linux)
• CatOS
Architectures:
• PowerPC
• MIPS
• Intel x86_x64
• …
Over 300 000 unique images
Our Target
Cisco Catalyst 2960 Series Switches
• Cisco IOS 12.x – 15.x
• PowerPC 405 (32bit, Big-endian)
Cisco IOS
• proprietary software
Vulnerability
• Stack-based Overflow (CWE-121)
• Intercepted traffic
Mitigations
• Stack & Heap are not executable (DEP)
• Stack & Heap randomization
• CheckHeaps
• Checking of code integrity
• Watch-Dog Timer
• Cisco Diversity
• I-Cache, D-Cache (PowerPC)
Exploitation
Common Steps to Arbitrary Code Execution
01 Gain Control
• Stack-based overflow
• Heap-based overflow
02 DEP Bypass
• Return Oriented Programming
• Disable DEP & use generic shellcode
• Return to caller
03 Solve I-Cache, D-Cache problem
• Disable caching
• Cache Invalidation
04 Code Integrity Bypass
• Don’t touch any code
• overwrite .text
• Correct a checksum
• Disable this mechanism
• Use an uncontrolled region
05 Code Execution
Execute an arbitrary code:
• Bind/Reverse shellcode
• Disassembling shellcode
• TclShellcode
• etc.
06 Completion
• Return to caller
• Abuse scheduler’s functions
• Infinite loop
Note: you can also try to enter the recovery mode or ROMMON and boot a firmware under the debug mode.
https://github.com/embedi/PPCGadgetFinder
Write-4 primitive
• r31 contains a destination address
• Due to the C calling convention on PowerPC it’s difficult to find a gadget to initialize r3-r18
• You have to use a move gadget, but it increases the ROP-chain
BLRL gadgets may be more useful than common gadgets
• You need to load the address of the next gadget into r27
• The next gadget must load a new value into LR
• BLRL gadgets do something useful but don’t consume stack
Disable DEP:
• TLB programming
• ZPR abuse
PowerPC 405: Zone Protection Register
TLB entry fields: RPN | EX | WR | ZSEL | W | I | M | G
• The ZPR is designed for flexible and effective work with page protection
• ZPR zones: Z0 Z1 Z2 Z3 Z4 Z5 Z6 Z7 Z8 Z9 Z10 Z11 Z12 Z13 Z14 Z15
I-Cache, D-Cache problem
• Try to disable
• Try to invalidate
IO-Memory structure
Shared memory that is visible to both the CPU and the network media controllers over a data bus

Packet Fragmentation
We have to collect code by parts. Fields used to find and order the parts:
• IP-header
  • IP Identification
  • IP Source Address
• TCP-header
  • Destination Port
  • Sequence Number
  • Flags
• .text

Structure of IP Header (field widths: 4-bit, 8-bit, 16-bit, 32-bit)
  Ver. | Header Length | Type of Service | Total Length
  Identification                         | Flags | Offset
  Time to Live | Protocol                | Checksum
  Source Address
  Destination Address
  Options and Padding
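The two header fields the hunter keys on, Source Address and Identification, sit at fixed offsets in the IPv4 header laid out above. The parser below is an added example, not code from the talk or from Embedi: it decodes those fields from a constructed 20-byte header and rejects a header whose RFC 791 checksum does not verify, the check a packet filter or reassembly routine should make before trusting any field.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* IPv4 header fields from the slide's table; wire order is big-endian, ihl counts 32-bit words. */
struct ipv4_hdr {
    uint8_t  version, ihl, protocol;
    uint16_t total_length, identification;
    uint32_t src, dst;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* RFC 791 header checksum. Summed over a valid header, checksum field included, it returns 0. */
static uint16_t ipv4_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += be16(hdr + i);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);   /* fold carries back in */
    return (uint16_t)~sum;
}

/* 0 and *out filled for a well-formed header; -1 if too short, not IPv4, or checksum fails. */
int parse_ipv4(const uint8_t *buf, size_t len, struct ipv4_hdr *out) {
    if (len < 20) return -1;
    out->version = buf[0] >> 4; out->ihl = buf[0] & 0x0F;
    if (out->version != 4 || out->ihl < 5 || (size_t)out->ihl * 4 > len) return -1;
    if (ipv4_checksum(buf, (size_t)out->ihl * 4) != 0) return -1;
    out->total_length = be16(buf + 2);
    out->identification = be16(buf + 4);
    out->protocol = buf[9];
    out->src = be32(buf + 12);
    out->dst = be32(buf + 16);
    return 0;
}

/* Constructed sample: TCP from 172.16.10.99 to 172.16.10.12, Identification 0x1c46, checksum 0xb1e6. */
static const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06, 0xb1, 0xe6,
    0xac, 0x10, 0x0a, 0x63, 0xac, 0x10, 0x0a, 0x0c };

/* Identification of the sample, or -1 if the header is rejected. */
int sample_identification(void) {
    struct ipv4_hdr h;
    return parse_ipv4(sample_hdr, sizeof sample_hdr, &h) == 0 ? h.identification : -1;
}

/* Flips one bit of the Source Address and re-parses: the checksum check rejects the corruption. */
int corrupted_sample_result(void) {
    uint8_t bad[20]; struct ipv4_hdr h;
    memcpy(bad, sample_hdr, sizeof bad);
    bad[12] ^= 0x01;
    return parse_ipv4(bad, sizeof bad, &h);
}
```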
Omelet Egg Hunter (192 bytes)
• Look for the 1st part of the shellcode by Source IP & SIGNATURE
  • enumerate the elements of the double-linked list of Packet Data
  • parse an IP header
  • check Source IP
  • look for the signature
  • save the value of the IP Identification field
  • copy the 1st part to the destination address
• Look for the other parts of the shellcode until the entire shellcode is collected
  • enumerate the elements of the double-linked list of Packet Data
  • look for a packet whose IP Identification is higher by one than that of the previous one
  • parse an IP header
  • check Source IP & IP Identification
  • copy the current part to the destination address
https://github.com/embedi/iomem_hunter
Checking Code Integrity
• Interrupt-Hijack Shellcode
  start_of_code = 0x3000
  end_of_code = 0x01715233
Image-independent shellcodes:
1. Signature-based Shellcode by Andy Davis (Version-independent IOS shellcode, 2008)
2. Disassembling Shellcode by Felix ‘FX’ Lindner (Cisco IOS Router Exploitation, 2009)
3. Interrupt-Hijack Shellcode by Columbia University NY (Killing the Myth of Cisco IOS Diversity, 2011)
Completion of the shellcode
Cooperative multitasking
• Task processes voluntarily yield control periodically or when idle in order to enable multiple applications to be run simultaneously
• Watch-Dog Timer
• Use scheduler’s functions
  • process_sleep_for()
  • process_suspend()
  • process_kill()
Infinite Loop: Watch-Dog Bypass
• You can use the Tcl_Sleep() function to return the CPU time
• You can get the address of Tcl_Sleep() during the execution of a shellcode

    /* Tcl_Sleep() belongs to the Tcl library inside IOS; its address is resolved
       at run time, as described above, so only the prototype is declared here. */
    void Tcl_Sleep(int ms);

    void shellcode(void)
    {
        /* Sleep 5 s per iteration, handing the CPU back to the scheduler each time */
        while (1) {
            Tcl_Sleep(5000);
        }
    }
ARBITRARY CODE EXECUTION: GEEKPWN CASE
01 Gain Control
• Stack-based overflow
• Just overwrite a return address
03 Solve I-Cache, D-Cache problem
• Omelet-hunter: use ios_move_hundler to copy with caches invalidation
05 Code Execution
• Execute the TclShellcode to gain control under the device
CONTACTS:
Website: embedi.com
Telephone: +1 5103232636
Email: info@embedi.com
Address: 2001 Addison Street Berkeley, California 94704