Netscreen of the Dead: Developing a Trojaned Firmware for Juniper Netscreen Appliances
Graeme Neilson, Security Consultant, Aura Software Security (graeme@aurasoftwaresecurity.co.nz)

Trailer
- What if a core network security device was compromised? An attacker has exploited a vulnerability; a malicious appliance supplier; malicious third-party support; a malicious employee.
- This is a POST-EXPLOIT, SERIAL CONSOLE or MITM attack.
- Goal is hidden root control of the appliance.
- Discuss reversing and modifying the firmware code.
- Demo a zombied Netscreen.

Victim
- Netscreens are manufactured by Juniper Inc.
- All-in-one Firewall/VPN/Router security appliance.
- SME to datacentre scale (NS5XP to NS5000).
- Common Criteria and FIPS certified.
- Run a closed-source real-time OS called ScreenOS.
- ScreenOS is supplied as a binary firmware blob.
- NS5XT model: PowerPC 405GP RISC processor, 64MB Flash, serial console, Telnet/SSH/HTTP/HTTPS admin interfaces.

Attack
- Attacking firmware: two vectors of attack.
- Live evisceration: debugging with a remote GDB debugger over the serial line.
- Feeding on the remains: dead listing, static binary analysis using a disassembler and hex editor.
- PowerPC architecture: fixed instruction size of 4 bytes, flat memory model, 32 GP registers, no explicit stack, link register.
- Reference: IBM PPC405 Embedded Processor Core User Manual.

Live Evisceration
- Embedded Linux Development Kit has GDB compiled for the PowerPC 405 processor.
- No source, so create a custom gdbinit for PPC registers and stack to provide SoftICE-like context on breaks.
- Network connection to the Netscreen, then enable gdb on the appliance.
- Connect remote gdb via the serial console.

Feeding on the Remains
- Compared many different versions of ScreenOS firmware.
- Revealed a 4-section structure: Header (size, compressed image size; 79 bytes), sysinfo (platform, cpu, version), Stub (contains strings relating to the LZMA compression algorithm), Compressed Binary Update Blob (Bub).
- The Bub also has a header. The header of the Bub appears to be a customised LZMA header.
- Comparative analysis again of different Bub headers.
- The standard LZMA header has 3 fields: options, dictionary size, uncompressed size.
- Bub header has 3 fields: options, dictionary size, and a third field (the slide's hex dump of sample Bub headers is not recoverable from the OCR).

Bub Can Change
Uncompress the Bub:
- Cut out the Bub from the firmware file.
- Insert an uncompressed size field of value -1 (unknown size).
- Modify the dictionary size from [unreadable] to 0x00008000.
- Then we can decompress the Bub using freely available LZMA utilities.
Compress the Bub:
- Compress the binary with standard LZMA utilities.
- Modify the dictionary size field from 0x00002000 to [unreadable].
- Delete the uncompressed_size field of 8 bytes.
- Insert the new Bub into the firmware file, replacing the original compressed blob.

Night of the Living Netscreen
- Cut out the compressed Bub section of the image.
- Uncompress the Bub.
- Modify the resulting binary to add or change code and/or data.
- Recompress the modified binary into a new Bub.
- Prepend the original firmware header to the modified Bub.
- Upload the modified firmware over serial: SUCCESS.
- Upload the modified firmware over the network: FAILED.

Autopsy
- The uncompressed Bub is a 20Mb ScreenOS binary with a header.
- Want to load it into IDA, but need a loading address so that references within the program point to the correct locations.
- From the header: program entry address, offset, signature. Header dump as OCR'd from the slide: 00000000 EE16BAS1 00010110 00000010 01440578 00000000 00000000 F8A2FASF
- Confirm with live debugging.
- Correctly loaded binary, but unknown sections.

Autopsy ii
- Use IDA scripts to find function prologs (0x9421F...) and mark them as code.
- Mark strings in the data section for cross-references.
- Use error strings to identify functions and rename them.
- Search for strcmp, file read, file write, login, etc.
- Build up a picture of the binary structure and functions.
- Need to cut out the boot loader and disassemble it separately with loading address 0x0.

Trojaned Firmware: required functionality
- Install/Upgrade: load the trojan firmware via serial, tftp and web.
- Maintain Access: include a back door login mechanism.
- Payload: execute arbitrary code injected into the image.
- All modification is hand-crafted asm and hex editing of the binary.

First Bite (Install/Upgrade)
- Checksum and size in the header are checked when images are loaded over the network via TFTP or Web.
- The checksum is calculated; we could reverse the algorithm, but on loading, any bad checksum value is printed to the console.
- If we modify the firmware to print out the correct checksum value we would have a "checksum calculator" firmware which we load modified firmware against.
- With the correct checksum we can now load modified firmware via the tftp and web interfaces.

First Bite ii
- [Disassembly listing of the checksum comparison at 008B60E4..00886108, annotated on the slide: r4 contains the header checksum; r3 contains the calculated checksum; branch away to loc_886110 if the checksums matched; otherwise print the calculated checksum ("cksum %x size %d\n") and "Incorrect firmware data" to the console.]

One Bit (Maintain Access)
- Console, Telnet, Web and SSH all compare password hashes and use the same function.
- SSH falls back to password if the client does not supply a key, unless password authentication has been disabled.
- A one-bit patch provides login with any password if a valid username is supplied: the string compare is changed from "equal if they match" to "equal if they don't".

Infection (injecting code into the binary)
- The ScreenOS code section contains a block of nulls.
- Proof-of-concept code is injected into the nulls.
- Proof of Concept Code: motd.
- Patch a branch in ScreenOS to call our code; call ScreenOS functions from our code; create new code and functionality; branch back to the callee.

Infection ii
- [Disassembly listing from the slide, not recoverable from the OCR.]

Zombie Loader
- All Juniper ScreenOS images are signed.
- The administrator can load a Juniper certificate to validate firmware.
- The certificate is NOT installed by default.
- The administrator can delete this certificate.
- The check is done in the BOOT LOADER, which we can modify to authenticate all images, or only non-Juniper images.
- Delete certificate -> install bogus firmware -> re-install certificate.

Zombie Loader ii
- [Disassembly listing from the slide, not recoverable from the OCR.]

Hacks Later
- Hidden shadow configuration file allowing all traffic from one IP through the Netscreen.
- Network traffic tap.
- Persistent infection via the boot loader on ScreenOS upgrade.
- Patch the boot loader and login mechanism.
- Javascript code injection in the web console.

Disclosure
- 04/07/08: Sent white paper and firmware to Juniper recommending: install the firmware authentication certificate at the factory; prevent certificate deletion; encrypt firmware rather than using LZMA compression.
- Juniper, 13/09/08: "This is expected."
- 28/10/08: "I saw you are presenting at RUXCON on Nov 30th. Cool."
- 24/11/08: Juniper publish JTAC Bulletin PSN-2008-11-111, ScreenOS Firmware Image Authenticity Notification, Risk Level: Medium.

Victim ii
- "All Juniper ScreenOS Firewall Platforms are susceptible to circumstances in which a maliciously modified ScreenOS image can be installed."
- Juniper recommend: install the imagekey.cer certificate; utilize the Manager IP feature to control which hosts (via their IP addresses) can manage your firewall; change the TCP port on which the device listens for administration traffic (HTTPS, SSH).

Remove the Brain
- Install known firmware before deployment.
- Who is your Juniper vendor?
- Admin via SSH key authentication only; disable Telnet, HTTP and HTTPS.
- Out-of-band management network.
- Limit the number of administrators.
- Strong passwords.

Credits
- Andy and Mark, Aura Software Security; George Romero; Simon Pegg.
- Script by ScreenOS dev "BOB": "Code should never reach here by design."
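The Bub-to-LZMA conversion the talk describes (insert an "unknown" uncompressed-size field of 8 x 0xFF, optionally patch the dictionary size, then use standard LZMA tools) as an added example; this is not the talk's tooling. A defender can use the same extraction to compare the ScreenOS image actually on a device with a known-good image. The firmware header layout (magic, sizes) and the sample image are constructed for this example, since the page does not give the real header layout.

```python
import lzma
import struct

# LZMA "uncompressed size unknown": the decoder then relies on the end-of-stream marker.
UNKNOWN_SIZE = b"\xff" * 8

# Assumed header for this example only (the real ScreenOS header holds image sizes
# and sysinfo, but its exact layout is not on the page): magic, image size, Bub size.
HEADER_FMT = "<4sII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAGIC = b"EXMP"  # constructed value


def bub_to_lzma_alone(bub, dict_size=None):
    """Rebuild a standard .lzma (LZMA_ALONE) stream from a Bub whose header is the
    LZMA header without the 8-byte uncompressed-size field. dict_size, if given,
    overrides the dictionary-size field, as the talk does before decompressing."""
    if len(bub) < 5:
        raise ValueError("Bub too short for options byte + dictionary size")
    options = bub[0:1]
    dict_field = struct.pack("<I", dict_size) if dict_size is not None else bub[1:5]
    return options + dict_field + UNKNOWN_SIZE + bub[5:]


def extract_screenos_image(firmware, dict_size=None):
    """Carve the Bub out of a firmware file and return the decompressed image,
    checking the sizes the header claims against what is actually present."""
    magic, image_size, bub_size = struct.unpack(HEADER_FMT, firmware[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("unexpected header magic %r" % magic)
    bub = firmware[HEADER_LEN:HEADER_LEN + bub_size]
    if len(bub) != bub_size:
        raise ValueError("truncated image: header claims %d Bub bytes" % bub_size)
    image = lzma.decompress(bub_to_lzma_alone(bub, dict_size), format=lzma.FORMAT_ALONE)
    if len(image) != image_size:
        raise ValueError("size mismatch: header %d, decompressed %d" % (image_size, len(image)))
    return image


def build_sample_firmware(image):
    """Constructed fixture: compress an image with standard LZMA, strip the 8-byte
    uncompressed-size field to mimic a Bub, and prepend the example header."""
    alone = lzma.compress(image, format=lzma.FORMAT_ALONE)
    bub = alone[:5] + alone[13:]
    return struct.pack(HEADER_FMT, MAGIC, len(image), len(bub)) + bub


if __name__ == "__main__":
    sample = b"ScreenOS sample image " * 500 + bytes(4096)  # constructed image
    print(extract_screenos_image(build_sample_firmware(sample)) == sample)
```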