Rootkit == cancerous software

“A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.” (Wikipedia)

Layers where a rootkit can live: BIOS, Kernel, System, Applications
Patches and Gum (the usual defences)
• Mandatory access control
• Memory access restrictions
• File integrity checks (checksums, hashes)
• Immutable files (secure run levels, read-only filesystems)
• Signed software
• Encrypted software
UTMs / Firewalls / Routers? Why are they a target?
• Route traffic
• Mirror traffic
• Layer 2 control
• VPN endpoint
• Management network connectivity
• Choke points for many networks
Physical access to the endpoint can be outside the owner's control.
UTMs / Firewalls / Routers? How can they be attacked?
• Insider
• Social engineering
• Physical access
• Supply chain
• [ Exploits ]
Can I trust the integrity of the operating systems? How easy is it to rootkit these devices?
Roll your 0wn
Go shopping.
1. Obtain firmware: download, backups, compact flash, hard disk, VM.
2. Identify the firmware: Linux, FreeBSD, vxWorks, proprietary.
3. Gain root level access:
   • Break restricted shell
   • Crack password
   • Bypass encryption
   • Reverse engineer firmware
   • NO custom hardware
4. Determine layer to attack: BIOS, Kernel, System, Application.
WatchGuard
OS: XTMOS Linux 2.6.21
Arch: i686
Bootloader: GRUB
Storage: Removable CF
Firmware format: Gzip image with custom header
Restricted shell: yes
Root access: Hardcoded password
Integrity: Checksum command
SilkGuard Rootkit
Root access:
• add statically compiled shell (busybox)
• add authorized_key to /root/.ssh/
• remount rootfs read-write
Layers to attack:
• kernel, libraries and applications
Netgear ProSecure
OS: Linux 2.6.21
Arch: MIPS
Bootloader: GRUB
Storage: Removable CF
Firmware format: SquashFS
Root access: Random password at boot
File system: RO unionfs
Integrity: none
NetHill Rootkit
Root access:
• squashfs 3.4 (big-endian support)
• new rootfs.img with root password blanked
Layers to attack:
• apt-get can be enabled
• System.map & kernel config present on system
• /dev/kmem (LKM), libraries, application
CheckPoint Secure Platform
OS: CP Linux (RHEL) 2.6.18
Arch: i686 / Virtual
Bootloader: GRUB
Storage: ISO
Firmware format: ISO
Restricted shell: Yes
Root access: Yes
File system: ext
Integrity: none
LuckyPoint Rootkit
Root access:
• Built in through “expert” mode
• RHEL but no SELinux
Layers to attack:
• System map and config available, but /dev/mem restricted to first 2056 records
• Libraries and applications
Checkpoint Nokia
Nokia IP71: common endpoint device for CheckPoint SP
- has removable, flashable BIOS
- BIOS integrity check is a simple checksum
- BIOS modification and rootkit possible
Fortinet FortiOS
OS: FortiOS Linux
Arch: i686
Bootloader: GRUB
Storage: Removable CF
Firmware format: Gzip
Restricted shell: yes
Root access: no
File system: Encrypted AES CBC
Integrity: FortiBIOS; firmware encrypted, signed & hashed
Export-F Rootkit
Root access: Fortigate will load firmware with
• no certificate, no hash, unencrypted
• start of MBR must contain a filename matching a device & version ID
• kernel must have a specific name
Layers to attack:
• Load replacement kernel and file system
Sonicwall
OS: SonicOS vxWorks
Arch: i686
Bootloader: ?
Storage: Secure Compact Flash
Firmware format: Encrypted / Compressed
Restricted shell: Yes
Root access: No
File system: vxWorks
Integrity: Signature
Cancer Free
Root access:
• Removable storage (Compact Flash) ...but it's unreadable...
• Removable BIOS ...but it's unreadable...
• Firmware can be backed up ...but it's signed...
Cisco IOS - Da Ios Rootkit
(Sebastian Muniz, Killing the myth of Cisco IOS rootkits: DIK)
OS: IOS
Arch: MIPS / PowerPC
Bootloader: Proprietary
Storage: Flash
Firmware format: Compressed
Restricted shell: Yes
Root access: No
File system: Memory
Integrity: Checksum
Juniper ScreenOS
OS: ScreenOS
Arch: PowerPC
Bootloader: Proprietary
Storage: Flash
Firmware format: Compressed (modified LZMA or GZIP)
Restricted shell: Yes
Root access: No
File system: Memory
Integrity: Checksum, optional signature
Junboro Light Rootkit
Root access:
• Firmware is compressed (non-standard LZMA header)
• Reverse engineer format
• Disassemble ScreenOS
• Reverse engineer firmware checksum algorithm
• Firmware is signed, but certificate can be loaded and unloaded
Layers to attack:
• Flat memory, monolithic firmware, access to everything
• Hand code PowerPC ASM into firmware
Junboro Rootkit
Root access:
• Root by default, but there are restrictions
• JUNOS binaries are symlinks from rw fs to iso9660 ro fs
• Secure run level 1 is set
• Veriexec used for integrity and to stop unknown binaries running
• +x shell scripts will not run directly, but will run if invoked by /bin/sh
Layers to attack:
• JUNOS doesn't require/enforce signed packages
• Install trojaned package using customised +INSTALL script
Demos
   Make      Arch    OS
1. Fortinet  Intel   Linux
2. Juniper   PPC     ScreenOS
3. Juniper   VM      JUNOS
Summary
Device & OS        Encrypt  Sign  Immutable  Integrity  Memory
Sonicwall          Y        Y     Y          Y          -
Juniper JUNOS      N        Y     Y          Y          -
Fortinet           Y        Y     N          Y          -
Juniper ScreenOS   N        Y     N          Y          -
Cisco IOS          N        N     N          Y          -
Checkpoint         N        N     N          N          Y
Netgear            N        N     N          N          N
Watchguard         N        N     N          N          N
Conclusion
• Some platforms don't even try to ensure integrity
• A PS3 has better integrity protection than most platforms (IP vs your data?)
• Often signature and encryption requirements can be bypassed
• Do periodic offline comparisons of system binary / firmware hashes
• Check supply chain, third party support
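The "periodic offline comparisons of system binary / firmware hashes" recommended above (and the "file integrity checks" listed under Patches and Gum) come down to a baseline manifest plus a diff. The following is an added example, not code from the talk: it hashes every regular file under a mounted firmware or rootfs image with SHA-256, stores the result as a baseline, and reports files that were modified, added or removed in a later scan. The demo() scenario builds a tiny constructed rootfs in a temporary directory and then tampers with it in the way the device slides describe (a swapped binary and a dropped-in SSH key), so a practitioner can see what the comparison flags.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large firmware images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Diff a stored baseline against a fresh scan of the same tree."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake rootfs, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "busybox").write_bytes(b"original binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
        baseline = build_manifest(root)  # would be taken from a known-good image
        # Changes of the kind the talk describes: a replaced binary and an
        # extra authorized_keys file. The comparison must flag both.
        (root / "bin" / "busybox").write_bytes(b"replacement binary")
        (root / "root" / ".ssh").mkdir(parents=True)
        (root / "root" / ".ssh" / "authorized_keys").write_bytes(b"ssh-rsa CONSTRUCTED\n")
        return compare(baseline, build_manifest(root))
```

Run the baseline from a trusted host against an offline copy of the storage (CF card, ISO, VM disk), not from the device's own shell, since a rootkit on the device can lie to any check run on it.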
References
• Silvio Cesare, Runtime Kernel Mem Patching, http://vxheavens.com/lib/vsc07.html
• Sebastian Muniz, Killing the myth of Cisco IOS rootkits: DIK (Da Ios rootKit), http://eusecwest.com/esw08/esw08-muniz.pdf
• CoolQ, Hacking Grub for fun and profit, Phrack Volume 0x0b, Issue 0x3f
• jbtzhm, Static Kernel Patching, Phrack Volume 0x0b, Issue 0x3c
• Joseph Kong, Playing Games With Kernel Memory ... FreeBSD Style, Phrack Volume 0x0b, Issue 0x3f
• Implementing and detecting ACPI BIOS rootkit, http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Heasman.pdf