Cigarette VS Bubble Gum

  1. Welcome to Rootkit Country, CanSecWest 03/2011
  2. Graeme Neilson, Security Consultant & Researcher, Aura Software Security
  3. Rootkit == cancerous software
     "A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications." (Wikipedia)
     Layers: BIOS, Kernel, System, Applications
  4. Patches and Gum
     • Mandatory access control
     • Memory access restrictions
     • File integrity checks (checksums, hashes)
     • Immutable files (secure run levels, ro filesystems)
     • Signed software
     • Encrypted software
  5. UTMs / Firewalls / Routers? Why are they a target?
     • Route traffic
     • Mirror traffic
     • Layer 2 control
     • VPN endpoint
     • Management network connectivity
     • Choke points for many networks
     Endpoint physical access can be outside the owner's control.
  6. UTMs / Firewalls / Routers? How can they be attacked?
     • Insider
     • Social Engineering
     • Physical Access
     • Supply Chain
     • [ Exploits ]
     Can I trust the integrity of the operating systems? How easy is it to rootkit these devices?
  7. Platforms
  8. Go shopping. Roll your 0wn
     1. Obtain firmware: download, backups, compact flash, hard disk, VM
     2. Identify the firmware: Linux, FreeBSD, vxWorks, proprietary
     3. Gain root level access:
        • Break restricted shell
        • Crack password
        • Bypass encryption
        • Reverse engineer firmware
        • NO custom hardware
     4. Determine layer to attack: BIOS, Kernel, System, Application
  9. WatchGuard
     OS: XTMOS Linux 2.6.21
     Arch: i686
     Bootloader: GRUB
     Storage: Removable CF
     Firmware Format: Gzip image with custom header
     Restricted Shell: yes
     Root access: Hardcoded password
     Integrity: Checksum command
  10. SilkGuard Rootkit
     Root access:
     • add static compiled shell busybox
     • add authorized_key to /root/.ssh/
     • remount rootfs read write
     Layers to attack:
     • kernel, libraries and applications
  11. Netgear ProSecure
     OS: Linux 2.6.21
     Arch: MIPS
     Bootloader: GRUB
     Storage: Removable CF
     Firmware Format: SquashFS
     Root access: Random password at boot
     File System: RO unionfs
     Integrity: none
  12. NetHill Rootkit
     Root access:
     • squashfs 3.4 (big-endian support)
     • new rootfs.img with root password blanked
     Layers to attack:
     • apt-get can be enabled
     • system-map & config present on system
     • /dev/kmem (LKM), libraries, application
  13. CheckPoint Secure Platform
     OS: CP Linux (RHEL) 2.6.18
     Arch: i686 / Virtual
     Bootloader: GRUB
     Storage: ISO
     Firmware Format: ISO
     Restricted Shell: Yes
     Root access: Yes
     File System: ext
     Integrity: none
  14. LuckyPoint Rootkit
     Root access:
     • Built in through "expert" mode
     • RHEL but no SELinux
     Layers to attack:
     • System map and config available but /dev/mem restricted to first 2056 records
     • Libraries and applications
  15. Checkpoint Nokia
     Nokia IP71: common endpoint device for CheckPoint SP
     - has removable, flashable BIOS
     - BIOS integrity check is a simple checksum
     - BIOS modification and rootkit possible
  16. Fortinet FortiOS
     OS: FortiOS Linux
     Arch: i686
     Bootloader: GRUB
     Storage: Removable CF
     Firmware Format: Gzip
     Restricted Shell: yes
     Root access: no
     File System: Encrypted AES CBC
     Integrity: FortiBIOS; firmware encrypted, signed & hashed
  17. Export-F Rootkit
     Root access: Fortigate will load firmware with
     • no certificate, no hash, unencrypted
     • start of MBR must contain a filename matching a device & version ID
     • kernel must have a specific name
     Layers to attack:
     • Load replacement kernel and file system
  18. Sonicwall
     OS: SonicOS vxWorks
     Arch: i686
     Bootloader: ?
     Storage: Secure Compact Flash
     Firmware Format: Encrypted / Compressed
     Restricted Shell: Yes
     Root access: No
     File System: vxWorks
     Integrity: Signature
  19. Cancer Free
     Root access:
     • Removable Storage Compact Flash ...but it's unreadable...
     • Removable BIOS ...but it's unreadable...
     • Firmware can be backed up ...but it's signed...
  20. Cisco IOS - Da Ios rootKit (Sebastian Muniz, Killing the myth of Cisco IOS rootkits: DIK)
     OS: IOS
     Arch: MIPS / PowerPC
     Bootloader: Proprietary
     Storage: Flash
     Firmware Format: Compressed
     Restricted Shell: Yes
     Root access: No
     File System: Memory
     Integrity: Checksum
  21. Juniper ScreenOS
     OS: ScreenOS
     Arch: PowerPC
     Bootloader: Proprietary
     Storage: Flash
     Firmware Format: Compressed (modded LZMA or GZIP)
     Restricted Shell: Yes
     Root access: No
     File System: Memory
     Integrity: Checksum, optional signature
  22. Junboro Light Rootkit
     Root access:
     • Firmware is compressed (non standard LZMA header)
     • Reverse engineer format
     • Disassemble ScreenOS
     • Reverse engineer firmware checksum algorithm
     • Firmware is signed but certificate can be loaded and unloaded
     Layers to attack:
     • Flat memory, monolithic firmware, access to everything
     • Hand code PowerPC ASM into firmware
  23. Juniper JUNOS
     OS: ScreenOS
     Arch: i686 / Virtual
     Bootloader: FreeBSD
     Storage: Flash, HDD
     Firmware Format: Package
     Restricted Shell: Yes
     Root access: Yes
     File System: RO iso9660
     Memory: Restricted access
     Integrity: Veriexec, secure level 1, package hashes, optional signature
  24. Junboro Rootkit
     Root access:
     • Root by default but there are restrictions
     • JUNOS binaries are symlinks from rw fs to iso9660 ro fs
     • Secure run level 1 is set
     • Veriexec used for integrity and to stop unknown binaries running
     • +x shell scripts will not run directly but will run if invoked by /bin/sh
     Layers to attack:
     • JUNOS doesn't require/enforce signed packages
     • Install trojaned package using customised +INSTALL script
  25. Demos (Make / Arch / OS)
     1. Fortinet / Intel / Linux
     2. Juniper / PPC / ScreenOS
     3. Juniper / VM / JUNOS
  26. Device & OS        Encrypt  Sign  Immutable  Integrity  Memory
      Sonicwall          Y        Y     Y          Y          -
      Juniper JUNOS      N        Y     Y          Y          -
      Fortinet           Y        Y     N          Y          -
      Juniper ScreenOS   N        Y     N          Y          -
      Cisco IOS          N        N     N          Y          -
      Checkpoint         N        N     N          N          Y
      Netgear            N        N     N          N          N
      Watchguard         N        N     N          N          N
  27. Conclusion
     • Some platforms don't even try to ensure integrity
     • A PS3 has better integrity protection than most platforms (IP vs your data?)
     • Often signatures and encryption requirements can be bypassed
     • Do periodic offline comparisons of system binary / firmware hashes
     • Check supply chain, third party support
  28. References
     • Runtime Kernel Mem Patching, Silvio Cesare
     • Killing the myth of Cisco IOS rootkits: DIK (Da Ios rootKit), Sebastian Muniz
     • Grub for fun and profit, Phrack Volume 0x0b, Issue 0x3f, CoolQ
     • Static Kernel Patching, Phrack Volume 0x0b, Issue 0x3c, jbtzhm
     • Playing Games With Kernel Memory ... FreeBSD Style, Phrack Volume 0x0b, Issue 0x3f, Joseph Kong
     • Implementing and detecting ACPI BIOS rootkit, BH-Fed-06-Heasman.pdf
  29. Questions?
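The conclusion recommends periodic offline comparisons of system binary / firmware hashes. As an added example that is not part of the original talk, this builds a baseline manifest of file hashes and symlink targets from a mounted firmware image or backup and diffs it against a later snapshot; the fixture tree, paths and key string are constructed, and the changes it flags are the kinds the slides describe (an added authorized_keys, a replaced binary, a symlink redirected away from the read-only filesystem).

```python
import hashlib
import json
import os
import tempfile


def build_manifest(root):
    """Map each path under root to 'sha256:<hex>' or, for symlinks, 'link:<target>'."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                # Record the target: a symlink redirected to another binary
                # changes the manifest even if the original file is intact.
                manifest[rel] = "link:" + os.readlink(full)
            elif os.path.isfile(full):
                with open(full, "rb") as f:
                    manifest[rel] = "sha256:" + hashlib.sha256(f.read()).hexdigest()
    return manifest


def compare(baseline, current):
    """Added, removed and modified paths between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed fixture: a tiny firmware tree, then the kinds of change the
    slides describe (dropped SSH key, replaced binary, redirected symlink)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "root/.ssh"))
    os.makedirs(os.path.join(root, "usr/bin"))
    with open(os.path.join(root, "usr/bin/sshd"), "wb") as f:
        f.write(b"original sshd binary")
    os.symlink("/ro/usr/bin/ls", os.path.join(root, "usr/bin/ls"))
    baseline = json.loads(json.dumps(build_manifest(root)))  # as if saved offline
    with open(os.path.join(root, "usr/bin/sshd"), "wb") as f:
        f.write(b"modified sshd binary")
    with open(os.path.join(root, "root/.ssh/authorized_keys"), "w") as f:
        f.write("ssh-rsa CONSTRUCTED-KEY\n")
    os.remove(os.path.join(root, "usr/bin/ls"))
    os.symlink("/rw/tmp/ls", os.path.join(root, "usr/bin/ls"))
    return compare(baseline, build_manifest(root))
```

In practice the baseline is taken from known-good media and stored off the device, and the comparison runs against a fresh read of the removable storage or a firmware backup rather than through the device's own shell.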