Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Sixnet network switch inception


Published on

Hacking switches. Once they are owned, what can we do with them?

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Sixnet network switch inception

  1. 1. Network Switch Inception: Going Deeper K. Reid Wightman Digital Bond Labs
  2. 2. Not a talk about Switch Vulns • See Switches Get Stitches and related CVEs • Real drivers for this talk: – Cisco router rootkits – Juniper VPN/router backdoors – Cisco NX-OS backdoor – Clearly, network infrastructure is both weak, and under attack – …so switch vulns, just how bad are they?
  3. 3. This is a talk about post- exploitation • We have a Layer 2 managed network switch. • We hacked the switch! • [[Insert underpants gnome sequence here]] • But really: Now what?
  4. 4. The Victim
  5. 5. The Victim • ARM9 CPU @ 200Mhz • Some flash memory (oops, forgot pics) • Some SRAM (oops, forgot pics) • Marvel 88E6083 10-port switch chip (10/100mbps)
  6. 6. The Exploit • Directory Traversal, we root the switch, we maintain access. • Yawn.
  7. 7. Post-Exploitation • You’ve got admin on a switch. • Now what?
  8. 8. Post-Exploitation • “Boring” attacks – Disable network interfaces – Disable mirror port – Lock admins out • Official story: Layer 2 switch is limited in functionality – Switching fabric is ‘just’ a packet-matching engine – Sends packet to its destination port based on MAC address – (and disabling ports will get you noticed)
  9. 9. Lying Liar that Lies!
  10. 10. Unstitching Switch Chips • Network switch chips controlled via ‘MDIO’ protocol – Serial protocol for reading and writing configuration registers in switch fabric – Not much to it; OS+MCU will handle the gory details • Network switch chip is ‘just’ a packet matching engine – But highly configurable – VLAN Tagging and Port Mirroring are our downfall – Most modern chips even do Layer 3/Routing!
  11. 11. A Little Background
  12. 12. Mo Money Mo Problems • Dirty secret of all network switches: CPU Port – Connected internally to save money (two less PHYs, one less network cable for end user) – Side Effect: CPU can both reconfigure switch fabric, and eavesdrop on traffic • This functionality prevented by firmware… • …but we own the firmware now, so… • …we can eavesdrop on traffic and reconfigure switch fabric on-the-fly. • L2 switches can all become Routers. Who knew?
  13. 13. ET-9MS Details • Need to learn which port on the case maps to which port on the Marvell switch chip • Two methods: – Beep it out – Read /etc/switch/swm.config • Reading the config file is plenty easy: – C0:9,C1:7,C2:6,C3:5,C4:4,C5:3,C6:2,C7:1,C8:0,C9:8 – So Port 0 (C0, as in ‘Case port 0 [which isn’t exposed to the user]’) is our MCU interface
  14. 14. ET-9MS Details • Next: need to learn how to interface with MDIO interface – Easy(ish): shared library – We will build our own application to use this library – Sample header files in – Crossbuild environment is kind of fun, recommend ELDK 4.1 on Fedora Core 7
  15. 15. A slight diversion: Reverse engineering SO files • To compile our own code, we need a header file for the proprietary ‘libswm’ library – Shared libraries don’t contain hints about parameters – Calling conventions change over time, so we’ll also need a similar-era GCC/GLIBC/LD – Sixnet promised to release an SDK for this switch, but never did – So, to IDA • Easy example follows
  16. 16. Bumbling around with an API
  17. 17. Bumbling around with an API • registerDump() takes one argument – Apparently it’s a data structure – Apparently it’s some kind of MDIO object that we have to initialize – Looks kinda like an mii_bus struct, but maybe with some fields moved around? – Wild Guess: ‘findSwm()’ function takes no arguments, and returns a pointer to a weird struct… • Maybe this is the same struct? • Try it and find out
  18. 18. When in Doubt, void* it out Test.c: void* findSwm(); int registerDump(void* thing); int main(){ void* thing = findSwm(); registerDump(thing); }
  19. 19. Output Global registers: 0x00: 0x0840 0x3000 0x01: 0x01a0 0x782d … etc • Compare to 8063 Datasheet – Settings match what we expect for current Switch Configuration! – Let’s continue reverse engineering
  20. 20. Two critical functions int mdio_read(void* thing, int phyaddr, int regnum); int mdio_write(void* thing, int phyaddr, int regnum, int value);
  21. 21. Enough with RE • mdio_read() and mdio_write() are all we need • These allow us to read and write the switch configuration registers • We know enough to start hacking
  22. 22. Attack! • Want to accomplish two goals: – Fakemirror, to hide from IDS/NSM – Filtering, to let us manipulate control and view • Want to avoid using ‘chipisms’ – Switch chip in this switch (88e6083) is advanced – Easy to turn the switch into a router – Generic techniques are painful, but better
  23. 23. Normal Mirroring Switch Port1 Port2 CPUMirror L2 LAN PLC IDS
  24. 24. Leverett Attack HOWTO 1) Find the port that the user is mirroring 2) Redirect the port to mirror to MCU 3) Sniff traffic on MCU 4) Decide if incoming packets should be seen on mirror 5) If supposed to mirror: – Temporarily enable mirror with MCU source port – Send packet – Disable MCU mirror MCU
  25. 25. Leverett Attack Mirror redirect Switch Port1 Port2 CPUMirror L2 LAN PLC IDS
  26. 26. Leverett Attack Decide if packet should be seen Switch Port1 Port2 CPUMirror L2 LAN PLC IDS
  27. 27. Leverett Attack Retransmit (if appropriate) Switch Port1 Port2 CPUMirror L2 LAN PLC IDS Re-transmit Packet
  28. 28. ET-9MS specifics • Not much extra code needed to pull this off! • Sixnet kind enough to include libpcap 0.9.4 in the switch firmware – Just had to grab headers and add them to ELDK cross compile environment • Fully linked fakemirror binary is < 12kB
  29. 29. Leverett Attack • Problem 1: DUPs – DUPs go to Real Target – (No DUPs to mirror though) • Problem 2: Latency – Switch is normally 0.6-1.2mS round-trip – While under Leverett’s Power, mirror sees 2-5mS round-trip (can reduce with kernel module) • Problem 3: Mirroring ‘admin’ traffic – If an admin logs in, the mirror may accidentally see it, and the gig is up
  30. 30. Leverett Attack Code • See that github address. Example code is provided in ‘fakemirror.c’ • Quite reliable IDS/NSM evasion, provided you compromise a network switch first! • Bonus: Switch configuration GUI is files-based and doesn’t poll the Switch Chip to find out if config has changed. – This means you get stealth for free! – Other switches probably do the same thing.
  31. 31. Quick Survey • Are you thinking about elephants?
  32. 32. Klein Attack
  33. 33. Klein Attack • Mirroring is fun, but can we filter traffic? – Modify data that is being sent across a network switch – Inside the switch itself – Without using ARP poisoning? • (Because that is boring and dumb and noisy) • (Besides, everybody does ARP poison detection right?) • You can probably guess that the answer is YES.
  34. 34. Klein Attack • Many ways to pull it off. Most generic: • Mirror two target ports to switch MCU • VLAN Tagging for the win – Place target1 and target2 ports on separate VLANs – Swap MCU switchport from target1 to target2 VLAN as appropriate – This works really well against ICS, because protocols are poll-response • We can preemptively switch VLANs to shave a little latency • In hindsight, probably could do Leverett Attack in the same way…
  35. 35. Klein Attack – Both Ports Mirror to CPU Switch Target Port1 CPU Target Port2 System1 System2 VLAN1 VLAN2
  36. 36. Klein Attack – Receive mirrored packet Switch Target Port1 CPU Target Port2 System1 System2 VLAN1 VLAN2 Mirrored Packet
  37. 37. Klein Attack – Configure CPU to VLAN2 Switch Target Port1 CPU Target Port2 System1 System2 VLAN1 VLAN2 Modified Packet
  38. 38. Who is vulnerable? • Any network switch without firmware signing • And many that do have it – …vendors love to sign the update during installation, but never verify the sig with secure bootloader – …this means that any bugs in the firmware could result in a rooted switch • Any network switch with ‘hidden’ CPU interface – Basically: if you plug a network cable into a normal switchport, and can load the web/ssh/telnet manager, it has these issues
  39. 39. Takeaways • L2 Switches at least as important as Routers for data integrity • Switch rootkits probably already exist for popular switches • Seldom are these devices patched • Impossible to audit network switches without destroying them – We could in this case, but only by modifying the firmware (which potentially destroys evidence)
  40. 40. FIN Questions? Twitters: @ReverseICS, @DigitalBondLabs Emails: Internets: