1. RED
BALLOON
Security
FRAK: Firmware Reverse Analysis Konsole
Ang Cui
a@redballoonsecurity.com
7.27.2012
Defcon
20

2. 5th Year Ph.D. Candidate
Intrusion Detection Systems Lab
Columbia University
W h o a m
I
What do I
DO
7.27.2012
Defcon
20

3. 5th Year Ph.D. Candidate
Intrusion Detection Systems Lab
Columbia University
Co-Founder and CEO
Red Balloon Security Inc.
W h o a m www.redballoonsecurity.com
I
What do I
DO
7.27.2012
Defcon
20

4. 5th Year Ph.D. Candidate
Intrusion Detection Systems Lab
Columbia University
Co-Founder and CEO
Red Balloon Security Inc.
W h o a m www.redballoonsecurity.com
I Past publications:
•
What do I Pervasive Insecurity of Embedded Network
Devices. [RAID10]
• A Quantitative Analysis of the Insecurity
DO
of Embedded Network Devices. [ACSAC10]
• Killing the Myth of Cisco IOS Diversity:
Towards Reliable Large-Scale Exploitation
of Cisco IOS. [USENIX WOOT 11]
• Defending Legacy Embedded Systems with
Software Symbiotes. [RAID11]
• From Prey to Hunter: Transforming
Legacy Embedded Devices Into
Exploitation Sensor Grids. [ACSAC11]
7.27.2012
Defcon
20

5. 5th Year Ph.D. Candidate
Intrusion Detection Systems Lab
Columbia University
Co-Founder and CEO
Red Balloon Security Inc.
W h o a m www.redballoonsecurity.com
I Past Embedded Tinkerings:
•
What do I •
Interrupt-Hijack Cisco IOS Rootkit
HP LaserJet Printer Rootkit
DO
7.27.2012
Defcon
20

6. Interrupt-Hijack Shellcode
[blackhat USA 2011]
7.27.2012
Defcon
20

7. HP-RFU Vulnerability
HP LaserJet 2550 Rootkit
[28c3]
Attacker
4. Win: Reverse Shell
Server -> Kitteh
1. Reverse Proxy
Printer -> Attacker
Firewall
2. Reverse Proxy
Printer -> Victim
Server
Network Printer
3. Attacker -> Server
Via Reverse Proxy
7.27.2012
Defcon
20

8. WORKFLOW
[XYZ Embedded {Offense|Defense}]
Unpacking Process:
Binary Firmware Image
Analysis and Manipulation
Firmware
Re-Packing Process
7.27.2012
Defcon
20

9. WORKFLOW
[XYZ Embedded {Offense|Defense}]
Unpacking Process:
Binary Firmware Image
Parse
Analysis and Manipulation
Package
Manifest
Firmware
Re-Packing Process
7.27.2012
Defcon
20

10. WORKFLOW
[XYZ Embedded {Offense|Defense}]
Unpacking Process:
De{cript,compress}
Binary Firmware Image
For each
"Record"
Record
Parse In Firmware Record Record Record
Digitally
Encrypted? Compressed? Checksummed?
Analysis and Manipulation
Package Signed?
Manifest
Known Algorithm or Proprietary Algorithm?
Firmware
Re-Packing Process
7.27.2012
Defcon
20

11. WORKFLOW
[XYZ Embedded {Offense|Defense}]
Unpacking Process:
De{cript,compress} For each
Binary Firmware Image
For each
"Record" "unpacked Record"
Record In Firmware
Parse In Firmware Record Record Record
Digitally FileSystem Extraction
Encrypted? Compressed? Checksummed?
Analysis and Manipulation
Package Signed?
Manifest
Known Algorithm or Proprietary Algorithm? Known Format or Proprietary Format?
Firmware
Re-Packing Process
7.27.2012
Defcon
20

12. WORKFLOW
[XYZ Embedded {Offense|Defense}]
Unpacking Process:
De{cript,compress} For each
Binary Firmware Image
For each
"Record" "unpacked Record"
Record In Firmware
Parse In Firmware Record Record Record
Digitally FileSystem Extraction
Encrypted? Compressed? Checksummed?
Analysis and Manipulation
Package Signed?
Manifest
Known Algorithm or Proprietary Algorithm? Known Format or Proprietary Format?
Firmware
Re-Packing Process
7.27.2012
Defcon
20

13. WORKFLOW
[XYZ Embedded {Offense|Defense}]
Unpacking Process:
De{cript,compress} For each
Binary Firmware Image
For each
"Record" "unpacked Record"
Record In Firmware
Parse In Firmware Record Record Record
Digitally FileSystem Extraction
Encrypted? Compressed? Checksummed?
Analysis and Manipulation
Package Signed?
Manifest
Known Algorithm or Proprietary Algorithm? Known Format or Proprietary Format?
Firmware
For each
"unpacked
Record"
Re-Pack Modified In Firmware
File System
Known Format or Proprietary Format?
Re-Packing Process
7.27.2012
Defcon
20

14. WORKFLOW
[XYZ Embedded {Offense|Defense}]
Unpacking Process:
De{cript,compress} For each
Binary Firmware Image
For each
"Record" "unpacked Record"
Record In Firmware
Parse In Firmware Record Record Record
Digitally FileSystem Extraction
Encrypted? Compressed? Checksummed?
Analysis and Manipulation
Package Signed?
Manifest
Known Algorithm or Proprietary Algorithm? Known Format or Proprietary Format?
Firmware
For each
"unpacked
Re-{cript,compress}, Recalculate Checksum, etc Record"
Re-Pack Modified In Firmware
Record
Record Record Record
Digitally File System
Encrypted? Compressed? Checksummed?
Signed?
Known Format or Proprietary Format?
Known Algorithm or Proprietary Algorithm?
Re-Packing Process
7.27.2012
Defcon
20

15. WORKFLOW
[XYZ Embedded {Offense|Defense}]
Unpacking Process:
De{cript,compress} For each
Binary Firmware Image
For each
"Record" "unpacked Record"
Record In Firmware
Parse In Firmware Record Record Record
Digitally FileSystem Extraction
Encrypted? Compressed? Checksummed?
Analysis and Manipulation
Package Signed?
Manifest
Known Algorithm or Proprietary Algorithm? Known Format or Proprietary Format?
Firmware
For each
"unpacked
Re-{cript,compress}, Recalculate Checksum, etc Record"
Re-Pack Modified In Firmware
Repack Record
Record Record Record
Digitally File System
All Binary Encrypted? Compressed? Checksummed?
Signed?
"records"
Known Format or Proprietary Format?
Known Algorithm or Proprietary Algorithm?
Re-Packing Process
7.27.2012
Defcon
20

16. WORKFLOW
[XYZ Embedded {Offense|Defense}]
Unpacking Process:
De{cript,compress} For each
Binary Firmware Image
For each
"Record" "unpacked Record"
Record In Firmware
Parse In Firmware Record Record Record
Digitally FileSystem Extraction
Encrypted? Compressed? Checksummed?
Analysis and Manipulation
Package Signed?
Manifest
Known Algorithm or Proprietary Algorithm? Known Format or Proprietary Format?
Firmware
For each
"unpacked
Re-{cript,compress}, Recalculate Checksum, etc Record"
Re- Re-Pack Modified In Firmware
Repack Record
generate Record Record Record
Digitally File System
All Binary Encrypted? Compressed? Checksummed?
Package Signed?
"records"
Manifest Known Format or Proprietary Format?
Known Algorithm or Proprietary Algorithm?
Re-Packing Process
7.27.2012
Defcon
20

17. Payload Design
Reasons why Ang stays
home on Friday night
7.27.2012
Defcon
20

18. Payload Design
Reasons why Ang stays
home on Friday night
Payload
Developement
7.27.2012
Defcon
20

19. Payload Design
Reasons why Ang stays
home on Friday night
Payload
Developement
Payload Testing
7.27.2012
Defcon
20

20. Payload Design
Reasons why Ang stays
home on Friday night
Payload
Developement
Payload Testing
STARE
@
BINARY
BLOB
7.27.2012
Defcon
20

21. Payload Design
Reasons why Ang stays
home on Friday night
Payload
DevelopementDesign
Payload
Payload Design
Payload
Payload Testing
Developement
STARE
THIS PART
@
BINARY L
BLOB
7.27.2012
Defcon
20

22. F R A K
irmware everse nalysis onsole
[Better Living Through Software Engineering]
7.27.2012
Defcon
20

23. F R A K
irmware everse nalysis onsole
Firmware Unpacking Firmware Analysis
Engine Engine
Firmware Modification Firmware Repacking
Engine Engine
Programmatic API Interactive Console
7.27.2012
ACCESS Defcon
20
Access

24. F R A K
irmware everse nalysis onsole
HP-RFU Cisco IOS Cisco-CNU XYZ-Format Arbitrary
Module Module Module Module Firmware Image
of Unknown
Format
Firmware Unpacking
Firmware Unpacking Firmware Analysis
Engine
Engine Engine
Firmware Modification
Firmware Modification Firmware Repacking
Engine
Engine Engine
Programmatic API
Programmatic Interactive Console
7.27.2012
ACCESS
ACCESS Defcon
20
Access

25. F R A K
irmware everse nalysis onsole
HP-RFU Cisco IOS Cisco-CNU XYZ-Format Arbitrary
Module Module Module Module Firmware Image
of Unknown
Format
Firmware Unpacking
Firmware Unpacking Firmware Analysis
Engine
Engine Engine
Unpacked
Firmware
Binary
Firmware Modification
Firmware Modification Firmware Repacking
Engine
Engine Engine
Programmatic API
Programmatic Interactive Console
7.27.2012
ACCESS
ACCESS Defcon
20
Access

26. F R A K
irmware everse nalysis onsole
HP-RFU Cisco IOS Cisco-CNU XYZ-Format Arbitrary
Module Module Module Module Firmware Image
of Unknown
Format
Firmware Unpacking
Firmware Unpacking Firmware Analysis
Engine
Engine Engine
Unpacked XYZ Dynamic
Firmware Software Instrumentation
Binary Symbiotes &
Rootkit
Firmware Modification
Firmware Modification Firmware Repacking
Engine
Engine Engine
Programmatic API
Programmatic Interactive Console
7.27.2012
ACCESS
ACCESS Defcon
20
Access

27. F R A K
irmware everse nalysis onsole
HP-RFU Cisco IOS Cisco-CNU XYZ-Format Arbitrary
Module Module Module Module Firmware Image
of Unknown
Format
Firmware Unpacking
Firmware Unpacking Firmware Analysis
Engine
Engine Engine
Unpacked XYZ Dynamic
Firmware Software Instrumentation
Binary Symbiotes &
Rootkit
Firmware Modification
Firmware Modification Firmware Repacking
Engine
Engine Engine
Programmatic API
Programmatic Interactive Console
7.27.2012
ACCESS
ACCESS Defcon
20
Access

28. F R A K irmware everse nalysis onsole
Unpack, Analyze, Modify, Repack: Cisco IOS
7.27.2012
Defcon
20

29. Payload Design
Payload Reasons why Ang stays
Developement
home on Friday night
Payload
Developement
Payload Testing
Payload Design
Payload Testing
STARE @ BINARY
BLOB
?
STARE
THIS PART
@
BINARY L
BLOB Thanks FRAK!
7.27.2012
Defcon
20

30. Demos
• Packer/Repacker for Cisco IOS, HP-RFU
• Automagic Binary Analysis
• IDA-Pro Integration
• Entropy-related Analysis
• Automated IOS/RFU Rootkit Injection
7.27.2012
Defcon
20

31. FRAK Konsole
7.27.2012
Defcon
20

32. FRAK is still WIP. For Early Access
Contact
Frak-request@redballoonsecurity.com
7.27.2012
Defcon
20

33. 7.27.2012
Defcon
20