The Jedi Packet Trick takes over the Deathstar

Similar documents
Recon Montreal

Reboot the ExtraHop System and Test Hardware with the Rescue USB Flash Drive

Workshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC. Host based Analysis. {Himanshu Pareek,

Project 2: Firewall Design (Phase I)

FIPS Security Policy 3Com Embedded Firewall PCI Cards

Hardware Backdooring is practical. Jonathan Brossard (Toucan System) Florentin Demetrescu (Cassidian)

P2V Best Practices. Joe Christie Technical Trainer

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Type Message Description Probable Cause Suggested Action. Fan in the system is not functioning or room temperature

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

Network Incident Report

Windows Client/Server Local Area Network (LAN) System Security Lab 2 Time allocation 3 hours

CIT 380: Securing Computer Systems

Yahoo Attack. Is DDoS a Real Problem?

I/O Attacks in Intel-PC Architectures and Countermeasures

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

10 steps to better secure your Mac laptop from physical data theft

Gaurav Gupta CMSC 681

Worms, Trojan Horses and Root Kits

ENDPOINT SECURITY WHITE PAPER. Endpoint Security and Advanced Persistent Threats

Network Traffic Analysis

Intego Enterprise Software Deployment Guide

Chapter 11 Phase 5: Covering Tracks and Hiding

v1 System Requirements 7/11/07

Stateful Firewalls. Hank and Foo

Shellshock. Oz Elisyan & Maxim Zavodchik

Networking Driver Performance and Measurement - e1000 A Case Study

60467 Project 1. Net Vulnerabilities scans and attacks. Chun Li

Practical Mac OS X Insecurity. Security Concepts, Problems and Exploits on your Mac

The Value of Physical Memory for Incident Response

Storm Worm & Botnet Analysis

Introducing Ring -3 Rootkits

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Network Scanning. What is a Network scanner? Why are scanners needed? How do scanners do? Which scanner does the market provide?

Patch and Vulnerability Management Program

Spyware Analysis. Security Event - April 28, 2004 Page 1

A Decision Maker s Guide to Securing an IT Infrastructure

Firewalls and Software Updates

VidyoConferencing Network Administrators Guide

Collecting Packet Traces at High Speed

Using NetBooting on the Mac OS X Server for delivery of mass client deployment

Installation Guide Wireless 4-Port USB Sharing Station. GUWIP204 Part No. M1172-a

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

COUNTERSNIPE

ComTrader 2.1 Technical Requirements. Version 1.3

Certified Ethical Hacker Exam Version Comparison. Version Comparison

VMWare Workstation 11 Installation MICROSOFT WINDOWS SERVER 2008 R2 STANDARD ENTERPRISE ED.

CRYPTUS DIPLOMA IN IT SECURITY

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

Putting it on the NIC: A Case Study on application offloading to a Network Interface Card (NIC)

Abstract. Introduction. Section I. What is Denial of Service Attack?

Race to bare metal: UEFI and hypervisors

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

HP Insight Management Agents architecture for Windows servers

The RT module VT6000 (VT6050 / VT6010) can be used to enhance the RT. performance of CANoe by distributing the real-time part of CANoe to a

SECURITY IN AN IPv6 WORLD MYTH & REALITY. SANOG XXIII Thimphu, Bhutan 14 January 2014 Chris Grundemann

Client Server Registration Protocol

Chapter 10 Troubleshooting

DDos. Distributed Denial of Service Attacks. by Mark Schuchter

Seminar Computer Security

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Network Security. Network Packet Analysis

PARALLELS SERVER BARE METAL 5.0 README

Anatomy of an ethical penetration test

Take Your Mac OS X Security to NSA Standards June 19, 2014 by Larry Chafin

White Paper: Wake on LAN Technology Rev 2 June 1, 2006

The Essentials Series. PCI Compliance. sponsored by. by Rebecca Herold

Virtually Pwned Pentesting VMware. Claudio

Lesson Objectives. To provide a grand tour of the major operating systems components To provide coverage of basic computer system organization

Locking down a Hitachi ID Suite server

Firewalls. Chapter 3

Security: Attack and Defense

ThinLinX TLXOS 64-bit Firmware Installation Guide for the Intel NUC Range. Materials Required

FRONT RUNNER DIPLOMA PROGRAM INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months

A Research Study on Packet Sniffing Tool TCPDUMP

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

Packet Sniffing and Spoofing Lab

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

HP Compaq dc7800p Business PC with Intel vpro Processor Technology and Virtual Appliances

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Introduction to Network Security Lab 2 - NMap

Whitepaper. The Top 10 Advantages of 3CX Phone System. Why your next phone system should be software based and by 3CX

The Trivial Cisco IP Phones Compromise

Host Security. Host Security: Pro

Introduction to Operating Systems

How to Remotely Track Any Lost Smartphone, Tablet, or PC

Learn Ethical Hacking, Become a Pentester

CEH Version8 Course Outline

H0/H2/H4 -ECOM100 DHCP & HTML Configuration. H0/H2/H4--ECOM100 DHCP Disabling DHCP and Assigning a Static IP Address Using HTML Configuration

The new frontier of the DATA acquisition using 1 and 10 Gb/s Ethernet links. Filippo Costa on behalf of the ALICE DAQ group

Imaging Computing Server User Guide

Gigabit Ethernet Design

NEW AND IMPROVED! INSTALLING an IRC Server (Internet Relay Chat) on your WRT54G,GS,GL Version 1.02 April 2 nd, Rusty Haddock/AE5AE

Scapy. On-the-fly Packet Generation by Dienstag, 10. Januar 12

Table of Contents. Cisco Cisco VPN Client FAQ

Intel Desktop Board DP35DP. MLP Report. Motherboard Logo Program (MLP) 6/17/2008

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

Building A Computer: A Beginners Guide

Transcription:

The Jedi Packet Trick takes over the Deathstar (or: taking NIC backdoors to the next level ) Arrigo Triulzi arrigo@sevenseas.org 26th March 2010 1

Previously on Project Maux 2006-2007 the early years find out by accident about NIC offloading of checksum routines... can we hook something to that? Broadcom s Tigon firmware says it is based on MIPS, the firmware is downloadable from the Internet, there is no firmware installation security and I happen to have a DECstation 3000 in the basement... dbx and go! transform a few cards into doorstops and eventually hook the IP checksum... 5 second sniffer in a circular buffer 2

Previously on Project Maux 2007-2008 Mummy, mummy, I want a shell! nvidia releases the CUDA development toolkit the GPU becomes interesting r00t, firmware, OS-independent PCI-to-PCI transfers are not marshalled by the OS PCI-to-PCI between the NIC and the GPU the NIC gets to see the packets first we use the checksum hook to interpret and forward a PCI card has DMA over the whole RAM we can play in memory and the OS shall never know 3

Previously on Project Maux 2007-2008 net result: nicssh no installer no GPU persistence archimede:~/nicssh$ nicssh 10.4.4.233 Connecting to 10.4.4.233 ICMP Echo Reply from OS - no nicfw archimede:~/nicssh$ nicssh 10.4.4.234 Connecting to 10.4.4.234 ICMP Echo Reply from nicfw (Windows system) Requesting tcp/80 with cloaking nicssh>? help memory* sniff* send* reboot cleanup quit nicssh> Stop press: it is called ASF/RCMP and is Allez Loïc! shipped by default with Broadcom cards! 4

Previously on Project Maux 2007-2008 now what? Jedi Packet Trick: if I have two (vulnerable) NICs in a card what can I possibly do? How about sending packets between them over the PCI bus? Driver Takeover aka attack from below : drivers tend to assume that NICs will not attack them... Installation and Persistence: hey, click here to use my new firmware only works a few times, not at every boot... 5

I have a cunning plan (once again) Jedi Packet Trick: easy take over NIC1, inject nicssh, use nicssh to take over NIC2 magic packets travel between NIC1 and NIC2 over the PCI bus Driver Takeover: OS-dependent, not for me Installation: remote factory diagnostics Persistence: EFI module 6

Some preliminary notes This is still not a funded project but personal curiosity driven what-if research, I am using the old stock of NICs I bought back in 2008 to replace the doorstops, The old motto still holds: Given no prior knowledge, the Internet, a cheap 10-pack of NICs and a PC can we develop the ultimate rootkit? 7

Deathstar Mk.I design vulnerable EAL level 1 10 23 firewall with two NICs NIC1 is the external interface NIC2 is the internal interface nvidia GPU But of course, all firewalls have EFI BIOS... and an EFI BIOS! gaming GPUs! 8

Jedi Packet Trick nicssh extended with: findnic to find other NICs on the system by scanning the PCI bus (lifted code from BSD) grabnic to take it over by injecting the modified firmware into the other card simulating an OS pushing new firmware forward to set up forwarding: like good old overlays it never returns... this turns nicssh into a two-way pipe between NICs. All magic packets are forwarded between NICs. nice but... it requires a suitable GPU 9

Jedi Packet Trick archimede:~/nicssh$ nicssh 10.4.4.230 Connecting to 10.4.4.230 ICMP Echo Reply from nicfw (Linux system) Requesting tcp/80 with cloaking nicssh>? help memory* sniff* send* findnic* grabnic* forward* reboot cleanup quit nicssh> findnic 0 3 21 Hunting on bus0... nope Hunting on bus3... 3:0:0: Tigon 5:0:0: Tigon Hunting on bus21... 21:0:0: Intel 82571EB 21:0:1: Intel 82571EB nicssh> grabnic 3:0:0 My man, it already runs nicfw! nicssh> grabnic 5:0:0 Trying...done nicssh> forward 3:0:0 5:0:0 Forwarding starting - shell being replaced now I'm afraid. I'm afraid, Dave. Dave, my mind is going. I can feel it... We want NIC-to-NIC! We want NIC-to-NIC! 10

Jedi Packet Trick NIC-to-NIC requires installation PCI bus scan to locate other NICs initiating a firmware update pushing firmware to the other NIC communication PCI-to-PCI device data transfer suitable marshalling of the above 11

Jedi Packet Trick The problems begin... the space in the firmware is not huge so a PCI bus scanner is not really on the books where do I get the firmware image from? how do I efficiently push it? (assuming we solve the above) how do we make sure our firewall bypass is not too obvious? 12

Jedi Packet Trick Firmware is small... Type: Ethernet Controller Bus: PCI Vendor ID: 0x10de Device ID: 0x0ab0 Subsystem Vendor ID: 0x10de Subsystem ID: 0xcb79 Revision ID: 0x00b1 don t perform a true PCI bus scan but cheat: we are looking for cards which look like us so how about we restrict ourselves to the identifiers we want? and the image is large... so why don t we just copy our own image over since we are the same NIC as we only scanned for close relatives? 13

Jedi Packet Trick Now we need to push the image: this takes time and as it happens the NIC is nonresponsive... we could wait for a reboot and push it as part of our NIC initialisation routine? wait for a quiescent time and then push it? just make the firewall hang for 30 seconds and who cares! 14

Jedi Packet Trick PCI-to-PCI transfer is simply a replacement of the nicssh channel with one to the other NIC, everything else stays the same. Stealth is our middle name so we cannot afford to have our NIC-to-NIC channel reduce the performance of the firewall: rate-limit the NIC-to-NIC channel to approx. 64kbps. This is empirically slow enough that the kink during heavy load is not too noticeable. if the transfer rate from the driver starts getting heavy simply shut the channel down. 15

Jedi Packet Trick PCI-to-PCI NIC Firmware Firmware Maux PCI Maux NIC bus Hook IP checksum OS driver put packet on wire 16

Jedi Packet Trick So what? complete bypass of any OS-based firewall as the OS is oblivious to the traffic being passed between the NICs How do you catch it then? timing analysis is one possibility: the hidden channel will rob your firewall of performance IDS on both sides testing the validity of the ruleset 17

Installation Project Maux Mk. I & II suffered from a major drawback: installation required admin privileges to run the firmware update. At the same time looking at the firmware there were hints of a remote update capability (at least in the cards I have). 18

Installation The remote update capability appears to be linked to some sort of factory testing. Once it completes it initiates a factory test on the firmware. The remote update works by sending a WOL followed by a UDP packet in a special format containing a header followed by as many UDP packets as needed for the firmware. 19

Installation UDP is good and bad... easy to spoof: we could send our firmware updates from anywhere on the Internet hard to confirm that the packet got there: how do we know that all the parts of the update got to the card? Net result: it works in the lab. 20

Installation archimede:~/nicssh$ sudo nicssh -i nicfw.bin 10.4.4.230 Sending UDP magic to 10.4.4.230...done ICMP Echo Reply from nicfw (Linux system) Injection successful archimede:~/nicssh$ nicssh -gi gpussh.bin 10.4.4.230 Connecting to 10.4.4.230 Preparing to send GPU code ICMP Echo Reply from nicfw (Linux system) Requesting GPU RAM injection Sending GPU code...done archimede:~/nicssh$ nicssh 10.4.4.230 Connecting to 10.4.4.230 [...] 21

Installation But is remote installation so important? probably not: we have plenty of remote vectors which can be used to push the firmware at the OS level once the initial install is done we can leverage the remote firmware update capability of the Jedi Packet Trick 22

Persistence (or there s a 2006 Intel imac there doing nothing! ) Intel imacs come with EFI EFI is modular Apple has an EFI Dev Kit on their Developer Connection... Why don t I write an EFI module to load the NIC firmware and nicssh 2.0? Why don t I hide the EFI module on the IDE/SATA disk? 23

Persistence EFI module design responsible for loading NIC firmware responsible for installing nicssh in GPU responsible for maintaining hidden location on IDE/SATA disk All of the above still under development 24

Persistence What works? EFI module which loads NIC firmware EFI module which loads nicssh What doesn t work? storing it on the IDE/SATA disk loading the EFI module correctly Looking at PGP WDE for OS X design for ideas... 25

Putting it all together A staged attack against a firewall remote update over UDP to NIC1 firmware update of NIC2 push EFI module into SATA disk to defend against NIC reflashing (we reflash it too!) Initiate Jedi Packet Trick 26

What now? Attack cards with proper firmware security: crypto vulnerabilities bad key management (OEMs come to mind) remote management (nice one Loïc!) Go further... how about CPU µcode? 27

µcode Yet another cunning plan... most modern CPUs have µcode update functionality to patch errata in the CPU implementation there is often more than one µcode update released during the lifetime of the CPU each CPU µcode update has to contain the previous ones plus the new one each erratum is known as manufacturers publish them each µcode update states which errata are fixed by it 28

µcode Let s say that your family contains a former µcode guru then, in theory, he could figure out some µcode for a given set of errata you could then look at the µcode before and after the errata and, in theory, you could have some known plaintext with which to attack the µcode update... 29

µcode let s say that with enough known plaintext you recover the encryption key... then you could start modifying µcode for injection now you have to worry about reboots as µcode updates are not persistent across reboots (which is good for testing!) EFI comes to the rescue there... 30

µcode The ultimate hack modify the NIC firmware remotely install nicssh for backdooring push modified µcode which blocks anything we believe hostile (e.g. using the GPU memory where our nicssh lives) install EFI module for persistence of all the above 31

Thanks My family their! patience while I play with my toys (and for having a µcode guru in it), Toby, Ryan and Brian for keeping the hard questions coming, Maya for project naming, lcars for being my ever-present simulacrum, C 8 H 10 N 4 O 2 32

References Broadcom firmware development kit: http://www.broadcom.com/products/ communications_processors_downloads.php Papers by John Heasman (ACPI, BIOS and PCI rootkits): http://www.nextgenss.com/research/papers/ Implementing_And_Detecting_A_PCI_Rootkit.pdf Network Interface Firmware Back Door with Tigon2, eeye Industry Newsletter, 25th April 2007, http://www.eeye.com/html/resources/newsletters/vice/vi20070425.html A. Singh, Mac OS X Internals, Addison-Wesley, 2006, http://osxbook.com/book/bonus/chapter4/efiprogramming/ Rowan Atkinson, Blackadder, BBC TV series. 33

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information