RED BALLOON Security
FRAK: Firmware Reverse Analysis Konsole
Ang Cui, a@redballoonsecurity.com
Defcon 20, 7.27.2012

WHO AM I / WHAT DO I DO
• 5th year Ph.D. candidate, Intrusion Detection Systems Lab, Columbia University
• Co-founder and CEO, Red Balloon Security Inc. (WWW.REDBALLOONSECURITY.COM)

PAST PUBLICATIONS:
• Pervasive Insecurity of Embedded Network Devices. [RAID10]
• A Quantitative Analysis of the Insecurity of Embedded Network Devices. [ACSAC10]
• Killing the Myth of Cisco IOS Diversity: Towards Reliable Large-Scale Exploitation of Cisco IOS. [USENIX WOOT11]
• Defending Legacy Embedded Systems with Software Symbiotes. [RAID11]
• From Prey to Hunter: Transforming Legacy Embedded Devices into Exploitation Sensor Grids. [ACSAC11]

PAST EMBEDDED TINKERINGS:
• Interrupt-hijack Cisco IOS rootkit
• HP LaserJet printer rootkit

INTERRUPT-HIJACK SHELLCODE [BLACKHAT USA 2011]
• 2nd stage: exception hijack and IOMEM snooping
  (Diagram: ISR #1, ISR #2, ISR #3 ... ISR #N; 2nd-stage shellcode: init; IOMEM packet scrubber; 2nd-stage shellcode: exit; eret. Load code -> execute code -> exfiltrate data.)
• The (MIPS) ERET, or Exception-Return, is an architecture invariant
• ISR entry point is a binary invariant, typically found at 0x80000180, etc.
• Can just hijack the entry point, but there is an ulterior motive
• Use ERET locations in the image to fingerprint the IOS version
• Interrupt-hijack shellcode frees us from the tyrannies of the watchdog timer. Perpetual stealthy execution!
HP-RFU VULNERABILITY
• HP LaserJet 2550 rootkit [28C3]

WORKFLOW [XYZ Embedded {Offense | Defense}]

UNPACKING PROCESS:
1. Parse package manifest
2. For each "record" in firmware: de{crypt,compress} record
   • Record encrypted? Record compressed? Record checksummed? Record digitally signed?
   • Known algorithm or proprietary algorithm?
3. For each "unpacked record" in firmware: filesystem extraction
   • Known format or proprietary format?

RE-PACKING PROCESS:
1. Re-pack modified filesystem
   • Known format or proprietary format?
2. For each "unpacked record" in firmware: re-{crypt,compress}, recalculate checksum, etc.
   • Record encrypted? Record compressed? Record checksummed? Record digitally signed?
   • Known algorithm or proprietary algorithm?
3. Repack all binary "records"
4. Re-generate package manifest

REASONS WHY ANG STAYS HOME ON FRIDAY NIGHT
(Cycle: payload design -> payload development -> payload testing -> stare @ binary blob. "THIS PART" = stare @ binary blob.)

FRAK: FIRMWARE REVERSE ANALYSIS KONSOLE
[Better Living Through Software Engineering]

FRAK ARCHITECTURE
• Input: arbitrary firmware image of unknown format
• Format modules: HP-RFU module, Cisco IOS module, Cisco-CNU module, XYZ-format module
• Firmware Unpacking Engine -> unpacked firmware binary
• Firmware Analysis Engine
• Firmware Modification Engine: Software Symbiotes, XYZ dynamic instrumentation & rootkit
• Firmware Repacking Engine
• Access: Programmatic API, Interactive Console
UNPACK, ANALYZE, MODIFY, REPACK: CISCO IOS

    # FRAK programmatic API (FRAK classes assumed already imported):
    # unpack a Cisco IOS image, unzip the inner record, apply a modifier,
    # then re-zip and repack the outer image from the inside out.
    test_img = "../test-data/cisco-ios/c7200-a3jk9s-mz.124-25d.bin"
    fmObj = FirmwareObject(fName=test_img)
    fmObj.registerUnpacker(FrakUnpackerFactory.giveUnpacker("cisco-ios-unpacker"))
    fmObj.unpack()
    # child "/1" is the zip-packed record inside the IOS image
    childObj = fmObj.getFirmwareObj("/1")
    childObj.registerUnpacker(FrakUnpackerFactory.giveUnpacker("generic-unzip-unpacker"))
    childObj.unpack()
    # "/1/0" is the unzipped binary; apply the show-version modifier to it
    meat = fmObj.getFirmwareObj("/1/0")
    meat.registerModifier(FrakModifierFactory.giveModifier("cisco-ios-showversion-modifier"))
    meat.modify()
    # repack: zip the child first, then rebuild the IOS image around it
    childObj.registerPacker(FrakPackerFactory.givePacker("pkzip-packer"))
    childObj.pack()
    fmObj.registerPacker(FrakPackerFactory.givePacker("cisco-ios-packer"))
    result = fmObj.pack()
    print("tada!")

REASONS WHY ANG STAYS HOME ON FRIDAY NIGHT
(Cycle: payload design -> payload development -> payload testing -> stare @ binary blob. "THIS PART": Thanks FRAK!)
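The unpack / modify / repack workflow above, as an added example that is not FRAK code and not any vendor's format: a constructed toy record-based container (magic plus record count as the manifest, per-record compression flag and CRC32) is parsed with checksum verification, one record is replaced, and the image is repacked with the checksums and manifest regenerated.

```python
import struct
import zlib
# Constructed toy container (not FRAK's format or any vendor's):
#   manifest: magic b"FWPK" + record count (u16 LE)
#   record:   flags (u8; bit0 = zlib-compressed) + stored length (u32)
#             + crc32 of the stored payload (u32) + payload bytes
MAGIC = b"FWPK"
FLAG_COMPRESSED = 0x01
HDR = struct.Struct("<BII")

def pack_records(records):
    """Re-packing: re-compress each record, recalculate its checksum,
    then regenerate the manifest so it matches the new records."""
    out = bytearray(MAGIC + struct.pack("<H", len(records)))
    for flags, data in records:
        payload = zlib.compress(data) if flags & FLAG_COMPRESSED else data
        out += HDR.pack(flags, len(payload), zlib.crc32(payload) & 0xFFFFFFFF)
        out += payload
    return bytes(out)

def unpack_records(image):
    """Unpacking: parse the manifest, then verify and decompress each record.
    Fails loudly on a truncated or corrupted image instead of returning bad bytes."""
    if image[:4] != MAGIC or len(image) < 6:
        raise ValueError("bad magic or manifest")
    (count,) = struct.unpack_from("<H", image, 4)
    off, records = 6, []
    for i in range(count):
        if off + HDR.size > len(image):
            raise ValueError("truncated header for record %d" % i)
        flags, length, crc = HDR.unpack_from(image, off)
        off += HDR.size
        payload = image[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated payload for record %d" % i)
        if zlib.crc32(payload) & 0xFFFFFFFF != crc:
            raise ValueError("checksum mismatch in record %d" % i)
        data = zlib.decompress(payload) if flags & FLAG_COMPRESSED else payload
        records.append((flags, data))
        off += length
    return records

def rewrite_record(image, index, new_data):
    """Unpack, swap one record's contents, repack with fresh checksums."""
    records = unpack_records(image)
    records[index] = (records[index][0], new_data)
    return pack_records(records)

# Constructed sample: an uncompressed text record plus a compressed "filesystem".
SAMPLE = pack_records([(0, b"version=1.0\n"), (FLAG_COMPRESSED, b"motd: hello\n" * 32)])
```

A real packer adds the encryption and signature steps from the workflow at the same points; the checksum check is what keeps a truncated or bit-flipped image from being analyzed as if it were valid.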
DEMOS
• Packer/repacker for Cisco IOS, HP-RFU
• Automagic binary analysis
• IDA Pro integration
• Entropy-related analysis
• Automated IOS/RFU rootkit injection

FRAK KONSOLE
Pane Name: help
Available commands:
  unpacker_add               help                        firmware_analyze
  unpacker_remove            firmware_import | import    firmware_unpack
  firmware_export | export   quit | q                    modifier_remove
  toggle_debug | dt          exit                        show_panes
  firmware_load | l          packer_list | pl            analysis_show
  analyzer_add | as          packer_add | pa             firmware_modify
  firmware_show | fs         modifier_list | ml          set_pane
  firmware_pack | fp         modifier_add | ma           clear
  toggle_verbose | vb        unpacker_list | ul          analyzer_list | al
  toggle_auto_analysis
Last Cmd: h
Last Status: command not found

FRAK is still WIP. For early access contact frak-request@redballoonsecurity.com
Defcon 20, 7.27.2012