Welcome to Rootkit Country

Size: px

Start display at page:

Download "Welcome to Rootkit Country"

Wesley Fowler
5 years ago
Views:

1 Welcome to Rootkit Country CanSecWest 03/2011

2 Graeme Neilson Security Consultant & Researcher Aura Software Security

presence from administrators by subverting standard operating system

3 Rootkit == cancerous software A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. Wikipedia BIOS Kernel System Applications

4 Patches and Gum Mandatory access control Memory access restrictions File integrity checks (checksums, hashes) Immutable files (secure run levels, ro filesystems) Signed software Encrypted software

5 UTMs / Firewalls / Routers? Why are they a target? Route traffic Mirror traffic Layer 2 control VPN endpoint Management network connectivity Choke points for many networks Endpoint physical access can be outside owner's control.

6 UTMs / Firewalls / Routers? How can they be attacked? Insider Social Engineering Physical Access Supply Chain [ Exploits ] Can I trust the integrity of the operating systems? How easy is it to rootkit these devices?

7 Platforms

1. Go shopping. Roll your 0wn 1. Obtain firmware. Download, backups, compact flash, hard disk, VM 2. Identify the firmware. Linux, FreeBSD, vxworks, proprietary 3.

8 1. Go shopping. Roll your 0wn 1. Obtain firmware. Download, backups, compact flash, hard disk, VM 2. Identify the firmware. Linux, FreeBSD, vxworks, proprietary 3. Gain root level access. ñ Break restricted shell ñ Crack password ñ Bypass encryption ñ Reverse engineer firmware ñ NO custom hardware 4. Determine layer to attack. BIOS, Kernel, System, Application

9 WatchGuard OS XTMOS Linux Arch Bootloader Storage i686 GRUB Removable CF Firmware Format Gzip image with custom header Restricted Shell Root access Integrity yes Hardcoded password Checksum command

10 SilkGuard Rootkit Root access: add static compiled shell busybox add authorized_key to /root/.ssh/ remount rootfs read write Layers to attack: kernel, libraries and applications

11 Netgear ProSecure OS Linux Arch MIPS Bootloader GRUB Storage Removable CF Firmware Format SquashFS Root access Random password at boot File System RO unionfs Integrity none

12 NetHill Rootkit Root access: squashsfs 3.4 (big-endian support) new rootfs.img with root password blanked Layers to attack: apt-get can be enabled system-map & config present on system /dev/kmem (LKM), libraries, application

CheckPoint Secure Platform OS CP Linux (RHEL) 2.6.

13 CheckPoint Secure Platform OS CP Linux (RHEL) Arch i686 / Virtual Bootloader GRUB Storage ISO Firmware Format ISO Restricted Shell Yes Root access Yes File System ext Integrity none

14 LuckyPoint Rootkit Root access: Built in through expert mode RHEL but no SELinux Layers to attack: System map and config available but /dev/ mem restricted to first 2056 records Libraries and applications

15 Checkpoint Nokia Nokia IP71 common endpoint device for CheckPoint SP - has removable, flashable BIOS - BIOS integrity check is a simple checksum - BIOS modification and rootkit possible

16 Fortinet FortiOS OS Arch Bootloader FortiOS Linux i686 GRUB Storage Firmware Format Gzip Restricted Shell Root access File System Integrity Removable CF yes no Encrypted AES CBC FortiBIOS Firmware encrypted, signed & hashed

filename matching a device & version ID kernel must have a

17 Export-F Rootkit Root access: Fortigate will load firmware with no certificate, no hash, unencrypted start of MBR must contain a filename matching a device & version ID kernel must have a specific name Layers to attack: Load replacement kernel and file system

18 Sonicwall OS Arch Bootloader? Storage SonicOS vxworks i686 Secure Compact Flash Firmware Format Encrypted / Compressed Restricted Shell Root access File System Integrity Yes No vxworks Signature

19 Cancer Free Root access: Removable Storage Compact Flash...but its unreadable... Removable BIOS...but its unreadable... Firmware can be backed up...but its signed...

20 Cisco IOS - Da Los Rootkit Sebastian Muniz, Killing the myth of Cisco IOS rootkits: DIK OS IOS Arch MIPS / PowerPC Bootloader Proprietary Storage Flash Firmware Format Compressed Restricted Shell Yes Root access No File System Memory Integrity Checksum

21 Juniper ScreenOS OS Arch Bootloader Storage ScreenOS PowerPC Proprietary Flash Firmware Format Compressed (modded LZMA or GZIP) Restricted Shell Root access File System Integrity Yes No Memory Checksum, optional signature

l Hand code PowerPC ASM into firmware Junboro Light Rootkit Root Access: l Firmware is compressed (non standard LZMA header) l Reverse engineer format l Disassemble ScreenOS

22 l Hand code PowerPC ASM into firmware Junboro Light Rootkit Root Access: l Firmware is compressed (non standard LZMA header) l Reverse engineer format l Disassemble ScreenOS Reverse engineer firmware checksum algorithm l Firmware is signed but certificate can be loaded and unloaded Layers to attack: l Flat memory, monolithic firmware, access to everything

23 Juniper JUNOS OS Arch Bootloader Storage ScreenOS i686 / Virtual FreeBSD Flash, HDD Firmware Format Package Restricted Shell Root access File System Memory Yes Yes RO iso9660 Restricted access Integrity Veriexec, secure level 1, Package hashes, optional signature

Junboro Rootkit Root access Root by default but there are restrictions JUNOS binaries are symlinks from rw fs to iso9660 ro fs Secure run level 1 is set Veriexec used for integrity and to stop

24 Junboro Rootkit Root access Root by default but there are restrictions JUNOS binaries are symlinks from rw fs to iso9660 ro fs Secure run level 1 is set Veriexec used for integrity and to stop unknown binaries running +x shell scripts will not run directly but will run if invoked by /bin/sh Layers to attack: JUNOS doesn't require/enforce signed packages Install trojaned package using customised +INSTALL script

25 Demos Make Arch OS 1. Fortinet Intel Linux 2. Juniper PPC ScreenOS 3. Juniper VM JUNOS

26 Device & OS Encrypt Sign Immutable Integrity Memory Sonicwall Y Y Y Y - Juniper JUNOS N Y Y Y - Fortinet Y Y N Y - Juniper ScreenOS N Y N Y - Cisco IOS N N N Y - Checkpoint N N N N Y Netgear N N N N N Watchguard N N N N N

27 Conclusion Some platforms don't even try to ensure integrity A PS3 has better integrity protection than most platforms (IP vs your data?) Often signatures and encryption requirements can be bypassed Do periodic offline comparisons of system binary / firmware hashes Check supply chain, third party support

References Runtime Kernel Mem Patching, http://vxheavens.com/lib/vsc07.html, Silvio Cesare Killing the myth of Cisco IOS rootkits: DIK (Da Ios rootkit), http://eusecwest.com/esw08/esw08-muniz.

28 References Runtime Kernel Mem Patching, Silvio Cesare Killing the myth of Cisco IOS rootkits: DIK (Da Ios rootkit), Hacking Grub for fun and profit, Phrack Volume 0x0b, Issue 0x3f, CoolQ Static Kernel Patching, Phrack Volume 0x0b, Issue 0x3c, jbtzhm Playing Games With Kernel Memory... FreeBSD Style, Phrack Volume 0x0b, Issue 0x3f, Joseph Kong Implementing and detecting ACPI BIOS rootkit, BH-Fed-06-Heasman.pdf

29 Questions?

Netscreen of the Dead Developing a Trojaned Firmware for Juniper Netscreen Appliances

Netscreen of the Dead Developing a Trojaned Firmware for Juniper Netscreen Appliances Cast Graeme Neilson Security Consultant Aura Software Security graeme@aurasoftwaresecurity.co.nz Trailer What if a