Welcome to Rootkit Country CanSecWest 03/2011
Graeme Neilson, Security Consultant & Researcher, Aura Software Security, graeme@aurasoftwaresecurity.co.nz

Rootkit == cancerous software
"A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications." (Wikipedia)
Layers: BIOS, Kernel, System, Applications

Patches and Gum
- Mandatory access control
- Memory access restrictions
- File integrity checks (checksums, hashes)
- Immutable files (secure run levels, ro filesystems)
- Signed software
- Encrypted software

UTMs / Firewalls / Routers? Why are they a target?
- Route traffic
- Mirror traffic
- Layer 2 control
- VPN endpoint
- Management network connectivity
- Choke points for many networks
- Endpoint physical access can be outside owner's control

UTMs / Firewalls / Routers? How can they be attacked?
- Insider
- Social engineering
- Physical access
- Supply chain
- [ Exploits ]
Can I trust the integrity of the operating systems? How easy is it to rootkit these devices?
Platforms
1. Go shopping.

Roll your 0wn
1. Obtain firmware: download, backups, compact flash, hard disk, VM
2. Identify the firmware: Linux, FreeBSD, vxworks, proprietary
3. Gain root level access:
   - Break restricted shell
   - Crack password
   - Bypass encryption
   - Reverse engineer firmware
   - NO custom hardware
4. Determine layer to attack: BIOS, Kernel, System, Application
WatchGuard
OS: XTMOS Linux 2.6.21
Arch: i686
Bootloader: GRUB
Storage: Removable CF
Firmware Format: Gzip image with custom header
Restricted Shell: yes
Root access: Hardcoded password
Integrity: Checksum command

SilkGuard Rootkit
Root access:
- add static compiled shell busybox
- add authorized_key to /root/.ssh/
- remount rootfs read write
Layers to attack: kernel, libraries and applications

Netgear ProSecure
OS: Linux 2.6.21
Arch: MIPS
Bootloader: GRUB
Storage: Removable CF
Firmware Format: SquashFS
Root access: Random password at boot
File System: RO unionfs
Integrity: none

NetHill Rootkit
Root access:
- squashfs 3.4 (big-endian support)
- new rootfs.img with root password blanked
Layers to attack:
- apt-get can be enabled
- system-map & config present on system
- /dev/kmem (LKM), libraries, application
CheckPoint Secure Platform
OS: CP Linux (RHEL) 2.6.18
Arch: i686 / Virtual
Bootloader: GRUB
Storage: ISO
Firmware Format: ISO
Restricted Shell: Yes
Root access: Yes
File System: ext
Integrity: none

LuckyPoint Rootkit
Root access:
- Built in through expert mode
- RHEL but no SELinux
Layers to attack:
- System map and config available but /dev/mem restricted to first 2056 records
- Libraries and applications

Checkpoint Nokia
Nokia IP71 common endpoint device for CheckPoint SP
- has removable, flashable BIOS
- BIOS integrity check is a simple checksum
- BIOS modification and rootkit possible

Fortinet FortiOS
OS: FortiOS Linux
Arch: i686
Bootloader: GRUB
Storage: Removable CF
Firmware Format: Gzip
Restricted Shell: yes
Root access: no
File System: Encrypted AES CBC
Integrity: FortiBIOS; firmware encrypted, signed & hashed

Export-F Rootkit
Root access:
- Fortigate will load firmware with no certificate, no hash, unencrypted
- start of MBR must contain a filename matching a device & version ID
- kernel must have a specific name
Layers to attack: Load replacement kernel and file system
Sonicwall
OS: SonicOS vxworks
Arch: i686
Bootloader: ?
Storage: Secure Compact Flash
Firmware Format: Encrypted / Compressed
Restricted Shell: Yes
Root access: No
File System: vxworks
Integrity: Signature

Cancer Free
Root access:
- Removable storage, compact flash... but it's unreadable...
- Removable BIOS... but it's unreadable...
- Firmware can be backed up... but it's signed...

Cisco IOS - Da Ios Rootkit
Sebastian Muniz, Killing the myth of Cisco IOS rootkits: DIK
OS: IOS
Arch: MIPS / PowerPC
Bootloader: Proprietary
Storage: Flash
Firmware Format: Compressed
Restricted Shell: Yes
Root access: No
File System: Memory
Integrity: Checksum

Juniper ScreenOS
OS: ScreenOS
Arch: PowerPC
Bootloader: Proprietary
Storage: Flash
Firmware Format: Compressed (modded LZMA or GZIP)
Restricted Shell: Yes
Root access: No
File System: Memory
Integrity: Checksum, optional signature

Junboro Light Rootkit
Root access:
- Firmware is compressed (non standard LZMA header)
- Reverse engineer format
- Disassemble ScreenOS, reverse engineer firmware checksum algorithm
- Firmware is signed but certificate can be loaded and unloaded
Layers to attack:
- Flat memory, monolithic firmware, access to everything
- Hand code PowerPC ASM into firmware

Juniper JUNOS
OS: ScreenOS (sic)
Arch: i686 / Virtual
Bootloader: FreeBSD
Storage: Flash, HDD
Firmware Format: Package
Restricted Shell: Yes
Root access: Yes
File System: RO iso9660
Memory: Restricted access
Integrity: Veriexec, secure level 1, package hashes, optional signature

Junboro Rootkit
Root access:
- Root by default but there are restrictions
- JUNOS binaries are symlinks from rw fs to iso9660 ro fs
- Secure run level 1 is set
- Veriexec used for integrity and to stop unknown binaries running
- +x shell scripts will not run directly but will run if invoked by /bin/sh
Layers to attack:
- JUNOS doesn't require/enforce signed packages
- Install trojaned package using customised +INSTALL script
Demos
   Make      Arch   OS
1. Fortinet  Intel  Linux
2. Juniper   PPC    ScreenOS
3. Juniper   VM     JUNOS

Device & OS        Encrypt  Sign  Immutable  Integrity  Memory
Sonicwall          Y        Y     Y          Y          -
Juniper JUNOS      N        Y     Y          Y          -
Fortinet           Y        Y     N          Y          -
Juniper ScreenOS   N        Y     N          Y          -
Cisco IOS          N        N     N          Y          -
Checkpoint         N        N     N          N          Y
Netgear            N        N     N          N          N
Watchguard         N        N     N          N          N

Conclusion
- Some platforms don't even try to ensure integrity
- A PS3 has better integrity protection than most platforms (IP vs your data?)
- Often signatures and encryption requirements can be bypassed
- Do periodic offline comparisons of system binary / firmware hashes
- Check supply chain, third party support
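The offline hash comparison the conclusion recommends, as an added example that is not code from the talk: it builds a manifest of an extracted or mounted firmware tree, records symlink targets alongside file digests (the JUNOS slide notes that binaries are symlinks from the rw filesystem into the read-only iso9660 one, so a re-pointed link matters as much as a patched file), and diffs it against a saved baseline. The directory layout and file contents in demo() are constructed, not taken from any real image.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each regular file and symlink under root (an extracted or mounted
    firmware tree, walked offline) to a sha256 digest or its link target."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():
            # Record the target: re-pointing a link at a trojaned copy on a
            # writable partition leaves every file hash unchanged.
            manifest[rel] = "symlink:" + os.readlink(path)
        elif path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest

def diff_manifests(baseline, current):
    """Entries whose digest or link target changed, appeared, or disappeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed sample tree, not a real image: baseline it, apply the kinds
    of change the deck describes, and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ro/bin").mkdir(parents=True)
        (root / "rw/bin").mkdir(parents=True)
        (root / "ro/bin/sh").write_bytes(b"ELF vendor shell")
        (root / "ro/bin/ls").write_bytes(b"ELF vendor ls")
        (root / "rw/bin/ls").symlink_to("../../ro/bin/ls")
        baseline = build_manifest(root)
        (root / "ro/bin/sh").write_bytes(b"ELF patched shell")  # binary patched
        (root / "rw/bin/.ls").write_bytes(b"ELF trojan ls")  # new binary dropped in
        (root / "rw/bin/ls").unlink()
        (root / "rw/bin/ls").symlink_to(".ls")  # link re-pointed at the trojan
        return diff_manifests(baseline, build_manifest(root))
```

Save the baseline manifest off the device (for example as JSON) right after a trusted install, and run the comparison from a separate host against a copy of the storage rather than through the appliance's own shell.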
References
- Silvio Cesare, Runtime Kernel Mem Patching, http://vxheavens.com/lib/vsc07.html
- Sebastian Muniz, Killing the myth of Cisco IOS rootkits: DIK (Da Ios rootkit), http://eusecwest.com/esw08/esw08-muniz.pdf
- CoolQ, Hacking Grub for fun and profit, Phrack Volume 0x0b, Issue 0x3f
- jbtzhm, Static Kernel Patching, Phrack Volume 0x0b, Issue 0x3c
- Joseph Kong, Playing Games With Kernel Memory... FreeBSD Style, Phrack Volume 0x0b, Issue 0x3f
- John Heasman, Implementing and detecting ACPI BIOS rootkit, http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Heasman.pdf
Questions?