Welcome to Rootkit Country


Welcome to Rootkit Country CanSecWest 03/2011

Graeme Neilson Security Consultant & Researcher Aura Software Security graeme@aurasoftwaresecurity.co.nz

Rootkit == cancerous software

"A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications." (Wikipedia)

Layers: BIOS, Kernel, System, Applications

Patches and Gum
- Mandatory access control
- Memory access restrictions
- File integrity checks (checksums, hashes)
- Immutable files (secure run levels, ro filesystems)
- Signed software
- Encrypted software

UTMs / Firewalls / Routers? Why are they a target?
- Route traffic
- Mirror traffic
- Layer 2 control
- VPN endpoint
- Management network connectivity
- Choke points for many networks
- Endpoint physical access can be outside owner's control

UTMs / Firewalls / Routers? How can they be attacked?
- Insider
- Social engineering
- Physical access
- Supply chain
- [ Exploits ]

Can I trust the integrity of the operating systems? How easy is it to rootkit these devices?

Platforms: 1. Go shopping.

Roll your 0wn
1. Obtain firmware: download, backups, compact flash, hard disk, VM
2. Identify the firmware: Linux, FreeBSD, vxworks, proprietary
3. Gain root level access:
   - Break restricted shell
   - Crack password
   - Bypass encryption
   - Reverse engineer firmware
   - NO custom hardware
4. Determine layer to attack: BIOS, Kernel, System, Application

WatchGuard
OS: XTMOS Linux 2.6.21
Arch: i686
Bootloader: GRUB
Storage: Removable CF
Firmware Format: Gzip image with custom header
Restricted Shell: yes
Root access: Hardcoded password
Integrity: Checksum command

SilkGuard Rootkit
Root access:
- add static compiled shell busybox
- add authorized_key to /root/.ssh/
- remount rootfs read write
Layers to attack: kernel, libraries and applications

Netgear ProSecure
OS: Linux 2.6.21
Arch: MIPS
Bootloader: GRUB
Storage: Removable CF
Firmware Format: SquashFS
Root access: Random password at boot
File System: RO unionfs
Integrity: none

NetHill Rootkit
Root access:
- squashfs 3.4 (big-endian support)
- new rootfs.img with root password blanked
Layers to attack:
- apt-get can be enabled
- system-map & config present on system
- /dev/kmem (LKM), libraries, application

CheckPoint Secure Platform
OS: CP Linux (RHEL) 2.6.18
Arch: i686 / Virtual
Bootloader: GRUB
Storage: ISO
Firmware Format: ISO
Restricted Shell: Yes
Root access: Yes
File System: ext
Integrity: none

LuckyPoint Rootkit
Root access: Built in through expert mode
RHEL but no SELinux
Layers to attack:
- System map and config available but /dev/mem restricted to first 2056 records
- Libraries and applications

Checkpoint Nokia
Nokia IP71 common endpoint device for CheckPoint SP
- has removable, flashable BIOS
- BIOS integrity check is a simple checksum
- BIOS modification and rootkit possible

Fortinet FortiOS
OS: FortiOS Linux
Arch: i686
Bootloader: GRUB
Storage: Removable CF
Firmware Format: Gzip
Restricted Shell: yes
Root access: no
File System: Encrypted AES CBC
Integrity: FortiBIOS; firmware encrypted, signed & hashed

Export-F Rootkit
Root access:
- Fortigate will load firmware with no certificate, no hash, unencrypted
- start of MBR must contain a filename matching a device & version ID
- kernel must have a specific name
Layers to attack: Load replacement kernel and file system

Sonicwall
OS: SonicOS vxworks
Arch: i686
Bootloader: ?
Storage: Secure Compact Flash
Firmware Format: Encrypted / Compressed
Restricted Shell: Yes
Root access: No
File System: vxworks
Integrity: Signature

Cancer Free
Root access:
- Removable storage compact flash... but it's unreadable...
- Removable BIOS... but it's unreadable...
- Firmware can be backed up... but it's signed...

Cisco IOS - Da Ios Rootkit
Sebastian Muniz, Killing the myth of Cisco IOS rootkits: DIK
OS: IOS
Arch: MIPS / PowerPC
Bootloader: Proprietary
Storage: Flash
Firmware Format: Compressed
Restricted Shell: Yes
Root access: No
File System: Memory
Integrity: Checksum

Juniper ScreenOS
OS: ScreenOS
Arch: PowerPC
Bootloader: Proprietary
Storage: Flash
Firmware Format: Compressed (modded LZMA or GZIP)
Restricted Shell: Yes
Root access: No
File System: Memory
Integrity: Checksum, optional signature

Junboro Light Rootkit
Root access:
- Firmware is compressed (non standard LZMA header)
- Reverse engineer format
- Disassemble ScreenOS
- Reverse engineer firmware checksum algorithm
- Firmware is signed but certificate can be loaded and unloaded
- Hand code PowerPC ASM into firmware
Layers to attack: Flat memory, monolithic firmware, access to everything

Juniper JUNOS
OS: ScreenOS [sic]
Arch: i686 / Virtual
Bootloader: FreeBSD
Storage: Flash, HDD
Firmware Format: Package
Restricted Shell: Yes
Root access: Yes
File System: RO iso9660
Memory: Restricted access
Integrity: Veriexec, secure level 1, package hashes, optional signature

Junboro Rootkit
Root access:
- Root by default but there are restrictions
- JUNOS binaries are symlinks from rw fs to iso9660 ro fs
- Secure run level 1 is set
- Veriexec used for integrity and to stop unknown binaries running
- +x shell scripts will not run directly but will run if invoked by /bin/sh
Layers to attack:
- JUNOS doesn't require/enforce signed packages
- Install trojaned package using customised +INSTALL script

Demos
   Make      Arch   OS
1. Fortinet  Intel  Linux
2. Juniper   PPC    ScreenOS
3. Juniper   VM     JUNOS

Device & OS        Encrypt  Sign  Immutable  Integrity  Memory
Sonicwall          Y        Y     Y          Y          -
Juniper JUNOS      N        Y     Y          Y          -
Fortinet           Y        Y     N          Y          -
Juniper ScreenOS   N        Y     N          Y          -
Cisco IOS          N        N     N          Y          -
Checkpoint         N        N     N          N          Y
Netgear            N        N     N          N          N
Watchguard         N        N     N          N          N

Conclusion
- Some platforms don't even try to ensure integrity
- A PS3 has better integrity protection than most platforms (IP vs your data?)
- Often signatures and encryption requirements can be bypassed
- Do periodic offline comparisons of system binary / firmware hashes
- Check supply chain, third party support
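The conclusion's advice on periodic offline comparison of system binary / firmware hashes, and the file integrity checks listed under "Patches and Gum", as an added Python example that is not code from the talk: it builds a SHA-256 manifest of a file tree, stores it as the baseline, and reports what a later snapshot added, removed or modified. The sbin/sshd, sbin/init and sbin/extra paths and their contents are constructed sample data.

```python
# Added example (not from the talk); the sbin/ paths and file contents are constructed.
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large firmware images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file under root to its hash; symlinks are recorded by target."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):  # a redirected symlink is itself a change
                manifest[rel] = "symlink:" + os.readlink(full)
            elif os.path.isfile(full):
                manifest[rel] = sha256_file(full)
    return manifest

def compare_manifests(baseline, current):
    """Return the paths added, removed and modified since the baseline."""
    base, cur = set(baseline), set(current)
    return {
        "added": cur - base,
        "removed": base - cur,
        "modified": {p for p in base & cur if baseline[p] != current[p]},
    }

def demo():
    """Constructed scenario: replace one binary and drop in a new file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sbin"))
    def write(name, data):
        with open(os.path.join(root, "sbin", name), "wb") as f:
            f.write(data)
    write("sshd", b"original sshd bytes")
    write("init", b"original init bytes")
    baseline = build_manifest(root)  # in practice, stored off the device
    write("sshd", b"replaced sshd bytes")
    write("extra", b"new file")
    return compare_manifests(baseline, build_manifest(root))
```

The baseline is only meaningful if it is taken from firmware you trust and kept off the device, so a rootkit that rewrites binaries cannot also rewrite the manifest.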

References
- Silvio Cesare, Runtime Kernel Mem Patching, http://vxheavens.com/lib/vsc07.html
- Sebastian Muniz, Killing the myth of Cisco IOS rootkits: DIK (Da Ios rootkit), http://eusecwest.com/esw08/esw08-muniz.pdf
- CoolQ, Hacking Grub for fun and profit, Phrack Volume 0x0b, Issue 0x3f
- jbtzhm, Static Kernel Patching, Phrack Volume 0x0b, Issue 0x3c
- Joseph Kong, Playing Games With Kernel Memory... FreeBSD Style, Phrack Volume 0x0b, Issue 0x3f
- John Heasman, Implementing and detecting ACPI BIOS rootkit, http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Heasman.pdf

Questions?