BlackHat EU 2011 MunizOrtega Cisco IOS-Slides

  • 8/19/2019 BlackHat EU 2011 MunizOrtega Cisco IOS-Slides

    1/21

    Sections: Cisco IOS architecture; Analyzing Pros and Cons; Use case: IOS malware; Use case: ROMMON debugging; Use cases: Fuzzer; Wrapping up

    Fuzzing and Debugging Cisco IOS

    Blackhat Europe 2011

    Sebastian Muñiz, Alfredo Ortega

    Groundworks Technologies

    March 18, 2011

    Groundworks Technologies Fuzzing and Debugging Cisco IOS

  • 2/21

    Agenda

    Cisco IOS Architecture
    Debugger internals
    Dynamips modification
    GDB support
    IDA Pro support
    Shortcomings of self-checking routines
    Demos: Malware analysis, Fuzzing example

  • 3/21

    Cisco IOS architecture

    Single binary image
    Shared single address space
    Cooperative priority-based scheduler

    Figure: Cisco IOS process memory (blocks: Processes, Packet Buffers, Kernel, Device Drivers, Hardware, Fast Software Switch)

  • 4/21

    Dynamips emulator

    Created by Christophe Fillot [1]
    Runs on Windows, Linux and Mac OS X.
    Equivalent to QEMU/Bochs
    Implements MIPS/PowerPC architecture and Cisco hardware
    Supports the following models: (a) 7200 (b) 36XX (c) 2691 (d) 3725 (e) 3745 (f) 26XX (g) 17XX

    [1] http://www.ipflow.utc.fr/index.php/Cisco_7200_Simulator

  • 5/21

    Built-in GDB server

    Used by Cisco developers and support engineers
    Works over Telnet, SSH and Serial console
    Slightly different GDB protocol

    Figure: GDB debugging modes (modes: Examine, Debug Kernel, Remote; operations: Read Registers, Write Registers, Read Memory, Write Memory, Freeze OS)

  • 6/21

    Virtual Machine Debugger internals

    Figure: GDB Server embedding (inside Dynamips: GDB Protocol, GDB Server, PowerPC/MIPS CPU, Memory Controller, Special Hardware: FPGA, PCI, WIC, NM)

    CPU/Memory instrumentation
    No JIT support
    Supported commands:
      Read/Write CPU Registers
      Read/Write Memory
      Set/Unset Breakpoints
    Any standard GDB client supported
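    As an added illustration (not code from the slides or from the dynamips-gdb-mod project), here is the GDB Remote Serial Protocol framing a standard client uses for the three command groups listed above: register read, memory read and breakpoint set/unset. Register width and byte order are assumptions, since the slides do not state what the Dynamips server returns.

```python
"""GDB Remote Serial Protocol framing for the Dynamips GDB server command
groups: register read, memory read, breakpoint set/unset. A packet is
'$' + payload + '#' + two hex digits (sum of payload bytes mod 256).
Register width/byte order are assumptions: big-endian, 4 bytes by default."""
import struct

def checksum(payload: bytes) -> int:
    return sum(payload) & 0xFF

def frame(payload: str) -> bytes:
    """Wrap a command or reply payload in the '$...#xx' envelope."""
    data = payload.encode()
    return b"$" + data + b"#%02x" % checksum(data)

def unframe(packet: bytes) -> bytes:
    """Validate envelope and checksum; return the payload bytes."""
    if len(packet) < 4 or packet[:1] != b"$" or packet[-3:-2] != b"#":
        raise ValueError("malformed packet")
    payload = packet[1:-3]
    if checksum(payload) != int(packet[-2:], 16):
        raise ValueError("checksum mismatch")
    return payload

# Command builders: hex fields, no spaces, as in the GDB RSP spec.
def read_registers() -> bytes:
    return frame("g")

def read_memory(addr: int, length: int) -> bytes:
    return frame("m%x,%x" % (addr, length))

def set_breakpoint(addr: int, kind: int = 4) -> bytes:
    # kind = breakpoint instruction length; 4 assumed for MIPS/PowerPC
    return frame("Z0,%x,%x" % (addr, kind))

def remove_breakpoint(addr: int, kind: int = 4) -> bytes:
    return frame("z0,%x,%x" % (addr, kind))

# Reply decoders: a target error comes back as 'E' + two hex digits.
def decode_memory(packet: bytes) -> bytes:
    payload = unframe(packet)
    if payload[:1] == b"E":
        raise IOError("target error %s" % payload[1:].decode())
    return bytes.fromhex(payload.decode())

def decode_registers(packet: bytes, width: int = 4, big_endian: bool = True) -> list:
    """Split the 'g' reply hex blob into fixed-width integer registers."""
    raw = bytes.fromhex(unframe(packet).decode())
    count = len(raw) // width
    fmt = (">" if big_endian else "<") + "%d%s" % (count, {4: "I", 8: "Q"}[width])
    return list(struct.unpack(fmt, raw[: count * width]))
```

    The decoders are fed constructed replies here; a real session would read the `$...#xx` packets off the Dynamips GDB port and acknowledge each with `+`.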


  • 7/21

    Pros and Cons of Virtual Machine Debugger

    Pros:
      Complete isolation (almost!)
      Cost-effective
      Controlled debugging environment
      Bug-hunter friendly

    Cons:
      Not 100% exact emulation
      Not all models or hardware compatible
      Findings need double-check with physical device
      Check Cisco EULA before doing anything crazy. Just in case.

  • 8/21

    Why isolation is good?

    Figure: Using built-in GDB (analyzing malware: Malware, Cisco IOS, Mirror, Original memory, Built-In GDB Stub, GDB Client; a Read_Memory Request is answered with Bytes Expected (fake))

    Figure: Dynamips GDB server (analyzing malware: DYNAMIPS, GDB Stub, Malware, Cisco IOS, GDB Client; Read_Memory is answered with a dump of the Malware memory)

    Lesson learned: NEVER analyze malware inside an infected host.

  • 9/21

    I don't need this, I have the verify command

    Cisco Response on IOS rootkits [2]:
      Maintain chain of trust when verifying IOS images
      Verify IOS image in external host, or before booting it
      Use the MD5 File Validation command "verify" on loaded image:

    Using the MD5 File Validation Feature
    "The MD5 File Validation feature, added in Cisco IOS Software Releases 12.2(4)T and 12.0(22)S, allows network administrators to calculate the MD5 hash of a Cisco IOS software image file that is loaded on a device."

    [2] http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml

  • 10/21

    Shortcomings of self-checking routines

    Figure: Using built-in GDB (malware-affected analysis: Verify CLI command, User expected, GDB server, MD5 CHK, Cisco IOS, Malware, Login routine, MD5 chksum (fake))

    Figure: Using Dynamips GDB server (clean analysis: Cisco IOS, MD5 Tool, Calculate, Hash Result, External trusted environment)

    Lesson learned (again): NEVER verify code inside an infected host.

  • 11/21

    Use cases: IOS malware

    Demo: Backdoored IOS installation

    Not trivial to analyze (many IOS variations). At least, possible:

    Demo!

  • 12/21

    Use case: ROMMON debugging

    ROMMON: Cisco bootloader [3]
      Very easy to verify and analyze (less variations)
      Read-only in some models
      Contains a basic but privileged debugger
    ROMMON itself can be debugged by Dynamips

    [3] Felix 'FX' Lindner, 25c3, Cisco IOS - Attack & Defense, http://www.phenoelit-us.org/stuff/FX_Phenoelit_25c3_Cisco_IOS

  • 13/21

    Fuzzing requirements

    Correct exception handling
    Reproducible test-cases
    Logging
    Desirable: Debugging environment (for post-analysis)

  • 14/21

    Fuzzing timing diagram

    Figure: Fuzzing timing diagram (participants: Fuzzer, Log, Dynamips, GDB; messages: Start, Fuzz case N, Exception, Signal, Get Regs, Registers, Restart, Start, Fuzz case N+1, Restart)

  • 15/21

    Example fuzzer

    Attack surface via Protocol fuzzer (ftp)
    Trivial test-case generation (just an example!)

    Figure: example fuzzer flowchart (Start -> Connect to FTP -> Send: Command + "AAA..." (100 A's) -> Crash? Yes: Save state (DB) / No -> Disconnect -> More CMDs? Yes: next command / No: End)

  • 16/21

    Fuzzer Demo

    Demo!

  • 17/21

    Triggered Vulnerability

    Cisco Security Advisory: Multiple Vulnerabilities in the IOS FTP Server (cisco-sa-20070509-iosftp)
    30 FTP commands, remote code execution on 16: (USER, CWD, DELE, RNFR, STOR, NLST, APPE, MKD, RMD, STOU, RETR, LIST, STAT, MDTM, SIZE, and HELP)

    Patched in 2007: Completely remove all FTP server code

  • 18/21

    How secure is this debugger?

    Very.

    Can be used in a production environment to analyze malicious code?

    No. Dynamips contains emulation bugs.

    Demo!

  • 19/21

    Future Development

    Honeypots
    Malware analysis Lab
    Exploit Dev
    Duplicate exact memory behaviour (typical VMs problems)
    Secure host isolation (squash Dynamips bugs)

  • 20/21

    Questions?

    Via email:

    [email protected]@groundworkstech.com

    Please download:

    http://www.groundworkstech.com/projects/dynamips-gdb-mod
    Published under the GNU General Public Licence (GPL)

  • 21/21

    The End

    Thanks for listening!

    http://www.groundworkstech.com/