Attacking Nextgen Firewalls

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

okay next talk it's quite interesting because it's a colleague that's presenting Felix villain from Yan W and it's also a very veteran trooper speaker the topic is taking next-generation firewalls especially a specific product but I won't give too much clues so Felix please hello hello okay so to whom I talk attacking next-generation firewalls with the subtitle breaking Han OS so before we start with the actual content too short an introduction about myself I'm a security researcher working for a year in W research I'm mainly interested in the areas of application and virtualization security and in recent years the research concentrated mostly on hypervisors which we focus on xn and in the last half year year also on security appliances including fire I and now Palo Alto so as mentioned already Palo Alto is to target for this talk so we take a look at Palo Alto next-generation firewall which is running the pan OS operating system so panwa s is basically the software stack that runs on all Palo Alto devices and the device which are analyzed and which is also standing here that's the one making so much noise to blue room it's a Palo Alto PA 500 which is kind of one of the smaller devices but this box I'll talk about our effect all of the different devices because they all use the same software stack even if they have a much more powerful hardware and today's main focus again lies on the text against the device itself so we didn't look too much into like something like intrusion detection systems or functionality instead we wanted to see what's the text surface of these devices and how you can secure them against potentially like advanced attackers or motivated attack that target them specifically when talking about say what kind of features has this device it's marketed as a next-generation firewall which basically means a basic firewall with some additional features in the case of Palo Alto this includes really powerful management interfaces so you have normal like SSH based console management interface you also have a quite interactive web interface for configuration and you also have access to invest API so you can use centralized and autom eyes management of all these devices in your network and additionally includes functionality of your signature matching so you have an intrusion prevention system exploit detection ul filtering there's a feature called white fire which basically is dynamic malware analysis in the cloud and you have app ID which means you can you can set up policies firewall policies based on the application that do the communication so you are not filtering based on simply on TCP ports or eyepiece you can do this on applications and user ID which is really interesting and it's basically the same feature but you filter based on user accounts so you can see say this user can connect to this IP or to this host menendez global protect clove will protect this kind of VPN functionality with additional features that are targeted to to mobile devices mostly so it's management of mobile devices and thinkyou remote access of these devices so of course all these features can't be like analyzed in a real environment in a normal time frame so we decided on looking at some certain ones of them this includes the management interfaces user ID and global protect so these are the three main topics we want to look at today we didn't spend too much time investigating the other stuff so I don't want to like do any any new recommendations or any stuff on that but for example the application ID feature we did like your cursor we look on that and that looks kind of ok so with this that the agenda for today's talk we start with breaking in so as always these kind of security appliances don't give you administer so even if you have administrative success these security blinds don't give you access to the full operating system and we need your success to perform the further research which we present in the later parts of the talk so the first step is performing a jailbreak then we take a look at the architecture of upon us and based on this architecture we defined in a text surface where you again go to the three features or topics are already introduced and of course at the end we have a short conclusion so starting with breaking in the administrative interfaces so in this case we are the owner of the box so we have full administrative access to the box we just want to get like operating system access and we have two interfaces we can work with the comment line interface which is reachable over SSH and is shown to the left-hand side and the web interface you can just use your browser we require this jailbreak to perform like to further further we should research and understand how this device actually works so we started looking at a common line interface and the common line interface is basically restricted to like normal configuration and troubleshooting stuff so you can review logs and you can can look at stuff and if you start playing around with this you see that several of the comment utilities you have are just like wrappers around standard Linux utilities so for example this test SCP server connection just calls down into the normal SCP program you have on every Linux system and unfortunately they don't escape all parameters correctly so in this case we just passed to this test SCP server connection comment and hostname that starts with a - and includes a conflict option that's then passed to SCP or to SSH server used like the same configuration which will define a proxy common data stand triggered when the actual connection attempt is made in this case our and simply changes the shell of the ER and W user from this restricted common line interface shell - fully featured bash so that's like the easiest approach you can choose because then the next time you connect over SSH you won't see the restricted interface instead you get full-blown mixture when you do this you quickly see that that just it's an Linux system and interestingly it's a Linux system running on the mips64 processor and to be honest it's the first device I ever had in my hand that's running mips64 so it's kind of an exotic architecture at least for me and it's running a cavium accion plus processor which has some kind of interesting features as we will see later on so the main focus of our research originally laid on the pan OS 6 a1 so nowadays they even they also have a panel s7 version so the vulnerabilities affect both versions but like the architecture overview and the kernel version are for the sixth version interestingly you can buy virtual appliances from palo alto so appliances to run in the cloud or a new VMware environment and of course they aren't running on myth 64 instead they are like normal internal x64 architectures so this whole pan where software stack kind of has support for multiple architectures so there's definitely possibility that if you buy like a different kind of box maybe you get a def different processor architecture the network processing features so all the standard like networking stack is built on the top of the standard Linux networking capabilities this is a good thing because there's nothing more like battle-hardened than the Linux networking stack so it's much more or it's the best better idea to just implement or we use standard Linux utilities then writing your own TCP stack or your own IP tables firewall or whatever of course there are some many advanced features that can't simply be implemented using these mechanisms and these are implemented on top as a proprietary Linux teams so this is a really high-level overview it does clewd a lot of stuff but that gives you a bit of an impression what's running on the system so as I said before you have Linux kernel as as the foundation of the system and then you have some kind of normal gnu/linux stack so you have this normal user space utilities you can work one you have chels and you have an open SSH so that kind of looks like a normal Linux system but then you have these demons running or colored in blue and these are like the core core parts of the panelized architecture so every one of them is like a core piece of this just this whole software stack for example like the crypto deep is responsible for decryption and encryption of all kind of input it also supports for example hardware security module so if you use a harder security module the crypto demon will communicate with this we have the master d which basically is a watchdog that restarts and kills processes that will that misbehave you have to sis D which is the central demon for the inter process communication so all these different demons make heavily use of EPC and they are all going through this is D demon and you have the authentication daemon which is deeply integrated in this whole Linux Pam stack so this is the one handling all the authentications using SSH or the web interface or even your VPN authentication the IP C protocol at speaking that spoken guys mostly examine L based and it's used for a wide Verity of use cases on top of these four core demons then you have like the specialized demons that are like doing a single task or responsible for a single feature for example you have the user ID daemon on the left top corner which as a name suggest just is used for implementing user ID and one thing that's really interesting is a heavy reliance on a kind of software stack called embed this app web sweep this is an open-source HTTP server optimized for embedded devices and is used to implement all web interfaces you can find on these devices and they don't simply use this web server they use this web server PHP support and implement most of the functionality if not all of the functionality of these web interfaces as native PHP extensions that are then interned called by PHP scripts so you have very small PHP scripts like five lines long that just call in to a native PHP function which is implemented a native code and compiled as a PHP extension now you might see web interfaces aren't that interesting or why are they weapon to faces on this box interestingly we have three different weapon two faces running on this box for one the management interface I already mentioned then you have to hold close protect an SSL VPN stick is implemented and on top of this web server stack and you have a captive portal which is a feature of user ID I will talk about later so when looking at this architecture and looking at a text surface then we can quickly see we have of course we have the management interfaces there are always kind of a popular texture face and if you see a lot of research on these kind of devices you always see vulnerabilities on the management interfaces they're kind of an easy target because most of the time they're pretty insecure but of course they should be on an isolated interface so the practical relevance of these vulnerabilities isn't too high if you have a hardened environment of course some of you work in big corporations and they probably know this this isolation on these interfaces doesn't happen that often so they're still kind of interesting now even more interesting are these dis user ID and app ID features because by design they operate on kind of untrusted Network segments for example on guest Wi-Fi or network ports that can be reached easily by an attacker so they are something that's more interesting for us as an attacker and then finally we have these parts of the functionality that by design are reachable by an completely external attacker so of course if you haven't deep and it's probably exposed to the internet somewhere otherwise it wouldn't work so this is like the really critical stuff where if you find vulnerabilities and this stuff it's starting to get really interesting but we work from the top to the bottom say we start with the management web interface I mentioned that before but we have a web UI that's used for menu management and the REST API for this automated access so you can like script your own management clients or use a software photo all of this is implemented on top of apps we end as a PHP environment and like if you pass this log in screen then you have like a lot of features available you can configure the complete device so of course this is like a gigantic attack surface but luckily most of this requires authentication so without authentication you don't really have that much to interact with the REST API on the other hand can be reached if you post a request to the slash API ul and the first thing that will happen if you call this slash API ul is that this we quest will pass to a native function which is called API W get filter so the web gets utility from the name function and this happens before any kind of authentication occurs so this is functionality native PHP extension functionality that we can reach community unauthenticated and then they do some kind of sir I honestly I don't understand the mechanism completely because it's kind of strange but if you request you're sent to this ul connect contains to get parameter client equals W get then they use curl internally associative the Palo Alto device called the curl comment on its local system and checks against an internal service to like perform the actual authentication check now this car comment uses or includes user input and in this case it's the key weakest parameter ha HTTP authentication had us if you sent them and to remote IP so the IP you as an user they can use the tcp/ip so like the IP that originates from the network stack but if you said to X will IP header the HTTP header they use this one instead that's of course not idea because this HTTP header can be easily faked by an attacker it's just part of the HTTP request so we can put an arbitrary value in there now they don't simply pass them they also escaped them luckily otherwise it would be too simple so they have like a single quote at the end and a single quote at the beginning and or single quotes in there are escaped so that kind of works okay but if you look at like how this function actually performs its work so this is not official source code of Palo Alto it's just soy code web presentation in Python style code that does more or less the same thing the Oh genetic code would do and we can see we check if we have this key parameter if we have it and it's escaped but this escape shell argument function returns something a negative number so it indicates an error then we abort the connection we do the same for the basic out header but the interesting thing is that this does not happen in the same way for the HTTP ex real IP header so they still escape it but the return value of this function is never checked so how can we make this function fail if you look at the second argument it's thousand 24 bytes and it turns out this is the length of the output buffer so this is the length of the buffer where the escaped value is written to now if you send a really long HTTP header will IP header in there then the escaping function will fail because the buffer won't be long enough and if it fails and behaves in the way that the single quote at the beginning of the value is in the buffer but it will never write the single quote at the end of the buffer so we have like an off by one in the single quoting and this is open standard like simple command injection because the key value should normally be escaped with a single quote but there is a single quote missing so instead the single quote that's implemented or and better before the the key parameter closes like the first quotation and now we have a direct command injection that we can use for example in this case to create arbitrary files this is pre authentication and it's a completely remote command and execution against the management interface now there's a reason why I have to speak box standing down there so I can do life demos and it's kind of really not that simple set up so some of them might fail but I'm hoping it's working for now so we just open up a shell on our local system and we connect Tudor and so this is the internal IP so if you see a IP with one point one so that once are like the internal IP later on we will go into it external IP which will be included by the two so this is one that we can just reach if we are actually in the management a network segment and if we start to exploit we directly see we get a reversed connection and we have a shell running on the system thank you and so it's it's running with nobody right so they make this that's that's a good hardening measure they like the web service running is nobody we have a local privilege escalation you exploit at the end so don't worry about that for now but it's it's good defensive depth so that's really positive and you can see like Linux currently running on our test device and finally the actual request this kind of simple you basically just send something like this so we send an x:real IP and i with a lot of ace it has to be a post request but the post content is like irrelevant and then we just so the key this is like a well encoded but this includes directly the command injection I just showed on the on the last slide so that's the first without it makes you kind of hopeful you find more in this box but and it's like it's unauthenticated 100% stable so that's always a good good thing but in a hard environment it shouldn't really work so hopefully you wouldn't be able to like exploit us the other attack surface that we have is seems to be much more interesting so let's look at user ID and user ID is quite interesting because it's one of the main selling point of the palo alto devices and it's actually a really cool feature so it's really useful for a lot of administrators the idea is you can implement your firewall policies not based on like IP addresses or network segments instead you simply arrive your routes something like this so you can say if to use a bob at corporations so Bob's your main administrator he should be able to connect to my domain controller on the RDP port and that should work so that's the idea of user ID you regardless of the IP address or path or which device he uses or if he's coming over VPN or sitting somewhere in the office building and of course I think everyone who has ever managed like networks should agree that that is a kind of a cool feature so you you want to have that in your environment so the next question of course house is implemented how are they guaranteed to do this who support it and the core idea of user ID is that you always need to have an active mapping between the IP addresses and to active user account so you always need to keep this mapping somehow alive and their five main waste is a supported and we just go through them one by one so first of all we have server monitoring ancient list and this is quite simple it's also kind of not too terrible from security perspective so all the examples are like based on an Active Directory infrastructure they also support just basic LDAP and stuff like that but for simplification we we talk about Active Directory and you just create dedicated user that can log into the main controller and read its event logs it shouldn't be on domain administrator but it has to have the server operation operator permissions which are kind of it's an interesting permission set and can be used to connect you to domain controller and read the event logs you have to store the credentials on the firewall it says so on the Palo Alto appliance so appliance can connect in regular intervals which event logs and then like create this mapping between IP address and active user account you can use the domain controller for this you can also work with the exchange server so like the mail server or something where a lot of people regularly log on with the windows credentials that's kind of a simple mechanism the problem is of course and you now have like two main credentials thought on the Palo Alto devices that might not be adhere if you have different back to like pop device or the appliance and then you can use this for for further attacks and of course it doesn't really scale if you have a really large amount of these different devices or just different appliances and every one of them needs to connect to the domain controller then it's probably kind of a lot of processing going on so the next step you can do is you do server monitoring but you include an user ID agent so this is simply a Windows binary that's provided by Palo Alto and you can install it on in an arbitrary server on your like in your Windows environment and it opens the connection on TCP port 500 seven waits for incoming connections from the Palo Alto firewall and then goes to the domain controller and performs basically the same step the Palo Alto firewall did before so we are still in an ongoing disclosure process regarding this user ID agent so I won't provide any details but our recommendation is to to filter this agent so the only one that should be able to connect to the agent is the Palo Alto appliance so that's a good defense in that measure so you might not want to use the agent or you don't want to use server monitoring so you can also use the captive portal and the captive portal works by looking for connections to pod 80 or 443 if you also have like SSL interception enabled and then you basically something like this you see this user identification portal which just wants you to log in to the website again we are inner in the disclosure process we are in the captive portal and of course what I just want to say is again we have this app web Sui web server and we have PHP extensions which pose a significant attack surface yes so you should keep this in mind if you use the captive portal and of course one problem with this captive portal is that it might be just not feasible so if you have a device that that never uses HTTP or HTTPS then you will never use the captive portal and we totally relying on the event logs on the domain controllers also that kind best way because they might be stale they might be old it might need a lot of time until the user logins again stuff like that so they have a feature called client probing and as the name suggests it does exactly this so you try to connect to something through the power of ultra blind so you want to connect to some kind of filter port and the parallel to basically asks the window server agent or performs the operation itself but the idea is the client is asked hey client what's the user or what's your currently active user ID and some people might already think that doesn't sound like it's completely secure interestingly is enabled by default it's based on net buyers or vme and it just works like that so if you connect to a device that had user ID enabled and Clym probing you will you will see that you will see that the device is just connecting back to you logging with start credentials using that bios of EMI and asking for a currently active user so this just leads to a number of problems what I find really interesting and this is research done by web 7 + HD more in this project so no release they performed a large scan of like the whole internet and they noticed they get a lot of connection so they see connections going to the scanning boxes over net beers and VMI and they see these connection attempts include credentials and if you look at the user IDs and like the past so you can't password hashes out of that and if you look at that you see oh they all have something to do with Palo Alto and that's because some administrators enabled client probing on the external interfaces so they have an interface that goes out to the internet and then decide oh I see you connection attempt let's check if he's an user in our domain and go out to that domain of course this is not a classical security vulnerability in this device so in this future it's just a Mis configuration but still that can happen if you just click all the boxes now even if you configure it correctly and it only uses like you use it on internal interfaces that still I mean imagine you have a Linux server and or a Linux client and um this network and now somebody connects to you and asks you hey what's your youness domain and user account there might be possibility I just answer you something I'm just thinking of right now so I have demo for that and this would distant most kind of so the problem is you can't be really sure about the client probing decides to come so it might take a while it might not happen immediately but I'm hopeful so I can show you so what I'm looking at here is I'm under on the command line interface of the Palo Alto devices and to show this IP user mapping which is the mechanism used by my user ID and we can see for my IP address at the moment there is not any ill any recall so I'm not logged into any winners to me so what I'm now going to do so I start this magic - script I'm not going to tell you exactly what it does but it uses the impact library which might give you a hint and on the bottom I'm just going to trigger some connection to the device so this is like this will trigger or will hopefully trigger the client probing event so it does try to connect to pod 1 2 3 which will fail or time out because it's filtered and if I now wait a couple of minutes hopefully we will see that I get a user IP user mapping as I said before this might take a couple of minutes so I probably just continue with the slides and then we will see the like other this luckily and now you can see now we can see I'm the user Felix at the domain fish Pollard cop and of course so I'm not even restricted to using a user I can send like yeah all these users like hundreds of them and if you find a single user that has like the permission to connect to every device I mean all of you guys probably have in copper environment where you have like this one magic admin user that can connect everywhere and if you find that out by prude forcing or by luck or by whatever and then basically you can just send him that yeah and that please let me in so that's kind of a cool feature to have okay so now two demos worked I have last demos probably will fail terribly otherwise I'm too lucky so I mentioned before last feature that can be used for this user ID feature global protect now global protect is a VPN solution with support for mobile devices it includes support for SSL VPN and for IPSec and it works like you have the clients software available for all popular systems so you have four desktop clients you also have it for all the mobile platforms and and you can also setup it that you use global protect without EVP and functionality and just use like the clients to authenticate because if the client used like this globe will protect our education in the internal network then they will have a valid user ID mapping so you are not restricted to your only use global protect for VPN interestingly if you look at global protect you can see that everything that has to do with the SSL VPN and also all the configuration TI's or like so so basically for example the the mobile app will report if two devices jailbreak so it has like a jailbreak detection and if you look how this works it connects to the the ssl port used by the ssl VPN and clove will protect and cause a special special URL and send it report and all of this is again implemented with app map 3 and PHP and this if you use global protect and use global protect in a way that you can support VPN connectivity this stack will be exposed to the Internet so this is like the most interesting attack surface because it's basically just a VPN server and there's some functionality you can at least like so you can call all the US and all the API so of course most of them would simply fail because you are not authenticated correctly but you're kind of a code surface you can interact with and it turns out some of these code isn't exactly the most stable so quite early I discovered the simple denial of service will ability that is triggered by a lot of A's in the password so you just send the password consisting of something like 50 k-8 sandbox just so the web server of the Box just crashed down and I was wondering why is this happening and the joke is that it uses the unescape stream for xml and the unescape string for xml function decides to allocate dynamically allocate memory not using like a Maalox so that's allocated on the heap but instead it uses to stack for this and on mice more mips64 device the stack size is heavily limited so if you start allocating like 50k of stack space you will access invalid memory and box just crash depending on what kind of architecture you have this is also might be exploitable but we continued looking for more interesting bugs that can also be exploited on this device now the next thing we noticed and this one is quite interesting so khlo will protect users cookies and these cookies are encrypted and if you look how to our encrypted it uses something called the device master key Safford version of the device master key but this shuffling is simply to reverse and by default is device master key is Palo Alto with a couple of numbers in between so not exactly random and so if you set up the system normally and you don't follow the hunting guide or you don't look at the Harlan guide this password won't be changed and from my understanding from the documentation it basically tells you yeah Jesus used to like encrypt configuration files lying on the system which don't sound like it's too interesting so if you don't change it you probably don't know that now all your clothes will protect cookies can be faked by an attacker and this has kind of opens up the possibility for very interesting attacks we couldn't like proof-of-concept the whole authentication bypass because then you need a more complex setup with multiple global protect gateways and stuff so I would have needed a couple of more of these devices which I didn't get getting money for so that failed but so this is something you might want to look into and so definitely change the device master key to be fair to Palo Alto this is also recommended if you actually read like the handling guide of these devices and this is also the reason why this is not really considered a security vulnerability so there isn't a patch you just have to harden your configuration so if you use global protect please change your device master key otherwise interesting things might happen to your cookies okay but we still have like one open question left we want to have remote unattended compromised off the device over global protect and the unauthenticated attack surface that you have is quite limited mostly this goes directly into this login functions so even the stack based buffer overflow order the stack a locker overflow I just showed you was in the login functionality it was the password so what's the second parameter we can influence a new login functionality it's the username so wait for it we have to escape string folks ml function and that escapes to username you Center it before then sending it as an XML encoded IPC message to the authentication daemon I mentioned at the beginning now the function itself does not perform any length checks and the destination sizes stack is thousand 24 bytes long but the user sslvpn field filter check function that checks the length of the username before so this is some dead check David it looks like a valid username let's put it this way so you can't simply send like a lot of ace that won't work you need much more advanced to take I'll show you next so how does this dysfunction work to split it is this field filter check user function it basically looks at a username and splits it into a user part and two into a domain part so if you have something like user adds whatever then you have a user and the main part for each of these two parts it performs the function call to is valid utf-8 which only returns true if it's consisting completely of utf-8 characters without any s key characters so you're not allowed to put ASCII characters in there otherwise the function will fail then you have a length check and after that you have a reg X check that checks that the user name only contains alphanumeric values interestingly if you send a username that only consists of UTF utf-8 characters that are not asking characters then complete check user functions simply returns true and if you listen carefully you might have noticed that the length check is skipped so what might happen if we send a lot of a's like the air they are a with the dots at the top so the German listeners notice letter this is also detect it's much easier to execute for German users because we already have two keys on our keyboard so just send a lot of these special German letters and the box will crash again because then of course we bypass the length check your overwatch stack buffer and it's game over and so it puts us in your padding lists a lot of 8th is important now the question of course for this mug is remote code execution possible and as it turns out that's actually not quite as trivial as I expected in the beginning so oftentimes when I fight this kind of box I'm like going back to my chair for to to to my boss and I know and I'm like yeah I have this really cool bag it should be exploitable so we just reported and then go on and then like I'm two weeks before my talk and I still need to do this demo and then it's starting to get exciting because you realize it's not that easy so way to code execution we have a destination buffer that's the fixed size stack buffer we don't have any stack calories so it looks kind of straightforward the executable itself isn't positioned independent so we always have to call it some kind of code at a static location and the libraries so all the libraries just use the standard our Solera you have one on a loop system now the problem with just positioning just just binary at a static location that it's really really small it's actually something like forty four kilobytes in size because it only contains like ten functions that directly call into this main library and the library is a randomized location so this will bite us later and make exploitation a bit more more difficult now it's running on mips64 and I think that's the most interesting aspect of the whole explored mips64 isn't that much documented in a way I found on the Internet it's configured as a big-endian system so the most significant bytes are the first ones and it's the first mips system I ever saw that has something like non-executable memory so by default mips doesn't support non-executable memory but they have so this car via mock T on processor has a feature called execute and inhibit which is basically DEP order and expect so they actually support non-executable memory and then the way they did they add support for 64-bit in like this architectures kind of strange because if we look at the address space all of it is 32-bit so you only have asserted two bit address space and also all like point so normal function pointers you see in the program and you see in the normal registers are all searched to be long but what happens is so their MIPS has a special register for a return to us and this one is 64-bit white this is of course kind of a problem because it will always have a lot of zeros in the upper half of the register which makes it quite hard to overwrite in the stack overflow interestingly even the GNU debugger I use to do right to exploit doesn't realize that this register is 64 bit long and kind of just strips the upper half away which took me try the time to realize and that my debugger is lying to me and this register is actually larger than I expected so the first problem we have is the username cannot contain any Eska characters this makes exploitation kind of hard because you can only use like this movie by dou t f8 values so that definitely doesn't work so what we can do is we use this user at domain split use user which is this utf-8 string of arbitrary length to fill up like till buffer and then just the end is this alphanumeric s key string so we still have to jump to an alphanumeric address but we at least we can use ASCII so we can use like normal byte values it has to be shorter than 250 bytes as well now as I mentioned before the 64 bit architecture and the return address is a 64-bit value and it's big-endian so you start at the beginning of the address and the beginning of the address is completely zero so we have four zero bytes at the beginning of the address a zero byte is of course not alphanumeric ASCII so you can't simply overwrite a return address or that won't work out and so luckily if you look at these functions where this this whole login functionality is called you have a PHP context start of the stack so we are inside the PHP runtime environment and the PHP runtime has like one central context object that is used is reduced for every college PHP functions and before this function with the buffer overflow returns you will see you have this call to PHP board which is a PHP function and which uses this context the context has a pointer to a pointer to a function pointer so it's kind of a lot of in directions and the new value we have to put instead of the original context object is has to be nice phenomenal pointer so the only way we can do this is by performing a heap spray because basically normally you won't have anything interesting that supports like double references of pointers at an address in memory debtors alphanumeric so we looked at how can you like spray the app that Sri heap and fortunately this map server is kind of easy to spray because so you just open the socket and send like one megabyte of arbitrary binary flop over the socket and as long as it doesn't contain like this two new lines then you just the webserver won't close good connection and you are fine and just remember we will stay allocated in the heap and the idea we are using is that you just open a lot of connections in parallel so like 200 400 connections sent us one megabyte plop to the server and then keep the connection alive by just sending like single bytes and keeping the socket alive and this gives us around like 50 percent reliability to allocate our payload so the stuff we want to allocate at this address in memory which turns out so if you decode the hex into ASCII it's an alphanumeric string so we can overwrite the context at the PHP context object pointer with this value and it will point intro or payload now this this p so we have noticed this over Whitten context object and we have this PHP body write function and you can see so this is output of the lip PHP library that's compiled for lips and what's happening is so a pointer is wet out of the a to register which points to a heap spray it's written and s we register and then we start with the s we register we to value again in the 4-1 register with from 4-1 we won and start in t9 so finally in t9 there's a function pointer and if we do it like this so like basically our our hip spread just points back to the hips we're at a different offset again we can store the address of an arbitrary gets it into t9 register which gives us the possibility to execute like our own code or the drop gadget because our own code so normally on a normal MIPS device so all these Reuters are stuff you would find like in your kitchen this would be came over already because then we just said we put the address of our heaps pair in this registers jump to it and execute our own shellcode but this is not possible because the KVM actor and processor as mentioned before is the only one that actually supports non-executable memory or the only one I ever played with so we can't perform a simple heaps pair of that so what we need is Rob so we need to perform return oriented programming to execute our own shellcode so the problem with MIPS Rob so if you ever did you journal and read programming on like the intel architecture you can jump off the middle into the middle of instructions of multipied instructions and generate like new accidential codes you can execute so you can even if you have only a small binary you will find a lot of interesting code functionality you can reuse for MIPS this is not possible because all instructions are for byte aligned and if you jump into an offset so if you jump into the middle of an instruction to processor will crash so you can't like find gadgets or you can only use code it's actually in the binary now the only object at the kerbs and address is this whole app web 3 binary which as I mentioned before is just 44k in size it contains only 10 functions and all these functions don't do anything interesting because they just call into this randomized shared libraries so finding like a suitable option that gives you our baterry execution of MIPS check is really hard so what I did instead I discovered two gadgets that allow me to creation of arbitrary files basically we have this gadget and when we jump into this gadget we control both the s-1 register as well as the s4 register and this allows me to so by controlling the s-1 register which points to our hips spray again we can put an arbitrary value again in t9 and by controlling the s4 register we can send an asset an arbitrary value into the a1 register and a1 register is the second argument that's passed to the next function and what we are now doing is we jump to the M our start logging function which is a function that's used by this app web server and and it's basically normally it initializes like all this logging procedure but a side effect of this function is that it just creates the file at a pass dot in the second argument so now this whole buffer overflow heaps pairing return-oriented programming just gives us the possibility to create an arbitrary named file somewhere on the file system so as it turns out luckily this gives you the route shell because we can combine this with another local park it's I can't describe him too much detail because it's not patched yet but in the end it will pass this file and if you include like special characters in this file name you can do a command injection with that and because the tool doing the passing runs as the root user you get like this automatic local privilege escalation to route included in this and by combining this so it's kind of interesting because if you would just like if you would stop here and find a rope chain then it will come out with a nobody shell because again the VPN you VPN service is running as nobody but parent starts triggering in Nava backtest only which should be locally normally we can get a remote root shell and I also have a demo for that so this one as I said before the hip spray is kind of reliable so it sometimes works on the first choice sometimes I need to try a second time so hopefully you don't have to wait you know so again I have a new reverse show and I start the day as well VPN exploit so again we are coming from the internet I'm not Santa cated and attack this device so it's like the perfect bug to exploit this and you can see the pews or the single connection attempts so we are doing the heap spraying and after the heap spraying waits we have to wait until so possibly it's like a minute we have to wait because of like a cron job that's triggering the loader privilege escalation attack so it might take a minute after the server crashed before we see like the reverse connection coming up on the right hand side and then we should have a root shell so this should happen we are after we created with the file we just let the web server die a horrible death because we don't repaired so it just crashed but the file is created and now if I'm lucky we get a connection if I'm not lucky we have to do it again and again and again so that you might miss your lunch break but that's ok I hope it will it takes until a minute so I'm kind of hoping it works yeah I should have opened my sleeper something like that yeah that would be good right I should have just slipped and then countdown but I can do it like my hand it's like 10 9 hopefully yeah and now we can see we're actually root so this is like complete Remo donors completely unauthenticated over unpaid device and I like so I mean it's it's a cool Parker sink okay so all the demos worked so now I'm like kind of excited and I just have to do like the final recommendations and the summary so step one isolated management interface there we're future which and they're hard to secure completely step two if you use user ID for security critical filtering as opposed to like business internal filter in between different business divisions or something you might want to do something with strong authentication or something that supports it and we don't recommend it to isolate management interfaces because then we have like if you have a back-end user ID you you bypass the isolation you exploit the management interface in the book this game over so this is kind of think about that but you are already good to go or it's improves the situation a lot if you just add the client probing so you should never use client probing in the security sense of an environment if you used to use the ID agent and use a host based filtering mechanism to only allow the firewall to connect to this user ID agent change the master password so you are protected against this Clos will protect cookie attack and just keep your system updated because Palo Alto was really professional and responsive to our security contacts so we are really happy to a palo alto handle this so it was a really professional response and patches are released for like the most critical of these vulnerabilities and of course a choice that if you have a firewall that is not just simply a stupid like packet filter if you have more features then you have a bigger attack surface and this of course leads to more vulnerabilities while these vulnerabilities are not really great I mean you saw em it's not exactly the most great thing to have on your device we are kind of positive about the response from the vendor and the chose to have like the right mindset and we are really positive about the future progress so we hope that this was kind of a wake-up call and in the future you won't find such vulnerabilities anymore on these devices so thanks for your attention I think we have some short question answers yeah so feel free to ask any questions yeah so wait thanks for this one question here from the device that you see that you saw are things like certificates or SSH keys generated upon installation or is this also a default value like a house of keys problem so like the authentication you have to submit your own passport also and you didn't see any signs of this typical vector support passwords or something so we didn't see any of that the device will pop up like an an SSL certificate but this is configured like on installation so it is unique for device for each device screen seems to be kind of fine things yeah appear the you said that they have a feature that aligns the user with an IP address so can't you just spoof an IP of the admin if you kind of just brute or brute force the IP address or that's like of course if you are like in the same network segment as the admin and you have DHCP server and you like / on the laptop of the administrator and the DHCP server gives you type uterus you might have a time range where you can use like the permissions or the policies that I had sat for the admin users there's no way around that and the what you said with the utf-8 was this kind of a back that they didn't apply the length check there or did this have any intention I'm not sure I think it's a simple part but of course it's kind of hard to like so they didn't want to do like t-rex because you can't use like the alpha numerics check against utf-8 characters that wouldn't work so they're neither to skip the red X and then I skip probably skip the length check by accident at least I think so okay so feeling one yeah all right yeah wait wait wait wicked know what understands how's Mike do you see a normal Linux distribution on the base operating system or do they are using their own stuff no it's kind of a stripped-down Linux system so I'm not exactly sure what distribution it is but it's it looks kind of standard it's probably something sent to airspace torso okay thank you okay so was last question thank you very much Felix and I think it's time for lunch so see you after lunch Blake

Info

Channel: TROOPERScon

Views: 10,181

Rating: undefined out of 5

Keywords: TR16, TROOPERS16, ERNW, Conference, Talks, Heidelberg, Print Media Academy

Id: ZoCf9yWC32g

Channel Id: undefined

Length: 56min 35sec (3395 seconds)

Published: Fri Apr 01 2016