DefCon 2012 - Finding Firmware Vulnerabilities

Page 1: Title

RED BALLOON Security

FRAK: Firmware Reverse Analysis Konsole

Ang Cui [email protected]

7.27.2012   Defcon 20

Pages 2-5: Who am I / What do I do

(Built up over four slides; the complete content is reproduced once here.)

5th Year Ph.D. Candidate, Intrusion Detection Systems Lab, Columbia University

Co-Founder and CEO, Red Balloon Security Inc. www.redballoonsecurity.com

Past publications:

•  Pervasive Insecurity of Embedded Network Devices. [RAID10]
•  A Quantitative Analysis of the Insecurity of Embedded Network Devices. [ACSAC10]
•  Killing the Myth of Cisco IOS Diversity: Towards Reliable Large-Scale Exploitation of Cisco IOS. [USENIX WOOT 11]
•  Defending Legacy Embedded Systems with Software Symbiotes. [RAID11]
•  From Prey to Hunter: Transforming Legacy Embedded Devices Into Exploitation Sensor Grids. [ACSAC11]

Past Embedded Tinkerings:

•  Interrupt-Hijack Cisco IOS Rootkit
•  HP LaserJet Printer Rootkit

Page 6: Interrupt-Hijack Shellcode [blackhat USA 2011]

Page 7: HP-RFU Vulnerability, HP LaserJet 2550 Rootkit [28c3]

(Diagram: Firewall, Network Printer, Attacker, Server.)

1. Reverse Proxy: Printer -> Attacker
2. Reverse Proxy: Printer -> Victim
3. Attacker -> Server via Reverse Proxy
4. Win: Reverse Shell: Server -> Kitteh

Pages 8-16: WORKFLOW [XYZ Embedded {Offense|Defense}]

(Diagram built up over nine slides; the final state is reproduced once here. The vertical labels on the original are "Binary Firmware Image" at the input and output and "Firmware Analysis and Manipulation" between the two processes.)

Binary Firmware Image
  |
  v
Unpacking Process:
  1. Parse Package Manifest
  2. For each "Record" in Firmware:
       Record Encrypted? Record Compressed? Record Checksummed? Record Digitally Signed?
       Known Algorithm or Proprietary Algorithm?
       -> De{crypt,compress}
  3. For each "unpacked Record" in Firmware:
       Known Format or Proprietary Format?
       -> FileSystem Extraction
  |
  v
Firmware Analysis and Manipulation
  |
  v
Re-Packing Process:
  1. For each "unpacked Record" in Firmware:
       Known Format or Proprietary Format?
       -> Re-Pack Modified File System
  2. For each "Record":
       Record Encrypted? Record Compressed? Record Checksummed? Record Digitally Signed?
       Known Algorithm or Proprietary Algorithm?
       -> Re-{crypt,compress}, Recalculate Checksum, etc.
  3. Repack All Binary "records"
  4. Re-generate Package Manifest
  |
  v
Binary Firmware Image
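The workflow above, as an added runnable walk-through; this is not code from the deck or from FRAK. It defines a toy container format ("TOYF", constructed here: the magic, flag bits, header layout and every function name are assumptions) and carries one image through every box on the diagram: parse the manifest, verify and decompress each record, extract the tar filesystem inside the record the format check recognises, change one file, and re-pack with recomputed checksums and a regenerated manifest. The deliberately simple format stands in for the "known or proprietary" decisions, which in practice are the hard part.

```python
"""Round trip of the slide-deck workflow over a toy container format.
"TOYF" is constructed for this example and is not any vendor's format:
    header   : magic b"TOYF", u16 record count
    manifest : per record, u8 flags, u32 stored length, u32 CRC32 of stored bytes
    payloads : the stored bytes of every record, concatenated in manifest order
"""
import io
import struct
import tarfile
import zlib

MAGIC = b"TOYF"
FLAG_COMPRESSED = 0x01   # stored bytes are zlib-compressed
FLAG_CHECKSUMMED = 0x02  # manifest CRC32 covers the stored bytes
HDR = struct.Struct("<4sH")  # magic, record count
REC = struct.Struct("<BII")  # flags, stored length, crc32

def parse_manifest(image):
    """Unpacking step 1: manifest -> [(flags, payload offset, stored len, crc32)]."""
    magic, count = HDR.unpack_from(image, 0)
    if magic != MAGIC:
        raise ValueError("not a TOYF image")
    entries, pos = [], HDR.size
    data_off = HDR.size + count * REC.size  # payloads follow the manifest
    for _ in range(count):
        flags, length, crc = REC.unpack_from(image, pos)
        entries.append((flags, data_off, length, crc))
        pos += REC.size
        data_off += length
    return entries

def unpack_record(image, entry):
    """Unpacking step 2: verify the CRC if present, then decompress if flagged."""
    flags, off, length, crc = entry
    stored = image[off:off + length]
    if len(stored) != length:
        raise ValueError("record runs past end of image")
    if flags & FLAG_CHECKSUMMED and zlib.crc32(stored) != crc:
        raise ValueError("record checksum mismatch")  # corruption or tampering
    return zlib.decompress(stored) if flags & FLAG_COMPRESSED else stored

def extract_filesystem(raw):
    """Unpacking step 3: extract a tar-format record to {path: bytes}."""
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tf:
        return {m.name: tf.extractfile(m).read() for m in tf if m.isfile()}

def pack_filesystem(files):
    """Re-packing step 1: rebuild the (modified) filesystem as a tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def repack_image(records):
    """Re-packing steps 2-4: re-compress, recalculate CRCs, concatenate all
    binary records and regenerate the manifest.  records = [(flags, raw)]."""
    manifest, blobs = [HDR.pack(MAGIC, len(records))], []
    for flags, raw in records:
        stored = zlib.compress(raw) if flags & FLAG_COMPRESSED else raw
        crc = zlib.crc32(stored) if flags & FLAG_CHECKSUMMED else 0
        manifest.append(REC.pack(flags, len(stored), crc))
        blobs.append(stored)
    return b"".join(manifest + blobs)

def verify_image(image):
    """Integrity check: every record must parse, checksum and decompress cleanly."""
    try:
        for entry in parse_manifest(image):
            unpack_record(image, entry)
        return True
    except (ValueError, zlib.error, struct.error):
        return False

def unpack_modify_repack(image, path, new_data):
    """Full workflow: unpack every record, patch one file inside the filesystem
    record (the 'Firmware Analysis and Manipulation' box on the slide), then
    re-pack with fresh checksums and a regenerated manifest."""
    records = []
    for entry in parse_manifest(image):
        raw = unpack_record(image, entry)
        # "Known format?" decision: ustar magic at offset 257 marks a tar filesystem
        if raw[257:262] == b"ustar":
            files = extract_filesystem(raw)
            files[path] = new_data
            raw = pack_filesystem(files)
        records.append((entry[0], raw))
    return repack_image(records)

def build_sample_image():
    """Constructed sample: a compressed+checksummed rootfs record, then a raw
    checksummed config record."""
    rootfs = pack_filesystem({"etc/banner": b"hello", "bin/httpd": b"\x7fELF..."})
    return repack_image([(FLAG_COMPRESSED | FLAG_CHECKSUMMED, rootfs),
                         (FLAG_CHECKSUMMED, b"cfg=1\n")])
```

Note what happens at re-packing step 2: the CRC is simply recalculated, so a checksum protects an image against corruption, not against modification. Of the four per-record questions on the slide, only "Digitally Signed?" survives this round trip, because the repacker cannot regenerate a signature without the vendor's key; a device that verifies only checksums cannot tell a modified image from an original, which is why on-device signature verification is the control that matters.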

Pages 17-21: Reasons why Ang stays home on Friday night

(Diagram built up over five slides: the payload lifecycle, with the part FRAK targets marked.)

Payload Design -> Payload Development -> Payload Testing

Between every step: STARE @ BINARY BLOB

THIS PART (the annotation points at the "STARE @ BINARY BLOB" step)

Pages 22-27: FRAK: Firmware Reverse Analysis Konsole [Better Living Through Software Engineering]

(Architecture diagram built up over six slides; the final state is reproduced once here.)

Core engines:

•  Firmware Unpacking Engine
•  Firmware Modification Engine
•  Firmware Analysis Engine
•  Firmware Repacking Engine
•  Programmatic API Access
•  Interactive Console Access

Format modules:

•  HP-RFU Module
•  Cisco IOS Module
•  Cisco-CNU Module
•  XYZ-Format Module

Data flow:

Arbitrary Firmware Image of Unknown Format -> (format module) -> Unpacked Firmware Binary -> Software Symbiotes / XYZ Dynamic Instrumentation & Rootkit

Page 28: FRAK: Unpack, Analyze, Modify, Repack: Cisco IOS

Page 29: Reasons why Ang stays home on Friday night (revisited)

Payload Design -> Payload Development -> Payload Testing

STARE @ BINARY BLOB? Thanks FRAK!

Page 30: Demos

•  Packer/Repacker for Cisco IOS, HP-RFU
•  Automagic Binary Analysis
•  IDA-Pro Integration
•  Entropy-related Analysis
•  Automated IOS/RFU Rootkit Injection
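The "Entropy-related Analysis" demo item, and the "Record Encrypted? Record Compressed?" triage question from the workflow diagram, as an added example that is not FRAK's code: a window-by-window Shannon entropy scan that merges windows into labelled regions. The window size, the thresholds, the labels, the function names and the sample blob are all assumptions constructed for this example; the sample uses SHA-256 output as a deterministic stand-in for encrypted or compressed data.

```python
"""Entropy-related analysis: score a firmware blob window by window and merge
windows into regions labelled padding, code/text, or compressed/encrypted.
The sample blob is constructed; the thresholds are heuristics, not a proof of
encryption."""
import hashlib
import math

WINDOW = 1024  # bytes per scoring window (assumption)

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(entropy):
    """Heuristic labels.  Compressed and encrypted data both sit near 8 bits/byte,
    so high entropy alone says 'not plaintext', never which of the two it is."""
    if entropy < 1.0:
        return "padding"
    if entropy < 6.0:
        return "code/text"
    return "compressed/encrypted"

def entropy_map(blob, window=WINDOW):
    """[(offset, entropy, label)] for each fixed-size window of the blob."""
    out = []
    for off in range(0, len(blob), window):
        e = shannon_entropy(blob[off:off + window])
        out.append((off, e, classify(e)))
    return out

def find_regions(blob, window=WINDOW):
    """Merge adjacent windows with the same label into (start, end, label)."""
    regions = []
    for off, _, label in entropy_map(blob, window):
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], off + window, label)
        else:
            regions.append((off, off + window, label))
    if regions:  # clip the last region to the real end of the blob
        start, _, label = regions[-1]
        regions[-1] = (start, len(blob), label)
    return regions

def build_sample_blob():
    """Constructed blob: 4 KiB of ASCII text, 4 KiB of SHA-256 output standing in
    for encrypted/compressed data, then 4 KiB of 0xFF erased-flash padding."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
    random_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    padding = b"\xff" * 4096
    return text + random_like + padding
```

Run over a real image, the region list is the first answer to the per-record questions on the workflow slide: a low-entropy region is worth disassembling or string-searching as-is, a high-entropy region needs the decompression or decryption step first, and a region of constant bytes is padding that can be skipped. The split between "compressed" and "encrypted" has to come from elsewhere, such as a recognisable compression header at the start of the region.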

Page 31: FRAK Konsole

Page 32: FRAK is still WIP. For Early Access contact [email protected]

Page 33: closing slide