Device Drivers: Don't build a house on a shaky foundation - PowerPoint PPT Presentation

Slides: 44
Provided by: 80211me

1
Device Drivers: Don't build a house on a shaky foundation
  • johnny cache, researcher
  • david maynor, SecureWorks

2
Overview
  • Problems
  • Nifty Fingerprinting Stuff
  • Finding and Exploiting Vulns
  • Shellcode Design
  • DEMOS!!!!!!

3
Problems?
  • Speed to market is so important.
  • Some things don't get tested properly.
  • New hardware and committee designed protocols are
    especially susceptible.

4
Problems (cont)
  • Although what follows is mostly focused on
    802.11a/b/g the lessons learned can be applied to
    lots of things
  • Bluetooth
  • New 802.11 specs
  • Wireless data (EDGE, EV-DO, HSDPA)

5
Have Device Drivers been a problem in the past?
  • http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx
  • TCP/IP
  • http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx
  • SRV.sys
  • ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:05.80211.asc
  • FreeBSD Wi-Fi integer overflow

6
Recent Developments
7
802.11
  • Why is it so complicated
  • Does it have to be
  • Can we fix it?
  • Consequences of complexity
  • Fingerprinting 802.11 implementations
  • Exploiting device drivers

8
Why so complicated?
  • "Fear leads to anger. Anger leads to hate. Hate leads to protocols
    designed by committee." --warlord (?)

9
Why so complicated
  • Partly too ambitious, partly attempting to deal with legitimate
    problems:
    - hidden nodes
    - unreliable links
    - other networks on the same channel

10
Can we fix it?
  • Yes, all it costs is standards compliance.
  • Ignore management frames
  • Ignore (some?) control frames
  • Remove extras (more on these later).

11
Why is this interesting?
  • Complexity is a hacker's best friend.
  • If it's not complex there's no room for bugs. No bugs means no fun.
  • 802.11 is not lacking in complexity.

12
Ethernet
  • 3 fields src, dst, type.

13
802.11
  • Version
  • Type
  • Subtype
  • 8 flags.
  • 1,2,3 or 4 addresses, variable positions
  • Frag num
  • Sequence num

14
Not done yet...
  • Positive acknowledgement
  • 11 management frames
  • 6 control frames
  • ...lots of subtypes for each.
  • ...various encryption fields (IV, MIC/ICV, etc.)
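The header comparison on slides 12 to 14 is easier to see in code. What follows is an added example written for this transcript, not code from the talk or its authors: a 14-byte Ethernet header parser next to an 802.11 MAC header parser that decodes version, type, subtype, the eight flags, the duration field, the one to four addresses whose role and position depend on frame type and on the ToDS/FromDS flags, and the fragment and sequence numbers. Every length is checked before a field is read, so a truncated frame is rejected with ValueError instead of being read past its end. The sample frames and the locally administered MAC addresses are constructed; subtype names cover the common values only.

```python
import struct

# Bit positions of the eight flags in the high byte of the frame control field.
FLAG_NAMES = ["to_ds", "from_ds", "more_frag", "retry", "pwr_mgmt",
              "more_data", "protected", "order"]
MGMT_SUBTYPES = {0: "Assoc Request", 1: "Assoc Response", 4: "Probe Request",
                 5: "Probe Response", 8: "Beacon", 10: "Disassociation",
                 11: "Authentication", 12: "Deauthentication"}
CTRL_SUBTYPES = {10: "PS-Poll", 11: "RTS", 12: "CTS", 13: "ACK", 14: "CF-End"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet_header(frame):
    """Ethernet: the three fields from the slide (dst, src, type) at fixed offsets."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    return {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype}


def parse_80211_header(frame):
    """802.11: version/type/subtype/flags, duration, 1-4 addresses whose meaning
    and position depend on the type and the ToDS/FromDS flags, then seq/frag.
    Every length is checked before use; malformed input raises ValueError."""
    if len(frame) < 4:
        raise ValueError("shorter than frame control + duration")
    fc, duration = struct.unpack_from("<HH", frame, 0)  # 802.11 fields are little-endian
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF
    flags = {n: bool(fc & (1 << (8 + i))) for i, n in enumerate(FLAG_NAMES)}
    if version != 0:
        raise ValueError(f"unsupported protocol version {version}")
    if ftype == 1:                      # control: CTS/ACK carry one address, the rest two
        roles = ["ra"] if subtype in (12, 13) else ["ra", "ta"]
        name = CTRL_SUBTYPES.get(subtype, f"control subtype {subtype}")
    elif ftype == 2:                    # data: address roles rotate with ToDS/FromDS
        roles = {(False, False): ["da", "sa", "bssid"],
                 (False, True): ["da", "bssid", "sa"],
                 (True, False): ["bssid", "sa", "da"],
                 (True, True): ["ra", "ta", "da", "sa"]}[(flags["to_ds"], flags["from_ds"])]
        name = "Null Function" if subtype & 0x4 else "Data"  # subtype bit 2 = no payload
    elif ftype == 0:                    # management: always DA, SA, BSSID
        roles = ["da", "sa", "bssid"]
        name = MGMT_SUBTYPES.get(subtype, f"management subtype {subtype}")
    else:
        raise ValueError("reserved frame type 3")
    has_seq = ftype != 1                # control frames carry no sequence control
    need = 4 + 6 * min(len(roles), 3) + (2 if has_seq else 0) + (6 if len(roles) == 4 else 0)
    if len(frame) < need:
        raise ValueError(f"truncated header: need {need} bytes, have {len(frame)}")
    addrs = {}
    for i, role in enumerate(roles):
        off = 24 if i == 3 else 4 + 6 * i   # addr4 sits after the sequence control field
        addrs[role] = mac_str(frame[off:off + 6])
    seq = frag = None
    if has_seq:
        seq_ctl, = struct.unpack_from("<H", frame, 22)
        frag, seq = seq_ctl & 0xF, seq_ctl >> 4
    return {"version": version, "type": ftype, "subtype": subtype, "name": name,
            "flags": flags, "duration": duration, "addresses": addrs,
            "seq": seq, "frag": frag, "header_len": need}


# Constructed sample frames (locally administered MACs, not captures).
A1, A2, A3, A4 = (bytes.fromhex(h) for h in
                  ("020000000001", "020000000002", "020000000003", "020000000004"))
SAMPLE_ETH = A1 + A2 + b"\x08\x00"                                       # dst, src, IPv4
SAMPLE_AUTH = b"\xb0\x00" + b"\x3a\x01" + A1 + A2 + A3 + b"\x10\x00"     # auth, duration 314, seq 1
SAMPLE_WDS = b"\x08\x03" + b"\xa2\x00" + A1 + A2 + A3 + b"\x20\x00" + A4  # data, ToDS+FromDS, 4 addrs
SAMPLE_CTS = b"\xc4\x00" + b"\x00\x00" + A1                               # CTS: one address, no seq

if __name__ == "__main__":
    print(parse_ethernet_header(SAMPLE_ETH))
    for f in (SAMPLE_AUTH, SAMPLE_WDS, SAMPLE_CTS):
        print(parse_80211_header(f))
```

The `need` computation is the point of the example: a driver that indexes addr4 or the sequence control field before confirming the frame is long enough is exactly the kind of code the later slides go looking for with a fuzzer.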

15
More features!
  • Ad-Hoc
  • Power savings
  • 2 types of MAC (PCF vs DCF)
  • .11e QoS
  • Geo-locating proposed? WTH does media access control have to do with
    geo-locating?

16
What do you get when you remove the extras?
  • Nintendo DS
  • No Wi-Fi certification
  • Nowhere near 802.11 compliant
  • Ignores de-auth/disassociates
  • Possibly ignores control packets
  • Works great!
  • (probably doesn't roam very well)
17
Fingerprinting 802.11
  • Why bother?
  • Target exploits
  • WIDS can monitor a user's chipset and driver.
  • Possibly refine OS fingerprints

18
Fingerprinting 802.11
  • Why is this cool?
  • No other link layer protocol fingerprints that I
    know of
  • Why is this possible?
  • Complexity of the protocol

19
How far down can you go?
  • Chipset families
  • Distinct drivers for chipsets
  • Different versions of the same driver
  • Firmware (?)

20
Specific fingerprints
  • RTS/CTS window honouring
  • Association Redirection
  • Duration analysis
  • Very possible to remotely version the chipset
  • Can't really distinguish different drivers
  • - active technique, requires you to transmit packets.

21
Duration analysis
  • Totally passive
  • Very accurate
  • Easy to automate
  • Only basic statistical techniques used.

22
What is a duration?
23
What influences duration values?
  • Rate (.11b, .11g)
  • Short slot time (g only)
  • Short preamble

24
Example atheros fingerprint
Well behaved atheros card
Total packet types: 5    Unique (packet_type, duration) tuples: 7
  Packet-Type       (duration value, prob)
  Assoc Request     (314, 100)
  Probe Request     (0, 97) (314, 3)
  Authentication    (314, 100)
  Data              (162, 60) (0, 40)
  Null Function     (162, 100)
  probs with get_count: (0, 19) (162, 80) (314, 1)
25
Example prism fingerprint
Poorly behaved prism card
Total packet types: 5    Unique (packet_type, duration) tuples: 7
  Packet-Type       (duration value, prob)
  Assoc Request     (258, 100)
  Probe Request     (0, 100)
  Authentication    (53389, 100)
  Data              (213, 94) (0, 4) (223, 2)
  Null Function     (37554, 100)
  probs with get_count: (0, 7) (213, 87) (223, 1) (258, 2) (314, 0) (37554, 1) (53389, 1)
26
Simple example
  • Duration match 2 prints here

27
Realistic example (airport).
./duration-print-matcher -a 000A95F32FAB -p ./print-db/lexie/pcaps/5-1-lexie.pcap -P ./print-db/lexie/
28
performance testing
./duration-print-grader -P ./print-db/lexie
--Zeroized score (total number of mis-orderings)
9 average (random) score 6133 234 234/9
30.33 times better than random.
29
So how's it work?
  • 5 algorithms
  • SimpleCompare
  • MediumCompare
  • ComplexCompare
  • BayesCompare
  • 1/2BayesCompare
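Slides 21 to 29 describe duration analysis (passive, statistical, automatable) and list five comparison algorithms without showing them. The block below is an added example for this transcript, not the talk's tools: it builds a print of the slide's shape, packet type to {duration: percent}, from observed (packet_type, duration) pairs, and ranks it against a print database with a SimpleCompare-style score. The two database entries are copied from the Atheros and Prism slides above; the metric (per packet type seen in both prints, the sum of absolute percentage differences over the union of durations, averaged over the types compared) is my assumption about what a simple comparison looks like, not the talk's SimpleCompare. The observations are constructed.

```python
from collections import Counter, defaultdict

# Fingerprints copied from the two slide examples (packet type -> {duration: percent}).
PRINT_DB = {
    "atheros (well behaved)": {
        "Assoc Request": {314: 100}, "Probe Request": {0: 97, 314: 3},
        "Authentication": {314: 100}, "Data": {162: 60, 0: 40},
        "Null Function": {162: 100}},
    "prism (poorly behaved)": {
        "Assoc Request": {258: 100}, "Probe Request": {0: 100},
        "Authentication": {53389: 100}, "Data": {213: 94, 0: 4, 223: 2},
        "Null Function": {37554: 100}},
}


def build_print(observations):
    """observations: iterable of (packet_type, duration) from frames sent by one station.
    Returns {packet_type: {duration: percent}}, the same shape as the slide's prints."""
    counts = defaultdict(Counter)
    for ptype, duration in observations:
        counts[ptype][duration] += 1
    return {ptype: {d: 100 * n / sum(c.values()) for d, n in c.items()}
            for ptype, c in counts.items()}


def simple_compare(observed, reference):
    """Assumed SimpleCompare-style score: for each packet type present in both prints,
    sum |observed% - reference%| over the union of durations, then average over the
    types compared. 0 means identical; inf when nothing can be compared."""
    common = [t for t in observed if t in reference]
    if not common:
        return float("inf")
    total = 0.0
    for t in common:
        durations = set(observed[t]) | set(reference[t])
        total += sum(abs(observed[t].get(d, 0) - reference[t].get(d, 0)) for d in durations)
    return total / len(common)


def rank_prints(observed, db=PRINT_DB):
    """Best match first: list of (name, score)."""
    return sorted(((name, simple_compare(observed, ref)) for name, ref in db.items()),
                  key=lambda item: item[1])


# Constructed capture of one station; durations consistent with the Atheros print.
SAMPLE_OBSERVATIONS = ([("Authentication", 314)] * 10 + [("Data", 162)] * 6
                       + [("Data", 0)] * 4 + [("Probe Request", 0)] * 20)

if __name__ == "__main__":
    for name, score in rank_prints(build_print(SAMPLE_OBSERVATIONS)):
        print(f"{score:8.2f}  {name}")
```

A WIDS would feed `build_print` per source address from a monitor-mode capture, which is the passive, no-transmit property the slide claims for duration analysis; the quality of the answer depends entirely on how many prints the database holds and how many packet types the station has been seen sending.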

30
SimpleCompare -duration
31
How well does this do?
32
SimpleCompare
33
How well does this do?
34
Combine them and get
35
how accurate is it?
36
  • Finding and exploiting vulns in drivers.

37
Ways to find bugs?
  • Static auditing
  • Binary analysis
  • Source code analysis
  • Fuzzing
  • Built-in wireless cards
  • 3rd party cards
  • Embedded devices/access points

38
Things to think about
  • Fuzzing can be frustrating
  • A bug could be triggered by something 8 packet
    chains ago
  • Hard to track down in ring0

39
fuzz-e
40
fuzz-e
(johnycsh@diz fuzz-e) ./fuzz-e -R -A -P ath0 -n 500 -r rt2570 -i rausb0 -c 11 -D ./dest-addys.txt -w u20000 -s 00070EB974BB -b 00070EB974BB -E log.txt
  • -R random delays
  • -A autonomous mode (don't stop)
  • -P passive interface to sniff on
  • -n 500 send 500 packets per cycle
  • -r rt2570 driver to inject with
  • -i rausb0 inject on rausb0
  • -c 11 set channel to 11
  • -D dest-addys specify list of victims
  • -w u20000 wait 200000 usecs (max)
  • -s source address of packets
  • -b bssid of packets
  • -E log events to log.txt
41
Wi-fuzz
  • A little different than fuzz-e
  • Relies on long series of packet chains
  • Newer code exercises decryption and decompression
    code
  • Original packet input is defined by a pseudo rules file
  • New packet types can be added quickly
  • Can be extended to more than just wifi link layer
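Slides 37 to 41 cover finding driver bugs by fuzzing and the pain of tracking them down in ring0. The block below is an added example for this transcript, not fuzz-e or Wi-fuzz: it fuzzes a management-frame information-element walker in-process, where a "crash" is a Python exception rather than a kernel panic and the failing input is kept for reproduction. Two walkers are shown: a naive one that trusts the on-the-wire length byte (the shape of bug the FreeBSD 802.11 advisory on slide 5 belongs to) and a checked one that validates every length against the remaining buffer. The mutation generator is deterministic so results reproduce; the seed frame body (SSID, supported rates, DS parameter) is constructed.

```python
import random
from collections import Counter

# Constructed management-frame body: SSID "test", three supported rates, DS parameter (channel 11).
SEED_BODY = (bytes([0, 4]) + b"test"
             + bytes([1, 3, 0x82, 0x84, 0x8B])
             + bytes([3, 1, 11]))


def parse_ies_naive(body):
    """Trusts the on-the-wire length byte: the 'before' shape of many driver bugs."""
    ies, off = {}, 0
    while off < len(body):
        ie_id, length = body[off], body[off + 1]                     # header may be truncated
        value = bytes(body[off + 2 + i] for i in range(length))      # length may exceed buffer
        ies.setdefault(ie_id, []).append(value)
        off += 2 + length
    return ies


def parse_ies_checked(body):
    """Same walk with every length validated against the remaining buffer; bad input
    is rejected with ValueError instead of being read past the end."""
    ies, off = {}, 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError(f"truncated IE header at offset {off}")
        ie_id, length = body[off], body[off + 1]
        end = off + 2 + length
        if end > len(body):
            raise ValueError(f"IE {ie_id} length {length} runs past end of body")
        if ie_id == 0 and length > 32:
            raise ValueError("SSID longer than 32 bytes")
        ies.setdefault(ie_id, []).append(body[off + 2:end])
        off = end
    return ies


def mutations(seed, random_rounds=200, rng_seed=1):
    """Deterministic mutant generator: the seed itself, every length byte forced to
    0 / 255 / len+1, every truncation, then seeded random bit flips."""
    yield seed
    off = 0
    while off + 1 < len(seed):
        length = seed[off + 1]
        for new_len in (0, 0xFF, min(length + 1, 0xFF)):
            m = bytearray(seed)
            m[off + 1] = new_len
            yield bytes(m)
        off += 2 + length
    for cut in range(len(seed)):
        yield seed[:cut]
    rng = random.Random(rng_seed)
    for _ in range(random_rounds):
        m = bytearray(seed)
        for _ in range(rng.randint(1, 4)):
            m[rng.randrange(len(m))] ^= 1 << rng.randrange(8)
        yield bytes(m)


def fuzz(parser, seed=SEED_BODY):
    """Run every mutant through parser and classify it: accepted, rejected (a clean
    ValueError) or crash (anything else; in a driver this is the panic).
    Returns the counts and the first crashing input with its exception name."""
    outcome, first_crash = Counter(), None
    for case in mutations(seed):
        try:
            parser(case)
            outcome["accepted"] += 1
        except ValueError:
            outcome["rejected"] += 1
        except Exception as exc:
            outcome["crash"] += 1
            first_crash = first_crash or (case, type(exc).__name__)
    return outcome, first_crash


if __name__ == "__main__":
    for p in (parse_ies_naive, parse_ies_checked):
        counts, crash = fuzz(p)
        print(p.__name__, dict(counts), crash)
```

Keeping the first crashing input is the cheap answer to "hard to track down in ring0": the harness hands back a reproducer rather than a stack trace from a dead machine. The structured mutations (length bytes and truncations) find the bug on the first few cases; the random bit flips are there to catch whatever the structured set did not think of.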

42
Shellcode
  • Most often a direct return shell is not possible.
  • Shellcode executes at kernel level, most generic
    overflow protection tools cannot stop it.
  • No matter what sales reps say
  • Bots or other malicious shellcode have to be
    designed.

43
  • DEMOS
  • (Howdy!)