Title: Device Drivers: Don't build a house on a shaky foundation
Device Drivers: Don't build a house on a shaky foundation
- Johnny Cache, researcher
- David Maynor, SecureWorks
Overview
- Problems
- Nifty Fingerprinting Stuff
- Finding and Exploiting Vulns
- Shellcode Design
- DEMOS!!!!!!
Problems?
- Speed to market is so important.
- Some things don't get tested properly.
- New hardware and committee-designed protocols are especially susceptible.
Problems (cont.)
- Although what follows is mostly focused on 802.11a/b/g, the lessons learned can be applied to lots of things:
  - Bluetooth
  - New 802.11 specs
  - Wireless data (EDGE, EV-DO, HSDPA)
Have device drivers been a problem in the past?
- http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx - TCP/IP
- http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx - SRV.sys
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:05.80211.asc - FreeBSD Wi-Fi integer overflow
Recent Developments
802.11
- Why is it so complicated?
- Does it have to be?
- Can we fix it?
- Consequences of complexity
- Fingerprinting 802.11 implementations
- Exploiting device drivers
Why so complicated?
- "Fear leads to anger. Anger leads to hate. Hate leads to protocols designed by committee."
  --warlord (?)
Why so complicated?
- Partly too ambitious, partly attempting to deal with legitimate problems:
  - hidden nodes
  - unreliable links
  - other networks on the same channel
Can we fix it?
- Yes, all it costs is standards compliance.
- Ignore management frames
- Ignore (some?) control frames
- Remove extras (more on these later)
Why is this interesting?
- Complexity is a hacker's best friend.
- If it's not complex there's no room for bugs. No bugs means no fun.
- 802.11 is not lacking in complexity.
Ethernet
802.11
- Version
- Type
- Subtype
- 8 flags
- 1, 2, 3 or 4 addresses, variable positions
- Fragment number
- Sequence number
Not done yet...
- Positive acknowledgement
- 11 management frames
- 6 control frames
- ...lots of subtypes for each
- ...various encryption fields (IV, MIC/ICV, etc.)
More features!
- Ad-Hoc
- Power saving
- 2 types of MAC (PCF vs DCF)
- .11e QoS
- Geo-locating proposed? WTH does media access control have to do with geo-locating?
What do you get when you remove the extras?
- Nintendo DS
- No Wi-Fi certification
- Nowhere near 802.11 compliant
- Ignores de-auth/disassociates
- Possibly ignores control packets
- Works great! (probably doesn't roam very well)
Fingerprinting 802.11
- Why bother?
  - Target exploits
  - WIDS can monitor users' chipset and driver
  - Possibly refine OS fingerprints
Fingerprinting 802.11
- Why is this cool?
  - No other link layer protocol fingerprints that I know of
- Why is this possible?
  - Complexity of the protocol
How far down can you go?
- Chipset families
- Distinct drivers for chipsets
- Different versions of the same driver
- Firmware (?)
Specific fingerprints
- RTS/CTS window honouring
- Association redirection
- Duration analysis
- Very possible to remotely version the chipset
- Can't really distinguish different drivers
- Active technique, requires you to transmit packets
Duration analysis
- Totally passive
- Very accurate
- Easy to automate
- Only basic statistical techniques used.
What is a duration?
What influences duration values?
- Rate (.11b, .11g)
- Short slot time (g only)
- Short preamble
Example Atheros fingerprint
Well behaved Atheros card
Total packet types: 5
Unique (packet_type, duration) tuples: 7
------------------------------------------------
Packet-Type        (duration value  prob)
------------------------------------------------
Assoc Request      (314 100)
probe request      (0 97) (314 3)
Authentication     (314 100)
Data               (162 60) (0 40)
Null Function      (162 100)
------------------------------------------------
probs with get_count: (0 19) (162 80) (314 1)
Example Prism fingerprint
Poorly behaved Prism card
Total packet types: 5
Unique (packet_type, duration) tuples: 7
------------------------------------------------
Packet-Type        (duration value  prob)
------------------------------------------------
Assoc Request      (258 100)
probe request      (0 100)
Authentication     (53389 100)
Data               (213 94) (0 4) (223 2)
Null Function      (37554 100)
------------------------------------------------
probs with get_count: (0 7) (213 87) (223 1) (258 2) (314 0) (37554 1) (53389 1)
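As an added example (not code from the talk or its tools), the C below pulls the header fields listed on the 802.11 slides out of a raw frame and tallies (packet_type, duration) tuples the way the two fingerprint tables above present them. It runs on a handful of constructed headers rather than a capture: the placeholder MAC address and the sample durations are made up, except that the 53389 value deliberately reproduces the Prism print's out-of-range authentication duration. That value illustrates the caveat the Prism table hints at: a Duration/ID field with bit 15 set (anything above 32767) is not a time in microseconds at all under the standard, which is exactly the kind of implementation quirk a passive fingerprint feeds on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 MAC header fields from the "802.11" / "Not done yet" slides.
 * Constructed example parser for this page, not code from the talk. */
struct dot11_hdr {
    unsigned version, type, subtype, flags, duration, frag, seq;
    int duration_is_time; /* 0 when bit 15 is set: CFP marker or PS-Poll AID, not microseconds */
    int naddrs;           /* 1..4; count and position depend on type and To/From-DS */
    uint8_t addr[4][6];
};

/* Returns 0 on success, -1 if len is shorter than the header the frame
 * control byte implies. Never reads past f[len - 1]. */
int dot11_parse(const uint8_t *f, size_t len, struct dot11_hdr *h)
{
    if (len < 10) return -1;                  /* fc(2) + dur(2) + addr1(6) */
    memset(h, 0, sizeof *h);
    h->version = f[0] & 0x03;
    h->type    = (f[0] >> 2) & 0x03;
    h->subtype = (f[0] >> 4) & 0x0f;
    h->flags   = f[1];
    h->duration = f[2] | (unsigned)f[3] << 8; /* little-endian on the air */
    h->duration_is_time = !(h->duration & 0x8000);
    if (h->type == 1)                         /* control: CTS (0xc) and ACK (0xd) carry addr1 only */
        h->naddrs = (h->subtype == 0xc || h->subtype == 0xd) ? 1 : 2;
    else if (h->type == 2 && (h->flags & 0x03) == 0x03)
        h->naddrs = 4;                        /* To-DS + From-DS (WDS): addr4 follows seq ctrl */
    else
        h->naddrs = 3;                        /* management and ordinary data */
    size_t need = 4 + 6 * (h->naddrs < 3 ? (size_t)h->naddrs : 3);
    if (h->type != 1) need += 2;              /* sequence control, absent on control frames */
    if (h->naddrs == 4) need += 6;
    if (len < need) return -1;
    for (int i = 0; i < h->naddrs && i < 3; i++) memcpy(h->addr[i], f + 4 + 6 * i, 6);
    if (h->type != 1) {
        unsigned sc = f[22] | (unsigned)f[23] << 8;
        h->frag = sc & 0x0f;
        h->seq  = sc >> 4;
    }
    if (h->naddrs == 4) memcpy(h->addr[3], f + 24, 6);
    return 0;
}

/* Packet-type names as used in the fingerprint tables. */
const char *dot11_ptype(const struct dot11_hdr *h)
{
    if (h->type == 0) switch (h->subtype) {
        case 0x0: return "Assoc Request";
        case 0x4: return "probe request";
        case 0xb: return "Authentication";
        default:  return "other mgmt";
    }
    if (h->type == 2) return h->subtype == 0x4 ? "Null Function" : "Data";
    return "control";
}

#define MAXT 32
struct tuple { const char *ptype; unsigned duration, count; };
struct print { struct tuple t[MAXT]; unsigned n, total, non_time; };

/* Tally one header as a (packet_type, duration) tuple. */
void print_add(struct print *p, const struct dot11_hdr *h)
{
    const char *pt = dot11_ptype(h);
    p->total++;
    if (!h->duration_is_time) p->non_time++;
    for (unsigned i = 0; i < p->n; i++)
        if (p->t[i].duration == h->duration && !strcmp(p->t[i].ptype, pt)) { p->t[i].count++; return; }
    if (p->n < MAXT) p->t[p->n++] = (struct tuple){ pt, h->duration, 1 };
}

/* Percentage of ptype frames carrying duration dur: the "prob" column of the slide output. */
unsigned print_prob(const struct print *p, const char *ptype, unsigned dur)
{
    unsigned hit = 0, all = 0;
    for (unsigned i = 0; i < p->n; i++)
        if (!strcmp(p->t[i].ptype, ptype)) {
            all += p->t[i].count;
            if (p->t[i].duration == dur) hit += p->t[i].count;
        }
    return all ? hit * 100 / all : 0;
}

/* 24-byte management/data header with a placeholder (constructed) address. */
size_t build_hdr(uint8_t *out, uint8_t fc0, uint8_t fc1, unsigned dur)
{
    static const uint8_t mac[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
    memset(out, 0, 24);
    out[0] = fc0; out[1] = fc1; out[2] = dur & 0xff; out[3] = (dur >> 8) & 0xff;
    memcpy(out + 4, mac, 6); memcpy(out + 10, mac, 6); memcpy(out + 16, mac, 6);
    return 24;
}

/* Constructed sample headers, not a real capture: fc byte 0, fc byte 1, duration. */
static const struct { uint8_t fc0, fc1; unsigned dur; } sample[] = {
    { 0x40, 0x00, 0 }, { 0x40, 0x00, 0 },                        /* probe requests */
    { 0xb0, 0x00, 314 }, { 0x00, 0x00, 314 },                    /* authentication, assoc request */
    { 0x08, 0x01, 162 }, { 0x08, 0x01, 162 }, { 0x08, 0x01, 0 }, /* data, To-DS */
    { 0x48, 0x01, 162 },                                         /* null function */
    { 0xb0, 0x00, 53389 },                                       /* 0xd08d: bit 15 set, as in the Prism print */
};

/* Parse every sample into the print; returns the number of frames tallied. */
unsigned build_print(struct print *p)
{
    uint8_t f[24];
    struct dot11_hdr h;
    memset(p, 0, sizeof *p);
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        size_t n = build_hdr(f, sample[i].fc0, sample[i].fc1, sample[i].dur);
        if (dot11_parse(f, n, &h) == 0) print_add(p, &h);
    }
    return p->total;
}

int main(void)
{
    struct print p;
    build_print(&p);
    printf("frames %u, unique (packet_type, duration) tuples %u, non-time durations %u\n", p.total, p.n, p.non_time);
    for (unsigned i = 0; i < p.n; i++)
        printf("%-15s (%5u %3u)\n", p.t[i].ptype, p.t[i].duration, print_prob(&p, p.t[i].ptype, p.t[i].duration));
    return 0;
}
```

The length check before any memcpy matters in its own right: a driver that sizes its copy from the frame control byte without checking the frame is actually that long is the "shaky foundation" of the title. The parser also refuses a WDS data frame that is 24 bytes long, since the fourth address would lie past the end of the buffer.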
Simple example
- Duration match: 2 prints here
Realistic example (airport)
./duration-print-matcher -a 000A95F32FAB -p ./print-db/lexie/pcaps/5-1-lexie.pcap -P ./print-db/lexie/
Performance testing
./duration-print-grader -P ./print-db/lexie
--Zeroized score (total number of mis-orderings): 9
average (random) score: 6133 234 234/9
30.33 times better than random.
So how's it work?
- 5 algorithms:
  - SimpleCompare
  - MediumCompare
  - ComplexCompare
  - BayesCompare
  - 1/2BayesCompare
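The deck names five comparison algorithms without spelling them out. As an added example that is not the talk's implementation of any of them, the C below is a naive-Bayes-style matcher over the two prints printed above: each print's percentage column is read as P(duration | packet_type), and a set of observed tuples is scored against every print in the database. The smoothing floors (0.5% for a duration the print never recorded for a known type, neutral for a type the print has no rows for) and the three observation sets are assumptions constructed for illustration; the ratio to the runner-up is reported so that a capture which barely discriminates (probe requests only, say) is visibly ambiguous rather than silently "matched".

```c
#include <stdio.h>
#include <string.h>

/* A fingerprint is a list of (packet_type, duration, probability in percent)
 * rows, exactly as in the two slide tables. Constructed example for this page;
 * the talk's own SimpleCompare..BayesCompare code is not reproduced. */
struct entry { const char *ptype; unsigned duration, pct; };
struct print { const char *name; const struct entry *e; unsigned n; };

static const struct entry atheros_e[] = {
    { "Assoc Request", 314, 100 }, { "probe request", 0, 97 }, { "probe request", 314, 3 },
    { "Authentication", 314, 100 }, { "Data", 162, 60 }, { "Data", 0, 40 }, { "Null Function", 162, 100 },
};
static const struct entry prism_e[] = {
    { "Assoc Request", 258, 100 }, { "probe request", 0, 100 }, { "Authentication", 53389, 100 },
    { "Data", 213, 94 }, { "Data", 0, 4 }, { "Data", 223, 2 }, { "Null Function", 37554, 100 },
};
const struct print db[] = { { "atheros", atheros_e, 7 }, { "prism", prism_e, 7 } };
#define NDB (sizeof db / sizeof db[0])

/* Observed (packet_type, duration) tuple and how many times it was seen. */
struct obs { const char *ptype; unsigned duration, count; };

/* P(duration | ptype, print). Assumed smoothing: a duration the print never
 * recorded for a known type gets a 0.5% floor, so one stray frame cannot zero
 * a candidate; a type the print has no rows for is neutral (0.5). */
double tuple_prob(const struct print *p, const char *ptype, unsigned dur)
{
    int known = 0;
    for (unsigned i = 0; i < p->n; i++)
        if (!strcmp(p->e[i].ptype, ptype)) {
            known = 1;
            if (p->e[i].duration == dur) return p->e[i].pct >= 1 ? p->e[i].pct / 100.0 : 0.005;
        }
    return known ? 0.005 : 0.5;
}

/* Likelihood of the whole observation set under one print (product of
 * per-frame probabilities; a real tool would sum logs to avoid underflow). */
double print_score(const struct print *p, const struct obs *o, unsigned nobs)
{
    double l = 1.0;
    for (unsigned i = 0; i < nobs; i++) {
        double pr = tuple_prob(p, o[i].ptype, o[i].duration);
        for (unsigned c = 0; c < o[i].count; c++) l *= pr;
    }
    return l;
}

/* Index into db of the best-matching print. *ratio receives best/runner-up;
 * a value near 1 means the capture does not discriminate between prints. */
int best_print(const struct obs *o, unsigned nobs, double *ratio)
{
    double s[NDB];
    int best = 0;
    for (unsigned i = 0; i < NDB; i++) {
        s[i] = print_score(&db[i], o, nobs);
        if (s[i] > s[best]) best = (int)i;
    }
    double second = -1.0;
    for (unsigned i = 0; i < NDB; i++)
        if ((int)i != best && s[i] > second) second = s[i];
    if (ratio) *ratio = second > 0 ? s[best] / second : 1e300;
    return best;
}

/* Constructed observation sets (not real captures). */
const struct obs obs_prismlike[] = {
    { "probe request", 0, 5 }, { "Authentication", 53389, 1 }, { "Assoc Request", 258, 1 },
    { "Data", 213, 20 }, { "Data", 0, 1 },
};
const struct obs obs_atheroslike[] = {
    { "probe request", 0, 10 }, { "Authentication", 314, 1 }, { "Data", 162, 6 },
    { "Data", 0, 4 }, { "Null Function", 162, 2 },
};
const struct obs obs_probes_only[] = { { "probe request", 0, 3 } };

int main(void)
{
    const struct obs *sets[] = { obs_prismlike, obs_atheroslike, obs_probes_only };
    unsigned sizes[] = { 5, 5, 1 };
    for (int i = 0; i < 3; i++) {
        double r;
        int b = best_print(sets[i], sizes[i], &r);
        printf("set %d -> %s (ratio to runner-up %.2f)%s\n", i, db[b].name, r, r < 2.0 ? "  [ambiguous]" : "");
    }
    return 0;
}
```

The probes-only set is the instructive one: both prints emit probe requests with duration 0 almost always, so the "match" is decided by a 3% difference and the ratio stays near 1. A matcher that does not report its margin will happily name a chipset on evidence like that.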
SimpleCompare - duration
How well does this do?
SimpleCompare
How well does this do?
Combine them and get
How accurate is it?
Finding and exploiting vulns in drivers
Ways to find bugs?
- Static auditing
  - Binary analysis
  - Source code analysis
- Fuzzing
  - Built-in wireless cards
  - 3rd party cards
  - Embedded devices/access points
Things to think about
- Fuzzing can be frustrating
- A bug could be triggered by something 8 packet chains ago
- Hard to track down in ring0
fuzz-e
(johnycsh@diz fuzz-e) ./fuzz-e -R -A -P ath0 -n 500 -r rt2570 -i rausb0 -c 11 -D ./dest-addys.txt -w u20000 -s 00070EB974BB -b 00070EB974BB -E log.txt

- -R: random delays
- -A: autonomous mode (don't stop)
- -P ath0: passive interface to sniff on
- -n 500: send 500 packets per cycle
- -r rt2570: driver to inject with
- -i rausb0: inject on rausb0
- -c 11: set channel to 11
- -D dest-addys.txt: specify list of victims
- -w u20000: wait 20000 usecs (max)
- -s: source address of packets
- -b: BSSID of packets
- -E log.txt: log events to log.txt
Wi-fuzz
- A little different than fuzz-e
- Relies on long series of packet chains
- Newer code exercises decryption and decompression code
- Original packet input is defined by a pseudo rules file
- New packet types can be added quickly
- Can be extended to more than just the wifi link layer
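Added example, not fuzz-e or Wi-fuzz and not a bug in any named driver: a bounds-checked walker for the tagged parameters (information elements) of a beacon or probe response body, beside a small deterministic generator that produces the malformed inputs the fuzzers above aim at, i.e. elements whose length byte exceeds the 32-byte SSID limit or runs past the end of the frame. The IE layout and the SSID limit are standard 802.11; the element mix, buffer sizes, verdict codes and PRNG seed are constructed for illustration. The generator records the per-frame PRNG state for the reason the "Things to think about" slide gives: when the crash only shows up several frames after its cause, you need to be able to replay exactly what was sent.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Information elements of a beacon / probe response body. Constructed
 * example for this page: not fuzz-e or Wi-fuzz, not any real driver's code. */
#define IE_SSID   0
#define IE_RATES  1
#define IE_DS     3
#define SSID_MAX  32   /* 802.11 maximum; drivers commonly size a fixed buffer to it */
#define RATES_MAX 8

enum { IE_OK = 0, IE_TRUNCATED = -1, IE_SSID_TOO_LONG = -2, IE_RATES_TOO_LONG = -3 };

struct bss_info {
    uint8_t ssid[SSID_MAX], ssid_len;
    uint8_t rates[RATES_MAX], nrates;
    uint8_t channel;
};

/* Walk the IEs that follow the fixed fields. Each claimed length is checked
 * against the bytes left in the frame and against the destination buffer
 * before anything is copied; an unchecked memcpy of the SSID length byte
 * into a 32-byte field is the shape of bug the fuzzers above hunt for. */
int parse_ies_checked(const uint8_t *b, size_t len, struct bss_info *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < 2) return IE_TRUNCATED;          /* no room for id + length */
        uint8_t id = b[off], ielen = b[off + 1];
        const uint8_t *val = b + off + 2;
        if (ielen > len - off - 2) return IE_TRUNCATED;  /* claimed length runs past the frame */
        switch (id) {
        case IE_SSID:
            if (ielen > SSID_MAX) return IE_SSID_TOO_LONG;
            memcpy(out->ssid, val, ielen); out->ssid_len = ielen;
            break;
        case IE_RATES:
            if (ielen > RATES_MAX) return IE_RATES_TOO_LONG;
            memcpy(out->rates, val, ielen); out->nrates = ielen;
            break;
        case IE_DS:
            if (ielen == 1) out->channel = val[0];       /* wrong size: ignore rather than trust */
            break;
        default:
            break;                                       /* unknown IEs are skipped */
        }
        off += 2 + ielen;
    }
    return IE_OK;
}

/* xorshift32: deterministic, so any frame can be replayed from its seed. */
static uint32_t rng_state = 1;
static uint32_t rnd(void)
{
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 17; rng_state ^= rng_state << 5;
    return rng_state;
}

/* Emit one IE whose length byte may lie: the claim is random, but the bytes
 * actually written never exceed cap, so the element can end up truncated. */
static size_t fuzz_ie(uint8_t *out, size_t cap, uint8_t id)
{
    if (cap < 2) return 0;
    uint8_t claimed = (rnd() & 1) ? rnd() % 40 : rnd() % 256;  /* mostly plausible, sometimes wild */
    size_t actual = claimed < cap - 2 ? claimed : cap - 2;
    out[0] = id; out[1] = claimed;
    for (size_t i = 0; i < actual; i++) out[2 + i] = rnd() & 0xff;
    return 2 + actual;
}

/* One fuzzed body: SSID, rates and DS IEs in the usual order. */
size_t fuzz_body(uint8_t *out, size_t cap)
{
    size_t off = 0;
    off += fuzz_ie(out + off, cap - off, IE_SSID);
    off += fuzz_ie(out + off, cap - off, IE_RATES);
    off += fuzz_ie(out + off, cap - off, IE_DS);
    return off;
}

struct fuzz_stats { unsigned ok, truncated, ssid_long, rates_long; uint32_t last_seed; };

/* Run iters fuzzed bodies through the checked parser and tally the verdicts.
 * last_seed is the PRNG state before the most recent frame: the value a real
 * harness would log per frame (fuzz-e's -E log is the same idea) so that a
 * crash surfacing N frames later can still be reproduced. */
void fuzz_run(unsigned iters, uint32_t seed, struct fuzz_stats *s)
{
    uint8_t body[128];
    struct bss_info bi;
    memset(s, 0, sizeof *s);
    rng_state = seed ? seed : 1;
    for (unsigned i = 0; i < iters; i++) {
        s->last_seed = rng_state;
        size_t n = fuzz_body(body, sizeof body);
        switch (parse_ies_checked(body, n, &bi)) {
        case IE_OK:             s->ok++; break;
        case IE_TRUNCATED:      s->truncated++; break;
        case IE_SSID_TOO_LONG:  s->ssid_long++; break;
        case IE_RATES_TOO_LONG: s->rates_long++; break;
        }
    }
}

int main(void)
{
    struct fuzz_stats s;
    fuzz_run(2000, 0x9e3779b9u, &s);
    printf("ok %u  truncated %u  ssid>32 %u  rates>8 %u\n", s.ok, s.truncated, s.ssid_long, s.rates_long);
    return 0;
}
```

Two checks are doing the work here, and a driver needs both: the claimed length against the bytes actually present (or the parser reads off the end of the receive buffer), and the claimed length against the destination field (or the memcpy writes past it). Either one alone leaves a ring0 bug for the generator to find.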
Shellcode
- Most often a direct return shell is not possible.
- Shellcode executes at kernel level; most generic overflow protection tools cannot stop it.
  - No matter what sales reps say
- Bots or other malicious shellcode have to be designed.