0% found this document useful (0 votes)

139 views159 pages

OffensiveCon2018 - The Return of Robin Hood Vs Cisco ASA

The document summarizes a talk given by Cedric Halbronn about finding and exploiting a pre-authentication remote code execution vulnerability in Cisco ASA firewalls. The vulnerability was in the Cisco ASA WebVPN component and could be triggered remotely. Halbronn worked with Cisco to disclose the issue responsibly and protections were added in software updates.

Uploaded by

Jesus Arturo Espinoza

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

139 views159 pages

OffensiveCon2018 - The Return of Robin Hood Vs Cisco ASA

Uploaded by

Jesus Arturo Espinoza

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 159

The Return of Robin Hood vs Cisco ASA

OffensiveCon – February 2018

Speaker
• Cedric Halbronn (@saidelike)
• Previously worked at Sogeti ESEC Lab
• Currently in Exploit Development Group (EDG) at NCC Group
• Vulnerability research
• Reverse engineering
• Exploit development
Agenda
• Find a pre-auth 0-day in Cisco ASA firewalls
• Prove Remote Code Execution
• How to protect against 0-day?

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
The bug is not in IKEv1

• We exploit a bug in WebVPN

• IKEv1 is a helper to achieve code execution
Context
Cisco ASA firewalls
• Entry point to most enterprises
• ASA != IOS
• ASA = Linux + a single “lina” binary / x86 or x86_64
• IOS = proprietary operating system / MIPS? PowerPC?
Disclosure timeline (1)
• 14 Oct 2017 – Vulnerability in WebVPN and POC reported to Cisco PSIRT
• 18 Oct 2017 – Cisco PSIRT replicates the issue
• 14 Dec 2017 – Cisco tells advisory released on 31/01/2018 (CVE-2018-0101)
• 03 Jan 2018 – NCC discovers patches already exist
Disclosure timeline (2)
• 17 Jan 2018 – NCC tests POC against all branches
• 29 Jan 2018 – Cisco PSIRT releases CVE-2018-0101 advisory
• 5 Feb 2018 – NCC releases Recon Brussels’ slides
• 5 Feb 2018 – Cisco PSIRT updates advisory with new attack vectors new

new
Disclosure timeline (3)
• XX
new

new

https://web.archive.org/web/20180202110047/https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

https://web.archive.org/web/20180206165532/https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
SSL VPN
• WebVPN: client-less (browser)
• AnyConnect: client on Windows, OS X, Linux,
Android, iPhone OS
SSL
SSL
IKE VPN
• A.k.a. IPSec
• Typically static point-to-point VPNs
IKEv1 or IKEv2

• Also supported by native Windows client or even AnyConnect client?

Source: https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119208-config-asa-00.html#anc17
Previous work
• 2014
• Various WebVPN ASA version leaks (Alec Stuart-Muirk)
• 2016
• CVE-2016-1287: heap overflow in IKE Cisco fragmentation (Exodus Intel)
• CVE-2016-6366: SNMP OID stack overflow (Shadow Brokers)
• 2017
• Cisco ASA series on NCC blog in 8-parts (so far )

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/cisco-asa-series-part-one-intro-to-the-cisco-asa/
asatools
• All tools in one repo [1]
• asafw: unpack/repack firmware
• asadbg: debug ASA (hardware + qemu)
• libdlmalloc/libptmalloc: heap allocators (version dependent [2])
• libmempool: Cisco ASA specific heap header
• ret-sync: synchronise IDA and gdb (thanks Alex Gazet )
• idahunt: automate IDA cmdline, hunting for symbols
• Tutorial: configure a Cisco ASA test environment from ground zero [3]

[1] https://github.com/nccgroup/asatools

[2] https://github.com/nccgroup/asafw/blob/master/README.md#mitigation-summary

[3] https://github.com/nccgroup/asatools/blob/master/tutorial.md
asadbg - demo
Cisco ASA releases
END OF LIFE STILL PATCHED RECOMMENDED
Only NX if >= 9.3.3.9 or >= 9.4.3
7.x < 1/2/2016 Only ASLR if >= 9.5.1
ASLR & NX
8.x 8.7.1.18 < 1/5/2016 ptmalloc if >= 9.3.2 if >= 9.5.3
9.0 9.0.4.38 9.0.4.40 < 1/2/2017

9.1 9.1.6.11 9.1.7.9 9.1.7.23 1/1/2016 - *

9.2 9.2.4.5 9.2.4.14 9.2.4.27 1/1/2016 - *

9.3 9.3.3.7 9.3.3.10 < 1/2/2017

9.4 9.4.2.4 9.4.3.8 9.4.4.16 1/1/2016 - *

9.5 9.5.2.2 9.5.3 < 11/4/2017

9.6 9.6.2 9.6.4.3 20/3/2016 - *

9.7 9.7.1.21 4/4/2017 - *

9.8 9.8.2.20 15/5/2017 - *

9.9 9.9.1.2 4/12/2017 - *

XML parser
IKE heap overflow patch SNMP stack overflow patch double-free patch Hypothetical 0-day
(CVE-2016-1287) (CVE-2016-6366) (CVE-2018-0101) vulnerability
10/2/2016 17/8/2016 31/1/2018

2016 2017 2018 2018

Today
Cisco ASA releases
END OF LIFE STILL PATCHED RECOMMENDED

7.x < 1/2/2016 dlmalloc/No ASLR/No NX

8.x < 1/5/2016

9.0 < 1/2/2017

9.1 9.1.7.23 1/1/2016 - *

9.2 9.2.4.27 1/1/2016 - *

9.3 < 1/2/2017

9.4 9.4.4.16 1/1/2016 - *

9.5 < 11/4/2017

9.6 9.6.4.3 20/3/2016 - *

9.7 9.7.1.21 4/4/2017 - *

9.8 9.8.2.20 15/5/2017 - *

9.9.1.2 4/12/2017 - *

XML parser
double-free patch Hypothetical 0-day
(CVE-2018-0101) vulnerability
31/1/2018

2016 2017 2018 2018

Today
The bug is not in IKEv1

IKEv1 for the feng shui

WebVPN/AnyConnect
SSL to trigger
the bug
The bigger the worse?
• What license to buy?
50 IKE sessions
250 IKE sessions

750 IKE sessions

5000 IKE sessions

• An IKE session limits the quantity of data sent as IKE fragments to 0x8000 bytes
• More sessions  more feng shui
• Exploit is more reliable against expensive Cisco hardware and license
• Possible to rob from the rich and give to the poor
• So I named my vulnerabilityexploit: Robin Hood
Source: https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-ike.html#ID-2441-00000058
Finding a bug
Sniffing SSL AnyConnect

Burp (or similar)

• First message sent by AnyConnect client

XML
Supported XML tags

Reverse engineering

• Initial sample contains

all supported tags
 Input mutation fuzzing
Fuzzing architecture
• Spray/pray/prey 
Mutated XML packet (radamsa)

Ping (still alive?)

NO  save packet

https://github.com/aoh/radamsa

• Speed: 1 test / few seconds… (no gdb attached)

• Want to start fuzzing before going on leave…
• ASA firewall keeps crashing
Understanding the bug
Triage
• asadbg-assisted
• https://github.com/nccgroup/asadbg

Connect GDB

Fire testcase

Save crash info

Replay with gdb script
# will be called next time it stops. Should be when it crashes
# so we log stuff
define hook-stop
set logging file %CRASH_LOG_FILE%
set logging on
set logging redirect on
set logging overwrite on
sync
bbt
i r
set logging off
set logging redirect off
end

continue

# below will be executed after it breaks because of a crash

# and this allows us to exit gdb
detach
quit
One crash to rule them all
• All the same crash
• Both ASAv 64-bit / ASA 32-bit
The smaller the better
Minimization
• Fits in a tweet

• Actually requires us sending the XML packet twice

AnyConnect Host Scan: https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_hostscan.html

Back to the trace
• What is it?
• Crash in free()
• Invalid heap metadata?
• Heap overflow?
• UAF?
• Double free?
• Other?

• Interesting functions
• *auth_process_client*
• *FreeParser*
2 days reversing later…
• aggregateAuthParseBuf
• Receive the XML / initialize the libexpat parser
• Cisco-specific callbacks registered
• aggregateAuthStartHandler: called when XML tag opened
• aggregateAuthDataHandler: called when XML data parsed
• aggregateAuthEndHandler: called when XML tag closed
Data handler
Data handler
XML 1
Data handler
XML 1

Allocated chunk
Data handler

XML tag data

copied in chunk

1
Data handler

Chunk is freed

1
Data handler

XML tag data dangling

pointer retained by Cisco
callback

1
Data handler

XML tag data dangling

pointer retained by Cisco
callback

1
Data handler
XML 2

XML tag data dangling

pointer retained by Cisco
callback

1
Data handler

XML tag data

appended in free chunk

1 2
Data handler

XML tag data

appended in free chunk

1 2
Data handler

Chunk is freed (double-free)

1 2
Data handler
• First packet with <host-scan-reply> tag
• Allocate heap buffer for data, copy data, free it (but dangling pointer)
• Second packet with <host-scan-reply> tag
• No reallocation, copy data, free it
• Tags’ data copied and appended in the same chunk
 double-free vulnerability on 0x2040-byte chunk
assert() due to invalid metadata
• Inline metadata/header for heap chunks
Hchunk H chunk H Free chunk Hchunk
prev_foot = 0x8180d4d0
head = 0x1d0 (CINUSE|PINUSE)
mh_magic = 0xa11c0123 Allocated
mh_len = 0x1a4 chunk header
mh_refcount = 0x0
mh_unused = 0x0
mh_fd_link = 0xacb85b30
mh_bk_link = 0xa8800604
allocator_pc = 0x86816b3
free_pc = 0x868161d
Same offset
prev_foot = 0x8180d4d0
head = 0x30 (PINUSE)
fd = 0xac825ab8
bk = 0xa880005c
mh_refcount = 0xf3ee0123 Free chunk
mh_unused = 0x0
mh_fd_link = 0x0 header
mh_bk_link = 0x0
allocator_pc = 0x0
free_pc = 0x0

• Hence why our fuzzer caught it!

Exploiting the bug like RobinHood
Objective: mirror write
• Allocated chunks hold pointers to doubly-linked list
prev_foot = 0x8180d4d0
head = 0x1d0 (CINUSE|PINUSE)
mh_magic = 0xa11c0123
mh_len = 0x1a4
mh_refcount = 0x0
mh_unused = 0x0
mh_fd_link = 0xacb85b30
mh_bk_link = 0xa8800604
allocator_pc = 0x86816b3
free_pc = 0x868161d

• Target Cisco mempool alloc lists to get a mirror write

• No safe unlinking on Cisco metadata for allocated chunks (all ASA versions)
• Even if dlmalloc or ptmalloc had safe unlinking for free chunks
• Mirror write: unlinking an element from a doubly-linked list will trigger
two write operations
• One operation is the useful one, the other is a side effect
• Constraint: both need to be writable addresses
• Was already abused in 2016 by Exodus Intel
Exploit strategy
• Hole creation primitive with IKEv1
• Allocate XML data in hole / freed at the end
• Allocate fragment in same hole
• Repeatable free primitive with XML
• Allocate fragment with larger size in same hole
• Trigger reassembly  corrupt linked list pointers
• Trigger mirror writes  corrupt a function pointer
• Send IKE init packet to trigger RCE
Leverage IKE reassembly

Seqno=1 Seqno=2 Seqno=3 Reassembled packet

LastFrag=1

• Leverage techniques learnt from CVE-2016-1287

• IKEv1 fragmentation is a reliable feng shui mechanism
• Reassembled packet length updated when queueing a fragment

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/november/cisco-asa-series-part-eight-exploiting-the-cve-2016-1287-heap-
overflow-over-ikev1/
Leverage IKE reassembly
Reassembled packet length: n

Seqno=1

• Leverage techniques learnt from CVE-2016-1287

• IKEv1 fragmentation is a reliable feng shui mechanism
• Reassembled packet length updated when queueing a fragment

Seqno=1 Seqno=2

• Leverage techniques learnt from CVE-2016-1287

• IKEv1 fragmentation is a reliable feng shui mechanism
• Reassembled packet length updated when queueing a fragment

Seqno=1 Seqno=2 Seqno=3

LastFrag=1

• Leverage techniques learnt from CVE-2016-1287

• IKEv1 fragmentation is a reliable feng shui mechanism
• Reassembled packet length updated when queueing a fragment

Seqno=1 Seqno=2 Seqno=3

LastFrag=1

• Leverage techniques learnt from CVE-2016-1287

• IKEv1 fragmentation is a reliable feng shui mechanism
• Reassembled packet length updated when queueing a fragment

Seqno=1 Seqno=2 Seqno=3 Reassembled packet

LastFrag=1

• Leverage techniques learnt from CVE-2016-1287

• IKEv1 fragmentation is a reliable feng shui mechanism
• Reassembled packet length updated when queueing a fragment

Seqno=1 Seqno=2 Seqno=3 Reassembled packet

LastFrag=1
1

• Leverage techniques learnt from CVE-2016-1287

• IKEv1 fragmentation is a reliable feng shui mechanism
• Reassembled packet length updated when queueing a fragment

Seqno=1 Seqno=2 Seqno=3 Reassembled packet

LastFrag=1
1 2

• Leverage techniques learnt from CVE-2016-1287

• IKEv1 fragmentation is a reliable feng shui mechanism
• Reassembled packet length updated when queueing a fragment

Seqno=1 Seqno=2 Seqno=3 Reassembled packet

LastFrag=1
1 2 3

• Leverage techniques learnt from CVE-2016-1287

• IKEv1 fragmentation is a reliable feng shui mechanism
• Reassembled packet length updated when queueing a fragment

Seqno=1 Seqno=2 Seqno=3 Reassembled packet

LastFrag=1
1 2 3

• Leverage techniques learnt from CVE-2016-1287

• IKEv1 fragmentation is a reliable feng shui mechanism
• Reassembled packet length updated when queueing a fragment
• Fragment length not re-checked during reassembly
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/november/cisco-asa-series-part-eight-exploiting-the-cve-2016-1287-heap-
overflow-over-ikev1/
Max data per IKE session
• XML buffer used by repeatable free primitive is a 0x2000 chunk
• For a given IKEv1 session, accumulated length needs < 0x8000

• With 0x2000-byte chunk granularity

• Can only have up to 4 frags per IKEv1 session (4*0x2000 = 0x8000)
• Also limits how many mirror writes we get…
Max number of mirror writes
• Overlapping chunk’s size dictates max number of mirror writes
• With 0x2040 chunks, it means maximum 2 mirror writes (see above)
0x2040 0x4080 0x2040 0x2040

feng overlapping target1 target2

0x6120

• Solution is to change the granularity and use 0x810 chunks

0x810 0x810 0x2850 0x810 0x810 0x810

overlapping
0x810 0x810 0x48f0 0x810 0x810
Primitive 1 - Hole creation with IKEv1
• Session 1 (feng): fill holes
• Session 2: only two fragments
• Frag 1: future hole
• Frag 2: trigger reassembly, hence creating hole
Primitive 1 - Hole creation with IKEv1
• Session 1 (feng): fill holes
• Session 2: only two fragments
• Frag 1: future hole
• Frag 2: trigger reassembly, hence creating hole

feng
Primitive 1 - Hole creation with IKEv1
• Session 1 (feng): fill holes
• Session 2: only two fragments
• Frag 1: future hole
• Frag 2: trigger reassembly, hence creating hole

feng feng
Primitive 1 - Hole creation with IKEv1
• Session 1 (feng): fill holes
• Session 2: only two fragments
• Frag 1: future hole
• Frag 2: trigger reassembly, hence creating hole

SeqNo=1

feng feng sess2

Primitive 1 - Hole creation with IKEv1
• Session 1 (feng): fill holes
• Session 2: only two fragments
• Frag 1: future hole
• Frag 2: trigger reassembly, hence creating hole

SeqNo=1

feng feng sess2 feng

Primitive 1 - Hole creation with IKEv1
• Session 1 (feng): fill holes
• Session 2: only two fragments
• Frag 1: future hole
• Frag 2: trigger reassembly, hence creating hole

SeqNo=1

feng feng sess2 feng feng

Primitive 1 - Hole creation with IKEv1
• Session 1 (feng): fill holes
• Session 2: only two fragments
• Frag 1: future hole
• Frag 2: trigger reassembly, hence creating hole

SeqNo=1
SeqNo=2

feng feng sess2 feng feng sess2

LastFrag=1
Primitive 1 - Hole creation with IKEv1
• Session 1 (feng): fill holes
• Session 2: only two fragments
• Frag 1: future hole
• Frag 2: trigger reassembly, hence creating hole

reass

SeqNo=1
SeqNo=2

feng feng sess2 feng feng sess2

LastFrag=1
Primitive 1 - Hole creation with IKEv1
• Session 1 (feng): fill holes
• Session 2: only two fragments
• Frag 1: future hole
• Frag 2: trigger reassembly, hence creating hole

SeqNo=1

reass
sess2

SeqNo=2

feng feng feng feng sess2

LastFrag=1
Primitive 1 - Hole creation with IKEv1
• Session 1 (feng): fill holes
• Session 2: only two fragments
• Frag 1: future hole
• Frag 2: trigger reassembly, hence creating hole

SeqNo=1 SeqNo=2

reass
sess2 sess2
LastFrag=1

feng feng feng feng

Primitive 1 - Hole creation with IKEv1
• Session 1 (feng): fill holes
• Session 2: only two fragments
• Frag 1: future hole
• Frag 2: trigger reassembly, hence creating hole