Step 1: EXTRABACON
The first step is to gain access to the firewall. EXTRABACON (CVE-2016-6366) leverages an overflow in the SNMP daemon on Cisco ASA and PIX firewalls. The exploit enables and disables the password-checking functions of the firewall. With password checking disabled, any remote user can be granted access to the firewall. The exploit code targets only certain ASA versions, but it is relatively easy to adapt it to other software versions. Here’s what it looks like in action:
Img1: Cisco ASA getting BACON-ed.
It worked flawlessly with our ASA. We did not modify the code to test the PIX, but based on Cisco’s advisory, the flaw exists on that platform as well.
Step 2: EPICBANANA
Once you have set the password to nothing, EPICBANANA (CVE-2016-6367) is the next tool of choice. EPICBANANA exploits a local command line buffer overflow. It plants command and control shellcode into the PIX/ASA firewall. Each vulnerable version has two shellcode types contained in the exploit package; one is a “test message” NOP sled, the other is referenced as “BM”.
NOP
When the nop option is used, the shellcode is simply a large section of NOPs (\x90) followed by an interrupt request. This shellcode makes the console print out the message “!!! SUCCESS !!!”.
Img2: Shellcode printing out !!! Success !!!
BM
When the BM payload option is specified, the script goes through a similar set of operations. However, instead of a success message printing on the console of the target, it simply logs that a buffer overflow occurred. On the attacker side the script sends an escape code (\x10) and checks whether the response is the string “mtu”. If it is, it reports that the exploit worked.
Img3: Shellcode loading BM module
Img4: Checks in exploit code for return values from shellcode injection
We tested this local exploit on both our Cisco ASA and PIX. Both appeared to be exploited correctly without issue for both the NOP and BM payloads. Interestingly, EPICBANANA has been labeled as a privilege escalation exploit and vulnerability, although as we will see below, the exploit code allows much more than enable access to occur.
Step 3: BANALRIDE (“BRIDE”) and BANALMONKEY
But then the questions become “What did BM do?” and “What does BM stand for?” Looking at the documentation in Firewall/SCRIPTS/EPBA.script, we see that we should be able to use a tool called bride to connect to our firewall and load BANANAGLEE:
Img5: Instructions on EPICBANANA
These instructions show the connection between EPICBANANA, BANALRIDE, and BANANAGLEE. We should be able to communicate with our firewall using BANALRIDE after sending the EPICBANANA exploit, which will then allow us to load the BANANAGLEE implant code. We first attempted to use BANALRIDE with our ASA firewall, but never managed to elicit a response from the firewall. However, a few weeks later, we found an old Cisco PIX we had in QA. Using the same steps again we managed to get a response from the firewall:
Img6: Using BRIDE
SUCCESS! We have basic CnC packets for examination! The first packet seen is the ‘listening post’ (aka: the attacker) sending out a 21-byte UDP packet to the firewall when command 1 is executed. If you are playing along at home and see no packets being generated, it is likely that /dev/urandom entropy is low. Bang on the keyboard for a while, and you should get a packet generated.
The first CnC packet looks like this:
Img7: Command and Control Initial Send
The first byte is always 0xA8. That leaves 20 bytes of payload, which are “random” with each request. The response to the challenge is the following 17 bytes:
Img8: Command and Control response
The first byte of the response is always 0xA9, which is followed by 16 bytes of random payload.
Considering the console output and the 128-bit number, the two packets are most likely exchanging 128-bit keys using Diffie-Hellman. The additional 4 bytes sent by the CnC listening post to the firewall might be a checksum, nonce, salt, or some other crypto element. Further communication appears to be completely encrypted, including the control codes, as no data repeats after the initial exchange.
If you are interested in examining the command and control traffic yourself, but don’t want to run any exploit code (or don’t have the necessary exploitable firewall) you can get this PCAP. It has a connection initialization, downloads 24 bytes of memory located at 0x05e26490 on the PIX, and then disconnects gracefully. The DH key printed out in this example was c4524cf9ca8d15b38926883a8e7784d9.
Some interesting features observed from the command and control data:
- Open to scanning/replay attacks
  - The payload generated by BANALRIDE can be played back with netcat to get a response from the firewall
  - The response from the implanted firewall differs for the same request, which implies a changing key on the firewall
- Source/destination IP/ports do not impact communication
  - Using netcat to replay the payload above with different source/destination ports still generated a response
  - They might be filtered by firewall policy before being ‘handled’ by the exploit code
  - Examples in the leak suggest sending/receiving over UDP port 500, but this is probably used to mask the data as IPsec traffic
- Five-minute timeout
  - Sending a replayed challenge request only produced a response once every five minutes
  - There is a clean “close connection” ability in BRIDE, which allowed immediate reconnection
- Packet sizes are predictable for initial handshakes
  - Set your IDS signatures to stun
  - 21-byte request with \xA8 as first byte
  - 17-byte response with \xA9 as first byte
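The handshake fingerprint above (a 21-byte request beginning 0xA8, a 17-byte response beginning 0xA9, and identical challenge bytes accepted again from any source port) is enough to build a small detector. The following Python is an added example written for this article, not code from the leaked tooling: it classifies UDP datagrams by the two handshake shapes, pairs a response with the challenge that preceded it, flags a challenge payload seen a second time as a replay, and also flags any UDP/500 datagram shorter than the 28-byte fixed ISAKMP header, which a genuine IKE message can never be. The Datagram records, addresses and byte strings are constructed sample input (the real challenge bytes are random per request).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 2408: every ISAKMP message starts with a 28-byte fixed header, so a
# UDP/500 datagram shorter than that cannot be IKE, whatever port it hides on.
ISAKMP_HEADER_LEN = 28


@dataclass
class Datagram:
    ts: float       # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def classify(payload: bytes) -> Optional[str]:
    """Match the two fixed-size handshake shapes observed in the write-up."""
    if len(payload) == 21 and payload[0] == 0xA8:
        return "banalride-challenge"
    if len(payload) == 17 and payload[0] == 0xA9:
        return "banalride-response"
    return None


class HandshakeDetector:
    """Stateful detector: handshake shapes, completed pairs, replays, undersized UDP/500."""

    def __init__(self) -> None:
        self.seen_challenges: Dict[bytes, float] = {}      # payload -> first time seen
        self.pending: Dict[Tuple[str, str], float] = {}     # (firewall, lp) -> challenge time
        self.alerts: List[Tuple[float, str, str]] = []      # (ts, src, alert kind)

    def feed(self, d: Datagram) -> List[str]:
        raised: List[str] = []
        if 500 in (d.sport, d.dport) and len(d.payload) < ISAKMP_HEADER_LEN:
            raised.append("short-udp500")
        kind = classify(d.payload)
        if kind == "banalride-challenge":
            raised.append(kind)
            if d.payload in self.seen_challenges:
                raised.append("replayed-challenge")   # the same 20 "random" bytes offered again
            else:
                self.seen_challenges[d.payload] = d.ts
            self.pending[(d.dst, d.src)] = d.ts        # expect the firewall (dst) to answer src
        elif kind == "banalride-response":
            raised.append(kind)
            if self.pending.pop((d.src, d.dst), None) is not None:
                raised.append("banalride-handshake")  # challenge and response paired up
        self.alerts.extend((d.ts, d.src, r) for r in raised)
        return raised


# Constructed sample traffic: a listening post (192.0.2.10) talks to a firewall
# (198.51.100.1) on UDP/500, then a second host replays the identical challenge.
CHALLENGE = bytes([0xA8]) + bytes(range(1, 21))        # 21 bytes, stand-in for random payload
RESPONSE = bytes([0xA9]) + bytes(range(0x10, 0x20))    # 17 bytes
IKE_SIZED = bytes(28)                                  # header-length datagram, must not alert

SAMPLE = [
    Datagram(0.0, "192.0.2.10", 40000, "198.51.100.1", 500, CHALLENGE),
    Datagram(0.1, "198.51.100.1", 500, "192.0.2.10", 40000, RESPONSE),
    Datagram(0.5, "192.0.2.10", 500, "198.51.100.1", 500, IKE_SIZED),
    Datagram(5.0, "192.0.2.77", 41000, "198.51.100.1", 500, CHALLENGE),  # replay, new host/port
]


def run_sample() -> List[str]:
    """Feed the constructed capture through a fresh detector and return every alert kind raised."""
    det = HandshakeDetector()
    kinds: List[str] = []
    for d in SAMPLE:
        kinds.extend(det.feed(d))
    return kinds


if __name__ == "__main__":
    det = HandshakeDetector()
    for d in SAMPLE:
        for alert in det.feed(d):
            print(f"{d.ts:5.1f}s {d.src}:{d.sport} -> {d.dst}:{d.dport}  {alert}")
```

The size check is deliberately independent of the 0xA8/0xA9 shapes: the page's observation that the traffic hides on UDP/500 means a plain "is this really IKE?" length test catches it even if the implant's handshake bytes change.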
Step 4: Implanting BANANAGLEE
It appears that the implant management code (config_implant) was not leaked. Unfortunately, it seems to be a crucial step in building the BANANAGLEE implant code that is injected with BANALRIDE:
Img9: config_implant is mentioned in a lot of places
The assumption is that config_implant builds a device-specific binary implant to provide command and control capabilities for your Cisco ASA/PIX and Juniper SRX firewalls. It also looks like config_implant keys the implant code to be mission specific, so that it will not respond to other attempts to communicate. Some of the implant modules for BANANAGLEE are included. Many of them are located at /Firewall/BANANAGLEE/BG2200/Install/LP/Modules/PIX. In it are a variety of “.mod” files that contain XML attributes describing what each module supports.
For example, here are the contents of BBALL_AM29FA-2201.mod:
Img10: Example of a BANANAGLEE module
List of modules available
Here is a full list of available modules for use with BANANAGLEE:
- BBALL_*.mod: Read and Write to Firewall’s BIOS
- BCANDY-2201.mod: Start a console session
- BFLEA-2201.mod: Read and Write to Flash Memory
- BMASSACRE-2201.mod: Packet toolkit. Controls the firewall rules table, copies packets to a third destination
- BPATROL-2201.mod: Packet Capture
- BPIE-2201.mod: IPv4 Profiler
- IVL-5000-6-2201.mod: Unknown
- SecondDate-2211.mod: Unknown
Step 5: Persist with JETPLOW and SCREAMPLOW
From studying the NSA ANT catalogue, BANANAGLEE, if implanted, is only temporary (a reboot clears it). If a user wants to make the implant permanent, they need to install JETPLOW or SCREAMPLOW. The steps to install SCREAMPLOW are listed in /Firewall/SCRIPTS/screamplow-INSTALL.txt.
Img11: Using the Listening Post
We need to use the lp command (which is located in many places) with a key file. Luckily, a key file was left in the dump, located at /FIREWALL/BANANAGLEE/BG2100/Install/JP/temp.key. Using this key allows us to cause the listening post code to send out packets for analysis.
Running the following command gets us into the lp binary:
Img12: Listening Post available commands
And when we run option 1 (Open Session with firewall), we get packets that look like this:
Img13: Listening Post packets produce no response
44 bytes of seemingly meaningless gibberish and no response from our firewall. It appears that loading BANANAGLEE with a keyed image is a prerequisite for leveraging JETPLOW and the advanced Listening Post toolkits.
What Were Those Code Words Again?
Trying to remember all of the code words that are in use can be difficult, so I came up with this handy reference guide:
EXTRABACON
Vulnerability Exploited: SNMP Buffer Overflow.
What it does: Turns command line password on or off.
EPICBANANA
Vulnerability Exploited: Local Buffer Overflow on command line.
What it does: Embeds BANALMONKEY command and control code.
BANALMONKEY
Vulnerability Exploited: None.
What it does: Provides raw memory access and secondary stage loading.
BANALRIDE
Vulnerability Exploited: None.
What it does: Communicates with BANALMONKEY. Provides mechanism for loading BANANAGLEE or other payloads.
BANANAGLEE
Vulnerability Exploited: None.
What it does: Advanced command and control code to operate firewalls. Redirection of traffic, duplication of traffic, filtering.
JETPLOW
Vulnerability Exploited: None.
What it does: Provides persistent BANANAGLEE between reboots.
And the exploit chain:
- EXTRABACON (REMOVE PASSWORD)
- EPICBANANA (LOADS)
- BANALMONKEY (CONTROLLED BY)
- BANALRIDE (INSTALLS)
- BANANAGLEE (PERSISTED BY)
- JETPLOW (CONTROL)
What’s in the NSA Equation Group dump:
Exploits
EGREGIOUSBLUNDER A remote code execution exploit for Fortigate firewalls that exploits an HTTP cookie overflow vulnerability. It affects models 60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 5000, 1000A, 3600, and 3600A. The model of the firewall is detected by examining the ETag in the HTTP headers of the firewall. This is not CVE-2006-6493 as detected by Avast.
ELIGIBLEBACHELOR An exploit for TOPSEC firewalls running the TOS operating system, affecting versions 3.2.100.010, 3.3.001.050, 3.3.002.021 and 3.3.002.030. The attack vector is unknown but it has an XML-like payload that starts with
.
ELIGIBLEBOMBSHELL A remote code execution exploit for TOPSEC firewalls that exploits an HTTP cookie command injection vulnerability, affecting versions 3.2.100.010.1_pbc_17_iv_3 to 3.3.005.066.1. Version detection by ETag examination.
WOBBLYLLAMA A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version 3.3.002.030.8_003.
FLOCKFORWARD A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version 3.3.005.066.1.
HIDDENTEMPLE A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version tos_3.2.8840.1.
CONTAINMENTGRID A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version tos_3.3.005.066.1.
GOTHAMKNIGHT A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version 3.2.100.010.8_pbc_27. Has no BLATSTING support.
ELIGIBLECANDIDATE A remote code execution exploit for TOPSEC firewalls that exploits an HTTP cookie command injection vulnerability, affecting versions 3.3.005.057.1 to 3.3.010.024.1.
ELIGIBLECONTESTANT A remote code execution exploit for TOPSEC firewalls that exploits an HTTP POST parameter injection vulnerability, affecting versions 3.3.005.057.1 to 3.3.010.024.1. This exploit can be tried after ELIGIBLECANDIDATE.
EPICBANANA A privilege escalation exploit against Cisco Adaptive Security Appliance (ASA) and Cisco Private Internet eXchange (PIX) devices. Exploitation takes advantage of default Cisco credentials (password: cisco). Affects ASA versions 711, 712, 721, 722, 723, 724, 80432, 804, 805, 822, 823, 824, 825, 831, 832 and PIX versions 711, 712, 721, 722, 723, 724, 804.
ESCALATEPLOWMAN A privilege escalation exploit against WatchGuard firewalls of unknown versions that injects code via the ifconfig command.
EXTRABACON A remote code execution exploit against Cisco Adaptive Security Appliance (ASA) devices affecting ASA versions 802, 803, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844. It exploits an overflow vulnerability using the Simple Network Management Protocol (SNMP) and relies on knowing the target’s uptime and software version.
BOOKISHMUTE An exploit against an unknown firewall using Red Hat 6.0.
FALSEMOREL Allows for the deduction of the “enable” password from data freely offered by an unspecified firewall (likely Cisco) and obtains privileged level access using only the hash of the “enable” password. Requires telnet to be installed on the firewall’s inside interface.
Implants
BLATSTING A firewall software implant that is used with EGREGIOUSBLUNDER (Fortigate) and ELIGIBLEBACHELOR (TOPSEC).
BANANAGLEE A non-persistent firewall software implant for Cisco ASA and PIX devices that is installed by writing the implant directly to memory. Also mentioned in the previously leaked NSA ANT catalogue.
BANANABALLOT A BIOS module associated with an implant (likely BANANAGLEE).
BEECHPONY A firewall implant that is a predecessor of BANANAGLEE.
JETPLOW A firmware persistence implant for Cisco ASA and PIX devices that persists BANANAGLEE. Also mentioned in the previously leaked NSA ANT catalogue.
SCREAMINGPLOW Similar to JETPLOW.
BARGLEE A firewall software implant for Juniper NetScreen firewalls.
BUZZDIRECTION A firewall software implant for Fortigate firewalls.
FEEDTROUGH A technique for persisting BANANAGLEE and ZESTYLEAK implants for Juniper NetScreen firewalls. Also mentioned in the previously leaked NSA ANT catalogue.
JIFFYRAUL A module loaded into Cisco PIX firewalls with BANANAGLEE.
BANNANADAIQUIRI An implant associated with SCREAMINGPLOW. Yes, banana is spelled with three Ns this time.
POLARPAWS A firewall implant. Unknown vendor.
POLARSNEEZE A firewall implant. Unknown vendor.
ZESTYLEAK A firewall software implant for Juniper NetScreen firewalls that is also listed as a module for BANANAGLEE. Also mentioned in the previously leaked NSA ANT catalogue.
SECONDDATE A packet injection module for BANANAGLEE and BARGLEE.
BARPUNCH A module for BANANAGLEE and BARGLEE implants.
BBALL A module for BANANAGLEE implants.
BBALLOT A module for BANANAGLEE implants.
BBANJO A module for BANANAGLEE implants.
BCANDY A module for BANANAGLEE implants.
BFLEA A module for BANANAGLEE implants.
BMASSACRE A module for BANANAGLEE and BARGLEE implants.
BNSLOG A module for BANANAGLEE and BARGLEE implants.
BPATROL A module for BANANAGLEE implants.
BPICKER A module for BANANAGLEE implants.
BPIE A module for BANANAGLEE and BARGLEE implants.
BUSURPER A module for BANANAGLEE implants.
CLUCKLINE A module for BANANAGLEE implants.
Tools
BILLOCEAN Retrieves the serial number of a firewall, to be recorded in operation notes. Used in conjunction with EGREGIOUSBLUNDER for Fortigate firewalls.
FOSHO A Python library for creating HTTP exploits.
BARICE A tool that provides a shell for installing the BARGLEE implant.
DURABLENAPKIN A tool for injecting packets on LANs.
BANANALIAR A tool for connecting to an unspecified implant (likely BANANAGLEE).
PANDAROCK A tool for connecting to a POLARPAWS implant.
TURBOPANDA A tool that can be used to communicate with a HALLUXWATER implant. Also mentioned in the previously leaked NSA ANT catalogue.
TEFLONDOOR A self-destructing post-exploitation shell for executing an arbitrary file. The arbitrary file is first encrypted with a key.
1212/DEHEX Converts hexadecimal strings to IP addresses and ports.
XTRACTPLEASING Extracts something from a file and produces a PCAP file as output.
NOPEN A post-exploitation shell consisting of a client and a server that encrypts data using RC6. The server is installed on the target machine.
BENIGNCERTAIN A tool that appears to be for sending certain types of Internet Key Exchange (IKE) packets to a remote host and parsing the response.
Multiple vulnerabilities in Decision Group‘s E-Detective “Real-Time Network Forensics and Lawful Interception System”
E-Detective is a real-time Internet interception, monitoring and forensics system that captures, decodes, and reconstructs various types of Internet traffic. It is commonly used for organizational Internet behavioral monitoring, auditing, record keeping, forensic analysis, and investigation, as well as legal and lawful interception for law enforcement agencies such as Police Intelligence, Military Intelligence, Cyber Security Departments, National Security Agencies, Criminal Investigation Agencies, Counter Terrorism Agencies etc. It can also provide a compliance solution for many standards or acts such as the Sarbanes-Oxley Act (SOX), HIPAA, GLBA, SEC, NASD, E-Discovery and many others.
Decision Group also claims that its products are used by “more than 100 law enforcement agencies”, including the National Security Bureau of the Republic of China.
1. Unauthenticated Local File Disclosure
The common/download.php script in the web root allows unauthenticated users to read arbitrary files on the system. This may include database credentials and captured data intercepts.
The file URL query parameter of the script is “protected” by the following encoding, which is trivially reversible: base64 followed by rot40.
2. Authenticated Remote Code Execution
Combining this vulnerability with the Local File Disclosure vulnerability above can result in unauthenticated remote code execution.
The restore feature on the “config backup” page extracts a .tar file encrypted with Blowfish using OpenSSL into the system’s root directory (/) as root.
The .tar file must be encrypted with the static key /tmp/.charlie. Yes, that’s the actual key: the software passes the wrong argument to OpenSSL. -K is used to pass the keyfile instead of -kfile, meaning that the key is the path of the keyfile rather than the contents of the keyfile.
This allows an attacker to upload a shell into the web root, or overwrite any sensitive system files such as /etc/shadow.
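The restore path described above has two independent problems: a key that is effectively public, and an archive written into / as root with no validation of member names. Fixing the OpenSSL argument alone would not fix the second, since even a properly keyed archive uploaded by an authenticated administrator can carry entries such as ../../etc/shadow. The following Python is an added example, not E-Detective's code, showing the member vetting a restore handler should perform before extracting anything: it rejects absolute names, names that resolve outside the restore directory, and link or device entries, and accepts only regular files and directories. The archive is built in memory from constructed entries, and /var/www/restore is an assumed destination directory.

```python
import io
import os
import tarfile
from typing import List, Tuple

# Assumed restore directory for the example; the vulnerable handler extracted into "/".
RESTORE_DIR = "/var/www/restore"


def member_is_safe(member: tarfile.TarInfo, dest: str) -> bool:
    """Accept only regular files and directories that stay inside dest after path resolution."""
    if not (member.isreg() or member.isdir()):
        return False  # symlinks, hardlinks, devices and FIFOs are never restored
    name = member.name
    if os.path.isabs(name) or name.startswith("\\"):
        return False  # "/etc/shadow"-style entries
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    # realpath collapses "..", so anything that climbs out of root resolves elsewhere
    return os.path.commonpath([root, target]) == root


def vet_archive(blob: bytes, dest: str = RESTORE_DIR) -> Tuple[List[str], List[str]]:
    """Return (accepted, rejected) member names without extracting anything."""
    accepted: List[str] = []
    rejected: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
        for m in tf.getmembers():
            (accepted if member_is_safe(m, dest) else rejected).append(m.name)
    return accepted, rejected


def restore_allowed(blob: bytes, dest: str = RESTORE_DIR) -> bool:
    """Policy used by the handler: refuse the whole archive if any member is rejected."""
    _, rejected = vet_archive(blob, dest)
    return not rejected


def build_archive(files: List[Tuple[str, bytes]], symlinks: List[Tuple[str, str]]) -> bytes:
    """Build a plain (unencrypted) tar in memory; names are stored verbatim, '/' and '..' included."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        for name, linkname in symlinks:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tf.addfile(info)
    return buf.getvalue()


# Constructed sample: one legitimate config file plus three hostile entries.
SAMPLE_ARCHIVE = build_archive(
    files=[
        ("config/settings.ini", b"[web]\nport=443\n"),
        ("/etc/shadow", b"root:!:0:0:99999:7:::\n"),               # absolute path
        ("../../etc/cron.d/job", b"* * * * * root /bin/true\n"),   # directory traversal
    ],
    symlinks=[("www", "/")],  # symlink aimed at the filesystem root
)

if __name__ == "__main__":
    ok, bad = vet_archive(SAMPLE_ARCHIVE)
    print("accepted:", ok)
    print("rejected:", bad)
    print("restore allowed:", restore_allowed(SAMPLE_ARCHIVE))
```

Vetting runs over the member list before any byte is written, and the policy is all-or-nothing, so a single hostile entry cannot ride in alongside legitimate ones. Running the extraction as an unprivileged user into a dedicated directory, rather than as root into /, is the other half of the fix.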
Related info:
Protocols
Based on this report from US-CERT and the wonderful write-up by Christian Rossow, we plan on probing everything listed by both. While we were at it, we added a few other ports/protocols of significant security interest.
There are links below to the scan results from our currently implemented protocols. Those that don’t have links are on our “to-do” list. Expect more interpretation of scan results in future posts.
Amplification Protocols:
- BitTorrent (any)
- CharGEN (UDP/19)
- DNS (UDP/53) (Open Resolver Project)
- Kad (UDP/6429)
- MS-SQL (UDP/1434)
- NetBIOS (UDP 137 to 139)
- NTP Mode 6 (UDP/123) (Open NTP Project)
- NTP Mode 7 (UDP/123)
- QOTD (UDP/17)
- Quake Network Protocol (UDP/26000 and UDP/27960)
- SNMPv2 (UDP/161) (Open SNMP Project)
- SSDP (UDP/1900) (Open SSDP Project)
- Steam Protocol (Many – UDP/27015)
Botnet Protocols:
- Conficker (TCP/445)
- Gameover Zeus (Takedown by the FBI on 2014-05-30)
- Sality
- Zeroaccess
Protocols That Should Not Be Exposed:
- DB2 (UDP/523)
- Elastic Search (TCP/9200)
- HDFS (TCP/50070, TCP/50075, TCP/50090, TCP/50105, TCP/50030, TCP/50060)
- IPMI (UDP/623)
- mDNS (UDP/5353)
- MemCached (TCP/11211)
- MongoDB (TCP/27017, TCP/27018, TCP/27019, TCP/28017)
- NAT-PMP (UDP/5351)
- NetBIOS (TCP/137 to 139)
- Portmapper (UDP/111)
- RDP (TCP/3389 and UDP/3389)
- REDIS (TCP/6379)
- rlogin (TCP/451)
- SSDP (TCP/1900)
- TFTP (UDP/69)
- telnet (TCP/23)
- XDMCP (UDP/177)
Protocols That are Vulnerable:
- ISAKMP (UDP/500)
- Netcore/Netis Router (UDP/53413)
- SSL/FREAK (TCP/443)
- SSLv3 (TCP/443)
- Synful Knock (TCP/80)