"Embedded Device Firmware Vulnerability Hunting Using FRAK, the Firmware Reverse Analysis Konsole -- FRAK is a framework for unpacking, analyzing, modifying and repacking the firmware images of proprietary embedded devices. The FRAK framework provides a programmatic environment for the analysis of arbitrary embedded device firmware as well as an interactive environment for the disassembly, manipulation and re-assembly of such binary images.
We demonstrate the automated analysis of Cisco IOS, Cisco IP phone and HP LaserJet printer firmware images. We show how FRAK can integrate with existing vulnerability analysis tools to automate bug hunting for embedded devices. We also demonstrate how FRAK can be used to inject experimental host-based defenses into proprietary devices like Cisco routers and HP printers. "
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
1. RED BALLOON Security
FRAK: Firmware Reverse Analysis Konsole
Ang Cui
a@redballoonsecurity.com
7.27.2012, Defcon 20
2-5. Who am I / What do I do
5th Year Ph.D. Candidate, Intrusion Detection Systems Lab, Columbia University
Co-Founder and CEO, Red Balloon Security Inc. (www.redballoonsecurity.com)
Past publications:
• Pervasive Insecurity of Embedded Network Devices. [RAID10]
• A Quantitative Analysis of the Insecurity of Embedded Network Devices. [ACSAC10]
• Killing the Myth of Cisco IOS Diversity: Towards Reliable Large-Scale Exploitation of Cisco IOS. [USENIX WOOT 11]
• Defending Legacy Embedded Systems with Software Symbiotes. [RAID11]
• From Prey to Hunter: Transforming Legacy Embedded Devices Into Exploitation Sensor Grids. [ACSAC11]
Past Embedded Tinkerings:
• Interrupt-Hijack Cisco IOS Rootkit
• HP LaserJet Printer Rootkit
10-16. WORKFLOW
[XYZ Embedded {Offense|Defense}]
Unpacking Process:
• Binary Firmware Image: parse the Firmware Package Manifest (Known Format or Proprietary Format?)
• For each "Record" in the firmware (Record, Record, Record...): Digitally Signed? Encrypted? Compressed? Checksummed?
• De{crypt,compress} each Record (Known Algorithm or Proprietary Algorithm?)
• For each "unpacked Record" in the firmware: FileSystem Extraction (Known Format or Proprietary Format?)
Analysis and Manipulation
Re-Packing Process:
• For each "unpacked Record" in the firmware: Re-Pack the Modified File System (Known Format or Proprietary Format?)
• Re-{crypt,compress}, Recalculate Checksum, etc. (Known Algorithm or Proprietary Algorithm?)
• Repack All Binary "records" (Record, Record, Record...): Digitally Signed? Encrypted? Compressed? Checksummed?
• Re-generate the Firmware Package Manifest
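The unpack / analyze / modify / repack loop sketched on the workflow slides, as an added example that is not FRAK's code and not a real vendor format: the "TOYF" container below is constructed for this illustration (a manifest of per-record entries carrying a type, a compression flag, a stored length and a CRC32), so the per-record questions "Compressed? Checksummed?" become concrete checks, and the re-packing side has to recompress, recalculate every checksum and regenerate the manifest exactly as the slide lists.

```python
"""Toy record-based firmware container: parse, unpack, modify, repack.

Constructed example for the FRAK-style workflow. The "TOYF" format is
invented here and is NOT the HP RFU, Cisco IOS or Cisco CNU format; it only
mirrors the per-record questions on the slide.
"""
import struct
import zlib
from dataclasses import dataclass

MAGIC = b"TOYF"
FLAG_COMPRESSED = 0x01
HEADER = struct.Struct(">4sH")   # magic, record count (big-endian)
ENTRY = struct.Struct(">BBII")   # type(u8) flags(u8) stored_len(u32) crc32(u32)


@dataclass
class Record:
    rtype: int
    flags: int
    data: bytes  # unpacked (decompressed) payload


def unpack(image: bytes) -> list:
    """Parse the manifest, verify each record's checksum, and decompress.

    Raises ValueError on bad magic, a truncated image or a checksum mismatch,
    so a corrupted or carelessly repacked image is rejected rather than
    analysed as if it were intact.
    """
    if len(image) < HEADER.size or image[:4] != MAGIC:
        raise ValueError("not a TOYF image")
    _, count = HEADER.unpack_from(image, 0)
    if len(image) < HEADER.size + count * ENTRY.size:
        raise ValueError("truncated manifest")
    entries = [ENTRY.unpack_from(image, HEADER.size + i * ENTRY.size)
               for i in range(count)]
    offset = HEADER.size + count * ENTRY.size
    records = []
    for rtype, flags, stored_len, crc in entries:
        stored = image[offset:offset + stored_len]
        if len(stored) != stored_len:
            raise ValueError("truncated record")
        if zlib.crc32(stored) != crc:          # "Checksummed?" branch
            raise ValueError(f"checksum mismatch in record type {rtype}")
        data = zlib.decompress(stored) if flags & FLAG_COMPRESSED else stored
        records.append(Record(rtype, flags, data))
        offset += stored_len
    return records


def repack(records: list) -> bytes:
    """Mirror image of unpack: re-compress where the record was compressed,
    recalculate each CRC, and regenerate the manifest."""
    stored = [zlib.compress(r.data) if r.flags & FLAG_COMPRESSED else r.data
              for r in records]
    manifest = HEADER.pack(MAGIC, len(records))
    for r, s in zip(records, stored):
        manifest += ENTRY.pack(r.rtype, r.flags, len(s), zlib.crc32(s))
    return manifest + b"".join(stored)


def build_sample_image() -> bytes:
    """Constructed sample: a compressed 'code' record and a raw 'config' record."""
    return repack([
        Record(rtype=1, flags=FLAG_COMPRESSED, data=b"\x7fELF" + b"\x90" * 64),
        Record(rtype=2, flags=0, data=b"hostname=printer\n"),
    ])


def modify_and_repack(image: bytes, rtype: int, new_data: bytes) -> bytes:
    """Unpack, replace the payload of every record of the given type, repack."""
    records = unpack(image)
    for r in records:
        if r.rtype == rtype:
            r.data = new_data
    return repack(records)


def tamper_detected(image: bytes) -> bool:
    """Flip the last payload byte; a correct unpacker must reject the image."""
    bad = bytearray(image)
    bad[-1] ^= 0xFF
    try:
        unpack(bytes(bad))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    img = build_sample_image()
    for rec in unpack(img):
        print(f"type={rec.rtype} compressed={bool(rec.flags & 1)} len={len(rec.data)}")
    img2 = modify_and_repack(img, 2, b"hostname=printer\naudit_log=on\n")
    print(unpack(img2)[1].data)
    print("tamper detected:", tamper_detected(img))
```

The CRC only answers the "Checksummed?" question: it catches corruption and a repack that forgot to recalculate, nothing more. The "Digitally Signed?" branch on the slide is the one that would stop an image modified this way from loading, which is why a signed image cannot be honestly repacked without the signing key.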
17-21. Payload Design
Reasons why Ang stays home on Friday night (pie chart):
• Payload Design
• Payload Development
• Payload Testing
• STARE @ BINARY BLOB (annotated "THIS PART")
22. FRAK: Firmware Reverse Analysis Konsole
[Better Living Through Software Engineering]
23-27. FRAK: Firmware Reverse Analysis Konsole (architecture)
Inputs: HP-RFU Module, Cisco IOS Module, Cisco-CNU Module, XYZ-Format Module, Arbitrary Firmware Image of Unknown Format
Engines:
• Firmware Unpacking Engine, producing the Unpacked Firmware Binary
• Firmware Analysis Engine
• Firmware Modification Engine, taking XYZ Dynamic Instrumentation, Software Symbiotes & Rootkit as payloads
• Firmware Repacking Engine
ACCESS: Programmatic API, Interactive Console
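The module/engine split on the architecture slides, as an added example that is not FRAK's code: a registry of format modules, each with a probe that claims an image by its header, and an entropy scan that the unpacking engine falls back to for an "Arbitrary Firmware Image of Unknown Format", giving a first answer to the slide's "Encrypted? Compressed?" question before any parser exists. The module names and magic values (TOYRFU, TOYIOS) are invented for the illustration and are not the real HP RFU or Cisco signatures.

```python
"""Format dispatch plus entropy triage for a firmware unpacking engine.

Constructed example. MODULES mirrors the per-format modules on the slide;
the probes and magic bytes are invented, not real vendor signatures.
"""
import math
import random
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# module name -> probe returning True if the module claims the image
MODULES: Dict[str, Callable[[bytes], bool]] = {}


def register(name: str):
    """Decorator: add a format module's probe to the engine registry."""
    def deco(probe):
        MODULES[name] = probe
        return probe
    return deco


@register("toy-rfu")
def _probe_rfu(image: bytes) -> bool:
    return image.startswith(b"TOYRFU\x00")   # constructed magic


@register("toy-ios")
def _probe_ios(image: bytes) -> bool:
    return image.startswith(b"TOYIOS\x00")   # constructed magic


def identify(image: bytes) -> Optional[str]:
    """Return the first module whose probe claims the image, else None."""
    for name, probe in MODULES.items():
        if probe(image):
            return name
    return None


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for a uniform one."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify(h: float) -> str:
    """Coarse label for one block. Thresholds assume >= 1 KiB blocks: a
    1 KiB sample of truly random bytes scores about 7.8, so 7.5 separates
    compressed/encrypted data from code and tables."""
    if h < 1.0:
        return "padding"
    if h > 7.5:
        return "compressed/encrypted"
    return "code/data"


def entropy_map(image: bytes, block_size: int = 1024) -> List[Tuple[int, str]]:
    """Scan fixed-size blocks and merge runs of equal class into (offset, class)."""
    regions: List[Tuple[int, str]] = []
    for off in range(0, len(image), block_size):
        label = classify(shannon_entropy(image[off:off + block_size]))
        if not regions or regions[-1][1] != label:
            regions.append((off, label))
    return regions


def triage(image: bytes):
    """Engine entry point: dispatch to a module, or fall back to an entropy map."""
    name = identify(image)
    if name is not None:
        return ("module", name)
    return ("unknown", entropy_map(image))


def build_unknown_image() -> bytes:
    """Constructed image with no known header: 2 KiB of 0xFF padding, 2 KiB of
    repetitive assembler-like text standing in for code, 4 KiB of seeded
    pseudo-random bytes standing in for an encrypted or compressed blob."""
    padding = b"\xff" * 2048
    text = b"lwz r3,0(r1); stw r3,4(r1); addi r1,r1,8\n"
    code = (text * (2048 // len(text) + 1))[:2048]
    rng = random.Random(2012)
    blob = bytes(rng.randrange(256) for _ in range(4096))
    return padding + code + blob


if __name__ == "__main__":
    print(triage(b"TOYRFU\x00" + b"\x00" * 64))
    kind, regions = triage(build_unknown_image())
    for off, label in regions:
        print(f"{off:#08x}  {label}")
```

The entropy map only says where to look: a high-entropy region is the candidate for the "Known Algorithm or Proprietary Algorithm?" question, and a low-entropy one is where a file system or code section is likely to start. Once a format is understood, the right move is to add a module and let the probe claim the image, which is exactly the slide's per-format module split.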
28. FRAK: Firmware Reverse Analysis Konsole
Unpack, Analyze, Modify, Repack: Cisco IOS
29. Payload Design
Reasons why Ang stays home on Friday night (pie chart, revisited):
• Payload Design
• Payload Development
• Payload Testing
• STARE @ BINARY BLOB: ? ("THIS PART") Thanks FRAK!