
Third Time's the Charm: Solution to Exploitation Is Not Encryption. Would you please put your hands together and give a big BSides welcome to Vincent Lee.

Welcome to Third Time's the Charm: Solution to Exploitation Is Not Encryption. Before I begin, who here works for HPE? Please raise your hand. Perfect, nobody works for HPE, so I can say whatever I want. This talk is about how HPE tried and failed to patch some bugs in their product, and at the end decided not to patch that bug, so we have a title change. This is a condensed version of a talk that I'll be giving in Mexico next month, so I will be a little bit tight on time.

My name is Vincent Lee. I am a vulnerability researcher at ZDI. At ZDI I do root cause analysis and variant hunting, and I also provide detection guidance for our product team. You can find me on Twitter. So what's ZDI? ZDI is the largest vendor-agnostic bounty program in the world. If you have zero-days, we buy them, and if you want to monetize your research but don't want to sell on the gray market or black market, consider us as your research outlet; we will buy bugs. We are also the organizer of Pwn2Own and Mobile Pwn2Own. Our next event is in Tokyo in November. We have IoT devices like Google Home and Amazon Echo and whatnot, and handsets, as targets in the Tokyo event, so if you have a full exploit chain on those devices, consider joining the competition and winning some bounty. Here's a picture of my hand clicking on a link that jailbroke this iPhone in a Faraday cage in Tokyo last year. And that's the end of my plug.

This is today's agenda. A little bit of background: back in November 2016 our program received a collection of bugs in HPE Intelligent Management Center, eight of which were command injection vulnerabilities. To my knowledge HPE attempted to patch them twice and decided to give up on the third time.

A little bit more on the target. According to their website, HPE Intelligent Management Center is an "enterprise software platform", a "comprehensive wired and wireless network management tool supporting the FCAPS model" that "provides end-to-end business management of IT", blah blah blah. OK, so it's some network management software. This product has a modular design. These are the components that come installed by default: it has lots of components, lots of moving parts, lots of services installed by default. Our command injection bugs are located within the dbman.exe service, which is the one highlighted in blue. This is a control panel that shows the list of processes spawned by this product when installed in a default setting; again, the command injection bugs are in the dbman service.

This thing runs multiple services. First, the dbman service listens on TCP port 2810. Then there's a TFTP server, which stands for Trivial File Transfer Protocol, that listens on UDP port 69. For some reason HPE decided to write their own TFTP server from scratch, so it's really buggy. Then there's also a Java web server for administration. There is also IMG.exe, which is super interesting: it listens on TCP port 800 for remote connections and dispatches messages to other components. What that means is it will grab some message and send it to one of the executables in this list, so even though one of the processes does not actively listen for remote connections, you can still reach it through IMG.exe by giving it the appropriate message.

So overall this thing is very buggy. It has a super large attack surface, and different types of bugs are in it; some are classic, some are more esoteric. And by buggy I mean very buggy: since 2017 we've bought this many bugs located in this product. If you want to learn more about these bugs you can read two of my blogs on zerodayinitiative.com. One of them is about a deserialization bug in the web interface, and the other one is yet another story of a failed patch, which is super interesting; I highly recommend reading it.

All eight of these command injection vulnerabilities are very similar, so I just picked one. This is ZDI-17-339. This vulnerability is located in opcode 10006. It uses a custom communication protocol that leverages ASN.1. It's a classic command injection vulnerability, so it's super boring for those who know what a command injection vulnerability is, but that's not the point; the interesting part is the patch-diffing part. In short, the attacker sends controlled data to the service, the service uses it to construct a command and then runs system() on the command, and you get code exec. The vulnerability is in "restore one local zip file".

One very important point: this entire presentation is pretty much based on the work done by the researcher (transcribed as "Suzy back") who submitted this collection of bugs in November 2016, so a big shout out to him. Where was I? Yes, "restore one local zip file", that's where the command injection vulnerability is. This bug was tested on IMC 7.2 patch 10.

For those who are not super familiar with ASN.1, I have a three-minute crash course for you. According to Wikipedia, ASN.1 is a standard interface description language for defining data structures that can be serialized and deserialized in a cross-platform way. This technology is used in many things such as X.509, Kerberos and LDAP. The idea is that if A speaks JSON, B speaks XML, C speaks binary, D speaks foo and E speaks bar, and they want to talk to each other, then you need twenty different translators. But what if they all speak ASN.1? Wouldn't it be wonderful? You just need ten translators. And this is the point where I give you the obligatory xkcd comic.

On the left, that's an example ASN.1 schema for a rocket data structure. In this schema, or definition, a rocket consists of a sequence of fields. First there is a name property which is defined as 1 to 16 UTF-8 characters. There is a message field, and then there is a fuel property that can be one of those three types only, then there is a speed property that is defined in two different units, and there's another payload, which is a sequence of different strings. On the right, that's a rocket instance and the values associated with it. So if all those A, B, C, D, E speak this underlying schema, they could all translate into this abstract type and then talk to each other that way.

There is one schema and multiple encoding rules. This is one example of the encoding rules, XML, so this may be translated into this XML format. The same thing may also be translated into a binary format, and for those who read ASCII you can kind of work out there is "Falcon" right there in the hex, and then there is "car" and then "GPS". A little bit more on the BER encoding: it utilizes a tag-length-value data structure, where during the encoding the values can be nested, hence the diagram on the right. In here 0x30 is the tag, 0x1B is the length of the rest of the binary stream, and the value is the rocket sequence. In the beginning you can see 0x80, that's the name string, which is six ASCII characters long, and then "Falcon"; then that's the fuel type, then that's the speed, and then you can see the gray box, there is a sequence that encloses the payload, which says "car" and "GPS", and they have their respective tags and lengths. So that's a super quick crash course on ASN.1.

To trigger this bug we need to speak to dbman.exe, and it utilizes a custom protocol, as I said. This is the custom protocol on the wire: the opcode 10006, then the length of the payload, and then the ASN.1-encoded payload. That's how you talk to dbman.exe. This is the schema for the 10006 packet, so you need to create such a data structure and then plop it into that data field to talk to dbman.exe. The fields highlighted in blue are used in the construction of a command line; that means any one of those fields could let you get code exec.

This is the disassembly for "restore one local zip file"; this is where the command injection bug is located. Closer to the bottom there's "run command". It takes in a command and runs it. The function calls above are C++ calls constructing a command string, and here's the compiler output: you can see there is the operator+ that concatenates the commands together, and then it runs the command closer to the bottom, and "run command" just runs it. So if we go back one slide, we can see that in this function it takes the payload from the ASN.1 data structure and puts it directly into the operator+, so it constructs the command string without any sanitization, and that's where the bug is. This is how it looks when you run it in WinDbg at the moment this call to "run command" is made; this is the injected command. As you can see, our researcher decided to write "ok Google restore one local zip file" into a file on the C drive, and this is how it looks.

So HPE attempted to patch this exact bug, this collection of command injection bugs, twice, and this is their patch. Once they released the patch, our researcher submitted a failed-patch report, so he resubmitted the bug again. I put it in a bindiffing tool, and this is the vulnerable function, and it says exactly nothing was changed. So what did they do? When performing bindiffing it's very important to know what to look for and to think like a programmer. Say you're the programmer that writes this product and you have a service that handles different opcodes; how would you write it? You probably would have a receive loop and then a switch statement inside, and each case handles one opcode, and that is exactly what they did. This diagram is the gigantic switch; "deal message" is what they've named it. The turquoise block on the right is where they handle opcode 10006; the two orange boxes are two other vulnerabilities. In here we know that from the big switch to the vulnerable function there is one more function in between, and they have not touched "restore one local zip file", so the patch must be in that unnamed function. And it is in there. This is another view, the binary diff view of the middle function; it's called "restore zip file". As you can see, on the left that's the unpatched version, on the right the patched version. You can see they've put a lot of stuff in the middle. We're interested in the area highlighted in red boxes. Here's the enhanced view. On the left, the unpatched version, you can see the function prologue; it enters the function and then calls the vulnerable [inaudible]. OK, cool.

So on the left, the vulnerable function is called very quickly. On the right, you can see they've done a bunch of stuff and then call the vulnerable function, and in fact the function prologue is not even in view; it's somewhere above. In the red box highlighted there, they've called an extra function, "dbman decode link". This is pseudocode of what they've done in the patch: do something in "dbman decode link", and then if it succeeds, call the vulnerable function, and then you get code exec there. This is the call graph that "decode link" has. Besides the obvious function name "decrypt message", we can see that it calls EVP_DecryptFinal, which is an OpenSSL API, so we know it does some sort of crypto in this function. In fact this is what it does: it generates a key from some hardware configuration stored in an IMC hardware-configuration file, uses that key to decrypt another key stored in a separate key file, and once they've decrypted the secondary key, they use that secondary key to encrypt the message on the wire. This is how the custom protocol looks in the patched service: you can see the payload is just encrypted.

This is how I imagine the HPE developers fixed their code: they run the PoC, the service gets crashed, then they do something that breaks the PoC, run the PoC again, hey, it doesn't work, great, we fixed it, let's push it. But oh well. The heart of the problem here is that HPE used cryptography; they're trying to solve an authentication problem with encryption. Encryption is great, it provides confidentiality, but that's not what the vulnerability is. The vulnerability is about authentication: anyone can send whatever spoofed message to dbman, and it will just run whatever. So that's the problem there, and the story is: please just fix the underlying code. Hence the talk title, "Solution to Exploitation Is Not Encryption".

So, patch bypass: how do we bypass that? Since the underlying command injection vulnerability was not patched, and it still is not patched, we can bypass that in two approaches. One way is to figure out what is stored in those two files; the other way is to overwrite them. In fact that's what CDC did: he found two more bugs in the product and overwrote those two files with known values. Now he can generate a proper message that the product will understand and happily execute whatever payload he gives it. And everyone gets a 0-day: this command injection vulnerability remains unpatched. We released a zero-day advisory about this 20 days ago. They were given chances to patch them, but they've decided not to patch them, so that's where we're at today.

Conclusion: when you're doing patch diffing, know what to look for; think like a programmer. You open BinDiff and the bug won't just pop out; you've got to look for it. That's my tip for you. Everyone gets a 0-day. The moral of the story is that the attacker is one info-leak bug away from system. For those who are developers, please fix the underlying issue instead of just putting on a band-aid. Another shout out to CDC, who did an amazing job finding these bugs.

And yeah, that's all I have.

Questions?

Perfect, thank you. Thank you. [Applause]
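The BER tag-length-value encoding from the talk's ASN.1 crash course, as an added example that is not part of the talk or of any HPE code: it encodes and parses the rocket record described above. The 0x30 SEQUENCE tag and the 0x80 name tag are taken from the talk; the tags and sample values for fuel and speed are assumed, and the parser rejects a length field that runs past the buffer, which is the kind of check a hand-written TLV parser needs.

```python
# Added example, not from the talk or HPE: minimal BER TLV encode/decode for
# the "rocket" schema. Only 0x30 (SEQUENCE) and 0x80 (name) come from the talk;
# the fuel/speed tags, the UTF8String tag for payload items and the sample
# values are assumptions made for this example.
from typing import List, Tuple

SEQUENCE, UTF8STRING = 0x30, 0x0C
TAG_NAME, TAG_FUEL, TAG_SPEED = 0x80, 0x81, 0x82   # 0x81 and 0x82 are assumed

def encode_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value

def parse_tlvs(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split a BER byte string into (tag, value) pairs; reject truncated input."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag, first, i = buf[i], buf[i + 1], i + 2
        if first & 0x80:                       # long form: low bits = count of length bytes
            nbytes = first & 0x7F
            if nbytes == 0 or i + nbytes > len(buf):
                raise ValueError("bad long-form length")
            length, i = int.from_bytes(buf[i:i + nbytes], "big"), i + nbytes
        else:
            length = first
        if i + length > len(buf):              # length claims more bytes than we have
            raise ValueError("TLV value runs past end of buffer")
        out.append((tag, buf[i:i + length]))
        i += length
    return out

def encode_rocket(name: str, fuel: int, speed: int, payload: List[str]) -> bytes:
    inner = (tlv(TAG_NAME, name.encode("utf-8")) + tlv(TAG_FUEL, bytes([fuel]))
             + tlv(TAG_SPEED, speed.to_bytes(2, "big"))
             + tlv(SEQUENCE, b"".join(tlv(UTF8STRING, s.encode()) for s in payload)))
    return tlv(SEQUENCE, inner)

def decode_rocket(blob: bytes) -> dict:
    items = parse_tlvs(blob)
    if len(items) != 1 or items[0][0] != SEQUENCE:
        raise ValueError("expected a single outer SEQUENCE")
    f = dict(parse_tlvs(items[0][1]))
    return {"name": f[TAG_NAME].decode(), "fuel": f[TAG_FUEL][0],
            "speed": int.from_bytes(f[TAG_SPEED], "big"),
            "payload": [v.decode() for _, v in parse_tlvs(f[SEQUENCE])]}

ROCKET = encode_rocket("Falcon", 0, 1200, ["car", "GPS"])   # constructed sample
```

With these assumed field encodings the outer length byte comes out as 0x1B, the same value the talk points at in its diagram, and chopping one byte off the end makes the parser raise instead of reading past the buffer.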