Recently, we have noticed a common observation shared by many of the senior executives at our customers. With the increased awareness of cybersecurity as a business challenge, there is a commensurate need to discuss cybersecurity in business terms, specifically around how security can enable organizational agility, not slow it down. At Palo Alto Networks, we have focused on meeting this need with a variety of efforts, and recently took another important step in this regard.
Last week, with our new partner PwC, we released a jointly developed framework to help board members, senior executives, and technical executives (e.g., Chief Information Officers and Chief Information Security Officers) organize their corporate cybersecurity strategies around breach prevention. To position companies to prevent successful cyberattacks and enable organizational agility, we believe organizations must:
Identify organization-specific critical assets, priorities and related governance structures.
Monitor and analyze all traffic to establish visibility of all users, applications and content traversing corporate networks, clouds and endpoints, in order to define and refine organizational information security policies.
Protect from attack by enforcing policy to reduce the organizational attack surface and prevent known and unknown threats.
Detect and respond to the inevitable, successful attack in a manner that incorporates mitigations and protection mechanisms to prevent similar attacks in the future.
Chad Kinzelberg, Palo Alto Networks SVP for Corporate and Business Development, and David Burg, the Global Leader of the Cybersecurity Consulting practice at PwC, recently hosted a webinar on this framework. It includes practical applications of how the framework can help meet two increasingly crucial business needs: securely enabling adoption of cloud technologies and preventing advanced persistent threats. You can view this webinar on demand in ourBrightTalk portal.
We invite you to check out the framework and read the white paper, which discusses the framework in greater detail, and we welcome your feedback. How can this approach help your business prevent successful attacks to securely enable agility and productivity?
Gartner’s 2016 Magic Quadrant for Enterprise Network Firewalls has been released, and Palo Alto Networks is proud to be positioned in the Leaders quadrant for the fifth straight year.
We’re thrilled that Gartner researchers continue to highlight both our ability to execute and the completeness of our vision. Once again, we are one of only two vendors distinguished as Leaders in this space.
Over 30,000 customers in 140 countries have chosen Palo Alto Networks to realize the benefits of a true next-generation security platform, safeguard critical assets and prevent both known and unknown threats. I invite you to download the full 2016 Magic Quadrant for Enterprise Network Firewalls report here:
DISCLAIMER: This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available from Palo Alto Networks at http://go.paloaltonetworks.com/Gartner2016. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
On February 16, 2016 Google described a critical vulnerability in GLIBC’s getaddrinfo function. They provided a crash PoC, and so the task of producing a reliable exploit began. In this post, we will show how CVE-2015-7547 can bypass ASLR-enabled systems.
The Bug
getaddrinfo() is used to resolve a hostname and a service to struct addrinfo. This is done by performing a DNS query to get the corresponding IP address(es).
1
2
3
4
5
intgetaddrinfo(constchar*node,constchar*service,
conststructaddrinfo *hints,
structaddrinfo **res){
...
}
As an optimization, getaddrinfo()’s implementation uses alloca() function (which allocates a buffer on the stack) for the DNS response. In case the response is too long, it allocates a heap buffer and uses that instead. The bug stems from the fact that, under certain circumstances, the code updates the buffer size to the newly allocated heap buffer but keeps using the old stack buffer pointer. This creates a classic stack-bases overflow.
ASLR? ASLR!
The return address of getaddrinfo can be overwritten using this vulnerability, but where should we point it? In ASLR-enabled systems, module addresses are randomized. Therefore an attacker is not able to set the execution flow to a predefined address. In case the exploited application is compiled with PIE (as it should be), we cannot rely on its main executable to be located at a predefined location.
fork()
The standard way to create new processes in Linux is fork(). A typical fork would look like the following:
1
2
3
4
5
6
7
8
pid=fork();
if(0<pid){
/* Parent code goes here… */
}elseif(0==pid){
/* Child code goes here… */
}
…
Code resumes from the same opcode instruction in both parent and child processes. It only differs by the value of “pid”, which is returned by fork(). Unlike Windows, this means that a child process shares many characteristics with its parent — it has the same register state, stack and memory layout.
Sample Application Flow
Let us consider a server application that acts like the following:
A client remotely connects to the application.
In order to handle the client’s request, the application daemon forks itself.
As part of handling the request, the forked child process resolves a hostname using the “getaddrinfo()” function. Thus, it sends a DNS request to its DNS server.
DNS server replies with a valid response for the DNS request.
Child process initiates a connection with the resolved host.
Each time a request is handled by the daemon, it forks itself. This means that all child processes will share the same memory layout – including the addresses where modules are loaded. This simplified scenario is very common for many services such HTTP-proxies, email servers or DNS servers.
Exploitation Flow
For exploitation, we assume an attacker has the ability to answer arbitrary DNS requests performed by the server victim. The way this can be achieved is out of the scope of this paper; but, to name a few, this can be done by local ARP poisoning attack, DNS spoofing, etc.
An attacker initiates a request to the victim server.
In order to handle the attacker’s request, the victim daemon forks itself.
Forked child process performs a DNS request.
Attacker replies with a malicious DNS response that overwrites the child process’ instruction pointer (RIP) to the address. In this example, it sets it to 0x12121212.
Attacker gets a TCP-syn request initiated by the child process using “connect ()”.
If 0x12121212 is indeed the right return address of “getaddrinfo()”, then the application flow is continued as it should and issues the “connect()” right afterward.
1
2
0x000000001212120dcall _getaddrinfo
0x0000000012121212test eax,eax
If this is not the situation, and the attacker transferred the instruction pointer (RIP) to any other address, the application will crash either due to a segmentation fault or invalid opcode execution.
1
2
3
4
0x0000000012121200call _getaddrinfo
0x0000000012121206test eax,eax
..
0x0000000012121212invalid–opcode(RIP)
This behavior can be used as an indication of whether an address is the correct return address of getaddrinfo (if so, a TCP-connection will be created). Since module addresses are not randomized between different forks(), this address remains constant in all child processes. An attacker can abuse this behavior and enumerate all possible addresses until guessed correctly. At each DNS-response, the adversary would reply with a different address, knowing a crash means that address is incorrect.
However, this still requires enumerating ~264, which is not feasible.
Byte-by-Byte Approach
Instead, the attacker can overwrite a single byte every time. For example, assume the return address of getaddrinfo is 0x00007fff01020304:
We first respond with the right amount of bytes that only overwrite the LSB of getaddrinfo’s return address. We overwrite it with 0x00, which is incorrect since, in the above example, the return address LSB is 0x04; getaddrinfo will return to 0x00007fff01020300, which is invalid, and will crash. We repeat this process, but each time we increase the guessed LSB by 1. When we reach 0x04, the application won’t crash – this means 0x04 is the LSB of the return address!
Now we repeat the entire process, enumerating the next byte by overwriting 2 bytes of the return address (0x04 0x00). We set the value of the first byte (LSB) to the previously leaked one, so we only enumerate the second. This is proceeded until the entire return address is leaked (each time enumerating the next byte).
With this approach, the maximum amount of tries is 8 * 28 tries (28 per byte, 8 bytes per address). This enumeration is quite small and feasible within a few seconds.
Finding Exploitable Applications
We used the website http://codesearch.debian.net, which indexes the source of ~18,000 Debian packages. Searching for all the applications that call both “fork()” and “getaddrinfo()”, we found over 1300 potential exploitable apps. We then need to inspect the source code of each app and check if its flow suits our needs.
Tinyproxy
The tinyproxy application matches this flow. A new child process is “fork()d” when it issues an HTTP-connect request. It then calls “getaddrinfo()” to retrieve the IP address of the requested website. Then “connect()”s that host to get the website content.
Exploitation
The diagram previously shown is a simplification of the actual scenario. When overwriting the return address, we also overwrite several stack variables. If the attacker doesn’t set those to the right values beforehand, the application will crash before returning from getaddrinfo. If that happens, the adversary will not be able to overwrite RIP. Thus the attacker would employ the same technique in order to leak them.
Leaking an Arbitrary Stack Pointer
The first crash we encountered happened to be on the following code block:
First, rbx gets overwritten. It is then dereferenced by the “mov BYTE PTR [rbx], sil” instruction. Originally, rbx pointed to a buffer on the stack. This means that, if we use the byte-by-byte approach, we can enumrate its value and leak an address on the stack.
The diagram below (output of /proc/PID/maps) shows the stack’s boundaries. As you can see, its initial size is always greater than 0x1000 bytes.
The address pointed by rbx must be writable (otherwise a segmentation fault will be raised). But it happened to be a flaw in which it doesn’t matter to where we write the value of “sil”. As long as it is a writeable address, the flow will continue correctly. This means that it does not matter what value we set to the lower 12 bits of rbx since it will always be readable due to the size of the stack.
So we leaked an arbitrary pointer within the stack range. What happens when we have to be precise, where the address pointed by a stack variable affects the flow in a considerable way?
Leaking Stack Base
For situations like these, we have to rely on constant offsets. Since the flow of the application is always the same, the stack depth will always be the same. This means we can rely on the offset from stack base to these variables, structs and buffers.
Leaking the stack base is simpler than enumerating an arbitrary address. Since we already have an address within stack range – we can enumerate where the stack base is. We know the stack base is aligned to a page boundary (0x1000), and we also know that it will be the first non-readable address following the stack.
Let us assume that the stack base is at 0x00007fffed008000. We take the arbitrary stack address we leaked and align it to a page boundary – for instance 0x00007fffed000140 is aligned to 0x00007fffed000000. We then enumerate the stack base, starting from this aligned address and incrementing it between each attempt by 0x1000 (page size). After we send a response that overwrites the previously mentioned pointer, we wait for a short while and check if the server tried to connect to our resolved IP. If it did, it means we haven’t reached the stack base yet. If a timeout occurs, we assume the server crashed and we reached our goal.
Stack Base Offset
Before returning from getaddrinfo, the following check is performed:
(@ glibc nss_dns_gethostbyname4_r)
Note the block that is highlighted in red. If we reach it and pass an invalid heap pointer as an argument, the application crashes (as it tries to free an invalid heap block). To bypass this free(), r14 and rdi must be equal. r14 points to the original __alloca() stack buffer. Since the stack base was previously leaked, and the __alloca() buffer’s offset from the stack base should be constant, we didn’t expect to encounter any problem. However, we found out that the offset is slightly different at every run. Why?
Observing the above kernel code, you can see that, if ASLR is enabled, SP (stack-pointer) is decremented by a random number. This means that there will be a random delta between rsp and the stack base on every different run.
Fortunately, this number is quite small – only slightly bigger than the size of your average byte. We can easily enumerate this random offset.
Looking at the above IDA code snippet, we can see that if rdi equals to r14, the code path that attempts to free rdi won’t be taken. Thus, we used our previously leaked stack base, combined with a pre-calculated (i.e., if arch-align stack would return 0), and then attempted all the other 29possibilities.
Leaking LIBC Module
This part is now trivial, as we use the previously mentioned technique to enumerate each byte of the return address.
Code Execution
All that is left to do is to construct a ROP chain. This is very easy and straightforward. We know the offset of system() function from the base of libc, so we just set up its argument and call it using ROP.
Conclusion
“Classic” stack overflow vulnerabilities do not provide address leaks by nature. Still, under certain conditions, an attacker can leverage creative techniques to exploit those vulnerabilities. In this research, we abused the way Linux creates processes to bypass ASLR. In other scenarios, different security mitigations might be evaded.
This technique can be leveraged for other memory corruption bugs. Therefore, a vigilant user should always attempt to secure servers by deploying software patches and updates in a timely fashion. At Palo Alto Networks, developing a deeper understanding of such exploitation methods is a core objective of our mission to help our clients prevent breaches and secure our way of life in the digital age. This type of knowledge allows us to develop better threat intelligence and implement preventive techniques that help our customers stay one step ahead of potential threat actors.
The Center for Cyber Safety and EducationTM has announced the 2016 recipients of its Women’s Cybersecurity Scholarships. The scholarships, totaling US$40,000 in awards, will be provided to seven women from around the world in various levels of study to help them advance their cybersecurity careers. The Center is the nonprofit charitable foundation formed by (ISC)² in 2011 to empower students, parents, teachers and the general public, across all age groups and demographics, to secure their online lives with cybersecurity education and awareness programs.
According to the 2015 (ISC)² Global Information Security Workforce Study, women represent only 10 percent of the cybersecurity workforce. There is a talent gap facing the industry in general, with a shortage estimated at 1.5 million professionals by the year 2020. Increasing the number of women in the field by supporting those who are enrolled in formal education programs is one way that (ISC)² and the Center can help to fill that gap.
The Center teamed up with Raytheon, a technology company specializing in defense, civil government and cybersecurity solutions, to award two of the scholarships to Nicole Krantz and Catherine McLean. Each recipient will receive US$10,000 to support their cybersecurity education. Krantz is beginning the cybersecurity engineering program at George Mason University later this year. McLean is a junior at Northeastern University and is pursuing a bachelor’s degree in computer science cyber operations. She participates in the university’s co-op program and is currently working as an intern at Raytheon.
“I am so honored to accept the 2016 Raytheon’s Women in Cybersecurity Scholarship,” said Krantz. “It is such a wonderful opportunity that will open doors for me in the future. I could not attend George Mason University without it.”
Nicole Krantz
Catherine McLean
“I’m incredibly honored to be awarded Raytheon’s Women in Cybersecurity Scholarship,” said McLean. “This scholarship will enable me to continue pursuing my passion for security, through both classes and my internship at Raytheon COI, and I am excited to fully explore a career in this field.”
Scholarships were also awarded to graduate students Anna Truss of Excelsior College, Saleema Adejumo of the University of Leicester, Keirsten Williams of the University of Maryland, Shivani Singhal of Carnegie Mellon Univeristy and Jingxuan Wang, who is pursuing her Ph.D. at the University of Hong Kong.”With this partnership, the Center for Cyber Safety and Education and Raytheon are actively supporting women who are focused on information security and giving them the opportunity to gain valuable hands-on experience,” said Patrick Craven, director, Center for Cyber Safety and Education.
The cybersecurity field contains a professional charge like few others. Exploding into the commercial landscape over the last decade, the discipline finds itself in a perpetual state of flux. Subject to a myriad of definitions, many hopeful professionals and students know two things about cybersecurity: first, it is important; second, it is growing.
This trend is evident in the highest levels of corporate consciousness. A recent Forrester poll cited a 48 percent increase in executive awareness of information security. As a result, students and professionals worldwide are pursuing the vocation, while companies try hard to hire these professionals.
However, somewhere a disconnect has occurred in the training process because the people who have studied, prepped, certified and sacrificed for these skills and jobs are often deemed unqualified, unproven or unknown by hiring organizations. As a result, both the aspirational professional and the hopeful hiring organization are left wanting. This is underlined by the fact that one of the biggest hiring hurdles organizations face is finding people with the “right stuff.”
The same Forrester poll noted that 59 percent of cybersecurity organizations said finding employees with the right skills was either a challenge or a major challenge. Of those respondents, 59 percent felt keeping their cybersecurity team staffed appropriately was either a challenge or a major challenge. Thus, reinforcing findings of an ISACA/RSA survey State of Cybersecurity: Implications for 2016 that found 27 percent of respondents needed at least three to six months to fill vacancies.
This disruptive cycle of cybersecurity employment disappointment is a direct result of the current education and certification systems, churning out graduates and certificate holders who, while displaying gumption and interest, are rarely evaluated on the level that matters: hands-on performance. True capability in the field of cybersecurity does not rest in the traditional certification or education process, but requires performance-based testing and evaluation in live environments. Only through directly assessing an individual under pressure and time constraints are organizations able to truly place their faith in new hires.
The Problem
It is easy to see why a lot of cybersecurity job hopefuls are struggling. Traditional academic institutions offer advanced degrees in cybersecurity without ever dissecting a packet, instead providing curriculum heavy in policy and guidance. While no cyber education is complete without a thorough understanding of the laws that govern the realm, it is equally important that students learn the practical side of the craft. Meanwhile, many certification programs that vaunt their technical aspects suffer from rampant test and evaluation corruption, wherein students purchase copies of the antiquated knowledge-based exams online, memorizing the answers and cheating the certification process. So it comes as no surprise when most organizations feel that only half of their cybersecurity applicants are qualified upon hire.
The Solution
A cure is at hand: the Cybersecurity Nexus (CSX). CSX is a holistic, grassroots program—developed from the ground up—with real time evaluation of technical skills at its core. With three levels: Practitioner, Specialist and Expert, the program meets hiring organizations’ needs for new, proven talent. Understanding that the greatest skills needs in cybersecurity organizations are skills in security operations, such as device configuration, policy maintenance and intelligence analysis, CSX provides students with consistent, live lab environments, which are accessible anywhere with an Internet connection. Additionally, CSX integrates all of the important governance and policy details of the cybersecurity field, both internationally with ISO and ISA compliance, as well as Cybersecurity Framework elements.
While this is helpful for students, the true value lies in the certification exam that requires them to identify and protect assets, detect and respond to threats, and recover from network incidents in a live environment. They are evaluated in real time, based upon their performance and effectiveness. The end result is competent, proven cybersecurity professionals who provide results on their first day.
Hope for Competence
While the cybersecurity field matures and expands, it is important to remember that accurate evaluation of hands-on skills is the most effective way to assure that potential hires and aspirational professionals are able to prove their abilities. Through applying performance-based instructional and certification mechanisms, like those seen in the CSX program, organizations can feel confident that their new hires are applicable on day one and new employees can take solace in the knowledge that they have effectively proven their worth.
Editor’s note: The CSX Practitioner (CSXP) certification was recently honored by SC Magazine as the Best Professional Certification Program at the SC Awards Gala on Tuesday, March 1, during the RSA Conference. CSXP is the first vendor-neutral, performance-based certification on the market. ISACA’s CISA and CISM certifications were also among the five nominees from industry groups offering certifications to IT security professionals wishing to receive educational experience and credentials.
Frank Downs, Sr. Manager, Cyber/Information Security, ISACA
