# eth2 is the LAN side, eth1 is the WAN side
echo 1 >> /proc/sys/net/ipv4/ip_forward
/sbin/iptables -F
/sbin/iptables -P FORWARD DROP
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE 
/sbin/iptables -A FORWARD -i eth2 -j ACCEPT # Let LAN traffic through
/sbin/iptables -A FORWARD -o eth2 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

2009-01-14

Fuzzy Logic; Fuzzing BGP

The most recent BreakingPoint StrikePack adds support for BGP, the latest in a series of new fuzzers for routing protocols. Since the last blog post about our Routing Information Protocol (RIP) fuzzers focused more on usage and the BreakingPoint UI, this time the focus will be placed on how BreakingPoint implements it's fuzzers.

What's BGP, you ask?
The Border Gateway Protocol is yet another protocol that is used by routers to share their network topology information and status with other routers. Unlike RIP and OSPF, BGP is an exterior gateway protocol, meaning mostly used to connect (peer) large networks and ISPs together. Also unlike the other routing protocols BGP takes on a very different implementation using a stateful TCP connection and a database of all known router information instead of the more mathematical approach of minimal UDP broadcasts.

Whats in a fuzzer anyway?
Why would someone want to send strange or invalid data to themselves? In short, invalid data is better at getting to the little tested parts of an application and putting it through it's paces. Fuzzers have long been part of the Security Auditor's toolkit, but more and more projects are beginning to use fuzzing as part of their normal Q/A process.

BreakingPoint fuzzers are supported by the Security component in the form of special Strikes. On the BreakingPoint Labs side, a protocol library is written in Ruby and various test cases are created using this code. Each test case is then written up in the BreakingPoint Strike XML format and presented to the user as an individual strike. There are currently 33 such fuzzer strikes provided for the BGP protocol.

Each fuzzer strike typically targets a specific data value or packet type and tries a multitude of different values in turn. The goal is to provide malicious data or to provide too much data in hopes that something will break, showing the user where he needs to focus bug fixing efforts.

When inserting bad data, strings usually get filled with lots of quotes, null characters, and format or other special character sequences in order to try to make the application fail. Integer data types usually get hit with a list of commonly special values like powers of two.

Other types of fuzzers can benchmark certain constraints on the input data. For example, a data packet's size can be increased repeatedly until its maximum size is determined and reported to the user.

Peeking at the BGP Fuzzer

BGP Packet Header
The BGP header is rather simple. It consists of a 16-byte magic value (marker) field to signify itself as the BGP protocol, an 8-bit message type id, and a payload length. Here close attention is paid to the length-encoded payload field. A very common mistake made by application developers is access invalid memory because a length field is not checked.

• header_bad_marker_strings.xml
• header_bad_payload_strings.xml
• header_random_long_payloads.xml
• header_random_payload_bad_length.xml

KeepAlive Message
The KeepAlive message by design has no extra data included in addition to what is sent in the header. Here we add random data to the header's payload section, even though it is not expecting anything. Again the payload lengths are also fuzzed.

• keepalive_extraneous_payload_data_bad_lengths.xml
• keepalive_extraneous_payload_data.xml

Notification Message
There are only two fields in this message type, code and subcode, which are used to convey errors and other messages within the BGP session. All possible valid code combination's are sent, as well as totally random ones.

• notification_all_capability_codes.xml
• notification_all_cease_codes.xml
• notification_all_message_header_codes.xml
• notification_all_open_message_codes.xml
• notification_all_update_message_codes.xml
• notification_random_codes.xml

Open Message
This message type is the most complex of all because it must negotiate a multitude of options between client and server. Since these options consist of several nested layers of length-encoded bit structures, they are a good place to look for parser bugs.

• open_bad_payload_strings.xml
• open_params_bad_parameter_fields.xml
• open_params_bad_string_capabilities.xml
• open_params_invalid_field_length.xml
• open_params_invalid_length_capabilities_entries.xml
• open_params_invalid_length_parameter_entries.xml
• open_params_long_capabilities_entries.xml
• open_params_long_parameter_entries.xml
• open_params_long_parameter_fields.xml
• open_params_random_capability_types.xml
• open_params_random_parameters.xml
• open_params_random_parameter_types.xml
• open_random_bgp_id.xml
• open_random_hold_time.xml
• open_random_version.xml

Update Message
The update message is the main workhorse of BGP. It is responsible for the transfer of routing information to other routers. Again as with the Open type, we have quite a few of variable length-encoded structures to fuzz here.

• update_long_nlri.xml
• update_long_random_path_attributes_bad_length.xml
• update_long_random_path_attributes.xml
• update_long_withdrawn_routes_bad_lengths.xml
• update_long_withdrawn_routes.rb
• update_path_attributes_bad_length.xml
• update_random_path_attributes.xml

 

2008-12-12

Fuzzing the Routing Information Protocol (RIP)

As of the time of this writing, BreakingPoint has implemented 115 unique fuzzer strikes for 13 different protocols, most recently we added support for RIP and OSPF and a fuzzer for BGP will be coming soon. Since BreakingPoint's fuzzers are implemented as security strikes, our users are free to create any number of combinations of individual fuzzer test cases by building a custom strike-set in the Attack Manager. You can also globally tweak certain protocol parameters such as IP fragmentation or enabling several IPS evasion profiles.

Additionally, because we are talking about BreakingPoint testing tools, you can do all of your fuzzing while concurrently sending 10+ gigabits of realistic application traffic.

RIP Background

One of the best features of the modern Internet its amazing level of interconnectedness and fault tolerance. The Internet is able to repair itself as needed because of its fundamental design. As old routers fail or new ones are added, information about those routers is automatically spread around to facilitate the optimization of its resources. The Routing Information Protocol (RIP) is the oldest and simplest of routing protocols still in use today. Its current incarnation (RIP Version 2) is defined by RFC2453, adding several improvements like support for CIDR and authentication. RIP was originally implemented as the “routed” daemon for BSD Unix. Although newer protocols have largely obsoleted RIP, it is still in use today.

RIP takes a very simplistic approach to disseminating routing information based on the Bellman-Ford algorithm for finding shortest paths. This is a distance vector algorithm, meaning the hop count between routers is used to weight which route the protocol sees as optimal. Due to constraints and limitations of the protocol itself, modern RIP only gets limited use as an Interior Gateway Protocol on smaller internal networks.

Getting started

BreakingPoint users can easily set up a custom fuzzer within the BreakingPoint Control Center and create a new Attack Series containing the fuzzer strike-sets that you want to use.  You can then create a new test with a security component that uses your new attack series. It is a pretty quick and intuitive process using the same general process you would use to run any of the BreakingPoint fuzzers:

• Figure 1: The Attack Manager screen

After logging on, go to the Attack Manager screen by selecting that option from the “Managers” drop down menu on the top of the screen.

• Figure 2: Creating a new Attack Series

With the Attack Manager screen open, find the panel (in the left middle) labeled “Attack Series” and click the red plus sign button. This creates an empty list of strikes that you will fill with fuzzer strikes and link to a new test later on.

Now you'll need to populate your new attack series with some strikes. To do this locate the panel labeled “Strikes and Strikesets” on the right of the Attack Manager. Click the red plus sign to search for strikes to add.

• Figure 3: Adding the RIP strike set

Select RIP and hit the right arrow button to add it. If you leave all the search fields blank and ensure that the “Return Type” is set to “Strikesets” (default), then you should find the strike set for RIP on page two of the results. Feel free to look around for other strikes adding them as you please. Then hit the “add strikes” button at the bottom of the screen to save your list.

 

• Figure 4: Creating the test

Now, from the top menu, go to “Test →New Test” and a setup a new test. Add a security component and configure that to use your new Attack Series. This setting is listed under the “Parameters” tab in the security component's setting. The Attack Series you just created should be listed in the available options.

 

• Figure 5: Running the test

From this point everything works just like any normal test. Click “Save and Run” to start it up. Be sure to monitor your test device for any errors that the fuzzers might induce.

Finally, if you get tired of seeing “test failed” every time you run because your device passes some of the fuzzer traffic, you can go to the “Define Test Criteria” menu from the test screen and click “Disable all default criteria” so that your test will always list as passed.

 

2008-10-01

Toorcon X Mini Wrap-Up

On the whole, I was very happy to have attended the 10th Toorcon in San Diego, CA. Toorcon is probably my favorite small con. The attendance isn't massive but the people are generally more interested and knowledgeable in hacking and security. Not to mention that downtown San Diego is a blast and the weather is absolutely perfect. These were my highlights:

The Future of Lockpicking, datagram
I was glad to see a talk on lock picking that went beyond the realm of a simple how to or a single type attack.  Datagram didn't spend too long explaining the lockpicking techniques even though he did have some good animated visual aids. Instead, he focused a lot on how a lock vendor would react to new attacks getting media publicity. Just like in the software security world, some vendors wouldn't ever go beyond a PR response. Some vendors would add a metal plate in a certain place, much like a software patch, and others still redesigned the locks entirely. Some very interesting industry parallels.

Owning Telephone Entry Systems, Joshua Brashers
So many apartment complexes, condos, and gated communities have computerized panels that visitors can use to ask permission to gain entry. The talk outlined many different types of attacks against these types of systems. Most of these appear to be serviced by 3rd parties and allow you to remotely dial-in. And of course, default passwords are rarely changed. He showed how he was able to “back door the front gate” by adding a new entry that played a “Rick Roll” instead of calling a resident and later opened the gate. Another and more scary attack he outlined was the ability to proxy normal entry calls to his apartment using a VoIP server to perform the MiTM. This looked like it was a lot of fun.

How To Impress Girls With Browser Memory Protection Bypasses, Alexander Sotirov
This was a great talk. Although Dowd and Sotirov gave this talk at Blackhat almost two months ago. It was still a fun and entertaining talk to sit though. Alex outlined the implementations of the newer Microsoft memory protection schemes like SafeSEH, DEP, and ASLR. Then showed how and why none of them were effective in defending Internet Explorer from attacks and how much that impressed the ladies. The paper is here.