Robin Hood vs Cisco ASA Anyconnect - NCC Group
Page 1
Recon Brussels – February 2018
Robin Hood vs Cisco ASA Anyconnect
Page 2
Speaker
• Cedric Halbronn (@saidelike)
• Previously worked at Sogeti ESEC Lab
• Currently in Exploit Development Group (EDG) at NCC Group
• Vulnerability research
• Reverse engineering
• Exploit development
Page 3
Agenda
• Find a pre-auth 0-day in a Cisco ASA firewall
• Prove Remote Code Execution
• How to protect against 0-day?
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
Page 4
Cisco ASA firewalls
• Entry point to most enterprises
• ASA != IOS
• ASA = Linux + a single “lina” binary / x86 or x86_64
• dlmalloc or ptmalloc heap allocator [1]
• IOS = proprietary operating system / PowerPC
[1] https://github.com/nccgroup/asafw/blob/master/README.md#mitigation-summary
Page 5
SSL VPN
• WebVPN: client-less (browser)
• AnyConnect: client on Windows, OS X, Linux, Android, iPhone OS
SSL
SSL
Page 6
IKE VPN
• A.k.a. IPSec
• Typically static point-to-point VPNs
• Also supported by native Windows client or even AnyConnect?
Source: https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119208-config-asa-00.html#anc17
IKEv1 or IKEv2
Page 7
Previous work
• 2014
• Various WebVPN ASA version leaks (Alec Stuart)
• 2016
• CVE-2016-1287: heap overflow in IKE Cisco fragmentation (Exodus Intel)
• CVE-2016-6366: SNMP OID stack overflow (Shadow Brokers)
• 2017
• Cisco ASA series on NCC blog in 8 parts (so far)
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/cisco-asa-series-part-one-intro-to-the-cisco-asa/
https://github.com/nccgroup/asatools
Page 8
Vulnerability & feng-shui overview
IKEv1
WebVPN/AnyConnect
SSL
Page 9
The bigger the worse?
• What license to buy?
• An IKE session limits the quantity of data sent as IKE fragments to 0x8000 bytes
• More sessions, more feng shui
• Exploit is more reliable against expensive Cisco hardware and license
• Possible to rob from the rich and give to the poor
• So I named my vulnerability/exploit: Robin Hood
Source: https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-ike.html#ID-2441-00000058
50 IKE sessions
250 IKE sessions
750 IKE sessions
5000 IKE sessions
Page 10
Finding a bug
Page 11
Sniffing SSL AnyConnect
• First message sent by AnyConnect client
XML
Burp (or similar)
Page 12
Supported XML tags
• Initial sample contains all supported tags
Input mutation fuzzing
Reverse engineering
Page 13
Fuzzing architecture
• Spray/pray/prey
• Speed: 1 test / few seconds…
• No gdb attached, is that not slow enough?
Diagram: Mutated XML packet (radamsa) → Ping (still alive?) → NO → save packet
https://github.com/aoh/radamsa
Page 14
The wall is on fire…
• Want to start fuzzing before going on leave…
• ASA firewall keeps crashing
Page 15
Understanding the bug
Page 16
Triage
• asadbg-assisted
• https://github.com/nccgroup/asadbg
Fire testcase
Save crash info
Connect GDB
Page 17
Replay with gdb script
# hook-stop runs the next time gdb stops, which should be the crash,
# so we log the state to a file (%CRASH_LOG_FILE% is a placeholder
# filled in by the triage script)
define hook-stop
set logging file %CRASH_LOG_FILE%
set logging on
set logging redirect on
set logging overwrite on
# ret-sync: sync with IDA, then symbolised backtrace (bbt) and registers
sync
bbt
i r
set logging off
set logging redirect off
end
continue
# below will be executed after it breaks because of a crash
# and this allows us to exit gdb
detach
quit
Page 18
One crash to rule them all
• All the same crash
• Both ASAv 64-bit / ASA 32-bit
Page 19
The smaller the better
• Fits in a tweet
AnyConnect Host Scan: https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_hostscan.html
Page 20
Back to the trace
• What is it?
• Crash in free()
• Invalid heap metadata?
• Heap overflow?
• UAF?
• Double free?
• Other?
• Interesting functions
• *auth_process_client*
• *FreeParser*
Page 21
2 days reversing later…
• aggregateAuthParseBuf
• Receive the XML / initialize the libexpat parser
• Cisco-specific callbacks registered
• aggregateAuthStartHandler: called when XML tag opened
• aggregateAuthDataHandler: called when XML data parsed
• aggregateAuthEndHandler: called when XML tag closed
Page 22
Data handler
Page 23
Data handler
• First packet with <host-scan-reply> tag
• Allocate heap buffer for data, copy data, free it (but dangling pointer)
• Second packet with <host-scan-reply> tag
• No reallocation, copy data, free it
• Tags’ data copied and appended in the same chunk
double-free vulnerability on 0x2040-byte chunk
Pages 24-33 (animation of the same slide, diagram labels in order):
1. XML 1: allocated chunk
2. XML tag data copied in chunk
3. Chunk is freed
4. XML tag data dangling pointer retained by Cisco callback
5. XML 2: XML tag data appended in free chunk
6. Chunk is freed (double-free)
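The allocate-once / free-at-close callback pattern described on the Data handler slides, as an added example that is not Cisco's code and not part of this deck: a toy parser state with the data and end handlers in both the form the slides describe and a hardened form, run against a quarantining allocator of the kind ASan uses, so the write through the dangling pointer and the second free are reported rather than corrupting a real heap. The handler names, the 0x2000 buffer size, the packet contents and the allocator itself are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not Cisco's code: the allocate-once / free-at-close
 * handler pattern from the slides and its hardened form, run against a
 * quarantining allocator that reports dangling writes and double frees. */

#define CHUNK_SIZE 0x2000   /* constructed buffer size */
#define MAX_BLOCKS 16

typedef struct { char *ptr; int live; } block_t;

typedef struct {
    block_t blocks[MAX_BLOCKS];
    int count;
    int double_frees;   /* free() of a block that was already freed */
    int freed_writes;   /* write into a block that was already freed */
} heap_t;

static block_t *heap_find(heap_t *h, const char *p) {
    for (int i = 0; i < h->count; i++)
        if (h->blocks[i].ptr == p) return &h->blocks[i];
    return NULL;
}

static char *heap_alloc(heap_t *h, size_t n) {
    if (h->count >= MAX_BLOCKS) return NULL;
    char *p = calloc(1, n);
    if (p == NULL) return NULL;
    h->blocks[h->count].ptr = p;
    h->blocks[h->count].live = 1;
    h->count++;
    return p;
}

/* Freed blocks stay mapped (quarantine), so later misuse is observable. */
static void heap_free(heap_t *h, char *p) {
    block_t *b = heap_find(h, p);
    if (b == NULL) return;
    if (!b->live) { h->double_frees++; return; }
    b->live = 0;
}

/* Bounds-checked append into a tracked block; flags writes to dead blocks. */
static void heap_write(heap_t *h, char *base, size_t off, const char *src, size_t n) {
    block_t *b = heap_find(h, base);
    if (b == NULL || off + n > CHUNK_SIZE) return;
    if (!b->live) h->freed_writes++;
    memcpy(base + off, src, n);
}

static void heap_release(heap_t *h) {
    for (int i = 0; i < h->count; i++) free(h->blocks[i].ptr);
    memset(h, 0, sizeof *h);
}

typedef struct {
    heap_t *heap;
    char *buf;      /* character data of the current <host-scan-reply> */
    size_t len;
    int hardened;   /* 0 = pattern from the slides, 1 = fixed */
} parser_t;

/* Character-data callback: allocates only while buf is NULL, then appends. */
static void data_handler(parser_t *p, const char *data, size_t n) {
    if (p->buf == NULL) { p->buf = heap_alloc(p->heap, CHUNK_SIZE); p->len = 0; }
    if (p->buf == NULL) return;
    heap_write(p->heap, p->buf, p->len, data, n);
    p->len += n;
}

/* End-tag callback: frees the buffer. The slide pattern keeps the pointer,
 * so the next <host-scan-reply> appends into freed memory and frees again. */
static void end_handler(parser_t *p) {
    if (p->buf == NULL) return;
    heap_free(p->heap, p->buf);
    if (p->hardened) { p->buf = NULL; p->len = 0; }  /* fix: clear the pointer */
}

/* Feeds two packets, each one <host-scan-reply> element with constructed
 * data, and returns dangling writes + double frees seen by the allocator. */
static int run_scenario(int hardened, int *double_frees, int *freed_writes) {
    static const char *packets[2] = { "host-scan-data-1", "host-scan-data-2" };
    heap_t heap;
    memset(&heap, 0, sizeof heap);
    parser_t p = { &heap, NULL, 0, hardened };
    for (int i = 0; i < 2; i++) {
        data_handler(&p, packets[i], strlen(packets[i]));
        end_handler(&p);
    }
    if (double_frees) *double_frees = heap.double_frees;
    if (freed_writes) *freed_writes = heap.freed_writes;
    int total = heap.double_frees + heap.freed_writes;
    heap_release(&heap);
    return total;
}

static int count_double_frees(int hardened) { int d = 0; run_scenario(hardened, &d, NULL); return d; }
static int count_freed_writes(int hardened) { int w = 0; run_scenario(hardened, NULL, &w); return w; }

int main(void) {
    printf("slide pattern: %d dangling write(s), %d double free(s)\n",
           count_freed_writes(0), count_double_frees(0));
    printf("hardened:      %d dangling write(s), %d double free(s)\n",
           count_freed_writes(1), count_double_frees(1));
    return 0;
}
```

The second packet is what makes the slide pattern fail: `buf` is still set, so no new allocation happens, the data lands in quarantined memory (one dangling write) and the end handler frees the same block a second time. Clearing `buf` after the free is the whole fix; on a real target the inline `mh_magic` check on the next slides plays the role of this tracker's `live` flag.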
Page 34
assert() due to invalid metadata
• Inline metadata/header for heap chunks
Allocated chunk header: prev_foot = 0x8180d4d0, head = 0x1d0 (CINUSE|PINUSE), mh_magic = 0xa11c0123, mh_len = 0x1a4, mh_refcount = 0x0, mh_unused = 0x0, mh_fd_link = 0xacb85b30, mh_bk_link = 0xa8800604, allocator_pc = 0x86816b3, free_pc = 0x868161d
Free chunk header: prev_foot = 0x8180d4d0, head = 0x30 (PINUSE), fd = 0xac825ab8, bk = 0xa880005c, mh_refcount = 0xf3ee0123, mh_unused = 0x0, mh_fd_link = 0x0, mh_bk_link = 0x0, allocator_pc = 0x0, free_pc = 0x0
• Hence why our fuzzer caught it!
Diagram: chunkH | chunkH | chunkH | Free chunkH; the allocated chunk header and the free chunk header put their fields at the same offset
Page 35
Exploiting the bug like RobinHood
Page 36
Objective: mirror write
• Allocated chunks hold pointers to alloc lists
Allocated chunk header: prev_foot = 0x8180d4d0, head = 0x1d0 (CINUSE|PINUSE), mh_magic = 0xa11c0123, mh_len = 0x1a4, mh_refcount = 0x0, mh_unused = 0x0, mh_fd_link = 0xacb85b30, mh_bk_link = 0xa8800604, allocator_pc = 0x86816b3, free_pc = 0x868161d
• Target mempool alloc lists to get a mirror write
• No safe unlinking on Cisco specific metadata on all ASA versions
• Even if dlmalloc or ptmalloc had safe unlinking for free chunks
• Mirror write: unlinking an element from a doubly-linked list will trigger two write operations
• One operation is the useful one, the other is a side effect
• Constraint: both need to be writable addresses
• Was already abused in 2016 by Exodus Intel
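The two writes of an unlink, and the check that stops them once list metadata has been tampered with, as an added example that is not dlmalloc's, ptmalloc's or Cisco's code: a sentinel-headed doubly-linked list with the plain unlink beside a safe-unlink variant that requires fd->bk == p and bk->fd == p before touching anything, which is the check glibc's malloc applies to its free-chunk lists. The decoy nodes stand in for whatever writable addresses corrupted fd/bk fields would name, and everything here is constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not dlmalloc's, ptmalloc's or Cisco's code: a
 * sentinel-headed doubly-linked list with the plain unlink (two writes)
 * next to a safe unlink that refuses nodes whose neighbours do not point
 * back at them. */

typedef struct node { struct node *fd; struct node *bk; int id; } node_t;

static void list_init(node_t *head) { head->fd = head; head->bk = head; head->id = -1; }

static void list_insert_after(node_t *pos, node_t *n) {
    n->fd = pos->fd;
    n->bk = pos;
    pos->fd->bk = n;
    pos->fd = n;
}

/* Plain unlink: both writes happen unconditionally, so corrupted fd/bk
 * fields turn it into two pointer writes at locations chosen by whoever
 * overwrote the header. */
static void unlink_plain(node_t *p) {
    node_t *fd = p->fd, *bk = p->bk;
    fd->bk = bk;    /* write 1: value bk stored at fd->bk */
    bk->fd = fd;    /* write 2: value fd stored at bk->fd (the mirror) */
}

/* Safe unlink (the glibc-style check): refuse unless fd->bk == p and
 * bk->fd == p. Returns 1 when unlinked, 0 when corruption is detected. */
static int unlink_safe(node_t *p) {
    node_t *fd = p->fd, *bk = p->bk;
    if (fd == NULL || bk == NULL || fd->bk != p || bk->fd != p) return 0;
    fd->bk = bk;
    bk->fd = fd;
    return 1;
}

/* Walks forward from the sentinel; capped so a corrupt list cannot spin. */
static int list_length(const node_t *head) {
    int n = 0;
    for (const node_t *c = head->fd; c != head && n < 64; c = c->fd) n++;
    return n;
}

/* head <-> a <-> b <-> c, then b is removed legitimately: expect 2. */
static int demo_legitimate_unlink(void) {
    node_t head, a = {0}, b = {0}, c = {0};
    list_init(&head);
    list_insert_after(&head, &a);
    list_insert_after(&a, &b);
    list_insert_after(&b, &c);
    unlink_plain(&b);
    return list_length(&head);
}

/* Overwrites c's links the way an overflow into its header would (constructed;
 * the decoys stand in for any writable addresses the corrupt fields name). */
static void corrupt_links(node_t *head, node_t *c, node_t *d1, node_t *d2) {
    list_init(head);
    list_insert_after(head, c);
    d1->fd = d1->bk = NULL;
    d2->fd = d2->bk = NULL;
    c->fd = d1;
    c->bk = d2;
}

/* Plain unlink on the corrupt node: decoy1.bk := &decoy2, decoy2.fd := &decoy1.
 * Returns 1 when both writes landed, i.e. the mirror write happened. */
static int demo_plain_mirror_write(void) {
    node_t head, c, d1, d2;
    corrupt_links(&head, &c, &d1, &d2);
    unlink_plain(&c);
    return d1.bk == &d2 && d2.fd == &d1;
}

/* Safe unlink on the same corrupt node: rejected, decoys untouched.
 * Returns 1 when the node was refused and no write happened. */
static int demo_safe_rejects_corruption(void) {
    node_t head, c, d1, d2;
    corrupt_links(&head, &c, &d1, &d2);
    int accepted = unlink_safe(&c);
    return !accepted && d1.bk == NULL && d2.fd == NULL;
}

int main(void) {
    printf("legitimate unlink leaves %d node(s)\n", demo_legitimate_unlink());
    printf("plain unlink on corrupt node did the mirror write: %d\n", demo_plain_mirror_write());
    printf("safe unlink refused the corrupt node: %d\n", demo_safe_rejects_corruption());
    return 0;
}
```

The check costs two loads per unlink and is what the slide means by "safe unlinking": a node whose neighbours do not point back at it is never written through, so a corrupted header becomes a detectable assert instead of a write primitive. The "both need to be writable addresses" constraint on the slide is visible in `unlink_plain`: both `fd->bk` and `bk->fd` are dereferenced, so neither decoy may be unmapped.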
Page 37
Exploit strategy
Use double free
Create confusion state on the heap
Overflow some memory
Overwrite linked list pointers
Trigger mirror write primitives
Overwrite a function pointer
Get RCE
Page 38
Use what you got
• Leverage what you learnt from CVE-2016-1287 (IKE heap overflow)
• IKEv1 feng shui is quite reliable
• IKE fragmentation can be used to overflow memory
• Simple IKE reassembly
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/november/cisco-asa-series-part-eight-exploiting-the-cve-2016-1287-heap-overflow-over-ikev1/
Diagram: fragments Seqno=1, Seqno=2, Seqno=3 (LastFrag=1) → Reassembled packet: 1 2 3
Page 39
Primitive 1 - Hole creation with IKEv1
• Session 1: fill holes
• Session 2: only two fragments
• Frag 1: future hole
• Frag 2: trigger reassembly, hence creating hole
Pages 40-49 (animation of the same slide, diagram labels in order):
1. sess1
2. sess1 sess1
3. sess1 sess2 sess1 (sess2 fragment SeqNo=1)
4. sess1 sess2 sess1 sess1
5. sess1 sess2 sess1 sess1 sess1
6. sess1 sess2 sess1 sess1 sess2 sess1 (sess2 fragments SeqNo=1 and SeqNo=2, LastFrag=1)
7. reass (reassembly of sess2)
8. sess1 sess1 sess1 sess1 (the sess2 fragments are gone, leaving holes where they were)
Page 50
Primitive 2 - Overflow with IKEv1
Note: for the sake of simplicity, we do not show sequence numbers anymore
1. Reduce the accumulated length (CVE-2016-1287)
2. Increase fragment length (overflow primitive)
Pages 51-64 (animation of the same slide, diagram labels in order):
• Step 1: sess1, sess1 sess1, sess1 sess1 sess1 (LastFrag=1)
• Reassembled packet: sess1 sess1 sess1
• Heap overflow
• Step 2: sess1, sess1 sess1 (LastFrag=1), sess1
![Page 65: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/65.jpg)
Primitive 2 - Overflow with IKEv1
Note: for the sake of simplicity, we do not show sequence numbers anymore
1. Reduce the accumulated length (CVE-2016-1287)
2. Increase fragment length (overflow primitive)
sess1 sess1 sess1
LastFrag=1
Reassembled packet
sess1 sess1 sess1
Heap overflow
sess1 sess1
LastFrag=1
sess1
![Page 66: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/66.jpg)
Primitive 2 - Overflow with IKEv1
Note: for the sake of simplicity, we do not show sequence numbers anymore
1. Reduce the accumulated length (CVE-2016-1287)
2. Increase fragment length (overflow primitive)
sess1 sess1 sess1
LastFrag=1
Reassembled packet
sess1 sess1 sess1
Heap overflow
sess1 sess1
LastFrag=1
sess1
![Page 67: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/67.jpg)
Primitive 2 - Overflow with IKEv1
Note: for the sake of simplicity, we do not show sequence numbers anymore
1. Reduce the accumulated length (CVE-2016-1287)
2. Increase fragment length (overflow primitive)
sess1 sess1 sess1
LastFrag=1
Reassembled packet
sess1 sess1 sess1
Heap overflow
sess1 sess1
LastFrag=1
Reassembled packetsess1
![Page 68: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/68.jpg)
Primitive 2 - Overflow with IKEv1
Note: for the sake of simplicity, we do not show sequence numbers anymore
1. Reduce the accumulated length (CVE-2016-1287)
2. Increase fragment length (overflow primitive)
sess1 sess1 sess1
LastFrag=1
Reassembled packet
sess1 sess1 sess1
Heap overflow
sess1 sess1
LastFrag=1
Reassembled packet
sess1
sess1
![Page 69: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/69.jpg)
Primitive 2 - Overflow with IKEv1
Note: for the sake of simplicity, we do not show sequence numbers anymore
1. Reduce the accumulated length (CVE-2016-1287)
2. Increase fragment length (overflow primitive)
sess1 sess1 sess1
LastFrag=1
Reassembled packet
sess1 sess1 sess1
Heap overflow
sess1 sess1
LastFrag=1
Reassembled packet
sess1 sess1
sess1
![Page 70: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/70.jpg)
Primitive 2 - Overflow with IKEv1
Note: for the sake of simplicity, we do not show sequence numbers anymore
1. Reduce the accumulated length (CVE-2016-1287)
2. Increase fragment length (overflow primitive)
sess1 sess1 sess1
LastFrag=1
Reassembled packet
sess1 sess1 sess1
Heap overflow
sess1 sess1
LastFrag=1
Reassembled packet
sess1 sess1 sess1
sess1
![Page 71: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/71.jpg)
Primitive 2 - Overflow with IKEv1
Note: for the sake of simplicity, we do not show sequence numbers anymore
1. Reduce the accumulated length (CVE-2016-1287)
2. Increase fragment length (overflow primitive)
sess1 sess1 sess1
LastFrag=1
Reassembled packet
sess1 sess1 sess1
Heap overflow
sess1 sess1
LastFrag=1
Reassembled packet
sess1 sess1 sess1
Heap overflowsess1
N
N-18
N+18
![Page 72: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/72.jpg)
Limited overflow (18-byte on 32-bit)
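The accumulated-length problem behind steps 1 and 2 above, as an added example that is not from the talk and not Cisco's code: a simplified fragment reassembler whose naive length accounting can be shrunk by a malformed fragment, beside a hardened version that sizes its buffer only from validated fragments. The 8-byte header, the frag_t model and the sample fragments are assumptions for illustration; sequence ordering is ignored, as on the slides.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model: an 8-byte fragment header whose on-wire length field
 * includes itself, so the payload is declared_len - 8. Not Cisco's code. */
#define FRAG_HDR_LEN 8

typedef struct {
    uint16_t declared_len;   /* length field from the wire, header included */
    uint8_t  last;           /* LastFrag flag (ordering ignored, as on slides) */
    const uint8_t *payload;  /* bytes received after the header */
    size_t   payload_len;    /* number of bytes actually received */
} frag_t;

typedef enum { REASM_OK = 0, REASM_BAD_LEN = -1, REASM_TOO_BIG = -2, REASM_NOMEM = -3 } reasm_rc;

/* Naive accounting: header subtracted from the declared length in signed
 * arithmetic, so a fragment declaring fewer than 8 bytes contributes a negative
 * amount and shrinks the running total (the "reduce" step). A buffer sized from
 * this total is then too small for the payload bytes that are copied into it. */
int naive_accumulated_len(const frag_t *f, size_t n)
{
    int acc = 0;
    for (size_t i = 0; i < n; i++)
        acc += (int)f[i].declared_len - FRAG_HDR_LEN;
    return acc;
}

/* Hardened: the declared length must cover the header and must equal the
 * bytes actually received, so no fragment can ever shrink the total. */
reasm_rc validate_fragment(const frag_t *f)
{
    if (f->declared_len < FRAG_HDR_LEN)
        return REASM_BAD_LEN;
    if ((size_t)f->declared_len - FRAG_HDR_LEN != f->payload_len)
        return REASM_BAD_LEN;
    return REASM_OK;
}

/* Sizes the buffer from validated fragments only, caps it at max_total, and
 * copies exactly the bytes that were counted. */
reasm_rc safe_reassemble(const frag_t *f, size_t n, size_t max_total,
                         uint8_t **out, size_t *out_len)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        reasm_rc rc = validate_fragment(&f[i]);
        if (rc != REASM_OK)
            return rc;
        if (f[i].payload_len > max_total - total)  /* no size_t wraparound */
            return REASM_TOO_BIG;
        total += f[i].payload_len;
    }
    uint8_t *buf = malloc(total ? total : 1);
    if (buf == NULL)
        return REASM_NOMEM;
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        memcpy(buf + off, f[i].payload, f[i].payload_len);
        off += f[i].payload_len;
    }
    *out = buf;
    *out_len = total;
    return REASM_OK;
}

/* Constructed sample: 30 + 40 payload bytes, optionally with a malformed
 * middle fragment that declares a 2-byte length (below the 8-byte header). */
static const uint8_t SAMPLE_A[30] = { 0xAA };
static const uint8_t SAMPLE_B[40] = { 0xBB };

size_t build_sample(frag_t *out, int include_malformed)
{
    size_t n = 0;
    out[n++] = (frag_t){ FRAG_HDR_LEN + 30, 0, SAMPLE_A, 30 };
    if (include_malformed)
        out[n++] = (frag_t){ 2, 0, SAMPLE_B, 0 };
    out[n++] = (frag_t){ FRAG_HDR_LEN + 40, 1, SAMPLE_B, 40 };
    return n;
}

/* Naive total for the sample: 70 when well formed, 64 with the malformed
 * fragment, although 70 payload bytes still arrive: a 6-byte heap overflow. */
int sample_naive_len(int include_malformed)
{
    frag_t f[3];
    size_t n = build_sample(f, include_malformed);
    return naive_accumulated_len(f, n);
}

/* Negative: rejection code from the hardened path. Otherwise: bytes reassembled. */
long sample_reassemble(int include_malformed)
{
    frag_t f[3];
    uint8_t *buf = NULL;
    size_t len = 0, n = build_sample(f, include_malformed);
    reasm_rc rc = safe_reassemble(f, n, 65536, &buf, &len);
    if (rc != REASM_OK)
        return rc;
    free(buf);
    return (long)len;
}
```

The defensive point is that the buffer size must be derived from the validated data at allocation time, never from a running counter that untrusted input can adjust downwards.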
![Page 73: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/73.jpg)
Primitive 3 – Repeatable free with XML
• XML data allocated for first packet, then freed
• Allocate IKEv1 fragment in same hole
• Free IKEv1 fragment using the double free primitive
• Allocate another IKEv1 fragment in same hole
Interesting confusion state
[Figure (animated over pages 73–80): a row of feng shui chunks (feng) around one hole; labels: XML tag data, dangling pointer, session frag (sess, F), XML packet 2, replacement frag (repl), "confused"]
![Page 81: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/81.jpg)
Exploit in a (coco)nut shell
• Hole creation primitive with IKEv1
• Allocate XML data in hole / freed at the end
• Allocate fragment in same hole
• Repeatable free primitive with XML
• Allocate fragment with larger size in same hole
• Trigger reassembly → corrupt linked list pointers
• Trigger mirror writes → corrupt a function pointer
Robin Hood uses IKEv1 sessions
• Blue: separators
• Green: hole creation
• Orange: targets for mirror writes
• Red: confused session reassembled
• Brown: replacement frag
• Purple: reassembled packet
[Figure (animated over pages 81–105): heap layout split into "Adjacent on the heap" and "Somewhere else on the heap …"; chunk labels feng, creat1, creat2, target1, target2, sess, repl, R, F with sizes 0x2040, 0x4050, 0x30, 0x20d0; annotations: LastFrag=1, XML packet 1, XML tag data, dangling pointer, session frag, XML packet 2, replacement frag, "confused"]
![Page 106: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/106.jpg)
Exploit in a (coco)nut shell• Hole creation primitive with IKEv1
• Allocate XML data in hole / freed at the end
• Allocate fragment in same hole
• Repeatable free primitive with XML
• Allocate fragment with larger size in same hole
• Trigger reassembly corrupt linked list pointers
• Trigger mirror writes corrupt a function pointer
feng target1 target2
0x2040 0x2040
F
0x6120
0x2040 0x2040 0x20400x2040
feng
0x2040
feng
0x2040
Robin Hood uses IKEv1 sessions
• Blue: separators
• Green: hole creation
• Orange: targets for mirror writes
• Red: confused session reassembled
• Brown: replacement frag
• Purple: reassembled packet
XML tag data
dangling pointer session frag replacement frag
“confused”
Adjacent on the heap Somewhere else on the heap
…
![Page 107: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/107.jpg)
Exploit in a (coco)nut shell• Hole creation primitive with IKEv1
• Allocate XML data in hole / freed at the end
• Allocate fragment in same hole
• Repeatable free primitive with XML
• Allocate fragment with larger size in same hole
• Trigger reassembly corrupt linked list pointers
• Trigger mirror writes corrupt a function pointer
feng target1 target2
0x2040 0x2040
0x6120
O
0x2040 0x2040 0x20400x2040
feng
0x2040
feng
0x2040
Robin Hood uses IKEv1 sessions
• Blue: separators
• Green: hole creation
• Orange: targets for mirror writes
• Red: confused session reassembled
• Brown: replacement frag
• Purple: reassembled packet
• Grey: overlapping packet
XML tag data
dangling pointer session frag replacement frag
“confused”
Adjacent on the heap Somewhere else on the heap
…
![Page 108: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/108.jpg)
Exploit in a (coco)nut shell• Hole creation primitive with IKEv1
• Allocate XML data in hole / freed at the end
• Allocate fragment in same hole
• Repeatable free primitive with XML
• Allocate fragment with larger size in same hole
• Trigger reassembly corrupt linked list pointers
• Trigger mirror writes corrupt a function pointer
feng target1 target2
0x2040 0x2040
0x6120
O
0x2040 0x2040 0x2040
H H
0x2040
feng
0x2040
feng
0x2040
Robin Hood uses IKEv1 sessions
• Blue: separators
• Green: hole creation
• Orange: targets for mirror writes
• Red: confused session reassembled
• Brown: replacement frag
• Purple: reassembled packet
• Grey: overlapping packet
XML tag data
dangling pointer session frag replacement frag
“confused”
Adjacent on the heap Somewhere else on the heap
…
![Page 109: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/109.jpg)
Exploit in a (coco)nut shell• Hole creation primitive with IKEv1
• Allocate XML data in hole / freed at the end
• Allocate fragment in same hole
• Repeatable free primitive with XML
• Allocate fragment with larger size in same hole
• Trigger reassembly corrupt linked list pointers
• Trigger mirror writes corrupt a function pointer
feng target1 target2
0x2040 0x2040
0x6120
O
0x2040 0x2040
LastFrag=1
0x2040
H H
0x2040
feng
0x2040
feng
0x2040
Robin Hood uses IKEv1 sessions
• Blue: separators
• Green: hole creation
• Orange: targets for mirror writes
• Red: confused session reassembled
• Brown: replacement frag
• Purple: reassembled packet
• Grey: overlapping packet
XML tag data
dangling pointer session frag replacement frag
target2
“confused”
Adjacent on the heap Somewhere else on the heap
…
![Page 110: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/110.jpg)
Exploit in a (coco)nut shell• Hole creation primitive with IKEv1
• Allocate XML data in hole / freed at the end
• Allocate fragment in same hole
• Repeatable free primitive with XML
• Allocate fragment with larger size in same hole
• Trigger reassembly corrupt linked list pointers
• Trigger mirror writes corrupt a function pointer
feng target1
0x2040 0x2040
0x6120
O
0x2040 0x2040 0x2040
H H
0x2040
feng
0x2040
feng
0x2040
Robin Hood uses IKEv1 sessions
• Blue: separators
• Green: hole creation
• Orange: targets for mirror writes
• Red: confused session reassembled
• Brown: replacement frag
• Purple: reassembled packet
• Grey: overlapping packet
XML tag data
dangling pointer session frag replacement frag
“confused”
Adjacent on the heap Somewhere else on the heap
…
![Page 111: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/111.jpg)
Exploit in a (coco)nut shell• Hole creation primitive with IKEv1
• Allocate XML data in hole / freed at the end
• Allocate fragment in same hole
• Repeatable free primitive with XML
• Allocate fragment with larger size in same hole
• Trigger reassembly corrupt linked list pointers
• Trigger mirror writes corrupt a function pointer
feng target1
0x2040 0x2040
0x6120
O
0x2040
LastFrag=1
0x2040 0x2040
H H
0x2040
feng
0x2040
feng
0x2040
Robin Hood uses IKEv1 sessions
• Blue: separators
• Green: hole creation
• Orange: targets for mirror writes
• Red: confused session reassembled
• Brown: replacement frag
• Purple: reassembled packet
• Grey: overlapping packet
XML tag data
dangling pointer session frag replacement frag
target1
“confused”
Adjacent on the heap Somewhere else on the heap
…
![Page 112: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/112.jpg)
Exploit in a (coco)nut shell• Hole creation primitive with IKEv1
• Allocate XML data in hole / freed at the end
• Allocate fragment in same hole
• Repeatable free primitive with XML
• Allocate fragment with larger size in same hole
• Trigger reassembly corrupt linked list pointers
• Trigger mirror writes corrupt a function pointer
feng
0x2040 0x2040
0x6120
O
0x2040 0x2040 0x2040
H H
0x2040
feng
0x2040
feng
0x2040
Robin Hood uses IKEv1 sessions
• Blue: separators
• Green: hole creation
• Orange: targets for mirror writes
• Red: confused session reassembled
• Brown: replacement frag
• Purple: reassembled packet
• Grey: overlapping packet
XML tag data
dangling pointer session frag replacement frag
“confused”
Adjacent on the heap Somewhere else on the heap
…
![Page 113: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/113.jpg)
Key facts
• We need sess/repl frags in same hole with len(repl) > len(sess)
• We leave a small free chunk behind sess
• Confusion state: IKEv1 frags with different length in same chunk

(gdb) dlchunk 0xad854108 -c 2 -p 0x44
0xad854108 M sz:0x02030 fl:CP alloc_pc:ike_receiver_process_data+0x3ed 0x6262 bb
0xad856138 F sz:0x00010 fl:-P 0x0000 hex(07c8)
(gdb) python print(frag_payload(0xad854108+0x28+0x1c))
struct frag_payload @ 0xad85414c {
next_payload = 0x0
critical_bit = 0x0
payload_length = 0x1fe6
id = 0x10
seqno = 0x2
last_frag = 0x1

(gdb) dlchunk 0xad854108 -c 1 -p 0x44
0xad854108 M sz:0x02040 fl:CP alloc_pc:ike_receiver_process_data+0x3ed 0x6666 ff
(gdb) python print(frag_payload(0xad854108+0x28+0x1c))
struct frag_payload @ 0xad85414c {
next_payload = 0x0
critical_bit = 0x0
payload_length = 0x1ff2
id = 0x20
seqno = 0x2
last_frag = 0x1

[Diagram: session frag (sess) and replacement frag (repl) occupying the same hole between feng chunks, with a small free chunk (F) behind sess; the pair is labelled "confused".]
![Page 114: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/114.jpg)
Key facts (2)
• Overlapping chunk’s size dictates max number of mirror writes
• For a given session, total accumulated length needs to be < 0x8000
• XML buffer used by double free primitive is 0x2040 chunk
• With 0x2040 chunks, it means maximum 2 mirror writes (see above)
• Solution is to change the granularity and use 0x810 chunks
[Diagram: the same hole laid out with 0x2040 chunks (feng, target1, target2 and an overlapping chunk of 0x6120) versus with 0x810 chunks (rows of 0x810 chunks, an overlapping chunk of 0x48f0 and a 0x2850 chunk).]
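The two "Key facts" slides hinge on what a fragment header carries (the gdb struct frag_payload dump: next_payload, critical_bit, payload_length, id, seqno, last_frag), on the per-session accumulated length cap of 0x8000, and on the "reassembly incomplete" check. The following is an added example, not code from the talk, NCC Group or Cisco: a parser for that fragment header plus a reassembler that applies those bounds the way a hardened receiver would. It assumes an 8-byte header in the field order of the gdb dump (next payload, a byte whose top bit is the critical bit, 16-bit payload length including the header, 16-bit fragment id, 8-bit seqno, 8-bit flags with the low bit meaning last fragment), that seqno numbering starts at 1, and that MAX_SESSION_BYTES is the 0x8000 figure from the slide; the names parse_frag_payload, build_frag_payload, FragSession, reassemble and is_rejected are the example's own.

```python
import struct
from dataclasses import dataclass

MAX_SESSION_BYTES = 0x8000   # per-session cap from the "Key facts (2)" slide
FRAG_HDR_LEN = 8             # assumed header size (see lead-in)
FLAG_LAST_FRAG = 0x01        # assumed: low bit of the flags byte marks the last fragment


@dataclass
class FragPayload:
    # Field names mirror the gdb 'struct frag_payload' dump on the "Key facts" slide.
    next_payload: int
    critical_bit: int
    payload_length: int
    id: int
    seqno: int
    last_frag: int
    data: bytes


def parse_frag_payload(buf: bytes) -> FragPayload:
    """Parse one fragment payload from the start of buf (assumed 8-byte header layout)."""
    if len(buf) < FRAG_HDR_LEN:
        raise ValueError("truncated fragment header")
    next_payload, crit, plen, frag_id, seqno, flags = struct.unpack("!BBHHBB", buf[:FRAG_HDR_LEN])
    # payload_length includes the header and must fit inside what was actually received
    if plen < FRAG_HDR_LEN or plen > len(buf):
        raise ValueError(f"payload_length {plen:#x} does not fit in {len(buf):#x} received bytes")
    return FragPayload(next_payload, crit >> 7, plen, frag_id, seqno,
                       flags & FLAG_LAST_FRAG, buf[FRAG_HDR_LEN:plen])


def build_frag_payload(frag_id: int, seqno: int, data: bytes, last: bool = False) -> bytes:
    """Encode a fragment in the same assumed layout (used here only to construct sample input)."""
    flags = FLAG_LAST_FRAG if last else 0
    return struct.pack("!BBHHBB", 0, 0, FRAG_HDR_LEN + len(data), frag_id, seqno, flags) + data


class FragSession:
    """Reassembly state for one fragment id, with the checks a hardened receiver should make."""

    def __init__(self, frag_id: int):
        self.frag_id = frag_id
        self.frags = {}        # seqno -> data (assumed numbering starts at 1)
        self.total = 0         # accumulated payload bytes for this session
        self.last_seq = None   # seqno that carried the last-fragment flag, once seen

    def add(self, frag: FragPayload):
        """Store a fragment; return the reassembled packet once complete, else None."""
        if frag.id != self.frag_id:
            raise ValueError("fragment belongs to a different session")
        if frag.seqno == 0:
            raise ValueError("seqno 0 is invalid")
        if frag.seqno in self.frags:
            # A retransmit must be byte-identical: a second body of a different length for
            # the same seqno is refused rather than allowed to replace the stored one.
            if self.frags[frag.seqno] != frag.data:
                raise ValueError(f"seqno {frag.seqno} already stored with different content")
            return None
        # Bound the per-session total before storing anything.
        if self.total + len(frag.data) > MAX_SESSION_BYTES:
            raise ValueError("session would exceed MAX_SESSION_BYTES")
        if frag.last_frag:
            if self.last_seq is not None or any(s > frag.seqno for s in self.frags):
                raise ValueError("inconsistent last-fragment marker")
            self.last_seq = frag.seqno
        elif self.last_seq is not None and frag.seqno > self.last_seq:
            raise ValueError("seqno beyond the declared last fragment")
        self.frags[frag.seqno] = frag.data
        self.total += len(frag.data)
        return self._reassemble_if_complete()

    def _reassemble_if_complete(self):
        # "Reassembly incomplete" check: every seqno 1..last must be present before joining.
        if self.last_seq is None or any(i not in self.frags for i in range(1, self.last_seq + 1)):
            return None
        return b"".join(self.frags[i] for i in range(1, self.last_seq + 1))


def reassemble(wire_frags):
    """Feed raw fragment payloads of one session through FragSession; return packet or None."""
    session = None
    result = None
    for raw in wire_frags:
        frag = parse_frag_payload(raw)
        if session is None:
            session = FragSession(frag.id)
        result = session.add(frag)
    return result


def is_rejected(wire_frags) -> bool:
    """True if reassemble() refuses the fragment sequence."""
    try:
        reassemble(wire_frags)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: a last fragment whose header values match the first gdb dump
    # on the slide (payload_length 0x1fe6, id 0x10, seqno 2, last_frag 1).
    sess = parse_frag_payload(build_frag_payload(0x10, 2, b"\x62" * (0x1fe6 - FRAG_HDR_LEN), last=True))
    print(f"payload_length={sess.payload_length:#x} id={sess.id:#x} seqno={sess.seqno} last={sess.last_frag}")
    print(reassemble([build_frag_payload(0x10, 1, b"A" * 4), build_frag_payload(0x10, 2, b"B" * 4, last=True)]))
```

The receiver-side point is that every condition the slides lean on is checked before any buffer is touched: the header length is validated against the bytes actually received, the session total is capped before storing, a repeated seqno with a different body is refused instead of replacing the stored fragment, and reassembly only runs once seqno 1 through the declared last fragment are all present.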
![Page 115: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/115.jpg)
Other approaches
1. Having one frag / the reassembled packet in the same chunk
• But when reassembly fails, it results in another double-free
2. XML data is appended with strncat()
• Overwrite first fragment to change its length?
• Need a strncat()-friendly character
• Can’t use a very large length due to the reassembly incomplete check
• But still need to allocate something else anyway to avoid double-free
• Took 2 weeks to build an exploit
• Prior to that, took months to write asatools
![Page 116: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/116.jpg)
Conclusions
![Page 117: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/117.jpg)
Lessons learnt
• Fuzzing just the tags list is enough to find the bug
• Radamsa was useless in our case
• Working exploit on 32-bit (no ASLR/DEP)
• Note: some old 64-bit don’t have ASLR either [1]
• 7-year-old bug? – AnyConnect Host Scan available since 2011
• Cisco-specific handlers, not libexpat
• IKEv1 frag primitive to overflow memory / create mirror writes
• Confusion state: one chunk used for two different IKEv1 packets
• IKEv1 feng shui useful for any heap-based bug
[1] https://github.com/nccgroup/asafw/blob/master/README.md#mitigation-summary
![Page 118: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/118.jpg)
Next steps
• WebVPN/AnyConnect exploit only (not relying on IKEv1)?
• Turn a repeatable free into a memory revelation primitive?
• Bypass ASLR on recent 64-bit?
• Something like BENIGNCERTAIN on Cisco IOS [1]?
• XML grammar-based fuzzer to find new 0-day?
• Support for tags, attributes, etc.
[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
![Page 119: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/119.jpg)
Protect against 0-day vulnerabilities?
![Page 120: Robin Hood vs Cisco ASA Anyconnect - NCC Group€¦ · Cisco ASA firewalls • Entry point to most enterprises • ASA != IOS • ASA = Linux + a single “lina” binary / x86 or](https://reader035.vdocuments.site/reader035/viewer/2022062414/5f08275d7e708231d4209b00/html5/thumbnails/120.jpg)
Questions
• Special thanks to
• My colleague Aaron Adams for the help on exploiting this
• Terri Grant from Cisco PSIRT for handling this
• Contact
• @saidelike
• cedric(dot)halbronn(at)nccgroup(dot)trust