Network Pixies: Abusing PXE
TRANSCRIPT
SESSION ID: ASD-F03
#RSAC
Andy Wortman, Staff Research Engineer
Brian Wallace, Data Scientist
PXE Boot: What, Where, Why?
Preboot Execution Environment
Post-BIOS, pre-OS protocol to download an OS over a network.
Built on DHCP and TFTP to handle what files come from where.
Included in UEFI, will continue to be around for a while.
PXE Boot: What, Where, Why?
Centralized OS management
Diskless servers/nodes, virtual machines
Remote management applications
Buses?
(Yes, we actually saw this)
Fallback after local disk failure
We’re not sysadmins, this is just what we’ve seen. YMMV.
PXE Boot: What, Where, Why?
Makes admin over geographical distance sane!
You know what all your boxes are running.
Can have granular control per-MAC.
Need to reimage? Restart the machine.
No local disk == no local persistence. Nice!
A Quick Poll
Show of hands: do you know if your infrastructure relies on PXE?
Alternatively: do you know if PXE boot is enabled?
PXE Implications
PXE may provide the first* code machines you operate will run!
If PXE is maintained poorly, nothing after is trustable.
We are not covering PXE administration.
That’s a broad, per-vendor topic. May involve infrastructure, too.
Recommendations at the end, but in line with most best practices.
We are covering what may happen if PXE is deployed poorly.
Research History
2005: eEye BootRoot (PXE used to subvert Windows kernel at boot)
2011: Network Nightmare (Defcon 19, PXE to modify local disk data)
2012: Owning One To Rule Them All (Defcon 20, attacking PXE deployment servers)
That’s about it?
Nuts and Bolts
PXE extends DHCP, then uses TFTP (or HTTP).
Designed to layer on top of existing infrastructure with no changes.
More on that in a moment
Bare minimum is just that the client sets DHCP option 60 (vendor class identifier) to a string starting with “PXEClient”.
Ideally the DHCP server fills in the boot file name and boot server, serves that file via TFTP, and it’s all set.
Nuts and More Bolts
Designed to layer on? What?
Provisions for rigid infrastructure where changing DHCP config is hard.
In addition to the normal DHCP request, a PXE client that gets no boot file path may issue a second request to a “proxyDHCP” server.
proxyDHCP
“proxyDHCP” server is just a DHCP server on port 4011.
Specific intent is to augment DHCP with PXE boot info.
Pro: Original DHCP server doesn’t have to change.
Con: Anyone who can put a DHCP server on port 4011 can PXE boot your machines.
PXE Deployment: What you expected
PXE Deployment: What you got
Identifying PXE boot
PXE boot requests start by going to port 67 or 4011
Can happen intentionally
Or as a reimaging technique
Or as a backup boot method after disk failure
Or as a primary boot method that no one notices due to no PXE server
— (common-ish for servers by very unscientific sampling)
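The exchange the Nuts and Bolts, proxyDHCP and Identifying PXE boot slides describe, as an added example (this is not the PXE Dust tool or the demo script from the talk). It decodes a DHCPDISCOVER the way a monitor on UDP 67/4011 would, flagging a PXE request by option 60 starting with “PXEClient” and reading the architecture from option 93, and it builds the boot-info-only reply a proxyDHCP server sends back: no address lease, just siaddr/file (and options 66/67) pointing at a server of the sender's choosing. The sample DISCOVER is constructed inline; the MAC, the server IP 192.0.2.10 and the boot file name pxelinux.0 are arbitrary placeholders. Standard library only.

```python
"""Decode PXE DHCP requests and build the proxyDHCP-style reply that redirects a client.

Added example for this page (not the authors' PXE Dust tool or their demo script).
Standard library only; the DHCPDISCOVER used as input is constructed inline.
"""
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_VENDOR_CLASS = 53, 54, 60
OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_CLIENT_ARCH, OPT_END = 66, 67, 93, 255
DISCOVER, OFFER = 1, 2
# Option 93 (client system architecture) values: RFC 4578 plus later IANA additions (subset).
ARCH_NAMES = {0: "x86 BIOS", 6: "x86 UEFI", 7: "x64 UEFI", 9: "x64 UEFI", 11: "ARM64 UEFI"}


def parse_dhcp(pkt: bytes) -> dict:
    """Parse the fixed BOOTP header and the DHCP option TLVs into a dict."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    options = {}
    i = 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:  # pad byte, has no length field
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,                                   # 1 = BOOTREQUEST, 2 = BOOTREPLY
        "xid": xid,
        "chaddr": pkt[28:28 + hlen],                # client hardware address
        "siaddr": socket.inet_ntoa(pkt[20:24]),     # "next server" = boot server
        "file": pkt[108:236].split(b"\x00", 1)[0].decode(errors="replace"),
        "options": options,
    }


def pxe_request_info(pkt: bytes):
    """Return (mac, arch name) if this DHCP message is a PXE boot request, else None.

    This is the check a PXE Dust style monitor applies to every packet seen on
    UDP 67 or 4011: a BOOTREQUEST whose vendor class (option 60) starts with
    "PXEClient". Option 93 says whether the client is a BIOS or UEFI ROM.
    """
    d = parse_dhcp(pkt)
    if d["op"] != 1 or not d["options"].get(OPT_VENDOR_CLASS, b"").startswith(b"PXEClient"):
        return None
    mac = ":".join(f"{b:02x}" for b in d["chaddr"])
    arch = d["options"].get(OPT_CLIENT_ARCH)
    arch = struct.unpack("!H", arch)[0] if arch else None
    return mac, ARCH_NAMES.get(arch, f"arch {arch}")


def boot_target(pkt: bytes):
    """Return (boot server, boot file) that a BOOTREPLY points the client at, else None."""
    d = parse_dhcp(pkt)
    o = d["options"]
    server = o[OPT_TFTP_SERVER].decode() if OPT_TFTP_SERVER in o else d["siaddr"]
    bootfile = o[OPT_BOOTFILE].decode() if OPT_BOOTFILE in o else d["file"]
    if d["op"] != 2 or not bootfile:
        return None
    return server, bootfile


def _header(op, xid, chaddr, siaddr=b"\x00" * 4, bootfile=b""):
    """Fixed 236-byte BOOTP header plus the DHCP magic cookie."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # Ethernet, 6-byte MAC, broadcast flag
    hdr += b"\x00" * 8 + siaddr + b"\x00" * 4                     # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00") + b"\x00" * 64                # chaddr, sname
    return hdr + bootfile[:128].ljust(128, b"\x00") + DHCP_MAGIC


def _opt(code, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def build_discover(mac: bytes, xid: int, arch: int = 0, pxe: bool = True) -> bytes:
    """Constructed sample input: the DHCPDISCOVER a PXE ROM (or, with pxe=False, a plain client) sends."""
    opts = _opt(OPT_MSG_TYPE, bytes([DISCOVER]))
    if pxe:
        opts += _opt(OPT_CLIENT_ARCH, struct.pack("!H", arch))
        opts += _opt(OPT_VENDOR_CLASS, b"PXEClient:Arch:%05d:UNDI:002001" % arch)
    return _header(1, xid, mac) + opts + bytes([OPT_END])


def build_pxe_offer(discover: bytes, server_ip: str, bootfile: str) -> bytes:
    """Answer a PXE DISCOVER with boot info only, the shape a proxyDHCP server (port 4011) uses.

    No yiaddr and no lease options: the real DHCP server still hands out the address;
    this reply only supplies siaddr/file (and options 66/67) so the client TFTPs from us.
    Some firmware also expects PXE vendor options (option 43); those are omitted here.
    """
    d = parse_dhcp(discover)
    sip = socket.inet_aton(server_ip)
    opts = _opt(OPT_MSG_TYPE, bytes([OFFER])) + _opt(OPT_SERVER_ID, sip)
    opts += _opt(OPT_VENDOR_CLASS, b"PXEClient")  # marks this reply as carrying PXE info
    opts += _opt(OPT_TFTP_SERVER, server_ip.encode()) + _opt(OPT_BOOTFILE, bootfile.encode())
    return _header(2, d["xid"], d["chaddr"], sip, bootfile.encode()) + opts + bytes([OPT_END])


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")             # placeholder MAC
    disc = build_discover(mac, 0x1234, arch=7)
    print("request:", pxe_request_info(disc))       # ('00:11:22:33:44:55', 'x64 UEFI')
    offer = build_pxe_offer(disc, "192.0.2.10", "pxelinux.0")
    print("client will fetch:", boot_target(offer))  # ('192.0.2.10', 'pxelinux.0')
```

Run it as a script to see both halves; in a monitor you would feed `pxe_request_info` every datagram captured on UDP 67 and 4011, and feed `boot_target` every reply so that any boot server outside your allowlist stands out. Sending `build_pxe_offer` output on a live network is exactly the rogue-server scenario the slides warn about, so only do that in a lab.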
PXE Dust
Couldn’t some tool just tell us when PXE is happening?
Hey, look! It’s Demo Time!
Abusing PXE boot
So, say we see PXE boot as an option
What can we do now?
First, how do we most reliably PXE boot?
PXE Client doesn’t use proxyDHCP?
Some PXE implementations don’t try again on port 4011
No problem!
Some clients just discard DHCPOFFER without PXE options
PXE Client only sends one request?
Some PXE implementations really do request only once
If you miss it, you have to hope they reboot
For reliability, race the DHCP response
PXExploitation
Even across different PXE client configs, we can probably get something running if PXE is enabled.
Backdoored kernel? (see: BootRoot)
Tweaked OS image?
Start a hypervisor and boot genuine image inside that?
PXExploitation
What would you do if your machine doesn’t join AD?
“Oh, weird. Old creds, or bug. I’ll just type in my creds again”
But really the PXE-booted image had credentials removed
And keystrokes are intercepted by hypervisor
Magic PXE Hypervisor Demo
We were going to demo that here…
But what worked under QEMU on Linux at the home lab…
Doesn’t work under VMWare on OS X.
Only perceptible difference is VM’s BIOS + PXE firmware?
Magic PXE Hypervisor Demo (What DID work)
VMWare DHCP server vs. 30-line Python script
Proceeds to TFTP from attacker-provided DHCP server!
Magic PXE Hypervisor Demo
Would demo at least racing DHCP responses + booting linux
We can win the race reliably!
Linux wasn’t starting right, other issues with last minute changes
Open questions
PXE happens on ALL PXE-capable NICs?
No BIOS we’ve seen lets NIC preference be specified, nor disallowed
iPXE seems to be able to prioritize NICs
USB PXE boot?
For some particularly common ethernet chipsets, this is possible (for <$50!)
WiFi PXE boot?
iPXE (Open source PXE implementation) supports WEP and WPA+WPA2
— Also supports the fairly uncommon option of using NIC non-volatile storage
Takeaways
Reminder: if PXE is enabled, anyone can control your computer at boot
Caveat: UEFI network boot indicates SecureBoot support.
If PXE isn’t actively used, it may still be available (local disk failure etc)
PXE is a rather serious risk/benefit consideration.
Recommendations
Look through PXE manual sections for any hardware you operate.
Specifically look for PXE options to control what NICs try PXE boot.
Restricting PXE to particular ports would be very convenient.
SecureBoot with PXE wherever possible.
Initial searching for resources here wasn’t encouraging.
Monitor your network for unexpected PXE traffic
If you see PXE communications from an unexpected server, that is very bad.