Slide 1

EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM

Slide 2

ABOUT ME
▸ Joel Sandin ([email protected] / @PartyTimeDotEXE)
▸ Do security and write software for fun and professionally
▸ Previously:
  ▸ Senior Security Consultant at Matasano Security (part of NCC Group)
  ▸ Helped write and support security and safety monitoring systems for the Akamai Platform as a Senior Systems Software Engineer

Slide 3

RESEARCH OBJECTIVES
▸ Learn more about embedded systems internals and vulnerabilities
  ▸ Embedded systems a new area for me
▸ Interested in things from an OS perspective
  ▸ What kind of bugs arise in this context?
  ▸ What does exploitation look like in practice?
▸ Think like an attacker to understand the impact

Slide 4

WHY FREERTOS?
▸ One of many operating systems (Contiki, RIOT, TinyOS, NodeMCU) either purpose-built for IoT or seeing new interest in that context
▸ Great OS and a representative example:
  ▸ Flexible licensing, used commercially
  ▸ Major vendors (Atmel, Texas Instruments, STMicro, Olimex) provide ports to tons of platforms
  ▸ Big developer community, open source

Slide 5

WHAT'S THE RISK WITH THESE TYPES OF SYSTEMS?
▸ New generation of developers using C on this platform
▸ Wonderful OS, but (like others) doesn't protect the developer / lacks exploit mitigations:
  ▸ no W^X*, no ASLR (* only certain parts of the lx106 memory map are executable)
  ▸ MPU supported on Cortex-M3, but not commonly used (and doesn't raise the bar...)
  ▸ otherwise everything runs in supervisor mode

Slide 6

NOT TALKING ABOUT BUGS *IN* FREERTOS!
▸ Message of the talk isn't that FreeRTOS has bugs
▸ FreeRTOS isn't designed to make an attacker's job hard
▸ Up to the developer to make sure applications are secure
▸ What we'll see is that the consequences of a mistake are catastrophic
▸ Focus was exploitation of applications in the context of FreeRTOS and lwIP

Slide 7

PREVIOUS WORK
▸ Recent VxWorks research by Yannick Formaggio is amazing!
▸ Barnaby Jack's (RIP) vector rewrite attacks and subsequent two talks are a big inspiration
▸ Awesome past Phenoelit talks about embedded exploitation from FX and FtR predate this work by over 10 years
▸ Tactical Network Solutions has some great blog posts about advanced embedded / commercial RTOS exploitation
▸ Work on baseband security has also dealt with memory corruption in that context (commercial RTOSes)

Slide 8

TALK OUTLINE
▸ Bug hunting
▸ Security-relevant internals for FreeRTOS and lwIP
▸ Stack smashing in practice (with discussion of other bug classes)
▸ Step through an example of end-to-end exploitation

Slide 9

BUG HUNTING

Slide 10

WHAT KIND OF BUGS?
▸ Authn/Authz issues and backdoors are prevalent but not our focus
▸ Interested in memory corruption only:
  ▸ Everything from the OS, to the servers and libraries they rely on, to the applications themselves is in C
  ▸ Expecting the usual suspects here: buffer overflows, heap corruption

Slide 11

HOW WERE THEY FOUND
▸ Audited whatever I could get my hands on:
  ▸ FreeRTOS itself, lwIP, Espressif RTOS SDK + apps, contributed servers on GitHub, FatFs, CoAP, mDNS implementations, more
▸ Bugs found via code review and fuzzing
▸ Some of the most serious bugs were easy to spot

Slide 12

WHERE ARE THEY
▸ Lots of places where I *didn't* find bugs
  ▸ FreeRTOS itself, lwIP - found no bugs
▸ Found bugs in contributed servers, vendor SDKs, FreeRTOS-based IoT platform from Espressif:
  ▸ Disclosed and fixed: stack buffer overflows (4), heap overflows (12), static buffer overflows (3)
▸ Problems disclosing some stuff, and more crashes still waiting to be triaged...

Slide 13

BUFFER OVERFLOW EXAMPLE (FIXED)
▸ ESP8266 IoT Platform, processing the nonce in a server response (from the cloud), user_esp_platform.c:
▸ Overflow with an oversized nonce in the JSON, trigger with "nonce": AAAAAAAAAAAAAAAA…

Slide 14

HEAP OVERFLOW EXAMPLE (FIXED)
▸ Heap corruption in the user_webserver.c URL parsing code, trigger with a POST request to http://system_ip/config?command=AAAAAAAABBBBBBBB…
▸ purl_frame->pFilename holds 40 bytes
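
As an added illustration, not the Espressif code from the two slides above: the pattern behind both bugs (a copy whose length comes from the request into a fixed-size destination, a stack buffer for the nonce and a 40-byte heap-allocated filename for the URL query) beside a bounded version that rejects oversized values. The helper names, the 16-byte nonce size and the sample request strings are this example's own assumptions; only the 40-byte filename size comes from the deck.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define NONCE_LEN    16   /* assumed stack buffer size for the nonce handler */
#define FILENAME_LEN 40   /* the deck: purl_frame->pFilename holds 40 bytes */

/* Find `key` in `req` and return the start of the value that follows it, with
 * its length up to the next quote, '&', whitespace or end of string. The key
 * includes its delimiter, e.g. "\"nonce\":\"" or "command=". */
static const char *find_value(const char *req, const char *key, size_t *len)
{
    const char *p = strstr(req, key);
    if (p == NULL)
        return NULL;
    p += strlen(key);
    *len = strcspn(p, "\"& \r\n");
    return p;
}

/* The vulnerable pattern from both slides: the copy length comes from the
 * request, the destination is fixed. With len >= FILENAME_LEN this writes past
 * the buffer (into the next heap chunk for pFilename, into saved registers and
 * the return address for a stack buffer). Kept for contrast; never fed
 * untrusted input below. */
void copy_value_unbounded(char dst[FILENAME_LEN], const char *val, size_t len)
{
    memcpy(dst, val, len);
    dst[len] = '\0';
}

/* Hardened version: refuse anything that does not fit with its terminator. */
static bool copy_value_bounded(char *dst, size_t dst_len, const char *val, size_t len)
{
    if (len >= dst_len)
        return false;
    memcpy(dst, val, len);
    dst[len] = '\0';
    return true;
}

/* Nonce handler: the value lands in a caller-supplied (typically stack) buffer. */
bool parse_nonce(const char *json, char *nonce, size_t nonce_len)
{
    size_t len;
    const char *v = find_value(json, "\"nonce\":\"", &len);
    return v != NULL && copy_value_bounded(nonce, nonce_len, v, len);
}

/* URL handler: the value lands in a heap-allocated frame, as in the webserver. */
struct url_frame { char filename[FILENAME_LEN]; };

struct url_frame *parse_config_request(const char *req)
{
    size_t len;
    const char *v = find_value(req, "command=", &len);
    if (v == NULL)
        return NULL;
    struct url_frame *f = malloc(sizeof *f);
    if (f == NULL)
        return NULL;
    if (!copy_value_bounded(f->filename, sizeof f->filename, v, len)) {
        free(f);                      /* oversized command: drop the request */
        return NULL;
    }
    return f;
}

/* Constructed inputs standing in for the cloud response and the POST.
 * Return 1 when the value was accepted and matches, 0 when it was refused. */
int demo_nonce(bool oversized)
{
    char json[256] = "{\"nonce\":\"";
    if (oversized)
        memset(json + strlen(json), 'A', 64);   /* "nonce": AAAA... */
    else
        strcat(json, "abc123");
    strcat(json, "\"}");
    char nonce[NONCE_LEN];
    if (!parse_nonce(json, nonce, sizeof nonce))
        return 0;
    return strcmp(nonce, "abc123") == 0 ? 1 : 2;
}

int demo_config(bool oversized)
{
    char req[256] = "POST /config?command=";
    if (oversized)
        memset(req + strlen(req), 'A', 64);     /* ...command=AAAABBBB... */
    else
        strcat(req, "reboot");
    strcat(req, " HTTP/1.1\r\n");
    struct url_frame *f = parse_config_request(req);
    if (f == NULL)
        return 0;
    int r = strcmp(f->filename, "reboot") == 0 ? 1 : 2;
    free(f);
    return r;
}
```

Both demo functions return 1 for a well-formed request and 0 when the bounded copy refuses the oversized value. Refusing rather than truncating is the right call for a nonce or a command: a silently truncated value is a different value from the one the peer sent, and the caller has no way to tell.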

Slide 15

THE 90S NEVER ENDED
▸ These aren't "deep" bugs
▸ Memory corruption easy for developers to introduce:
  ▸ HTTP request handling, as well as requests for protocols like CoAP and mDNS, that violate the standard
▸ Vendors don't always help: disable "debugging" assertions that actually are security checks, include outdated versions in SDKs

Slide 16

EXPLOITATION
▸ So what is actually happening under the hood when one of these bugs is triggered?
▸ Want to understand the impact - can we exploit these bugs?
▸ To put these bugs in context, let's first look at OS internals

Slide 17

FREERTOS INTERNALS

Slide 18

FREERTOS AND LWIP OVERVIEW
▸ FreeRTOS: real-time operating system made by Real Time Engineers Ltd.
  ▸ Provides task creation and management, IPC, synchronization primitives, memory management - that's about it!
  ▸ Tiny: ~19k lines, ~1k platform-specific lines for a port
  ▸ Can run in under ~1k of memory
▸ lwIP: popular embedded TCP/IP stack originally written by Adam Dunkels, with support for different protocols (SNMP, DNS) and many contributed servers

Slide 19

DATA FOOTPRINT OF A TASK

Slide 20

KEY DATA STRUCTURES
▸ Tasks:
  ▸ Fixed stack region allocated on the system heap (so a task stack overflow is also a heap overflow; the consequences of both combine)
▸ Scheduler:
  ▸ Lists: ready, suspended, terminated etc.
  ▸ Task control blocks (TCBs) for all executing tasks
  ▸ pxCurrentTCB points to the TCB of the currently executing task
▸ Multiple heaps:
  ▸ System heap: all tasks (and the kernel) share a single heap
  ▸ lwIP heap: used for packet data, network connection data structures, etc.
▸ System stack

Slide 21

CONTEXT SWITCHING
▸ Real systems have multiple tasks - at the very least, a server / network thread and an "idle" task
▸ When switching context, the scheduler:
  1. Stores the task's register state (including PC) on the task stack
  2. Updates the task's TCB->pxTopOfStack
  3. Picks a task to run and restores its state (including PC) using its TCB

Slide 22

CONTEXT SWITCHING (BEFORE)

Slide 23

CONTEXT SWITCHING (AFTER)

Slide 24

HEAP IMPLEMENTATION(S)
▸ Shared by the whole system
▸ Singly-linked list of free chunks: chunk header is a size and a next-chunk pointer
▸ When memory is requested, uses first-fit allocation, sets the chunk's next pointer to NULL, adds the unused part back to the free list
▸ When memory is freed, adjacent chunks are coalesced
▸ This describes heap_4.c; FreeRTOS ships alternatives with different behaviour: heap_1 never frees, heap_2 uses best fit with no coalescing, heap_3 wraps the C library malloc/free, heap_5 is heap_4 over several non-contiguous regions
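
An added model of that allocator, written for this page: it follows the heap_4.c design the bullets describe but is not the kernel's code, and the names, the 4 KB arena and the sample allocation sizes are this example's own. It shows the header layout, first-fit with splitting, coalescing on free, a free-list walk that doubles as the pointer-integrity check the recommendations at the end of the deck ask for, and what a heap overflow from one chunk does to its neighbour's header.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the heap_4-style allocator: a {next, size} header on every chunk,
 * free chunks on a singly linked list kept in address order, first-fit
 * allocation that splits the unused tail back onto the list, and a free()
 * that merges with both neighbours. Names and sizes are this example's own. */
typedef struct chunk { struct chunk *next; size_t size; } chunk_t;   /* next: NULL once handed out */

#define HEAP_BYTES 4096
#define ALIGN      8
#define HDR        sizeof(chunk_t)
static _Alignas(8) uint8_t heap_region[HEAP_BYTES];
static chunk_t  list_head;   /* zero-size sentinel below the first chunk */
static chunk_t *list_end;    /* sentinel address just above the last chunk */

void heap_init(void)
{
    chunk_t *first = (chunk_t *)heap_region;
    list_end = (chunk_t *)(heap_region + HEAP_BYTES - HDR);
    first->size = HEAP_BYTES - HDR;          /* size counts the header */
    first->next = list_end;
    list_head.next = first;
}

void *heap_malloc(size_t want)
{
    size_t need = (want + HDR + ALIGN - 1) & ~(size_t)(ALIGN - 1);
    chunk_t *prev = &list_head, *c = list_head.next;
    while (c != list_end && c->size < need) { prev = c; c = c->next; }   /* first fit */
    if (c == list_end)
        return NULL;
    if (c->size - need > 2 * HDR) {          /* split: the tail goes back on the list */
        chunk_t *rest = (chunk_t *)((uint8_t *)c + need);
        rest->size = c->size - need;
        rest->next = c->next;
        c->size = need;
        prev->next = rest;
    } else
        prev->next = c->next;
    c->next = NULL;                          /* allocated chunk carries no list pointer */
    return (uint8_t *)c + HDR;
}

void heap_free(void *p)
{
    chunk_t *c = (chunk_t *)((uint8_t *)p - HDR), *it = &list_head;
    while (it->next < c)                     /* find the insertion point */
        it = it->next;
    if ((uint8_t *)it + it->size == (uint8_t *)c) {   /* merge with lower neighbour */
        it->size += c->size;
        c = it;
    }
    if (it->next != list_end && (uint8_t *)c + c->size == (uint8_t *)it->next) {
        c->size += it->next->size;           /* merge with upper neighbour */
        c->next = it->next->next;
    } else
        c->next = it->next;
    if (it != c)
        it->next = c;
}

/* Walk the free list: its length, or -1 if a header is not sane. This is the
 * cheap pointer-integrity check the closing recommendations ask for. */
int heap_free_chunks(void)
{
    int n = 0;
    for (chunk_t *c = list_head.next; c != list_end; c = c->next) {
        uint8_t *b = (uint8_t *)c, *nx = (uint8_t *)c->next;
        if (b < heap_region || b >= (uint8_t *)list_end || c->size == 0 ||
            nx < b + c->size || nx > (uint8_t *)list_end)
            return -1;                       /* outside the arena, or next is not a later chunk */
        n++;
    }
    return n;
}

/* Three allocations; free the outer two, then the middle: the list goes 2 -> 1. */
int heap_coalesce_demo(void)
{
    heap_init();
    void *a = heap_malloc(100), *b = heap_malloc(100), *c = heap_malloc(100);
    heap_free(a);
    heap_free(c);
    int two = heap_free_chunks();            /* a and c are separated by b: 2 free chunks */
    heap_free(b);                            /* b bridges them: everything merges again */
    return two == 2 && heap_free_chunks() == 1 && list_head.next->size == HEAP_BYTES - HDR;
}

/* 100 bytes requested rounds to a 120-byte chunk with 104 usable bytes; writing
 * 112 from `a` overwrites the next pointer in the header of its freed neighbour. */
int heap_overflow_demo(void)
{
    heap_init();
    void *a = heap_malloc(100), *b = heap_malloc(100);
    heap_free(b);
    memset(a, 'A', 112);
    return heap_free_chunks();               /* -1 once the walk hits the smashed header */
}
```

heap_4 additionally tags the size field of an allocated block with its top bit (xBlockAllocatedBit); that is left out to keep the model short, and it is not a defence, since an overflow that reaches a header can rewrite that bit too. The walk is the part worth keeping: run it under configASSERT on free and a rewritten next pointer is caught before the allocator dereferences it.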

Slide 25

LWIP STACK
▸ Supports multiple APIs: raw, netconn API, BSD sockets
▸ Raw (callback) API is common and simple:
  ▸ Client registers a handler that is called when events occur
  ▸ udp_handler(void *arg, struct udp_pcb *pcb, struct pbuf *p, struct ip_addr *addr, u16_t port)
▸ Uses a separate memory manager / memory region for inbound packet data

Slide 26

STACK OVERFLOW DETECTION
▸ Optionally halt on stack overflow detection (inc/StackMacros.h, enabled with configCHECK_FOR_STACK_OVERFLOW)
▸ Isn't meant to detect overflow of stack-allocated buffers: the check runs at context switch and only looks at the low end of the task's stack (stack pointer vs. pxStack, or a 0xA5 fill pattern kept there)
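
An added simulation of that check, not kernel code. FreeRTOS offers two methods behind configCHECK_FOR_STACK_OVERFLOW: method 1 compares the saved stack pointer against the start of the task's stack at a context switch, method 2 also verifies a 0xA5 fill pattern in the lowest 16 bytes. Both look only at the low end of the task's stack region. The model below implements method 2 over a fake stack array and shows why a buffer overflow in a frame near the top of the stack sails past it while stack exhaustion does not. The frame layout, sizes and addresses are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the FreeRTOS stack overflow check, method 2: the lowest 16 bytes of a
 * task's stack are filled with 0xA5 at task creation and compared on every
 * context switch. The stack region, frame layout and sizes are this example's. */
#define STACK_WORDS   128
#define WATERMARK     0xA5
#define WATERMARK_LEN 16

typedef struct {
    uint32_t stack[STACK_WORDS];   /* pxStack is stack[0]; the stack grows down toward it */
} task_t;

void task_init(task_t *t)
{
    memset(t->stack, 0, sizeof t->stack);
    memset(t->stack, WATERMARK, WATERMARK_LEN);   /* done once, when the task is created */
}

/* taskCHECK_FOR_STACK_OVERFLOW, method 2: true means the watermark is intact. */
bool stack_check_ok(const task_t *t)
{
    const uint8_t *p = (const uint8_t *)t->stack;
    for (int i = 0; i < WATERMARK_LEN; i++)
        if (p[i] != WATERMARK)
            return false;
    return true;
}

/* A frame near the top of the stack for a handler with char buf[32]: on a
 * full-descending stack the saved return address sits above the buffer, so an
 * overflow runs upward into it and away from the watermark at the bottom. */
#define SAVED_LR  (STACK_WORDS - 5)     /* a few words of caller frame above us */
#define BUF_WORDS 8                     /* 32-byte local buffer */
#define BUF_START (SAVED_LR - BUF_WORDS)

void handler_copies_input(task_t *t, const uint8_t *input, size_t n)
{
    t->stack[SAVED_LR] = 0x08001235u;               /* pretend LR into flash, Thumb bit set */
    memcpy(&t->stack[BUF_START], input, n);         /* unbounded copy: the bug */
}

/* 48 bytes into a 32-byte buffer: the saved LR is now 0x41414141, yet the kernel
 * check still passes because the watermark 100+ words below is untouched. */
int demo_buffer_overflow_undetected(void)
{
    task_t t;
    uint8_t input[48];
    task_init(&t);
    memset(input, 'A', sizeof input);
    handler_copies_input(&t, input, sizeof input);
    return stack_check_ok(&t) && t.stack[SAVED_LR] == 0x41414141u;
}

/* What the check is for: a call chain that pushes down to pxStack lands on the
 * watermark, and the next context switch reports the overflow. */
int demo_exhaustion_detected(void)
{
    task_t t;
    task_init(&t);
    t.stack[1] = 0x08001235u;       /* a pushed LR from a deep frame overwrote the pattern */
    return !stack_check_ok(&t);
}
```

The first demo returns 1 with the return address smashed and the check still green; the second returns 1 because the pattern was disturbed. The practical consequence is the one the bullet states: this option is a debugging aid for undersized task stacks, not a canary, and a stack buffer overflow needs compiler-inserted protection (-fstack-protector and a port-provided __stack_chk_fail) to be noticed at all.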

Slide 27

MEMORY PROTECTION UNIT (MPU) SUPPORT
▸ Only on ARM Cortex-M3:
  ▸ Supports restricted tasks that can only write to their own stack and up to 3 configurable memory regions
  ▸ No controls that prevent restricted tasks from creating regular tasks and thus elevating privileges
  ▸ Protects peripherals and data, not intended as a security control

Slide 28

EXPLOITATION IN PRACTICE
▸ We've seen some bugs, and seen internals
▸ Lots of you are probably already connecting the two
▸ Let's think like an attacker and talk about vulnerabilities, with a focus on stack buffer overflows

Slide 29

STACK SMASHING

Slide 30

TEST SETUP AND WORKFLOW
▸ Once you've spotted a potential bug in source, need to investigate
▸ Deploy the software on real hardware and develop payloads to trigger the vuln
▸ Accumulated a lot of hardware in the process, some pictured

Slide 31

TEST SETUP AND WORKFLOW (2)
▸ Some development boards and JTAG adapters I used:
  ▸ ATSAM4E-EK with Atmel SAM-ICE (ARM Cortex-M4)
  ▸ Olimex esp8266-EVB with Segger J-Link (lx106)
▸ Both support JTAG and work with open source tools (gcc, gdb)

Slide 32

STACK OVERFLOWS
▸ When we redirect execution via a stack overflow, it happens in the context of a task
▸ Unlike simpler systems, each task has a dedicated stack (not used by interrupt handlers)
▸ The scheduler will keep everything running while our payload executes
▸ On ARM, the payload can be anywhere - on the task stack or elsewhere

Slide 33

EXPLOITING STACK BUFFER OVERFLOWS
▸ Want to execute a (small) payload that gives us full RCE
▸ Two questions we need to answer for exploitation:
  1. Where to redirect execution?
  2. How to clean things up when done: the task itself needs to keep functioning
▸ In practice this isn't hard

Slide 34

REDIRECTING EXECUTION, 90S STYLE
▸ What address do we put on the stack? Lots of options:
  ▸ Address of a payload on the task stack (if the architecture allows it):
    ▸ Task stacks are allocated at system start, so we know the location
    ▸ Most likely know exactly where data lives on the stack
    ▸ If not, the window of addresses where it can be is probably small (the task stack size is passed to xTaskCreate)

Slide 35

BETTER APPROACH - USING ROP
▸ If we have a register that contains the address of our payload, can use ROP to manipulate the register and call the payload
▸ Not trying to bypass NX - use this because gadget addresses are predictable (even if the payload address isn't)
▸ Trampoline into the full payload (on stack, in heap...)
▸ Chain to perform full exploitation

Slide 36

REDIRECTING EXECUTION - "HELP" FROM OS
▸ Also have platform-specific options:
  ▸ Predictable address of a static data structure that we populated or even overflowed (36 bytes in this case)

Slide 37

REDIRECTING EXECUTION - "HELP" FROM OS
▸ Also have platform-specific options:
  ▸ Ring buffer for inbound network traffic can fall on predictable addresses (will be driver specific)
  ▸ Send packets to the device to fill this buffer and jump to them!
  ▸ Hail Mary option if nothing else is possible

Slide 38

WHAT DO WE DO WHEN DONE
▸ Don't want to break the target task: may be lwIP's own thread!
▸ In practice we annihilate the preserved registers of the caller
▸ *Can* piece together a safe place to return, safe values...
▸ Better: return to the start of the task
  ▸ For an lwIP callback, return to tcpip_thread()
  ▸ Uses a static mbox, keeps functioning
  ▸ May leak memory (allocated by intermediate functions) but works

Slide 39

OTHER BUG CLASSES
▸ Use of static buffers is common, what if they're overflowed?
  ▸ Impact depends on placement of the buffer in relation to other static data - yet to find an interesting example
  ▸ Still a good place to put data for other purposes
▸ Heap corruption complicated in practice and still an open problem (but very interesting) - no time to cover it, talk to me after the talk

Slide 40

EXPLOITATION

Slide 41

EXPLOITATION OBJECTIVES
▸ We have a stack overflow in an lwIP callback on FreeRTOS (on ARM Cortex-M4)
▸ Go from executing a very small (<100 byte) stager in our original request (or "nearby") to being able to reliably execute arbitrary code on the system
▸ Don't destabilize the system: keep the target service running
▸ We'll use facilities in the OS to make it easy

Slide 42

ATTACK OUTLINE
▸ Rough outline of an approach:
  1. Exploit the vulnerability to give us code execution of a "staging" payload
  2. Write a second-stage payload to an unused area of memory
  3. Add a network hook to get the system to run the payload as a callback
  4. Callback listens for inbound packets and executes them

Slide 43

1. CODE EXECUTION
▸ Briefly illustrate an alternative for the bug I'm discussing:
▸ r1 always points 4 bytes behind the part of the request we control, so put the stager there and use ROP to branch to r1+4+1
    (gdb) x/3x $r1
    0x2000a90e: 0xffffff3f 0xf2a7466f 0x4738173f
▸ Why increment r1? Annoying thing about Cortex-M is that the LSB always needs to be set on branch targets (it selects Thumb state)
▸ So we'll use ROP to do the arithmetic and branch - we don't have a lot of space to work with (48 bytes or 12 addresses), then restart the thread as discussed

Slide 44

1B. REGISTER ARITHMETIC WITH ROP

Slide 45

2. PAYLOAD HIDING
▸ Solved the first problem: stager execution
▸ Need to write code for an lwIP callback somewhere safe:
▸ Lots of places to put it (using memcpy):
  ▸ (my choice) Past the end of the system stack buffer
  ▸ System heap (call malloc)
  ▸ In lwIP's heap
  ▸ In the stack of the exploited task (use pxCurrentTCB->pxStack)
▸ On ESP8266, need to place the payload in IRAM

Slide 46

3. WIRING IN THE PAYLOAD: LWIP CALLBACKS
▸ This is ideal: doesn't interfere with task scheduling, no priority considerations, very simple:
  1. ptel_pcb = udp_new();
  2. udp_bind(ptel_pcb, IP_ADDR_ANY, 53);
  3. udp_recv(ptel_pcb, &payload, NULL);
▸ Now the payload runs when we send UDP traffic to port 53

Slide 47

3B. ALTERNATIVE APPROACH: TASK INSERTION
▸ If a callback is not an option, can create a new task
▸ Easiest to just use OS facilities to add our task:
    xTaskCreate(&payload, "rce service", configMINIMAL_STACK_SIZE, NULL, 0, NULL);
▸ To avoid starving other tasks, make the task block for "a while" after execution
▸ Task implements our server

Slide 48

4. PAYLOAD IMPLEMENTATION: RCE SERVICE
▸ What does our callback (or task) do?
▸ Waits for inbound packets, and runs them!
▸ Mark our packet with a magic value to indicate that it's safe to run - callback branches to the packet (*on lx106, first copy to IRAM)
▸ Inbound packet can implement more complex logic if needed
▸ Now we can execute larger payloads reliably
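
An added example, not the deck's sample implementation: the receive-side logic of that service as a pure function over the packet bytes, so it runs off the device. It ties together the magic-value check from this slide, the copy-to-IRAM step for the lx106, and the Thumb LSB rule from the code execution slide. The magic tag, header layout and the buffer standing in for IRAM are this example's assumptions; in the real udp_recv callback the bytes come from p->payload and p->len.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Receive-side logic of the RCE service: check a magic tag, bound the length,
 * copy the body into a region that is executable on the target (IRAM on the
 * lx106, any RAM on a Cortex-M without MPU) and form a Thumb entry address.
 * Tag, header layout and region are this example's own assumptions. */
#define STAGE_MAGIC       0x52434553u    /* arbitrary tag, constructed for this example */
#define EXEC_REGION_BYTES 512

static uint8_t exec_region[EXEC_REGION_BYTES];   /* stands in for IRAM or spare RAM */

struct stage_hdr {
    uint32_t magic;
    uint32_t len;      /* body bytes that follow; even, since Thumb code is halfword aligned */
};

/* Returns the branch target for the staged code, or 0 if the packet is not
 * ours or does not fit. On the device the caller then does ((void (*)(void))entry)(). */
uintptr_t stage_handle(const uint8_t *pkt, size_t pkt_len)
{
    struct stage_hdr h;
    if (pkt_len < sizeof h)
        return 0;
    memcpy(&h, pkt, sizeof h);                      /* pbuf payload is not guaranteed aligned */
    if (h.magic != STAGE_MAGIC)
        return 0;                                   /* ordinary traffic on this port: ignore */
    if (h.len == 0 || (h.len & 1) || h.len > EXEC_REGION_BYTES || h.len > pkt_len - sizeof h)
        return 0;                                   /* truncated, odd-sized or oversized body */
    memcpy(exec_region, pkt + sizeof h, h.len);     /* lx106: must land in IRAM before branching */
    return (uintptr_t)exec_region | 1u;             /* Cortex-M: LSB set selects Thumb state */
}

/* Constructed packets: a valid stage carrying two Thumb NOPs (0xBF00), a
 * truncated copy of it, and the same packet with a wrong tag. Returns 1 on success. */
int stage_demo(void)
{
    uint8_t pkt[sizeof(struct stage_hdr) + 4];
    struct stage_hdr h = { STAGE_MAGIC, 4 };
    const uint8_t nops[4] = { 0x00, 0xBF, 0x00, 0xBF };
    memcpy(pkt, &h, sizeof h);
    memcpy(pkt + sizeof h, nops, sizeof nops);
    uintptr_t entry = stage_handle(pkt, sizeof pkt);
    if (entry != ((uintptr_t)exec_region | 1u) || memcmp(exec_region, nops, 4) != 0)
        return 0;
    if (stage_handle(pkt, sizeof pkt - 2) != 0)     /* truncated: body would overrun the packet */
        return 0;
    h.magic = 0x41414141u;
    memcpy(pkt, &h, sizeof h);
    return stage_handle(pkt, sizeof pkt) == 0;      /* not ours: ignored */
}
```

On the device the callback also has to pbuf_free(p), and a payload split across a pbuf chain needs pbuf_copy_partial() into a flat buffer before these checks. The call through the returned entry is the step this host-side example deliberately leaves out. From the defender's side the same structure is the detection opportunity: a udp_recv handler or a task entry point whose address lies in RAM rather than flash has no business being there.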

Slide 49

SAMPLE IMPLEMENTATION (ARM)

Slide 50

WHAT CAN WE DO WITH IT?
▸ This all lives in system memory, gone on reset:
  ▸ Can write to flash to make it permanent
▸ Can send traffic off a secondary interface
▸ Access peripherals
▸ Ask me for a demo

Slide 51

CONCLUSIONS

Slide 52

RECOMMENDATIONS
▸ Tell developers to manage memory safely in C... (welcome to another decade of memory corruption)
▸ Isolate these devices from the rest of the network
▸ Security professionals: audit this technology and help fix vulnerabilities
▸ Vendors: opportunity and potential demand for additional protections (canaries, heap pointer integrity, W^X, randomized layout at least as an option)

Slide 53

FUTURE WORK
▸ Easily a dozen platforms out there, more network stacks, plenty more to look at for anyone interested
▸ Only scratched the surface with the auditing done so far - keep looking for bugs
▸ Additional challenges with ESP8266/lx106 that were only briefly mentioned in this talk
▸ FreeRTOS heap very interesting - look out for more details
▸ White paper in progress - follow me (@PartyTimeDotEXE) for release

Slide 54

THANKS AND PLUGS
▸ Siavash from NCC Group for suggesting RTOSes as a research area
▸ Stephen Ridley and Stephen Lawler for their excellent ARM Exploitation training
▸ Referenced researchers (RIP Barnaby Jack) and anyone I forgot
▸ Reviewers and friends who gave me feedback
▸ Shmoocon organizers and volunteers
▸ YOU!

Slide 55

Q/A

Slide 56

ART AND IMAGE CREDITS
▸ Shmoo Group - Shmoocon logo
▸ Zhao Yichao & Zhang Mingtang - "Riding up a Mountain Path"
▸ Pieter Bruegel the Elder - "The Hunters in the Snow"
▸ Theodor Kittelsen - "Pesta i trappen" and "Nøkken"