I. Research background

1.1 Research motivation

Routers, firewalls, switches and other network equipment form the links of the entire Internet and, as nodes of the computer network, occupy a very important position, so their security is particularly important. Countries and regions currently attach great importance to the security of PCs and mobile devices, but network devices sit hidden in the back end of the network, and that invisibility has left their security poorly understood while exploits and attacks against them keep appearing. Once a network device is taken over, every terminal device connected through it is exposed to the attacker, leading to leakage of important data and information and to serious network security incidents. In recent years the number of vulnerability disclosures and attack reports concerning network devices has been increasing: on the one hand attackers are starting their intrusions from network devices, and on the other hand people have gradually begun to pay attention to network security.
Table 1-1: Network security events in recent years

Time     Event
2014-04  Cisco and Juniper products found to be affected by the Heartbleed vulnerability (CVE-2014-0160)
2014-11  Kaspersky Lab released a report disclosing that BlackEnergy can attack Linux systems and Cisco routers
2015-09  FireEye published a report on the SYNful Knock backdoor in Cisco routers
2015-10  Steven Adair of the security company Volexity discovered attacks against Cisco web VPN
2015-12  Juniper vulnerabilities found: a universal password allows logging in to devices (CVE-2015-7755), and VPN traffic can be decrypted (CVE-2015-7756)
2016-01  @esizkur found an undocumented SSH account vulnerability in Fortinet FortiGate firewalls (CVE-2016-5125)
2016-08  The Equation Group's firewall attack tools were leaked

Facing a growing number of network-layer attacks, our team, as part of the effort to build China's Internet security, has carried out a great deal of research and analysis on the exploitation of network device vulnerabilities, studying network defense from the angle of vulnerability analysis and exploitation on network devices.

1.2 Characteristics of network device vulnerabilities

Table 1-2: Number of vulnerabilities in the Cisco ASA firewall system, 2014.10-2016.6 (ASA)

Type    2014.10-2014.12  2015  2016.1-2016.6
DoS     9                9     4
Bypass  1                3     1
Other   8                3     1

Table 1-3: Number of vulnerabilities in the Cisco IOS system, 2014.1-2016.5 (Cisco IOS)

Type    2014  2015  2016.1-2016.5
DoS     32    68    15
Bypass  2     3     0
Other   7     3     2

Judging from the CVE numbers of the past three years, most of the vulnerabilities are classified as denial of service; the remainder bypass authentication, filtering or other security mechanisms, or belong to other types.
Most network device vulnerabilities are network protocol vulnerabilities; most network protocol vulnerabilities are memory corruption vulnerabilities, and memory corruption vulnerabilities are in turn mostly classified as denial of service. Cisco IOS is a very large binary program that runs directly on the main CPU: if an exception occurs, memory is corrupted, or the CPU is continuously occupied, the device restarts. Cisco ASA runs lina_monitor and lina on an embedded Linux system; when lina behaves abnormally, lina_monitor is responsible for restarting the device.

1.3 Research history

The earliest publication on network device exploitation research appeared in 2002, when Felix 'FX' Lindner and FtR presented "default settings networked embedded systems", showing the feasibility of exploiting Cisco IOS. In 2005 Michael Lynn first publicly demonstrated reliable exploitation of a Cisco IOS buffer overflow vulnerability. In 2007 Gyan Chawdhary and Varun Uppal disclosed an approach to Cisco IOS shellcode based on the gdb debugger and gave two kinds of shellcode demonstrations with code. In 2008 Felix 'FX' Lindner developed CIR, a Cisco IOS forensic tool. In 2011 Sebastian Muniz and Alfredo Ortega demonstrated fuzzing of Cisco IOS, and Ang Cui, Jatin Kataria and Salvatore J. Stolfo proposed a universal Cisco IOS exploitation method. In 2012 Felix 'FX' Lindner presented Huawei router security issues. In 2015 George Nosenko demonstrated shellcode that executes a Tcl script in memory.

II. Research content

2.1 Research approach
Figure 2-1: Research approach

2.2 Obtaining firmware

1. Download from the vendor's official website
2. Download from the device over TFTP, FTP, HTTP, SCP, etc.
3. Read from flash, CF card or other storage modules
4. Shared by security researchers

2.3 Unpacking firmware

Purpose of unpacking the firmware:
1. Extract the program to be analyzed
2. Extract the files required for emulation

2.3.1 Unpacking ASA firmware
Figure 2-2: Schematic of the ASA firmware format

In Figure 2-2, vmlinuz is a compressed Linux kernel and initrd is the temporary root file system that the system mounts during the boot process. The start addresses of vmlinuz and initrd can be determined by locating the strings "Direct booting from floppy is no longer supported" and "rootfs.img" respectively.

2.3.2 Unpacking IOS firmware
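Returning to the ASA layout of section 2.3.1, the following is an added example (not code from the original report) that locates the two components by the marker strings named there. It goes a step beyond the text: the vmlinuz candidate is pinned to the exact bzImage boot sector using the Linux x86 boot-protocol signatures (0x55AA at sector offset 0x1FE, "HdrS" at 0x202), and the initrd is assumed to be a gzip stream that begins after the rootfs.img marker; the sample image is constructed, not a real firmware.

```python
# Added example: locate vmlinuz and initrd inside an ASA image by the marker
# strings given in section 2.3.1. The bzImage signature check and the
# "initrd is gzip" assumption are generalizations, not from the report.
VMLINUZ_MARKER = b"Direct booting from floppy is no longer supported"
INITRD_MARKER = b"rootfs.img"
GZIP_MAGIC = b"\x1f\x8b\x08"          # gzip header with deflate method


def find_vmlinuz(image: bytes):
    """Offset of the bzImage boot sector that carries VMLINUZ_MARKER, or None.

    The marker sits inside the kernel's 512-byte boot sector, so walk back
    at most 512 bytes and accept the first sector start that shows the
    x86 boot-protocol signatures (0x55AA at 0x1FE, 'HdrS' at 0x202).
    """
    pos = image.find(VMLINUZ_MARKER)
    if pos < 0:
        return None
    for start in range(pos, max(pos - 512, -1), -1):
        if (image[start + 0x1FE:start + 0x200] == b"\x55\xaa"
                and image[start + 0x202:start + 0x206] == b"HdrS"):
            return start
    return None


def find_initrd(image: bytes, after: int = 0):
    """Offset of the gzip stream that follows INITRD_MARKER, or None.

    Assumption: the initrd is gzip-compressed (the usual case), so the real
    start is the first gzip magic after the marker, not the marker itself.
    """
    pos = image.find(INITRD_MARKER, after)
    if pos < 0:
        return None
    gz = image.find(GZIP_MAGIC, pos)
    return gz if gz >= 0 else None


def build_sample_image() -> bytes:
    """Constructed stand-in for an ASA image: junk, a bzImage-like boot
    sector holding the marker, a fake kernel body, then the initrd marker
    followed by a gzip header (offsets: vmlinuz at 100, initrd at 776)."""
    sector = bytearray(0x206)
    sector[0x40:0x40 + len(VMLINUZ_MARKER)] = VMLINUZ_MARKER
    sector[0x1FE:0x200] = b"\x55\xaa"
    sector[0x202:0x206] = b"HdrS"
    return (b"JUNK" * 25 + bytes(sector) + b"kernel-payload" * 10
            + b"\x00" + INITRD_MARKER + b"\x00" * 7 + GZIP_MAGIC + b"\x00" * 7 + b"cpio")
```

Slicing the image from the returned vmlinuz offset gives a bzImage that the kernel's own extraction tools accept, and slicing from the initrd offset gives a gzip stream to decompress.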