Recon 2011

Guillaume Delugré
Day Saturday - 2011-07-09
Room Grand Salon
Start time 16:00
Duration 01:00
ID 120
Event type Lecture
Track Main

How to develop a rootkit for Broadcom NetExtreme network cards

Among all possible devices, network cards are particularly interesting for an attacker wishing to develop a rootkit:
- They offer direct communication with the attacker over the network link
- They offer direct memory access to kernel physical pages over the PCI link

Despite the fact that the feasibility of a rootkit in a network card had already been considered (A. Triulzi, PacSec 2008; L. Duflot & Y-A. Perez, CSW 2010), no public proof-of-concept of such a rootkit has ever been published.

Actually, the development of a network card rootkit is no easy task and can be quite challenging on many technical fronts. Getting code execution on the network card is just the very beginning of a long path with many obstacles. Rootkit development on embedded devices implies the following constraints:
1) setting strong requirements on CPU and memory usage
2) making use of undocumented device features
3) bypassing inherent hardware limitations
4) keeping the device and the driver working properly all the time

Having spent a lot of time reverse engineering the firmware of Broadcom NetExtreme cards, I began writing my own rootkit firmware from scratch in C. Fortunately, the firmware code in Broadcom cards is not signed, and it is possible to burn custom MIPS code into the device's EEPROM so that it gets loaded during the device bootstrap sequence. I will briefly revisit how I reverse engineered the Broadcom firmware: developing my own firmware debuggers (InVitroDbg/InVivoDbg), getting code execution on the NIC, etc. This work has already been presented in the past, so this presentation will mainly focus on the practical rootkit development part.