Network Pixies: Abusing PXE - RSA Conference (32 pages)

Posted 13-Mar-2018

TRANSCRIPT

Page 1: Network Pixies: Abusing PXE

#RSAC

Session ID: ASD-F03

Andy Wortman, Staff Research Engineer

Brian Wallace, Data Scientist

Page 2: PXE Boot: What, Where, Why?

Preboot Execution Environment

Post-BIOS, pre-OS protocol to download an OS over a network.

Built on DHCP and TFTP to handle what files come from where.

Included in UEFI, will continue to be around for a while.

Page 3: PXE Boot: What, Where, Why?

Page 4: PXE Boot: What, Where, Why?

Centralized OS management

Diskless servers/nodes, virtual machines

Remote management applications

Buses?

(Yes, we actually saw this)

Fallback after local disk failure

We’re not sysadmins, this is just what we’ve seen. YMMV.

Page 5: PXE Boot: What, Where, Why?

Makes admin over geographical distance sane!

You know what all your boxes are running.

Can have granular control per-MAC.

Need to reimage? Restart the machine.

No local disk == no local persistence. Nice!

Page 6: A Quick Poll

Show of hands: do you know if your infrastructure relies on PXE?

Alternatively: do you know if PXE boot is enabled?

Page 7: PXE Implications

PXE may provide the first* code machines you operate will run!

If PXE is maintained poorly, nothing after is trustable.

We are not covering PXE administration.

That’s a broad, per-vendor topic. May involve infrastructure, too.

Recommendations at the end, but in line with most best practices.

We are covering what may happen if PXE is deployed poorly.

Page 8: Research History

2005: eEye BootRoot (PXE used to subvert Windows kernel at boot)

2011: Network Nightmare (Defcon 19, PXE to modify local disk data)

2012: Owning One To Rule Them All (Defcon 20, attacking PXE deployment servers)

That’s about it?

Page 9: Nuts and Bolts

PXE extends DHCP, then uses TFTP (or HTTP).

Designed to layer on top of existing infrastructure with no changes.

More on that in a moment.

Bare minimum is just that a client specifies DHCP option 60 with the string “PXEClient”.

Ideally the DHCP server fills in the boot file name and provides that file via TFTP, and it’s all set.

Page 10: Nuts and More Bolts

Designed to layer on? What?

Provisions for rigid infrastructure where changing DHCP config is hard.

In addition to normal DHCP request, PXE may, after getting no boot file path, issue a second request to a “proxyDHCP” server.

Page 11: proxyDHCP

“proxyDHCP” server is just a DHCP server on port 4011.

Specific intent is to augment DHCP with PXE boot info.

Pro: Original DHCP server doesn’t have to change.

Con: Anyone who can put a DHCP server on port 4011 can PXE boot your machines.

Page 12: PXE Deployment: What you expected

Page 13: PXE Deployment: What you got

Page 14: Identifying PXE boot

PXE boot requests start by going to port 67 or 4011

Can happen intentionally

Or as a reimaging technique

Or as a backup boot method after disk failure

Or as a primary boot method that no one notices due to no PXE server

— (common-ish for servers by very unscientific sampling)

Page 15: PXE Dust

Couldn’t some tool just tell us when PXE is happening?

Hey, look! It’s Demo Time!

Page 16: PXE Dust

Page 17: Abusing PXE boot

So, say we see PXE boot as an option

What can we do now?

First, how do we most reliably PXE boot?

Page 18: PXE Client doesn’t use proxyDHCP?

Some PXE implementations don’t try again on port 4011

No problem!

Some clients just discard DHCPOFFER without PXE options

Page 19: PXE Client only sends one request?

Some PXE implementations really do request only once

If you miss it, you have to hope they reboot

For reliability, race the DHCP response

Page 20: PXExploitation

Even across different PXE client configs, we can probably get something running if PXE is enabled.

Backdoored kernel? (see: BootRoot)

Tweaked OS image?

Start a hypervisor and boot genuine image inside that?

Page 21: PXExploitation

Page 22: PXExploitation

What would you do if your machine doesn’t join AD?

“Oh, weird. Old creds, or bug. I’ll just type in my creds again”

But really the PXE-booted image had credentials removed

And keystrokes are intercepted by hypervisor

Page 23: Magic PXE Hypervisor Demo

We were going to demo that here…

But what worked under QEMU on Linux at the home lab…

Doesn’t work under VMWare on OS X.

Page 24: Magic PXE Hypervisor Demo

Page 25: Magic PXE Hypervisor Demo

Only perceptible difference is VM’s BIOS + PXE firmware?

Page 26: Magic PXE Hypervisor Demo (What DID work)

Page 27: Magic PXE Hypervisor Demo

(Diagram labels: VMWare DHCP server; 30-line python script)

Proceeds to TFTP from attacker-provided DHCP server!

Page 28: Magic PXE Hypervisor Demo

Would demo at least racing DHCP responses + booting Linux

We can win the race reliably!

Linux wasn’t starting right; other issues with last-minute changes

Page 29: Open questions

PXE happens on ALL PXE-capable NICs?

No BIOS we’ve seen lets a NIC preference be specified, nor lets particular NICs be disallowed

iPXE seems to be able to prioritize NICs

USB PXE boot?

For some particularly common ethernet chipsets, this is possible (for <$50!)

WiFi PXE boot?

iPXE (Open source PXE implementation) supports WEP and WPA+WPA2

— Also supports the fairly uncommon option of using NIC non-volatile storage

Page 30: Recap and takeaways

Page 31: Takeaways

Reminder: if PXE is enabled, anyone can control your computer at boot

Caveat: UEFI network boot indicates SecureBoot support.

If PXE isn’t actively used, it may still be available (local disk failure etc)

PXE is a rather serious risk/benefit consideration.

Page 32: Recommendations

Look through PXE manual sections for any hardware you operate.

Specifically look for PXE options to control what NICs try PXE boot.

Restricting which ports in particular would be very convenient.

SecureBoot with PXE wherever possible.

Initial searching for resources here wasn’t encouraging.

Monitor your network for unexpected PXE traffic

If you see PXE communications from an unexpected server, that is very bad.
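The "monitor for unexpected PXE traffic" recommendation above, together with the port 67 / 4011 identification from the "Identifying PXE boot" slide, as an added example (not the speakers' PXE Dust tool): a small Python classifier that parses DHCP options, flags PXEClient requests on either port, and reports any server handing out a boot file that is not on an allowlist. The allowlist, the sample datagrams and the build_dhcp helper are constructed for this example.

```python
# Constructed allowlist of servers allowed to hand out boot files; any other is "unexpected".
EXPECTED_PXE_SERVERS = {"10.0.0.2"}
DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie after the 236-byte BOOTP header

def parse_dhcp_options(payload):
    """Parse the option area of a DHCP payload into {code: bytes}."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                          # 0 = Pad, has no length byte
            i += 1
        else:
            code, length = payload[i], payload[i + 1]
            opts[code] = payload[i + 2:i + 2 + length]
            i += 2 + length
    return opts

def classify(src_ip, dst_port, payload):
    """Label a datagram: PXE request, expected/unexpected PXE offer, or None."""
    opts = parse_dhcp_options(payload)
    msg_type = opts.get(53, b"\x00")[0]              # DISCOVER=1 OFFER=2 REQUEST=3 ACK=5
    # A client announces PXE with option 60 "PXEClient..." in its DISCOVER / REQUEST.
    if msg_type in (1, 3) and opts.get(60, b"").startswith(b"PXEClient"):
        return "pxe-request:%d" % dst_port           # 67 = DHCP, 4011 = proxyDHCP
    # A server puts the boot file in option 67 or in the legacy 128-byte 'file' field.
    boot_file = opts.get(67) or payload[108:236].rstrip(b"\x00")
    if msg_type in (2, 5) and boot_file:
        server = ".".join(map(str, opts[54])) if 54 in opts else src_ip
        if server in EXPECTED_PXE_SERVERS:
            return "pxe-offer-expected"
        return "pxe-offer-unexpected:" + server      # the "very bad" case
    return None

def build_dhcp(msg_type, options, boot_file=b""):   # builds the constructed samples
    hdr = bytearray(236)
    hdr[0] = 1 if msg_type in (1, 3) else 2          # op: BOOTREQUEST / BOOTREPLY
    hdr[108:108 + len(boot_file)] = boot_file
    body = bytes([53, 1, msg_type])
    for code, value in options.items():
        body += bytes([code, len(value)]) + value
    return bytes(hdr) + DHCP_MAGIC + body + b"\xff"

SAMPLE_DATAGRAMS = [   # constructed (src_ip, dst_port, payload), not a real capture
    ("10.0.0.9", 67, build_dhcp(1, {60: b"PXEClient:Arch:00007:UNDI:003000"})),
    ("10.0.0.2", 68, build_dhcp(2, {54: bytes([10, 0, 0, 2]), 67: b"pxelinux.0"})),
    ("10.0.0.9", 4011, build_dhcp(3, {60: b"PXEClient"})),   # proxyDHCP follow-up
    ("10.0.0.77", 68, build_dhcp(5, {54: bytes([10, 0, 0, 77])}, b"unknown.efi")),
]

def scan(datagrams=SAMPLE_DATAGRAMS):   # labels of every PXE-related datagram, in order
    return [lab for src, port, data in datagrams if (lab := classify(src, port, data))]
```

Feed scan() the (src_ip, dst_port, UDP payload) tuples from a capture of ports 67, 68 and 4011; any "pxe-offer-unexpected" result is the case the slide calls very bad.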