How Safe is your Link ?
Upcoming SlideShare
Loading in...5
×
 

How Safe is your Link ?

on

  • 382 views

As @nicowaisman mentioned in his talk Aleatory Persistent Threat, old school heap specific exploiting is dying. And with each windows SP or new version, is harder to attack heap itself. Heap ...

As @nicowaisman mentioned in his talk Aleatory Persistent Threat, old school heap specific exploiting is dying. And with each windows SP or new version, is harder to attack heap itself. Heap management adapt quickly and include new mittigation techniques. But sometimes is better to rethink the idea of mittigation and do this technique properly even half version of it will cover all known heap exploit techniques…

Statistics

Views

Total Views
382
Views on SlideShare
382
Embed Views
0

Actions

Likes
0
Downloads
6
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Outline :"I will start by reviewing the checks performed by SafeLink and the processing - (un)validating of the block headers. Following that, i will present the approach which can be used to satisfy the conditions of the linking/un-linking algorithm, and rule encoding mittagations as well. As next step i will show less strict approach which satisfy exploitation conditions of most of x86 binaries.After that, i will look deeper at conditions to full comprimise even x64 application on win7sp1 (/win8CP), present idea, look at the results and show live demo on win7sp1 - x64 application. Some conclusions follows.At the end of the talk, i will show video demo of exploitation of vulnerable proof-of-concept application (win8 x64, x86 plugin for IE, IE10). "

How Safe is your Link ? How Safe is your Link ? Presentation Transcript

  • How safe is your link ? Old school exploitation vs new mitigations
  • • Peter Hlavatý • Specialized Software Engineer at ESET • Points of interest : • vulnerability research • exploit mitigations • kernel development • bootkit research • malware detection and removal algo • @zer0mem • research blog : http://zer0mem.sk/ #whoami
  • • As nico mentioned in his talk, Aleatory Persistent Threat, old school heap specific exploiting is dying • windows version ++  attack difficulty ++ • weak implementation == place for exploiting of mechanism Introduction
  • Windows memory management Lets take a look at algo
  • Quick lookup at RtlpAllocateHeap FreeLists-UnLink-Search Algorithm Really, some security improvements in algorithm are obvious... • Validating / Encoding headers • RtlpAnalyzeHeapFailure • SafeLinking
  • • code1 = _Heap.EncodeFlagsMask ? code1 ^ _Heap.Encoding.Code1 : code1 • valid = code1.Flags ^ (BYTE)code1.Size ^ (code1.Size >> 8) == code1.SmallTagIndex • size = code1.Size • _Heap.EncodeFlagsMask initialy set to default value • _Heap.Encoding.Code1 set to random value I.Validating / Encoding headers
  • • cs:RtlpDiSableBreakOnFailureCookie • x64 by default, x86 not! • x86Win binaries by default • What about 3rd party ? • RtlpGetModifiedProcessCookie • call NtQueryInformationProcess II. RtlpAnalyzeHeapFailure
  • • heap_entry.flink.blink != heap_entry.blink.flink || heap_entry.flink.blink != heap_entry • Pretty easy check don’t you think ? III. SafeLinking
  • RtlpHeapAlloc search in FreeLists
  • • FreeListsSearch • missing validation checks ? • RtlpAnalyzeHeapFailure • Results in : kill app or not? 3rd party ? • SafeLink Check • Is implemented smart enough? Problems ?
  • Exploitation 1 Show me your gong-fu :: technique
  • BuildOwnHeap - IDEA
  • RULLING UNDER ENCODING LOGIC • LowerBoundary of HEAP_ENTRY.Size : • Interesting test : _Heap.EncodeFlagsMask & HEAP_ENTRY.Code1 • If not matched, then it is not XORED! • What about 0-size ?  Implementation shortcut
  • RULLING UNDER ENCODING LOGIC • UpperBoundary (I.) of HEAP_ENTRY.Size : • Interesting xoring value : _Heap.Encoding.Code1 set to random value • this case  too much random == too much predicatability • If (HEAP_ENTRY.Size set to 0101010101010101b) then (_Heap.Encoding.Code1 ^ HEAP_ENTRY.Size)  high probability to be big number  Implementation shortcut
  • RULLING UNDER ENCODING LOGIC • UpperBoundary (II.) of HEAP_ENTRY.Size : • based on XOR • two heap_entry chunks on freelist • 1st set HEAP_ENTRY.Size to 0x8000 • 2nd set HEAP_ENTRY.Size to 0x0 • After XOR one of HEAP_ENTRY.Size will be for sure equal to 0x8000 which is big number  Implementation shortcut
  • BuildOwnHeap - implementation • Looka looka - SafeLink Check ?
  • Attack!
  • • SafeLink Check • HeapSpray fake list fulfill conditions • Validation & RtlpAnalyzeHeapFailure? • I am 3rd Party • Problems : • Works for x86 binaries • Already fixed in win7sp1 Results ?
  • Good enough ? … not ... Can it be improved ?
  • Seems familiar ? • Validating / Encoding headers • RtlpAnalyzeHeapFailure • SafeLinking Quick lookup to RtlpFreeHeap FreeLists-Link-Search Algorithm
  • • heap_entry.Blink.Flink != heap_entry • … SafeLinking, changed !?
  • • Again, no validation here required • Performance vs security ? RtlpFreeHeap search in FreeLists
  • Previous IDEA – imporving .. • What do you think happen with valid chunk, with size is bigger than size of already overwritten HEAP_ENTRY, when it is attempted to be freed ? 
  • 1) Memory leak! 2) Relinking already used memory! Final Exploitation
  • Exploitation 2 - showtime …improving, improving, success…
  • • Same as in first attack : • HeapSpray attack • sizeof(HEAP_ENTRY) + sizeof(LIST_ENTRY>Flink) overflow, that cause overwritting HEAP_ENTRY on FreeList • Second attack specific : • Ability to force application to free already used ‘good sized’ memory  memory leak • RW access to our heapsprayed buffer  relinking Prerequisites
  • Attack!
  • Visualisation of exploitation - init
  • Visualisation of exploitation - heapspray
  • Visualisation of exploitation - overwrite
  • Visualisation of exploitation – free(*)
  • • Success! Results
  • Live Demo Win7 SP1
  • • Conclusions : • Mitigations are as good as they weakest point ! • Implement minimalistic approach, but cover all responsibilities of the code • Speed performance < safe environment Done
  • • Reported to microsoft about 2 years ago • But still present in win7sp1, and was usable even in win8CP ! • In final release of win8 it is finally patched! • FreeListSearch algo now validate each walked HEAP_ENTRY Addition technique info
  • Video Demo win8 CP, ie10
  • References Brett Moore : Exploiting Freelist[0] On XP Service Pack 2 http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist%5B0%5D%20On%20XP%20Service %20Pack%202.pdf Chris Valasek : Understanding the Low Fragmentation Heap http://illmatics.com/Understanding_the_LFH.pdf Brett Moore : Heaps About Heaps http://seclists.org/vuln-dev/2008/Jul/0 Alexander Sotirov : Heap Feng Shui in JavaScript http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf Nico Waisman : Aleatory Persistent Threat http://media.blackhat.com/bh-us-10/presentations/Waisman/BlackHat-USA-2010-Waisman-APT-slides.pdf … and many others usefull exploit techniques related materials …