1. Alice in eXploitland
   Attack & defense evolution
   Zoltán Balázs
   Hacktivity 2013

2. About:me
   - OSCP, C|HFI, CISSP, CPTS, MCP
   - Senior IT security consultant @ Deloitte Hungary
   - Proud member of the gula.sh team
   - zbalazs@deloittece.com
   - https://hu.linkedin.com/in/zbalazs
   - Twitter – zh4ck

3. What's next?
   Evolution of memory corruption attack & defense:
   - Stack based buffer overflows
   - Stack canary
   - Structured Exception Handling
   - DEP
   - ASLR
   - Advanced mitigation

4. Scope of this presentation
   - Focus on memory corruption, not Java vulnerabilities
   - Focus on Windows: in the last 15 years Windows was the biggest target for memory corruption exploits
   - High level overview only, no details like Assembly
   - Mostly stack overflow vulnerability: no heap overflow, no format string, no null pointer dereference, no integer overflow (just a little bit), no use after free

5–7. Why you should care about exploits?
   If you are a company outside of China (or place your favourite enemy here):
   - You are a target for intellectual property stealing
   - Your intellectual property will be stolen (social engineering, software exploits)
   - You will find your product on the local Chinese market at half the price

8–9. Why you should care about exploits?
   If you are a military team working for the Chinese (or other) government to steal intellectual property:
   - Your C&C server will be hacked through a memory corruption vulnerability
   - Your "projects" will be revealed by hackers from Luxembourg

10–13. Why you should care about exploits?
   If you are a plain user surfing the web:
   - You might be hacked through a memory corruption vulnerability (or Java)
   - Credit card stolen, internet bank hacked
   - Identity stolen
   - Facebook wall spammed

14. Function calls
    #include <stdio.h>
    #include <string.h>

    void SayHello(char* userinput)
    {
        char buffer[100];
        strcpy(buffer, userinput);   /* unbounded copy: this is the stack overflow */
        printf("Hello %s\n", buffer);
    }

    int main(int argc, char* argv[])
    {
        if (argc < 2) return 1;      /* argv[1] must exist */
        SayHello(argv[1]);
        return 0;
    }

15–20. Function calls (the stack frame of SayHello, built up one slide at a time: new stack frame, ptr to argv[1], Saved EIP, Saved EBP, space for buffer, then strcpy filling the buffer)
    0x00000000
    ...
    ESP -> top of stack
           space for buffer        (strcpy writes this way, towards higher addresses)
    EBP -> Saved EBP
           Saved EIP               <- Overwrite this for PROFIT
           ptr to argv[1]
    ....
    0xFFFFFFFF
    Legend: ESP - extended stack pointer, EBP - extended base pointer (frame pointer), EIP - extended instruction pointer

21. Stack based buffer overflow vulnerability
   "Stack overflow happens when the user can put more data on the allocated stack than available"
   If more data is put on the stack (stack overflow) ... magic will happen
   Buffer overflow:
   - Stack based buffer overflow
   - Heap based buffer overflow

22–25. Stack overflow (the overflow one slide at a time: the AAAAs fill the buffer, then overwrite Saved EBP, then Saved EIP, then ptr to argv[1])
    0x00000000
    ...
    ESP -> top of stack
           AAAA
           AAAA
           ...
           AAAA                    (strcpy writes this way)
    EBP -> Saved EBP      AAAA
           Saved EIP      AAAA     <- Overwrite this for PROFIT
           ptr to argv[1] AAAA
    ....
    0xFFFFFFFF
    Legend: ESP - extended stack pointer, EBP - extended base pointer (frame pointer), EIP - extended instruction pointer

26–27. Quiz for Hacker Pschorr
   Which team created the first Linux kernel patch to protect against stack overflows?
   Answer: PaX team in 2000

28. Stack overflow history
   - 1972 – Computer Security Technology Planning Study
   - 1988 – Morris worm
   - 1996 – Smashing the Stack for Fun and Profit (Aleph One)
   - 2000 – NSA – SELinux open sourced
   - 2000 – PaX Team
   - 2003 – SELinux merged into the mainline Linux kernel
   - 2004 – Egghunters - against small buffers

29. Shellcode
   - The attacker's code: what the attacker wants to execute
   - The instructions given by Alice to the rabbit

30. Mitigation techniques
   All of the following mitigation techniques are used against every memory corruption vulnerability, not just against stack overflow.

31–32. Stack canary/cookie (slide 31: a random cookie is placed between the buffer and the saved registers; slide 32: the overflow overwrites the cookie with AAAA before it reaches Saved EBP and Saved EIP)
    0x00000000
    ...
    ESP -> top of stack
           AAAA ... AAAA           (strcpy writes this way)
           Random cookie  27384AB4CD457 -> AAAA after the overflow
    EBP -> Saved EBP      AAAA
           Saved EIP      AAAA     <- Overwrite this for PROFIT
           ptr to argv[1] AAAA
    ....
    0xFFFFFFFF
    Legend: ESP - extended stack pointer, EBP - extended base pointer (frame pointer), EIP - extended instruction pointer

33. Stack canary/cookie history (/GS)
   - 1997 - Linux (GCC)
   - 2002 - MS (Visual Studio)
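As an added example (not the deck's own code), the /GS cookie check from slides 31–33 emulated in C: the frame layout, the master cookie value 0x27384AB4 (the first 32 bits of the slide's cookie) and the placeholder return address are constructed for the demo, and `say_hello_gs`, `say_hello_bounded` and `set_master_cookie` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emulated 32-bit stack frame of SayHello from the slides, lowest address
 * first: locals, then the /GS cookie, then the saved EBP and saved EIP.
 * Writing past `buffer` hits the cookie before it reaches the saved EIP. */
struct frame {
    char     buffer[16];
    uint32_t cookie;      /* /GS puts the cookie between locals and saved regs */
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

/* The master cookie lives in .data in a real /GS binary (__security_cookie).
 * Here it is a global set explicitly so the demo is deterministic (constructed value). */
static uint32_t g_master_cookie = 0x27384AB4u;

void set_master_cookie(uint32_t v) { g_master_cookie = v; }

/* Copies the way an unbounded strcpy would, clamped to the frame size so the
 * emulation itself never writes outside `f`. Returns the bytes written. */
static size_t unchecked_copy(struct frame *f, const char *input) {
    size_t n = strlen(input) + 1;           /* strcpy copies the NUL too */
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, input, n);                    /* long input clobbers cookie, EBP, EIP */
    return n;
}

/* Emulates SayHello compiled with /GS. Returns 0 when the cookie is intact
 * and the function would return normally, 1 when the epilogue check fails
 * (a real binary calls __report_gsfailure instead of using the saved EIP). */
int say_hello_gs(const char *input) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_eip = 0x00401000u;              /* constructed placeholder return address */
    f.cookie    = g_master_cookie;          /* prologue: load cookie into the frame */
    unchecked_copy(&f, input);
    return f.cookie != g_master_cookie;     /* epilogue: compare before ret */
}

/* The fixed function: a bounded copy, so no overflow can happen at all.
 * Returns 1 if the input had to be truncated, 0 otherwise, -1 if the cookie
 * was somehow damaged (it never is here). */
int say_hello_bounded(const char *input) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.cookie = g_master_cookie;
    int truncated = strlen(input) >= sizeof f.buffer;
    snprintf(f.buffer, sizeof f.buffer, "%s", input);
    return f.cookie != g_master_cookie ? -1 : truncated;
}

int main(void) {
    printf("short input: overflow detected = %d\n", say_hello_gs("Alice"));
    printf("long input:  overflow detected = %d\n",
           say_hello_gs("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```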
34. Stack canary/cookie bypass
   - Method 1: Replace the cookie on the stack and in .data (tamper with the sensor in a way where water does not trigger an alarm)
   - Method 2: Not protected buffer (no string buffer) (use a pot which is not equipped with an alarm system)
   - Method 3: Guess/calculate the cookie (static cookie)
   - Method 4: Overwriting stack data in functions up the stack, switch case

35–36. Structured Exception Handling exploit
   In reality, traditional stack overflow exploits are sometimes not possible:
   - No EIP overwrite
   - No jump
   - Stack cookies (the stack cookie is not checked at exception handling)
   - Way too complicated to trigger

37. SEH exploit – three steps to profit
   Step 1. Overwriting the first element in the exception-handling chain
   Step 2. Because of the overflow, the exception handling is triggered
   Step 3. Via exception handling, return to the malicious shellcode (PROFIT)

38. SEH exploit metaphor
   If chaos occurs, a disaster recovery process handles the chaos.
   Alice can rewrite the address where the rabbit can find the disaster recovery process manual.

39. SEH exploit mitigation
   - SafeSEH: a table which tells the operating system the valid exception handlers (only a limited set of addresses where the disaster recovery manual can be found; Alice can not change those)
   - SEHOP: the OS performs SEH chain validation, which breaks SEH overwrite exploitation techniques (a stamp from the queen on the addresses where the disaster recovery manual can be found)

40. DEP
   - DEP - Data Execution Prevention – Windows (OS level)
   - Protection: mark the stack as non executable
   - PageExec, W^X, NX, XD

41. PageExec, W^X, NX, XD, DEP
   - NX - Never Execute – AMD (CPU level)
   - XD - eXecution Disabled – Intel (CPU level)
   - W^X - Write XOR Execute – OpenBSD, OS X (OS level)
   - Non-Executable Memory – Linux (OS level)
   - Windows:
     If CPU NX/XD is enabled/supported: HW DEP == real DEP
     If CPU NX/XD is disabled/not supported: Software DEP == SafeSEH !!!
   - DEP modes: Always Off, OptIn, OptOut, Always On

42. PageExec, W^X, NX, XD, DEP history
   - 1997 - Openwall – Solar Designer
   - 2000 - PaX Team PageExec
   - 2002 - Exec Shield (Ingo Molnár)
   - 2003 - OpenBSD
   - 2004 - Linux (Ingo Molnár)
   - 2004 - Windows XP SP2
   - 2006 - OS X

43. PageExec, W^X, NX, XD, DEP bypass
   - Method 1: Return Oriented Programming (ROP); roots from Solar Designer (return-into-libc) - 1997

44. PageExec, W^X, NX, XD, DEP bypass
   - Method 2: Mark the stack part as executable (Alice can override the command that her handwritten orders can not be executed). Does not work on protection "always on"
   - Method 3: Disable the protection for the process. Does not work on protection "always on"
   - Method 4: Copy shellcode to an executable area. The executable area is usually read only, so allocate new memory with read-write-execute support (VirtualAlloc). If attacking a browser: JavaScript heap spraying. Other magic here

45. ASLR metaphor
   - ASLR = Address Space Layout Randomization
   - Changing the addresses of the memory layout every time
   - Changing the street names and house numbers every time
   - Alice can only go to a house; she won't know what its address will be at the time when the rabbit arrives

46. ASLR history
   - 1997 - Memco
   - 2001 - PaX Team (RandExec/RandMmap/RandUStack/RandKStack)
   - 2005 - OpenBSD
   - 2005 - Linux – first implementation weak
   - 2007 - Windows
   - 2007 - OS X
   - 2011 - Android

47. ASLR bypass
   2007 – MS07–017 ANI exploit – Alex Sotirov
   - Method 1: overwrite the first two bytes of EIP (low bytes). The high bytes are random - we need that info, so we won't change it. The low bytes are modified to point to a piece of code useful for the attacker. Alice case: we specify the return address like "4 houses to the left, next to the original"
   - Method 2: Low entropy in random – brute force. A catch-all exception block is usually needed. You never write try { code_here } catch (Every exception) { Do nothing }, do you? ASLR on a 32 bit OS is 14m3; ASLR on a 64 bit OS is 1337 (High Entropy ASLR on Win8)

48. ASLR bypass ...
   Method 2: Low entropy in random – brute force
   - Alice can give 1000 addresses to the rabbit
   - The rabbit will look for Alice in 1000 houses
   - Finally the rabbit can find Alice
   - Alice can give him the malicious instructions
   - PROFIT

49. ASLR bypass ...
   - Method 3: ASLR not enforced. Java 6 (static) used in an Adobe Flash exploit; Java 7 has ASLR. There are still some static street names and house numbers in eXploitland that never change
   - Method 4: address space information disclosure. Alice can ask an inhabitant of eXploitland what the street name and house address will be of the house where Alice is when the rabbit arrives

50. EMET

51. Exploiting stack overflow in 2003 on Windows
   Collect three gems

52. Exploiting stack overflow in 2013 with ASLR + DEP
   You have 3 ammo left

53. ASLR + DEP bypass
   Metasploit windows/browser/ms13_037_svg_dashstyle demo
   - Scenario 1. Disable ASLR, exploit fixed addresses
   - Scenario 2. Enable ASLR, the exploit is not working
   - Scenario 3. Java 1.6: ROP with the non-ASLR module works
   - Scenario 4. ASLR with the original information leak exploit
   - Scenario 5. EMET: heapspray-only protection blocks the exploit

54. What to do if I'm a user?
   - Remove Java
   - If you use Windows: upgrade to the latest OS, use the latest browser (Chrome/IE); if you can't upgrade, use EMET
   - If you use Linux: upgrade to the latest OS, use the latest browser (Chrome)
   - If you use OS X: upgrade to the latest OS, use the latest browser (Safari/Chrome)
   - Upgrade your software

55. What to do if I'm a CISO?
   - Remove Java, at least in the browsers used for Internet browsing
   - If you use Windows: upgrade to the latest OS; if you can't upgrade, use EMET from GPO (Group Policy)
   - Install Microsoft and 3rd party patches

56. What to do if I'm a developer?
   - Remove Java, at least in the browsers used for Internet browsing
   - Learn secure application development
   - Use the switches in Visual Studio:
     /GS (VS 2002)
     /SafeSEH (VS 2003)
     /DynamicBase (VS 2005)
     /NXCompat (VS 2005)
     /HIGHENTROPYVA (VS 2012)
     #define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES 1 (VS 2005)
   - BinScope
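An added example, not from the deck and not BinScope's code: a small C check of a PE image's DllCharacteristics for the /DynamicBase, /NXCompat and /HIGHENTROPYVA flags that slide 56 recommends, i.e. whether a built binary actually opted into ASLR and DEP. The header that `build_sample` produces is constructed in-line and is not a real binary; `pe_check` and `build_sample` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DllCharacteristics bits from the PE/COFF specification */
#define DLLCHAR_HIGH_ENTROPY_VA 0x0020   /* set by /HIGHENTROPYVA (64-bit only) */
#define DLLCHAR_DYNAMIC_BASE    0x0040   /* set by /DYNAMICBASE: ASLR */
#define DLLCHAR_NX_COMPAT       0x0100   /* set by /NXCOMPAT: DEP */

struct pe_mitigations {
    int valid;        /* 1 when the headers parsed */
    int pe32plus;     /* 1 for a 64-bit PE32+ image */
    int aslr, nx, high_entropy;
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walks DOS header -> PE signature -> COFF header -> optional header and reads
 * DllCharacteristics (at offset 70 of the optional header in PE32 and PE32+). */
struct pe_mitigations pe_check(const unsigned char *img, size_t len) {
    struct pe_mitigations m = {0, 0, 0, 0, 0};
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return m;
    uint32_t pe = rd32(img + 0x3c);                      /* e_lfanew */
    if (pe > len || len - pe < 4 + 20 + 72) return m;    /* bounds before reading */
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return m;
    if (rd16(img + pe + 20) < 72) return m;              /* SizeOfOptionalHeader */
    const unsigned char *opt = img + pe + 24;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return m;
    uint16_t dc = rd16(opt + 70);
    m.valid = 1;
    m.pe32plus = (magic == 0x20b);
    m.aslr = (dc & DLLCHAR_DYNAMIC_BASE) != 0;
    m.nx = (dc & DLLCHAR_NX_COMPAT) != 0;
    /* high-entropy ASLR only takes effect for a 64-bit image that has ASLR */
    m.high_entropy = m.pe32plus && m.aslr && (dc & DLLCHAR_HIGH_ENTROPY_VA) != 0;
    return m;
}

/* Builds a constructed minimal header (DOS stub + PE signature + COFF header +
 * 72 bytes of optional header), not a loadable binary; returns its length. */
size_t build_sample(unsigned char *out, uint16_t magic, uint16_t dllchar) {
    const size_t len = 0x40 + 4 + 20 + 72;
    memset(out, 0, len);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3c] = 0x40;                                    /* e_lfanew = 0x40 */
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x40 + 20] = 72;                                 /* SizeOfOptionalHeader */
    out[0x58] = (unsigned char)magic;      out[0x59] = (unsigned char)(magic >> 8);
    out[0x58 + 70] = (unsigned char)dllchar; out[0x58 + 71] = (unsigned char)(dllchar >> 8);
    return len;
}

int main(void) {
    unsigned char buf[256];
    size_t n = build_sample(buf, 0x20b,
                            DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT | DLLCHAR_HIGH_ENTROPY_VA);
    struct pe_mitigations m = pe_check(buf, n);
    printf("valid=%d ASLR=%d DEP=%d HighEntropyVA=%d\n", m.valid, m.aslr, m.nx, m.high_entropy);
    return 0;
}
```

On a real file, read it into memory and pass the bytes to `pe_check`; a module reporting ASLR=0 is exactly the kind of non-ASLR module slide 53's scenario 3 relies on.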
57. What to do if I'm working for the Chinese government running vulnerable Poison Ivy servers?
   - Develop your own backdoor client/server (for details see the previous slide)
   - Until it is finished, use EMET

58. Lessons learned
   - Always use ASLR (Always On, 64 bit) + DEP (Always On) together, + EMET for additional protection
   - Number of working IE9 (2011 March) exploits in Metasploit: with Java 6 – 1, without Java 6 – 1
   - Number of working IE10 exploits in Metasploit: 0
   - Number of Java 7 (2011 July) exploits in Metasploit: 16
   - The price of a zero day memory corruption exploit is getting higher and higher