Reversing Microsoft patches to reveal vulnerable code

Transcript of "Reversing Microsoft patches to reveal vulnerable code"

  1. Reversing Microsoft Patches to reveal Vulnerable code. Harsimran Walia. http://null.co.in/ http://nullcon.net/
  2. Agenda: Introduction, Need, Process.
  3. Introduction: Birth of a security patch. Finding a 0day; the vulnerability reaches the vendor; the vendor finds a fix; Microsoft releases a patch to fix the vulnerability. Discussion in the presentation: reverse engineer the patch; locate the vulnerability patched; highlight the difficulties.
  4. Introduction: How DarunGrim works? For reversing and obtaining the binary difference in my demos I would be using DarunGrim2.
     • The schema of DarunGrim is shown in the figure.
     • To generate diffing results:
       – Binaries are disassembled in IDA Pro in the background and the DarunGrim IDA plugin is run, which creates the sqlite database.
       – The Diffing Engine is the heart of DarunGrim2. The sqlite db from IDA and the binaries from the GUI are fed into this engine as inputs.
  5. Introduction: Algorithm?
     • The main algorithm of DarunGrim is a basic block fingerprint hash map.
     • Each basic block is one entity whose fingerprint is generated from its instruction sequence.
     • The fingerprint hash is generated by IDA Pro.
     • There are two fingerprint hash tables, one each for the unpatched and the patched binary.
     • To find the binary difference, each unique fingerprint from the original binary is searched against the fingerprints of the patched binary for a match.
     • All fingerprints in the original binary's hash table end up either matched or unmatched.
  6. Introduction: Algorithm? Contd..
     • For a function to be called matching, all the basic blocks in the function should match.
     • For unmatched functions DarunGrim calculates a percentage match.
     • The match rate is based on fingerprint string match, similar to the GNU diff algorithm, which finds the longest common subsequence.
  7. Introduction: Vulnerability vs exploit based signatures. Exploit signatures:
     • Created by using byte string patterns or regular expressions.
     • These are exploit specific.
     • They are used widely, mainly because of the ease of their creation.
     • Cater to only one type of input satisfying that vulnerability condition.
     • Fail: different attacks can exploit the same vulnerability, so exploit based signatures will fail.
     • For example, the exploit based signature ESig = "docx?AAAAAAAAAAA..." will fail if some exploit uses a long string of B's instead of A's.
  8. Introduction: Vulnerability vs exploit based signatures. Vulnerability signatures:
     • Based on the properties of the vulnerability and not on the properties of the exploit.
     • It is a superset of all the inputs satisfying a particular vulnerability condition (the figure shows the exploit signature as a subset of the vulnerability signature).
     • For example, the vulnerability based signature for the previous case is VSig = MATCH_STR(Buffer, "docx?(.*)$", limit). It matches the string in the buffer with the regex and is effective against any alphabet, unlike the exploit signature.
  9. Introduction: Vulnerability vs exploit based signatures. Vulnerability signatures contd.. For a good vulnerability signature:
     – It should strictly not allow any false negatives, as even one exploit can pwn the system and create a gateway for the attacker into the network.
     – It should allow very few false positives, as too many false positives may lead to a DoS attack on the system.
     – The signature matching time should not create a considerable delay for the software and services.
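As an added example, not code from the deck, the two signatures from slides 7 and 8 run over a constructed sample set so that the false negative of the exploit signature and the slide 9 criteria can be measured; the meaning of limit as a length threshold, the minimum run length and the samples are assumptions of this example.

```python
import re

# Exploit based signature (slide 7): the literal byte pattern of one known exploit,
# "docx?" followed by a long run of A's. The patterns are the deck's; the run length,
# the limit and the samples are constructed for this example.
ESIG = re.compile(rb"docx?A{10,}")
LIMIT = 10  # assumed size the vulnerable parser can safely hold

def match_str(buffer, regex, limit):
    """MATCH_STR(Buffer, regex, limit): True when the captured group is longer than limit."""
    m = re.search(regex, buffer, re.DOTALL)
    return m is not None and len(m.group(1)) > limit

def exploit_sig(buffer):
    return ESIG.search(buffer) is not None

def vuln_sig(buffer):
    # Vulnerability based signature (slide 8): any overlong payload, whatever its bytes
    return match_str(buffer, rb"docx?(.*)$", LIMIT)

LABELLED = {  # constructed samples: name -> (bytes, is_exploit)
    "known_exploit": (b"docx" + b"A" * 64, True),
    "variant_exploit": (b"docx" + b"B" * 64, True),   # same bug, different bytes
    "benign_doc": (b"doc" + b"short", False),
    "benign_docx": (b"docx" + b"hello", False),
}

def rates(sig):
    """(false negatives, false positives) of a signature over the labelled samples."""
    fneg = sum(1 for buf, bad in LABELLED.values() if bad and not sig(buf))
    fpos = sum(1 for buf, bad in LABELLED.values() if not bad and sig(buf))
    return fneg, fpos

def evaluate():
    """name -> (exploit signature hit, vulnerability signature hit) for each sample."""
    return {n: (exploit_sig(b), vuln_sig(b)) for n, (b, _) in LABELLED.items()}
```

The exploit signature misses the B-variant (one false negative) while the vulnerability signature catches both variants with no false positives on the benign files.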
  10. Need:
     • The first step of creating an undisclosed exploit is to find the vulnerability to exploit.
     • To verify whether the patch released by Microsoft is working as it is designed.
     • To create vulnerability based signatures.
  11. Process: Finding patches → Extraction of files → Binary Differencing → Differencing Analysis → Debugging.
  12. Process: Finding patches
     • Pick a vulnerability and download its patch.
     • Pick a vulnerability just before this one that patched the same program or dll.
       – If unavailable, use the same dll from your system.
     • GDR or QFE/LDR??
     • File versioning.
       – Quick-fix: use the open source ms-patch-tools to easily get the file versions to compare.
  13. Process: Finding patches. DEMO
  14. Process: Extraction of files
     • The traditional way of extracting files from a patch:
       – <patchfilename>.exe /x
       – Works only on Windows XP and earlier versions of Windows.
     • The above method cannot be used on Win7 and Vista patches, which are delivered as msu.
  15. Process: Extraction of files
     • Use the expand command:
       – expand -F:* <Saved_MSU_File_Name>.msu C:\<Folder_to_extract_in>
       – expand -F:* <Saved_MSU_File_Name>.cab C:\<Folder_to_extract_in>
  16. Process: Extraction of files. DEMO
  17. Process: Binary Differencing
     • DarunGrim v2 is used for the binary difference.
       – Feed in the two binaries to be compared.
       – It generates a list of functions with the percentage match between the two files.
     • Not every function with a percentage match below 100 is changed.
     • The list includes false positives, which require manual analysis.
  18. Process: Binary Differencing. DEMO
  19. Process: Differencing Analysis
     • Manual inspection of functions with less than 100% match.
       – Remove false positives generated by problems like:
         • Instruction reordering: a lot of reordering happening over different releases marks even the same blocks as unmatched.
         • Split blocks: a block in the graph which has only one parent, where that parent has only one child, is a split block, causing a problem in the matching process. This can be improved by merging the two blocks and treating them as a single block.
  20. Process: Differencing Analysis
         • Hot patching: instructions like mov eax, eax at the start of functions are a sign of hot patching, leading to a mismatch in the block. By just ignoring the instruction we can get a match.
         • Compiler optimizations: different compilers, and even different versions of the same compiler, perform different optimizations, which also creates problems in getting a proper difference.
       – Eventually we reach a function which is indeed modified and might be the fix to the vulnerability being patched.
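As an added example, not DarunGrim's code, a toy version of the basic block fingerprint matching and GNU-diff-like match rate from slides 5 and 6, with the split-block merging and hot-patch stub handling from slides 19 and 20 applied as normalisation before matching. The two sample functions, their labels, the entry-block convention (lowest label) and the use of difflib.SequenceMatcher as the LCS ratio are assumptions of this example.

```python
import hashlib
from difflib import SequenceMatcher
# Constructed sample, not from the deck: a function is (blocks, edges), blocks mapping a
# label to its instruction list and edges listing (parent, child) control-flow pairs.
OLD = ({"b0": ["mov edi, edi", "push ebp", "mov ebp, esp", "test ecx, ecx", "jz short exit"],
        "b1": ["push [ebp-2Ch]", "call operator_new", "pop ecx", "mov [ebp-14h], eax",
               "mov byte ptr [ebp-4], 2", "call sub_118000C", "test esi, esi", "jge short exit"],
        "b2": ["xor eax, eax", "jmp short exit"],
        "b3": ["pop ebp", "retn"]},
       [("b0", "b1"), ("b0", "b3"), ("b1", "b2"), ("b1", "b3"), ("b2", "b3")])
NEW = ({"b0": ["push ebp", "mov ebp, esp", "test ecx, ecx", "jz short exit"],  # no hot-patch stub
        "b1": ["push [ebp-2Ch]", "call operator_new", "pop ecx"],              # split block ...
        "b2": ["mov [ebp-14h], eax", "mov byte ptr [ebp-4], 1",                 # ... continues here
               "call sub_118000C", "test esi, esi", "jge short exit"],
        "b3": ["xor eax, eax", "jmp short exit"],
        "b4": ["pop ebp", "retn"]},
       [("b0", "b1"), ("b0", "b4"), ("b1", "b2"), ("b2", "b3"), ("b2", "b4"), ("b3", "b4")])
HOTPATCH_STUBS = {"mov edi, edi", "mov eax, eax"}   # ignored at function entry (slide 20)

def merge_split_blocks(blocks, edges):
    """Merge a child into its only parent when that parent has no other child (slide 19)."""
    blocks, edges = dict(blocks), list(edges)
    changed = True
    while changed:
        changed = False
        for p, c in edges:
            outs, ins = [e for e in edges if e[0] == p], [e for e in edges if e[1] == c]
            if p != c and outs == [(p, c)] == ins:
                blocks[p] = blocks[p] + blocks.pop(c)
                edges = [(p if s == c else s, d) for s, d in edges if (s, d) != (p, c)]
                changed = True
                break
    return blocks, edges

def fingerprints(func, normalize=True):
    """One hash per basic block in label (address) order, as the fingerprint table."""
    blocks, edges = func
    if normalize:
        blocks, _ = merge_split_blocks(blocks, edges)
        entry = min(blocks)                          # lowest label is the entry block
        if blocks[entry] and blocks[entry][0] in HOTPATCH_STUBS:
            blocks[entry] = blocks[entry][1:]        # drop the hot-patch stub
    return [hashlib.sha1("\n".join(blocks[b]).encode()).hexdigest()[:8] for b in sorted(blocks)]

def match_rate(old, new, normalize=True):
    """(old blocks matched exactly, old block count, percentage match for the function)."""
    fo, fn = fingerprints(old, normalize), fingerprints(new, normalize)
    matched = sum(f in fn for f in fo)
    # All blocks match -> 100; else a GNU-diff-like LCS ratio over the sequences (slide 6).
    pct = 100.0 if fo == fn else round(100 * SequenceMatcher(None, fo, fn).ratio(), 1)
    return matched, len(fo), pct
```

Without normalisation the hot-patch stub and the split block drag the function down to 44.4%; with it the only unmatched block is the one carrying the real change (the constant 2 becoming 1), at 75%.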
  21. Process: Differencing Analysis. DEMO
  22. Process: Differencing Analysis. Side-by-side listing of the changed function in the two binaries, left and right columns as shown on the slide:
      Left column:
        push [ebp-2Ch]            ; unsigned int
        call ??2@YAPAXI@Z         ; operator new(uint)
        pop ecx
        mov [ebp-14h], eax        ; ebp-14h = pBuffer
        mov [ebp-40h], eax
        mov byte ptr [ebp-4], 2
        push [ebp-2Ch]
        mov ecx, esi
        push ebx
        push edi
        call sub_118000C          ; func(const *,void *,long)
        mov esi, eax
        test esi, esi
        jge short loc_118158A
      Right column:
        push [ebp-2Ch]            ; unsigned int
        call ??2@YAPAXI@Z         ; operator new(uint)
        mov ebx, eax
        pop ecx
        mov [ebp-18h], ebx
        mov [ebp-3Ch], ebx
        mov byte ptr [ebp-4], 1
        push dword ptr [ebp-2Ch]
        mov ecx, esi
        push ebx
        push [ebp-30h]
        call sub_118000C          ; func(const *,void *,long)
        mov edi, eax
        test edi, edi
        jge short
  23. Process: Debugging
     • To validate the finding of our analysis by debugging:
       – Getting a crash of the application.
       – Creating a malformed file to get the crash.
     • Would be using Immunity Debugger.
  24. Process: Debugging. DEMO
  25. Conclusion
     • Presented an overview of how 1-day exploits and vulnerability signatures can be created.
     • An attempt was made to understand the process involved in reversing and the problems faced during the execution of the process.
     • Only Microsoft patches were discussed, but the concept is not limited to them.
     • The concepts presented can be perfected by an interested audience.
  26. Thanks. Questions??
