nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code

Reversing Microsoft Patches to reveal Vulnerable code
HarsimranWalia
http://null.co.in/
http://nullcon.net/

http://null.co.in/
http://nullcon.net/
Introduction
Finding a 0day vulnerability
Vulnerability reaches the vendor
Vendor finds a fix
Releases a patch to fix the vulnerability
Microsoft patches
Reverse engineer the patch
Locate the vulnerability patched
Highlight the difficulties
Birth of a security patch
Discussion in the presentation

For reversing and obtaining binary difference in my demos I would be using DarunGrim2
How DarunGrim works?
The schema of DarunGrim is shown in
the figure
To generate diffing results
Binaries are disassembled in IDA Pro in the
background and darungrim IDA plugin is run
which creates the sqlite database
Diffing Engine, the heart of DarunGrim2.
The sqlite db from IDA and the binaries from GUI
are fed into this engine as inputs
http://null.co.in/
http://nullcon.net/
Introduction

Algorithm ?
Main algorithm of DarunGrim is Basic block fingerprint hash map
Each basic block is 1 entity whose fingerprint is generated from the instruction sequence
Fingerprint hash generated by IDA Pro
Two fingerprint hash tables one each for unpatched and patched binary
For finding the binary difference, each unique fingerprint from original binary is searched against the fingerprints of patched binary for a match
All fingerprints in the original binary hash tables are either matched or unmatched
http://null.co.in/
http://nullcon.net/
Introduction

Algorithm ? Contd..
For a function to be called matching, all the basic blocks in the function should be matching
For unmatched functions DarunGrim calculates percentage match
Match rate based on fingerprint string match
Similar to GNU Diff algorithm which is finding longest common subsequence
http://null.co.in/
http://nullcon.net/
Introduction

Vulnerability Vs Exploit based signatures
Exploit signatures
Created by using byte string patterns or regular expressions
These are exploit specific
They are used widely mainly because of the ease of their creation
Cater to only one type of input satisfying that vulnerability condition
Fail: different attacks can exploit the same vulnerability, so exploit based signatures will fail
For eg. Exploit based signature
ESig = “docx?AAAAAAAAAAA...”
It will fail if some exploit uses a long string of B’s instead of A’s
http://null.co.in/
http://nullcon.net/
Introduction

http://null.co.in/
http://nullcon.net/
Introduction
Vulnerability signatures
Based on the properties of the vulnerability and not on the properties of the exploit
It is a superset of all the inputs satisfying a particular vulnerability condition
For eg. Vulnerability based signature for previous case
VSig = MATCH_STR (Buffer,"docx?(.*)$",limit)
Matches string in buffer with the regex
It is effective against any alphabet unlike exploit signature
Vulnerability
Signature
Exploit Signature

Vulnerability signatures contd..
For a good vulnerability signature
It should strictly not allow any false negatives as even one exploit can pwn the system and create a gateway for the attacker into the network.
It should allow very few false positives, as too many false positives may lead to a DoS attack for the system.
The signature matching time should not create a considerable delay for the software and services.
http://null.co.in/
http://nullcon.net/
Introduction

The first step of creating an undisclosed exploit is to find the vulnerability to exploit it.
To verify if the patch released by Microsoft is working as per it is designed.
To create vulnerability based signatures.
http://null.co.in/
http://nullcon.net/
Need

http://null.co.in/
http://nullcon.net/
Process

http://null.co.in/
http://nullcon.net/
Finding patches
Pick a vulnerability and download its patch
Pick a vulnerability just before this one that patched the same program or dll
If unavailable, use the same dll from your system
Process
Quick-fix
Use open source ms-patch-tools to easily get the file versions to compare
Problem
GDR or QFE/LDR ??
FileVersioning

http://null.co.in/
http://nullcon.net/
Finding patches
DEMO
Process

http://null.co.in/
http://nullcon.net/
Finding patches
Extraction of files
The traditional way of extracting file from patch
<patchfilename>.exe /x
Works only till Windows XP and earlier versions of Windows
Process
Problem
Above method cannot be used on Win7 and Vista patches delivered as msu

http://null.co.in/
http://nullcon.net/
Finding patches
Extraction of files
Solution
Process
Use expand command
expand -F:* <Saved_MSU_File_Name>.msu C:<Folder_to_extract_in>
expand -F:* <Saved_MSU_File_Name>.cab C:<Folder_to_extract_in>

http://null.co.in/
http://nullcon.net/
Finding patches
Extraction of files
DEMO
Process

Finding patches
http://null.co.in/
http://nullcon.net/
Extraction of files
Binary Differencing
DarunGrim v2 used for binary difference
Feed in the two binaries to be compared
Generates a list of functions with the %age match between the two files
Process
Problem
Not every function %age < 100 is changed
Includes false positives which requires manual analysis

Finding patches
http://null.co.in/
http://nullcon.net/
Extraction of files
Binary Differencing
Process
DEMO

Finding patches
http://null.co.in/
http://nullcon.net/
Extraction of files
Binary Differencing
Differencing Analysis
Process
Manual inspection of functions with less than 100% match
Remove false positives generated by problems like
Instruction reordering
Lot of reordering happening over different releases marks even the same blocks as unmatched
Split blocks
Block in the graph which has only parent and the parent has only one child leads to a split block.
causing a problem in the matching process
Can be improved by merging the two blocks and treating as a single block.

http://null.co.in/
http://nullcon.net/
Finding patches
Extraction of files
Binary Differencing
Process
Hot patching
Instructions like moveax, eax at the start of functions are a sign of hot patching leading to a mismatch in the block
By just ignoring the instruction we can get a match
Compiler optimizations
Different compilers and even different versions of the same compiler perform different optimizations which also creates problems in getting proper difference
Eventually reach a function which is indeed modified and might be the fix to the vulnerability being patched

Finding patches
http://null.co.in/
http://nullcon.net/
Extraction of files
Binary Differencing
Process
DEMO

Finding patches
http://null.co.in/
http://nullcon.net/
Extraction of files
Binary Differencing
Process
push [ebp-2Ch] ; unsigned intcall ??2@YAPAXI@Z ; operator new(uint)mov ebx, eaxpop ecxmov [ebp-18h], ebxmov [ebp-3Ch], ebxmov byte ptr [ebp-4], 1push dwordptr [ebp-2Ch]mov ecx, esipush ebxpush [ebp-30h]
call sub_118000C func(const *,void *,long)mov edi, eaxtest edi, edijge short
push [ebp-2Ch] ; unsigned intcall ??2@YAPAXI@Z ; operator new(uint)pop ecxmov [ebp-14h], eax ; ebp-14h = pBuffermov [ebp-40h], eaxmov byte ptr [ebp-4], 2push [ebp-2Ch]mov ecx, esipush ebxpush edicall sub_118000C func(const *,void *,long)mov esi, eaxtest esi, esijge short loc_118158A

Finding patches
http://null.co.in/
http://nullcon.net/
Extraction of files
Binary Differencing
Process
Debugging
To validate our finding of analysis by debugging
Getting a crash of the application
Creating a malformed file to get the crash
Would be using Immunity Debugger

Finding patches
http://null.co.in/
http://nullcon.net/
Extraction of files
Binary Differencing
Process
Debugging
DEMO

Conclusion
Presented an overview of how the 1-day exploits and Vulnerability signatures can be created
Attempt was made to understand the process involved in reversing and the problems faced during the execution of the process
Only talked about Microsoft patches but concept not limited to this.
Concepts presented can be perfected by interested audience
http://null.co.in/
http://nullcon.net/

Thanks
Questions??
http://null.co.in/
http://nullcon.net/

nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code

by n|u - The Open Security Community on Mar 10, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 30

Statistics

nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code — Presentation Transcript

http://null.co.in	29
http://nullcon.net	1