0
Reversing Microsoft Patches to reveal Vulnerable code<br />HarsimranWalia<br />http://null.co.in/<br />http://nullcon.net/...
http://null.co.in/<br />http://nullcon.net/<br />Introduction<br />Finding a 0day vulnerability <br />Vulnerability reache...
For reversing and obtaining binary difference in my demos I would be using DarunGrim2<br />	How DarunGrim works?<br />The ...
 Algorithm ?<br />Main algorithm of DarunGrim is Basic block fingerprint hash map<br />Each basic block is 1 entity whose ...
 Algorithm ? Contd..<br />For a function to be called matching, all the basic blocks in the function should be matching<br...
 Vulnerability Vs Exploit based signatures<br />	Exploit signatures<br />Created by using byte string patterns or regular ...
http://null.co.in/<br />http://nullcon.net/<br />Introduction<br /> Vulnerability Vs Exploit based signatures<br />	Vulner...
 Vulnerability Vs Exploit based signatures<br />	 Vulnerability signatures contd..<br />For a good vulnerability signature...
The first step of creating an undisclosed exploit is to find the vulnerability to exploit it.<br />To verify if the patch ...
http://null.co.in/<br />http://nullcon.net/<br />Process<br />
http://null.co.in/<br />http://nullcon.net/<br />Finding patches<br />Pick a vulnerability and download its patch<br />Pic...
FileVersioning</li></li></ul><li>http://null.co.in/<br />http://nullcon.net/<br />Finding patches<br />DEMO<br />Process<b...
http://null.co.in/<br />http://nullcon.net/<br />Finding patches<br />Extraction of files<br />The traditional way of extr...
http://null.co.in/<br />http://nullcon.net/<br />Finding patches<br />Extraction of files<br />DEMO<br />Process<br />
Finding patches<br />http://null.co.in/<br />http://nullcon.net/<br />Extraction of files<br />Binary Differencing<br />Da...
Includes false positives which requires manual analysis</li></li></ul><li>Finding patches<br />http://null.co.in/<br />htt...
Finding patches<br />http://null.co.in/<br />http://nullcon.net/<br />Extraction of files<br />Binary Differencing<br />Di...
http://null.co.in/<br />http://nullcon.net/<br />Finding patches<br />Extraction of files<br />Binary Differencing<br />Di...
Finding patches<br />http://null.co.in/<br />http://nullcon.net/<br />Extraction of files<br />Binary Differencing<br />Di...
Finding patches<br />http://null.co.in/<br />http://nullcon.net/<br />Extraction of files<br />Binary Differencing<br />Di...
Finding patches<br />http://null.co.in/<br />http://nullcon.net/<br />Extraction of files<br />Binary Differencing<br />Di...
Finding patches<br />http://null.co.in/<br />http://nullcon.net/<br />Extraction of files<br />Binary Differencing<br />Di...
Conclusion<br />Presented an overview of how the 1-day exploits and Vulnerability signatures can be created<br />Attempt w...
Thanks<br />Questions??<br />http://null.co.in/<br />http://nullcon.net/<br />
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
Upcoming SlideShare
Loading in...5
×

nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code

2,015

Published on

Reversing MicroSoft patches to reveal vulnerable code by Harsimran Walia

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,015
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
40
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Transcript of "nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code"

  1. 1. Reversing Microsoft Patches to reveal Vulnerable code<br />HarsimranWalia<br />http://null.co.in/<br />http://nullcon.net/<br />
  2. 2.
  3. 3. http://null.co.in/<br />http://nullcon.net/<br />Introduction<br />Finding a 0day vulnerability <br />Vulnerability reaches the vendor<br />Vendor finds a fix<br />Releases a patch to fix the vulnerability<br />Microsoft patches<br />Reverse engineer the patch<br />Locate the vulnerability patched<br />Highlight the difficulties<br />Birth of a security patch<br />Discussion in the presentation<br />
  4. 4. For reversing and obtaining binary difference in my demos I would be using DarunGrim2<br /> How DarunGrim works?<br />The schema of DarunGrim is shown in <br /> the figure<br />To generate diffing results<br />Binaries are disassembled in IDA Pro in the<br /> background and darungrim IDA plugin is run<br /> which creates the sqlite database<br />Diffing Engine, the heart of DarunGrim2.<br /> The sqlite db from IDA and the binaries from GUI<br /> are fed into this engine as inputs <br />http://null.co.in/<br />http://nullcon.net/<br />Introduction<br />
  5. 5. Algorithm ?<br />Main algorithm of DarunGrim is Basic block fingerprint hash map<br />Each basic block is 1 entity whose fingerprint is generated from the instruction sequence<br />Fingerprint hash generated by IDA Pro<br />Two fingerprint hash tables one each for unpatched and patched binary<br />For finding the binary difference, each unique fingerprint from original binary is searched against the fingerprints of patched binary for a match<br />All fingerprints in the original binary hash tables are either matched or unmatched<br />http://null.co.in/<br />http://nullcon.net/<br />Introduction<br />
  6. 6. Algorithm ? Contd..<br />For a function to be called matching, all the basic blocks in the function should be matching<br />For unmatched functions DarunGrim calculates percentage match<br />Match rate based on fingerprint string match<br />Similar to GNU Diff algorithm which is finding longest common subsequence<br />http://null.co.in/<br />http://nullcon.net/<br />Introduction<br />
  7. 7. Vulnerability Vs Exploit based signatures<br /> Exploit signatures<br />Created by using byte string patterns or regular expressions <br />These are exploit specific <br />They are used widely mainly because of the ease of their creation<br />Cater to only one type of input satisfying that vulnerability condition<br />Fail: different attacks can exploit the same vulnerability, so exploit based signatures will fail <br />For eg. Exploit based signature<br />ESig = “docx?AAAAAAAAAAA...”<br />It will fail if some exploit uses a long string of B’s instead of A’s<br />http://null.co.in/<br />http://nullcon.net/<br />Introduction<br />
  8. 8. http://null.co.in/<br />http://nullcon.net/<br />Introduction<br /> Vulnerability Vs Exploit based signatures<br /> Vulnerability signatures<br />Based on the properties of the vulnerability and not on the properties of the exploit<br />It is a superset of all the inputs satisfying a particular vulnerability condition<br />For eg. Vulnerability based signature for previous case<br />VSig = MATCH_STR (Buffer,"docx?(.*)$",limit)<br />Matches string in buffer with the regex<br />It is effective against any alphabet unlike exploit signature<br />Vulnerability<br />Signature<br />Exploit Signature<br />
  9. 9. Vulnerability Vs Exploit based signatures<br /> Vulnerability signatures contd..<br />For a good vulnerability signature<br />It should strictly not allow any false negatives as even one exploit can pwn the system and create a gateway for the attacker into the network.<br />It should allow very few false positives, as too many false positives may lead to a DoS attack for the system.<br />The signature matching time should not create a considerable delay for the software and services.<br />http://null.co.in/<br />http://nullcon.net/<br />Introduction<br />
  10. 10. The first step of creating an undisclosed exploit is to find the vulnerability to exploit it.<br />To verify if the patch released by Microsoft is working as per it is designed.<br />To create vulnerability based signatures.<br />http://null.co.in/<br />http://nullcon.net/<br />Need<br />
  11. 11. http://null.co.in/<br />http://nullcon.net/<br />Process<br />
  12. 12. http://null.co.in/<br />http://nullcon.net/<br />Finding patches<br />Pick a vulnerability and download its patch<br />Pick a vulnerability just before this one that patched the same program or dll<br />If unavailable, use the same dll from your system<br />Process<br />Quick-fix<br />Use open source ms-patch-tools to easily get the file versions to compare<br />Problem<br /><ul><li>GDR or QFE/LDR ??
  13. 13. FileVersioning</li></li></ul><li>http://null.co.in/<br />http://nullcon.net/<br />Finding patches<br />DEMO<br />Process<br />
  14. 14. http://null.co.in/<br />http://nullcon.net/<br />Finding patches<br />Extraction of files<br />The traditional way of extracting file from patch <br /><patchfilename>.exe /x<br />Works only till Windows XP and earlier versions of Windows<br />Process<br />Problem<br /><ul><li>Above method cannot be used on Win7 and Vista patches delivered as msu</li></li></ul><li>http://null.co.in/<br />http://nullcon.net/<br />Finding patches<br />Extraction of files<br />Solution<br />Process<br />Use expand command<br />expand -F:* <Saved_MSU_File_Name>.msu C:<Folder_to_extract_in> <br />expand -F:* <Saved_MSU_File_Name>.cab C:<Folder_to_extract_in> <br />
  15. 15. http://null.co.in/<br />http://nullcon.net/<br />Finding patches<br />Extraction of files<br />DEMO<br />Process<br />
  16. 16. Finding patches<br />http://null.co.in/<br />http://nullcon.net/<br />Extraction of files<br />Binary Differencing<br />DarunGrim v2 used for binary difference<br />Feed in the two binaries to be compared<br />Generates a list of functions with the %age match between the two files <br />Process<br />Problem<br /><ul><li>Not every function %age < 100 is changed
  17. 17. Includes false positives which requires manual analysis</li></li></ul><li>Finding patches<br />http://null.co.in/<br />http://nullcon.net/<br />Extraction of files<br />Binary Differencing<br />Process<br />DEMO<br />
  18. 18. Finding patches<br />http://null.co.in/<br />http://nullcon.net/<br />Extraction of files<br />Binary Differencing<br />Differencing Analysis<br />Process<br />Manual inspection of functions with less than 100% match<br />Remove false positives generated by problems like<br />Instruction reordering<br />Lot of reordering happening over different releases marks even the same blocks as unmatched<br />Split blocks<br />Block in the graph which has only parent and the parent has only one child leads to a split block.<br />causing a problem in the matching process<br />Can be improved by merging the two blocks and treating as a single block.<br />
  19. 19. http://null.co.in/<br />http://nullcon.net/<br />Finding patches<br />Extraction of files<br />Binary Differencing<br />Differencing Analysis<br />Process<br />Hot patching<br />Instructions like moveax, eax at the start of functions are a sign of hot patching leading to a mismatch in the block<br />By just ignoring the instruction we can get a match<br />Compiler optimizations <br />Different compilers and even different versions of the same compiler perform different optimizations which also creates problems in getting proper difference<br />Eventually reach a function which is indeed modified and might be the fix to the vulnerability being patched<br />
  20. 20. Finding patches<br />http://null.co.in/<br />http://nullcon.net/<br />Extraction of files<br />Binary Differencing<br />Differencing Analysis<br />Process<br />DEMO<br />
  21. 21. Finding patches<br />http://null.co.in/<br />http://nullcon.net/<br />Extraction of files<br />Binary Differencing<br />Differencing Analysis<br />Process<br />push  [ebp-2Ch]  ; unsigned intcall  ??2@YAPAXI@Z    ; operator new(uint)mov   ebx, eaxpop   ecxmov   [ebp-18h], ebxmov   [ebp-3Ch], ebxmov   byte ptr [ebp-4], 1push  dwordptr [ebp-2Ch]mov   ecx, esipush  ebxpush    [ebp-30h]<br />call    sub_118000C func(const *,void *,long)mov     edi, eaxtest    edi, edijge     short <br />push    [ebp-2Ch]  ; unsigned intcall    ??2@YAPAXI@Z    ; operator new(uint)pop     ecxmov     [ebp-14h], eax ;  ebp-14h = pBuffermov     [ebp-40h], eaxmov     byte ptr [ebp-4], 2push    [ebp-2Ch]mov     ecx, esipush    ebxpush    edicall    sub_118000C func(const *,void *,long)mov     esi, eaxtest    esi, esijge     short loc_118158A<br />
  22. 22. Finding patches<br />http://null.co.in/<br />http://nullcon.net/<br />Extraction of files<br />Binary Differencing<br />Differencing Analysis<br />Process<br />Debugging<br />To validate our finding of analysis by debugging<br />Getting a crash of the application<br />Creating a malformed file to get the crash<br />Would be using Immunity Debugger<br />
  23. 23. Finding patches<br />http://null.co.in/<br />http://nullcon.net/<br />Extraction of files<br />Binary Differencing<br />Differencing Analysis<br />Process<br />Debugging<br />DEMO<br />
  24. 24. Conclusion<br />Presented an overview of how the 1-day exploits and Vulnerability signatures can be created<br />Attempt was made to understand the process involved in reversing and the problems faced during the execution of the process<br />Only talked about Microsoft patches but concept not limited to this.<br />Concepts presented can be perfected by interested audience <br />http://null.co.in/<br />http://nullcon.net/<br />
  25. 25. Thanks<br />Questions??<br />http://null.co.in/<br />http://nullcon.net/<br />
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×