nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
Upcoming SlideShare
Loading in...5
×
 

nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code

on

  • 2,150 views

Reversing MicroSoft patches to reveal vulnerable code by Harsimran Walia

Reversing MicroSoft patches to reveal vulnerable code by Harsimran Walia

Statistics

Views

Total Views
2,150
Views on SlideShare
2,088
Embed Views
62

Actions

Likes
3
Downloads
39
Comments
0

3 Embeds 62

http://null.co.in 60
http://nullcon.net 1
http://webcache.googleusercontent.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code Presentation Transcript

  • Reversing Microsoft Patches to reveal Vulnerable code
    HarsimranWalia
    http://null.co.in/
    http://nullcon.net/
  • http://null.co.in/
    http://nullcon.net/
    Introduction
    Finding a 0day vulnerability
    Vulnerability reaches the vendor
    Vendor finds a fix
    Releases a patch to fix the vulnerability
    Microsoft patches
    Reverse engineer the patch
    Locate the vulnerability patched
    Highlight the difficulties
    Birth of a security patch
    Discussion in the presentation
  • For reversing and obtaining binary difference in my demos I would be using DarunGrim2
    How DarunGrim works?
    The schema of DarunGrim is shown in
    the figure
    To generate diffing results
    Binaries are disassembled in IDA Pro in the
    background and darungrim IDA plugin is run
    which creates the sqlite database
    Diffing Engine, the heart of DarunGrim2.
    The sqlite db from IDA and the binaries from GUI
    are fed into this engine as inputs
    http://null.co.in/
    http://nullcon.net/
    Introduction
  • Algorithm ?
    Main algorithm of DarunGrim is Basic block fingerprint hash map
    Each basic block is 1 entity whose fingerprint is generated from the instruction sequence
    Fingerprint hash generated by IDA Pro
    Two fingerprint hash tables one each for unpatched and patched binary
    For finding the binary difference, each unique fingerprint from original binary is searched against the fingerprints of patched binary for a match
    All fingerprints in the original binary hash tables are either matched or unmatched
    http://null.co.in/
    http://nullcon.net/
    Introduction
  • Algorithm ? Contd..
    For a function to be called matching, all the basic blocks in the function should be matching
    For unmatched functions DarunGrim calculates percentage match
    Match rate based on fingerprint string match
    Similar to GNU Diff algorithm which is finding longest common subsequence
    http://null.co.in/
    http://nullcon.net/
    Introduction
  • Vulnerability Vs Exploit based signatures
    Exploit signatures
    Created by using byte string patterns or regular expressions
    These are exploit specific
    They are used widely mainly because of the ease of their creation
    Cater to only one type of input satisfying that vulnerability condition
    Fail: different attacks can exploit the same vulnerability, so exploit based signatures will fail
    For eg. Exploit based signature
    ESig = “docx?AAAAAAAAAAA...”
    It will fail if some exploit uses a long string of B’s instead of A’s
    http://null.co.in/
    http://nullcon.net/
    Introduction
  • http://null.co.in/
    http://nullcon.net/
    Introduction
    Vulnerability Vs Exploit based signatures
    Vulnerability signatures
    Based on the properties of the vulnerability and not on the properties of the exploit
    It is a superset of all the inputs satisfying a particular vulnerability condition
    For eg. Vulnerability based signature for previous case
    VSig = MATCH_STR (Buffer,"docx?(.*)$",limit)
    Matches string in buffer with the regex
    It is effective against any alphabet unlike exploit signature
    Vulnerability
    Signature
    Exploit Signature
  • Vulnerability Vs Exploit based signatures
    Vulnerability signatures contd..
    For a good vulnerability signature
    It should strictly not allow any false negatives as even one exploit can pwn the system and create a gateway for the attacker into the network.
    It should allow very few false positives, as too many false positives may lead to a DoS attack for the system.
    The signature matching time should not create a considerable delay for the software and services.
    http://null.co.in/
    http://nullcon.net/
    Introduction
  • The first step of creating an undisclosed exploit is to find the vulnerability to exploit it.
    To verify if the patch released by Microsoft is working as per it is designed.
    To create vulnerability based signatures.
    http://null.co.in/
    http://nullcon.net/
    Need
  • http://null.co.in/
    http://nullcon.net/
    Process
  • http://null.co.in/
    http://nullcon.net/
    Finding patches
    Pick a vulnerability and download its patch
    Pick a vulnerability just before this one that patched the same program or dll
    If unavailable, use the same dll from your system
    Process
    Quick-fix
    Use open source ms-patch-tools to easily get the file versions to compare
    Problem
    • GDR or QFE/LDR ??
    • FileVersioning
  • http://null.co.in/
    http://nullcon.net/
    Finding patches
    DEMO
    Process
  • http://null.co.in/
    http://nullcon.net/
    Finding patches
    Extraction of files
    The traditional way of extracting file from patch
    <patchfilename>.exe /x
    Works only till Windows XP and earlier versions of Windows
    Process
    Problem
    • Above method cannot be used on Win7 and Vista patches delivered as msu
  • http://null.co.in/
    http://nullcon.net/
    Finding patches
    Extraction of files
    Solution
    Process
    Use expand command
    expand -F:* <Saved_MSU_File_Name>.msu C:<Folder_to_extract_in>
    expand -F:* <Saved_MSU_File_Name>.cab C:<Folder_to_extract_in>
  • http://null.co.in/
    http://nullcon.net/
    Finding patches
    Extraction of files
    DEMO
    Process
  • Finding patches
    http://null.co.in/
    http://nullcon.net/
    Extraction of files
    Binary Differencing
    DarunGrim v2 used for binary difference
    Feed in the two binaries to be compared
    Generates a list of functions with the %age match between the two files
    Process
    Problem
    • Not every function %age < 100 is changed
    • Includes false positives which requires manual analysis
  • Finding patches
    http://null.co.in/
    http://nullcon.net/
    Extraction of files
    Binary Differencing
    Process
    DEMO
  • Finding patches
    http://null.co.in/
    http://nullcon.net/
    Extraction of files
    Binary Differencing
    Differencing Analysis
    Process
    Manual inspection of functions with less than 100% match
    Remove false positives generated by problems like
    Instruction reordering
    Lot of reordering happening over different releases marks even the same blocks as unmatched
    Split blocks
    Block in the graph which has only parent and the parent has only one child leads to a split block.
    causing a problem in the matching process
    Can be improved by merging the two blocks and treating as a single block.
  • http://null.co.in/
    http://nullcon.net/
    Finding patches
    Extraction of files
    Binary Differencing
    Differencing Analysis
    Process
    Hot patching
    Instructions like moveax, eax at the start of functions are a sign of hot patching leading to a mismatch in the block
    By just ignoring the instruction we can get a match
    Compiler optimizations
    Different compilers and even different versions of the same compiler perform different optimizations which also creates problems in getting proper difference
    Eventually reach a function which is indeed modified and might be the fix to the vulnerability being patched
  • Finding patches
    http://null.co.in/
    http://nullcon.net/
    Extraction of files
    Binary Differencing
    Differencing Analysis
    Process
    DEMO
  • Finding patches
    http://null.co.in/
    http://nullcon.net/
    Extraction of files
    Binary Differencing
    Differencing Analysis
    Process
    push  [ebp-2Ch]  ; unsigned intcall  ??2@YAPAXI@Z    ; operator new(uint)mov   ebx, eaxpop   ecxmov   [ebp-18h], ebxmov   [ebp-3Ch], ebxmov   byte ptr [ebp-4], 1push  dwordptr [ebp-2Ch]mov   ecx, esipush  ebxpush    [ebp-30h]
    call    sub_118000C func(const *,void *,long)mov     edi, eaxtest    edi, edijge     short 
    push    [ebp-2Ch]  ; unsigned intcall    ??2@YAPAXI@Z    ; operator new(uint)pop     ecxmov     [ebp-14h], eax ;  ebp-14h = pBuffermov     [ebp-40h], eaxmov     byte ptr [ebp-4], 2push    [ebp-2Ch]mov     ecx, esipush    ebxpush    edicall    sub_118000C func(const *,void *,long)mov     esi, eaxtest    esi, esijge     short loc_118158A
  • Finding patches
    http://null.co.in/
    http://nullcon.net/
    Extraction of files
    Binary Differencing
    Differencing Analysis
    Process
    Debugging
    To validate our finding of analysis by debugging
    Getting a crash of the application
    Creating a malformed file to get the crash
    Would be using Immunity Debugger
  • Finding patches
    http://null.co.in/
    http://nullcon.net/
    Extraction of files
    Binary Differencing
    Differencing Analysis
    Process
    Debugging
    DEMO
  • Conclusion
    Presented an overview of how the 1-day exploits and Vulnerability signatures can be created
    Attempt was made to understand the process involved in reversing and the problems faced during the execution of the process
    Only talked about Microsoft patches but concept not limited to this.
    Concepts presented can be perfected by interested audience
    http://null.co.in/
    http://nullcon.net/
  • Thanks
    Questions??
    http://null.co.in/
    http://nullcon.net/