Finding the WeakLink in WindowsBinariesSource Conference, Boston – April 18, 2012
Overview•What?•Why?•How?•Conclusions
What?
What?   Without debug symbols or source   code identify Windows binaries   that do not leverage the   available defenses
What?• OS provided defenses• Compiler provided defenses• Compiler enabled defenses• Linker enabled defenses• Developer ena...
What?• Version of compiler / linker• Compiler / linker enabled protections • ASLR • DEP (NX) • Stack cookies • Safe Struct...
What?• SDL banned APIs• Dangerous APIs • undermining compiler/linker protections• UAC / Integrity Level - Developer• .NET ...
Why?
Why? - Defensive• A product == many vendors • e.g. Adobe Reader 10.0 == [guess?]• License != source code• License != priva...
Or put another way• A vendors SDL is not enough • doesn’t always flow upstream• A vendor who ships doesn’t assure • all th...
Why? - Offensive• Mitigations are expensive / difficult• Application specific bugs are expensive• Maximize research ROI • ...
Or put another way• IIS 7.5 FTP DoS• Chris Valasek / Ryan Smith school us • ‘Modern Heap Exploitation using the Low   Frag...
How?
Version of Compiler / Linker• Linker version in the PE header• ‘Rich’ header • Microsoft compiler specific • documented in...
Version of Compiler / Linker
Version of Compiler / Linker• Version mapping exercise undertaken in  January 2010• Visual Studio 6 -> Visual Studio 2010 ...
Compiler / Linker Protections• ASLR compatibility – PE header• Data Execution Prevention – PE header • always on for 64bit...
Compiler / Linker Protections• Stack Cookies – PE Header, Imports and  Heuristics • imports   • _crt_debugger_hook • heuri...
Compiler / Linker Protections• SafeSEH – PE header (32bit only) • SEH == Structured Exception Handling
Compiler / Linker Protections• Load Configuration Directory size • If size of directory entry <> 64 then MS12-001    • NOT...
Default Process Heap• Default process heap executable • PE header
Shared Sections• Shared sections executable & writeable • PE header • would be mapped across processes
Defensive APIs• HeapSetInformation  • HeapEnableTerminationOnCorr    uption• SetProcessDEPPolicy • PROCESS_DEP_ENABLE• Enc...
SDL Banned APIs• Microsoft SDL banned APIs • parse the Import Address Table • 145 or them • indication of security awareness
Dangerous APIs• VirtualAlloc • doesn’t benefit from ASLR • if mapping pages executable == win • we released VirtualAlloc_s...
DLL / Executable Planting• Use of LoadLibrary /  CreateProcess• But doesn’t use • SetDLLDirectory • SetDefaultDllDirectori...
UAC / Integrity Level• In the binaries manifest
.NET Security• Strong name checks• Allow partially trusted callers • AllowPartiallyTrustedCallersA   ttribute
.NET Security
App Containers• New for Windows 8 • a new DLL characteristic• Manifest • detailing capabilities• … for more information re...
Miscellaneous• Force Integrity• Company • File Version resource section• Signer• Signature type
Existing tools….
Existing Tools - LookingGlass• from Errata Security • http://www.erratasec.com/• .NET Based PE Scanner • Scans the file sy...
Existing Tools - BinScope• from Microsoft  • http://www.microsoft.com/download/en/d    etails.aspx?id=11910• Lots of check...
New tool…
Demo Recx SDL Binary Assure
Beyond binaries• Defense in depth features via the registry• Needs installer teams buy-in• or after market adoption• Image...
But ….
But even with all these…
Bonus Material - ELF• Similar(ish) tool exists for ELF  • readelf && a    shell script (checksec.h    @ trapkit.de)• RPATH...
Conclusions….
Conclusions• Lot of information available in binaries• Help with assurance / assessment • for vendors and / or end organis...
Thanks! Questions? Research, Develop, Assess, Consult & Educate  https://www.surveymonkey.com/sourceboston12  @RecxLtd    ...
Upcoming SlideShare
Loading in …5
×

2012 04-18 --source_boston_-_finding_the_weak_link_in_windows_binaries

2,189 views

Published on

Recx Source Boston 2012 Slides

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,189
On SlideShare
0
From Embeds
0
Number of Embeds
818
Actions
Shares
0
Downloads
40
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

2012 04-18 --source_boston_-_finding_the_weak_link_in_windows_binaries

  1. 1. Finding the WeakLink in WindowsBinariesSource Conference, Boston – April 18, 2012
  2. 2. Overview•What?•Why?•How?•Conclusions
  3. 3. What?
  4. 4. What? Without debug symbols or source code identify Windows binaries that do not leverage the available defenses
  5. 5. What?• OS provided defenses• Compiler provided defenses• Compiler enabled defenses• Linker enabled defenses• Developer enabled defenses• Developer secure coding practices
  6. 6. What?• Version of compiler / linker• Compiler / linker enabled protections • ASLR • DEP (NX) • Stack cookies • Safe Structured Exception Handling• Developer used defensive APIs • Heap corruption behavior, DEP policy • DLL planting, pointer encoding
  7. 7. What?• SDL banned APIs• Dangerous APIs • undermining compiler/linker protections• UAC / Integrity Level - Developer• .NET security - Developer • Unmanaged code • Strong names • Partially trusted callers
  8. 8. Why?
  9. 9. Why? - Defensive• A product == many vendors • e.g. Adobe Reader 10.0 == [guess?]• License != source code• License != private symbols• SDL assurance… • getting the free security features enabled• End user assurance / threat awareness • Understanding where you need EMET
  10. 10. Or put another way• A vendors SDL is not enough • doesn’t always flow upstream• A vendor who ships doesn’t assure • all third party components• End user organisations taking ownership • of risk • of mitigations
  11. 11. Why? - Offensive• Mitigations are expensive / difficult• Application specific bugs are expensive• Maximize research ROI • if your goal is to exploit • … find the weak link • … reduce headaches
  12. 12. Or put another way• IIS 7.5 FTP DoS• Chris Valasek / Ryan Smith school us • ‘Modern Heap Exploitation using the Low Fragmentation Heap’• Achieved EIP• … still no win … ASLR• … lets minimize the tears …• … unless you want to info leak to win …
  13. 13. How?
  14. 14. Version of Compiler / Linker• Linker version in the PE header• ‘Rich’ header • Microsoft compiler specific • documented in 29a virus e-zine in 2004 • further documented in 2008 • embeds compiler IDs • XOR encoded
  15. 15. Version of Compiler / Linker
  16. 16. Version of Compiler / Linker• Version mapping exercise undertaken in January 2010• Visual Studio 6 -> Visual Studio 2010 mapped• Why? • Missing compiler protections • Weaker compiler protections
  17. 17. Compiler / Linker Protections• ASLR compatibility – PE header• Data Execution Prevention – PE header • always on for 64bit no matter what
  18. 18. Compiler / Linker Protections• Stack Cookies – PE Header, Imports and Heuristics • imports • _crt_debugger_hook • heuristics – GS function epilogue / prologue • allows versioning • using FLIRT like signatures
  19. 19. Compiler / Linker Protections• SafeSEH – PE header (32bit only) • SEH == Structured Exception Handling
  20. 20. Compiler / Linker Protections• Load Configuration Directory size • If size of directory entry <> 64 then MS12-001 • NOT the size field in the LCD! • Microsoft Visual C msvcr71.dll == 72 • Anything built with Microsoft Visual C++ .NET 2003 RTM • suprising amount of stuff
  21. 21. Default Process Heap• Default process heap executable • PE header
  22. 22. Shared Sections• Shared sections executable & writeable • PE header • would be mapped across processes
  23. 23. Defensive APIs• HeapSetInformation • HeapEnableTerminationOnCorr uption• SetProcessDEPPolicy • PROCESS_DEP_ENABLE• EncodePointer
  24. 24. SDL Banned APIs• Microsoft SDL banned APIs • parse the Import Address Table • 145 or them • indication of security awareness
  25. 25. Dangerous APIs• VirtualAlloc • doesn’t benefit from ASLR • if mapping pages executable == win • we released VirtualAlloc_s.h• LoadLibrary • if DLL planting mitigations aren’t used
  26. 26. DLL / Executable Planting• Use of LoadLibrary / CreateProcess• But doesn’t use • SetDLLDirectory • SetDefaultDllDirectories • AddDllDirectory• There is also a registry key • more on this later
  27. 27. UAC / Integrity Level• In the binaries manifest
  28. 28. .NET Security• Strong name checks• Allow partially trusted callers • AllowPartiallyTrustedCallersA ttribute
  29. 29. .NET Security
  30. 30. App Containers• New for Windows 8 • a new DLL characteristic• Manifest • detailing capabilities• … for more information refer to our blog …
  31. 31. Miscellaneous• Force Integrity• Company • File Version resource section• Signer• Signature type
  32. 32. Existing tools….
  33. 33. Existing Tools - LookingGlass• from Errata Security • http://www.erratasec.com/• .NET Based PE Scanner • Scans the file system or running processes• Limitations in checks • No /SafeSEH • No /GS • No HeapSetInformation / SetProcessDEPPolicy
  34. 34. Existing Tools - BinScope• from Microsoft • http://www.microsoft.com/download/en/d etails.aspx?id=11910• Lots of checks • some of what I’ve discussed, but not all!• Some Extra • non-GS friendly initialization / coverage • ATL version and vulnerable check• Needs private symbols!
  35. 35. New tool…
  36. 36. Demo Recx SDL Binary Assure
  37. 37. Beyond binaries• Defense in depth features via the registry• Needs installer teams buy-in• or after market adoption• Image Execution Options • MitigationOptions • CWDIllegalInDllSearch • DisableExceptionChainValidation
  38. 38. But ….
  39. 39. But even with all these…
  40. 40. Bonus Material - ELF• Similar(ish) tool exists for ELF • readelf && a shell script (checksec.h @ trapkit.de)• RPATH / RUNPATH • contained in a section of an ELF • can override library locations • path doesn’t exist and you can create == win • added to checksec.sh
  41. 41. Conclusions….
  42. 42. Conclusions• Lot of information available in binaries• Help with assurance / assessment • for vendors and / or end organisations• Help with target identification • target lower hanging fruit • less SDL aware components• Without the use of symbols…
  43. 43. Thanks! Questions? Research, Develop, Assess, Consult & Educate https://www.surveymonkey.com/sourceboston12 @RecxLtd ollie@recx.co.uk

×