Finding the Weak Link in Windows Binaries
Source Conference, Boston – April 18, 2012
Overview

•What?
•Why?
•How?
•Conclusions
What?
What?

Without debug symbols or source code, identify Windows binaries that do not leverage the available defenses
What?
• OS provided defenses
• Compiler provided defenses
• Compiler enabled defenses
• Linker enabled defenses
• Developer enabled defenses
• Developer secure coding practices
What?
• Version of compiler / linker
• Compiler / linker enabled protections
 • ASLR
 • DEP (NX)
 • Stack cookies
 • Safe Structured Exception Handling
• Developer used defensive APIs
 • Heap corruption behavior, DEP policy
 • DLL planting, pointer encoding
What?
• SDL banned APIs
• Dangerous APIs
 • undermining compiler/linker protections
• UAC / Integrity Level - Developer
• .NET security - Developer
 • Unmanaged code
 • Strong names
 • Partially trusted callers
Why?
Why? - Defensive
• A product == many vendors
 • e.g. Adobe Reader 10.0 == [guess?]
• License != source code
• License != private symbols
• SDL assurance…
 • getting the free security features enabled
• End user assurance / threat awareness
 • Understanding where you need EMET
Or put another way
• A vendor's SDL is not enough
 • doesn’t always flow upstream
• A vendor who ships doesn’t assure
 • all third party components
• End user organisations taking ownership
 • of risk
 • of mitigations
Why? - Offensive
• Mitigations are expensive / difficult
• Application specific bugs are expensive
• Maximize research ROI
 • if your goal is to exploit
 • … find the weak link
 • … reduce headaches
Or put another way
• IIS 7.5 FTP DoS
• Chris Valasek / Ryan Smith school us
 • ‘Modern Heap Exploitation using the Low
   Fragmentation Heap’
• Achieved EIP
• … still no win … ASLR
• … let's minimize the tears …
• … unless you want to info leak to win …
How?
Version of Compiler / Linker
• Linker version in the PE header


• ‘Rich’ header
 • Microsoft compiler specific
 • documented in 29a virus e-zine in 2004
 • further documented in 2008
 • embeds compiler IDs
 • XOR encoded
Version of Compiler / Linker
Version of Compiler / Linker
• Version mapping exercise undertaken in
  January 2010
• Visual Studio 6 -> Visual Studio 2010 mapped
• Why?
 • Missing compiler protections
 • Weaker compiler protections
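As an added example (not code from the talk or from Recx's tool), a stdlib-only Python decoder for the 'Rich' header described above. It returns the raw product-id / build / object-count triples; mapping those ids to Visual Studio releases is the versioning exercise the slides mention and is not reproduced here. The builder makes a constructed stub so the decoder runs offline; the key and ids used with it are arbitrary values, not those of any real toolchain.

```python
import struct

DANS = struct.unpack("<I", b"DanS")[0]


def decode_rich_header(data: bytes):
    """Decode the undocumented Microsoft 'Rich' header of a PE image.

    It sits between the DOS stub and the PE signature, as little-endian DWORDs:
        "DanS" ^ key, key, key, key,
        (comp_id ^ key, count ^ key) ...,
        "Rich", key
    comp_id carries the product/tool id in the high 16 bits and that tool's
    build number in the low 16 bits; count is how many objects it produced.
    Returns (key, [(prod_id, build, count), ...]) or None when absent.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # "Rich" and the key are the last two DWORDs before the PE header
    rich_at = data.rfind(b"Rich", 0, e_lfanew)
    if rich_at < 0:
        return None
    key = struct.unpack_from("<I", data, rich_at + 4)[0]
    start = data.rfind(struct.pack("<I", DANS ^ key), 0, rich_at)
    if start < 0 or (rich_at - start - 16) % 8:
        return None
    entries = []
    # skip "DanS" and the three padding DWORDs (0 ^ key == key)
    for off in range(start + 16, rich_at, 8):
        comp_id, count = struct.unpack_from("<II", data, off)
        comp_id ^= key
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count ^ key))
    return key, entries


def newest_build(entries) -> int:
    """Highest build number present: a quick hint of the newest toolset used."""
    return max((build for _, build, _ in entries), default=0)


def build_sample_stub(key: int, entries) -> bytes:
    """Constructed test input: a DOS header, a Rich header and a bare PE
    signature. Not a real or loadable binary."""
    body = struct.pack("<IIII", DANS ^ key, key, key, key)
    for prod_id, build, count in entries:
        body += struct.pack("<II", ((prod_id << 16) | build) ^ key, count ^ key)
    body += b"Rich" + struct.pack("<I", key)
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80 + len(body))   # e_lfanew
    return bytes(dos) + body + b"PE\0\0"
```

In a real file the key is a checksum over the DOS header and the entries, so two builds of the same project with different DOS stubs decode fine but carry different keys; the decoder never needs to recompute it.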
Compiler / Linker Protections
• ASLR compatibility – PE header
• Data Execution Prevention – PE header
 • always on for 64-bit processes, whatever the header says
Compiler / Linker Protections
• Stack Cookies – PE header, imports and heuristics
 • imports
   • _crt_debugger_hook
 • heuristics – GS function prologue / epilogue
   • allows versioning
   • using FLIRT-like signatures
Compiler / Linker Protections
• SafeSEH – PE header (32bit only)
 • SEH == Structured Exception Handling
Compiler / Linker Protections
• Load Configuration Directory size
 • If the size of the data directory entry <> 64 then MS12-001
    • NOT the size field inside the LCD itself!
 • Microsoft Visual C msvcr71.dll == 72
 • Anything built with Microsoft Visual C++ .NET 2003 RTM
    • a surprising amount of stuff
Default Process Heap
• Default process heap executable
 • PE header
Shared Sections
• Shared sections executable & writeable
 • PE header
 • would be mapped across processes
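An added example (not the talk's tool) pulling the fields the preceding slides rely on out of a PE image with nothing but the Python standard library: linker version, the DllCharacteristics bits behind ASLR, DEP, SafeSEH, Force Integrity and AppContainer, the load config data directory entry size (the entry, not the LCD's own size field) and the section flags that expose writable and executable or cross-process shared pages. The SafeSEH test is an approximation (no load config directory and NO_SEH clear); a full check walks the LCD's SEHandlerTable. The sample images are constructed headers, not real binaries, and the linker version and section names in them are arbitrary.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* (winnt.h)
DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT = 0x0040, 0x0080, 0x0100
NO_SEH, APPCONTAINER = 0x0400, 0x1000
# IMAGE_SCN_* section characteristics
SCN_MEM_SHARED, SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x10000000, 0x20000000, 0x80000000
PE32, PE32PLUS = 0x10B, 0x20B
DIR_LOAD_CONFIG = 10           # data directory index of the load configuration


def parse_pe(data: bytes) -> dict:
    """Read the DOS, COFF and optional headers plus the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, maj, mnr = struct.unpack_from("<HBB", data, opt)
    if magic == PE32:
        ndirs_off, dirs = 92, 96       # PE32 optional header layout
    elif magic == PE32PLUS:
        ndirs_off, dirs = 108, 112     # PE32+: 8-byte ImageBase/stack/heap fields
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]    # same offset in both
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    lcd_size = 0
    if ndirs > DIR_LOAD_CONFIG:
        lcd_size = struct.unpack_from("<II", data, opt + dirs + DIR_LOAD_CONFIG * 8)[1]
    sections = []
    shdr = opt + opt_size
    for i in range(nsect):
        name, chars = struct.unpack_from("<8s28xI", data, shdr + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), chars))
    return {"machine": machine, "pe32plus": magic == PE32PLUS, "linker": (maj, mnr),
            "dllchars": dllchars, "lcd_size": lcd_size, "sections": sections}


def find_weak_links(info: dict) -> list:
    """The header-level checks from the talk as a list of findings (empty == clean)."""
    dc, out = info["dllchars"], []
    if not dc & DYNAMIC_BASE:
        out.append("no ASLR: DYNAMIC_BASE not set")
    if not info["pe32plus"]:
        # 64-bit processes always get DEP; only 32-bit images need the opt-in
        if not dc & NX_COMPAT:
            out.append("no DEP opt-in: NX_COMPAT not set")
        if info["lcd_size"] == 0 and not dc & NO_SEH:
            out.append("no load config directory: no SafeSEH handler table (approximation)")
        elif info["lcd_size"] not in (0, 64):
            out.append("load config directory entry size %d != 64 "
                       "(MS12-001 / VC++ .NET 2003 RTM pattern)" % info["lcd_size"])
    for name, chars in info["sections"]:
        if chars & SCN_MEM_WRITE and chars & SCN_MEM_EXECUTE:
            shared = " and shared across processes" if chars & SCN_MEM_SHARED else ""
            out.append("section %s is writable and executable%s" % (name, shared))
    return out


def build_sample_pe(dllchars: int, lcd_size: int, sections, linker=(9, 0)) -> bytes:
    """Constructed test input: a bare PE32 header with the given flags and
    section table. Not a real or loadable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, PE32, *linker)
    struct.pack_into("<H", opt, 70, dllchars)
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + DIR_LOAD_CONFIG * 8, 0x1000 if lcd_size else 0, lcd_size)
    shdrs = b"".join(struct.pack("<8s28xI", n.encode(), c) for n, c in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + shdrs
```

Point `parse_pe` at the bytes of any on-disk module (`open(path, "rb").read()`) to run the same checks against real binaries; FORCE_INTEGRITY and APPCONTAINER are decoded in `dllchars` for the later slides that mention them.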
Defensive APIs
• HeapSetInformation
  • HeapEnableTerminationOnCorruption
• SetProcessDEPPolicy
  • PROCESS_DEP_ENABLE
• EncodePointer
SDL Banned APIs
• Microsoft SDL banned APIs
 • parse the Import Address Table
 • 145 of them
 • indication of security awareness
Dangerous APIs
• VirtualAlloc
 • doesn’t benefit from ASLR
 • if mapping pages executable == win
 • we released VirtualAlloc_s.h
• LoadLibrary
 • if DLL planting mitigations aren’t used
DLL / Executable Planting
• Use of LoadLibrary / CreateProcess
• But doesn't use
 • SetDllDirectory
 • SetDefaultDllDirectories
 • AddDllDirectory
• There is also a registry key
 • more on this later
UAC / Integrity Level
• In the binaries manifest
.NET Security
• Strong name checks
• Allow partially trusted callers
 • AllowPartiallyTrustedCallersAttribute
.NET Security
App Containers
• New for Windows 8
 • a new DLL characteristic
• Manifest
 • detailing capabilities
• … for more information refer to our blog …
Miscellaneous
• Force Integrity
• Company
 • File Version resource section
• Signer
• Signature type
Existing tools….
Existing Tools - LookingGlass
• from Errata Security
 • http://www.erratasec.com/
• .NET Based PE Scanner
 • Scans the file system or running processes
• Limitations in checks
 • No /SafeSEH
 • No /GS
 • No HeapSetInformation /
   SetProcessDEPPolicy
Existing Tools - BinScope
• from Microsoft
  • http://www.microsoft.com/download/en/details.aspx?id=11910
• Lots of checks
 • some of what I’ve discussed, but not all!
• Some Extra
  • non-GS friendly initialization / coverage
  • ATL version and vulnerable check
• Needs private symbols!
New tool…
Demo Recx SDL Binary Assure
Beyond binaries
• Defense in depth features via the registry
• Needs installer teams buy-in
• or after market adoption
• Image Execution Options
 • MitigationOptions
 • CWDIllegalInDllSearch
 • DisableExceptionChainValidation
But ….
But even with all these…
Bonus Material - ELF
• Similar(ish) tool exists for ELF
  • readelf && a shell script (checksec.sh @ trapkit.de)
• RPATH / RUNPATH
  • contained in a section of an ELF
  • can override library locations
  • path doesn’t exist and
    you can create == win
  • added to checksec.sh
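The RPATH / RUNPATH check above, reimplemented as an added stdlib-only Python example (not the trapkit checksec.sh script) so that it also answers the "path doesn't exist and you can create it" question from the slide. It reads .dynamic of a little-endian ELF64 through the section table, expands $ORIGIN with an assumed executable directory (the default `/opt/app` is a placeholder), and reports search-path entries that are missing but sit under a directory the current user can write to; an empty entry, which the dynamic loader treats as the current working directory, is reported too. The test image is a constructed ELF shell, not a real library, and its library names are made up.

```python
import os
import struct

DT_NULL, DT_NEEDED, DT_RPATH, DT_RUNPATH = 0, 1, 15, 29
SHT_STRTAB, SHT_DYNAMIC = 3, 6


def elf_search_paths(data: bytes) -> dict:
    """Return DT_NEEDED, DT_RPATH and DT_RUNPATH from the .dynamic section of a
    little-endian ELF64 image (the only layout this example handles)."""
    if data[:5] != b"\x7fELF\x02" or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)

    def shdr(i):   # -> sh_type, sh_offset, sh_size, sh_link
        return struct.unpack_from("<4xI16xQQI", data, e_shoff + i * e_shentsize)

    found = {"needed": [], "rpath": [], "runpath": []}
    for i in range(e_shnum):
        typ, off, size, link = shdr(i)
        if typ != SHT_DYNAMIC:
            continue
        _, str_off, str_size, _ = shdr(link)          # sh_link points at .dynstr
        strtab = data[str_off:str_off + str_size]

        def cstr(idx):
            return strtab[idx:strtab.index(b"\0", idx)].decode()

        for pos in range(off, off + size, 16):        # Elf64_Dyn entries
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                found["needed"].append(cstr(val))
            elif tag == DT_RPATH:
                found["rpath"] += cstr(val).split(":")
            elif tag == DT_RUNPATH:
                found["runpath"] += cstr(val).split(":")
    return found


def plantable_dirs(paths, origin="/opt/app"):
    """Search-path entries that do not exist but whose nearest existing parent
    is writable by the current user: a library planted there is loaded first.
    $ORIGIN is expanded with the assumed directory of the executable."""
    hits = []
    for raw in paths:
        if raw == "":                      # empty element == current working directory
            hits.append("(empty entry: cwd)")
            continue
        p = raw.replace("${ORIGIN}", origin).replace("$ORIGIN", origin)
        if os.path.isdir(p):
            continue
        parent = os.path.dirname(p.rstrip("/")) or "."
        while not os.path.isdir(parent):   # climb to the first directory that exists
            parent = os.path.dirname(parent) or "."
        if os.access(parent, os.W_OK):
            hits.append(p)
    return hits


def build_sample_elf(rpath="", runpath="", needed=("libc.so.6",)) -> bytes:
    """Constructed test input: an ELF64 shell holding only .dynstr, .dynamic,
    .shstrtab and the section table. Not a real or loadable binary."""
    strtab = bytearray(b"\0")

    def add(s):
        idx = len(strtab)
        strtab.extend(s.encode() + b"\0")
        return idx

    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, add(n)) for n in needed)
    if rpath:
        dyn += struct.pack("<qQ", DT_RPATH, add(rpath))
    if runpath:
        dyn += struct.pack("<qQ", DT_RUNPATH, add(runpath))
    dyn += struct.pack("<qQ", DT_NULL, 0)
    shstr = b"\0.dynstr\0.dynamic\0.shstrtab\0"
    str_off = 64
    dyn_off = str_off + len(strtab)
    shstr_off = dyn_off + len(dyn)
    shoff = shstr_off + len(shstr)

    def sh(name, typ, off, size, link=0, entsize=0):   # Elf64_Shdr
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, link, 0, 1, entsize)

    shdrs = (sh(0, 0, 0, 0) + sh(1, SHT_STRTAB, str_off, len(strtab))
             + sh(9, SHT_DYNAMIC, dyn_off, len(dyn), link=1, entsize=16)
             + sh(18, SHT_STRTAB, shstr_off, len(shstr)))
    ehdr = bytearray(64)
    ehdr[:7] = b"\x7fELF\x02\x01\x01"                 # ELF64, little-endian, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, 3, 62, 1)      # ET_DYN, EM_X86_64, version
    struct.pack_into("<Q", ehdr, 0x28, shoff)         # e_shoff
    struct.pack_into("<6H", ehdr, 52, 64, 56, 0, 64, 4, 3)   # ehsize..shstrndx
    return bytes(ehdr) + bytes(strtab) + dyn + shstr + shdrs
```

`plantable_dirs` is deliberately run as the user who would launch the program: whether a missing RPATH directory is a finding depends entirely on who can create it, so the same binary is a problem on a box where the parent is group-writable and harmless where it is root-owned.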
Conclusions….
Conclusions
• Lots of information available in binaries
• Help with assurance / assessment
 • for vendors and / or end organisations
• Help with target identification
 • target lower hanging fruit
 • less SDL aware components
• Without the use of symbols…
Thanks! Questions?

Research, Develop, Assess, Consult & Educate
https://www.surveymonkey.com/sourceboston12
@RecxLtd – ollie@recx.co.uk
