Positive Hack Days. Tarakanov. Master class: zero-day vulnerabilities

The master class covers the following topics:
common vulnerabilities in client-side software: stack overflow, heap overflow, use-after-free, etc.;
basic exploitation methods (using Windows XP as the example), DEP bypass;
advanced exploitation methods (using Windows 7 as the example), DEP+ASLR bypass;
binary analysis of security fixes (using Microsoft's "Patch Tuesday" as the example).


  1. Master class: zero-day vulnerabilities
     Nikita Tarakanov, CISS RT
  2. Types of vulnerabilities
     Stack-based buffer overflow
     Heap/Pool overflow
     Integer overflow/underflow/wrap
     Various memory corruptions
     Use-after-free
     Double free
  3. Stack-based buffer overflow
     Smashing data on the stack
     EIP control, and not only EIP: saved EBP (off-by-one)
     1st surprise – the Morris worm (1988)
     A lot of such vulns in the 1990s
  4. Stack-based buffer overflow: first steps to security
     Non-executable stack (PaX first)
  5. Stack-based buffer overflow: researchers’ answer
     Ret2libc technique
  6. Stack-based buffer overflow: next defense enhancements
     Stack cookie, aka canary dword (/GS cl.exe flag)
     Before ret(n) from a function, compare the canary with the value on the stack
     Equality – normal control flow
     Inequality – TerminateProcess()
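An added illustration of the /GS epilogue check described on slide 6, written in C for this page (not the author's code): the frame layout, the cookie value and the input bytes are all constructed for the simulation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simulated /GS frame (constructed layout): the local buffer sits below
 * the security cookie, which sits below the saved return address. */
struct gs_frame {
    char     buf[16];
    uint32_t cookie;     /* copy of the process-wide cookie, stored in the prologue */
    uint32_t saved_ret;  /* stand-in for the return address */
};

#define GS_OK      0
#define GS_SMASHED 1

/* Epilogue check: the on-stack cookie must still equal the process-wide value;
 * a mismatch means something wrote past buf, and TerminateProcess() follows. */
int gs_check(const struct gs_frame *f, uint32_t global_cookie) {
    return f->cookie == global_cookie ? GS_OK : GS_SMASHED;
}

/* Simulate a function that copies len bytes into buf with no bound check
 * (the "smashing data on the stack" case), then runs the epilogue check.
 * The copy targets the whole frame (buf is at offset 0) and is clamped to
 * its size so the simulation itself stays memory-safe; any len > 16
 * reaches the cookie. */
int copy_then_check(const uint8_t *src, size_t len, uint32_t global_cookie) {
    struct gs_frame f;
    memset(&f, 0, sizeof f);
    f.cookie = global_cookie;      /* prologue stores the cookie */
    f.saved_ret = 0x0BADF00Du;     /* placeholder, never used as a pointer */
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, src, len);          /* overruns buf when len > sizeof f.buf */
    return gs_check(&f, global_cookie);
}

/* In-bounds input: cookie intact, normal control flow. */
int demo_in_bounds(void) {
    uint8_t input[12];
    memset(input, 'A', sizeof input);
    return copy_then_check(input, sizeof input, 0xC0FFEE11u);
}

/* Overlong input: the cookie is overwritten and the check fails before ret. */
int demo_overflow(void) {
    uint8_t input[24];
    memset(input, 'A', sizeof input);
    return copy_then_check(input, sizeof input, 0xC0FFEE11u);
}
```

The second case is also why slide 7 matters: the check only fires if the cookie is actually emitted and the overwrite is noticed before control leaves the function.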
  7. Stack-based buffer overflow: researchers’ answer
     /GS doesn’t set the cookie sometimes (ANI sploit)
     SEH chain overwriting – overwrite the exception handler and trigger an exception
  8. Next security enhancement – DEP
     Introduced in Windows XP SP2
     Kill the process if EIP is in a non-executable memory area
     First implementation has two modes: software (emulation), hardware (NX bit)
  9. Avoiding DEP
     Non-permanent DEP – disable it by ret2libc
     Permanent DEP – main idea is to create an RWX section and jump there
     Tricky (not the true way) methods: ActionScript bytecode spraying, .NET, Java
     ROP – actually not new, just an upgrade of ret2libc: malloc(RWX), memcpy(shellcode), jmp to shellcode
  10. Next security enhancement – ASLR
     After DEP was successfully hacked, it’s clear that DEP alone doesn’t actually help security
     ASLR – on each boot, randomize the base address of each* module
     But to enable it, you should compile with that compiler key
     Reduces successful exploitation to 1/256 (first implementation); the next implementation got better entropy
  11. ASLR+DEP
     So how to write a reliable exploit???
     Tricky (not the true way) – just find a non-ASLR module (JRE, mscorie.dll and lots more…)
     True way – just use another vulnerability (memory leak)
     Not over yet!!! – just avoid everything – LoadLibrary vulns (aka Binary Planting)
  12. ASLR+DEP avoiding examples
     CVE-2010-3654 Flash Player ActionScript type confusion
     Integer overflow in WebGLArray (Chrome)
     libxslt generate-id heap chunk address leak
     Not over yet!!! – just avoid everything – LoadLibrary vulns (aka Binary Planting)
  13. Patch Tuesday – the art of binary diffing
     DarunGrim
     turbodiff
     patchdiff
     BinDiff
  15. Example: ms11-002
     Integer overflow somewhere…
     Unknown impact???
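An added example (not from the slides, and not the code of Chrome or any other project named here) of the integer-overflow class behind the WebGLArray entry on slide 12 and the "integer overflow somewhere" of ms11-002: a 32-bit byte-length computation that wraps, beside its checked form. The descriptor, field names and numbers are constructed; the length-times-element-size pattern is the generic one, not a claim about either bug's exact code.

```c
#include <stdint.h>

/* Hypothetical typed-array descriptor, constructed for this example. */
struct typed_array {
    uint32_t length;     /* element count taken from untrusted input */
    uint32_t elem_size;  /* bytes per element: 1, 2, 4 or 8 */
    uint32_t byte_len;   /* size the allocator will be asked for */
};

/* Defective computation: the 32-bit product wraps modulo 2^32, so a huge
 * length yields a tiny allocation that later per-element writes overrun. */
void init_unchecked(struct typed_array *a, uint32_t length, uint32_t elem_size) {
    a->length = length;
    a->elem_size = elem_size;
    a->byte_len = length * elem_size;   /* wraps silently */
}

/* Hardened computation: refuse any length whose product would not fit in
 * 32 bits. Returns 0 and leaves *a untouched instead of a short buffer. */
int init_checked(struct typed_array *a, uint32_t length, uint32_t elem_size) {
    if (elem_size == 0 || length > UINT32_MAX / elem_size)
        return 0;
    a->length = length;
    a->elem_size = elem_size;
    a->byte_len = length * elem_size;
    return 1;
}

/* Consistency check a reviewer or fuzz harness can apply to a descriptor:
 * byte_len must divide back to length, otherwise the product wrapped. */
int byte_len_wrapped(const struct typed_array *a) {
    return a->elem_size != 0 && a->byte_len / a->elem_size != a->length;
}

/* 0x40000001 four-byte elements need 0x100000004 bytes; as uint32_t that is 4. */
int demo_unchecked_wraps(void) {
    struct typed_array a;
    init_unchecked(&a, 0x40000001u, 4u);
    return byte_len_wrapped(&a);             /* 1: byte_len is 4, not 4 GiB */
}

int demo_checked_rejects(void) {
    struct typed_array a;
    return init_checked(&a, 0x40000001u, 4u); /* 0: refused */
}

uint32_t demo_checked_accepts(void) {
    struct typed_array a;
    return init_checked(&a, 1000u, 4u) ? a.byte_len : 0u;  /* 4000 */
}
```

When diffing a patch such as ms11-002, a newly inserted division-or-compare against a maximum before a multiply and allocate is exactly the shape to look for.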
