Fermín J. Serna – MSRC Engineering @ Microsoft

EXPLOITS & MITIGATIONS: EMET
Fermín J. Serna – MSRC @ Microsoft

Agenda

 Introduction
   Exploits
   Mitigations
 EMET
   V.1.02 (public availabl...
Fermín J. Serna – MSRC @ Microsoft

Introduction

 Who am I?
   Security Engineer at MSRC Engineering React (former
    ...
Fermín J. Serna – MSRC @ Microsoft

Exploits

  A bit of history on the windows side…
    Old days were good and easy to...
Fermín J. Serna – MSRC @ Microsoft

Exploits

  Stack overflows
                         Target SEH record
     0x4141414...
Fermín J. Serna – MSRC @ Microsoft

Exploits

      SEH record overwrite



 N     H     app!_except_handler4   N      H ...
Fermín J. Serna – MSRC @ Microsoft

Exploits

  Heap overflows
    Target heap structures (unlink exploits)
    Target ...
Fermín J. Serna – MSRC @ Microsoft

Exploits

  C++ touch already freed objects
    Somehow object was deleted but there...
Fermín J. Serna – MSRC @ Microsoft

Exploits

  Return oriented programming

   Crash at call [ecx + 100h]
   We assume a...
Fermín J. Serna – MSRC @ Microsoft

Mitigations

  Had been introduced historically in new OS and its
   Service Packs.
 ...
Fermín J. Serna – MSRC @ Microsoft

Mitigations

 GS (stack cookie)
   Arguments to the            Arguments to the
     ...
Fermín J. Serna – MSRC @ Microsoft

Mitigations

 GS (stack cookie)
   Prevents
     Saved Return address overwrite usa...
Fermín J. Serna – MSRC @ Microsoft

Mitigations

 DEP (Hardware one)
   Processor check check when executing instruction...
Fermín J. Serna – MSRC @ Microsoft

Mitigations

 DEP (Hardware one)
   ASLR makes it more robust
   Full ASLR + DEP + ...
Fermín J. Serna – MSRC @ Microsoft

Mitigations

 ASLR
  Randomizes:
    Modules base address
    Heap allocations
   ...
Fermín J. Serna – MSRC @ Microsoft

Mitigations

 ASLR
          Boot 1                  Boot 2                     Boot ...
Fermín J. Serna – MSRC @ Microsoft

Mitigations

 /SAFESEH (also refered as Software DEP)
   When a SEH is called:
    ...
Fermín J. Serna – MSRC @ Microsoft

Mitigations

 SEHOP
  32 bits OS mitigation
  When an exception happens the SEH cha...
Fermín J. Serna – MSRC @ Microsoft

Exploits

     SEHOP operation record overwrite


    Valid SEH Chain                ...
Fermín J. Serna – MSRC @ Microsoft

EMET

 Purpose of EMET:
   Break current exploitation techniques, exploits
    and s...
Fermín J. Serna – MSRC @ Microsoft

EMET

 v1.02
   Free (with limited support)
   Published on November
   Mitigation...
Fermín J. Serna – MSRC @ Microsoft

EMET

 DEP per process
   Easy one… enable DEP if SetProcessDepPolicy()
    exists i...
Fermín J. Serna – MSRC @ Microsoft

EMET

 SEHOP
  Similar to the OS SEHOP version
  OS version final «handler» is
   n...
Fermín J. Serna – MSRC @ Microsoft

EMET

 Common memory pages pre-allocation
   Common browser exloits rely on fixed ad...
Fermín J. Serna – MSRC @ Microsoft

EMET

 Next version…
   Available soon
   Potential new mitigations in next version...
Fermín J. Serna – MSRC @ Microsoft

EMET

 EAT hardware breakpoint mitigation
   Metasploit’s and most shellcodes do:
  ...
Fermín J. Serna – MSRC @ Microsoft

EMET

 EAT hardware breakpoint mitigation
   X86 has 4 debug registers… acting as da...
Fermín J. Serna – MSRC @ Microsoft

EMET

 Stack pivot mitigation
   Hook some interesting functions:
    NtAllocateVirt...
Fermín J. Serna – MSRC @ Microsoft

EMET

 Mandatory ASLR
   ASLR aware modules contains DYNAMIC BASE
    on its Dll Cha...
Fermín J. Serna – MSRC @ Microsoft

Greetings

 Thank you guys!
   MSRC/MSEC (former SWI): Andrew Roths,
    Matt Miller...
Fermín J. Serna – MSRC @ Microsoft

Questions

  Now or...



                      Twitter: fjserna
              http://...
Upcoming SlideShare
Loading in...5
×

Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]

2,644

Published on

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,644
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
192
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]

  1. 1. Fermín J. Serna – MSRC Engineering @ Microsoft EXPLOITS & MITIGATIONS: EMET
  2. 2. Fermín J. Serna – MSRC @ Microsoft Agenda  Introduction  Exploits  Mitigations  EMET  V.1.02 (public available)  Next version (soon to be available)  QA
  3. 3. Fermín J. Serna – MSRC @ Microsoft Introduction  Who am I?  Security Engineer at MSRC Engineering React (former SWI).  Technical background of MSRC for externally reported security issues: MSo8-67, Aurora IE case …  HPUX PA-RISC, Solaris SPARC: assembly, shellcode and exploit lover.  Published several docs and exploits: Phrack (58-9) HP- UX PA-RISC exploitation techniques long time ago, …  Developer of a PAX implementation on win32 long time ago…
  4. 4. Fermín J. Serna – MSRC @ Microsoft Exploits  A bit of history on the windows side…  Old days were good and easy to write exploits…  Smash the * for fun and profit: stack, heap, vtable,…  These days is more difficult but challenges are fun  Better code…  Mitigations…  Mitigations…  Did I say mitigations?  No… wait… something is left… Mitigations!!!
  5. 5. Fermín J. Serna – MSRC @ Microsoft Exploits  Stack overflows Target SEH record 0x41414141 SEH record Arguments to the 0x41414141 function Target saved EIP… one return needed 0x41414141 Saved EIP 0x41414141 Saved EBP Target saved EBP… two returns needed AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA Local Variables Target a local variable pointer.
  6. 6. Fermín J. Serna – MSRC @ Microsoft Exploits  SEH record overwrite N H app!_except_handler4 N H 0x7c1408ac N H k32!_except_handler4 pop eax 0x414106eb pop eax 0xffffffff [jmp +6] ret
  7. 7. Fermín J. Serna – MSRC @ Microsoft Exploits  Heap overflows  Target heap structures (unlink exploits)  Target an object vtable  Any variable/structure at the heap could be interesting for a write AV.
  8. 8. Fermín J. Serna – MSRC @ Microsoft Exploits  C++ touch already freed objects  Somehow object was deleted but there are references to it on other objects… (ref counting bugs)  Target vtable calls: call [reg+offset]  Any member variable at the heap could be interesting for a write AV.
  9. 9. Fermín J. Serna – MSRC @ Microsoft Exploits  Return oriented programming Crash at call [ecx + 100h] We assume attacker controls content of [ecx- 500h,ecx+500h] Attacker places at [ecx+100h] some fixed address of: mov esp, ecx; «some other non-deref ins»; ret Esp is pointing inside the controlled range Next ret will grab arguments and saved eip from controlled range. Chain of Virtualloc, strcpy, jmp will defeat DEP Full ASLR breaks ROP!!!!
  10. 10. Fermín J. Serna – MSRC @ Microsoft Mitigations  Had been introduced historically in new OS and its Service Packs.  XPSP2 was a big security push: /SAFESEH, DEP, /GS, SAFE Unlinking…  Server 2k3 SP2: Improved GS  Vista: User mode ASLR + DEP (big win), heap structures encoded  Vista SP1: Kernel mode ASLR + SEHOP (disabled by default)  Server 2k8: SEHOP (enabled by default)
  11. 11. Fermín J. Serna – MSRC @ Microsoft Mitigations  GS (stack cookie) Arguments to the Arguments to the function function Saved EIP 0x41414141 Saved EIP Saved EBP 0x41414141 Saved EBP GS cookie != 0x41414141 GS cookie AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA Local Variables Local Variables
  12. 12. Fermín J. Serna – MSRC @ Microsoft Mitigations  GS (stack cookie)  Prevents  Saved Return address overwrite usage  Saved EBP overwrite usage  Local function pointers usage (new /GS)  Does not prevent  SEH overwrite usage  Other local varibles usage  Weird overwrites MS08-67
  13. 13. Fermín J. Serna – MSRC @ Microsoft Mitigations  DEP (Hardware one)  Processor check check when executing instructions.  Page’s protection can be RWX (Read, Write and Executable) + other properties Logic behind: if (has_exec_bit((PAGE_PROTECTION(eip))==FALSE) { Raise_exception(); }
  14. 14. Fermín J. Serna – MSRC @ Microsoft Mitigations  DEP (Hardware one)  ASLR makes it more robust  Full ASLR + DEP + no memory leaks = robust mitigation  Prevents  Placing and executing shellcode at writable pages: recv() buffers, javascript strings, …  Old type of exploits need to be re-written
  15. 15. Fermín J. Serna – MSRC @ Microsoft Mitigations  ASLR  Randomizes:  Modules base address  Heap allocations  Stack base  TEB address …  Prevents  Fixed address assumptions…  F.i. ROP or return into ntdll for DEP bypass (Uninformed – technique).
  16. 16. Fermín J. Serna – MSRC @ Microsoft Mitigations  ASLR Boot 1 Boot 2 Boot 3 user32.dll kernel32.dll app.exe app.exe process user32.dll ntdll.dll address space kernel32.dll app.exe ntdll.dll ntdll.dll user32.dll kernel32.dll Region Entropy Image 8 bits Heap 5 bits Stack 14 bits
  17. 17. Fermín J. Serna – MSRC @ Microsoft Mitigations  /SAFESEH (also refered as Software DEP)  When a SEH is called:  Verifies if SEH record is in executable memory  Verifies if the SEH function is inside a module  Also verifies if the function is defined in the module Safe SEH table located at the PE binary  If the PE file was not compiled with /SAFESEH it allows the handler execution  Attackers are taking advantage of this “app compat” scenario 64 bits processes SEH works differently…
  18. 18. Fermín J. Serna – MSRC @ Microsoft Mitigations  SEHOP  32 bits OS mitigation  When an exception happens the SEH chain is verified.  Last SEH record points to ntdll!FinalExceptionHandler? (SEHOP without ASLR = no sense)  Yes? chain is not corrupted  No? chain is corrupted and could lead to untrusted code execution… stop the process!
  19. 19. Fermín J. Serna – MSRC @ Microsoft Exploits  SEHOP operation record overwrite Valid SEH Chain Invalid SEH Chain N H app!_except_handler4 N H app!_main+0x1c N H k32!_except_handler4 0x41414141 ntdll!FinalExceptionHandle N H r ? Can’t reach validation frame!
  20. 20. Fermín J. Serna – MSRC @ Microsoft EMET  Purpose of EMET:  Break current exploitation techniques, exploits and shellcodes  Bring to older OS current mitigations  Per process opt-in  Test potential future OS mitiations  Some of the mitigations can by bypassed.  Yes ,we know… but they will break exploits as they are publicly developed currently.
  21. 21. Fermín J. Serna – MSRC @ Microsoft EMET  v1.02  Free (with limited support)  Published on November  Mitigations:  Enable DEP per process  SEHOP (similar but no the same)  Common memory pages pre-allocation
  22. 22. Fermín J. Serna – MSRC @ Microsoft EMET  DEP per process  Easy one… enable DEP if SetProcessDepPolicy() exists in the system  API available at XPSP3 +, Vista SP1+ and 2k8/Win7
  23. 23. Fermín J. Serna – MSRC @ Microsoft EMET  SEHOP  Similar to the OS SEHOP version  OS version final «handler» is ntdll!FinalExceptionHandler  EMET’s version final «record» is at a random offset of a random page.  A Vector Exception Handler (VEH) validates the exception chain before any SEH is executed  Works downlevel!
  24. 24. Fermín J. Serna – MSRC @ Microsoft EMET  Common memory pages pre-allocation  Common browser exloits rely on fixed addresses to be allocated… 0x0c0c0c0c, 0x0d0d0d0d, …  Pages address can be added at the registry  Pre-allocate them as PAGE_NOACCESS so a heap spray cannot get them  NULL allocation in case a new technique for allocating it comes into play
  25. 25. Fermín J. Serna – MSRC @ Microsoft EMET  Next version…  Available soon  Potential new mitigations in next version:  EAT Hardware breakpoint mitigation  Stack pivot mitigation  Mandatory ASLR  Some can be circunvented… we know how to do it… but breaks a lot of currnet shellcodes/exploits 
  26. 26. Fermín J. Serna – MSRC @ Microsoft EMET  EAT hardware breakpoint mitigation  Metasploit’s and most shellcodes do:  Go to the TEB fs:[0]  Grab a pointer to the PEB TEB[30] – fs:[30]  Go the Ldr structures at the PEB  Linked list of loaded modules  Contains name and image base  Loop through all modules looking for specific exported functions at the Export Addess Table (EAT)  Once found go to EAT.AddressOffunctions[offset] for the address of the required function
  27. 27. Fermín J. Serna – MSRC @ Microsoft EMET  EAT hardware breakpoint mitigation  X86 has 4 debug registers… acting as data breakpoints  On windows 4 per thread since they are saved when OS switch to other tasks  Place a 4 byte read data breakpoint at:  Kernel32!EAT.AddressOffunctions  Ntdll!EAT.AddressOfFunctions  A VEH will monitor accesses to these: single step exception  Is eip inside a module? 
  28. 28. Fermín J. Serna – MSRC @ Microsoft EMET  Stack pivot mitigation  Hook some interesting functions: NtAllocateVirtualMemory, NtProtectVirtualMemory, LdrLoadDll, NtSetInformationProcess, …  At the hook check:  Is esp inside the bounds defined at the TEB: StackBase, StackLimit?  Mitigates all aurora exploits I have seen 
  29. 29. Fermín J. Serna – MSRC @ Microsoft EMET  Mandatory ASLR  ASLR aware modules contains DYNAMIC BASE on its Dll Characteristics at the PE Header.  Hook ntdll!LdrLoadDll, check if the module is ASLR aware.  Yes? Allow the dll load  No? Allocate a page at its imagebase and let the OS figure out if it can relocate it   Only works for dll loads after EMET has been loaded and not for imports…
  30. 30. Fermín J. Serna – MSRC @ Microsoft Greetings  Thank you guys!  MSRC/MSEC (former SWI): Andrew Roths, Matt Miller, Damian Hasse and Ken Johnson.
  31. 31. Fermín J. Serna – MSRC @ Microsoft Questions Now or... Twitter: fjserna http://zhodiac.hispahack.com
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×