
How Safe is your Link ?


As @nicowaisman mentioned in his talk Aleatory Persistent Threat, old school heap specific exploiting is dying. And with each Windows SP or new version, it is harder to attack the heap itself. Heap management adapts quickly and includes new mitigation techniques. But sometimes it is better to rethink the idea of mitigation and do this technique properly; even a half version of it will cover all known heap exploit techniques…


  1. How safe is your link? Old school exploitation vs new mitigations
  2. #whoami
     • Peter Hlavatý
     • Specialized Software Engineer at ESET
     • Points of interest: vulnerability research, exploit mitigations, kernel development, bootkit research, malware detection and removal algorithms
     • @zer0mem
     • research blog: http://zer0mem.sk/
  3. Introduction
     • As nico mentioned in his talk, Aleatory Persistent Threat, old school heap specific exploiting is dying
     • windows version ++ → attack difficulty ++
     • weak implementation == place for exploiting of mechanism
  4. Windows memory management: let's take a look at the algorithm
  5. Quick lookup at RtlpAllocateHeap FreeLists-UnLink-Search algorithm. Really, some security improvements in the algorithm are obvious...
     • Validating / Encoding headers
     • RtlpAnalyzeHeapFailure
     • SafeLinking
  6. I. Validating / Encoding headers
     • code1 = _Heap.EncodeFlagsMask ? code1 ^ _Heap.Encoding.Code1 : code1
     • valid = code1.Flags ^ (BYTE)code1.Size ^ (code1.Size >> 8) == code1.SmallTagIndex
     • size = code1.Size
     • _Heap.EncodeFlagsMask initially set to default value
     • _Heap.Encoding.Code1 set to random value
  7. II. RtlpAnalyzeHeapFailure
     • cs:RtlpDiSableBreakOnFailureCookie
     • x64 by default, x86 not!
     • x86 Win binaries by default
     • What about 3rd party?
     • RtlpGetModifiedProcessCookie → call NtQueryInformationProcess
  8. III. SafeLinking
     • heap_entry.flink.blink != heap_entry.blink.flink || heap_entry.flink.blink != heap_entry
     • Pretty easy check, don't you think?
  9. RtlpHeapAlloc search in FreeLists
  10. Problems?
     • FreeListsSearch: missing validation checks?
     • RtlpAnalyzeHeapFailure: results in kill app or not? 3rd party?
     • SafeLink check: is it implemented smart enough?
  11. Exploitation 1: Show me your gong-fu :: technique
  12. BuildOwnHeap – IDEA
  13. Ruling under encoding logic: LowerBoundary of HEAP_ENTRY.Size
     • Interesting test: _Heap.EncodeFlagsMask & HEAP_ENTRY.Code1
     • If not matched, then it is not XORed!
     • What about 0-size? → Implementation shortcut
  14. Ruling under encoding logic: UpperBoundary (I.) of HEAP_ENTRY.Size
     • Interesting xoring value: _Heap.Encoding.Code1 set to random value
     • In this case → too much random == too much predictability
     • If (HEAP_ENTRY.Size set to 0101010101010101b) then (_Heap.Encoding.Code1 ^ HEAP_ENTRY.Size) → high probability to be a big number → Implementation shortcut
  15. Ruling under encoding logic: UpperBoundary (II.) of HEAP_ENTRY.Size
     • Based on XOR
     • Two heap_entry chunks on freelist
     • 1st: set HEAP_ENTRY.Size to 0x8000
     • 2nd: set HEAP_ENTRY.Size to 0x0
     • After XOR, one of the HEAP_ENTRY.Size values will for sure be equal to 0x8000, which is a big number → Implementation shortcut
  16. BuildOwnHeap – implementation
     • Looka looka – SafeLink check?
  17. Attack!
  18. Results?
     • SafeLink check → HeapSpray fake list fulfills the conditions
     • Validation & RtlpAnalyzeHeapFailure? → I am 3rd party
     • Problems: works for x86 binaries; already fixed in win7sp1
  19. Good enough? … not … Can it be improved?
  20. Quick lookup at RtlpFreeHeap FreeLists-Link-Search algorithm. Seems familiar?
     • Validating / Encoding headers
     • RtlpAnalyzeHeapFailure
     • SafeLinking
  21. SafeLinking, changed!?
     • heap_entry.Blink.Flink != heap_entry
     • …
  22. RtlpFreeHeap search in FreeLists
     • Again, no validation required here
     • Performance vs security?
  23. Previous IDEA – improving...
     • What do you think happens with a valid chunk, whose size is bigger than the size of the already overwritten HEAP_ENTRY, when it is attempted to be freed?
  24. Final Exploitation
     1) Memory leak!
     2) Relinking already used memory!
  25. Exploitation 2 – showtime …improving, improving, success…
  26. Prerequisites
     • Same as in the first attack:
       • HeapSpray attack
       • sizeof(HEAP_ENTRY) + sizeof(LIST_ENTRY->Flink) overflow, which causes overwriting of a HEAP_ENTRY on the FreeList
     • Second attack specific:
       • Ability to force the application to free already used 'good sized' memory → memory leak
       • RW access to our heapsprayed buffer → relinking
  27. Attack!
  28. Visualisation of exploitation – init
  29. Visualisation of exploitation – heapspray
  30. Visualisation of exploitation – overwrite
  31. Visualisation of exploitation – free(*)
  32. Results
     • Success!
  33. Live Demo: Win7 SP1
  34. Done – Conclusions
     • Mitigations are only as good as their weakest point!
     • Implement a minimalistic approach, but cover all responsibilities of the code
     • Speed performance < safe environment
  35. Additional technique info
     • Reported to Microsoft about 2 years ago
     • But still present in win7sp1, and was usable even in win8CP!
     • In the final release of win8 it is finally patched!
     • FreeListSearch algo now validates each walked HEAP_ENTRY
  36. Video Demo: win8 CP, ie10
  37. References
     • Brett Moore: Exploiting Freelist[0] On XP Service Pack 2, http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist%5B0%5D%20On%20XP%20Service%20Pack%202.pdf
     • Chris Valasek: Understanding the Low Fragmentation Heap, http://illmatics.com/Understanding_the_LFH.pdf
     • Brett Moore: Heaps About Heaps, http://seclists.org/vuln-dev/2008/Jul/0
     • Alexander Sotirov: Heap Feng Shui in JavaScript, http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf
     • Nico Waisman: Aleatory Persistent Threat, http://media.blackhat.com/bh-us-10/presentations/Waisman/BlackHat-USA-2010-Waisman-APT-slides.pdf
     • … and many other useful exploit-technique related materials …
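The three checks the slides compare (header encoding and checksum validation on slide 6, the full safe-unlink test on slide 8, and the weaker predecessor-only test on slide 21), written out as a constructed C model. This is an added illustration, not code from the talk or from Windows: the packed header layout, the function names, and the sample key and sizes are assumptions, and the freelist corruption is a constructed scenario used only to show which check catches it.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of the header fields named on the slides; NOT the real HEAP_ENTRY layout.
   Code1 word: bits 0-15 Size, 16-23 Flags, 24-31 SmallTagIndex (checksum byte). */
static uint32_t pack(uint16_t size, uint8_t flags, uint8_t tag) {
    return (uint32_t)size | ((uint32_t)flags << 16) | ((uint32_t)tag << 24);
}

/* Checksum byte as on slide 6: Flags ^ (BYTE)Size ^ (Size >> 8). */
static uint8_t tag_of(uint16_t size, uint8_t flags) {
    return (uint8_t)(flags ^ (uint8_t)size ^ (uint8_t)(size >> 8));
}

/* Encode a header: compute the checksum, then XOR with the per-heap random key
   (Encoding.Code1) when the heap has encoding enabled (EncodeFlagsMask != 0). */
uint32_t encode_header(uint32_t encode_mask, uint32_t key, uint16_t size, uint8_t flags) {
    uint32_t w = pack(size, flags, tag_of(size, flags));
    return encode_mask ? (w ^ key) : w;
}

/* Decode and validate a header word; returns the size, or -1 when the checksum does not match. */
int decoded_size(uint32_t encode_mask, uint32_t key, uint32_t raw) {
    uint32_t w = encode_mask ? (raw ^ key) : raw;
    uint16_t size = (uint16_t)w;
    uint8_t flags = (uint8_t)(w >> 16), tag = (uint8_t)(w >> 24);
    return tag_of(size, flags) == tag ? (int)size : -1;
}

typedef struct ListEntry { struct ListEntry *Flink, *Blink; } ListEntry;

/* Safe-unlink check from slide 8: both neighbours must point back at the entry. */
bool safe_unlink_ok(const ListEntry *e) {
    return e->Flink->Blink == e && e->Blink->Flink == e;
}

/* Weaker check from slide 21 (free path): only the predecessor is verified. */
bool weak_link_ok(const ListEntry *e) {
    return e->Blink->Flink == e;
}

/* Builds a 3-entry circular freelist, optionally overwrites the middle entry's Flink with a
   stray entry that does not point back (constructed corruption), and reports whether the
   chosen check still accepts the middle entry. */
bool check_accepts(bool corrupt_flink, bool full_check) {
    ListEntry a, b, c, stray = { 0, 0 };
    a.Flink = &b; b.Blink = &a; b.Flink = &c; c.Blink = &b; c.Flink = &a; a.Blink = &c;
    if (corrupt_flink) b.Flink = &stray;
    return full_check ? safe_unlink_ok(&b) : weak_link_ok(&b);
}
```

Running the two list checks against the same corrupted entry shows why the free-path variant on slide 21 leaves a gap the allocation-path check on slide 8 closes.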
