
[ENG] Hacktivity 2013 - Alice in eXploitland


[ENG] Hacktivity 2013 - Alice in eXploitland - attack and defense evolution



  1. Alice in eXploitland - Attack & defense evolution. Zoltán Balázs, Hacktivity 2013
  2. About:me
     OSCP, C|HFI, CISSP, CPTS, MCP
     Senior IT security consultant @ Deloitte Hungary
     Proud member of the gula.sh team
     zbalazs@deloittece.com
     https://hu.linkedin.com/in/zbalazs
     Twitter - zh4ck
  3. What's next? Evolution of memory corruption attack & defense
     - Stack based buffer overflows
     - Stack canary
     - Structured Exception Handling
     - DEP
     - ASLR
     - Advanced mitigation
  4. Scope of this presentation
     - Focus on memory corruption, not Java vulnerabilities
     - Focus on Windows: in the last 15 years Windows was the biggest target for memory corruption exploits
     - High level overview only, no details like Assembly
     - Mostly stack overflow vulnerability: no heap overflow, no format string, no null pointer dereference, no integer overflow (just a little bit), no use after free
  5. Why you should care about exploits? If you are a company outside of China (or place your favourite enemy here):
     - You are a target for intellectual property stealing
  6. Why you should care about exploits? If you are a company outside of China (or place your favourite enemy here):
     - You are a target for intellectual property stealing
     - Your intellectual property will be stolen: social engineering, software exploits
  7. Why you should care about exploits? If you are a company outside of China (or place your favourite enemy here):
     - You are a target for intellectual property stealing
     - Your intellectual property will be stolen: social engineering, software exploits
     - You will find your product on the local Chinese market at half the price
  8. Why you should care about exploits? If you are a military team working for the Chinese (or other) government to steal intellectual property:
     - Your C&C server will be hacked through a memory corruption vulnerability
  9. Why you should care about exploits? If you are a military team working for the Chinese (or other) government to steal intellectual property:
     - Your C&C server will be hacked through a memory corruption vulnerability
     - Your "projects" will be revealed by hackers from Luxembourg
  10. Why you should care about exploits? If you are a plain user surfing the web:
     - You might be hacked through a memory corruption vulnerability (or Java)
  11. Why you should care about exploits? If you are a plain user surfing the web:
     - You might be hacked through a memory corruption vulnerability (or Java)
     - Credit card stolen, internet bank hacked
  12. Why you should care? If you are a plain user surfing the web:
     - You might be hacked through a memory corruption vulnerability (or Java)
     - Credit card stolen, internet bank hacked
     - Identity stolen
  13. Why you should care about exploits? If you are a plain user surfing the web:
     - You might be hacked through a memory corruption vulnerability (or Java)
     - Credit card stolen, internet bank hacked
     - Identity stolen
     - Facebook wall spammed
  14. Function calls

         #include <stdio.h>
         #include <string.h>

         /* Deliberately vulnerable: strcpy() copies argv[1] into the 100-byte
            stack buffer with no length check (this is the bug the talk is about). */
         void SayHello(char* userinput) {
             char buffer[100];
             strcpy(buffer, userinput);
             printf("Hello %s\n", buffer);
         }

         int main(int argc, char** argv) {
             if (argc < 2)
                 return 1;
             SayHello(argv[1]);
             return 0;
         }
  15. Function calls: the stack diagram is built up over slides 15-20. Slide 15: a new stack frame is created; ESP (extended stack pointer) marks the top of stack. Addresses run from 0x00000000 (top of the diagram) to 0xFFFFFFFF (bottom).
  16. Function calls: the pointer to argv[1] is pushed.
  17. Function calls: the saved EIP (extended instruction pointer) is pushed. "Overwrite this for PROFIT."
  18. Function calls: the saved EBP (extended base pointer) is pushed.
  19. Function calls: space for buffer is reserved; EBP is the frame pointer.
  20. Function calls: strcpy fills the buffer (AAAA ...) writing toward the saved EBP and saved EIP. Final layout of slide 20:

         0x00000000
         ...
         AAAA            <- ESP (top of stack)
         AAAA               |
         ...                | strcpy writes this way
         AAAA            <- EBP (frame pointer)
         Saved EBP
         Saved EIP       <- Overwrite this for PROFIT
         ptr to argv[1]
         ....
         0xFFFFFFFF

     EIP - extended instruction pointer, ESP - extended stack pointer, EBP - extended base pointer
  21. Stack based buffer overflow vulnerability
     "Stack overflow happens when the user can put more data on the allocated stack than available."
     If more data is put on the stack (stack overflow) ... magic will happen.
     Buffer overflow: stack based buffer overflow, heap based buffer overflow
  22. Stack overflow: the frame of slide 20, buffer filled with AAAA by strcpy.
  23. Stack overflow: the copy continues past the buffer and overwrites the saved EBP with AAAA.
  24. Stack overflow: the saved EIP is overwritten with AAAA ("Overwrite this for PROFIT").
  25. Stack overflow: the pointer to argv[1] is overwritten with AAAA as well. Final layout of slide 25:

         0x00000000
         ...
         AAAA            <- ESP (top of stack)
         AAAA               |
         ...                | strcpy writes this way
         AAAA            <- EBP (frame pointer)
         AAAA            (Saved EBP, overwritten)
         AAAA            (Saved EIP, overwritten - Overwrite this for PROFIT)
         AAAA            (ptr to argv[1], overwritten)
         ....
         0xFFFFFFFF

     EIP - extended instruction pointer, ESP - extended stack pointer, EBP - extended base pointer
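A hardened counterpart to the SayHello() of slide 14, added here as an example (not code from the talk): the same 100-byte stack buffer, but the copy is bounded and over-long input is rejected before any byte is written, so the saved EBP and saved EIP in the diagrams above can never be reached. The greet_alice() and oversized_is_rejected() helpers are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define GREETING_BUF 100   /* same size as the slide's buffer[100] */

/* Fixed version of SayHello(): copy only if the whole string, terminator
 * included, fits into the stack buffer. Returns 0 on success and -1 when
 * the input is rejected; nothing is written to 'out' in the reject case. */
int say_hello_checked(const char *userinput, char *out, size_t outlen)
{
    char buffer[GREETING_BUF];
    size_t len = strlen(userinput);
    if (len >= sizeof buffer)            /* no room for the NUL: reject, never truncate */
        return -1;
    memcpy(buffer, userinput, len + 1);  /* bounded copy, NUL included */
    snprintf(out, outlen, "Hello %s\n", buffer); /* output bounded by outlen */
    return 0;
}

/* Demo helpers (constructed): a short greeting, and a 150-byte run of 'A',
 * the classic overflow input from the diagrams. */
const char *greet_alice(void)
{
    static char line[GREETING_BUF + 8];
    say_hello_checked("Alice", line, sizeof line);
    return line;
}

int oversized_is_rejected(void)
{
    char overlong[151], line[GREETING_BUF + 8];
    memset(overlong, 'A', 150);
    overlong[150] = '\0';
    return say_hello_checked(overlong, line, sizeof line) == -1;
}

int main(int argc, char **argv)
{
    char line[GREETING_BUF + 8];
    if (argc < 2 || say_hello_checked(argv[1], line, sizeof line) != 0) {
        fputs("usage: sayhello <name of at most 99 characters>\n", stderr);
        return 1;
    }
    fputs(line, stdout);
    return 0;
}
```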
  26. Quiz for Hacker Pschorr: Which team created the first Linux kernel patch to protect against stack overflows? ***
  27. Quiz for Hacker Pschorr: Which team created the first Linux kernel patch to protect against stack overflows? PaX team in 2000
  28. Stack overflow history
     1972 – Computer Security Technology Planning Study
     1988 – Morris worm
     1996 – Smashing the Stack for Fun and Profit (Aleph One)
     2000 – NSA – SELinux open sourced
     2000 – PaX Team
     2003 – SELinux merged into mainline Linux Kernel
     2004 – Egghunters – against small buffers
  29. Shellcode: the attacker code, what the attacker wants to execute. The instructions given by Alice to the rabbit.
  30. Mitigation techniques: all of the following mitigation techniques are used against every memory corruption vulnerability, not just against stack overflow.
  31. Stack canary/cookie: the frame of slide 20 with a random cookie (27384AB4CD457) placed between the buffer and the saved EBP.
  32. Stack canary/cookie: the overflow (AAAA) now has to run through the cookie before it reaches the saved EBP, saved EIP and ptr to argv[1]. Layout of slides 31-32:

         0x00000000
         ...
         AAAA            <- ESP (top of stack)
         AAAA               |
         ...                | strcpy writes this way
         AAAA            <- EBP (frame pointer)
         27384AB4CD457   Random cookie (overwritten with AAAA on slide 32)
         Saved EBP       (overwritten with AAAA on slide 32)
         Saved EIP       (overwritten with AAAA on slide 32) - Overwrite this for PROFIT
         ptr to argv[1]  (overwritten with AAAA on slide 32)
         ....
         0xFFFFFFFF

     EIP - extended instruction pointer, ESP - extended stack pointer, EBP - extended base pointer
  33. Stack canary/cookie history (/GS)
     1997 – Linux (GCC)
     2002 – MS (Visual Studio)
  34. Stack canary/cookie bypass
     Method 1: Replace the cookie on the stack and in .data. Tamper with the sensor in a way where water does not trigger an alarm.
     Method 2: Not protected buffer (no string buffer). Use a pot which is not equipped with an alarm system.
     Method 3: Guess/calculate the cookie (static cookie).
     Method 4: Overwriting stack data in functions up the stack, switch case.
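A runnable model of the cookie from slides 31-32, added as an example (not code from the talk): the frame is laid out as a struct, in the order /GS uses, so the oversized write stays well defined; the master cookie value and the saved pointers are constructed for the demo, and check_cookie() does what the /GS function epilogue does before returning.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The frame of slides 31-32 as a struct: buffer first, then the random
 * cookie, then the saved EBP and EIP, in the order /GS lays them out.
 * The buffer is shrunk from 100 to 16 bytes to keep the demo small. */
struct frame {
    char     buffer[16];
    uint32_t cookie;       /* copied from the per-process master on entry */
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

/* Constructed master cookie (the slide's 27384AB4CD457, cut to 32 bits). */
static const uint32_t g_master_cookie = 0x27384AB4u;

/* Models strcpy() running from the start of buffer toward the saved EIP.
 * Writing into the struct's own bytes keeps the copy defined; the cap at
 * the end of the frame only stops the demo itself from overrunning. */
static void copy_into_frame(struct frame *f, const char *src, size_t len)
{
    size_t room = sizeof *f - offsetof(struct frame, buffer);
    if (len > room)
        len = room;
    memcpy((unsigned char *)f + offsetof(struct frame, buffer), src, len);
}

/* The /GS epilogue check: the stack copy must still equal the master.
 * Returns 1 if intact, 0 if the cookie was clobbered on the way to EIP. */
static int check_cookie(const struct frame *f)
{
    return f->cookie == g_master_cookie;
}

/* Builds a fresh frame, writes 'len' bytes of 'A' into it and reports whether
 * the cookie check would still pass: 16 bytes fit; 17 or more must cross
 * the cookie before they can touch saved_ebp or saved_eip. */
int frame_survives_write(size_t len)
{
    struct frame f;
    char input[64];
    memset(input, 'A', sizeof input);
    memset(&f, 0, sizeof f);
    f.cookie = g_master_cookie;
    f.saved_ebp = 0xBFFFF000u;   /* constructed placeholder values */
    f.saved_eip = 0x00401000u;
    copy_into_frame(&f, input, len);
    return check_cookie(&f);
}
```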
  35. Structured Exception Handling exploit: in reality, traditional stack overflow exploits are sometimes not possible
     - No EIP overwrite, no jump
     - Stack cookies
     - Way too complicated to trigger
  36. Structured Exception Handling exploit: in reality, traditional stack overflow exploits are sometimes not possible
     - No EIP overwrite, no jump
     - Stack cookies: the stack cookie is not checked at exception handling
     - Way too complicated to trigger
  37. SEH exploit - three steps to profit
     Step 1. Overwriting the first element in the exception-handling chain
     Step 2. Because of the overflow, the exception handling is triggered
     Step 3. Via exception handling, return to the malicious shellcode (PROFIT)
  38. SEH exploit metaphor: if chaos occurs, a disaster recovery process handles the chaos. Alice can rewrite the address where the rabbit can find the disaster recovery process manual.
  39. SEH exploit mitigation
     SafeSEH: a table which specifies for the operating system the valid exception handlers; only a limited set of addresses where the disaster recovery manual can be found. Alice can not change those.
     SEHOP: the OS performs SEH chain validation; breaks SEH overwrite exploitation techniques. A stamp from the queen on the addresses where the disaster recovery manual can be found.
  40. DEP - Data Execution Prevention - Windows (OS level). Protection: mark the stack as non executable. Related: PageExec, W^X, NX, XD
  41. PageExec, W^X, NX, XD, DEP
     NX - Never Execute - AMD (CPU level)
     XD - eXecution Disabled - Intel (CPU level)
     W^X - Write XOR Execute - OpenBSD, OS X (OS level)
     Non-Executable Memory - Linux (OS level)
     Windows: if CPU NX/XD is enabled/supported, HW DEP == real DEP; if CPU NX/XD is disabled/not supported, software DEP == SafeSEH !!!
     DEP modes: Always Off, OptIn, OptOut, Always On
  42. PageExec, W^X, NX, XD, DEP history
     1997 – Openwall – Solar Designer
     2000 – PaX Team PageExec
     2002 – Exec Shield (Ingo Molnár)
     2003 – OpenBSD
     2004 – Linux (Ingo Molnár)
     2004 – Windows XP SP2
     2006 – OS X
  43. PageExec, W^X, NX, XD, DEP bypass
     Method 1: Return Oriented Programming (ROP); roots from Solar Designer (return-into-libc) - 1997
  44. PageExec, W^X, NX, XD, DEP bypass
     Method 2: Mark the stack part as executable. Alice can override the command that her handwritten orders can not be executed. Does not work on protection "always on".
     Method 3: Disable the protection for the process. Does not work on protection "always on".
     Method 4: Copy shellcode to an executable area. The executable area is usually read only; allocate new memory with read-write-execute support (VirtualAlloc). If attacking a browser: JavaScript heap spraying. Other magic here.
  45. ASLR metaphor: ASLR = Address Space Layout Randomization. Changing the addresses of the memory layout every time; changing the street names and house numbers every time. Alice can only go to a house; she won't know what its address will be at the time when the rabbit arrives.
  46. ASLR history
     1997 – Memco
     2001 – PaX Team (RandExec/RandMmap/RandUStack/RandKStack)
     2005 – OpenBSD
     2005 – Linux – first implementation weak
     2007 – Windows
     2007 – OS X
     2011 – Android
  47. ASLR bypass: 2007 – MS07-017 ANI exploit – Alex Sotirov
     Method 1: Overwrite the first two bytes of EIP (low bytes). The high bytes are random - we need that info, so we won't change it; the low bytes are modified to point to a piece of code useful for the attacker. Alice case: we specify the return address like "4 houses to the left, next to the original".
     Method 2: Low entropy in random - brute force. A catch-all exception block is usually needed. You never write try { code_here } catch (Every exception) { Do nothing }, do you? ASLR on 32 bit OS is 14m3; ASLR on 64 bit OS is 1337 (High Entropy ASLR on Win8).
  48. ASLR bypass ... Method 2: Low entropy in random - brute force. Alice can give 1000 addresses to the rabbit; the rabbit will look for Alice in 1000 houses; finally the rabbit can find Alice; Alice can give him the malicious instructions. PROFIT
  49. ASLR bypass ...
     Method 3: ASLR not enforced. Java 6 (static) used in the Adobe Flash exploit; Java 7 has ASLR. There are still some static street names and house numbers in eXploitland that never change.
     Method 4: Address space information disclosure. Alice can ask an inhabitant of eXploitland what the street name and house address of the house where Alice is will be when the rabbit arrives.
  50. EMET
  51. Exploiting stack overflow in 2003 on Windows: collect three gems
  52. Exploiting stack overflow in 2013 with ASLR + DEP: you have 3 ammo left
  53. ASLR + DEP bypass: Metasploit windows/browser/ms13_037_svg_dashstyle demo
     Scenario 1. Disable ASLR, exploit fixed addresses
     Scenario 2. Enable ASLR, exploit is not working
     Scenario 3. Java 1.6 ROP with non-ASLR module works
     Scenario 4. ASLR with the original information leak exploit
     Scenario 5. EMET heapspray only blocks the exploit
  54. What to do if I'm a user?
     - Remove Java
     - If you use Windows: upgrade to the latest OS; use the latest browser (Chrome/IE); if you can't upgrade, use EMET
     - If you use Linux: upgrade to the latest OS; use the latest browser (Chrome)
     - If you use OS X: upgrade to the latest OS; use the latest browser (Safari/Chrome)
     - Upgrade your software
  55. What to do if I'm a CISO?
     - Remove Java, at least in the browsers used for Internet browsing
     - If you use Windows: upgrade to the latest OS; if you can't upgrade, use EMET from GPO (Group Policy)
     - Install Microsoft and 3rd party patches
  56. What to do if I'm a developer?
     - Remove Java, at least in the browsers used for Internet browsing
     - Learn secure application development
     - Use the switches in Visual Studio: /GS (VS 2002), /SafeSEH (VS 2003), /DynamicBase (VS 2005), /NXCompat (VS 2005), /HIGHENTROPYVA (VS 2012), #define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES 1 (VS 2005)
     - BinScope
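An added example, not from the talk and not BinScope itself: a small check of the PE header bits that /DynamicBase, /NXCompat and /HIGHENTROPYVA set, so a defender can confirm a shipped binary actually opted in to ASLR and DEP. The flag values are the IMAGE_DLLCHARACTERISTICS_* constants of the PE/COFF format; the sample image is constructed inline and is not a real binary. /SafeSEH is recorded in the Load Config directory rather than in this field, so it is not covered here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF spec) set by the VS switches. */
#define DLLCHAR_HIGH_ENTROPY_VA 0x0020u   /* /HIGHENTROPYVA */
#define DLLCHAR_DYNAMIC_BASE    0x0040u   /* /DynamicBase  */
#define DLLCHAR_NX_COMPAT       0x0100u   /* /NXCompat     */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Returns the DllCharacteristics field of a PE image held in memory, or -1 if
 * the headers are malformed or truncated. Every offset is bounds-checked before
 * it is read, so a clipped file cannot push the parser off the end of 'img'. */
long pe_dll_characteristics(const uint8_t *img, size_t len)
{
    if (len < 0x40 || rd16(img) != 0x5A4D)              /* "MZ" DOS header */
        return -1;
    uint32_t pe = rd32(img + 0x3C);                     /* e_lfanew */
    if (pe > len - 4 || memcmp(img + pe, "PE\0\0", 4) != 0)
        return -1;
    size_t opt = (size_t)pe + 4 + 20;                   /* skip COFF header */
    if (opt + 72 > len)                                 /* Magic .. DllChar */
        return -1;
    uint16_t magic = rd16(img + opt);
    if (magic != 0x10B && magic != 0x20B)               /* PE32 / PE32+ */
        return -1;
    return rd16(img + opt + 70);   /* DllCharacteristics: same offset in both */
}

/* Constructed sample: MZ stub, e_lfanew = 0x40, PE32+ optional header with
 * DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA (0x0160). Not a real binary. */
static uint8_t g_img[0x40 + 4 + 20 + 72];
const uint8_t *sample_image(size_t *len)
{
    memset(g_img, 0, sizeof g_img);
    g_img[0] = 'M'; g_img[1] = 'Z';
    g_img[0x3C] = 0x40;
    memcpy(g_img + 0x40, "PE\0\0", 4);
    g_img[0x58] = 0x0B; g_img[0x59] = 0x02;             /* Magic 0x20B */
    g_img[0x58 + 70] = 0x60; g_img[0x58 + 71] = 0x01;   /* 0x0160 */
    *len = sizeof g_img;
    return g_img;
}

/* 1 if the sample opted in to ASLR, DEP and high-entropy ASLR, else 0. */
int sample_image_is_hardened(void)
{
    size_t n;
    const uint8_t *p = sample_image(&n);
    long dc = pe_dll_characteristics(p, n);
    unsigned want = DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT | DLLCHAR_HIGH_ENTROPY_VA;
    return dc >= 0 && ((unsigned)dc & want) == want;
}
```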
  57. What to do if I'm working for the Chinese government running vulnerable Poison Ivy servers? Develop your own backdoor client/server (for details see the previous slide); until it is finished, use EMET
  58. Lessons learned
     - Always use ASLR (Always On, 64 bit) + DEP (Always On) together, + EMET for additional protection
     - Number of working IE9 (2011 March) exploits in Metasploit: with Java 6 - 1; without Java 6 - 1
     - Number of working IE10 exploits in Metasploit: 0
     - Number of Java 7 (2011 July) exploits in Metasploit: 16
     - The price for a zero day memory corruption exploit is getting higher and higher
