nullcon 2011 - Reversing Microsoft patches to reveal vulnerable code


Reversing Microsoft patches to reveal vulnerable code, by Harsimran Walia



  1. Reversing Microsoft Patches to reveal Vulnerable code
     Harsimran Walia
  3. Introduction
     • Birth of a security patch
       - Finding a 0day vulnerability
       - Vulnerability reaches the vendor
       - Vendor finds a fix
       - Releases a patch to fix the vulnerability
     • Discussion in the presentation
       - Microsoft patches
       - Reverse engineer the patch
       - Locate the vulnerability patched
       - Highlight the difficulties
  4. Introduction
     • For reversing and obtaining the binary difference in my demos I would be using DarunGrim2
     • How does DarunGrim work? The schema of DarunGrim is shown in the figure
     • To generate diffing results:
       - Binaries are disassembled in IDA Pro in the background and the DarunGrim IDA plugin is run, which creates the SQLite database
       - Diffing Engine, the heart of DarunGrim2: the SQLite DB from IDA and the binaries from the GUI are fed into this engine as inputs
  5. Introduction: Algorithm?
     • The main algorithm of DarunGrim is the basic block fingerprint hash map
     • Each basic block is one entity whose fingerprint is generated from its instruction sequence
     • The fingerprint hash is generated by IDA Pro
     • Two fingerprint hash tables, one each for the unpatched and the patched binary
     • To find the binary difference, each unique fingerprint from the original binary is searched against the fingerprints of the patched binary for a match
     • All fingerprints in the original binary's hash table end up either matched or unmatched
  6. Introduction: Algorithm? Contd.
     • For a function to be called matching, all the basic blocks in the function should match
     • For unmatched functions DarunGrim calculates a percentage match
     • The match rate is based on fingerprint string matching
     • Similar to the GNU diff algorithm, which finds the longest common subsequence
  7. Introduction: Vulnerability vs exploit based signatures
     • Exploit signatures
       - Created using byte string patterns or regular expressions
       - These are exploit specific
       - Used widely, mainly because of the ease of their creation
       - Cater to only one type of input satisfying the vulnerability condition
       - Fail: different attacks can exploit the same vulnerability, so exploit based signatures will fail
       - For example, an exploit based signature: ESig = "docx?AAAAAAAAAAA..."
       - It will fail if some exploit uses a long string of B's instead of A's
  8. Introduction: Vulnerability vs exploit based signatures
     • Vulnerability signatures
       - Based on the properties of the vulnerability and not on the properties of the exploit
       - A superset of all the inputs satisfying a particular vulnerability condition
       - For example, a vulnerability based signature for the previous case: VSig = MATCH_STR(Buffer, "docx?(.*)$", limit)
       - Matches the string in the buffer against the regex
       - Effective against any alphabet, unlike the exploit signature
     (Figure: Vulnerability Signature / Exploit Signature)
  9. Introduction: Vulnerability vs exploit based signatures
     • Vulnerability signatures contd.
     • For a good vulnerability signature:
       - It should strictly not allow any false negatives, as even one exploit can pwn the system and create a gateway for the attacker into the network
       - It should allow very few false positives, as too many false positives may lead to a DoS attack on the system
       - The signature matching time should not create a considerable delay for the software and services
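Added example (not from the slides or the author): the ESig/VSig comparison from slides 7 and 8 run over constructed inputs in Python. It treats "docx?" as a literal five-byte marker and reads MATCH_STR(Buffer, "docx?(.*)$", limit) as "match the regex and flag the input when the data captured after the marker is longer than limit"; the marker, the limit of 256 and the sample inputs are assumptions, not values from the talk.

```python
import re

# Constructed inputs. The hypothetical vulnerability is a fixed-size copy of
# whatever follows the "docx?" marker; LIMIT is the assumed buffer size.
LIMIT = 256
SAMPLES = {
    "benign":    b"docx?report-2011.docx",
    "exploit_A": b"docx?" + b"A" * 1024,   # the one exploit ESig was written from
    "exploit_B": b"docx?" + b"B" * 1024,   # same vulnerability, different filler
}

def exploit_signature(buf):
    """ESig from the slides: a literal byte pattern lifted from one exploit."""
    return (b"docx?" + b"A" * 11) in buf

def vulnerability_signature(buf, limit=LIMIT):
    """VSig from the slides, MATCH_STR(Buffer, "docx?(.*)$", limit), read here
    as: match the regex and flag the input when the captured data after the
    marker is longer than the buffer limit, whatever bytes it is made of."""
    m = re.search(rb"docx\?(.*)$", buf, re.DOTALL)
    return m is not None and len(m.group(1)) > limit

def evaluate(samples=SAMPLES):
    """Run both signatures over the samples: {name: (esig_hit, vsig_hit)}."""
    return {name: (exploit_signature(buf), vulnerability_signature(buf))
            for name, buf in samples.items()}

if __name__ == "__main__":
    # ESig misses exploit_B; VSig catches both exploits and leaves benign alone.
    for name, (esig, vsig) in evaluate().items():
        print(f"{name:10s} ESig={str(esig):5s} VSig={vsig}")
```

The limit is what keeps VSig's false-positive rate down: a benign document with a short name after the marker is not flagged, while any filler longer than the buffer is, regardless of alphabet.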
  10. Need
      • The first step of creating an undisclosed exploit is to find the vulnerability to exploit
      • To verify that the patch released by Microsoft works as it is designed to
      • To create vulnerability based signatures
  11. Process
  12. Process: Finding patches
      • Pick a vulnerability and download its patch
      • Pick a vulnerability just before this one that patched the same program or DLL
      • If unavailable, use the same DLL from your system
      • Problem: GDR or QFE/LDR?? File versioning
      • Quick-fix: use the open source ms-patch-tools to easily get the file versions to compare
  13. Process: Finding patches - DEMO
  14. Process: Extraction of files
      • The traditional way of extracting files from a patch: <patchfilename>.exe /x
      • Works only up to Windows XP and earlier versions of Windows
      • Problem: the above method cannot be used on Win7 and Vista patches, which are delivered as .msu
      • Solution: use the expand command
          expand -F:* <Saved_MSU_File_Name>.msu C:\<Folder_to_extract_in>
          expand -F:* <Saved_MSU_File_Name>.cab C:\<Folder_to_extract_in>
  15. Process: Extraction of files - DEMO
  16. Process: Binary Differencing
      • DarunGrim v2 used for the binary difference
      • Feed in the two binaries to be compared
      • Generates a list of functions with the percentage match between the two files
      • Problem: not every function with a percentage match below 100 is actually changed
      • Includes false positives, which require manual analysis
  17. Process: Binary Differencing - DEMO
  18. Process: Differencing Analysis
      • Manual inspection of functions with less than 100% match
      • Remove false positives generated by problems like:
        - Instruction reordering: a lot of reordering over different releases marks even the same blocks as unmatched
        - Split blocks: a block in the graph which has only one parent, where that parent has only one child, is a split block, and it causes a problem in the matching process. This can be improved by merging the two blocks and treating them as a single block.
  19. Process: Differencing Analysis contd.
      • Hot patching: instructions like mov eax, eax at the start of functions are a sign of hot patching, leading to a mismatch in the block. By just ignoring the instruction we can get a match.
      • Compiler optimizations: different compilers, and even different versions of the same compiler, perform different optimizations, which also creates problems in getting a proper difference
      • Eventually we reach a function which is indeed modified and might be the fix to the vulnerability being patched
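Added example (not DarunGrim's code): a small Python model of the basic-block fingerprint matching from slides 5 and 6, with the hot-patch normalisation from slide 19 applied first (a self-move at function entry is dropped before fingerprinting, so it no longer turns the first block into a false mismatch). The two sample functions and their labels are constructed, and the percentage match is a longest-common-subsequence ratio over the two fingerprint sequences, a simplification of DarunGrim's own match rate.

```python
import hashlib

# Constructed sample: one function before and after a patch, as a list of
# basic blocks (each a list of instruction strings). The patched build gained
# a hot-patch prologue ("mov edi, edi") and one extra block holding a check.
ORIG = [
    ["push ebp", "mov ebp, esp", "push [ebp+8]", "call sub_118000C"],
    ["test eax, eax", "jge short loc_ok"],
    ["pop ebp", "ret"],
]
PATCHED = [
    ["mov edi, edi", "push ebp", "mov ebp, esp", "push [ebp+8]", "call sub_118000C"],
    ["test eax, eax", "jge short loc_ok"],
    ["cmp eax, [ebp+0Ch]", "ja short loc_fail"],  # the added check
    ["pop ebp", "ret"],
]

def fingerprint(block):
    """Fingerprint of one basic block: a hash over its instruction sequence."""
    return hashlib.sha1("\n".join(block).encode()).hexdigest()[:12]

def strip_hotpatch(blocks):
    """Drop a self-move such as 'mov edi, edi' at function entry so that the
    hot-patch prologue alone does not turn the first block into a mismatch."""
    first = blocks[0] if blocks else []
    if first and first[0].startswith("mov "):
        dst, _, src = first[0][4:].partition(",")
        if dst.strip() == src.strip():
            return [first[1:]] + blocks[1:]
    return blocks

def lcs_len(a, b):
    """Longest common subsequence length, the measure GNU diff is built on."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[-1]))
        prev = cur
    return prev[-1]

def match_functions(orig, patched, ignore_hotpatch=True):
    """Return (all_blocks_matched, percent_match, unmatched_orig_block_ids)."""
    if ignore_hotpatch:
        orig, patched = strip_hotpatch(orig), strip_hotpatch(patched)
    fa = [fingerprint(b) for b in orig]      # original binary's table
    fb = [fingerprint(b) for b in patched]   # patched binary's table
    unmatched = [i for i, f in enumerate(fa) if f not in fb]
    if not unmatched and len(fa) == len(fb):
        return True, 100.0, unmatched
    percent = round(200.0 * lcs_len(fa, fb) / (len(fa) + len(fb)), 1)
    return False, percent, unmatched
```

With ignore_hotpatch=False the first block is reported as unmatched purely because of the prologue and the match rate drops; with the normalisation on, the only difference left is the genuinely added block, which is the one worth inspecting manually.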
  20. Process: Differencing Analysis - DEMO
  21. Process: Differencing Analysis (the two disassembly listings shown on the slide)

      First listing:
        push    [ebp-2Ch]        ; unsigned int
        call    ??2@YAPAXI@Z     ; operator new(uint)
        mov     ebx, eax
        pop     ecx
        mov     [ebp-18h], ebx
        mov     [ebp-3Ch], ebx
        mov     byte ptr [ebp-4], 1
        push    dword ptr [ebp-2Ch]
        mov     ecx, esi
        push    ebx
        push    [ebp-30h]
        call    sub_118000C      ; func(const *,void *,long)
        mov     edi, eax
        test    edi, edi
        jge     short

      Second listing:
        push    [ebp-2Ch]        ; unsigned int
        call    ??2@YAPAXI@Z     ; operator new(uint)
        pop     ecx
        mov     [ebp-14h], eax   ; ebp-14h = pBuffer
        mov     [ebp-40h], eax
        mov     byte ptr [ebp-4], 2
        push    [ebp-2Ch]
        mov     ecx, esi
        push    ebx
        push    edi
        call    sub_118000C      ; func(const *,void *,long)
        mov     esi, eax
        test    esi, esi
        jge     short loc_118158A
  22. Process: Debugging
      • To validate the finding of our analysis by debugging
      • Getting a crash of the application
      • Creating a malformed file to get the crash
      • Would be using Immunity Debugger
  23. Process: Debugging - DEMO
  24. Conclusion
      • Presented an overview of how 1-day exploits and vulnerability signatures can be created
      • An attempt was made to understand the process involved in reversing and the problems faced during the execution of the process
      • Only talked about Microsoft patches, but the concept is not limited to these
      • The concepts presented can be perfected by the interested audience
  25. Thanks. Questions??