-
Be the first to like this
Upcoming SlideShare
Positive Hack Days. Тараканов. Мастер-класс: уязвимости нулевого дня
- 1. Мастер-класс: уязвимости нулевого дня <br />Никита Тараканов CISS RT<br />
- 2. Типы уязвимостей<br />Stack-based buffer overflow<br />Heap/Pool overflow<br />Integer overflow/underflow/wrap<br />Various memory corruptions<br />Use-after-free<br />Double free<br />
- 3. Stack-based buffer overflow<br />Smashing data on stack<br />EIP control, not only (ebp) – off-by-one<br />1st surprise – Morris’s worm (1988)<br />A lot of such vulns in 90-ties<br />
- 4. Stack-based buffer overflowFirst steps to security<br />Noexecutable stack(PAX firstly)<br />
- 5. Stack-based buffer overflowresearchers answer<br />Ret2libc technique<br />
- 6. Stack-based buffer overflowNext defense enhancements<br />Stack cookie aka canary dword(/GS cl.exe flag)<br />Before ret(n) from function, check canary with value on stack<br />Equality – normal control flow<br />Inequality – TerminateProcess()<br />
- 7. Stack-based buffer overflowresearchers answer<br />/GS doesn’t set cookie sometimes(ANI sploit)<br />SEH chain overwriting– overwrite exception handler and trigger exception<br />
- 8. Next Security Enhancement- DEP<br />Introduced in Windows XP SP2<br />Kill process if EIP is in non-executable memory area<br />First realization has two modes: software(emulation), hardware(NX bit)<br />
- 9. Avoiding DEP<br />Non-permanent DEP – disable by ret2libc<br />Permanent DEP – main idea is to create RWX section and jump there<br />Tricky(non true way) methods: ActionScriptByteCodeSpraing, .Net, Java<br />ROP – actually not new, just upgrade of ret2libc: malloc(RWX), memcpy(shellcode),jmp to shellcode<br />
- 10. Next Security Enhancement - ASLR<br />After successfully hacking DEP technology, it’s clear that DEP doesn’t actually help security<br />ASLR – each boot randomize base address of each* module<br />But, to enable it, you should compile with that compiler key<br />Reduce successful explotation to 1/256(first realization) next realization got better entropy<br />
- 11. ASLR+DEP<br />So how to write reliable exploit ???<br />Tricky(not true way) – just find non-ASLR module(JRE, mscorie.dll and lot more…)<br />True way – just use other vulnerability(memory leak)<br />Not over yet!!! - just avoid everything – LoadLibraryvulns(aka Binary Planting)<br />
- 12. ASLR+DEP Avoiding examples<br />CVE-2010-3654 FlashPlayerActionScript Type Confusion<br />Integer overflow in WebGLArray(chrome)<br />Libxslt generate-id heap chunk address leak<br />Not over yet!!! - just avoid everything – LoadLibraryvulns(aka Binary Planting)<br />
- 13. Tuesday Patch Day – The Art of Binary Diffing<br />DarunGrim<br />turbodiff<br />patchdiff<br />BinDiff<br />
- 14. Tuesday Patch Day – The Art of Binary Diffing<br />DarunGrim<br />turbodiff<br />patchdiff<br />BinDiff<br />
- 15. Example: ms11-002<br />Integer overflow somewhere….<br />Unknown impact???<br />
Be the first to comment