Binary vulnerability

       Alex Bazhanyuk, @Abazhanyuk


“RE” school, DefCon-UA, 2012
vulnerability
●   Binary, logic, web
●   Why are vulnerabilities so interesting?
●   Why do we need to patch our OS? (MIT project)
●   Math models for vulnerabilities
●   Languages without vulnerabilities




                                                2
Metrics
●   CVSS
●   LPE/RCE
●   User/Kernel space
●   Probability (0-100%)




                               3
Identifier
●   CVE (http://cve.mitre.org/cve/cve.html)
●   SA (http://secunia.com/advisories/search)
●   VUPEN (http://www.vupen.com/english/security-advisories/)

●   Vendors




                                                               4
Web vulnerabilities (not covered here)
●   Cross Site Scripting (XSS)
●   Injection Flaws (SQLi)
●   Malicious File Execution (RFI)
●   Insecure Direct Object Reference
●   Cross Site Request Forgery (CSRF)
●   Information Leakage and Improper Error Handling
●   Broken Authentication and Session Management
●   Failure to Restrict URL Access


                                                      5
Logic vulnerabilities
●   int rand() { return 4; }
●   The client decides whether authorization succeeded or not


●   [Ch-ch-ch-ch-ching!!! $60,000] [117226] [117230] Critical CVE-2011-3046:
    UXSS and bad history navigation. Credit to Sergey Glazunov.


●   GNU C library dynamic linker $ORIGIN expansion vulnerability
    (Tavis Ormandy).




                                                                               6
Binary vulnerabilities




                         7
Exploiting
    1) overwrite (corrupt memory)
    2) transfer of control
●   Bypass:
    - DEP/ASLR/SafeSEH/SEHOP
    - heap spray vs. Nozzle/BuBBle (heap-spray detectors)
    - sandbox
    - NULL-page (NPD) protection
    - ROP mitigations in Win8
●   No protection at all:
    - SCADA
    - embedded
    - network devices
                                            8
Generic / not generic
●   Generic – the attacker corrupts heap structures (allocator meta-data); works the same against any application using that allocator.
●   Not generic – the attacker corrupts application object data; specific to the target.




                                                    9
meta-data / data-data
●   Meta-data = headers, checksums, ...
●   Data-data = user data (the payload).
●   ~95% of bugs are in meta-data processing
●   ~5% of bugs are in user-data processing
                                       10
Level vulnerabilities




                        11
overflow
●   Stack
●   Heap (pool)
●   Integer




                             12
Example stack overflow
#include <string.h>

void foo (char *bar)
{
  char c[12];

    strcpy(c, bar); // no bounds checking: more than 11 characters overrun c[]
}

int main (int argc, char **argv)
{
  if (argc < 2)
    return 1;
  foo(argv[1]);
  return 0;
}
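The same copy with a bound, as an added example that is not part of the original slides: the slide's foo() beside a foo_fixed() that measures first, refuses anything that does not fit with its terminator, and only then copies. C_SIZE and foo_fixed are names chosen for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>

#define C_SIZE 12

/* Vulnerable form from the slide: strcpy() stops only at the NUL of the source,
   so anything longer than 11 characters runs off the end of c[] into the saved
   frame pointer and return address. Not called from main() below on purpose. */
void foo(const char *bar)
{
    char c[C_SIZE];
    strcpy(c, bar);                    /* no bounds checking */
    (void)c;
}

/* Hardened form. strnlen() never looks past C_SIZE bytes, so an unterminated
   source cannot run away either. Returns 0 on success, -1 when rejected. */
int foo_fixed(const char *bar)
{
    char c[C_SIZE];
    size_t n = strnlen(bar, C_SIZE);
    if (n >= C_SIZE)                   /* 12 or more: no room for the NUL */
        return -1;
    memcpy(c, bar, n + 1);             /* copies the terminator too */
    return strlen(c) == n ? 0 : -1;    /* sanity: still a proper C string */
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (foo_fixed(argv[1]) != 0) {
        fprintf(stderr, "rejected: input longer than %d characters\n", C_SIZE - 1);
        return 1;
    }
    puts("ok");
    return 0;
}
```

Note that strncpy(c, bar, sizeof c) alone would not be a fix: when the source is 12 characters or longer it leaves c[] without a terminator, and the next strlen() or printf("%s") on it reads past the buffer.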




                                               13
Example heap overflow
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <string.h>
#define BUFSIZE 16
#define OVERSIZE 8 /* overflow buf2 by OVERSIZE bytes */
int main(){
  u_long diff;
  char *buf1 = (char *) malloc(BUFSIZE), *buf2 = (char *) malloc(BUFSIZE);
  diff = (u_long) buf2 - (u_long) buf1;
  printf("buf1 = %p, buf2 = %p, diff = 0x%lx bytes\n", buf1, buf2, diff);
  memset(buf2, 'A', BUFSIZE - 1), buf2[BUFSIZE - 1] = '\0';
  printf("before overflow: buf2 = %s\n", buf2);
  /* writes diff + OVERSIZE bytes from buf1: past the end of buf1, across the
     allocator's chunk header, and OVERSIZE bytes into buf2 */
  memset(buf1, 'B', (u_int) (diff + OVERSIZE));
  printf("after overflow: buf2 = %s\n", buf2);
  return 0;
}


                                                                           16
Result of example
./heap
buf1 = 0x804e000, buf2 = 0x804eff0, diff = 0xff0 bytes
before overflow: buf2 = AAAAAAAAAAAAAAA
after overflow: buf2 = BBBBBBBBAAAAAAA
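The same overflow replayed inside a toy allocator, as an added example that is not part of the original slides. With the real malloc() the distance between buf1 and buf2 (and what sits in between) depends on the allocator, so here both chunks are carved out of one static arena with a small in-band header in front of each. That makes the earlier "generic / not generic" and "meta-data / data-data" distinctions concrete: a short overrun clobbers only the next chunk's header (meta-data, what a generic heap exploit targets), a longer one also reaches buf2's own bytes (data-data). The arena, chunk_hdr, HDR_MAGIC and the toy_* functions are constructions of this example, not any real allocator's layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE 256
#define HDR_MAGIC  0xC0DE
#define BUFSIZE    16

struct chunk_hdr {          /* meta-data in the slide's sense */
    uint16_t magic;         /* sanity tag */
    uint16_t size;          /* user size of the chunk that follows */
};

static uint8_t arena[ARENA_SIZE];
static size_t  arena_top;

static void toy_reset(void)
{
    memset(arena, 0, sizeof arena);
    arena_top = 0;
}

/* Bump allocator: header, then the user bytes, back to back. */
static void *toy_alloc(uint16_t size)
{
    size_t need = sizeof(struct chunk_hdr) + size;
    if (arena_top + need > ARENA_SIZE) return NULL;
    struct chunk_hdr *h = (struct chunk_hdr *)(arena + arena_top);
    h->magic = HDR_MAGIC;
    h->size  = size;
    arena_top += need;
    return (uint8_t *)h + sizeof(struct chunk_hdr);   /* data-data starts here */
}

/* The consistency check a hardened allocator runs before trusting a header
   (glibc's "corrupted size" / "invalid pointer" aborts are the same idea). */
static int toy_header_ok(const void *user_ptr)
{
    const struct chunk_hdr *h =
        (const struct chunk_hdr *)((const uint8_t *)user_ptr - sizeof(struct chunk_hdr));
    return h->magic == HDR_MAGIC && h->size <= ARENA_SIZE;
}

/* Replays the slide's scenario: buf1 is overrun by `oversize` bytes past its end. */
static char   last_buf2[BUFSIZE];
static int    last_header_ok;
static size_t last_diff;

static void run_overflow(size_t oversize)
{
    toy_reset();
    char *buf1 = toy_alloc(BUFSIZE);
    char *buf2 = toy_alloc(BUFSIZE);
    last_diff = (size_t)(buf2 - buf1);            /* BUFSIZE + header = 20 */

    memset(buf2, 'A', BUFSIZE - 1);
    buf2[BUFSIZE - 1] = '\0';

    memset(buf1, 'B', BUFSIZE + oversize);        /* the bug: writes past buf1 */

    last_header_ok = toy_header_ok(buf2);         /* generic: was meta-data hit? */
    memcpy(last_buf2, buf2, BUFSIZE);             /* not generic: was data hit? */
    last_buf2[BUFSIZE - 1] = '\0';
}

/* Accessors, so a scenario can be checked without parsing printed output. */
int         overflow_header_intact(size_t oversize) { run_overflow(oversize); return last_header_ok; }
const char *overflow_buf2_contents(size_t oversize) { run_overflow(oversize); return last_buf2; }
size_t      overflow_chunk_distance(void)           { run_overflow(0);        return last_diff; }

int main(void)
{
    size_t cases[] = { 0, 2, 4, 8 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        run_overflow(cases[i]);
        printf("oversize=%zu  header %s  buf2=\"%s\"\n", cases[i],
               last_header_ok ? "intact   " : "CORRUPTED", last_buf2);
    }
    return 0;
}
```

With oversize 8 the run reproduces the slide's "BBBB..." prefix in buf2, but the header check already fails at oversize 2: the allocator's meta-data is the first thing an overrun reaches, which is why the talk puts most bugs, and most generic exploitation techniques, there.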




                                                   17
Overflow in disasm
●   rep movsb
●   rep movsd
●   mov in a loop




                                  18
Integer overflow




                   19
Integer overflow
Integer overflow -> heap or stack overflow (the wrapped value feeds an allocation size, a copy length or an index)
Integer overflow != vulnerability by itself




                                             20
Example integer overflow
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void setUserStatusAdmin(int admin); /* defined elsewhere */

int main(int argc, char **argv) {
  char chLogin[100];
  char chPassword[100];
  int intPasswordLength;
  int i;
  strcpy(chLogin, argv[1]);          /* unbounded copies: overflows in their own right */
  strcpy(chPassword, argv[2]);
  intPasswordLength = atoi(argv[3]); /* attacker-controlled, no upper bound */
  int admin = 0;
  char chOriginalPassword[100] = "administrator";
  if (intPasswordLength < 1) intPasswordLength = 0;
  intPasswordLength++;               /* INT_MAX + 1 wraps to INT_MIN */
  if (strcmp(chLogin, "admin") == 0) {
    admin = 1;
    for (i = 0; i <= intPasswordLength; i++) /* zero iterations once the length went negative */
      if (chPassword[i] != chOriginalPassword[i])
        admin = 0;
  }
  setUserStatusAdmin(admin);
  return 0;
}



                                                 21
Result of example
intPasswordLength = 2147483647 (0x7FFFFFFF, INT_MAX)

2147483647 (0x7FFFFFFF) + 1 =
not 2147483648, but -2147483648 (0x80000000): the loop never runs, admin stays 1.
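The check from the slide beside a hardened version, as an added example that is not part of the original slides. vulnerable_admin_check() models the slide's logic; because signed overflow is undefined behaviour in C, the two's-complement wrap the slide relies on is reproduced explicitly through unsigned arithmetic, and the loop is clamped to the 100-byte buffers so the model itself cannot read out of bounds. hardened_admin_check() parses the length strictly, range-checks it before any arithmetic, requires it to match the data, and compares without early exit. Function names and BUFLEN are chosen for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define BUFLEN 100
static const char original_password[] = "administrator";

/* Model of the slide's check (see lead-in for the two deliberate deviations). */
int vulnerable_admin_check(const char *password, int requested_len)
{
    char chPassword[BUFLEN] = {0};
    char chOriginalPassword[BUFLEN] = {0};
    int admin = 1;
    strncpy(chPassword, password, BUFLEN - 1);
    strncpy(chOriginalPassword, original_password, BUFLEN - 1);

    if (requested_len < 1) requested_len = 0;
    requested_len = (int)((unsigned)requested_len + 1u);    /* INT_MAX -> INT_MIN */

    for (int i = 0; i <= requested_len && i < BUFLEN; i++)   /* zero iterations once negative */
        if (chPassword[i] != chOriginalPassword[i])
            admin = 0;
    return admin;                                            /* still 1 after the wrap */
}

/* Hardened check. */
int hardened_admin_check(const char *password, const char *len_str)
{
    const size_t original_len = sizeof original_password - 1;
    char *end = NULL;
    errno = 0;
    long requested = strtol(len_str, &end, 10);
    if (errno != 0 || end == len_str || *end != '\0')
        return 0;                                   /* not a clean decimal integer */
    if (requested < 1 || requested >= BUFLEN)
        return 0;                                   /* outside what the buffers can hold */
    if (strnlen(password, BUFLEN) != (size_t)requested)
        return 0;                                   /* length claim disagrees with the data */
    if ((size_t)requested != original_len)
        return 0;

    unsigned char diff = 0;                         /* constant-time comparison */
    for (size_t i = 0; i < original_len; i++)
        diff |= (unsigned char)(password[i] ^ original_password[i]);
    return diff == 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <password> <length>\n", argv[0]);
        return 1;
    }
    printf("vulnerable: admin=%d\n", vulnerable_admin_check(argv[1], atoi(argv[2])));
    printf("hardened:   admin=%d\n", hardened_admin_check(argv[1], argv[2]));
    return 0;
}
```

Run with `administrator 13` both checks grant admin; with `x 2147483647` only the vulnerable one does. The fix is not the arithmetic itself but the order: range-check the untrusted integer first, then do arithmetic on a value known to be small, then use it.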




                                             22
Pointer vulnerability
●   Heap/JIT spray
●   NPD in user space: 1) overwrite the SEH handler 2) dereference through a controlled offset, [eax+offset]




                                                                    23
Example NPD (eax = 0 at the `call eax` below: an indirect call through a NULL function pointer)
Registers:
eax=00000000 ebx=0000003b ecx=0be0f1c0 edx=00000000 esi=0be0f1c0 edi=0bfa3058
eip=6a606e58 esp=02333000 ebp=0233300c iopl=0          nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000                efl=00010202


Code disassembly:
 6A606E48 |     80cc04 | or ah, 0x4
 6A606E4B |         0000 | add [eax], al
 6A606E4D |     8d4dff | lea ecx, [ebp-0x1]
 6A606E50 |          51 | push ecx
 6A606E51 |          52 | push edx
 6A606E52 |         8bce | mov ecx, esi
 6A606E54 |   c645ff00 | mov byte [ebp-0x1], 0x0
 6A606E58 |         ffd0 | call eax
 6A606E5A |    807dff00 | cmp byte [ebp-0x1], 0x0
 6A606E5E |         750c | jnz mshtml!createhtmlpropertypage+0x31ec1
 6A606E60 |         8b16 | mov edx, [esi]
 6A606E62 | 8b82c8040000 | mov eax, [edx+0x4c8]

                                                                                 24
Use after free
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=008a0000 ebx=0011ff7c ecx=00000000 edx=00000000 esi=00c12408 edi=05b71000
eip=6bdff979 esp=0011fee8 ebp=0011ff88 iopl=0        nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000                  efl=00010246
Shared\OFFICE14\MSPTLS.DLL -
MSPTLS!LssbFIsSublineEmpty+0x2fdb9:
6bdff979 ff943888020000 call dword ptr <Unloaded_0.DLL>+0x287 (00000288)[eax+edi] ds:0023:06411288=????????
0:000> K
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0011ff88 6bdce474 MSPTLS!LssbFIsSublineEmpty+0x2fdb9
0011ffb4 3179dc17 MSPTLS!LsQueryLineCpPpoint+0xb0
0011ffe0 3179dbad wwlib!GetAllocCounters+0xb6e4f
00120010 319a2cf4 wwlib!GetAllocCounters+0xb6de5
0012003c 319a2875 wwlib!DllGetLCID+0xc52fe
001200bc 31a94d48 wwlib!DllGetLCID+0xc4e7f
001204ec 31a9a05d wwlib!DllGetLCID+0x1b7352
0012052c 31a9aab5 wwlib!DllGetLCID+0x1bc667
0012064c 31785b8c wwlib!DllGetLCID+0x1bd0bf
001207a0 3176fab7 wwlib!GetAllocCounters+0x9edc4
001207c4 3176f1e5 wwlib!GetAllocCounters+0x88cef
00120808 3176b644 wwlib!GetAllocCounters+0x8841d
00120834 317691e4 wwlib!GetAllocCounters+0x8487c
00120890 31769016 wwlib!GetAllocCounters+0x8241c
001209b0 31768f9a wwlib!GetAllocCounters+0x8224e
001209d4 317642cd wwlib!GetAllocCounters+0x821d2
00120ad4 31761e22 wwlib!GetAllocCounters+0x7d505
00120afc 31761deb wwlib!GetAllocCounters+0x7b05a
00120d64 31732d59 wwlib!GetAllocCounters+0x7b023
001212b4 31926f9a wwlib!GetAllocCounters+0x4bf91

                                                                                                              25
Race condition
#include <windows.h>
#include <winternl.h>
#include <conio.h>
#include <stdio.h>

/* ZwOpenKey is not in the import libraries; resolve it from ntdll at run time. */
typedef NTSTATUS (NTAPI _ZwOpenKey)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
static _ZwOpenKey *ZwOpenKey;
static HANDLE hStartEvent, hStopEvent;

/* Attacker thread: keeps rewriting the Buffer pointer inside the UNICODE_STRING
   that the kernel reads from user memory, racing the copy-in done during ZwOpenKey. */
DWORD WINAPI Crack(LPVOID Context)
{
    POBJECT_ATTRIBUTES oa = (POBJECT_ATTRIBUTES) Context;
    DWORD *ptr = (DWORD*)&oa->ObjectName->Buffer;

    SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST);
    SetEvent(hStartEvent);

    while ( true ) {
        *ptr = 0x90909090;   /* bogus pointer: a kernel path that re-reads it after validation would fault */
        if ( WaitForSingleObject(hStopEvent, 1) == WAIT_OBJECT_0 ) break;
    }
    return 0;
}

int wmain(int argc, wchar_t *argv[])
{
    ZwOpenKey = (_ZwOpenKey *) GetProcAddress(GetModuleHandle(L"ntdll.dll"), "ZwOpenKey");
    hStartEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
    hStopEvent  = CreateEvent(NULL, TRUE, FALSE, NULL);

    OBJECT_ATTRIBUTES oa;
    wchar_t wcKeyName[] = L"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\DrWatson";
    UNICODE_STRING KeyName = {
        sizeof wcKeyName - sizeof wcKeyName[0],   /* Length in bytes, without the terminator */
        sizeof wcKeyName,                         /* MaximumLength */
        wcKeyName
    };
    InitializeObjectAttributes(&oa, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    DWORD ThreadId;
    HANDLE hThread = CreateThread(NULL, 0, Crack, &oa, 0, &ThreadId);
    WaitForSingleObject(hStartEvent, INFINITE);

    /* Victim loop: every ZwOpenKey call reads oa.ObjectName->Buffer while Crack rewrites it. */
    while ( !_kbhit() ) {
        HANDLE hKey;
        NTSTATUS rc = ZwOpenKey(&hKey, STANDARD_RIGHTS_READ, &oa);
        if ( !NT_SUCCESS(rc) )
            printf("Error: %x\n", rc);
        else
            CloseHandle(hKey);
    }
    SetEvent(hStopEvent);
    WaitForSingleObject(hThread, INFINITE);
    return 0;
}
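What the Crack thread is betting on is a double fetch: the consumer validates a field in shared memory, then reads it again when it uses it. The following is an added example that is not part of the original slides; it models that pattern in portable C and makes the race deterministic by calling a hook between the check and the use, in place of the scheduler switching to the attacker thread at the worst moment. struct request stands in for the OBJECT_ATTRIBUTES/UNICODE_STRING above; MAX_LEN, OUT_SIZE and all function names are chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_LEN  16         /* what the consumer is willing to copy */
#define OUT_SIZE 64         /* real size of the destination in this demo */

/* Shared request block: lives in memory the attacker owns and can rewrite at any time. */
struct request {
    size_t      len;
    const char *buf;
};

/* Called between check and use; models the attacker thread getting scheduled. */
typedef void (*racer_fn)(struct request *);

/* Double fetch: validates r->len, then re-reads r->len for the copy. Returns the
   number of bytes actually copied. n is clamped to OUT_SIZE only so this demo
   stays memory-safe; a kernel copy-in has no such backstop. */
size_t vulnerable_consume(struct request *r, racer_fn racer, unsigned char *out)
{
    if (r->len > MAX_LEN)               /* fetch #1: check */
        return 0;
    if (racer) racer(r);                /* the window */
    size_t n = r->len;                  /* fetch #2: use, may differ from what was checked */
    if (n > OUT_SIZE) n = OUT_SIZE;
    memcpy(out, r->buf, n);
    return n;
}

/* Capture once, validate the captured copy, use only the captured copy. */
size_t safe_consume(struct request *r, racer_fn racer, unsigned char *out)
{
    struct request captured = *r;       /* single fetch of the header */
    if (captured.len > MAX_LEN)
        return 0;
    if (racer) racer(r);                /* attacker still rewrites the shared block... */
    memcpy(out, captured.buf, captured.len);   /* ...but it no longer matters */
    return captured.len;
}

/* Attacker thread body: swap in a bigger length (and payload) after the check. */
static char attacker_payload[48];
void attacker(struct request *r)
{
    memset(attacker_payload, 'B', sizeof attacker_payload);
    r->len = sizeof attacker_payload;
    r->buf = attacker_payload;
}

/* One scenario each; return how many bytes reached `out`. Input is constructed. */
size_t demo_no_race(void)
{
    unsigned char out[OUT_SIZE] = {0};
    struct request r = { 8, "AAAAAAAA" };
    return vulnerable_consume(&r, NULL, out);
}
size_t demo_vulnerable(void)
{
    unsigned char out[OUT_SIZE] = {0};
    struct request r = { 8, "AAAAAAAA" };
    return vulnerable_consume(&r, attacker, out);
}
size_t demo_safe(void)
{
    unsigned char out[OUT_SIZE] = {0};
    struct request r = { 8, "AAAAAAAA" };
    return safe_consume(&r, attacker, out);
}

int main(void)
{
    printf("no race:       %zu bytes copied (limit %d)\n", demo_no_race(), MAX_LEN);
    printf("double fetch:  %zu bytes copied (limit %d)\n", demo_vulnerable(), MAX_LEN);
    printf("capture once:  %zu bytes copied (limit %d)\n", demo_safe(), MAX_LEN);
    return 0;
}
```

Capturing the header is only half of it: if the consumer also validates the bytes that buf points to, those bytes must be copied in before validation as well, since the attacker can change them just as easily as the pointer.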

                                                                                                                                                                 26
RE vs. tester
●   Tester:
    - QA: sits around idle
    - Functional: performance and optimization,
    takes part in the development loop.
●   RE: exceptions, bugs, disassembly and other such mess.




                                                   27
tools
●   Source code:
    - Frama-C
    - Coverity
    - bddbddb
    - Saturn
    - PathFinder
    - CoreDet
    - Coccinelle
    - http://www.checkmycode.org/
●   Binary:
    - static: IDA
    - dynamic:
      1) mutation fuzzer, smart fuzzer
      2) Peach, Sulley
      3) hotfuzz
      4) inmemfuzzer, Fuzzgrind
      5) KLEE
      6) S2E
      7) BitBlaze
      8) BAP
                                                                           28
mutation fuzzer
    Simple mutation fuzzer
    Smart mutation fuzzer

Bugs found this way:
●   Flash: 400 – Tavis Ormandy
●   Adobe Reader: 120 – Charlie Miller




                                         29
COMRaider
From iDefense
Target: ActiveX controls
https://github.com/dzzie/COMRaider




                                     30
Peach, Sulley, hotfuzz
●   Exception monitor (catches the crash)
●   Mutation fuzzer
●   Protocol/format described by a configuration schema (data model)

●   hotfuzz = Peach + Wireshark (tshark)
    http://peachfuzzer.com/
    http://hotfuzz.sourceforge.net/
    https://github.com/OpenRCE/sulley
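The two fuzzer kinds from the "mutation fuzzer" slide and the three ingredients above (exception monitor, mutator, format schema) in one small harness, as an added example that is not part of the original slides or of Peach/Sulley. The target is a constructed TLV parser whose bug is in meta-data handling (it trusts the length byte), the simple fuzzer flips random bits and bytes with a repeatable LCG, and the smart fuzzer uses its knowledge of the format to aim boundary values at the length field. Because the harness must stay memory-safe, the target reports the overflow (CRASH) instead of performing it; in a real setup that is the point at which the exception monitor would catch the fault. All names and the record format are inventions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy target: record = [type:1][len:1][payload:len]. */
enum outcome { OK = 0, REJECTED = 1, CRASH = 2 };
#define COPY_MAX 32

int target(const uint8_t *in, size_t n)
{
    uint8_t buf[COPY_MAX];
    if (n < 2) return REJECTED;
    uint8_t len = in[1];
    if ((size_t)len > n - 2) return REJECTED;   /* truncated record: handled */
    if (len > COPY_MAX) return CRASH;           /* the missing check: memcpy would overflow buf */
    memcpy(buf, in + 2, len);
    return OK;
}

struct stats { unsigned executions, rejected, crashes; };

static void tally(struct stats *s, int outcome)   /* the "exception monitor" */
{
    s->executions++;
    if (outcome == REJECTED) s->rejected++;
    if (outcome == CRASH)    s->crashes++;
}

/* Simple mutation fuzzer: knows nothing about the format. Deterministic LCG. */
static uint64_t rng_state;
static uint32_t rnd(void)
{
    rng_state = rng_state * 6364136223846793005ULL + 1442695040888963407ULL;
    return (uint32_t)(rng_state >> 33);
}

void fuzz_simple(const uint8_t *seed, size_t n, unsigned iterations,
                 uint64_t rng_seed, struct stats *s)
{
    uint8_t work[256];
    if (n > sizeof work) n = sizeof work;
    rng_state = rng_seed;
    for (unsigned it = 0; it < iterations; it++) {
        memcpy(work, seed, n);
        size_t pos = rnd() % n;
        if (rnd() & 1)
            work[pos] ^= (uint8_t)(1u << (rnd() % 8));   /* bit flip */
        else
            work[pos] = (uint8_t)rnd();                   /* byte overwrite */
        tally(s, target(work, n));
    }
}

/* Smart mutation fuzzer: the schema says byte 1 is the length field, so
   boundary values go straight there. */
void fuzz_smart(const uint8_t *seed, size_t n, struct stats *s)
{
    static const uint8_t interesting[] = { 0, 1, 31, 32, 33, 62, 63, 127, 128, 255 };
    uint8_t work[256];
    if (n > sizeof work) n = sizeof work;
    for (size_t i = 0; i < sizeof interesting; i++) {
        memcpy(work, seed, n);
        work[1] = interesting[i];
        tally(s, target(work, n));
    }
}

/* Constructed seed: a valid 64-byte record (type 1, len 16, 62 payload bytes). */
static void make_seed(uint8_t *seed) { memset(seed, 'x', 64); seed[0] = 1; seed[1] = 16; }

int seed_outcome(void)       { uint8_t s[64]; make_seed(s); return target(s, 64); }
unsigned smart_crashes(void) { uint8_t s[64]; struct stats st = {0}; make_seed(s); fuzz_smart(s, 64, &st); return st.crashes; }
unsigned simple_executions(unsigned iterations)
{
    uint8_t s[64]; struct stats st = {0};
    make_seed(s); fuzz_simple(s, 64, iterations, 0x5EED, &st);
    return st.executions;
}

int main(void)
{
    uint8_t seed[64];
    struct stats simple = {0}, smart = {0};
    make_seed(seed);
    fuzz_simple(seed, 64, 2000, 0x5EED, &simple);
    fuzz_smart(seed, 64, &smart);
    printf("simple: %u runs, %u rejected, %u crashes\n", simple.executions, simple.rejected, simple.crashes);
    printf("smart:  %u runs, %u rejected, %u crashes\n", smart.executions, smart.rejected, smart.crashes);
    return 0;
}
```

The smart run hits the bug in ten executions (lengths 33 and 62 pass the truncation check but exceed COPY_MAX); the simple run has to land on byte 1 with a value in that range by chance, which is the whole argument for giving the fuzzer a data model.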
                                           31
Fuzzgrind, FuzzBALL
●   Fuzzgrind is built on Valgrind
●   DBI (dynamic binary instrumentation) plus a constraint solver
●   "on-the-spot symbolic execution"
●   http://esec-lab.sogeti.com/pages/Fuzzgrind




                                                 32
BitBlaze, BAP
●   Dynamic analysis
●   Static analysis
●   Taint analysis
●   Symbolic analysis

●   BitBlaze is a QEMU-based tracing system.
    http://bitblaze.cs.berkeley.edu/
●   BAP is a PIN-based tracing system.
    http://bap.ece.cmu.edu/
                                             33
Real world
●   Browser = ~4*10^9 instructions
●   Code-based methods do not scale to that.
●   Input-based methods do not scale to that.
●   Only human-written test-case generators work: cross_fuzz




                                             34
The potential vulnerability.
●   Static – very bad (~0.1%).
●   Dynamic (taint, symbolic execution) – bad (~2%).
●   Dynamic (fuzzing, debugger) – not bad (~5%).




                                                   35
Thanks :)




virvdova@gmail.com

                     36
