SlideShare a Scribd company logo
SESSION ID:
#RSAC
Stephen Sims
Bruh! Do you even diff?
Diffing Microsoft Patches to Find
Vulnerabilities
HT-T10
Security Researcher
SANS Institute
@Steph3nSims
#RSAC
Part I – Binary Diffing
#RSAC
Binary Diffing
3
Security patches are often made to applications, libraries, driver files, etc.
When a new version is released it can be difficult to locate what changes
were made
Some are new features or general application changes
Some are security fixes
Some changes are intentional to thwart reversing
Some vendors make it clear as to reasoning for the update to the binary
Binary diffing tools can help us locate the changes
#RSAC
Can you spot the difference?
4
#RSAC
Oh, there it is!
5
#RSAC
How do they Work?
6
Diffing tools determine matched and unmatched blocks and
functions using various techniques
Same name matching
Same assembly, same decompiled code, same edges
Equal calls to and from functions
Block count from within a function and lines of disassembly
Many, many other techniques…
#RSAC
A Basic Example of a Diff
7
Below is an example of a code block within a function from two
different versions of the same file
Unpatched Patched
#RSAC
Why Diff Binaries and Patches?
8
0-day exploit sales and bug bounties are very popular and profitable
In early 2014, Yang Yu earned $100K disclosing 3 exploit mitigation bypass
techniques to MS
At CanSecWest Pwn2Own 2014 Vupen took home $400K and in 2015 Jung
Hoon Lee took home $225K!
Google paid over $1.5M in 2014 in bug bounties
1-day exploit pricing depends on the severity of the bug, the number
of affected users, and how quickly it is developed after a
patch is released
Exploit writing is very competitive http://www.forbes.com/sites/andygreenbe
rg/2012/03/23/shopping-for-zero-days-an-
price-list-for-hackers-secret-software-
exploits/#535dbe366033
#RSAC
Part II – Binary Diffing Tools
#RSAC
Popular Binary Diffing Tools
10
The following is a list of well-known binary diffing tools:
Zynamics/Google’s BinDiff
Joxean Koret’s Diaphora
Core Security’s turbodiff
DarunGrim 4 by Jeongwook Oh
patchdiff2 by Nicolas Pouvesle
There are others, but we will focus on BinDiff and Diaphora
#RSAC
BinDiff
11
Originally from Zynamics
prior to being acquired by Google
in 2011
Plugin to IDA
Not currently maintained
Available for $200*
* The source code was released in 2015 for some of the Zynamics products, and some of it pulled back. It is
sometimes easy to find for purchasing and then other times seems to be unavailable.
#RSAC
Diaphora
12
A free binary diffing tool written and actively maintained by Joxean
Koret at: https://github.com/joxeankoret/diaphora/
Uses a large number of heuristics to determine differences
Can take time to
run on large files
#RSAC
Basic Binary Diffing Demonstration
13
Demonstration of a diff between two C programs using different
functions to display “Hello World!”
HelloWorld1
Uses the printf() function; however, GCC optimizations convert it to a
puts() call
HelloWorld2
Uses the fprintf() function which is not changed by GCC
#RSAC
Part III – Microsoft Patches
#RSAC
Patch Tuesday
15
Microsoft releases patches on the second Tuesday of each month,
for now…
An effort to help simplify the patching process
Random patch releases caused many users to miss patches
However, waiting up to 30 days for the next patch has security concerns
Emergency patches are released out-of-cycle
Many exploits released in the days following
Analyzing Microsoft packages can help you understand how they fix
bugs, helping with finding unknown bugs
#RSAC
Patch Distribution
16
Windows Update
Website available at http://update.microsoft.com
Automatic Updates
Vista, 7, 8, 10 & Server 2008/2012/2016
Automatic Updates has expanded functionality
Windows Server Update Service (WSUS)
Enterprise patch management solution
Control over patch distribution
Third-party Patch Management Solutions
Deprecated
#RSAC
Obtaining Patches
17
Security
Bulletin
Assignment
#RSAC
Patch Extraction
18
Once a patch has been downloaded…
Download the previous most recent update to that same file (e.g.
Updates replaced)
Use the “expand” tool at command line to extract both patch files
e.g. expand –F:* <.msu file> <dest>
Do the same for the extracted .cab file
Do not double-click or it will attempt to install
Analyze the General Distribution Release (GDR) file as it is limited to
security fixes | QFE files may included unwanted changes
#RSAC
Windows 10 Patches
19
Microsoft says, “Windows 10 updates are cumulative. Therefore,
this package contains all previously released fixes.” e.g.
https://support.microsoft.com/en-us/kb/3135174
You can get stand-alone packages from Microsoft’s Update Catalog
website: http://catalog.update.microsoft.com/v7/site/home.aspx
…but, they still contain all fixes, which makes determining what
change corresponds to a particular CVE more difficult
For now, it’s easiest just to use updates for Windows, Vista, 7, and 8
#RSAC
Part IV – Diffing a Microsoft Patch
#RSAC
MS16-014 & MS16-009
21
Microsoft Security Bulletin MS16-014 – Important
Security Update for Microsoft Windows to Address Remote Code Execution
(3134228) – Private Disclosure - Discovered by Greg Linares
Microsoft Security Bulletin MS16-009 – Critical
Cumulative Security Update for Internet Explorer (3134220)
Both have fixes that apply in relation to CVE-2016-0041 – DLL Loading
Remote Code Execution Vulnerability
Corrects how Windows and IE validates input before loading DLL files
Affected Windows Vista through Windows 10 and IE 9/10/11
The file urlmon.dll is patched as part of MS16-009
#RSAC
Diffing urlmon.dll
22
When diffing urlmon.dll, only one function has a change
BuildUserAgentStringMobileHelper()
It is nearly identical at 99% similarity
#RSAC
Visual Diff of Function Changes
23
Unpatched
Patched
#RSAC
LoadLibraryExW()
24
LoadLibraryExW() is the Unicode name for LoadLibraryEx(), and is the
function called where the arguments were changed by the patch
HMODULE WINAPI LoadLibraryEx(
_In_ LPCTSTR lpFileName,
_Reserved_ HANDLE hFile,
_In_ DWORD dwFlags
);
Per MSDN, “This function loads the specified module into the address
space of the calling process.”
One argument is dwFlags which can be used to specify how and from
where DLL’s can be loaded
#RSAC
The Vulnerability
25
In the unpatched function, a value of 0 is being passed as the
dwFlags argument
A value of 0 will cause the behavior of LoadLibraryEx() to model that
of the LoadLibrary() function
This may allow for the loading of malicious DLL’s
dwFlags value is 0
#RSAC
The Fix
26
In the patched function, a value of 0x800 is being passed as the
dwFlags argument
This value’s name is “LOAD_LIBRARY_SEARCH_SYSTEM32”
This ensures that only “%windows%system32” is searched,
preventing the loading of malicious DLL’s
dwFlags value is 0x800
#RSAC
Part V – Demonstration and Exploitation
#RSAC
How can we exploit this bug?
28
The DLL urlmon.dll is loaded automatically when you start IE and
many other Microsoft applications
We need urlmon.dll to attempt to load PhoneInfo.dll
**PhoneInfo.dll does not come with windows 10**
BuildUserAgentStringMobileHelper() from within urlmon.dll attempts to
load PhoneInfo.dll where we saw the patch applied
If we can get this line executed we can put a malicious DLL somewhere late
in the SafeDLLSearchMode order
A simple text search in IDA shows you the locations where PhoneInfo.dll is
passed as an argument to LoadLibraryExW()
#RSAC
SafeDLLSearchMode Order
29
Per MSDN
If SafeDllSearchMode is enabled, the search order is as follows:
1) The directory from which the application loaded.
2) The system directory. Use the GetSystemDirectory function to get the
path of this directory.
3) The 16-bit system directory. There is no function that obtains the path of
this directory, but it is searched.
4) The Windows directory. Use the GetWindowsDirectory function to get
the path of this directory.
5) The current directory.
6) The directories that are listed in the PATH environment variable. Note
that this does not include the per-application path specified by the App
Paths registry key. The App Paths key is not used when computing the
DLL search path.
https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx
#RSAC
Demonstration
30
In this demo we will place our own PhoneInfo.dll file into a
location listed in the PATH environment variable and get it
loaded into IE11
#RSAC
31
Defense – Understand the threat…
Audit the patch management process in your organization
How long are your systems unpatched after patches are released?
When patches are released, is someone prioritizing and determining
whether or not a vulnerability affects your organization?
Offense – Diff to generate exploits and profit…
Use the aforementioned tools and steps to diff Microsoft patches to
quickly develop an exploit from private disclosures
Practice, Practice, Practice!
Apply What You Have Learned Today
#RSAC
Questions?
32
Thank you…
Stephen Sims
stephen@deadlisting.com
@Steph3nSims
…and remember

More Related Content

Similar to Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities

Linking in MS-Dos System
Linking in MS-Dos SystemLinking in MS-Dos System
Linking in MS-Dos System
Satyamevjayte Haxor
 
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
viaForensics
 
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
n|u - The Open Security Community
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malware
Yury Chemerkin
 
Windows server Interview question and answers
Windows server Interview question and answersWindows server Interview question and answers
Windows server Interview question and answers
Availity Fore Support Services pvt ltd
 
DLL Tutor maXbox starter28
DLL Tutor maXbox starter28DLL Tutor maXbox starter28
DLL Tutor maXbox starter28
Max Kleiner
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
Ron Munitz
 
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
Felipe Prado
 
Android Penetration testing - Day 2
 Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
Mohammed Adam
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1  Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
securityxploded
 
Interview Question of Aspdotnet
Interview Question of AspdotnetInterview Question of Aspdotnet
Interview Question of Aspdotnet
MohitKumar1985
 
A Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceA Platform for Application Risk Intelligence
A Platform for Application Risk Intelligence
Checkmarx
 
Copmuter Languages
Copmuter LanguagesCopmuter Languages
Copmuter Languages
actanimation
 
Addressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NETAddressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NET
LicensingLive! - SafeNet
 
Stored-Procedures-Presentation
Stored-Procedures-PresentationStored-Procedures-Presentation
Stored-Procedures-Presentation
Chuck Walker
 
Windows sys admin interview questions
Windows sys admin interview questionsWindows sys admin interview questions
Windows sys admin interview questions
Student
 
Dotnet Basics Presentation
Dotnet Basics PresentationDotnet Basics Presentation
Dotnet Basics Presentation
Sudhakar Sharma
 
Rootkit case
Rootkit caseRootkit case
Rootkit case
Artem I. Baranov
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
Bala Subra
 

Similar to Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities (20)

Linking in MS-Dos System
Linking in MS-Dos SystemLinking in MS-Dos System
Linking in MS-Dos System
 
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
 
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malware
 
Windows server Interview question and answers
Windows server Interview question and answersWindows server Interview question and answers
Windows server Interview question and answers
 
DLL Tutor maXbox starter28
DLL Tutor maXbox starter28DLL Tutor maXbox starter28
DLL Tutor maXbox starter28
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
 
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
 
Android Penetration testing - Day 2
 Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1  Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Interview Question of Aspdotnet
Interview Question of AspdotnetInterview Question of Aspdotnet
Interview Question of Aspdotnet
 
A Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceA Platform for Application Risk Intelligence
A Platform for Application Risk Intelligence
 
Copmuter Languages
Copmuter LanguagesCopmuter Languages
Copmuter Languages
 
Addressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NETAddressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NET
 
Stored-Procedures-Presentation
Stored-Procedures-PresentationStored-Procedures-Presentation
Stored-Procedures-Presentation
 
Windows sys admin interview questions
Windows sys admin interview questionsWindows sys admin interview questions
Windows sys admin interview questions
 
Dotnet Basics Presentation
Dotnet Basics PresentationDotnet Basics Presentation
Dotnet Basics Presentation
 
Rootkit case
Rootkit caseRootkit case
Rootkit case
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 

More from Priyanka Aash

(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Incident Response .pdf
(CISOPlatform Summit & SACON 2024) Incident Response .pdf(CISOPlatform Summit & SACON 2024) Incident Response .pdf
(CISOPlatform Summit & SACON 2024) Incident Response .pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) GRC.pdf
(CISOPlatform Summit & SACON 2024) GRC.pdf(CISOPlatform Summit & SACON 2024) GRC.pdf
(CISOPlatform Summit & SACON 2024) GRC.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
Priyanka Aash
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
Priyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
Priyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
Priyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
Priyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
Priyanka Aash
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
Priyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Priyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
Priyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
Priyanka Aash
 

More from Priyanka Aash (20)

(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
 
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
 
(CISOPlatform Summit & SACON 2024) Incident Response .pdf
(CISOPlatform Summit & SACON 2024) Incident Response .pdf(CISOPlatform Summit & SACON 2024) Incident Response .pdf
(CISOPlatform Summit & SACON 2024) Incident Response .pdf
 
(CISOPlatform Summit & SACON 2024) GRC.pdf
(CISOPlatform Summit & SACON 2024) GRC.pdf(CISOPlatform Summit & SACON 2024) GRC.pdf
(CISOPlatform Summit & SACON 2024) GRC.pdf
 
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 

Recently uploaded

[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
Kief Morris
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
Neo4j
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
moinahousna
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
aslasdfmkhan4750
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
SynapseIndia
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
ssuser1915fe1
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
huseindihon
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
Anant Gupta
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
Shiv Technolabs
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
Management Institute of Skills Development
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
Edge AI and Vision Alliance
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
digitalxplive
 
Recent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS InfrastructureRecent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS Infrastructure
KAMAL CHOUDHARY
 

Recently uploaded (20)

[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
 
Recent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS InfrastructureRecent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS Infrastructure
 

Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities

  • 1. SESSION ID: #RSAC Stephen Sims Bruh! Do you even diff? Diffing Microsoft Patches to Find Vulnerabilities HT-T10 Security Researcher SANS Institute @Steph3nSims
  • 2. #RSAC Part I – Binary Diffing
  • 3. #RSAC Binary Diffing 3 Security patches are often made to applications, libraries, driver files, etc. When a new version is released it can be difficult to locate what changes were made Some are new features or general application changes Some are security fixes Some changes are intentional to thwart reversing Some vendors make it clear as to reasoning for the update to the binary Binary diffing tools can help us locate the changes
  • 4. #RSAC Can you spot the difference? 4
  • 6. #RSAC How do they Work? 6 Diffing tools determine matched and unmatched blocks and functions using various techniques Same name matching Same assembly, same decompiled code, same edges Equal calls to and from functions Block count from within a function and lines of disassembly Many, many other techniques…
  • 7. #RSAC A Basic Example of a Diff 7 Below is an example of a code block within a function from two different versions of the same file Unpatched Patched
  • 8. #RSAC Why Diff Binaries and Patches? 8 0-day exploit sales and bug bounties are very popular and profitable In early 2014, Yang Yu earned $100K disclosing 3 exploit mitigation bypass techniques to MS At CanSecWest Pwn2Own 2014 Vupen took home $400K and in 2015 Jung Hoon Lee took home $225K! Google paid over $1.5M in 2014 in bug bounties 1-day exploit pricing depends on the severity of the bug, the number of affected users, and how quickly it is developed after a patch is released Exploit writing is very competitive http://www.forbes.com/sites/andygreenbe rg/2012/03/23/shopping-for-zero-days-an- price-list-for-hackers-secret-software- exploits/#535dbe366033
  • 9. #RSAC Part II – Binary Diffing Tools
  • 10. #RSAC Popular Binary Diffing Tools 10 The following is a list of well-known binary diffing tools: Zynamics/Google’s BinDiff Joxean Koret’s Diaphora Core Security’s turbodiff DarunGrim 4 by Jeongwook Oh patchdiff2 by Nicolas Pouvesle There are others, but we will focus on BinDiff and Diaphora
  • 11. #RSAC BinDiff 11 Originally from Zynamics prior to being acquired by Google in 2011 Plugin to IDA Not currently maintained Available for $200* * The source code was released in 2015 for some of the Zynamics products, and some of it pulled back. It is sometimes easy to find for purchasing and then other times seems to be unavailable.
  • 12. #RSAC Diaphora 12 A free binary diffing tool written and actively maintained by Joxean Koret at: https://github.com/joxeankoret/diaphora/ Uses a large number of heuristics to determine differences Can take time to run on large files
  • 13. #RSAC Basic Binary Diffing Demonstration 13 Demonstration of a diff between two C programs using different functions to display “Hello World!” HelloWorld1 Uses the printf() function; however, GCC optimizations convert it to a puts() call HelloWorld2 Uses the fprintf() function which is not changed by GCC
  • 14. #RSAC Part III – Microsoft Patches
  • 15. #RSAC Patch Tuesday 15 Microsoft releases patches on the second Tuesday of each month, for now… An effort to help simplify the patching process Random patch releases caused many users to miss patches However, waiting up to 30 days for the next patch has security concerns Emergency patches are released out-of-cycle Many exploits released in the days following Analyzing Microsoft packages can help you understand how they fix bugs, helping with finding unknown bugs
  • 16. #RSAC Patch Distribution 16 Windows Update Website available at http://update.microsoft.com Automatic Updates Vista, 7, 8, 10 & Server 2008/2012/2016 Automatic Updates has expanded functionality Windows Server Update Service (WSUS) Enterprise patch management solution Control over patch distribution Third-party Patch Management Solutions Deprecated
  • 18. #RSAC Patch Extraction 18 Once a patch has been downloaded… Download the previous most recent update to that same file (e.g. Updates replaced) Use the “expand” tool at command line to extract both patch files e.g. expand –F:* <.msu file> <dest> Do the same for the extracted .cab file Do not double-click or it will attempt to install Analyze the General Distribution Release (GDR) file as it is limited to security fixes | QFE files may included unwanted changes
  • 19. #RSAC Windows 10 Patches 19 Microsoft says, “Windows 10 updates are cumulative. Therefore, this package contains all previously released fixes.” e.g. https://support.microsoft.com/en-us/kb/3135174 You can get stand-alone packages from Microsoft’s Update Catalog website: http://catalog.update.microsoft.com/v7/site/home.aspx …but, they still contain all fixes, which makes determining what change corresponds to a particular CVE more difficult For now, it’s easiest just to use updates for Windows, Vista, 7, and 8
  • 20. #RSAC Part IV – Diffing a Microsoft Patch
  • 21. #RSAC MS16-014 & MS16-009 21 Microsoft Security Bulletin MS16-014 – Important Security Update for Microsoft Windows to Address Remote Code Execution (3134228) – Private Disclosure - Discovered by Greg Linares Microsoft Security Bulletin MS16-009 – Critical Cumulative Security Update for Internet Explorer (3134220) Both have fixes that apply in relation to CVE-2016-0041 – DLL Loading Remote Code Execution Vulnerability Corrects how Windows and IE validates input before loading DLL files Affected Windows Vista through Windows 10 and IE 9/10/11 The file urlmon.dll is patched as part of MS16-009
  • 22. #RSAC Diffing urlmon.dll 22 When diffing urlmon.dll, only one function has a change BuildUserAgentStringMobileHelper() It is nearly identical at 99% similarity
  • 23. #RSAC Visual Diff of Function Changes 23 Unpatched Patched
  • 24. #RSAC LoadLibraryExW() 24 LoadLibraryExW() is the Unicode name for LoadLibraryEx(), and is the function called where the arguments were changed by the patch HMODULE WINAPI LoadLibraryEx( _In_ LPCTSTR lpFileName, _Reserved_ HANDLE hFile, _In_ DWORD dwFlags ); Per MSDN, “This function loads the specified module into the address space of the calling process.” One argument is dwFlags which can be used to specify how and from where DLL’s can be loaded
  • 25. #RSAC The Vulnerability 25 In the unpatched function, a value of 0 is being passed as the dwFlags argument A value of 0 will cause the behavior of LoadLibraryEx() to model that of the LoadLibrary() function This may allow for the loading of malicious DLL’s dwFlags value is 0
  • 26. #RSAC The Fix 26 In the patched function, a value of 0x800 is being passed as the dwFlags argument This value’s name is “LOAD_LIBRARY_SEARCH_SYSTEM32” This ensures that only “%windows%system32” is searched, preventing the loading of malicious DLL’s dwFlags value is 0x800
  • 27. #RSAC Part V – Demonstration and Exploitation
  • 28. #RSAC How can we exploit this bug? 28 The DLL urlmon.dll is loaded automatically when you start IE and many other Microsoft applications We need urlmon.dll to attempt to load PhoneInfo.dll **PhoneInfo.dll does not come with windows 10** BuildUserAgentStringMobileHelper() from within urlmon.dll attempts to load PhoneInfo.dll where we saw the patch applied If we can get this line executed we can put a malicious DLL somewhere late in the SafeDLLSearchMode order A simple text search in IDA shows you the locations where PhoneInfo.dll is passed as an argument to LoadLibraryExW()
  • 29. #RSAC SafeDLLSearchMode Order 29 Per MSDN If SafeDllSearchMode is enabled, the search order is as follows: 1) The directory from which the application loaded. 2) The system directory. Use the GetSystemDirectory function to get the path of this directory. 3) The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched. 4) The Windows directory. Use the GetWindowsDirectory function to get the path of this directory. 5) The current directory. 6) The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path. https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx
  • 30. #RSAC Demonstration 30 In this demo we will place our own PhoneInfo.dll file into a location listed in the PATH environment variable and get it loaded into IE11
  • 31. #RSAC 31 Defense – Understand the threat… Audit the patch management process in your organization How long are your systems unpatched after patches are released? When patches are released, is someone prioritizing and determining whether or not a vulnerability affects your organization? Offense – Diff to generate exploits and profit… Use the aforementioned tools and steps to diff Microsoft patches to quickly develop an exploit from private disclosures Practice, Practice, Practice! Apply What You Have Learned Today