This document summarizes a presentation on detecting web browser heap corruption attacks. The presentation focuses on research into detecting these attacks and an internal tool called "xmon" that is part of a larger system for detecting malicious web content. The document provides background on heap corruption vulnerabilities and exploits, and how techniques like heap spraying and heap feng shui have increased the reliability of such exploits. It then describes xmon's methods for generic detection of exploit techniques through actions like patching virtual function calls and hooking structured exception handlers.
Watchtowers of the Internet - Source Boston 2012 (Stephan Chenette)
Watchtowers of the Internet: Analysis of Outbound Malware Communication, Stephan Chenette, Principal Security Researcher, (@StephanChenette) & Armin Buescher, Security Researcher
With advanced malware, targeted attacks, and advanced persistent threats, it’s not IF but WHEN a persistent attacker will penetrate your network and install malware on your company’s network and desktop computers. To get the full picture of the threat landscape created by malware, our malware sandbox lab runs over 30,000 malware samples a day. Network traffic is subsequently analyzed using heuristics and machine learning techniques to statistically score any outbound communication and identify command & control, back-channel, worm-like and other types of traffic used by malware.
Our talk will focus on the setup of the lab, major malware families as well as outlier malware, and the statistics we have generated to give our audience an exposure like never before into the details of malicious outbound communication. We will provide several tips, based on our analysis to help you create a safer and more secure network.
Stephan Chenette is a principal security researcher at Websense Security Labs, specializing in research tools and next generation emerging threats. In this role, he identifies and implements exploit and malcode detection techniques.
Armin Buescher is a Security Researcher and Software Engineer experienced in strategic development of detection/prevention technologies and analysis tools. Graduated as Dipl.-Inf. (MSc) with thesis on Client Honeypot systems. Interested in academic research work and published author of security research papers.
Pentesting? What is Pentesting? Why Pentesting?
Millions of dollars have been invested in security programs to protect critical infrastructure to prevent data breaches
Title: Hands on Penetration Testing 101 by Scott Sutherland & Karl Fosaaen
Abstract: The goal of this training is to introduce attendees to standard penetration test methodologies, tools, and techniques. Hands on labs will cover the basics of asset discovery, vulnerability enumeration, system penetration, privilege escalation, and bypassing end point protection. During the labs, common vulnerabilities will be leveraged to illustrate attack techniques, using freely available tools such as Nmap and Metasploit. This training will be valuable to anyone interested in gaining a better understanding of penetration testing or to system administrators trying to understand common attack approaches.
Syed Ubaid Ali Jafri - Black Box Penetration Testing for Associates (Syed Ubaid Ali Jafri)
Syed Ubaid Ali Jafri informed information security students how to conduct black box penetration testing when you have no prior knowledge of the network environment, and described a few steps and considerations that should be kept in mind before conducting a black box audit.
Metasploit (Module-1) - Getting Started With Metasploit (Anurag Srivastava)
Vulnerability and exploitation framework designed to ease the burden on security professionals when it comes to performing security assessments.
One of the single most useful auditing tools freely available to security professionals today
Contains an extensive library of "modules".
Each module has a function, and they are divided up into "exploits", "auxiliary", "post" (post exploitation), "payloads", "encoders", and "nops".
Before starting to test a web site, it is very important to know which testing methods need to be covered.
# The current state of the penetration test practice is far from optimal
# Automating them may bring them to a new level of quality
# But in doing so we will face many technical problems
# It may be a new challenge for the IS industry in the near future
What is Bash?
Bash is a shell: a program that translates your commands into something the device's operating system can understand, i.e. a command language interpreter for the operating system. The name is an acronym for the ‘Bourne-Again SHell’, a pun on Stephen Bourne, the author of the direct ancestor of the current Unix shell sh, which appeared in the Seventh Edition Bell Labs Research version of Unix. Bash is the default shell and is quite portable. It currently runs on nearly every version of Unix and a few other operating systems.
Adding Pentest Sauce to Your Vulnerability Management Recipe. Covers 10 tips to improve vulnerability management based on common red team and pentest findings.
2012 B-Sides and ToorCon Talk Offensive Defense
Blog Post - http://blog.ioactive.com/2013/01/offensive-defense.html
Cyber-criminals have had back-end infrastructures equivalent to VirusTotal to test whether malware and exploits are effective against AV scanners for many years, thus showing that attackers are proactively avoiding detection when building malware. In this day and age malicious binaries are generated on demand by server-side kits when a victim visits a malicious web page, making reliance solely on hash based solutions inadequate. In the last 15 years detection techniques have evolved in an attempt to keep up with attack trends. In the last few years security companies have looked for supplemental solutions such as the use of machine learning to detect and mitigate attacks by cyber criminals. Let's not pretend attackers can't bypass each and every detection technique currently deployed. Join me as I present and review current detection methods found in most host and network security solutions today. We will re-review the defense in depth strategy while keeping in mind that a solid security strategy consists of forcing an attacker to spend as much time and effort as possible while needing to know a variety of skills and technologies in order to successfully pull off the attack. In the end I hope to convince you that thinking defensively requires thinking offensively.
The Anatomy of Java Vulnerabilities (Devoxx UK 2017) (Steve Poole)
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just as much at risk as the client.
In this talk we’ll cover all aspects of Java vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed, as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tackling security issues in Java.
I will talk about innovation in the area of cyber security analytics - developing machine learning methods to detect and block cyber attacks (e.g. detecting ransomware within 4 seconds of execution and killing the underlying processes). Rather than just focusing on this as a 'black box', I'll pull it apart and talk about how we can use these methods to enable security practitioners (SOC/CIRT etc) to ask and answer questions about 'what' and 'why' these methods are flagging attacks. I'll also talk about resilience of machine learning methods to manipulation and adversarial attacks - how stable these approaches are to diversity and evolution of malware for example.
The project entitled “Network Security System” is related to hacking attacks on computer systems over the internet. In today’s world many computer systems and servers are not secure because of the increasing number of hacking attacks and increasingly well-informed hackers, so the demand for information security specialists has risen.
BSides Philly: Finding a Company's BreakPoint (Andrew McNicol)
We cover modern day hacking techniques to establish a foothold into a target network. This is a great introduction to hacking techniques to those new to pentesting, with hopes of breaking the mindset of "scan then exploit".
BSidesJXN 2016: Finding a Company's BreakPoint (Andrew McNicol)
We discuss tips and tricks we have picked up along our way performing penetration tests and red teaming engagements. We also cover 5 main ways we break into a company.
The Hacking Games - Operation System Vulnerabilities Meetup 29112022 (Lior Mazor)
Our technology, work processes, and activities all depend on operating systems being safe and secure. Join us virtually for our upcoming "The Hacking Games - Operation System Vulnerabilities" Meetup to learn how a hacker can compromise an operating system, bypass the antivirus protection layer and exploit Linux eBPF.
Similar to Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph, Blackhat USA 2007
2013 Toorcon San Diego: Building Custom Android Malware for Penetration Testing (Stephan Chenette)
In this presentation Stephan will discuss some recent research that emerged when he was asked to build malicious applications that bypassed custom security controls. He will walk through some of the basics of reversing malicious apps for Android as well as common Android malware techniques and methodologies. From the analysis of in-the-wild Android malware, he will discuss techniques and functionality to include when penetration testing against 3rd-party Android security controls.
BIO
Stephan Chenette is the Director of Security Research and Development at IOActive where he conducts ongoing research to support internal and external security initiatives within the IOActive Labs. Stephan has been involved in security research for the last 10 years and has presented at numerous conferences including: Blackhat, CanSecWest, RSA, EkoParty, RECon, AusCERT, ToorCon, SecTor, SOURCE, OWASP, B-Sides and PacSec. His specialty is in writing research tools for both the offensive and defensive front as well as investigating next generation emerging threats. He has released public analyses on various vulnerabilities and malware. Prior to joining IOActive, Stephan was the head security researcher at Websense for 6 years and a security software engineer for 4 years working in research and product development at eEye Digital Security.
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008 (Stephan Chenette)
ERA 2008 - Stephan Chenette, Presentation on Script Fragmentation attack
Abstract: This presentation will introduce a new web-based attack vector which utilizes client-side scripting to fragment malicious web content.
This involves distributing web exploits in an asynchronous manner to evade signature detection. Similar to TCP fragmentation attacks, which are still an issue in current IDS/IPS products, this attack vector involves sending any web exploit in fragments and uses the already existing components within the web browser to reassemble and execute the exploit.
Our presentation will discuss this attack vector used to evade both gateway and client side detection. We will show several proof of concepts containing common readily available web exploits.
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph, Blackhat USA 2007
1. Detecting Web Browser Heap Corruption Attacks
Stephan Chenette
Moti Joseph
Websense Security Labs
2. Who we are…
Stephan Chenette
Manager of Websense Security Research/Senior Researcher, Websense Security Labs
Focus on reverse engineering of malicious web content: obfuscated JavaScript, malicious code, malware, packers/protectors.
Detection techniques: heuristic malware/exploit detection, user-land/kernel-land behavior analysis tools, dynamic/static data analysis.
Previously worked at eEye Digital Security as a Security Software Engineer.
Moti Joseph
Senior Researcher, Websense Security Labs
Focus on exploitation techniques, reverse engineering, bug hunting, code analysis, user-land hooking mechanisms.
Previously worked at Checkpoint.
3. What are we presenting?
This presentation will focus on our research in the detection of browser heap corruption attacks.
This research inspired an internal tool we call “xmon” (exploitation monitor), which is part of a larger malicious web content detection network.
It is important to note, we are presenting detection techniques. We will NOT cover in any detail any existing exploitation protection measures, i.e. DEP, SAFESEH, ASLR, etc.
We are going to give some background in web browser based heap attacks, so if you’ve seen Alexander Sotirov’s presentation (we hope you have), then there will be some repetition of background information. Hopefully it will reaffirm your understanding of the subject.
4. What do web browser exploits look like?
At first glance, most malicious web pages simply look like a regular webpage.
5. What do web browser exploits look like?
If we actually look at the source code we can see what is really going on… the attacker is using the MS06-071 (XML Core Services) vulnerability.
6. What do heap corruption vulns look like?
Vulnerability in Vector Markup Language Could Allow Remote Code Execution (MS07-004)
The VML bug was a pure integer overflow vulnerability.
7. What do heap corruption vulns look like?
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (MS06-071)
The XMLHTTP bug was a double free vulnerability.
8. Heap corruption exploits
Exploitable heap corruptions are caused when user-controllable data can corrupt the heap in a predictable way.
In order to allow remote code execution, the attacker must be able to use this memory corruption to influence the instruction pointer.
Corruption of heap headers and function pointers are two common ways this is achieved.
9. History lesson...
Older heap exploits were extremely unreliable, for a few reasons:
– Many exploit-writers found heap exploits too hard to write or were only accustomed to writing stack based overflows, so their proofs of concept (POCs) were often created to simply crash the browser instead of executing a payload.
– Some exploits that were created used random areas of heap memory to store their shellcode (e.g., images, movie files, html tags, etc.). The location of this data was extremely unreliable as the memory arrangement and location of that data often varied.
10. More reliability needed… heap spraying.
Developed by Blazde and SkyLined and first used in a POC exploit for the IFRAME SRC NAME heap overflow vulnerability.
This method allowed us to place shellcode onto the heap by allocating space on the heap using JavaScript code and copying our shellcode to our newly allocated buffer.
The idea behind this method is to spray enough of the heap with NOPs followed by shellcode and then trigger the vulnerability, which has been set up to jump to the heap.
11. How reliable is heap spraying?
Not as reliable as you might think…
Demo…
12. The next step in reliable heap exploitation…
Alexander Sotirov’s “Heap Feng Shui” (HeapLib)
– Released this year at Blackhat Europe
– Integrated with Metasploit 3
13. Commonality
What do all these methods have in common?
How can we detect these generically?
15. Large scale exploit detection… enter xmon
Generic detection of exploit techniques
Minimal configuration
Part of larger framework
Multiple methods used for detection
Signatures for optional vulnerability identification only
Main concerns: speed and accuracy.
16. Method 1
Patch all calls to virtual functions and function pointers
– Use IDA plug-in to scan for pointers
– Patching is an ongoing process
• Patch all calls at start
• Patch calls as modules are loaded dynamically
When a call is made, check to see where the execution is directed to.
17. Method 2
Hooking Structured Exception Handlers (SEH)
– When an exception occurs, verify the location of the exception handler.
18. Method X
Hook all known universal pointers
– Top-level SEH
– Fast PEB lock
– Other global function pointers
Method X+n?
– More …
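Slides 16 to 18 all reduce to one question asked at a control-transfer point: does the pointer about to be used (a patched virtual-function call target, an SEH handler, a global function pointer) point into the code of a loaded module, or somewhere else, such as a heap region that was sprayed with NOPs and shellcode? The C program below is an added example of that check written for this summary; it is not xmon's code and not from the presenters. It assumes a constructed module map with illustrative addresses (`g_code_regions`), and the names `classify_target`, `check_indirect_call` and `check_exception_handler` are hypothetical stand-ins for the bodies a real hook would run. In a real monitor the map would be built from the process's loaded-module list and refreshed as modules load, which is why slide 16 calls patching "an ongoing process".

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Executable range of one loaded module. Constructed for this example with
 * illustrative addresses; a real monitor fills this from the loaded-module
 * list and updates it whenever a module is loaded or unloaded. */
typedef struct {
    const char *name;
    uintptr_t   start;   /* first byte of the module's code section */
    uintptr_t   end;     /* one past the last byte of that section */
} CodeRegion;

typedef enum {
    TARGET_IN_MODULE_CODE = 0, /* lands in a known module: allow */
    TARGET_OUTSIDE_IMAGES = 1, /* lands on heap/stack/unmapped memory: flag */
    TARGET_NULL           = 2  /* null pointer: corrupted, but not a controlled jump */
} TargetVerdict;

/* Constructed module map (hypothetical load addresses, not real ones). */
static const CodeRegion g_code_regions[] = {
    { "mshtml.dll",   0x7D4A1000u, 0x7D7A0000u },
    { "msxml3.dll",   0x74B81000u, 0x74C00000u },
    { "kernel32.dll", 0x7C801000u, 0x7C900000u },
};
static const size_t g_code_region_count =
    sizeof g_code_regions / sizeof g_code_regions[0];

/* Return the region containing addr, or NULL when no module code covers it. */
static const CodeRegion *find_code_region(uintptr_t addr,
                                          const CodeRegion *regions, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (addr >= regions[i].start && addr < regions[i].end)
            return &regions[i];
    }
    return NULL;
}

/* Core check shared by every hook: is the target inside module code? */
TargetVerdict classify_target(uintptr_t target,
                              const CodeRegion *regions, size_t n)
{
    if (target == 0)
        return TARGET_NULL;
    return find_code_region(target, regions, n) ? TARGET_IN_MODULE_CODE
                                                : TARGET_OUTSIDE_IMAGES;
}

/* Method 1 hook body: a patched indirect call site (virtual function or
 * function pointer) reports the pointer it is about to call. Returns 1 when
 * the call may proceed, 0 when it is logged as a detected redirect. */
int check_indirect_call(uintptr_t callsite, uintptr_t target)
{
    TargetVerdict v = classify_target(target, g_code_regions, g_code_region_count);
    if (v == TARGET_IN_MODULE_CODE)
        return 1;
    printf("[detect] indirect call at %#lx -> %#lx: %s\n",
           (unsigned long)callsite, (unsigned long)target,
           v == TARGET_NULL ? "NULL target (corrupted pointer)"
                            : "target outside any module (heap/stack)");
    return 0;
}

/* Method 2 hook body: before an SEH handler is dispatched, verify that the
 * handler address itself lives in module code. */
int check_exception_handler(uintptr_t handler)
{
    TargetVerdict v = classify_target(handler, g_code_regions, g_code_region_count);
    if (v == TARGET_IN_MODULE_CODE)
        return 1;
    printf("[detect] SEH handler %#lx does not point into module code\n",
           (unsigned long)handler);
    return 0;
}

int main(void)
{
    /* Constructed scenarios: a vtable call into mshtml (allowed) and a
     * corrupted vtable entry / handler pointing at a heap address (flagged). */
    uintptr_t mshtml_fn = 0x7D4B1234u;
    uintptr_t heap_addr = 0x02A4C000u;
    check_indirect_call(0x7D4A2000u, mshtml_fn);
    check_indirect_call(0x7D4A2000u, heap_addr);
    check_exception_handler(0x7C80ABCDu);
    check_exception_handler(heap_addr);
    return 0;
}
```

The check is only as good as the module map and the set of hooked sites: code that legitimately runs from non-image memory (a JIT engine, for instance) has to be added to the map or it will be flagged, and a corrupted pointer that is consumed by a call site or global pointer that was never patched or hooked is never seen, which is the "jmp ptr/technique we haven't seen before" problem slide 24 lists.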
22. Finding The Middle Ground
Greatly increase performance levels
Accurate detection of both known and unknown exploits
Eliminate the need to monitor or restore system state
Reduce uncertainty – no more notion of “suspicious”
24. Problems?
Not all malicious websites use actual exploits
Vulnerable control or component not installed
Uses jmp ptr/technique we haven’t seen before
Others …
Detection in depth
25. Thank you for coming!
Questions?
Contact Info:
– Stephan Chenette
• schenette || websense.com
– Moti Joseph
• mjoseph || websense.com