3. Introduction
Birth of a security patch
Discussion in the presentation
Vulnerability Releases a
Finding a 0day Reverse Vendor finds a
Locate the
Microsoft reaches the patch to fix the
Highlight the
vulnerability engineer the fix
vulnerability
patches vendor vulnerability
difficulties
patch patched
http://null.co.in/ http://nullcon.net/
4. Introduction
For reversing and obtaining binary difference in my demos I
would be using DarunGrim2
How DarunGrim works?
β’ The schema of DarunGrim is shown in
the figure
β’ To generate diffing results
β Binaries are disassembled in IDA Pro in the
background and darungrim IDA plugin is run
which creates the sqlite database
β Diffing Engine, the heart of DarunGrim2.
The sqlite db from IDA and the binaries from GUI
are fed into this engine as inputs
http://null.co.in/ http://nullcon.net/
5. Introduction
Algorithm ?
β’ Main algorithm of DarunGrim is Basic block fingerprint hash map
β’ Each basic block is 1 entity whose fingerprint is generated from the
instruction sequence
β’ Fingerprint hash generated by IDA Pro
β’ Two fingerprint hash tables one each for unpatched and patched binary
β’ For finding the binary difference, each unique fingerprint from original
binary is searched against the fingerprints of patched binary for a match
β’ All fingerprints in the original binary hash tables are either matched or
unmatched
http://null.co.in/ http://nullcon.net/
6. Introduction
Algorithm ? Contd..
β’ For a function to be called matching, all the basic blocks in the function
should be matching
β’ For unmatched functions DarunGrim calculates percentage match
β’ Match rate based on fingerprint string match
β Similar to GNU Diff algorithm which is finding longest common subsequence
http://null.co.in/ http://nullcon.net/
7. Introduction
Vulnerability Vs Exploit based signatures
Exploit signatures
β’ Created by using byte string patterns or regular expressions
β’ These are exploit specific
β’ They are used widely mainly because of the ease of their creation
β’ Cater to only one type of input satisfying that vulnerability condition
β’ Fail: different attacks can exploit the same vulnerability, so exploit based
signatures will fail
β’ For eg. Exploit based signature
β ESig = βdocx?AAAAAAAAAAA...β
β It will fail if some exploit uses a long string of Bβs instead of Aβs
http://null.co.in/ http://nullcon.net/
8. Introduction
Vulnerability Vs Exploit based signatures
Vulnerability signatures
β’ Based on the properties of the vulnerability and not on
the properties of the exploit
Vulnerability
β’ It is a superset of all the inputs satisfying a particular
Signature
vulnerability condition
β’ For eg. Vulnerability based signature for previous case
β VSig = MATCH_STR (Buffer,"docx?(.*)$",limit)
β Matches string in buffer with the regex
β It is effective against any alphabet unlike exploit signature Exploit Signature
http://null.co.in/ http://nullcon.net/
9. Introduction
Vulnerability Vs Exploit based signatures
Vulnerability signatures contd..
β’ For a good vulnerability signature
β It should strictly not allow any false negatives as even one exploit can pwn the system
and create a gateway for the attacker into the network.
β It should allow very few false positives, as too many false positives may lead to a DoS
attack for the system.
β The signature matching time should not create a considerable delay for the software
and services.
http://null.co.in/ http://nullcon.net/
10. Need
β’ The first step of creating an undisclosed
exploit is to find the vulnerability to exploit it.
β’ To verify if the patch released by Microsoft is
working as per it is designed.
β’ To create vulnerability based signatures.
http://null.co.in/ http://nullcon.net/
11. Process
Finding patches
Extraction of files
Binary Differencing
Differencing Analysis
Debugging
http://null.co.in/ http://nullcon.net/
12. Process
Finding patches
β’ Pick a vulnerability and download its patch
β’ Pick a vulnerability just before this one that patched the same
program or dll
β If unavailable, use the same dll from your system
Quick-fix
Use open source
β’ GDR or QFE/LDR ?? ms-patch-tools to
easily get the file
β’ File Versioning versions to
compare
http://null.co.in/ http://nullcon.net/
13. Process
Finding patches
DEMO
http://null.co.in/ http://nullcon.net/
14. Process
Finding patches
Extraction of files
β’ The traditional way of extracting file from patch
β <patchfilename>.exe /x
β Works only till Windows XP and earlier versions of Windows
β’ Above method cannot be used on Win7 and Vista patches
delivered as msu
http://null.co.in/ http://nullcon.net/
15. Process
Finding patches
Extraction of files
β’ Use expand command
β expand -F:* <Saved_MSU_File_Name>.msu C:<Folder_to_extract_in>
β expand -F:* <Saved_MSU_File_Name>.cab C:<Folder_to_extract_in>
http://null.co.in/ http://nullcon.net/
16. Process
Finding patches
Extraction of files
DEMO
http://null.co.in/ http://nullcon.net/
17. Process
Finding patches
Extraction of files
Binary Differencing
β’ DarunGrim v2 used for binary difference
β Feed in the two binaries to be compared
β Generates a list of functions with the %age match between the two files
β’ Not every function %age < 100 is changed
β’ Includes false positives which requires manual analysis
http://null.co.in/ http://nullcon.net/
18. Process
Finding patches
Extraction of files
Binary Differencing
DEMO
http://null.co.in/ http://nullcon.net/
19. Process
Finding patches
Extraction of files
Binary Differencing
Differencing Analysis
β’ Manual inspection of functions with less than 100% match
β Remove false positives generated by problems like
β’ Instruction reordering
Lot of reordering happening over different releases marks even the same blocks as unmatched
β’ Split blocks
Block in the graph which has only parent and the parent has only one child leads to a split block.
causing a problem in the matching process
Can be improved by merging the two blocks and treating as a single block.
http://null.co.in/ http://nullcon.net/
20. Process
Finding patches
Extraction of files
Binary Differencing
Differencing Analysis
β’ Hot patching
Instructions like mov eax, eax at the start of functions are a sign of hot patching leading to a
mismatch in the block
By just ignoring the instruction we can get a match
β’ Compiler optimizations
Different compilers and even different versions of the same compiler perform different
optimizations which also creates problems in getting proper difference
β Eventually reach a function which is indeed modified and might be the fix to
the vulnerability being patched
http://null.co.in/ http://nullcon.net/
21. Process
Finding patches
Extraction of files
Binary Differencing
Differencing Analysis
DEMO
http://null.co.in/ http://nullcon.net/
22. Process
Finding patches
Extraction of files
Binary Differencing
Differencing Analysis
β’ push [ebp-2Ch] ; unsigned int β’ push [ebp-2Ch] ; unsigned int
call ??2@YAPAXI@Z ; operator new(uint) call ??2@YAPAXI@Z ; operator new(uint)
mov ebx, eax pop ecx
pop ecx mov [ebp-14h], eax ; ebp-14h = pBuffer
mov [ebp-18h], ebx mov [ebp-40h], eax
mov [ebp-3Ch], ebx mov byte ptr [ebp-4], 2
mov byte ptr [ebp-4], 1 push [ebp-2Ch]
push dword ptr [ebp-2Ch] mov ecx, esi
mov ecx, esi push ebx
push ebx push edi
push [ebp-30h] call sub_118000C func(const *,void *,long)
call sub_118000C func(const *,void *,long) mov esi, eax
mov edi, eax test esi, esi
test edi, edi jge short loc_118158A
jge short
http://null.co.in/ http://nullcon.net/
23. Process
Finding patches
Extraction of files
Binary Differencing
Differencing Analysis
Debugging
β’ To validate our finding of analysis by debugging
β Getting a crash of the application
β Creating a malformed file to get the crash
β’ Would be using Immunity Debugger
http://null.co.in/ http://nullcon.net/
24. Process
Finding patches
Extraction of files
Binary Differencing
Differencing Analysis
Debugging
DEMO
http://null.co.in/ http://nullcon.net/
25. Conclusion
β’ Presented an overview of how the 1-day exploits and
Vulnerability signatures can be created
β’ Attempt was made to understand the process
involved in reversing and the problems faced during
the execution of the process
β’ Only talked about Microsoft patches but concept not
limited to this.
β’ Concepts presented can be perfected by interested
audience
http://null.co.in/ http://nullcon.net/