  1. Binary vulnerability
     Alex Bazhanyuk, @Abazhanyuk, "RE" school, DefCon-UA, 2012

  2. Vulnerability
     ● Binary, Logic, Web
     ● Why are vulnerabilities so interesting?
     ● Why do we need to patch our OS? (project MIT)
     ● Math models for vulnerabilities
     ● Languages without vulnerabilities

  3. Metrics
     ● CVSS
     ● LPE/RCE
     ● User/Kernel space
     ● Probability (0-100%)

  4. Identifier
     ● CVE (http://cve.mitre.org/cve/cve.html)
     ● SA (http://secunia.com/advisories/search)
     ● Vupen (http://www.vupen.com/english/security-advisories/)
     ● Vendors

  5. Web vulnerabilities (not here)
     ● Cross Site Scripting (XSS)
     ● Injection Flaws (SQLi)
     ● Malicious File Execution (RFI)
     ● Insecure Direct Object Reference
     ● Cross Site Request Forgery (CSRF)
     ● Information Leakage and Improper Error Handling
     ● Broken Authentication and Session Management
     ● Failure to Restrict URL Access

  6. Logic vulnerabilities
     ● int rand() { return 4; }
     ● The client decides whether authorization succeeded or not
     ● [Ch-ch-ch-ch-ching!!! $60,000] [117226] [117230] Critical CVE-2011-3046: UXSS and bad history navigation. Credit to Sergey Glazunov.
     ● GNU C library dynamic linker $ORIGIN expansion vulnerability, Tavis Ormandy.

  7. Binary vulnerabilities

  8. Exploiting
     1) rewrite
     2) transfer of control
     ● Bypass:
       - DEP/ASLR/SafeSEH/SEHOP
       - HeapSpray - Nozzle/Bubble
       - Sandbox
       - Protection NPD
       - ROP in Win8
     ● No protection:
       - SCADA
       - Embedded
       - Network devices

  9. Generic / Not Generic
     ● Generic: the attacker tries to change the heap structure.
     ● Not Generic: the attacker tries to change object info.

  10. Meta-data / data-data
     ● Meta-data = header, checksum, ...
     ● Data-data = user data.
     ● 95% of bugs are in meta-data processing
     ● 5% of bugs are in user-data processing

  11. Level vulnerabilities

  12. Overflow
     ● Stack
     ● Heap (pool)
     ● Integer
  13. Example stack overflow

      #include <string.h>

      void foo(char *bar)
      {
          char c[12];
          strcpy(c, bar);   /* no bounds checking: a bar longer than 11 bytes overruns c */
      }

      int main(int argc, char **argv)
      {
          foo(argv[1]);     /* argv[1] is attacker-controlled and unbounded */
          return 0;
      }
  16. Example heap overflow

      #include <stdio.h>
      #include <stdlib.h>
      #include <unistd.h>
      #include <string.h>
      #include <sys/types.h>   /* u_long, u_int */

      #define BUFSIZE 16
      #define OVERSIZE 8       /* overflow buf2 by OVERSIZE bytes */

      int main(void)
      {
          u_long diff;
          char *buf1 = (char *) malloc(BUFSIZE), *buf2 = (char *) malloc(BUFSIZE);
          diff = (u_long) buf2 - (u_long) buf1;
          printf("buf1 = %p, buf2 = %p, diff = 0x%x bytes\n", buf1, buf2, (u_int) diff);
          memset(buf2, 'A', BUFSIZE - 1), buf2[BUFSIZE - 1] = 0;
          printf("before overflow: buf2 = %s\n", buf2);
          memset(buf1, 'B', (u_int) (diff + OVERSIZE));   /* writes diff + 8 bytes from buf1: past its end and into buf2 */
          printf("after overflow: buf2 = %s\n", buf2);
          return 0;
      }

  17. Result of example

      ./heap
      buf1 = 0x804e000, buf2 = 0x804eff0, diff = 0xff0 bytes
      before overflow: buf2 = AAAAAAAAAAAAAAA
      after overflow: buf2 = BBBBBBBBAAAAAAA
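The two overflow slides above (13 and 16) show the unchecked copies; the hardened form they call for is a copy that knows the destination size. The following is an added example and not code from the slides: copy_bounded(), foo_safe() and heap_neighbour_intact() are my names, and the sample input in main() is constructed. It reproduces both layouts (a 12-byte stack buffer and two adjacent 16-byte heap allocations) and shows that a long input is rejected rather than written past the end.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounds-checked copy. Returns 0 on success and -1 when src (plus its NUL)
 * does not fit in dst; on failure dst is left as an empty string so a caller
 * that ignores the result still holds a valid C string. Never reads more than
 * dst_size bytes of src, so an unterminated src cannot cause an over-read. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size) {             /* no room left for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);         /* len + 1 <= dst_size, so this stays in bounds */
    return 0;
}

/* Slide 13's foo() with the copy bounded: same 12-byte stack buffer. */
int foo_safe(const char *bar)
{
    char c[12];
    return copy_bounded(c, sizeof c, bar);
}

/* Slide 16's layout: two adjacent heap allocations. The write into buf1 is
 * bounded, so buf2 keeps its 15 'A's whatever payload is passed.
 * Returns 1 if buf2 is intact, 0 if not, -1 on allocation failure. */
int heap_neighbour_intact(const char *payload)
{
    enum { BUFSIZE = 16 };
    char *buf1 = malloc(BUFSIZE), *buf2 = malloc(BUFSIZE);
    int intact;
    if (buf1 == NULL || buf2 == NULL) {
        free(buf1);
        free(buf2);
        return -1;
    }
    memset(buf2, 'A', BUFSIZE - 1);
    buf2[BUFSIZE - 1] = '\0';
    (void) copy_bounded(buf1, BUFSIZE, payload);   /* accepted or rejected, it stays inside buf1 */
    intact = strlen(buf2) == BUFSIZE - 1 && strspn(buf2, "A") == BUFSIZE - 1;
    free(buf1);
    free(buf2);
    return intact;
}

int main(int argc, char **argv)
{
    /* constructed sample input: 40 bytes, longer than either buffer */
    const char *input = argc > 1 ? argv[1] : "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("foo_safe: %s\n", foo_safe(input) == 0 ? "copied" : "rejected, too long");
    printf("heap neighbour intact: %d\n", heap_neighbour_intact(input));
    return 0;
}
```

Rejecting instead of truncating is a deliberate choice: a silently truncated name or path is itself a classic source of logic bugs, so the caller is forced to see the failure.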
  18. Overflow in disasm
     ● rep movsb
     ● rep movsd
     ● mov in a loop

  19. Integer overflow

  20. Integer overflow
     Integer overflow -> heap or stack overflow
     Integer overflow != vulnerability

  21. Example integer overflow

      #include <stdio.h>
      #include <stdlib.h>
      #include <string.h>

      /* stand-in for the application's privilege setter, which the slide does not show */
      void setUserStatusAdmin(int admin)
      {
          printf("admin = %d\n", admin);
      }

      int main(int argc, char **argv)
      {
          char chLogin[100];
          char chPassword[100];
          int intPasswordLength;
          int i;
          strcpy(chLogin, argv[1]);
          strcpy(chPassword, argv[2]);
          intPasswordLength = atoi(argv[3]);   /* attacker-controlled */
          int admin = 0;
          char chOriginalPassword[100] = "administrator";
          if (intPasswordLength < 1)
              intPasswordLength = 0;
          intPasswordLength++;                 /* 2147483647 + 1 wraps to -2147483648 */
          if (strcmp(chLogin, "admin") == 0) {
              admin = 1;
              for (i = 0; i <= intPasswordLength; i++)   /* negative bound: the loop body never runs, admin stays 1 */
                  if (chPassword[i] != chOriginalPassword[i])
                      admin = 0;
          }
          setUserStatusAdmin(admin);
          return 0;
      }

  22. Result of example
     intPasswordLength = 2147483647 (0xFFFFFFFF)
     2147483647 (0xFFFFFFFF) + 1 = not 2147483648, but -2147483648
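Slide 21's check can be written so that the attacker-supplied length cannot wrap and cannot steer the comparison. The code below is an added example, not from the slides: parse_length(), safe_increment(), increment_wraps(), is_admin() and admin_from_args() are my names, the variable names mirror the slide, and the inputs in the assertions are constructed. It refuses the out-of-range length before any arithmetic, requires the declared length to match the password actually supplied, and bounds the comparison by the real string lengths.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PASSWORD 100   /* same buffer size as the slide's chPassword[100] */

/* Replacement for the slide's atoi(argv[3]): only a plain decimal number in
 * [0, INT_MAX] is accepted, so "-1", "2147483648" or "13abc" are errors instead
 * of silently becoming some int. Returns 0 on success. */
int parse_length(const char *text, int *out)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0' || v < 0 || v > INT_MAX)
        return -1;
    *out = (int) v;
    return 0;
}

/* Guarded form of the slide's bare `intPasswordLength++`: refuses to wrap.
 * Returns 0 after incrementing, -1 (value untouched) if *x is already INT_MAX. */
int safe_increment(int *x)
{
    if (*x == INT_MAX)
        return -1;
    (*x)++;
    return 0;
}

/* 1 if safe_increment() refused to wrap `start`, 0 if it incremented. */
int increment_wraps(int start)
{
    int x = start;
    return safe_increment(&x) != 0;
}

/* The slide's check done safely. Returns 1 for admin, 0 otherwise. */
int is_admin(const char *chLogin, const char *chPassword, int intPasswordLength)
{
    const char chOriginalPassword[] = "administrator";
    size_t expected = sizeof chOriginalPassword - 1;
    size_t given;

    if (strcmp(chLogin, "admin") != 0)
        return 0;
    if (intPasswordLength < 1 || intPasswordLength >= MAX_PASSWORD)
        return 0;                                   /* the slide's INT_MAX case ends here */
    given = strlen(chPassword);
    if (given != (size_t) intPasswordLength || given != expected)
        return 0;                                   /* declared length must match reality */
    return memcmp(chPassword, chOriginalPassword, expected) == 0;
}

/* Mirrors the slide's argv handling: login, password, declared length as text. */
int admin_from_args(const char *login, const char *password, const char *length_text)
{
    int n;
    if (parse_length(length_text, &n) != 0)
        return 0;
    return is_admin(login, password, n);
}
```

The point of the second check in is_admin() is that the loop bound in slide 21 is chosen by the attacker; once the length is tied to strlen() of the supplied string and to the expected password, the number in argv[3] can no longer shorten or skip the comparison.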
  23. Pointer vulnerability
     ● Heap/JIT Spray
     ● NPD in user space:
       1) Rewrite SEH handler
       2) [eax+bit_value]

  24. Example NPD

      Registers:
      eax=00000000 ebx=0000003b ecx=0be0f1c0 edx=00000000 esi=0be0f1c0 edi=0bfa3058
      eip=6a606e58 esp=02333000 ebp=0233300c iopl=0 no up ei pl nz na po nc
      cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202

      Code disassembly:
      6A606E48 | 80cc04       | or ah, 0x4
      6A606E4B | 0000         | add [eax], al
      6A606E4D | 8d4dff       | lea ecx, [ebp-0x1]
      6A606E50 | 51           | push ecx
      6A606E51 | 52           | push edx
      6A606E52 | 8bce         | mov ecx, esi
      6A606E54 | c645ff00     | mov byte [ebp-0x1], 0x0
      6A606E58 | ffd0         | call eax
      6A606E5A | 807dff00     | cmp byte [ebp-0x1], 0x0
      6A606E5E | 750c         | jnz mshtml!createhtmlpropertypage+0x31ec1
      6A606E60 | 8b16         | mov edx, [esi]
      6A606E62 | 8b82c8040000 | mov eax, [edx+0x4c8]

  25. Use after free

      First chance exceptions are reported before any exception handling.
      This exception may be expected and handled.
      eax=008a0000 ebx=0011ff7c ecx=00000000 edx=00000000 esi=00c12408 edi=05b71000
      eip=6bdff979 esp=0011fee8 ebp=0011ff88 iopl=0 nv up ei pl zr na pe nc
      cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
      Shared\OFFICE14\MSPTLS.DLL -
      MSPTLS!LssbFIsSublineEmpty+0x2fdb9:
      6bdff979 ff943888020000  call dword ptr <Unloaded_0.DLL>+0x287 (00000288)[eax+edi] ds:0023:06411288=????????
      0:000> k
      ChildEBP RetAddr
      WARNING: Stack unwind information not available. Following frames may be wrong.
      0011ff88 6bdce474 MSPTLS!LssbFIsSublineEmpty+0x2fdb9
      0011ffb4 3179dc17 MSPTLS!LsQueryLineCpPpoint+0xb0
      0011ffe0 3179dbad wwlib!GetAllocCounters+0xb6e4f
      00120010 319a2cf4 wwlib!GetAllocCounters+0xb6de5
      0012003c 319a2875 wwlib!DllGetLCID+0xc52fe
      001200bc 31a94d48 wwlib!DllGetLCID+0xc4e7f
      001204ec 31a9a05d wwlib!DllGetLCID+0x1b7352
      0012052c 31a9aab5 wwlib!DllGetLCID+0x1bc667
      0012064c 31785b8c wwlib!DllGetLCID+0x1bd0bf
      001207a0 3176fab7 wwlib!GetAllocCounters+0x9edc4
      001207c4 3176f1e5 wwlib!GetAllocCounters+0x88cef
      00120808 3176b644 wwlib!GetAllocCounters+0x8841d
      00120834 317691e4 wwlib!GetAllocCounters+0x8487c
      00120890 31769016 wwlib!GetAllocCounters+0x8241c
      001209b0 31768f9a wwlib!GetAllocCounters+0x8224e
      001209d4 317642cd wwlib!GetAllocCounters+0x821d2
      00120ad4 31761e22 wwlib!GetAllocCounters+0x7d505
      00120afc 31761deb wwlib!GetAllocCounters+0x7b05a
      00120d64 31732d59 wwlib!GetAllocCounters+0x7b023
      001212b4 31926f9a wwlib!GetAllocCounters+0x4bf91
      6bdff979 ff943888020000  call dword ptr <Unloaded_0.DLL>+0x287 (00000288)[eax+edi] ds:0023:06411288=????????
  26. Race condition

      /* The slide shows wmain() and Crack() side by side; they are separated
       * here. Declarations the slide omits (the ZwOpenKey typedef and the two
       * events) are added so the listing is complete; the "..." is the slide's own elision. */
      #include <windows.h>
      #include <winternl.h>
      #include <conio.h>
      #include <stdio.h>

      typedef NTSTATUS (NTAPI _ZwOpenKey)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
      _ZwOpenKey *ZwOpenKey;
      HANDLE hStartEvent, hStopEvent;   /* created in the part of wmain() the slide elides */

      DWORD WINAPI Crack(LPVOID Context)
      {
          POBJECT_ATTRIBUTES oa = (POBJECT_ATTRIBUTES) Context;
          DWORD *ptr = (DWORD *) &oa->ObjectName->Buffer;   /* the pointer the kernel will read */
          SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST);
          SetEvent(hStartEvent);
          while ( true ) {
              *ptr = 0x90909090;   /* rewrite the shared pointer while the main thread is inside ZwOpenKey */
              if ( WaitForSingleObject(hStopEvent, 1) == WAIT_OBJECT_0 )
                  break;
          }
          return 0;
      }

      int wmain(int argc, wchar_t *argv[])
      {
          ZwOpenKey = (_ZwOpenKey *) GetProcAddress(GetModuleHandle(L"ntdll.dll"), "ZwOpenKey");
          OBJECT_ATTRIBUTES oa;
          wchar_t wcKeyName[] = L"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\DrWatson";
          UNICODE_STRING KeyName = {
              sizeof wcKeyName - sizeof wcKeyName[0],
              sizeof wcKeyName,
              wcKeyName
          };
          DWORD ptr = (DWORD) KeyName.Buffer;
          InitializeObjectAttributes(&oa, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL);
          DWORD ThreadId;
          HANDLE hThread = CreateThread(NULL, 0, Crack, &oa, 0, &ThreadId);
          while ( !_kbhit() ) {
              HANDLE hKey;
              /* oa.ObjectName->Buffer is being rewritten by Crack() while the kernel reads it */
              NTSTATUS rc = ZwOpenKey(&hKey, STANDARD_RIGHTS_READ, &oa);
              if ( !NT_SUCCESS(rc) )
                  printf("Error: %x\n", rc);
              else {
                  CloseHandle(hKey);
              }
          }
          ...
          return 0;
      }
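The bug class slide 26 targets is a double fetch: the consumer validates a field of a caller-supplied descriptor, then reads the descriptor again when it uses it, and the second read can see a different value. The following added example (not from the slides; struct name_desc, the two open_by_name_* handlers, swap_descriptor() and KEY_NAME are my constructions) shows the vulnerable and the corrected consumer side by side. Instead of a real second thread, the moment at which the scheduler could switch is modelled by a hook so that the outcome is repeatable; the fix is the same one a kernel applies, which is to copy the whole descriptor once and use only the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { MAX_NAME = 32 };

/* The shared descriptor: a pointer/length pair like the UNICODE_STRING that
 * slide 26 passes to ZwOpenKey() and rewrites from a second thread. */
struct name_desc {
    const char *buffer;
    size_t length;
};

/* Stand-in for the other thread: called at the point where a context switch could occur. */
typedef void (*interleave_hook)(struct name_desc *shared);

/* Double fetch: validates shared->length, then reads shared->length and
 * shared->buffer again for the copy. Return codes: 0 ok, -1 rejected by the
 * check, -2 the second read no longer satisfies the check. In a real kernel
 * there is no second check, and -2 is the overflow or the dereference of an
 * attacker-chosen pointer; the guard exists only so this demo cannot crash. */
int open_by_name_double_fetch(struct name_desc *shared, interleave_hook hook, char *out)
{
    if (shared->buffer == NULL || shared->length >= MAX_NAME)
        return -1;
    if (hook)
        hook(shared);                              /* the other thread runs here */
    if (shared->buffer == NULL || shared->length >= MAX_NAME)
        return -2;
    memcpy(out, shared->buffer, shared->length);   /* second read of both fields */
    out[shared->length] = '\0';
    return 0;
}

/* Single fetch: copy the whole descriptor once, validate the copy, use only the copy. */
int open_by_name_single_fetch(struct name_desc *shared, interleave_hook hook, char *out)
{
    struct name_desc local = *shared;              /* the only read of shared memory */
    if (local.buffer == NULL || local.length >= MAX_NAME)
        return -1;
    if (hook)
        hook(shared);                              /* later changes to shared are irrelevant */
    memcpy(out, local.buffer, local.length);
    out[local.length] = '\0';
    return 0;
}

/* The racing thread's effect, as on slide 26: the pointer becomes garbage and
 * the length becomes one that would not have passed the check. */
static void swap_descriptor(struct name_desc *shared)
{
    shared->buffer = (const char *) (uintptr_t) 0x90909090;
    shared->length = 1000;
}

static const char KEY_NAME[] = "DrWatson";        /* constructed key name */

/* Run one handler; 1 means it succeeded and out holds KEY_NAME, otherwise the handler's code. */
static int run_demo(int (*handler)(struct name_desc *, interleave_hook, char *), interleave_hook hook)
{
    struct name_desc shared = { KEY_NAME, sizeof KEY_NAME - 1 };
    char out[MAX_NAME];
    int rc = handler(&shared, hook, out);
    if (rc != 0)
        return rc;
    return strcmp(out, KEY_NAME) == 0 ? 1 : 0;
}

int double_fetch_demo(int racing) { return run_demo(open_by_name_double_fetch, racing ? swap_descriptor : NULL); }
int single_fetch_demo(int racing) { return run_demo(open_by_name_single_fetch, racing ? swap_descriptor : NULL); }
```

Note that copying the pointer once is only half of it: the bytes the pointer refers to are also attacker memory, so the single-fetch handler copies them into its own buffer before doing anything with them, which is what the memcpy() into out represents.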
  27. RE vs tester
     ● Tester:
       - QA: look at and spit on the ceiling
       - Functional: performance and optimization, takes part in the development loop.
     ● RE: exceptions, bugs, disasm and other crap.

  28. Tools
     ● Source code:
       - frama-c
       - Coverity
       - bddbddb
       - Saturn
       - PathFinder
       - CoreDet
       - Coccinelle
       - http://www.checkmycode.org/
     ● Binary
       - static: IDA
       - dynamic:
         1) mutation fuzzer, smart fuzzer
         2) peach, sulley
         3) hotfuzz
         4) inmemfuzzer, fuzzgrind
         5) KLEE
         6) S2E
         7) Bitblaze
         8) BAP

  29. Mutation fuzzer
     Simple mutation fuzzer
     Smart mutation fuzzer
     ● Flash: 400 – Tavis Ormandy
     ● Adobe Reader: 120 – Charlie Miller
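Slide 29 contrasts a simple mutation fuzzer with a smart one without showing either. The code below is an added example, not from the slides or from any of the tools listed: rnd(), mutate_simple(), mutate_smart(), parse_record(), fuzz() and fuzz_accepted() are my names, and the record format and the seed input are constructed. The simple mutator edits bytes blindly; the smart one knows the record layout and aims boundary values at the length field, which is where a parser's bounds check lives. Both run the same constructed target and the statistics show how many more mutants the smart one gets past the header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* xorshift32 PRNG: deterministic, so an input that breaks the target can be
 * regenerated from (prng_seed, iteration) instead of being saved to disk. */
static uint32_t rng_state = 1;
static uint32_t rnd(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return rng_state = x;
}

/* Simple mutation fuzzer: 1..4 blind byte-level edits anywhere in the buffer. */
void mutate_simple(uint8_t *buf, size_t len)
{
    int rounds = 1 + (int)(rnd() % 4);
    for (int r = 0; r < rounds && len > 0; r++) {
        size_t i = rnd() % len;
        switch (rnd() % 3) {
        case 0:  buf[i] ^= (uint8_t)(1u << (rnd() % 8)); break;   /* bit flip */
        case 1:  buf[i] = (uint8_t) rnd();                 break;   /* random byte */
        default: buf[i] = buf[rnd() % len];                break;   /* copy another byte */
        }
    }
}

/* Smart mutation fuzzer: knows the layout (magic, length, payload). It never
 * breaks the magic, and for the length field it picks boundary values
 * (0, max, max+1, 255) that go straight at the parser's bounds check. */
void mutate_smart(uint8_t *buf, size_t len)
{
    size_t max_payload;
    if (len < 4)
        return;
    max_payload = len - 3;
    if (rnd() % 2) {
        uint8_t choices[4] = { 0, (uint8_t) max_payload, (uint8_t)(max_payload + 1), 255 };
        buf[2] = choices[rnd() % 4];
    } else {
        size_t i = 3 + rnd() % (len - 3);
        buf[i] ^= (uint8_t)(1u << (rnd() % 8));
    }
}

/* Constructed target: record = 'R' 'C' | len (1 byte) | payload (len bytes).
 * Returns the payload length on accept, -1 on reject. The length check is the
 * one a real parser forgets; without it a large len byte reads past the buffer. */
int parse_record(const uint8_t *buf, size_t len)
{
    size_t payload, i;
    unsigned sum = 0;
    if (len < 3 || buf[0] != 'R' || buf[1] != 'C')
        return -1;
    payload = buf[2];
    if (payload > len - 3)
        return -1;
    for (i = 0; i < payload; i++)        /* touch the payload like a real consumer would */
        sum += buf[3 + i];
    return (int) payload + (int)(sum & 0);   /* sum is consumed, result is the payload length */
}

struct fuzz_stats { unsigned accepted, rejected; };

/* Run `iterations` mutants of `seed` through parse_record() with the chosen mutator. */
struct fuzz_stats fuzz(const uint8_t *seed, size_t len, uint32_t prng_seed,
                       unsigned iterations, void (*mutator)(uint8_t *, size_t))
{
    struct fuzz_stats st = { 0, 0 };
    uint8_t work[64];
    if (len > sizeof work)
        len = sizeof work;
    rng_state = prng_seed ? prng_seed : 1;   /* xorshift must not start at 0 */
    for (unsigned n = 0; n < iterations; n++) {
        memcpy(work, seed, len);
        mutator(work, len);
        if (parse_record(work, len) >= 0)
            st.accepted++;
        else
            st.rejected++;
    }
    return st;
}

static const uint8_t SEED[] = { 'R', 'C', 5, 'h', 'e', 'l', 'l', 'o' };   /* constructed valid seed */

/* Accepted count for 1000 mutants of SEED: smart = 1 uses mutate_smart, else mutate_simple. */
unsigned fuzz_accepted(uint32_t prng_seed, int smart)
{
    return fuzz(SEED, sizeof SEED, prng_seed, 1000, smart ? mutate_smart : mutate_simple).accepted;
}

int main(void)
{
    printf("simple: %u of 1000 accepted\n", fuzz_accepted(0x1234, 0));
    printf("smart:  %u of 1000 accepted\n", fuzz_accepted(0x1234, 1));
    return 0;
}
```

In a real harness the "accepted" counter is replaced by a crash or sanitizer monitor (the exception monitor of the next slide), and the PRNG seed plus iteration number is what you log so a crashing input can be rebuilt.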
  30. COMRaider
     Company: iDefense
     Target: ActiveX
     https://github.com/dzzie/COMRaider

  31. peach, sulley, hotfuzz
     ● Exception monitor
     ● Mutation fuzzer
     ● Configuration schema protocol
     ● Hotfuzz = peach + wireshark (tshark)
     http://peachfuzzer.com/
     http://hotfuzz.sourceforge.net/
     https://github.com/OpenRCE/sulley

  32. Fuzzgrind, fuzzball
     ● Based on Valgrind
     ● DBI with a solver
     ● "on-the-spot symbolic execution"
     ● http://esec-lab.sogeti.com/pages/Fuzzgrind

  33. BitBlaze, BAP
     ● Dynamic analysis
     ● Static analysis
     ● Taint analysis
     ● Symbolic analysis
     ● BitBlaze is a QEMU-based tracing system. http://bitblaze.cs.berkeley.edu/
     ● BAP is a PIN-based tracing system. http://bap.ece.cmu.edu/

  34. Real world
     ● Browser = ~4*10^9 instructions
     ● Not a code-based method.
     ● Not an input-based method.
     ● Only human-based test cases: cross_fuzz

  35. The potential vulnerability
     ● Static: very bad (~0.1%).
     ● Dynamic (taint, symbolic execution): bad (~2%).
     ● Dynamic (fuzzing, debugger): not bad (~5%).

  36. Thanks :)
     virvdova@gmail.com