1. Binary vulnerability
   Alex Bazhanyuk, @Abazhanyuk, "RE" school, DefCon-UA, 2012
2. Vulnerability
   ● Binary, Logic, Web
   ● Why are vulnerabilities so interesting?
   ● Why do we need to patch our OS? (project MIT)
   ● Math models for vulnerabilities
   ● Languages without vulnerabilities
3. Metrics
   ● CVSS
   ● LPE/RCE
   ● User/Kernel space
   ● Probability (0-100%)
4. Identifier
   ● CVE (http://cve.mitre.org/cve/cve.html)
   ● SA (http://secunia.com/advisories/search)
   ● Vupen (http://www.vupen.com/english/security-advisories/)
   ● Vendors
5. Web vulnerabilities (not covered here)
   ● Cross Site Scripting (XSS)
   ● Injection Flaws (SQLi)
   ● Malicious File Execution (RFI)
   ● Insecure Direct Object Reference
   ● Cross Site Request Forgery (CSRF)
   ● Information Leakage and Improper Error Handling
   ● Broken Authentication and Session Management
   ● Failure to Restrict URL Access
6. Logic vulnerabilities
   ● int rand() { return 4; }
   ● The client decides whether authorization succeeded or not
   ● [Ch-ch-ch-ch-ching!!! $60,000] [117226] [117230] Critical CVE-2011-3046: UXSS and bad history navigation. Credit to Sergey Glazunov.
   ● GNU C library dynamic linker $ORIGIN expansion vulnerability, Tavis Ormandy.
7. Binary vulnerabilities
8. Exploiting
   1) rewrite
   2) transfer of control
   ● Bypass:
     - DEP/ASLR/SafeSEH/SEHOP
     - HeapSpray - Nozzle/Bubble
     - Sandbox
     - NPD protection
     - ROP in Win8
   ● No protection at all:
     - SCADA
     - Embedded
     - Network devices
9. Generic / Not generic
   ● Generic – the attacker tries to change the heap structure.
   ● Not generic – the attacker tries to change object info.
10. Meta-data / data-data
   ● Meta-data = header, checksum, ...
   ● Data-data = user data.
   ● 95% of bugs are in meta-data processing
   ● 5% of bugs are in user-data processing
11. Level vulnerabilities
12. Overflow
   ● Stack
   ● Heap (pool)
   ● Integer
13. Example stack overflow

    #include <string.h>

    void foo(char *bar)
    {
        char c[12];
        strcpy(c, bar); /* no bounds checking: more than 11 bytes in bar overflow c */
    }

    int main(int argc, char **argv)
    {
        if (argc > 1)
            foo(argv[1]);
        return 0;
    }
14. (image-only slide, no text transcript)
15. (image-only slide, no text transcript)
16. Example heap overflow

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <sys/types.h>

    #define BUFSIZE 16
    #define OVERSIZE 8 /* overflow buf2 by OVERSIZE bytes */

    int main(void)
    {
        u_long diff;
        char *buf1 = (char *) malloc(BUFSIZE);
        char *buf2 = (char *) malloc(BUFSIZE);

        diff = (u_long) buf2 - (u_long) buf1;
        printf("buf1 = %p, buf2 = %p, diff = 0x%lx bytes\n", buf1, buf2, diff);

        memset(buf2, 'A', BUFSIZE - 1);
        buf2[BUFSIZE - 1] = 0;
        printf("before overflow: buf2 = %s\n", buf2);

        /* writes diff + OVERSIZE bytes from buf1: runs past its end and into buf2 */
        memset(buf1, 'B', (u_int) (diff + OVERSIZE));
        printf("after overflow: buf2 = %s\n", buf2);
        return 0;
    }
17. Result of example

    ./heap
    buf1 = 0x804e000, buf2 = 0x804eff0, diff = 0xff0 bytes
    before overflow: buf2 = AAAAAAAAAAAAAAA
    after overflow: buf2 = BBBBBBBBAAAAAAA
18. Overflow in disasm
   ● rep movsb
   ● rep movsd
   ● mov in a loop
19. Integer overflow
20. Integer overflow
   ● Integer overflow -> heap or stack overflow
   ● Integer overflow != vulnerability on its own
21. Example integer overflow

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    /* stand-in for the real function, which the slide does not show */
    static void setUserStatusAdmin(int admin) { printf("admin = %d\n", admin); }

    int main(int argc, char **argv)
    {
        char chLogin[100];
        char chPassword[100];
        int intPasswordLength;
        int admin = 0;
        int i;
        char chOriginalPassword[100] = "administrator";

        if (argc < 4)
            return 1;
        strcpy(chLogin, argv[1]);          /* unchecked copies, as on the slide */
        strcpy(chPassword, argv[2]);
        intPasswordLength = atoi(argv[3]); /* attacker-controlled length */

        if (intPasswordLength < 1)
            intPasswordLength = 0;
        intPasswordLength++;               /* 2147483647 + 1 wraps to -2147483648 */

        if (strcmp(chLogin, "admin") == 0) { /* compare the login, do not assign to it */
            admin = 1;
            /* with a negative length the loop body never runs and admin stays 1 */
            for (i = 0; i <= intPasswordLength; i++)
                if (chPassword[i] != chOriginalPassword[i])
                    admin = 0;
        }
        setUserStatusAdmin(admin);
        return 0;
    }
22. Result of example
   intPasswordLength = 2147483647 (0xFFFFFFFF)
   2147483647 (0xFFFFFFFF) + 1 = not 2147483648, it's -2147483648
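Added example, not from the slides: the check from slide 21 as a function beside a hardened version, with the increment done through unsigned arithmetic so the wrap the slide reports is reproduced without undefined behaviour. The function names, the 100-byte `PW_MAX` and the `i < PW_MAX` guard in the vulnerable variant are my own.

```c
#include <limits.h>
#include <stdint.h>
#include <string.h>

#define PW_MAX 100
static const char kOriginalPassword[PW_MAX] = "administrator";

/* Two's-complement increment, reproducing the 2147483647 + 1 = -2147483648 the slide shows.
   Done through unsigned arithmetic so this demo itself has no undefined behaviour. */
static int32_t wrap_inc(int32_t v) { return (int32_t)((uint32_t)v + 1u); }

/* Vulnerable check with the slide's logic: `len` is attacker-controlled (argv[3] there).
   admin starts at 1 and is only cleared inside the loop, so a length that wraps to
   INT_MIN skips the loop entirely and any password is accepted. */
int admin_vulnerable(const char *pw, int32_t len) {
    char buf[PW_MAX] = {0};
    int admin = 1;
    strncpy(buf, pw, PW_MAX - 1);
    if (len < 1) len = 0;
    len = wrap_inc(len);                          /* INT_MAX -> INT_MIN */
    /* `i < PW_MAX` keeps this demo inside the buffer; the slide's loop has no such bound */
    for (int32_t i = 0; i <= len && i < PW_MAX; i++)
        if (buf[i] != kOriginalPassword[i]) admin = 0;
    return admin;
}

/* Hardened check: range-check the untrusted length before any arithmetic on it, loop with
   size_t, and start from "not admin" so a skipped comparison can never grant access. */
int admin_hardened(const char *pw, int32_t len) {
    char buf[PW_MAX] = {0};
    if (len < 1 || len >= PW_MAX) return 0;       /* rejected before it is ever incremented */
    if ((size_t)len != strlen(kOriginalPassword)) return 0;
    strncpy(buf, pw, PW_MAX - 1);
    for (size_t i = 0; i < (size_t)len; i++)
        if (buf[i] != kOriginalPassword[i]) return 0;
    return 1;
}
```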
23. Pointer vulnerability
   ● Heap/JIT spray
   ● NPD in user space: 1) rewrite the SEH handler 2) [eax+bit_value]
24. Example NPD

    Registers:
    eax=00000000 ebx=0000003b ecx=0be0f1c0 edx=00000000 esi=0be0f1c0 edi=0bfa3058
    eip=6a606e58 esp=02333000 ebp=0233300c iopl=0 no up ei pl nz na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202

    Code disassembly:
    6A606E48 | 80cc04       | or ah, 0x4
    6A606E4B | 0000         | add [eax], al
    6A606E4D | 8d4dff       | lea ecx, [ebp-0x1]
    6A606E50 | 51           | push ecx
    6A606E51 | 52           | push edx
    6A606E52 | 8bce         | mov ecx, esi
    6A606E54 | c645ff00     | mov byte [ebp-0x1], 0x0
    6A606E58 | ffd0         | call eax
    6A606E5A | 807dff00     | cmp byte [ebp-0x1], 0x0
    6A606E5E | 750c         | jnz mshtml!createhtmlpropertypage+0x31ec1
    6A606E60 | 8b16         | mov edx, [esi]
    6A606E62 | 8b82c8040000 | mov eax, [edx+0x4c8]
25. Use after free

    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=008a0000 ebx=0011ff7c ecx=00000000 edx=00000000 esi=00c12408 edi=05b71000
    eip=6bdff979 esp=0011fee8 ebp=0011ff88 iopl=0 nv up ei pl zr na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
    Shared\OFFICE14\MSPTLS.DLL -
    MSPTLS!LssbFIsSublineEmpty+0x2fdb9:
    6bdff979 ff943888020000 call dword ptr <Unloaded_0.DLL>+0x287 (00000288)[eax+edi] ds:0023:06411288=????????
    0:000> k
    ChildEBP RetAddr
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0011ff88 6bdce474 MSPTLS!LssbFIsSublineEmpty+0x2fdb9
    0011ffb4 3179dc17 MSPTLS!LsQueryLineCpPpoint+0xb0
    0011ffe0 3179dbad wwlib!GetAllocCounters+0xb6e4f
    00120010 319a2cf4 wwlib!GetAllocCounters+0xb6de5
    0012003c 319a2875 wwlib!DllGetLCID+0xc52fe
    001200bc 31a94d48 wwlib!DllGetLCID+0xc4e7f
    001204ec 31a9a05d wwlib!DllGetLCID+0x1b7352
    0012052c 31a9aab5 wwlib!DllGetLCID+0x1bc667
    0012064c 31785b8c wwlib!DllGetLCID+0x1bd0bf
    001207a0 3176fab7 wwlib!GetAllocCounters+0x9edc4
    001207c4 3176f1e5 wwlib!GetAllocCounters+0x88cef
    00120808 3176b644 wwlib!GetAllocCounters+0x8841d
    00120834 317691e4 wwlib!GetAllocCounters+0x8487c
    00120890 31769016 wwlib!GetAllocCounters+0x8241c
    001209b0 31768f9a wwlib!GetAllocCounters+0x8224e
    001209d4 317642cd wwlib!GetAllocCounters+0x821d2
    00120ad4 31761e22 wwlib!GetAllocCounters+0x7d505
    00120afc 31761deb wwlib!GetAllocCounters+0x7b05a
    00120d64 31732d59 wwlib!GetAllocCounters+0x7b023
    001212b4 31926f9a wwlib!GetAllocCounters+0x4bf91
    6bdff979 ff943888020000 call dword ptr <Unloaded_0.DLL>+0x287 (00000288)[eax+edi] ds:0023:06411288=????????
26. Race condition

    #include <windows.h>
    #include <winternl.h>
    #include <conio.h>
    #include <stdio.h>

    #ifndef NT_SUCCESS
    #define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
    #endif

    typedef NTSTATUS (NTAPI _ZwOpenKey)(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess,
                                        POBJECT_ATTRIBUTES ObjectAttributes);
    static _ZwOpenKey *ZwOpenKey;
    static HANDLE hStartEvent, hStopEvent; /* created before the threads start; elided on the slide */

    /* second thread: keeps clobbering the Buffer pointer the kernel is about to read */
    DWORD WINAPI Crack(LPVOID Context)
    {
        POBJECT_ATTRIBUTES oa = (POBJECT_ATTRIBUTES) Context;
        DWORD *ptr = (DWORD *) &oa->ObjectName->Buffer;
        SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST);
        SetEvent(hStartEvent);
        while (true) {
            *ptr = 0x90909090;
            if (WaitForSingleObject(hStopEvent, 1) == WAIT_OBJECT_0)
                break;
        }
        return 0;
    }

    int wmain(int argc, wchar_t *argv[])
    {
        ZwOpenKey = (_ZwOpenKey *) GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "ZwOpenKey");
        OBJECT_ATTRIBUTES oa;
        wchar_t wcKeyName[] = L"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\DrWatson";
        UNICODE_STRING KeyName = {
            sizeof wcKeyName - sizeof wcKeyName[0],
            sizeof wcKeyName,
            wcKeyName
        };
        DWORD ptr = (DWORD) KeyName.Buffer;            /* the valid pointer, restored each round */
        InitializeObjectAttributes(&oa, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL);
        DWORD ThreadId;
        HANDLE hThread = CreateThread(NULL, 0, Crack, &oa, 0, &ThreadId);
        while (!_kbhit()) {
            HANDLE hKey;
            oa.ObjectName->Buffer = (PWSTR) ptr;      /* main thread restores, Crack() clobbers */
            NTSTATUS rc = ZwOpenKey(&hKey, STANDARD_RIGHTS_READ, &oa);
            if (!NT_SUCCESS(rc))
                printf("Error: %x\n", rc);
            else
                CloseHandle(hKey);
        }
        ...
        return 0;
    }
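Added example, not from the slides: a user-mode model of the double fetch that the race on slide 26 targets, next to the capture-once pattern a kernel handler should use instead. `user_string`, `BAD_PTR`, `is_user_address` and `lookup_key` are my stand-ins for UNICODE_STRING, the 0x90909090 value the racing thread writes, kernel pointer probing and the real key lookup; the racer is called explicitly between the two reads so the outcome is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the ObjectName string a syscall receives from user mode (cf. UNICODE_STRING). */
typedef struct { const char *buffer; size_t length; } user_string;

/* Sentinel standing in for the garbage the racing thread writes (0x90909090 on the slide). */
#define BAD_PTR ((const char *)(uintptr_t)0x90909090u)

/* Stand-in for kernel probing: only the sentinel counts as a non-user address here. */
static int is_user_address(const char *p) { return p != NULL && p != BAD_PTR; }

/* Stand-in for the key lookup; dereferencing BAD_PTR would be a kernel fault, so report it. */
static int lookup_key(const char *p, size_t len) {
    if (p == BAD_PTR) return -2;                 /* used the attacker's pointer */
    return len == strlen(p) ? 0 : -1;
}

/* Simulated racing thread: flips the pointer between the handler's two reads. */
static void racer_overwrite(volatile user_string *u) { u->buffer = BAD_PTR; }
typedef void (*racer_fn)(volatile user_string *);

/* Vulnerable pattern: validate u->buffer, then read it again when using it (double fetch). */
int open_key_double_fetch(volatile user_string *u, racer_fn racer) {
    if (!is_user_address(u->buffer)) return -1;  /* fetch 1: check */
    racer(u);                                    /* window in which user mode changes it */
    return lookup_key(u->buffer, u->length);     /* fetch 2: use, possibly another value */
}

/* Hardened pattern: capture the structure once, then check and use only the local copy. */
int open_key_capture_once(volatile user_string *u, racer_fn racer) {
    user_string local = { u->buffer, u->length }; /* single fetch into kernel-owned memory */
    if (!is_user_address(local.buffer)) return -1;
    racer(u);                                    /* later changes no longer matter */
    return lookup_key(local.buffer, local.length);
}

/* Replays the slide's scenario: the key path from the slide, racer flipping the pointer. */
int demo(int (*handler)(volatile user_string *, racer_fn), racer_fn racer) {
    static const char name[] = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\DrWatson";
    volatile user_string u = { name, sizeof name - 1 };
    return handler(&u, racer);
}

int main(void) {
    printf("double fetch, racing: %d\n", demo(open_key_double_fetch, racer_overwrite)); /* -2 */
    printf("capture once, racing: %d\n", demo(open_key_capture_once, racer_overwrite)); /* 0 */
    return 0;
}
```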
27. RE vs tester
   ● Tester:
     - QA: look at and spit on the ceiling
     - Functional: performance and optimization, take part in the development loop.
   ● RE: exceptions, bugs, disasm and other crap.
28. Tools
   ● Source code:
     - frama-c
     - Coverity
     - bddbddb
     - Saturn
     - PathFinder
     - CoreDet
     - Coccinelle
     - http://www.checkmycode.org/
   ● Binary:
     - static: IDA
     - dynamic:
       1) mutation fuzzer, smart fuzzer
       2) peach, sulley
       3) hotfuzz
       4) inmemfuzzer, fuzzgrind
       5) KLEE
       6) S2E
       7) BitBlaze
       8) BAP
29. Mutation fuzzer
   ● Simple mutation fuzzer
   ● Smart mutation fuzzer
   ● Flash: 400 – Tavis Ormandy
   ● Adobe Reader: 120 – Charlie Miller
30. COMRaider
   Company: iDefense
   Target: ActiveX
   https://github.com/dzzie/COMRaider
31. peach, sulley, hotfuzz
   ● Exception monitor
   ● Mutation fuzzer
   ● Configuration schema for the protocol
   ● Hotfuzz = peach + wireshark (tshark)
   http://peachfuzzer.com/
   http://hotfuzz.sourceforge.net/
   https://github.com/OpenRCE/sulley
32. Fuzzgrind, fuzzball
   ● Based on Valgrind
   ● DBI with a solver
   ● "on-the-spot symbolic execution"
   ● http://esec-lab.sogeti.com/pages/Fuzzgrind
33. BitBlaze, BAP
   ● Dynamic analysis
   ● Static analysis
   ● Taint analysis
   ● Symbolic analysis
   ● BitBlaze is a QEMU-based tracing system. http://bitblaze.cs.berkeley.edu/
   ● BAP is a PIN-based tracing system. http://bap.ece.cmu.edu/
34. Real world
   ● Browser ≈ 4*10^9 instructions
   ● Not a code-based method.
   ● Not an input-based method.
   ● Only human-based test cases: cross_fuzz
35. The potential vulnerability.
   ● Static – very bad (~0.1%).
   ● Dynamic (taint, symbolic execution) – bad (~2%).
   ● Dynamic (fuzzing, debugger) – not bad (~5%).
36. Thanks :)
   virvdova@gmail.com