
Code Graphology

Thomas Roccia
November 29, 2022


Writing exploits is a complex task that requires some experience to build a reliable proof of concept (POC). Most of the time, exploit developers rely on certain habits to fingerprint the operating system, elevate privileges, or build exploit primitives.

Being able to identify exploit developer habits can be very useful in identifying a variant of an exploit or an additional POC. This presentation will focus on studying a local privilege escalation (LPE) on the Windows operating system and how we can dissect it to identify artifacts that can be used to hunt for similar code in the wild.

Through the presentation, we will detail some of the exploit mechanisms and see how to build reliable hunting rules. The audience will learn more about exploit techniques and how to identify the parts of the code that may be relevant to analyse for threat hunting.


Transcript


  3. Code graphology definition
    Case study on an LPE: CVE-2021-1732
    Extracting relevant artifacts
    Creating a hunting Yara rule


  4. Code graphology is particularly useful in exploit hunting because exploit writers tend to reuse
    similar mechanisms across multiple exploits.
    It was first discussed by Check Point researchers @megabeets_ and @EyalItkin at VirusBulletin in 2020.


  5. CVE-2021-1732 is a Local Privilege Escalation (LPE) exploit on Windows 10.
    The exploit was reported by DBAPPSecurity in February 2021 and was allegedly used by the Bitter APT.
    It is a kernel exploit: a Win32k window object type confusion leading to an out-of-bounds (OOB) write.


  7. Leaking Technique
    Strings
    Exploit
    Primitives
    OS Fingerprinting
    Token Swapping


  8. Another unique string found in the binary:
    "T$hH9T$ptf"
    PDB path:
    "C:\Users\Win10\source\repos\KSP_EPL\x64\Release\ConsoleApplication13.pdb"
    Kaspersky process fingerprinted at the beginning:
    "avp.exe"
    Strings used to create the class and the window:
    "normalClass"
    "magicClass"
    "somewnd"


  9. The IsWow64Process function is called to check whether the process is running
    on a 64-bit or a 32-bit version of Windows.
    This is a common mechanism in exploit development to set up the exploitation correctly.
    The running build number must be larger than 0x3FE1 and 0x471C (Windows 10 build 16353
    and Windows 10 build 18204) for the execution to continue.


  10. Many exploits use a kernel leak primitive based on the well-known HMValidateHandle technique
    to obtain a kernel memory address.
    The online documentation describes this technique as leveraging the function IsMenu and
    parsing its code to find the HMValidateHandle function.


  11. ClientAllocWinClassExtraByte
    NtUserConsoleControl
    GetMenuBarInfo


  12. In most LPE exploits, the exploit swaps the token of the current process
    to elevate privileges.
    This is exactly what our sample does at the end of the exploitation.


  14. 187 samples (CVE-2021-1732, CVE-2022-21882)


  15. First Sample
    Hash: 914b6125f6e39168805fdf57be61cf20dd11acd708d7db7fa37ff75bf1abfc29
    PDB: C:\Users\Win10\source\repos\KSP_EPL\x64\Release\ConsoleApplication13.pdb
    Compile timestamp: 2020-05-05 05:10:29 UTC
    Version: x64 bit

    Second Sample
    Hash: ee2d53303e2c5a2787dad11e3a0abce5ea0ff9a4219e963e69a4054a11efc628
    PDB: C:\Users\Win10\source\repos\SOPHOS_EPL\Release\sophos.pdb
    Compile timestamp: 2020-07-10 06:30:28 UTC
    Version: x32 bit


  16. To exploit a vulnerability, attackers rely on known techniques.
    Identifying those techniques and studying the structure of the
    exploit can help to build a relevant hunting or detection rule.
    In this presentation, we uncovered a previously unknown sample
    that uses the same string conventions as the original one.

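As an added example (my own rule, not the deck's), a YARA hunting rule assembled from the artifacts listed on the slides: the string values and imported APIs come from the deck, while the rule name, metadata, the `_EPL\` directory heuristic and the condition logic are my assumptions.

```yara
import "pe"

// Added hunting rule built from the artifacts on the slides.
// Rule name, metadata, weighting and the "_EPL\" prefix heuristic are
// assumptions; the string values themselves are taken from the deck.
rule Hunt_Win32k_LPE_Graphology
{
    meta:
        description = "Hunts CVE-2021-1732 variants by reused developer artifacts"
        reference   = "https://research.checkpoint.com/2020/graphology-of-an-exploit-volodya/"

    strings:
        // Build-environment habit: both samples share this PDB directory
        // (KSP_EPL and SOPHOS_EPL), so the prefix also catches the variant
        $pdb_dir    = "C:\\Users\\Win10\\source\\repos\\" ascii
        $pdb_epl    = "_EPL\\" ascii

        // Window class / window names used to set up the type confusion
        $cls_normal = "normalClass" ascii wide
        $cls_magic  = "magicClass" ascii wide
        $cls_wnd    = "somewnd" ascii wide

        // Security product fingerprinted at startup
        $av_proc    = "avp.exe" ascii wide

        // Unusual string present in the first sample
        $odd        = "T$hH9T$ptf" ascii

    condition:
        uint16(0) == 0x5A4D and
        // Imports behind the OS fingerprinting, the HMValidateHandle leak
        // (parsed out of IsMenu) and the GetMenuBarInfo primitive
        pe.imports("kernel32.dll", "IsWow64Process") and
        pe.imports("user32.dll", "IsMenu") and
        pe.imports("user32.dll", "GetMenuBarInfo") and
        (
            // strong: the developer's build path
            ($pdb_dir and $pdb_epl) or
            // medium: the same window-class naming convention
            2 of ($cls_*) or
            // weaker: AV fingerprint together with the odd string
            ($av_proc and $odd)
        )
}
```

IsMenu and GetMenuBarInfo are also imported by ordinary GUI programs, so the import checks narrow the candidate set rather than identify the exploit; the string groups carry the signal, and the PDB prefix is the habit the deck's second sample shares with the first.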



  17. https://research.checkpoint.com/2020/graphology-of-an-exploit-volodya/
    https://vblocalhost.com/uploads/VB2020-04.pdf
    https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/technical-analysis-of-cve-2021-1732/
    https://ti.dbappsecurity.com.cn/blog/articles/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/
    https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild
    https://www.avira.com/en/blog/anatomy-of-an-exploit-in-windows-win32k-cve-2022-21882
