NanoSec Conference 2018 - Exploitation Era

Transcript

1. Exploitation Era Past, Present and Future

2. About Us Nafiez @zeifan - Memory corruption hacker - Fuzzing

   & Vulnerability Research - Live in “paradise” Yeh @iamyeh - Threat Researcher in Carbon Black - Malware Reverse Engineering - Vulnerability Analysis

3. What’s this talk about?

4. Introduction • Real world memory corruption exploitation (no XSS, SQLi,

   LFI, etc.) • Mid 90’s until early 2000, introduced types of vulnerabilities and exploitation • Vulnerability classes mostly introduced in Linux • More Windows “in-the wild“ exploitation

5. Continue… • Since 2014, Windows leading in software security mitigations

   • Exploitation techniques and vulnerability classes killed in modern OS’s • Current exploitation techniques in Windows

6. 0-Day: Reported new bug last week and got this bounty

   this morning!

7. The Past

8. 1988 Morris Worm 1995 - 1997 Buffer Overflow 1998 -

   2000 Exploits Evolution 2001 - 2003 Protections Era 2004 - 2006 Windows Era 2007 - 2010 Evolution of Exploits

9. Oct 2, 1988 1988

10. Morris Worm Exploiting 10,000 Computers https://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=1701&context=cstech

11. Oct 20, 1995 1995

12. Mudge@l0pht released tutorial “How to Write Buffer Overflow” https://insecure.org/stf/mudge_buffer_overflow_tutorial.html

13. Nov 8, 1996 1996

14. Smashing the Stack Aleph1 Complete write-up exploiting stack overflow http://phrack.org/issues/49/14.html

15. Aug 10, 1997 1997

16. Ret-2-libc Solar Designer Bypassing NX to inject code BUFFER Address

    of system() in libc Return from system() Address of string “/bin/sh” “/bin /sh\0” libc system() ret https://seclists.org/bugtraq/1997/Aug/63

17. Jan 31, 1999 1999

18. Heap Overflows w00w00 First tutorial of heap overflow exploitation http://www.w00w00.org/files/articles/heaptut.txt

19. Sep 20, 1999 1999

20. Format String proftpd First format string bug (introduced) ftp> ls

    aaaXXXX%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u %u%u%u%u%u%u%u%u%u%653300u%n https://seclists.org/bugtraq/1999/Sep/328

21. Nov 8, 2001 2001

22. Malloc exploitation MaXX Malloc exploitation trick, Phrack 57 http://phrack.org/issues/57/8.html

23. Nov 8, 2001 2001

24. Free() Exploitation [email protected] (anonymous) free() exploitation pioneer http://phrack.org/issues/57/9.html

25. Feb 7, 2002 2002

26. 3rd Generation Exploitation Halvar Flake 1st Generation Exploits - Simple

    stack smashes - Control of EIP (RET instruction) - E.g. strcpy(), gets(), sprintf() - Easy peasy 2nd Generation Exploits - off-by-one - Control of EIP (RET instruction) - E.g. strncat(), strncpy() - No EIP control, EBP manipulation - Hard-to-find in nature 3rd Generation Exploits - Format strings, Heap Structure - E.g. printf(), malloc(), free() - Sometimes trivial to spot - No registers control https://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt

27. July 30, 2002 2002

28. Integer Overflow Mark Dowd, Chris Spencer, Neel Metha, Nishad Herath,

    Halvar Flake First introduced to public https://slideplayer.com/slide/9244035/

29. Aug 2, 2003 2003

30. Win32 Device Driver Sec-Labs METHOD_NEITHER ioctl memory overwrite targeting Symantec

    AntiVirus http://www.nsfocus.net/vulndb/5247 push 0 push 0 @pushsz "\\.\NAVAP" ;open the device @callx CreateFileA ;yeah - open it! mov ebx,eax ;EBX=DEVICE HANDLE cmp eax,-1 ;error ;/ jne _x00 ;if not jump to _x00 label @debug SPLOIT_TITLE,"Cannot open device ;/",IERROR jmp exit

31. Sep 8, 2003 2003

32. Windows Server 2003 David Litchfield Defeating Stack Overflow Protection https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-litchfield.pdf

33. Nov 2, 2004 2004

34. Heap Spraying Skylined Demonstrate against Internet Explorer https://www.exploit-db.com/exploits/612/

35. Jan 21, 2005 2005

36. Defeating Heap Protection and DEP Bypass PTSecurity Defeating heap protection

    and bypass DEP against Windows XP SP2. https://www.ptsecurity.com/upload/corporate/ww-en/download/defeating-xpsp2-heap-protection.pdf

37. Feb 17, 2005 2005

38. Remote Windows Kernel Exploitation Barnaby Jack (RIP) https://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Jack_White_Paper.pdf

39. July 20, 2005 2005

40. Windows Kernel Pool Overflow Kinvis (SoBeIt) - Beihang University https://web.archive.org/web/20070221124210/http://xcon.xfocus.org/XCon2005/archives/2005/Xcon2005_SoBeIt.pdf

41. Oct 2, 2005 2005

42. DEP Bypass Hardware- Based Skape & skywing http://uninformed.org/index.cgi?v=all&a=11

43. Dec 7, 2005 2005

44. Freelist[0] Exploitation Technique Brett Moore http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist[0]%20On%20XP%20Service%20Pack%202.pdf

45. Jan 19, 2007 2007

46. Double-Free Vulnerabilities Matthew Conover https://www.symantec.com/connect/blogs/double-free-vulnerabilities-part-1 https://www.symantec.com/connect/blogs/double-free-vulnerabilities-part-2 Before: freelist [n-1][0x003401b8] Flink

    0x003401b8 Blink 0x003401b8 freelist [n][0x003401c0] Flink 0x00341fb0 Blink 0x00341fb0 chunk [0x00341fa8] Flink 0x003401c0 Blink 0x003401c0 After: freelist [n-1] same freelist [n] same chunk [0x00341fa8] Flink 0x003401bc Blink 0x003401c4

47. Mar 27, 2007 2007

48. Heap Feng Shui Alex Sotirov Heap Feng Shui using JavaScript

    attacking browser https://www.blackhat.com/presentations/bh-usa-07/Sotirov/Whitepaper/bh-usa-07-sotirov-WP.pdf

49. Feb 17, 2008 2008

50. ASLR Smack Tilo Muller Complete write-up exploiting stack overflow https://ece.uwaterloo.ca/~vganesh/TEACHING/S2014/ECE458/aslr.pdf

51. Aug 4, 2008 2008

52. Return Oriented Programming Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav

    Shacham https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf

53. Case Study: Emsisoft Internet Security - IOCTL Vulnerability

54. Overview • Found in 2015 via fuzzing • Responsible disclosure

    to vendor (Emsisoft) • Vulnerable IOCTL 0x22e010 • Trivial to exploit: ◦ Lead to overflow and allow to write in memory and perform execution
55. None
56. None
57. None

58. Stack Overflow Windows Kernel Exploitation Process 01 Spawn processes 02

    Get handle to vulnerable device 03 Get vulnerable IOCTL function 04 Allocate buffer (shellcode) 05 Create buffer redirects execution into shellcode

59. Present

60. Use-After-Free Use-After-Free vulnerability found. In order to exploit the vulnerability,

    chain vulnerability with Adobe Flash. Full Code Execution Exploitation were trivial to gain. ROP + Info Leak Create ROP chain using UAF vulnerability in browser and chained using Adobe Flash. ASLR bypass required, using info leak method. 03 01 02 Past Exploitation Development

61. What happened? Developer Developer failed to audit legacy code, do

    not made any changes, using old framework, etc. Vulnerability Classes Vulnerability types and classes were still exists. Patching Patch introduced new vulnerability. Exploitation Exploitation getting more complex requires chain of vulnerability.

62. What has changed?

63. http://gaasedelen.blogspot.com/2014/03/exploiting-icofx-26-cve-2013-4988.html

64. NX / DEP SEHOP / ASLR MemGC CFG ACG /

    RFG Hyper-V Based Security (VBS) - Kernel level (enabling ACG, CIG, RFG, CFG), CFI Windows Memory Safety Mitigations

65. Edge Attack Surface Reduction Remove whatever feature Internet Explorer has.

    Memory Garbage Collection (MemGC) Focusing on DOM engine and turn UAF in DOM non-exploitable. Type Confusion Protection Additional checks to eliminate recurring bad casts and wrong branching on CTreePos Vulnerability Classes Killer https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf Stack corruption essentially eliminated Use-After-Free attack decreased Raise of Out-of-Bounds, DLL Planting and Type Confusion

66. Use-After-Free Vulnerability found was Use-After-Free, in order to to gain

    info leak, it needs to turn to type confusion. For some cases it doesn’t need to do so. Type Confusion Usually used as part of vulnerability chain. Information Leak To bypass ASLR, an information leak needs to be done. This will help to make the exploit reliable. Full Code Execution Achieve full code execution (including remote) with full mitigation bypasses. Sandbox & Mitigation Bypass Current mitigations in Windows required multiple chains of bypass, including CFG, and ACG. 05 01 02 03 04 Current Exploitation Development

67. Case Study: (PSIRT-8422) Adobe Flash ActiveX - NULL Pointer

68. Overview • Found via manual audit ◦ Focus on Adobe

    Flash Player ActiveX (29.0.0.171) • Responsible disclosure to vendor (Adobe) • Integer Overflow in ActiveX turns NULL Pointer ◦ Adobe failed to set Kill Bit in registry by default • Exploit attempt failed ◦ Due to memory safety mitigation
69. None

70. Future (Past)

71. • Exploitation much more harder • Hardware based mitigations and

    bypasses • Past vulnerability classes remain stay • More chain types of exploitation • Software mitigations improvement • Advanced exploitation could evade security perimeter

72. Intel Control-flow Enforcement Technology (CET) ➢ Shadow Stack (bypass?) ◦

    Second stack for program that used for control transfer operations ◦ Separate from data stack and can be enable for operation via user mode or supervisor mode ◦ Protecting return address and defend against ROP ➢ Indirect Branch Tracking (bypass?) ◦ New instruction named ENDBRANCH used to mark valid indirect CALL/JMP targets in the program ◦ Protecting free branch against JOP / COP https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf

73. Conclusion

74. None

75. References & Thanks • Thanks to KLKS - for reviewing

    our slide • NanoSec crew • Haroon Meer BlackHat 2010 Paper on Memory Corruption History ◦ https://media.blackhat.com/bh-us-10/whitepapers/Meer/BlackHat-USA-2010-Meer-History -of-Memory-Corruption-Attacks-wp.pdf • ...and many paper that we used as references :) • Ping us on Telegram (OWASP Malaysia) if you want to talk about exploitation and reverse engineering.