About Us

Nafiez @zeifan
- Memory corruption hacker
- Fuzzing & Vulnerability Research
- Lives in “paradise”

Yeh @iamyeh
- Threat Researcher at Carbon Black
- Malware Reverse Engineering
- Vulnerability Analysis
Introduction
● Real-world memory corruption exploitation (no XSS, SQLi, LFI, etc.)
● From the mid 90s until the early 2000s, new types of vulnerabilities and exploitation techniques were introduced
● Vulnerability classes were mostly introduced first on Linux
● More Windows “in-the-wild” exploitation
Continue…
● Since 2014, Windows has led in software security mitigations
● Exploitation techniques and vulnerability classes killed in modern OSes
● Current exploitation techniques in Windows
Ret-2-libc
Solar Designer
Bypassing NX to inject code
[Diagram: stack layout after the overflow, from the buffer upward: BUFFER, address of system() in libc, return address taken when system() returns, address of the string “/bin/sh” (“/bin/sh\0” in libc); control flows into libc system(), then ret]
https://seclists.org/bugtraq/1997/Aug/63
Format String
proftpd: the first format string bug (introduced)
ftp> ls aaaXXXX%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%653300u%n
https://seclists.org/bugtraq/1999/Sep/328
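The payload above works because user input reaches printf as the format argument. As an added example (not from the slides and not proftpd's code), the snippet below shows that defect in its vulnerable form beside the fixed form, plus two checks a defender can run over text that should have been plain data. All function names and the sample payload are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides or from proftpd: the defect class behind
 * the payload above (user input reaching printf as the *format* argument),
 * shown in its vulnerable and its fixed form, plus two checks a defender can
 * run over text that should have been plain data. All names are illustrative. */

/* VULNERABLE ("before"): the caller-supplied text is the format string, so
 * each "%u" consumes a stack word and "%n" writes a byte count to memory.
 * The compiler's -Wformat-security flags this line; the pragma exists only
 * so the "before" form compiles here. It is never invoked on live input. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static void log_line_unsafe(FILE *out, const char *user_text)
{
    fprintf(out, user_text);            /* format string under caller control */
}
#pragma GCC diagnostic pop

/* FIXED ("after"): the format is a constant and the text is only ever a %s
 * argument, so "%u" and "%n" in it are copied as literal characters. Returns
 * the number of characters that would have been written, like snprintf. */
static int log_line_safe(char *dst, size_t dst_len, const char *user_text)
{
    return snprintf(dst, dst_len, "%s", user_text);
}

/* Number of conversion specifiers in a string; "%%" is a literal percent. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* 1 if the string holds "%n" (optionally with a width such as "%653300n"),
 * the specifier that turns a read primitive into a write. */
static int contains_write_specifier(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        const char *p = s + 1;
        while (*p >= '0' && *p <= '9') p++;
        if (*p == 'n') return 1;
    }
    return 0;
}

/* Check: does the fixed logger preserve the text byte for byte? */
static int safe_log_preserves(const char *user_text)
{
    char buf[256];
    int n = log_line_safe(buf, sizeof buf, user_text);
    return n == (int)strlen(user_text) && strcmp(buf, user_text) == 0;
}

int main(void)
{
    /* Constructed input modelled on the shape of the proftpd payload above. */
    const char *payload = "aaaXXXX%u%u%u%u%653300u%n";
    log_line_unsafe(stdout, "static text only\n");   /* safe: no specifiers */
    printf("conversions=%d write=%d preserved=%d\n",
           count_conversions(payload), contains_write_specifier(payload),
           safe_log_preserves(payload));
    return 0;
}
```

The two checks are the kind of thing a log-sanitiser or a fuzzing harness can assert on: any conversion specifier in a field that should be data is a finding, and a `%n` in it is the one that matters most.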
Defeating Heap Protection and DEP Bypass
PTSecurity
Defeating heap protection and bypassing DEP on Windows XP SP2.
https://www.ptsecurity.com/upload/corporate/ww-en/download/defeating-xpsp2-heap-protection.pdf
Windows Kernel Pool Overflow
Kinvis (SoBeIt) - Beihang University
https://web.archive.org/web/20070221124210/http://xcon.xfocus.org/XCon2005/archives/2005/Xcon2005_SoBeIt.pdf
Return Oriented Programming
Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham
https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf
Overview
● Found in 2015 via fuzzing
● Responsible disclosure to the vendor (Emsisoft)
● Vulnerable IOCTL 0x22e010
● Trivial to exploit:
○ Leads to an overflow that allows writing to memory and executing code
Stack Overflow
Windows Kernel Exploitation Process
01 Spawn processes
02 Get a handle to the vulnerable device
03 Reach the vulnerable IOCTL function
04 Allocate a buffer (shellcode)
05 Create a buffer that redirects execution into the shellcode
Past Exploitation Development
01 Use-After-Free: a Use-After-Free vulnerability was found. In order to exploit it, the vulnerability was chained with Adobe Flash.
02 ROP + Info Leak: a ROP chain was created using the UAF vulnerability in the browser and chained with Adobe Flash. An ASLR bypass was required, using an info leak method.
03 Full Code Execution: exploitation was trivial to gain.
What happened?
● Developer: developers failed to audit legacy code, did not make any changes, kept using old frameworks, etc.
● Vulnerability Classes: the vulnerability types and classes still exist.
● Patching: the patch introduced a new vulnerability.
● Exploitation: exploitation is getting more complex and requires a chain of vulnerabilities.
Edge
● Attack Surface Reduction: remove whatever features Internet Explorer had.
● Memory Garbage Collection (MemGC): focuses on the DOM engine and turns UAFs in the DOM non-exploitable.
● Type Confusion Protection: additional checks to eliminate recurring bad casts and wrong branching on CTreePos.

Vulnerability Classes Killer
https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf
● Stack corruption essentially eliminated
● Use-After-Free attacks decreased
● Rise of Out-of-Bounds, DLL Planting and Type Confusion
Current Exploitation Development
01 Use-After-Free: the vulnerability found was a Use-After-Free; in order to gain an info leak, it needs to be turned into a type confusion. In some cases this is not needed.
02 Type Confusion: usually used as part of a vulnerability chain.
03 Information Leak: to bypass ASLR, an information leak is needed. This helps make the exploit reliable.
04 Sandbox & Mitigation Bypass: current mitigations in Windows require multiple chained bypasses, including CFG and ACG.
05 Full Code Execution: achieve full code execution (including remote) with full mitigation bypasses.
Overview
● Found via manual audit
○ Focus on Adobe Flash Player ActiveX (29.0.0.171)
● Responsible disclosure to the vendor (Adobe)
● Integer overflow in ActiveX turns into a NULL pointer dereference
○ Adobe failed to set the Kill Bit in the registry by default
● Exploit attempt failed
○ Due to memory safety mitigations
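The slide names the defect class (an integer overflow that ends in a NULL pointer) without showing it. As an added example, not Adobe's code and not the ActiveX bug itself, the snippet below shows how an overflowed size computation produces either an undersized buffer or a failed allocation whose NULL result is then dereferenced, beside a hardened form. The element type, the `MAX_ELEMS` limit and every function name are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example, not Adobe's code: the defect class named on the slide, an
 * integer overflow in a size computation that ends in an allocation failure
 * and a NULL pointer dereference (or an undersized buffer), beside a hardened
 * form. The element type, the limit and the helper names are constructed. */

struct elem { uint32_t a; uint32_t b; };   /* constructed 8-byte element */

/* VULNERABLE ("before"): the byte count is computed in 32 bits. A count of
 * 0x20000001 wraps to 8 bytes, so a tiny block is returned and later element
 * writes run off its end; a count that wraps to a huge value makes malloc
 * fail and a caller that never checks dereferences NULL. */
static struct elem *alloc_elems_unsafe(uint32_t count)
{
    uint32_t bytes = count * (uint32_t)sizeof(struct elem);   /* may wrap */
    return (struct elem *)malloc(bytes);
}

static uint32_t unsafe_byte_count(uint32_t count)   /* the size it computed */
{
    return count * (uint32_t)sizeof(struct elem);
}

/* HARDENED ("after"): overflow-checked multiplication in size_t, an explicit
 * policy bound on the count, and a NULL check at the only place that matters. */
#define MAX_ELEMS 1000000u   /* constructed upper bound */

static int checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b) return 0;   /* a * b would overflow */
    *out = a * b;
    return 1;
}

static struct elem *alloc_elems_safe(uint32_t count)
{
    size_t bytes;
    if (count == 0 || count > MAX_ELEMS) return NULL;
    if (!checked_mul_size(count, sizeof(struct elem), &bytes)) return NULL;
    return (struct elem *)calloc(1, bytes);     /* callers must test for NULL */
}

/* Writes count elements, returning 0 instead of touching a NULL buffer. */
static int fill_elems(struct elem *p, uint32_t count)
{
    if (p == NULL) return 0;
    for (uint32_t i = 0; i < count; i++) { p[i].a = i; p[i].b = ~i; }
    return 1;
}

/* Checks: does a*b overflow size_t, and does the safe path allocate+fill? */
static int mul_would_overflow(size_t a, size_t b)
{
    size_t out;
    return !checked_mul_size(a, b, &out);
}

static int safe_path_result(uint32_t count)   /* 1 = allocated and filled */
{
    struct elem *p = alloc_elems_safe(count);
    int ok = fill_elems(p, count);
    free(p);
    return ok;
}

int main(void)
{
    /* The unsafe path hands back 8 bytes for a 0x20000001-element request;
     * it is freed here without being written to. */
    struct elem *bad = alloc_elems_unsafe(0x20000001u);
    free(bad);
    return safe_path_result(16u) ? 0 : 1;
}
```

The point of the hardened form is that the failure becomes a checked return value: an oversized or overflowing request is refused before any allocation, and an allocation failure stops at `fill_elems` rather than at a crash.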
● Exploitation is much harder
● Hardware-based mitigations and bypasses
● Past vulnerability classes remain
● More chained types of exploitation
● Software mitigation improvements
● Advanced exploitation could evade the security perimeter
Intel Control-flow Enforcement Technology (CET)
➢ Shadow Stack (bypass?)
○ A second stack for the program, used only for control transfer operations
○ Separate from the data stack; can be enabled for user mode or supervisor mode
○ Protects return addresses and defends against ROP
➢ Indirect Branch Tracking (bypass?)
○ A new instruction named ENDBRANCH marks valid indirect CALL/JMP targets in the program
○ Protects free branches against JOP / COP
https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf
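To make the two checks on the slide concrete, here is an added software model (not Intel's code, and not how the hardware is implemented): a toy instruction set in which CALL pushes the return address on both a data stack and a shadow stack, RET compares the two, and an indirect JMP is accepted only when the target instruction is ENDBRANCH. The opcodes, the sample programs, the fault names and the "corrupt the saved return address" switch that stands in for a stack buffer overflow are all constructed.

```c
/* Added example, not Intel's code: a software model of the two CET mechanisms
 * on the slide, to show what they check. A tiny program is an array of
 * instructions. CALL pushes the return address on the data stack and on a
 * shadow stack the program cannot write; RET compares the two; an indirect
 * JMP is accepted only if the target instruction is ENDBRANCH. Everything
 * here (opcodes, programs, fault names) is constructed for illustration. */

enum op { OP_NOP, OP_ENDBR, OP_CALL, OP_RET, OP_IJMP, OP_HALT };
struct insn { enum op op; int target; };

enum fault { FAULT_NONE, FAULT_SHADOW_MISMATCH, FAULT_MISSING_ENDBR, FAULT_BAD_STATE };

#define STACK_MAX 16
#define STEP_MAX  1000

struct cpu {
    int pc;
    int data_stack[STACK_MAX], sp;     /* in memory: an overflow can alter it */
    int shadow_stack[STACK_MAX], ssp;  /* hardware-protected: the program cannot */
};

static int g_stop_pc;                  /* pc at which the last run stopped */
static int stop_pc(void) { return g_stop_pc; }

/* Runs prog until HALT or a fault. With cet == 0 both checks are skipped, as
 * on a CPU without CET. If corrupt_after >= 0, the top data-stack return
 * address is overwritten with corrupt_to once that many instructions have
 * executed: a stand-in for a stack buffer overflow. */
static enum fault run(const struct insn *prog, int len, int cet,
                      int corrupt_after, int corrupt_to)
{
    struct cpu c = { 0 };
    for (int steps = 0; steps < STEP_MAX; steps++) {
        g_stop_pc = c.pc;
        if (c.pc < 0 || c.pc >= len) return FAULT_BAD_STATE;
        if (steps == corrupt_after && c.sp > 0) c.data_stack[c.sp - 1] = corrupt_to;
        struct insn i = prog[c.pc];
        switch (i.op) {
        case OP_NOP:
        case OP_ENDBR:
            c.pc++;
            break;
        case OP_CALL:
            if (c.sp >= STACK_MAX) return FAULT_BAD_STATE;
            c.data_stack[c.sp++] = c.pc + 1;
            c.shadow_stack[c.ssp++] = c.pc + 1;
            c.pc = i.target;
            break;
        case OP_RET: {
            if (c.sp == 0) return FAULT_BAD_STATE;
            int ret = c.data_stack[--c.sp];
            int shadow = c.shadow_stack[--c.ssp];
            if (cet && ret != shadow) return FAULT_SHADOW_MISMATCH; /* #CP in CET */
            c.pc = ret;                     /* unchecked: where ROP would take over */
            break;
        }
        case OP_IJMP:
            if (cet && (i.target < 0 || i.target >= len ||
                        prog[i.target].op != OP_ENDBR))
                return FAULT_MISSING_ENDBR;  /* IBT: target lacks ENDBRANCH */
            c.pc = i.target;
            break;
        case OP_HALT:
            return FAULT_NONE;
        }
    }
    return FAULT_BAD_STATE;
}

/* Constructed program: index 0 calls the function at 4; index 2 is a
 * "gadget" that is neither a legitimate return nor a valid branch target. */
static const struct insn prog_call[] = {
    {OP_CALL, 4}, {OP_HALT, 0},     /* 0: call f ; 1: halt (the real return) */
    {OP_NOP, 0},  {OP_HALT, 0},     /* 2: gadget ; 3: halt */
    {OP_ENDBR, 0}, {OP_RET, 0},     /* 4: f entry; 5: ret */
};
static const struct insn prog_ijmp_bad[]  = { {OP_IJMP, 2}, {OP_HALT, 0}, {OP_NOP, 0},   {OP_HALT, 0} };
static const struct insn prog_ijmp_good[] = { {OP_IJMP, 2}, {OP_HALT, 0}, {OP_ENDBR, 0}, {OP_HALT, 0} };

#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Scenarios: a clean run; the saved return address redirected to the gadget
 * (index 2) right after the CALL; an indirect jump to a bad or a good target. */
static enum fault clean_run(int cet)      { return run(prog_call, LEN(prog_call), cet, -1, 0); }
static enum fault ret_corruption(int cet) { return run(prog_call, LEN(prog_call), cet,  1, 2); }
static enum fault ijmp_to(int good_target, int cet)
{
    return run(good_target ? prog_ijmp_good : prog_ijmp_bad, 4, cet, -1, 0);
}
```

Without CET the corrupted return lands on the gadget and execution continues as if nothing happened; with the shadow stack the RET faults before the gadget runs, and with IBT the indirect jump faults unless its target starts with ENDBRANCH. The "bypass?" question on the slide is about what an attacker does when every RET and indirect branch is checked this way, which this model does not attempt to answer.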
References & Thanks
● Thanks to KLKS for reviewing our slides
● NanoSec crew
● Haroon Meer, BlackHat 2010 paper on the history of memory corruption
○ https://media.blackhat.com/bh-us-10/whitepapers/Meer/BlackHat-USA-2010-Meer-History-of-Memory-Corruption-Attacks-wp.pdf
● ...and the many papers that we used as references :)
● Ping us on Telegram (OWASP Malaysia) if you want to talk about exploitation and reverse engineering.