
NanoSec Conference 2018 - Exploitation Era

Nafiez
October 10, 2018

A presentation in NanoSec Conference 2018 held in Malaysia with topic Exploitation Era.

Transcript

  1. Exploitation Era Past, Present and Future

  2. About Us
     Nafiez @zeifan
     - Memory corruption hacker
     - Fuzzing & Vulnerability Research
     - Live in “paradise”
     Yeh @iamyeh
     - Threat Researcher in Carbon Black
     - Malware Reverse Engineering
     - Vulnerability Analysis
  3. What’s this talk about?

  4. Introduction
     • Real world memory corruption exploitation (no XSS, SQLi, LFI, etc.)
     • Mid 90’s until early 2000s: the vulnerability types and exploitation techniques were introduced
     • Vulnerability classes mostly introduced in Linux
     • More Windows “in-the-wild” exploitation
  5. Continue…
     • Since 2014, Windows leading in software security mitigations
     • Exploitation techniques and vulnerability classes killed in modern OS’s
     • Current exploitation techniques in Windows
  6. 0-Day: Reported new bug last week and got this bounty this morning!
  7. The Past

  8. 1988: Morris Worm
     1995 - 1997: Buffer Overflow
     1998 - 2000: Exploits Evolution
     2001 - 2003: Protections Era
     2004 - 2006: Windows Era
     2007 - 2010: Evolution of Exploits
  9. Oct 2, 1988 1988

  10. Morris Worm Exploiting 10,000 Computers https://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=1701&context=cstech

  11. Oct 20, 1995 1995

  12. Mudge@l0pht released tutorial “How to Write Buffer Overflow” https://insecure.org/stf/mudge_buffer_overflow_tutorial.html

  13. Nov 8, 1996 1996

  14. Smashing the Stack Aleph1 Complete write-up exploiting stack overflow http://phrack.org/issues/49/14.html

  15. Aug 10, 1997 1997

  16. Ret-2-libc, Solar Designer: bypassing NX to inject code
      Stack layout: BUFFER | Address of system() in libc | Return from system() | Address of string “/bin/sh”
      libc: “/bin/sh\0”, system(), ret
      https://seclists.org/bugtraq/1997/Aug/63
  17. Jan 31, 1999 1999

  18. Heap Overflows w00w00 First tutorial of heap overflow exploitation http://www.w00w00.org/files/articles/heaptut.txt

  19. Sep 20, 1999 1999

  20. Format String, proftpd: first format string bug (introduced)
      ftp> ls aaaXXXX%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%653300u%n
      https://seclists.org/bugtraq/1999/Sep/328
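The proftpd entry above is the canonical shape of the class: user input reaches the format argument of a printf-family call, so each %u consumes a stack word that was never passed and %n turns the read into a write. As an added illustration (not code from the talk or from proftpd), below is a hypothetical logging helper in both its vulnerable and hardened forms, together with a scanner a defender can place at the boundary to count conversion directives in text before it is ever used as a format string:

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: the untrusted string *is* the format string. Each "%u"
 * consumes an argument that was never passed (reading up the stack) and "%n"
 * writes an int through a pointer the caller never supplied. Kept only to
 * show the pattern and never exercised on untrusted input here. Distribution
 * compilers now make this a hard error by default (-Werror=format-security),
 * which is why the pragma is needed to keep the bad example compiling. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static void log_line_unsafe(const char *untrusted)
{
    printf(untrusted);
    putchar('\n');
}
#pragma GCC diagnostic pop

/* Hardened shape: the format string is a literal, the untrusted text is data
 * for %s. Any directives inside it are printed verbatim, never interpreted. */
void log_line_safe(const char *untrusted)
{
    printf("%s\n", untrusted);
}

/* Scan for conversion directives. With only == 0 every directive counts;
 * otherwise only directives whose conversion character equals 'only'.
 * "%%" is a literal percent sign and never counts. */
static int scan_directives(const char *s, char only)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }            /* literal '%' */
        const char *q = p + 1;
        /* skip flags, width, precision and length modifiers */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q)) q++;
        if (*q == '\0') break;                          /* dangling '%' */
        if (only == 0 || *q == only) count++;
        p = q;
    }
    return count;
}

/* Boundary check: how many directives would printf interpret in this text? */
int count_format_directives(const char *s) { return scan_directives(s, 0); }

/* The one conversion that writes to memory and turns a read into a write. */
int count_write_directives(const char *s) { return scan_directives(s, 'n'); }

int main(void)
{
    /* Constructed sample modelled on the proftpd report: %u to walk the
     * stack, a wide %u to set the byte count, then %n to write it. */
    const char *sample = "aaaXXXX%u%u%u%u%u%u%u%u%653300u%n";
    printf("directives=%d writes=%d\n",
           count_format_directives(sample), count_write_directives(sample));
    if (count_format_directives(sample) > 0) {
        puts("refusing to use input as a format string; logging it as data:");
        log_line_safe(sample);
    }
    (void)log_line_unsafe;   /* shown, not exercised */
    return 0;
}
```

The scanner is a detection aid for review or for a logging boundary, not a substitute for the fix: the fix is that the format string is always a literal, which is exactly what -Wformat-security enforces at compile time.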
  21. Nov 8, 2001 2001

  22. Malloc exploitation MaXX Malloc exploitation trick, Phrack 57 http://phrack.org/issues/57/8.html

  23. Nov 8, 2001 2001

  24. Free() Exploitation d45a312a@author.phrack.org (anonymous) free() exploitation pioneer http://phrack.org/issues/57/9.html

  25. Feb 7, 2002 2002

  26. 3rd Generation Exploitation, Halvar Flake
      1st Generation Exploits
      - Simple stack smashes
      - Control of EIP (RET instruction)
      - E.g. strcpy(), gets(), sprintf()
      - Easy peasy
      2nd Generation Exploits
      - off-by-one
      - Control of EIP (RET instruction)
      - E.g. strncat(), strncpy()
      - No EIP control, EBP manipulation
      - Hard-to-find in nature
      3rd Generation Exploits
      - Format strings, Heap Structure
      - E.g. printf(), malloc(), free()
      - Sometimes trivial to spot
      - No registers control
      https://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt
  27. July 30, 2002 2002

  28. Integer Overflow, Mark Dowd, Chris Spencer, Neel Mehta, Nishad Herath, Halvar Flake: first introduced to the public
      https://slideplayer.com/slide/9244035/
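Integer overflow as an exploitable class usually appears as a length check that wraps: a count from the input is multiplied by an element size, the 32-bit product wraps to something small, the allocation is undersized, and the copy that follows still trusts the original count. The following added example (not from the talk; the record format and function names are constructed for illustration) shows the unchecked computation beside a checked one built on __builtin_mul_overflow, and a parser that rejects a blob whose claimed count wraps or exceeds the data actually present:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record format constructed for this example: a little-endian
 * 32-bit record count followed by 'count' fixed-size records. */
#define REC_SIZE 16u

/* Unchecked: the 32-bit product wraps once count >= 2^28, so a huge count
 * yields a tiny allocation while a later copy loop still trusts 'count'. */
uint32_t alloc_size_unchecked(uint32_t count)
{
    return count * REC_SIZE;          /* 0x10000001 * 16 wraps to 16 */
}

/* Checked: returns the byte size, or 0 if the product does not fit in 32
 * bits (0 is never valid here because count == 0 is rejected separately). */
uint32_t alloc_size_checked(uint32_t count)
{
    uint32_t size;
    if (__builtin_mul_overflow(count, REC_SIZE, &size)) return 0;
    return size;
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a blob into a freshly allocated copy of its records. Returns the
 * record count, or -1 if the header is inconsistent with the data present.
 * Allocation and copy both use the validated byte size, never 'count'. */
long parse_records(const uint8_t *buf, size_t len, uint8_t **out)
{
    if (len < 4) return -1;
    uint32_t count = rd32le(buf);
    if (count == 0) return -1;
    uint32_t need = alloc_size_checked(count);
    if (need == 0) return -1;                 /* multiplication would wrap */
    if ((size_t)need > len - 4) return -1;    /* more records claimed than present */
    uint8_t *recs = malloc(need);
    if (!recs) return -1;
    memcpy(recs, buf + 4, need);
    *out = recs;
    return (long)count;
}

/* Constructed well-formed blob: count = 2, two 16-byte records. */
long demo_good(void)
{
    uint8_t blob[4 + 2 * REC_SIZE] = { 2, 0, 0, 0 };
    memset(blob + 4, 0xAB, 2 * REC_SIZE);
    uint8_t *recs = NULL;
    long n = parse_records(blob, sizeof blob, &recs);
    free(recs);
    return n;
}

/* Constructed hostile blob: count = 0x10000001, whose product wraps to 16.
 * Unchecked code would malloc(16) and then copy 0x10000001 records into it. */
long demo_wrapped(void)
{
    uint8_t blob[4 + REC_SIZE] = { 0x01, 0x00, 0x00, 0x10 };
    uint8_t *recs = NULL;
    long n = parse_records(blob, sizeof blob, &recs);
    free(recs);
    return n;
}

int main(void)
{
    printf("unchecked size for 0x10000001 records: %u bytes\n",
           alloc_size_unchecked(0x10000001u));
    printf("good blob -> %ld records, hostile blob -> %ld\n",
           demo_good(), demo_wrapped());
    return 0;
}
```

The length-versus-data check is as important as the overflow check: even a product that does not wrap must still be compared against the bytes actually received before anything is copied.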
  29. Aug 2, 2003 2003

  30. Win32 Device Driver, Sec-Labs: METHOD_NEITHER ioctl memory overwrite targeting Symantec AntiVirus
      http://www.nsfocus.net/vulndb/5247
          push 0
          push 0
          @pushsz "\\.\NAVAP"      ;open the device
          @callx CreateFileA       ;yeah - open it!
          mov ebx,eax              ;EBX=DEVICE HANDLE
          cmp eax,-1               ;error ;/
          jne _x00                 ;if not jump to _x00 label
          @debug SPLOIT_TITLE,"Cannot open device ;/",IERROR
          jmp exit
  31. Sep 8, 2003 2003

  32. Windows Server 2003 David Litchfield Defeating Stack Overflow Protection https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-litchfield.pdf

  33. Nov 2, 2004 2004

  34. Heap Spraying Skylined Demonstrate against Internet Explorer https://www.exploit-db.com/exploits/612/

  35. Jan 21, 2005 2005

  36. Defeating Heap Protection and DEP Bypass, PTSecurity: defeating heap protection and bypassing DEP on Windows XP SP2
      https://www.ptsecurity.com/upload/corporate/ww-en/download/defeating-xpsp2-heap-protection.pdf
  37. Feb 17, 2005 2005

  38. Remote Windows Kernel Exploitation Barnaby Jack (RIP) https://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Jack_White_Paper.pdf

  39. July 20, 2005 2005

  40. Windows Kernel Pool Overflow Kinvis (SoBeIt) - Beihang University https://web.archive.org/web/20070221124210/http://xcon.xfocus.org/XCon2005/archives/2005/Xcon2005_SoBeIt.pdf

  41. Oct 2, 2005 2005

  42. DEP Bypass, Hardware-Based: Skape & skywing http://uninformed.org/index.cgi?v=all&a=11

  43. Dec 7, 2005 2005

  44. Freelist[0] Exploitation Technique Brett Moore http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist[0]%20On%20XP%20Service%20Pack%202.pdf

  45. Jan 19, 2007 2007

  46. Double-Free Vulnerabilities, Matthew Conover
      https://www.symantec.com/connect/blogs/double-free-vulnerabilities-part-1
      https://www.symantec.com/connect/blogs/double-free-vulnerabilities-part-2
      Before:
        freelist[n-1][0x003401b8]   Flink 0x003401b8   Blink 0x003401b8
        freelist[n][0x003401c0]     Flink 0x00341fb0   Blink 0x00341fb0
        chunk[0x00341fa8]           Flink 0x003401c0   Blink 0x003401c0
      After:
        freelist[n-1]               same
        freelist[n]                 same
        chunk[0x00341fa8]           Flink 0x003401bc   Blink 0x003401c4
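The Flink/Blink values above, the Freelist[0] entry and the XP SP2 heap-protection entry earlier all turn on the same operation: unlinking a chunk from a doubly linked free list with two pointer writes taken from the chunk itself. The added model below (not code from the talk, from Windows or from the cited papers; a constructed sentinel list with no real allocator) puts the unchecked unlink of the XP SP1-era heap beside the safe-unlinking check that XP SP2 introduced, and shows the check refusing a chunk whose Blink has been redirected:

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Model of a doubly linked free list in the style of the Flink/Blink lists
 * quoted above. Constructed for this example: chunks are stack variables,
 * there is no real allocator, and faults are return values. */
typedef struct chunk {
    struct chunk *flink;
    struct chunk *blink;
    unsigned char payload[16];
} chunk_t;

typedef struct { chunk_t head; } freelist_t;   /* circular list with sentinel */

void freelist_init(freelist_t *fl) { fl->head.flink = fl->head.blink = &fl->head; }

void freelist_push(freelist_t *fl, chunk_t *c)
{
    c->flink = fl->head.flink;
    c->blink = &fl->head;
    fl->head.flink->blink = c;
    fl->head.flink = c;
}

/* Unchecked unlink, as in the XP SP1-era heap: two pointer writes driven
 * entirely by the chunk's own link fields. If an overflow or a double free
 * has corrupted them, the writes land wherever the corrupted pointers say. */
void unlink_unchecked(chunk_t *c)
{
    c->blink->flink = c->flink;
    c->flink->blink = c->blink;
}

/* Safe unlinking, the XP SP2 check: both neighbours must point back at c,
 * otherwise nothing is unlinked. The real heap raises a heap-corruption
 * fault where this returns false. */
bool unlink_safe(chunk_t *c)
{
    if (c->flink->blink != c || c->blink->flink != c) return false;
    c->blink->flink = c->flink;
    c->flink->blink = c->blink;
    return true;
}

/* Intact chunk: safe unlink succeeds and the list stays consistent. Returns 1. */
int demo_clean_unlink(void)
{
    freelist_t fl; chunk_t a, b;
    freelist_init(&fl);
    freelist_push(&fl, &a);
    freelist_push(&fl, &b);            /* list: head <-> b <-> a <-> head */
    if (!unlink_safe(&b)) return 0;
    return fl.head.flink == &a && a.blink == &fl.head;
}

/* Corrupted chunk: b's Blink has been redirected (like the skewed
 * "Blink 0x003401c4" in the slide) to a fake node whose Flink is not b.
 * Returns 1 if the safe check refuses it while the unchecked path goes
 * ahead and writes through the fake node. */
int demo_detects_corruption(void)
{
    freelist_t fl; chunk_t a, b, fake = {0};
    freelist_init(&fl);
    freelist_push(&fl, &a);
    freelist_push(&fl, &b);
    b.blink = &fake;                            /* the corruption */
    bool refused = !unlink_safe(&b);            /* SP2 behaviour: fault */
    unlink_unchecked(&b);                       /* SP1 behaviour: proceed */
    bool wrote_through = (fake.flink == &a);    /* stray write landed in 'fake' */
    return refused && wrote_through;
}

int main(void)
{
    printf("clean unlink ok: %d\n", demo_clean_unlink());
    printf("safe unlink refused corrupted chunk: %d\n", demo_detects_corruption());
    return 0;
}
```

The check costs two compares per unlink and closes the classic "write-what-where on free" primitive; the PTSecurity paper cited above is about the cases SP2 still left open (for example lookaside lists), which is why later heaps added further checks rather than relying on safe unlinking alone.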
  47. Mar 27, 2007 2007

  48. Heap Feng Shui, Alex Sotirov: Heap Feng Shui using JavaScript, attacking the browser
      https://www.blackhat.com/presentations/bh-usa-07/Sotirov/Whitepaper/bh-usa-07-sotirov-WP.pdf
  49. Feb 17, 2008 2008

  50. ASLR Smack Tilo Muller Complete write-up exploiting stack overflow https://ece.uwaterloo.ca/~vganesh/TEACHING/S2014/ECE458/aslr.pdf

  51. Aug 4, 2008 2008

  52. Return Oriented Programming, Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham
      https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf
  53. Case Study: Emsisoft Internet Security - IOCTL Vulnerability

  54. Overview
      • Found in 2015 via fuzzing
      • Responsible disclosure to vendor (Emsisoft)
      • Vulnerable IOCTL 0x22e010
      • Trivial to exploit:
        ◦ Leads to an overflow that allows writing to memory and gaining execution
  58. Stack Overflow: Windows Kernel Exploitation Process
      01 Spawn processes
      02 Get handle to vulnerable device
      03 Get vulnerable IOCTL function
      04 Allocate buffer (shellcode)
      05 Create buffer that redirects execution into shellcode
  59. Present

  60. Past Exploitation Development
      01 Use-After-Free: a Use-After-Free vulnerability was found. To exploit it, the vulnerability was chained with Adobe Flash.
      02 ROP + Info Leak: a ROP chain was created using the UAF vulnerability in the browser, chained with Adobe Flash. ASLR bypass was required, using an info leak.
      03 Full Code Execution: exploitation was trivial to gain.
  61. What happened?
      Developer: developers failed to audit legacy code, did not make any changes, kept using old frameworks, etc.
      Vulnerability Classes: the vulnerability types and classes still exist.
      Patching: patches introduced new vulnerabilities.
      Exploitation: exploitation is getting more complex and requires a chain of vulnerabilities.
  62. What has changed?

  63. http://gaasedelen.blogspot.com/2014/03/exploiting-icofx-26-cve-2013-4988.html

  64. Windows Memory Safety Mitigations
      NX / DEP
      SEHOP / ASLR
      MemGC
      CFG
      ACG / RFG
      Hyper-V Based Security (VBS) - Kernel level (enabling ACG, CIG, RFG, CFG), CFI
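Three of the mitigations listed above are opt-ins recorded in each binary's PE header: DEP (NX_COMPAT), ASLR (DYNAMIC_BASE) and CFG (GUARD_CF) live in IMAGE_OPTIONAL_HEADER.DllCharacteristics, while SEHOP, ACG, RFG, MemGC and VBS are OS- or process-level policies that leave no header trace. As an added example (not code from the talk), the parser below reads that field from an untrusted in-memory image with bounds checks at every step, reports which of the three flags a binary lacks, and builds a constructed minimal PE32+ header to exercise itself with:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification). */
#define DLLCHAR_HIGH_ENTROPY_VA 0x0020u   /* 64-bit ASLR */
#define DLLCHAR_DYNAMIC_BASE    0x0040u   /* ASLR */
#define DLLCHAR_NX_COMPAT       0x0100u   /* DEP */
#define DLLCHAR_NO_SEH          0x0400u   /* image registers no SEH handlers */
#define DLLCHAR_GUARD_CF        0x4000u   /* CFG */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return DllCharacteristics of a PE image held in memory, or -1 if the
 * buffer is not a well-formed PE header. Every offset is bounds-checked
 * before use because the image is untrusted input. */
int pe_dll_characteristics(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe_off = rd32(img + 0x3C);                 /* e_lfanew */
    /* signature (4) + COFF file header (20) + optional header through
     * DllCharacteristics (offset 70, 2 bytes) */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return -1;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = img + pe_off + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;    /* PE32 or PE32+ */
    return rd16(opt + 70);     /* same offset in both optional header layouts */
}

/* Which of the three header opt-in mitigations the image lacks. */
unsigned pe_missing_mitigations(unsigned flags)
{
    unsigned want = DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT | DLLCHAR_GUARD_CF;
    return want & ~flags;
}

/* Build a constructed minimal PE32+ header carrying the given
 * DllCharacteristics and read it back through the parser. */
int demo_roundtrip(uint16_t chars)
{
    uint8_t img[0x40 + 4 + 20 + 96] = {0};
    img[0] = 'M'; img[1] = 'Z';
    img[0x3C] = 0x40;                         /* e_lfanew: PE right after DOS header */
    memcpy(img + 0x40, "PE\0\0", 4);
    uint8_t *opt = img + 0x40 + 4 + 20;
    opt[0] = 0x0b; opt[1] = 0x02;             /* Magic 0x20b: PE32+ */
    opt[70] = (uint8_t)(chars & 0xff);
    opt[71] = (uint8_t)(chars >> 8);
    return pe_dll_characteristics(img, sizeof img);
}

int main(void)
{
    int flags = demo_roundtrip(DLLCHAR_NX_COMPAT);   /* DEP only, XP SP2 style */
    unsigned missing = pe_missing_mitigations((unsigned)flags);
    printf("flags=0x%04x missing: %s%s%s\n", flags,
           missing & DLLCHAR_DYNAMIC_BASE ? "ASLR " : "",
           missing & DLLCHAR_NX_COMPAT    ? "DEP "  : "",
           missing & DLLCHAR_GUARD_CF     ? "CFG "  : "");
    return 0;
}
```

The GUARD_CF bit only says the linker opted in; the loader additionally needs the CFG function table from the load config directory, so a complete audit tool would read that directory as well. For images that lack the opt-ins, system-wide DEP and mandatory ASLR policies can still be forced at the OS level, which is part of why these mitigations are listed as OS features above and not only as compiler flags.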
  65. Vulnerability Classes Killer
      Edge Attack Surface Reduction: remove whatever features Internet Explorer had.
      Memory Garbage Collection (MemGC): focuses on the DOM engine and turns UAF in the DOM non-exploitable.
      Type Confusion Protection: additional checks to eliminate recurring bad casts and wrong branching on CTreePos.
      https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf
      Stack corruption essentially eliminated. Use-After-Free attacks decreased. Rise of Out-of-Bounds, DLL Planting and Type Confusion.
  66. Current Exploitation Development
      01 Use-After-Free: the vulnerability found was a Use-After-Free; to gain an info leak it needs to be turned into a type confusion. In some cases this is not needed.
      02 Type Confusion: usually used as part of a vulnerability chain.
      03 Information Leak: to bypass ASLR, an information leak is needed. This helps make the exploit reliable.
      04 Full Code Execution: achieve full code execution (including remote) with full mitigation bypasses.
      05 Sandbox & Mitigation Bypass: current mitigations in Windows require multiple chained bypasses, including CFG and ACG.
  67. Case Study: (PSIRT-8422) Adobe Flash ActiveX - NULL Pointer

  68. Overview
      • Found via manual audit
        ◦ Focus on Adobe Flash Player ActiveX (29.0.0.171)
      • Responsible disclosure to vendor (Adobe)
      • Integer Overflow in ActiveX turns into a NULL Pointer
        ◦ Adobe failed to set the Kill Bit in the registry by default
      • Exploit attempt failed
        ◦ Due to memory safety mitigations
  70. Future (Past)

  71. • Exploitation becomes much harder
      • Hardware based mitigations and bypasses
      • Past vulnerability classes remain
      • More chained types of exploitation
      • Software mitigations keep improving
      • Advanced exploitation could evade the security perimeter
  72. Intel Control-flow Enforcement Technology (CET)
      ➢ Shadow Stack (bypass?)
        ◦ Second stack for the program, used for control transfer operations
        ◦ Separate from the data stack; can be enabled for user mode or supervisor mode
        ◦ Protects return addresses and defends against ROP
      ➢ Indirect Branch Tracking (bypass?)
        ◦ New instruction named ENDBRANCH marks valid indirect CALL/JMP targets in the program
        ◦ Protects free branches against JOP / COP
      https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf
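To make the two CET mechanisms above concrete, here is a toy machine added for this page (not from the talk or from Intel's specification): a downward-growing data stack holding locals and return addresses, a shadow stack that only CALL and RET touch, and an ENDBRANCH marker per code address. A buffer fill that spills into the saved return address is caught when RET finds the two stacks disagreeing, and an indirect branch into a location without ENDBRANCH is refused, which is what the hardware does with a #CP fault:

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Toy machine constructed for this example. It is a model, not the
 * hardware: "addresses" are small integers, the stacks are arrays and
 * faults are return codes instead of #CP exceptions. */
#define STACK_SLOTS 16
#define CODE_SIZE   16

enum fault { OK = 0, FAULT_SHADOW_MISMATCH = 1, FAULT_MISSING_ENDBRANCH = 2 };

typedef struct {
    uint32_t data[STACK_SLOTS];    /* ordinary stack: locals + return addresses */
    int      sp;                   /* grows downward, like x86 */
    uint32_t shadow[STACK_SLOTS];  /* shadow stack: return addresses only */
    int      ssp;
    bool     endbranch[CODE_SIZE]; /* code addresses that begin with ENDBRANCH */
} machine_t;

void machine_init(machine_t *m) { memset(m, 0, sizeof *m); m->sp = STACK_SLOTS; }

/* CALL: the return address goes on both stacks. */
void do_call(machine_t *m, uint32_t ret_addr)
{
    m->data[--m->sp] = ret_addr;
    m->shadow[m->ssp++] = ret_addr;
}

/* Prologue/epilogue: a local buffer of n slots just below the return address. */
void alloc_locals(machine_t *m, int n) { m->sp -= n; }
void free_locals(machine_t *m, int n)  { m->sp += n; }

/* Fill the local buffer upward, as strcpy would. With n_written larger than
 * the buffer the fill spills into the saved return address. Data writes never
 * reach the shadow stack, which is the whole point of keeping it separate. */
void fill_buffer(machine_t *m, int n_written, uint32_t value)
{
    for (int i = 0; i < n_written && m->sp + i < STACK_SLOTS; i++)
        m->data[m->sp + i] = value;
}

/* RET: pop both stacks; CET faults if they disagree. */
enum fault do_ret(machine_t *m, uint32_t *target)
{
    uint32_t from_data   = m->data[m->sp++];
    uint32_t from_shadow = m->shadow[--m->ssp];
    if (from_data != from_shadow) return FAULT_SHADOW_MISMATCH;
    *target = from_data;
    return OK;
}

/* Indirect CALL/JMP: the target must start with ENDBRANCH. */
enum fault do_indirect_branch(const machine_t *m, uint32_t target)
{
    if (target >= CODE_SIZE || !m->endbranch[target]) return FAULT_MISSING_ENDBRANCH;
    return OK;
}

/* Benign call: 4-slot buffer, 4 slots written, return to address 7. Returns OK. */
int demo_benign(void)
{
    machine_t m; machine_init(&m);
    do_call(&m, 7); alloc_locals(&m, 4); fill_buffer(&m, 4, 0x41); free_locals(&m, 4);
    uint32_t t = 0;
    return (do_ret(&m, &t) == OK && t == 7) ? OK : -1;
}

/* Stack smash: 5 slots written into a 4-slot buffer overwrites the saved
 * return address with 0x41; the shadow copy still says 7, so RET faults. */
int demo_smashed_return(void)
{
    machine_t m; machine_init(&m);
    do_call(&m, 7); alloc_locals(&m, 4); fill_buffer(&m, 5, 0x41); free_locals(&m, 4);
    uint32_t t = 0;
    return do_ret(&m, &t);
}

/* IBT: a branch to a marked function entry passes, a branch into the
 * middle of a function (a JOP/COP-style gadget address) is refused. */
int demo_ibt(void)
{
    machine_t m; machine_init(&m);
    m.endbranch[3] = true;                        /* function entry at address 3 */
    if (do_indirect_branch(&m, 3) != OK) return -1;
    return do_indirect_branch(&m, 5);
}

int main(void)
{
    printf("benign=%d smashed=%d ibt=%d\n", demo_benign(), demo_smashed_return(), demo_ibt());
    return 0;
}
```

The model also shows why the slide's "bypass?" questions are about what the mechanisms do not cover: the shadow stack only compares return addresses, so it says nothing about the overwritten locals themselves, and IBT only constrains where an indirect branch may land, not which of the legitimately marked entry points is chosen.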
  73. Conclusion

  75. References & Thanks
      • Thanks to KLKS for reviewing our slides
      • NanoSec crew
      • Haroon Meer, BlackHat 2010 paper on the history of memory corruption
        ◦ https://media.blackhat.com/bh-us-10/whitepapers/Meer/BlackHat-USA-2010-Meer-History-of-Memory-Corruption-Attacks-wp.pdf
      • ...and the many papers that we used as references :)
      • Ping us on Telegram (OWASP Malaysia) if you want to talk about exploitation and reverse engineering.