0-Day 輕鬆談 - Happy Fuzzing Internet Explorer

Orange
July 19, 2013

Where do 0-days come from?
Fuzzing, as a way of finding vulnerabilities, lets 0-days roll in even while you are lying down.

This is a relaxed talk,
sharing some fuzzer design, lessons learned from fuzzing, and directions for fuzzing Internet Explorer.

Finally, an unpublished 0-day is disclosed for this HITCON.

Transcript

  1. 0-Day Easy Talk (0-Day 輕鬆談)

  2. 0-Day WTF Talk (0-Day 甘苦談, literally a talk about the joys and pains of 0-days)

  3. This is an easy talk

  4. Sharing some of my fuzzing experience

  5. And, in passing, dropping a 0-day

  6. Hello, everyone

  7. This is Orange speaking

  8. I am a college student now

  9. Member of CHROOT.org

  10. Working part-time at DevCo.re

  11. Disclosed some vulnerabilities
    CVE-2013-0305
    CVE-2012-4775 (MS12-071)

  12. About Me
    •  蔡政達 aka Orange
    •  2009 HITCON (Taiwan Hacker Conference) competition champion
    •  2011, 2012 National Information Security Competition, Golden Shield Award champion
    •  2011 AVTOKYO (Tokyo) speaker
    •  2012 VXRLConf (Hong Kong) speaker
    •  Speaker at Taiwan PHPConf, WebConf, PyConf
    •  Specializes in
    –  Hacker attack techniques
    –  Web Security
    –  Windows Vulnerability Exploitation

  13. If you are interested in me, you can visit
    blog.orange.tw

  14. What I focus on

  15. But today let's talk about 0-day and Fuzzing
    (not my specialty QQ; I am not an expert in this, just sharing)

  16. Conference-Driven 0-Day
    n. noun

    Definition: a 0-day produced for the sake of a conference

  17. Some notes on finding 0-days

  18. This time we talk about IE

  19. http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/



  20. Hacker's Good Friend


  21. Methods

    •  White Box
    – Code Review (IE5.5 source code)
    – Throw it straight into IDA, no questions asked
    •  Black Box
    – Fuzzing

  22. Fuzzing

    •  Garbage in, garbage out
    •  In theory it can find every vulnerability
    – provided you have infinite time…

  23. "The more time, the more 0-days"

    - Barack Obama

  24. Fuzzing Model
    •  Generator
    •  Debugger
    •  Result Logger

  25. http://youtube.com/watch?v=m7Xg-YnMisE


  26. Debugger
    •  Windows Debug API
    – DebugActiveProcess
    – WaitForDebugEvent
    – ContinueDebugEvent
    – so tedious…

    •  A fast, customizable debugger

  27. PyDBG
    A Pure Python Windows Debugger
    Interface


  28. Debug a Process

    >>> from pydbg import *          # the pydbg class is exported at package level
    >>> dbg = pydbg()
    >>> dbg.load( file )             # file = path to the target executable; or dbg.attach( pid )
    >>> dbg.run()                    # enter the debug-event loop

  29. Set Breakpoint
    >>> dbg.bp_set( address, handler=callback )       # the callback goes in handler=; the second positional argument is a description string
    >>> dbg.set_callback( exception_code, callback )  # e.g. EXCEPTION_ACCESS_VIOLATION from pydbg.defines

  30. Memory Manipulation
    >>> dbg.read( address, length )
    >>> dbg.write( address, data )   # write() takes the bytes to write, not a length

  31. Crash Dump Report
    >>> import utils.crash_binning           # ships with PaiMei alongside pydbg
    >>> bin = utils.crash_binning.crash_binning()
    >>> bin.record_crash( dbg )              # call this from the access-violation callback
    >>> bin.crash_synopsis()

  32. Logger (Filter)
    •  Mountains and valleys of crashes
    •  Not every crash can become an exploit
    •  More than 90% are null pointer dereferences, usable only for DoS
    –  mov eax, [ebx+0x70]
    –  ; ebx = 0
    •  EIP
    •  Disassemble
    –  jmp reg
    –  call reg
    –  call [reg + CONST]
    •  Stack
    •  SEH Chain
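An added crash-triage example, not code from the deck or from PaiMei: it applies the filter rules on the slide above (null-pointer dereference is DoS only; `jmp reg` / `call reg` / `call [reg + CONST]` and a garbage EIP go to the front of the queue) to WinDbg-style crash contexts, and buckets duplicates by faulting instruction the way crash_binning does. The five sample contexts are constructed, not real crashes; the 0x10000 null-page threshold and the label names are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed WinDbg-style crash contexts (register dump + faulting instruction); not real crashes.
SAMPLES = [
    # read through a null register: the ">90% of crashes, DoS only" case from the slide
    """(a10.b20): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=0172b130 edx=00000001 esi=0172b130 edi=00000000
eip=3e8c1a70 esp=0172b100 ebp=0172b11c iopl=0         nv up ei pl zr na pe nc
3e8c1a70 8b4370          mov     eax,dword ptr [ebx+70h]""",
    # eip points at unmapped memory (WinDbg prints "?? ???"): control flow already diverted
    """(e10.950): Access violation - code c0000005 (!!! second chance !!!)
eax=3dbf00a4 ebx=0019bb30 ecx=037f12c8 edx=0a5d8b53 esi=0172b130 edi=00000000
eip=0a5d8b53 esp=0172b100 ebp=0172b11c iopl=0         nv up ei pl zr na pe nc
0a5d8b53 ??              ???""",
    # indirect call through a non-null register: the "call [reg + CONST]" pattern
    """(c30.d40): Access violation - code c0000005 (!!! second chance !!!)
eax=0d3e1008 ebx=0019bb30 ecx=0d3e1000 edx=00000000 esi=0172b130 edi=00000000
eip=3e8c2b10 esp=0172b100 ebp=0172b11c iopl=0         nv up ei pl zr na pe nc
3e8c2b10 ff5004          call    dword ptr [eax+4]""",
    # invalid but non-null read: not a null deref, so it goes to manual review
    """(f50.e60): Access violation - code c0000005 (!!! second chance !!!)
eax=00000001 ebx=0019bb30 ecx=037f12c8 edx=00000000 esi=41414141 edi=00000000
eip=3e8c3c20 esp=0172b100 ebp=0172b11c iopl=0         nv up ei pl zr na pe nc
3e8c3c20 8b4e08          mov     ecx,dword ptr [esi+8]""",
]
SAMPLES.append(SAMPLES[0])  # a duplicate crash, to show bucketing

REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})\b")
MEM_RE = re.compile(r"\[(e[abcd]x|e[sd]i|e[bs]p)(?:\s*[+-]\s*[0-9a-f]+h?)?\]")
NULL_PAGE_LIMIT = 0x10000  # assumption: a base register below this is a null-pointer dereference


def parse_context(text):
    """Return (registers, mnemonic, operands) from a WinDbg register dump plus disassembly line."""
    regs = {name: int(value, 16) for name, value in REG_RE.findall(text)}
    fields = text.strip().splitlines()[-1].split(None, 2)  # "address bytes mnemonic operands"
    if len(fields) < 3 or fields[1] == "??":
        return regs, "??", ""  # WinDbg could not disassemble at eip
    instr = fields[2].split(None, 1)
    return regs, instr[0], (instr[1] if len(instr) > 1 else "")


def classify(text):
    """Apply the slide's filter rules, most severe first."""
    regs, mnemonic, operands = parse_context(text)
    if mnemonic == "??" or regs.get("eip") == 0xFFFFFFFF:
        return "EIP_INVALID"      # eip is garbage (cf. the "EIP = ffffffff" slide)
    mem = MEM_RE.search(operands)
    if mem and regs.get(mem.group(1), NULL_PAGE_LIMIT) < NULL_PAGE_LIMIT:
        return "NULL_DEREF"       # only a DoS; drop it from the exploitability queue
    if mnemonic in ("jmp", "call") and (operands in REGS or mem):
        return "INDIRECT_BRANCH"  # jmp reg / call reg / call [reg + CONST]
    return "REVIEW"               # invalid non-null access: look at the stack and SEH chain


def triage(contexts):
    """Label every context and bucket duplicates by (label, faulting instruction)."""
    labels, buckets = [], Counter()
    for text in contexts:
        label = classify(text)
        _, mnemonic, operands = parse_context(text)
        labels.append(label)
        buckets[(label, mnemonic, operands)] += 1
    return labels, buckets


if __name__ == "__main__":
    labels, buckets = triage(SAMPLES)
    for key, count in buckets.most_common():
        print("%-16s x%d  %s %s" % (key[0], count, key[1], key[2]))
```

The ordering matters: the "?? ???" / bad-EIP check comes first because there is no instruction to inspect, and the null-page check comes before the indirect-branch check so that `call [eax+4]` with `eax = 0` is filed as a DoS rather than as a hijack candidate.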

  33. EIP = ffffffff !!?


  34. 0x50000 = 327680 = (65535 / 2)*10


  35. File Generator
    The Most Important Part of Fuzzing

  36. File Generator
    •  The more twisted the content the better, but it still has to conform to the spec
    – Read the spec thoroughly and know the file structure
    – Imagination is your superpower

  37. Fuzzing directions
    1)  Look for new types of vulnerabilities (laborious but general)
    2)  Look for known types of vulnerabilities (fast but targeted)

  38. New types of vulnerabilities
    •  Try features that are newer or less used
    – HTML5 Canvas
    – SVG
    – VML
    •  CVE-2013-2551 / VML Integer Overflow / Pwn2Own / VUPEN
    – WebGL
    •  IE11 begins to support it

  39. Chew through the spec
    (repeated to fill the whole slide)

  40. Known types of vulnerabilities
    •  From studying past vulnerabilities we know
    •  Internet Explorer is not good at
    – Parsing the DOM tree
    – Parsing with &
    – Parsing with
    •  CTreeNode & CTableLayout

  41. Pseudo Scenario of Use-After-Free

    (the HTML markup around the script did not survive extraction; the script lines are:)
    var x = document.getElementById( 'x' );
    var y = document.getElementById( 'y' );
    x.innerHTML = 'AAAA…';
    y.length = 100px;

  42. Ex: CVE-2011-1260 (Not Full Version)

    (the surrounding markup did not survive extraction; the script lines are:)
    document.body.innerHTML += "<object …>TAG_1</object>";
    document.body.innerHTML += "<a id='tag_3' style='…'>TAG_3</a>";
    document.body.innerHTML += "AAAAAAA";
    document.body.innerHTML += "<strong style='…'>TAG_11</strong>";

  43. Ex: CVE-2012-1876 (Heap Overflow)
    setTimeout("trigger();", 1);

    (the markup between the two script blocks did not survive extraction)

    function trigger() {
        var obj_col = document.getElementById("132");
        obj_col.width = "42765";
        obj_col.span = 1000;
    }

  44. Fuzzing with DOM Tree
    https://www.facebook.com/zztao
    •  Using DOM methods to manipulate objects
    –  createElement
    –  removeChild, appendChild
    –  innerHTML, outerText
    –  createRange
    –  addEventListener
    –  select
    –  …

  45. Putting It All Together
    1)  Randomize HTML nodes for the initial document
    2)  Manipulate the nodes with DOM methods
    (can also play with CSS at the same time)
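An added example of steps 1 and 2 above as a seeded test-case generator; it is not code from the deck or from any tool it names. The tag list, the DOM-method list and the CSS values are constructed vocabularies (a real generator would draw on the full element list of the spec), and the seed is written into the file header so that any case that crashes the browser can be regenerated byte for byte from the seed recorded next to the crash. `createRange` and `addEventListener` are standard DOM; `createTextRange().select()` is the IE-specific range API this example assumes the deck's `select` refers to.

```python
import random

# Constructed vocabularies (assumption: a real generator would use the spec's full element list).
TAGS = ["div", "span", "table", "tr", "td", "col", "colgroup", "a", "strong", "object", "svg"]
DOM_OPS = ["createElement", "appendChild", "removeChild", "innerHTML", "outerText",
           "createRange", "addEventListener", "select", "css"]
CSS_PROPS = {"width": ["0", "1px", "-1px", "100%", "65535px"],
             "display": ["none", "table-cell", "inline", "block"],
             "position": ["absolute", "fixed", "static"]}


def random_tree(rng, n_nodes):
    """Step 1: emit n_nodes randomly chosen elements, each with an id the script can look up."""
    parts = []
    for i in range(n_nodes):
        tag = rng.choice(TAGS)
        parts.append('<%s id="n%d">%s</%s>' % (tag, i, "X" * rng.randint(0, 8), tag))
    return "\n".join(parts)


def random_op(rng, n_nodes):
    """Step 2: one DOM (or CSS) manipulation over two randomly chosen nodes from step 1."""
    a = "document.getElementById('n%d')" % rng.randrange(n_nodes)
    b = "document.getElementById('n%d')" % rng.randrange(n_nodes)
    op = rng.choice(DOM_OPS)
    if op == "createElement":
        return "%s.appendChild(document.createElement('%s'));" % (a, rng.choice(TAGS))
    if op == "appendChild":
        return "%s.appendChild(%s);" % (a, b)
    if op == "removeChild":
        return "%s.parentNode.removeChild(%s);" % (b, b)
    if op == "innerHTML":
        return "%s.innerHTML = '%s';" % (a, "A" * rng.choice([1, 16, 256]))
    if op == "outerText":
        return "%s.outerText = '%s';" % (a, "B" * rng.randint(0, 32))
    if op == "createRange":
        return "var r = document.createRange(); r.selectNode(%s); r.deleteContents();" % a
    if op == "addEventListener":
        # a mutation listener that edits another node while the tree is changing
        return ("%s.addEventListener('DOMNodeRemoved', function () { %s.innerHTML = ''; }, false);"
                % (a, b))
    if op == "select":
        # IE's proprietary TextRange API (assumption: the deck's "select" refers to this)
        return "var t = document.body.createTextRange(); t.moveToElementText(%s); t.select();" % a
    prop = rng.choice(sorted(CSS_PROPS))  # sorted() keeps the choice order deterministic
    return "%s.style.%s = '%s';" % (a, prop, rng.choice(CSS_PROPS[prop]))


def generate_case(seed, n_nodes=8, n_ops=20):
    """Build one self-contained HTML test case; the seed in the header makes it reproducible."""
    rng = random.Random(seed)
    tree = random_tree(rng, n_nodes)
    # each op is wrapped in try/catch so one failing call does not stop the rest of the case
    ops = ["try { %s } catch (e) {}" % random_op(rng, n_nodes) for _ in range(n_ops)]
    return ("<!-- seed=%d n_nodes=%d n_ops=%d -->\n<html><body>\n%s\n<script>\n%s\n</script>\n"
            "</body></html>\n" % (seed, n_nodes, n_ops, tree, "\n".join(ops)))


if __name__ == "__main__":
    import sys
    seed = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    sys.stdout.write(generate_case(seed))
```

Run it as `python generator.py 1234 > case-1234.html` and log the seed together with the crash synopsis; a crash whose input cannot be regenerated is the most common way a fuzzing run loses a finding.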

  46. (image only)

  47. "If your luck is bad, it is a character problem"

    - Barack Obama

  48. Generally, a single machine run can find 1 or 2 IE 0-days in a month
    I have successfully found 0-days from IE6 to IE9;
    for IE10+ I haven't tried because I am too lazy :(

  49. So I found a 0-day for HITCON
    1)  Works on Internet Explorer 8
    2)  mshtml.dll 8.0.6001.23501

  50. http://www.zdnet.com/ie8-zero-day-flaw-targets-u-s-nuke-researchers-all-versions-of-windows-affected-7000014908/

  51. WinXP can fight on for another ten years

  52. Proof-of-Concept

  53. (image only)

  54. Microsoft is our sponsor
    I can't say more detail until it is patched :(

  55. Call Stack

  56. call edx

    (e10.950): Access violation - code c0000005 (!!! second chance !!!)
    eax=3dbf00a4 ebx=0019bb30 ecx=037f12c8 edx=085d8b53 esi=0172b130 edi=00000000
    eip=085d8b53 esp=0172b100 ebp=0172b11c iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    085d8b53 ??              ???

  57. Writing Exploit
    •  Windows protections
    – DEP
    – Luckily, on Windows XP we don't care about ASLR
    – Luckily it is not IE10+, so there is no vTable Guard

  58. So, writing the exploit is easy
    Heap Spray + ROP is enough

  59. Demo

  60. http://youtube.com/watch?v=QwKkfUcq_VA

  61. Originally, this story had a happy ending

  62. But
    The most exciting part of life is this "But"

  63. The 0-day was silently fixed the week before HITCON

  64. What the

  65. Proof-of-Concept
    (the PoC listing did not survive extraction)

  66. Works on
    •  mshtml.dll ……                # ……
    •  mshtml.dll …...               # 2013 / 05 / 14
    •  mshtml.dll 8.0.6001.23501     # 2013 / 06 / 11
    •  mshtml.dll 8.0.6001.23507     # 2013 / 07 / 09

  67. Reference
    •  VUPEN Blog
    – http://www.vupen.com/blog/
    •  PaiMei
    – https://github.com/OpenRCE/paimei
    •  Special thanks to tt & nanika

  68. Thanks