Slide 1

Exploitation Era Past, Present and Future

Slide 2

About Us

Nafiez @zeifan
- Memory corruption hacker
- Fuzzing & Vulnerability Research
- Live in “paradise”

Yeh @iamyeh
- Threat Researcher in Carbon Black
- Malware Reverse Engineering
- Vulnerability Analysis

Slide 3

What’s this talk about?

Slide 4

Introduction
● Real world memory corruption exploitation (no XSS, SQLi, LFI, etc.)
● Mid 90s until early 2000s: the period that introduced the vulnerability types and exploitation techniques
● Vulnerability classes mostly introduced on Linux
● More Windows “in-the-wild” exploitation

Slide 5

Continue…
● Since 2014, Windows leading in software security mitigations
● Exploitation techniques and vulnerability classes killed in modern OSes
● Current exploitation techniques in Windows

Slide 6

0-Day: Reported new bug last week and got this bounty this morning!

Slide 7

The Past

Slide 8

1988: Morris Worm
1995 - 1997: Buffer Overflow
1998 - 2000: Exploits Evolution
2001 - 2003: Protections Era
2004 - 2006: Windows Era
2007 - 2010: Evolution of Exploits

Slide 9

Oct 2, 1988

Slide 10

Morris Worm
Exploiting 10,000 computers
https://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=1701&context=cstech

Slide 11

Oct 20, 1995

Slide 12

Mudge@l0pht released the tutorial “How to Write Buffer Overflow”
https://insecure.org/stf/mudge_buffer_overflow_tutorial.html

Slide 13

Nov 8, 1996

Slide 14

Smashing the Stack
Aleph1
Complete write-up exploiting a stack overflow
http://phrack.org/issues/49/14.html

Slide 15

Aug 10, 1997

Slide 16

Ret-2-libc
Solar Designer
Bypassing NX to inject code

Stack layout from the slide figure (buffer at the lowest address):
  BUFFER
  Address of system() in libc     <- ret (the overwritten return address)
  Return from system()
  Address of string “/bin/sh”
  “/bin/sh\0”                     <- string in libc

https://seclists.org/bugtraq/1997/Aug/63

Slide 17

Jan 31, 1999

Slide 18

Heap Overflows
w00w00
First tutorial on heap overflow exploitation
http://www.w00w00.org/files/articles/heaptut.txt

Slide 19

Sep 20, 1999

Slide 20

Format String
proftpd
First format string bug (introduced)

  ftp> ls aaaXXXX%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%653300u%n

https://seclists.org/bugtraq/1999/Sep/328
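The proftpd payload above works because untrusted input reaches printf() as the format argument: each %u pops a value off the stack and %n writes the number of bytes printed so far to the next pointer argument. The C below is an added example, not code from the talk or from proftpd; it shows the vulnerable call shape, the one-line fix (a fixed "%s" format), and a small audit helper that counts conversion directives in data that is about to reach a printf-family function. The sample string is constructed for the demo.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Vulnerable pattern: untrusted data used as the format argument.
 * A "%n" in the data makes printf() write the byte count so far to an
 * address taken from the stack; "%u"/"%x" read values from it.
 * Nothing in this file calls it with data; it documents the shape. */
void log_unsafe(const char *untrusted)
{
    printf(untrusted);
}

/* Fixed pattern: fixed format string, untrusted data only as an argument.
 * Returns the number of bytes written to out (excluding the terminator),
 * or -1 on an encoding error. */
int log_safe(char *out, size_t outsz, const char *untrusted)
{
    int n = snprintf(out, outsz, "%s", untrusted);
    return n < 0 ? -1 : n;
}

/* Audit helper: count conversion directives in a string that should be
 * plain text. "%%" is a literal percent sign and is not counted; a lone
 * trailing '%' is ignored. Any non-zero result for user-supplied data is
 * the condition the ftp "ls aaaXXXX%u...%n" line above exercises. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        if (s[1] == '\0') break;              /* dangling percent */
        count++;
    }
    return count;
}

int main(void)
{
    char out[64];
    const char *sample = "ls aaaXXXX%u%u%n";   /* constructed sample input */
    printf("directives in sample: %d\n", count_conversions(sample));
    log_safe(out, sizeof out, sample);
    printf("logged literally: %s\n", out);
    return 0;
}
```

The fixed form is the whole mitigation: once the format string is a compile-time literal, the data can contain any number of %u or %n sequences and they are printed as text. The counter is only useful as a detection or review aid, for example over log lines or protocol fields in a fuzzing harness.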

Slide 21

Nov 8, 2001

Slide 22

Malloc exploitation
MaXX
Malloc exploitation trick, Phrack 57
http://phrack.org/issues/57/8.html

Slide 23

Nov 8, 2001

Slide 24

Free() Exploitation
anonymous
free() exploitation pioneer
http://phrack.org/issues/57/9.html

Slide 25

Feb 7, 2002

Slide 26

3rd Generation Exploitation
Halvar Flake

1st Generation Exploits
- Simple stack smashes
- Control of EIP (RET instruction)
- E.g. strcpy(), gets(), sprintf()
- Easy peasy

2nd Generation Exploits
- off-by-one
- Control of EIP (RET instruction)
- E.g. strncat(), strncpy()
- No EIP control, EBP manipulation
- Hard-to-find in nature

3rd Generation Exploits
- Format strings, Heap Structure
- E.g. printf(), malloc(), free()
- Sometimes trivial to spot
- No registers control

https://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt
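The first two generations above come down to a copy into a fixed stack buffer: the unbounded strcpy() of a 1st generation bug, and the off-by-one of a 2nd generation bug, where the bound is checked with '>' instead of '>=' and the terminator lands one byte past the buffer (the EBP low-byte corruption Halvar Flake refers to). The C below is an added example, not code from the talk; it shows both bug shapes as documented functions that are never called, next to two hardened copies that either reject or truncate. NAME_SZ and the sample strings are chosen for the demo.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_SZ 16

/* 1st generation: unbounded copy into a fixed stack buffer. Input longer
 * than NAME_SZ-1 bytes runs over the saved EBP and the return address.
 * Documented only; nothing in this file calls it. */
int greet_unsafe(const char *name)
{
    char buf[NAME_SZ];
    strcpy(buf, name);
    return (int)strlen(buf);
}

/* 2nd generation: off-by-one. The check uses '>' where '>=' is needed, so
 * an input of exactly NAME_SZ bytes passes and the terminator is written
 * to buf[NAME_SZ], one byte past the end (typically the low byte of the
 * saved EBP). Documented only; nothing in this file calls it. */
int greet_off_by_one(const char *name)
{
    char buf[NAME_SZ];
    size_t n = strlen(name);
    if (n > NAME_SZ) return -1;       /* should be n >= NAME_SZ */
    memcpy(buf, name, n);
    buf[n] = '\0';                    /* buf[NAME_SZ] when n == NAME_SZ */
    return (int)n;
}

/* Hardened: reject anything that does not fit including the terminator.
 * Returns the length copied, or -1 if src needs dstsz or more bytes. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz) return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Hardened alternative: truncate but always terminate. Returns bytes kept.
 * The scan is bounded by dstsz, so src need not be terminated either. */
int copy_truncating(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (dstsz == 0) return -1;
    while (n < dstsz - 1 && src[n] != '\0') n++;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[NAME_SZ];
    printf("bounded:    %d\n", copy_bounded(buf, sizeof buf, "sixteen chars!!!"));
    printf("truncating: %d -> \"%s\"\n",
           copy_truncating(buf, sizeof buf, "sixteen chars!!!"), buf);
    return 0;
}
```

Which hardened form to use depends on whether silent truncation is acceptable for the field; rejecting is the safer default for anything later parsed as a path or command.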

Slide 27

July 30, 2002

Slide 28

Integer Overflow
Mark Dowd, Chris Spencer, Neel Mehta, Nishad Herath, Halvar Flake
First introduced to the public
https://slideplayer.com/slide/9244035/
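An integer overflow rarely corrupts memory by itself; it defeats a length check so that a later copy or allocation runs with the original, much larger value. The C below is an added example, not code from the talk or the referenced slides: a length sum that wraps in 32 bits next to a checked version, and a checked count * element-size multiply used by an allocator wrapper. The values in main() are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Unsafe: header + body length computed in 32-bit unsigned arithmetic.
 * When body_len is close to UINT32_MAX the sum wraps to a small value, so a
 * later "total <= sizeof buf" check passes while the copy uses body_len. */
uint32_t total_len_unsafe(uint32_t hdr_len, uint32_t body_len)
{
    return hdr_len + body_len;   /* unsigned wrap: well-defined, and wrong */
}

/* Checked: detect the wrap before the sum is used as a size.
 * Returns 1 and sets *out, or 0 if the sum does not fit in 32 bits. */
int total_len_checked(uint32_t hdr_len, uint32_t body_len, uint32_t *out)
{
    if (body_len > UINT32_MAX - hdr_len) return 0;
    *out = hdr_len + body_len;
    return 1;
}

/* Checked multiply for allocation sizes (element count * element size). */
int mul_checked(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem) return 0;
    *out = count * elem;
    return 1;
}

/* Allocate count elements of elem bytes, refusing on overflow instead of
 * handing back a tiny buffer that the caller's fill loop then overruns. */
void *alloc_array(size_t count, size_t elem)
{
    size_t bytes;
    if (!mul_checked(count, elem, &bytes)) return NULL;
    return malloc(bytes);
}

int main(void)
{
    uint32_t total;
    printf("unsafe sum:  0x%x\n", total_len_unsafe(0x20u, 0xFFFFFFF0u));
    printf("checked sum: %s\n",
           total_len_checked(0x20u, 0xFFFFFFF0u, &total) ? "ok" : "rejected");
    printf("alloc_array(SIZE_MAX, 2): %s\n",
           alloc_array(SIZE_MAX, 2) == NULL ? "rejected" : "allocated");
    return 0;
}
```

The division form of the multiply check is portable C; on GCC and Clang the same test can be written with __builtin_mul_overflow(), which also handles signed operands.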

Slide 29

Aug 2, 2003

Slide 30

Win32 Device Driver
Sec-Labs
METHOD_NEITHER ioctl memory overwrite targeting Symantec AntiVirus
http://www.nsfocus.net/vulndb/5247

  push 0
  push 0
  @pushsz "\\.\NAVAP"     ;open the device
  @callx CreateFileA      ;yeah - open it!
  mov ebx,eax             ;EBX=DEVICE HANDLE
  cmp eax,-1              ;error ;/
  jne _x00                ;if not jump to _x00 label
  @debug SPLOIT_TITLE,"Cannot open device ;/",IERROR
  jmp exit

Slide 31

Sep 8, 2003

Slide 32

Windows Server 2003
David Litchfield
Defeating Stack Overflow Protection
https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-litchfield.pdf

Slide 33

Nov 2, 2004

Slide 34

Heap Spraying
Skylined
Demonstrated against Internet Explorer
https://www.exploit-db.com/exploits/612/

Slide 35

Jan 21, 2005

Slide 36

Defeating Heap Protection and DEP Bypass
PTSecurity
Defeating heap protection and bypassing DEP on Windows XP SP2.
https://www.ptsecurity.com/upload/corporate/ww-en/download/defeating-xpsp2-heap-protection.pdf

Slide 37

Feb 17, 2005

Slide 38

Remote Windows Kernel Exploitation
Barnaby Jack (RIP)
https://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Jack_White_Paper.pdf

Slide 39

July 20, 2005

Slide 40

Windows Kernel Pool Overflow
Kinvis (SoBeIt) - Beihang University
https://web.archive.org/web/20070221124210/http://xcon.xfocus.org/XCon2005/archives/2005/Xcon2005_SoBeIt.pdf

Slide 41

Oct 2, 2005

Slide 42

DEP Bypass, Hardware-Based
Skape & skywing
http://uninformed.org/index.cgi?v=all&a=11

Slide 43

Dec 7, 2005

Slide 44

Freelist[0] Exploitation Technique
Brett Moore
http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist[0]%20On%20XP%20Service%20Pack%202.pdf

Slide 45

Jan 19, 2007

Slide 46

Double-Free Vulnerabilities
Matthew Conover
https://www.symantec.com/connect/blogs/double-free-vulnerabilities-part-1
https://www.symantec.com/connect/blogs/double-free-vulnerabilities-part-2

Before:
  freelist[n-1] [0x003401b8]   Flink 0x003401b8   Blink 0x003401b8
  freelist[n]   [0x003401c0]   Flink 0x00341fb0   Blink 0x00341fb0
  chunk         [0x00341fa8]   Flink 0x003401c0   Blink 0x003401c0

After:
  freelist[n-1] same
  freelist[n]   same
  chunk         [0x00341fa8]   Flink 0x003401bc   Blink 0x003401c4
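The Flink/Blink figure above shows why the 2001 malloc and free() papers and the double-free work all end in the same place: a chunk whose list pointers no longer agree with its neighbours is unlinked, and the unlink writes one pointer through the other. The C below is an added example, not code from the talk or from Conover's posts; it models a doubly linked free list with the classic trusting unlink (documented, never called) next to the safe-unlinking check Windows XP SP2 introduced, and drives both an intact list and a constructed corruption through it. The list layout is simplified (no chunk header or size field).

```c
#include <stddef.h>
#include <stdio.h>

/* Free-list entry with the Flink/Blink pair from the figure.
 * Simplified model: no size field, no chunk header. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} list_entry;

void list_init(list_entry *head) { head->Flink = head->Blink = head; }

/* Insert e at the tail of the circular list headed by head. */
void list_insert_tail(list_entry *head, list_entry *e)
{
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Number of entries excluding the head. */
int list_count(const list_entry *head)
{
    int n = 0;
    for (const list_entry *p = head->Flink; p != head; p = p->Flink) n++;
    return n;
}

/* Classic unlink: trusts Flink and Blink. With corrupted pointers the two
 * stores become "write Blink to Flink->Blink" and "write Flink to
 * Blink->Flink", the primitive behind the figure. Documented only. */
void unlink_unsafe(list_entry *e)
{
    e->Flink->Blink = e->Blink;
    e->Blink->Flink = e->Flink;
}

/* Safe unlinking (XP SP2 heap): refuse to unlink an entry whose neighbours
 * do not point back to it. Returns 1 if unlinked, 0 if the list is
 * corrupt; a real heap would raise a fatal error rather than return. */
int unlink_safe(list_entry *e)
{
    if (e->Flink->Blink != e || e->Blink->Flink != e) return 0;
    e->Flink->Blink = e->Blink;
    e->Blink->Flink = e->Flink;
    e->Flink = e->Blink = NULL;
    return 1;
}

/* Build head -> a -> b -> c, unlink b, return the entries left (2). */
int demo_intact(void)
{
    list_entry head, a, b, c;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    list_insert_tail(&head, &c);
    if (!unlink_safe(&b)) return -1;
    return list_count(&head);
}

/* Same list, but b.Flink has been overwritten to point at a (constructed
 * corruption, as an overflow or a double free would leave behind).
 * a.Blink is head, not b, so the safe unlink rejects it and returns 0. */
int demo_corrupted(void)
{
    list_entry head, a, b, c;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    list_insert_tail(&head, &c);
    b.Flink = &a;
    return unlink_safe(&b);
}

int main(void)
{
    printf("intact list: %d entries after unlink\n", demo_intact());
    printf("corrupted list: unlink %s\n", demo_corrupted() ? "accepted" : "rejected");
    return 0;
}
```

The check only compares pointers that are already in the list, so it is cheap; the PTSecurity paper referenced later on the timeline is about finding paths around exactly this check on XP SP2.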

Slide 47

Mar 27, 2007

Slide 48

Heap Feng Shui
Alex Sotirov
Heap Feng Shui using JavaScript, attacking the browser
https://www.blackhat.com/presentations/bh-usa-07/Sotirov/Whitepaper/bh-usa-07-sotirov-WP.pdf

Slide 49

Feb 17, 2008

Slide 50

ASLR Smack
Tilo Müller
Complete write-up exploiting a stack overflow
https://ece.uwaterloo.ca/~vganesh/TEACHING/S2014/ECE458/aslr.pdf

Slide 51

Aug 4, 2008

Slide 52

Return Oriented Programming
Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham
https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf

Slide 53

Case Study: Emsisoft Internet Security - IOCTL Vulnerability

Slide 54

Overview
● Found in 2015 via fuzzing
● Responsible disclosure to vendor (Emsisoft)
● Vulnerable IOCTL 0x22e010
● Trivial to exploit:
  ○ Leads to an overflow that allows writing to memory and gaining execution

Slide 58

Stack Overflow: Windows Kernel Exploitation Process
01 Spawn processes
02 Get handle to vulnerable device
03 Get vulnerable IOCTL function
04 Allocate buffer (shellcode)
05 Create buffer that redirects execution into shellcode
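Both the Sec-Labs METHOD_NEITHER case and the Emsisoft case study come down to a driver trusting the length or pointer a user-mode caller attaches to an IOCTL. The C below is an added example, not code from the talk or from either driver: it decodes the CTL_CODE fields of the slide's IOCTL 0x22e010 (device type, access, function, transfer method), then shows a hypothetical request handler in its unsafe form (copying the caller's length into a fixed buffer, never called here) next to a hardened form that validates the pointer and length first. The name_request layout and status values are invented for the demo and are not the Emsisoft driver's.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* CTL_CODE layout: DeviceType[31:16] | Access[15:14] | Function[13:2] |
 * Method[1:0]. Method 0..3 = METHOD_BUFFERED, METHOD_IN_DIRECT,
 * METHOD_OUT_DIRECT, METHOD_NEITHER. With METHOD_NEITHER the I/O manager
 * hands the driver the raw user-mode pointers and lengths, so every
 * validation below is the driver's job. */
typedef struct { uint32_t device_type, access, function, method; } ioctl_fields;

ioctl_fields ioctl_decode(uint32_t code)
{
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 3u;
    f.function    = (code >> 2) & 0xFFFu;
    f.method      = code & 3u;
    return f;
}

/* Hypothetical request: a flags word and a fixed-size name. */
#define NAME_MAX_LEN 32
typedef struct { uint32_t flags; char name[NAME_MAX_LEN]; } name_request;

enum { STATUS_OK = 0, STATUS_INVALID_LENGTH = 1, STATUS_INVALID_PARAMETER = 2 };

/* Unsafe dispatch: copies InputBufferLength bytes into a fixed local. A
 * caller-chosen length larger than the local overruns the kernel stack,
 * the bug class of the case study. Documented only; not called below. */
int dispatch_unsafe(const void *in, size_t inlen)
{
    name_request local;
    memcpy(&local, in, inlen);
    return STATUS_OK;
}

/* Hardened dispatch: check the pointer and the exact length before any
 * copy, and treat the embedded name as unterminated, untrusted bytes. */
int dispatch_safe(const void *in, size_t inlen, char *out_name, size_t outsz)
{
    name_request local;
    size_t n = 0;
    if (in == NULL) return STATUS_INVALID_PARAMETER;   /* real driver: also ProbeForRead */
    if (inlen != sizeof local) return STATUS_INVALID_LENGTH;
    memcpy(&local, in, sizeof local);
    while (n < NAME_MAX_LEN && local.name[n] != '\0') n++;
    if (n >= outsz) return STATUS_INVALID_LENGTH;
    memcpy(out_name, local.name, n);
    out_name[n] = '\0';
    return STATUS_OK;
}

int main(void)
{
    ioctl_fields f = ioctl_decode(0x22e010u);
    printf("0x22e010: device 0x%x access %u function 0x%x method %u\n",
           f.device_type, f.access, f.function, f.method);
    name_request r;                       /* constructed request */
    memset(&r, 0, sizeof r);
    strcpy(r.name, "sample");
    char out[64];
    printf("exact length:   status %d\n", dispatch_safe(&r, sizeof r, out, sizeof out));
    printf("bogus length:   status %d\n", dispatch_safe(&r, 4096, out, sizeof out));
    return 0;
}
```

In a real driver the pointer check is ProbeForRead/ProbeForWrite inside a try/except block for METHOD_NEITHER buffers, and the length comes from the IRP's stack location; the shape of the checks is the same.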

Slide 59

Present

Slide 60

Past Exploitation Development
01 Use-After-Free: Use-After-Free vulnerability found. In order to exploit the vulnerability, chain it with Adobe Flash.
02 ROP + Info Leak: Create a ROP chain using the UAF vulnerability in the browser, chained with Adobe Flash. ASLR bypass required, using an info leak method.
03 Full Code Execution: Exploitation was trivial to gain.

Slide 61

What happened?
Developer: Developers failed to audit legacy code, did not make any changes, used old frameworks, etc.
Vulnerability Classes: Vulnerability types and classes still exist.
Patching: Patches introduced new vulnerabilities.
Exploitation: Exploitation is getting more complex and requires a chain of vulnerabilities.

Slide 62

What has changed?

Slide 63

http://gaasedelen.blogspot.com/2014/03/exploiting-icofx-26-cve-2013-4988.html

Slide 64

Windows Memory Safety Mitigations
● NX / DEP
● SEHOP / ASLR
● MemGC
● CFG
● ACG / RFG
● Hyper-V Based Security (VBS) - Kernel level (enabling ACG, CIG, RFG, CFG), CFI

Slide 65

Vulnerability Classes Killer
https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf

Edge Attack Surface Reduction: Remove whatever feature Internet Explorer has.
Memory Garbage Collection (MemGC): Focusing on the DOM engine, turning UAF in the DOM non-exploitable.
Type Confusion Protection: Additional checks to eliminate recurring bad casts and wrong branching on CTreePos.

● Stack corruption essentially eliminated
● Use-After-Free attacks decreased
● Rise of Out-of-Bounds, DLL Planting and Type Confusion

Slide 66

Current Exploitation Development
01 Use-After-Free: The vulnerability found was a Use-After-Free; in order to gain an info leak, it needs to be turned into a type confusion. In some cases this is not needed.
02 Type Confusion: Usually used as part of the vulnerability chain.
03 Information Leak: To bypass ASLR, an information leak is needed. This helps make the exploit reliable.
04 Sandbox & Mitigation Bypass: Current mitigations in Windows require multiple chained bypasses, including CFG and ACG.
05 Full Code Execution: Achieve full code execution (including remote) with full mitigation bypasses.

Slide 67

Case Study: (PSIRT-8422) Adobe Flash ActiveX - NULL Pointer

Slide 68

Overview
● Found via manual audit
  ○ Focus on Adobe Flash Player ActiveX (29.0.0.171)
● Responsible disclosure to vendor (Adobe)
● Integer Overflow in ActiveX turns into a NULL Pointer
  ○ Adobe failed to set the Kill Bit in the registry by default
● Exploit attempt failed
  ○ Due to memory safety mitigation

Slide 70

Future (Past)

Slide 71

● Exploitation much harder
● Hardware based mitigations and bypasses
● Past vulnerability classes remain
● More chained types of exploitation
● Software mitigation improvements
● Advanced exploitation could evade the security perimeter

Slide 72

Intel Control-flow Enforcement Technology (CET)
➢ Shadow Stack (bypass?)
  ○ Second stack for the program, used for control transfer operations
  ○ Separate from the data stack; can be enabled for operation in user mode or supervisor mode
  ○ Protects return addresses and defends against ROP
➢ Indirect Branch Tracking (bypass?)
  ○ New instruction named ENDBRANCH used to mark valid indirect CALL/JMP targets in the program
  ○ Protects free branches against JOP / COP
https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf
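The two CET mechanisms map directly onto the two ways control is hijacked earlier on the timeline: a return-oriented chain (the 2008 ROP slide) reuses overwritten return addresses, and JOP/COP reuse indirect branches. The C below is an added example, not Intel's implementation or code from the talk; it is a toy CPU model with an ordinary data stack that an overflow can overwrite and a separate shadow stack that only CALL and RET touch, plus an indirect-branch check against a list of ENDBRANCH-marked addresses. The addresses and the overwrite value are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define STACK_DEPTH 16

/* Toy CPU: return addresses live on the data stack (writable by a buffer
 * overflow) and, in parallel, on the shadow stack (only CALL/RET write it). */
typedef struct {
    uintptr_t data[STACK_DEPTH];
    int dsp;
    uintptr_t shadow[STACK_DEPTH];
    int ssp;
} cpu;

void cpu_init(cpu *c) { c->dsp = c->ssp = 0; }

/* CALL: push the return address on both stacks. */
int cpu_call(cpu *c, uintptr_t ret_addr)
{
    if (c->dsp >= STACK_DEPTH) return 0;
    c->data[c->dsp++] = ret_addr;
    c->shadow[c->ssp++] = ret_addr;
    return 1;
}

/* RET: pop both and compare. On mismatch the hardware raises a
 * control-protection fault (#CP); the model returns 0 and sets no target. */
int cpu_ret(cpu *c, uintptr_t *target)
{
    if (c->dsp == 0 || c->ssp == 0) return 0;
    uintptr_t from_data = c->data[--c->dsp];
    uintptr_t from_shadow = c->shadow[--c->ssp];
    if (from_data != from_shadow) return 0;   /* #CP */
    *target = from_data;
    return 1;
}

/* Indirect Branch Tracking: an indirect CALL/JMP may only land on an
 * address that begins with ENDBRANCH. endbr_sites lists those addresses. */
int ibt_check(const uintptr_t *endbr_sites, size_t n, uintptr_t target)
{
    for (size_t i = 0; i < n; i++)
        if (endbr_sites[i] == target) return 1;
    return 0;
}

/* Scenario 1: normal CALL then RET. Returns 1 when the RET is accepted
 * and lands on the original return address. */
int scenario_clean(void)
{
    cpu c; uintptr_t t = 0;
    cpu_init(&c);
    cpu_call(&c, 0x401000);
    return cpu_ret(&c, &t) && t == 0x401000;
}

/* Scenario 2: after the CALL, an overflow replaces the saved return address
 * on the data stack with a gadget address (constructed). The shadow copy
 * still holds the original, so the RET is refused: 0. */
int scenario_overwritten(void)
{
    cpu c; uintptr_t t = 0;
    cpu_init(&c);
    cpu_call(&c, 0x401000);
    c.data[c.dsp - 1] = 0x40f00d;   /* the overwrite */
    return cpu_ret(&c, &t);
}

int main(void)
{
    const uintptr_t sites[] = { 0x401000, 0x402000 };   /* ENDBRANCH-marked */
    printf("clean return accepted:       %d\n", scenario_clean());
    printf("overwritten return accepted: %d\n", scenario_overwritten());
    printf("indirect jump to 0x402004:   %d\n", ibt_check(sites, 2, 0x402004));
    return 0;
}
```

The model makes the "bypass?" question on the slide concrete: with the shadow stack, a ROP chain needs a way to write the shadow stack itself or to reach a target without a RET, and with IBT every such target must still begin with ENDBRANCH, which is what confines the remaining gadget set to function entries.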

Slide 73

Conclusion

Slide 75

References & Thanks
● Thanks to KLKS - for reviewing our slides
● NanoSec crew
● Haroon Meer BlackHat 2010 Paper on Memory Corruption History
  ○ https://media.blackhat.com/bh-us-10/whitepapers/Meer/BlackHat-USA-2010-Meer-History-of-Memory-Corruption-Attacks-wp.pdf
● ...and many papers that we used as references :)
● Ping us on Telegram (OWASP Malaysia) if you want to talk about exploitation and reverse engineering.