[ENG] Hacktivity 2013 - Alice in eXploitland


Transcript of [ENG] Hacktivity 2013 - Alice in eXploitland

Page 1: [ENG] Hacktivity 2013 - Alice in eXploitland

Alice in eXploitland Attack & defense evolution

Zoltán Balázs

Hacktivity 2013

Page 2: [ENG] Hacktivity 2013 - Alice in eXploitland

About:me

OSCP, C|HFI, CISSP, CPTS, MCP

Senior IT security consultant @ Deloitte Hungary

Proud member of the gula.sh team

[email protected]

https://hu.linkedin.com/in/zbalazs

Twitter – zh4ck

Page 3: [ENG] Hacktivity 2013 - Alice in eXploitland

What’s next?

Evolution of memory corruption attack & defense

Stack based buffer overflows

Stack canary

Structured Exception Handling

DEP

ASLR

Advanced mitigation

Page 4: [ENG] Hacktivity 2013 - Alice in eXploitland

Scope of this presentation

Focus on memory corruption, not Java vulnerabilities

Focus on Windows: for the last 15 years Windows was the biggest target for memory corruption exploits

High level overview only, no details like assembly

Mostly stack overflow vulnerabilities:
  no heap overflow
  no format string
  no null pointer dereference
  no integer overflow (just a little bit)
  no use after free

Pages 5-13: [ENG] Hacktivity 2013 - Alice in eXploitland

Why you should care about exploits?

If you are a company outside of China (or place your favourite enemy here):
  You are a target for intellectual property theft
  Your intellectual property will be stolen, through social engineering or software exploits
  You will find your product on the local Chinese market at half the price

If you are a military team working for the Chinese (or other) government to steal intellectual property:
  Your C&C server will be hacked through a memory corruption vulnerability
  Your "projects" will be revealed by hackers from Luxembourg

If you are a plain user surfing the web:
  You might be hacked through a memory corruption vulnerability (or Java)
  Credit card stolen, internet bank hacked
  Identity stolen
  Facebook wall spammed
Page 14: [ENG] Hacktivity 2013 - Alice in eXploitland

Function calls

void SayHello(char* userinput) { char buffer[100];

strcpy(buffer, userinput);

printf(„Hello %s\n", buffer); } int main() { SayHello(argv[1]); return 0; }

Pages 15-21: [ENG] Hacktivity 2013 - Alice in eXploitland

Function calls

Stack frame of SayHello() after the prologue, as the slides build it up one element at a time (page 21 is image only). Low addresses at the top:

0x00000000
...
        +---------------------------+
ESP --> | top of stack              |  ESP - extended stack pointer
        | space for buffer[100]     |  strcpy(buffer, userinput) fills this towards higher addresses, i.e. down the picture
EBP --> | saved EBP                 |  EBP - extended base pointer (frame pointer)
        | saved EIP                 |  EIP - extended instruction pointer: the return address. Overwrite this for PROFIT
        | ptr to argv[1]            |  argument pushed by main()
        +---------------------------+
....
0xFFFFFFFF
Page 22: [ENG] Hacktivity 2013 - Alice in eXploitland

Stack based buffer overflow vulnerability

"Stack overflow happens when the user can put more data into the allocated stack buffer than there is room for"

If more data is put on the stack than the buffer holds (stack overflow) ... magic will happen

Buffer overflow:
  stack based buffer overflow
  heap based buffer overflow

Pages 23-27: [ENG] Hacktivity 2013 - Alice in eXploitland

Stack overflow

The same frame after strcpy(buffer, "AAAA...") with more than 100 bytes of input; the slides show the overwrite advancing one slot per page (page 27 is image only):

0x00000000
...
        +---------------------------+
ESP --> | AAAA AAAA ... AAAA        |  buffer filled
EBP --> | saved EBP  -> AAAA        |  overwritten
        | saved EIP  -> AAAA        |  overwritten: ret now jumps to 0x41414141
        | ptr to argv[1] -> AAAA    |  overwritten too, strcpy keeps writing until it reaches the NUL
        +---------------------------+
....
0xFFFFFFFF

ESP - extended stack pointer, EBP - extended base pointer, EIP - extended instruction pointer. Overwrite EIP for PROFIT
Page 28: [ENG] Hacktivity 2013 - Alice in eXploitland

Quiz for Hacker Pschorr

Which team created the first Linux kernel patch to protect against stack overflows?

***

PaX team in 2000

Page 30: [ENG] Hacktivity 2013 - Alice in eXploitland

Stack overflow history

1972 – Computer Security Technology Planning Study

1988 – Morris worm

1996 – Smashing the Stack for Fun and Profit (Aleph One)

2000 – NSA – SELinux open sourced

2000 – PaX Team

2003 – SELinux merged into mainline Linux Kernel

2004 – Egghunters - against small buffers

Page 31: [ENG] Hacktivity 2013 - Alice in eXploitland

Shellcode

The attacker's code: what the attacker wants to execute

The instructions given by Alice to the rabbit

Page 32: [ENG] Hacktivity 2013 - Alice in eXploitland

Mitigation techniques

All of the following mitigation techniques are used against every kind of memory corruption vulnerability, not just against stack overflows

Pages 33-35: [ENG] Hacktivity 2013 - Alice in eXploitland

Stack canary/cookie

A random cookie is placed between the buffer and the saved EBP/EIP in the prologue and checked before the function returns. An overflow has to pass through it on its way to saved EIP; the slides show the overwrite advancing one slot per page (page 35 is image only):

0x00000000
...
        +--------------------------------------+
ESP --> | AAAA AAAA ... AAAA                   |  buffer filled
        | random cookie 27384AB4CD457 -> AAAA  |  overwritten: the check at return fails and the process is terminated
EBP --> | saved EBP  -> AAAA                   |
        | saved EIP  -> AAAA                   |  never used, the cookie check fires first
        | ptr to argv[1] -> AAAA               |
        +--------------------------------------+
....
0xFFFFFFFF

ESP - extended stack pointer, EBP - extended base pointer, EIP - extended instruction pointer

Stack canary/cookie history (/GS)

1997 - Linux (GCC)

2002 - MS (Visual Studio)

Page 37: [ENG] Hacktivity 2013 - Alice in eXploitland

Stack canary/cookie bypass

Method 1: Replace the cookie on the stack and the master copy in .data
  metaphor: tamper with the sensor so that water does not trigger the alarm

Method 2: Overflow a buffer that is not protected (/GS only guards string buffers)
  metaphor: use a pot which is not equipped with an alarm system

Method 3: Guess/calculate the cookie, e.g. when the cookie is static

Method 4: The cookie is only checked when the function returns; overwrite other stack data that is used before that (locals and arguments of functions up the stack, a switch case target)
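
Added example (not from the slides): a small C model of the SayHello() frame from page 14 with the cookie slot from pages 33-34. It runs the overflow from pages 23-26 through the cookie check, then bypass method 3 with a known cookie. The frame layout, cookie value 0x27384AB4, return address 0x00401234 and target 0x41414141 are constructed for the demo; a byte loop stands in for strcpy() so the compiler cannot swap in a checked variant, and nothing touches the real stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emulated 32-bit frame of SayHello(), low address first, laid out as on the
   slides. The cookie slot is always reserved here; a build without /GS would
   simply not check it. Constructed model, not real stack memory. */
enum {
    BUF_SIZE   = 16,
    OFF_BUF    = 0,
    OFF_COOKIE = OFF_BUF + BUF_SIZE,
    OFF_EBP    = OFF_COOKIE + 4,
    OFF_EIP    = OFF_EBP + 4,
    OFF_ARG    = OFF_EIP + 4,
    FRAME_SIZE = OFF_ARG + 4
};

#define COOKIE_VALUE  0x27384AB4u   /* slide's "27384AB4CD457" cut to 32 bits; real cookies are random per process */
#define ORIGINAL_EIP  0x00401234u   /* constructed return address into main() */
#define ORIGINAL_EBP  0x0012FF80u   /* constructed caller frame pointer */
#define ATTACKER_EIP  0x41414141u   /* "AAAA": where the attacker wants to go */

typedef struct { uint8_t bytes[FRAME_SIZE]; } frame_t;

static uint32_t rd32(const frame_t *f, size_t off) { uint32_t v; memcpy(&v, f->bytes + off, 4); return v; }
static void     wr32(frame_t *f, size_t off, uint32_t v) { memcpy(f->bytes + off, &v, 4); }

/* What the function prologue leaves behind. */
static void frame_init(frame_t *f) {
    memset(f->bytes, 0, FRAME_SIZE);
    wr32(f, OFF_COOKIE, COOKIE_VALUE);
    wr32(f, OFF_EBP, ORIGINAL_EBP);
    wr32(f, OFF_EIP, ORIGINAL_EIP);
    wr32(f, OFF_ARG, 0x00320000u);
}

/* The slide's strcpy(buffer, userinput): copies up to the NUL and never looks
   at BUF_SIZE. The FRAME_SIZE bound only keeps the demo inside the emulated
   frame; it is not a fix. */
static void vulnerable_strcpy(frame_t *f, const char *userinput) {
    size_t i;
    for (i = 0; userinput[i] != '\0' && OFF_BUF + i < FRAME_SIZE; i++)
        f->bytes[OFF_BUF + i] = (uint8_t)userinput[i];
    if (OFF_BUF + i < FRAME_SIZE)
        f->bytes[OFF_BUF + i] = 0;
}

/* Epilogue: with /GS the cookie is compared against the master copy before
   `ret`; a mismatch terminates the process instead of returning. Returns the
   address the CPU would continue at, or 0 when the check fires. */
static uint32_t epilogue(const frame_t *f, int gs_enabled) {
    if (gs_enabled && rd32(f, OFF_COOKIE) != COOKIE_VALUE)
        return 0;
    return rd32(f, OFF_EIP);
}

/* Aleph One style input: fill the buffer, then whatever has to land on the
   cookie, saved EBP and saved EIP slots. A NUL inside any value would stop
   strcpy early, which is why the constructed cookie and target contain none. */
static void build_payload(char *out, uint32_t cookie_bytes, uint32_t new_eip) {
    size_t n = 0;
    memset(out + n, 'A', BUF_SIZE);     n += BUF_SIZE;   /* buffer */
    memcpy(out + n, &cookie_bytes, 4);  n += 4;          /* cookie slot */
    memset(out + n, 'B', 4);            n += 4;          /* saved EBP: anything */
    memcpy(out + n, &new_eip, 4);       n += 4;          /* saved EIP */
    out[n] = '\0';
}

/* Normal call: "Alice" fits, the cookie is untouched, we return to main(). */
uint32_t call_benign(int gs_enabled) {
    frame_t f;
    frame_init(&f);
    vulnerable_strcpy(&f, "Alice");
    return epilogue(&f, gs_enabled);
}

/* Overflowing call. attacker_knows_cookie models bypass method 3 from the
   slides: the payload reproduces the cookie, so the check passes and saved
   EIP is still hijacked. */
uint32_t call_overflow(int gs_enabled, int attacker_knows_cookie) {
    frame_t f;
    char payload[FRAME_SIZE + 1];
    frame_init(&f);
    build_payload(payload, attacker_knows_cookie ? COOKIE_VALUE : 0x41414141u, ATTACKER_EIP);
    vulnerable_strcpy(&f, payload);
    return epilogue(&f, gs_enabled);
}

int main(void) {
    printf("benign, no /GS              -> eip=0x%08x\n", (unsigned)call_benign(0));
    printf("overflow, no /GS            -> eip=0x%08x\n", (unsigned)call_overflow(0, 0));
    printf("overflow, /GS               -> eip=0x%08x (0 = cookie check aborted)\n", (unsigned)call_overflow(1, 0));
    printf("overflow, /GS, cookie known -> eip=0x%08x\n", (unsigned)call_overflow(1, 1));
    return 0;
}
```

The point to take from the last line: the cookie protects the return address only as long as its value is secret, which is why method 1 (overwrite the master copy) and method 3 (static or leaked cookie) exist.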

Pages 38-39: [ENG] Hacktivity 2013 - Alice in eXploitland

Structured Exception Handling exploit

In reality, traditional stack overflow exploits are sometimes not possible:

No EIP overwrite

No jump

Stack cookies
  but the stack cookie is not checked at exception handling

Way too complicated to trigger

Page 40: [ENG] Hacktivity 2013 - Alice in eXploitland

SEH exploit – three steps to profit

Step 1. overwriting first element in the exception-handling chain

Step 2. because of the overflow, the exception-handling is triggered

Step 3. via exception handling, return to the malicious shellcode (PROFIT)

Page 41: [ENG] Hacktivity 2013 - Alice in eXploitland

SEH exploit metaphor

If chaos occurs, a disaster recovery process handles the chaos

Alice can rewrite the address where the rabbit looks for the disaster recovery manual

Page 42: [ENG] Hacktivity 2013 - Alice in eXploitland

SEH exploit mitigation

SafeSEH: a table in the module that tells the operating system which exception handlers are valid
  only a limited set of addresses where the disaster recovery manual can be found
  Alice can not change those

SEHOP: the OS validates the whole SEH chain before dispatching
  breaks SEH overwrite exploitation techniques
  stamp from the queen on the addresses where the disaster recovery manual can be found
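
Added example (not part of the talk): a C model of the SEH chain on the stack, the three-step overwrite from page 40, and simplified SafeSEH and SEHOP checks from page 42. The stack base 0x0012F000, the module map (safeseh.dll with a handler table, legacy.dll without one), the handler addresses and the final handler value are all constructed; ntdll's real checks have more cases than modelled here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit thread stack: a 16-byte local buffer, then two
   EXCEPTION_REGISTRATION records { next, handler } (8 bytes each), then the
   terminal record. Addresses are emulated as STACK_BASE + offset. */
#define STACK_BASE     0x0012F000u
enum { BUF_SIZE = 16, REC0 = 16, REC1 = 24, REC_FINAL = 32, STACK_SIZE = 40 };

#define CHAIN_END      0xFFFFFFFFu   /* value of the last `next` pointer */
#define FINAL_HANDLER  0x7C900000u   /* constructed stand-in for ntdll's final handler */
#define HANDLER_OK     0x10001040u   /* constructed legitimate handler inside safeseh.dll */

typedef struct { uint8_t mem[STACK_SIZE]; } stack_t;

static uint32_t rd32(const stack_t *s, uint32_t off) { uint32_t v; memcpy(&v, s->mem + off, 4); return v; }
static void     wr32(stack_t *s, uint32_t off, uint32_t v) { memcpy(s->mem + off, &v, 4); }

static void stack_init(stack_t *s) {
    memset(s->mem, 0, STACK_SIZE);
    wr32(s, REC0,      STACK_BASE + REC1);      wr32(s, REC0 + 4,      HANDLER_OK);
    wr32(s, REC1,      STACK_BASE + REC_FINAL); wr32(s, REC1 + 4,      HANDLER_OK);
    wr32(s, REC_FINAL, CHAIN_END);              wr32(s, REC_FINAL + 4, FINAL_HANDLER);
}

/* Constructed module map: safeseh.dll was linked with /SafeSEH and registered
   its handlers; legacy.dll was not. */
struct module { uint32_t lo, hi; const uint32_t *table; size_t count; };
static const uint32_t safeseh_table[] = { 0x10001000u, HANDLER_OK };
static const struct module modules[] = {
    { 0x10000000u, 0x10010000u, safeseh_table, 2 },
    { 0x20000000u, 0x20010000u, NULL, 0 },
};

/* SafeSEH (simplified RtlIsValidHandler): a handler inside an image that
   carries a table must be listed in it; an image without a table is accepted;
   an address outside every image (stack, heap, 0x41414141) is rejected here.
   Windows also consults the process DEP policy in that last case. */
static int safeseh_allows(uint32_t handler) {
    for (size_t m = 0; m < sizeof modules / sizeof modules[0]; m++) {
        const struct module *mod = &modules[m];
        if (handler < mod->lo || handler >= mod->hi) continue;
        if (mod->table == NULL) return 1;
        for (size_t i = 0; i < mod->count; i++)
            if (mod->table[i] == handler) return 1;
        return 0;
    }
    return 0;
}

/* SEHOP (simplified): walk `next` from the first record; every hop must stay
   inside the stack, be 4-byte aligned and move to a higher address, and the
   chain must end at the final handler. An overflow that reaches record 0 also
   clobbers its `next`, so the walk breaks. */
static int sehop_allows(const stack_t *s) {
    uint32_t rec = STACK_BASE + REC0;
    for (int hops = 0; hops < 16; hops++) {
        if (rec < STACK_BASE || rec + 8 > STACK_BASE + STACK_SIZE || (rec & 3)) return 0;
        uint32_t next    = rd32(s, rec - STACK_BASE);
        uint32_t handler = rd32(s, rec - STACK_BASE + 4);
        if (next == CHAIN_END) return handler == FINAL_HANDLER;
        if (next <= rec) return 0;
        rec = next;
    }
    return 0;
}

/* Exception dispatch: the handler that would be called for the first record,
   or 0 when a mitigation refuses it. */
static uint32_t dispatch(const stack_t *s, int safeseh, int sehop) {
    uint32_t handler = rd32(s, REC0 + 4);
    if (sehop && !sehop_allows(s)) return 0;
    if (safeseh && !safeseh_allows(handler)) return 0;
    return handler;
}

/* Unbounded copy from the buffer upward into the first SEH record. */
static void overflow(stack_t *s, const uint8_t *payload, size_t n) {
    for (size_t i = 0; i < n && i < STACK_SIZE; i++) s->mem[i] = payload[i];
}

/* A genuine exception (no overflow) under the given mitigations. */
uint32_t dispatch_legit(int safeseh, int sehop) {
    stack_t s;
    stack_init(&s);
    return dispatch(&s, safeseh, sehop);
}

/* The three-step SEH exploit from the slides. next_value and handler_value
   are what the attacker writes over the first record. */
uint32_t seh_exploit(uint32_t next_value, uint32_t handler_value, int safeseh, int sehop) {
    stack_t s;
    uint8_t payload[BUF_SIZE + 8];
    stack_init(&s);
    memset(payload, 'A', BUF_SIZE);
    memcpy(payload + BUF_SIZE, &next_value, 4);
    memcpy(payload + BUF_SIZE + 4, &handler_value, 4);
    overflow(&s, payload, sizeof payload);     /* step 1: overwrite the first record */
    /* step 2: the wrecked frame raises an exception; step 3: the dispatcher
       calls whatever now sits in the handler field. */
    return dispatch(&s, safeseh, sehop);
}

int main(void) {
    printf("no mitigation, handler=AAAA      -> 0x%08x\n", (unsigned)seh_exploit(0x41414141u, 0x41414141u, 0, 0));
    printf("SafeSEH, handler=AAAA            -> 0x%08x\n", (unsigned)seh_exploit(0x41414141u, 0x41414141u, 1, 0));
    printf("SafeSEH, handler in legacy.dll   -> 0x%08x\n", (unsigned)seh_exploit(0x41414141u, 0x20001234u, 1, 0));
    printf("SafeSEH+SEHOP, next trashed      -> 0x%08x\n", (unsigned)seh_exploit(0x41414141u, 0x20001234u, 1, 1));
    printf("SafeSEH+SEHOP, next repaired     -> 0x%08x\n", (unsigned)seh_exploit(0x0012F018u, 0x20001234u, 1, 1));
    return 0;
}
```

The last two lines are the practical lesson: SafeSEH is only as good as the weakest module loaded into the process (a pop/pop/ret in a module without a table passes), and SEHOP holds only while the attacker cannot reconstruct a valid `next` pointer, which under ASLR means not knowing where the stack is.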

Page 43: [ENG] Hacktivity 2013 - Alice in eXploitland

DEP

DEP - Data Execution Prevention – Windows (OS level)

Protection: mark data pages (stack, heap) as non-executable, so injected shellcode cannot run from where it was written

The same idea under other names: PaX PAGEEXEC, W^X, NX, XD

Page 45: [ENG] Hacktivity 2013 - Alice in eXploitland

PageExec, W^X, NX, XD, DEP

NX - No eXecute – AMD (CPU level)

XD - eXecute Disable – Intel (CPU level)

W^X - Write XOR Execute – OpenBSD, OS X (OS level)

Non-executable memory – Linux (OS level)

Windows:
  if the CPU supports NX/XD and it is enabled: hardware DEP == real DEP
  if the CPU does not support NX/XD or it is disabled: software DEP == SafeSEH only, nothing stops code running from the stack !!!

DEP modes: AlwaysOff, OptIn, OptOut, AlwaysOn

Page 46: [ENG] Hacktivity 2013 - Alice in eXploitland

PageExec, W^X, NX, XD, DEP

1997 - Openwall – Solar Designer

2000 - PaX Team PAGEEXEC

2002 - Exec Shield (Ingo Molnár)

2003 - OpenBSD

2004 - Linux (Ingo Molnár)

2004 - Windows XP SP2

2006 - OS X

Page 47: [ENG] Hacktivity 2013 - Alice in eXploitland

PageExec, W^X, NX, XD, DEP bypass

Method 1: Return Oriented Programming (ROP): reuse code that is already executable instead of injecting any. Roots go back to Solar Designer's return-into-libc (1997)

Page 48: [ENG] Hacktivity 2013 - Alice in eXploitland

PageExec, W^X, NX, XD, DEP bypass

Method 2: Mark the part of the stack holding the shellcode as executable (e.g. VirtualProtect)
  Alice can override the order that her handwritten instructions must not be executed
  does not work when the protection is "Always On"

Method 3: Disable the protection for the whole process
  does not work when the protection is "Always On"

Method 4: Copy the shellcode to an executable area
  executable areas are usually read-only, so allocate new memory with read-write-execute permission (VirtualAlloc)
  if attacking a browser: JavaScript heap spraying
  other magic here
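
Added example (not from the slides, and Linux/POSIX rather than Windows): what DEP actually enforces and what bypass methods 2 and 4 buy the attacker. mmap/mprotect stand in for VirtualAlloc/VirtualProtect; the "shellcode" is a constructed stub that only returns 42, provided for x86-64 and AArch64. A page left read-write shows the CPU refusing to fetch instructions from a data page; flipping it to read-execute afterwards (method 2) or mapping it RWX from the start (method 4) lets the same bytes run.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum { FAULTED = -1, UNSUPPORTED = -2 };

/* Constructed "shellcode": returns 42 and nothing else, so the demo is harmless. */
#if defined(__x86_64__)
static const uint8_t shellcode[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };             /* mov eax, 42 ; ret */
#elif defined(__aarch64__)
static const uint8_t shellcode[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0, #42 ; ret */
#else
#define NO_SHELLCODE 1
#endif

static sigjmp_buf recover;
static void on_fault(int sig) { (void)sig; siglongjmp(recover, 1); }

/* Write the payload into a fresh anonymous page while it is RW (as the stack
   or heap would be), switch the page to `prot`, then jump into it. Returns
   what the payload returns, FAULTED if the CPU refused to fetch from the page,
   UNSUPPORTED if this platform cannot run the demo. */
int run_payload_with_prot(int prot) {
#ifdef NO_SHELLCODE
    (void)prot;
    return UNSUPPORTED;
#else
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *p = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return UNSUPPORTED;
    memcpy(p, shellcode, sizeof shellcode);
    __builtin___clear_cache((char *)p, (char *)p + sizeof shellcode);   /* needed on AArch64 */
    if (mprotect(p, page, prot) != 0) { munmap(p, page); return UNSUPPORTED; }

    /* The fault handler is our "catch-all exception block": without it the
       first attempt to execute a non-executable page kills the process. */
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result = FAULTED;
    if (sigsetjmp(recover, 1) == 0) {
        int (*entry)(void);
        memcpy(&entry, &p, sizeof entry);   /* data pointer to function pointer, warning-free */
        result = entry();
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(p, page);
    return result;
#endif
}

/* The three situations from the slides. */
int dep_blocks_data_page(void) { return run_payload_with_prot(PROT_READ | PROT_WRITE); }               /* DEP on: data page, no X */
int wx_flip_then_run(void)     { return run_payload_with_prot(PROT_READ | PROT_EXEC); }                /* method 2: VirtualProtect-style flip */
int rwx_allocation_runs(void)  { return run_payload_with_prot(PROT_READ | PROT_WRITE | PROT_EXEC); }   /* method 4: VirtualAlloc RWX */

int main(void) {
    printf("RW page   : %d (-1 means DEP blocked execution)\n", dep_blocks_data_page());
    printf("RW -> RX  : %d\n", wx_flip_then_run());
    printf("RWX page  : %d\n", rwx_allocation_runs());
    return 0;
}
```

Note what DEP does not do: nothing here stops the attacker from *calling* mprotect or mmap, which is exactly why a ROP chain that reaches VirtualProtect or VirtualAlloc is the standard way past it, and why the later slides care so much about ASLR.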

Page 49: [ENG] Hacktivity 2013 - Alice in eXploitland

ASLR metaphor

ASLR = Address Space Layout Randomization

The addresses of the memory layout change every time (per boot or per process start)

Changing the street names and house numbers every time

Alice can only go to a house; she won't know what its address will be at the time the rabbit arrives

Page 50: [ENG] Hacktivity 2013 - Alice in eXploitland

ASLR

1997 - Memco

2001 - PaX Team (RandExec/RandMmap/RandUStack/RandKStack)

2005 - OpenBSD

2005 - Linux – first implementation weak

2007 - Windows

2007 - OS X

2011 - Android

Page 51: [ENG] Hacktivity 2013 - Alice in eXploitland

ASLR bypass

2007 – MS07-017 ANI exploit – Alex Sotirov

Method 1: overwrite only the two low bytes of the saved EIP
  the high bytes are the random part; we need them, so we leave them in place
  the low bytes are changed to point to a piece of code useful for the attacker (inside the same 64 KB window of the module)
  Alice case: we specify the return address like "4 houses to the left, next to the original"

Method 2: low entropy in the randomization – brute force
  a catch-all exception block is usually needed, otherwise the first wrong guess crashes the process
  You never write try { code_here } catch (every exception) { do nothing }, do you?

ASLR on a 32 bit OS is 14m3, ASLR on a 64 bit OS is 1337 (High Entropy ASLR on Win8)

Page 52: [ENG] Hacktivity 2013 - Alice in eXploitland

ASLR bypass ...

Method 2: Low entropy in the randomization – brute force

Alice gives the rabbit 1000 addresses

The rabbit looks for Alice in 1000 houses

Finally the rabbit finds Alice

Alice gives him the malicious instructions

PROFIT

Page 53: [ENG] Hacktivity 2013 - Alice in eXploitland

ASLR bypass …

Method 3: ASLR not enforced on every module: Java 6 loads a module with a static base into the browser, used in an Adobe Flash exploit
  Java 7 modules support ASLR
  there are still some static street names and house numbers in eXploitland that never change

Method 4: address space information disclosure
  Alice asks an inhabitant of eXploitland what the street name and house number of her house will be when the rabbit arrives
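
Added example (not in the talk): a C model of bypass method 1 from page 51. The image base 0x10xx0000 with 8 random bits at 64 KB granularity (the 32-bit Windows image layout), the return RVA 0x11234 and the gadget RVA 0x12040 are constructed. It also shows the detail the slide glosses over: a partial overwrite done through strcpy() writes its terminating NUL on top of the randomized byte, so it only works for one base in 256, the same 256 candidates that method 2 brute-forces.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit picture of an ASLR'd image. 32-bit Windows relocates an
   image to a 64 KB-aligned base with 8 bits of entropy, so the base looks like
   0x10xx0000 with xx random per boot. Offsets inside the image (RVAs) never
   change, which is what the partial overwrite relies on. */
#define IMAGE_BASE_MIN  0x10000000u
#define RVA_RETURN      0x00011234u   /* where saved EIP legitimately points (constructed) */
#define RVA_GADGET      0x00012040u   /* attacker's target: same 64 KB window, no NUL bytes (constructed) */
enum { ENTROPY_BITS = 8 };

static uint32_t image_base(uint32_t slot) { return IMAGE_BASE_MIN + ((slot & 0xFFu) << 16); }

/* Saved EIP as it sits in memory: four little-endian bytes. */
static void put_le32(uint8_t b[4], uint32_t v) {
    for (int i = 0; i < 4; i++) b[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get_le32(const uint8_t b[4]) {
    return b[0] | (b[1] << 8) | (b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Method 1 with a length-controlled write (memcpy/recv-style bug): only the two
   low bytes change, the randomised byte above them survives. */
uint32_t partial_overwrite_counted(uint32_t saved_eip, uint16_t low16) {
    uint8_t b[4];
    put_le32(b, saved_eip);
    b[0] = (uint8_t)(low16 & 0xFF);
    b[1] = (uint8_t)(low16 >> 8);
    return get_le32(b);
}

/* Same idea through strcpy(): it stops at the NUL but also writes it, so a
   "two byte" overwrite touches three bytes, and byte 2 is exactly the random one. */
uint32_t partial_overwrite_strcpy(uint32_t saved_eip, uint16_t low16) {
    uint8_t b[4];
    put_le32(b, saved_eip);
    b[0] = (uint8_t)(low16 & 0xFF);
    b[1] = (uint8_t)(low16 >> 8);
    b[2] = 0x00;                         /* the terminator */
    return get_le32(b);
}

/* Run the overwrite against every base the randomiser can pick and count how
   often execution lands on the gadget. */
unsigned count_hits(uint32_t (*overwrite)(uint32_t, uint16_t)) {
    unsigned hits = 0;
    for (uint32_t slot = 0; slot < (1u << ENTROPY_BITS); slot++) {
        uint32_t base = image_base(slot);
        uint32_t got  = overwrite(base + RVA_RETURN, (uint16_t)(RVA_GADGET & 0xFFFFu));
        if (got == base + RVA_GADGET) hits++;
    }
    return hits;
}

unsigned hits_counted(void) { return count_hits(partial_overwrite_counted); }
unsigned hits_strcpy(void)  { return count_hits(partial_overwrite_strcpy); }

int main(void) {
    printf("length-controlled overwrite: %u/%u bases hit\n", hits_counted(), 1u << ENTROPY_BITS);
    printf("strcpy-style overwrite     : %u/%u bases hit\n", hits_strcpy(),  1u << ENTROPY_BITS);
    return 0;
}
```

The partial overwrite is independent of how many random bits the OS uses (which is why it survives 64-bit high entropy ASLR), but it only reaches code within 64 KB of the original return target, and the copy primitive has to stop exactly after two bytes.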

Page 54: [ENG] Hacktivity 2013 - Alice in eXploitland

EMET

Page 55: [ENG] Hacktivity 2013 - Alice in eXploitland

Collect three gems

Exploiting stack overflow in 2003 on Windows

Page 56: [ENG] Hacktivity 2013 - Alice in eXploitland

Exploiting stack overflow in 2013 with ASLR + DEP

You have 3 ammo left

Page 57: [ENG] Hacktivity 2013 - Alice in eXploitland

ASLR + DEP bypass

Metasploit windows/browser/ms13_037_svg_dashstyle demo

Scenario 1. ASLR disabled: the exploit uses fixed addresses

Scenario 2. ASLR enabled: the exploit does not work

Scenario 3. ASLR enabled, Java 1.6 installed: a ROP chain built from the non-ASLR Java module works

Scenario 4. ASLR enabled: the original exploit with its information leak works

Scenario 5. EMET with only the heap spray mitigation enabled blocks the exploit

Page 58: [ENG] Hacktivity 2013 - Alice in eXploitland

What to do if I’m a user?

Remove Java

If you use Windows: upgrade to the latest OS, use the latest browser (Chrome/IE); if you can’t upgrade, use EMET

If you use Linux: upgrade to the latest OS, use the latest browser (Chrome)

If you use OS X: upgrade to the latest OS, use the latest browser (Safari/Chrome)

Upgrade your software

Page 59: [ENG] Hacktivity 2013 - Alice in eXploitland

What to do if I’m a CISO?

Remove Java, at least from the browsers used for Internet browsing

If you use Windows Upgrade to latest OS

If can’t upgrade, use EMET from GPO (Group policy)

Install Microsoft and 3rd party patches

Page 60: [ENG] Hacktivity 2013 - Alice in eXploitland

What to do if I’m a developer?

Remove Java, at least from the browsers used for Internet browsing

Learn secure application development

Use the compiler and linker switches in Visual Studio:
  /GS (VS 2002) – stack cookies
  /SafeSEH (VS 2003) – registered exception handler table
  /DynamicBase (VS 2005) – ASLR
  /NXCompat (VS 2005) – DEP
  /HIGHENTROPYVA (VS 2012) – 64 bit high entropy ASLR
  #define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES 1 (VS 2005) – safe CRT overloads for strcpy and friends

Check the result with BinScope

Page 61: [ENG] Hacktivity 2013 - Alice in eXploitland

What to do if I’m working for the Chinese government running vulnerable Poison Ivy servers?

Develop your own backdoor client/server

For details see previous slide

Until it is finished use EMET

Page 62: [ENG] Hacktivity 2013 - Alice in eXploitland

Lessons learned

Always use ASLR (Always On, 64 bit) + DEP (Always On) together, plus EMET for additional protection

Number of working IE9 (March 2011) exploits in Metasploit: with Java 6 – 1, without Java 6 – 1

Number of working IE10 exploits in Metasploit: 0

Number of Java 7 (July 2011) exploits in Metasploit: 16

The price of a zero-day memory corruption exploit is getting higher and higher