compass-security.com 1
Windows Exploit Mitigations
Some statements:
▪ “Windows is insecure”
▪ “Firefox is more secure than IE”
With respect to memory corruption: are these statements (still) true?
Stack Canaries
Stack Canaries
▪ Integrated in Visual Studio
▪ /GS compiler option
▪ Since Visual Studio 2002
▪ Deployed in: XP SP2
Versions:
▪ GS v1 (2002)
▪ GS v1.1 (2003)
▪ GS v2 (2005)
▪ GS v3 (2010)
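To make the /GS idea concrete, here is an added simulation (not code from the deck or from Compass Security) of what the compiler-inserted prologue and epilogue do. The frame layout, the process cookie value 0xC0FFEE42 and the XOR with the frame address are assumptions of this example: the real CRT keeps the cookie in __security_cookie, seeds it at process start, and aborts through __report_gsfailure when the check fails.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated x86 stack frame laid out the way /GS arranges it: the security
 * cookie sits between the local buffer and the saved frame pointer / return
 * address, so a linear overflow of buf must cross the cookie first. */
enum { BUF_SIZE = 16 };

typedef struct {
    char     buf[BUF_SIZE];  /* local buffer, lowest address */
    uint32_t cookie;         /* /GS security cookie */
    uint32_t saved_ebp;      /* SBP */
    uint32_t saved_eip;      /* SIP, the return address */
} frame_t;

/* Per-process cookie (__security_cookie in the real CRT, seeded with entropy
 * at process start). A constant is used here so the example is deterministic. */
#define PROCESS_COOKIE 0xC0FFEE42u

/* Prologue: store the cookie XORed with the frame address, as later /GS
 * versions do with EBP, so one leaked cookie is not valid in every frame. */
static void gs_prologue(frame_t *f) {
    f->cookie = PROCESS_COOKIE ^ (uint32_t)(uintptr_t)f;
}

/* Epilogue (__security_check_cookie): 1 if the cookie is intact, 0 if the
 * frame was corrupted and the real CRT would call __report_gsfailure. */
static int gs_epilogue(const frame_t *f) {
    return f->cookie == (PROCESS_COOKIE ^ (uint32_t)(uintptr_t)f);
}

/* Models a function with an unchecked copy into its local buffer. The copy is
 * clamped to the frame size only so the simulation stays inside defined
 * memory; the real bug is bounded by nothing. Returns 1 when the function
 * could return normally, 0 when the cookie check would abort the process. */
static int vulnerable_function(const char *input, size_t len) {
    frame_t f;
    f.saved_ebp = 0xBBBBBBBBu;   /* placeholder saved registers */
    f.saved_eip = 0x0040100Fu;
    gs_prologue(&f);
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);      /* the overflow: runs past buf[] into the cookie */
    return gs_epilogue(&f);
}

/* Demonstration helper: feeds n bytes of 'A' (constructed input) to the function. */
static int run_with_input_length(size_t n) {
    char input[sizeof(frame_t)];
    memset(input, 'A', sizeof input);
    return vulnerable_function(input, n);
}

int main(void) {
    printf("16 bytes -> %s\n", run_with_input_length(16) ? "return OK" : "GS failure");
    printf("20 bytes -> %s\n", run_with_input_length(20) ? "return OK" : "GS failure");
    return 0;
}
```

The check only fires when the overflow actually crosses the cookie; an out-of-bounds write that skips over it (a pointer or index bug rather than a linear copy) is exactly the case the later GS versions and the SEH-related mitigations on the next slides try to cover.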
SEH / AntiSEH
SEH Overwrite
▪ Structured Exception Handler
▪ Located on the stack
▪ Used to handle exceptions
Favorite target for Windows exploits for years
https://blogs.technet.microsoft.com/srd/2009/02/02/preventing-the-exploitation-of-structured-exception-handler-seh-overwrites-with-sehop/
Windows: SEH (stack layout, highest address first)
▪ Argument 1
▪ SIP (saved instruction pointer, the return address)
▪ SBP (saved base pointer)
▪ Local variables
▪ &SEH (handler address of the exception registration record)
▪ &next SEH (pointer to the next registration record)
Mitigation: SafeSEH
▪ VS2003: /SafeSEH
▪ Whitelist of safe exception handlers
Mitigation: Dynamic SafeSEH
▪ End of the SEH list has a validation frame
▪ The complete SEH list has to be valid (*next)
Mitigation: SEHOP
▪ Default active in Windows Server 2008, Vista SP2 (?)
▪ SEH Overwrite Protection
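The three mitigations above are all checks on the registration chain pictured on the previous slide, so here is an added simulation (not code from the deck or from Compass Security) of a chain walk that applies them: every record must lie inside the thread's stack, every handler must be in the SafeSEH whitelist, and the last record must be the validation frame. The record layout matches _EXCEPTION_REGISTRATION_RECORD; the stack bounds, the handler addresses and the whitelist are constructed placeholders, and handlers are plain integers rather than function pointers to keep the example small.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One _EXCEPTION_REGISTRATION_RECORD as it lives on the x86 stack:
 * "&next SEH" followed by "&SEH" (the handler) in the slide's picture. */
typedef struct seh_record {
    struct seh_record *next;
    uintptr_t          handler;   /* handler address (an integer here for simplicity) */
} seh_record_t;

#define SEH_CHAIN_END ((seh_record_t *)(uintptr_t)-1)   /* 0xFFFFFFFF terminator */

enum seh_verdict {
    SEH_OK = 0,
    SEH_NEXT_OUTSIDE_STACK,    /* *next points outside the thread's stack */
    SEH_NEXT_UNALIGNED,
    SEH_HANDLER_NOT_SAFE,      /* SafeSEH: handler not in the module's whitelist */
    SEH_NO_VALIDATION_FRAME,   /* SEHOP: chain does not end in the validation frame */
    SEH_CHAIN_TOO_LONG         /* a cycle built from corrupted next pointers */
};

typedef struct {
    uintptr_t stack_lo, stack_hi;      /* thread stack bounds (from the TEB in reality) */
    const uintptr_t *safe_handlers;    /* SafeSEH table (constructed) */
    size_t n_safe;
    uintptr_t validation_handler;      /* ntdll's final handler in the real scheme */
} seh_policy_t;

static int handler_is_safe(const seh_policy_t *p, uintptr_t h) {
    for (size_t i = 0; i < p->n_safe; i++)
        if (p->safe_handlers[i] == h) return 1;
    return 0;
}

/* Walks the chain from the head (FS:[0]) as the dispatcher would. */
static enum seh_verdict seh_validate_chain(const seh_record_t *head, const seh_policy_t *p) {
    const seh_record_t *r = head;
    int depth = 0;
    while (r != SEH_CHAIN_END) {
        uintptr_t addr = (uintptr_t)r;
        if (addr < p->stack_lo || addr + sizeof *r > p->stack_hi)
            return SEH_NEXT_OUTSIDE_STACK;
        if (addr % sizeof(void *) != 0)
            return SEH_NEXT_UNALIGNED;
        if (!handler_is_safe(p, r->handler))
            return SEH_HANDLER_NOT_SAFE;
        if (++depth > 64)
            return SEH_CHAIN_TOO_LONG;
        if (r->next == SEH_CHAIN_END)
            return r->handler == p->validation_handler ? SEH_OK : SEH_NO_VALIDATION_FRAME;
        r = r->next;
    }
    return SEH_NO_VALIDATION_FRAME;    /* empty chain: no validation frame at all */
}

/* Constructed scenario: a two-record chain on a simulated stack, optionally
 * damaged the way an overflow of a nearby local buffer would damage it.
 * 0 = intact, 1 = handler slot overwritten, 2 = next pointer overwritten,
 * 3 = terminator record no longer the validation frame. */
static enum seh_verdict seh_scenario(int corruption) {
    static seh_record_t stack[4];                    /* simulated thread stack */
    static seh_record_t not_on_stack;                /* some address outside it */
    const uintptr_t app_handler   = 0x00401230u;     /* constructed handler address */
    const uintptr_t final_handler = 0x77E0A5C0u;     /* constructed validation-frame handler */
    const uintptr_t safe[] = { app_handler, final_handler };
    seh_policy_t policy = { (uintptr_t)stack, (uintptr_t)stack + sizeof stack, safe, 2, final_handler };

    stack[0].next = &stack[1];     stack[0].handler = app_handler;    /* frame of some function */
    stack[1].next = SEH_CHAIN_END; stack[1].handler = final_handler;  /* validation frame */
    switch (corruption) {
    case 1: stack[0].handler = 0x10101010u; break;   /* not a registered handler */
    case 2: stack[0].next = &not_on_stack;  break;
    case 3: stack[1].handler = app_handler; break;
    default: break;
    }
    return seh_validate_chain(&stack[0], &policy);
}

int main(void) {
    for (int i = 0; i < 4; i++)
        printf("scenario %d -> verdict %d\n", i, (int)seh_scenario(i));
    return 0;
}
```

SafeSEH alone (the whitelist check) only helps for modules that carry the table, which is why the deck lists Dynamic SafeSEH and SEHOP as separate steps: the validation-frame check works for every module in the process.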
Ret2libc
Windows: Calling convention
▪ “Stdcall” calling convention
▪ Caller pushes arguments
▪ Callee pops arguments (unlike the cdecl convention used on Linux x86, where the caller cleans up)
Can call Windows library functions
▪ E.g. VirtualProtect()
▪ Changes the permission of a memory region
▪ Can make it executable again (removing DEP for that region)
VirtualProtect: Set memory protection bits
BOOL WINAPI VirtualProtect(
  _In_  LPVOID lpAddress,
  _In_  SIZE_T dwSize,
  _In_  DWORD  flNewProtect,
  _Out_ PDWORD lpflOldProtect
);
Windows: ret2libc
Ret2libc chaining:
BOOL WINAPI VirtualProtect(
  _In_  LPVOID lpAddress,
  _In_  SIZE_T dwSize,
  _In_  DWORD  flNewProtect,
  _Out_ PDWORD lpflOldProtect
);
Stack after the overflow (lowest address first). The slides first show the four argument slots by name and then fill them with the values used for the chain:
▪ firstname (the overflowed local buffer)
▪ isAdmin
▪ SFP
▪ SIP: &VirtualProtect (the function returns into VirtualProtect)
▪ return address for VirtualProtect: &jmp esp (drawn as &blubb before it is filled in)
▪ lpAddress: &shellcode
▪ dwSize: len(shellcode)
▪ flNewProtect: RWX
▪ lpflOldProtect: &writeableAddr
▪ <shellcode>
Conclusion:
Possible to chain library calls
Like ROP, just with whole function calls instead of gadgets
Can defeat DEP (or be used for other things)
ASLR
ASLR in Windows
▪ Introduced in Windows Vista
Windows 7
▪ Randomized: heap and stack
▪ Not randomized: VirtualAlloc, MapViewOfFile
▪ A little randomized: PEBs, TEBs
Windows 8
▪ Opt-in:
  ▪ More things are randomized
  ▪ A little bit more randomized: PEBs, TEBs
  ▪ High entropy ASLR for 64-bit processes
  ▪ Anti heap-spray
Windows ASLR problems
▪ Not all binaries are compiled with relocation
▪ Windows Vista: relocation on boot
  ▪ Brute-forceable
  ▪ Heap spraying
▪ Not all libraries are compiled with relocation!
  ▪ Adobe Flash…
  ▪ Adobe PDF…
  ▪ Java…
▪ Some antivirus products inject(ed) DLLs
  ▪ Into every process
  ▪ At static addresses…
Pidgin DLL ASLR status:
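The per-DLL ASLR status shown for Pidgin comes straight from flags in the PE header, so here is an added example (not code from the deck or from Compass Security) of reading them: a small header parser that reports DYNAMICBASE, HIGHENTROPYVA, NXCOMPAT, NO_SEH and GUARD_CF, and that treats DYNAMICBASE as useless when the relocation table has been stripped, which is the "not compiled with relocation" case from the previous slide. The flag values are the ones from the PE/COFF specification; the two sample headers are constructed in the code and are not real DLLs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Flag values from the PE/COFF specification (winnt.h). */
#define IMAGE_FILE_RELOCS_STRIPPED                 0x0001
#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA   0x0020
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE      0x0040
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT         0x0100
#define IMAGE_DLLCHARACTERISTICS_NO_SEH            0x0400
#define IMAGE_DLLCHARACTERISTICS_GUARD_CF          0x4000

typedef struct {
    int pe32plus;      /* 64-bit image */
    int aslr;          /* DYNAMICBASE set and relocations present */
    int high_entropy;  /* HIGHENTROPYVA (only meaningful for 64-bit images) */
    int dep;           /* NXCOMPAT */
    int no_seh;        /* image never registers SEH handlers (not the same as SafeSEH,
                          whose table lives in the load config directory) */
    int cfg;           /* GUARD_CF */
} pe_mitigations_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Parses the headers of an in-memory PE image. Returns 0 on success, -1 on a
 * malformed or truncated image; never reads past len. */
static int pe_mitigations(const uint8_t *img, size_t len, pe_mitigations_t *out) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe_off = rd32(img + 0x3C);                        /* e_lfanew */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return -1;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = img + pe_off + 4;                    /* COFF file header, 20 bytes */
    uint16_t opt_size = rd16(coff + 16);
    uint16_t characteristics = rd16(coff + 18);
    const uint8_t *opt = coff + 20;                            /* optional header */
    uint16_t magic = rd16(opt);
    if (opt_size < 72 || (magic != 0x10B && magic != 0x20B)) return -1;
    uint16_t dllchar = rd16(opt + 70);                         /* same offset in PE32 and PE32+ */

    out->pe32plus = (magic == 0x20B);
    /* DYNAMICBASE alone is not enough: with the relocation table stripped the
     * loader cannot move the image, so it loads at its preferred base. */
    out->aslr = (dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) &&
                !(characteristics & IMAGE_FILE_RELOCS_STRIPPED);
    out->high_entropy = out->pe32plus && (dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA) != 0;
    out->dep    = (dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0;
    out->no_seh = (dllchar & IMAGE_DLLCHARACTERISTICS_NO_SEH) != 0;
    out->cfg    = (dllchar & IMAGE_DLLCHARACTERISTICS_GUARD_CF) != 0;
    return 0;
}

/* Builds a minimal constructed header (not a real DLL): DOS header, PE
 * signature, COFF header and the first 72 bytes of the optional header. */
static size_t build_header(uint8_t *buf, int pe32plus, uint16_t characteristics, uint16_t dllchar) {
    memset(buf, 0, 0x40 + 4 + 20 + 72);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                                          /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44;
    coff[16] = 72; coff[17] = 0;                               /* SizeOfOptionalHeader */
    coff[18] = (uint8_t)characteristics; coff[19] = (uint8_t)(characteristics >> 8);
    uint8_t *opt = coff + 20;
    uint16_t magic = pe32plus ? 0x20B : 0x10B;
    opt[0] = (uint8_t)magic; opt[1] = (uint8_t)(magic >> 8);
    opt[70] = (uint8_t)dllchar; opt[71] = (uint8_t)(dllchar >> 8);
    return 0x40 + 4 + 20 + 72;
}

/* Two constructed samples: 0 = a well-built 64-bit DLL, 1 = a 32-bit DLL that
 * sets DYNAMICBASE but had its relocations stripped. */
static int check_sample(int which, pe_mitigations_t *m) {
    uint8_t buf[0x40 + 4 + 20 + 72];
    size_t n;
    if (which == 0)
        n = build_header(buf, 1, 0x2022,
                         IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA |
                         IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_GUARD_CF);
    else
        n = build_header(buf, 0, 0x2102 | IMAGE_FILE_RELOCS_STRIPPED, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE);
    return pe_mitigations(buf, n, m);
}

int main(void) {
    for (int i = 0; i < 2; i++) {
        pe_mitigations_t m;
        if (check_sample(i, &m) == 0)
            printf("sample %d: ASLR=%d HighEntropy=%d DEP=%d CFG=%d\n", i, m.aslr, m.high_entropy, m.dep, m.cfg);
    }
    return 0;
}
```

Running a check like this over every module loaded into a process (the AV-injected DLLs from the previous slide included) is the quickest way to find the one non-relocatable image that gives an attacker fixed addresses in an otherwise randomized process.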
Dexpot DLL injection
HEAP
Heap Protections:
▪ 2004: Safe unlinking
▪ 2006: Vista heap hardening
▪ Win8:
  ▪ Additional heap metadata structure improvements
  ▪ Guard pages
  ▪ Allocation order randomization
  ▪ Makes heap massaging more difficult
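Safe unlinking (2004) is small enough to show in full, so here is an added example (not code from the deck or from Compass Security) of the free-list node and the check, next to the older unchecked unlink it replaced. The list, the three chunks and the decoy node are constructed for the demonstration; the real allocator raises a heap-corruption error where this code returns 0.

```c
#include <stddef.h>
#include <stdio.h>

/* The doubly linked list node at the start of a free heap chunk
 * (LIST_ENTRY in the Windows heap). */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} list_entry_t;

static void list_init(list_entry_t *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(list_entry_t *head, list_entry_t *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

static size_t list_length(const list_entry_t *head) {
    size_t n = 0;
    for (const list_entry_t *p = head->Flink; p != head; p = p->Flink) n++;
    return n;
}

/* Pre-2004 unlink: trusts both pointers. If an overflow into the chunk header
 * replaced Flink/Blink, the two stores below write attacker-chosen values to
 * attacker-chosen addresses. Shown only to make clear what the check prevents. */
static void unsafe_unlink(list_entry_t *e) {
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* Safe unlinking (XP SP2, 2004): before writing anything, verify that both
 * neighbours still point back at this entry. Returns 1 on success, 0 if the
 * list is corrupted and nothing was written. */
static int safe_unlink(list_entry_t *e) {
    list_entry_t *f = e->Flink, *b = e->Blink;
    if (f->Blink != e || b->Flink != e) return 0;
    b->Flink = f;
    f->Blink = b;
    e->Flink = e->Blink = NULL;
    return 1;
}

/* Constructed demonstration: three free chunks a, b, c. With corrupt != 0 an
 * overflow from b's data into c's header is modeled by pointing c.Flink at a
 * decoy node. Returns the remaining list length after removing c, or -1 if
 * safe_unlink refused. */
static int demo(int corrupt) {
    list_entry_t head, a, b, c, decoy;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    list_insert_tail(&head, &c);
    decoy.Flink = decoy.Blink = &decoy;   /* its Blink does not point back at c */
    if (corrupt) c.Flink = &decoy;
    if (!safe_unlink(&c)) return -1;
    return (int)list_length(&head);
}

int main(void) {
    printf("intact list: remaining=%d\n", demo(0));
    printf("corrupted list: result=%d (unlink refused)\n", demo(1));
    (void)unsafe_unlink;   /* reference only; never called on corrupted data here */
    return 0;
}
```

The check costs two loads and two compares per unlink, which is why it shipped early and everywhere; the later Vista and Windows 8 hardening on this slide addresses the cases safe unlinking does not cover, such as corrupted chunk sizes and predictable allocation order.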
EMET
Enhanced Mitigation Experience Toolkit
▪ DEP
▪ SEHOP
▪ NullPage
▪ HeapSpray
▪ EAF, EAF+ (Export Address Filtering)
▪ ASLR
▪ ROP Caller check
▪ Stack Pivot
▪ ASR (Attack Surface Reduction)
EMET Settings example
Use it
No really, use it
▪ 0-day protection
▪ Automatic configuration is OK
▪ Protect every program which handles untrusted data
  ▪ All network services
  ▪ Tools like PDF readers, chat programs, Photoshop etc.
Downsides:
▪ Must be downloaded manually…
▪ Not updated via Windows Update
▪ Not localized (…)
▪ Incompatible programs will crash
▪ It may confuse users
Update 2017: EMET is dead?
▪ EOL July 31, 2018
History
http://www.welivesecurity.com/wp-content/uploads/2017/01/Windows-Exploitation-2016-A4.pdf
Bill Gates’ “Trustworthy Computing Memo” from 2012
Aka “Stop what the fuck you are doing right now, get 6 months of education on how to do things securely”
“Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.”
https://news.microsoft.com/2012/01/11/memo-from-bill-gates/
The move was reportedly prompted by the fact that they "...had been under fire from some of its larger customers–government agencies, financial companies and others–about the security problems in Windows, issues that were being brought front and center by a series of self-replicating worms and embarrassing attacks." such as Code Red, Nimda and Klez.
Malware!
Virus:
▪ Self-replicating
▪ File based
▪ Requires some user interaction
Worm:
▪ Self-replicating
▪ Network based
▪ Requires no user interaction
Trojan:
▪ Fakes some useful functionality
▪ But performs malicious actions
Backdoor:
▪ Bypasses authentication/authorization
SDL: Security Development Lifecycle
Windows XP SP2
▪ First big step in anti-exploitation
▪ Compiled with /GS /SAFESEH
▪ DEP
Windows Vista
▪ ASLR
Windows 8
/GS:
▪ Better heuristics
▪ VS now performs bounds checks on arrays
ASLR:
▪ Force ASLR on all DLLs of a process (Force ASLR option)
Windows 10
▪ Control Flow Guard (CFG)
  ▪ Anti-ROP
  ▪ Needs help from the compiler (Visual Studio)
  ▪ Pretty damn awesome
  ▪ IE11 @ Win8 Update 3
  ▪ Edge
▪ Edge: MemGC
  ▪ Use-after-free exploit mitigation
▪ Improved kernel ASLR
▪ EPM (Enhanced Protected Mode, sandbox for IE)
Control Flow Integrity (CFI)
/guard:cf
▪ Control Flow Guard
https://blog.trailofbits.com/2016/12/27/lets-talk-about-cfi-microsoft-edition/
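Since CFG is the mitigation the deck rates highest, here is an added simulation (not code from the deck or from Compass Security) of the mechanism behind /guard:cf: the loader marks every legitimate indirect-call target in a bitmap, and the compiler inserts a check before each indirect call that refuses any target whose bit is not set. The simulated code region at 0x00401000, the two "exported" functions and the symbol table are constructed; the real bitmap is process-wide, maintained by the kernel, and uses two bits per 16-byte chunk so that unaligned entry points can be allowed, which this example simplifies to one bit.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated code region and its CFG bitmap: one bit per 16-byte slot. */
#define CODE_BASE 0x00401000u
#define CODE_SIZE 0x1000u
static uint8_t cfg_bitmap[CODE_SIZE / 16 / 8];
static int cfg_ready;

typedef int (*fn_t)(int);
static int double_it(int x) { return 2 * x; }
static int negate(int x)    { return -x; }

/* Constructed "image": where each function starts in the simulated address space. */
typedef struct { uint32_t addr; fn_t fn; } symbol_t;
static const symbol_t symbols[] = {
    { 0x00401000u, double_it },
    { 0x00401020u, negate },
};
#define N_SYMBOLS (sizeof symbols / sizeof symbols[0])

/* Loader step: /guard:cf recorded every legitimate indirect-call target in the
 * image; the loader sets the corresponding bit. */
static void cfg_mark_valid(uint32_t addr) {
    uint32_t slot = (addr - CODE_BASE) / 16;
    cfg_bitmap[slot / 8] |= (uint8_t)(1u << (slot % 8));
}

static void cfg_init(void) {
    memset(cfg_bitmap, 0, sizeof cfg_bitmap);
    for (size_t i = 0; i < N_SYMBOLS; i++) cfg_mark_valid(symbols[i].addr);
    cfg_ready = 1;
}

/* The check inserted before every indirect call (__guard_check_icall_fptr):
 * the target must lie in the bitmap's range and be a marked 16-byte slot. */
static int cfg_check_icall(uint32_t target) {
    if (!cfg_ready) cfg_init();
    if (target < CODE_BASE || target >= CODE_BASE + CODE_SIZE) return 0;
    if (target % 16 != 0) return 0;   /* simplification, see lead-in */
    uint32_t slot = (target - CODE_BASE) / 16;
    return (cfg_bitmap[slot / 8] >> (slot % 8)) & 1;
}

/* A guarded indirect call. On a bad target real code executes int 29h
 * (__fastfail) and the process dies; here *ok is set to 0 and nothing runs. */
static int guarded_icall(uint32_t target, int arg, int *ok) {
    *ok = cfg_check_icall(target);
    if (!*ok) return 0;
    for (size_t i = 0; i < N_SYMBOLS; i++)
        if (symbols[i].addr == target) return symbols[i].fn(arg);
    *ok = 0;   /* bit set but no symbol: cannot happen with the table above */
    return 0;
}

int main(void) {
    const uint32_t targets[] = { 0x00401000u, 0x00401020u, 0x00401010u, 0x00500000u };
    for (size_t i = 0; i < 4; i++) {
        int ok, r = guarded_icall(targets[i], 5, &ok);
        printf("call 0x%08x -> %s (result %d)\n", targets[i], ok ? "allowed" : "blocked (__fastfail)", r);
    }
    return 0;
}
```

The third target, 0x00401010, lies inside double_it but is not its entry point, which is exactly the kind of mid-function address a hijacked function pointer would be steered to; CFG rejects it. Note what CFG does not check: return addresses. Only indirect calls and jumps in modules compiled with /guard:cf are instrumented, which is why the deck still lists CFG as "not complete" rather than as the end of control-flow hijacking.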
Example: Windows 10 IE11 + EPM + EMET exploit:
▪ Find UAF
▪ Heap massage
▪ Overwrite ArrayBuffer length for write-what-where
▪ Re-enable God Mode (compiler fail…)
  ▪ Without ROP (because of CFI)
▪ Execute ActiveX
  ▪ -> Still in the EPM sandbox
▪ Create local web server via ActiveX
▪ NetBIOS DNS spoof/bruteforce to fake the hostname so the website is in the trusted zone
▪ Perform the above exploit again in 32-bit
▪ Full RCE
http://www.welivesecurity.com/wp-content/uploads/2017/01/Windows-Exploitation-2016-A4.pdf
Windows 10 Protections
Hypervisor based security
▪ Device Guard, Credential Guard, Hypervisor Code Integrity (HVCI)
▪ Use separate VMs for sensitive tasks
Hypervisor based security
▪ Windows Defender Application Guard
“However, when an employee browses to a site that is not recognized or trusted by the network administrator, Application Guard steps in to isolate the potential threat. As shown in the mode outlined in red above, Application Guard creates a new instance of Windows at the hardware layer, with an entirely separate copy of the kernel and the minimum Windows Platform Services required to run Microsoft Edge. The underlying hardware enforces that this separate copy of Windows has no access to the user’s normal operating environment.”
https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge/#SI3kumwvwgYoTPiL.97
Conclusion
It’s not 2001 anymore…
▪ We don’t need to reboot Windows to change the IP address anymore
▪ We don’t have IE6 anymore (IE7 was a partial rewrite after the Bill Gates memo)
▪ Current Windows versions have anti-exploitation techniques, which:
  ▪ Are superior to Linux’s
  ▪ Are enabled by default
  ▪ But are still not complete
Main problems:
▪ Backwards compatibility / technical debt
  ▪ Parts of the UI in kernel space
  ▪ Pass the hash / Kerberos…
▪ 3rd party programs
  ▪ Adobe (Flash, PDF Reader)
  ▪ Oracle (Java)
  ▪ Cisco (WebEx)
  ▪ HP (Data “Protector”)
▪ Monoculture (everybody has the same Windows version)
▪ Unsavvy users
  ▪ Worse: unsavvy administrators
References:
https://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf
https://www.rsaconference.com/writable/presentations/file_upload/exp-r01_patching-exploits-with-duct-tape-bypassing-mitigations-and-backward-steps.pdf
http://www.welivesecurity.com/wp-content/uploads/2017/01/Windows-Exploitation-2016-A4.pdf
http://www.welivesecurity.com/wp-content/uploads/2016/01/Windows_Exploitation_in_2015.pdf
http://www.welivesecurity.com/wp-content/uploads/2015/01/Windows-Exploitation-in-2014.pdf
http://www.welivesecurity.com/2014/02/11/windows-exploitation-in-2013/
http://slides.com/revskills/fzbrowsers#/