8/13/2019 Reason Why You (Or_companies) Should Not Use XP Anymore
0day: reason why you (or companies) should not use XP anymore
About me
@ca0nguyen
Research
Exploit development: Windows, Linux
Malware analysis
Reverse engineering
https://twitter.com/ca0nguyen
0day (zero-day)
What is 0day exploit?
Security vulnerability
Successful attack
0day hunting, is it easy?
It's not an easy job, but always possible
0ne 0day can own your system
Easier on XP
Microsoft
Initial release: August 24, 2001; 12 years ago
Latest stable release: 5.1 Build 2600: Service Pack 3
April 21, 2008; 5 years ago
Support is ending: April 8, 2014; 3 months left
No security updates
Does it matter?
0day exploit will last forever
Antivirus can't save you
From public exploit with some modifications
0day!
Desktop Browser
NetApplication, November 2013
Security features
Data Execution Prevention (DEP)
From XP SP2
Still good, but not enough
Address space layout randomization (ASLR)
Important feature
But just from Vista
Application exploitability
Easy: no dream team (DEP+ASLR)
Be able to predict the allocated address
Exploit scenario
Control IP (Instruction Pointer)
Jump to controlled address
Bypass DEP: play ret2lib, ROP
Run shellcode
PWNED!
Internet Explorer
Windows XP SP3 comes with IE8
XP is main platform
Exploitation on IE8/XP is easier than on the others
IE8/XP exploit
Just following the rules
Browser bugs
Use-after-free
Type confusion
IE8/XP exploit
Use after free
Replace the freed object with another one, e.g. a string
Heap spray with ROP chain
Take control of EIP: calling function from fake vtable
Play ROP chain: VirtualProtect()
Trigger shellcode
PWNED: run calc.exe
ASLR in exploitation
Use after free
Replace the freed object with another one, e.g. a string
Bypass ASLR: leak mem, non-ASLR module
Heap spray with ROP chain
Take control of EIP: calling function from fake vtable
Play ROP chain: VirtualProtect()
Trigger shellcode
PWNED: run calc.exe
Bypass ASLR
Non-ASLR module
JRE6
HXDS.DLL (Office 2007, 2010)
Other browser plugins: IDM,
Only working on IE8, IE9
Bypass ASLR
Using SharedUserData
Fixed at 0x7ffe0000
LdrHotPatchRoutine: remote dll loading
Patched in MS13-063
Bypass ASLR
Leak memory address
Changing size of string/array object
Reading extra memory
Do not crash targeted application
JIT spraying
JavaScript
ActionScript
Targeted attack
CVE-2012-4792, CVE-2013-3893, CVE-2013-3897
Windows XP + IE8
Windows 7 + IE8 + non-ASLR module
Same author(?)
Same range of victims
CVE-2013-5065
NDPROXY
Interface WAN drivers to TAPI services
TAPI enables computer telephony integration
Off-by-one/Out of array index
Array size vs. array index
Conclusion
Windows XP is old
Out of date security features
Support is ending
Internet Explorer 8
Easy to break
What we can do
Upgrade to Windows 7, 8, 8.1
Use EMET
Thanks