Reason Why You (or Companies) Should Not Use XP Anymore


  • 8/13/2019 Reason Why You (Or_companies) Should Not Use XP Anymore


    0day: reason why you (or companies) should not use XP anymore


    About me

    @ca0nguyen

    Research

    Exploit development: Windows, Linux

    Malware analysis

    Reverse engineering

    https://twitter.com/ca0nguyen

    0day (zero-day)

    What is 0day exploit?

    Security vulnerability

    Successful attack

    0day hunting, is it easy?

    It's not an easy job, but always possible

    0ne 0day can own your system

    Easier on XP


    Microsoft

    Initial release: August 24, 2001; 12 years ago

    Latest stable release: 5.1 Build 2600: Service Pack 3

    April 21, 2008; 5 years ago

    Support is ending: April 8, 2014; 3 months left

    No security updates


    Does it matter?

    0day exploit will last forever

    Antivirus can't save you

    From public exploit with some modifications

    0day!


    Desktop Browser

    Net Applications, November 2013


    Security features

    Data Execution Prevention (DEP)

    From XP SP2

    Still good, but not enough

    Address space layout randomization (ASLR)

    Important feature

    But just from Vista


    Application exploitability

    Easy: no dream team (DEP+ASLR)

    Be able to predict the allocated address

    Exploit scenario

    Control IP (Instruction Pointer)

    Jump to controlled address

    Bypass DEP: play ret2lib, ROP

    Run shellcode

    PWNED!


    Internet Explorer

    Windows XP SP3 comes with IE8

    XP is the main platform

    Exploitation on IE8/XP is easier than on the others


    IE8/XP exploit

    Just following the rules

    Browser bugs

    Use-after-free

    Type confusion


    IE8/XP exploit

    Use after free

    Replace the freed object with another one, e.g. a string

    Heap spray with ROP chain

    Take control of EIP: calling a function from a fake vtable

    Play ROP chain: VirtualProtect()

    Trigger shellcode

    PWNED: run calc.exe


    ASLR in exploitation

    Use after free

    Replace the freed object with another one, e.g. a string

    Bypass ASLR: leak mem, non-ASLR module

    Heap spray with ROP chain

    Take control of EIP: calling a function from a fake vtable

    Play ROP chain: VirtualProtect()

    Trigger shellcode

    PWNED: run calc.exe


    Bypass ASLR

    Non-ASLR module

    JRE6

    HXDS.DLL (Office 2007, 2010)

    Other browser plugins: IDM,

    Only working on IE8, IE9


    Bypass ASLR

    Using SharedUserData

    Fixed at 0x7ffe0000

    LdrHotPatchRoutine: remote DLL loading

    Patched in MS13-063


    Bypass ASLR

    Leak memory address

    Changing size of string/array object

    Reading extra memory

    Do not crash targeted application

    JIT spraying

    JavaScript

    ActionScript


    Targeted attack

    CVE-2012-4792, CVE-2013-3893, CVE-2013-3897

    Windows XP + IE8

    Windows 7 + IE8 + non-ASLR module

    Same author(?)

    Same range of victims


    CVE-2013-5065

    NDPROXY

    Interface WAN drivers to TAPI services

    TAPI enables computer telephony integration

    Off-by-one/Out of array index

    Array size vs. array index


    Conclusion

    Windows XP is old

    Out-of-date security features

    Support is ending

    Internet Explorer 8

    Easy to break

    What we can do

    Upgrade to Windows 7, 8, 8.1

    Use EMET


    Thanks