If You Find One, There are Probably More!: A Detection Method of “Reproduced” Vulnerability Asuka Nakajima @ Positive Hack Days VI

If one bug has been found, there are others too. A way to detect "inherited" vulnerabilities

Page 1

If You Find One, There are Probably More!:
A Detection Method of "Reproduced" Vulnerability

Asuka Nakajima @ Positive Hack Days VI

Page 2

Copyright©2016 NTT corp. All Rights Reserved.

NTT Confidential

# whoami

Asuka Nakajima
- Researcher at NTT Secure Platform Laboratories
- Vulnerability Discovery / Reverse Engineering

Organizer of SECCON CTF
- Thank you for playing SECCON CTF

Founder of "CTF for GIRLS"
- The first security engineer community for women in Japan

Page 3

What is a "reproduced" vulnerability?

A vulnerability which is copied to other source code or software for some reason.

[Diagram: the vulnerable part of Software 1 is copied into Software 2.]

Page 4

Why does it happen?

- Copy & Paste
- Source Code Sharing
- Fork Project

[Diagram: Source A → Ctrl + C, Ctrl + V → Source B]


Page 6

The risk of reproduced vulnerability

[Diagram: timeline of patch distribution for a reproduced vulnerability. A new vulnerability is discovered; the patch for Software 1 is distributed while Software 2 stays vulnerable until its own patch is distributed. The patch release dates differ by a maximum of 118 days [1].]

An attacker can analyze the patch and develop exploit code for the unpatched one.

[1] A. Nappa, R. Johnson, L. Bilge, J. Caballero, and T. Dumitraș, "The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching," in IEEE Symposium on Security and Privacy, San Jose, CA, 2015.

Page 7

About the research

Source code based approach?
- e.g. ReDeBug [2]
- Cannot be applied to proprietary software products

→ A detection method that targets binary executables is necessary.

[2] Jiyong Jang, Abeer Agrawal, and David Brumley, "ReDeBug: Finding Unpatched Code Clones in Entire OS Distributions", in Proceedings of the 33rd IEEE Symposium on Security and Privacy, 2012.

Page 8

Previous Works

TEDEM [3]
- Represents the assembly code (per basic block) as an S-expression (tree structure)
- Uses tree edit distance to locate the reproduced vulnerability

Cross-Architecture Bug Search in Binary Executables [4]
- Targets reproduced vulnerability which resides in a different architecture
- Basic-block I/O based similarity calculation

Both cannot detect a reproduced vulnerability when some types of source code modification (adding multiple lines, I/O change) occur.

[3] Jannik Pewny, Felix Schuster, Lukas Bernhard, Thorsten Holz, and Christian Rossow, "Leveraging Semantic Signatures for Bug Search in Binary Programs", Annual Computer Security Applications Conference, New Orleans, USA, December 2014.

[4] Jannik Pewny, Behrad Garmany, Robert Gawlik, Christian Rossow, and Thorsten Holz, "Cross-Architecture Bug Search in Binary Executables", 36th IEEE Symposium on Security and Privacy (Oakland), San Jose, May 2015.

Page 9

Approach (Overview)

Calculate the similarity between the assembly code by using a similar-string search algorithm.

Workflow
1. Disassemble & Normalization
2. Similarity Calculation
3. Discriminate "patched" or "unpatched"
4. Check Attack Vector (Future Work)

[Diagram: the normalized assembly of the unpatched part (push REG, mov REG REG, mov REG VAL, call MEM, ...) and the normalized assembly of the target binary (mov REG REG, push REG, mov REG REG, push REG, push REG, mov REG MEM, mov REG MEM, lea REG MEM, ...) go into the Similarity Calculation; Similarity 80% → same vulnerability?]

Page 10

Approach: 1. Disassemble & Normalization

Disassemble
- Binary file (unpatched vuln)
- Target binary file

Normalization (Operand)
- Different assembly (operands) will be generated even if the source code is the same (※ example below)
- Before: mov eax ecx → After: mov REG REG
- REG: register, MEM: memory, VAL: immediate value

※ Example (Original vs Copy): the operands differ while the instruction sequence is the same

    Original            Copy
    shr rdx,1           shr rdx,1
    lea rdi,[rdx+0x4]   lea rdi,[rdx+0x4]
    call 3f3d0          call 41d630

    Original            Copy
    xor ebx, ebx        xor r12d, r12d
    add rsp, 38h        add rsp, 38h
    mov eax, ebx        mov eax, r12d
    pop rbx             pop rbx
    pop rbp             pop rbp
    pop r12             pop r12
    pop r13             pop r13
    retn                retn
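The operand normalization of step 1, as an added Python example that is not part of the deck: registers become REG, bracketed memory references MEM and immediates VAL, and the two Original/Copy listings of this slide normalize to identical instruction strings. The register pattern and the treatment of numeric call/jump targets as MEM are my assumptions, not rules stated by the author.

```python
import re

# x86/x86-64 general-purpose register names in every width (assumption: enough for the deck's listings).
REGISTER = re.compile(
    r"^(?:[re]?(?:[abcd]x|[sd]i|[sb]p|ip)|[abcd][lh]|[sd]il|[sb]pl|r(?:[89]|1[0-5])[dwb]?)$",
    re.IGNORECASE)
# Immediate values as objdump/IDA print them: 0x2, 38h, 3f3d0, 1.
NUMBER = re.compile(r"^(?:0x[0-9a-f]+|[0-9a-f]+h?)$", re.IGNORECASE)
# Size prefixes carry no information once the operand is known to be memory.
SIZE_PREFIX = re.compile(r"\b(?:byte|word|dword|qword|xmmword) ptr\s*", re.IGNORECASE)
# Symbol annotations objdump appends to addresses, e.g. "<printf@plt>" or "<main+43>".
SYMBOL = re.compile(r"\s*<[^>]*>")


def split_operands(text):
    """Split 'rdi,[rdx+0x4]' or 'eax ecx' on commas/spaces that are outside brackets."""
    parts, depth, current = [], 0, ""
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch in ", " and depth == 0:
            if current:
                parts.append(current)
            current = ""
        else:
            current += ch
    if current:
        parts.append(current)
    return parts


def normalize_operand(operand, mnemonic):
    if "[" in operand:                 # bracketed memory reference, with or without size prefix
        return "MEM"
    if REGISTER.match(operand):
        return "REG"
    if NUMBER.match(operand):
        # Assumption: the deck writes "call MEM", so a numeric call/jump target is an
        # address (MEM); any other numeric operand is an immediate (VAL).
        return "MEM" if mnemonic == "call" or mnemonic.startswith("j") else "VAL"
    return "MEM"                       # labels and other named locations are addresses too


def normalize(line):
    """'mov eax ecx' -> 'mov REG REG' (the Before/After pair of slide 10)."""
    line = SYMBOL.sub("", SIZE_PREFIX.sub("", line.strip()))
    head, *rest = line.split(None, 1)
    mnemonic = head.lower()
    operands = [normalize_operand(op, mnemonic) for op in split_operands(rest[0])] if rest else []
    return " ".join([mnemonic] + operands)


def normalize_listing(lines):
    return [normalize(line) for line in lines if line.strip()]


# The two Original/Copy listings of slide 10 (taken from the deck, concatenated).
ORIGINAL = ["shr rdx,1", "lea rdi,[rdx+0x4]", "call 3f3d0", "xor ebx, ebx", "add rsp, 38h",
            "mov eax, ebx", "pop rbx", "pop rbp", "pop r12", "pop r13", "retn"]
COPY = ["shr rdx,1", "lea rdi,[rdx+0x4]", "call 41d630", "xor r12d, r12d", "add rsp, 38h",
        "mov eax, r12d", "pop rbx", "pop rbp", "pop r12", "pop r13", "retn"]

if __name__ == "__main__":
    for before, after in zip(ORIGINAL, normalize_listing(ORIGINAL)):
        print(f"{before:20} -> {after}")
    # After normalization the differing operands disappear and the two listings are identical.
    print("identical after normalization:", normalize_listing(ORIGINAL) == normalize_listing(COPY))
```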

Page 11

Approach: 2. Similarity Calculation

[Diagram: the normalized assembly of the unpatched part (push REG, mov REG REG, mov REG VAL, call MEM, ...) and of the target binary (mov REG REG, push REG, mov REG REG, push REG, push REG, mov REG MEM, mov REG MEM, lea REG MEM, ...) go into the Similarity Calculation, which outputs Similarity N%.]

- Needleman-Wunsch (semi-global alignment algorithm): a similar-string search algorithm which is used in bioinformatics
  → Apply "Affine Gap Penalty"

Page 12

Approach: Why Needleman-Wunsch? (2. Similarity Calculation)

Searching a similar region between two given strings (String1 = source, String2 = dest):

- LCS (Global Alignment): aligns the two strings as a whole
- Smith-Waterman (Local Alignment): searches all similar parts between the two given strings
- Needleman-Wunsch (Semi-Global Alignment): searches the region (in String2) that best matches String1

[Diagram: the same pair of normalized instruction sequences (mov REG REG, call MEM, test REG REG, ..., jmp MEM, xor REG REG, pop REG, ...) is shown aligned in each of the three ways; in the semi-global case String2 contains an extra mov REG REG.]

→ Needleman-Wunsch is the most suitable.

Page 13

Approach: Score Calculation (2. Similarity Calculation)

$$\text{Similarity} = \frac{\text{Score of Most Similar Part}}{\text{Maximum Score (All Matched Case)}}$$

Needleman-Wunsch (Normal Gap)
- match +2 points
- mismatch -2 points
- gap -1 point

Needleman-Wunsch (Affine Gap)
- match +2 points
- mismatch -2 points
- open gap※ -3 points
- extended gap -0.5 point

※ Open gap: the first gap of multiple gaps. The affine variant distinguishes the opening gap from the gaps that extend it.

[Diagram: an alignment of "pop rax pop rax pop rax push rcx pop rax call rax" against "pop rax", with match, mismatch and gap positions coloured.]

Page 14

Approach: Score Calculation (2. Similarity Calculation)

Matrix Calculation Formula

$A = a_1^M = a_1, a_2, a_3, \ldots, a_M$ → Unpatched Part Assembly

$B = b_1^N = b_1, b_2, b_3, \ldots, b_N$ → Target Binary Assembly

※ $|A| = M$, $|B| = N$

$$s(a_i, b_j) = \begin{cases} \mathit{match} & \text{if } a_i = b_j, \\ \mathit{mismatch} & \text{otherwise.} \end{cases}$$

Calculate the score matrices $X = (x_{ij})$, $Y = (y_{ij})$, $Z = (z_{ij})$ with $0 \le i \le M$, $0 \le j \le N$ ($o$: open gap penalty, $e$: extended gap penalty):

$$x_{ij} = \begin{cases} 0 & \text{if } i = 0 \text{ and } j \ne 0, \\ i \times \mathit{mismatch} & \text{if } j = 0, \\ \max\left(x_{i-1,j-1} + s(a_i, b_j),\; y_{ij},\; z_{ij}\right) & \text{otherwise.} \end{cases}$$

$$y_{ij} = \begin{cases} -\infty & \text{if } i = 0, \\ 0 & \text{if } j = 0 \text{ and } i \ne 0, \\ \max\left(y_{i-1,j} + e,\; x_{i-1,j} + o + e\right) & \text{otherwise.} \end{cases}$$

$$z_{ij} = \begin{cases} 0 & \text{if } i = 0 \text{ and } j \ne 0, \\ -\infty & \text{if } j = 0, \\ \max\left(z_{i,j-1} + e,\; x_{i,j-1} + o + e\right) & \text{otherwise.} \end{cases}$$

$$j_{\max} = \operatorname*{argmax}_{1 \le j \le N} x_{Mj}$$

Calculate the similarity based on the max score of matrix X.

Page 15

Approach: Worked example (2. Similarity Calculation)

Unpatched Part Assembly (A): push REG, mov REG REG, mov REG REG, call MEM, mov REG REG

Target Binary Assembly (B): mov REG REG, mov REG REG, push REG, push REG, mov REG REG, mov REG REG, call MEM

[Tables: Matrix X, Matrix Y and Matrix Z filled in for this pair.]

Max Score: 4.5 p → Similarity = 4.5 / 10 = 45% (※ all matched case: 2 p × 5 = 10)

Page 16

Approach: 2. Similarity Calculation (Affine Gap)

The affine gap penalty can mitigate the significant score drop due to source code modification.

Source Code (adding 1 line of source code = adding 8 lines of assembly code):

    #include <stdio.h>

    int main(int argc, char* argv[]){
        if(argc != 2){
            printf("Usage:%s <your name>\n", argv[0]);
            return 1;
        }
        printf("Argument:%d,%s\n", argc, argv[1]);   /* the added line */
        printf("Hello World! %s\n", argv[1]);
        return 0;
    }

Assembly (the 8 instructions of the added printf call are the inserted lines):

    push ebp
    mov ebp,esp
    and esp,0xfffffff0
    sub esp,0x10
    cmp DWORD PTR [ebp+0x8],0x2
    je 0x8048448 <main+43>
    mov eax,DWORD PTR [ebp+0xc]
    mov eax,DWORD PTR [eax]
    mov DWORD PTR [esp+0x4],eax
    mov DWORD PTR [esp],0x8048520
    call 0x80482f0 <printf@plt>
    mov eax,0x1
    jmp 0x8048484 <main+103>
    mov eax,DWORD PTR [ebp+0xc]
    add eax,0x4
    mov eax,DWORD PTR [eax]
    mov DWORD PTR [esp+0x8],eax
    mov eax,DWORD PTR [ebp+0x8]
    mov DWORD PTR [esp+0x4],eax
    mov DWORD PTR [esp],0x8048536
    call 0x80482f0 <printf@plt>
    mov eax,DWORD PTR [ebp+0xc]
    add eax,0x4
    mov eax,DWORD PTR [eax]
    mov DWORD PTR [esp+0x4],eax
    mov DWORD PTR [esp],0x8048546
    call 0x80482f0 <printf@plt>
    mov eax,0x0
    leave
    ret

■ Normal gap: 22 × 2 = 44, 8 × -1 = -8 → Total 36 p
■ Affine gap: 22 × 2 = 44, 1 × -3 = -3, 7 × -0.5 = -3.5 → Total 37.5 p

Page 17

Approach: 3. Discriminate "patched" or "unpatched"

Extract the part as a vulnerability candidate when Unpatched part (Sim①) > Patched part (Sim②).

[Diagram: the target binary assembly is compared with the unpatched part assembly (Similarity Calculation ①, Sim①: 80%) and with the patched part assembly (Similarity Calculation ②, Sim②: 55%); since Sim① > Sim②, the part is extracted as a vulnerability candidate.]
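The scoring of steps 2 and 3 (slides 13 to 17), as an added Python example that is not the author's code: it fills the matrices X, Y, Z with the recurrences of slide 14 (semi-global Needleman-Wunsch with affine gaps), takes the best x_{Mj}, and reproduces the 4.5 / 10 = 45% result of slide 15; passing o=0, e=-1 turns it into the normal-gap variant of slide 13. The candidate test that combines Sim① > Sim② with the 20% threshold of the experiments is my reading of slides 17 and 21, not a rule the deck spells out.

```python
NEG_INF = float("-inf")


def similarity(a, b, match=2, mismatch=-2, o=-3, e=-0.5):
    """Semi-global Needleman-Wunsch with affine gap penalty (slide 14 recurrences).

    a: normalized instructions of the unpatched part (A, length M)
    b: normalized instructions of the target binary (B, length N)
    o, e: open and extended gap penalty; o=0, e=-1 gives the normal-gap variant of slide 13.
    Returns (max score, max score / all-matched score).
    """
    M, N = len(a), len(b)
    X = [[0.0] * (N + 1) for _ in range(M + 1)]      # a_i aligned with b_j
    Y = [[NEG_INF] * (N + 1) for _ in range(M + 1)]  # a_i aligned with a gap (instruction missing in B)
    Z = [[NEG_INF] * (N + 1) for _ in range(M + 1)]  # b_j aligned with a gap (instruction inserted in B)
    for i in range(1, M + 1):
        X[i][0] = i * mismatch   # instructions of A consumed before B starts count as mismatches
        Y[i][0] = 0.0
    for j in range(1, N + 1):
        X[0][j] = 0.0            # semi-global: the matched region may start anywhere in B for free
        Z[0][j] = 0.0
    for i in range(1, M + 1):
        for j in range(1, N + 1):
            Y[i][j] = max(Y[i - 1][j] + e, X[i - 1][j] + o + e)
            Z[i][j] = max(Z[i][j - 1] + e, X[i][j - 1] + o + e)
            s = match if a[i - 1] == b[j - 1] else mismatch
            X[i][j] = max(X[i - 1][j - 1] + s, Y[i][j], Z[i][j])
    best = max(X[M][1:])         # x_{M, j_max}: the rest of B after j_max is a free trailing gap
    return best, best / (match * M)


def is_candidate(sim_unpatched, sim_patched, threshold=0.20):
    """Step 3: the target part is a vulnerability candidate when it resembles the unpatched
    code more than the patched code (Sim① > Sim②) and clears the ~20% threshold suggested
    by experiment 1. Combining the two tests this way is my assumption."""
    return sim_unpatched > sim_patched and sim_unpatched >= threshold


# Worked example of slide 15 (normalized assembly taken from the deck).
UNPATCHED = ["push REG", "mov REG REG", "mov REG REG", "call MEM", "mov REG REG"]
TARGET = ["mov REG REG", "mov REG REG", "push REG", "push REG",
          "mov REG REG", "mov REG REG", "call MEM"]

if __name__ == "__main__":
    score, sim = similarity(UNPATCHED, TARGET)
    print(f"slide 15: max score {score}, similarity {sim:.0%}")   # 4.5, 45%
    # Constructed: one added source line turned into eight inserted instructions (cf. slide 16).
    a = ["push REG", "mov REG REG", "mov REG VAL", "call MEM", "mov REG REG", "pop REG"]
    b = a[:3] + ["lea REG MEM"] * 8 + a[3:]
    print("affine gap:", similarity(a, b)[0], "normal gap:", similarity(a, b, o=0, e=-1)[0])
    print("candidate:", is_candidate(0.607, 0.115))   # experiment 1, CVE-2008-4316 row
```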

Page 18

Experiment 1 [Overview]

[GOAL] Evaluate the validity of the approach

[Score setting] Match 2 p, Mismatch -2 p, Open gap -3 p, Extended gap -0.5 p

Dataset (432 binaries): Ubuntu 12.04, /bin and /usr/lib (x86-64/ELF)

- Calculate the similarity between the original and the copied binary: Vuln1 (CVE-2008-4314) Original vs Copy, Vuln2 (CVE-2008-5023) Original vs Copy → ?%
- Calculate the similarity between the original and the dataset binaries → ?%

Page 19

Case 1: CVE-2008-4316 (Source Code)

Original [GLib]:

    gchar *
    g_base64_encode (const guchar *data, gsize len)
    {
      gchar *out;
      gint state = 0, outlen;
      gint save = 0;

      g_return_val_if_fail (data != NULL, NULL);
      g_return_val_if_fail (len > 0, NULL);

      out = g_malloc (len * 4 / 3 + 4);
      outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save);
      outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save);
      out[outlen] = '\0';

      return (gchar *) out;
    }

Copy [Seahorse]:

    gchar *
    seahorse_base64_encode (const guchar *data, gsize len)
    {
      gchar *out;
      gint state = 0, outlen;
      gint save = 0;

      out = g_malloc (len * 4 / 3 + 4);
      outlen = seahorse_base64_encode_step (data, len, FALSE, out, &state, &save);
      outlen += seahorse_base64_encode_close (FALSE, out + outlen, &state, &save);
      out[outlen] = '\0';

      return (gchar *) out;
    }

2 lines are deleted in the copy (the two g_return_val_if_fail checks).

Page 20

Case 2: CVE-2008-5023 (Source Code)

Original [Firefox]:

    PRBool nsXBLBinding::AllowScripts()
    {
      PRBool result;
      mPrototypeBinding->GetAllowScripts(&result);
      …
      nsCOMPtr<nsIDocument> ourDocument;
      mPrototypeBinding->XBLDocumentInfo()->GetDocument(getter_AddRefs(ourDocument));
      PRBool canExecute;
      nsresult rv = mgr->CanExecuteScripts(cx, ourDocument->NodePrincipal(), &canExecute);
      return NS_SUCCEEDED(rv) && canExecute;
    }

Copy [Seamonkey]:

    PRBool nsXBLBinding::AllowScripts()
    {
      PRBool result;
      mPrototypeBinding->GetAllowScripts(&result);
      …
      nsCOMPtr<nsIDocument> ourDocument;
      mPrototypeBinding->XBLDocumentInfo()->GetDocument(getter_AddRefs(ourDocument));
      nsIPrincipal* principal = ourDocument->GetPrincipal();
      if (!principal) {
        return PR_FALSE;
      }
      PRBool canExecute;
      nsresult rv = mgr->CanExecuteScripts(cx, principal, &canExecute);
      return NS_SUCCEEDED(rv) && canExecute;
    }

4 lines are added & 1 line is modified.

Page 21

Experiment 1 [Result]

CVE-ID        | Original | Copy      | Similarity (unpatched) | Similarity (patched) | Max similarity (Dataset)
--------------|----------|-----------|------------------------|----------------------|-------------------------
CVE-2008-4316 | Glib     | Seahorse  | 60.7%                  | 11.5%                | 9.2%
CVE-2008-5023 | Firefox  | Seamonkey | 68.8%                  | 38.0%                | 9.7%

- The extracted part was the copied vulnerable part
- Similarity between the dataset binaries was at most 9.7%, so the threshold should be around 20%
- Detected reproduced vulnerability in binary executables, even when there was source code modification

Page 22

Experiment 2 [Overview]

[GOAL] Detect reproduced vulnerability in real-world software products

[Score setting] match 2 p, mismatch -2 p, open gap -3 p, extended gap -0.5 p

[Threshold] 20%

21 vulnerabilities vs 40945 binary files (Windows XP, Windows Vista, Windows 7, Windows 8.1, Windows Server, Virus Total (NSRL)) → ?%

14 vulnerabilities from Windows: CVE-2015-1635, CVE-2014-0301, CVE-2013-5058, CVE-2013-0030, CVE-2011-2005, CVE-2011-0658, CVE-2010-0816, CVE-2010-0028, CVE-2008-4250, CVE-2008-4028, CVE-2007-1794, CVE-2007-0024, CVE-2006-4691, CVE-2006-0021

7 vulnerabilities from OpenSSL: CVE-2015-1793, CVE-2015-1790, CVE-2015-1789, CVE-2015-0292, CVE-2015-0288, CVE-2015-0287, CVE-2015-0286

Page 23

Details of the vulnerabilities: 14 vulnerabilities from Windows

CVE-ID        | Type of Vuln      | Function name                  | File name
--------------|-------------------|--------------------------------|--------------
CVE-2015-1635 | Integer Overflow  | UlpParseRange                  | http.sys
CVE-2014-0301 | Double Free       | LoadJPEGImageNewBuffer         | qedit.dll
CVE-2013-5058 | Integer Overflow  | RFONTOBJ::bTextExtent          | win32k.sys
CVE-2013-0030 | Buffer Overflow   | SavePathSeg                    | vgx.dll
CVE-2011-2005 | Memory error      | AfdJoinLeaf                    | afd.sys
CVE-2011-0658 | Integer Underflow | _PictLoadMetaFileRaw           | oleaut32.dll
CVE-2010-0816 | Integer Overflow  | CPOP3Transport::ResponseSTAT   | inetcomm.dll
CVE-2010-0028 | Integer Overflow  | CBMPStream::Write              | mspaint.exe
CVE-2008-4250 | Buffer Overflow   | sub_5925A26B                   | netapi32.dll
CVE-2008-4028 | Buffer Underflow  | SrvIssueQueryDirectoryRequest  | srv.sys
CVE-2007-1794 | Integer Underflow | CDownloadSink::OnDataAvailable | vgx.dll
CVE-2007-0024 | Integer Overflow  | CVMLRecolorinfo::InternalLoad  | vgx.dll
CVE-2006-4691 | Buffer Overflow   | NetpManageIPCConnect           | netapi32.dll
CVE-2006-0021 | DoS               | IGMPRcvQuery                   | tcpip.sys

Page 24

Details of the vulnerabilities: 7 vulnerabilities from OpenSSL

Collected the unpatched & patched parts which reside in a single function.

CVE-ID        | Type of Vuln        | Function name    | File name
--------------|---------------------|------------------|-------------
CVE-2015-1793 | Certificate forgery | X509_verify_cert | libeay32.dll
CVE-2015-1790 | DoS (Null pointer)  | PKCS7_dataDecode | libeay32.dll
CVE-2015-1789 | DoS                 | X509_cmp_time    | libeay32.dll
CVE-2015-0292 | Integer Underflow   | EVP_DecodeUpdate | libeay32.dll
CVE-2015-0288 | DoS (Null pointer)  | X509_to_X509_REQ | libeay32.dll
CVE-2015-0287 | DoS                 | ASN1_item_ex_d2i | libeay32.dll
CVE-2015-0286 | DoS                 | ASN1_TYPE_cmp    | libeay32.dll

Page 25

Collected binary files (details of the 40945 binary files)

Source              | # of files
--------------------|-----------
Virus Total (NSRL)  | 7580
Windows XP          | 3479
Windows Vista       | 6933
Windows 7           | 5981
Windows 8.1         | 5048
Windows Server 2003 | 3984
Windows Server 2008 | 7940

Page 26

Experiment 2 [Result]: candidates of reproduced vulnerability

CVE-ID        | Original                     | Copy                            | Similarity | Result
--------------|------------------------------|---------------------------------|------------|-----------------------------------------------------
CVE-2008-4250 | netapi32.dll (5.1.2600.2952) | netlogon.dll (5.2.3790.1830)    | 37.7%      | real reproduced vulnerability (see following slides)
CVE-2011-0658 | oleaut32.dll (5.2.3790.4202) | olepro32.dll (6.1.7601.17514)   | 75.1%      | dead code
CVE-2015-1789 | libeay32.dll (0.9.8.31)      | JunosPulseVpnBg.dll (1.0.0.206) | 43.9%      | real reproduced vulnerability (see following slides)
CVE-2015-1793 | libeay32.dll (1.0.1.15)      | JunosPulseVpnBg.dll (1.0.0.206) | 39.0%      | no attack vector

Page 27

CVE-2008-4520 (MS08-067)

Details
- It was a real case of a "reproduced" BoF vulnerability!
- [original] netapi32.dll [copy] netlogon.dll
- → The vulnerability which was used by the Conficker worm

[Figure: Original and Copy disassembly side by side]

Page 28

CVE-2008-4520 (MS08-067): Distribution of the patch

[Timeline]
- Patch for netapi32.dll: KB958644 (Oct/2008)
- Patch for netlogon.dll: KB961853 (Jan/2009)

The patch distribution dates differ by three months.

Page 29

CVE-2011-0658 (MS11-038)

Details
- [original] oleaut32.dll [copy] olepro32.dll
- Integer Underflow Vulnerability
- The vulnerable part was dead code (function forwarding)

[Figure: Original and Copy disassembly side by side]

Page 30

CVE-2015-1789 (OpenSSL)

Details
- [original] libeay32.dll [copy] JunosPulseVpnBg.dll
- Used by the "Windows In-Box Junos Pulse Client (VPN Client)"※
- Originally used by the Pulse Client

※ "Microsoft Windows 8.1 introduced Junos Pulse client as part of the Windows operating system. (Microsoft calls this an "in-box" application.)" [5]

[5] Windows In-Box Junos Pulse Client Quick Start Guide, https://www.juniper.net/techpubs/software/pulse/guides/j-pulse-windows-inbox-client-qsg.pdf

Page 31

CVE-2015-1789 (OpenSSL)

[Figure: Original and Copy disassembly side by side]

Page 32

CVE-2015-1789 (OpenSSL)

[Vendor advisory excerpt] Pulse (Desktop) Client: Resolved in 5.0R13/5.1R5 (CVE-2015-1789) → the in-box client was Vulnerable.

Page 33

CVE-2015-1789 (OpenSSL): Vulnerability fixed date

[Timeline]
- Vulnerability fixed (OpenSSL): June/2015
- When I found the vulnerability: July/2015
- Update released (Pulse Secure): Aug/2015

The fixed dates differ by two months.

Page 34

CVE-2015-1793 (OpenSSL)

Details
- Alternative Chain Certificate Forgery
- [original] libeay32.dll [copy] JunosPulseVpnBg.dll

[Figure: Original and Copy disassembly side by side]

Page 35

CVE-2015-1793 (OpenSSL)

Statement from Pulse Secure: "This issue does not affect Pulse Secure products as it only exists in very recent version of OpenSSL code that we do not utilize"

Page 36

Conclusion & Future Work

Conclusion
- The proposed method can detect reproduced vulnerability in binary files, even when there was source code modification
- Found a real-world reproduced vulnerability!

Future Work
- Consider a method which can find whether an attack vector exists or not
- Consider a method which can detect reproduced vulnerability which resides in multiple functions

Page 37

Q&A