[ENG] Hacktivity 2013 - Alice in eXploitland - attack and defense evolution
Alice in eXploitland Attack & defense evolution
Zoltán Balázs
Hacktivity 2013
About:me
OSCP, C|HFI, CISSP, CPTS, MCP
Senior IT security consultant @ Deloitte Hungary
Proud member of the gula.sh team
https://hu.linkedin.com/in/zbalazs
Twitter – zh4ck
What’s next?
Evolution of memory corruption attack & defense
Stack based buffer overflows
Stack canary
Structured Exception Handling
DEP
ASLR
Advanced mitigation
Scope of this presentation
Focus on memory corruption (not Java vulnerabilities)
Focus on Windows (over the last 15 years Windows was the biggest target for memory corruption exploits)
High level overview only (no details like Assembly)
Mostly stack overflow vulnerability: no heap overflow, no format string, no null pointer dereference, no integer overflow (just a little bit), no use after free
Why you should care about exploits?
If you are a company outside of China (or place your favourite enemy here)
You are a target for intellectual property theft
Your intellectual property will be stolen
social engineering
software exploits
You will find your product on the local Chinese market
half the price
Why you should care about exploits?
If you are a military team working for the Chinese (or other) government
To steal intellectual property
Your C&C server will be hacked through a memory corruption vulnerability
Your "projects" will be revealed by hackers from Luxembourg
Why you should care about exploits?
If you are a plain user surfing the web
You might be hacked through a memory corruption vulnerability (or Java)
Credit card stolen, internet bank hacked
Identity stolen
Facebook wall spammed
Function calls
    #include <stdio.h>
    #include <string.h>
    /* Deliberately vulnerable: strcpy() copies the whole argument into a 100-byte stack buffer with no length check */
    void SayHello(char* userinput) {
        char buffer[100];
        strcpy(buffer, userinput);
        printf("Hello %s\n", buffer);
    }
    int main(int argc, char* argv[]) {
        if (argc < 2) return 1;   /* no argument given: nothing to copy */
        SayHello(argv[1]);
        return 0;
    }
Function calls: stack frame of SayHello() (32-bit, addresses grow from top to bottom)
0x00000000
...
ESP - top of stack
Space for buffer (buffer[100]); after strcpy it holds AAAA AAAA ... AAAA
Saved EBP <- EBP - frame pointer
Saved EIP
ptr to argv[1]
....
0xFFFFFFFF
Strcpy writes this way: from the buffer towards the higher addresses (saved EBP, saved EIP)
ESP - extended stack pointer
EBP - extended base pointer
EIP - extended instruction pointer - Overwrite this (the saved EIP) for PROFIT
Stack based buffer overflow vulnerability
"Stack overflow happens when the user can put more data on the allocated stack than available"
If more data is put on the stack (stack overflow) ... magic will happen
Buffer overflow
Stack based buffer overflow
Heap based buffer overflow
Stack overflow: the same frame after strcpy(buffer, "AAAA...")
0x00000000
...
ESP - top of stack
buffer: AAAA AAAA ... AAAA
Saved EBP: AAAA <- EBP - frame pointer
Saved EIP: AAAA
ptr to argv[1]: AAAA
....
0xFFFFFFFF
Strcpy writes this way: the A's run past the end of buffer[100] and overwrite the saved EBP, the saved EIP and the pointer to argv[1]
ESP - extended stack pointer
EBP - extended base pointer
EIP - extended instruction pointer - Overwrite this (the saved EIP) for PROFIT
Quiz for Hacker Pschorr
Which team created the first Linux kernel patch to protect against stack overflows?
Answer: PaX team in 2000
Stack overflow history
1972 – Computer Security Technology Planning Study
1988 – Morris worm
1996 – Smashing the Stack for Fun and Profit (Aleph One)
2000 – NSA – SELinux open sourced
2000 – PaX Team
2003 – SELinux merged into mainline Linux Kernel
2004 – Egghunters - against small buffers
Shellcode
The code the attacker wants to execute
The instructions given by Alice to the rabbit
Mitigation techniques
All of the following mitigation techniques are used against every kind of memory corruption vulnerability
Not just against stack overflow
Stack canary/cookie: the same frame with a random cookie between the buffer and the saved registers
0x00000000
...
ESP - top of stack
buffer: AAAA AAAA ... AAAA
Random cookie 27384AB4CD457: AAAA <- EBP - frame pointer
Saved EBP: AAAA
Saved EIP: AAAA
ptr to argv[1]: AAAA
....
0xFFFFFFFF
Strcpy writes this way: before reaching the saved EBP and saved EIP the A's overwrite the cookie, so its value no longer matches the stored copy when the function returns
ESP - extended stack pointer
EBP - extended base pointer
EIP - extended instruction pointer - Overwrite this (the saved EIP) for PROFIT
Stack canary/cookie history (/GS)
1997 - Linux (GCC)
2002 - MS (Visual Studio)
Stack canary/cookie bypass
Method 1: Replace the cookie on the stack and in .data
tamper with the sensor in a way where water does not trigger an alarm
Method 2: Buffer not protected (not a string buffer)
use a pot which is not equipped with an alarm system
Method 3: Guess/calculate the cookie
static cookie
Method 4: Overwrite stack data in functions up the stack, switch case
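The overflow from the stack diagrams and the cookie check from the stack canary slides, as an added example that is not part of the original slides. The SayHello() frame is simulated in a plain byte array (buffer[100], then the cookie, saved EBP and saved EIP, low address first) with constructed cookie and register values, so the overwrite of the saved EIP and the epilogue comparison can be run on any platform without touching the real stack; no compiler switch is involved.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   100   /* buffer[100] from SayHello() */
#define OFF_COOKIE 100   /* random cookie sits right above the buffer */
#define OFF_EBP    104   /* saved EBP */
#define OFF_EIP    108   /* saved EIP: the return address */
#define FRAME_SIZE 112

typedef struct {
    unsigned char bytes[FRAME_SIZE]; /* the simulated frame, low address first */
    uint32_t cookie;                 /* reference copy (kept in .data on a real build) */
} frame_t;

/* Constructed sample values; a real cookie is random per process. */
static const uint32_t SAMPLE_COOKIE = 0x27384AB4u;
static const uint32_t SAMPLE_EBP    = 0x0012FF80u;
static const uint32_t SAMPLE_EIP    = 0x00401234u;

static void put32(unsigned char *p, uint32_t v) { memcpy(p, &v, sizeof v); }
static uint32_t get32(const unsigned char *p) { uint32_t v; memcpy(&v, p, sizeof v); return v; }

/* The frame as it looks after the prologue: zeroed buffer, cookie (if the
 * build has one), then the saved registers. */
static void frame_init(frame_t *f, int with_cookie) {
    memset(f->bytes, 0, FRAME_SIZE);
    f->cookie = with_cookie ? SAMPLE_COOKIE : 0;
    put32(f->bytes + OFF_COOKIE, f->cookie);
    put32(f->bytes + OFF_EBP, SAMPLE_EBP);
    put32(f->bytes + OFF_EIP, SAMPLE_EIP);
}

/* strcpy() from the slide: copies the terminator too and never looks at
 * BUF_SIZE. Writes are clamped to the simulated frame so this demo stays
 * memory-safe; on a real stack they would continue past it. */
static void unbounded_copy(frame_t *f, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->bytes, input, n);
}

/* The epilogue check a /GS or -fstack-protector build does before ret. */
static int cookie_intact(const frame_t *f) {
    return get32(f->bytes + OFF_COOKIE) == f->cookie;
}

/* Constructed input: 120 'A's, well past the 100-byte buffer. */
static const char *oversized_input(void) {
    static char big[121];
    memset(big, 'A', 120);
    big[120] = '\0';
    return big;
}

/* Copies either "Alice" or the oversized input into a fresh frame.
 * Returns the saved EIP left behind; *caught is 1 if the cookie check
 * would abort the process before that EIP is ever used. */
static uint32_t simulate(int oversized, int with_cookie, int *caught) {
    frame_t f;
    frame_init(&f, with_cookie);
    unbounded_copy(&f, oversized ? oversized_input() : "Alice");
    *caught = with_cookie && !cookie_intact(&f);
    return get32(f.bytes + OFF_EIP);
}

static uint32_t demo_eip(int oversized, int with_cookie) {
    int caught;
    return simulate(oversized, with_cookie, &caught);
}

static int demo_caught(int oversized, int with_cookie) {
    int caught;
    simulate(oversized, with_cookie, &caught);
    return caught;
}

int main(void) {
    printf("short input, cookie   : saved EIP %08x, check %s\n",
           (unsigned)demo_eip(0, 1), demo_caught(0, 1) ? "FAILED" : "passed");
    printf("long input, no cookie : saved EIP %08x (return address replaced)\n",
           (unsigned)demo_eip(1, 0));
    printf("long input, cookie    : saved EIP %08x, check %s\n",
           (unsigned)demo_eip(1, 1), demo_caught(1, 1) ? "FAILED, abort before ret" : "passed");
    return 0;
}
```

Without a cookie the oversized input leaves 0x41414141 in the saved EIP slot and nothing notices until ret; with a cookie the same overwrite is detected in the epilogue, which is exactly why the slides list the remaining bypasses (replacing the stored copy too, unprotected buffers, static cookies, or data reached before the cookie check runs).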
Structured Exception Handling exploit
In reality, traditional stack overflow exploits are sometimes not possible
No EIP overwrite
No jump
Stack cookies
Stack cookie not checked at exception handling
Way too complicated to trigger
SEH exploit – three steps to profit
Step 1. overwrite the first element in the exception-handling chain
Step 2. because of the overflow, exception handling is triggered
Step 3. via exception handling, return to the malicious shellcode (PROFIT)
SEH exploit metaphor
If chaos occurs disaster recovery process to handle the chaos
Alice can rewrite the address, where the rabbit can find the disaster recovery process manual
SEH exploit mitigation
SafeSEH: a table that tells the operating system which exception handlers are valid
only a limited set of addresses where the disaster recovery manual can be found
Alice can not change those
SEHOP: the OS performs SEH chain validation
breaks SEH overwrite exploitation techniques
Stamp from the queen on the addresses where the disaster recovery manual can be found
DEP
DEP - Data Execution Prevention – Windows (OS level)
Protection: mark the stack as non executable
PageExec, W^X, NX, XD, DEP
NX - Never Execute – AMD (CPU level)
XD - eXecution Disabled – Intel (CPU level)
W^X - Write XOR Execute – OpenBSD, OS X (OS level)
Non-Executable Memory – Linux (OS level)
Windows:
If the CPU supports NX/XD and it is enabled: hardware DEP == real DEP
If the CPU does not support NX/XD or it is disabled: software DEP == SafeSEH only !!!
DEP modes: Always Off, OptIn, OptOut, Always On
PageExec, W^X, NX, XD, DEP
1997 - Openwall – Solar Designer
2000 - PaX Team PageExec
2002 - Exec Shield (Ingo Molnár)
2003 - OpenBSD
2004 - Linux (Ingo Molnár)
2004 - Windows XP SP2
2006 - OS X
PageExec, W^X, NX, XD, DEP bypass
Method 1: Return Oriented Programming (ROP)
Roots from Solar Designer (return-into-libc) - 1997
Method 2: Mark the stack part as executable
Alice can override the order that her handwritten instructions must not be executed
Does not work on protection "always on"
Method 3: Disable the protection for the process
Does not work on protection "always on"
Method 4: Copy shellcode to an executable area
Executable area is usually read only
Allocate new memory with read – write – execute support (VirtualAlloc)
If attacking a browser: JavaScript heap spraying
Other magic here
ASLR metaphor
ASLR = Address Space Layout Randomization
Changing the addresses of the memory layout every time
Changing the street names and house numbers every time
Alice can only go to a house; she won't know what its address will be at the time when the rabbit arrives
ASLR
1997 - Memco
2001 - PaX Team (RandExec/RandMmap/RandUStack/RandKStack)
2005 - OpenBSD
2005 - Linux – first implementation weak
2007 - Windows
2007 - OS X
2011 - Android
ASLR bypass
2007 – MS07–017 ANI exploit – Alex Sotirov
Method 1: overwrite the first two bytes of EIP (the low bytes)
High bytes are random; we need that info, so we don't change them
Low bytes are modified to point to a piece of code useful for the attacker
Alice case: we specify the return address like "4 houses to the left, next to the original"
Method 2: Low entropy in the random values – brute force
A catch-all exception block is usually needed
You never write try { code_here } catch (Every exception) { Do nothing }, do you?
ASLR on 32 bit OS is 14m3
ASLR on 64 bit OS is 1337 (High Entropy ASLR on Win8)
ASLR bypass ...
Method 2: Low entropy in the random values – brute force
Alice can give 1000 addresses to the rabbit
The rabbit will look for Alice in 1000 houses
Finally the rabbit finds Alice
Alice can give him the malicious instructions
PROFIT
ASLR bypass …
Method 3: ASLR not enforced
Java 6 (static, non-ASLR) used in an Adobe Flash exploit
Java 7: ASLR
There are still some static street names and house numbers in eXploitland that never change
Method 4: address space information disclosure
Alice can ask an inhabitant of eXploitland what the street name and house number will be of the house where Alice is when the rabbit arrives
EMET
Collect three gems
Exploiting stack overflow in 2003 on Windows
Exploiting stack overflow in 2013 with ASLR + DEP
You have 3 ammo left
ASLR + DEP bypass
Metasploit windows/browser/ms13_037_svg_dashstyle demo
Scenario 1. Disable ASLR, exploit fixed addresses
Scenario 2. Enable ASLR, exploit is not working
Scenario 3. Java 1.6 ROP with non-ASLR module works
Scenario 4. ASLR with original information leak exploit
Scenario 5. EMET heapspray only blocks exploit
What to do if I’m a user?
Remove Java
If you use Windows: upgrade to the latest OS, use the latest browser (Chrome/IE); if you can’t upgrade, use EMET
If you use Linux: upgrade to the latest OS, use the latest browser (Chrome)
If you use OS X: upgrade to the latest OS, use the latest browser (Safari/Chrome)
Upgrade your software
What to do if I’m a CISO?
Remove Java, at least in the browsers used for Internet browsing
If you use Windows: upgrade to the latest OS
If you can’t upgrade, use EMET from GPO (Group Policy)
Install Microsoft and 3rd party patches
What to do if I’m a developer?
Remove Java, at least in the browsers used for Internet browsing
Learn secure application development
Use the compiler and linker switches in Visual Studio:
/GS (VS 2002)
/SafeSEH (VS 2003)
/DynamicBase (VS 2005)
/NXCompat (VS 2005)
/HIGHENTROPYVA (VS 2012)
#define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES 1 (VS 2005)
BinScope
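The "learn secure application development" point applied to the SayHello() function from the "Function calls" slide, as an added example that is not part of the original slides: the unbounded strcpy() is replaced by a copy that knows the buffer size and refuses oversized input, which is the same direction the secure CRT overloads enabled by _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES push a Visual Studio build. Written in portable C99 so it builds with any compiler; the 150-character test name is constructed.

```c
#include <stdio.h>
#include <string.h>

#define GREETING_BUF 100   /* same size as buffer[100] in SayHello() */

/* Bounded replacement for strcpy(): copies at most dstsz-1 bytes and always
 * NUL-terminates. Returns 0 when the whole input fit, -1 when it had to be
 * truncated, i.e. the case where strcpy() would have written past the buffer. */
static int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0) return -1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* The slide's SayHello() with the copy bounded. The greeting goes to 'out'
 * (size outsz) instead of straight to stdout so callers can inspect it.
 * Returns 0 on success, -1 when the name did not fit (then 'out' is untouched). */
static int say_hello_safe(const char *userinput, char *out, size_t outsz) {
    char buffer[GREETING_BUF];
    if (copy_bounded(buffer, sizeof buffer, userinput) != 0) {
        return -1;   /* refuse oversized input instead of truncating silently */
    }
    snprintf(out, outsz, "Hello %s\n", buffer);
    return 0;
}

/* Convenience wrapper with an internal output buffer; returns the status only. */
static int greet_ok(const char *name) {
    char out[GREETING_BUF + 16];
    return say_hello_safe(name, out, sizeof out);
}

/* Returns 1 if the greeting produced for 'name' equals 'expected' exactly. */
static int greeting_matches(const char *name, const char *expected) {
    char out[GREETING_BUF + 16];
    if (say_hello_safe(name, out, sizeof out) != 0) return 0;
    return strcmp(out, expected) == 0;
}

/* Constructed oversized name: 150 'A's, longer than buffer[100]. */
static const char *oversized_name(void) {
    static char big[151];
    memset(big, 'A', 150);
    big[150] = '\0';
    return big;
}

int main(int argc, char *argv[]) {
    const char *name = argc > 1 ? argv[1] : "Alice";
    char out[GREETING_BUF + 16];
    if (say_hello_safe(name, out, sizeof out) != 0) {
        fprintf(stderr, "name too long (max %d bytes)\n", GREETING_BUF - 1);
        return 1;
    }
    fputs(out, stdout);
    return 0;
}
```

The size check replaces the crash-and-overwrite of the original with an explicit failure path; /GS, /DynamicBase and /NXCompat still belong on the build, since they catch the copies a developer forgot to bound.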
What to do if I’m working for the Chinese government running vulnerable Poison Ivy servers?
Develop your own backdoor client/server
For details see previous slide
Until it is finished use EMET
Lessons learned
Always use ASLR (Always On, 64 bit) + DEP (Always On) together + EMET for additional protection
Number of working IE9 (2011 March) exploits in Metasploit: with Java 6 – 1, without Java 6 – 1
Number of working IE10 exploits in Metasploit: 0
Number of Java 7 (2011 July) exploits in Metasploit: 16
Price for a zero day memory corruption exploit is getting higher and higher