3. Introduction
Birth of a security patch (figure: flow diagram)
Finding a 0day -> Vulnerability reaches vendor -> Vendor finds a fix -> Releases a patch to fix the vulnerability
Discussion in the presentation (Microsoft patches): Reverse engineer the patch -> Locate the patched vulnerability -> Highlight the difficulties
http://null.co.in/ http://nullcon.net/
4. Introduction
For reversing and obtaining the binary difference in my demos I
will be using DarunGrim2.
How does DarunGrim work?
• The schema of DarunGrim is shown in the figure
• To generate diffing results
– Binaries are disassembled in IDA Pro in the background and the
DarunGrim IDA plugin is run, which creates the sqlite database
– The Diffing Engine is the heart of DarunGrim2: the sqlite DB from IDA
and the binaries selected in the GUI are fed into this engine as inputs
5. Introduction
Algorithm?
• The main algorithm of DarunGrim is a basic-block fingerprint hash map
• Each basic block is one entity, whose fingerprint is generated from its
instruction sequence
• The fingerprint hash is generated during the IDA Pro disassembly pass
• Two fingerprint hash tables are built, one for the unpatched and one for the patched binary
• To find the binary difference, each unique fingerprint from the original
binary is looked up in the fingerprint table of the patched binary
• Every fingerprint in the original binary's hash table ends up either matched or
unmatched
6. Introduction
Algorithm? (contd.)
• For a function to be called matching, all the basic blocks in the function
must match
• For unmatched functions DarunGrim calculates a percentage match
• The match rate is based on a fingerprint string match
– Similar to the GNU diff algorithm, which finds the longest common subsequence
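The fingerprint hash map and match rate described on slides 5 and 6, as an added Python example that is not part of the original presentation and not DarunGrim's own code. The two "binaries" are constructed samples in the shape the IDA plugin would export (function -> list of basic blocks -> list of instructions); functions are paired by symbol name, a simplification of DarunGrim's matching; and Python's SequenceMatcher stands in for DarunGrim's string match to give a longest-common-subsequence style ratio.

```python
import hashlib
from difflib import SequenceMatcher

# Constructed sample (not real binaries): each function is a list of basic blocks,
# each basic block a list of instructions. Functions are paired by symbol name,
# which is a simplification of how DarunGrim pairs them.
ORIGINAL = {
    "parse_record": [
        ["push ebp", "mov ebp, esp", "mov eax, [ebp+8]", "mov ecx, [ebp+0Ch]"],
        ["push ecx", "push eax", "call memcpy", "add esp, 0Ch"],
        ["pop ebp", "retn"],
    ],
    "helper": [["xor eax, eax", "retn"]],
}
PATCHED = {
    "parse_record": [
        ["push ebp", "mov ebp, esp", "mov eax, [ebp+8]", "mov ecx, [ebp+0Ch]"],
        ["cmp ecx, 100h", "ja short fail"],  # block added by the (constructed) patch
        ["push ecx", "push eax", "call memcpy", "add esp, 0Ch"],
        ["pop ebp", "retn"],
    ],
    "helper": [["xor eax, eax", "retn"]],
}


def fingerprint(block):
    """One entity per basic block: the hash of its instruction sequence."""
    return hashlib.sha1("\n".join(block).encode()).hexdigest()


def fingerprint_table(binary):
    """Fingerprint hash table for one binary: hash -> [(function, block index)]."""
    table = {}
    for func, blocks in binary.items():
        for idx, block in enumerate(blocks):
            table.setdefault(fingerprint(block), []).append((func, idx))
    return table


def match_rate(orig_blocks, new_blocks):
    """Percentage match of two functions from their fingerprint sequences.
    SequenceMatcher yields a longest-common-subsequence style ratio, standing
    in for DarunGrim's string match (the GNU diff analogy on the slide)."""
    a = [fingerprint(blk) for blk in orig_blocks]
    b = [fingerprint(blk) for blk in new_blocks]
    return round(100 * SequenceMatcher(None, a, b).ratio(), 1)


def diff_functions(original, patched):
    """Look up every original fingerprint in the patched table; a function is a
    100% match only when all its blocks match. The lookup is also run in the
    reverse direction so that a block added by the patch breaks the match
    (an assumption beyond the one-directional description on the slide)."""
    orig_table = fingerprint_table(original)
    new_table = fingerprint_table(patched)
    rates = {}
    for func, blocks in original.items():
        new_blocks = patched.get(func, [])
        forward = all(fingerprint(blk) in new_table for blk in blocks)
        backward = all(fingerprint(blk) in orig_table for blk in new_blocks)
        rates[func] = 100.0 if forward and backward else match_rate(blocks, new_blocks)
    return rates


def changed_functions(original, patched):
    """Candidates for manual analysis: everything below a 100% match."""
    return sorted(f for f, r in diff_functions(original, patched).items() if r < 100)


if __name__ == "__main__":
    for func, rate in diff_functions(ORIGINAL, PATCHED).items():
        print(f"{func:14s} {rate:5.1f}%")
```

With the sample above, parse_record scores 85.7% (three of its blocks are common to a four-block patched version, 2*3/7) and helper scores 100%, so only parse_record goes on the list for manual inspection.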
7. Introduction
Vulnerability Vs Exploit based signatures
Exploit signatures
• Created from byte-string patterns or regular expressions
• They are exploit specific
• Widely used, mainly because they are easy to create
• Cater to only one kind of input satisfying the vulnerability condition
• Failure mode: different attacks can exploit the same vulnerability, so an exploit-based
signature will miss the others
• Example of an exploit-based signature
– ESig = “docx?AAAAAAAAAAA...”
– It fails if some exploit uses a long string of B’s instead of A’s
8. Introduction
Vulnerability Vs Exploit based signatures
Vulnerability signatures
• Based on the properties of the vulnerability, not on the properties of the exploit
• A vulnerability signature covers the superset of all inputs satisfying a particular
vulnerability condition (figure: Venn diagram with the Exploit Signature as a subset
of the Vulnerability Signature)
• Example of a vulnerability-based signature for the previous case
– VSig = MATCH_STR (Buffer,"docx?(.*)$",limit)
– Matches the string in the buffer against the regex
– It is effective against any alphabet, unlike the exploit signature
9. Introduction
Vulnerability Vs Exploit based signatures
Vulnerability signatures contd..
• For a good vulnerability signature
– It must not allow any false negatives, as even one exploit can pwn the system
and create a gateway for the attacker into the network.
– It should allow very few false positives, as too many false positives amount to a DoS
against the protected system.
– Signature matching time should not add a considerable delay to the software
and services.
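The contrast between the two signature styles on slides 7 to 9, as an added Python example that is not part of the original presentation. The sample inputs are constructed and are not real exploit payloads; ESig is the byte pattern from the slide; VSig interprets MATCH_STR(Buffer, "docx?(.*)$", limit) as "the regex matches and the captured field is longer than limit", with the limit value and that reading being assumptions. The evaluate helper counts the false negatives and false positives that the "good signature" criteria ask about.

```python
import re

# Constructed sample inputs (not real exploit payloads); names starting with
# "exploit" are the malicious ones.
SAMPLES = {
    "exploit_A":   b"docx" + b"A" * 300,                  # the known exploit: long run of A's
    "exploit_B":   b"docx" + b"B" * 300,                  # same vulnerability, B's instead of A's
    "exploit_mix": b"docx" + bytes(range(32, 127)) * 4,   # same vulnerability, 380 mixed bytes
    "benign":      b"docx" + b"report-2010.docx",         # legitimate short field
    "other":       b"hello world",                        # unrelated traffic
}

# Assumed maximum length the vulnerable code handles safely (the "limit" argument).
LIMIT = 256

# Exploit signature: the byte pattern of one known exploit, as on the slide.
ESIG = re.compile(rb"docx?A{11,}")

# Vulnerability signature: the regex from MATCH_STR(Buffer, "docx?(.*)$", limit).
VSIG = re.compile(rb"docx?(.*)$", re.DOTALL)


def exploit_sig(buf):
    """ESig: flags only inputs that look like the known exploit."""
    return ESIG.search(buf) is not None


def vuln_sig(buf, limit=LIMIT):
    """VSig: the regex matches and the captured field exceeds the safe limit,
    regardless of which bytes fill it."""
    m = VSIG.search(buf)
    return m is not None and len(m.group(1)) > limit


def evaluate(signature, samples, malicious_prefix="exploit"):
    """Count false negatives (missed exploits) and false positives (flagged benign)."""
    fn = fp = 0
    for name, buf in samples.items():
        flagged = signature(buf)
        malicious = name.startswith(malicious_prefix)
        if malicious and not flagged:
            fn += 1
        if flagged and not malicious:
            fp += 1
    return {"false_negatives": fn, "false_positives": fp}


if __name__ == "__main__":
    print("ESig:", evaluate(exploit_sig, SAMPLES))
    print("VSig:", evaluate(vuln_sig, SAMPLES))
```

On this sample set ESig misses the B and mixed-byte variants (two false negatives, the failure the slide describes), while VSig catches all three and leaves the short benign field alone.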
10. Need
• The first step in creating an undisclosed (1-day) exploit is to find the
vulnerability to exploit.
• To verify that the patch released by Microsoft works as designed.
• To create vulnerability-based signatures.
11. Process
Finding patches
Extraction of files
Binary Differencing
Differencing Analysis
Debugging
12. Process
Finding patches
• Pick a vulnerability and download its patch
• Pick the vulnerability just before this one that patched the same
program or DLL
– If unavailable, use the same DLL from your system
• GDR or QFE/LDR? (General Distribution Release versus the Quick-fix Engineering /
Limited Distribution Release branch; check the file versioning to tell which one you have)
• Use the open source ms-patch-tools to easily get the file
versions to compare
13. Process: Finding patches
DEMO
14. Process: Extraction of files
• The traditional way of extracting files from a patch
– <patchfilename>.exe /x
– Works only for Windows XP and earlier versions of Windows
• The above method cannot be used on Windows 7 and Vista patches,
which are delivered as .msu files
15. Process: Extraction of files
• Use the expand command; the .msu expands to a .cab, which is expanded in turn
– expand -F:* <Saved_MSU_File_Name>.msu C:\<Folder_to_extract_in>
– expand -F:* <Saved_MSU_File_Name>.cab C:\<Folder_to_extract_in>
16. Process: Extraction of files
DEMO
17. Process: Binary Differencing
• DarunGrim v2 is used for the binary difference
– Feed in the two binaries to be compared
– It generates a list of functions with the percentage match between the two files
• Not every function with a match below 100% is actually changed
• The list includes false positives, which require manual analysis
18. Process: Binary Differencing
DEMO
19. Process: Differencing Analysis
• Manual inspection of functions with less than 100% match
– Remove false positives generated by problems like
• Instruction reordering
A lot of reordering happens between releases, which marks even identical blocks as unmatched
• Split blocks
A block in the graph that has only one parent, where that parent has only one child, is a split block,
which causes a problem in the matching process.
This can be improved by merging the two blocks and treating them as a single block.
20. Process: Differencing Analysis
• Hot patching
A mov edi, edi instruction at the start of a function is the sign of a hot-patchable prologue and leads to a
mismatch in that block
By simply ignoring the instruction we get a match
• Compiler optimizations
Different compilers, and even different versions of the same compiler, perform different
optimizations, which also creates problems in getting a proper difference
– Eventually we reach a function that is indeed modified and might be the fix to
the vulnerability being patched
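The two mechanical false-positive sources above (hot-patch prologue and split blocks) handled in code, as an added Python example that is not part of the original presentation and not DarunGrim's code. The function is represented as a small control-flow graph, {block id: (instructions, successor ids)}; the block names and instruction sequences are constructed for illustration, and instruction reordering and compiler optimizations are deliberately left out because they need semantic rather than textual normalization.

```python
import hashlib

# Microsoft's hot-patchable function prologue starts with this 2-byte no-op.
HOTPATCH_NOP = "mov edi, edi"

# Constructed sample (not real binaries): the same function from two builds as
# {block id: (instructions, successors)}. The rebuilt version gained the
# hot-patch no-op and the compiler split its entry block in two; the logic is
# unchanged, so a good diff should report no difference.
ORIGINAL = {
    "entry": (["push ebp", "mov ebp, esp", "sub esp, 10h",
               "mov eax, [ebp+8]", "test eax, eax", "jz short done"], ["body", "done"]),
    "body":  (["mov ecx, [ebp+0Ch]", "mov [eax], ecx"], ["done"]),
    "done":  (["mov esp, ebp", "pop ebp", "retn"], []),
}
REBUILT = {
    "entry":   ([HOTPATCH_NOP, "push ebp", "mov ebp, esp"], ["entry_2"]),
    "entry_2": (["sub esp, 10h", "mov eax, [ebp+8]", "test eax, eax", "jz short done"],
                ["body", "done"]),
    "body":    (["mov ecx, [ebp+0Ch]", "mov [eax], ecx"], ["done"]),
    "done":    (["mov esp, ebp", "pop ebp", "retn"], []),
}


def strip_hotpatch(cfg):
    """Ignore the hot-patch no-op at the start of a block, so the entry block
    fingerprints like its unpatched counterpart."""
    return {bid: (ins[1:] if ins and ins[0] == HOTPATCH_NOP else list(ins), list(succ))
            for bid, (ins, succ) in cfg.items()}


def merge_split_blocks(cfg):
    """Merge a child into its parent whenever the parent has exactly one child and
    the child exactly one parent, so a compiler split no longer looks like a change."""
    cfg = {bid: (list(ins), list(succ)) for bid, (ins, succ) in cfg.items()}
    while True:
        preds = {}
        for bid, (_, succ) in cfg.items():
            for s in succ:
                preds.setdefault(s, []).append(bid)
        pair = next(((bid, succ[0]) for bid, (_, succ) in cfg.items()
                     if len(succ) == 1 and succ[0] != bid
                     and len(preds.get(succ[0], [])) == 1), None)
        if pair is None:
            return cfg
        parent, child = pair
        child_ins, child_succ = cfg.pop(child)
        cfg[parent] = (cfg[parent][0] + child_ins, child_succ)


def fingerprints(cfg):
    """Set of basic-block fingerprints (hash of each block's instruction sequence)."""
    return {hashlib.sha1("\n".join(ins).encode()).hexdigest() for ins, _ in cfg.values()}


def unmatched_blocks(orig_cfg, new_cfg, normalize=True):
    """Number of block fingerprints present in only one of the two builds."""
    if normalize:
        orig_cfg = merge_split_blocks(strip_hotpatch(orig_cfg))
        new_cfg = merge_split_blocks(strip_hotpatch(new_cfg))
    return len(fingerprints(orig_cfg) ^ fingerprints(new_cfg))


if __name__ == "__main__":
    print("raw unmatched blocks:       ", unmatched_blocks(ORIGINAL, REBUILT, normalize=False))
    print("normalized unmatched blocks:", unmatched_blocks(ORIGINAL, REBUILT))
```

Without normalization the raw fingerprints report three unmatched blocks (the old entry block plus both halves of the new one), i.e. a false positive the analyst would have to dismiss by hand; after dropping the no-op and merging the split pair the two builds fingerprint identically.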
21. Process: Differencing Analysis
DEMO
22. Process: Differencing Analysis
Side-by-side listing of the differing block (left and right columns of the original slide):

First binary:
    push    [ebp-2Ch]           ; unsigned int
    call    ??2@YAPAXI@Z        ; operator new(uint)
    mov     ebx, eax
    pop     ecx
    mov     [ebp-18h], ebx
    mov     [ebp-3Ch], ebx
    mov     byte ptr [ebp-4], 1
    push    dword ptr [ebp-2Ch]
    mov     ecx, esi
    push    ebx
    push    [ebp-30h]
    call    sub_118000C         ; func(const *,void *,long)
    mov     edi, eax
    test    edi, edi
    jge     short

Second binary:
    push    [ebp-2Ch]           ; unsigned int
    call    ??2@YAPAXI@Z        ; operator new(uint)
    pop     ecx
    mov     [ebp-14h], eax      ; ebp-14h = pBuffer
    mov     [ebp-40h], eax
    mov     byte ptr [ebp-4], 2
    push    [ebp-2Ch]
    mov     ecx, esi
    push    ebx
    push    edi
    call    sub_118000C         ; func(const *,void *,long)
    mov     esi, eax
    test    esi, esi
    jge     short loc_118158A
23. Process: Debugging
• Validate the findings of the analysis by debugging
– Get the application to crash
– Create a malformed file that triggers the crash
• Immunity Debugger will be used
24. Process: Debugging
DEMO
25. Conclusion
• Presented an overview of how 1-day exploits and
vulnerability signatures can be created
• An attempt was made to understand the process
involved in reversing and the problems faced during
the execution of the process
• Only Microsoft patches were discussed, but the concept is not
limited to them.
• The concepts presented can be refined by the interested
audience