SlideShare a Scribd company logo

Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation

High-Tech Bridge SA (HTBridge)
High-Tech Bridge SA (HTBridge)

In November 2012 High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Novell GroupWise 2012. Details of the vulnerabilities were disclosed in April 2013. This paper demonstrates vulnerability exploitation to execute arbitrary code on the vulnerable system. Link to publication: https://www.htbridge.com/publications/novell_groupwise_untrusted_pointer_dereference_exploitation.html

Technology
1 of 28
Download to read offline
Novell GroupWise 2012 Multiple Untrusted Pointer Dereferences Exploitation April 3th, 2013 Brian MARIANI & Frédéric BOURLA ©2013 High-Tech Bridge SA – www.htbridge.com
TIMELINE  On the 24th of November 2012, High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Novell GroupWise 2012.  On the 26th November 2012, High-Tech Bridge Security Research Lab informed Novell about these vulnerabilities which existed in two core ActiveX modules.  On the 30th January 2013, Novell published a security bulletin and released a security patch.  Finally, on the 3rd April 2013 High-Tech Bridge Security Research Lab disclosed the vulnerability details.  This paper is a technical explanation of the latter vulnerability and its exploitation. ©2013 High-Tech Bridge SA – www.htbridge.com
ABOUT NOVELL GROUPWISE  According to Wikipedia:  GroupWise is a messaging and collaborative software platform from Novell Inc. that supports email, calendaring, personal information management, instant messaging, and document management.  The platform consists of the client software, which is available for Windows, Mac OS X, Linux, and the server software part which is supported on Windows Server, NetWare and Linux systems.  The latest generation of the platform is GroupWise 2012 which only supports Windows and Linux servers. ©2013 High-Tech Bridge SA – www.htbridge.com
THE VULNERABILITIES  The vulnerabilities exist in the gwmim1.ocx and gwabdlg.dll libraries.  In order to trigger the flaw one should pass a non properly initialized value to the vulnerable methods.  By default any long integer value is assumed to be a proper initialized pointer. This permit to provide a fake pointer to some of the methods and hijack the control flow of the application by redirecting it to a malicious code.  The vulnerability can be abused by preparing the heap area with predictable memory addresses before the bug is triggered. ©2013 High-Tech Bridge SA – www.htbridge.com
COMMON WEAKNESS ENUMERATION  In accordance to MITRE:  The Common Weakness Enumeration is a formal list of software weakness types created to: • Serve as a common language for describing software security weaknesses in architecture, design or code. • Serve as a standard measuring stick for software security tools targeting these weaknesses. • Provide a common baseline standard for weakness identification, mitigation and prevention efforts.  On the of 20th August 2012 High-Tech Bridge Security Research Lab obtained CWE-Compatible Status by MITRE.  This vulnerability was categorized by the weakness ID Untrusted Pointer Dereference [CWE-822]. ©2013 High-Tech Bridge SA – www.htbridge.com
UNTRUSTED POINTER DEREFERENCE  According to MITRE, an untrusted pointer dereference vulnerability is present when:  An attacker can inject a pointer for memory locations that the program is not expecting.  If the pointer is dereferenced for a write operation, the attack might allow modification of critical program state variables, cause a crash or execute code.  If the dereferencing operation is for a read, then the attack might allow reading of sensitive data, cause a crash or set a program variable to an unexpected value since it will be read from an unexpected memory location. ©2013 High-Tech Bridge SA – www.htbridge.com
MORE DETAILS ABOUT THE ISSUE  Novell GroupWise crashes at three different methods within two modules.  The involved modules are gwabdlg.dll and gwmim1.ocx.  The faulty methods names are InvokeContact, GenerateSummaryPage and SecManageRecipientCertificates.  We will only analyse the issues in the SecManageRecipientCertificates and InvokeContact methods.  This is because the InvokeContact and GenerateSummary methods crash at the same area. Moreover, the exploitation technique used to leverage the vulnerability is the same.  The configuration lab we used is an English Windows XP SP3 operating system (DEP disabled) with Internet Explorer 8. ©2013 High-Tech Bridge SA – www.htbridge.com
PROOF OF CONCEPT CRASH (1)  Here is a working proof of concept in order to crash Internet Explorer by passing a custom pointer to the InvokeContact method. ©2013 High-Tech Bridge SA – www.htbridge.com
PROOF OF CONCEPT CRASH (2)  The following proof of concept crashes Internet Explorer by passing a fake pointer to the SecManageRecipientCertificates method. ©2013 High-Tech Bridge SA – www.htbridge.com
SecManageRecipientCertificates case (1)  Let’s first analyze the SecManageRecipientCertificates case as this is the simpler one.  In the following screenshot we can observe the crash from WinDBG after executing the proof of concept on one of the previous slides:  We can clearly spot that the crash took place at the address 0x10014805 when the code attempts to move the value of the uninitialized pointer into the EDX register.  This one was provided as a long data type (202116108), therefore (0xc0c0c0c) in hexadecimal format. ©2013 High-Tech Bridge SA – www.htbridge.com
SecManageRecipientCertificates case (2)  So far we have a function that crashes when reading a memory address of our choice.  All that we need in order to turn the odds in our favor and maximize the chances of exploitation is that the code instructions that follow permit us in someway to take control of code execution.  In this particular instance, after dissasembling the faulty function, we can observe at the memory address 0x10014807 that the value hold by our pointer is moved into the EAX register.  Eventually, a CALL EAX instruction at the address 0x10014809 will terminate the game. ©2013 High-Tech Bridge SA – www.htbridge.com
HEAP SPRAYING  In order to exploit this particular vulnerability we need to spray the heap area on Internet Explorer in a reliable and precise way.  Before the bug is triggered the heap must be already prepared in order to contain the or al,0x0C sled which leads to arbitrary code execution.  The or al,0x0C instruction does not affects any critical data which could stop code execution.  The goal is to "slide" the flow of code to its final destination.  Since the shellcode is sitting in multiple chunks in the heap right after the or al,0x0C sled the probability of arbitrary code execution is very high.  Please check the Microsoft XML issue video for more information on this exploitation technique. ©2013 High-Tech Bridge SA – www.htbridge.com
WINDBG AFTER THE HEAP SPRAYING EXPLOIT (1)  Here is a screenshot of the most important part of the exploit: ©2013 High-Tech Bridge SA – www.htbridge.com
WINDBG AFTER THE HEAP SPRAYING EXPLOIT (2)  The following screenshot shows the state of registers under Windbg after the exploit is executed:  We can clearly observe that instruction pointer register was successfully hijacked. ©2013 High-Tech Bridge SA – www.htbridge.com
THE INVOKECONTACT METHOD CASE (1)  As we said on slide 10, finding the way to exploit the SecManageRecipientCertificates method was les complex than the InvokeContact one.  When we run the InvokeContact proof of concept, one would be tempted to conclude that this is just a local denial of service.  However, since the attacker can control the EAX register he could influence the code logic and to enter what seems to be a switch structure.  This means that it would be possible to coerce the code to enter into one of the six available cases, so as to potentially increase our chances of successful exploitation. ©2013 High-Tech Bridge SA – www.htbridge.com
THE INVOKECONTACT METHOD CASE (2)  Here is the switch structure containing the six different cases:  In order to go beyond this crash, we need to provide a memory address as a pointer, and from this address plus 4 bytes we supply a dword value who will be the case number in which we would like to enter.  In order to accomplish this task one would need to rely over a previously known address in memory.  If we use a precise heap spraying technique, we can count on the 0xc0c0c0c address. ©2013 High-Tech Bridge SA – www.htbridge.com
THE INVOKECONTACT METHOD CASE (3)  After studying the exploitation opportunities that are available to us, we found that at least one of the six cases permits arbitrary code execution.  The following screenshot shows the code instructions when the third case is executed:  Let’s summarize the entire process starting from the injected pointer until code execution is reached. ©2013 High-Tech Bridge SA – www.htbridge.com
THE INVOKECONTACT METHOD CASE (4)  We place a breakpoint at the Oleaut32!DispCallFunc function and a second one at the first CALL ECX instruction situated some bytes farther. The second breakpoint is the instruction who calls the method in which we are interested.  After the second break, the code points to the memory address 0x572146b7. ©2013 High-Tech Bridge SA – www.htbridge.com
THE INVOKECONTACT METHOD CASE (5)  The code pushes into the stack the improper pointer. At this moment we can observe the reference to the XisDOMAttributeList function.  After the CALL instruction at the address 0x5722D83E, the code continues and pushes again the uninitialized value at the address 0x5722d861 who enters in one more nested function. ©2013 High-Tech Bridge SA – www.htbridge.com
THE INVOKECONTACT METHOD CASE (6)  When the code comes into this function the uninitialized pointer is compared to 0. As the pointer’s value is equal to c0c0c0c the conditional jump at address 0x5722D2E8 is not taken.  Later, the untrusted pointer is moved into the EAX register at the address 0x5722D2FE.  At 0x5722D301 address we reach the instruction where the code reads the value of the EAX register plus four bytes. This corresponds to the case in which it will enter. ©2013 High-Tech Bridge SA – www.htbridge.com
THE INVOKECONTACT METHOD CASE (7)  In order to push the code to enter into the case three, we sprayed the heap so as to allocate perfect sized and consecutive chunks.  If we take care of the chunks size and the blocks size, we can be pretty sure that the begin of each spray block will be positioned at a predictable address.  Here is the sprayed data starting at the address 0xc0c0c0c:  Consult the document Heap Spraying Demystified under the section Precision Heap Spraying from Corelan for more information. ©2013 High-Tech Bridge SA – www.htbridge.com
THE INVOKECONTACT METHOD CASE (8)  Because the heap spray was very precise, the code reads and stores our desired value into the stack at the address 0x5722D304.  This permits us to go beyond the previous crash and enter into the function at the address 0x5722d4b4. ©2013 High-Tech Bridge SA – www.htbridge.com
THE INVOKECONTACT METHOD CASE (9)  The untrusted pointer is stored in the stack and will be reused later in order to call another private method from the vftable. ©2013 High-Tech Bridge SA – www.htbridge.com
THE INVOKECONTACT METHOD CASE (10)  Later the code dereferences twice the EAX register at the addresses 0x5722D4CA and 0x5722D4D3.  So as to successfully slide the code up to the shellcode, the exploit needs to spray accurately the heap with three pointers:  The shellcode sits right after the 0xc0c0c48 pointer. ©2013 High-Tech Bridge SA – www.htbridge.com
THE INVOKECONTACT METHOD CASE (11)  This is therefore the final payload for the exploit: ©2013 High-Tech Bridge SA – www.htbridge.com
THE INVOKECONTACT METHOD CASE (12)  Code execution is reached: ©2013 High-Tech Bridge SA – www.htbridge.com
References & Links  http://www.youtube.com/watch?v=hNDjRLoN8ug (Exploitation Video)  https://www.htbridge.com/publication/Novell-GroupWise-exploit.rar (password: htbridge)  https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11- heap-spraying demystified/#Heap_Spraying_on_Internet_Explorer_9  http://cwe.mitre.org/data/definitions/822.html  https://www.htbridge.com/vulnerability/  http://en.wikipedia.org/wiki/Novell_GroupWise ©2013 High-Tech Bridge SA – www.htbridge.com
Thank you for reading Your questions are always welcome: brian.mariani [at] htbridge.com frederic.bourla [at] htbridge.com ©2013 High-Tech Bridge SA – www.htbridge.com

Recommended

Web app security - owasp top 10
Web app security - owasp top 10Web app security - owasp top 10
Web app security - owasp top 10Digicomp Academy AG
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005Rich Helton
 
First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in AndroidRich Helton
 
Jsse
JsseJsse
Jssevantinhkhuc
 
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)High-Tech Bridge SA (HTBridge)
 
Automated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation VulnerabilitiesAutomated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation VulnerabilitiesYuji Kosuga
 
Animals in danger
Animals in dangerAnimals in danger
Animals in dangermgmaganna
 
Final idea
Final ideaFinal idea
Final ideaJanet Lunkusé
 

Recommended

Web app security - owasp top 10
Web app security - owasp top 10Web app security - owasp top 10
Web app security - owasp top 10Digicomp Academy AG
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005Rich Helton
 
First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in AndroidRich Helton
 
Jsse
JsseJsse
Jssevantinhkhuc
 
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)High-Tech Bridge SA (HTBridge)
 
Automated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation VulnerabilitiesAutomated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation VulnerabilitiesYuji Kosuga
 
Animals in danger
Animals in dangerAnimals in danger
Animals in dangermgmaganna
 
Final idea
Final ideaFinal idea
Final ideaJanet Lunkusé
 
Wows
WowsWows
WowsAneesah Bakker
 
Галимуллина Н.М., Коршунова О.Н. Коммуникационные инструменты исполнительной ...
Галимуллина Н.М., Коршунова О.Н. Коммуникационные инструменты исполнительной ...Галимуллина Н.М., Коршунова О.Н. Коммуникационные инструменты исполнительной ...
Галимуллина Н.М., Коршунова О.Н. Коммуникационные инструменты исполнительной ...prasu1995
 
Masgnb seminar itr_2013-program
Masgnb seminar itr_2013-programMasgnb seminar itr_2013-program
Masgnb seminar itr_2013-programRussian website "About Trenchless"
 
Pengenalan Kepada Teknologi Multimedia Part 3
Pengenalan Kepada Teknologi Multimedia Part 3Pengenalan Kepada Teknologi Multimedia Part 3
Pengenalan Kepada Teknologi Multimedia Part 3Noor Hafizah Abd. Rahim
 
Fuego domingo
Fuego domingoFuego domingo
Fuego domingoAmigazos De Cristo
 
Production log continuted
Production log continuted Production log continuted
Production log continuted Janet Lunkusé
 
Pembelajaran bi
Pembelajaran biPembelajaran bi
Pembelajaran biSolihin Utjok
 
I dati più curiosi di facebook
I dati più curiosi di facebookI dati più curiosi di facebook
I dati più curiosi di facebookFrancesco Bondielli
 
Market Snapshot-23/11/2012
Market Snapshot-23/11/2012Market Snapshot-23/11/2012
Market Snapshot-23/11/2012Abhijit Mitra
 
presentation slides
presentation slidespresentation slides
presentation slidesJanet Lunkusé
 
Proiectele eTwinning cale spre cunoasterea culturii europene
Proiectele eTwinning cale spre cunoasterea culturii europeneProiectele eTwinning cale spre cunoasterea culturii europene
Proiectele eTwinning cale spre cunoasterea culturii europeneGrigore Gheorghita
 
Forgiveness
ForgivenessForgiveness
ForgivenessEducator
 
Food of the future
Food of the futureFood of the future
Food of the futureKari900
 
Chapter 1 elements of nuclear physics
Chapter 1 elements of nuclear physicsChapter 1 elements of nuclear physics
Chapter 1 elements of nuclear physicsROBERT ESHUN
 
A cross-layer approach to energy management in manufacturing
A cross-layer approach to energy management in manufacturingA cross-layer approach to energy management in manufacturing
A cross-layer approach to energy management in manufacturingFAST-Lab. Factory Automation Systems and Technologies Laboratory, Tampere University of Technology
 
Social media & organisations - A presentation for AmCham Belgium
Social media & organisations - A presentation for AmCham BelgiumSocial media & organisations - A presentation for AmCham Belgium
Social media & organisations - A presentation for AmCham BelgiumOutsource Communications
 
Business snapshots
Business snapshotsBusiness snapshots
Business snapshotsPaula Burba
 
Grammar book#2
Grammar book#2Grammar book#2
Grammar book#2Sadiaa24
 
Mrs craig final exam 3
Mrs craig final exam 3Mrs craig final exam 3
Mrs craig final exam 3cmhagc
 
Els presocrátics (físics)
Els presocrátics (físics)Els presocrátics (físics)
Els presocrátics (físics)martabarrosoisidoro
 
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityCVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityHigh-Tech Bridge SA (HTBridge)
 
Manipulating Memory for Fun and Profit
Manipulating Memory for Fun and ProfitManipulating Memory for Fun and Profit
Manipulating Memory for Fun and ProfitJovi Umawing
 

More Related Content

Viewers also liked

Галимуллина Н.М., Коршунова О.Н. Коммуникационные инструменты исполнительной ...
Галимуллина Н.М., Коршунова О.Н. Коммуникационные инструменты исполнительной ...Галимуллина Н.М., Коршунова О.Н. Коммуникационные инструменты исполнительной ...
Галимуллина Н.М., Коршунова О.Н. Коммуникационные инструменты исполнительной ...prasu1995
 
Pengenalan Kepada Teknologi Multimedia Part 3
Pengenalan Kepada Teknologi Multimedia Part 3Pengenalan Kepada Teknologi Multimedia Part 3
Pengenalan Kepada Teknologi Multimedia Part 3Noor Hafizah Abd. Rahim
 
Production log continuted
Production log continuted Production log continuted
Production log continuted Janet Lunkusé
 
Market Snapshot-23/11/2012
Market Snapshot-23/11/2012Market Snapshot-23/11/2012
Market Snapshot-23/11/2012Abhijit Mitra
 
Proiectele eTwinning cale spre cunoasterea culturii europene
Proiectele eTwinning cale spre cunoasterea culturii europeneProiectele eTwinning cale spre cunoasterea culturii europene
Proiectele eTwinning cale spre cunoasterea culturii europeneGrigore Gheorghita
 
Forgiveness
ForgivenessForgiveness
ForgivenessEducator
 
Food of the future
Food of the futureFood of the future
Food of the futureKari900
 
Chapter 1 elements of nuclear physics
Chapter 1 elements of nuclear physicsChapter 1 elements of nuclear physics
Chapter 1 elements of nuclear physicsROBERT ESHUN
 
Social media & organisations - A presentation for AmCham Belgium
Social media & organisations - A presentation for AmCham BelgiumSocial media & organisations - A presentation for AmCham Belgium
Social media & organisations - A presentation for AmCham BelgiumOutsource Communications
 
Business snapshots
Business snapshotsBusiness snapshots
Business snapshotsPaula Burba
 
Grammar book#2
Grammar book#2Grammar book#2
Grammar book#2Sadiaa24
 
Mrs craig final exam 3
Mrs craig final exam 3Mrs craig final exam 3
Mrs craig final exam 3cmhagc
 

Viewers also liked (20)

Wows
WowsWows
Wows
 
Галимуллина Н.М., Коршунова О.Н. Коммуникационные инструменты исполнительной ...
Галимуллина Н.М., Коршунова О.Н. Коммуникационные инструменты исполнительной ...Галимуллина Н.М., Коршунова О.Н. Коммуникационные инструменты исполнительной ...
Галимуллина Н.М., Коршунова О.Н. Коммуникационные инструменты исполнительной ...
 
Masgnb seminar itr_2013-program
Masgnb seminar itr_2013-programMasgnb seminar itr_2013-program
Masgnb seminar itr_2013-program
 
Pengenalan Kepada Teknologi Multimedia Part 3
Pengenalan Kepada Teknologi Multimedia Part 3Pengenalan Kepada Teknologi Multimedia Part 3
Pengenalan Kepada Teknologi Multimedia Part 3
 
Fuego domingo
Fuego domingoFuego domingo
Fuego domingo
 
Production log continuted
Production log continuted Production log continuted
Production log continuted
 
Pembelajaran bi
Pembelajaran biPembelajaran bi
Pembelajaran bi
 
I dati più curiosi di facebook
I dati più curiosi di facebookI dati più curiosi di facebook
I dati più curiosi di facebook
 
Market Snapshot-23/11/2012
Market Snapshot-23/11/2012Market Snapshot-23/11/2012
Market Snapshot-23/11/2012
 
presentation slides
presentation slidespresentation slides
presentation slides
 
Proiectele eTwinning cale spre cunoasterea culturii europene
Proiectele eTwinning cale spre cunoasterea culturii europeneProiectele eTwinning cale spre cunoasterea culturii europene
Proiectele eTwinning cale spre cunoasterea culturii europene
 
Forgiveness
ForgivenessForgiveness
Forgiveness
 
Food of the future
Food of the futureFood of the future
Food of the future
 
Chapter 1 elements of nuclear physics
Chapter 1 elements of nuclear physicsChapter 1 elements of nuclear physics
Chapter 1 elements of nuclear physics
 
A cross-layer approach to energy management in manufacturing
A cross-layer approach to energy management in manufacturingA cross-layer approach to energy management in manufacturing
A cross-layer approach to energy management in manufacturing
 
Social media & organisations - A presentation for AmCham Belgium
Social media & organisations - A presentation for AmCham BelgiumSocial media & organisations - A presentation for AmCham Belgium
Social media & organisations - A presentation for AmCham Belgium
 
Business snapshots
Business snapshotsBusiness snapshots
Business snapshots
 
Grammar book#2
Grammar book#2Grammar book#2
Grammar book#2
 
Mrs craig final exam 3
Mrs craig final exam 3Mrs craig final exam 3
Mrs craig final exam 3
 
Els presocrátics (físics)
Els presocrátics (físics)Els presocrátics (físics)
Els presocrátics (físics)
 

Similar to Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation

CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityCVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityHigh-Tech Bridge SA (HTBridge)
 
Manipulating Memory for Fun and Profit
Manipulating Memory for Fun and ProfitManipulating Memory for Fun and Profit
Manipulating Memory for Fun and ProfitJovi Umawing
 
Manipulating memory for fun and profit
Manipulating memory for fun and profitManipulating memory for fun and profit
Manipulating memory for fun and profitYury Chemerkin
 
Manipulating memory for fun and profit
Manipulating memory for fun and profitManipulating memory for fun and profit
Manipulating memory for fun and profitYury Chemerkin
 
10. sig free a signature free buffer overflow attack blocker
10. sig free a signature free buffer overflow attack blocker10. sig free a signature free buffer overflow attack blocker
10. sig free a signature free buffer overflow attack blockerakila_mano
 
Security_Testing_Presentation
Security_Testing_PresentationSecurity_Testing_Presentation
Security_Testing_PresentationRazil Shaik
 
Automotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerAutomotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerForAllSecure
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningCA API Management
 
Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013MattKilner
 
IRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET Journal
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)David Jorm
 
OWASP Top 10 Web Attacks (2017) with Prevention Methods
OWASP Top 10 Web Attacks (2017) with Prevention MethodsOWASP Top 10 Web Attacks (2017) with Prevention Methods
OWASP Top 10 Web Attacks (2017) with Prevention MethodsIRJET Journal
 
LogMeIn Security White Paper
LogMeIn Security White PaperLogMeIn Security White Paper
LogMeIn Security White PaperLogMeIn
 
Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Matt Raible
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
A taxonomy of obfuscating transformations
A taxonomy of obfuscating transformationsA taxonomy of obfuscating transformations
A taxonomy of obfuscating transformationsemanuele_nl
 

Similar to Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation (20)

CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityCVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
 
Manipulating Memory for Fun and Profit
Manipulating Memory for Fun and ProfitManipulating Memory for Fun and Profit
Manipulating Memory for Fun and Profit
 
Manipulating memory for fun and profit
Manipulating memory for fun and profitManipulating memory for fun and profit
Manipulating memory for fun and profit
 
Manipulating Memory for Fun & Profit
Manipulating Memory for Fun & ProfitManipulating Memory for Fun & Profit
Manipulating Memory for Fun & Profit
 
Manipulating memory for fun and profit
Manipulating memory for fun and profitManipulating memory for fun and profit
Manipulating memory for fun and profit
 
10. sig free a signature free buffer overflow attack blocker
10. sig free a signature free buffer overflow attack blocker10. sig free a signature free buffer overflow attack blocker
10. sig free a signature free buffer overflow attack blocker
 
Security_Testing_Presentation
Security_Testing_PresentationSecurity_Testing_Presentation
Security_Testing_Presentation
 
Automotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerAutomotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a Hacker
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And Hardening
 
Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013
 
IRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of Code
 
nCircle Webinar: Get your Black Belt
nCircle Webinar: Get your Black Belt nCircle Webinar: Get your Black Belt
nCircle Webinar: Get your Black Belt
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 
Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)
 
Enterprise serverless
Enterprise serverlessEnterprise serverless
Enterprise serverless
 
OWASP Top 10 Web Attacks (2017) with Prevention Methods
OWASP Top 10 Web Attacks (2017) with Prevention MethodsOWASP Top 10 Web Attacks (2017) with Prevention Methods
OWASP Top 10 Web Attacks (2017) with Prevention Methods
 
LogMeIn Security White Paper
LogMeIn Security White PaperLogMeIn Security White Paper
LogMeIn Security White Paper
 
Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
A taxonomy of obfuscating transformations
A taxonomy of obfuscating transformationsA taxonomy of obfuscating transformations
A taxonomy of obfuscating transformations
 

More from High-Tech Bridge SA (HTBridge)

Cybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackCybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackHigh-Tech Bridge SA (HTBridge)
 
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatFrontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatHigh-Tech Bridge SA (HTBridge)
 
Defeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsDefeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsHigh-Tech Bridge SA (HTBridge)
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksHigh-Tech Bridge SA (HTBridge)
 
Client-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksClient-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksHigh-Tech Bridge SA (HTBridge)
 

More from High-Tech Bridge SA (HTBridge) (12)

Welcome in the World Wild Web
Welcome in the World Wild WebWelcome in the World Wild Web
Welcome in the World Wild Web
 
Fuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkFuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley Framework
 
Cybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackCybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attack
 
Spying Internet Explorer 8.0
Spying Internet Explorer 8.0Spying Internet Explorer 8.0
Spying Internet Explorer 8.0
 
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatFrontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent Threat
 
Inline Hooking in Windows
Inline Hooking in WindowsInline Hooking in Windows
Inline Hooking in Windows
 
Userland Hooking in Windows
Userland Hooking in WindowsUserland Hooking in Windows
Userland Hooking in Windows
 
Defeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsDefeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in Windows
 
Structured Exception Handler Exploitation
Structured Exception Handler ExploitationStructured Exception Handler Exploitation
Structured Exception Handler Exploitation
 
Fake malware and virus scanners
Fake malware and virus scannersFake malware and virus scanners
Fake malware and virus scanners
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacks
 
Client-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksClient-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacks
 

Recently uploaded

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation

  • 1. Novell GroupWise 2012 Multiple Untrusted Pointer Dereferences Exploitation April 3th, 2013 Brian MARIANI & Frédéric BOURLA ©2013 High-Tech Bridge SA – www.htbridge.com
  • 2. TIMELINE  On the 24th of November 2012, High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Novell GroupWise 2012.  On the 26th November 2012, High-Tech Bridge Security Research Lab informed Novell about these vulnerabilities which existed in two core ActiveX modules.  On the 30th January 2013, Novell published a security bulletin and released a security patch.  Finally, on the 3rd April 2013 High-Tech Bridge Security Research Lab disclosed the vulnerability details.  This paper is a technical explanation of the latter vulnerability and its exploitation. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 3. ABOUT NOVELL GROUPWISE  According to Wikipedia:  GroupWise is a messaging and collaborative software platform from Novell Inc. that supports email, calendaring, personal information management, instant messaging, and document management.  The platform consists of the client software, which is available for Windows, Mac OS X, Linux, and the server software part which is supported on Windows Server, NetWare and Linux systems.  The latest generation of the platform is GroupWise 2012 which only supports Windows and Linux servers. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 4. THE VULNERABILITIES  The vulnerabilities exist in the gwmim1.ocx and gwabdlg.dll libraries.  In order to trigger the flaw one should pass a non properly initialized value to the vulnerable methods.  By default any long integer value is assumed to be a proper initialized pointer. This permit to provide a fake pointer to some of the methods and hijack the control flow of the application by redirecting it to a malicious code.  The vulnerability can be abused by preparing the heap area with predictable memory addresses before the bug is triggered. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 5. COMMON WEAKNESS ENUMERATION  In accordance to MITRE:  The Common Weakness Enumeration is a formal list of software weakness types created to: • Serve as a common language for describing software security weaknesses in architecture, design or code. • Serve as a standard measuring stick for software security tools targeting these weaknesses. • Provide a common baseline standard for weakness identification, mitigation and prevention efforts.  On the of 20th August 2012 High-Tech Bridge Security Research Lab obtained CWE-Compatible Status by MITRE.  This vulnerability was categorized by the weakness ID Untrusted Pointer Dereference [CWE-822]. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 6. UNTRUSTED POINTER DEREFERENCE  According to MITRE, an untrusted pointer dereference vulnerability is present when:  An attacker can inject a pointer for memory locations that the program is not expecting.  If the pointer is dereferenced for a write operation, the attack might allow modification of critical program state variables, cause a crash or execute code.  If the dereferencing operation is for a read, then the attack might allow reading of sensitive data, cause a crash or set a program variable to an unexpected value since it will be read from an unexpected memory location. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 7. MORE DETAILS ABOUT THE ISSUE  Novell GroupWise crashes at three different methods within two modules.  The involved modules are gwabdlg.dll and gwmim1.ocx.  The faulty methods names are InvokeContact, GenerateSummaryPage and SecManageRecipientCertificates.  We will only analyse the issues in the SecManageRecipientCertificates and InvokeContact methods.  This is because the InvokeContact and GenerateSummary methods crash at the same area. Moreover, the exploitation technique used to leverage the vulnerability is the same.  The configuration lab we used is an English Windows XP SP3 operating system (DEP disabled) with Internet Explorer 8. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 8. PROOF OF CONCEPT CRASH (1)  Here is a working proof of concept in order to crash Internet Explorer by passing a custom pointer to the InvokeContact method. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 9. PROOF OF CONCEPT CRASH (2)  The following proof of concept crashes Internet Explorer by passing a fake pointer to the SecManageRecipientCertificates method. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 10. SecManageRecipientCertificates case (1)  Let’s first analyze the SecManageRecipientCertificates case as this is the simpler one.  In the following screenshot we can observe the crash from WinDBG after executing the proof of concept on one of the previous slides:  We can clearly spot that the crash took place at the address 0x10014805 when the code attempts to move the value of the uninitialized pointer into the EDX register.  This one was provided as a long data type (202116108), therefore (0xc0c0c0c) in hexadecimal format. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 11. SecManageRecipientCertificates case (2)  So far we have a function that crashes when reading a memory address of our choice.  All that we need in order to turn the odds in our favor and maximize the chances of exploitation is that the code instructions that follow permit us in someway to take control of code execution.  In this particular instance, after dissasembling the faulty function, we can observe at the memory address 0x10014807 that the value hold by our pointer is moved into the EAX register.  Eventually, a CALL EAX instruction at the address 0x10014809 will terminate the game. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 12. HEAP SPRAYING  In order to exploit this particular vulnerability we need to spray the heap area on Internet Explorer in a reliable and precise way.  Before the bug is triggered the heap must be already prepared in order to contain the or al,0x0C sled which leads to arbitrary code execution.  The or al,0x0C instruction does not affects any critical data which could stop code execution.  The goal is to "slide" the flow of code to its final destination.  Since the shellcode is sitting in multiple chunks in the heap right after the or al,0x0C sled the probability of arbitrary code execution is very high.  Please check the Microsoft XML issue video for more information on this exploitation technique. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 13. WINDBG AFTER THE HEAP SPRAYING EXPLOIT (1)  Here is a screenshot of the most important part of the exploit: ©2013 High-Tech Bridge SA – www.htbridge.com
  • 14. WINDBG AFTER THE HEAP SPRAYING EXPLOIT (2)  The following screenshot shows the state of registers under Windbg after the exploit is executed:  We can clearly observe that instruction pointer register was successfully hijacked. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 15. THE INVOKECONTACT METHOD CASE (1)  As we said on slide 10, finding the way to exploit the SecManageRecipientCertificates method was les complex than the InvokeContact one.  When we run the InvokeContact proof of concept, one would be tempted to conclude that this is just a local denial of service.  However, since the attacker can control the EAX register he could influence the code logic and to enter what seems to be a switch structure.  This means that it would be possible to coerce the code to enter into one of the six available cases, so as to potentially increase our chances of successful exploitation. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 16. THE INVOKECONTACT METHOD CASE (2)  Here is the switch structure containing the six different cases:  In order to go beyond this crash, we need to provide a memory address as a pointer, and from this address plus 4 bytes we supply a dword value who will be the case number in which we would like to enter.  In order to accomplish this task one would need to rely over a previously known address in memory.  If we use a precise heap spraying technique, we can count on the 0xc0c0c0c address. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 17. THE INVOKECONTACT METHOD CASE (3)  After studying the exploitation opportunities that are available to us, we found that at least one of the six cases permits arbitrary code execution.  The following screenshot shows the code instructions when the third case is executed:  Let’s summarize the entire process starting from the injected pointer until code execution is reached. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 18. THE INVOKECONTACT METHOD CASE (4)  We place a breakpoint at the Oleaut32!DispCallFunc function and a second one at the first CALL ECX instruction situated some bytes farther. The second breakpoint is the instruction who calls the method in which we are interested.  After the second break, the code points to the memory address 0x572146b7. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 19. THE INVOKECONTACT METHOD CASE (5)  The code pushes into the stack the improper pointer. At this moment we can observe the reference to the XisDOMAttributeList function.  After the CALL instruction at the address 0x5722D83E, the code continues and pushes again the uninitialized value at the address 0x5722d861 who enters in one more nested function. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 20. THE INVOKECONTACT METHOD CASE (6)  When the code comes into this function the uninitialized pointer is compared to 0. As the pointer’s value is equal to c0c0c0c the conditional jump at address 0x5722D2E8 is not taken.  Later, the untrusted pointer is moved into the EAX register at the address 0x5722D2FE.  At 0x5722D301 address we reach the instruction where the code reads the value of the EAX register plus four bytes. This corresponds to the case in which it will enter. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 21. THE INVOKECONTACT METHOD CASE (7)  In order to push the code to enter into the case three, we sprayed the heap so as to allocate perfect sized and consecutive chunks.  If we take care of the chunks size and the blocks size, we can be pretty sure that the begin of each spray block will be positioned at a predictable address.  Here is the sprayed data starting at the address 0xc0c0c0c:  Consult the document Heap Spraying Demystified under the section Precision Heap Spraying from Corelan for more information. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 22. THE INVOKECONTACT METHOD CASE (8)  Because the heap spray was very precise, the code reads and stores our desired value into the stack at the address 0x5722D304.  This permits us to go beyond the previous crash and enter into the function at the address 0x5722d4b4. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 23. THE INVOKECONTACT METHOD CASE (9)  The untrusted pointer is stored in the stack and will be reused later in order to call another private method from the vftable. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 24. THE INVOKECONTACT METHOD CASE (10)  Later the code dereferences twice the EAX register at the addresses 0x5722D4CA and 0x5722D4D3.  So as to successfully slide the code up to the shellcode, the exploit needs to spray accurately the heap with three pointers:  The shellcode sits right after the 0xc0c0c48 pointer. ©2013 High-Tech Bridge SA – www.htbridge.com
  • 25. THE INVOKECONTACT METHOD CASE (11)  This is therefore the final payload for the exploit: ©2013 High-Tech Bridge SA – www.htbridge.com
  • 26. THE INVOKECONTACT METHOD CASE (12)  Code execution is reached: ©2013 High-Tech Bridge SA – www.htbridge.com
  • 27. References & Links  http://www.youtube.com/watch?v=hNDjRLoN8ug (Exploitation Video)  https://www.htbridge.com/publication/Novell-GroupWise-exploit.rar (password: htbridge)  https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11- heap-spraying demystified/#Heap_Spraying_on_Internet_Explorer_9  http://cwe.mitre.org/data/definitions/822.html  https://www.htbridge.com/vulnerability/  http://en.wikipedia.org/wiki/Novell_GroupWise ©2013 High-Tech Bridge SA – www.htbridge.com
  • 28. Thank you for reading Your questions are always welcome: brian.mariani [at] htbridge.com frederic.bourla [at] htbridge.com ©2013 High-Tech Bridge SA – www.htbridge.com