2. About:me
OSCP, C|HFI, CISSP, CPTS, MCP
Senior IT security consultant @ Deloitte Hungary
Proud member of the gula.sh team
zbalazs@deloittece.com
https://hu.linkedin.com/in/zbalazs
Twitter – zh4ck
3. What’s next?
Evolution of memory corruption attack & defense
Stack based buffer overflows
Stack canary
Structured Exception Handling
DEP
ASLR
Advanced mitigation
4. Scope of this presentation
Focus on memory corruption
Not Java vulnerabilities
Focus on Windows
Last 15 years Windows was the biggest target for memory corruption exploits
High level overview only
No details like Assembly
Mostly stack overflow vulnerability
No heap overflow
No format string
No null pointer dereference
No integer overflow (just a little bit)
No use after free
5. Why you should care about exploits?
If you are a company outside of
China (or place your favourite
enemy here)
You are a target for intellectual
property stealing
6. Why you should care about exploits?
If you are a company outside of
China (or place your favourite
enemy here)
You are a target for intellectual
property stealing
Your intellectual property will be
stolen
social engineering
software exploits
7. Why you should care about exploits?
If you are a company outside of
China (or place your favourite
enemy here)
You are a target for intellectual
property stealing
Your intellectual property will be
stolen
social engineering
software exploits
You will find your product on the
local Chinese market
half the price
8. Why you should care about exploits?
If you are a military team working
for the Chinese (or other)
government
To steal intellectual property
Your C&C server will be
hacked through memory
corruption vulnerability
9. Why you should care about exploits?
If you are a military team working
for the Chinese (or other)
government
To steal intellectual property
Your C&C server will be
hacked through memory
corruption vulnerability
Your „projects” will be revealed
by hackers from Luxembourg
10. Why you should care about exploits?
If you are a plain user surfing the
web
You might be hacked through
memory corruption vulnerability (or
Java)
11. Why you should care about exploits?
If you are a plain user surfing the
web
You might be hacked through
memory corruption vulnerability (or
Java)
Credit card stolen, internet bank
hacked
12. Why you should care?
If you are a plain user surfing the
web
You might be hacked through
memory corruption vulnerability (or
Java)
Credit card stolen, internet bank
hacked
Identity stolen
13. Why you should care about exploits?
If you are a plain user surfing the
web
You might be hacked through
memory corruption vulnerability (or
Java)
Credit card stolen, internet bank
hacked
Identity stolen
Facebook wall spammed
17. Function calls
0x00000000
...
ESP - top of stack
Saved EIP
ptr to argv[1]
....
0xFFFFFFFF
EIP - extended instruction pointer
ESP - extended stack pointer
Overwrite this
for PROFIT
18. Function calls
0x00000000
...
ESP - top of stack
Saved EBP
Saved EIP
ptr to argv[1]
....
0xFFFFFFFF
EIP - extended instruction pointer
ESP - extended stack pointer
EBP - extended base pointer
Overwrite this
for PROFIT
19. Function calls
0x00000000
...
ESP - top of stack
Space for buffer
EBP - frame pointer
Saved EBP
Saved EIP
ptr to argv[1]
....
0xFFFFFFFF
EIP - extended instruction pointer
ESP - extended stack pointer
EBP - extended base pointer
Overwrite this
for PROFIT
20. Function calls
0x00000000
...
ESP - top of stack
EBP - frame pointer
AAAA
AAAA
...
AAAA
Saved EBP
Strcpy
writes
this
way
Saved EIP
ptr to argv[1]
....
0xFFFFFFFF
EIP - extended instruction pointer
ESP - extended stack pointer
EBP - extended base pointer
Overwrite this
for PROFIT
21.
22. Stack based buffer overflow vulnerability
„Stack overflow happens when the user can put more data on the allocated
stack, than available”
If more data is put on the stack (stack overflow) ...
magic will happen
Buffer overflow
Stack based buffer overflow
Heap based buffer overflow
23. Stack overflow
0x00000000
...
ESP - top of stack
EBP - frame pointer
AAAA
AAAA
...
AAAA
Saved EBP
Strcpy
writes
this
way
Saved EIP
ptr to argv[1]
....
0xFFFFFFFF
EIP - extended instruction pointer
ESP - extended stack pointer
EBP - extended base pointer
Overwrite this
for PROFIT
24. Stack overflow
0x00000000
...
ESP - top of stack
EBP - frame pointer
AAAA
AAAA
...
AAAA
Saved EBP AAAA
Strcpy
writes
this
way
Saved EIP
ptr to argv[1]
....
0xFFFFFFFF
EIP - extended instruction pointer
ESP - extended stack pointer
EBP - extended base pointer
Overwrite this
for PROFIT
25. Stack overflow
0x00000000
...
ESP - top of stack
EBP - frame pointer
AAAA
AAAA
...
AAAA
Saved EBP AAAA
Strcpy
writes
this
way
Saved EIP AAAA
ptr to argv[1]
....
0xFFFFFFFF
EIP - extended instruction pointer
ESP - extended stack pointer
EBP - extended base pointer
Overwrite this
for PROFIT
26. Stack overflow
0x00000000
...
ESP - top of stack
EBP - frame pointer
AAAA
AAAA
...
AAAA
Saved EBP AAAA
Strcpy
writes
this
way
Saved EIP AAAA
ptr to argv[1] AAAA
....
0xFFFFFFFF
EIP - extended instruction pointer
ESP - extended stack pointer
EBP - extended base pointer
Overwrite this
for PROFIT
27.
28. Quiz for Hacker Pschorr
Which team created
the first Linux kernel patch
to protect against stack
overflows?
***
29. Quiz for Hacker Pschorr
Which team created
the first Linux kernel patch
to protect against stack
overflows?
PaX team in 2000
30. Stack overflow history
1972 – Computer Security Technology Planning Study
1988 – Morris worm
1996 – Smashing the Stack for Fun and Profit (Aleph One)
2000 – NSA – SELinux open sourced
2000 – PaX Team
2003 – SELinux merged into mainline Linux Kernel
2004 – Egghunters - against small buffers
31. Shellcode
The attacker code what the attacker wants to execute
The instructions given by Alice to the rabbit
32. Mitigation techniques
All of the following mitigation techniques are used against every
memory corruption vulnerabilities
Not just against stack overflow
33. Stack canary/cookie
0x00000000
...
ESP - top of stack
EBP - frame pointer
Random cookie
AAAA
AAAA
...
AAAA
27384AB4CD457
Strcpy
writes
this
way
Saved EBP
Saved EIP
ptr to argv[1]
....
0xFFFFFFFF
EIP - extended instruction pointer
ESP - extended stack pointer
EBP - extended base pointer
Overwrite this
for PROFIT
34. Stack canary/cookie
0x00000000
...
ESP - top of stack
EBP - frame pointer
Random cookie
AAAA
AAAA
...
AAAA
27384AB4CD457 AAAA
Strcpy
writes
this
way
Saved EBP AAAA
Saved EIP AAAA
ptr to argv[1] AAAA
....
0xFFFFFFFF
EIP - extended instruction pointer
ESP - extended stack pointer
EBP - extended base pointer
Overwrite this
for PROFIT
37. Stack canary/cookie bypass
Method 1: Replace cookie on stack and in .data
temper the sensor in way where water does not trigger an alarm
Method 2: Not protected buffer (no string buffer)
use a pot which is not equipped with alarm system
Method 3: Guess/calculate the cookie
Static cookie
Method 4: Overwriting stack data in functions up the stack, switch case
38. Structured Exception Handling exploit
In reality, traditional stack overflow
exploits are sometimes
not possible
No EIP overwrite
No jump
Stack cookies
way too complicated to trigger
39. Structured Exception Handling exploit
In reality, traditional stack overflow
exploits are sometimes
not possible
No EIP overwrite
No jump
Stack cookies
Stack cookie not checked at exception
handling
way too complicated to trigger
40. SEH exploit – three step to profit
Step 1. overwriting first element in the exception-handling chain
Step 2. because of the overflow, the exception-handling is triggered
Step 3. via exception handling, return to the malicious shellcode (PROFIT)
41. SEH exploit metaphor
If chaos occurs
disaster recovery process to handle the chaos
Alice can rewrite the address, where the rabbit can find the disaster
recovery process manual
42. SEH exploit mitigation
SafeSEH
table which specifies for the operating system about valid exception handlers
only a limited set of addresses where the disaster recovery manual can be found
Alice can not change those
SEHop
OS performs SEH chain validation
breaks SEH overwrite exploitation techniques
Stamp from the queen on the addressess where the disaster recovery manual can be
found
43. DEP
DEP - Data Execution Prevention – Windows (OS level)
Protection: mark the stack as non executable
PageExec, W^X, NX, XD
44.
45. PageExec, W^X, NX, XD, DEP
NX - Never Execute – AMD (CPU level)
XD - eXecution Disabled – Intel (CPU level)
W^X - Write XOR Execute – OpenBSD, OS X (OS level)
Non-Executable Memory – Linux (OS level)
Windows
If CPU NX/XD enabled/supported
HW DEP == Real DEP
If CPU NX/XD disabled/not supported
Software DEP == SafeSEH !!!
DEP modes
Always off
OptIn
OptOut
Always On
46. PageExec, W^X, NX, XD, DEP
1997 - Openwall – Solar designer
2000 - PaX Team PageExec
2002 - Exec shield (Ingó Molnár)
2003 - OpenBSD
2004 - Linux (Ingó Molnár)
2004 - Windows XP SP2
2006 - OS X
47. PageExec, W^X, NX, XD, DEP bypass
Method 1: Return oriented Programming (ROP)
Roots from Solar Designer (return-into-libc) - 1997
48. PageExec, W^X, NX, XD, DEP bypass
Method 2: Mark the stack part as executable
Alice can override the command, that her handwritten orders can not be executed
Does not work on protection „always on”
Method 3: Disable the protection for the process
Does not work on protection „always on”
Method 4: Copy shellcode to executable area
Exeucatable area usually read only
Allocate new memory with read – write - executable support (virtualalloc)
If attacking browser
JavaScript heap spraying
Other magic here
49. ASLR metaphor
ASLR = Address Space Layout Randomization
Changing the addressess of the memory layout every time
Changing the street names, house numbers every time
Alice can only go to a house
she won’t know what will be the address at the time when the rabbit arrives
50. ASLR
1997 - Memco
2001 - PaX Team (RandExec/RandMmap/RandUStack/RandKStack)
2005 - OpenBSD
2005 - Linux – first implementation weak
2007 - Windows
2007 - OS X
2011 - Android
51. ASLR bypass
2007 – MS07–017 ANI exploit – Alex Sotirov
Method 1: overwrite the first two bytes of EIP (low bytes)
High bytes are random - we need that info, so won’t change it
Low bytes are modified to point to piece of code useful for attacker
Alice case: we specify return address like „4 house to the left, next to the original”
Method 2: Low entropy in random – brute force
Catch all exception block is usually needed
You never write try{ code_her } catch (Every exception) { Do nothing }
do you?
ASLR on 32 bit OS is 14m3
ASLR on 64 bit OS is 1337 (High Entropy ASLR on Win8)
52. ASLR bypass ...
Method 2: Low entropy in random – brute force
Alice can give 1000 addresses to the rabbit
Rabbit will look for Alice in 1000 house
Finally the rabbit can find Alice
Alice can give him the malicious instructions
PROFIT
53. ASLR bypass …
Method 3: ASLR not enforced
Java 6 (static) used in Adobe Flash exploit
Java 7 ASLR
There are still some static street names, house numbers in eXploitland, that never
change
Method 4: address space information disclosure
Alice can ask an inhabitant in eXploitland
what the street name and house address will be of the house where Alice is when the rabbit
arrives
57. ASLR + DEP bypass
Metasploit windows/browser/ms13_037_svg_dashstyle demo
Scenario 1.
Disable ASLR, exploit fixed addresses
Scenario 2.
Enable ASLR, exploit is not working
Scenario 3.
Java 1.6 ROP with non-ASLR module works
Scenario 4.
ASLR with original information leak exploit
Scenario 5.
EMET heapspray only blocks exploit
58. What to do if I’m a user?
Remove Java
If you use Windows
Upgrade to latest OS
Use latest browser (Chrome/IE)
If can’t upgrade, use EMET
If you use Linux
Upgrade to latest OS
Use latest browser (Chrome)
If you use OS X
Upgrade to latest OS
Use latest browser (Safari/Chrome)
Upgrade your software
59. What to do if I’m a CISO?
Remove Java
At least in the browsers used for Internet browsing
If you use Windows
Upgrade to latest OS
If can’t upgrade, use EMET from GPO (Group policy)
Install Microsoft and 3rd party patches
60. What to do if I’m a developer?
Remove Java
At least in the browsers used for Internet browsing
Learn secure application development
Use switchers in Visual Studio
/GS (VS 2002)
/SafeSEH (VS 2003)
/DynamicBase (VS 2005)
/NXCompat (VS 2005)
/HIGHENTROPYVA (VS 2012)
#define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES 1 (VS 2005)
BinScope
61. What to do if I’m working for the Chinese
government running vulnerable Poison Ivy servers?
Develop your own backdoor client/server
For details see previous slide
Until it is finished use EMET
62. Lessons learned
Always use ASLR (Always on, 64 bit) + DEP (Always On) together
+ EMET for additional protection
Number of working IE9 (2011 March) exploits in Metasploit
With Java 6 – 1
Without Java 6 – 1
Number of working IE10 exploits in Metasploit
0
Number of Java7 (2011 July) exploits in Metasploit
16
Price for zero day memory corruption exploit
getting higher and higher