Positive Hack Days. Tarakanov. Master class: vulnerabilities...
DESCRIPTION
The master class will cover the following topics: common vulnerabilities in client software - stack overflow, heap overflow, use-after-free, etc.; basic exploitation methods (using Windows XP as the example), DEP bypass; advanced exploitation methods (using Windows 7 as the example), DEP+ASLR bypass; binary analysis of security fixes (using Microsoft's "Patch Tuesday" as the example).
TRANSCRIPT
Master class: zero-day vulnerabilities
Никита Тараканов CISS RT
Vulnerability types
• Stack-based buffer overflow
• Heap/Pool overflow
• Integer overflow/underflow/wrap
• Various memory corruptions
• Use-after-free
• Double free
Stack-based buffer overflow
• Smashing data on the stack
• EIP control, and not only EIP: (ebp) – off-by-one
• 1st surprise – Morris's worm (1988)
• A lot of such vulns in the 1990s
Stack-based buffer overflow: first steps to security
• Non-executable stack (PaX first)
Stack-based buffer overflow: researchers' answer
• Ret2libc technique
Stack-based buffer overflow: next defense enhancements
• Stack cookie aka canary dword (/GS cl.exe flag)
• Before ret(n) from the function, check the canary against the value on the stack
• Equality – normal control flow
• Inequality – TerminateProcess()
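An added example, not from the talk, that simulates the cookie check this slide describes. The x86 frame is modelled as a plain byte array (a hypothetical layout: 16-byte local buffer, then the cookie, saved EBP and the return address), so the overflow stays inside defined behaviour; the cookie value, EBP and return address are constructed, and the function names are the example's own rather than the CRT's.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame layout (hypothetical, lowest address first):
 *   [ 0..15]  char buf[16]     local buffer
 *   [16..19]  security cookie  the /GS canary dword
 *   [20..23]  saved EBP
 *   [24..27]  return address
 */
#define FRAME_SIZE 28
#define BUF_LEN    16
#define COOKIE_OFF 16
#define EBP_OFF    20
#define RET_OFF    24

enum frame_status { FRAME_OK = 0, FRAME_CORRUPT = 1 };

/* Constructed values; a real /GS cookie is a per-process random value. */
static const uint32_t g_security_cookie = 0xBB40E64Eu;
static const uint32_t g_orig_ret        = 0x00401234u;

/* Prologue: place the cookie between the local buffer and the saved EBP. */
void frame_prologue(uint8_t *frame) {
    uint32_t ebp = 0x0012FF80u; /* constructed */
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + COOKIE_OFF, &g_security_cookie, sizeof g_security_cookie);
    memcpy(frame + EBP_OFF, &ebp, sizeof ebp);
    memcpy(frame + RET_OFF, &g_orig_ret, sizeof g_orig_ret);
}

/* The vulnerable pattern: copies n bytes into buf[16] without checking n against
 * BUF_LEN. The clamp only keeps the simulation array in bounds; it is not a fix. */
void unsafe_copy(uint8_t *frame, const uint8_t *src, size_t n) {
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(frame, src, n);
}

/* Epilogue: compare the cookie on the stack with the expected value before ret. */
enum frame_status frame_epilogue_check(const uint8_t *frame) {
    uint32_t cookie;
    memcpy(&cookie, frame + COOKIE_OFF, sizeof cookie);
    return cookie == g_security_cookie ? FRAME_OK : FRAME_CORRUPT;
}

uint32_t frame_return_address(const uint8_t *frame) {
    uint32_t ret;
    memcpy(&ret, frame + RET_OFF, sizeof ret);
    return ret;
}

/* Copy input_len bytes of 'A' into the frame; report the epilogue verdict and
 * the return address that would have been used had the check not run. */
enum frame_status run_scenario(size_t input_len, uint32_t *ret_out) {
    uint8_t frame[FRAME_SIZE];
    uint8_t input[FRAME_SIZE];
    memset(input, 'A', sizeof input);
    frame_prologue(frame);
    unsafe_copy(frame, input, input_len);
    if (ret_out) *ret_out = frame_return_address(frame);
    return frame_epilogue_check(frame);
}

uint32_t ret_after(size_t input_len) {
    uint32_t ret;
    run_scenario(input_len, &ret);
    return ret;
}

int main(void) {
    size_t lens[] = {8, 16, 17, 28};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint32_t ret;
        enum frame_status st = run_scenario(lens[i], &ret);
        printf("input %2zu bytes: cookie %s, return address 0x%08" PRIX32 "%s\n",
               lens[i], st == FRAME_OK ? "intact " : "corrupt", ret,
               ret != g_orig_ret ? " (overwritten)" : "");
    }
    return 0;
}
```

Sixteen bytes fit and the cookie stays intact; a single extra byte already changes the cookie, so the epilogue terminates the process before the corrupted return address at offset 24 is ever used. The check runs only on the return path, which is the point of the next slide: an overwritten exception handler that fires before the function returns never reaches the cookie comparison.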
Stack-based buffer overflow: researchers' answer
• /GS doesn't set the cookie sometimes (ANI sploit)
• SEH chain overwriting – overwrite the exception handler and trigger an exception
Next Security Enhancement – DEP
• Introduced in Windows XP SP2
• Kill the process if EIP is in a non-executable memory area
• First realization has two modes: software (emulation), hardware (NX bit)
Avoiding DEP
• Non-permanent DEP – disable it by ret2libc
• Permanent DEP – main idea is to create an RWX section and jump there
• Tricky (not the true way) methods: ActionScript ByteCode Spraying, .NET, Java
• ROP – actually not new, just an upgrade of ret2libc: malloc(RWX), memcpy(shellcode), jmp to shellcode
Next Security Enhancement - ASLR
• After DEP was successfully hacked, it's clear that DEP doesn't actually help security
• ASLR – at each boot, randomize the base address of each* module
• But, to enable it, you should compile with that compiler key
• Reduces successful exploitation to 1/256 (first realization); the next realization got better entropy
ASLR+DEP
• So how to write a reliable exploit???
• Tricky (not the true way) – just find a non-ASLR module (JRE, mscoree.dll and lots more…)
• True way – just use another vulnerability (memory leak)
• Not over yet!!! – just avoid everything – LoadLibrary vulns (aka Binary Planting)
ASLR+DEP Avoiding examples
• CVE-2010-3654 FlashPlayer ActionScript Type Confusion
• Integer overflow in WebGLArray (Chrome)
• libxslt generate-id heap chunk address leak
• Not over yet!!! – just avoid everything – LoadLibrary vulns (aka Binary Planting)
Tuesday Patch Day – The Art of Binary Diffing
• DarunGrim
• turbodiff
• patchdiff
• BinDiff
Example: ms11-002
• Integer overflow somewhere….
• Unknown impact???