Alice in exploitland Attack & defense evolution. Zoltán Balázs Hacktivity 2013

Transcription

1 Alice in exploitland Attack & defense evolution Zoltán Balázs Hacktivity 2013

2 About:me OSCP, C HFI, CISSP, CPTS, MCP Senior IT security Deloitte Hungary Proud member of the gula.sh team zbalazs@deloittece.com Twitter zh4ck

3 What s next? Evolution of memory corruption attack & defense Stack based buffer overflows Stack canary Structured Exception Handling DEP ASLR Advanced mitigation

4 Scope of this presentation Focus on memory corruption Not Java vulnerabilities Focus on Windows Last 15 years Windows was the biggest target for memory corruption exploits High level overview only No details like Assembly Mostly stack overflow vulnerability No heap overflow No format string No null pointer dereference No integer overflow (just a little bit) No use after free

5 Why you should care about exploits? If you are a company outside of China (or place your favourite enemy here) You are a target for intellectual property stealing

6 Why you should care about exploits? If you are a company outside of China (or place your favourite enemy here) You are a target for intellectual property stealing Your intellectual property will be stolen social engineering software exploits

7 Why you should care about exploits? If you are a company outside of China (or place your favourite enemy here) You are a target for intellectual property stealing Your intellectual property will be stolen social engineering software exploits You will find your product on the local Chinese market half the price

8 Why you should care about exploits? If you are a military team working for the Chinese (or other) government To steal intellectual property Your C&C server will be hacked through memory corruption vulnerability

9 Why you should care about exploits? If you are a military team working for the Chinese (or other) government To steal intellectual property Your C&C server will be hacked through memory corruption vulnerability Your projects will be revealed by hackers from Luxembourg

10 Why you should care about exploits? If you are a plain user surfing the web You might be hacked through memory corruption vulnerability (or Java)

11 Why you should care about exploits? If you are a plain user surfing the web You might be hacked through memory corruption vulnerability (or Java) Credit card stolen, internet bank hacked

12 Why you should care? If you are a plain user surfing the web You might be hacked through memory corruption vulnerability (or Java) Credit card stolen, internet bank hacked Identity stolen

13 Why you should care about exploits? If you are a plain user surfing the web You might be hacked through memory corruption vulnerability (or Java) Credit card stolen, internet bank hacked Identity stolen Facebook wall spammed

14 Function calls void SayHello(char* userinput) { char buffer[100]; } strcpy(buffer, userinput); printf( Hello %s\n", buffer); int main() { SayHello(argv[1]); return 0; }

15 Function calls 0x New stack frame ESP - top of stack... 0xFFFFFFFF ESP - extended stack pointer

16 Function calls 0x ESP - top of stack ptr to argv[1]... 0xFFFFFFFF ESP - extended stack pointer

17 Function calls 0x ESP - top of stack Saved EIP ptr to argv[1]... 0xFFFFFFFF EIP - extended instruction pointer ESP - extended stack pointer Overwrite this for PROFIT

18 Function calls 0x ESP - top of stack Saved EBP Saved EIP ptr to argv[1]... 0xFFFFFFFF EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer Overwrite this for PROFIT

19 Function calls ESP - top of stack 0x Space for buffer EBP - frame pointer Saved EBP Saved EIP ptr to argv[1]... 0xFFFFFFFF EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer Overwrite this for PROFIT

20 Function calls ESP - top of stack 0x EBP - frame pointer AAAA AAAA... AAAA Saved EBP Saved EIP ptr to argv[1]... 0xFFFFFFFF Strcpy writes this way EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer Overwrite this for PROFIT

21

22 Stack based buffer overflow vulnerability Stack overflow happens when the user can put more data on the allocated stack, than available If more data is put on the stack (stack overflow)... magic will happen Buffer overflow Stack based buffer overflow Heap based buffer overflow

23 Stack overflow ESP - top of stack 0x EBP - frame pointer AAAA AAAA... AAAA Saved EBP Saved EIP ptr to argv[1]... 0xFFFFFFFF Strcpy writes this way EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer Overwrite this for PROFIT

24 Stack overflow ESP - top of stack 0x EBP - frame pointer AAAA AAAA... AAAA Saved EBP AAAA Saved EIP ptr to argv[1]... 0xFFFFFFFF Strcpy writes this way EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer Overwrite this for PROFIT

25 Stack overflow ESP - top of stack 0x EBP - frame pointer AAAA AAAA... AAAA Saved EBP AAAA Saved EIP AAAA ptr to argv[1]... 0xFFFFFFFF Strcpy writes this way EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer Overwrite this for PROFIT

26 Stack overflow ESP - top of stack 0x EBP - frame pointer AAAA AAAA... AAAA Saved EBP AAAA Saved EIP AAAA ptr to argv[1] AAAA... 0xFFFFFFFF Strcpy writes this way EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer Overwrite this for PROFIT

27

28 Quiz for Hacker Pschorr Which team created the first Linux kernel patch to protect against stack overflows? ***

29 Quiz for Hacker Pschorr Which team created the first Linux kernel patch to protect against stack overflows? PaX team in 2000

30 Stack overflow history 1972 Computer Security Technology Planning Study 1988 Morris worm 1996 Smashing the Stack for Fun and Profit (Aleph One) 2000 NSA SELinux open sourced 2000 PaX Team 2003 SELinux merged into mainline Linux Kernel 2004 Egghunters - against small buffers

31 Shellcode The attacker code what the attacker wants to execute The instructions given by Alice to the rabbit

32 Mitigation techniques All of the following mitigation techniques are used against every memory corruption vulnerabilities Not just against stack overflow

33 Stack canary/cookie ESP - top of stack 0x EBP - frame pointer AAAA AAAA... AAAA Strcpy writes Random cookie 27384AB4CD457 way Saved EBP Saved EIP ptr to argv[1]... 0xFFFFFFFF EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer this Overwrite this for PROFIT

34 Stack canary/cookie ESP - top of stack 0x EBP - frame pointer AAAA AAAA... AAAA Strcpy writes Random cookie 27384AB4CD457 AAAA way Saved EBP AAAA Saved EIP AAAA ptr to argv[1] AAAA... 0xFFFFFFFF EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer this Overwrite this for PROFIT

35

36 Stack canary/cookie history (/GS) Linux (GCC) MS (Visual Studio)

37 Stack canary/cookie bypass Method 1: Replace cookie on stack and in.data temper the sensor in way where water does not trigger an alarm Method 2: Not protected buffer (no string buffer) use a pot which is not equipped with alarm system Method 3: Guess/calculate the cookie Static cookie Method 4: Overwriting stack data in functions up the stack, switch case

38 Structured Exception Handling exploit In reality, traditional stack overflow exploits are sometimes not possible No EIP overwrite No jump Stack cookies way too complicated to trigger

39 Structured Exception Handling exploit In reality, traditional stack overflow exploits are sometimes not possible No EIP overwrite No jump Stack cookies Stack cookie not checked at exception handling way too complicated to trigger

40 SEH exploit three step to profit Step 1. overwriting first element in the exception-handling chain Step 2. because of the overflow, the exception-handling is triggered Step 3. via exception handling, return to the malicious shellcode (PROFIT)

41 SEH exploit metaphor If chaos occurs disaster recovery process to handle the chaos Alice can rewrite the address, where the rabbit can find the disaster recovery process manual

42 SEH exploit mitigation SafeSEH table which specifies for the operating system about valid exception handlers only a limited set of addresses where the disaster recovery manual can be found Alice can not change those SEHop OS performs SEH chain validation breaks SEH overwrite exploitation techniques Stamp from the queen on the addressess where the disaster recovery manual can be found

43 DEP DEP - Data Execution Prevention Windows (OS level) Protection: mark the stack as non executable PageExec, W^X, NX, XD

44

45 PageExec, W^X, NX, XD, DEP NX - Never Execute AMD (CPU level) XD - execution Disabled Intel (CPU level) W^X - Write XOR Execute OpenBSD, OS X (OS level) Non-Executable Memory Linux (OS level) Windows If CPU NX/XD enabled/supported HW DEP == Real DEP If CPU NX/XD disabled/not supported Software DEP == SafeSEH!!! DEP modes Always off OptIn OptOut Always On

46 PageExec, W^X, NX, XD, DEP Openwall Solar designer PaX Team PageExec Exec shield (Ingó Molnár) OpenBSD Linux (Ingó Molnár) Windows XP SP OS X

47 PageExec, W^X, NX, XD, DEP bypass Method 1: Return oriented Programming (ROP) Roots from Solar Designer (return-into-libc)

48 PageExec, W^X, NX, XD, DEP bypass Method 2: Mark the stack part as executable Alice can override the command, that her handwritten orders can not be executed Does not work on protection always on Method 3: Disable the protection for the process Does not work on protection always on Method 4: Copy shellcode to executable area Exeucatable area usually read only Allocate new memory with read write - executable support (virtualalloc) If attacking browser JavaScript heap spraying Other magic here

49 ASLR metaphor ASLR = Address Space Layout Randomization Changing the addressess of the memory layout every time Changing the street names, house numbers every time Alice can only go to a house she won t know what will be the address at the time when the rabbit arrives

50 ASLR Memco PaX Team (RandExec/RandMmap/RandUStack/RandKStack) OpenBSD Linux first implementation weak Windows OS X Android

51 ASLR bypass 2007 MS ANI exploit Alex Sotirov Method 1: overwrite the first two bytes of EIP (low bytes) High bytes are random - we need that info, so won t change it Low bytes are modified to point to piece of code useful for attacker Alice case: we specify return address like 4 house to the left, next to the original Method 2: Low entropy in random brute force Catch all exception block is usually needed You never write try{ code_her } catch (Every exception) { Do nothing } do you? ASLR on 32 bit OS is 14m3 ASLR on 64 bit OS is 1337 (High Entropy ASLR on Win8)

52 ASLR bypass... Method 2: Low entropy in random brute force Alice can give 1000 addresses to the rabbit Rabbit will look for Alice in 1000 house Finally the rabbit can find Alice Alice can give him the malicious instructions PROFIT

53 ASLR bypass Method 3: ASLR not enforced Java 6 (static) used in Adobe Flash exploit Java 7 ASLR There are still some static street names, house numbers in exploitland, that never change Method 4: address space information disclosure Alice can ask an inhabitant in exploitland what the street name and house address will be of the house where Alice is when the rabbit arrives

54 EMET

55 Exploiting stack overflow in 2003 on Windows Collect three gems

56 Exploiting stack overflow in 2013 with ASLR + DEP You have 3 ammo left

57 ASLR + DEP bypass Metasploit windows/browser/ms13_037_svg_dashstyle demo Scenario 1. Disable ASLR, exploit fixed addresses Scenario 2. Enable ASLR, exploit is not working Scenario 3. Java 1.6 ROP with non-aslr module works Scenario 4. ASLR with original information leak exploit Scenario 5. EMET heapspray only blocks exploit

58 What to do if I m a user? Remove Java If you use Windows Upgrade to latest OS Use latest browser (Chrome/IE) If can t upgrade, use EMET If you use Linux Upgrade to latest OS Use latest browser (Chrome) If you use OS X Upgrade to latest OS Use latest browser (Safari/Chrome) Upgrade your software

59 What to do if I m a CISO? Remove Java At least in the browsers used for Internet browsing If you use Windows Upgrade to latest OS If can t upgrade, use EMET from GPO (Group policy) Install Microsoft and 3rd party patches

60 What to do if I m a developer? Remove Java At least in the browsers used for Internet browsing Learn secure application development Use switchers in Visual Studio /GS (VS 2002) /SafeSEH (VS 2003) /DynamicBase (VS 2005) /NXCompat (VS 2005) /HIGHENTROPYVA (VS 2012) #define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES 1 (VS 2005) BinScope

61 What to do if I m working for the Chinese government running vulnerable Poison Ivy servers? Develop your own backdoor client/server For details see previous slide Until it is finished use EMET

62 Lessons learned Always use ASLR (Always on, 64 bit) + DEP (Always On) together + EMET for additional protection Number of working IE9 (2011 March) exploits in Metasploit With Java 6 1 Without Java 6 1 Number of working IE10 exploits in Metasploit 0 Number of Java7 (2011 July) exploits in Metasploit 16 Price for zero day memory corruption exploit getting higher and higher