What Happens In Windows 7 Stays In Windows 7



Similar documents
Introduction. Figure 1 Schema of DarunGrim2

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

Abysssec Research. 1) Advisory information. 2) Vulnerable version

esrever gnireenigne tfosorcim seiranib

Skeletons in Microsoft s Closet - Silently Fixed Vulnerabilities. Andre Protas Steve Manzuik

Reverse Engineering and Computer Security

Software Fingerprinting for Automated Malicious Code Analysis

Microsoft Patch Analysis

(General purpose) Program security. What does it mean for a pgm to be secure? Depends whom you ask. Takes a long time to break its security controls.

A Simpler Way of Finding 0day

Introduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

Attacking the Traveling Salesman Point-of-sale attacks on airline travelers DEFCON 2014

Hotpatching and the Rise of Third-Party Patches

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

PKF Avant Edge. Penetration Testing. Stevie Heong CISSP, CISA, CISM, CGEIT, CCNP

PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES

AppUse - Android Pentest Platform Unified

Custom Penetration Testing

Peach Fuzzer Platform

NWEN405: Security Engineering

Off-by-One exploitation tutorial

Introduction to Reverse Engineering

The Hacker Strategy. Dave Aitel Security Research

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Turning your managed Anti-Virus

A Test Suite for Basic CWE Effectiveness. Paul E. Black.

Windows XP SP3 Registry Handling Buffer Overflow

Testing for Security

Top 10 most interesting SAP vulnerabilities and attacks Alexander Polyakov

Vulnerability Management in Software: Before Patch Tuesday KYMBERLEE PRICE BUGCROWD

Source Code Review Using Static Analysis Tools

ABSTRACT' INTRODUCTION' COMMON'SECURITY'MISTAKES'' Reverse Engineering ios Applications

Mobile Security Framework

Web Application Security

CVE Adobe Flash Player Integer Overflow Vulnerability Analysis

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Course Title: Penetration Testing: Network & Perimeter Testing

For a 64-bit system. I - Presentation Of The Shellcode

0days: How hacking really works. V 1.0 Jan 29, 2005 Dave Aitel dave@immunitysec.com

SYLLABUS MOBILE APPLICATION SECURITY AND PENETRATION TESTING. MASPT at a glance: v1.0 (28/01/2014) 10 highly practical modules

APPLICATION SECURITY RESPONSE: WHEN HACKERS COME A-KNOCKING

Leveraging SANS and NIST to Evaluate New Security Tools

Security within a development lifecycle. Enhancing product security through development process improvement

Secure in 2010? Broken in 2011! Matias Madou, PhD Principal Security Researcher

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Penetration Testing with Kali Linux

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Using Web Security Scanners to Detect Vulnerabilities in Web Services

Reversing Android Malware

5 Steps to Advanced Threat Protection

Securing OS Legacy Systems Alexander Rau

Practical Mac OS X Insecurity. Security Concepts, Problems and Exploits on your Mac

Persist It Using and Abusing Microsoft s Fix It Patches

The Security Development Lifecycle. Steven B. Lipner, CISSP Senior Director Security Engineering Strategy Microsoft Corp.

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph I MCA

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

Vulnerability Assessment for Middleware

Android Security Evaluation Framework

Bruh! Do you even diff? Diffing Microsoft Patches to Find Vulnerabilities

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Will Dormann: Sure. Fuzz testing is a way of testing an application in a way that you want to actually break the program.

Top Ten Web Attacks. Saumil Shah Net-Square. BlackHat Asia 2002, Singapore

Business Objects. Release Notes. Version: Publication: 07/2014. Automic Software GmbH

ArcGIS for Server: Administrative Scripting and Automation

A CISO s Guide to Ethical Hacking

CS 1133, LAB 2: FUNCTIONS AND TESTING

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

REpsych. : psycholigical warfare in reverse engineering. def con 2015 // domas

Application Intrusion Detection

NEW AND IMPROVED: HACKING ORACLE FROM WEB. Sumit sid Siddharth 7Safe Limited UK

Passing PCI Compliance How to Address the Application Security Mandates

Security Testing in Critical Systems

From Rivals to BFF: WAF & VA Unite OWASP The OWASP Foundation

ios Testing Tools David Lindner Director of Mobile and IoT Security

Active Response: Automated Risk Reduction or Manual Action?

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

Cyber Security Management

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 1 Web Application (In)security 1

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Trend Micro Incorporated Research Paper Adding Android and Mac OS X Malware to the APT Toolbox

Information and Communication Technology. Patch Management Policy

Web security. Live hacking demo. Rick van Tol Arthur Donkers Paul van Maaren Eilko Bos.

Fuzzing in Microsoft and FuzzGuru framework

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

WLSI Windows Local Shellcode Injection. Cesar Cerrudo Argeniss (

Harnessing Intelligence from Malware Repositories

Enterprise Historian 3BUF D1 Version 3.2/1 Hot Fix 1 for Patch 4 Release Notes

Transcription:

What Happens In Windows 7 Stays In Windows 7 Moti Joseph & Marion Marschalek Troopers Conference 2014

About Us Joseph Moti Security Researcher Marion Marschalek Malware Analyst 8 7 3 1-7 3 6 4-1 9 3 2-9 6 4 6-3 0 4 0

Agenda Vulnerabilities Automated Vulnerability Search An Approach A Solution as Proof of Concept Demo ;) Whats next? TROOPERS 2014

Intro

Can I haz it?? Got a bug in your software?

Chuck Norris On Security. Vulnerabilities are software mistakes in specification and design, but mostly mistakes in programming. Any large software package will have thousands of mistakes. Once discovered, they can be used to attack systems. This is the point of security patching: eliminating known vulnerabilities. But many systems don't get patched, so the Internet is filled with known, exploitable vulnerabilities. TROOPERS 2014

How to find vulnerabilities? Application Penetration Testing Fuzzing Reverse Engineering Source Code Review Or.. Being more advanced: Tracking software bugs, introducing bugs into software, reversing security patches TROOPERS 2014

Who is interested in finding them? Hackers Software Companies Criminals Governments Media

How much does a 0-day vulnerability cost? TROOPERS 2014

White Market When or why to sell to white market? TROOPERS 2014

BlackMarket Broker? Money? Trust? TROOPERS 2014

What happens when you sell to the black market? TROOPERS 2014

And why automate it? It s faster!! The hacker can break more The software company can fix faster Criminals can make more money Governments can... [SECRET] Media has more to write about TROOPERS 2014

The Approach

What happens in Windows7 stays in Windows7... Win7 Win8 quartz.dll xor eax, eax inc eax shl eax, cl... shl eax, 2 push eax ; cb call ds: imp CoTaskMemAlloc@4 Patch it! quartz.dll lea ecx, [ebp+cb] push ecx push 4 push eax mov [esi], eax call?ulongmult@@ygjkkpak@z test eax, eax... push [ebp+cb] ; cb call ds: imp CoTaskMemAlloc@4 TROOPERS 2014

Counting Function Calls Win7 quartz.lib Win8 quartz.lib

Spot The Patch Win7 quartz.lib Win8 quartz.lib TROOPERS 2014

Intsafe.h & Strsafe.h Searching for security patches: Type Conversion Safe Math Functions Buffer Boundary Checks on Strings Set of 130 Signatures of Safe Functions TROOPERS 2014

Safe Functions UInt8ToInt8 UInt8ToChar ByteToInt8 ByteToChar ShortToInt8 ShortToUChar ShortToChar UShortToUInt8 UShortToShort IntToInt8 IntToUChar IntToChar UInt8Add UShortAdd UIntAdd ULongAdd SizeTAdd ULongLongAdd UInt8Sub UShortSub UIntSub ULongSub SizeTSub ULongLongSub StringCbGets StringCbGetsEx StringCbLength StringCbPrintf StringCbPrintfEx StringCbVPrintf StringCbVPrintfEx StringCchCat StringCchCatEx StringCchCatN StringCchCatNEx StringCchCopy... and many many more... TROOPERS 2014

The Approach Windows Library Decompilation or Disassembly Flexible. Extendible. Awesome. Parsing to DB Diffing Library with New Version Checking for Vulnerability TROOPERS 2014

The Solution

Pretty, eh??

Getting the.c Library Conversion using IDA Pro means:.dll ->.idb ->.c TROOPERS 2014

Library Parsing DiffRay on https://github.com/pinkflawd/diffray Parses a library / directory of libraries Manages libraries, functions and signature hits Diff libraries functionwise Based on library ID or library name pattern TROOPERS 2014

The Database MSSql or SQLite TROOPERS 2014

Diff it! Compare libraries on a function basis Extract hits per function per signature 1611-1610-9232-2136-5206 TROOPERS 2014

DiffRay HowTo: Configuration signatures.conf whatever symbols you re searching for sig_mappings.conf mappings for signatures logger.conf logging output and formatting, details to be found at http://docs.python.org/2/howto/logging.html mssql.conf MSSql access credentials TROOPERS 2014

DiffRay HowTo: CMD Parsing Maintenance: python [dir]\src\main.py --create-scheme --update-sigs python [dir]\src\main.py --parse [library_path] --os [Win7 Win8] --type [C LST] python [dir]\src\main.py --dirparse [directory_path] --os [Win7 Win8] --type [C LST] python [dir]\src\main.py --flushall Switches: --backend [mssql sqlite] --no-flush TROOPERS 2014

DiffRay HowTo: CMD Diffing Info Output & Diffing: python [dir]\src\main.py -search_libs [libname_pattern] python [dir]\src\main.py -lib_all_info [lib_id] python [dir]\src\main.py -diff --lib_1 [win7lib] --lib_2 [win8lib] python [dir]\src\main.py -diff_byname [libname_pattern] TROOPERS 2014

WELCO ME to ze FUTURE

DEMO TIME

Findings

Windows 7 (ULongAdd) bcrypt.dll!convertrsaprivateblobtofullrsa

Windows 8 bcrypt.dll!convertrsaprivateblobtofullrsa

Windows 8 (ULongAdd) netlogon.dll! NlpAddResourceGroupsToSamInfo 7248-8111-6932-1904-2648

Windows 7 netlogon.dll! NlpAddResourceGroupsToSamInfo

Windows 8 /ULongLongToUint twext.dll! EscapeField

Windows 7 Integer overflow twext.dll! EscapeField

Drrrivers...

Windows 8 cng.dll! ConvertRsaPrivateBlogToFullRsa

Windows 7 cng.dll! ConvertRsaPrivateBlogToFullRsa

Windows 8 ksecdd.dll! SspiCopyAuthIdentity

Windows 7 ksecdd.dll! SspiCopyAuthIdentity

Windows 8 srvnet.dll! SrvNetAllocatePoolWithTagPriority

Windows 7 srvnet.dll! SrvNetAllocatePoolWithTagPriority

Triggerable? Or not triggerable?

Windows 7 cryptdlg!decodeattrsequence

Windows 8 cryptdlg!decodeattrsequence

What s CryptDll.dll?? TROOPERS 2014

StringCchLength TROOPERS 2014

CryptDecodeObject API TROOPERS 2014

Certificate DialogBox TROOPERS 2014

What s Next

Whats Next Possible Extensions Win8, we re coming!! Extended signatures Symbolic Execution FTW Improvements Transparent DB library Known issues Duplicate hits, false positives, slooow, output is not handy TROOPERS 2014

Happy Diffing.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information