nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code

Reversing Microsoft Patches to reveal Vulnerable codeHarsimranWaliahttp://null.co.in/http://nullcon.net/

http://null.co.in/http://nullcon.net/IntroductionFinding a 0day vulnerability Vulnerability reaches the vendorVendor finds a fixReleases a patch to fix the vulnerabilityMicrosoft patchesReverse engineer the patchLocate the vulnerability patchedHighlight the difficultiesBirth of a security patchDiscussion in the presentation

For reversing and obtaining binary difference in my demos I would be using DarunGrim2 How DarunGrim works?The schema of DarunGrim is shown in the figureTo generate diffing resultsBinaries are disassembled in IDA Pro in the background and darungrim IDA plugin is run which creates the sqlite databaseDiffing Engine, the heart of DarunGrim2. The sqlite db from IDA and the binaries from GUI are fed into this engine as inputs http://null.co.in/http://nullcon.net/Introduction

Algorithm ?Main algorithm of DarunGrim is Basic block fingerprint hash mapEach basic block is 1 entity whose fingerprint is generated from the instruction sequenceFingerprint hash generated by IDA ProTwo fingerprint hash tables one each for unpatched and patched binaryFor finding the binary difference, each unique fingerprint from original binary is searched against the fingerprints of patched binary for a matchAll fingerprints in the original binary hash tables are either matched or unmatchedhttp://null.co.in/http://nullcon.net/Introduction

Algorithm ? Contd..For a function to be called matching, all the basic blocks in the function should be matchingFor unmatched functions DarunGrim calculates percentage matchMatch rate based on fingerprint string matchSimilar to GNU Diff algorithm which is finding longest common subsequencehttp://null.co.in/http://nullcon.net/Introduction

Vulnerability Vs Exploit based signatures Exploit signaturesCreated by using byte string patterns or regular expressions These are exploit specific They are used widely mainly because of the ease of their creationCater to only one type of input satisfying that vulnerability conditionFail: different attacks can exploit the same vulnerability, so exploit based signatures will fail For eg. Exploit based signatureESig = “docx?AAAAAAAAAAA...”It will fail if some exploit uses a long string of B’s instead of A’shttp://null.co.in/http://nullcon.net/Introduction

http://null.co.in/http://nullcon.net/Introduction Vulnerability Vs Exploit based signatures Vulnerability signaturesBased on the properties of the vulnerability and not on the properties of the exploitIt is a superset of all the inputs satisfying a particular vulnerability conditionFor eg. Vulnerability based signature for previous caseVSig = MATCH_STR (Buffer,"docx?(.*)$",limit)Matches string in buffer with the regexIt is effective against any alphabet unlike exploit signatureVulnerabilitySignatureExploit Signature

Vulnerability Vs Exploit based signatures Vulnerability signatures contd..For a good vulnerability signatureIt should strictly not allow any false negatives as even one exploit can pwn the system and create a gateway for the attacker into the network.It should allow very few false positives, as too many false positives may lead to a DoS attack for the system.The signature matching time should not create a considerable delay for the software and services.http://null.co.in/http://nullcon.net/Introduction

The first step of creating an undisclosed exploit is to find the vulnerability to exploit it.To verify if the patch released by Microsoft is working as per it is designed.To create vulnerability based signatures.http://null.co.in/http://nullcon.net/Need

http://null.co.in/http://nullcon.net/Process

http://null.co.in/http://nullcon.net/Finding patchesPick a vulnerability and download its patchPick a vulnerability just before this one that patched the same program or dllIf unavailable, use the same dll from your systemProcessQuick-fixUse open source ms-patch-tools to easily get the file versions to compareProblemGDR or QFE/LDR ??

FileVersioninghttp://null.co.in/http://nullcon.net/Finding patchesDEMOProcess

http://null.co.in/http://nullcon.net/Finding patchesExtraction of filesThe traditional way of extracting file from patch <patchfilename>.exe /xWorks only till Windows XP and earlier versions of WindowsProcessProblemAbove method cannot be used on Win7 and Vista patches delivered as msuhttp://null.co.in/http://nullcon.net/Finding patchesExtraction of filesSolutionProcessUse expand commandexpand -F:* <Saved_MSU_File_Name>.msu C:\<Folder_to_extract_in> expand -F:* <Saved_MSU_File_Name>.cab C:\<Folder_to_extract_in>

http://null.co.in/http://nullcon.net/Finding patchesExtraction of filesDEMOProcess

Finding patcheshttp://null.co.in/http://nullcon.net/Extraction of filesBinary DifferencingDarunGrim v2 used for binary differenceFeed in the two binaries to be comparedGenerates a list of functions with the %age match between the two files ProcessProblemNot every function %age < 100 is changed

Includes false positives which requires manual analysisFinding patcheshttp://null.co.in/http://nullcon.net/Extraction of filesBinary DifferencingProcessDEMO

Finding patcheshttp://null.co.in/http://nullcon.net/Extraction of filesBinary DifferencingDifferencing AnalysisProcessManual inspection of functions with less than 100% matchRemove false positives generated by problems likeInstruction reorderingLot of reordering happening over different releases marks even the same blocks as unmatchedSplit blocksBlock in the graph which has only parent and the parent has only one child leads to a split block.causing a problem in the matching processCan be improved by merging the two blocks and treating as a single block.

http://null.co.in/http://nullcon.net/Finding patchesExtraction of filesBinary DifferencingDifferencing AnalysisProcessHot patchingInstructions like moveax, eax at the start of functions are a sign of hot patching leading to a mismatch in the blockBy just ignoring the instruction we can get a matchCompiler optimizations Different compilers and even different versions of the same compiler perform different optimizations which also creates problems in getting proper differenceEventually reach a function which is indeed modified and might be the fix to the vulnerability being patched

Finding patcheshttp://null.co.in/http://nullcon.net/Extraction of filesBinary DifferencingDifferencing AnalysisProcessDEMO

Finding patcheshttp://null.co.in/http://nullcon.net/Extraction of filesBinary DifferencingDifferencing AnalysisProcesspush [ebp-2Ch] ; unsigned intcall ??2@YAPAXI@Z ; operator new(uint)mov ebx, eaxpop ecxmov [ebp-18h], ebxmov [ebp-3Ch], ebxmov byte ptr [ebp-4], 1push dwordptr [ebp-2Ch]mov ecx, esipush ebxpush [ebp-30h]call sub_118000C func(const *,void *,long)mov edi, eaxtest edi, edijge short push [ebp-2Ch] ; unsigned intcall ??2@YAPAXI@Z ; operator new(uint)pop ecxmov [ebp-14h], eax ; ebp-14h = pBuffermov [ebp-40h], eaxmov byte ptr [ebp-4], 2push [ebp-2Ch]mov ecx, esipush ebxpush edicall sub_118000C func(const *,void *,long)mov esi, eaxtest esi, esijge short loc_118158A

Finding patcheshttp://null.co.in/http://nullcon.net/Extraction of filesBinary DifferencingDifferencing AnalysisProcessDebuggingTo validate our finding of analysis by debuggingGetting a crash of the applicationCreating a malformed file to get the crashWould be using Immunity Debugger

Finding patcheshttp://null.co.in/http://nullcon.net/Extraction of filesBinary DifferencingDifferencing AnalysisProcessDebuggingDEMO

ConclusionPresented an overview of how the 1-day exploits and Vulnerability signatures can be createdAttempt was made to understand the process involved in reversing and the problems faced during the execution of the processOnly talked about Microsoft patches but concept not limited to this.Concepts presented can be perfected by interested audience http://null.co.in/http://nullcon.net/

ThanksQuestions??http://null.co.in/http://nullcon.net/

nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code

More Related Content

What's hot (20)

Similar to nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code (20)

More from n|u - The Open Security Community (20)

Recently uploaded (20)

nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code