1 / 26

Reversing Microsoft Patches to reveal Vulnerable code

Reversing Microsoft Patches to reveal Vulnerable code. Harsimran Walia. Introduction. Finding a 0day vulnerability . Microsoft patches. Vulnerability reaches the vendor. Reverse engineer the patch. Vendor finds a fix. Locate the vulnerability patched.

meli
Download Presentation

Reversing Microsoft Patches to reveal Vulnerable code

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Reversing Microsoft Patches to reveal Vulnerable code HarsimranWalia http://nullcon.net/

  2. Introduction • Finding a 0day vulnerability • Microsoft patches • Vulnerability reaches the vendor • Reverse engineer the patch • Vendor finds a fix • Locate the vulnerability patched • Releases a patch to fix the vulnerability • Highlight the difficulties Discussion in the presentation http://nullcon.net/ Birth of a security patch

  3. Introduction http://nullcon.net/ For reversing and obtaining binary difference in my demos I would be using DarunGrim2 How DarunGrim works? • The schema of DarunGrim is shown in the figure • To generate diffing results • Binaries are disassembled in IDA Pro in the background and darungrim IDA plugin is run which creates the sqlite database • Diffing Engine, the heart of DarunGrim2. The sqlite db from IDA and the binaries from GUI are fed into this engine as inputs

  4. Introduction http://nullcon.net/ Algorithm ? Main algorithm of DarunGrim is Basic block fingerprint hash map Each basic block is 1 entity whose fingerprint is generated from the instruction sequence Fingerprint hash generated by IDA Pro Two fingerprint hash tables one each for unpatched and patched binary For finding the binary difference, each unique fingerprint from original binary is searched against the fingerprints of patched binary for a match All fingerprints in the original binary hash tables are either matched or unmatched

  5. Introduction http://nullcon.net/ Algorithm ? Contd.. • For a function to be called matching, all the basic blocks in the function should be matching • For unmatched functions DarunGrim calculates percentage match • Match rate based on fingerprint string match • Similar to GNU Diff algorithm which is finding longest common subsequence

  6. Introduction http://nullcon.net/ Vulnerability Vs Exploit based signatures Exploit signatures • Created by using byte string patterns or regular expressions • These are exploit specific • They are used widely mainly because of the ease of their creation • Cater to only one type of input satisfying that vulnerability condition • Fail: different attacks can exploit the same vulnerability, so exploit based signatures will fail • For eg. Exploit based signature • ESig = “docx?AAAAAAAAAAA...” • It will fail if some exploit uses a long string of B’s instead of A’s

  7. Introduction Vulnerability Signature Exploit Signature http://nullcon.net/ Vulnerability Vs Exploit based signatures Vulnerability signatures • Based on the properties of the vulnerability and not on the properties of the exploit • It is a superset of all the inputs satisfying a particular vulnerability condition • For eg. Vulnerability based signature for previous case • VSig = MATCH_STR (Buffer,"docx?(.*)$",limit) • Matches string in buffer with the regex • It is effective against any alphabet unlike exploit signature

  8. Introduction http://nullcon.net/ Vulnerability Vs Exploit based signatures Vulnerability signatures contd.. • For a good vulnerability signature • It should strictly not allow any false negatives as even one exploit can pwn the system and create a gateway for the attacker into the network. • It should allow very few false positives, as too many false positives may lead to a DoS attack for the system. • The signature matching time should not create a considerable delay for the software and services.

  9. Need http://nullcon.net/ The first step of creating an undisclosed exploit is to find the vulnerability to exploit it. To verify if the patch released by Microsoft is working as per it is designed. To create vulnerability based signatures.

  10. Process http://nullcon.net/

  11. Finding patches • Process Quick-fix Use open source ms-patch-tools to easily get the file versions to compare Problem • GDR or QFE/LDR ?? • FileVersioning http://nullcon.net/ • Pick a vulnerability and download its patch • Pick a vulnerability just before this one that patched the same program or dll • If unavailable, use the same dll from your system

  12. Finding patches • Process http://nullcon.net/ DEMO

  13. Finding patches • Extraction of files • Process Problem • Above method cannot be used on Win7 and Vista patches delivered as msu http://nullcon.net/ • The traditional way of extracting file from patch • <patchfilename>.exe /x • Works only till Windows XP and earlier versions of Windows

  14. Finding patches • Extraction of files Solution • Process http://nullcon.net/ • Use expand command • expand -F:* <Saved_MSU_File_Name>.msu C:\<Folder_to_extract_in> • expand -F:* <Saved_MSU_File_Name>.cab C:\<Folder_to_extract_in>

  15. Finding patches • Extraction of files • Process http://nullcon.net/ DEMO

  16. Finding patches • Extraction of files • Binary Differencing • Process Problem • Not every function %age < 100 is changed • Includes false positives which requires manual analysis http://nullcon.net/ • DarunGrim v2 used for binary difference • Feed in the two binaries to be compared • Generates a list of functions with the %age match between the two files

  17. Finding patches • Extraction of files • Binary Differencing • Process http://nullcon.net/ DEMO

  18. Finding patches • Extraction of files • Binary Differencing • Differencing Analysis • Process http://nullcon.net/ • Manual inspection of functions with less than 100% match • Remove false positives generated by problems like • Instruction reordering Lot of reordering happening over different releases marks even the same blocks as unmatched • Split blocks Block in the graph which has only parent and the parent has only one child leads to a split block. causing a problem in the matching process Can be improved by merging the two blocks and treating as a single block.

  19. Finding patches • Extraction of files • Binary Differencing • Differencing Analysis • Process http://nullcon.net/ • Hot patching Instructions like moveax, eax at the start of functions are a sign of hot patching leading to a mismatch in the block By just ignoring the instruction we can get a match • Compiler optimizations Different compilers and even different versions of the same compiler perform different optimizations which also creates problems in getting proper difference • Eventually reach a function which is indeed modified and might be the fix to the vulnerability being patched

  20. Finding patches • Extraction of files • Binary Differencing • Differencing Analysis • Process http://nullcon.net/ DEMO

  21. Finding patches • Extraction of files • push  [ebp-2Ch]  ; unsigned intcall  ??2@YAPAXI@Z ; operator new(uint)movebx, eaxpop   ecxmov   [ebp-18h], ebxmov   [ebp-3Ch], ebxmov   byte ptr [ebp-4], 1push  dwordptr [ebp-2Ch]movecx, esipush  ebxpush    [ebp-30h] call    sub_118000C func(const *,void *,long)movedi, eaxtest    edi, edijge     short  • push    [ebp-2Ch]  ; unsigned intcall    ??2@YAPAXI@Z ; operator new(uint)pop     ecxmov     [ebp-14h], eax;  ebp-14h = pBuffermov     [ebp-40h], eaxmov     byte ptr [ebp-4], 2push    [ebp-2Ch]movecx, esipush    ebxpush    edicall    sub_118000C func(const *,void *,long)movesi, eaxtest    esi, esijge     short loc_118158A • Binary Differencing • Differencing Analysis • Process http://nullcon.net/

  22. Finding patches • Extraction of files • To validate our finding of analysis by debugging • Getting a crash of the application • Creating a malformed file to get the crash • Would be using Immunity Debugger • Binary Differencing • Differencing Analysis • Process • Debugging http://nullcon.net/

  23. Finding patches • Extraction of files DEMO • Binary Differencing • Differencing Analysis • Process • Debugging http://nullcon.net/

  24. Conclusion http://nullcon.net/ Presented an overview of how the 1-day exploits and Vulnerability signatures can be created Attempt was made to understand the process involved in reversing and the problems faced during the execution of the process Only talked about Microsoft patches but concept not limited to this. Concepts presented can be perfected by interested audience

  25. Thanks Questions?? http://nullcon.net/

More Related