420 likes | 611 Views
ZERT. Binary Patching Gil Dabah. Who Am I?. “Israeli programmer and reverse engineering enthusiast Gil Dabah”, eWeek ( 09/22/06 ) “Israeli reverse-engineering specialist Gil Dabah”, CNET ( 09/25/06 ) Computer’s “Hacker” Programmer, working at DigiCash. About ZERT.
E N D
ZERT Binary Patching Gil Dabah
Who Am I? • “Israeli programmer and reverse engineering enthusiast Gil Dabah”, eWeek (09/22/06) • “Israeli reverse-engineering specialist Gil Dabah”, CNET (09/25/06) • Computer’s “Hacker” • Programmer, working at DigiCash ZERT Binary Patching
About ZERT • Zero-day Emergency Response Team • Zero-day meaning? • Foundation • Goal • Incident-Response ZERT Binary Patching
Menu • Patching In General • VML Vulnerability • ANI Vulnerability ZERT Binary Patching
What is Patching? • Changing an existing software data. • That data can be either a code or real data (strings, structures, etc). • Usually the goal is to change behavior. • Sometimes you enhance the software. • Patching can be done on-disc, or in-memory. • Known patching is cracking games/software. • …or uncracking software like ZERT does. ZERT Binary Patching
Problems with Patching • Different versions (E.G: 23 versions of VGX). • Code changes. • Code moves. • No room for the extra patching code/data. • MS Hot Patching MOV EDI, EDI. • Windows File-Protection. ZERT Binary Patching
Patching Alternatives Every change affect file integrity. We want to change as less as possible bytes. • PE Patching - add a section/fine a cave. • In a short development time it’s not possible to make it reliable. • Too big a change. • Time consuming. • Per Version Patching. • Requires all versions. • Doesn’t support unknowns. ZERT Binary Patching
Patching Alternatives • Using Hot Patching Bytes: • A few places to patch (all callers, more signatures). • 7 bytes are usually not enough. • CC, CC, CC, CC, CC, 8B, FF • Spot Patching • Simple. • Search&replace patching. • Not always possible Generic ZERT Binary Patching
Section #1 ZERT VML Patcher ZERT Binary Patching
VML • Vector Markup Language • An XML language used to produce vector graphics. • Submitted as a proposed standard by MS and Macromedia in ’98 to the W3C. • Eventually rejected. • But still in use by Internet Explorer and Office (and Outlook). ZERT Binary Patching
VML Rendering ZERT Binary Patching
VML Zero-Day • Was first seen in September 2006. • Officially on the 19th, but actually before. • Adam Thomas, a researcher from Sunbelt Software, found it ITW. • The exploitation downloads a trojan or adware. • For example an adware that downloads and displays popup advertisements. ZERT Binary Patching
VML Vulnerability • Stack-based buffer overflow in the processing of malformed VML "fill method" attributes. • Affected file: VGX.DLL (symbol:Ptok@TOKENS@_IE5_SHADETYPE_TEXT). • Vulnerable systems: all IE versions, with latest XP SP 2 patches. • Surf and get owned. • What if DEP is enabled? ZERT Binary Patching
HTML Exploitation <html xmlns:v="urn:schemas-microsoft-com:vml"> <head> <style> v\:* { behavior: url(#default#VML);} </style> </head> <body> <v:rect><v:fill method=“AAAA…></v:fill></v:rect> </body> </html> ZERT Binary Patching
Vulnerability Point • To locate vulnerable image, simply crash IE. • Attack ‘fill method’ with a big buffer, raises access violation. • Writing to a pointer which is found on local stack. • Now that we got the vulnerable function we start analyzing the code. ZERT Binary Patching
Ptok Function Disassembly mov edx, [ecx+VML.szInput] mov dx, [ebx+edx*2] mov [edi], dx ZERT Binary Patching
Code Analysis class TOKENS { public: WCHAR *Ptok(void); private: LPWSTR szInput; // pointer to input string on heap int nSize; // length of input string (in WCHARs) int idxInput; // index used within the for()loop WCHAR szOutput[256]; // output buffer for string }; This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 license. By Michael Hale Lee. ZERT Binary Patching
Code Analysis:C++ Translation WCHAR *TOKENS::Ptok(void) { register int idxCurr; if (szInput == NULL) return(NULL); if (nSize >= 256) { // Added by the ZERT patch return(NULL); } for (idxCurr=0; idxInput < nSize && szInput[idxInput] != '\0'; idxInput++) { • if (szInput[idxInput] == ' ') { • if (idxCurr) break; // Encountered non-leading space • else continue; // Encountered leading space • } • szOutput[idxCurr]=szInput[idxInput]; // Copy the WCHAR • idxCurr++; • } • if (idxCurr > 0) { • szOutput[idxCurr]='\0'; // NULL terminate • return(szOutput); • } • return(NULL); • } This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 license. By Michael Hale Lee. ZERT Binary Patching
Using Ptok Rather Than strtok • Ptok is an enhanced strtok, using a class and a local storage. • It supports multiple concurrent readings. • It doesn’t modify the original string! • Tokenize: “We've got explosives! KABOOOOOM!” • Results in: “We’ve”, “got”, “explosives!”, “KABOOOOOM!” • Input string is now nullified: “We’ve\0got\0… ZERT Binary Patching
Writing a Binary Signature • A unique sequence of bytes. • Might be masked or not. • “GIF87A”,”GIF89A” “GIF8*A” • Must be found the exact times you expect. • Genericness is a plus. ZERT Binary Patching
VGX’s Ptok Signature • Ptok is like a library function • (very small, used in one place). • No code changes in all versions. • Goal: Use the whole function as a signature. ZERT Binary Patching
Compiler’s Bad Day??? • >>> import distorm • >>> distorm.Decode(0,"\x66\x8b\x14\x53")[0][2] • 'MOV DX, [EBX+EDX*2]' • >>> distorm.Decode(0,"\x0f\xb7\x14\x53")[0][2] • 'MOVZX EDX, [EBX+EDX*2]' ZERT Binary Patching
Closing The Vulnerability [v1] ;Removed leading space checks,added input-size test. mov edx, [ecx] push ebx push esi xor esi, esi cmp edx, esi ; if (szInput == NULL) push edi jz short Return ; return NULL cmp dword [ecx+4], 0x100 ; if (nSize >= 0x100) jae Return ; return NULL ZERT Binary Patching
Bypassing WFP • Examining VGX.DLL’s export table: DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer. • VGX.DLL is a COM in-proc DLL. • Can be registered and unregistered. • Anti Virus issues. ZERT Binary Patching
ZERT Patcher • Read vgx.dll file to memory. • Search for binary signature. • Apply patch. • Save data to a new file “patchedvgx.dll”. • Unregister original “vgx.dll”. • Register “patchedvgx.dll”. * Supports both GUI and Console versions. ZERT Binary Patching
ZERT’s Patch VS. MS’s • MS can simply recompile. • We have to: • Make room for the input size test. • Preserve functionality. • MS patch: Copy until buffer is full (< 0xfe). • Our V1 patch: Don’t copy if length >= 0x100. • Patch V2 is MS code but crunched into 0x5b bytes (from 0x63). ZERT Binary Patching
64 Bits Patching Challenges • Finding VP (Ptok) without Windows 64. • RIP Relative. • MS code was changed from 32 bits version, yet unpatched. ZERT Binary Patching
32bits VS 64bits VGX.DLL ZERT Binary Patching
Pre-Patched ZERT Binary Patching
Section #2 ZERT ANI Patcher ZERT Binary Patching
Windows Animated Cursors • It all began in 2005, eEye discovered a vulnerability in USER32.DLL handling .ANI files. • (Incompletely) fixed by MS05-002 – XPSP2 was already immune. • In 2006, a similar vulnerability discovered by Determina (Alexander Sotirov). • Public Disclosure - March 28, 2007. ZERT Binary Patching
Bug Description • ANI files store animated cursors. Based on RIFF multimedia file format, which is a series of tagged chunks. • LoadCursorIconFromFileMap only validated the first ‘anih’ size before parsing the rest of the chunks by calling LoadAniIcon. • LoadAniIcon parses the chunks, including ‘anih’. This time without size validation. ZERT Binary Patching
Malformed ANI Sample RIFF....ACONanih $...$........... ................ ........anihX... AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA • First header chunk, so far so good. • Now! this is tricky , oh yeah. ZERT Binary Patching
Attack Vectors • Internet Explorer loading HTML file - style="CURSOR: url(‘malformed.ani')“. • Outlook. • Windows Explorer. ZERT Binary Patching
The Patcher • USER32.DLL – Requires in-memory patching. • Using “Known DLLs” to load our .DLL to every process. • Our DllMain will locate USER32.DLL and find its code section and begin its magic work. ZERT Binary Patching
Vulnerable Code - LoadAniIcon 000433E0 038B 75F8 8B45 D83D 7365 7120 0F84 7C01 ..u..E.=seq ..|. 000433F0 0000 3D4C4953540F 84CB 0000 003D 7261 ..=LIST......=ra 00043400 7465 0F84 A600 0000 3D616E69680F 85DF te......=anih... 00043410 0000 008D 45B4 508D 45D8 5053 E8E4FAFF ....E.P.E.PS.... 00043420 FF85 C00F 84E7 0100 0083 EC24 6A09 598B ...........$j.Y. 00043430 FC8D 75B4 F3A5 E844 FBFF FF85 C00F 84CA ..u....D........ 00043440 0100 008B 45BC 8B7D B88B 35F0 12D4 776A ....E..}..5...wj CMP EAX, ‘ qes’ JZ 0x187 CMP EAX, ‘TSIL’ JZ 0xe1 CMP EAX, ‘etar’ JZ 0xc7 CMP EAX, ‘hina’ JNZ 0x10b LEA EAX, [EBP-0x4c] PUSH EAX LEA EAX, [EBP-0x28] PUSH EAX PUSH EBX CALL Readchunk ZERT Binary Patching
Runtime Generic Patching • 3 X-Refs to the ReadChunk function, only one needs a fix (LoadCursorIconFromFileMap). • Search for a static signature. Look back for another static signature. Disassemble forward until next call is found. • Now that we found the indirectly-call to memcpy, we have to patch it, but how? ZERT Binary Patching
The Fix • A pre-compiled version of the ReadChunk function, this time with size validation. • The ReadChunk internally calls to ReadFilePtrCopy, which really copies the data and overflows the stack. • Fix our pre-compiled code to call the correct ReadFilePtrCopy – calculate relative 32 bits offset. • Allocate an executable memory for the new function. • Once it’s ready, we can simply relocate the original vulnerable CALL instruction to our new immune function. ZERT Binary Patching
Potential Problems • Multiple threads might run the patched code – we patch only a DWORD. • Searching for a DWORD – must be byte-aligned. • Finding the CALL instruction – a disassembler must be used. • If-then statements code generation – following branches. ZERT Binary Patching
The Sad Truths • There is a function which validates the ANI header parameters after it copies it locally. • The VML vulnerability didn’t exist in IE5, which had the size validation of the buffer back then. Probably to code regression it slipped away. ZERT Binary Patching
Questions ??? ZERT Binary Patching
The End arkon@ragestorm.net Thanks to: CCC ZERT Members ZERT - http://isotf.org/zert http://isotf.org/zert/papers/vml-details-20061004.pdf http://www.milw0rm.com/exploits/2425 - Exploit POC ZERT Binary Patching