How safe is your link? Old school exploitation vs new mitigations

Transcription

1 How safe is your link? Old school exploitation vs new mitigations

2 #whoami Peter Hlavatý Specialized Software Engineer at ESET Points of interest : vulnerability research exploit mitigations kernel development bootkit research malware detection and removal research blog :

3 Introduction As nico mentioned in his talk, Aleatory Persistent Threat, old school heap specific exploiting is dying windows version ++ attack difficulty ++ weak implementation == place for exploiting of mechanism

4 Windows memory management Lets take a look at algo

5 Quick lookup at RtlpAllocateHeap FreeLists-UnLink-Search Algorithm Really, some security improvements in algorithm are obvious... Validating / Encoding headers RtlpAnalyzeHeapFailure SafeLinking

6 I.Validating / Encoding headers code1 = _Heap.EncodeFlagsMask? code1 ^ _Heap.Encoding.Code1 : code1 valid = code1.flags ^ (BYTE)code1.Size ^ (code1.size >> 8) == code1.smalltagindex size = code1.size _Heap.EncodeFlagsMask initialy set to default value _Heap.Encoding.Code1 set to random value

7 II. RtlpAnalyzeHeapFailure cs:rtlpdisablebreakonfailurecookie x64 by default, x86 not! x86win binaries by default What about 3 rd party? RtlpGetModifiedProcessCookie call NtQueryInformationProcess

8 III. SafeLinking heap_entry.flink.blink!= heap_entry.blink.flink heap_entry.flink.blink!= heap_entry Pretty easy check don t you think?

9 RtlpHeapAlloc search in FreeLists

10 Problems? FreeListsSearch missing validation checks? RtlpAnalyzeHeapFailure Results in : kill app or not? 3 rd party? SafeLink Check Is implemented smart enough?

11 Exploitation 1 Show me your gong-fu :: technique

12 BuildOwnHeap - IDEA

13 Implementation shortcut RULLING UNDER ENCODING LOGIC LowerBoundary of HEAP_ENTRY.Size : Interesting test : _Heap.EncodeFlagsMask & HEAP_ENTRY.Code1 If not matched, then it is not XORED! What about 0-size?

14 Implementation shortcut RULLING UNDER ENCODING LOGIC UpperBoundary (I.) of HEAP_ENTRY.Size : Interesting xoring value : _Heap.Encoding.Code1 set to random value this case too much random == too much predicatability If (HEAP_ENTRY.Size set to b) then (_Heap.Encoding.Code1 ^ HEAP_ENTRY.Size) high probability to be big number

15 Implementation shortcut RULLING UNDER ENCODING LOGIC UpperBoundary (II.) of HEAP_ENTRY.Size : based on XOR two heap_entry chunks on freelist 1st set HEAP_ENTRY.Size to 0x8000 2nd set HEAP_ENTRY.Size to 0x0 After XOR one of HEAP_ENTRY.Size will be for sure equal to 0x8000 wich is big number

16 BuildOwnHeap - implementation Looka looka - SafeLink Check?

17 Attack!

18 Results? SafeLink Check HeapSpray fake list fulfill conditions Validation & RtlpAnalyzeHeapFailure? I am 3 rd Party Problems : Works for x86 binaries Already fixed in win7sp1

19 Good enough? not... Can it be improved?

20 Quick lookup to RtlpFreeHeap FreeLists-Link-Search Algorithm Seems familiar? Validating / Encoding headers RtlpAnalyzeHeapFailure SafeLinking

21 SafeLinking, changed!? heap_entry.blink.flink!= heap_entry

22 RtlpFreeHeap search in FreeLists Again, no validation here required Performance vs security?

23 Previous IDEA imporving.. What do you think happen with valid chunk, with size is bigger than size of already overwritten HEAP_ENTRY, when it is attempted to be freed?

24 Final Exploitation 1) Memory leak! 2) Relinking already used memory!

25 Exploitation 2 - showtime improving, improving, success

26 Prerequisites Same as in first attack : HeapSpray attack sizeof(heap_entry) + sizeof(list_entry>flink) overflow, that cause overwritting HEAP_ENTRY on FreeList Second attack specific : Ability to force application to free already used good sized memory memory leak RW access to our heapsprayed buffer relinking

27 Attack!

28 Visualisation of exploitation - init

29 Visualisation of exploitation - heapspray

30 Visualisation of exploitation - overwrite

31 Visualisation of exploitation free(*)

32 Results Success!

33 Live Demo Win7 SP1

34 Done Conclusions : Mitigations are as good as they weakest point! Implement minimalistic approach, but cover all responsibilities of the code Speed performance < safe environment

35 Addition technique info Reported to microsoft about 2 years ago But still present in win7sp1, and was usable even in win8cp! In final release of win8 it is finally patched! FreeListSearch algo now validate each walked HEAP_ENTRY

36 Video Demo win8 CP, ie10

37 References Brett Moore : Exploiting Freelist[0] On XP Service Pack 2 %20Pack%202.pdf Chris Valasek : Understanding the Low Fragmentation Heap Brett Moore : Heaps About Heaps Alexander Sotirov : Heap Feng Shui in JavaScript Nico Waisman : Aleatory Persistent Threat and many others usefull exploit techniques related materials