Bypassing SEHOP. Stéfan Le Berre Damien Cauquil

Similar documents
Is Exploitation Over? Bypassing Memory Protections in Windows 7

SEH overwrite and its exploitability. Shuichiro Suzuki Fourteenforty Research Institute Inc. Research Engineer

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Smashing the Buffer. Miroslav Štampar

How to Impress Girls with Browser Memory Protection Bypasses

Bypassing Browser Memory Protections

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Memory corruption vulnerability exposure can be mitigated through memory hardening practices

Runtime Defenses against Memory Corruption

N e xt G e n e ra tio n S e c u rity S o f t w a r e Lt d. Blind Exploitation of Stack Overflow

Return-orientated Programming

MSRPC Heap Overflow Part II

Lecture 08 Control-flow Hijacking Defenses

Writing Exploits. Nethemba s.r.o.

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

INTRODUCTION TO EXPLOIT DEVELOPMENT

CS 161 Computer Security

Bypassing DEP with WPM & ROP Case Study : Audio Converter by D.R Software Exploit and Document by Sud0 sud0.x90 [ at ] gmail.com sud0 [at] corelan.

Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis

CS 161 Computer Security

About unchecked management SMM & UEFI. Vulnerability. Patch. Conclusion. Bruno Pujos. July 16, Bruno Pujos

SoK: Eternal War in Memory

Preventing the Exploitation of SEH Overwrites

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

16.317: Microprocessor Systems Design I Fall 2014

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Università Ca Foscari Venezia

Apology of 0days. Nicolás Waisman

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Software Security: Buffer Overflow Defenses

Biography. Background

Buffer Overflows Defending against arbitrary code insertion and execution

Advanced Buffer Overflow

buffer overflow exploitation

Playing God With Format String Attacks. Bsides Jax 2016 Travis Phillips 10/22/2016

From Over ow to Shell

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Software Security II: Memory Errors - Attacks & Defenses

Advanced Buffer Overflow

Assembly Language: Function Calls

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Reversed Buffer Overflow Cross Stack Attacks. Kris Kaspersky Endeavor Security, Inc.

Assembly Language: Function Calls" Goals of this Lecture"

On Compilers, Memory Errors and Control-Flow Integrity

Writing your first windows exploit in less than one hour

Shellzer: a tool for the dynamic analysis of malicious shellcode

16.317: Microprocessor Systems Design I Fall 2015

Inject malicious code Call any library functions Modify the original code

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Assembly Language: Function Calls" Goals of this Lecture"

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Outline. Memory Exploit

PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES

Title: SEH Overwrites Simplified. Date: October 29 th Author: Aelphaeis Mangarae

CSC 2400: Computer Systems. Using the Stack for Function Calls

CSE 361S Intro to Systems Software Lab Assignment #4

Patching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps

Zero Day Zen Garden: Windows Exploit Development - Part 4 [Overwriting SEH with Buffer Overflows]

16.317: Microprocessor Systems Design I Spring 2015

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

CSC 8400: Computer Systems. Using the Stack for Function Calls

Shellcode Analysis. Chapter 19

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform

Buffer Overflow Attack (AskCypert CLaaS)

March 10, Linux Live Patching. Adrien schischi Schildknecht. Why? Who? How? When? (consistency model) Conclusion

CSE 127 Computer Security

kguard++: Improving the Performance of kguard with Low-latency Code Inflation

CSE 127 Computer Security

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

The Geometry of Innocent Flesh on the Bone

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

Practical Malware Analysis

Digital Forensics Lecture 3 - Reverse Engineering

Vivisection of an Exploit: What To Do When It Isn't Easy. Dave Aitel Immunity, Inc

ESET Research Whitepapers // January 2018 // Author: Filip Kafka ESET S GUIDE TO DEOBFUSCATING AND DEVIRTUALIZING FINFISHER

ht IE exploit analysis

Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP

Memory Safety (cont d) Software Security

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Applying Return Oriented and Jump Oriented Programming Exploitation Techniques with Heap Spraying

Digital Forensics Lecture 02 PDF Structure

CSE 565 Computer Security Fall 2018

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

Outline. Format string attack layout. Null pointer dereference

Exploit Development. License. Contents. General notes about the labs. General notes about the labs. Preparation. Introduction to exploit development

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Reverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta

Expanding the control over the operating system from the database. Bernardo Damele Assumpção Guimarães Guido Landi

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

CSE 127 Computer Security

«Defeating DEP through a mapped file»

SA28083 / CVE

An NCC Group Publication. Exploiting CVE Prepared by: Katy Winterborn. Copyright 2015 NCC Group

Transcription:

Bypassing SEHOP Stéfan Le Berre s.leberre@sysdream.com Damien Cauquil d.cauquil@sysdream.com

Table of contents 0. Introduction...3 1. SEHOP specifications (short version)...3 2. Dealing with SEHOP when exploiting a stack overflow...6 2.1. Breaking out the classical exploitation scheme...6 2.2. The tricky part...7 3. Proof Of Concept...7 3.1. Target program & constraints...7 3.2. crash and exploitation...8 4. Conclusion...9 5. Credits...10 6. Bibliography...10

0. Introduction Microsoft has recently implemented in many Windows versions a new security feature named «Structured Exception Handling Overwrite Protection» [1 & 2]. Those systems are: Microsoft Windows 2008 SP0 Microsoft Windows Vista SP1 Microsoft Windows 7 We did not found any known attack aiming at defeating this new feature but only many papers describing the feature itself and its robustness. Indeed, SEHOP seems to be so reliable that Microsoft released a patch in order to activate this security feature by default on all programs. Is it already the end of stack overflows under Microsoft Windows? Not yet, but under some circumstances, as we will explain below. 1. SEHOP specifications (short version) SEHOP is an extension of Structured Exception Handling and implements more security checks on SEH structures used by programs. The core feature of SEHOP checks the chaining of all SEH structures present on the process stack and especially the last one, which should have a special handler value pointing right onto a function located in ntdll. Here is a classical SEH chain: Each SEH structure points to the next structure and the last one contains a specific handler pointing to ntdll!_except_handler4. When exploiting by overwriting a given SEH structure onto the stack, the next SEH pointer is overwritten in order to contain some bytecode and the SEH handler is overwritten to point to a sequence of «POP POP RET» instructions located in a non-safeseh module.

The validation algorithm used in SEHOP has been exposed by A. Sotirov during Black Hat in year 2008 [3]. Let's have a look at it: BOOL RtlIsValidHandler(handler) { if (handler is in an image) { if (image has the IMAGE_DLLCHARACTERISTICS_NO_SEH flag set) return FALSE; if (image has a SafeSEH table) if (handler found in the table) return TRUE; else return FALSE; if (image is a.net assembly with the ILonly flag set) return FALSE; // fall through if (handler is on a non-executable page) { if (ExecuteDispatchEnable bit set in the process flags) return TRUE; else // enforce DEP even if we have no hardware NX raise ACCESS_VIOLATION; if (handler is not in an image) { if (ImageDispatchEnable bit set in the process flags) return TRUE; else return FALSE; // don't allow handlers outside of images // everything else is allowed return TRUE; [...] // Skip the chain validation if the DisableExceptionChainValidation bit is set if (process_flags & 0x40 == 0) { // Skip the validation if there are no SEH records on the // linked list if (record!= 0xFFFFFFFF) { // Walk the SEH linked list do { // The record must be on the stack if (record < stack_bottom record > stack_top) goto corruption; // The end of the record must be on the stack if ((char*)record + sizeof(exception_registration) > stack_top) goto corruption; // The record must be 4 byte aligned if ((record & 3)!= 0)

goto corruption; handler = record->handler; // The handler must not be on the stack if (handler >= stack_bottom && handler < stack_top) goto corruption; record = record->next; while (record!= 0xFFFFFFFF); // End of chain reached // Is bit 9 set in the TEB->SameTebFlags field? // This bit is set in ntdll!rtlinitializeexceptionchain, // which registers FinalExceptionHandler as an SEH handler // when a new thread starts. if ((TEB->word_at_offset_0xFCA & 0x200)!= 0) { // The final handler must be ntdll!finalexceptionhandler if (handler!= &FinalExceptionHandler) goto corruption; We have to take in consideration some constraints: SEH handler should point onto a non-safeseh module The page should be executable The SEH chain should not be altered and must end with a SEH structure containing a special value (0xFFFFFFFF as next SEH structure pointer and a specific value as SEH handler) All SEH structures should be 4-byte aligned Last SEH structure's handler should point right into ntdll to ntdll!finalexceptionhandler routine All SEH pointers should point to stack locations

2. Dealing with SEHOP when exploiting a stack overflow 2.1. Breaking out the classical exploitation scheme Here is the classical exploitation scheme used: The SEH handler points to a «POP POP RET» instruction sequence, and the first member of the structure contains code instead of a valid stack address. While handling an exception, Windows transfers control to exception handlers, following the SEH chain. Our first exception handler has been overwritten and the execution flow is redirected onto the «POP POP RET» sequence (instead of really handling the exception). This sequence transfers the execution to the first two bytes of the first member of the current SEH structure, which is a jump instruction (0xEB06) to our shellcode. By doing this, the SEH chain has broke up: The first two bytes of the first DWORD of the SEH structure are never executed and could be altered in order to make the DWORD a valid stack address. It is also possible to alter the other two bytes to make the DWORD point to a valid stack address we control and to define those two bytes as a jump instruction. The DWORD can be evaluated both as a valid stack address and a valid instruction doing a jump when called. If we put some fake SEH structure at stack address pointed by this first DWORD, we can fake an entire SEH chain and control the second SEH structure referenced by the first one in order to make it valid.

2.2. The tricky part An issue remains: which jump instruction could be coded with a bytecode representing a 4-byte aligned address? Only one instruction fits here: JE (coded as 0x74). This instruction is a conditional jump: the jump is done only if Z flag is set. Z flag is not set by default when Windows handles an exception, we have to set it by executing an instruction computing a zero value for instance. The «Xor» operator seems to be a good choice, and our solution is then clear: we have to jump onto a «XOR, POP, POP, RET» sequence in order to interpret the JE instruction as a JMP. This was the tricky part of this SEHOP bypass technique. «XOR, POP, POP, RET» instructions are not so difficult to find, we can find some sequences by looking at end of functions returning a null result: XOR EAX, EAX POP ESI POP EBP RET In order to ensure the exploitation, we put in our Proof of Concept a «XOR, POP, POP, RET» sequence. Say we have a first SEH structure at 0x0022FD48, we could create a second one at 0x0022FD74 containing a next SEH pointer with a value of 0xFFFFFFFF and handler pointing to ntdll! FinalExceptHandler. If we set the first SEH structure's handler to point onto a «XOR, POP, POP, RET» sequence, we can redirect the execution flow to whatever we want without really breaking the chain. Concretely, we recreate a valid fake SEH chain that redirects the execution onto a specific shellcode. A major limitation resides in the ASLR feature present in Microsoft Windows 7 and Vista. The exploitation relies on the fact we know the address of ntdll!finalexcepthandler but in reality this address changes at each reboot of the target machine. Ntdll's ImageBase is randomized at boot time and makes exploitation harder. We made some tests onto the ASLR (without reversing it) and it seems that only 9 bits on the 16 representing the ImageBase are randomized, which represents 1 chance over 512 to successfully exploit a stack overflow with SEHOP bypass. 3. Proof Of Concept 3.1. Target program & constraints We created a little program to demonstrate our technique on Windows 7. This program just copies the content of a file («OwnMe.txt») into memory and smashes the stack during this operation, thus raising an exception caught by the exception handler. All we have to do is: create a valid fake SEH chain set the last SEH structure's handler to point to ntdll!finalexceptionhandler put a shellcode onto the stack (Windows 7 compliant) locate a «XOR, POP, POP, RET» sequence into memory

First of all, the «XOR, POP, POP, RET» sequence is known because we put it in the program's code. We can find this sequence at memory address 0x004018E1. 3.2. crash and exploitation When program crashes, we have: 0012F700 41414141 Pointer to next SEH record 0012F704 41414141 SE handler Then we need to create a valid fake SEH chain with a second SEH structure stored at 0x0012F774 containing 0xFFFFFFFF as first member of the structure (next SEH pointer) and ntdll! FinalExceptionHandler as SEH handler. SEH structure located at 0x0012F700 is then modified in order to point to the fake SEH structure we have just created, and the handler is set to 0x004018E1. A jump instruction (JMP +8) is placed before each SEH structure in order to avoid data execution. When exploiting, execution should work as following:

This shellcode will only launch calc.exe: NB: The target program and a working exploit are available in the zip joined to this white paper. You can also download it from Sysdream's website [4]. 4. Conclusion SEHOP is not the ultimate protection against stack overflows if used alone. Since this SafeSEH extension was released, too many people consider it as unbreakable. We just demonstrated that it is possible to bypass the Structured Exception Handling Overwrite Protection under some circumstances. But SEHOP is an excellent native security feature when used in conjunction with ASLR and DEP, we cannot deny it.

5. Credits http://sysdream.com/ http://ghostsinthestack.org/ http://virtualabs.fr/ 6. Bibliography [1] Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP: http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwriteswith-sehop.aspx [2] SEHOP per-process opt-in support in Windows 7: http://blogs.technet.com/srd/archive/2009/11/20/sehop-per-process-opt-in-support-in-windows- 7.aspx [3] Bypassing Browser Memory Protections: http://taossa.com/archive/bh08sotirovdowd.pdf [4] ZIP containing our target program & exploit http://www.sysdream.com/sehop.zip

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback