Alternative Exploitation Vectors

Similar documents
Is Exploitation Over? Bypassing Memory Protections in Windows 7

Patching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps

Triconex TriStation Emulator Denial of Service

Bypassing SEHOP. Stéfan Le Berre Damien Cauquil

Economies of Scale in Hacking Dave Aitel Immunity

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

RBS Asante VMS ActiveXCoat ActiveX Control ConnectToVMS() Method Heap Buffer Overflow of 7

Bypassing DEP with WPM & ROP Case Study : Audio Converter by D.R Software Exploit and Document by Sud0 sud0.x90 [ at ] gmail.com sud0 [at] corelan.

WEB BROWSER SANDBOXING: SECURITY AGAINST WEB ATTACKS

Infecting the Embedded Supply Chain

Microsoft Office CTaskSymbol Use- After-Free Vulnerability

Malware and Vulnerability Check Point. 1. Find Problems 2. Tell Vendors 3. Share with Community

Meltdown and Spectre - understanding and mitigating the threats (Part Deux)

Bypassing Browser Memory Protections

Leveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus

Microsoft Office Protected-View Out-Of- Bound Array Access

Smashing the Buffer. Miroslav Štampar

Apology of 0days. Nicolás Waisman

Challenge Impossible. -- Multiple Exploit On Android. Hanxiang Wen, Xiaodong Wang. C0RE Team

EURECOM 6/2/2012 SYSTEM SECURITY Σ

Windows HIPS evaluation with Slipfest

Security Research Advisory IBM WebSphere Portal Cross-Site Scripting Vulnerability

Chapter 1 : Getting Started with Integrity... Chapter 2 : Interface Layout... Chapter 3 : Navigation... Chapter 4 : Printing...

The attacker appears to use an exploit that is derived from the Metasploit FreeBSD Telnet Service Encryption Key ID Buffer Overflow?

WatchGuard AP - Remote Code Execution

9. Security. Safeguard Engine. Safeguard Engine Settings

Revisiting the Kernel Security Enhancements in ios 10 MOSEC Liang Tencent Keen Lab

Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

Analysis of MS Multiple Excel Vulnerabilities

UNIVERSITY OF TARTU FACULTY OF SCIENCE AND TECHNOLOGY INSTITUTE OF COMPUTER SCIENCE

Computer Architecture Sample Test 1

Exam Questions v8

Title: SEH Overwrites Simplified. Date: October 29 th Author: Aelphaeis Mangarae

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

McAfee Labs: Combating Aurora

Microsoft SDL 한국마이크로소프트보안프로그램매니저김홍석부장. Security Development Lifecycle and Building Secure Applications

Establishing Technology Trust in a Containerised World

IOActive Security Advisory

New Technologies for Cyber Security

Qiang Li && Zhibin Hu/Qihoo 360 Gear Team Ruxcon 2016

Exploiting USB/IP in Linux

Exploit Development. License. Contents. General notes about the labs. General notes about the labs. Preparation. Introduction to exploit development

Remote Buffer Overflow Exploits

Exploiting JRE - JRE Vulnerability: Analysis & Hunting

Intel Software Guard Extensions (SGX) SW Development Guidance for Potential Bounds Check Bypass (CVE ) Side Channel Exploits.

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

Pangu 9 Internals. Tielei Wang and Hao Xu

OPEN SOURCE SECURITY ANALYSIS The State of Open Source Security in Commercial Applications

How To Remove Internet Explorer 7 And Install 6

Ruckus Wireless Security Advisory ID FAQ

How to Impress Girls with Browser Memory Protection Bypasses

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7

PC SECURITY LABS COMPARATIVE TEST. Microsoft Office. Flash. August Remote code execution exploit. mitigations for popular applications

INFORMATION SECURITY - PRACTICAL ASSESSMENT - BASICS IN BUFFER EXPLOITATION

Update Root Certificates Feature Isn Enabled >>>CLICK HERE<<<

Showing differences between disassembled functions

Penetration Testing with Kali Linux

SEH overwrite and its exploitability. Shuichiro Suzuki Fourteenforty Research Institute Inc. Research Engineer

TOP 10 Vulnerability Trends for By Nevis Labs

Vulnerability Disclosure Policy. v.1.1

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

Windows Could Not Start The Sql Server On Local Computer Error Code 3417

Friends, Not Foes: Rethinking the Vendor- Reseacher Relationship. Presented By: Rick Ramgattie KEYNOTE

Manual Internet Explorer 8 For Windows 7 Full Version

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Telecom Systems Chae Y. Lee. Contents. Overview. Issues. Addressing ARP. Adapting Datagram Size Notes

Buffer overflow background

Exploring CVE , a Skeleton key in DNS. Jaime Cochran, Marek Vavrusa

LCD03 - I2C/Serial LCD Technical Documentation

Hello? It s Me, Your Not So Smart Device. We Need to Talk.

Meltdown and Spectre - understanding and mitigating the threats

Microsoft Office Protected-View Out-Of- Bound Array Access

Memory corruption vulnerability exposure can be mitigated through memory hardening practices

NFC Payments: The Art of Relay & Replay Attacks. Salvador Mendoza August 14, 2018

Trends in Open Source Security. FOSDEM 2013 Florian Weimer Red Hat Product Security Team

MWR InfoSecurity Security Advisory. Linux USB Device Driver - Buffer Overflow. 29 th October Contents

RBS S Pocketnet Tech MediaViewer ActiveX Control Multiple Buffer Overflow Vulnerabilities of 14

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013

Memory Management. Goals of Memory Management. Mechanism. Policies

EURECOM 6/2/2012 SYSTEM SECURITY Σ

Connect Securely in an Unsecure World. Jon Clay Director: Global Threat

Software Security: Buffer Overflow Attacks (continued)

Computer Security and Privacy

Turn On Windows Firewall Manually Windows 7 Group Policy Server 2003

Abysssec Research. 1) Advisory information. 2) Vulnerable version. : Microsoft Excel SxView Record Parsing Memory Corruption

Heartbleed Bug. Anthony Postiglione. Department of Electrical & Computer Engineering Missouri University of Science and Technology

T Jarkko Turkulainen, F-Secure Corporation

CS 458 Internet Engineering Spring First Exam

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

CSE 565 Computer Security Fall 2018

LINUX VULNERABILITIES, WINDOWS EXPLOITS Escalating Privileges with WSL. Saar Amar Recon brx 2018

SA31675 / CVE

MSRPC Auditing Tools and Techniques

7. Checking Your Computers... 9 Configuration Check... 9 Operating System/Browser Check... 9 Whitelist Check Network Consistency Check...

Buffer overflow prevention, and other attacks

Karthik Bharathy Program Manager, SQL Server Microsoft

Transcription:

Alternative Exploitation Vectors A study of CVE-2010-3333 [1] By George Nicolaou

Presentation Objectives Share some Experience with Reverse Engineering Driven Exploitation Challenge what you know about Software Exploitation CVE-2010-3333 (Microsoft Office RTF Buffer Overflow Vulnerability)

Presentation Outline History of CVE-2010-3333 What was published What was not published Overview of the RTF vulnerability Typical Exploitation Scenario (Live Demo) Alternate Vectors: Rewriting Exploit for Windows XP/Vista/7 (Live Demo) Conclusions

History of CVE-2010-3333 Discovered by team509 working with VeriSign idefence Labs [2]. Disclosure Timeline August 12, 2009 Initial Vendor Notification August 12, 2009 Initial Vendor Reply November 9, 2010 Coordinated Public Disclosure Vulnerabilities in RTF File format was a known fact

History of CVE-2010-3333 Rumour has it that CVE-2010-3333 was discovered in public (Unverified) Vulnerability was patched by Microsoft prior to disclosure [3] Microsoft Office 2003 (KB2289187) Microsoft Office 2007 (KB2289158) etc

What was published SecurityFocus clamed that all program versions from Microsoft Office are vulnerable [4] In Microsoft Windows 98 Up to Microsoft Windows XP No reference of the vulnerability affecting Windows Vista or 7.

What was published An example document [6] A MetaSploit Module [5] SEH Overflow Based With Windows Vista/7 offsets only if ASLR and SafeSEH was disabled: # In order to exploit this bug on Office 2007, a SafeSEH bypass method is needed.

What was not published The vulnerability can be turned into a typical Buffer Overflow without passing through Structured Exception Handling (SEH) The vulnerability is indeed exploitable on all Windows Operating Systems.

Overview of the RTF vulnerability Basic Shape Object Format [7] The basic format for drawing objects in RTF is as follows: { \shp... { \*\shpinst { \spp { \sn... } { \sp... } } } { \shprslt... } }

Overview of the RTF vulnerability Drawing Object Properties The bulk of a drawing object is defined as a series of properties. The { \shp... control word is followed by { \*\shpinst Following the { \*\shpinst is a list of all the properties of a shape. Each of the properties is in the following format: { \sp { \sn PropertyName } { \sv PropertyValueInformation } } The control word for the drawing object property is \sp. Each property has a pair of name (\sn) and value (\sv) control words placed in the shape property group. For example, the vertical flip property is represented as: {\sp{\sn fflipv}{\sv 1}}

Overview of the RTF vulnerability Drawing Object Properties Property Meaning Type of value Default pfragments Array Fragments are optional, additional parts to the shape. They allow the shape to contain multiple paths and parts. This property lists the fragments of the shape. NULL

Overview of the RTF vulnerability Drawing Object Properties Arrays are formatted as a sequence of numbers separated by semicolons. The first number tells the size of each element in the array in bytes. The number of bytes per element may be 2, 4, or 8. When the size of the element is 8, each element is represented as a group of two numbers. The second number tells the number of elements in the array. For example, the points of a square polygon are written as: {sv 8;4;{0,0};{100,0};{100,100};{0,100}} \sv Destination for a drawing property value

Overview of the RTF vulnerability Drawing Object Properties With this structure it is very simple to dispatch an RTF control word. Once the reader isolates the RTF control word and its (possibly associated) value, the reader then searches an array of SYM structures to find the RTF control word. If the control word is not found, the RTF reader ignores it, unless the previous control was \*, in which case the reader must scan past an entire group

Overview of the RTF vulnerability Typical File format {\rtf1 {\shp {\sp } } } {\sn pfragments {\sv x;y;[control_word1][control_word2][control_word3] [array] } }

Overview of the RTF vulnerability Typical File format x Must not be equal to 2, 4, 8 y can be any decimal number [control_word1] cannot be zero [control_word2] cannot be greater than [control_word1] [control_word3] is the size of the array (which we control) [array] is the actual array

Typical Exploitation Scenario (Live Demo) Live Demo

Alternate Vectors: Rewriting Exploit for Windows XP/Vista/7 (Live Demo) Live Demo

Conclusions Don t believe everything your told about software vulnerabilities (obvious) Assembly and Reverse Engineering knowledge is a MUST in software exploitation

Questions? Questions?

References 1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3333 2. http://labs.idefense.com/intelligence/vulnerabilities/display.php?id= 880 (Try Google Cache) 3. http://technet.microsoft.com/en-us/security/bulletin/ms10-087 4. http://www.securityfocus.com/bid/44652/info 5. http://downloads.securityfocus.com/vulnerabilities/exploits/44652.r b 6. http://www.exploit-db.com/sploits/cve-2011-3333_exploit.doc 7. Rich Text Format (RTF) Specification, Microsoft Technical Support, 2001 Word 2002 RTF Specification

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback