If You Find One,
There are Probably More!:
A Detection Method of “Reproduced” Vulnerability
Asuka Nakajima @ Positive Hack Days VI
1Copyright©2016 NTT corp. All Rights Reserved.
NTT Confidential
# whoami
Asuka Nakajima
- Researcher at NTT Secure Platform Laboratories
- Vulnerability Discovery / Reverse Engineering
Organizer of SECCON CTF
- Thank you for playing SECCON CTF
Founder of "CTF for GIRLS"
- The first security engineer community for women in Japan
What is a "reproduced" vulnerability?
A vulnerability which is copied into other source code or software for some reason.
[Figure: Software 1 contains a vulnerable part; that part is copied into Software 2]
Why does it happen?
- Copy & Paste (Source A: Ctrl + C, Source B: Ctrl + V)
- Source Code Sharing
- Fork Project
The risk of reproduced vulnerability
[Figure: patch distribution timeline for a reproduced vulnerability. A new vulnerability is discovered; the patch for Software 1 is distributed, while Software 2 stays vulnerable until its own patch is distributed later.]
The patch release date differs by up to 118 days [1].
In that window an attacker can analyze the patch and develop exploit code for the unpatched one.
[1] A. Nappa, R. Johnson, L. Bilge, J. Caballero, and T. Dumitraș, "The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching," in IEEE Symposium on Security and Privacy, San Jose, CA, 2015.
About the research
Source code based approach? (e.g. ReDeBug [2])
- Cannot be applied to proprietary software products
→ A detection method that targets binary executables is necessary.
[2] Jiyong Jang, Abeer Agrawal, and David Brumley, "ReDeBug: Finding Unpatched Code Clones in Entire OS Distributions", in Proceedings of the 33rd IEEE Symposium on Security and Privacy, 2012.
Previous Works
TEDEM [3]
- Represents the assembly code (per basic block) as an S-expression (tree structure)
- Uses tree edit distance to locate the reproduced vulnerability
Cross-Architecture Bug Search in Binary Executables [4]
- Targets reproduced vulnerabilities that reside in a different architecture
- Basic block I/O based similarity calculation
Limitation: these cannot detect a reproduced vulnerability when certain types of source code modification (adding multiple lines, I/O change) occur.
[3] Jannik Pewny, Felix Schuster, Lukas Bernhard, Thorsten Holz, Christian Rossow, "Leveraging semantic signatures for bug search in binary programs", Annual Computer Security Applications Conference, New Orleans, USA, December 2014.
[4] Jannik Pewny, Behrad Garmany, Robert Gawlik, Christian Rossow, Thorsten Holz, "Cross-Architecture Bug Search in Binary Executables", 36th IEEE Symposium on Security and Privacy (Oakland), San Jose, May 2015.
Approach (Overview)
Calculate the similarity between assembly code sequences by using a similar-string search algorithm.
Workflow
1. Disassemble & Normalization
2. Similarity Calculation
3. Discriminate "patched" or "unpatched"
4. Check Attack Vector (future work)
[Figure: both inputs are normalized instruction strings, then compared]
  Unpatched part assembly:  push REG / mov REG REG / mov REG VAL / call MEM / ...
  Target binary assembly:   mov REG REG / push REG / mov REG REG / push REG / push REG / mov REG MEM / mov REG MEM / lea REG MEM / ...
  Similarity calculation → Similarity 80% → Same vulnerability?
Approach: 1. Disassemble & Normalization
Disassemble
- Binary file (unpatched vulnerability)
- Target binary file
Normalization (operand)
Different assembly (operands) is generated even when the source code is the same (see the two examples below), so each operand is replaced by its class:
  REG  Register
  MEM  Memory
  VAL  Immediate value
  Before         After
  mov eax ecx    mov REG REG
Example 1: the call target differs between original and copy
  Original             Copy
  shr rdx,1            shr rdx,1
  lea rdi,[rdx+0x4]    lea rdi,[rdx+0x4]
  call 3f3d0           call 41d630
Example 2: the register allocation differs between original and copy
  Original          Copy
  xor ebx, ebx      xor r12d, r12d
  add rsp, 38h      add rsp, 38h
  mov eax, ebx      mov eax, r12d
  pop rbx           pop rbx
  pop rbp           pop rbp
  pop r12           pop r12
  pop r13           pop r13
  retn              retn
Approach: 2. Similarity Calculation
[Figure: unpatched-part assembly (push REG / mov REG REG / mov REG VAL / call MEM / ...) and target-binary assembly (mov REG REG / push REG / mov REG REG / push REG / push REG / mov REG MEM / mov REG MEM / lea REG MEM / ...) → similarity calculation → Similarity N%]
- Needleman-Wunsch (semi-global alignment algorithm), a similar-string search algorithm used in bioinformatics
  → apply an "affine gap penalty"
Approach: Why Needleman-Wunsch?
Three alignment algorithms, compared on String1 (source) and String2 (dest):
- LCS (global alignment): searches for the similar region between the two given strings as a whole
- Smith-Waterman (local alignment): searches for all similar parts between the two given strings
- Needleman-Wunsch (semi-global alignment): searches for the region (in String2) that best matches String1
[Figure: in each case String1 (mov REG REG / mov REG REG / call MEM / test REG REG) is aligned against String2 (push REG REG / push REG REG / call MEM / test REG REG / jmp MEM / xor REG REG / pop REG / pop REG / ...)]
Needleman-Wunsch is the most suitable: the whole of String1 (the unpatched part) is matched against the best-fitting region of String2 (the target function).
Approach: Score Calculation
$$\text{Similarity} = \frac{\text{Score of Most Similar Part}}{\text{Maximum Score (All Matched Case)}}$$
Needleman-Wunsch (normal gap)
  match         +2 points
  mismatch      -2 points
  gap           -1 point
Needleman-Wunsch (affine gap)
  match         +2 points
  mismatch      -2 points
  open gap*     -3 points
  extended gap  -0.5 points
* Open gap: the first gap of a run of multiple gaps. The affine scheme distinguishes it from the gaps that extend the run.
[Figure: an alignment of "pop rax" / "push rcx" / "call rax" instruction strings with each position coloured as match, mismatch or gap]
Approach: Score Calculation (Matrix Calculation Formula)
A → Unpatched Part Assembly, B → Target Binary Assembly, with |A| = M and |B| = N:
$$A = a_1^M = a_1, a_2, a_3 \dots a_M, \qquad B = b_1^N = b_1, b_2, b_3 \dots b_N$$
$$s(a_i, b_j) = \begin{cases} match & \text{if } a_i = b_j, \\ mismatch & \text{otherwise.} \end{cases}$$
Calculate the score matrices X, Y, Z (here $o$ and $e$ stand for the open-gap and extended-gap penalties of the previous slide):
$$X = (x_{ij}), \quad Y = (y_{ij}), \quad Z = (z_{ij}), \qquad 0 \le i < M,\; 0 \le j < N$$
$$x_{ij} = \begin{cases} 0 & \text{if } i = 0 \text{ and } j \ne 0, \\ i \times mismatch & \text{if } j = 0, \\ \max\{\, x_{i-1,j-1} + s(a_i, b_j),\; y_{i,j},\; z_{i,j} \,\} & \text{otherwise.} \end{cases}$$
$$y_{ij} = \begin{cases} -\infty & \text{if } i = 0, \\ 0 & \text{if } j = 0 \text{ and } i \ne 0, \\ \max\{\, y_{i-1,j} + e,\; x_{i-1,j} + o + e \,\} & \text{otherwise.} \end{cases}$$
$$z_{ij} = \begin{cases} 0 & \text{if } i = 0 \text{ and } j \ne 0, \\ -\infty & \text{if } j = 0, \\ \max\{\, z_{i,j-1} + e,\; x_{i,j-1} + o + e \,\} & \text{otherwise.} \end{cases}$$
Calculate the similarity based on the max score of matrix X:
$$j_{max} = \operatorname*{argmax}_{1 \le j \le N} x_{Mj}$$
Approach: Similarity Calculation Example
Unpatched Part Assembly (A, 5 instructions):
  push REG
  mov REG REG
  mov REG REG
  call MEM
  mov REG REG
Target Binary Assembly (B, 7 instructions):
  mov REG REG
  mov REG REG
  push REG
  push REG
  mov REG REG
  mov REG REG
  call MEM
Matrices X, Y and Z are filled as above; the max score in matrix X is 4.5 p.
All matched case: 2 p × 5 = 10 p, so Similarity = 4.5 / 10 = 45%.
Approach: Affine Gap Penalty
The affine gap penalty mitigates the significant score drop caused by a source code modification.
Source Code (one line added: the "Argument:" printf):
#include <stdio.h>

int main(int argc, char* argv[]){
    if(argc != 2){
        printf("Usage:%s <your name>\n", argv[0]);
        return 1;
    }
    printf("Argument:%d,%s\n", argc, argv[1]);
    printf("Hello World! %s\n", argv[1]);
    return 0;
}
Assembly (adding 1 line of source code = adding 8 lines of assembly code; the 8 added instructions are marked "; added"):
push ebp
mov ebp,esp
and esp,0xfffffff0
sub esp,0x10
cmp DWORD PTR [ebp+0x8],0x2
je 0x8048448 <main+43>
mov eax,DWORD PTR [ebp+0xc]
mov eax,DWORD PTR [eax]
mov DWORD PTR [esp+0x4],eax
mov DWORD PTR [esp],0x8048520
call 0x80482f0 <printf@plt>
mov eax,0x1
jmp 0x8048484 <main+103>
mov eax,DWORD PTR [ebp+0xc]        ; added
add eax,0x4                        ; added
mov eax,DWORD PTR [eax]            ; added
mov DWORD PTR [esp+0x8],eax        ; added
mov eax,DWORD PTR [ebp+0x8]        ; added
mov DWORD PTR [esp+0x4],eax        ; added
mov DWORD PTR [esp],0x8048536      ; added
call 0x80482f0 <printf@plt>        ; added
mov eax,DWORD PTR [ebp+0xc]
add eax,0x4
mov eax,DWORD PTR [eax]
mov DWORD PTR [esp+0x4],eax
mov DWORD PTR [esp],0x8048546
call 0x80482f0 <printf@plt>
mov eax,0x0
leave
ret
Score comparison (22 matching instructions, 8 gaps):
  Normal gap:  22 × 2 = 44, 8 × -1 = -8                       → Total 36 p
  Affine gap:  22 × 2 = 44, 1 × -3 = -3, 7 × -0.5 = -3.5      → Total 37.5 p
Approach: 3. Discriminate "patched" or "unpatched"
Extract the target as a vulnerability candidate when Sim① (unpatched part) > Sim② (patched part).
[Figure: the target-binary assembly (mov REG REG / push REG / mov REG REG / push REG / push REG / mov REG MEM / mov REG MEM / lea REG MEM / ...) is aligned against the unpatched-part assembly (Similarity Calculation ①, Sim①: 80%) and against the patched-part assembly (Similarity Calculation ②, Sim②: 55%). Since Sim① > Sim②, the target is extracted as a reproduced-vulnerability candidate.]
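As an added illustration (not the tool from the talk), the three steps above in one small Python prototype: operand normalization following the REG/MEM/VAL table, the X/Y/Z recurrences of the score calculation with the affine gap penalty, the similarity ratio, and the Sim① > Sim② discrimination rule with the 20% threshold. Mapping control-transfer targets to MEM, clamping negative scores at 0, and the PATCHED stand-in sequence are assumptions of this example.

```python
"""Prototype of the three steps on the slides (operand normalization, semi-global
Needleman-Wunsch with affine gap penalty, patched/unpatched discrimination).
Added illustration; not the authors' tool."""
import re

# Operand classes from the normalization table on the slides.
REG_RE = re.compile(
    r"^(r[abcd]x|r[sd]i|r[sb]p|r(8|9|1[0-5])[dwb]?|e[abcd]x|e[sd]i|e[sb]p"
    r"|[abcd][xlh]|[sd]il?|[sb]pl?|[re]?ip)$", re.I)
VAL_RE = re.compile(r"^-?(0x[0-9a-f]+|[0-9a-f]+h|\d+)$", re.I)
NEG_INF = float("-inf")


def normalize_operand(op, mnemonic):
    """Map one operand to REG / MEM / VAL. Assumption: control-transfer targets
    become MEM, matching the 'call MEM' / 'jmp MEM' strings on the slides."""
    op = op.strip()
    if mnemonic == "call" or mnemonic.startswith("j"):
        return "MEM"
    if op.startswith("[") or "PTR" in op.upper():
        return "MEM"
    if REG_RE.match(op):
        return "REG"
    if VAL_RE.match(op):
        return "VAL"
    return "MEM"  # symbols and labels: treated as memory references


def normalize(line):
    """'mov eax,ecx' -> 'mov REG REG'. Strips '<symbol>' annotations first."""
    line = re.sub(r"<[^>]*>", "", line).strip()
    parts = line.split(None, 1)
    if len(parts) == 1:
        return parts[0].lower()
    mnemonic, rest = parts[0].lower(), parts[1]
    return " ".join([mnemonic] + [normalize_operand(o, mnemonic) for o in rest.split(",")])


def semi_global_affine(a, b, match=2, mismatch=-2, o=-3, e=-0.5):
    """Fill the score matrices X, Y, Z as on the slides: A (unpatched part) must
    be consumed in full, B (target function) may have free leading and trailing
    parts. o/e are the open-gap and extended-gap penalties.
    Returns (max_j x[M][j], j_max)."""
    M, N = len(a), len(b)
    x = [[0.0] * (N + 1) for _ in range(M + 1)]
    y = [[NEG_INF] * (N + 1) for _ in range(M + 1)]
    z = [[NEG_INF] * (N + 1) for _ in range(M + 1)]
    for i in range(1, M + 1):
        x[i][0] = i * mismatch   # unmatched prefix of A is charged as mismatches
        y[i][0] = 0.0
    for j in range(1, N + 1):
        x[0][j] = 0.0            # free leading gap: A may start anywhere in B
        z[0][j] = 0.0
    for i in range(1, M + 1):
        for j in range(1, N + 1):
            s = match if a[i - 1] == b[j - 1] else mismatch
            y[i][j] = max(y[i - 1][j] + e, x[i - 1][j] + o + e)  # skip a_i
            z[i][j] = max(z[i][j - 1] + e, x[i][j - 1] + o + e)  # skip b_j
            x[i][j] = max(x[i - 1][j - 1] + s, y[i][j], z[i][j])
    j_max = max(range(1, N + 1), key=lambda j: x[M][j])
    return x[M][j_max], j_max


def similarity(unpatched, target, match=2, **scores):
    """Score of the most similar part / score of the all-matched case (match * |A|).
    Clamped at 0 here (an assumption) so a hopeless alignment reads as 0%."""
    score, _ = semi_global_affine(unpatched, target, match=match, **scores)
    return max(score, 0.0) / (match * len(unpatched))


def is_candidate(target, unpatched, patched, threshold=0.20):
    """Discrimination rule: extract the target as a reproduced-vulnerability
    candidate when Sim(unpatched) > Sim(patched) and Sim(unpatched) clears the
    threshold (20% in the experiments). Returns (decision, sim_u, sim_p)."""
    sim_u = similarity(unpatched, target)
    sim_p = similarity(patched, target)
    return sim_u > sim_p and sim_u >= threshold, sim_u, sim_p


# Constructed inputs: the 5-instruction unpatched part and the 7-instruction
# target from the worked example, already normalized.
UNPATCHED = ["push REG", "mov REG REG", "mov REG REG", "call MEM", "mov REG REG"]
TARGET = ["mov REG REG", "mov REG REG", "push REG", "push REG",
          "mov REG REG", "mov REG REG", "call MEM"]
# Constructed stand-in for the patched part: the same code with a check inserted
# before the call (test + conditional jump), so it aligns worse against TARGET.
PATCHED = ["push REG", "mov REG REG", "mov REG REG", "test REG REG",
           "jz MEM", "call MEM", "mov REG REG"]

if __name__ == "__main__":
    raw = ["push ebp", "mov eax,DWORD PTR [ebp+0xc]", "call 0x80482f0 <printf@plt>"]
    print([normalize(line) for line in raw])
    print(semi_global_affine(UNPATCHED, TARGET))   # (4.5, 7) -> 4.5 / 10 = 45%
    print(is_candidate(TARGET, UNPATCHED, PATCHED))
```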
Experiment 1 [Overview]
[GOAL] Evaluate the validity of the approach
[Score setting] match 2 p, mismatch -2 p, open gap -3 p, extended gap -0.5 p
(a) Calculate the similarity between the original and the copied binary:
  Vuln1 (CVE-2008-4316) original ↔ Vuln1 (CVE-2008-4316) copy: ?%
  Vuln2 (CVE-2008-5023) original ↔ Vuln2 (CVE-2008-5023) copy: ?%
(b) Calculate the similarity between the original and each dataset binary: ?%
  Dataset (432 binaries): Ubuntu 12.04, /bin and /usr/lib (x86-64/ELF)
Case 1: CVE-2008-4316 (Source Code)
Original [GLib]:
g_base64_encode (const guchar *data, gsize len){
  gchar *out;
  gint state = 0, outlen;
  gint save = 0;
  g_return_val_if_fail (data != NULL, NULL);
  g_return_val_if_fail (len > 0, NULL);
  out = g_malloc (len * 4 / 3 + 4);
  outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save);
  outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save);
  out[outlen] = '\0';
  return (gchar *) out;
}
Copy [Seahorse] (the 2 g_return_val_if_fail lines are deleted):
seahorse_base64_encode (const guchar *data, gsize len){
  gchar *out;
  gint state = 0, outlen;
  gint save = 0;
  out = g_malloc (len * 4 / 3 + 4);
  outlen = seahorse_base64_encode_step (data, len, FALSE, out, &state, &save);
  outlen += seahorse_base64_encode_close (FALSE, out + outlen, &state, &save);
  out[outlen] = '\0';
  return (gchar *) out;
}
Case 2: CVE-2008-5023 (Source Code)
Original [Firefox]:
PRBool nsXBLBinding::AllowScripts(){
  PRBool result;
  mPrototypeBinding->GetAllowScripts(&result);
  …
  nsCOMPtr<nsIDocument> ourDocument;
  mPrototypeBinding->XBLDocumentInfo()->GetDocument(getter_AddRefs(ourDocument));
  PRBool canExecute;
  nsresult rv = mgr->CanExecuteScripts(cx, ourDocument->NodePrincipal(), &canExecute);
  return NS_SUCCEEDED(rv) && canExecute;
}
Copy [Seamonkey] (4 lines are added & 1 line is modified):
PRBool nsXBLBinding::AllowScripts(){
  PRBool result;
  mPrototypeBinding->GetAllowScripts(&result);
  …
  nsCOMPtr<nsIDocument> ourDocument;
  mPrototypeBinding->XBLDocumentInfo()->GetDocument(getter_AddRefs(ourDocument));
  nsIPrincipal* principal = ourDocument->GetPrincipal();
  if (!principal) {
    return PR_FALSE;
  }
  PRBool canExecute;
  nsresult rv = mgr->CanExecuteScripts(cx, principal, &canExecute);
  return NS_SUCCEEDED(rv) && canExecute;
}
Experiment 1 [Result]
CVE-ID         Original  Copy       Similarity (unpatched)  Similarity (patched)  Max similarity (Dataset)
CVE-2008-4316  Glib      Seahorse   60.7%                   11.5%                 9.2%
CVE-2008-5023  Firefox   Seamonkey  68.8%                   38.0%                 9.7%
- The extracted part was the copied vulnerable part
- The similarity against the dataset was at most 9.7%, so the threshold should be around 20%
- Reproduced vulnerabilities were detected in binary executables even though the source code had been modified
Experiment 2 [Overview]
[GOAL] Detect reproduced vulnerabilities in real-world software products
[Score setting] match 2 p, mismatch -2 p, open gap -3 p, extended gap -0.5 p
[Threshold] 20%
21 vulnerabilities × 40945 binary files → similarity ?%
14 vulnerabilities from Windows: CVE-2015-1635, CVE-2014-0301, CVE-2013-5058, CVE-2013-0030, CVE-2011-2005, CVE-2011-0658, CVE-2010-0816, CVE-2010-0028, CVE-2008-4250, CVE-2008-4028, CVE-2007-1794, CVE-2007-0024, CVE-2006-4691, CVE-2006-0021
7 vulnerabilities from OpenSSL: CVE-2015-1793, CVE-2015-1790, CVE-2015-1789, CVE-2015-0292, CVE-2015-0288, CVE-2015-0287, CVE-2015-0286
Binary files from: Windows XP, Windows Vista, Windows 7, Windows 8.1, Windows Server, VirusTotal (NSRL)
Details of the vulnerabilities
14 vulnerabilities from Windows
CVE-ID         Type of Vuln       Function name                   File name
CVE-2015-1635  Integer Overflow   UlpParseRange                   http.sys
CVE-2014-0301  Double Free        LoadJPEGImageNewBuffer          qedit.dll
CVE-2013-5058  Integer Overflow   RFONTOBJ::bTextExtent           win32k.sys
CVE-2013-0030  Buffer Overflow    SavePathSeg                     vgx.dll
CVE-2011-2005  Memory error       AfdJoinLeaf                     afd.sys
CVE-2011-0658  Integer Underflow  _PictLoadMetaFileRaw            oleaut32.dll
CVE-2010-0816  Integer Overflow   CPOP3Transport::ResponseSTAT    inetcomm.dll
CVE-2010-0028  Integer Overflow   CBMPStream::Write               mspaint.exe
CVE-2008-4250  Buffer Overflow    sub_5925A26B                    netapi32.dll
CVE-2008-4028  Buffer Underflow   SrvIssueQueryDirectoryRequest   srv.sys
CVE-2007-1794  Integer Underflow  CDownloadSink::OnDataAvailable  vgx.dll
CVE-2007-0024  Integer Overflow   CVMLRecolorinfo::InternalLoad   vgx.dll
CVE-2006-4691  Buffer Overflow    NetpManageIPCConnect            netapi32.dll
CVE-2006-0021  DoS                IGMPRcvQuery                    tcpip.sys
Details of the vulnerabilities
7 vulnerabilities from OpenSSL
For each vulnerability the unpatched and patched parts were collected, each residing in a single function.
CVE-ID         Type of Vuln          Function name       File name
CVE-2015-1793  Certificate forgery   X509_verify_cert    libeay32.dll
CVE-2015-1790  DoS (Null pointer)    PKCS7_dataDecode    libeay32.dll
CVE-2015-1789  DoS                   X509_cmp_time       libeay32.dll
CVE-2015-0292  Integer Underflow     EVP_DecodeUpdate    libeay32.dll
CVE-2015-0288  DoS (Null pointer)    X509_to_X509_REQ    libeay32.dll
CVE-2015-0287  DoS                   ASN1_item_ex_d2i    libeay32.dll
CVE-2015-0286  DoS                   ASN1_TYPE_cmp       libeay32.dll
Collected binary files
Details of the 40945 binary files
Source               # of files
VirusTotal (NSRL)    7580
Windows XP           3479
Windows Vista        6933
Windows 7            5981
Windows 8.1          5048
Windows Server 2003  3984
Windows Server 2008  7940
Experiment 2 [Result]
Candidates of reproduced vulnerability
CVE-ID         Original                      Copy                             Similarity  Result
CVE-2008-4250  netapi32.dll (5.1.2600.2952)  netlogon.dll (5.2.3790.1830)     37.7%       Reproduced vulnerability
CVE-2011-0658  oleaut32.dll (5.2.3790.4202)  olepro32.dll (6.1.7601.17514)    75.1%       Dead code
CVE-2015-1789  libeay32.dll (0.9.8.31)       JunosPulseVpnBg.dll (1.0.0.206)  43.9%       Reproduced vulnerability
CVE-2015-1793  libeay32.dll (1.0.1.15)       JunosPulseVpnBg.dll (1.0.0.206)  39.0%       No attack vector
CVE-2008-4250 (MS08-067)
Details
- It was a real case of a "reproduced" BoF vulnerability!
- [original] netapi32.dll [copy] netlogon.dll
- The vulnerability which was used by the Conficker worm
[Figure: original and copy of the vulnerable function side by side]
Distribution of the patch
- Patch for netapi32.dll: KB958644, Oct/2008
- Patch for netlogon.dll: KB961853, Jan/2009
The patch distribution dates differ by three months.
CVE-2011-0658 (MS11-038)
Details
- [original] oleaut32.dll [copy] olepro32.dll
- Integer underflow vulnerability
- The vulnerable part was dead code (function forwarding)
[Figure: original and copy side by side]
CVE-2015-1789 (OpenSSL)
Details
- [original] libeay32.dll [copy] JunosPulseVpnBg.dll
- Used by the "Windows In-Box Junos Pulse Client (VPN client)"*; originally used by the Pulse Client
* "Microsoft Windows 8.1 introduced Junos Pulse client as part of the Windows operating system. (Microsoft calls this an 'in-box' application.)" [5]
[5] Windows In-Box Junos Pulse Client Quick Start Guide, https://www.juniper.net/techpubs/software/pulse/guides/j-pulse-windows-inbox-client-qsg.pdf
[Figure: original and copy side by side]
Vendor advisory: Pulse (Desktop) Client: Resolved in 5.0R13/5.1R5 (CVE-2015-1789) → the copied code was vulnerable
Vulnerability fixed date
- Vulnerability fixed (OpenSSL): June/2015
- When I found the vulnerability: July/2015
- Update released (Pulse Secure): Aug/2015
The fixed dates differ by two months.
CVE-2015-1793 (OpenSSL)
Details
- Alternative chain certificate forgery
- [original] libeay32.dll [copy] JunosPulseVpnBg.dll
[Figure: original and copy side by side]
Vendor statement (no attack vector): "This issue does not affect Pulse Secure products as it only exists in very recent version of OpenSSL code that we do not utilize"
Conclusion & Future Work
Conclusion
- The proposed method can detect reproduced vulnerabilities in binary files, even when the source code was modified
- Found real-world reproduced vulnerabilities!
Future Work
- Consider a method which can find whether an attack vector exists or not
- Consider a method which can detect a reproduced vulnerability that resides in multiple functions
nakajima.asuka@lab.ntt.co.jp
Q&A
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

[PHDays] If You Find One, There are Probably More!: A Detection Method of "Reproduced" Vulnerability

  • 1. If You Find One, There are Probably More!: A Detection Method of "Reproduced" Vulnerability
    Asuka Nakajima @ Positive Hack Days VI
  • 2. Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential
    # whoami
    Asuka Nakajima
    - Researcher at NTT Secure Platform Laboratories
    - Vulnerability Discovery / Reverse Engineering
    Organizer of SECCON CTF
    - Thank you for playing SECCON CTF
    Founder of "CTF for GIRLS"
    - The first security engineer community for women in Japan
  • 3. What is a "reproduced" vulnerability?
    A vulnerability which is copied to other source code or software for some reason (figure: the vulnerable part of Software 1 is copied into Software 2).
  • 4. Why does it happen?
    - Copy & Paste (Source A → Ctrl + C / Ctrl + V → Source B)
    - Source Code Sharing
    - Fork Project
  • 6. The risk of reproduced vulnerability
    Patch distribution for a reproduced vulnerability (figure: Software 1 and Software 2 on a time line; after a new vulnerability is discovered, the patch for Software 1 is distributed while Software 2 stays vulnerable until its own patch is distributed).
    - The patch release dates differ by a maximum of 118 days [1]
    - An attacker can analyze the patch and develop exploit code for the unpatched one
    [1] A. Nappa, R. Johnson, L. Bilge, J. Caballero, and T. Dumitraș, "The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching," in IEEE Symposium on Security and Privacy, San Jose, CA, 2015.
  • 7. About the research
    Source code based approach? (e.g. ReDeBug [2])
    - Cannot be applied to proprietary software products
    → A detection method that targets binary executables is necessary
    [2] Jiyong Jang, Abeer Agrawal, and David Brumley, "ReDeBug: Finding Unpatched Code Clones in Entire OS Distributions," in Proceedings of the 33rd IEEE Symposium on Security and Privacy, 2012.
  • 8. Previous Works
    TEDEM [3]
    - Represents the assembly code (per basic block) as an S-expression (tree structure)
    - Uses tree edit distance to identify the reproduced vulnerability
    Cross-Architecture Bug Search in Binary Executables [4]
    - Targets reproduced vulnerabilities which reside in a different architecture
    - Basic-block I/O based similarity calculation
    Limitation: neither can detect a reproduced vulnerability when some types of source code modification (adding multiple lines, I/O change) occur.
    [3] Jannik Pewny, Felix Schuster, Lukas Bernhard, Thorsten Holz, Christian Rossow, "Leveraging semantic signatures for bug search in binary programs," Annual Computer Security Applications Conference, New Orleans, USA, December 2014.
    [4] Jannik Pewny, Behrad Garmany, Robert Gawlik, Christian Rossow, Thorsten Holz, "Cross-Architecture Bug Search in Binary Executables," 36th IEEE Symposium on Security and Privacy (Oakland), San Jose, May 2015.
  • 9. Approach (Overview)
    Calculate the similarity between assembly code sequences by using a similar-string-search algorithm.
    Workflow:
    1. Disassemble & normalization: unpatched-part assembly (e.g. push REG / mov REG REG / mov REG VAL / call MEM / ...) and target-binary assembly (e.g. mov REG REG / push REG / mov REG REG / push REG / push REG / mov REG MEM / mov REG MEM / lea REG MEM / ...)
    2. Similarity calculation (e.g. similarity 80%)
    3. Discriminate "patched" or "unpatched": same vulnerability?
    4. Check attack vector (future work)
  • 10. Approach: 1. Disassemble & Normalization
    Disassemble the binary file (unpatched vulnerability) and the target binary file.
    Normalization (operand): different assembly (operands) will be generated even if the source code is the same, so each operand is replaced by its class:
    - REG: register
    - MEM: memory
    - VAL: immediate value
    Example: before "mov eax ecx" → after "mov REG REG"
    Example 1 (call target differs):
      Original: shr rdx,1 / lea rdi,[rdx+0x4] / call 3f3d0
      Copy:     shr rdx,1 / lea rdi,[rdx+0x4] / call 41d630
    Example 2 (register allocation differs):
      Original: xor ebx, ebx / add rsp, 38h / mov eax, ebx / pop rbx / pop rbp / pop r12 / pop r13 / retn
      Copy:     xor r12d, r12d / add rsp, 38h / mov eax, r12d / pop rbx / pop rbp / pop r12 / pop r13 / retn
  • 11. Approach: 2. Similarity Calculation
    Compare the unpatched-part assembly with the target-binary assembly and compute a similarity (N%).
    - Needleman-Wunsch (semi-global alignment algorithm): a similar-string-search algorithm which is used in bioinformatics
    - Apply an "affine gap penalty"
  • 12. Approach: Why Needleman-Wunsch?
    Goal: search for the similar region between two given strings (String1 = source, String2 = dest).
    - LCS (global alignment)
    - Smith-Waterman (local alignment): searches all similar parts between the two given strings
    - Needleman-Wunsch (semi-global alignment): searches the region (in String2) that best matches String1
    → Needleman-Wunsch is the most suitable.
  • 13. Approach: Score Calculation
    Similarity = Score of Most Similar Part / Maximum Score (All Matched Case)
    Needleman-Wunsch (normal gap): match +2 points, mismatch -2 points, gap -1 point
    Needleman-Wunsch (affine gap): match +2 points, mismatch -2 points, open gap -3 points, extended gap -0.5 points
    The affine variant distinguishes the gaps: the open gap is the first gap of a run of multiple gaps.
    (figure: an alignment of short pop/push/call sequences marking match, mismatch and gap)
  • 14. Approach: Score Calculation (matrix calculation formula)
    $A = a_1^M = (a_1, a_2, a_3, \dots, a_M)$ → unpatched-part assembly; $B = b_1^N = (b_1, b_2, b_3, \dots, b_N)$ → target-binary assembly; $|A| = M$, $|B| = N$.
    $$ s(a_i, b_j) = \begin{cases} match & \text{if } a_i = b_j, \\ mismatch & \text{otherwise.} \end{cases} $$
    Calculate the score matrices X, Y, Z ($o$: open-gap penalty, $e$: extended-gap penalty from the previous slide):
    $$ X = (x_{ij}),\quad Y = (y_{ij}),\quad Z = (z_{ij}),\qquad 0 \le i \le M,\; 0 \le j \le N $$
    $$ x_{ij} = \begin{cases} 0 & \text{if } i = 0 \text{ and } j \ne 0, \\ i \times mismatch & \text{if } j = 0, \\ \max\left(x_{i-1,j-1} + s(a_i, b_j),\; y_{i,j},\; z_{i,j}\right) & \text{otherwise.} \end{cases} $$
    $$ y_{ij} = \begin{cases} -\infty & \text{if } i = 0, \\ 0 & \text{if } j = 0 \text{ and } i \ne 0, \\ \max\left(y_{i-1,j} + e,\; x_{i-1,j} + o + e\right) & \text{otherwise.} \end{cases} $$
    $$ z_{ij} = \begin{cases} 0 & \text{if } i = 0 \text{ and } j \ne 0, \\ -\infty & \text{if } j = 0, \\ \max\left(z_{i,j-1} + e,\; x_{i,j-1} + o + e\right) & \text{otherwise.} \end{cases} $$
    $$ j_{max} = \operatorname*{argmax}_{1 \le j \le N} x_{Mj} $$
    Calculate the similarity based on the max score of matrix X.
  • 15. Approach: worked example
    Unpatched-part assembly: push REG / mov REG REG / mov REG REG / call MEM / mov REG REG
    Target-binary assembly: mov REG REG / mov REG REG / push REG / push REG / mov REG REG / mov REG REG / call MEM
    (figure: matrices X, Y and Z for the two sequences)
    Max score 4.5p; all matched case 2p × 5 = 10; Similarity = 4.5 / 10 = 45%
  • 16. Approach: affine gap penalty
    The affine gap penalty can mitigate the significant score drop due to source code modification.
    Source code:
      #include <stdio.h>
      int main(int argc, char* argv[]){
          if(argc != 2){
              printf("Usage:%s <your name>\n", argv[0]);
              return 1;
          }
          printf("Argument:%d,%s\n", argc, argv[1]);   /* the added line */
          printf("Hello World! %s\n", argv[1]);
          return 0;
      }
    Assembly:
      push ebp
      mov ebp,esp
      and esp,0xfffffff0
      sub esp,0x10
      cmp DWORD PTR [ebp+0x8],0x2
      je 0x8048448 <main+43>
      mov eax,DWORD PTR [ebp+0xc]
      mov eax,DWORD PTR [eax]
      mov DWORD PTR [esp+0x4],eax
      mov DWORD PTR [esp],0x8048520
      call 0x80482f0 <printf@plt>
      mov eax,0x1
      jmp 0x8048484 <main+103>
      mov eax,DWORD PTR [ebp+0xc]
      add eax,0x4
      mov eax,DWORD PTR [eax]
      mov DWORD PTR [esp+0x8],eax
      mov eax,DWORD PTR [ebp+0x8]
      mov DWORD PTR [esp+0x4],eax
      mov DWORD PTR [esp],0x8048536
      call 0x80482f0 <printf@plt>
      mov eax,DWORD PTR [ebp+0xc]
      add eax,0x4
      mov eax,DWORD PTR [eax]
      mov DWORD PTR [esp+0x4],eax
      mov DWORD PTR [esp],0x8048546
      call 0x80482f0 <printf@plt>
      mov eax,0x0
      leave
      ret
    Adding 1 line of source code = adding 8 lines of assembly code.
    - Normal gap: 22 × 2 = 44, 8 × -1 = -8 → total 36p
    - Affine gap: 22 × 2 = 44, 1 × -3 = -3, 7 × -0.5 = -3.5 → total 37.5p
  • 17. Approach: 3. Discriminate "patched" or "unpatched"
    Similarity Calculation ①: unpatched-part assembly vs target-binary assembly → Sim① (e.g. 80%)
    Similarity Calculation ②: patched-part assembly vs target-binary assembly → Sim② (e.g. 55%)
    Extract the target as a vulnerability candidate when the unpatched part (Sim①) > the patched part (Sim②).
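    The three steps above, implemented as an added Python example (not code from the talk or from NTT; the register list in the operand classifier and its rules for branch targets and symbols are assumptions, since the slides only name the classes REG/MEM/VAL). The alignment follows the slide-14 recurrences, so the first gap of a run costs o + e; on the slide-15 sequences it returns the score 4.5 (45%), and passing gap_open=0, gap_ext=-1 gives the normal-gap scoring for comparison.

```python
import re

# Scoring from slide 13: match +2, mismatch -2, open gap o = -3, extended gap
# e = -0.5.  The slide-14 recurrences charge o + e for the first gap of a run.
MATCH, MISMATCH, GAP_OPEN, GAP_EXT = 2.0, -2.0, -3.0, -0.5
NEG_INF = float("-inf")
# Assumed operand classifier (the slides only name the classes REG/MEM/VAL):
# x86/x86-64 Intel-syntax register names and immediate formats.
REG_RE = re.compile(r"^(r[a-d]x|r[sb]p|r[sd]i|r(8|9|1[0-5])[bwd]?|e?[a-d]x|e?[sb]p"
                    r"|e?[sd]i|[a-d][lh]|[sd]il|[sb]pl)$", re.I)
NUM_RE = re.compile(r"^-?(0x[0-9a-f]+|[0-9]+|[0-9a-f]+h)$", re.I)

def normalize(line):
    """Step 1 (slide 10): keep the mnemonic, map each operand to REG/MEM/VAL."""
    line = line.split(";")[0].strip()
    if not line:
        return None
    mnemonic, _, rest = line.replace("\t", " ").partition(" ")
    mnemonic, ops = mnemonic.lower(), []
    for op in filter(None, (o.strip() for o in rest.split(","))):
        op = re.sub(r"\b(byte|word|dword|qword)\s+ptr\b", "", op, flags=re.I).strip()
        if "[" in op:
            ops.append("MEM")
        elif REG_RE.match(op):
            ops.append("REG")
        elif mnemonic in ("call", "jmp") or mnemonic.startswith("j"):
            ops.append("MEM")  # branch targets are addresses ("call MEM")
        elif NUM_RE.match(op):
            ops.append("VAL")
        else:
            ops.append("MEM")  # symbols and labels
    return " ".join([mnemonic] + ops)

def normalize_listing(text):
    return [n for n in map(normalize, text.splitlines()) if n]

def align(a, b, gap_open=GAP_OPEN, gap_ext=GAP_EXT):
    """Step 2 (slide 14): semi-global Needleman-Wunsch with affine gaps.  All of
    a (unpatched part) is consumed; b (target) overhangs freely on both sides."""
    m, n = len(a), len(b)
    x = [[0.0] * (n + 1) for _ in range(m + 1)]      # best score ending at (i, j)
    y = [[NEG_INF] * (n + 1) for _ in range(m + 1)]  # ...ending with a_i in a gap
    z = [[NEG_INF] * (n + 1) for _ in range(m + 1)]  # ...ending with b_j in a gap
    for i in range(1, m + 1):
        x[i][0], y[i][0] = i * MISMATCH, 0.0         # unaligned prefix of a
    for j in range(1, n + 1):
        z[0][j] = 0.0                                 # free leading overhang of b
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            y[i][j] = max(y[i - 1][j] + gap_ext, x[i - 1][j] + gap_open + gap_ext)
            z[i][j] = max(z[i][j - 1] + gap_ext, x[i][j - 1] + gap_open + gap_ext)
            s = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            x[i][j] = max(x[i - 1][j - 1] + s, y[i][j], z[i][j])
    return max(x[m][1:]) if n else x[m][0]           # max_j x_Mj: free trailing overhang

def similarity(unpatched, target, **gap):
    """Score of the most similar part over the all-matched score (2 x M)."""
    return align(unpatched, target, **gap) / (MATCH * len(unpatched)) if unpatched else 0.0

def is_candidate(unpatched, patched, target, threshold=0.20):
    """Step 3 (slide 17): candidate if the target resembles the unpatched code
    more than the patched code and clears the ~20% threshold of experiment 1."""
    sim_u, sim_p = similarity(unpatched, target), similarity(patched, target)
    return sim_u > sim_p and sim_u >= threshold, sim_u, sim_p

# Constructed raw listings that normalize to the slide-15 sequences (5 vs 7 lines).
UNPATCHED = normalize_listing("push rbx\nmov rax,rdi\nmov rdx,rsi\ncall 3f3d0\nmov rcx,rax")
TARGET = normalize_listing("mov rbp,rsp\nmov rax,rdi\npush r12\npush rbx\n"
                           "mov rax,rdi\nmov rdx,rsi\ncall 41d630")
```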
  • 18. Experiment 1 [Overview]
    [GOAL] Evaluate the validity of the approach
    - Calculate the similarity between the original and the copied binary (Vuln1 CVE-2008-4314 original vs copy, Vuln2 CVE-2008-5023 original vs copy: ?%)
    - Calculate the similarity between the original and the dataset binaries (Vuln1 / Vuln2 original vs dataset: ?%)
    Dataset (432 binaries): Ubuntu 12.04 /bin, /usr/lib (x86-64/ELF)
    [Score setting] Match 2p, Mismatch -2p, Open gap -3p, Extended gap -0.5p
  • 19. Case 1: CVE-2008-4316 (Source Code)
    Original [GLib]:
      g_base64_encode (const guchar *data, gsize len){
          gchar *out;
          gint state = 0, outlen;
          gint save = 0;
          g_return_val_if_fail (data != NULL, NULL);
          g_return_val_if_fail (len > 0, NULL);
          out = g_malloc (len * 4 / 3 + 4);
          outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save);
          outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save);
          out[outlen] = '\0';
          return (gchar *) out;
      }
    Copy [Seahorse]:
      seahorse_base64_encode (const guchar *data, gsize len){
          gchar *out;
          gint state = 0, outlen;
          gint save = 0;
          out = g_malloc (len * 4 / 3 + 4);
          outlen = seahorse_base64_encode_step (data, len, FALSE, out, &state, &save);
          outlen += seahorse_base64_encode_close (FALSE, out + outlen, &state, &save);
          out[outlen] = '\0';
          return (gchar *) out;
      }
    2 lines are deleted (the two g_return_val_if_fail checks).
  • 20. Case 2: CVE-2008-5023 (Source Code)
    Original [Firefox]:
      PRBool nsXBLBinding::AllowScripts(){
          PRBool result;
          mPrototypeBinding->GetAllowScripts(&result);
          …
          nsCOMPtr<nsIDocument> ourDocument;
          mPrototypeBinding->XBLDocumentInfo()->GetDocument(getter_AddRefs(ourDocument));
          PRBool canExecute;
          nsresult rv = mgr->CanExecuteScripts(cx, ourDocument->NodePrincipal(), &canExecute);
          return NS_SUCCEEDED(rv) && canExecute;
      }
    Copy [Seamonkey]:
      PRBool nsXBLBinding::AllowScripts(){
          PRBool result;
          mPrototypeBinding->GetAllowScripts(&result);
          …
          nsCOMPtr<nsIDocument> ourDocument;
          mPrototypeBinding->XBLDocumentInfo()->GetDocument(getter_AddRefs(ourDocument));
          nsIPrincipal* principal = ourDocument->GetPrincipal();
          if (!principal) {
              return PR_FALSE;
          }
          PRBool canExecute;
          nsresult rv = mgr->CanExecuteScripts(cx, principal, &canExecute);
          return NS_SUCCEEDED(rv) && canExecute;
      }
    4 lines are added & 1 line is modified.
  • 21. Experiment 1 [Result]
    CVE-ID        | Original | Copy      | Similarity (unpatched) | Similarity (patched) | Max similarity (dataset)
    CVE-2008-4316 | Glib     | Seahorse  | 60.7%                  | 11.5%                | 9.2%
    CVE-2008-5023 | Firefox  | Seamonkey | 68.8%                  | 38.0%                | 9.7%
    - The extracted part was the copied vulnerable part
    - Detected the reproduced vulnerability in binary executables, even though there was source code modification
    - The maximum similarity within the dataset was 9.7%, so the threshold should be around 20%
  • 22. Experiment 2 [Overview]
    [GOAL] Detect reproduced vulnerabilities in real-world software products
    21 vulnerabilities vs 40945 binary files
    - 14 vulnerabilities from Windows: CVE-2015-1635, CVE-2014-0301, CVE-2013-5058, CVE-2013-0030, CVE-2011-2005, CVE-2011-0658, CVE-2010-0816, CVE-2010-0028, CVE-2008-4250, CVE-2008-4028, CVE-2007-1794, CVE-2007-0024, CVE-2006-4691, CVE-2006-0021
    - 7 vulnerabilities from OpenSSL: CVE-2015-1793, CVE-2015-1790, CVE-2015-1789, CVE-2015-0292, CVE-2015-0288, CVE-2015-0287, CVE-2015-0286
    - Binary files: Windows XP, Windows Vista, Windows 7, Windows 8.1, Windows Server, VirusTotal (NSRL)
    [Score setting] match 2p, mismatch -2p, open gap -3p, extended gap -0.5p
    [Threshold] 20%
  • 23. Details of the vulnerabilities: 14 vulnerabilities from Windows
    CVE-ID        | Type of Vuln      | Function name                  | File name
    CVE-2015-1635 | Integer Overflow  | UlpParseRange                  | http.sys
    CVE-2014-0301 | Double Free       | LoadJPEGImageNewBuffer         | qedit.dll
    CVE-2013-5058 | Integer Overflow  | RFONTOBJ::bTextExtent          | win32k.sys
    CVE-2013-0030 | Buffer Overflow   | SavePathSeg                    | vgx.dll
    CVE-2011-2005 | Memory error      | AfdJoinLeaf                    | afd.sys
    CVE-2011-0658 | Integer Underflow | _PictLoadMetaFileRaw           | oleaut32.dll
    CVE-2010-0816 | Integer Overflow  | CPOP3Transport::ResponseSTAT   | inetcomm.dll
    CVE-2010-0028 | Integer Overflow  | CBMPStream::Write              | mspaint.exe
    CVE-2008-4250 | Buffer Overflow   | sub_5925A26B                   | netapi32.dll
    CVE-2008-4028 | Buffer Underflow  | SrvIssueQueryDirectoryRequest  | srv.sys
    CVE-2007-1794 | Integer Underflow | CDownloadSink::OnDataAvailable | vgx.dll
    CVE-2007-0024 | Integer Overflow  | CVMLRecolorinfo::InternalLoad  | vgx.dll
    CVE-2006-4691 | Buffer Overflow   | NetpManageIPCConnect           | netapi32.dll
    CVE-2006-0021 | DoS               | IGMPRcvQuery                   | tcpip.sys
  • 24. Details of the vulnerabilities: 7 vulnerabilities from OpenSSL
    Collected the unpatched & patched parts which reside in a single function.
    CVE-ID        | Type of Vuln        | Function name    | File name
    CVE-2015-1793 | Certificate forgery | X509_verify_cert | libeay32.dll
    CVE-2015-1790 | DoS (Null pointer)  | PKCS7_dataDecode | libeay32.dll
    CVE-2015-1789 | DoS                 | X509_cmp_time    | libeay32.dll
    CVE-2015-0292 | Integer Underflow   | EVP_DecodeUpdate | libeay32.dll
    CVE-2015-0288 | DoS (Null pointer)  | X509_to_X509_REQ | libeay32.dll
    CVE-2015-0287 | DoS                 | ASN1_item_ex_d2i | libeay32.dll
    CVE-2015-0286 | DoS                 | ASN1_TYPE_cmp    | libeay32.dll
  • 25. Collected binary files: details of the 40945 binary files
    Source              | # of files
    VirusTotal (NSRL)   | 7580
    Windows XP          | 3479
    Windows Vista       | 6933
    Windows 7           | 5981
    Windows 8.1         | 5048
    Windows Server 2003 | 3984
    Windows Server 2008 | 7940
  • 26. Experiment 2 [Result]: candidates of reproduced vulnerability
    CVE-ID        | Original                     | Copy                            | Similarity | Result
    CVE-2008-4250 | netapi32.dll (5.1.2600.2952) | netlogon.dll (5.2.3790.1830)    | 37.7%      | ✓
    CVE-2011-0658 | oleaut32.dll (5.2.3790.4202) | olepro32.dll (6.1.7601.17514)   | 75.1%      | ✗ (dead code)
    CVE-2015-1789 | libeay32.dll (0.9.8.31)      | JunosPulseVpnBg.dll (1.0.0.206) | 43.9%      | ✓
    CVE-2015-1793 | libeay32.dll (1.0.1.15)      | JunosPulseVpnBg.dll (1.0.0.206) | 39.0%      | ✗ (no attack vector)
  • 27. CVE-2008-4520 (MS08-067) Details
    - It was a real case of a "reproduced" BoF vulnerability!
    - [original] netapi32.dll, [copy] netlogon.dll (figure: original vs copy)
    → The vulnerability which was used by the Conficker worm
  • 28. CVE-2008-4520 (MS08-067) Distribution of the patch
    - Patch for netapi32.dll: KB958644 (Oct/2008)
    - Patch for netlogon.dll: KB961853 (Jan/2009)
    The patch distribution dates differ by three months.
  • 29. CVE-2011-0658 (MS11-038) Details
    - [original] oleaut32.dll, [copy] olepro32.dll (figure: original vs copy)
    - Integer underflow vulnerability
    - The vulnerable part was dead code (function forwarding)
  • 30. CVE-2015-1789 (OpenSSL) Details
    - [original] libeay32.dll, [copy] JunosPulseVpnBg.dll
    - Originally used by the Pulse Client
    - Used by the "Windows In-Box Junos Pulse Client (VPN Client)": "Microsoft Windows 8.1 introduced Junos Pulse client as part of the Windows operating system. (Microsoft calls this an 'in-box' application.)" [5]
    [5] Windows In-Box Junos Pulse Client Quick Start Guide, https://www.juniper.net/techpubs/software/pulse/guides/j-pulse-windows-inbox-client-qsg.pdf
  • 31. CVE-2015-1789 (OpenSSL)
    (figure: original vs copy)
  • 32. CVE-2015-1789 (OpenSSL)
    Pulse (Desktop) Client: Resolved in 5.0R13/5.1R5 (CVE-2015-1789) → the shipped version was vulnerable
  • 33. CVE-2015-1789 (OpenSSL) Vulnerability fixed date
    - Vulnerability fixed (OpenSSL): June/2015
    - When I found the vulnerability: July/2015
    - Update released (Pulse Secure): Aug/2015
    The fixed dates differ by two months.
  • 34. CVE-2015-1793 (OpenSSL) Details
    - Alternative chain certificate forgery
    - [original] libeay32.dll, [copy] JunosPulseVpnBg.dll (figure: original vs copy)
  • 35. CVE-2015-1793 (OpenSSL)
    Vendor statement: "This issue does not affect Pulse Secure products as it only exists in very recent version of OpenSSL code that we do not utilize"
  • 36. Conclusion & Future Work
    Conclusion
    - The proposed method can detect reproduced vulnerabilities in binary files, even when there was source code modification
    - Found real-world reproduced vulnerabilities!
    Future Work
    - Consider a method which can find whether an attack vector exists or not
    - Consider a method which can detect reproduced vulnerabilities that reside in multiple functions