Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.
What Happens In Windows 7
Stays In Windows 7
Moti Joseph & Marion Marschalek
Troopers Conference 2014
About Us
Moti Joseph
Security Researcher
Marion Marschalek
Malware Analyst
Agenda
• Vulnerabilities
• Automated Vulnerability Search
• An Approach
• A Solution as Proof of Concept
• Demo ;)
• Whats...
Intro
Got a bug
in your
software?
Can I haz it??
Chuck Norris On Security.
Vulnerabilities are software mistakes in
specification and design, but mostly mistakes in
progra...
How to find vulnerabilities?
• Application Penetration Testing
• Fuzzing
• Reverse Engineering
• Source Code Review
• Or.....
Who is interested in
finding them?
Hackers
Software Companies
Criminals
Governments
Media
How much does a
0-day vulnerability cost?
TROOPERS 2014
“White Market”
When or why to sell to white market?
TROOPERS 2014
“BlackMarket”
Broker?
Money?
Trust?
TROOPERS 2014
What happens when
you sell to the
black market?
TROOPERS 2014
And why automate it?
It‘s faster!!
–The hacker – can break more
–The software company – can fix faster
–Criminals – can ma...
The
Approach
What happens in Windows7
stays in Windows7...
Win7 Win8
quartz.dll quartz.dll
lea ecx, [ebp+cb]
push ecx
push 4
push eax
m...
Counting Function Calls
Win7 quartz.lib
Win8 quartz.lib
Spot The Patch
Win7 quartz.lib Win8 quartz.lib
TROOPERS 2014
Intsafe.h & Strsafe.h
• Searching for security patches:
–Type Conversion
–Safe Math Functions
–Buffer Boundary Checks on S...
‚Safe Functions‘
UInt8Add
UShortAdd
UIntAdd
ULongAdd
SizeTAdd
ULongLongAdd
UInt8Sub
UShortSub
UIntSub
ULongSub
SizeTSub
UL...
The Approach
Flexible.
Extendible.
Awesome.
Windows Library
Parsing to DB
Checking for
Vulnerability
Decompilation
or Disa...
The
Solution
Pretty, eh??
Getting the .C
Library Conversion using IDA Pro
means: .dll -> .idb -> .c
TROOPERS 2014
Library Parsing
• DiffRay on https://github.com/pinkflawd/DiffRay
• Parses a library / directory of libraries
• Manages li...
The Database
MSSql or SQLite
TROOPERS 2014
Diff it!
• Compare libraries on a function basis
• Extract hits per function per signature
TROOPERS 2014
DiffRay HowTo: Configuration
• signatures.conf – whatever symbols you‘re
searching for
• sig_mappings.conf – mappings for ...
DiffRay HowTo: CMD Parsing
Maintenance:
python [dir]srcMain.py --create-scheme --update-sigs
python [dir]srcMain.py --pars...
DiffRay HowTo: CMD Diffing
Info Output & Diffing:
python [dir]srcMain.py –-search_libs [libname_pattern]
python [dir]srcMa...
DEMO TIME
Findings
Windows 7 (ULongAdd)
bcrypt.dll!ConvertRsaPrivateBlobToFullRsa
Windows 8
bcrypt.dll!ConvertRsaPrivateBlobToFullRsa
Windows 8 (ULongAdd)
netlogon.dll! NlpAddResourceGroupsToSamInfo
Windows 7
netlogon.dll! NlpAddResourceGroupsToSamInfo
Windows 8 /ULongLongToUint
twext.dll! EscapeField
Windows 7 Integer overflow
twext.dll! EscapeField
Drrrivers...
Windows 8
cng.dll! ConvertRsaPrivateBlogToFullRsa
Windows 7
cng.dll! ConvertRsaPrivateBlogToFullRsa
Windows 8
ksecdd.dll! SspiCopyAuthIdentity
Windows 7
ksecdd.dll! SspiCopyAuthIdentity
Windows 8
srvnet.dll!
SrvNetAllocatePoolWithTagPriority
Windows 7
srvnet.dll!
SrvNetAllocatePoolWithTagPriority
Triggerable?
Or not triggerable?
Windows 7
cryptdlg!DecodeAttrSequence
Windows 8
cryptdlg!DecodeAttrSequence
What’s CryptDll.dll??
TROOPERS 2014
StringCchLength
TROOPERS 2014
CryptDecodeObject API
TROOPERS 2014
Certificate DialogBox
TROOPERS 2014
What‘s
Next
Whats Next
• Possible Extensions
– Win8, we‘re coming!!
– Extended signatures
– Symbolic Execution FTW
• Improvements
– Tr...
Happy Diffing.
Troopers Diffray v1.1
Troopers Diffray v1.1
Troopers Diffray v1.1
Nächste SlideShare
Wird geladen in …5
×

Troopers Diffray v1.1

5.406 Aufrufe

Veröffentlicht am

slides from our troopers talk march 2014

Veröffentlicht in: Technologie
  • Login to see the comments

Troopers Diffray v1.1

  1. 1. What Happens In Windows 7 Stays In Windows 7 Moti Joseph & Marion Marschalek Troopers Conference 2014
  2. 2. About Us Moti Joseph Security Researcher Marion Marschalek Malware Analyst
  3. 3. Agenda • Vulnerabilities • Automated Vulnerability Search • An Approach • A Solution as Proof of Concept • Demo ;) • Whats next? TROOPERS 2014
  4. 4. Intro
  5. 5. Got a bug in your software? Can I haz it??
  6. 6. Chuck Norris On Security. Vulnerabilities are software mistakes in specification and design, but mostly mistakes in programming. Any large software package will have thousands of mistakes. Once discovered, they can be used to attack systems. This is the point of security patching: eliminating known vulnerabilities. But many systems don't get patched, so the Internet is filled with known, exploitable vulnerabilities. TROOPERS 2014
  7. 7. How to find vulnerabilities? • Application Penetration Testing • Fuzzing • Reverse Engineering • Source Code Review • Or.. Being more advanced: – Tracking software bugs, introducing bugs into software, reversing security patches TROOPERS 2014
  8. 8. Who is interested in finding them? Hackers Software Companies Criminals Governments Media
  9. 9. How much does a 0-day vulnerability cost? TROOPERS 2014
  10. 10. “White Market” When or why to sell to white market? TROOPERS 2014
  11. 11. “BlackMarket” Broker? Money? Trust? TROOPERS 2014
  12. 12. What happens when you sell to the black market? TROOPERS 2014
  13. 13. And why automate it? It‘s faster!! –The hacker – can break more –The software company – can fix faster –Criminals – can make more money –Governments – can ... [SECRET] –Media – has more to write about TROOPERS 2014
  14. 14. The Approach
  15. 15. What happens in Windows7 stays in Windows7... Win7 Win8 quartz.dll quartz.dll lea ecx, [ebp+cb] push ecx push 4 push eax mov [esi], eax call ?ULongMult@@YGJKKPAK@Z test eax, eax ... push [ebp+cb] ; cb call ds:__imp__CoTaskMemAlloc@4 xor eax, eax inc eax shl eax, cl ... shl eax, 2 push eax ; cb call ds:__imp__CoTaskMemAlloc@4 Patch it! TROOPERS 2014
  16. 16. Counting Function Calls Win7 quartz.lib Win8 quartz.lib
  17. 17. Spot The Patch Win7 quartz.lib Win8 quartz.lib TROOPERS 2014
  18. 18. Intsafe.h & Strsafe.h • Searching for security patches: –Type Conversion –Safe Math Functions –Buffer Boundary Checks on Strings • Set of 130 Signatures of ‚Safe Functions‘ TROOPERS 2014
  19. 19. ‚Safe Functions‘ UInt8Add UShortAdd UIntAdd ULongAdd SizeTAdd ULongLongAdd UInt8Sub UShortSub UIntSub ULongSub SizeTSub ULongLongSub UInt8ToInt8 UInt8ToChar ByteToInt8 ByteToChar ShortToInt8 ShortToUChar ShortToChar UShortToUInt8 UShortToShort IntToInt8 IntToUChar IntToChar StringCbGets StringCbGetsEx StringCbLength StringCbPrintf StringCbPrintfEx StringCbVPrintf StringCbVPrintfEx StringCchCat StringCchCatEx StringCchCatN StringCchCatNEx StringCchCopy ... and many many more .... TROOPERS 2014
  20. 20. The Approach Flexible. Extendible. Awesome. Windows Library Parsing to DB Checking for Vulnerability Decompilation or Disassembly Diffing Library with New Version TROOPERS 2014
  21. 21. The Solution
  22. 22. Pretty, eh??
  23. 23. Getting the .C Library Conversion using IDA Pro means: .dll -> .idb -> .c TROOPERS 2014
  24. 24. Library Parsing • DiffRay on https://github.com/pinkflawd/DiffRay • Parses a library / directory of libraries • Manages libraries , functions and signature hits • Diff libraries functionwise – Based on library ID or library name pattern TROOPERS 2014
  25. 25. The Database MSSql or SQLite TROOPERS 2014
  26. 26. Diff it! • Compare libraries on a function basis • Extract hits per function per signature TROOPERS 2014
  27. 27. DiffRay HowTo: Configuration • signatures.conf – whatever symbols you‘re searching for • sig_mappings.conf – mappings for signatures • logger.conf – logging output and formatting, details to be found at http://docs.python.org/2/howto/logging.html • mssql.conf – MSSql access credentials TROOPERS 2014
  28. 28. DiffRay HowTo: CMD Parsing Maintenance: python [dir]srcMain.py --create-scheme --update-sigs python [dir]srcMain.py --parse [library_path] --os [Win7|Win8] --type [C|LST] python [dir]srcMain.py --dirparse [directory_path] --os [Win7|Win8] --type [C|LST] python [dir]srcMain.py --flushall Switches: --backend [mssql|sqlite] --no-flush TROOPERS 2014
  29. 29. DiffRay HowTo: CMD Diffing Info Output & Diffing: python [dir]srcMain.py –-search_libs [libname_pattern] python [dir]srcMain.py –-lib_all_info [lib_id] python [dir]srcMain.py –-diff --lib_1 [win7lib] --lib_2 [win8lib] python [dir]srcMain.py –-diff_byname [libname_pattern] TROOPERS 2014
  30. 30. DEMO TIME
  31. 31. Findings
  32. 32. Windows 7 (ULongAdd) bcrypt.dll!ConvertRsaPrivateBlobToFullRsa
  33. 33. Windows 8 bcrypt.dll!ConvertRsaPrivateBlobToFullRsa
  34. 34. Windows 8 (ULongAdd) netlogon.dll! NlpAddResourceGroupsToSamInfo
  35. 35. Windows 7 netlogon.dll! NlpAddResourceGroupsToSamInfo
  36. 36. Windows 8 /ULongLongToUint twext.dll! EscapeField
  37. 37. Windows 7 Integer overflow twext.dll! EscapeField
  38. 38. Drrrivers...
  39. 39. Windows 8 cng.dll! ConvertRsaPrivateBlogToFullRsa
  40. 40. Windows 7 cng.dll! ConvertRsaPrivateBlogToFullRsa
  41. 41. Windows 8 ksecdd.dll! SspiCopyAuthIdentity
  42. 42. Windows 7 ksecdd.dll! SspiCopyAuthIdentity
  43. 43. Windows 8 srvnet.dll! SrvNetAllocatePoolWithTagPriority
  44. 44. Windows 7 srvnet.dll! SrvNetAllocatePoolWithTagPriority
  45. 45. Triggerable? Or not triggerable?
  46. 46. Windows 7 cryptdlg!DecodeAttrSequence
  47. 47. Windows 8 cryptdlg!DecodeAttrSequence
  48. 48. What’s CryptDll.dll?? TROOPERS 2014
  49. 49. StringCchLength TROOPERS 2014
  50. 50. CryptDecodeObject API TROOPERS 2014
  51. 51. Certificate DialogBox TROOPERS 2014
  52. 52. What‘s Next
  53. 53. Whats Next • Possible Extensions – Win8, we‘re coming!! – Extended signatures – Symbolic Execution FTW • Improvements – Transparent DB library • Known issues – Duplicate hits, false positives, slooow, output is not handy TROOPERS 2014
  54. 54. Happy Diffing.

×