[2014 CodeEngn Conference 11] 박세한 - IE 1DAY Case Study KO
IE 1Day Case Study
www.CodeEngn.com, 2014 CodeEngn Conference 11
Contents
* Introduction
* Background
* CVE-2014-0322
* CVE-2014-1776
* Q&A
Introduction
* 박세한
- vulnerability discovery
- exploit development
* 넷가디언 (feat. 김재용)
* Wiseguyz & B10S
Background
* Use-after-free vulnerabilities show up frequently in MS patches.
* Compared with format string bugs (FSB) and buffer overflows (BOF), use-after-free is the common vulnerability class in current software.
Demo!
Background
* Calculator launched from IE?! What happened?
* Working through examples step by step makes even a complex exploit easy to understand.
Background
* Use After Free (Dangling Pointers)
- arises when the behaviour of different parts of a program combine:
- the code that frees an object's memory and the code that accesses the object!!
CVE-2014-0322
STEP 1: minimized POC code
STEP 2: filling a freed object's memory
00410000 = "A"
004100410000 = "AA"
0041004100410000 = "AAA"
eax=0x41414141
STEP 3: memory leak
size      unknown   data1     data2
data3     data4     data5     data6
data..    data..    data..    data..
data..    data..    data..    data..
data1007  data1008  Null      Null
STEP 4: modify object size
0x12120ff1 + 0x10 = 0x12121001
0x000003f0
[edx+esi*4+8], eax
eax = value
esi = offset
edx = buffer
STEP 5: EIP Control
Main Class Object Leak! Free & New Allocation
V-Table Overwrite
Faked V-Table reference
CVE-2014-1776
* A typical UAF vulnerability similar to CVE-2014-0322.
* Exploit code can be written in very much the same way as for CVE-2014-0322.
Workshop
Q&A
Questions? https://withgit.com/hdarwin89/codeengn-2014-ie-1day-case-study