ZERT Binary Patching Gil Dabah. ZERT Binary Patching Who Am I? “Israeli programmer and reverse...
-
Upload
travon-lord -
Category
Documents
-
view
220 -
download
2
Transcript of ZERT Binary Patching Gil Dabah. ZERT Binary Patching Who Am I? “Israeli programmer and reverse...
ZERT
Binary Patching
Gil Dabah
ZERT Binary Patching
Who Am I?
“Israeli programmer and reverse engineering enthusiast Gil Dabah”, eWeek (09/22/06)
“Israeli reverse-engineering specialist Gil Dabah”, CNET (09/25/06)
Computer’s “Hacker” Programmer, working at DigiCash
[2 of 37]
ZERT Binary Patching
About ZERT
Zero-day Emergency Response Team Zero-day meaning? Foundation Goal Incident-Response
[3 of 37]
Menu
Patching In General VML Vulnerability ANI Vulnerability
ZERT Binary Patching [4 of 37]
ZERT Binary Patching
What is Patching?
Changing an existing software data. That data can be either a code or real data
(strings, structures, etc). Usually the goal is to change behavior. Sometimes you enhance the software. Patching can be done on-disc, or in-memory. Known patching is cracking games/software. …or uncracking software like ZERT does.
[5 of 37]
ZERT Binary Patching
Problems with Patching
Different versions (E.G: 23 versions of VGX). Code changes. Code moves. No room for the extra patching code/data. MS Hot Patching MOV EDI, EDI.
Windows File-Protection.
[6 of 37]
ZERT Binary Patching
Patching Alternatives
Every change affect file integrity.
We want to change as less as possible bytes.
1) PE Patching - add a section/fine a cave. In a short development time it’s not possible to make it reliable. Too big a change. Time consuming.
2) Per Version Patching. Requires all versions. Doesn’t support unknowns.
[7 of 37]
ZERT Binary Patching
Patching Alternatives
3) Using Hot Patching Bytes: A few places to patch (all callers, more signatures). 7 bytes are usually not enough. CC, CC, CC, CC, CC, 8B, FF
4) Spot Patching Simple. Search&replace patching. Not always possible Generic
[8 of 37]
ZERT VML PATCHERSection #1
ZERT Binary Patching [9 of 29]
ZERT Binary Patching
VML
Vector Markup Language An XML language used to produce vector
graphics. Submitted as a proposed standard by MS
and Macromedia in ’98 to the W3C. Eventually rejected. But still in use by Internet Explorer and Office
(and Outlook).
[10 of 37]
ZERT Binary Patching
VML Rendering
[11 of 37]
ZERT Binary Patching
VML Zero-Day
Was first seen in September 2006. Officially on the 19th, but actually before. Adam Thomas, a researcher from Sunbelt
Software, found it ITW. The exploitation downloads a trojan or
adware. For example an adware that downloads and
displays popup advertisements.
[12 of 37]
ZERT Binary Patching
VML Vulnerability
Stack-based buffer overflow in the processing of malformed VML "fill method" attributes.
Affected file: VGX.DLL
(symbol: Ptok@TOKENS@_IE5_SHADETYPE_TEXT). Vulnerable systems: all IE versions, with
latest XP SP 2 patches. Surf and get owned. What if DEP is enabled?
[13 of 37]
ZERT Binary Patching
HTML Exploitation
<html xmlns:v="urn:schemas-microsoft-com:vml"><head>
<style>v\:* { behavior: url(#default#VML);}
</style></head><body><v:rect><v:fill method=“AAAA…></v:fill></v:rect></body></html>
[14 of 37]
ZERT Binary Patching
Vulnerability Point
To locate vulnerable image, simply crash IE. Attack ‘fill method’ with a big buffer, raises
access violation. Writing to a pointer which is found on local
stack. Now that we got the vulnerable function we
start analyzing the code.
[15 of 37]
ZERT Binary Patching
Ptok Function Disassembly
mov dx, [ebx+edx*2]
mov [edi], dx
mov edx, [ecx+VML.szInput]
[16 of 37]
ZERT Binary Patching
Code Analysis
class TOKENS { public:
WCHAR *Ptok(void); private:
LPWSTR szInput; // pointer to input string on heapint nSize; // length of input string (in WCHARs)int idxInput; // index used within the for()loopWCHAR szOutput[256]; // output buffer for string
};
This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 license. By Michael Hale Lee.
[17 of 37]
ZERT Binary Patching
WCHAR *TOKENS::Ptok(void){
register int idxCurr;if (szInput == NULL) return(NULL);
Code Analysis:C++ Translation
for (idxCurr=0; idxInput < nSize && szInput[idxInput] != '\0'; idxInput++) { if (szInput[idxInput] == ' ') { if (idxCurr) break; // Encountered non-leading space else continue; // Encountered leading space } szOutput[idxCurr]=szInput[idxInput]; // Copy the WCHAR idxCurr++; } if (idxCurr > 0) { szOutput[idxCurr]='\0'; // NULL terminate return(szOutput); } return(NULL);}
if (nSize >= 256) {
// Added by the ZERT patch
return(NULL);
}
This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 license. By Michael Hale Lee.[18 of 37]
ZERT Binary Patching
Using Ptok Rather Than strtok
Ptok is an enhanced strtok, using a class and a local storage.
It supports multiple concurrent readings. It doesn’t modify the original string! Tokenize: “We've got explosives!
KABOOOOOM!” Results in: “We’ve”, “got”, “explosives!”,
“KABOOOOOM!” Input string is now nullified: “We’ve\0got\0…
[19 of 37]
ZERT Binary Patching
Writing a Binary Signature
A unique sequence of bytes. Might be masked or not.
“GIF87A”,”GIF89A” “GIF8*A” Must be found the exact times you expect. Genericness is a plus.
[20 of 37]
ZERT Binary Patching
VGX’s Ptok Signature
Ptok is like a library function (very small, used in one place).
No code changes in all versions. Goal: Use the whole function as a signature.
[21 of 37]
ZERT Binary Patching
Compiler’s Bad Day???
>>> import distorm >>> distorm.Decode(0,"\x66\x8b\x14\x53")[0]
[2] 'MOV DX, [EBX+EDX*2]' >>> distorm.Decode(0,"\x0f\xb7\x14\x53")[0]
[2] 'MOVZX EDX, [EBX+EDX*2]'
[22 of 37]
ZERT Binary Patching
Closing The Vulnerability [v1]
;Removed leading space checks,added input-size test.mov edx, [ecx]push ebxpush esixor esi, esicmp edx, esi ; if (szInput == NULL)push edijz short Return ; return NULLcmp dword [ecx+4], 0x100 ; if (nSize >= 0x100)jae Return ; return NULL
[23 of 37]
ZERT Binary Patching
Bypassing WFP
Examining VGX.DLL’s export table: DllCanUnloadNow, DllGetClassObject, DllRegisterServer,
DllUnregisterServer. VGX.DLL is a COM in-proc DLL. Can be registered and unregistered. Anti Virus issues.
[24 of 37]
ZERT Binary Patching
ZERT Patcher
1) Read vgx.dll file to memory.
2) Search for binary signature.
3) Apply patch.
4) Save data to a new file “patchedvgx.dll”.
5) Unregister original “vgx.dll”.
6) Register “patchedvgx.dll”.
* Supports both GUI and Console versions.
[25 of 37]
ZERT Binary Patching
ZERT’s Patch VS. MS’s
MS can simply recompile. We have to:
Make room for the input size test. Preserve functionality.
MS patch: Copy until buffer is full (< 0xfe). Our V1 patch: Don’t copy if length >= 0x100. Patch V2 is MS code but crunched into 0x5b
bytes (from 0x63).
[26 of 37]
ZERT Binary Patching
64 Bits Patching Challenges
Finding VP (Ptok) without Windows 64. RIP Relative. MS code was changed from 32 bits version,
yet unpatched.
[27 of 37]
ZERT Binary Patching
32bits VS 64bits VGX.DLL
[28 of 37]
ZERT Binary Patching
Pre-Patched
Version Compilation Timestamp
Date Pre-Patched?
5.0.3014.1003 0x38439A32 Nov 30 1999 Yes
7.0.5112.0 0x43D80C1D Jan 26 2006 No
7.0.5450.4 0x449C16C7 Jun 23 2006 Yes
[29 of 29]
ZERT ANI PATCHERSection #2
ZERT Binary Patching [30 of 29]
Windows Animated Cursors
It all began in 2005, eEye discovered a vulnerability in USER32.DLL handling .ANI files.
(Incompletely) fixed by MS05-002 – XPSP2 was already immune.
In 2006, a similar vulnerability discovered by Determina (Alexander Sotirov).
Public Disclosure - March 28, 2007.
ZERT Binary Patching [31 of 37]
Bug Description
ANI files store animated cursors. Based on RIFF multimedia file format, which is a series of tagged chunks.
LoadCursorIconFromFileMap only validated the first ‘anih’ size before parsing the rest of the chunks by calling LoadAniIcon.
LoadAniIcon parses the chunks, including ‘anih’. This time without size validation.
ZERT Binary Patching [32 of 37]
Malformed ANI Sample
RIFF....ACONanih
...........$...$
................
........anihX...
AAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAZERT Binary Patching [33 of 37]
First header chunk, so far so good.
Now! this is tricky, oh yeah.
Attack Vectors
Internet Explorer loading HTML file - style="CURSOR: url(‘malformed.ani')“.
Outlook. Windows Explorer.
ZERT Binary Patching [34 of 37]
The Patcher
USER32.DLL – Requires in-memory patching.
Using “Known DLLs” to load our .DLL to every process.
Our DllMain will locate USER32.DLL and find its code section and begin its magic work.
ZERT Binary Patching [35 of 37]
Vulnerable Code - LoadAniIcon
000433E0 038B 75F8 8B45 D83D 7365 7120 0F84 7C01 ..u..E.=seq ..|.
000433F0 0000 3D4C 4953 540F 84CB 0000 003D 7261 ..=LIST......=ra
00043400 7465 0F84 A600 0000 3D61 6E69 680F 85DF te......=anih...
00043410 0000 008D 45B4 508D 45D8 5053 E8E4 FAFF ....E.P.E.PS....
00043420 FF85 C00F 84E7 0100 0083 EC24 6A09 598B ...........$j.Y.
00043430 FC8D 75B4 F3A5 E844 FBFF FF85 C00F 84CA ..u....D........
00043440 0100 008B 45BC 8B7D B88B 35F0 12D4 776A ....E..}..5...wj
ZERT Binary Patching
CMP EAX, ‘ qes’
JZ 0x187
CMP EAX, ‘TSIL’
JZ 0xe1
CMP EAX, ‘etar’
JZ 0xc7
CMP EAX, ‘hina’
JNZ 0x10b
LEA EAX, [EBP-0x4c]
PUSH EAX
LEA EAX, [EBP-0x28]
PUSH EAX
PUSH EBX
CALL Readchunk
[36 of 37]
Runtime Generic Patching
3 X-Refs to the ReadChunk function, only one needs a fix (LoadCursorIconFromFileMap).
Search for a static signature. Look back for another static signature. Disassemble forward until next call is found.
Now that we found the indirectly-call to memcpy, we have to patch it, but how?
ZERT Binary Patching [37 of 37]
The Fix
A pre-compiled version of the ReadChunk function, this time with size validation.
The ReadChunk internally calls to ReadFilePtrCopy, which really copies the data and overflows the stack.
Fix our pre-compiled code to call the correct ReadFilePtrCopy – calculate relative 32 bits offset.
Allocate an executable memory for the new function. Once it’s ready, we can simply relocate the original
vulnerable CALL instruction to our new immune function.
[38 of 37]ZERT Binary Patching
Potential Problems
Multiple threads might run the patched code – we patch only a DWORD.
Searching for a DWORD – must be byte-aligned.
Finding the CALL instruction – a disassembler must be used.
If-then statements code generation – following branches.
[39 of 37]ZERT Binary Patching
The Sad Truths
There is a function which validates the ANI header parameters after it copies it locally.
The VML vulnerability didn’t exist in IE5, which had the size validation of the buffer back then. Probably to code regression it slipped away.
[40 of 37]ZERT Binary Patching
ZERT Binary Patching
Questions???
[41 of 37]
ZERT Binary Patching
The End
Thanks to:
CCCZERT Members
ZERT - http://isotf.org/zerthttp://isotf.org/zert/papers/vml-details-20061004.pdf
http://www.milw0rm.com/exploits/2425 - Exploit POC