Let's Make Windows Defender Angry: Antivirus can be an oracle!

Transcript

1. Let's Make Windows Defender Angry: Antivirus can be an oracle!

   Ryo Ichikawa (icchy) CODE BLUE 2019, 10/29

2. Who am I • icchy (a.k.a. t0nk42) • CTF enthusiast

   ◦ TokyoWesterns captain ◦ Web, Forensics • CTF Oraganizer ◦ TokyoWesterns CTF ▪ Challenge authoring, Infrastructure maintainance ◦ CODE BLUE CTF ▪ Bull's Eye system developer

3. Question • Can you point out the vulnerability? ◦ You'll

   know what the vulnerability is after this talk

4. https://www.rambus.com/blogs/an-introduction-to-side-channel-attacks/ Side-channel attack

5. Side-channel attacks basics • Ordinary exploits ◦ Remote Code Execution

   ◦ Path traversal • Side-channel attacks ◦ Leak sensitive data from side-effects everywhere ◦ Spectre: time difference between cache hit ◦ XS-Search: unprocted attributes of JavaScript (ex. iframe.length) ◦ Padding oracle: padding error tell us plain text • They are recovering info from side-effects (i.e. oracles)

6. What is the target of side-channel attack? • CPU ◦

   Spectre • Content auditor ◦ XSS auditor • Crypto ◦ Padding oracle (ex. POODLE) • Hardware ◦ Power analysis

7. Content auditors • Content auditors protect users ◦ XSS Auditor

   ◦ WAF (Web Application Firewall) ◦ Antivirus software • Content auditors know the content to be audited • Content auditors sometimes have evaluation

8. Side-channel attacks against content auditor • XS-Search ◦ Triggering false

   positive for XSS Auditor in Chrome • Reflected XSS would be detected and blocked ◦ http://target/?<script>var secret = '1234';</script> ◦ query malformed url to leak secret ▪ <script>var secret = '1232';</script> ▪ <script>var secret = '1233';</script> ▪ <script>var secret = '1234';</script> blocked! • Let's call this kind of attack Auditor Based Oracle • How about antivirus software?
9. None

10. Antivirus Technologies • one of the most common software we

    use today ◦ Avast ◦ ESET ◦ Kaspersky Security ◦ McAfee ◦ Norton Security ◦ Symantec Endpoint Protection ◦ Trendmicro Virus Buster Cloud ◦ Windows Defender ◦ … • Protect users from malicious attempts by auditing ◦ File content ◦ Network traffics ◦ etc.

11. audit([secret] + [user input])

12. Abusing Antivirus Technologies • What if attacker can control data

    partially? ◦ as saving input with sensitive data ◦ attacker can trigger false positive • [secret] + [user input] => auditor fired? ◦ attacker may leak [secret] by changing [user input] • Antivirus can be an oracle as well! ◦ Various analyzers for contents

13. Abusing Antivirus Technologies • Antivirus Software is blackbox ◦ When

    they work? ◦ What they will do? ◦ How they detect malware? ◦ How is their architecture? ◦ Which files are required to run them? ◦ etc. • Let's dig into Windows Defender ◦ Most popular ◦ Running on Windows by default

14. Windows Defender • What content will be detected as malicious?

    ◦ They have their own malware list ▪ https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes ◦ Probably other vendors have similar ones. ◦ No details published • We need to analyze Windows Defender!

15. Black-box Windows Defender analysis • Run audit process on… ◦

    file access ◦ command execution ◦ if (malicious) ▪ block access from user and notify to user • Analyzers for various content ◦ Encoding ▪ Base64 ◦ Archive, Compression ▪ ZIP, GZip, ... ◦ Executables ▪ PE, WSH (VBS, JScript), … • Black-box analyzing is super tiresome work

16. How to analyze Windows Defender efficiently?

17. Windows Defender analysis is tiresome work • "MpCmdRun.exe" can trigger

    the engine directly ◦ still some issues are there

18. Windows Defender analysis is tiresome work • Unexpected behavior of

    Windows Defender ◦ timing issue ◦ neutralization (deletion) • We have to regenerate payloads ◦ ...bunch of times • No debug information ◦ Hard to know why one is detected or not detected • Any useful tools? ◦ several works are there

19. Windows Defender is ported to Linux! • github.com/taviso/loadlibrary ◦ emulating

    mpengine.dll execution ◦ enables us to do try and error ◦ show us some debug output ~$ ./mpclient ../files/eicar main(): Scanning ../files/eicar... EngineScanCallback(): Scanning input EngineScanCallback(): Threat Virus:DOS/EICAR_Test_File identified. ~$ ./mpclient ../files/eicar.b64 main(): Scanning ../files/eicar.b64... EngineScanCallback(): Scanning input EngineScanCallback(): Scanning input->(Base64) EngineScanCallback(): Threat Virus:DOS/EICAR_Test_File identified.

20. Some tips about taviso/loadlibrary • You can get PDB symbol

    file in older version ◦ refer github.com/0xAlexei/WindowsDefenderTools ◦ MD5=e95d3f9e90ba3ccd1a4b8d63cbd88d1b => 1.271.81.0 ◦ Download older version of mpam-fe.exe then use cabextract ▪ mpengine.dll is core engine • Debug features ◦ enable DEBUG flag to trace API calls inside

21. Windows Defender internals • Windows Defender signature format: *.vdm ◦

    mpasbase.vdm ◦ somehow encrypted • WDExtract would be helpful ◦ github.com/hfiref0x/WDExtract • Let's see the contents decrypted

22. Windows Defender internals • Windows Defender uses Lua

23. Windows Defender internals signature name signature definition (string)

24. Windows Defender internals • handlers for various file format

25. After white-box (?) Windows Defender analysis • Windows Defender has

    JScript analyzer ◦ with DOM API supported • Not just parsing, but also emulating • If JScript calls eval(str) , str would also be audited ◦ eval("EICAR") => detected • What happens if combined

26. Attack to demo application • Simple application for PoC ◦

    GET /?c1=controllable1&c2=controllable2 ▪ save data with simple format ▪ user cannot see the content of Secret ◦ GET /:name ▪ check existence and integrity • How to leak the Secret ?

27. Building exploit • We have Windows Defender emulator! ◦ with

    debug information • JScript eval function also evaluates argument ◦ threat detected if argument contains malicious • eval("EICA" + input) => ? ◦ threat detected → input is "R" ◦ nothing detected → input is not "R"

28. Some issues in JScript engine • if statement will never

    be evaluated ◦ if (true) {eval("EICA" + "R")} → not detected ◦ object accessing will help you: {0: "a", 1: "b", ...}[input] • parser stops on null byte ◦ eval("EICA" + "R[NULL]") → syntax error ◦ how to deal with null bytes?

29. Another feature in mpengine.dll • They can analyze HTML document

    ◦ some html tags would be a trigger (ex. <script>) ◦ parser will not stop on null byte • JScript can access the elements :) ◦ if they have <body> tag ◦ <script>document.body.innerHTML[0]</script><body>[secret]</body> • Now you have an oracle!

30. Building exploit • JavaScript ◦ $idx and $c would be

    iterated • Windows Defender get angry if $c is appropriate • It requires 256 times try for each $idx :( var body = document.body.innerHTML; var eicar = "EICA"; var n = body[$idx].charCodeAt(0); eicar = eicar + String.fromCharCode(n^$c); eval(eicar);

31. Building exploit • much more faster! ◦ Math.min is also

    available, do binary search • $c < [input]: detected • $c > [input]: not detected ◦ then do binary search! var body = document.body.innerHTML; var eicar = "EICA"; var n = body[$idx].charCodeAt(0); eicar = eicar + {$c: 'k'}[Math.min($c, n)]; eval(eicar);

32. Building exploit • Now everything is ready :) ◦ Controllable1:

    <script>...</script><body> ◦ Secret: [secret] ◦ Controllable2: </body> • to get oracle: accessing /:name after querying / ◦ detected → Internal Server Error ◦ not detected → you can see the response ...<script>[script]</script><body>...[secret]...</body>...

33. Demo • AVOracle attack against simple demo application

34. Pros and Cons • Pros ◦ Attacker can use this

    method blindly ◦ No need to know target structure well, just put part of payloads everywhere • Cons ◦ Attacker need to put two pieces of payloads ◦ Only data between payloads would be leaked • Any other variants? ◦ It would be great if there is way to leak previous / following data ◦ No PoC so far

35. Any other victims?

36. Potential victims • So many applications are saving user input

    with sensitive data • Session file ◦ TokyoWesterns CTF 2019 phpnote ◦ leak HMAC secret stored in PHP session (not visible from user) • Log file ◦ Apache, Nginx, IIS • Database ◦ file-based DBMS (ex. SQLite3) • Cache file ◦ browser, byte code cache

37. Antivirus as file modifier • Antivirus deletes / modifies file

    if detected ◦ Windows Defender replaces matched part by spaces (in case of HTML script tag) • Attacker can delete content partially • Even attacker cannot leak data, there might be something to do data<script>eval('EICAR');</script>data data<script> </script>data

38. Wiping out evidence • Attacker can delete part of log

    1. put <script>/* before beginning attack 2. do malicious attempts 3. put */;eval('EICAR');</script> after attack x.x.x.x - - [29/Oct/2019:00:00:00 +0000] "GET /<script>/*" x.x.x.x - - [29/Oct/2019:00:00:10 +0900] "GET /attack.php" ... [some malicious attempts] ... x.x.x.x - - [29/Oct/2019:00:00:00 +0000] "GET /*/;eval('EICAR')</script>"

39. Wiping out evidence • Attacker can delete part of log

    1. put <script>/* before beginning attack 2. do malicious attempts 3. put */;eval('EICAR');</script> after attack x.x.x.x - - [29/Oct/2019:00:00:00 +0000] "GET /<script> </script>"

40. Antivirus as DoS • Deleting matched malicious over structural boundary

    • Structure metadata would be destroyed ◦ replaced by spaces • If two part will not over the boundary ◦ attacker can overwrite other data

41. How about other antivirus?

42. Targeting other antivirus • VirusTotal is the best friend :)

    • Which antivirus suppoorts JScript emulator? ◦ eval('EICA'+'R'); // should be detected ◦ eval('EICA'+'#'); // should not be detected • 4 antivirus passed ◦ Cyren ◦ DrWeb ◦ Microsoft ◦ NANO-Antivirus • TrendMicro ◦ false positive

43. Targeting other antivirus • Further testing • Which antivirus supports

    DOM API? ◦ eval('EICA'+innerHTML[0]);<body>R</body> // should be detected ◦ eval('EICA'+innerHTML[0]);<body>#</body> // should not be detected • Only Microsoft passed ◦ That's why they are vulnerable to AVOracle • SUPERAntiSpyware ◦ false positive

44. Windows Defender is too smart

45. How to prevent this attack? • IMO: no generic way

    to patch ◦ standard behavior, not vulnerability • Disable auditor engine is one way ◦ Chromium XSS auditor is removed ◦ but Microsoft would not remove the engine • Application developers should ... ◦ know about this attack ◦ not save secret with controllable data • … but it is not developer's fault! ◦ Antivirus vendor should take care about that

46. Conclusions • Auditor Based Oracle is everywhere ◦ Antivirus is

    one big example ◦ it would be oracle if it has intelligent engine • Windows Defender is too smarter than other antivirus ◦ resulted in an effective oracle ◦ more smarter engine will get more oracles • Antivirus behavior would be sometimes harmful ◦ not only data leakage, also DoS • DO NOT store any secret surrounded by user input ◦ or your application would be vulnerable to AVOracle

47. Any Questions? @t0nk42 icchy