Chun Feng Microsoft Corporation

Presentation Transcript


  1. The Butterfly Effect and the “Shellcode Storm” (Chun Feng, Microsoft Corporation)

  2. Butterfly Effect: a tiny change leads to large-scale alterations.

  3. Butterfly Effect in Computer Security Systems • CVE-2010-1297 • CVE-2010-2884 • CVE-2010-3654 • CVE-2011-0609. Clean SWF file + 1 byte change = Exploit

  4. Adobe Flash is Pervasive: 99% (http://www.adobe.com/products/player_census/flashplayer/)

  5. Attacks on Adobe Flash Player

  6. How an Adobe Flash File Works (diagram: Developer writes ActionScript 3 → Compile → file delivered to the User)

  7. Code Example
     ActionScript 3:
       public function add8(a:int):int { return a+8; }
     Adobe Byte Code (stack machine):
       pushscope
       getlocal_1
       pushbyte 8
       add
       returnvalue
     MIR (intermediate, machine-independent language):
       @5  arg 0
       @10 ldop 4(@5)
       @22 def @10
       @37 use @22 [1]
       @38 imm 8
       @42 add @37 @38
     x86 native code:
       mov eax, 16(ebp)
       mov edx, 4(eax)
       mov -84(ebp), edx
       mov ecx, -84(ebp)
       add ecx, 8
       mov -76(ebp), ecx
       mov eax, -76(ebp)

  8. CVE-2010-1297 Overview. Time: early June 2010. Affected: Adobe Flash Player version <= 10.0.45.2, Adobe Reader version <= 9.3.2. Sample: a 0-day exploit hosted on a web page (malformed SWF + JavaScript heap spray).

  9. CVE-2010-1297 Demo

  10. CVE-2010-1297 Analysis: 1 byte changed in the function public RadioButton.configUI():void
     Clean:      4F D2 02 00   callpropvoid fl.controls:LabelButton.configUI, 0
     Malicious:  40 D2 02      newfunction TextInput:drawBackground
                 00            (the former arg-count byte is now left over)

  11. Debugging Obstacles • PageGuard exception: trouble with OllyDbg; use WinDbg and type the command “sxi gp” (ignore guard-page exceptions) • 15-second timeout • Less intrusive debugging needed: can't use single step / trace! • Must understand the JIT-compiled code

  12. CVE-2010-1297 Analysis • How is the control transferred to shellcode? • The root cause of this vulnerability

  13. Control Transfer Analysis, Method 1 (Quick & Dirty) • Remove the JavaScript heap spray so the exploit crashes instead of running the shellcode • Locate the instruction that causes the crash. Problems: • may not be 100% accurate • doesn't work if the heap spray code is encrypted

  14. Analyze Control Transfer, Method 2 (More Precise). Assumption: control is transferred via a call instruction, so the return address of that call is pushed onto the stack.
       463bd28d ff510c   call dword ptr [ecx+0Ch]   ; [4198000c]=0c050c05
       463bd290 83c40c   add esp,0Ch
     Stack dump at the 1st instruction of the shellcode (address 0c050c05): 463bd290 41980000 00000000 0013e364

  15. Analyze Control Transfer, Method 2 (contd.). At the 1st instruction of the shellcode, the return address is at the top of the stack. Problem: we are unable to stop there: • the address of the shellcode's 1st instruction is not predictable • single step doesn't work (15-second timeout)

  16. Analyze Control Transfer, Method 2 (contd.)
       or al, 5                 ; pseudo-NOP start, ESP = ESP0
       // …
       or al, 5                 ; pseudo-NOP end, ESP = ESP0
       or al, 0Ch               ; 1st instruction of shellcode, ESP = ESP0
       // … more code (more bytes pushed onto the stack)
       call URLDownloadToFileA  ; ESP = ESP1
     Stack: ESP1 points at the current top; ESP0 points at the return address of the original call. delta = ESP0 - ESP1 is calculable from the shellcode! Put a breakpoint on URLDownloadToFileA(), then calculate ESP0 = ESP1 + delta.

  17. Control Transfer Analysis Demo

  18. Control Transfer Found!
       463bd270 mov ecx, dword ptr [ebx+34h]   ; [431492b4]=4313e080
       463bd276 mov edx, dword ptr [ecx+8]     ; [4313e088]=42fb208a
       463bd27b mov ecx, dword ptr [edx+284h]  ; [42fb230e]=41980000
       463bd28d call dword ptr [ecx+0Ch]       ; [4198000c]=0c050c05

  19. CVE-2010-1297 Analysis • How is the control transferred to shellcode? • The root cause of this vulnerability

  20. What's Really Wrong?
       463bd270 mov ecx, dword ptr [ebx+34h]   ; [431492b4]=4313e080
       463bd276 mov edx, dword ptr [ecx+8]     ; [4313e088]=42fb208a
       463bd27b mov ecx, dword ptr [edx+284h]  ; [42fb230e]=41980000
       463bd28d call dword ptr [ecx+0Ch]       ; [4198000c]=0c050c05
     • No documentation for the JIT compiler • No PDB symbol file available

  21. Useful Trick (revealed by http://jpauclair.net). Windows: put AS3Verbose = 1 in C:\Documents and Settings\<username>\mm.cfg. Details of the JIT runtime trace are written to C:\Documents and Settings\<username>\Application Data\Macromedia\Flash Player\Logs\flashlog.txt

  22. Example of the Useful Trick
       26:callpropvoid fl.controls:BaseButton::drawBackground 0
       @63 ldop 16(@62)
       @64 ldop 812(@63)
       ……
       @63 ldop 16(@62)
       060BD6E4 mov eax, 16(ebx)     active: eax(63-64) ebx(62-69) edi(2-142)
       @64 ldop 812(@63)
       060BD6E7 mov ecx, 812(eax)    active: ecx(64-70) ebx(62-69) edi(2-142)

  23. Internals of JIT Compiled Code. Each JIT-compiled function has three parameters: func(MethodEnv*, int argc, uint32 *ap). For example, RadioButton.configUI():void has • argc = 0 • ap[0] = the RadioButton instance (the “this” pointer)

  24. Using the Useful Trick
       protected function drawBackground():void {
         var bg:DisplayObject = background;
         var styleName:String = (enabled) ? "upSkin" : "disabledSkin";
         …
       }
       463bd270 mov ecx, dword ptr [ebx+34h]   ; [431492b4]=4313e080
       463bd276 mov edx, dword ptr [ecx+8]     ; [4313e088]=42fb208a
       463bd27b mov ecx, dword ptr [edx+284h]  ; [42fb230e]=41980000
       463bd28d call dword ptr [ecx+0Ch]       ; [4198000c]=0c050c05

  25. Using the Useful Trick (contd.). The control transfer is in the JIT-compiled code for TextInput.drawBackground(), i.e. TextInput.drawBackground(MethodEnv*, int argc, uint32 *ap):
       463bd1bc push ebp
       463bd1bd mov ebp, esp
       463bd1bf sub esp, 50h
       463bd1c5 mov eax, dword ptr [ebp+10h]   ; [0013e290]=43169301
       463bd1c8 mov eax, dword ptr [eax]       ; [43169301] = ??? (unaligned pointer)

  26. Tracking Back. In TextInput.as, TextInput.draw() calls TextInput.drawBackground(). In the JIT-compiled code for TextInput.draw(), after the 1-byte change (=> newfunction TextInput.drawBackground):
       463bcbdb 83c801   or eax, 1   ; make it unaligned!
       …
       call TextInput.drawBackground()   ; overloaded!

  27. Atom Internal Representation. The lowest 3 bits (bits 2..0) of a 32-bit atom hold the type, bits 31..3 the value:
       000 (0)  Untagged
       001 (1)  Object
       010 (2)  String
       011 (3)  Namespace
       100 (4)  Undefined
       101 (5)  Boolean
       110 (6)  Integer
       111 (7)  Double
     Example: 0x43169301 → type: Object; actual value: 0x43169300
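To make the tag table concrete, here is an added example (not code from the talk) that tags and untags atoms the way slide 27 describes and then shows what the JIT'd callee on slide 25 sees when it treats the tagged atom 0x43169301 as a raw pointer. The tag table is the slide's; the Integer/Boolean encoding (value << 3) and the 29-bit signed integer range follow avmplus and are assumed here; the memory image in demo_unaligned_read() is constructed.

```python
"""Atom tagging: low three bits = type, upper bits = value or pointer.
Added example; tag table from slide 27, int/bool encoding assumed (avmplus style),
memory contents in demo_unaligned_read() constructed."""
from typing import Dict

TAG_BITS = 3
TAG_MASK = (1 << TAG_BITS) - 1
ATOM_KINDS: Dict[int, str] = {
    0: "Untagged", 1: "Object", 2: "String", 3: "Namespace",
    4: "Undefined", 5: "Boolean", 6: "Integer", 7: "Double",
}
KIND_TAGS = {name: tag for tag, name in ATOM_KINDS.items()}
POINTER_KINDS = {"Object", "String", "Namespace", "Double"}  # upper bits are a pointer


def atom_kind(atom: int) -> str:
    """Type name encoded in the low three bits."""
    return ATOM_KINDS[atom & TAG_MASK]


def tag_pointer(ptr: int, kind: str) -> int:
    """Build a pointer atom (this is what the JIT's `or eax,1` does for an Object).
    The pointee must be 8-byte aligned so the tag bits are free."""
    if kind not in POINTER_KINDS:
        raise ValueError(f"{kind} is not a pointer kind")
    if ptr & TAG_MASK:
        raise ValueError(f"0x{ptr:08X} is not 8-byte aligned; tag would clobber it")
    return ptr | KIND_TAGS[kind]


def untag_pointer(atom: int) -> int:
    """Recover the raw pointer from a pointer atom by clearing the tag bits."""
    if atom_kind(atom) not in POINTER_KINDS:
        raise ValueError(f"0x{atom:08X} is a {atom_kind(atom)} atom, not a pointer")
    return atom & ~TAG_MASK & 0xFFFFFFFF


def tag_int(n: int) -> int:
    """Integer atom: 29-bit signed value in bits 31..3, tag 110 (assumed encoding)."""
    if not -(1 << 28) <= n < (1 << 28):
        raise ValueError("Integer atoms hold 29-bit signed values")
    return ((n << TAG_BITS) & 0xFFFFFFFF) | KIND_TAGS["Integer"]


def int_value(atom: int) -> int:
    """Inverse of tag_int: reinterpret as signed 32-bit, arithmetic shift drops the tag."""
    if atom_kind(atom) != "Integer":
        raise ValueError("not an Integer atom")
    v = atom & 0xFFFFFFFF
    if v & 0x80000000:
        v -= 1 << 32
    return v >> TAG_BITS


def read_u32(memory: bytes, base: int, addr: int) -> int:
    """Little-endian 32-bit read from a byte image whose first byte lives at `base`."""
    off = addr - base
    if not 0 <= off <= len(memory) - 4:
        raise IndexError(f"0x{addr:08X} is outside the image")
    return int.from_bytes(memory[off:off + 4], "little")


def demo_unaligned_read() -> Dict[str, int]:
    """Slide 25: the callee loads ap = 0x43169301 and dereferences it as a raw pointer.
    Constructed image: the object at 0x43169300 starts with the dword 0x4313E080
    (the value slide 18 shows at [ebx+34h]) followed by zero bytes."""
    base = 0x43169300
    image = (0x4313E080).to_bytes(4, "little") + bytes(4)
    atom = 0x43169301
    raw = untag_pointer(atom)                       # 0x43169300, what the tag says the pointer is
    return {
        "raw_ptr": raw,
        "read_at_raw": read_u32(image, base, raw),   # 0x4313E080: the intended field
        "read_at_atom": read_u32(image, base, atom), # 0x004313E0: bytes shifted by one, i.e. garbage
    }


if __name__ == "__main__":
    print(atom_kind(0x43169301), hex(untag_pointer(0x43169301)))
    print({k: hex(v) for k, v in demo_unaligned_read().items()})
```

On x86 the unaligned read itself does not fault; it simply returns the wrong dword, which is why the crash only appears later, when that garbage is used as a pointer.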

  28. The Whole Picture of the Butterfly Effect • RadioButton.configUI(): 1 byte changed, so a TextInput.drawBackground() function object is created • TextInput.draw() emits the wrong code / parameter when calling TextInput.drawBackground() (which has been “overloaded”) • TextInput.drawBackground() doesn't handle it correctly when the “enabled” property is referenced • Invalid memory accessed, shellcode executed

  29. CVE-2010-1297 Analysis • How is the control transferred to shellcode? • The root cause of this vulnerability

  30. CVE-2010-3654 Case Study. Time: early November 2010. Affected: Adobe Flash Player version <= 10.1.85.3, Adobe Reader version <= 9.4. Sample: a 0-day exploit distributed as a PDF file with a malformed SWF embedded.

  31. CVE-2010-3654 Case Study: 1 byte changed in the MultiName constant pool (07 02 16 -> 07 02 07)
     Clean:
       0x07  // [17] CONSTANT_QName
       0x02  // NsIndex = 2 (0x02)
       0x16  // NameIndex = 22 (0x16): “RadioButtonGroup”
     Malicious:
       0x07  // [17] CONSTANT_QName
       0x02  // NsIndex = 2 (0x02)
       0x07  // NameIndex = 7 (0x07): “Button”
     Result: “fl.controls.RadioButtonGroup” -> “fl.controls.Button”

  32. The Whole Picture of the Butterfly Effect • MultiName constant pool: NameIndex changed, fl.controls.RadioButtonGroup -> fl.controls.Button • RadioButtonGroup.set_groupName -> Button.set_groupName • Invalid memory accessed, shellcode executed

  33. CVE-2011-0609 Case Study. Time: March 2011. Affected: Adobe Flash Player version <= 10.2.152.33, Adobe Reader version <= 10.0.1. Sample: a 0-day exploit distributed as an Excel file with one SWF file embedded.

  34. CVE-2011-0609 Case Study (contd.)
     Clean:
       4CC4  10 07 00 00   jump loc_4CCF
       …
       4CCF  80 2C         coerce com.greensock.core.SimpleTimeline
     Malicious:
       3EA1  10 29 00 00   jump loc_3ECE
       …
       3ECE  66 D6 02      getproperty <namespace_set>.paused
     The jump destination is changed!
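The three one-byte changes on slides 10, 31 and 34 are easiest to reason about with a decoder that shows how the surrounding bytes are re-interpreted. The following is an added example, not code from the talk or from Adobe: a minimal ABC (ActionScript Byte Code) decoder for the u30 varint, the s24 branch offset, the handful of opcodes the slides show, and the QName multiname entry, plus a byte-level diff of clean versus malicious. Opcode numbers and encodings are those of the AVM2 overview; the sample byte strings and the two-entry string-pool excerpt are constructed from the hex on the slides.

```python
"""Minimal ABC decoder for the fragments on slides 10, 31 and 34.
Added example; opcodes/encodings per the AVM2 overview, samples constructed
from the slides' hex."""
from typing import Dict, List, Tuple

# opcode -> (mnemonic, operand kinds), only the instructions the slides use
OPCODES: Dict[int, Tuple[str, Tuple[str, ...]]] = {
    0x10: ("jump", ("s24",)),                 # offset relative to the end of the instruction
    0x24: ("pushbyte", ("u8",)),
    0x30: ("pushscope", ()),
    0x40: ("newfunction", ("u30",)),          # method index
    0x48: ("returnvalue", ()),
    0x4F: ("callpropvoid", ("u30", "u30")),   # multiname index, arg count
    0x66: ("getproperty", ("u30",)),          # multiname index
    0x80: ("coerce", ("u30",)),               # multiname index
    0xA0: ("add", ()),
    0xD1: ("getlocal_1", ()),
}
CONSTANT_QNAME = 0x07
# Constructed string-pool excerpt: the two names slide 31 gives for indices 22 and 7
STRING_POOL: Dict[int, str] = {7: "Button", 22: "RadioButtonGroup"}


def read_u30(data: bytes, pos: int) -> Tuple[int, int]:
    """u30: little-endian base-128 varint, at most 5 bytes, 30 significant bits."""
    value, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated u30")
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value & 0x3FFFFFFF, pos
        if shift >= 35:
            raise ValueError("u30 longer than 5 bytes")


def read_s24(data: bytes, pos: int) -> Tuple[int, int]:
    """s24: signed 24-bit little-endian branch offset."""
    if pos + 3 > len(data):
        raise ValueError("truncated s24")
    return int.from_bytes(data[pos:pos + 3], "little", signed=True), pos + 3


def disassemble(code: bytes, base: int = 0) -> List[str]:
    """Decode `code` linearly; `base` is the offset of code[0] within the method body."""
    out, pos = [], 0
    while pos < len(code):
        start, op = pos, code[pos]
        pos += 1
        if op not in OPCODES:
            out.append(f"{base + start:04X}: db 0x{op:02X}  ; unknown opcode")
            continue
        name, kinds = OPCODES[op]
        args = []
        for kind in kinds:
            if kind == "u30":
                v, pos = read_u30(code, pos)
                args.append(str(v))
            elif kind == "u8":
                v, pos = code[pos], pos + 1
                args.append(str(v))
            else:  # s24: target = end of this instruction + offset
                v, pos = read_s24(code, pos)
                args.append(f"loc_{base + pos + v:04X}")
        out.append(f"{base + start:04X}: {name} {', '.join(args)}".rstrip())
    return out


def read_qname(pool: bytes, pos: int) -> Tuple[int, int, int]:
    """One CONSTANT_QName multiname entry: kind byte, ns index (u30), name index (u30)."""
    if pool[pos] != CONSTANT_QNAME:
        raise ValueError(f"not a QName entry: 0x{pool[pos]:02X}")
    ns, pos = read_u30(pool, pos + 1)
    name, pos = read_u30(pool, pos)
    return ns, name, pos


def qname_to_str(pool: bytes, pos: int, strings: Dict[int, str] = STRING_POOL) -> str:
    """Resolve the name index of a QName entry through the (constructed) string pool."""
    _, name, _ = read_qname(pool, pos)
    return strings.get(name, f"string#{name}")


def byte_diff(clean: bytes, malicious: bytes) -> List[Tuple[int, int, int]]:
    """Offsets at which two same-length buffers differ, as (offset, clean byte, malicious byte)."""
    if len(clean) != len(malicious):
        raise ValueError("buffers differ in length")
    return [(i, a, b) for i, (a, b) in enumerate(zip(clean, malicious)) if a != b]


if __name__ == "__main__":
    clean, bad = bytes.fromhex("4FD20200"), bytes.fromhex("40D20200")   # slide 10
    print(byte_diff(clean, bad), disassemble(clean), disassemble(bad))
    print(qname_to_str(bytes.fromhex("070216"), 0), "->", qname_to_str(bytes.fromhex("070207"), 0))  # slide 31
    print(disassemble(bytes.fromhex("10070000"), base=0x4CC4), disassemble(bytes.fromhex("10290000"), base=0x3EA1))  # slide 34
```

Note how the slide-10 change keeps the operand bytes D2 02 (index 338 in both cases) but re-types them: as a callpropvoid they select a multiname, as a newfunction they select a method, and the trailing 00 that was the argument count becomes a stray opcode byte.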

  35. Shellcode Storm Example 1 – CVE-2010-1297. Shellcode payload: • downloads an encrypted PE file • decrypts it (XOR 0x95, skipping bytes equal to 0x00 and 0x95). Decrypted PE file (Win32/Poison): • keylogger • backdoor (diagram of its message: shellcode length at offset 0, shellcode at offset 4)
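An added example (not the talk's code) of the payload transform slide 35 describes: XOR with 0x95 where bytes equal to 0x00 or to the key are left untouched. Skipping 0x00 keeps zero padding zero and skipping 0x95 avoids producing a 0x00 from a plaintext 0x95, so the transform is an involution and the same routine encrypts and decrypts. It also shows the check a practitioner wants afterwards (an MZ/PE header test) and how to brute-force the single-byte key when it is not known. The sample PE header is constructed.

```python
"""XOR-with-skip payload decryptor (slide 35 style), PE-header sanity check and
single-byte key recovery.  Added example; the sample header is constructed."""

KEY = 0x95


def xor_skip(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte with `key`, leaving 0x00 and `key` bytes alone. Self-inverse."""
    if not 1 <= key <= 0xFF:
        raise ValueError("key must be a non-zero byte")
    return bytes(b if b in (0x00, key) else b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap check that decryption worked: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_key(blob: bytes) -> int:
    """Brute-force the key when unknown, using the PE check as the oracle."""
    for key in range(1, 256):
        if looks_like_pe(xor_skip(blob, key)):
            return key
    raise ValueError("no single-byte key yields a PE header")


def build_sample_pe_stub() -> bytes:
    """Constructed minimal header: 'MZ', e_lfanew = 0x40, 'PE\\0\\0', zero padding elsewhere."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


if __name__ == "__main__":
    plain = build_sample_pe_stub()
    enc = xor_skip(plain)
    print(enc[:4].hex(), looks_like_pe(enc), hex(recover_key(enc)), xor_skip(enc) == plain)
```

Because the zero bytes survive unchanged, the encrypted blob still has the long zero runs of a real PE header, which is a useful signal when hunting for such payloads in network captures or PDF streams.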

  36. Shellcode Backdoor versus C&C Backdoor: it receives shellcode rather than a command. Pros: • thin client: it just executes whatever it receives • easy to implement a new command • payload code is never written to disk. Cons: • coding complexity: every command has to be written as shellcode • platform dependent

  37. Shellcode Storm Example 2 – CVE-2010-3654: shellcode matryoshka • shellcode decrypts a PE file from the PDF stream • shellcode in the decrypted PE file decrypts a DLL from a resource • shellcode in the decrypted DLL decrypts and loads a PE file (Win32/Hupigon, aka Win32/Pigeon)

  38. Conclusion • Threats have been targeting Adobe Flash Player because it is popular and platform-independent • A 1-byte change in a SWF may have significant consequences; attackers have been using dumb fuzzing to find such vulnerabilities • Attacks on Adobe Flash Player are likely to remain prevalent in the future

  39. Q & A
