1 / 42

ZERT

ZERT. Binary Patching Gil Dabah. Who Am I?. “Israeli programmer and reverse engineering enthusiast Gil Dabah”, eWeek ( 09/22/06 ) “Israeli reverse-engineering specialist Gil Dabah”, CNET ( 09/25/06 ) Computer’s “Hacker” Programmer, working at DigiCash. About ZERT.

sandra_john
Download Presentation

ZERT

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ZERT Binary Patching Gil Dabah

  2. Who Am I? • “Israeli programmer and reverse engineering enthusiast Gil Dabah”, eWeek (09/22/06) • “Israeli reverse-engineering specialist Gil Dabah”, CNET (09/25/06) • Computer’s “Hacker” • Programmer, working at DigiCash ZERT Binary Patching

  3. About ZERT • Zero-day Emergency Response Team • Zero-day meaning? • Foundation • Goal • Incident-Response ZERT Binary Patching

  4. Menu • Patching In General • VML Vulnerability • ANI Vulnerability ZERT Binary Patching

  5. What is Patching? • Changing an existing software data. • That data can be either a code or real data (strings, structures, etc). • Usually the goal is to change behavior. • Sometimes you enhance the software. • Patching can be done on-disc, or in-memory. • Known patching is cracking games/software. • …or uncracking software like ZERT does. ZERT Binary Patching

  6. Problems with Patching • Different versions (E.G: 23 versions of VGX). • Code changes. • Code moves. • No room for the extra patching code/data. • MS Hot Patching MOV EDI, EDI. • Windows File-Protection. ZERT Binary Patching

  7. Patching Alternatives Every change affect file integrity. We want to change as less as possible bytes. • PE Patching - add a section/fine a cave. • In a short development time it’s not possible to make it reliable. • Too big a change. • Time consuming. • Per Version Patching. • Requires all versions. • Doesn’t support unknowns. ZERT Binary Patching

  8. Patching Alternatives • Using Hot Patching Bytes: • A few places to patch (all callers, more signatures). • 7 bytes are usually not enough. • CC, CC, CC, CC, CC, 8B, FF • Spot Patching • Simple. • Search&replace patching. • Not always possible  Generic ZERT Binary Patching

  9. Section #1 ZERT VML Patcher ZERT Binary Patching

  10. VML • Vector Markup Language • An XML language used to produce vector graphics. • Submitted as a proposed standard by MS and Macromedia in ’98 to the W3C. • Eventually rejected. • But still in use by Internet Explorer and Office (and Outlook). ZERT Binary Patching

  11. VML Rendering ZERT Binary Patching

  12. VML Zero-Day • Was first seen in September 2006. • Officially on the 19th, but actually before. • Adam Thomas, a researcher from Sunbelt Software, found it ITW. • The exploitation downloads a trojan or adware. • For example an adware that downloads and displays popup advertisements. ZERT Binary Patching

  13. VML Vulnerability • Stack-based buffer overflow in the processing of malformed VML "fill method" attributes. • Affected file: VGX.DLL (symbol:Ptok@TOKENS@_IE5_SHADETYPE_TEXT). • Vulnerable systems: all IE versions, with latest XP SP 2 patches. • Surf and get owned. • What if DEP is enabled? ZERT Binary Patching

  14. HTML Exploitation <html xmlns:v="urn:schemas-microsoft-com:vml"> <head> <style> v\:* { behavior: url(#default#VML);} </style> </head> <body> <v:rect><v:fill method=“AAAA…></v:fill></v:rect> </body> </html> ZERT Binary Patching

  15. Vulnerability Point • To locate vulnerable image, simply crash IE. • Attack ‘fill method’ with a big buffer, raises access violation. • Writing to a pointer which is found on local stack. • Now that we got the vulnerable function we start analyzing the code. ZERT Binary Patching

  16. Ptok Function Disassembly mov edx, [ecx+VML.szInput] mov dx, [ebx+edx*2] mov [edi], dx ZERT Binary Patching

  17. Code Analysis class TOKENS { public: WCHAR *Ptok(void); private: LPWSTR szInput; // pointer to input string on heap int nSize; // length of input string (in WCHARs) int idxInput; // index used within the for()loop WCHAR szOutput[256]; // output buffer for string }; This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 license. By Michael Hale Lee. ZERT Binary Patching

  18. Code Analysis:C++ Translation WCHAR *TOKENS::Ptok(void) { register int idxCurr; if (szInput == NULL) return(NULL); if (nSize >= 256) { // Added by the ZERT patch return(NULL); } for (idxCurr=0; idxInput < nSize && szInput[idxInput] != '\0'; idxInput++) { • if (szInput[idxInput] == ' ') { • if (idxCurr) break; // Encountered non-leading space • else continue; // Encountered leading space • } • szOutput[idxCurr]=szInput[idxInput]; // Copy the WCHAR • idxCurr++; • } • if (idxCurr > 0) { • szOutput[idxCurr]='\0'; // NULL terminate • return(szOutput); • } • return(NULL); • } This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 license. By Michael Hale Lee. ZERT Binary Patching

  19. Using Ptok Rather Than strtok • Ptok is an enhanced strtok, using a class and a local storage. • It supports multiple concurrent readings. • It doesn’t modify the original string! • Tokenize: “We've got explosives! KABOOOOOM!” • Results in: “We’ve”, “got”, “explosives!”, “KABOOOOOM!” • Input string is now nullified: “We’ve\0got\0… ZERT Binary Patching

  20. Writing a Binary Signature • A unique sequence of bytes. • Might be masked or not. • “GIF87A”,”GIF89A”  “GIF8*A” • Must be found the exact times you expect. • Genericness is a plus. ZERT Binary Patching

  21. VGX’s Ptok Signature • Ptok is like a library function • (very small, used in one place). • No code changes in all versions. • Goal: Use the whole function as a signature. ZERT Binary Patching

  22. Compiler’s Bad Day??? • >>> import distorm • >>> distorm.Decode(0,"\x66\x8b\x14\x53")[0][2] • 'MOV DX, [EBX+EDX*2]' • >>> distorm.Decode(0,"\x0f\xb7\x14\x53")[0][2] • 'MOVZX EDX, [EBX+EDX*2]' ZERT Binary Patching

  23. Closing The Vulnerability [v1] ;Removed leading space checks,added input-size test. mov edx, [ecx] push ebx push esi xor esi, esi cmp edx, esi ; if (szInput == NULL) push edi jz short Return ; return NULL cmp dword [ecx+4], 0x100 ; if (nSize >= 0x100) jae Return ; return NULL ZERT Binary Patching

  24. Bypassing WFP • Examining VGX.DLL’s export table: DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer. • VGX.DLL is a COM in-proc DLL. • Can be registered and unregistered. • Anti Virus issues. ZERT Binary Patching

  25. ZERT Patcher • Read vgx.dll file to memory. • Search for binary signature. • Apply patch. • Save data to a new file “patchedvgx.dll”. • Unregister original “vgx.dll”. • Register “patchedvgx.dll”. * Supports both GUI and Console versions. ZERT Binary Patching

  26. ZERT’s Patch VS. MS’s • MS can simply recompile. • We have to: • Make room for the input size test. • Preserve functionality. • MS patch: Copy until buffer is full (< 0xfe). • Our V1 patch: Don’t copy if length >= 0x100. • Patch V2 is MS code but crunched into 0x5b bytes (from 0x63). ZERT Binary Patching

  27. 64 Bits Patching Challenges • Finding VP (Ptok) without Windows 64. • RIP Relative. • MS code was changed from 32 bits version, yet unpatched. ZERT Binary Patching

  28. 32bits VS 64bits VGX.DLL ZERT Binary Patching

  29. Pre-Patched ZERT Binary Patching

  30. Section #2 ZERT ANI Patcher ZERT Binary Patching

  31. Windows Animated Cursors • It all began in 2005, eEye discovered a vulnerability in USER32.DLL handling .ANI files. • (Incompletely) fixed by MS05-002 – XPSP2 was already immune. • In 2006, a similar vulnerability discovered by Determina (Alexander Sotirov). • Public Disclosure - March 28, 2007. ZERT Binary Patching

  32. Bug Description • ANI files store animated cursors. Based on RIFF multimedia file format, which is a series of tagged chunks. • LoadCursorIconFromFileMap only validated the first ‘anih’ size before parsing the rest of the chunks by calling LoadAniIcon. • LoadAniIcon parses the chunks, including ‘anih’. This time without size validation. ZERT Binary Patching

  33. Malformed ANI Sample RIFF....ACONanih $...$........... ................ ........anihX... AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA • First header chunk, so far so good. • Now! this is tricky , oh yeah. ZERT Binary Patching

  34. Attack Vectors • Internet Explorer loading HTML file - style="CURSOR: url(‘malformed.ani')“. • Outlook. • Windows Explorer. ZERT Binary Patching

  35. The Patcher • USER32.DLL – Requires in-memory patching. • Using “Known DLLs” to load our .DLL to every process. • Our DllMain will locate USER32.DLL and find its code section and begin its magic work. ZERT Binary Patching

  36. Vulnerable Code - LoadAniIcon 000433E0 038B 75F8 8B45 D83D 7365 7120 0F84 7C01 ..u..E.=seq ..|. 000433F0 0000 3D4C4953540F 84CB 0000 003D 7261 ..=LIST......=ra 00043400 7465 0F84 A600 0000 3D616E69680F 85DF te......=anih... 00043410 0000 008D 45B4 508D 45D8 5053 E8E4FAFF ....E.P.E.PS.... 00043420 FF85 C00F 84E7 0100 0083 EC24 6A09 598B ...........$j.Y. 00043430 FC8D 75B4 F3A5 E844 FBFF FF85 C00F 84CA ..u....D........ 00043440 0100 008B 45BC 8B7D B88B 35F0 12D4 776A ....E..}..5...wj CMP EAX, ‘ qes’ JZ 0x187 CMP EAX, ‘TSIL’ JZ 0xe1 CMP EAX, ‘etar’ JZ 0xc7 CMP EAX, ‘hina’ JNZ 0x10b LEA EAX, [EBP-0x4c] PUSH EAX LEA EAX, [EBP-0x28] PUSH EAX PUSH EBX CALL Readchunk ZERT Binary Patching

  37. Runtime Generic Patching • 3 X-Refs to the ReadChunk function, only one needs a fix (LoadCursorIconFromFileMap). • Search for a static signature. Look back for another static signature. Disassemble forward until next call is found. • Now that we found the indirectly-call to memcpy, we have to patch it, but how? ZERT Binary Patching

  38. The Fix • A pre-compiled version of the ReadChunk function, this time with size validation. • The ReadChunk internally calls to ReadFilePtrCopy, which really copies the data and overflows the stack. • Fix our pre-compiled code to call the correct ReadFilePtrCopy – calculate relative 32 bits offset. • Allocate an executable memory for the new function. • Once it’s ready, we can simply relocate the original vulnerable CALL instruction to our new immune function. ZERT Binary Patching

  39. Potential Problems • Multiple threads might run the patched code – we patch only a DWORD. • Searching for a DWORD – must be byte-aligned. • Finding the CALL instruction – a disassembler must be used. • If-then statements code generation – following branches. ZERT Binary Patching

  40. The Sad Truths • There is a function which validates the ANI header parameters after it copies it locally. • The VML vulnerability didn’t exist in IE5, which had the size validation of the buffer back then. Probably to code regression it slipped away. ZERT Binary Patching

  41. Questions ??? ZERT Binary Patching

  42. The End arkon@ragestorm.net Thanks to: CCC ZERT Members ZERT - http://isotf.org/zert http://isotf.org/zert/papers/vml-details-20061004.pdf http://www.milw0rm.com/exploits/2425 - Exploit POC ZERT Binary Patching

More Related