Extracting a 19-Year-Old Code Execution From WinRAR

Introduction | Who Am I? • I am a vulnerability researcher @ Check Point Research • Worked @ Akamai as a security researcher • Worked @ IBM as a malware researcher • Twitter: @


  1. ACE 101 | ACE?! • ACE is a data compression archive file format • Developed by Marcel Lemke in ~1998, bought by e-merge GmbH • Peak of its popularity was 1999–2001, when it had better compression rates than RAR • Creation/compression of an ACE archive is protected by a patent • Extraction/decompression of an ACE archive is *not* protected by a patent • A shareware named WinAce by e-merge is used to compress ACE files • e-merge provided a freeware DLL for ACE decompression

  2. ACE 101 | ACE?!

  3. ACE 101 | ACE?!

  4. ACE 101 | Understanding the ACE file format • We found a pure Python project named acefile; its features are: 1. It can extract ACE archives. 2. It has a helpful feature that prints the file format header

  5. ACE 101 | Understanding the ACE file format

  6. ACE 101 | Understanding the ACE file format

  7. ACE 101 | Understanding the ACE file format

  8. Is there a chance to find a critical vulnerability?

  9. It’s a GOLD MINE !

  10. Fuzzing Take #2 | Improved WinRAR generic fuzzer (CRC bypass) • Changed the corpus to ACE files only • We patched the CRC checks in unacev2.dll

  11. Fuzzing Take #2 | Results and Conclusions (CRC bypass) • WinRAR loads and unloads unacev2.dll for each fuzzing iteration • WinAFL generates test cases that trigger the parsing code of other formats • This fuzzing approach is too slow, we need a different approach!

  12. Fuzzing Take #3 | Creation of a custom harness (ACE dedicated fuzzer) • We reverse engineered how WinRAR uses unacev2.dll for ACE file extraction and mimicked it • A quick RE found that 2 exported functions should be called in this order: 1. An initialization function named ACEInitDll 2. An extraction function named ACEExtract

  13. Let’s Search For An Open Source!

  14. Fuzzing Take #3 | Searching for an open source (ACE dedicated fuzzer) • Found a project named FarManager that uses unace.dll • FarManager includes a detailed header file for the unknown structs • Loading the headers into IDA eased the RE of how WinRAR uses the DLL • We built our harness to mimic WinRAR in the same way

  15. Fuzzing Take #3 | What is this file?! • Summarize

  16. Bug Analysis | Quick Bug Analysis • The harness extracts the archive to sub-directories under “output_folders”, for example R:\ACE_FUZZER\output_folders\Slave_2\ • Why do we have a new folder named sourbe in the parent folder? • Inside the sourbe folder we found a file named RED VERSION

  17. Bug Analysis | Quick Bug Analysis

  18. Bug Analysis | Quick Bug Analysis Conclusions • Our first assumption was that the first character of the filename field (the ‘\’ char) triggers the vulnerability • We arrived at these conclusions: 1. The first char should be a ‘\’ 2. * should be included in the filename at least once

  19. Bug Analysis | Trying the exploit on WinRAR • YES! The sourbe folder was created in the root of drive C: (C:\sourbe)

  20. Bug Analysis | Trying the exploit on WinRAR • What about the file?! • It was not created!

  21. Bug Analysis | Why did the harness and WinRAR behave differently? • The callbacks defined in the harness differ from those defined in WinRAR

  22. Bug Analysis | ACE callback functions • We mentioned this signature when calling the exported function • An inner member of ACEInitDllStruc contains pointers to 4 callback functions

  23. Bug Analysis | ACE callback functions • The callbacks are called by unacev2.dll during the extraction process • The callbacks validate the operation that is about to happen • If the operation is allowed, the following constant is returned to the DLL: ACE_CALLBACK_RETURN_OK • If the operation is not allowed by the callback function, it returns ACE_CALLBACK_RETURN_CANCEL and the operation is aborted

  24. Bug Analysis | ACE callback functions • WinRAR does validation of the extracted filename • In case of an abort code the (already empty) file will be deleted by the DLL

  25. Bug Analysis | WinRAR’s Callback / Validation Functions 1. The first char does not equal “\” or “/” 2. The file name doesn’t start with “Path Traversal” sequences like: a. “..\” b. “../” 3. The following “Path Traversal” sequences don’t exist in the string: c. “\..\” d. “\../” e. “/../” f. “/..\”

  26. Bug Analysis | WinRAR’s Callback / Validation Functions • The following string is passed to WinRAR’s callback validator: “\sourbe\RED VERSION_¶” • Because it starts with “\”, the return code is ACE_CALLBACK_RETURN_CANCEL • The file write operation is aborted and a call to DeleteFile() is made

  27. Bug Analysis | Why is * vital for the Path Traversal? • There is a check in the unacev2.dll code that aborts the extraction operation if the relative path string starts with “\” • This check is triggered before the CreateFile() • However, our filename starts with “\”: “\sourbe\RED VERSION*¶” • By adding “*” or “?” characters this check is skipped!

  28. Bug Analysis | Recap • We found a Path Traversal vulnerability in unacev2.dll • Two constraints lead to the Path Traversal vulnerability: 1. The first char should be ‘\’ 2. ‘*’ should be included in the filename at least once • WinRAR is partially vulnerable to this Path Traversal bug

  29. Let’s Find The Root Cause!

  30. Bug Analysis | Understanding the root cause 1. We used DynamoRIO to record the code coverage in unacev2.dll of: a. a regular ACE file b. the exploit file which triggered the bug: drrun -t drcov -- harness.exe [regular ace archive path] / drrun -t drcov -- harness.exe [exploit archive path] 2. We then used the Lighthouse plugin for IDA to subtract the coverage of our exploit archive from that of the regular ACE archive 3. We analyzed the differing basic blocks and found the root cause

  31. Bug Analysis | Understanding the root cause

  32. Bug Analysis | Understanding the root cause • GetDevicePathLen checks if a device or drive name prefix appears in the Path parameter, and returns the length of that prefix • For example, the function returns: C:\some_folder\some_file.ext => 3, \some_folder\some_file.ext => 1, \\LOCALHOST\C$\some_folder\some_file.ext => 15, \\?\Harddisk0Volume1\some_folder\some_file.ext => 21, some_folder\some_file.ext => 0

  33. Bug Analysis | Understanding the root cause

  34. C:\some_folder\some_file.ext → UnACE_GetDevicePathLen() returns 3

  35. C:\some_folder\some_file.ext → UnACE_GetDevicePathLen() returns 3

  36. C:\some_folder\some_file.ext → Unknown_Clean_Function() → “some_folder\some_file.ext” → UnACE_GetDevicePathLen() returns 0

  37. Bug Analysis | Finding the Unknown Function • We searched the IDA strings window for references to “:” and “\” • We found several functions that use these strings • We put breakpoints on all the suspected functions and started a debug session • The unknown function was found after 5 minutes of debugging • Let’s call the unknown function CleanPath

  38. Bug Analysis | CleanPath() • The function omits all the path traversal sequences of ..\ • It omits these sequences only once from the beginning of the path: • C:\ - omits it first and updates the new path • C: - omits it only if the next char is not \ • It just checks for *:\ and *: (* means any char) 1. C:\try1.exe => try1.exe 2. C:try2.exe => try2.exe 3. C:\C:try3.exe => try3.exe 4. C:\C:\try4.exe => C:\try4.exe

  39. Bug Analysis | The Bug in the CleanPath Function • It doesn’t omit ../ • It doesn’t check the path recursively after omitting a sequence • Let’s check this sequence first: C:\C:\some_folder\some_file.ext

  40. CVE-2018-20250: C:\C:\some_folder\some_file.ext → UnACE_CleanPath() → C:\some_folder\some_file.ext → UnACE_GetDevicePathLen() returns 3 → CreateFile() → WinRAR_CallBack() → WriteFile()
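The checks on slides 25, 27, 32 and 38-40 are modelled below in Python as an added example; this is code written for this page from the slide descriptions, not the code of unacev2.dll, WinRAR or the talk. The function names, the order of the checks and OUTPUT_DIR are assumptions, the UNC/device handling in get_device_path_len generalizes the two prefixed examples on slide 32, and is_safe_entry shows the defensive alternative: validate each path component instead of sanitizing the string.

```python
# Educational model of the path checks the slides describe (CVE-2018-20250); written for this
# page, not the code of unacev2.dll or WinRAR. Names, check ordering and OUTPUT_DIR are assumptions.
OK, CANCEL = "ACE_CALLBACK_RETURN_OK", "ACE_CALLBACK_RETURN_CANCEL"
OUTPUT_DIR = r"R:\ACE_FUZZER\output_folders\Slave_2"   # constructed, after the harness path on slide 16

def get_device_path_len(path):
    """Model of UnACE_GetDevicePathLen (slide 32): length of the drive/device prefix, 0 if relative."""
    if path.startswith("\\\\"):                    # \\server\share\ or \\?\Device\ : two names + separator
        second = path.find("\\", path.find("\\", 2) + 1)
        return second + 1 if second != -1 else len(path)
    if len(path) >= 3 and path[0].isalpha() and path[1:3] == ":\\":
        return 3
    return 1 if path[:1] in ("\\", "/") else 0

def clean_path(path):
    """Model of UnACE_CleanPath (slides 38-39): drops every '..\\' (not '../'), then strips a leading
    'X:\\' once and a leading 'X:' once when no '\\' follows. It is not applied recursively."""
    path = path.replace("..\\", "")
    if len(path) >= 3 and path[1:3] == ":\\":
        path = path[3:]
    if len(path) >= 2 and path[1] == ":" and path[2:3] != "\\":
        path = path[2:]
    return path

def winrar_callback(path):
    """Model of WinRAR's validator (slide 25): reject leading separators and '..' sequences."""
    if path[:1] in ("\\", "/") or path.startswith(("..\\", "../")):
        return CANCEL
    if any(seq in path for seq in ("\\..\\", "\\../", "/../", "/..\\")):
        return CANCEL
    return OK

def extraction_target(archive_name):
    """Where the modelled DLL would write an entry, or None when the write is aborted (slide 40 flow)."""
    path = clean_path(archive_name)
    if path.startswith("\\") and not any(c in path for c in "*?"):
        return None                                # the DLL's own leading-'\' check, skipped by * or ? (slide 27)
    target = path if get_device_path_len(path) > 0 else OUTPUT_DIR + "\\" + path
    return target if winrar_callback(path) == OK else None   # CANCEL: the empty file is deleted (slide 24)

def is_safe_entry(archive_name):
    """Hardened validator (added here): accept only plain relative names. Drive letters, '..', empty
    components (leading or doubled separators) and wildcards are rejected instead of sanitized."""
    parts = archive_name.replace("/", "\\").split("\\")
    return all(p not in ("", ".", "..") and not any(c in p for c in ":*?") for p in parts)

if __name__ == "__main__":
    for name in (r"C:\C:\some_folder\some_file.ext", r"\sourbe\RED VERSION_*", r"docs\readme.txt"):
        print(f"{name!r:40} -> {extraction_target(name)!r}  safe={is_safe_entry(name)}")
```

Running the block shows the doubled drive prefix landing outside OUTPUT_DIR while the leading-backslash name is cancelled by the WinRAR callback, and is_safe_entry rejecting both.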

  41. Exploitation process | Building an Exploit = RCE • We can extract the file to an arbitrary location • Files in the Startup Folder will be executed at boot time • There are 2 types of Startup Folder: • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp • C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup • The first demands high privileges / a high integrity level

  42. Exploitation process | Building an Exploit • If UAC is disabled on the victim machine we can use this path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp • Otherwise, embed many files in the archive with guessed user names: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup • If UAC is disabled we have 100% success • If UAC is enabled the odds of success are low (a guessing game)

  43. Exploitation process | Exploit Limitation • WinRAR_callback() and/or CleanPath() omit all occurrences of these 3 sequences: 1. ..\ 2. \../ 3. /../ • If the path starts with one of these 6 sequences, it will be omitted only once: 5. ../ 6. \ 7. / 8. C: 9. C:\ 10. C:\C:

  44. Exploitation process | Most Powerful Exploit • The sequence C: is translated by Windows to the CWD of the process • WinRAR’s CWD is set by WinRAR’s shell extension • The shell extension sets the CWD to the folder of the selected file/files
