PCIT417. CVE-2014-1776 (UAF) CVE-2014-0322 (UAF) CVE-2013-3918 (ICARDIE) CVE-2013-3897 (UAF) CVE-2013-3893 (UAF) CVE-2013-3163 (UAF) IE CVE-2014-1761.


1 PCIT417

2 IE: CVE-2014-1776 (UAF), CVE-2014-0322 (UAF), CVE-2013-3918 (ICARDIE), CVE-2013-3897 (UAF), CVE-2013-3893 (UAF), CVE-2013-3163 (UAF)
Office: CVE-2014-1761 (RTF), CVE-2013-3906 (OGL), CVE-2013-1331 (PNG), CVE-2012-0158 (MSCOMCTL)
Adobe: CVE-2014-0497 (Flash), CVE-2013-5330 (Flash), CVE-2013-5065 (PDF+EoP), CVE-2013-0640 (PDF XFA)

3

4

5

6 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

7

8 app.exe user32.dll ssleay32.dll ntdll.dll app.exe user32.dll ssleay32.dll ntdll.dll app.exe user32.dll ssleay32.dll ntdll.dll Boot 1 Boot 2 Boot 3 process address space

9 Exploit: Partial overwrite
Only the high-order two bytes are randomized in image mappings.
Low-order two bytes can be overwritten to return into another location within a mapping.
Overwriting 0x1446047c with 0x14461846.
Target address can be used to pivot.
Stack diagram: Local Variables, Saved EBP, Return address (Buffer overflow)
    memcpy(dest,     /* Stack buf */
           src,      /* Controlled */
           length);  /* Controlled */

10 app.exe user32.dll kernel32.dll ntdll.dll app.exe user32.dll kernel32.dll ntdll.dll app.exe user32.dll kernel32.dll ntdll.dll Boot 1 Boot 2 Boot 3 process address space

11

12 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

13

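14
    #include <string.h>

    void foo(char *szIn, int i)
    {
        int j = 0;
        char szOut[8];
        strcpy(szOut, szIn);  /* no length check: szIn longer than 7 characters overflows szOut */
    }
Stack diagram (Higher Addresses first): Function main() stack area; Pushed Arguments (szIn, i); EIP = Return of main(); EBP - Frame Pointer; j; szOut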

15 C:\foo "AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30"
Stack diagram (Higher Addresses first): Function main() stack area; Pushed Arguments (szIn, i); EIP = Return of main(); EBP - Frame Pointer; j = 0x0; szOut = 0x05040504

16 C:\foo "AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30"
Stack diagram (Higher Addresses first): Function main() stack area; Pushed Arguments (szIn, i); Return address = 0x30B0116C; EBP = 0x65656565; j = 0x65656565; szOut = AAAAAAAA
Return address of main() changed to point to a malicious code area.

17 C:\foo "AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30"
Stack diagram (Higher Addresses first): Function main() stack area; Pushed Arguments (szIn, i); Return address = 0x30B0116C; EBP = 0x65656565; Malicious Code
!!pwn3d!!

18 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

19 Stack diagram labels: Local variables, Previous Stack frame …, Exception Registration Record (Next | Handler), Buffer overflow
    void vulnerable(char *ptr) {
        char buf[128];
        strcpy(buf, ptr);
    }

    void parent(char *ptr) {
        try {
            vulnerable(ptr);
            … exception …
        } except(…) { }
    }

20 Exploit: SEH Overwrite
Normal SEH Chain (N = Next, H = Handler): [N|H] app!_except_handler4 -> [N|H] k32!_except_handler4 -> [N|H] ntdll!_except_handler4 -> 0xffffffff
Corrupt SEH Chain: [N|H] 0x7c1408ac, 0x414106eb
An exception will cause 0x7c1408ac to be called as an exception handler as:
    EXCEPTION_DISPOSITION Handler(
        PEXCEPTION_RECORD Exception,
        PVOID EstablisherFrame,
        PCONTEXT ContextRecord,
        PVOID DispatcherContext);
pop eax ret

21 Valid SEH Chain: [N|H] app!_except_handler4 -> [N|H] k32!_except_handler4 -> [N|H] ntdll!FinalExceptionHandler
Invalid SEH Chain: [N|H] app!_main+0x1c, 0x41414141 -> ?
Can't reach validation frame!
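The chain check sketched on slides 20 and 21, as an added example that is not part of the original presentation: a simplified simulation that walks the Next pointers and accepts the chain only if it ends at the validation frame. The stack range, handler addresses and the FINAL_HANDLER stand-in are constructed for the simulation; the corrupt values are the ones shown on the slides.

```c
#include <stdint.h>
#include <stdio.h>

/* All addresses below are constructed for this simulation. */
#define CHAIN_END     0xffffffffu /* Next field of the last record */
#define FINAL_HANDLER 0x77001000u /* stand-in for ntdll!FinalExceptionHandler */
#define STACK_BASE    0x0012f000u /* simulated stack: 64 dwords */
#define STACK_WORDS   64u

static uint32_t stack_mem[STACK_WORDS];

/* Store one registration record {Next, Handler} at a simulated stack address. */
static void put_record(uint32_t addr, uint32_t next, uint32_t handler) {
    uint32_t i = (addr - STACK_BASE) / 4;
    stack_mem[i] = next;
    stack_mem[i + 1] = handler;
}

/* Build an intact chain of three handlers plus the final validation record. */
static uint32_t build_chain(void) {
    put_record(STACK_BASE + 0x10, STACK_BASE + 0x40, 0x00401000u);
    put_record(STACK_BASE + 0x40, STACK_BASE + 0x80, 0x76001000u);
    put_record(STACK_BASE + 0x80, STACK_BASE + 0xc0, 0x77002000u);
    put_record(STACK_BASE + 0xc0, CHAIN_END, FINAL_HANDLER);
    return STACK_BASE + 0x10;
}

/* Return 1 only if walking Next pointers from head reaches the final record. */
static int sehop_chain_valid(uint32_t head) {
    uint32_t cur = head;
    for (uint32_t hops = 0; hops < STACK_WORDS; hops++) { /* bound stops loops */
        if (cur < STACK_BASE || cur > STACK_BASE + 4 * (STACK_WORDS - 2) || (cur & 3))
            return 0;                  /* record outside the stack or unaligned */
        uint32_t i = (cur - STACK_BASE) / 4;
        if (stack_mem[i] == CHAIN_END) /* last record must be the validation frame */
            return stack_mem[i + 1] == FINAL_HANDLER;
        cur = stack_mem[i];
    }
    return 0;
}

int main(void) {
    uint32_t head = build_chain();
    printf("intact chain:  %d\n", sehop_chain_valid(head));
    /* An overflow replaces the first record with the values from the slides. */
    put_record(head, 0x41414141u, 0x7c1408acu);
    printf("corrupt chain: %d\n", sehop_chain_valid(head));
    return 0;
}
```

Because the overwritten Next field no longer leads to the final record, the walk fails before the attacker-supplied handler value would ever be dispatched.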

22 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

23

24

25 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

26

27 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

28 EAF
DR0 -> kernel32[eat]
DR1 -> ntdll[eat]
DR2 -> kernelbase[eat]

29 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

30

31 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

32

33 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

34

35 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

36

37 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

38 FLASH Vector JSCRIPT9 Array VGX CDashStyle KERNEL32 MZ/PE IAT/EAT NTDLL MZ/PE IAT/EAT

39

40 Subscribe to our fortnightly newsletter http://aka.ms/technetnz http://aka.ms/msdnnz Free Virtual Hands-on Labs http://aka.ms/ch9nz Free Online Learning http://aka.ms/mva http://aka.ms/technetlabs Sessions on Demand

41

42

