ZERT Binary Patching Gil Dabah

Who Am I?
“Israeli programmer and reverse engineering enthusiast Gil Dabah”, eWeek (09/22/06)
“Israeli reverse-engineering specialist Gil Dabah”, CNET (09/25/06)
Computer “hacker”. Programmer, working at DigiCash.

About ZERT
Zero-day Emergency Response Team
Zero-day meaning?
Foundation
Goal
Incident response

Menu
Patching in general
VML vulnerability
ANI vulnerability

What is Patching?
Changing existing software data. That data can be either code or real data (strings, structures, etc.).
Usually the goal is to change behavior; sometimes you enhance the software.
Patching can be done on disk or in memory.
The best-known kind of patching is cracking games/software... or uncracking software, as ZERT does.

Problems with Patching
Different versions (e.g. 23 versions of VGX).
Code changes.
Code moves.
No room for the extra patching code/data.
MS hot patching: MOV EDI, EDI.
Windows File Protection.

Patching Alternatives
Every change affects file integrity, so we want to change as few bytes as possible.
1) PE patching: add a section or find a code cave.
 - In a short development time it is not possible to make it reliable.
 - Too big a change.
 - Time consuming.
2) Per-version patching.
 - Requires all versions.
 - Doesn't support unknown versions.

Patching Alternatives (continued)
3) Using the hot-patching bytes: the MOV EDI, EDI prologue (8B FF) plus the five 0xCC padding bytes in front of it: CC CC CC CC CC 8B FF.
 - A few places to patch (all callers, more signatures).
 - 7 bytes are usually not enough.
4) Spot patching.
 - Simple.
 - Search-and-replace patching.
 - Not always possible.
 - Generic.

Section #1: ZERT VML Patcher

VML: Vector Markup Language
An XML language used to produce vector graphics.
Submitted as a proposed standard by Microsoft and Macromedia to the W3C in 1998. Eventually rejected.
But still in use by Internet Explorer and Office (including Outlook).

VML Rendering (diagram)

VML Zero-Day
First seen in September 2006: officially on the 19th, but actually earlier.
Adam Thomas, a researcher from Sunbelt Software, found it in the wild (ITW).
The exploit downloads a trojan or adware, for example adware that downloads and displays pop-up advertisements.

VML Vulnerability
Stack-based buffer overflow in the processing of malformed VML "fill method" attributes.
Affected file: VGX.DLL.
Vulnerable systems: all IE versions, even on XP SP2 with the latest patches. Surf and get owned.
What if DEP is enabled?

HTML Exploitation
CSS rule that enables the VML behaviour for the v: namespace:
v\:* { behavior: url(#default#VML); }

Vulnerability Point
To locate the vulnerable image, simply crash IE: attacking 'fill method' with a big buffer raises an access violation.
The crash is a write through a pointer that is found on the local stack.
Now that we have the vulnerable function, we start analyzing the code.

Ptok Function Disassembly
    mov dx, [ebx+edx*2]
    mov [edi], dx
    mov edx, [ecx+VML.szInput]

Code Analysis
class TOKENS {
public:
    WCHAR *Ptok(void);
private:
    LPWSTR szInput;         // pointer to input string on heap
    int nSize;              // length of input string (in WCHARs)
    int idxInput;           // index used within the for() loop
    WCHAR szOutput[256];    // output buffer for string
};
This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 license. By Michael Hale Lee.

Code Analysis: C++ Translation
WCHAR *TOKENS::Ptok(void)
{
    register int idxCurr;

    if (szInput == NULL)
        return(NULL);

    if (nSize >= 256) {         // Added by the ZERT patch
        return(NULL);
    }

    for (idxCurr=0; idxInput < nSize && szInput[idxInput] != '\0'; idxInput++) {
        if (szInput[idxInput] == ' ') {
            if (idxCurr)
                break;          // Encountered non-leading space
            else
                continue;       // Encountered leading space
        }
        szOutput[idxCurr]=szInput[idxInput];   // Copy the WCHAR
        idxCurr++;
    }
    if (idxCurr > 0) {
        szOutput[idxCurr]='\0'; // NULL terminate
        return(szOutput);
    }
    return(NULL);
}
This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 license. By Michael Hale Lee.

Using Ptok Rather Than strtok
Ptok is an enhanced strtok, using a class and local storage. It supports multiple concurrent readings, and it doesn't modify the original string.
Tokenizing “We've got explosives! KABOOOOOM!” results in: “We've”, “got”, “explosives!”, “KABOOOOOM!”.
With strtok the input string would have been nullified in place: “We've\0got\0…”

Writing a Binary Signature
A unique sequence of bytes. It might be masked or not: “GIF87A”, “GIF89A” → “GIF8*A”.
It must be found exactly the number of times you expect.
Genericness is a plus.

VGX's Ptok Signature
Ptok is like a library function (very small, used in one place).
No code changes in any version.
Goal: use the whole function as a signature.

Compiler's Bad Day???
Both the 16-bit load through DX and the MOVZX form encode in four bytes:
>>> import distorm
>>> distorm.Decode(0, "\x66\x8b\x14\x53")[0][2]
'MOV DX, [EBX+EDX*2]'
>>> distorm.Decode(0, "\x0f\xb7\x14\x53")[0][2]
'MOVZX EDX, [EBX+EDX*2]'

Closing the Vulnerability [v1]
; Removed leading-space checks, added input-size test.
    mov  edx, [ecx]
    push ebx
    push esi
    xor  esi, esi
    cmp  edx, esi               ; if (szInput == NULL)
    push edi
    jz   short Return           ;     return NULL
    cmp  dword [ecx+4], 0x100   ; if (nSize >= 0x100)
    jae  Return                 ;     return NULL

Bypassing WFP
Examining VGX.DLL's export table: DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer.
VGX.DLL is a COM in-proc DLL: it can be registered and unregistered, so a patched copy can be registered under a new name without touching the protected file.
Anti-virus issues.

ZERT Patcher
1) Read the vgx.dll file into memory.
2) Search for the binary signature.
3) Apply the patch.
4) Save the data to a new file, “patchedvgx.dll”.
5) Unregister the original “vgx.dll”.
6) Register “patchedvgx.dll”.
* Both GUI and console versions are supported.
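Added example, not the ZERT patcher's own code: steps 2 and 3 above, together with the masked-signature rules from the “Writing a Binary Signature” slide, in plain C. It goes slightly beyond the slides in that the signature syntax is generic (two hex digits per byte, "??" for a masked byte) and the patch is refused unless the signature hits exactly once, which is what “must be found exactly the number of times you expect” means in practice. The image it scans is a constructed stand-in, not VGX.DLL bytes: it contains two hot-patchable prologues, one copy of the Ptok load/store pair from the disassembly slide, and both GIF headers; the MOV-to-MOVZX replacement is only an illustration of a same-length spot patch, not the actual ZERT fix. Writing the result to patchedvgx.dll and swapping the COM registration (steps 4 to 6) is left out.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIG_MAX 64
typedef struct { uint8_t byte[SIG_MAX]; uint8_t care[SIG_MAX]; size_t len; } sig_t;

/* Parse a signature such as "47 49 46 38 ?? 41" ("GIF8*A"): two hex digits per
 * byte, "??" for a masked byte. Returns 0 on success, -1 on bad syntax. */
static int sig_parse(const char *text, sig_t *s)
{
    const char *p = text;
    s->len = 0;
    while (*p) {
        if (*p == ' ') { p++; continue; }
        if (s->len >= SIG_MAX) return -1;
        if (p[0] == '?' && p[1] == '?') {
            s->byte[s->len] = 0; s->care[s->len] = 0;
        } else if (isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1])) {
            char hex[3] = { p[0], p[1], 0 };
            s->byte[s->len] = (uint8_t)strtoul(hex, NULL, 16); s->care[s->len] = 1;
        } else {
            return -1;
        }
        s->len++; p += 2;
    }
    return s->len ? 0 : -1;
}

/* Count occurrences of the masked signature; *first receives the first offset. */
static size_t sig_count(const uint8_t *buf, size_t n, const sig_t *s, size_t *first)
{
    size_t hits = 0;
    if (s->len == 0 || s->len > n) return 0;
    for (size_t off = 0; off + s->len <= n; off++) {
        size_t i = 0;
        while (i < s->len && (!s->care[i] || buf[off + i] == s->byte[i])) i++;
        if (i == s->len && hits++ == 0) *first = off;
    }
    return hits;
}

/* Spot patch: overwrite the signature with same-length bytes, but only when it is
 * found exactly once. Zero hits means an unknown version, several hits mean the
 * signature is not specific enough; either way refuse rather than guess.
 * Returns 0 on success, -1 for a bad signature or length mismatch, 1 for a wrong hit count. */
static int spot_patch(uint8_t *buf, size_t n, const char *sig_text,
                      const uint8_t *repl, size_t repl_len)
{
    sig_t s; size_t first = 0;
    if (sig_parse(sig_text, &s) != 0 || s.len != repl_len) return -1;
    if (sig_count(buf, n, &s, &first) != 1) return 1;
    memcpy(buf + first, repl, repl_len);
    return 0;
}

/* Constructed stand-in for a DLL image (not VGX.DLL bytes), padded with NOPs. */
static uint8_t g_img[256];
static size_t g_img_len;

static size_t reset_sample(void)
{
    static const uint8_t prologue[]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };             /* mov edi,edi; push ebp; mov ebp,esp */
    static const uint8_t ptok_pair[] = { 0x66, 0x8B, 0x14, 0x53, 0x66, 0x89, 0x17 }; /* mov dx,[ebx+edx*2]; mov [edi],dx */
    size_t off = 0;
    memset(g_img, 0x90, sizeof g_img);
    memcpy(g_img + off, "GIF87A", 6);   off += 6 + 10;
    memcpy(g_img + off, prologue, 5);   off += 5 + 20;
    memcpy(g_img + off, ptok_pair, 7);  off += 7 + 20;
    memcpy(g_img + off, "GIF89A", 6);   off += 6 + 10;
    memcpy(g_img + off, prologue, 5);   off += 5;
    g_img_len = off;
    return off;
}

static long count_in_sample(const char *sig_text)
{
    sig_t s; size_t first = 0;
    if (sig_parse(sig_text, &s) != 0) return -1;
    return (long)sig_count(g_img, g_img_len, &s, &first);
}

static int patch_sample(const char *sig_text, const uint8_t *repl, size_t repl_len)
{
    return spot_patch(g_img, g_img_len, sig_text, repl, repl_len);
}

int main(void)
{
    static const uint8_t movzx[] = { 0x0F, 0xB7, 0x14, 0x53 };   /* illustrative same-length replacement */
    reset_sample();
    printf("GIF8*A hits: %ld\n", count_in_sample("47 49 46 38 ?? 41"));
    printf("prologue patch rc=%d (two hits, refused)\n",
           patch_sample("8B FF 55 8B EC", (const uint8_t *)"\xCC\xCC\xCC\xCC\xCC", 5));
    printf("ptok patch rc=%d, MOV left: %ld\n",
           patch_sample("66 8B 14 53", movzx, 4), count_in_sample("66 8B 14 53"));
    return 0;
}
```

The refusal on a non-unique hit is the important part: a signature written against one VGX build that happens to match twice in another must abort the patch instead of corrupting an unrelated function.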

ZERT's Patch vs. MS's
MS can simply recompile. We have to make room for the input-size test and preserve functionality.
MS patch: copy until the buffer is full (< 0xfe).
Our v1 patch: don't copy if length >= 0x100.
Patch v2 is the MS code, but crunched into 0x5b bytes (from 0x63).
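Added example, not code from the talk or from ZERT: the Ptok tokenizer from the C++ translation above, in plain C, with the unpatched copy loop beside the two fixes just compared, ZERT's v1 input-size test (nSize >= 0x100) and the MS-style stop-when-full copy. WCHAR is modelled as uint16_t so it builds anywhere. In the unpatched mode the writes that would run past szOutput are counted rather than performed, so the program can run without smashing its own stack; the exact way the MS patch resumes after a truncated token is not on the slides and is an assumption here (the remainder becomes the next token).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR_T;        /* one UTF-16 unit, as VGX.DLL stores the input */
#define OUT_LEN 256              /* szOutput[256] from the TOKENS class layout */

typedef struct {
    const WCHAR_T *szInput;      /* input string: never modified, unlike strtok */
    int nSize;                   /* length of input in WCHARs */
    int idxInput;                /* read position, persists across calls */
    WCHAR_T szOutput[OUT_LEN];   /* fixed-size output buffer: the overflow target */
} TOKENS;

enum fix_mode {
    FIX_NONE,      /* original VGX.DLL: no bound on the copy */
    FIX_ZERT_V1,   /* ZERT v1: if (nSize >= 0x100) return NULL */
    FIX_MS         /* MS patch: stop once the buffer holds 0xFE units (resumption assumed) */
};

/* Ptok as on the slides, parameterised by which fix (if any) is applied.
 * In FIX_NONE the out-of-bounds writes are NOT performed: they are recorded
 * in *overflowed so the example runs without actually smashing its stack. */
static WCHAR_T *ptok(TOKENS *t, enum fix_mode mode, int *overflowed)
{
    int idxCurr;
    *overflowed = 0;
    if (t->szInput == NULL)
        return NULL;
    if (mode == FIX_ZERT_V1 && t->nSize >= OUT_LEN)    /* the two-instruction ZERT check */
        return NULL;

    for (idxCurr = 0; t->idxInput < t->nSize && t->szInput[t->idxInput] != 0; t->idxInput++) {
        WCHAR_T c = t->szInput[t->idxInput];
        if (c == ' ') {
            if (idxCurr) break;      /* non-leading space: token complete */
            continue;                /* leading space: skip it */
        }
        if (mode == FIX_MS && idxCurr >= 0xFE)
            break;                   /* buffer full: stop; the rest becomes the next token */
        if (idxCurr >= OUT_LEN)      /* unpatched code writes past szOutput here */
            *overflowed = 1;
        else
            t->szOutput[idxCurr] = c;
        idxCurr++;
    }
    if (idxCurr > 0) {
        if (idxCurr >= OUT_LEN) {    /* the terminator would land out of bounds too */
            *overflowed = 1;
            idxCurr = OUT_LEN - 1;
        }
        t->szOutput[idxCurr] = 0;
        return t->szOutput;
    }
    return NULL;
}

struct tok_result { int count; int first_len; int overflowed; };

static WCHAR_T g_wide[1024];

/* Test driver (not VGX code): widen an ASCII string, tokenise it fully and report
 * the token count, the first token's length and whether any call would have overflowed. */
static struct tok_result run_str(const char *ascii, enum fix_mode mode)
{
    struct tok_result r = { 0, 0, 0 };
    TOKENS t;
    WCHAR_T *tok;
    int ovf;
    size_t n = strlen(ascii);
    if (n > 1023) n = 1023;
    for (size_t i = 0; i < n; i++)
        g_wide[i] = (unsigned char)ascii[i];
    g_wide[n] = 0;
    t.szInput = g_wide; t.nSize = (int)n; t.idxInput = 0;
    while ((tok = ptok(&t, mode, &ovf)) != NULL) {
        if (r.count == 0) {
            while (tok[r.first_len]) r.first_len++;
        }
        r.overflowed |= ovf;
        r.count++;
    }
    return r;
}

/* A "fill method" attribute of n non-space characters: the shape of the attack input. */
static struct tok_result run_a_tokens(int n, enum fix_mode mode)
{
    static char buf[1024];
    if (n > 1023) n = 1023;
    memset(buf, 'A', (size_t)n);
    buf[n] = 0;
    return run_str(buf, mode);
}

int main(void)
{
    const enum fix_mode modes[] = { FIX_NONE, FIX_ZERT_V1, FIX_MS };
    const char *names[] = { "unpatched", "ZERT v1", "MS" };
    for (int i = 0; i < 3; i++) {
        struct tok_result r = run_a_tokens(300, modes[i]);
        printf("%-9s: %d token(s), first length %d, overflow=%d\n",
               names[i], r.count, r.first_len, r.overflowed);
    }
    return 0;
}
```

The boundary is worth noting: 255 characters still fit (255 units plus the terminator), 256 do not, and ZERT's nSize >= 0x100 test sits exactly on that edge, at the price of also rejecting long inputs made of many short tokens, which the MS per-token truncation keeps accepting.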

64-Bit Patching Challenges
Finding the vulnerability point (Ptok) without a 64-bit Windows.
RIP-relative addressing.
MS code was changed from the 32-bit version, yet still unpatched.

32-bit vs. 64-bit VGX.DLL (comparison diagram)

Pre-Patched Versions
Compilation Timestamp   Date   Pre-Patched?
0x38439A32              Nov    Yes
0x43D80C1D              Jan    No
0x449C16C7              Jun    Yes

Section #2: ZERT ANI Patcher

Windows Animated Cursors
It all began in 2005: eEye discovered a vulnerability in USER32.DLL's handling of .ANI files. (Incompletely) fixed by MS; XP SP2 was already immune.
In 2006 a similar vulnerability was discovered by Determina (Alexander Sotirov).
Public disclosure: March 28, 2007.

Bug Description
ANI files store animated cursors. They are based on the RIFF multimedia file format, which is a series of tagged chunks.
LoadCursorIconFromFileMap only validated the first 'anih' chunk's size before parsing the rest of the chunks by calling LoadAniIcon.
LoadAniIcon parses the chunks, including 'anih', this time without size validation.

Malformed ANI Sample
RIFF....ACONanih$...$...          First header chunk, so far so good.
anihX...AAAAAAAAAAAAAAAA          Now! This is tricky, oh yeah.
The first 'anih' chunk declares size '$' = 0x24 = 36 bytes, the size of the header; the second declares 'X' = 0x58 = 88 bytes of 'A', which overrun the 36-byte header on the stack.
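Added example, not USER32 code or ZERT's: a RIFF/ACON chunk walker that treats every 'anih' chunk the way the Bug Description slide says ReadChunk does, copying chunk-size bytes into a fixed 36-byte header. CHECK_FIRST_ONLY mirrors the original behaviour (only the first header's size is validated, later ones are copied blindly); CHECK_EVERY validates each one, which is what the pre-compiled ReadChunk described later in the talk does. The sample file is constructed to match the slide's dump rather than captured; bytes that would land past the header are counted instead of written, so the program runs without smashing its own stack. Field names in ANIHEADER are the documented ones but are assumed here, not taken from the slides.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {              /* the 36-byte 'anih' payload (9 DWORDs); names assumed */
    uint32_t cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, jifRate, flags;
} ANIHEADER;

enum ani_check { CHECK_FIRST_ONLY, CHECK_EVERY };   /* unpatched USER32 vs. the fix */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the chunk list. For each 'anih' chunk do what ReadChunk does: copy
 * chunk-size bytes into the fixed header. Bytes beyond the header are counted in
 * *overflow instead of being written. Returns the number of 'anih' chunks consumed,
 * or <0 on rejection: -1 not RIFF/ACON, -2 bad 'anih' size, -3 chunk past end of file. */
static int parse_ani(const uint8_t *f, size_t n, enum ani_check mode,
                     ANIHEADER *hdr, size_t *overflow)
{
    size_t off = 12;
    int seen = 0;
    *overflow = 0;
    if (n < 12 || memcmp(f, "RIFF", 4) != 0 || memcmp(f + 8, "ACON", 4) != 0)
        return -1;
    while (off + 8 <= n) {
        const uint8_t *id = f + off;
        uint32_t size = rd32(f + off + 4);
        const uint8_t *data = f + off + 8;
        if (size > n - off - 8)
            return -3;
        if (memcmp(id, "anih", 4) == 0) {
            int validate = (mode == CHECK_EVERY) || seen == 0;   /* the bug: only the first one */
            if (validate && size != sizeof(ANIHEADER))
                return -2;
            memcpy(hdr, data, size < sizeof(ANIHEADER) ? size : sizeof(ANIHEADER));
            if (size > sizeof(ANIHEADER))
                *overflow += size - sizeof(ANIHEADER);          /* what would have hit the stack */
            seen++;
        }
        off += 8 + size + (size & 1);                             /* RIFF pads odd-sized chunks */
    }
    return seen;
}

static size_t put_chunk(uint8_t *out, const char *id, const void *data, uint32_t size)
{
    memcpy(out, id, 4);
    wr32(out + 4, size);
    memcpy(out + 8, data, size);
    return 8 + size;
}

/* Constructed sample (not a captured file): a valid 36-byte 'anih' and, when
 * with_oversized is set, a second 'anih' declaring 0x58 = 88 bytes of 'A'. */
static size_t build_sample_ani(uint8_t *out, size_t cap, int with_oversized)
{
    ANIHEADER h = { 36, 1, 1, 32, 32, 32, 1, 10, 0 };
    uint8_t payload[88];
    size_t off = 12;
    if (cap < 12 + 8 + 36 + 8 + 88) return 0;
    memset(payload, 'A', sizeof payload);
    memcpy(out, "RIFF\0\0\0\0ACON", 12);
    off += put_chunk(out + off, "anih", &h, sizeof h);
    if (with_oversized)
        off += put_chunk(out + off, "anih", payload, sizeof payload);
    wr32(out + 4, (uint32_t)(off - 8));                          /* RIFF size field */
    return off;
}

static int sample_result(int with_oversized, enum ani_check mode)
{
    uint8_t f[256]; ANIHEADER h; size_t ovf;
    size_t n = build_sample_ani(f, sizeof f, with_oversized);
    return parse_ani(f, n, mode, &h, &ovf);
}

static size_t sample_overflow(int with_oversized, enum ani_check mode)
{
    uint8_t f[256]; ANIHEADER h; size_t ovf;
    size_t n = build_sample_ani(f, sizeof f, with_oversized);
    parse_ani(f, n, mode, &h, &ovf);
    return ovf;
}

int main(void)
{
    printf("unpatched: rc=%d, %zu bytes past the header\n",
           sample_result(1, CHECK_FIRST_ONLY), sample_overflow(1, CHECK_FIRST_ONLY));
    printf("fixed:     rc=%d, %zu bytes past the header\n",
           sample_result(1, CHECK_EVERY), sample_overflow(1, CHECK_EVERY));
    return 0;
}
```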

Attack Vectors
Internet Explorer loading an HTML file: style="CURSOR: url('malformed.ani')".
Outlook.
Windows Explorer.

The Patcher
USER32.DLL requires in-memory patching.
Using “Known DLLs” to load our DLL into every process.
Our DllMain locates USER32.DLL, finds its code section and begins its magic work.

Vulnerable Code - LoadAniIcon
Bytes and disassembly, offsets relative to the first CMP (the immediates are the chunk tags read as little-endian DWORDs, so 'seq ' shows as ' qes'):
+00  3D 73 65 71 20        CMP  EAX, ' qes'     ; tag 'seq '
+05  0F 84 7C 01 00 00     JZ   0x187
+0B  3D 4C 49 53 54        CMP  EAX, 'TSIL'     ; tag 'LIST'
+10  0F 84 CB 00 00 00     JZ   0xE1
+16  3D 72 61 74 65        CMP  EAX, 'etar'     ; tag 'rate'
+1B  0F 84 A6 00 00 00     JZ   0xC7
+21  3D 61 6E 69 68        CMP  EAX, 'hina'     ; tag 'anih'
+26  0F 85 DF 00 00 00     JNZ  0x10B
+2C  8D 45 B4              LEA  EAX, [EBP-0x4C]
+2F  50                    PUSH EAX
+30  8D 45 D8              LEA  EAX, [EBP-0x28]
+33  50                    PUSH EAX
+34  53                    PUSH EBX
+35  E8 E4 FA FF FF        CALL ReadChunk       ; 'anih' size is not checked before the copy

Runtime Generic Patching
3 x-refs to the ReadChunk function; only one needs a fix (LoadCursorIconFromFileMap).
Search for a static signature.
Look back for another static signature.
Disassemble forward until the next CALL is found.
Now that we have found the call that indirectly leads to memcpy, we have to patch it, but how?

The Fix
A pre-compiled version of the ReadChunk function, this time with size validation.
ReadChunk internally calls ReadFilePtrCopy, which really copies the data and overflows the stack.
Fix up our pre-compiled code to call the correct ReadFilePtrCopy: calculate the relative 32-bit offset.
Allocate executable memory for the new function.
Once it's ready, we can simply retarget the original vulnerable CALL instruction to our new immune function.

Potential Problems
Multiple threads might be running the patched code: we patch only a DWORD (the CALL's rel32 operand).
Searching for a DWORD must be byte-aligned: the operand can sit at any byte offset.
Finding the CALL instruction: a disassembler must be used.
If-then statement code generation: following branches.
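Added example, not ZERT's patcher code: the “disassemble forward until the next CALL” step and the DWORD retarget from the last three slides, run over the bytes of the LoadAniIcon listing. The length decoder only knows the opcodes that appear in that listing and their immediate neighbours and refuses anything else, which is enough to show why scanning for the byte E8 is not safe: a constructed decoy instruction (cmp eax, 0xE8) is prepended to demonstrate the false hit. The load address 0x1000 and the new target values are hypothetical; the real patcher would use a full disassembler (the talk uses diStorm) and perform the rel32 write as a single atomic store.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Length of a ModRM operand: ModRM byte + optional SIB + displacement. */
static int modrm_len(const uint8_t *p, size_t avail)
{
    int mod, rm, len = 1;
    if (avail < 1) return -1;
    mod = p[0] >> 6; rm = p[0] & 7;
    if (mod == 3) return 1;
    if (rm == 4) {                                   /* SIB byte follows */
        if (avail < 2) return -1;
        len++;
        if (mod == 0 && (p[1] & 7) == 5) len += 4;   /* no base register: disp32 */
    }
    if (mod == 1) len += 1;
    else if (mod == 2 || (mod == 0 && rm == 5)) len += 4;
    return (size_t)len <= avail ? len : -1;
}

/* Minimal x86-32 length decoder for the opcodes in the listing and their neighbours.
 * Unknown opcodes return -1: refusing to guess is the point. */
static int insn_len(const uint8_t *p, size_t avail)
{
    uint8_t op; int m;
    if (avail < 1) return -1;
    op = p[0];
    if (op == 0x3D || op == 0xE8 || op == 0xE9 || op == 0x68)    /* cmp eax,imm32; call/jmp rel32; push imm32 */
        return avail >= 5 ? 5 : -1;
    if (op == 0x0F)                                               /* 0F 8x: Jcc rel32 */
        return (avail >= 6 && (p[1] & 0xF0) == 0x80) ? 6 : -1;
    if ((op >= 0x50 && op <= 0x5F) || op == 0x90 || op == 0xC3)  /* push/pop reg, nop, ret */
        return 1;
    if (op == 0x6A || op == 0xEB || (op >= 0x70 && op <= 0x7F)) /* push imm8, jmp/jcc rel8 */
        return avail >= 2 ? 2 : -1;
    if (op == 0xF3 && avail >= 2 && p[1] == 0xA5) return 2;      /* rep movsd */
    if (op == 0x8D || op == 0x85 || op == 0x8B || op == 0x89) {  /* lea, test, mov r/m */
        m = modrm_len(p + 1, avail - 1); return m < 0 ? -1 : 1 + m;
    }
    if (op == 0x83) {                                             /* grp1 r/m, imm8 */
        m = modrm_len(p + 1, avail - 1); return (m < 0 || (size_t)(2 + m) > avail) ? -1 : 2 + m;
    }
    return -1;
}

/* Decode forward from 'start' until a CALL rel32 (E8) is reached; -1 if an unknown opcode comes first. */
static long find_call(const uint8_t *code, size_t n, size_t start)
{
    size_t off = start;
    while (off < n) {
        int len = insn_len(code + off, n - off);
        if (len < 0) return -1;
        if (code[off] == 0xE8) return (long)off;
        off += (size_t)len;
    }
    return -1;
}

/* The tempting shortcut, kept only to show what goes wrong. */
static long naive_find_e8(const uint8_t *code, size_t n, size_t start)
{
    for (size_t i = start; i < n; i++)
        if (code[i] == 0xE8) return (long)i;
    return -1;
}

static uint32_t call_target(const uint8_t *code, uint32_t base, size_t call_off)
{
    const uint8_t *r = code + call_off + 1;
    uint32_t rel = (uint32_t)r[0] | (uint32_t)r[1] << 8 | (uint32_t)r[2] << 16 | (uint32_t)r[3] << 24;
    return base + (uint32_t)call_off + 5 + rel;      /* rel32 is relative to the next instruction */
}

/* Rewrite only the rel32 operand (one DWORD, not 4-byte aligned). Returns the old target. */
static uint32_t retarget_call(uint8_t *code, uint32_t base, size_t call_off, uint32_t new_target)
{
    uint32_t old = call_target(code, base, call_off);
    uint32_t rel = new_target - (base + (uint32_t)call_off + 5);
    uint8_t *r = code + call_off + 1;
    r[0] = (uint8_t)rel; r[1] = (uint8_t)(rel >> 8); r[2] = (uint8_t)(rel >> 16); r[3] = (uint8_t)(rel >> 24);
    return old;
}

/* The LoadAniIcon listing from the first CMP up to and including the CALL. */
static const uint8_t SLIDE_CODE[] = {
    0x3D, 0x73, 0x65, 0x71, 0x20,  0x0F, 0x84, 0x7C, 0x01, 0x00, 0x00,   /* cmp eax,'seq '; jz */
    0x3D, 0x4C, 0x49, 0x53, 0x54,  0x0F, 0x84, 0xCB, 0x00, 0x00, 0x00,   /* cmp eax,'LIST'; jz */
    0x3D, 0x72, 0x61, 0x74, 0x65,  0x0F, 0x84, 0xA6, 0x00, 0x00, 0x00,   /* cmp eax,'rate'; jz */
    0x3D, 0x61, 0x6E, 0x69, 0x68,  0x0F, 0x85, 0xDF, 0x00, 0x00, 0x00,   /* cmp eax,'anih'; jnz */
    0x8D, 0x45, 0xB4, 0x50,  0x8D, 0x45, 0xD8, 0x50,  0x53,              /* lea/push, lea/push, push ebx */
    0xE8, 0xE4, 0xFA, 0xFF, 0xFF                                         /* call ReadChunk */
};
static uint8_t g_code[128];

/* with_decoy prepends a constructed "cmp eax, 0xE8" whose immediate contains an E8 byte. */
static size_t build_code(int with_decoy)
{
    static const uint8_t decoy[] = { 0x3D, 0xE8, 0x00, 0x00, 0x00 };
    size_t len = 0;
    if (with_decoy) { memcpy(g_code, decoy, sizeof decoy); len = sizeof decoy; }
    memcpy(g_code + len, SLIDE_CODE, sizeof SLIDE_CODE);
    return len + sizeof SLIDE_CODE;
}

static long demo_decoded_call(int with_decoy) { return find_call(g_code, build_code(with_decoy), 0); }
static long demo_naive_call(int with_decoy)   { return naive_find_e8(g_code, build_code(with_decoy), 0); }

static uint32_t demo_target(int with_decoy, uint32_t base)   /* hypothetical load address 'base' */
{
    long c = find_call(g_code, build_code(with_decoy), 0);
    return c < 0 ? 0 : call_target(g_code, base, (size_t)c);
}

static uint32_t demo_retarget(int with_decoy, uint32_t base, uint32_t new_target)
{
    long c = find_call(g_code, build_code(with_decoy), 0);
    if (c < 0) return 0;
    retarget_call(g_code, base, (size_t)c, new_target);
    return call_target(g_code, base, (size_t)c);
}
```

On the listing itself both approaches agree (the CALL is at +0x35), but with the decoy in front the byte scan stops at offset 1, inside an immediate, while the decoder walks past it to the real CALL; the rel32 E4 FA FF FF resolves to base - 0x4E2, and after the retarget a fresh decode reads back the new target.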

The Sad Truths
There is a function which validates the ANI header parameters, but only after the header has been copied locally.
The VML vulnerability didn't exist in IE5, which had the buffer size validation back then. It probably slipped away through a code regression.

Questions???

The End
Thanks to: CCC, ZERT members, ZERT exploit POC.