Presentation is loading. Please wait.

Presentation is loading. Please wait.

Reversing Microsoft Patches to reveal Vulnerable code Harsimran Walia

Published byNancy Ellis Modified over 9 years ago

Similar presentations

Presentation on theme: "Reversing Microsoft Patches to reveal Vulnerable code Harsimran Walia"— Presentation transcript:

1 Reversing Microsoft Patches to reveal Vulnerable code Harsimran Walia http://null.co.in/http://nullcon.net/

2 Introduction Need Process

3 http://null.co.in/ http://nullcon.net/ Finding a 0day vulnerability Vulnerability reaches the vendor Vendor finds a fix Releases a patch to fix the vulnerability Introduction Birth of a security patch Microsoft patches Reverse engineer the patch Locate the vulnerability patched Highlight the difficulties Discussion in the presentation

4 For reversing and obtaining binary difference in my demos I would be using DarunGrim2 How DarunGrim works? The schema of DarunGrim is shown in the figure To generate diffing results – Binaries are disassembled in IDA Pro in the background and darungrim IDA plugin is run which creates the sqlite database – Diffing Engine, the heart of DarunGrim2. The sqlite db from IDA and the binaries from GUI are fed into this engine as inputs http://null.co.in/ http://nullcon.net/ Introduction

5 Algorithm ? Main algorithm of DarunGrim is Basic block fingerprint hash map Each basic block is 1 entity whose fingerprint is generated from the instruction sequence Fingerprint hash generated by IDA Pro Two fingerprint hash tables one each for unpatched and patched binary For finding the binary difference, each unique fingerprint from original binary is searched against the fingerprints of patched binary for a match All fingerprints in the original binary hash tables are either matched or unmatched http://null.co.in/ http://nullcon.net/ Introduction

6 Algorithm ? Contd.. For a function to be called matching, all the basic blocks in the function should be matching For unmatched functions DarunGrim calculates percentage match Match rate based on fingerprint string match – Similar to GNU Diff algorithm which is finding longest common subsequence http://null.co.in/ http://nullcon.net/ Introduction

7 Vulnerability Vs Exploit based signatures Exploit signatures Created by using byte string patterns or regular expressions These are exploit specific They are used widely mainly because of the ease of their creation Cater to only one type of input satisfying that vulnerability condition Fail: different attacks can exploit the same vulnerability, so exploit based signatures will fail For eg. Exploit based signature – ESig = “docx?AAAAAAAAAAA...” – It will fail if some exploit uses a long string of B’s instead of A’s http://null.co.in/ http://nullcon.net/ Introduction

8 Vulnerability Vs Exploit based signatures Vulnerability signatures Based on the properties of the vulnerability and not on the properties of the exploit It is a superset of all the inputs satisfying a particular vulnerability condition For eg. Vulnerability based signature for previous case – VSig = MATCH_STR (Buffer,"docx?(.*)$",limit) – Matches string in buffer with the regex – It is effective against any alphabet unlike exploit signature http://null.co.in/ http://nullcon.net/ Introduction Vulnerability Signature Exploit Signature

9 Vulnerability Vs Exploit based signatures Vulnerability signatures contd.. For a good vulnerability signature – It should strictly not allow any false negatives as even one exploit can pwn the system and create a gateway for the attacker into the network. – It should allow very few false positives, as too many false positives may lead to a DoS attack for the system. – The signature matching time should not create a considerable delay for the software and services. http://null.co.in/ http://nullcon.net/ Introduction

10 The first step of creating an undisclosed exploit is to find the vulnerability to exploit it. To verify if the patch released by Microsoft is working as per it is designed. To create vulnerability based signatures. http://null.co.in/ http://nullcon.net/ Need

11 Finding patchesExtraction of filesBinary DifferencingDifferencing AnalysisDebugging http://null.co.in/ http://nullcon.net/ Process

12 http://null.co.in/ http://nullcon.net/ Process Pick a vulnerability and download its patch Pick a vulnerability just before this one that patched the same program or dll – If unavailable, use the same dll from your system Finding patches GDR or QFE/LDR ?? File Versioning Quick-fix Use open source ms-patch-tools to easily get the file versions to compare

13 http://null.co.in/ http://nullcon.net/ Process Finding patches DEMO

14 http://null.co.in/ http://nullcon.net/ Process The traditional way of extracting file from patch –.exe /x – Works only till Windows XP and earlier versions of Windows Above method cannot be used on Win7 and Vista patches delivered as msu Extraction of files Finding patches

15 http://null.co.in/ http://nullcon.net/ Process Use expand command – expand -F:*.msu C:\ – expand -F:*.cab C:\ Extraction of files Finding patches

16 http://null.co.in/ http://nullcon.net/ Process Extraction of files Finding patches DEMO

17 Finding patches http://null.co.in/ http://nullcon.net/ Process DarunGrim v2 used for binary difference – Feed in the two binaries to be compared – Generates a list of functions with the %age match between the two files Extraction of files Binary Differencing Not every function %age < 100 is changed Includes false positives which requires manual analysis

18 Finding patches http://null.co.in/ http://nullcon.net/ Process Extraction of files Binary Differencing DEMO

19 Finding patches http://null.co.in/ http://nullcon.net/ Process Manual inspection of functions with less than 100% match – Remove false positives generated by problems like Instruction reordering Lot of reordering happening over different releases marks even the same blocks as unmatched Split blocks Block in the graph which has only parent and the parent has only one child leads to a split block. causing a problem in the matching process Can be improved by merging the two blocks and treating as a single block. Extraction of filesBinary Differencing Differencing Analysis

20 Hot patching Instructions like mov eax, eax at the start of functions are a sign of hot patching leading to a mismatch in the block By just ignoring the instruction we can get a match Compiler optimizations Different compilers and even different versions of the same compiler perform different optimizations which also creates problems in getting proper difference – Eventually reach a function which is indeed modified and might be the fix to the vulnerability being patched http://null.co.in/ http://nullcon.net/ Finding patches Process Extraction of filesBinary Differencing Differencing Analysis

21 Finding patches http://null.co.in/ http://nullcon.net/ Process Extraction of filesBinary Differencing Differencing Analysis DEMO

22 Finding patches push [ebp-2Ch] ; unsigned int call ??2@YAPAXI@Z ; operator new(uint) mov ebx, eax pop ecx mov [ebp-18h], ebx mov [ebp-3Ch], ebx mov byte ptr [ebp-4], 1 push dword ptr [ebp-2Ch] mov ecx, esi push ebx push [ebp-30h] call sub_118000C func(const *,void *,long) mov edi, eax test edi, edi jge short push [ebp-2Ch] ; unsigned int call ??2@YAPAXI@Z ; operator new(uint) pop ecx mov [ebp-14h], eax ; ebp-14h = pBuffer mov [ebp-40h], eax mov byte ptr [ebp-4], 2 push [ebp-2Ch] mov ecx, esi push ebx push edi call sub_118000C func(const *,void *,long) mov esi, eax test esi, esi jge short loc_118158A http://null.co.in/ http://nullcon.net/ Process Extraction of filesBinary Differencing Differencing Analysis

23 Finding patches http://null.co.in/ http://nullcon.net/ Process Extraction of filesBinary DifferencingDifferencing Analysis Debugging To validate our finding of analysis by debugging – Getting a crash of the application – Creating a malformed file to get the crash Would be using Immunity Debugger

24 Finding patches http://null.co.in/ http://nullcon.net/ Process Extraction of filesBinary DifferencingDifferencing Analysis Debugging DEMO

25 Conclusion Presented an overview of how the 1-day exploits and Vulnerability signatures can be created Attempt was made to understand the process involved in reversing and the problems faced during the execution of the process Only talked about Microsoft patches but concept not limited to this. Concepts presented can be perfected by interested audience http://null.co.in/ http://nullcon.net/

26 Thanks Questions?? http://null.co.in/http://nullcon.net/

Download ppt "Reversing Microsoft Patches to reveal Vulnerable code Harsimran Walia"

Similar presentations

Debugging ACL Scripts.

Debugging ACL Scripts.
Sample chapter from https://training.zdresearch.com Reverse Engineering Course.

Sample chapter from Reverse Engineering Course.
ByteWeight: Learning to Recognize Functions in Binary Code

ByteWeight: Learning to Recognize Functions in Binary Code
Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.

Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.
Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J. Schwartz *, JongHyup Lee ✝, Maverick.

Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J. Schwartz *, JongHyup Lee ✝, Maverick.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
CS590 Z Matching Program Versions Xiangyu Zhang. CS590Z Problem Statement  Suppose a program P’ is created by modifying P. Determine the difference between.

CS590 Z Matching Program Versions Xiangyu Zhang. CS590Z Problem Statement  Suppose a program P’ is created by modifying P. Determine the difference between.
Fuzzing Dan Fleck CS 469: Security Engineering Sources:

Fuzzing Dan Fleck CS 469: Security Engineering Sources:
Outline Learning Assembly by an Example.  Program Formats  Some Simple Instructions  Assemble and Execute Learning Another Example  Data Definition.

Outline Learning Assembly by an Example.  Program Formats  Some Simple Instructions  Assemble and Execute Learning Another Example  Data Definition.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.

Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
The Superdiversifier: Peephole Individualization for Software Protection Mariusz H. Jakubowski Prasad Naldurg Chit Wei (Nick) Saw Ramarathnam Venkatesan.

The Superdiversifier: Peephole Individualization for Software Protection Mariusz H. Jakubowski Prasad Naldurg Chit Wei (Nick) Saw Ramarathnam Venkatesan.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Memory & Storage Architecture Seoul National University Computer Architecture “ Bomb Lab Hints” 2nd semester, 2014 Modified version : The original.

Memory & Storage Architecture Seoul National University Computer Architecture “ Bomb Lab Hints” 2nd semester, 2014 Modified version : The original.
Security Comparisons of Open Source and Closed Source Programs Katherine Wright.

Security Comparisons of Open Source and Closed Source Programs Katherine Wright.
The (5) Parts Every Computer MUST have. Humans Computers Input Devices (getting information IN) Question: What other INPUT devices can you think of?

The (5) Parts Every Computer MUST have. Humans Computers Input Devices (getting information IN) Question: What other INPUT devices can you think of?
0wning Antivirus Alex Wheeler Neel Mehta

0wning Antivirus Alex Wheeler Neel Mehta
Code Injection and Software Cracking’s Effect on Network Security Group 5 Jason Fritts Utsav Kanani Zener Bayudan ECE 4112 Fall 2007.

Code Injection and Software Cracking’s Effect on Network Security Group 5 Jason Fritts Utsav Kanani Zener Bayudan ECE 4112 Fall 2007.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)

David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)

Similar presentations

Ads by Google