bypassing different defense schemes via crash resistant
play

Bypassing Different Defense Schemes via Crash-Resistant Probing of - PowerPoint PPT Presentation

Oct 10, 2022 •270 likes •1.13k views

Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik Ruhr University Bochum Horst Grtz Institute for IT-Security Bochum, Germany About me Playing with InfoSec since 2010 Currently in academia

  1. Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik Ruhr University Bochum Horst Görtz Institute for IT-Security Bochum, Germany

  2. About me • Playing with InfoSec since 2010 • Currently in academia at Systems Security Group @ Horst Görtz Institute / Ruhr University Bochum • Focusing on binary analysis / attacks / defenses / static and dynamic analysis • Little time for bug hunting and exploiting • Fun fact: Recently discovered favorite toy: DynamoRIO CanSecWest 2016

  3. Agenda • Crash-Resistance • Crash-Resistance in IE 32-bit (CVE 2015-6161) • Memory Scanning : Bypass ASLR • Export Resolving : Bypass EMET's EAF+ • Function Chaining : Bypass Control Flow Guard & EMET's UNC library path restriction • Crash-Tolerant Function Dispatching : Fun ! • Mitigations/Fixes CanSecWest 2016

  4. Crash-Resistance

  5. Crash-Resistance char* addr = 0; void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); } int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  6. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); } int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  7. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); } int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  8. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); • crash() generates a fault on char content = *(addr); first execution printf("read done"); } int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  9. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); • crash() generates a fault on char content = *(addr); first execution printf("read done"); } Program should int main(){ MSG msg; terminate abnormally SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  10. Crash-Resistance CanSecWest 2016

  11. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); • crash() generates a fault on char content = *(addr); first execution printf("read done"); } Instead: int main(){ MSG msg; Program runs endlessly SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  12. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); • crash() generates a fault on char content = *(addr); first execution printf("read done"); } int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  13. Crash-Resistance 0:000:x86> g (370.e4): Access violation - code c0000005 (first chance) crash_resistance!crash+0x2d: 009b104d 8a02 mov al,byte ptr [edx] ds:002b:00000001=?? 0:000:x86> gn (370.e4): Access violation - code c0000005 (first chance) crash_resistance!crash+0x2d: 009b104d 8a02 mov al,byte ptr [edx] ds:002b:00000002=?? 0:000:x86> !exchain [...] 0057f800: USER32!_except_handler4+0 CRT scope 0, filter: USER32!DispatchMessageWorker+36882 func: USER32!DispatchMessageWorker+36895 CanSecWest 2016

  14. Crash-Resistance 0:000:x86> g (370.e4): Access violation - code c0000005 (first chance) crash_resistance!crash+0x2d: 009b104d 8a02 mov al,byte ptr [edx] ds:002b:00000001=?? pass exception unhandled 0:000:x86> gn (370.e4): Access violation - code c0000005 (first chance) crash_resistance!crash+0x2d: 009b104d 8a02 mov al,byte ptr [edx] ds:002b:00000002=?? 0:000:x86> !exchain [...] 0057f800: USER32!_except_handler4+0 CRT scope 0, filter: USER32!DispatchMessageWorker+36882 func: USER32!DispatchMessageWorker+36895 CanSecWest 2016

  15. Crash-Resistance Behind the Scenes (Simplified) char* addr = 0; DispatchMessage: void crash(){ __try addr++; { printf("reading %x", addr); crash() char content = *(addr); access violation } printf("read done"); __except( filter ) } filter returns 1 { int main(){ execute handler MSG msg; } SetTimer(0, 0, 1, crash); continue execution while (1){ return GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  16. Crash-Resistance Behind the Scenes (Simplified) char* addr = 0; DispatchMessage: void crash(){ __try addr++; { printf("reading %x", addr); crash() char content = *(addr); } printf("read done"); __except( filter ) } { int main(){ MSG msg; } SetTimer(0, 0, 1, crash); while (1){ return GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  17. Crash-Resistance Behind the Scenes (Simplified) char* addr = 0; void crash(){ addr++; printf("reading %x", addr); If a fault is generated, char content = *(addr); execution is printf("read done"); transferred to the end } of the loop int main(){ MSG msg; SetTimer(0, 0, 1, crash); Program continues while (1){ running despite GetMessage(&msg, NULL, 0, 0); producing faults DispatchMessage(&msg); } } CanSecWest 2016

  18. Crash-Resistance Behind the Scenes (Simplified) char* addr = 0; void crash(){ addr++; printf("reading %x", addr); If a fault is generated, char content = *(addr); execution is printf("read done"); transferred to the end } of the loop int main(){ MSG msg; SetTimer(0, 0, 1, crash); Program continues while (1){ running despite GetMessage(&msg, NULL, 0, 0); producing faults DispatchMessage(&msg); } } CanSecWest 2016

  19. Crash-Resistance DEMO 1 CanSecWest 2016

  20. Crash-Resistance • Similar issues: - ”Why it's not crashing ?” [1] - ANI Vulnerability (CVE 2007-0038) [2] - ”Escaping VMware Workstation through COM1” (JPEG2000 parsing) [3] - ”The Art of Leaks” (exploit reliability) [4] CanSecWest 2016

  21. Crash-Resistance in Internet Explorer 11

  22. Crash-Resistance in IE 11 JS callback() set with setInterval() or setTimeout() in web worker is crash-resistant: • Start worker • Launch timed callback() with setInterval() • callback() function may produce access violations without forcing IE into termination (a) : if an AV is triggered in callback() , then callback() stops running and is executed anew (b) : if callback() produces no fault, it is executed completely and then started anew → usable as side channel CanSecWest 2016

  23. Crashless Memory Scanning in Internet Explorer 11

  24. Memory Scanning The Plan: • Spray the heap • Use vulnerabilty to change a byte → Create a type confusion and craft fake JS objects • Utilize fake objects in web worker with setInterval() to scan memory in a crash-resistant way → Discover Thread Environment Block (TEB) → Discover DLL Base Addresses • Don't control EIP yet – instead: use only JS → bypass ASLR CanSecWest 2016

  25. Memory Scanning Spray the heap • Alternate between Object Arrays and Integer Arrays • Object Arrays become aligned to 0xYYYY0000 • Integer Arrays become aligned to +f000 +f400 +f800 +fc00 → Object Array: ObjArr[0] = new String() // saved as reference; bit 0 never set ObjArr[1] = 4 // integer saved as 9 = 4 << 1 | 1 → Integer Array: IntArr[0] = 4 // saved as 4 CanSecWest 2016

  26. Memory Scanning Spray the heap ObjArr[0] = 0x808f880 // saved as 0x808f880 << 1 | 1 = 0x1011f101 ObjArr[1] = new Uint32Array() // saved as reference 0x100ff1b0 0:036> dd 10110000 L0x0c 0:036> dd 10110000 L0x0c 10110000 00000000 0000eff0 00000000 00000000 10110000 00000000 0000eff0 00000000 00000000 10110010 00000000 000000fc 00003bf8 00000000 10110010 00000000 000000fc 00003bf8 00000000 10110020 1011f101 100ff1b0 80000002 80000002 10110020 1011f101 100ff1b0 80000002 80000002 0:036> dds 100ff1b0 L1 0:036> dds 100ff1b0 L1 100ff1b0 7193803c jscript9!Js::TypedArray<unsigned int,0>::`vftable' 100ff1b0 7193803c jscript9!Js::TypedArray<unsigned int,0>::`vftable' CanSecWest 2016

Recommend

Exploitation on ARM Technique and bypassing defense mechanisms 07. 2010 STRI/Advance Technology

Exploitation on ARM Technique and bypassing defense mechanisms 07. 2010 STRI/Advance Technology

Exploitation on ARM Technique and bypassing defense mechanisms 07. 2010 STRI/Advance Technology Lab/Security # /usr/bin/whoami Itzhak (Zuk) Avraham Researcher at Samsung Electronics Partner at PIA Follow me on twitter under

473 views • 31 slides
Checkmate? Review of the Epidemiology and our Last Line of Defense for Carbapenem-Resistant

Checkmate? Review of the Epidemiology and our Last Line of Defense for Carbapenem-Resistant

Checkmate? Review of the Epidemiology and our Last Line of Defense for Carbapenem-Resistant Enterobacteriaceae Kieran Shah, Clinical Pharmacy Specialist Critical Care, Surrey Memorial Hospital Presenter disclosure I have no current or past

744 views • 50 slides
Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison David

Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison David

Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison David Malone and Josh Tobin. 2008-12-11 1 Hash Table Lookup scheme to avoid cost of searching full list. carrot zuchinni . . . . . . apricot apple

406 views • 16 slides
Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture Damage 1 Balanced Mix Design: ETG Definition Asphalt mix design using performance tests on appropriately conditioned specimens that address

480 views • 46 slides
Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript Bypassing browser

1.1k views • 48 slides
Design of a blocking-resistant anonymity system Roger Dingledine, Nick Mathewson The Tor Project

Design of a blocking-resistant anonymity system Roger Dingledine, Nick Mathewson The Tor Project

Design of a blocking-resistant anonymity system Roger Dingledine, Nick Mathewson The Tor Project 1 Outline Crash course on Tor Goals for blocking resistance Assumptions (threat model) What Tor offers now Current proxy

1.07k views • 70 slides
Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo,

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo,

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo, Amira Barki, Solenn Brunet and Jacques Traor 1st Workshop on Advances in Secure Electronic Voting Schemes VOTING16 February 26th, 2016

532 views • 23 slides
Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY CONSULTANT 17 th November 2017 BYPASSING A WAF WHY? Number of deployed Web Application Firewalls (WAFs) is increasing WAFs make a penetration

533 views • 34 slides
Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared 6/3/2020 1- Crash Identification Block The month, day and hour should be when the crash occurred Not when reported Not when you arrived 2- General

561 views • 15 slides
PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location System Website Address: http://pueblo.ms2soft.com Quick Search By: Study Location Location Crash Data Crash ID Date Crash Type LOG

555 views • 31 slides
A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas State] John Hatcliff Work on specification patterns by Matthew Dwyer, Jay Corbett, and George Avrunin http://www.cis.ksu.edu/santos/bandera

303 views • 29 slides
Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven

Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven

Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven Maertens / DLR 7th Conference on Applied Infrastructure Research, OCT 10-11, 2008 Sven Maertens DLR Bypassing the hubs Page 1 Structure

559 views • 22 slides
A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure RNA DNA Replication Encoding Proteins Protein Folding Types of DNA Manipulating DNA PCR Biological Computation CPSC

378 views • 36 slides
Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

@amchamwatch| @HofstedeInsight @RudPedersenFIN Country Manager Network Breakfast: Crash Course into the New Finnish Government and HQ Communication Crash Course into the New Finnish Government and HQ Communication Esa Suominen Managing

262 views • 25 slides
CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain Landscape Architecture &amp; Regional and Community Planning Kansas State University DLA Conference 2015 June 6, 2015 BACKGROUND AND CONTEXT

702 views • 31 slides
Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Robert Diepeveen &amp; Ruben de Vries Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE standard Port-based network access protocol Authentication mechanism for devices wishing to attach to

357 views • 17 slides
Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N.

Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N.

Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N. McDonough Archivist and Library Manager at the Kettering Foundation Owned by one cat Crash and Burn One fails toward success.

434 views • 7 slides
An introduction to using slip-resistant flooring from Altro discover altro.com/slip-resistant

An introduction to using slip-resistant flooring from Altro discover altro.com/slip-resistant

An introduction to using slip-resistant flooring from Altro discover altro.com/slip-resistant Typical applications Healthcare Education Back-of-house High traffic areas Manufacturing and industrial areas General

536 views • 43 slides
Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What

Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What

Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What code paths were executed What parts of the execution interacted with external data Input Determination Which input bytes influence the crash

583 views • 45 slides
R&amp;D on graphite based oxidation resistant materials and radiation resistant tungsten J

R&amp;D on graphite based oxidation resistant materials and radiation resistant tungsten J

The High Power Targetry R&amp;D Roadmap for High Energy Physics Workshop @Fermilab, USA 31st May, 2017 R&amp;D on graphite based oxidation resistant materials and radiation resistant tungsten J PARC Center, High Energy Accelerator Research

625 views • 23 slides
Multi-drug Resistant Organisms (MDROs) in Healthcare Facilities Gail Bennett RN, MSN, CIC 1

Multi-drug Resistant Organisms (MDROs) in Healthcare Facilities Gail Bennett RN, MSN, CIC 1

Multi-drug Resistant Organisms (MDROs) in Healthcare Facilities Gail Bennett RN, MSN, CIC 1 What we will cover: General information Specific MDROs Methicillin Resistant Staph aureus (MRSA) Vancomycin Resistant Enterococci (VRE)

993 views • 57 slides
Crash Course Entrepreneurship Crash Course Escape from Corporate [Case Study] Who wants

Crash Course Entrepreneurship Crash Course Escape from Corporate [Case Study] Who wants

Entrepreneurship Crash Course Entrepreneurship Crash Course Escape from Corporate [Case Study] Who wants to become your own boss, set your own schedule, work from anywhere in the world, make a lot of money, love what you do, AND

1.06k views • 79 slides
Managing Glyphosate-Resistant Weeds in Glyphosate-Resistant Crops Dr. Bill McCloskey Extension

Managing Glyphosate-Resistant Weeds in Glyphosate-Resistant Crops Dr. Bill McCloskey Extension

Managing Glyphosate-Resistant Weeds in Glyphosate-Resistant Crops Dr. Bill McCloskey Extension Weed Specialist * RR Flex cotton * RR alfalfa * RR Corn * Tree crops lemons, pecans, pistachios, etc. * General farm weed control/sanitation

808 views • 50 slides
Challenges of Implementing Fair Defense Act Requirements &amp; Indigent Defense Grant

Challenges of Implementing Fair Defense Act Requirements &amp; Indigent Defense Grant

Challenges of Implementing Fair Defense Act Requirements &amp; Indigent Defense Grant Opportunities Effective Post-Arrest and Indigent Defense Practices Longview, TX August 10, 2018 Scott Ehlers, Special Counsel T exas Indigent Defense

676 views • 30 slides

More recommend