
Exploiting Memory Corruption Vulnerabilities in the Java Runtime - PowerPoint PPT Presentation



  1. Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural DerbyCon October 2nd 2011

  2. About the Presenter • Joshua J. Drake, aka jduck – Employed with Accuvant LABS • Research – Vulnerabilities & Exploitation • Consulting – Binary/Source Audit, Reverse Engineering – Contributor • Formerly Lead Exploit Developer

  3. Overview • Background • Hurdles • Exploiting • Demos • Conclusion

  4. Motivation • …share information and techniques to make Java Runtime Environment (JRE) exploitation easier. – JRE architecture information – Various hurdles encountered during dev • i.e. CVE-2009-3867, CVE-2009-3869 – Provide tools for future work

  5. Background • Why Java? • Popular? • Maybe a ‘lil. More claims here: http://www.java.com/en/about/

  6. Background • Java is cross-platform!

  7. Background • Java SE 6 focus – Tested latest (6u27) – JRE 7 GA is released! • Buggy! – Slow adoption…

  8. Background - Security • 27 updates over about 5 years • Well over 100 CVEs • Targeted in 73% of exploit kits • 10 exploits in – 4 Windows specific – 1 meatware attack (java_signed_applet) – 3 involve memory corruption

  9. Background • What does the “JRE” include? (diagram of the JRE components) • http://java.sun.com/products/hotspot/whitepaper.html - Recommended Reading

  10. Background • Java has a plentiful attack surface! – Browser Plug-in • Automatically installed • Applets – 70% of Metasploit Java exploits use Applets • “LiveConnect” Java/Browser interface – Java Web Start & JNLP – More

  11. Background - Applets • Attackers use applets because… – Applet Java code and JAR contents are 100% attacker controlled – Tons of native library code is reachable • Images, Sounds, Compressors and more • Includes embedded copies of open source (zlib, etc) • Trusted (signed) applets: run with full user privileges, user is prompted • Untrusted (unsigned) applets: subject to the Java “sandbox”, no prompting

  12. Background - Technical • Java Virtual Machine (JVM) – Named “HotSpot” – Written in native code – Processes Java Bytecode – Might just-in-time compile – Executes or Interprets resulting code

  13. Background – Security • Process Architecture – Plug-in loads in Browser address space • Includes several libraries – Since Update 10 • Java.exe runs as an external process • Can Pass options to Java.exe via HTML – Still no DEP – Still no ASLR

  14. Background – Security • All JRE 6 releases ship same msvcr71.dll – v7.10.3052.4 • md5 86f1895ae8c5e8b17d99ece768a70732 • Loads in all components! – Browser itself – Java.exe for applets • Public ROP chains target this DLL
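A defender-side check for the DEP/ASLR opt-in status discussed on slides 13 and 14, added here as an example (it is not from the talk): it reads the DllCharacteristics field of a PE image's optional header, which is where an image declares DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP). Input paths are assumed to be given on the command line, for instance the JRE's msvcr71.dll and java.dll.

```java
import java.io.RandomAccessFile;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

// Added example (not from the slides): report whether a PE image opts in to ASLR and DEP.
public class PeMitigationCheck {
    static final int DYNAMIC_BASE = 0x0040;  // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    static final int NX_COMPAT    = 0x0100;  // IMAGE_DLLCHARACTERISTICS_NX_COMPAT

    // Returns the DllCharacteristics field of the optional header (PE32 or PE32+).
    static int dllCharacteristics(String path) throws Exception {
        try (RandomAccessFile f = new RandomAccessFile(path, "r")) {
            byte[] hdr = new byte[4096];                 // the headers of normal images fit here
            int n = Math.max(f.read(hdr), 0);
            ByteBuffer b = ByteBuffer.wrap(hdr, 0, n).order(ByteOrder.LITTLE_ENDIAN);
            if (n < 0x40 || b.getShort(0) != 0x5A4D)     // "MZ"
                throw new IllegalArgumentException(path + ": no MZ header");
            int peOff = b.getInt(0x3C);                  // e_lfanew
            if (peOff < 0 || peOff + 0x78 > n || b.getInt(peOff) != 0x4550)  // "PE\0\0"
                throw new IllegalArgumentException(path + ": no PE signature in first 4 KiB");
            int opt = peOff + 4 + 20;                    // optional header follows the 20-byte file header
            boolean pe32plus = b.getShort(opt) == 0x20b; // 0x10b = PE32, 0x20b = PE32+
            int off = opt + (pe32plus ? 0x5E : 0x46);    // DllCharacteristics offset in PE32+ / PE32
            return b.getShort(off) & 0xFFFF;
        }
    }

    public static void main(String[] args) throws Exception {
        for (String path : args) {                       // e.g. msvcr71.dll, java.dll, jp2launcher.exe
            int dc = dllCharacteristics(path);
            System.out.printf("%-40s ASLR(DYNAMIC_BASE)=%-5b DEP(NX_COMPAT)=%b%n", path,
                    (dc & DYNAMIC_BASE) != 0, (dc & NX_COMPAT) != 0);
        }
    }
}
```

The flags describe only what the image itself requests; a policy tool such as EMET (slide 40) can force ASLR and DEP on an image that does not set them.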

  15. Background - Technical • Two major kinds of heaps – Java Object heap (more in a sec) – Native heap (from msvcr71.dll) • msvcrt.dll implements malloc too, nothing imports it • Just a wrapper around HeapAlloc – OS-specific allocator security properties apply » ASLR Someone had fun! » Safe-unlinking » Meta-data validation » etc

  16. Background - Technical • Java Object heap – Garbage Collected – Allocated via VirtualAlloc – Was Read/Write/Execute until update 18 !! – Predictable address • Between 0x22000000 and 0x26000000 • Due to “Class Data Sharing” ??

  17. Hurdles Joshua J. Drake Inaugural DerbyCon October 2nd 2011

  18. Hurdles - I • Debugging JVM started from browser • Process terminates out from under you! – Surprise! • Why does this happen? (Diagram: continue after a while, single step exception?!, oh no! Process DIED!)

  19. Hurdles - Watchdog • Java Plugin Watchdog – Watches over external jp2launcher.exe process (Diagram: Java_java_lang_ProcessImpl_destroy, inside java.dll, calls TerminateProcess)

  20. Hurdles - Watchdog • Prevent the watchdog from interfering! 1. Patch up the “java.dll” binary – NOP out the TerminateProcess call – Or just change JNZ -> JMP 2. Use breakpoints, runtime patching, etc – Must be done each execution 

  21. Hurdles - Watchdog

  22. Hurdles – Random AVs • Spurious access violations while debugging • Not sure why… Let’s speculate. – Expected AV in JIT’d code? – Crap code wrapped in catch-all handler? – If you know or have another idea, speak up! • Just pass and pretend it’s not happening ;-P

  23. Hurdles - Encoding • Java uses UTF-8 for all strings – Invalid sequences replaced with ‘?’ • Check this out: (from @mihi42)

  24. Hurdles - Encoding • Compile and run it… • But it was all comments?! • Java pre-processes those UTF escapes!

  25. Hurdles - Encoding • Don’t use strings! Use arrays – Their values are represented in memory contiguously • Better, but there’s still an issue…

  26. Hurdles – Integers • In Java, all integers are signed! • Use next larger type – For 0xff byte, use short integer – For 0xffff short, use long integer – etc
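An added example (not from the slides, and not the @mihi42 snippet, which this page does not reproduce) covering the three hurdles above: the compiler translates \u escapes before it even sees comments, a String cannot carry arbitrary byte values through UTF-8 conversion while a byte[] can, and Java's integer types are all signed.

```java
import java.nio.charset.StandardCharsets;

// Added example (not from the slides): why raw bytes do not survive in a Java String.
public class EncodingHurdles {
    public static void main(String[] args) {
        // 1. Unicode escapes are translated before lexing (JLS 3.3), even inside comments.
        //    The escape below ends this comment line, so the "commented" statement compiles and runs:
        // \u000a System.out.println("this statement was inside a comment");

        // 2. A String is UTF-16; encoding it as UTF-8 re-encodes every char above 0x7f
        //    into a multi-byte sequence, so the bytes ff fe never reach native code as ff fe.
        String s = "\u00ff\u00fe";
        System.out.println(hex(s.getBytes(StandardCharsets.UTF_8)));

        // 3. An unpaired surrogate cannot be encoded at all: the encoder substitutes '?'.
        System.out.println(hex("\ud800".getBytes(StandardCharsets.UTF_8)));

        // 4. Decoding malformed UTF-8 substitutes U+FFFD for each bad byte, so the round trip is lossy.
        String back = new String(new byte[]{(byte) 0xff, (byte) 0xfe}, StandardCharsets.UTF_8);
        System.out.println(back.equals("\ufffd\ufffd"));

        // 5. A byte[] holds the values verbatim and contiguously in memory: use arrays.
        byte[] raw = {(byte) 0xff, (byte) 0xfe};
        System.out.println(hex(raw));

        // 6. All Java integers are signed, so (byte) 0xff reads back as -1;
        //    keep such values in the next larger type, masking when you read them.
        byte b = (byte) 0xff;
        short widened = (short) (b & 0xff);
        System.out.println(b + " " + widened);
    }

    // Hex dump helper: one "xx" per byte, space separated.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte x : bytes) sb.append(String.format("%02x ", x & 0xff));
        return sb.toString().trim();
    }
}
```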

  27. Hurdles - Reachability • Code that seems unreachable at first – Was the case in CVE-2009-3869 • You can reach more by using Java tricks – Sub-classing – Reflection – Abusing complex interfaces • i.e. A class that takes an instance as a parameter

  28. Exploiting (yay) Joshua J. Drake Inaugural DerbyCon October 2nd 2011

  29. Exploiting: Setup • Used a custom JNI (vuln_jni.dll) for testing – Covers several common exploit primitives

  30. Exploiting: Arbitrary Call • Fun and simple.. – Just need somewhere to jump! – Good thing JRE 6 doesn’t support ASLR! • Public ROPs work great – Nor does it support DEP! • Let’s jump into a DLL .data section!

  31. Vuln.sprintf • Here’s the code: • Two issues in this function – CWE-121: Stack Buffer Overflow – CWE-134: Uncontrolled Format String

  32. Exploiting: Format String • One of my personal favorites • Java’s C runtime has “%n” disabled – (Un)fortunately? • May still be useful – Leak memory contents – Cause buffer overflows (%1024xAAAABBBB)

  33. Exploiting: Stack BOF • Pet peeve: NOT A STACK OVERFLOW • Traditional methods can be tricky due to UTF-8 issues – Just pad with stuff and control EIP – Some characters still aren’t usable • CVE-2009-3867 / CVE-2009-3869

  34. Exploiting: Write4 • Surgical! – Need to target something used for control flow • Must know its address (within margin of error) • A plethora of stuff to surgically overwrite – Again, lack of ASLR / DEP FTW

  35. Exploiting: Heap BOF • Heap Buffer Overflow – Depends on what you corrupt! • Unlikely to overflow Java Object Heap data – An interesting area to research =) • Native heap protections make for pain and suffering.

  36. Exploiting: CVE-2009-3867 • getSoundbank file:// URI Stack BOF – Affects JRE <= 6u16, 5u21, 1.4.2_24, 1.3.1_26 • KF’s PoC showed cross-platform PC control • version – Passes “np” & “sc” applet PARAMs • Nops and Shellcode – allows cross-platform targeting – Sprays the Java Object Heap – Overwrites saved PC (no SEH) – Jumps to Java Object Heap (was still RWX)

  37. Exploiting: CVE-2009-3869 • setDiffICM Stack BOF – Similar to previous (exec’s Java Object Heap) • Native Method: Java_sun_awt_image_ImageRepresentation_setDiffICM – Called from ImageRepresentation.setPixels • sun.awt.* can’t be used in an Applet! – java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.awt.image) • Using a custom ImageFilter we can!

  38. Demos! Joshua J. Drake Inaugural DerbyCon October 2nd 2011

  39. Conclusions • Exploiting JRE 6 can be painful, but… • It’s easier than it should be. – Well behind the mitigation curve • No ASLR or DEP • Predictable memory layout – Vast attack surface – Buggy • Check out the examples!

  40. Recommendations • Good: – Use EMET to force ASLR and DEP – Prepare for migration to JRE 7 – Use 64-bit browser / plug-in • Better: – Disable browser plug-ins and JNLP/Web Start • Chrome neuters Java by default • BEST: UNINSTALL JRE !! – LULZ: http://harmful.cat-v.org/software/java

  41. Future Directions • Mapping Java code constructs to Native-land – How does scope translate? • Investigate JIT Spraying – Code region is RWX! • More work with JRE 7 – Does the new ASLR/DEP opt-in really help?

  42. ANY QUESTIONS? Feel free to contact me… • @jduck1337 • IRC: jduck • Email: jdrake [circled-a] Accuvant.com • Email: jduck [circled-a] metasploit.com

  43. References Slide 3 http://kelseywinterkorn.com/ Slide 7 http://weblogs.java.net/blog/chet/archive/2007/05/consumer_jre_le.html http://adtmag.com/articles/2011/08/01/java-7-crashing.aspx Slide 8 http://www.isecpartners.com/storage/docs/presentations/EIP-final.pdf Slide 9 http://java.sun.com/products/hotspot/whitepaper.html Slide 10 https://twitter.com/#!/ifindkarma/status/115962954301714432 Slide 12 http://download.oracle.com/docs/cd/E19455-01/806-3461/ch1intro-3/index.html Slide 13 http://www.oracle.com/technetwork/java/javase/system-configurations-135212.html Slide 16 http://www.blackhat.com/presentations/bh-usa-08/Sotirov_Dowd/bh08-sotirov-dowd.pdf http://download.oracle.com/javase/6/docs/technotes/guides/vm/class-data-sharing.html Slide ? http://www.oracle.com/technetwork/java/javase/index-135519.html http://www.oracle.com/technetwork/java/javase/jre-install-137694.html http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html
