extracting a 19 year old code execution from winrar
play

Extracting a 19-Year-Old Code Execution From WinRAR Introduction | - PowerPoint PPT Presentation

Jan 02, 2023 •10 likes •1.13k views

Extracting a 19-Year-Old Code Execution From WinRAR Introduction | Who Am I? I am a vulnerability researcher @ Check Point Research Worked @ Akamai as a security researcher Worked @ IBM as a malware researcher Twituer: @

  1. ACE 101 | ACE?! • ACE is a data compression archive fjle format • Developed by Marcel Lemke in ~1998, bought by e-merge GmbH • Peak of its popularity 1999–2001, it had a betuer compression rates than RAR • Creatjon/compression of an ACE archive is protected by a patent • Extractjon/decompression of ACE archive is * not* protected by a patent • A shareware named WinAce by e-merge is used to compress ACE fjles • e-merge provided a freeware DLL for ACE decompression

  2. ACE 101 | ACE?!

  3. ACE 101 | ACE?!

  4. ACE 101 | Understanding the ACE fjle format • We found a pure python project named acefjle, its features are: 1. It can extracts ACE archives. 2. It has a helpful feature that prints the fjle format header

  5. ACE 101 | Understanding the ACE fjle format

  6. ACE 101 | Understanding the ACE fjle format

  7. ACE 101 | Understanding the ACE fjle format

  11. Is there a chance to fjnd a critical vulnerability?

  12. It’s a GOLD MINE !

  13. ake #2 | Improved WinRAR generic fuzzer Fuzzing T (CRC bypass) • Changed the corpus to ACE fjle only • We patched the CRC checks in unacv2.dll

  14. ake #2 | Results and Conclusions Fuzzing T (CRC bypass) • WinRAR loads and unloads unacev2.dll for each fuzzing iteratjon • WinAFL generates test cases that triggers other formats parsing code • This fuzzing approach is too slow, we need a difgerent approach!

  15. ake #3 | Creation of a custom harness Fuzzing T (Ace dedicated fuzzer) • RE how WinRAR uses unacev2.dll for ACE fjle extractjon and mimicked it • Quick RE founds that 2 exported functjons should be called in this order: 1. An initjalizatjon functjon named ACEInitDll: 2. An extractjon functjon named ACEExtract:

  16. Let’s Search For An Open Source!

  17. ake #3 | Searching for an open source Fuzzing T (Ace dedicated fuzzer) • Found a project named FarManager that uses unace.dll • FarManager includes a detailed header fjle for the unknown structs: • Loading the headers to IDA, ease the RE of how WInRAR uses the dll • We mimicked our harness in the same way

  18. ake #3 | What is this fjle?! Fuzzing T • Summarize

  19. For example, R:\ACE_FUZZER\output_folders\Slave_2\ Bug Analysis | Quick Bug Analysis • The harness extracts the archive to sub-directories under “output_folders” • Why do we have a new folder named sourbe in the parent folder? • Inside the sourbe folder we found a fjle named RED VERSION

  20. Bug Analysis | Quick Bug Analysis

  23. Our fjrst assumption was the fjrst character of the fjlename fjeld (the ‘\’ char) triggers the vulnerability Bug Analysis | Quick Bug Analysis Conclusions we arrived at these conclusions: 1. The fjrst char should be a ‘\’ 2. * should be included in the fjlename at least once

  24. Bug Analysis | Trying the exploit on WinRAR • YES! The sourbe folder was created in the root of drive C:\sourbe

  25. Bug Analysis | Trying the exploit on WinRAR • What about the fjle?! • It was not created!

  26. Bug Analysis | Why did the harness and WinRAR behave difgerently? Callbacks defjned in the harness difger from those defjned in WinRAR

  27. Bug Analysis | ACE callback functions • We mentjoned this signature when calling the exported functjon • Inner member of ACEInitDllStruc contains pointers to 4 callback functjons

  28. Bug Analysis | ACE callback functions • The callbacks are called by the unacev2.dll during the extractjon process. • The callbacks validate operatjon that about to happen • If the operatjon is allowed, the following constant returned to the dll: ACE_CALLBACK_RETURN_OK • if the operatjon is not allowed by the callback functjon, it returns: • ACE_CALLBACK_RETURN_CANCEL • If the operatjon is not allowed by the callback it will be aborted.

  29. Bug Analysis | ACE callback functions • WinRAR does validatjon for the extracted fjlename • In case of abort code the fjle will be deleted (already empty) by the dll

  31. Bug Analysis | WinRAR’s Callback / Validation Functions 1. The fjrst char does not equal “\” or “/”. 2. The fjle name doesn’t start with “Path Traversal” sequences like: a. “..\” b. “../” 3. The following “Path Traversal” sequences don’t exist in the string: c. “\..\” d. “\../” e. “/../” f. “/..\”

  32. Bug Analysis | WinRAR’s Callback / Validation Functions • The following string passes to the WinRAR callback’s validator: “\sourbe\RED VERSION_¶” • Because it start with “\” The return code is: ACE_CALLBACK_RETURN_CANCEL • The fjle write operatjon is aborted and a call to a DeleteFile() is made

  33. Bug Analysis | Why is * vital for the Path Traversal? • There is a check in unacev2.dll code that aborts the extractjon operatjon if: • relatjve path string starts with “ \ ” • This checks is triggered before the CreateFile() • However our fjlename starts with “\” “\sourbe\RED VERSION * ¶” • By adding “*” or “ ? ” characters this check is skipped !

  34. Bug Analysis | Recap • We found a Path Traversal vulnerability in unacev2.dll . • Two constraints lead to the Path Traversal vulnerability 1. The fjrst char should be ‘\’ 2. ‘*’ should be included in the fjlename at least once • WinRAR is partjally vulnerable to this Path Traversal bug

  35. Let’s Find The Root Cause!

  36. Bug Analysis | Understanding the root cause 1. We used DynamoRio to record the code coverage in unacev2.dll of: a. regular ACE fjle b. exploit fjle which triggered the bug drrun -t drcov -- harness.exe [regular ace archive path] drrun -t drcov -- harness.exe [exploit archive path] 2. We then used the lighthouse plugin for IDA • To subtracted the coverage of our exploit archive from regular ACE archive 3. we analyze the difgerence basic blocks and found the root cause

  37. Bug Analysis | Understanding the root cause

  39. • GetDevicePathLen checks if the device or drive name prefjx appears in the Path parameter, and returns the length of that string • For Example, the functjon returns: C:\some_folder\some_fjle.ext => 3 \some_folder\some_fjle.ext => 1 \\LOCALHOST\C$\some_folder\some_fjle.ext => 15 \\?\Harddisk0Volume1\some_folder\some_fjle.ext => 21 some_folder\some_fjle.ext => 0

  41. Bug Analysis | Understanding the root cause

  42. C:\some_folder\some_fjle.ext UnACE_GetDevicePathLen() Returns 3

  43. C:\some_folder\some_fjle.ext UnACE_GetDevicePathLen() Returns 3

  44. C:\some_folder\some_fjle.ext Unknown_Clean_Functjon() “some_folder\some_fjle.ext” UnACE_GetDevicePathLen() Returns 0

  45. Bug Analysis | Finding the Unknown Function • We searched in IDA strings window, references to “:” and “\” • We found several functjons that use these string • We put BP on all the suspected functjons and started a debug session • The Unknown functjon have been found afuer 5 minutes of debugging • Let’s call the unknown functjon CleanPath

  47. Bug Analysis | CleanPath() • The functjon omits all the path traversal sequences of ..\ • It omits these sequences only once from the beginning of Path: • C:\ - fjrst omits it and updates the new path • C: - omits it only if the next char is not \ • It just check of *:\ and *: (* means any char) 1. C:\try1.exe => try1.exe 2. C:try2.exe => try2.exe 3. C:\C:try3.exe => try3.exe 4. C:\C:\try4.exe => C:\try4.exe

  48. Bug Analysis | The Bug in CleanPath Function • It doesn’t omit ../ • It doesn’t check recursively the path afuer omittjng a sequence • Let’s check this sequence fjrst: C:\C:\some_folder\some_fjle.ext

  49. C:\C:\some_folder\some_fjle.ext UnACE_ CleanPath() CVE-2018-20250 C:\some_folder\some_fjle.ext UnACE_ GetDevicePathLen() returns 3 CreateFile() WinRAR_ CallBack() WriteFile()

  50. Exploitation process | Building an Exploit = RCE • We can extract the fjle to an arbitrary locatjon • Files in Startup Folder will be executed in boot tjme • There are 2 types of Startup Folder: • C:\ProgramData\Microsofu\Windows\Start Menu\Programs\StartUp • C:\Users \ <user name> \AppData\Roaming\Microsofu\Windows\Start Menu\ Programs\Startup • The fjrst demands high privileges / high integrity level

  51. Exploitation process | Building an Exploit • If UAC is disabled in the victjm machine we can use this path: • C:\ProgramData\Microsofu\Windows\Start Menu\Programs\StartUp • Otherwise, embed many fjles in the archive with guessed user names: • C:\Users \ John \AppData\Roaming\Microsofu\Windows\Start Menu\Programs\ Startup • C:\Users \ Robert \AppData\Roaming\Microsofu\Windows\Start Menu\ Programs\Startup • If UAC is disabled we have 100% success • If UAC is enabled the odds for success are low (guessing game)

  52. Exploitation process | Exploit Limitation WinRAR_callback() or/and CleanPath() omit these sequences: all the occurrence of these 3 sequences: 1. ..\ 3. /../ 2. \../ If path starts by these 6 sequences, they will be omitued only once: 8. C: 9. C:\ 10. C:\C: 7. / 5. ../ 6. \

  53. Exploitation process | Most Powerful Exploit • The sequence C: translated in Windows to the CWD of the process • WinRAR CWD’s is being set by the WinRAR’s shell extension • The shell extension set the CWD to the folder of the selected fjle/fjles

Recommend

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail Aizatulin 1 supervised by Andrew Gordon 23 , Jan J urjens 4 , Bashar Nuseibeh 1 1 The Open University 2 Microsoft Research Cambridge 3 University of

543 views • 29 slides
Flicker: Flicker: Minimal TCB Code Execution Minimal TCB Code Execution Jonathan M. McCune

Flicker: Flicker: Minimal TCB Code Execution Minimal TCB Code Execution Jonathan M. McCune

Flicker: Flicker: Minimal TCB Code Execution Minimal TCB Code Execution Jonathan M. McCune Carnegie Mellon University March 25, 2008 Bryan Parno, Arvind Seshadri Adrian Perrig, Michael Reiter 1 Password Reuse People often use 1

748 views • 49 slides
Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo

Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo

Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo Van Bulck 1 Marina Minkin 2 Ofir Weisse 3 Daniel Genkin 3 Baris Kasikci 3 Frank Piessens 1 Mark Silberstein 2 Thomas F. Wenisch 3 Yuval Yarom 4 Raoul

601 views • 56 slides
Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen

Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen

Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen University of Cambridge TEITP 2010 The GCD program in ARM machine code: E1510002 B0422001 C0411002 01AFFFFFB Problems with machine code Formal

660 views • 46 slides
Order Is A Lie Are you sure you know how your code runs ? Order in code is not respected by

Order Is A Lie Are you sure you know how your code runs ? Order in code is not respected by

Order Is A Lie Are you sure you know how your code runs ? Order in code is not respected by Compilers Processors ( out-of-order execution) SMP Cache Management Understanding execution order in a multithreaded context is out of reach

600 views • 48 slides
Dynamic Code Generation and Execution for Monte Carlo Simulations Vaivaswatha Nagaraj Steve

Dynamic Code Generation and Execution for Monte Carlo Simulations Vaivaswatha Nagaraj Steve

Dynamic Code Generation and Execution for Monte Carlo Simulations Vaivaswatha Nagaraj Steve Karmesin Talk ID: 23282 Outline Introduction Code Generation Compilation &amp; Execution Results Conclusion and Future Work

518 views • 30 slides
Network Black Ops: Extracting Unexpected Functionality from Existing Networks Dan Kaminsky

Network Black Ops: Extracting Unexpected Functionality from Existing Networks Dan Kaminsky

Network Black Ops: Extracting Unexpected Functionality from Existing Networks Dan Kaminsky DoxPara Research http://www.doxpara.com Introduction (Who am I?) Fifth Year Of Public Security Research Subjects: SSH, TCP/IP, DNS Code:

597 views • 57 slides
Network Black Ops: Extracting Unexpected Functionality from Existing Networks Dan Kaminsky

Network Black Ops: Extracting Unexpected Functionality from Existing Networks Dan Kaminsky

Network Black Ops: Extracting Unexpected Functionality from Existing Networks Dan Kaminsky DoxPara Research http://www.doxpara.com Introduction (Who am I?) Fifth Year Of Public Security Research Subjects: SSH, TCP/IP, DNS Code:

544 views • 53 slides
Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia

Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia

Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia DAntoine REcon 2015 The Cloud 06/19/2015 Exploiting Out-of-Order-Execution 2/46 Cloud Computing (IaaS) Virtual instances Hypervisors

491 views • 46 slides
Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar,

Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar,

Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar, File Systems: NTFS Analysis of Algorithms Piyush Kumar (Lecture e 5: Compression) on) Welcome to 4531 Source: Guy E. Blelloch, Emad, Tseng

297 views • 12 slides
System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario

System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario

System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario Werner May 7, 2020 Graz University of Technology Why do we care about code? www.tugraz.at 10:20 July 18 W i r e l e s s - G A D S L G

599 views • 49 slides
Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data Accelerometers Accelerometers Andr DIAS a,b,c , Lukas GORZELNIAK b , Angela DRING c , Gunnar HARTVIGSEN a,d , Alexander HORSCH b,d a Norwegian Centre for

582 views • 15 slides
Unifying Execution of Imperative and Declarative Code Aleksandar Milicevic Massachusetts

Unifying Execution of Imperative and Declarative Code Aleksandar Milicevic Massachusetts

Motivation Outline Framework Translation Data Abstractions Evaluation Discussion Summary Unifying Execution of Imperative and Declarative Code Aleksandar Milicevic Massachusetts Institute of Technology Cambridge, MA RQE Defense, MIT

1.48k views • 99 slides
1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting

1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting

1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting essential oils is using steam distillation. Solvents are often used in extracting oils that are waxy The most expensive method is using CO2 which does not

358 views • 16 slides
a classroom experiment for Year 7 upwards Dr Kathryn Scott Research Administrator, Zitzmann

a classroom experiment for Year 7 upwards Dr Kathryn Scott Research Administrator, Zitzmann

Extracting DNA from cheek cells: a classroom experiment for Year 7 upwards Dr Kathryn Scott Research Administrator, Zitzmann Group, Department of Biochemistry Lecturer in Biochemistry, Christ Church Extracting Human DNA in the Classroom

1.28k views • 39 slides
PaX (http://pageexec.virtualave.net) The Guaranteed End of Arbitrary Code Execution Who am I?

PaX (http://pageexec.virtualave.net) The Guaranteed End of Arbitrary Code Execution Who am I?

PaX (http://pageexec.virtualave.net) The Guaranteed End of Arbitrary Code Execution Who am I? Brad Spengler The only grsecurity developer NOT a PaX developer Computer Engineering major, Mathematics minor What is PaX? Quite

596 views • 37 slides
Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to

Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to

Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to automate PDF table extraction and export Dimiter Naydenov @dimitern 1 . 1 Overview Overview PDF: brief history, structure, representing tables Camelot

355 views • 13 slides
Learning Execution through Neural Code Fusion Zhan Shi, Kevin Swersky, Danny Tarlow, Paruhasarathy

Learning Execution through Neural Code Fusion Zhan Shi, Kevin Swersky, Danny Tarlow, Paruhasarathy

Learning Execution through Neural Code Fusion Zhan Shi, Kevin Swersky, Danny Tarlow, Paruhasarathy Ranganathan , Milad Hashemi Overview Proprietary + Confidential Motivation Background Neural Code Fusion Experimental Results

435 views • 42 slides
MASTERING STRATEGY EXECUTION 18 BEST PRACTICES FOR STRATEGY EXECUTION STRATEGY EXECUTION AS

MASTERING STRATEGY EXECUTION 18 BEST PRACTICES FOR STRATEGY EXECUTION STRATEGY EXECUTION AS

MASTERING STRATEGY EXECUTION 18 BEST PRACTICES FOR STRATEGY EXECUTION STRATEGY EXECUTION AS COMPETITIVE ADVANTAGE STRATEGY EXECUTION IS CRUCIAL FOR EVERY ORGANIZATION o Successful execution of strong and robust strategies gives any organization

641 views • 32 slides
1 Consider the execution of the following block of SPIM code. The text segment starts at

1 Consider the execution of the following block of SPIM code. The text segment starts at

1 Consider the execution of the following block of SPIM code. The text segment starts at 0x00400000 and that the data segment starts at 0x10010000. .data start: .word 0x32, 44, Top, 0x33 str: .asciiz Top .align 8 end: .space 16

1.33k views • 81 slides
Reversing a Japanese Wireless SD Card From Zero to Code Execution Guillaume VALADON - @guedou ?

Reversing a Japanese Wireless SD Card From Zero to Code Execution Guillaume VALADON - @guedou ?

Reversing a Japanese Wireless SD Card From Zero to Code Execution Guillaume VALADON - @guedou ? 2015 2018 2 ? ? 3 Get the slides at https://goo.gl/oijvdN 4 Toshiba FlashAir 5 See

1.5k views • 101 slides
Unifying Execution of Imperative and Declarative Code Aleksandar Derek Kuat Daniel Milicevic

Unifying Execution of Imperative and Declarative Code Aleksandar Derek Kuat Daniel Milicevic

Unifying Execution of Imperative and Declarative Code Aleksandar Derek Kuat Daniel Milicevic Rayside Yessenov Jackson Massachusetts Institute of Technology Cambridge, MA 33 rd International Conference on Software Engineering May 27, 2011

1.27k views • 113 slides
An SSA-based Algorithm for Optimal Speculative Code Motion under an Execution Profile Hucheng

An SSA-based Algorithm for Optimal Speculative Code Motion under an Execution Profile Hucheng

An SSA-based Algorithm for Optimal Speculative Code Motion under an Execution Profile Hucheng Zhou Tsinghua University June 2011 Joint work with: Wenguang Chen (Tsinghua University), Fred Chow (ICube Technology Corp.) Contents Basic Concepts

670 views • 36 slides
Improved Static Analysis to Generate More Effjcient Code for Execution of Loop Nests in GPUs J.

Improved Static Analysis to Generate More Effjcient Code for Execution of Loop Nests in GPUs J.

Improved Static Analysis to Generate More Effjcient Code for Execution of Loop Nests in GPUs J. Nelson Amaral Department of Computjng Science Nathan Michael Z Jacky Michael N. Braedy Sarah Rebecca Eldon Dylan Thomas Ben Hao Ben Hao

779 views • 75 slides

More recommend