Date: 2021-02-14
Weapons of Targeted Attack
Modern Document Exploit Techniques

Ming-chieh Pan
Sung-ting Tsai

Black Hat USA 2011

Abstract

Using a document exploit is the most common and effective way to carry out a targeted attack. Due to the political issue, we have had opportunities to observe APT (advanced persistent threat) attacks in Taiwan since 2004. Therefore we have studied and researched malicious documents for a long period of time. Recently, we found APT attacks (e.g. RSA) used the same technique as we disclosed last year, e.g. embedding a flash exploit in an excel document.

In order to protect users against malicious documents and targeted attacks, we would like to discuss the past, present, and future of document exploits from a technical perspective, and predict possible techniques that could be used in a malicious document in the future by demonstrating "proof of concept" exploits. The presentation will cover four major types of document attacks:

- Advanced fuzzing techniques.
- Techniques against exploit mitigation technologies (DEP/ASLR).
- Techniques to bypass sandbox and policy control.
- Techniques to defeat behavior based protection, such as host IPS.

Contents

Abstract
1. Introduction
1.1. Background
1.2. Targeted Attack and Document Exploit
1.3. Cat and Mouse Game
1.4. Contents of the Paper
2. Recent Document Exploit Attacks
2.1. Hybrid Document Exploit
2.2. Incomplete Protection
2.3. Advanced Memory Attack Techniques
2.4. Vendor Responses
2.5. Our Finding in Real Attacks
3. Future Document Exploit Attacks
3.1. Advanced Fuzzing Techniques
3.2. Techniques to Against Exploit Mitigation Technologies
3.3. Techniques to Bypass Sandbox / Policy / Access control
3.4. Techniques to defeat behavior based protection and automatic analyzing sandbox
4. Conclusion
Reference

1. Introduction

1.1. Background

APT (Advanced Persistent Threat) has become very popular in 2011. Actually we have already known this kind of attack since 2004. Due to the political issue, government units and large enterprises in Taiwan have been targeted for many years. They have kept receiving purpose-made e-mails and malware (exploits), and it has never stopped. Thus we have had chances to observe the attack trend, and we have also spent a lot of time on document exploit research.

Nowadays, not only in Taiwan, this kind of silent threat is attacking the whole world, e.g. the Google Aurora attack and the recent RSA attack. Unlike normal cyber-criminals, they are hacking for the information, not for profit. And unfortunately, most security software couldn't protect effectively.

We are going to discuss document exploits from a technical perspective, and introduce attack techniques that might be used in the future. We wish application and security vendors could be aware of the attack and have new approaches to protect people.

1.2. Targeted Attack and Document Exploit

An attacker sends an e-mail with specific content and a document exploit (which antivirus couldn't detect) to his targets. After the document is opened, the attacker could take control of the victim's system. It is the most common way and it is not easy to be aware of. The malicious document usually includes a malicious web page (attacking browsers), an office document, PDF, and Flash.

The document exploit is actually the weapon of the targeted attack.

1.3. Cat and Mouse Game

Exploit attack and defense is like a cat and mouse game. Vendors keep patching applications and inventing new technologies to prevent attacks; however, attackers can always find ways to defeat those protections. So if we could be ahead of attackers by guessing their next tricks, we might have better protections for people.

1.4. Contents of the Paper

In this paper we will discuss document exploits from a technical perspective. Recent document exploit techniques will be introduced in chapter 2. Chapter 3 will cover four major types of new document attacks, including our latest findings:

- Advanced fuzzing techniques: our flash AVM fuzzing technique will be introduced.
- Techniques against exploit mitigation technologies: our new JIT spraying techniques will be introduced.
- Techniques to bypass sandbox and policy control: a flash vulnerability will be introduced as an example.
- Techniques to defeat behavior based protection: new approaches to write a document exploit. This will give security vendors a headache.

2. Recent Document Exploit Attacks

2.1. Hybrid Document Exploit

If you have installed all Microsoft Office patches, and there is no 0-day vulnerability and exploit, will it be 100% safe to open a Word or Excel document? The answer is no.

Modern document applications are very complicated. Most of them can embed document objects of other applications. For example, Excel can embed an Adobe Flash object. In this case, even if your Excel is up to date, it is still not 100% safe when you open an Excel document which includes a flash object and your flash application is vulnerable.

Most people know a browser could include a lot of document objects, such as PDF, flash, and other multimedia files. So they are cautious when they open a web page. However, when they open a document in an e-mail, they would not be aware of the danger.

This kind of attack is very popular recently. A flash vulnerability could be repacked as a malicious web page, a PDF exploit, or even an office document exploit.

2.2. Incomplete Protection

Application vendors delivered new technologies to make their applications safer. Especially the exploit mitigation techniques, e.g. DEP and ASLR, could do a really good job of preventing execution of exploits. However, it is very difficult to do protections completely. Because applications are very complicated, as is the environment of the operating system, it is not possible to update every component and every tool to adopt the protection technologies. And you cannot expect to ask all users to install updates or manually enable protections.

For example, even if you have adopted DEP and ASLR, there are always some researchers who could find some modules that are not protected by ASLR, and they could use the module to do ROP (return-oriented programming) and make effective exploits.

2.3. Advanced Memory Attack Techniques

Researchers are also finding new approaches to bypass DEP and ASLR. Flash JIT spraying techniques were introduced at BHDC 2010. Flash JIT could bypass DEP, and the spraying technique could defeat ASLR. This technique could exploit the newest Office 2010 and Internet Explorer.

2.4. Vendor Responses

Vendors have been working hard to patch vulnerabilities and adopt new protections in applications. Flash has started to encode/encrypt the AVM code area since version 10.1, and the memory area has become non-executable. It also has better ASLR to arrange its memory sections. These new techniques effectively mitigate JIT spraying exploits.

And Microsoft released Enhanced Mitigation Experience Toolkit 2.0 at BlueHat v10. The EMET tool could provide a lot of memory protections for applications. It could effectively defeat most exploits that use ROP techniques.

2.5. Our Finding in Real Attacks

Recently we found that exploits are using the same trick as we disclosed in Syscan 10'. Do you know why attackers don't include a flash exploit in a web page or PDF file, and only use Excel to spread malicious e-mails? The reason is that Excel will turn off DEP when a flash object is embedded. It is much easier for attackers to write exploits.

3. Future Document Exploit Attacks

3.1. Advanced Fuzzing Techniques

File format fuzzing is the most common way to discover a vulnerability in a document application. We believe most document vulnerability discoverers (including vendors) keep improving their fuzzing tools. We are going to introduce our Flash AVM fuzzing techniques.

Focus on AVM instructions.

Take CVE-2010-1297 as an example. The traditional one-byte fuzzing technique modifies each byte of the sample file with 256 values. We found we can focus on the AVM (ActionScript) part, the method_body of the code area. And we also found there are only around 170 AVM instructions. So our fuzzing tool only needs to try the AVM part with 170 values. It reduces the testing range and saves a lot of time, and we could still find similar vulnerabilities.

We used the approach to fuzz CVE-2010-1297, and we also discovered APSB11-12 before it was disclosed (by inserting a Setlocal_1 (0xd5) in the code area).

Furthermore, we accidentally found during the automatic fuzzing process that the JIT spraying technique could still work.

3.2. Techniques to Against Exploit Mitigation Technologies

Many researchers are looking for new techniques to bypass DEP and ASLR. We are the same. In this chapter we are going to explain how we bring JIT spraying back, and our JIT spraying improvements.

The magic B4 (IN) instruction:

The original JIT spraying uses '359090903C' to fill up the code area. With our fuzzing technique, we found that if we replace the first XOR (AA) with IN (B4), the AVM code area will not be encoded in memory, and the memory section will become executable (like before).

The old trick (the XOR trick) could be used again. However, the improved ASLR reduced the success rate. We need some other techniques.

Continuity of sprayed area:

The original trick used a loop to load the spraying file a lot of times to do JIT spraying. However, this approach has bad continuity in new versions of Flash. In order to have better continuity, instead of reloading another swf file, we make a lot of method_body entries in one swf file directly. This approach has a much better result. In our testing, we have around 10000 method_body entries in the sample file and each method_body (function) includes 2048 XOR instructions.

Yes, this technique produces a huge file (58.7 MB). Zlib could help us to solve the problem. After compression, the sample file size is 268 kbytes.

The following picture shows the content of the swf file:

Use OR:

Instead of the XOR instruction, we found a better solution. We use OR (A9) instead of XOR (AA) to spray the memory. Instead of '359090903C', the content in memory will be '0D0D0D0D0C'.

This technique makes it easier to jump into our sprayed area when the vulnerability is triggered. We use MS11-050 as the example:

While the vulnerability is being triggered, you can see the EDX value is important. The value of EDX would be the value of [EAX+70]. In this case, it is actually [0x0c0c0c0c+70]. If we still use the XOR trick, the value of EDX would be one of the DWORD values of the '359090903C' sprayed area. If we use the OR instruction, it would be easier to spray the possible destination addresses (the value of EDX).

It works everywhere.

Our approach can defeat DEP and ASLR effectively, even when all EMET functions are enabled.

Protection                                      New JIT Spraying with Flash Player 10.3.181.34 (Released 6/28/2011)
Office 2000 ~ Office 2010 (DEP AlwaysOn, ASLR)  works
Internet Explorer (DEP AlwaysOn, ASLR)          works
Adobe PDF (DEP AlwaysOn, ASLR)                  works
EMET v2.1 (Enabled all functions)               works

When EMET is adopted, the sprayed memory layout would be like:

We can see that EMET would skip the sensitive address range, e.g. 0x0c0c0c0c or 0x0d0d0d0d. However, if the vulnerability is a traditional stack overflow, like CVE-2010-3333, we can still control EIP, so we can fill 0x0c0d0c0d to enter the sprayed area.

There is one thing we would like to mention: when you are writing shellcode, you need some effort to bypass EAF protection. You need to look for functions in DLLs to access the Export Address Table. (ref: http://skypher.com/index.php/2010/11/17/bypassing-eaf/)

3.3. Techniques to Bypass Sandbox / Policy / Access control

Besides memory exploitation, attacks on the design of security policy and resource access control will be another topic for document exploit researchers.

In order to provide a secure execution environment for clients and users, vendors are starting to adopt sandbox technologies in their applications. The sandbox usually has complicated policy and permission control to isolate access to each resource. There might be some logic design flaws in applications.

Flash Sandbox Problem

We take a policy design flaw that we found in Flash as the example. There are 4 types of properties in Flash Security.SandboxType: Security.REMOTE, Security.LOCAL_WITH_FILE, Security.LOCAL_WITH_NETWORK, and Security.LOCAL_TRUSTED. The basic idea is that if you can access the network, you can't access local resources, and vice versa.

The flaw is in its 'url protocol' design. We embed a Flash object in an Office document. This flash object is allowed to access local files, and not allowed to access the internet. However there is a problem when handling the 'mms' protocol. When the flash object opens an mms link, IE will be launched, and then media player will also be launched (by IE). The media player will connect to the link.

Using this flaw, we could retrieve user information, and use the mms protocol to send information to the internet. For example, we might steal the user's cookie, the user's saved password, etc. And we could use this technique to probe the user environment.

It is not allowed to directly identify whether a file exists or not. However, we may use 'addEventListener' to monitor the IOErrorEvent.IO_ERROR event, which occurs if the file doesn't exist. And Event.COMPLETE could help us to know the file loading action has been completed.

There is still a problem: we need to know where the user's home path is, for example for the user's cookie or saved password. Actually there are many log files that show this information. In our approach, we use setupapi.app.log. (Windows 7: 'C:\Windows\inf\setupapi.app.log', Windows XP: 'C:\WINDOWS\setupapi.log')

    var uname = "mms://x.x.x.x:1755/" + secret.contents + ".asx";
    var req = new URLRequest(uname);
    navigateToURL(req, "_blank");

In case of IE6 or IE7, as you can see, the code launches IE and media player automatically. The information would be transferred out.

However, there will be a pop-up warning message before opening media player when you are using IE8 and IE9. For this situation, we may use some tricks to interact with users, for example we can create some animation with links. I think most users would still click 'Yes' to allow the connection.
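
A triage check for the document tricks described in sections 2.1, 3.2 and 3.3, added here as a defensive example (it is not code from the paper). It scans raw document bytes for embedded SWF headers and flags a zlib-packed SWF with an extreme compression ratio and any mms:// link inside it. The threshold, the size cap and the sample bytes are assumptions, and the scan assumes the SWF is stored contiguously (otherwise pass it the extracted stream).

```python
import re
import struct
import zlib

MAX_OUT = 256 * 1024 * 1024  # cap inflated size so the scanner cannot be zip-bombed
RATIO_LIMIT = 100            # assumed threshold; tune it on your own document corpus
MMS_URL = re.compile(rb"mms://[\x21-\x7e]{1,200}")

def scan_for_swf(blob):
    """Return one finding per plausible SWF header (FWS/CWS) in raw document bytes."""
    findings = []
    for match in re.finditer(rb"[FC]WS", blob):
        pos = match.start()
        if len(blob) < pos + 8:
            continue
        compressed = match.group() == b"CWS"
        version = blob[pos + 3]
        declared = struct.unpack_from("<I", blob, pos + 4)[0]  # uncompressed length
        if not 1 <= version <= 50 or declared <= 8:
            continue  # implausible header fields: a chance match, not a SWF
        rest = blob[pos + 8:]
        if compressed:  # CWS: a zlib stream follows the 8-byte header
            inflater = zlib.decompressobj()
            try:
                body = inflater.decompress(rest, MAX_OUT)
            except zlib.error:
                continue
            packed = len(rest) - len(inflater.unused_data) - len(inflater.unconsumed_tail)
        else:           # FWS: stored uncompressed
            body = rest[:declared - 8]
            packed = len(body)
        ratio = len(body) / max(packed, 1)
        flags = []
        if ratio >= RATIO_LIMIT:
            flags.append("high_compression_ratio")  # e.g. 58.7 MB packed into 268 KB
        urls = [u.decode("ascii") for u in MMS_URL.findall(body)]
        if urls:
            flags.append("mms_url")  # link that would be handed to IE / media player
        findings.append({"offset": pos, "compressed": compressed,
                         "ratio": round(ratio), "urls": urls, "flags": flags})
    return findings

def constructed_sample():
    """Constructed bytes: filler, a padded CWS holding an mms link, then a small FWS."""
    body = b"\x00" * 200000 + b"mms://192.0.2.10:1755/probe.asx\x00"
    cws = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    plain = b"\x01\x02\x03\x04" * 16
    fws = b"FWS" + bytes([9]) + struct.pack("<I", 8 + len(plain)) + plain
    return b"\xd0\xcf\x11\xe0" + b"\xff" * 64 + cws + b"\xff" * 16 + fws

if __name__ == "__main__":
    for finding in scan_for_swf(constructed_sample()):
        print(finding)
```
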

3.4. Techniques to defeat behavior based protection and automatic analyzing sandbox

Once an exploit is launched, traditional signature based malware protection is useless, because the exploit or malware is usually 'customized'. Users can only rely on behavior based protection. For example, the HIPS could block your connection to the Internet, block file dropping to system folders, and block access to sensitive registries. Therefore defeating HIPS will become the exploit writer's next major task.

Inline Hook Bypassing

Many HIPS use inline hooks to intercept APIs and monitor behaviors. Most of them are using the Microsoft Detour library or a Detour-like approach.

To bypass this kind of API hooking, we may just skip a few beginning bytes.

WMI and COM Objects

The HIPS usually hooks to observe malicious behaviors (no matter whether in ring0 or ring3). Once it detects a suspicious behavior, it checks 'who' is doing this by identifying the process. If the process is not in its legitimate (white) process list, it could block the action.

Try to imagine: if a legitimate process could do things for us, the HIPS would become useless. Do injection to those system (legitimate) processes? No, the injection could be blocked.

We noticed that Microsoft has already provided complete solutions: WMI and many useful COM objects. By leveraging these technologies, a system process could do everything for us, including connecting to the Internet, accessing files/registries, and even installing an MSI file.

Besides defeating HIPS, the approach could also defeat automated analyzing sandbox systems. The malware 'process' actually does nothing directly. The sandbox could record nothing if the sandbox only tracks the malware process.

WMI/COM Shellcode

Writing shellcode to use WMI, we need to include some functions in ole32.dll: CoUninitialize(), CoInitializeSecurity(), CoInitializeEx(), CoCreateInstance(), CoSetProxyBlanket().

Get instance via CLSID_WbemLocato(), and connect ROOT\\CIMV2. GetObject can get 'Win32_Process', and GetMethod can have 'Create'. Then use ExecMethod to launch notepad.exe.
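
The sandbox blind spot described above, turned into a detection sketch over process-creation telemetry (an added example, not part of the paper). A process started through Win32_Process Create runs as a child of the WMI provider host, WmiPrvSE.exe, so it never appears in the process tree of the document application. The record layout, the application list, the time window and the events are constructed assumptions, and PID reuse is ignored.

```python
from datetime import datetime, timedelta
from ntpath import basename

DOC_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "acrord32.exe", "iexplore.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed process-creation records in time order: (time, pid, parent pid, image)
EVENTS = [
    ("2011-08-03T08:00:00", 700, 500, r"C:\Windows\System32\svchost.exe"),
    ("2011-08-03T09:00:00", 3100, 1800, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"),
    ("2011-08-03T09:00:02", 3200, 700, r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ("2011-08-03T09:00:03", 3300, 3200, r"C:\Windows\System32\notepad.exe"),
    ("2011-08-03T10:30:00", 3400, 3200, r"C:\Windows\System32\cscript.exe"),
]

def name(path):
    return basename(path).lower()

def tree_of(events, root_pid):
    """PIDs visible to a sandbox that only follows the descendants of root_pid."""
    seen = {root_pid}
    for _, pid, ppid, _ in events:
        if ppid in seen:
            seen.add(pid)
    return seen

def wmi_children_near_documents(events):
    """Processes created by WmiPrvSE.exe shortly after a document application started."""
    image_of = {pid: name(image) for _, pid, _, image in events}
    hits = []
    for when, pid, ppid, image in events:
        if image_of.get(ppid) != "wmiprvse.exe":
            continue  # not created through the WMI provider host
        for doc_when, doc_pid, _, doc_image in events:
            if name(doc_image) not in DOC_APPS:
                continue
            gap = datetime.fromisoformat(when) - datetime.fromisoformat(doc_when)
            # Report only what process-tree tracking of the document app would miss.
            if timedelta(0) <= gap <= WINDOW and pid not in tree_of(events, doc_pid):
                hits.append((name(doc_image), doc_pid, name(image), pid))
    return hits

if __name__ == "__main__":
    print("tree under EXCEL.EXE:", sorted(tree_of(EVENTS, 3100)))
    print("WMI-created near a document app:", wmi_children_near_documents(EVENTS))
```
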

4. Conclusion

We have discussed complete solutions to make a weapon of targeted attack with many new techniques:

- How to find vulnerabilities: AVM fuzzing technique.
- How to defeat exploit mitigation technologies: new JIT spraying.
- How to make an exploit without memory hard work: attack policy flaw.
- How to defeat desktop protection and analyzing system: WMI and COM.

[Figure: Malware, COM (NET, REG, FILE, Process)]

We believe attackers are working hard on these topics. We wish security vendors could address these problems and come out with solutions ahead of attackers.

[Figure: Future APT attack. Probe victim's environment and collect information (embed swf in office). Use New JIT techniques with browser, PDF, Office vulnerabilities. Use COM technique to bypass HIPS.]

Reference

- Office is Still Yummy, Ming-chieh Pan and Sung-ting Tsai, 2010. http://exploitspace.blogspot.com/2011/06/our-presentation-in-syscan-10-singapore.html
- as3compile.exe http://www.swftools.org/
- Adobe Virtual Machine 2 (AVM2) http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf
- INTERPRETER EXPLOITATION: POINTER INFERENCE AND JIT SPRAYING http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf
- Writing JIT-Spray Shellcode for fun and profit http://dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf
- Enhanced Mitigation Experience Toolkit v2.1 http://www.microsoft.com/download/en/details.aspx?id=1677
- swfretool https://github.com/sporst/SWFREtools
- MS11-050 IE mshtml!CObjectElement Use After Free http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html
- Win32_Process Class http://msdn.microsoft.com/en-us/library/aa394372(v=VS.85).aspx
- Bypassing Export address table Address Filter (EAF) http://skypher.com/index.php/2010/11/17/bypassing-eaf/
- Heap Feng Shui in JavaScript https://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf
