objectflash

flashfxp  时间:2021-02-14  阅读:()
WeaponsofTargetedAttackModernDocumentExploitTechniquesMing-chiehPanSung-tingTsaiBlackHatUSA2011AbstractThemostcommonandeffectivewayisusingdocumentexploitinthetargetedattack.
Duetothepoliticalissue,wehavehadopportunitiestoobserveAPT(advancedpersistentthreat)attacksinTaiwansince2004.
Thereforewehavestudiedandresearchedmaliciousdocumentforalongperiodoftime.
Recently,wefoundAPTattacks(e.
g.
RSA)usedthesametechniqueaswedisclosedlastyear,e.
g.
embeddingflashexploitinanexceldocument.
Inordertoprotectusersagainstmaliciousdocumentandtargetedattacks,wewouldliketodiscussthepast,present,andfutureofdocumentexploitfromtechnicalperspective,andpredictpossibletechniquescouldbeusedinamaliciousdocumentinthefuturebydemonstrating"proofofconcept"exploits.
Thepresentationwillcoverfourmajortypesofdocumentattacks:Advancedfuzzingtechniques.
Techniquestoagainstexploitmitigationtechnologies(DEP/ASLR).
Techniquestobypasssandboxandpolicycontrol.
Techniquestodefeatbehaviorbasedprotection,suchashostIPS.
ContentsAbstract.
11.
Introduction.
31.
1.
Background.
31.
2.
TargetedAttackandDocumentExploit.
31.
3.
CatandMouseGame.
31.
4.
ContentsofthePaper32.
RecentDocumentExploitAttacks42.
1.
HybridDocumentExploit42.
2.
IncompleteProtection52.
3.
AdvancedMemoryAttackTechniques52.
4.
VendorResponses.
52.
5.
OurFindinginRealAttacks53.
FutureDocumentExploitAttacks.
63.
1.
AdvancedFuzzingTechniques63.
2.
TechniquestoAgainstExploitMitigationTechnologies63.
3.
TechniquestoBypassSandbox/Policy/Accesscontrol.
103.
4.
Techniquestodefeatbehaviorbasedprotectionandautomaticanalyzingsandbox.
.
.
134.
Conclusion15Reference.
171.
Introduction1.
1.
BackgroundAPT(AdvancedPersistentThreat)hasbecomeverypopularin2011.
Actuallywehavealreadyknownthiskindofattacksince2004.
Duetothepoliticalissue,GovernmentunitsandlargeenterprisesinTaiwanhasbeentargetedformanyyears.
Theyhavekeptreceivingpurpose-madee-mailsandmalwares(exploits),neverstopped.
Thuswehavechancestoobservetheattacktrendandwealsospentalotoftimeondocumentexploitresearch.
Nowadays,notonlyinTaiwan,thiskindofsilentthreatareattackingwholeworld,e.
g.
GoogleAuroraattackandrecentRSAattack.
Unlikenormalcyber-criminals,theyarehackingfortheinformation,notforprofit.
Andunfortunately,mostofsecuritysoftwarecouldn'tprotecteffectively.
Wearegoingtodiscussdocumentexploitfromtechnicalperspective,introduceattacktechniquesthatmightbeusedinfuture.
Wewishapplicationandsecurityvendorscouldbeawareoftheattackandhavenewapproachestoprotectpeople.
1.
2.
TargetedAttackandDocumentExploitAttackersendsane-mailwithspecificcontentanddocumentexploit(antiviruscouldn'tdetect)tohistargets.
Afteropenthedocument,attackercouldtakecontrolofthevictim'ssystem.
Itisthemostcommonwayandnoteasytobeawareof.
Themaliciousdocumentusuallyincludesmaliciouswebpage(attackingbrowsers),officedocument,PDF,andFlash.
Documentexploitisactuallytheweaponoftargetedattack.
1.
3.
CatandMouseGameExploitattackanddefenseislikeacatandmousegame.
Vendorskeeppatchingapplicationandinventingnewtechnologiestopreventattack,howeverattackersalwayscanfindwaystodefeatthoseprotections.
Soifwecouldbeaheadofattackersbyguessingtheirnexttricks,wemighthavebetterprotectionsforpeople.
1.
4.
ContentsofthePaperInthispaperwewilldiscussdocumentexploitfromtechnicalperspective.
Recentdocumentexploittechniqueswillbeintroducedinchapter2.
Chapter3willcoverfourmajortypesofnewdocumentattacks,includingourlatestfindings:Advancedfuzzingtechniques:ourflashAVMfuzzingtechniquewillbeintroduced.
Techniquestoagainstexploitmitigationtechnologies:ournewJITsprayingtechniqueswillbeintroduced.
Techniquestobypasssandboxandpolicycontrol:aflashvulnerabilitywillbeintroducedasanexample.
Techniquestodefeatbehaviorbasedprotection:newapproachestowriteadocumentexploit.
Thiswillmakesecurityvendorsheadache.
2.
RecentDocumentExploitAttacks2.
1.
HybridDocumentExploitIfyouhaveinstalledallMicrosoftofficepatches,andthereisno0-dayvulnerabilityandexploit.
Willitbe100%safetoopenawordorexceldocumentTheanswerisno.
Moderndocumentapplicationisverycomplicated.
Mostofthemcouldembeddocumentobjectsofotherapplications.
Forexample,theExcelcouldembedanAdobeflashobject.
Inthiscase,evenyourExcelisuptodate,itisstillnot100%safewhenyouopenanExceldocumentwhichincludesaflashobjectandyourflashapplicationisvulnerable.
Mostofpeopleknowbrowsercouldincludealotofdocumentobjects,suchasPDF,flash,andothermultimediafiles.
Sotheyarecautiouswhentheyopenwebpage.
However,whentheyopenadocumentinthee-mail,theywouldnotbeawareofthedanger.
Thiskindofattackisverypopularrecently.
Aflashvulnerabilitycouldberepackedasamaliciouswebpage,aPDFexploit,orevenanofficedocumentexploit.
2.
2.
IncompleteProtectionApplicationvendorsdeliverednewtechnologiestomaketheirapplicationsafer.
Especiallytheexploitmitigationtechniquescoulddoreallygoodjobstoavoidexecutionofexploits,e.
g.
DEPandASLR.
However,itisverydifficulttodoprotectionscompletely.
Becauseapplicationisverycomplicatedaswellastheenvironmentofoperatingsystem,itisnotpossibletoupdateeverycomponent,everytooltoadopttheprotectiontechnologies.
Andyoudon'tneedtothinkthatyoucouldaskalluserstoinstallupdatesormanuallyenableprotections.
Forexample,evenyouhaveadoptedDEPandASLR,therearealwayssomeresearcherscouldfindsomemodulesarenotprotectedbyASLR,andtheycouldusethemoduletodoROP(return-orientedprogramming)andmakeeffectiveexploits.
2.
3.
AdvancedMemoryAttackTechniquesResearchersarealsofindingsomenewapproachestobypassDEPandASLR.
FlashJITsprayingtechniqueshasbeenintroducedinBHDC2010.
FlashJITcouldbypassDEP,andthesprayingtechniquecoulddefeatASLR.
ThistechniquecouldexploitthenewestOffice2010andInternetExplorer.
2.
4.
VendorResponsesVendorshavebeenworkinghardtopatchvulnerabilitiesandadoptnewprotectionsinapplications.
Flashhasstartedtoencode/encryptAVMcodeareasinceversion10.
1,andthememoryareahasbecomenon-executable.
AlsoithasbetterASLRtoarrangeitsmemorysections.
ThesenewtechniqueseffectivelymitigateJITsprayingexploit.
AndMicrosoftreleasedEnhancedMitigationExperienceToolkit2.
0inBlueHatv10.
TheEMETtoolcouldprovidealotofmemoryprotectionsforapplications.
ItcouldeffectivelydefeatmostofexploitswithROPtechniques.
2.
5.
OurFindinginRealAttacksRecentlywefoundexploitisusingthesametrickaswedisclosedinSyscan10'.
Doyouknowwhyattackersdon'tincludeaflashexploitinwebpageorPDFfile,andtheyonlyuseExceltospreadmaliciouse-mails.
ThereasonisExcelwillturnoffDEPwhenaflashobjectisembedded.
Itismucheasierforattackerstowriteexploits.
3.
FutureDocumentExploitAttacks3.
1.
AdvancedFuzzingTechniquesFileformatfuzzingisthemostcommonwaytodiscoveravulnerabilityofdocumentapplication.
Webelievemostofdocumentvulnerabilitydiscovers(includingvendors)arekeepingimprovingtheirfuzzingtools.
WearegoingtointroduceourFlashAVMfuzzingtechniques.
FocusonAVMinstructions.
TaketheCVE-2010-1297asexample.
Traditionalone-bytefuzzingtechniquemodifieseachbyteofthesamplefilewith256values.
WefoundwecanfocusontheAVM(actionscript)part,themethod_bodyofcodearea.
Andwealsofoundthereareonlyaround170AVMinstructions.
SoourfuzzingtoolcouldonlytrytheAVMpartwith170values.
Itreducesthetestingrangeandsavealotoftime,andwecouldstillfindsimilarvulnerabilities.
WeusetheapproachtofuzztheCVE-2010-1297,andwealsodiscoveredAPSB11-12beforeitwasdisclosed.
(ByinsertingaSetlocal_1(0xd5)incodearea)Furthermore,weaccidentlyfoundtheJITsprayingtechniquecouldstillworkduringtheautomaticfuzzingprocess.
3.
2.
TechniquestoAgainstExploitMitigationTechnologiesManyresearchersarelookingfornewtechniquestobypassDEPandASLR.
Wearethesame.
InthischapterwearegoingtoexplainhowwebringJITsprayingback,andourJITsprayingimprovements.
ThemagicB4(IN)instruction:TheoriginalJITsprayingisuse'359090903C'tofillupthecodearea.
Byourfuzzingtechnique,wefoundifwereplacethefirstXOR(AA)withIN(B4),theAVMcodeareawillnotbeencodedinmemory,andmemorysectionwillbecomeexecutable(likebefore).
Oldtrick(theXORtrick)couldbeusedagain.
However,theimprovedASLRreducedthesuccessrate.
Weneedsomeothertechniques.
Continuityofsprayedarea:OriginaltrickusedalooptoloadthesprayingfilealotoftimestodoJITspraying.
However,thisapproachhasbadcontinuityinnewversionofFlash.
Inordertohavebettercontinuity,insteadofreloadinganotherswffile,wemakealotofmethod_bodyinaswffiledirectly.
Thisapproachhasmuchbetterresult.
Inourtesting,wehavearound10000method_bodyinthesamplefileandeachmethod_body(function)includes2048XORinstructions.
Yes,thistechniqueproducesahugefile(58.
7MB).
Zlibcouldhelpustosolvetheproblem.
Aftercompression,thesamplefilesizeis268kbytes.
Followingpictureshowscontentoftheswffile:UseOR:InsteadofXORinstruction,wefoundabettersolution.
WeuseOR(A9)insteadofXOR(AA)tospraythememory.
Insteadof'359090903C',thecontentinmemorywillbe'0D0D0D0D0C'.
Thistechniquemakesiteasiertojumpintooursprayedareawhentriggerthevulnerability.
WeuseMS11-050astheexample:Whilethevulnerabilityisbeingtriggered,youcanseetheEDXvalueisimportant.
ThevalueofEDXwouldbethevalueof[EAX+70].
Inthiscase,itisactually[0x0c0c0c0c+70].
IfwestilluseXORtrick,thevalueofEDXwouldbeoneofDWORDvalueof'359090903C'sprayedarea.
IfweusetheORinstruction,itwouldbeeasiertospraythepossibledestinationaddresses(thevalueofEDX).
Itworkseverywhere.
OurapproachcandefeatDEPandASLReffectively,eventheEMETallfunctionsareenabled.
ProtectionNewJITSprayingwithFlashPlayer10.
3.
181.
34(Released6/28/2011)Office2000~Office2010(DEPAlwaysOn,ASLR)worksInternetExplorer(DEPAlwaysOn,ASLR)worksAdobePDF(DEPAlwaysOn,ASLR)worksEMETv2.
1(Enabledallfunctions)worksWhenEMETisadopted,thesprayedmemorylayoutwouldbelike:WecanseethatEMETwouldskipthesensitiveaddressrange,e.
g.
0x0c0c0c0cor0x0d0d0d0d.
However,ifthevulnerabilityisthetraditionalstackoverflow,likeCVE-2010-3333,wecanstillcontrolEIP,sowecanfill0x0c0d0c0dtoenterthesprayedarea.
Thereisonethingwewouldliketomention:whenyouarewritingshellcode,youneedsomeeffortstobypassEAFprotection.
YouneedtolookforfunctionsinDLLstoaccessExportAddressTable.
(ref:http://skypher.
com/index.
php/2010/11/17/bypassing-eaf/)3.
3.
TechniquestoBypassSandbox/Policy/AccesscontrolExceptformemoryexploitation,theattacktodesignofsecuritypolicyandresourceaccesscontrolwillbeanothertopicfordocumentexploitresearchers.
Inordertoprovidesecureexecutionenvironmentforclientsandusers,vendorsarestartingtoadoptsandboxtechnologiestotheirapplications.
Thesandboxusuallyhascomplicatedpolicyandpermissioncontroltoisolateaccesstoeachresource.
Theremightbesomelogicdesignflawsinapplications.
FlashSandboxProblemWetakeapolicydesignflawthatwefoundinFlashastheexample.
Thereare4typesofpropertiesinFlashSecurity.
SandboxType:Security.
REMOTE,Security.
LOCAL_WITH_FILE,Security.
LOCAL_WITH_NETWORK,andSecurity.
LOCAL_TRUSTED.
Thebasicideaisifyoucanaccessnetwork,youcan'taccesslocalresource,viceversa.
Theflawisinits'urlprotocol'design.
WeembedaFlashobjectinanOfficedocument.
Thisflashobjectisallowedtoaccesslocalfiles,andnotallowedtoaccessinternet.
Howeverthereisaproblemwhenhandlingthe'mms'protocol.
Whentheflashobjectopensanmmslink,IEwillbelaunched,andthenmediaplayerwillalsobelaunched(byIE)aswell.
Themediaplayerwillconnecttothelink.
Usingthisflaw,wecouldretrieveuserinformation,andusemmsprotocoltosendinformationtointernet.
Forexample,wemightstealuser'scookie,user'ssavedpassword,etc.
Andwecouldusethistechniquetoprobeuserenvironment.
Itisnotallowedtodirectlyidentifyafileexistingornot.
However,wemayuse'addEventListener'tomonitortheIOErrorEvent.
IO_ERROReventiffiledoesn'texist.
AndEvent.
COMPLETEcouldhelpustoknowthefileloadingactionhasbeencompleted.
Thereisstillaproblemthatweneedtoknowwhereuser'shomepathis,forexample,user'scookieorsavedpassword.
Actuallytherearemanylogfilesthatshowthisinformation.
Inourapproach,weusesetupapi.
app.
log.
(Windows7:'C:\Windows\inf\setupapi.
app.
log',WindowsXP:'C:\WINDOWS\setupapi.
log')varuname="mms://x.
x.
x.
x:1755/"+secret.
contents+".
asx";varreq=newURLRequest(uname);navigateToURL(req,"_blank");IncaseofIE6orIE7,asyoucansee,thecodelaunchesIEandmediaplayerautomatically.
Theinformationwouldbetransferredout.
However,therewillbeapop-upwarningmessagebeforeopeningmediaplayerwhenyouareusingIE8andIE9.
Forthissituation,wemayusesometrickstointeractwithusers,forexamplewecancreatesomeanimationwithlinks.
Ithinkmostofuserswouldstillclick'Yes'toallowtheconnection.
3.
4.
TechniquestodefeatbehaviorbasedprotectionandautomaticanalyzingsandboxIncaseofexploitislaunched,traditionalsignaturebasedmalwareprotectionisuseless,becausetheexploitormalwareisusually'customized'.
Userscanonlyrelyonbehaviorbasedprotection.
Forexample,theHIPScouldblockyourconnectiontoInternet,blockfiledroppingtosystemfolders,andblockaccesstosensitiveregistries.
ThereforedefeatingHIPSwillbecomeexploitwriter'snextmajortask.
InlineHookBypassingManyHIPSuseinlinehooktointerceptAPIandmonitorbehaviors.
MostofthemareusingMicrosoftDetourlibraryorDetour-likeapproach.
BypassingthiskindofAPIhooking,wemanyjustskipafewbeggingbytes.
WMIandCOMObjectsTheHIPSusuallydoeshooktoobservemaliciousbehaviors(Nomatterinring0orring3).
Onceitdetectsasuspiciousbehavior,itwouldcheck'who'isdoingthisbyidentifyingtheprocess.
Iftheprocessisnotinitslegitimate(white)processlist,itcouldblocktheaction.
Trytoimagine,iflegitimateprocesscoulddothingsforus,theHIPSwouldbecomeuseless.
Doinjectiontothosesystem(legitimate)processesNo,theinjectioncouldbeblocked.
WenoticedthatMicrosofthasalreadyprovidedcompletesolutions–theWMIandmanyusefulCOMobjects.
Byleveragingthetechnologies,systemprocesscoulddoeverythingforus,includingconnectingtoInternet,accessfiles/registries,andeveninstallingaMSIfile.
NotonlydefeatingHIPS,theapproachcouldalsodefeatautomationanalyzingsandboxsystem.
Themalware'process'actuallydoesnothingdirectly.
Thesandboxcouldrecordnothingifthesandboxonlytracksmalwareprocess.
WMI/COMShellcodeWritingshellcodetouseWMI,weneedtoincludesomefunctionsinole32.
dll:CoUninitialize(),CoInitializeSecurity(),CoInitializeEx(),CoCreateInstance(),CoSetProxyBlanket().
GetinstanceviaCLSID_WbemLocato(),andconnectROOT\\CIMV2.
GetObjectcanget'Win32_Process',andGetMethodcanhave'Create'.
ThenuseExecMethodtolaunchnotepad.
exe.
4.
ConclusionWehavediscussedcompletesolutionstomakeaweaponoftargetedattackwithmanynewtechniques:Howtofindvulnerabilities:AVMfuzzingtechnique.
Howtodefeatexploitmitigationtechnologies:newJITspraying.
Howtomakeanexploitwithoutmemoryhardwork:attackpolicyflaw.
Howtodefeatdesktopprotectionandanalyzingsystem:WMIandCOM.
MalwareCOMNETCOMREGCOMFILECOMProcessWebelieveattackersareworkinghardonthesetopics.
Wewishsecurityvendorscouldaddresstheseproblemstocomeoutsolutionsaheadofattackers.
Probevictim'senvironmentandcollectinformation.
(embedswfinoffice)UseNewJITtechniqueswithbrowser,PDF,Officevulnerabilities.
UseCOMtechniquetobypassHIPSFutureAPTattackReferenceOfficeisStillYummyMing-chiehPanandSungtingTsai,2010.
http://exploitspace.
blogspot.
com/2011/06/our-presentation-in-syscan-10-singapore.
htmlas3compile.
exehttp://www.
swftools.
org/AdobeVirtualMachine2(AVM2)http://www.
adobe.
com/devnet/actionscript/articles/avm2overview.
pdfINTERPRETEREXPLOITATION:POINTERINFERENCEANDJITSPRAYINGhttp://www.
semantiscope.
com/research/BHDC2010/BHDC-2010-Paper.
pdfWritingJIT-SprayShellcodeforfunandprofithttp://dsecrg.
com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.
pdfEnhancedMitigationExperienceToolkitv2.
1http://www.
microsoft.
com/download/en/details.
aspxid=1677swfretoolhttps://github.
com/sporst/SWFREtoolsMS11-050IEmshtml!
CObjectElement.
UseAfterFreehttp://d0cs4vage.
blogspot.
com/2011/06/insecticides-dont-kill-bugs-patch.
htmlWin32_ProcessClasshttp://msdn.
microsoft.
com/en-us/library/aa394372(v=VS.
85).
aspxBypassingExportaddresstableAddressFilter(EAF)http://skypher.
com/index.
php/2010/11/17/bypassing-eaf/HeapFengShuiinJavaScripthttps://www.
blackhat.
com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.
pdf

青云互联:洛杉矶CN2弹性云限时七折,Cera机房三网CN2gia回程,13.3元/月起

青云互联怎么样?青云互联是一家成立于2020年6月份的主机服务商,致力于为用户提供高性价比稳定快速的主机托管服务,目前提供有美国免费主机、香港主机、香港服务器、美国云服务器,让您的网站高速、稳定运行。目前,美国洛杉矶cn2弹性云限时七折,美国cera机房三网CN2gia回程 13.3元/月起,可选Windows/可自定义配置。点击进入:青云互联官网青云互联优惠码:七折优惠码:dVRKp2tP (续...

水墨云历史黑名单IDC,斟酌选购

水墨云怎么样?本站黑名单idc,有被删除账号风险,建议转出及数据备份!水墨云ink cloud Service是成立于2017年的商家,自2020起开始从事香港、日本、韩国、美国等地区CN2 GIA线路的虚拟服务器租赁,同时还有台湾、国内nat vps相关业务,也有iplc专线产品,相对来说主打的是大带宽服务器产品。注意:本站黑名单IDC,有被删除账号风险,请尽量避免,如果已经购买建议转出及数据备...

Sharktech鲨鱼服务器商提供洛杉矶独立服务器促销 不限流量月99美元

Sharktech(鲨鱼服务器商)我们还是比较懂的,有提供独立服务器和高防服务器,而且性价比都还算是不错,而且我们看到有一些主机商的服务器也是走这个商家渠道分销的。这不看到鲨鱼服务器商家洛杉矶独立服务器纷纷促销,不限制流量的独立服务器起步99美元,这个还未曾有过。第一、鲨鱼机房服务器方案洛杉矶机房,默认1Gbps带宽,不限流量,自带5个IPv4,免费60Gbps / 48Mpps DDoS防御。C...

flashfxp为你推荐
phpcms模板phpcms在后台怎样改模板开启javascript启用javascript是甚么意思抢米网抢小米手机需要下什么软件 速求tumblr上不去百度为什么经常打不开广告后台我是卖家,淘宝上买家评价中的广告和图片后台可以删除吗?顽固木马专杀工具360顽固木马专杀工具打不开?dedecms为什么大家都说织梦dedecms不安全?权限777777权限是什么?论坛头像图片论坛头像宽度必须是 1 -- 160 之间的一个整数。头像高度必须是 1 -- 160 之间的一个整数。异步传输同步传输和异步传输有什么区别
星星海 pw域名 l5520 网站监控 ibrs 炎黄盛世 工信部icp备案号 工作站服务器 免费网页空间 双线机房 买空间网 umax 上海联通 香港博客 美国主机侦探 ncp alertpay wordpress安装 ddos攻击小组 主机游戏 更多