Weapons of Targeted Attack: Modern Document Exploit Techniques
Ming-chieh Pan, Sung-ting Tsai
Black Hat USA 2011

Abstract

The most common and effective way in the targeted attack is using a document exploit. Due to the political issue, we have had opportunities to observe APT (advanced persistent threat) attacks in Taiwan since 2004. Therefore we have studied and researched malicious documents for a long period of time. Recently, we found APT attacks (e.g. RSA) used the same technique as we disclosed last year, e.g. embedding a flash exploit in an excel document.

In order to protect users against malicious documents and targeted attacks, we would like to discuss the past, present, and future of document exploits from a technical perspective, and predict possible techniques that could be used in a malicious document in the future by demonstrating "proof of concept" exploits. The presentation will cover four major types of document attacks:

- Advanced fuzzing techniques.
- Techniques against exploit mitigation technologies (DEP/ASLR).
- Techniques to bypass sandbox and policy control.
- Techniques to defeat behavior based protection, such as host IPS.

Contents

Abstract
1. Introduction
  1.1. Background
  1.2. Targeted Attack and Document Exploit
  1.3. Cat and Mouse Game
  1.4. Contents of the Paper
2. Recent Document Exploit Attacks
  2.1. Hybrid Document Exploit
  2.2. Incomplete Protection
  2.3. Advanced Memory Attack Techniques
  2.4. Vendor Responses
  2.5. Our Finding in Real Attacks
3. Future Document Exploit Attacks
  3.1. Advanced Fuzzing Techniques
  3.2. Techniques Against Exploit Mitigation Technologies
  3.3. Techniques to Bypass Sandbox / Policy / Access Control
  3.4. Techniques to Defeat Behavior Based Protection and Automatic Analyzing Sandbox
4. Conclusion
Reference

1. Introduction

1.1. Background

APT (Advanced Persistent Threat) has become very popular in 2011. Actually we have already known this kind of attack since 2004. Due to the political issue, government units and large enterprises in Taiwan have been targeted for many years. They have kept receiving purpose-made e-mails and malware (exploits), and it has never stopped. Thus we have had chances to observe the attack trend, and we have also spent a lot of time on document exploit research.

Nowadays, not only in Taiwan, this kind of silent threat is attacking the whole world, e.g. the Google Aurora attack and the recent RSA attack. Unlike normal cyber-criminals, these attackers are hacking for the information, not for profit. And unfortunately, most security software couldn't protect effectively.

We are going to discuss document exploits from a technical perspective and introduce attack techniques that might be used in the future. We wish application and security vendors could be aware of the attack and have new approaches to protect people.

1.2. Targeted Attack and Document Exploit

The attacker sends an e-mail with specific content and a document exploit (which antivirus couldn't detect) to his targets. After the document is opened, the attacker could take control of the victim's system. It is the most common way and not easy to be aware of. The malicious document usually includes a malicious web page (attacking browsers), office document, PDF, and Flash.

The document exploit is actually the weapon of targeted attack.

1.3. Cat and Mouse Game

Exploit attack and defense is like a cat and mouse game. Vendors keep patching applications and inventing new technologies to prevent attacks, however attackers can always find ways to defeat those protections. So if we could be ahead of attackers by guessing their next tricks, we might have better protections for people.

1.4. Contents of the Paper

In this paper we will discuss document exploits from a technical perspective. Recent document exploit techniques will be introduced in chapter 2. Chapter 3 will cover four major types of new document attacks, including our latest findings:

- Advanced fuzzing techniques: our flash AVM fuzzing technique will be introduced.
- Techniques against exploit mitigation technologies: our new JIT spraying techniques will be introduced.
- Techniques to bypass sandbox and policy control: a flash vulnerability will be introduced as an example.
- Techniques to defeat behavior based protection: new approaches to write a document exploit. This will give security vendors a headache.

2. Recent Document Exploit Attacks

2.1. Hybrid Document Exploit

If you have installed all Microsoft office patches, and there is no 0-day vulnerability and exploit, will it be 100% safe to open a word or excel document? The answer is no.

Modern document applications are very complicated. Most of them could embed document objects of other applications. For example, Excel could embed an Adobe flash object. In this case, even if your Excel is up to date, it is still not 100% safe when you open an Excel document which includes a flash object and your flash application is vulnerable.

Most people know a browser could include a lot of document objects, such as PDF, flash, and other multimedia files. So they are cautious when they open a web page. However, when they open a document in an e-mail, they would not be aware of the danger.

This kind of attack is very popular recently. A flash vulnerability could be repacked as a malicious web page, a PDF exploit, or even an office document exploit.

2.2. Incomplete Protection

Application vendors delivered new technologies to make their applications safer. Especially the exploit mitigation techniques, e.g. DEP and ASLR, could do a really good job of avoiding execution of exploits.

However, it is very difficult to do protections completely. Because the application is very complicated, as is the environment of the operating system, it is not possible to update every component and every tool to adopt the protection technologies. And you should not think that you could ask all users to install updates or manually enable protections.

For example, even if you have adopted DEP and ASLR, there are always some researchers who could find some modules that are not protected by ASLR, and they could use the module to do ROP (return-oriented programming) and make effective exploits.

2.3. Advanced Memory Attack Techniques

Researchers are also finding some new approaches to bypass DEP and ASLR. Flash JIT spraying techniques were introduced in BHDC 2010. Flash JIT could bypass DEP, and the spraying technique could defeat ASLR. This technique could exploit the newest Office 2010 and Internet Explorer.

2.4. Vendor Responses

Vendors have been working hard to patch vulnerabilities and adopt new protections in applications. Flash has started to encode/encrypt the AVM code area since version 10.1, and the memory area has become non-executable. Also it has better ASLR to arrange its memory sections. These new techniques effectively mitigate the JIT spraying exploit.

And Microsoft released Enhanced Mitigation Experience Toolkit 2.0 in BlueHat v10. The EMET tool could provide a lot of memory protections for applications. It could effectively defeat most exploits with ROP techniques.

2.5. Our Finding in Real Attacks

Recently we found an exploit using the same trick as we disclosed in Syscan '10. Do you know why attackers don't include a flash exploit in a web page or PDF file, and only use Excel to spread malicious e-mails? The reason is that Excel will turn off DEP when a flash object is embedded. It is much easier for attackers to write exploits.

3. Future Document Exploit Attacks

3.1. Advanced Fuzzing Techniques

File format fuzzing is the most common way to discover a vulnerability in a document application. We believe most document vulnerability discoverers (including vendors) keep improving their fuzzing tools. We are going to introduce our Flash AVM fuzzing techniques.

Focus on AVM instructions.

Take CVE-2010-1297 as an example. The traditional one-byte fuzzing technique modifies each byte of the sample file with 256 values. We found we can focus on the AVM (actionscript) part, the method_body of the code area. And we also found there are only around 170 AVM instructions. So our fuzzing tool could try only the AVM part, with 170 values. It reduces the testing range and saves a lot of time, and we could still find similar vulnerabilities.

We used the approach to fuzz CVE-2010-1297, and we also discovered APSB11-12 before it was disclosed (by inserting a Setlocal_1 (0xd5) in the code area).

Furthermore, we accidentally found during the automatic fuzzing process that the JIT spraying technique could still work.

3.2. Techniques Against Exploit Mitigation Technologies

Many researchers are looking for new techniques to bypass DEP and ASLR. We are the same. In this chapter we are going to explain how we bring JIT spraying back, and our JIT spraying improvements.

The magic B4 (IN) instruction:

The original JIT spraying uses '359090903C' to fill up the code area. By our fuzzing technique, we found that if we replace the first XOR (AA) with IN (B4), the AVM code area will not be encoded in memory, and the memory section will become executable (like before).

The old trick (the XOR trick) could be used again. However, the improved ASLR reduced the success rate. We need some other techniques.

Continuity of sprayed area:

The original trick used a loop to load the spraying file a lot of times to do JIT spraying. However, this approach has bad continuity in the new version of Flash. In order to have better continuity, instead of reloading another swf file, we make a lot of method_body in a swf file directly. This approach has a much better result.

In our testing, we have around 10000 method_body in the sample file and each method_body (function) includes 2048 XOR instructions. Yes, this technique produces a huge file (58.7MB). Zlib could help us to solve the problem. After compression, the sample file size is 268k bytes.

Following picture shows content of the swf file:

Use OR:

Instead of the XOR instruction, we found a better solution. We use OR (A9) instead of XOR (AA) to spray the memory. Instead of '359090903C', the content in memory will be '0D0D0D0D0C'. This technique makes it easier to jump into our sprayed area when the vulnerability is triggered.

We use MS11-050 as the example:

While the vulnerability is being triggered, you can see the EDX value is important. The value of EDX would be the value of [EAX+70]. In this case, it is actually [0x0c0c0c0c+70]. If we still use the XOR trick, the value of EDX would be one of the DWORD values of the '359090903C' sprayed area. If we use the OR instruction, it would be easier to spray the possible destination addresses (the value of EDX).

It works everywhere.

Our approach can defeat DEP and ASLR effectively, even when all EMET functions are enabled.

Protection                                        New JIT Spraying with Flash Player 10.3.181.34 (Released 6/28/2011)
Office 2000 ~ Office 2010 (DEP AlwaysOn, ASLR)    works
Internet Explorer (DEP AlwaysOn, ASLR)            works
Adobe PDF (DEP AlwaysOn, ASLR)                    works
EMET v2.1 (Enabled all functions)                 works

When EMET is adopted, the sprayed memory layout would be like:

We can see that EMET would skip the sensitive address range, e.g. 0x0c0c0c0c or 0x0d0d0d0d. However, if the vulnerability is the traditional stack overflow, like CVE-2010-3333, we can still control EIP, so we can fill 0x0c0d0c0d to enter the sprayed area.

There is one thing we would like to mention: when you are writing shellcode, you need some effort to bypass EAF protection. You need to look for functions in DLLs to access the Export Address Table. (ref: http://skypher.com/index.php/2010/11/17/bypassing-eaf/)

3.3. Techniques to Bypass Sandbox / Policy / Access Control

Besides memory exploitation, attacking the design of security policy and resource access control will be another topic for document exploit researchers.

In order to provide a secure execution environment for clients and users, vendors are starting to adopt sandbox technologies in their applications. The sandbox usually has complicated policy and permission control to isolate access to each resource. There might be some logic design flaws in applications.

Flash Sandbox Problem

We take a policy design flaw that we found in Flash as the example. There are 4 types of properties in Flash Security.SandboxType: Security.REMOTE, Security.LOCAL_WITH_FILE, Security.LOCAL_WITH_NETWORK, and Security.LOCAL_TRUSTED. The basic idea is that if you can access the network, you can't access local resources, and vice versa. The flaw is in its 'url protocol' design.

We embed a Flash object in an Office document. This flash object is allowed to access local files, and not allowed to access the internet. However, there is a problem when handling the 'mms' protocol. When the flash object opens an mms link, IE will be launched, and then media player will also be launched (by IE). The media player will connect to the link.

Using this flaw, we could retrieve user information, and use the mms protocol to send information to the internet. For example, we might steal the user's cookie, the user's saved password, etc. And we could use this technique to probe the user environment.

It is not allowed to directly identify whether a file exists or not. However, we may use 'addEventListener' to monitor the IOErrorEvent.IO_ERROR event, which fires if the file doesn't exist. And Event.COMPLETE could help us to know the file loading action has been completed.

There is still a problem: we need to know where the user's home path is, for example for the user's cookie or saved password. Actually there are many log files that show this information. In our approach, we use setupapi.app.log. (Windows 7: 'C:\Windows\inf\setupapi.app.log', Windows XP: 'C:\WINDOWS\setupapi.log')

    var uname = "mms://x.x.x.x:1755/" + secret.contents + ".asx";
    var req = new URLRequest(uname);
    navigateToURL(req, "_blank");

In case of IE6 or IE7, as you can see, the code launches IE and media player automatically. The information would be transferred out.

However, there will be a pop-up warning message before opening media player when you are using IE8 and IE9. For this situation, we may use some tricks to interact with users, for example we can create some animation with links. I think most users would still click 'Yes' to allow the connection.
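
The structures described in sections 3.2 and 3.3 (a zlib-compressed swf whose method bodies repeat one XOR/OR instruction, and an embedded swf that carries an 'mms' link) leave static traces that a mail or file gateway can look for. The Python sketch below is an added example, not code from the paper: it carves embedded SWF streams out of a document's raw bytes and reports repeated OR/XOR runs and mms:// strings. The 64-repeat threshold, the pushint (0x2D) operand layout and the sample bytes are assumptions constructed for illustration.

```python
import re
import struct
import zlib

# "CWS"/"FWS", a plausible version byte, then the 4-byte declared length.
SWF_MAGIC = re.compile(rb"[CF]WS[\x01-\x40].{4}", re.DOTALL)
# A short unit ending in OR (0xA9) or XOR (0xAA), repeated back to back.
# The 64-repeat floor is an assumed threshold; the paper's sample used 2048.
SPRAY_RUN = re.compile(rb"(.{1,5}?[\xA9\xAA])\1{63,}", re.DOTALL)
MMS_URL = re.compile(rb"mms://[\x21-\x7e]{0,80}")
MAX_BODY = 128 * 1024 * 1024  # cap on inflated size per stream


def carve_swf(blob):
    """Yield (offset, inflate_ratio, body) for each SWF found in raw bytes."""
    for m in SWF_MAGIC.finditer(blob):
        off = m.start()
        (declared,) = struct.unpack_from("<I", blob, off + 4)
        if blob[off:off + 1] == b"F":       # FWS: body stored uncompressed
            yield off, 1.0, blob[off + 8:off + declared]
            continue
        inflater = zlib.decompressobj()     # CWS: zlib stream after the header
        try:
            body = inflater.decompress(blob[off + 8:], MAX_BODY)
        except zlib.error:
            continue                        # signature bytes that are not an SWF
        left = len(inflater.unused_data) + len(inflater.unconsumed_tail)
        yield off, len(body) / max(len(blob) - off - 8 - left, 1), body


def triage(blob):
    """Return one finding per embedded SWF that shows either indicator."""
    findings = []
    for off, ratio, body in carve_swf(blob):
        run = SPRAY_RUN.search(body)
        repeats = len(run.group(0)) // len(run.group(1)) if run else 0
        urls = sorted(set(MMS_URL.findall(body)))
        if repeats or urls:
            findings.append({"offset": off, "ratio": round(ratio, 1),
                             "spray_repeats": repeats, "mms_urls": urls})
    return findings


# Constructed sample: one CWS stream, "pushint 1; bitor" x2048, one mms:// string.
SAMPLE_BODY = b"\x2d\x01" + b"\x2d\x01\xa9" * 2048 + b"\x00mms://collector.example:1755/\x00"
SAMPLE_SWF = b"CWS\x0a" + struct.pack("<I", len(SAMPLE_BODY) + 8) + zlib.compress(SAMPLE_BODY)
SAMPLE_DOC = b"\xd0\xcf\x11\xe0" + b"\x00" * 60 + SAMPLE_SWF + b"\x00" * 32

if __name__ == "__main__":
    print(triage(SAMPLE_DOC))
```

Both indicators are heuristics: a hit marks the document for closer analysis rather than proving it malicious.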

3.4. Techniques to Defeat Behavior Based Protection and Automatic Analyzing Sandbox

Once an exploit is launched, traditional signature based malware protection is useless, because the exploit or malware is usually 'customized'. Users can only rely on behavior based protection. For example, the HIPS could block your connection to the Internet, block file dropping to system folders, and block access to sensitive registries. Therefore defeating HIPS will become the exploit writer's next major task.

Inline Hook Bypassing

Many HIPS use inline hooks to intercept APIs and monitor behaviors. Most of them are using the Microsoft Detours library or a Detours-like approach.

To bypass this kind of API hooking, we may just skip a few beginning bytes.

WMI and COM Objects

The HIPS usually hooks to observe malicious behaviors (no matter whether in ring0 or ring3). Once it detects a suspicious behavior, it would check 'who' is doing this by identifying the process. If the process is not in its legitimate (white) process list, it could block the action.

Try to imagine: if a legitimate process could do things for us, the HIPS would become useless. Do injection into those system (legitimate) processes? No, the injection could be blocked.

We noticed that Microsoft has already provided complete solutions: the WMI and many useful COM objects. By leveraging these technologies, a system process could do everything for us, including connecting to the Internet, accessing files/registries, and even installing an MSI file.

Besides defeating HIPS, the approach could also defeat an automatic analyzing sandbox system. The malware 'process' actually does nothing directly. The sandbox could record nothing if the sandbox only tracks the malware process.

WMI/COM Shellcode

To write shellcode that uses WMI, we need to include some functions in ole32.dll: CoUninitialize(), CoInitializeSecurity(), CoInitializeEx(), CoCreateInstance(), CoSetProxyBlanket().

Get an instance via CLSID_WbemLocator, and connect to ROOT\\CIMV2. GetObject can get 'Win32_Process', and GetMethod can have 'Create'. Then use ExecMethod to launch notepad.exe.
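
Because the work described in section 3.4 is carried out by a system process, telemetry has to be joined across processes before it can be attributed. The Python sketch below is an added example, not from the paper: it links processes created by the WMI provider host back to a document application that loaded a WMI client library shortly before. The event field names, the DLL list, the 30-second window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

DOC_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "iexplore.exe"}
WMI_CLIENT_DLLS = {"wbemprox.dll", "wbemdisp.dll"}  # WMI locator / scripting proxies
WMI_HOST = "wmiprvse.exe"        # provider host that runs Win32_Process.Create
WINDOW = timedelta(seconds=30)   # assumed correlation window


def leaf(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Attribute each WmiPrvSE.exe child process to the document application
    that loaded a WMI client DLL within WINDOW before it was created."""
    requesters, alerts = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "image_load":
            if leaf(ev["image"]) in DOC_APPS and leaf(ev["loaded"]) in WMI_CLIENT_DLLS:
                requesters.append(ev)
        elif ev["type"] == "process_create" and leaf(ev["parent"]) == WMI_HOST:
            for req in requesters:
                if timedelta(0) <= ev["time"] - req["time"] <= WINDOW:
                    alerts.append({"requester": leaf(req["image"]), "pid": req["pid"],
                                   "spawned": leaf(ev["image"]), "time": ev["time"]})
    return alerts


# Constructed events in the shape of process-creation and image-load telemetry.
T0 = datetime(2011, 8, 3, 10, 0, 0)
SAMPLE_EVENTS = [
    {"type": "process_create", "time": T0, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "image_load", "time": T0 + timedelta(seconds=2), "pid": 4120,
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "loaded": r"C:\Windows\System32\wbem\wbemprox.dll"},
    {"type": "process_create", "time": T0 + timedelta(seconds=3),
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process_create", "time": T0 + timedelta(minutes=5),
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```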

4. Conclusion

We have discussed complete solutions to make a weapon of targeted attack with many new techniques:

- How to find vulnerabilities: AVM fuzzing technique.
- How to defeat exploit mitigation technologies: new JIT spraying.
- How to make an exploit without memory hard work: attack policy flaw.
- How to defeat desktop protection and analyzing system: WMI and COM.

[Figure: Malware using COM for NET, REG, FILE and Process operations]

We believe attackers are working hard on these topics. We wish security vendors could address these problems and come out with solutions ahead of attackers.

[Figure: Future APT attack. Probe victim's environment and collect information (embed swf in office). Use new JIT techniques with browser, PDF, Office vulnerabilities. Use COM technique to bypass HIPS.]

Reference

- Office is Still Yummy, Ming-chieh Pan and Sung-ting Tsai, 2010. http://exploitspace.blogspot.com/2011/06/our-presentation-in-syscan-10-singapore.html
- as3compile.exe. http://www.swftools.org/
- Adobe Virtual Machine 2 (AVM2). http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf
- INTERPRETER EXPLOITATION: POINTER INFERENCE AND JIT SPRAYING. http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf
- Writing JIT-Spray Shellcode for fun and profit. http://dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf
- Enhanced Mitigation Experience Toolkit v2.1. http://www.microsoft.com/download/en/details.aspx?id=1677
- swfretool. https://github.com/sporst/SWFREtools
- MS11-050 IE mshtml!CObjectElement.UseAfterFree. http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html
- Win32_Process Class. http://msdn.microsoft.com/en-us/library/aa394372(v=VS.85).aspx
- Bypassing Export address table Address Filter (EAF). http://skypher.com/index.php/2010/11/17/bypassing-eaf/
- Heap Feng Shui in JavaScript. https://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf