flashfxp, posted 2021-02-14
Weapons of Targeted Attack: Modern Document Exploit Techniques
Ming-chieh Pan, Sung-ting Tsai
Black Hat USA 2011

Abstract
The most common and effective way to carry out a targeted attack is the document exploit. Because of the political situation, we have had the opportunity to observe APT (advanced persistent threat) attacks in Taiwan since 2004, and so we have studied and researched malicious documents for a long time. Recently we found that APT attacks (e.g. the RSA breach) used the same technique we disclosed last year: embedding a Flash exploit in an Excel document. To protect users against malicious documents and targeted attacks, we discuss the past, present, and future of document exploits from a technical perspective, and predict techniques that could be used in malicious documents in the future by demonstrating proof-of-concept exploits. The presentation covers four major types of document attack:
- Advanced fuzzing techniques.
- Techniques against exploit mitigation technologies (DEP/ASLR).
- Techniques to bypass sandbox and policy control.
- Techniques to defeat behavior-based protection, such as host IPS.
Contents
Abstract
1. Introduction
  1.1 Background
  1.2 Targeted Attack and Document Exploit
  1.3 Cat and Mouse Game
  1.4 Contents of the Paper
2. Recent Document Exploit Attacks
  2.1 Hybrid Document Exploit
  2.2 Incomplete Protection
  2.3 Advanced Memory Attack Techniques
  2.4 Vendor Responses
  2.5 Our Finding in Real Attacks
3. Future Document Exploit Attacks
  3.1 Advanced Fuzzing Techniques
  3.2 Techniques against Exploit Mitigation Technologies
  3.3 Techniques to Bypass Sandbox/Policy/Access Control
  3.4 Techniques to Defeat Behavior-Based Protection and Automatic Analyzing Sandbox
4. Conclusion
Reference

1. Introduction

1.1 Background
APT (Advanced Persistent Threat) has become a very popular term in 2011.
Actually, we have known this kind of attack since 2004. Because of the political situation, government units and large enterprises in Taiwan have been targeted for many years. They have kept receiving purpose-made e-mails and malware (exploits), and it has never stopped. Thus we have had the chance to observe the attack trend, and we have also spent a lot of time on document exploit research. Nowadays this kind of silent threat is attacking the whole world, not only Taiwan, e.g. the Google Aurora attack and the recent RSA attack. Unlike ordinary cyber-criminals, these attackers are hacking for information, not for profit. And unfortunately, most security software cannot protect against them effectively. We are going to discuss document exploits from a technical perspective and introduce attack techniques that might be used in the future. We hope application and security vendors will become aware of these attacks and find new approaches to protect people.
1.2 Targeted Attack and Document Exploit
The attacker sends an e-mail with specific content and a document exploit (which antivirus cannot detect) to his targets. After the target opens the document, the attacker can take control of the victim's system. It is the most common way, and it is not easy to notice. The malicious document is usually a malicious web page (attacking browsers), an Office document, a PDF, or Flash. The document exploit is in fact the weapon of the targeted attack.
1.3 Cat and Mouse Game
Exploit attack and defense is like a cat and mouse game. Vendors keep patching applications and inventing new technologies to prevent attacks, yet attackers can always find ways to defeat those protections. So if we could stay ahead of attackers by guessing their next tricks, we might have better protections for people.
1.4 Contents of the Paper
In this paper we discuss document exploits from a technical perspective. Recent document exploit techniques are introduced in chapter 2. Chapter 3 covers four major types of new document attacks, including our latest findings:
- Advanced fuzzing techniques: our Flash AVM fuzzing technique is introduced.
- Techniques against exploit mitigation technologies: our new JIT spraying techniques are introduced.
- Techniques to bypass sandbox and policy control: a Flash vulnerability is introduced as an example.
- Techniques to defeat behavior-based protection: new approaches to writing a document exploit. This will give security vendors a headache.
2. Recent Document Exploit Attacks

2.1 Hybrid Document Exploit
Suppose you have installed all Microsoft Office patches, and there is no 0-day vulnerability and exploit. Will it be 100% safe to open a Word or Excel document? The answer is no. Modern document applications are very complicated. Most of them can embed document objects of other applications. For example, Excel can embed an Adobe Flash object. In this case, even if your Excel is up to date, it is still not 100% safe to open an Excel document that includes a Flash object when your Flash Player is vulnerable. Most people know that a browser can include a lot of document objects, such as PDF, Flash, and other multimedia files, so they are cautious when they open a web page. However, when they open a document attached to an e-mail, they are not aware of the danger. This kind of attack has become very popular recently. A Flash vulnerability can be repacked as a malicious web page, a PDF exploit, or even an Office document exploit.
2.2 Incomplete Protection
Application vendors have delivered new technologies to make their applications safer. In particular, exploit mitigation techniques such as DEP and ASLR do a really good job of preventing the execution of exploits. However, it is very difficult to apply protections completely. Because applications are very complicated, as is the operating system environment, it is not possible to update every component and every tool to adopt the protection technologies. And you cannot expect to ask all users to install updates or manually enable protections. For example, even if you have adopted DEP and ASLR, there are always researchers who can find some modules that are not protected by ASLR, and they can use such a module to do ROP (return-oriented programming) and make effective exploits.
2.3 Advanced Memory Attack Techniques
Researchers are also finding new approaches to bypass DEP and ASLR. The Flash JIT spraying technique was introduced at BHDC 2010. Flash JIT can bypass DEP, and the spraying technique can defeat ASLR. This technique could exploit the newest Office 2010 and Internet Explorer.
2.4 Vendor Responses
Vendors have been working hard to patch vulnerabilities and adopt new protections in applications. Flash has started to encode/encrypt the AVM code area since version 10.1, and the memory area has become non-executable. It also has better ASLR for arranging its memory sections. These new techniques effectively mitigate JIT spraying exploits. Microsoft released the Enhanced Mitigation Experience Toolkit 2.0 at BlueHat v10. The EMET tool provides a lot of memory protections for applications. It can effectively defeat most exploits that use ROP techniques.
2.5 Our Finding in Real Attacks
Recently we found an exploit using the same trick we disclosed at Syscan 10'. Do you know why the attackers didn't include the Flash exploit in a web page or PDF file, and only used Excel to spread malicious e-mails? The reason is that Excel turns off DEP when a Flash object is embedded. It is much easier for attackers to write exploits.
3. Future Document Exploit Attacks

3.1 Advanced Fuzzing Techniques
File format fuzzing is the most common way to discover a vulnerability in a document application. We believe most document vulnerability discoverers (including vendors) keep improving their fuzzing tools. We are going to introduce our Flash AVM fuzzing technique.

Focus on AVM instructions. Take CVE-2010-1297 as an example. The traditional one-byte fuzzing technique modifies each byte of the sample file with 256 values. We found we can focus on the AVM (ActionScript) part, the method_body of the code area. We also found there are only around 170 AVM instructions. So our fuzzing tool only needs to try the AVM part with 170 values. It reduces the testing range and saves a lot of time, and we can still find similar vulnerabilities. We used this approach to fuzz CVE-2010-1297, and we also discovered APSB11-12 before it was disclosed (by inserting a Setlocal_1 (0xd5) in the code area). Furthermore, we accidentally found that the JIT spraying technique could still work during the automatic fuzzing process.
3.2 Techniques against Exploit Mitigation Technologies
Many researchers are looking for new techniques to bypass DEP and ASLR. We are the same. In this chapter we explain how we bring JIT spraying back, and our JIT spraying improvements.

The magic B4 (IN) instruction: The original JIT spraying uses '359090903C' to fill up the code area. Through our fuzzing technique, we found that if we replace the first XOR (AA) with IN (B4), the AVM code area will not be encoded in memory, and the memory section will become executable (as before). The old trick (the XOR trick) can be used again. However, the improved ASLR reduces the success rate. We need some other techniques.

Continuity of sprayed area: The original trick used a loop to load the spraying file many times to do JIT spraying. However, this approach has bad continuity in new versions of Flash. To have better continuity, instead of reloading another swf file, we put a lot of method_body entries in one swf file directly. This approach has a much better result. In our testing, we have around 10000 method_body entries in the sample file, and each method_body (function) includes 2048 XOR instructions. Yes, this technique produces a huge file (58.7 MB). Zlib helps us solve the problem: after compression, the sample file size is 268 kbytes. The following picture shows the content of the swf file.

Use OR: Instead of the XOR instruction, we found a better solution. We use OR (A9) instead of XOR (AA) to spray the memory. Instead of '359090903C', the content in memory will be '0D0D0D0D0C'. This technique makes it easier to jump into our sprayed area when the vulnerability is triggered. We use MS11-050 as the example: while the vulnerability is being triggered, you can see that the EDX value is important. The value of EDX is the value of [EAX+70]. In this case, it is actually [0x0c0c0c0c+70]. If we still use the XOR trick, the value of EDX would be one of the DWORD values of the '359090903C' sprayed area. If we use the OR instruction, it is easier to spray the possible destination addresses (the value of EDX).

It works everywhere: Our approach can defeat DEP and ASLR effectively, even when all EMET functions are enabled.

Protection                                      | New JIT Spraying with Flash Player 10.3.181.34 (released 6/28/2011)
Office 2000 ~ Office 2010 (DEP Always On, ASLR) | works
Internet Explorer (DEP Always On, ASLR)         | works
Adobe PDF (DEP Always On, ASLR)                 | works
EMET v2.1 (all functions enabled)               | works

When EMET is adopted, the sprayed memory layout looks like the following picture. We can see that EMET skips the sensitive address ranges, e.g. 0x0c0c0c0c or 0x0d0d0d0d. However, if the vulnerability is a traditional stack overflow, like CVE-2010-3333, we can still control EIP, so we can fill in 0x0c0d0c0d to enter the sprayed area. There is one more thing we would like to mention: when you are writing shellcode, you need some effort to bypass EAF protection. You need to look for functions in DLLs to access the Export Address Table (ref: http://skypher.com/index.php/2010/11/17/bypassing-eaf/).
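A defensive heuristic for the sprayed method bodies described above, added here as an example (not code from the paper): it walks one method_body's AVM2 bytecode looking for long chains of "push constant; bitxor/bitor/in" pairs, reports whether the OR variant is used and whether the first XOR has been replaced by IN (B4), and builds a constructed sample body to check against. The pushint/pushshort opcode values and the 128-pair triage threshold are my assumptions; AA, A9 and B4 are the values given in the text.

```python
"""Heuristic detector for JIT-spray method bodies in AVM2 bytecode (added example)."""

# AVM2 opcodes involved in the spray pattern (push opcodes assumed from Adobe's AVM2 overview)
PUSHINT, PUSHSHORT = 0x2D, 0x25          # push a constant; both take a u30 operand
BITXOR, BITOR, OP_IN = 0xAA, 0xA9, 0xB4  # the XOR trick, the OR variant, the "magic" IN
SPRAY_OPS = (BITXOR, BITOR, OP_IN)

def read_u30(code: bytes, pos: int) -> tuple:
    """Decode one AVM2 u30 varint at pos; return (value, position after it)."""
    value, shift = 0, 0
    while pos < len(code) and shift < 35:
        b = code[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            break
    return value, pos

def scan_method_body(code: bytes, threshold: int = 128) -> dict:
    """Find the longest chain of 'push constant; xor/or/in' pairs in one method_body.
    A normal expression yields a few pairs; the spray in the text uses 2048 per body."""
    best, cur, pos = [], [], 0
    while pos < len(code):
        nxt = None
        if code[pos] in (PUSHINT, PUSHSHORT):
            _, nxt = read_u30(code, pos + 1)
        if nxt is not None and nxt < len(code) and code[nxt] in SPRAY_OPS:
            cur.append(code[nxt])      # one more 'constant op' pair in the chain
            pos = nxt + 1
            continue
        best = max(best, cur, key=len)
        cur, pos = [], pos + 1
    best = max(best, cur, key=len)
    return {
        "run": len(best),
        "suspicious": len(best) >= threshold,
        "variant": "or" if best.count(BITOR) > best.count(BITXOR) else "xor",
        "in_trick": bool(best) and best[0] == OP_IN,   # first XOR replaced by IN (B4)
    }

def spray_body(op: int, n: int, first=None) -> bytes:
    """Constructed method_body mimicking 'v = c op c op ... c' with n operator pairs."""
    body = bytes([0xD0, 0x30, PUSHINT, 0x01])  # getlocal_0; pushscope; pushint #1
    for i in range(n):
        body += bytes([PUSHINT, 0x01, first if (i == 0 and first is not None) else op])
    return body + bytes([0x48])                  # returnvalue
```

Run over every method_body in a DoABC tag, a single body with a run in the thousands, or thousands of bodies each over the threshold, is the signature of the sprayed file described above.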
3.3 Techniques to Bypass Sandbox/Policy/Access Control
Apart from memory exploitation, attacks on the design of security policy and resource access control will be another topic for document exploit researchers. To provide a secure execution environment for clients and users, vendors are starting to adopt sandbox technologies in their applications. The sandbox usually has complicated policy and permission control to isolate access to each resource. There might be some logic design flaws in applications.

Flash Sandbox Problem
We take a policy design flaw we found in Flash as the example. There are four types of Flash Security.sandboxType: Security.REMOTE, Security.LOCAL_WITH_FILE, Security.LOCAL_WITH_NETWORK, and Security.LOCAL_TRUSTED. The basic idea is that if you can access the network, you can't access local resources, and vice versa. The flaw is in its 'url protocol' design. We embed a Flash object in an Office document. This Flash object is allowed to access local files and not allowed to access the Internet. However, there is a problem when handling the 'mms' protocol. When the Flash object opens an mms link, IE is launched, and then the media player is launched (by IE) as well. The media player connects to the link. Using this flaw, we could retrieve user information and use the mms protocol to send the information to the Internet. For example, we might steal the user's cookies, saved passwords, etc. We could also use this technique to probe the user's environment. It is not allowed to directly identify whether a file exists or not. However, we may use 'addEventListener' to monitor the IOErrorEvent.IO_ERROR event, which fires if the file doesn't exist, and Event.COMPLETE tells us that the file loading action has completed. There is still a problem: we need to know where the user's home path is, for example to find the user's cookies or saved passwords. Actually there are many log files that show this information. In our approach, we use setupapi.app.log (Windows 7: 'C:\Windows\inf\setupapi.app.log', Windows XP: 'C:\WINDOWS\setupapi.log').

    var uname = "mms://x.x.x.x:1755/" + secret.contents + ".asx";
    var req = new URLRequest(uname);
    navigateToURL(req, "_blank");

In the case of IE6 or IE7, as you can see, the code launches IE and the media player automatically. The information is transferred out. However, there will be a pop-up warning message before opening the media player when you are using IE8 or IE9. For this situation, we may use some tricks to interact with users, for example creating some animation with links. I think most users would still click 'Yes' to allow the connection.
3.4 Techniques to Defeat Behavior-Based Protection and Automatic Analyzing Sandbox
Once an exploit is launched, traditional signature-based malware protection is useless, because the exploit or malware is usually 'customized'. Users can only rely on behavior-based protection. For example, a HIPS can block your connection to the Internet, block file dropping into system folders, and block access to sensitive registry keys. Therefore defeating HIPS will become the exploit writer's next major task.

Inline Hook Bypassing
Many HIPS use inline hooks to intercept APIs and monitor behaviors. Most of them use the Microsoft Detours library or a Detours-like approach. To bypass this kind of API hooking, we may just skip the first few bytes.

WMI and COM Objects
The HIPS usually hooks to observe malicious behaviors (no matter in ring 0 or ring 3). Once it detects a suspicious behavior, it checks 'who' is doing this by identifying the process. If the process is not in its legitimate (white) process list, it can block the action. Try to imagine: if a legitimate process could do things for us, the HIPS would become useless. Do injection into those system (legitimate) processes? No, the injection could be blocked. We noticed that Microsoft has already provided complete solutions: WMI and many useful COM objects. By leveraging these technologies, a system process can do everything for us, including connecting to the Internet, accessing files/registries, and even installing an MSI file. Not only defeating HIPS, this approach can also defeat automatic analyzing sandbox systems. The malware 'process' actually does nothing directly. The sandbox records nothing if it only tracks the malware process.

WMI/COM Shellcode
To write shellcode that uses WMI, we need to include some functions from ole32.dll: CoUninitialize(), CoInitializeSecurity(), CoInitializeEx(), CoCreateInstance(), CoSetProxyBlanket(). Get an instance via CLSID_WbemLocator, and connect to ROOT\\CIMV2. GetObject can get 'Win32_Process', and GetMethod can get 'Create'. Then use ExecMethod to launch notepad.exe.
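Two process-tree rules for the behaviours in sections 3.3 and 3.4, added here as an example (not code from the paper): the Flash-to-IE-to-Media-Player hand-off carries the mms:// URL under an Office parent, and a Win32_Process.Create call executes under the WMI provider host, so the child of WmiPrvSE.exe is where the "malware process does nothing itself" pattern surfaces. The log lines, image paths and address are constructed, and the Sysmon-like key=value event shape is my simplification.

```python
"""Process-tree rules for the Flash mms hand-off (3.3) and WMI-proxied creation (3.4)."""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Constructed process-creation events (not real log output). pids 1100/1200: Office -> IE ->
# Media Player carrying the mms:// URL. pid 1400: created via Win32_Process.Create under WmiPrvSE.
SAMPLE_LOG = """\
pid=1000 ppid=800 image=C:\\Program Files\\Microsoft Office\\EXCEL.EXE cmdline="EXCEL.EXE report.xls"
pid=1100 ppid=1000 image=C:\\Program Files\\Internet Explorer\\iexplore.exe cmdline="iexplore.exe mms://198.51.100.7:1755/x.asx"
pid=1200 ppid=1100 image=C:\\Program Files\\Windows Media Player\\wmplayer.exe cmdline="wmplayer.exe mms://198.51.100.7:1755/x.asx"
pid=1300 ppid=600 image=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe cmdline="WmiPrvSE.exe"
pid=1400 ppid=1300 image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe"
pid=1500 ppid=1000 image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe"
"""
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}   # assumed set of Office host images
WMI_HOST = "wmiprvse.exe"
LINE = re.compile(r'pid=(\d+) ppid=(\d+) image=(.+?) cmdline="(.*)"$')

def parse_log(text: str) -> dict:
    """Index the constructed key=value lines by pid."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pid, ppid, image, cmd = m.groups()
            table[int(pid)] = ProcEvent(int(pid), int(ppid), image, cmd)
    return table

def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()

def ancestors(table: dict, pid: int):
    """Walk up the parent chain, stopping at a pid the table does not know."""
    ev = table.get(pid)
    while ev is not None and ev.ppid in table:
        ev = table[ev.ppid]
        yield ev

def wmi_proxied_children(table: dict) -> list:
    """3.4: processes whose parent is the WMI provider host, i.e. launched on another's behalf."""
    return sorted(p for p, ev in table.items()
                  if ev.ppid in table and basename(table[ev.ppid].image) == WMI_HOST)

def office_mms_chain(table: dict) -> list:
    """3.3: processes carrying an mms:// URL that descend from an Office application."""
    return sorted(p for p, ev in table.items()
                  if "mms://" in ev.cmdline.lower()
                  and any(basename(a.image) in OFFICE for a in ancestors(table, p)))
```

A sandbox that only traces the document's own process sees neither chain; both rules need process-creation events collected system-wide with parent pids.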
4. Conclusion
We have discussed complete solutions for making a weapon of targeted attack with many new techniques:
- How to find vulnerabilities: AVM fuzzing technique.
- How to defeat exploit mitigation technologies: new JIT spraying.
- How to make an exploit without memory hard work: attacking policy flaws.
- How to defeat desktop protection and analyzing systems: WMI and COM.
[Figure: Malware -> COM -> NET / REG / FILE / Process]
We believe attackers are working hard on these topics. We hope security vendors can address these problems and come out with solutions ahead of attackers.
[Figure: Future APT attack: probe the victim's environment and collect information (embed swf in Office); use new JIT techniques with browser, PDF, and Office vulnerabilities; use the COM technique to bypass HIPS]

Reference
- Office is Still Yummy, Ming-chieh Pan and Sung-ting Tsai, 2010. http://exploitspace.blogspot.com/2011/06/our-presentation-in-syscan-10-singapore.html
- as3compile.exe, http://www.swftools.org/
- Adobe Virtual Machine 2 (AVM2), http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf
- Interpreter Exploitation: Pointer Inference and JIT Spraying, http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf
- Writing JIT-Spray Shellcode for fun and profit, http://dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf
- Enhanced Mitigation Experience Toolkit v2.1, http://www.microsoft.com/download/en/details.aspx?id=1677
- swfretool, https://github.com/sporst/SWFREtools
- MS11-050 IE mshtml!CObjectElement Use After Free, http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html
- Win32_Process Class, http://msdn.microsoft.com/en-us/library/aa394372(v=VS.85).aspx
- Bypassing Export address table Address Filter (EAF), http://skypher.com/index.php/2010/11/17/bypassing-eaf/
- Heap Feng Shui in JavaScript, https://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf