objectflash
flashfxp 时间:2021-02-14 阅读:(
)
WeaponsofTargetedAttackModernDocumentExploitTechniquesMing-chiehPanSung-tingTsaiBlackHatUSA2011AbstractThemostcommonandeffectivewayisusingdocumentexploitinthetargetedattack.
Duetothepoliticalissue,wehavehadopportunitiestoobserveAPT(advancedpersistentthreat)attacksinTaiwansince2004.
Thereforewehavestudiedandresearchedmaliciousdocumentforalongperiodoftime.
Recently,wefoundAPTattacks(e.
g.
RSA)usedthesametechniqueaswedisclosedlastyear,e.
g.
embeddingflashexploitinanexceldocument.
Inordertoprotectusersagainstmaliciousdocumentandtargetedattacks,wewouldliketodiscussthepast,present,andfutureofdocumentexploitfromtechnicalperspective,andpredictpossibletechniquescouldbeusedinamaliciousdocumentinthefuturebydemonstrating"proofofconcept"exploits.
Thepresentationwillcoverfourmajortypesofdocumentattacks:Advancedfuzzingtechniques.
Techniquestoagainstexploitmitigationtechnologies(DEP/ASLR).
Techniquestobypasssandboxandpolicycontrol.
Techniquestodefeatbehaviorbasedprotection,suchashostIPS.
ContentsAbstract.
11.
Introduction.
31.
1.
Background.
31.
2.
TargetedAttackandDocumentExploit.
31.
3.
CatandMouseGame.
31.
4.
ContentsofthePaper32.
RecentDocumentExploitAttacks42.
1.
HybridDocumentExploit42.
2.
IncompleteProtection52.
3.
AdvancedMemoryAttackTechniques52.
4.
VendorResponses.
52.
5.
OurFindinginRealAttacks53.
FutureDocumentExploitAttacks.
63.
1.
AdvancedFuzzingTechniques63.
2.
TechniquestoAgainstExploitMitigationTechnologies63.
3.
TechniquestoBypassSandbox/Policy/Accesscontrol.
103.
4.
Techniquestodefeatbehaviorbasedprotectionandautomaticanalyzingsandbox.
.
.
134.
Conclusion15Reference.
171.
Introduction1.
1.
BackgroundAPT(AdvancedPersistentThreat)hasbecomeverypopularin2011.
Actuallywehavealreadyknownthiskindofattacksince2004.
Duetothepoliticalissue,GovernmentunitsandlargeenterprisesinTaiwanhasbeentargetedformanyyears.
Theyhavekeptreceivingpurpose-madee-mailsandmalwares(exploits),neverstopped.
Thuswehavechancestoobservetheattacktrendandwealsospentalotoftimeondocumentexploitresearch.
Nowadays,notonlyinTaiwan,thiskindofsilentthreatareattackingwholeworld,e.
g.
GoogleAuroraattackandrecentRSAattack.
Unlikenormalcyber-criminals,theyarehackingfortheinformation,notforprofit.
Andunfortunately,mostofsecuritysoftwarecouldn'tprotecteffectively.
Wearegoingtodiscussdocumentexploitfromtechnicalperspective,introduceattacktechniquesthatmightbeusedinfuture.
Wewishapplicationandsecurityvendorscouldbeawareoftheattackandhavenewapproachestoprotectpeople.
1.
2.
TargetedAttackandDocumentExploitAttackersendsane-mailwithspecificcontentanddocumentexploit(antiviruscouldn'tdetect)tohistargets.
Afteropenthedocument,attackercouldtakecontrolofthevictim'ssystem.
Itisthemostcommonwayandnoteasytobeawareof.
Themaliciousdocumentusuallyincludesmaliciouswebpage(attackingbrowsers),officedocument,PDF,andFlash.
Documentexploitisactuallytheweaponoftargetedattack.
1.
3.
CatandMouseGameExploitattackanddefenseislikeacatandmousegame.
Vendorskeeppatchingapplicationandinventingnewtechnologiestopreventattack,howeverattackersalwayscanfindwaystodefeatthoseprotections.
Soifwecouldbeaheadofattackersbyguessingtheirnexttricks,wemighthavebetterprotectionsforpeople.
1.
4.
ContentsofthePaperInthispaperwewilldiscussdocumentexploitfromtechnicalperspective.
Recentdocumentexploittechniqueswillbeintroducedinchapter2.
Chapter3willcoverfourmajortypesofnewdocumentattacks,includingourlatestfindings:Advancedfuzzingtechniques:ourflashAVMfuzzingtechniquewillbeintroduced.
Techniquestoagainstexploitmitigationtechnologies:ournewJITsprayingtechniqueswillbeintroduced.
Techniquestobypasssandboxandpolicycontrol:aflashvulnerabilitywillbeintroducedasanexample.
Techniquestodefeatbehaviorbasedprotection:newapproachestowriteadocumentexploit.
Thiswillmakesecurityvendorsheadache.
2.
RecentDocumentExploitAttacks2.
1.
HybridDocumentExploitIfyouhaveinstalledallMicrosoftofficepatches,andthereisno0-dayvulnerabilityandexploit.
Willitbe100%safetoopenawordorexceldocumentTheanswerisno.
Moderndocumentapplicationisverycomplicated.
Mostofthemcouldembeddocumentobjectsofotherapplications.
Forexample,theExcelcouldembedanAdobeflashobject.
Inthiscase,evenyourExcelisuptodate,itisstillnot100%safewhenyouopenanExceldocumentwhichincludesaflashobjectandyourflashapplicationisvulnerable.
Mostofpeopleknowbrowsercouldincludealotofdocumentobjects,suchasPDF,flash,andothermultimediafiles.
Sotheyarecautiouswhentheyopenwebpage.
However,whentheyopenadocumentinthee-mail,theywouldnotbeawareofthedanger.
Thiskindofattackisverypopularrecently.
Aflashvulnerabilitycouldberepackedasamaliciouswebpage,aPDFexploit,orevenanofficedocumentexploit.
2.
2.
IncompleteProtectionApplicationvendorsdeliverednewtechnologiestomaketheirapplicationsafer.
Especiallytheexploitmitigationtechniquescoulddoreallygoodjobstoavoidexecutionofexploits,e.
g.
DEPandASLR.
However,itisverydifficulttodoprotectionscompletely.
Becauseapplicationisverycomplicatedaswellastheenvironmentofoperatingsystem,itisnotpossibletoupdateeverycomponent,everytooltoadopttheprotectiontechnologies.
Andyoudon'tneedtothinkthatyoucouldaskalluserstoinstallupdatesormanuallyenableprotections.
Forexample,evenyouhaveadoptedDEPandASLR,therearealwayssomeresearcherscouldfindsomemodulesarenotprotectedbyASLR,andtheycouldusethemoduletodoROP(return-orientedprogramming)andmakeeffectiveexploits.
2.
3.
AdvancedMemoryAttackTechniquesResearchersarealsofindingsomenewapproachestobypassDEPandASLR.
FlashJITsprayingtechniqueshasbeenintroducedinBHDC2010.
FlashJITcouldbypassDEP,andthesprayingtechniquecoulddefeatASLR.
ThistechniquecouldexploitthenewestOffice2010andInternetExplorer.
2.
4.
VendorResponsesVendorshavebeenworkinghardtopatchvulnerabilitiesandadoptnewprotectionsinapplications.
Flashhasstartedtoencode/encryptAVMcodeareasinceversion10.
1,andthememoryareahasbecomenon-executable.
AlsoithasbetterASLRtoarrangeitsmemorysections.
ThesenewtechniqueseffectivelymitigateJITsprayingexploit.
AndMicrosoftreleasedEnhancedMitigationExperienceToolkit2.
0inBlueHatv10.
TheEMETtoolcouldprovidealotofmemoryprotectionsforapplications.
ItcouldeffectivelydefeatmostofexploitswithROPtechniques.
2.
5.
OurFindinginRealAttacksRecentlywefoundexploitisusingthesametrickaswedisclosedinSyscan10'.
Doyouknowwhyattackersdon'tincludeaflashexploitinwebpageorPDFfile,andtheyonlyuseExceltospreadmaliciouse-mails.
ThereasonisExcelwillturnoffDEPwhenaflashobjectisembedded.
Itismucheasierforattackerstowriteexploits.
3.
FutureDocumentExploitAttacks3.
1.
AdvancedFuzzingTechniquesFileformatfuzzingisthemostcommonwaytodiscoveravulnerabilityofdocumentapplication.
Webelievemostofdocumentvulnerabilitydiscovers(includingvendors)arekeepingimprovingtheirfuzzingtools.
WearegoingtointroduceourFlashAVMfuzzingtechniques.
FocusonAVMinstructions.
TaketheCVE-2010-1297asexample.
Traditionalone-bytefuzzingtechniquemodifieseachbyteofthesamplefilewith256values.
WefoundwecanfocusontheAVM(actionscript)part,themethod_bodyofcodearea.
Andwealsofoundthereareonlyaround170AVMinstructions.
SoourfuzzingtoolcouldonlytrytheAVMpartwith170values.
Itreducesthetestingrangeandsavealotoftime,andwecouldstillfindsimilarvulnerabilities.
WeusetheapproachtofuzztheCVE-2010-1297,andwealsodiscoveredAPSB11-12beforeitwasdisclosed.
(ByinsertingaSetlocal_1(0xd5)incodearea)Furthermore,weaccidentlyfoundtheJITsprayingtechniquecouldstillworkduringtheautomaticfuzzingprocess.
3.
2.
TechniquestoAgainstExploitMitigationTechnologiesManyresearchersarelookingfornewtechniquestobypassDEPandASLR.
Wearethesame.
InthischapterwearegoingtoexplainhowwebringJITsprayingback,andourJITsprayingimprovements.
ThemagicB4(IN)instruction:TheoriginalJITsprayingisuse'359090903C'tofillupthecodearea.
Byourfuzzingtechnique,wefoundifwereplacethefirstXOR(AA)withIN(B4),theAVMcodeareawillnotbeencodedinmemory,andmemorysectionwillbecomeexecutable(likebefore).
Oldtrick(theXORtrick)couldbeusedagain.
However,theimprovedASLRreducedthesuccessrate.
Weneedsomeothertechniques.
Continuityofsprayedarea:OriginaltrickusedalooptoloadthesprayingfilealotoftimestodoJITspraying.
However,thisapproachhasbadcontinuityinnewversionofFlash.
Inordertohavebettercontinuity,insteadofreloadinganotherswffile,wemakealotofmethod_bodyinaswffiledirectly.
Thisapproachhasmuchbetterresult.
Inourtesting,wehavearound10000method_bodyinthesamplefileandeachmethod_body(function)includes2048XORinstructions.
Yes,thistechniqueproducesahugefile(58.
7MB).
Zlibcouldhelpustosolvetheproblem.
Aftercompression,thesamplefilesizeis268kbytes.
Followingpictureshowscontentoftheswffile:UseOR:InsteadofXORinstruction,wefoundabettersolution.
WeuseOR(A9)insteadofXOR(AA)tospraythememory.
Insteadof'359090903C',thecontentinmemorywillbe'0D0D0D0D0C'.
Thistechniquemakesiteasiertojumpintooursprayedareawhentriggerthevulnerability.
WeuseMS11-050astheexample:Whilethevulnerabilityisbeingtriggered,youcanseetheEDXvalueisimportant.
ThevalueofEDXwouldbethevalueof[EAX+70].
Inthiscase,itisactually[0x0c0c0c0c+70].
IfwestilluseXORtrick,thevalueofEDXwouldbeoneofDWORDvalueof'359090903C'sprayedarea.
IfweusetheORinstruction,itwouldbeeasiertospraythepossibledestinationaddresses(thevalueofEDX).
Itworkseverywhere.
OurapproachcandefeatDEPandASLReffectively,eventheEMETallfunctionsareenabled.
ProtectionNewJITSprayingwithFlashPlayer10.
3.
181.
34(Released6/28/2011)Office2000~Office2010(DEPAlwaysOn,ASLR)worksInternetExplorer(DEPAlwaysOn,ASLR)worksAdobePDF(DEPAlwaysOn,ASLR)worksEMETv2.
1(Enabledallfunctions)worksWhenEMETisadopted,thesprayedmemorylayoutwouldbelike:WecanseethatEMETwouldskipthesensitiveaddressrange,e.
g.
0x0c0c0c0cor0x0d0d0d0d.
However,ifthevulnerabilityisthetraditionalstackoverflow,likeCVE-2010-3333,wecanstillcontrolEIP,sowecanfill0x0c0d0c0dtoenterthesprayedarea.
Thereisonethingwewouldliketomention:whenyouarewritingshellcode,youneedsomeeffortstobypassEAFprotection.
YouneedtolookforfunctionsinDLLstoaccessExportAddressTable.
(ref:http://skypher.
com/index.
php/2010/11/17/bypassing-eaf/)3.
3.
TechniquestoBypassSandbox/Policy/AccesscontrolExceptformemoryexploitation,theattacktodesignofsecuritypolicyandresourceaccesscontrolwillbeanothertopicfordocumentexploitresearchers.
Inordertoprovidesecureexecutionenvironmentforclientsandusers,vendorsarestartingtoadoptsandboxtechnologiestotheirapplications.
Thesandboxusuallyhascomplicatedpolicyandpermissioncontroltoisolateaccesstoeachresource.
Theremightbesomelogicdesignflawsinapplications.
FlashSandboxProblemWetakeapolicydesignflawthatwefoundinFlashastheexample.
Thereare4typesofpropertiesinFlashSecurity.
SandboxType:Security.
REMOTE,Security.
LOCAL_WITH_FILE,Security.
LOCAL_WITH_NETWORK,andSecurity.
LOCAL_TRUSTED.
Thebasicideaisifyoucanaccessnetwork,youcan'taccesslocalresource,viceversa.
Theflawisinits'urlprotocol'design.
WeembedaFlashobjectinanOfficedocument.
Thisflashobjectisallowedtoaccesslocalfiles,andnotallowedtoaccessinternet.
Howeverthereisaproblemwhenhandlingthe'mms'protocol.
Whentheflashobjectopensanmmslink,IEwillbelaunched,andthenmediaplayerwillalsobelaunched(byIE)aswell.
Themediaplayerwillconnecttothelink.
Usingthisflaw,wecouldretrieveuserinformation,andusemmsprotocoltosendinformationtointernet.
Forexample,wemightstealuser'scookie,user'ssavedpassword,etc.
Andwecouldusethistechniquetoprobeuserenvironment.
Itisnotallowedtodirectlyidentifyafileexistingornot.
However,wemayuse'addEventListener'tomonitortheIOErrorEvent.
IO_ERROReventiffiledoesn'texist.
AndEvent.
COMPLETEcouldhelpustoknowthefileloadingactionhasbeencompleted.
Thereisstillaproblemthatweneedtoknowwhereuser'shomepathis,forexample,user'scookieorsavedpassword.
Actuallytherearemanylogfilesthatshowthisinformation.
Inourapproach,weusesetupapi.
app.
log.
(Windows7:'C:\Windows\inf\setupapi.
app.
log',WindowsXP:'C:\WINDOWS\setupapi.
log')varuname="mms://x.
x.
x.
x:1755/"+secret.
contents+".
asx";varreq=newURLRequest(uname);navigateToURL(req,"_blank");IncaseofIE6orIE7,asyoucansee,thecodelaunchesIEandmediaplayerautomatically.
Theinformationwouldbetransferredout.
However,therewillbeapop-upwarningmessagebeforeopeningmediaplayerwhenyouareusingIE8andIE9.
Forthissituation,wemayusesometrickstointeractwithusers,forexamplewecancreatesomeanimationwithlinks.
Ithinkmostofuserswouldstillclick'Yes'toallowtheconnection.
3.
4.
TechniquestodefeatbehaviorbasedprotectionandautomaticanalyzingsandboxIncaseofexploitislaunched,traditionalsignaturebasedmalwareprotectionisuseless,becausetheexploitormalwareisusually'customized'.
Userscanonlyrelyonbehaviorbasedprotection.
Forexample,theHIPScouldblockyourconnectiontoInternet,blockfiledroppingtosystemfolders,andblockaccesstosensitiveregistries.
ThereforedefeatingHIPSwillbecomeexploitwriter'snextmajortask.
InlineHookBypassingManyHIPSuseinlinehooktointerceptAPIandmonitorbehaviors.
MostofthemareusingMicrosoftDetourlibraryorDetour-likeapproach.
BypassingthiskindofAPIhooking,wemanyjustskipafewbeggingbytes.
WMIandCOMObjectsTheHIPSusuallydoeshooktoobservemaliciousbehaviors(Nomatterinring0orring3).
Onceitdetectsasuspiciousbehavior,itwouldcheck'who'isdoingthisbyidentifyingtheprocess.
Iftheprocessisnotinitslegitimate(white)processlist,itcouldblocktheaction.
Trytoimagine,iflegitimateprocesscoulddothingsforus,theHIPSwouldbecomeuseless.
Doinjectiontothosesystem(legitimate)processesNo,theinjectioncouldbeblocked.
WenoticedthatMicrosofthasalreadyprovidedcompletesolutions–theWMIandmanyusefulCOMobjects.
Byleveragingthetechnologies,systemprocesscoulddoeverythingforus,includingconnectingtoInternet,accessfiles/registries,andeveninstallingaMSIfile.
NotonlydefeatingHIPS,theapproachcouldalsodefeatautomationanalyzingsandboxsystem.
Themalware'process'actuallydoesnothingdirectly.
Thesandboxcouldrecordnothingifthesandboxonlytracksmalwareprocess.
WMI/COMShellcodeWritingshellcodetouseWMI,weneedtoincludesomefunctionsinole32.
dll:CoUninitialize(),CoInitializeSecurity(),CoInitializeEx(),CoCreateInstance(),CoSetProxyBlanket().
GetinstanceviaCLSID_WbemLocato(),andconnectROOT\\CIMV2.
GetObjectcanget'Win32_Process',andGetMethodcanhave'Create'.
ThenuseExecMethodtolaunchnotepad.
exe.
4.
ConclusionWehavediscussedcompletesolutionstomakeaweaponoftargetedattackwithmanynewtechniques:Howtofindvulnerabilities:AVMfuzzingtechnique.
Howtodefeatexploitmitigationtechnologies:newJITspraying.
Howtomakeanexploitwithoutmemoryhardwork:attackpolicyflaw.
Howtodefeatdesktopprotectionandanalyzingsystem:WMIandCOM.
MalwareCOMNETCOMREGCOMFILECOMProcessWebelieveattackersareworkinghardonthesetopics.
Wewishsecurityvendorscouldaddresstheseproblemstocomeoutsolutionsaheadofattackers.
Probevictim'senvironmentandcollectinformation.
(embedswfinoffice)UseNewJITtechniqueswithbrowser,PDF,Officevulnerabilities.
UseCOMtechniquetobypassHIPSFutureAPTattackReferenceOfficeisStillYummyMing-chiehPanandSungtingTsai,2010.
http://exploitspace.
blogspot.
com/2011/06/our-presentation-in-syscan-10-singapore.
htmlas3compile.
exehttp://www.
swftools.
org/AdobeVirtualMachine2(AVM2)http://www.
adobe.
com/devnet/actionscript/articles/avm2overview.
pdfINTERPRETEREXPLOITATION:POINTERINFERENCEANDJITSPRAYINGhttp://www.
semantiscope.
com/research/BHDC2010/BHDC-2010-Paper.
pdfWritingJIT-SprayShellcodeforfunandprofithttp://dsecrg.
com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.
pdfEnhancedMitigationExperienceToolkitv2.
1http://www.
microsoft.
com/download/en/details.
aspxid=1677swfretoolhttps://github.
com/sporst/SWFREtoolsMS11-050IEmshtml!
CObjectElement.
UseAfterFreehttp://d0cs4vage.
blogspot.
com/2011/06/insecticides-dont-kill-bugs-patch.
htmlWin32_ProcessClasshttp://msdn.
microsoft.
com/en-us/library/aa394372(v=VS.
85).
aspxBypassingExportaddresstableAddressFilter(EAF)http://skypher.
com/index.
php/2010/11/17/bypassing-eaf/HeapFengShuiinJavaScripthttps://www.
blackhat.
com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.
pdf
RAKsmart怎么样?RAKsmart香港机房新增了付费的DDoS高防保护服务,香港服务器默认接入20Mbps的大陆优化带宽(电信走CN2、联通和移动走BGP)。高防服务器需要在下单页面的IP Addresses Option里面选择购买,分:40Gbps大陆优化高防IP-$461/月、100Gbps国际BGP高防IP-$692/月,有兴趣的可以根据自己的需求来选择!点击进入:RAKsmart官...
VPSDime是2013年成立的国外VPS主机商,以大内存闻名业界,主营基于OpenVZ和KVM虚拟化的Linux套餐,大内存、10Gbps大带宽、大硬盘,有美国西雅图、达拉斯、新泽西、英国、荷兰机房可选。在上个月搞了一款达拉斯Linux系统VPS促销,详情查看:VPSDime夏季促销:美国达拉斯VPS/2G内存/2核/20gSSD/1T流量/$20/年,此次推出一款Windows VPS,依然是...
百纵科技官网:https://www.baizon.cn/百纵科技:美国云服务器活动重磅来袭,洛杉矶C3机房 带金盾高防,会员后台可自助管理防火墙,添加黑白名单 CC策略开启低中高.CPU全系列E52680v3 DDR4内存 三星固态盘列阵。另有高防清洗!美国洛杉矶 CN2 云服务器CPU内存带宽数据盘防御价格1H1G10M10G10G19元/月 购买地址2H1G10M10G10G29元/月 购买...
flashfxp为你推荐
http404未找到为什么网站上传,打开看不到,显示HTTP 404 - 未找到文件苹果appstore宕机苹果appstore打不开怎么办www.topit.mehttp://www.topit.me/ 中自己上传的照片如何删除银花珠树晓来看姗姗而来的 作文易名网诚询,易名网注册的域名怎么转到喜欢的网页上啊?碧海银沙网怎样在碧海银沙网里发布图片?科创板首批名单首批公布的24个历史文化明城是那些如何发帖子如何发表帖子zencart模板zen cart模板怎么进行二次开发修改财务单据会计里各种票据的定义及区分
tk域名注册 什么是二级域名 过期已备案域名 域名交易网 中国万网域名 hostmaster 分销主机 linkcloud mediafire下载工具 gateone 国外免费空间 免费mysql paypal注册教程 吉林铁通 ca187 卡巴斯基免费试用版 香港亚马逊 中国电信网络测速 华为k3 97rb 更多