bruce dang secure windows initiative (swi) microsoft · introduction office binary file format (
Post on 28-Sep-2020
2 Views
Preview:
TRANSCRIPT
BruceDangSecureWindowsInitiative(SWI)Microsoft
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 1
Introduction Officebinaryfileformat(<=2003) Bugs Defensivemechanisms Exploitstructures Analysistechniques Detectionmechanisms Thesurprise… Patchprocess(end‐to‐end)9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 2
Targetedattacks Verypopularinthelastcoupleyears Bypassesperimetersecuritydevices/software Difficulttodetect Notechnicalinformationinthepublic
Therearethingsyoucandotomitigateandstopmostoftheattacks.
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 3
StructuredStorage/OLESS Filesysteminsideabinaryfile Dividedataintostorageandstreams(storage=directory,stream=file)
12‐pagespecification Application‐specificdatastoredinsidestorage/streams.
Canbefrustratingtoparsemanually
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 4
StgOpenStorage()onthefile.YougetbackanIStorageobject.
IStorage‐>EnumElements()enumeratesallofthestoragesandstreams.
IStorage‐>OpenStream()opensupwhateverstreamyouwant.ReturnsanIStreamobject.
IStream‐>Stat()tellsyouthestreamsize. IStream‐>Read()readsnbytesfromthestream.
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 5
HRESULT hr;IStorage *is;IStream *stream;IEnumSTATSTG *penum;STATSTG statstg;StgOpenStorage(L“foo.ppt", NULL, STGM_DIRECT |
STGM_READ | STGM_SHARE_EXCLUSIVE, NULL, 0, &is);is->EnumElements(NULL, NULL, NULL, &penum);hr = penum->Next(1, &statstg, 0);while( hr == S_OK) {
wprintf(L"name = %s\tsize = 0x%08x\n”,statstg.pwcsName, statstg.cbSize);
...is->OpenStream(statstg.pwcsName, NULL, STGM_READ |
STGM_SHARE_EXCLUSIVE, 0, &stream);stream->Read(data, statstg.cbSize, NULL);... parse data ...
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 6
Abitsimpler.Goodforexperiments.from pythoncom import *ostore = StgOpenStorage(sys.argv[1], None, 0x10, None, 0)estat = ostore.EnumElements()str = estat.Next()while str != ():
if str[0][0] == "PowerPoint Document":len = str[0][2]
str = estat.Next()ostream = ostore.OpenStream("PowerPoint Document", None,
0x10, 0)data = ostream.Read(len)...parse data...
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 7
Storesdatainthe“PowerPointDocument”stream.OpenStream(L“PowerPoint Document”, ...)
TwotypesofPowerPointdatastructures Container–a“directory”▪ Containsothercontaineroratoms.
Atom–a“file” RecordsfollowTLVstyle MSOobjectsfollowthesameformat
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 8
1structtorulethemalltypedef struct{ uint2 recVer:4; uint2 recInstance:12; uint2 recType; uint4 recLen;} PPTRHDR_t;
IfrecVer=0xF,thentherecordisacontainer;else,itisanatom
recTypereferstotherecordtype.Thereare~100oftheseinPowerPoint.Youcanlookthemupthefileformatspecification.
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 9
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 10
typedef struct{ uint2 recVer:4; uint2 recInstance:12; uint2 recType; uint4 recLen;} PPTRHDR_t;
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 11
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 12
*Datafromthestream*
Documentcontainer
Documentatom
Slidecontainer
Slidecontainer
UserEditAtomatom(usuallylast)
1slidecontainerperslide
Environmentcontainer
Dataisstoredinsidethe“Workbook”stream Nocontainers/atoms.JustplainBIFFrecords. BIFFrecordsalsofollowTLVformat Recorddatahasanupperboundof~2000‐8000bytes(BIFFversiondependent).Iflonger,useaCONTINUErecord
Datainsidethe“Workbook”streamisorganizedlike:BOF<data>EOFBOF<data>EOFBOF<data>EOF…
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 13
Nothingoutoftheordinary:integerover/underflow,off‐by‐one,doublefree,uninitializedvariables,badpointerreuse,stack/heapoverflow,…
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 14
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 15
UseMOICE Free ItrequiresOffice2003 ItonlyworksonOLEstructuredstoragefiles ItusestheOffice2007compatibilitypack ItconvertsyourbinaryfileformattothenewXMLformatandopensitup
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 16
Office2003SP3 Free Resultofamajorsecurity/SDLpush IfyouhadOffice2003SP3,thenyouwouldnotbeaffectedbyanyoftheOfficezero‐daysacknowledgedinthepublicsince.
IfyouhaveOffice2003,installSP3
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 17
Office2003SP3andMOICEactuallyeliminates/mitigatesmostoftheOfficevulns.
Alwayshavethelatestpatches.
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 18
UseOffice2007
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 19
Notoutoftheordinary Basicstructure
Shellcode Malware Cleandocument
Techniques
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 20
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 21
Everythingisincludedinthedocument Therecanbevariations
Multipleshellcodestages Multipletrojans Obfuscationoftrojans/doc
Techniques StandardGetEIP/PIC Customencoders PEBretrieval Filehandlebruteforce Applicationrelaunch
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 22
Whyfilehandlebruteforce? Exploitmustfinditselfinmemory(thisisnotthesameasGetEIP)
Exploitcannotsimplyscantheentireprocessaddressspacelookingforitself(speed)
Veryeasy/shortimplementationinassembly.It’sliterally:int fh;for (fh=0; fh < 65536; fh += 4){
if (GetFileSize(fh, NULL) == mysize) return fh;}
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 23
Whatitdoes(therecanbevariations) Shellcodedecodesitselfandruns Buildsupalistoffunctionpointers Findsitselfinmemory(filehandle) Readdatafromspecificlocationsinthefile Extractthetrojanandthecleandocument Runthetrojanandrelaunchtheapptoopenthenewfile
Exitthecurrentprocess SetFilePointer,ReadFile,WriteFile,CloseFile,WinExec,ExitProcess.
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 24
Tools Hexeditor Disassembler Optional:Debugger(WinDBGissufficient)
Objectives Identifytheshellcode Understandit Extractthemaliciouscomponents [Identifytheexactvuln]
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 25
Howmanydoyourecognize? EB 10 5B 4B 33 C9 66 B9 96 03 8034 0B FD E2 FA EB 05 E8 EB FF FFFF
64 A1 30 00 00 00 64 8B 1D 30 00 00 00 D9 74 24 F4
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 26
DebugDOC/XLS/PPT? Staticmethod
Decodetheshellcodeandreadit Dynamicmethod
Abitmoreinteresting
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 27
Method1 Identifytheshellcode,patchthefirstfewbytesto0xCC
StartupOffice,attachWinDBGtoitand‘g’ Openupthedocument Ifyoudiditright,youshouldhittheint 3 andthensinglestepasneeded.Ifnotthenyouprobablygotinfected.
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 28
Method2 Pickananyexecutable Copytheshellcodeandputitinthebinaryandseteipthere.
Singlestepjustlikeanyanexecutable.
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 29
Method3 Savethefile,i.e.,“c:\temp\sc.bin” Openupnotepad.exe,calc.exe,whatever. AttachWinDBGtoit. .dvalloc<sizeofsc.bin> .readmemc:\temp\sc.binaddr<sizeofsc.bin> Realshellcodeaddress=<addr+scoffset> reip=<addr+scoffset>;t(not‘g’)
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 30
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 31
Method4(bestone) Savethefileas“c:\temp\sc.bin” Openthefileinaneditor(notepad,vim,…);anythingthatopensthefile.
AttachWinDBGtoit. .dvalloc<sizeofsc.bin> .readmemc:\temp\sc.binaddr<sizeofsc.bin> Realshellcodeaddress=<addr+scoffset> reip=<addr+scoffset>;t(not‘g’)
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 32
YouneedtobeabletofingerprintanOLEstructurestoragefile D0 CF 11 E0 A1 B1 1A E1
Getthestreamnametodeterminethefiletype(DOC,PPT,XLS)
Readthestreamcontentandparseitasweshowedearlier
Determinewhatrecordsareaffectedanddetectthem
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 33
WereleasedthefileformatspecificationsforDOC,XLS,PPT,andMSO http://www.microsoft.com/interop/docs/OfficeBinaryFormats.mspx
Giventheinformationhereandthosespecifications,youcanactuallywritecodetoparseandcheckthevalidityoftherecords.
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 34
TowritegoodIDS/AVsignatures,youusuallyhavetounderstandthevulnerabilities. Reverseengineerthepatches Wewillgiveyouthevulnerabilitydetails
MAPP(MicrosoftActiveProtectionProgram)
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 35
Informationavailableat5pmPSTMonday Whatisincluded?
Atechnicaldescriptionofthevulnerability Areprofile/packettrace Crashdump/stacktrace/disassembly Detectionlogic
Howtogetthedata?
9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 36
Myteam’sblog(SWIblog):http://blogs.technet.com/swi Wetalkaboutvulnerabilitydetailsthere Itiswrittenbypeoplewhotriagethevulnerability
Gotabugtoreport?secure@microsoft.com GotinterestingOfficesamplesandwantsomehelpintriagingthem?Sendthemtous.
Myemail:bda@microsoft.com 0x3f…9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 37
top related