bruce dang secure windows initiative (swi) microsoft · introduction office binary file format (

BruceDangSecureWindowsInitiative(SWI)Microsoft

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 1

Introduction Officebinaryfileformat(<=2003) Bugs Defensivemechanisms Exploitstructures Analysistechniques Detectionmechanisms Thesurprise… Patchprocess(end‐to‐end)9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 2

Targetedattacks Verypopularinthelastcoupleyears Bypassesperimetersecuritydevices/software Difficulttodetect Notechnicalinformationinthepublic

Therearethingsyoucandotomitigateandstopmostoftheattacks.

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 3

StructuredStorage/OLESS Filesysteminsideabinaryfile Dividedataintostorageandstreams(storage=directory,stream=file)

12‐pagespecification Application‐specificdatastoredinsidestorage/streams.

Canbefrustratingtoparsemanually

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 4

StgOpenStorage()onthefile.YougetbackanIStorageobject.

IStorage‐>EnumElements()enumeratesallofthestoragesandstreams.

IStorage‐>OpenStream()opensupwhateverstreamyouwant.ReturnsanIStreamobject.

IStream‐>Stat()tellsyouthestreamsize. IStream‐>Read()readsnbytesfromthestream.

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 5

HRESULT hr;IStorage *is;IStream *stream;IEnumSTATSTG *penum;STATSTG statstg;StgOpenStorage(L“foo.ppt", NULL, STGM_DIRECT |

STGM_READ | STGM_SHARE_EXCLUSIVE, NULL, 0, &is);is->EnumElements(NULL, NULL, NULL, &penum);hr = penum->Next(1, &statstg, 0);while( hr == S_OK) {

wprintf(L"name = %s\tsize = 0x%08x\n”,statstg.pwcsName, statstg.cbSize);

...is->OpenStream(statstg.pwcsName, NULL, STGM_READ |

STGM_SHARE_EXCLUSIVE, 0, &stream);stream->Read(data, statstg.cbSize, NULL);... parse data ...

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 6

Abitsimpler.Goodforexperiments.from pythoncom import *ostore = StgOpenStorage(sys.argv[1], None, 0x10, None, 0)estat = ostore.EnumElements()str = estat.Next()while str != ():

if str[0][0] == "PowerPoint Document":len = str[0][2]

str = estat.Next()ostream = ostore.OpenStream("PowerPoint Document", None,

0x10, 0)data = ostream.Read(len)...parse data...

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 7

Storesdatainthe“PowerPointDocument”stream.OpenStream(L“PowerPoint Document”, ...)

TwotypesofPowerPointdatastructures Container–a“directory”▪ Containsothercontaineroratoms.

Atom–a“file” RecordsfollowTLVstyle MSOobjectsfollowthesameformat

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 8

1structtorulethemalltypedef struct{ uint2 recVer:4; uint2 recInstance:12; uint2 recType; uint4 recLen;} PPTRHDR_t;

IfrecVer=0xF,thentherecordisacontainer;else,itisanatom

recTypereferstotherecordtype.Thereare~100oftheseinPowerPoint.Youcanlookthemupthefileformatspecification.

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 9

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 10

typedef struct{ uint2 recVer:4; uint2 recInstance:12; uint2 recType; uint4 recLen;} PPTRHDR_t;

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 11

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 12

*Datafromthestream*

Documentcontainer

Documentatom

Slidecontainer

Slidecontainer

UserEditAtomatom(usuallylast)

1slidecontainerperslide

Environmentcontainer

Dataisstoredinsidethe“Workbook”stream Nocontainers/atoms.JustplainBIFFrecords. BIFFrecordsalsofollowTLVformat Recorddatahasanupperboundof~2000‐8000bytes(BIFFversiondependent).Iflonger,useaCONTINUErecord

Datainsidethe“Workbook”streamisorganizedlike:BOF<data>EOFBOF<data>EOFBOF<data>EOF…

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 13

Nothingoutoftheordinary:integerover/underflow,off‐by‐one,doublefree,uninitializedvariables,badpointerreuse,stack/heapoverflow,…

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 14

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 15

UseMOICE Free ItrequiresOffice2003 ItonlyworksonOLEstructuredstoragefiles ItusestheOffice2007compatibilitypack ItconvertsyourbinaryfileformattothenewXMLformatandopensitup

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 16

Office2003SP3 Free Resultofamajorsecurity/SDLpush IfyouhadOffice2003SP3,thenyouwouldnotbeaffectedbyanyoftheOfficezero‐daysacknowledgedinthepublicsince.

IfyouhaveOffice2003,installSP3

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 17

Office2003SP3andMOICEactuallyeliminates/mitigatesmostoftheOfficevulns.

Alwayshavethelatestpatches.

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 18

UseOffice2007

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 19

Notoutoftheordinary Basicstructure

Shellcode Malware Cleandocument

Techniques

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 20

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 21

Everythingisincludedinthedocument Therecanbevariations

Multipleshellcodestages Multipletrojans Obfuscationoftrojans/doc

Techniques StandardGetEIP/PIC Customencoders PEBretrieval Filehandlebruteforce Applicationrelaunch

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 22

Whyfilehandlebruteforce? Exploitmustfinditselfinmemory(thisisnotthesameasGetEIP)

Exploitcannotsimplyscantheentireprocessaddressspacelookingforitself(speed)

Veryeasy/shortimplementationinassembly.It’sliterally:int fh;for (fh=0; fh < 65536; fh += 4){

if (GetFileSize(fh, NULL) == mysize) return fh;}

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 23

Whatitdoes(therecanbevariations) Shellcodedecodesitselfandruns Buildsupalistoffunctionpointers Findsitselfinmemory(filehandle) Readdatafromspecificlocationsinthefile Extractthetrojanandthecleandocument Runthetrojanandrelaunchtheapptoopenthenewfile

Exitthecurrentprocess SetFilePointer,ReadFile,WriteFile,CloseFile,WinExec,ExitProcess.

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 24

Tools Hexeditor Disassembler Optional:Debugger(WinDBGissufficient)

Objectives Identifytheshellcode Understandit Extractthemaliciouscomponents [Identifytheexactvuln]

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 25

Howmanydoyourecognize? EB 10 5B 4B 33 C9 66 B9 96 03 8034 0B FD E2 FA EB 05 E8 EB FF FFFF

64 A1 30 00 00 00 64 8B 1D 30 00 00 00 D9 74 24 F4

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 26

DebugDOC/XLS/PPT? Staticmethod

Decodetheshellcodeandreadit Dynamicmethod

Abitmoreinteresting

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 27

Method1 Identifytheshellcode,patchthefirstfewbytesto0xCC

StartupOffice,attachWinDBGtoitand‘g’ Openupthedocument Ifyoudiditright,youshouldhittheint 3 andthensinglestepasneeded.Ifnotthenyouprobablygotinfected.

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 28

Method2 Pickananyexecutable Copytheshellcodeandputitinthebinaryandseteipthere.

Singlestepjustlikeanyanexecutable.

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 29

Method3 Savethefile,i.e.,“c:\temp\sc.bin” Openupnotepad.exe,calc.exe,whatever. AttachWinDBGtoit. .dvalloc<sizeofsc.bin> .readmemc:\temp\sc.binaddr<sizeofsc.bin> Realshellcodeaddress=<addr+scoffset> reip=<addr+scoffset>;t(not‘g’)

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 30

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 31

Method4(bestone) Savethefileas“c:\temp\sc.bin” Openthefileinaneditor(notepad,vim,…);anythingthatopensthefile.

AttachWinDBGtoit. .dvalloc<sizeofsc.bin> .readmemc:\temp\sc.binaddr<sizeofsc.bin> Realshellcodeaddress=<addr+scoffset> reip=<addr+scoffset>;t(not‘g’)

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 32

YouneedtobeabletofingerprintanOLEstructurestoragefile D0 CF 11 E0 A1 B1 1A E1

Getthestreamnametodeterminethefiletype(DOC,PPT,XLS)

Readthestreamcontentandparseitasweshowedearlier

Determinewhatrecordsareaffectedanddetectthem

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 33

WereleasedthefileformatspecificationsforDOC,XLS,PPT,andMSO http://www.microsoft.com/interop/docs/OfficeBinaryFormats.mspx

Giventheinformationhereandthosespecifications,youcanactuallywritecodetoparseandcheckthevalidityoftherecords.

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 34

TowritegoodIDS/AVsignatures,youusuallyhavetounderstandthevulnerabilities. Reverseengineerthepatches Wewillgiveyouthevulnerabilitydetails

MAPP(MicrosoftActiveProtectionProgram)

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 35

Informationavailableat5pmPSTMonday Whatisincluded?

Atechnicaldescriptionofthevulnerability Areprofile/packettrace Crashdump/stacktrace/disassembly Detectionlogic

Howtogetthedata?

9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 36

Myteam’sblog(SWIblog):http://blogs.technet.com/swi Wetalkaboutvulnerabilitydetailsthere Itiswrittenbypeoplewhotriagethevulnerability

Gotabugtoreport?secure@microsoft.com GotinterestingOfficesamplesandwantsomehelpintriagingthem?Sendthemtous.

Myemail:bda@microsoft.com 0x3f…9/23/08 BruceDang|BDA@microsoft.com|SecureWindowsInitiative|Microsoft 37