Chun Feng, Microsoft Corporation. The Butterfly Effect and the "Shellcode Storm" (PowerPoint presentation transcript)
![Page 1: Chun Feng Microsoft Corporation](https://reader035.vdocuments.us/reader035/viewer/2022081420/5681625b550346895dd2ac75/html5/thumbnails/1.jpg)
The Butterfly Effect and the "Shellcode Storm"
Chun Feng, Microsoft Corporation
Butterfly Effect
Tiny change -> Large-scale alterations
Butterfly Effect in Computer Security Systems
• CVE-2010-1297
• CVE-2010-2884
• CVE-2010-3654
• CVE-2011-0609
Clean SWF file -> 1 byte change -> Exploit
Adobe Flash is Pervasive
99% (source: http://www.adobe.com/products/player_census/flashplayer/)
Attacks on Adobe Flash Player
[Bar chart: Number of Reported Adobe Flash Player Related Vulnerabilities, per year 2008-2011 (y-axis 0-70); bar values as extracted: 20, 22, 60, 14 and 42? (the last one is marked with a question mark on the slide)]
How Adobe Flash File Works
Developer: ActionScript 3 source -> Compile -> bytecode (SWF) -> User
User: AVM (ActionScript Virtual Machine), JIT compile:
ByteCode Verifier -> MIR Code Generator -> MD Code Generator -> Native Code (x86, PPC)
Code Example

ActionScript 3:
public function add8(a:int): int {
    return a+8;
}

Adobe Byte Code (stack machine):
pushscope
getlocal_1
pushbyte 8
add
returnvalue

MIR (intermediate machine independent language):
@5  arg 0
@10 ldop 4(@5)
@22 def @10
@37 use @22 [1]
@38 imm 8
@42 add @37 @38

x86 native code:
mov eax, 16(ebp)
mov edx, 4(eax)
mov -84(ebp), edx
mov ecx, -84(ebp)
add ecx, 8
mov -76(ebp), ecx
mov eax, -76(ebp)
CVE-2010-1297 Overview
Time: Early June, 2010
Adobe Flash Player version <= 10.0.45.2
Adobe Reader version <= 9.3.2
Sample contains a 0-day exploit hosted on a webpage (malformed SWF + JavaScript heap spray)
CVE-2010-1297 Demo
CVE-2010-1297 Analysis
1 byte changed in function:
public RadioButton.configUI():void
Clean:     4F D2 02 00   callpropvoid fl.controls:LabelButton.configUI, 0
Malicious: 40 D2 02 00   newfunction TextInput:drawBackground, followed by the leftover 00 byte (formerly the argument count)
Debugging Obstacles
• PAGE_GUARD exception – trouble with OllyDbg; use WinDbg and type the command "sxi gp" (ignore guard-page violations instead of breaking on them, so they are passed through to the application)
• 15 seconds timeout – less intrusive debugging is needed; can't use single step / trace!
• Understand JIT compiled code
CVE-2010-1297 Analysis
1. How is the control transferred to shellcode?
2. The root cause of this vulnerability
Control Transfer Analysis - Method 1 (Quick & Dirty)
1. Remove the JavaScript heap spray code to cause a crash rather than have shellcode executed
2. Locate the instruction causing the crash
Problems:
• May not be 100% accurate
• Doesn't work if the heap spray code is encrypted
Analyze Control Transfer – Method 2 (More Precise)
Assumption: control is transferred via a call instruction
The return address for this call will be pushed onto the stack
463bd28d ff510c  call dword ptr [ecx+0Ch]   ; [4198000c]=0c050c05
463bd290 83c40c  add esp,0Ch
Dump the stack at the 1st instruction of the shellcode (address 0c050c05):
Stack (top of stack first):
463bd290   <- return address (the instruction following the call)
41980000
00000000
0013e364
Analyze Control Transfer – Method 2 (contd.)
At the 1st instruction of the shellcode, the return address is at the top of the stack
Problems – we are unable to stop there:
• The address of the 1st instruction of the shellcode is not predictable
• Single step doesn't work (15 secs timeout)
Analyze Control Transfer – Method 2 (contd.)
or al, 5                  ; pseudo NOP start             ESP = ESP0
// …
or al, 5                  ; pseudo NOP end               ESP = ESP0
or al, 0Ch                ; 1st instruction of shellcode ESP = ESP0
// ... more code (more bytes pushed onto the stack)
call URLDownloadToFileA   ;                              ESP = ESP1
Stack:
ESP0 -> ret. address of call
  ...   (bytes pushed by the shellcode)
ESP1 -> top of stack when the breakpoint hits
delta = ESP0 - ESP1 is calculable! Put a breakpoint at URLDownloadToFileA(), then calculate ESP0 = ESP1 + delta
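The delta the slide calls "calculable" comes from walking the straight-line instruction path from the shellcode's first instruction to the API call and summing the stack effects. The following is an added Python helper, not code from the talk: `stack_delta_to_call` does that bookkeeping over a disassembly listing and `recover_return_address` reads the dword at ESP0 = ESP1 + delta from a stack dump. The shellcode's real bytes are not on the slides, so LISTING is a constructed x86-32 trace in the shape described (pseudo-NOP sled, GetPC, argument pushes, `call URLDownloadToFileA`); ESP1 is constructed too, and the four dwords placed at ESP0 are the ones from the stack dump shown earlier.

```python
"""Stack-delta bookkeeping for recovering the return address of the call that reached the shellcode.

Added example, not code from the talk. LISTING is a constructed x86-32 straight-line trace of the
kind the slides describe; the shellcode's real bytes are not on the slides. The stack dump reuses
the four dwords shown earlier at ESP0 (463bd290, 41980000, 00000000, 0013e364)."""

API = "URLDownloadToFileA"

LISTING = [
    "or al, 5",                  # pseudo-NOP sled: no stack effect
    "or al, 5",
    "or al, 0Ch",                # first instruction of the shellcode proper, ESP == ESP0
    "call $+5",                  # GetPC idiom: pushes the address of the next instruction ...
    "pop ebx",                   # ... which is immediately popped into ebx
    "sub esp, 20h",              # scratch space for the downloaded file's name
    "xor eax, eax",
    "push eax",                  # lpfnCB = NULL
    "push eax",                  # dwReserved = 0
    "lea ecx, [ebx+60h]",
    "push ecx",                  # szFileName (points into the shellcode)
    "lea ecx, [ebx+40h]",
    "push ecx",                  # szURL (points into the shellcode)
    "push eax",                  # pCaller = NULL
    "call URLDownloadToFileA",   # breakpoint here: ESP == ESP1
]

def _imm(tok):
    """Parse an immediate as listings write it: 20h, 0x20 or decimal."""
    tok = tok.strip().lower()
    return int(tok[:-1], 16) if tok.endswith("h") else int(tok, 0)

def stack_delta_to_call(listing, api=API):
    """Bytes by which ESP has dropped between the first instruction and the first instruction
    of `api` (its return address already pushed). Only the instructions a shellcode prologue
    actually uses are modelled: push/pop/pushad/popad, add/sub esp, call and ret."""
    depth = 0
    for ins in listing:
        parts = ins.replace(",", " ").split()
        m = parts[0].lower()
        if m == "push":
            depth += 4
        elif m == "pop":
            depth -= 4
        elif m == "pushad":
            depth += 32
        elif m == "popad":
            depth -= 32
        elif m in ("sub", "add") and parts[1].lower() == "esp":
            depth += _imm(parts[2]) if m == "sub" else -_imm(parts[2])
        elif m == "ret":
            depth -= 4 + (_imm(parts[1]) if len(parts) > 1 else 0)
        elif m == "call":
            depth += 4                      # return address pushed by the call itself
            if parts[1] == api:
                return depth
    raise ValueError(f"no call to {api} in listing")

def recover_return_address(stack, esp1, delta):
    """ESP1 is the stack pointer observed at the breakpoint on `api`; the dword at
    ESP0 = ESP1 + delta is the return address of the call that jumped into the shellcode."""
    esp0 = esp1 + delta
    return esp0, stack[esp0]

# Constructed stack dump (address -> dword). The four dwords at ESP0 are the ones from the slide.
ESP1 = 0x0013E2B0
DELTA = stack_delta_to_call(LISTING)
ESP0 = ESP1 + DELTA
STACK = {ESP0: 0x463BD290, ESP0 + 4: 0x41980000, ESP0 + 8: 0x00000000, ESP0 + 12: 0x0013E364}

if __name__ == "__main__":
    esp0, ret = recover_return_address(STACK, ESP1, DELTA)
    print(f"delta=0x{DELTA:x} ESP0=0x{esp0:08x} return address=0x{ret:08x}")
```

The listing must be the path actually executed, not the static layout: a GetPC `call`/`pop` pair nets to zero only because the pop is in the trace, and a subroutine that returns with `ret n` is accounted for by its own `ret` line.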
Control Transfer Analysis Demo
Control Transfer Found!
463bd270 mov ecx,dword ptr [ebx+34h]    ; [431492b4]=4313e080
463bd276 mov edx,dword ptr [ecx+8]      ; [4313e088]=42fb208a
463bd27b mov ecx,dword ptr [edx+284h]   ; [42fb230e]=41980000
463bd28d call dword ptr [ecx+0Ch]       ; [4198000c]=0c050c05
CVE-2010-1297 Analysis
1. How is the control transferred to shellcode?
2. The root cause of this vulnerability
What’s Really Wrong?
• No documentation for the JIT compiler
• No PDB symbol file available
463bd270 mov ecx,dword ptr [ebx+34h]    ; [431492b4]=4313e080
463bd276 mov edx,dword ptr [ecx+8]      ; [4313e088]=42fb208a
463bd27b mov ecx,dword ptr [edx+284h]   ; [42fb230e]=41980000
463bd28d call dword ptr [ecx+0Ch]       ; [4198000c]=0c050c05
Useful Trick
Revealed by http://jpauclair.net
Windows: C:\Documents and Settings\<username>\mm.cfg
AS3Verbose = 1
Details of JIT runtime trace:
C:\Documents and Settings\<username>\Application Data\Macromedia\Flash Player\Logs\flashlog.txt
Example of the Useful Trick
26:callpropvoid fl.controls:BaseButton::drawBackground 0
    @63 ldop 16(@62)
    @64 ldop 812(@63)
    ……
@63 ldop 16(@62)    060BD6E4 mov eax, 16(ebx)    active: eax(63-64) ebx(62-69) edi(2-142)
@64 ldop 812(@63)   060BD6E7 mov ecx, 812(eax)   active: ecx(64-70) ebx(62-69) edi(2-142)
Internals of JIT Compiled Code
Each JIT compiled function has three parameters:
func(MethodEnv*, int argc, uint32 *ap)
For example:
RadioButton.configUI ():void
• argc = 0
• ap[0] = RadioButton instance (“this” pointer)
Using the Useful Trick
protected function drawBackground():void {
    var bg:DisplayObject = background;
    var styleName:String = (enabled) ? "upSkin" : "disabledSkin";
    …
}
463bd270 mov ecx,dword ptr [ebx+34h]    ; [431492b4]=4313e080
463bd276 mov edx,dword ptr [ecx+8]      ; [4313e088]=42fb208a
463bd27b mov ecx,dword ptr [edx+284h]   ; [42fb230e]=41980000
463bd28d call dword ptr [ecx+0Ch]       ; [4198000c]=0c050c05
Using the Useful Trick (contd.)
The control transfer is in the JIT compiled code for TextInput.drawBackground()
TextInput.drawBackground(MethodEnv*, int argc, uint32 *ap)
463bd1bc push ebp
463bd1bd mov ebp,esp
463bd1bf sub esp,50h
463bd1c5 mov eax,dword ptr [ebp+10h]   ; [0013e290]=43169301  (ap, the 3rd parameter)
463bd1c8 mov eax,dword ptr [eax]       ; [43169301] = ??? (unaligned pointer)
Tracking Back
In TextInput.as, TextInput.draw() calls TextInput.drawBackground()
In the JIT compiled code for TextInput.draw(), after the 1 byte change (=> newfunction TextInput.drawBackground):
463bcbdb 83c801  or eax,1                    ; make it unaligned!
…
         call TextInput.drawBackground()     ; Overloaded!
Atom Internal Representation
Lowest 3 bits used for type:
Untagged   000 (0)
Object     001 (1)
String     010 (2)
NameSpace  011 (3)
Undefined  100 (4)
Boolean    101 (5)
Integer    110 (6)
Double     111 (7)
Example: 0x43169301 -> Type: Object; Actual value: 0x43169300
The Whole Picture of the Butterfly Effect
1. RadioButton.configUI(): 1 byte changed
2. TextInput.drawBackground(): function object created
3. TextInput.draw() emits the wrong code / parameter when calling TextInput.drawBackground() (which has been "overloaded")
4. TextInput.drawBackground() doesn't handle it correctly when the "enabled" property is referenced
5. Invalid memory accessed, shellcode executed
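The tag table and the unaligned 0x43169301 read can be modelled in a few lines. This is an added Python model, not code from the talk or from the AVM: atom decoding follows the 3-bit tag table on the slide, `tag_object` is the effect of the caller's `or eax,1` (raw ScriptObject address becomes an Object atom), and the two callee variants contrast the JIT prologue's unchecked `mov eax,[eax]`, which cannot notice the 1 in the low bit, with an untag that checks the tag first. 0x43169301 is the value from the slide; the memory contents and field values are constructed.

```python
"""Model of AVM2 atom tagging and of the unaligned read in TextInput.drawBackground().

Added example, not code from the talk or from the AVM. The tag table is the one on the
slide (low 3 bits of a 32-bit atom); `tag_object` is the effect of the caller's `or eax,1`;
the two callee variants contrast the JIT prologue's unchecked `mov eax,[eax]` with an
untag that validates the tag first. 0x43169301 is the value from the slide; the memory
contents and field values below are constructed."""
import struct

ATOM_KINDS = {0: "Untagged", 1: "Object", 2: "String", 3: "NameSpace",
              4: "Undefined", 5: "Boolean", 6: "Integer", 7: "Double"}

def atom_kind(atom):
    return ATOM_KINDS[atom & 7]

def atom_payload(atom):
    """Strip the tag. Integer atoms hold a signed value above the 3 tag bits (32-bit AVM),
    Boolean a 0/1, Undefined nothing; every other kind holds an 8-byte-aligned pointer."""
    kind = atom & 7
    if kind == 6:
        signed = atom - (1 << 32) if atom & 0x80000000 else atom
        return signed >> 3
    if kind == 5:
        return bool(atom >> 3)
    if kind == 4:
        return None
    return atom & ~7

def tag_object(ptr):
    """Turn a raw ScriptObject address into an Object atom (what `or eax,1` does)."""
    if ptr & 7:
        raise ValueError("object pointers must be 8-byte aligned before tagging")
    return ptr | 1

class Memory:
    """Little-endian byte window standing in for the process heap."""
    def __init__(self, base, data):
        self.base, self.data = base, bytes(data)

    def read_u32(self, addr):
        off = addr - self.base
        if not 0 <= off <= len(self.data) - 4:
            raise IndexError(f"access violation reading 0x{addr:08x}")
        return struct.unpack_from("<I", self.data, off)[0]

def callee_load_this_unchecked(mem, ap):
    """The slide's prologue: `mov eax,[ebp+10h]; mov eax,[eax]` trusts `ap` as a raw pointer.
    Handed the tagged atom instead, it reads from an odd address and gets bytes straddling two fields."""
    return mem.read_u32(ap)

def callee_load_this_checked(mem, atom):
    """Hardened form: accept only an Object atom, then dereference the untagged pointer."""
    if atom & 7 != 1:
        raise TypeError(f"expected Object atom, got {atom_kind(atom)} 0x{atom:08x}")
    return mem.read_u32(atom & ~7)

# Constructed object at 0x43169300: two 32-bit fields (the first standing in for a vtable pointer).
OBJ_BASE = 0x43169300
MEM = Memory(OBJ_BASE, struct.pack("<II", 0x0BADF00D, 0xCAFEBABE))

if __name__ == "__main__":
    atom = tag_object(OBJ_BASE)                                  # 0x43169301
    print(atom_kind(atom), hex(atom_payload(atom)))              # Object 0x43169300
    print(hex(callee_load_this_unchecked(MEM, OBJ_BASE)))        # aligned read: 0xbadf00d
    print(hex(callee_load_this_unchecked(MEM, atom)))            # misaligned read: 0xbe0badf0
    print(hex(callee_load_this_checked(MEM, atom)))              # untag first: 0xbadf00d
```

The misaligned read does not fault here (x86 tolerates odd addresses), which is exactly why the corruption surfaces only later, when the garbage value is itself used as a pointer in the `[ebx+34h] -> [ecx+8] -> [edx+284h] -> call [ecx+0Ch]` chain.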
CVE-2010-1297 Analysis
1. How is the control transferred to shellcode?
2. The root cause of this vulnerability
CVE-2010-3654 Case Study
Time: Early Nov 2010
Adobe Flash Player version <= 10.1.85.3
Adobe Reader version <=9.4
Sample containing 0-day exploit distributed as a PDF file with a malformed SWF embedded
CVE-2010-3654 Case Study
Clean (07 02 16):
0x07 // [17] CONSTANT_QName
0x02 // NsIndex = 2 (0x02)
0x16 // NameIndex = 22 (0x16) -> "RadioButtonGroup"
Malicious (07 02 07):
0x07 // [17] CONSTANT_QName
0x02 // NsIndex = 2 (0x02)
0x07 // NameIndex = 7 (0x07) -> "Button"
1 byte change in the Multiname constant pool (07 02 16 -> 07 02 07): "fl.controls.RadioButtonGroup" -> "fl.controls.Button"
The Whole Picture of the Butterfly Effect
MultiName constant pool: NameIndex changed
fl.controls.RadioButtonGroup -> fl.controls.Button
RadioButtonGroup.set_groupName -> Button.set_groupName
Invalid memory accessed, shellcode executed
CVE-2011-0609 Case Study
Time: March 2011
Adobe Flash Player version <= 10.2.152.33
Adobe Reader version <= 10.0.1
Sample containing 0-day exploit distributed as an Excel file with one SWF file embedded
CVE-2011-0609 Case Study (contd.)
Clean:
4CC4  10 07 00 00   jump loc_4CCF
…
4CCF  80 2C         coerce com.greensock.core.SimpleTimeline
Malicious:
3EA1  10 29 00 00   jump loc_3ECE
…
3ECE  66 D6 02      getproperty <namespace_set>.paused
Jump destination is changed!
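All three case studies are one-byte changes to ABC (ActionScript Byte Code) that re-route what an already-present operand resolves to. The decoder below is an added Python example, not code from the talk: it applies the public ABC encoding rules to the exact bytes quoted on the slides, namely the u30 varint operands of `callpropvoid` and `newfunction`, the 3-byte signed offset of `jump` (measured from the end of the instruction), and the QName constant-pool entry (kind 0x07, namespace index, name index). Since `callpropvoid` indexes the multiname pool while `newfunction` indexes method_info, the unchanged operand bytes D2 02 (index 338) select a method instead of a property once the opcode byte is flipped. Only the opcodes and multiname kinds the slides need are tabled, and the string pool is constructed with just the two names the slide mentions.

```python
"""Mini ABC (ActionScript Byte Code) decoder for the one-byte changes in the three case studies.

Added example, not code from the talk. It implements the public ABC encoding rules: u30
operands are LEB128-style varints (7 data bits per byte, 0x80 continues), `jump` takes a
3-byte little-endian signed offset measured from the end of the instruction, and a QName
constant-pool entry is kind 0x07 followed by a namespace index and a name index. Only the
opcodes and multiname kinds needed for the bytes on the slides are tabled; STRINGS is a
constructed string pool holding just the two names the slide mentions."""

def read_u30(buf, pos):
    """Decode a u30 at buf[pos]; returns (value, next_pos)."""
    value = 0
    for i in range(5):
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << (7 * i)
        if not b & 0x80:
            break
    return value & 0x3FFFFFFF, pos

def read_s24(buf, pos):
    return int.from_bytes(buf[pos:pos + 3], "little", signed=True), pos + 3

# opcode -> (mnemonic, operand kinds). "multiname", "method" and "argc" are all u30 on the
# wire; the names only record which pool the index is resolved against.
OPCODES = {
    0x10: ("jump", ("s24",)),
    0x24: ("pushbyte", ("u8",)),
    0x30: ("pushscope", ()),
    0x40: ("newfunction", ("method",)),              # index into method_info
    0x48: ("returnvalue", ()),
    0x4F: ("callpropvoid", ("multiname", "argc")),   # index into the multiname pool
    0x66: ("getproperty", ("multiname",)),
    0x80: ("coerce", ("multiname",)),
    0xA0: ("add", ()),
    0xD1: ("getlocal_1", ()),
}

def decode(code, base=0):
    """Disassemble into (address, mnemonic, operands); branch operands are absolute targets.
    A byte with no table entry is emitted as ("db", (byte,)) so any re-synchronisation is visible."""
    out, pos = [], 0
    while pos < len(code):
        addr = base + pos
        op = code[pos]
        pos += 1
        if op not in OPCODES:
            out.append((addr, "db", (op,)))
            continue
        name, kinds = OPCODES[op]
        operands = []
        for kind in kinds:
            if kind == "s24":
                off, pos = read_s24(code, pos)
                operands.append(base + pos + off)    # relative to the end of the jump
            elif kind == "u8":
                operands.append(code[pos])
                pos += 1
            else:
                v, pos = read_u30(code, pos)
                operands.append(v)
        out.append((addr, name, tuple(operands)))
    return out

def decode_multiname(buf, pos=0):
    """Decode one multiname constant; returns (dict, next_pos)."""
    kind = buf[pos]
    pos += 1
    if kind in (0x07, 0x0D):                          # QName / QNameA: ns, name
        ns, pos = read_u30(buf, pos)
        name, pos = read_u30(buf, pos)
        return {"kind": "QName" if kind == 0x07 else "QNameA", "ns": ns, "name": name}, pos
    if kind in (0x09, 0x0E):                          # Multiname / MultinameA: name, ns_set
        name, pos = read_u30(buf, pos)
        ns_set, pos = read_u30(buf, pos)
        return {"kind": "Multiname" if kind == 0x09 else "MultinameA", "name": name, "ns_set": ns_set}, pos
    raise ValueError(f"multiname kind 0x{kind:02x} not handled here")

STRINGS = {7: "Button", 22: "RadioButtonGroup"}   # constructed; the two indices named on the slide

def resolve_name(entry):
    return STRINGS.get(entry["name"], f"string#{entry['name']}")

def single_byte_diff(clean, malicious):
    """Offsets at which two equally long byte strings differ."""
    return [i for i, (a, b) in enumerate(zip(clean, malicious)) if a != b]

if __name__ == "__main__":
    for label, hexbytes, base in [("clean", "4FD20200", 0), ("malicious", "40D20200", 0),
                                  ("clean", "10070000", 0x4CC4), ("malicious", "10290000", 0x3EA1)]:
        print(label, [(hex(a), m, o) for a, m, o in decode(bytes.fromhex(hexbytes), base)])
    for hexbytes in ("070216", "070207"):
        entry, _ = decode_multiname(bytes.fromhex(hexbytes))
        print(hexbytes, entry, resolve_name(entry))
```

Run against a clean/malicious pair, `single_byte_diff` locates the flipped byte and `decode` or `decode_multiname` shows what it now means; the trailing `00` in the CVE-2010-1297 case comes out as a stray `db` because `newfunction` consumes one operand fewer than `callpropvoid`.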
Shellcode Storm Example 1 – CVE-2010-1297
Shellcode payload:
• Downloads an encrypted PE file
• Decrypts it (xor 0x95, skipping bytes 0x00 and 0x95)
Decrypted PE file (Win32/Poison):
• Keylogger
• Backdoor, whose messages are framed as: offset 0: Length (4 bytes); offset 4: Shellcode
Shellcode Backdoor versus C&C Backdoor
Receives shellcode rather than a command
Pros:
• Thin client – just executes whatever it receives
• Easy to implement a new command
• Payload code is never written to disk
Cons:
• Coding complexity – coding in shellcode
• Platform dependent
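The decryption and framing details on these two slides are enough to write the analyst's side of them. This is an added Python example, not the malware's code or the talk's: `xor95` applies the skip-0x00/0x95 XOR from the slide and `parse_frames` splits a captured stream into the length-prefixed shellcode blobs the backdoor executes. The little-endian 32-bit length is an assumption (the slide gives only the offsets 0 and 4), and all sample bytes are constructed.

```python
"""Analyst-side helpers for the Win32/Poison stage: the skip-0x00/0x95 XOR and the
length-prefixed shellcode frames its backdoor exchanges.

Added example, not code from the talk or from the malware. The slide gives the XOR key, the
two skipped values and a frame layout of "Length at offset 0, Shellcode at offset 4"; a
little-endian 32-bit length is assumed here, and all sample bytes are constructed."""
import struct

KEY = 0x95

def xor95(data, key=KEY):
    """XOR every byte with `key` except bytes equal to 0x00 or to `key`. Because
    0x00 ^ key == key and key ^ key == 0x00, skipping those two values keeps the output
    free of them as well (nulls stay nulls) and makes the transform its own inverse."""
    return bytes(b if b in (0x00, key) else b ^ key for b in data)

def build_frame(shellcode):
    """Frame a blob the way the backdoor expects it: u32 length, then the code (assumed LE)."""
    return struct.pack("<I", len(shellcode)) + shellcode

def parse_frames(stream):
    """Split a captured stream into shellcode blobs. Refuses zero-length and truncated
    frames instead of handing a partial blob to whatever would execute it."""
    frames, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from("<I", stream, pos)
        pos += 4
        if length == 0 or length > len(stream) - pos:
            raise ValueError(f"bad frame length {length} with {len(stream) - pos} bytes left")
        frames.append(stream[pos:pos + length])
        pos += length
    return frames

# Constructed: the first bytes of a PE header, with the zero padding a real MZ header has.
SAMPLE_PE_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\x95"

if __name__ == "__main__":
    enc = xor95(SAMPLE_PE_PREFIX)
    print(enc.hex())                       # 'M','Z' become d8 cf; the 00 and 95 bytes survive
    print(xor95(enc) == SAMPLE_PE_PREFIX)  # True: the same routine decrypts
    stream = build_frame(b"\x90\x90\xcc") + build_frame(b"\xc3")
    print(parse_frames(stream))
```

The surviving nulls are what make this scheme recognisable in a downloaded blob: the zero padding of the MZ/PE headers is intact while the magic bytes are not, so a quick "MZ" check fails but the header's shape is still visible.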
Shellcode Storm Example 2 – CVE-2010-3654
Shellcode matryoshka:
1. Shellcode decrypts a PE file from the PDF stream
2. Shellcode (in the decrypted PE file) decrypts a DLL from a resource
3. Shellcode (in the decrypted DLL) decrypts and loads a PE file (Win32/Hupigon, aka Win32/Pigeon)
Conclusion
• Threats have been targeting Adobe Flash Player because it is popular and platform-independent
• A 1 byte change in a SWF may have significant consequences. Attackers have been using dumb fuzzing to find vulnerabilities
• Attacks on Adobe Flash Player are likely to remain prevalent in the future
Q & A