ZERT Binary Patching Gil Dabah. ZERT Binary Patching Who Am I? “Israeli programmer and reverse...

ZERT Binary Patching Gil Dabah


ZERT

Binary Patching

Gil Dabah


Who Am I?

“Israeli programmer and reverse engineering enthusiast Gil Dabah”, eWeek (09/22/06)

“Israeli reverse-engineering specialist Gil Dabah”, CNET (09/25/06)

Computer’s “Hacker” Programmer, working at DigiCash

[2 of 37]


About ZERT

Zero-day Emergency Response Team

Zero-day meaning?

Foundation

Goal

Incident-Response

[3 of 37]


Menu

Patching In General

VML Vulnerability

ANI Vulnerability

[4 of 37]


What is Patching?

Changing existing software data. That data can be either code or real data (strings, structures, etc.). Usually the goal is to change behavior; sometimes you enhance the software. Patching can be done on disk or in memory. The well-known kind of patching is cracking games/software … or uncracking software, like ZERT does.

[5 of 37]


Problems with Patching

Different versions (e.g. 23 versions of VGX). Code changes. Code moves. No room for the extra patching code/data. MS hot patching: MOV EDI, EDI.

Windows File-Protection.

[6 of 37]


Patching Alternatives

Every change affects file integrity.

We want to change as few bytes as possible.

1) PE patching: add a section / find a cave. In a short development time it's not possible to make it reliable. Too big a change. Time consuming.

2) Per-version patching: requires all versions. Doesn't support unknown ones.

[7 of 37]


Patching Alternatives

3) Using hot-patching bytes: a few places to patch (all callers, more signatures). 7 bytes are usually not enough: CC CC CC CC CC 8B FF (the five padding bytes before the function plus the MOV EDI, EDI at its entry).

4) Spot patching: simple search-and-replace patching. Not always possible. Generic.

[8 of 37]

Section #1: ZERT VML Patcher

[9 of 29]


VML

Vector Markup Language: an XML language used to produce vector graphics. Submitted as a proposed standard by MS and Macromedia in '98 to the W3C. Eventually rejected, but still in use by Internet Explorer and Office (and Outlook).

[10 of 37]


VML Rendering

[11 of 37]


VML Zero-Day

First seen in September 2006: officially on the 19th, but actually before. Adam Thomas, a researcher from Sunbelt Software, found it in the wild (ITW). The exploit downloads a trojan or adware, for example adware that downloads and displays popup advertisements.

[12 of 37]


VML Vulnerability

Stack-based buffer overflow in the processing of malformed VML "fill method" attributes.

Affected file: VGX.DLL (symbol: Ptok@TOKENS@_IE5_SHADETYPE_TEXT). Vulnerable systems: all IE versions, even with the latest XP SP2 patches. Surf and get owned. What if DEP is enabled?

[13 of 37]


HTML Exploitation

<html xmlns:v="urn:schemas-microsoft-com:vml">
<head>
<style>v\:* { behavior: url(#default#VML); }</style>
</head>
<body>
<v:rect><v:fill method="AAAA…"></v:fill></v:rect>
</body>
</html>

[14 of 37]


Vulnerability Point

To locate the vulnerable image, simply crash IE: attacking 'fill method' with a big buffer raises an access violation, a write through a pointer found on the local stack. Now that we have the vulnerable function, we start analyzing the code.

[15 of 37]


Ptok Function Disassembly

mov dx, [ebx+edx*2]

mov [edi], dx

mov edx, [ecx+VML.szInput]

[16 of 37]


Code Analysis

class TOKENS {
public:
    WCHAR *Ptok(void);
private:
    LPWSTR szInput;        // pointer to input string on heap
    int nSize;             // length of input string (in WCHARs)
    int idxInput;          // index used within the for() loop
    WCHAR szOutput[256];   // output buffer for string
};

This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 license. By Michael Hale Lee.

[17 of 37]

Code Analysis: C++ Translation

WCHAR *TOKENS::Ptok(void)
{
    register int idxCurr;
    if (szInput == NULL) return(NULL);

    if (nSize >= 256) {
        // Added by the ZERT patch
        return(NULL);
    }

    for (idxCurr=0; idxInput < nSize && szInput[idxInput] != '\0'; idxInput++) {
        if (szInput[idxInput] == ' ') {
            if (idxCurr) break;      // Encountered non-leading space
            else continue;           // Encountered leading space
        }
        szOutput[idxCurr]=szInput[idxInput];  // Copy the WCHAR
        idxCurr++;
    }
    if (idxCurr > 0) {
        szOutput[idxCurr]='\0';      // NULL terminate
        return(szOutput);
    }
    return(NULL);
}

[18 of 37]


Using Ptok Rather Than strtok

Ptok is an enhanced strtok, using a class and local storage.

It supports multiple concurrent readings, and it doesn't modify the original string! Tokenize: "We've got explosives! KABOOOOOM!" Results in: "We've", "got", "explosives!", "KABOOOOOM!". With strtok, by contrast, the input string is nullified in place: "We've\0got\0…"

[19 of 37]


Writing a Binary Signature

A unique sequence of bytes. Might be masked or not: "GIF87A", "GIF89A" → "GIF8*A". Must be found exactly the number of times you expect. Genericness is a plus.

[20 of 37]


VGX’s Ptok Signature

Ptok is like a library function (very small, used in one place). No code changes across all versions. Goal: use the whole function as a signature.

[21 of 37]


Compiler’s Bad Day???

>>> import distorm
>>> distorm.Decode(0,"\x66\x8b\x14\x53")[0][2]
'MOV DX, [EBX+EDX*2]'
>>> distorm.Decode(0,"\x0f\xb7\x14\x53")[0][2]
'MOVZX EDX, [EBX+EDX*2]'

[22 of 37]


Closing The Vulnerability [v1]

; Removed leading space checks, added input-size test.
mov edx, [ecx]
push ebx
push esi
xor esi, esi
cmp edx, esi              ; if (szInput == NULL)
push edi
jz short Return           ; return NULL
cmp dword [ecx+4], 0x100  ; if (nSize >= 0x100)
jae Return                ; return NULL

[23 of 37]


Bypassing WFP

Examining VGX.DLL's export table: DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer. VGX.DLL is a COM in-proc DLL, so it can be registered and unregistered (a patched copy can be registered in place of the protected file). Anti-virus issues.

[24 of 37]


ZERT Patcher

1) Read the vgx.dll file into memory.

2) Search for binary signature.

3) Apply patch.

4) Save data to a new file “patchedvgx.dll”.

5) Unregister original “vgx.dll”.

6) Register “patchedvgx.dll”.

* Supports both GUI and Console versions.

[25 of 37]
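The masked signature search from the "Writing a Binary Signature" slide, with its rule that the signature must be found exactly the expected number of times, together with patcher steps 2 and 3 above, as an added C example (this is not the ZERT patcher's code). The byte buffers are constructed for the demo: the GIF header strings show a wildcard mask, and the fake code image embeds the MOV DX,[EBX+EDX*2] encoding from the distorm slide once, which the spot patch rewrites to the same-length MOVZX form. The 'x'/'?' mask syntax and all function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Count occurrences of pat[0..plen) in buf; mask[i] == '?' means "any byte".
 * The offset of the first hit is stored in *first when first != NULL. */
size_t find_masked(const uint8_t *buf, size_t len, const uint8_t *pat,
                   const char *mask, size_t plen, size_t *first)
{
    size_t hits = 0;
    if (plen == 0 || len < plen) return 0;
    for (size_t off = 0; off + plen <= len; off++) {
        size_t i;
        for (i = 0; i < plen; i++)
            if (mask[i] != '?' && buf[off + i] != pat[i]) break;
        if (i == plen) {
            if (hits == 0 && first) *first = off;
            hits++;
        }
    }
    return hits;
}

/* Spot patch: overwrite the signature in place with repl (same length), but
 * only when it occurs exactly `expected` times. Any other count means an
 * unknown build, and the patcher must refuse rather than guess.
 * Returns 0 on success, -1 when the count does not match. */
int spot_patch(uint8_t *buf, size_t len, const uint8_t *sig, const char *mask,
               size_t slen, const uint8_t *repl, size_t expected)
{
    size_t first = 0;
    if (find_masked(buf, len, sig, mask, slen, &first) != expected) return -1;
    memcpy(buf + first, repl, slen);
    return 0;
}

/* Constructed input: three GIF-like headers, two of which match "GIF8?A". */
static const uint8_t demo_gifs[] = "..GIF87A..GIF89A..GIF9xA..";

size_t count_gif_headers(void)
{
    return find_masked(demo_gifs, sizeof demo_gifs - 1,
                       (const uint8_t *)"GIF8?A", "xxxx?x", 6, NULL);
}

/* Constructed fake code image (not VGX.DLL): a prologue, the 4-byte
 * MOV DX,[EBX+EDX*2] from the distorm slide, MOV [EDI],DX and an epilogue. */
static uint8_t demo_image[] = {
    0x55, 0x8b, 0xec, 0x53, 0x56,   /* push ebp; mov ebp,esp; push ebx; push esi */
    0x66, 0x8b, 0x14, 0x53,         /* mov dx, [ebx+edx*2]   <- the signature */
    0x66, 0x89, 0x17,               /* mov [edi], dx */
    0x5e, 0x5b, 0xc3                /* pop esi; pop ebx; ret */
};

uint8_t demo_image_byte(size_t i) { return i < sizeof demo_image ? demo_image[i] : 0; }

/* Rewrite the 16-bit move to the same-length MOVZX EDX encoding. */
int patch_demo_image(void)
{
    static const uint8_t sig[]  = { 0x66, 0x8b, 0x14, 0x53 };
    static const uint8_t repl[] = { 0x0f, 0xb7, 0x14, 0x53 };
    return spot_patch(demo_image, sizeof demo_image, sig, "xxxx", 4, repl, 1);
}

/* A one-byte "signature" (PUSH EBX, 0x53) occurs twice, so the patch is refused. */
int patch_ambiguous_signature(void)
{
    static const uint8_t sig[] = { 0x53 }, repl[] = { 0x90 };
    return spot_patch(demo_image, sizeof demo_image, sig, "x", 1, repl, 1);
}

int main(void)
{
    printf("GIF8?A hits: %zu\n", count_gif_headers());        /* 2 */
    printf("ambiguous:   %d\n", patch_ambiguous_signature()); /* -1 */
    printf("spot patch:  %d\n", patch_demo_image());          /* 0 */
    return 0;
}
```

Running the spot patch a second time also returns -1, because the signature is no longer present: the count check doubles as a "already patched" detector, which is what keeps search-and-replace patching safe across unknown builds.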


ZERT’s Patch VS. MS’s

MS can simply recompile. We have to:

Make room for the input size test. Preserve functionality.

MS patch: copy until the buffer is full (< 0xfe). Our V1 patch: don't copy if length >= 0x100. Patch V2 is the MS code, but crunched into 0x5b bytes (from 0x63).

[26 of 37]
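The two fixes compared on this slide, applied to the C++ translation of Ptok from the Code Analysis slide, as an added C example (this is not the VGX.DLL code and not ZERT's patch bytes). WCHAR is modelled as a 16-bit unit so the code builds outside Windows, the FIX_ZERT_V1/FIX_MS names and the tokenize_ascii helper are this example's own, and the MS behaviour is reduced to the slide's one-line description (stop copying once 0xfe characters are in the buffer). The inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned short WCHAR;   /* 16-bit code unit, as on Windows (modelling assumption) */
#define OUT_CHARS 256           /* szOutput[256] from the TOKENS class */

/* TOKENS state, reconstructed from the slide's class layout. */
typedef struct {
    const WCHAR *szInput;   /* input string; never written, unlike strtok() */
    int nSize;              /* input length in WCHARs */
    int idxInput;           /* cursor kept between calls */
    WCHAR szOutput[OUT_CHARS];
} TOKENS;

/* Which fix guards the copy loop that the original left unbounded. */
typedef enum { FIX_ZERT_V1, FIX_MS } Fix;

WCHAR *Ptok(TOKENS *t, Fix fix)
{
    int idxCurr;
    if (t->szInput == NULL) return NULL;
    /* ZERT v1: refuse any input that could not fit (the "jae Return" on slide 23). */
    if (fix == FIX_ZERT_V1 && t->nSize >= OUT_CHARS) return NULL;

    for (idxCurr = 0; t->idxInput < t->nSize && t->szInput[t->idxInput] != 0; t->idxInput++) {
        WCHAR c = t->szInput[t->idxInput];
        if (c == ' ') {
            if (idxCurr) break;   /* non-leading space ends the token */
            continue;             /* leading space is skipped */
        }
        /* MS: stop copying once 0xfe characters are in the buffer. */
        if (fix == FIX_MS && idxCurr >= 0xfe) break;
        t->szOutput[idxCurr++] = c;   /* the write the original never bounded */
    }
    if (idxCurr > 0) {
        t->szOutput[idxCurr] = 0;     /* idxCurr <= 255 under either fix, so in bounds */
        return t->szOutput;
    }
    return NULL;
}

/* Widen an ASCII string (constructed test input); caller frees the result. */
static WCHAR *wide_from_ascii(const char *s, int *n)
{
    int len = (int)strlen(s);
    WCHAR *w = malloc((size_t)(len + 1) * sizeof *w);
    for (int i = 0; i <= len; i++) w[i] = (WCHAR)(unsigned char)s[i];
    *n = len;
    return w;
}

/* Run Ptok to exhaustion; tokens are joined with '|' into out. Returns the count. */
int tokenize_ascii(const char *ascii, Fix fix, char *out, size_t cap)
{
    TOKENS t;
    int count = 0;
    size_t used = 0;
    memset(&t, 0, sizeof t);
    t.szInput = wide_from_ascii(ascii, &t.nSize);
    for (WCHAR *tok; (tok = Ptok(&t, fix)) != NULL; count++) {
        if (count && used + 1 < cap) out[used++] = '|';
        for (int i = 0; tok[i] && used + 1 < cap; i++) out[used++] = (char)tok[i];
    }
    if (cap) out[used] = '\0';
    free((void *)t.szInput);
    return count;
}

/* 1 when tokenizing ascii yields exactly the '|'-joined list expected. */
int tokens_equal(const char *ascii, Fix fix, const char *expected)
{
    char buf[1024];
    tokenize_ascii(ascii, fix, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* First token length for a run of n 'A's (the shape of the exploit's
 * 'fill method' value), or -1 when Ptok refuses the input outright. */
int long_token_len(int n, Fix fix)
{
    char buf[1024];
    char *s = malloc((size_t)n + 1);
    int r;
    memset(s, 'A', (size_t)n);
    s[n] = '\0';
    r = tokenize_ascii(s, fix, buf, sizeof buf) ? (int)strcspn(buf, "|") : -1;
    free(s);
    return r;
}

int main(void)
{
    printf("ZERT v1, 300 x 'A': %d\n", long_token_len(300, FIX_ZERT_V1)); /* -1 */
    printf("MS,      300 x 'A': %d\n", long_token_len(300, FIX_MS));      /* 254 */
    return 0;
}
```

The difference the slide draws is visible in the last two calls: the ZERT v1 policy rejects the whole input once it cannot fit, while the MS policy keeps the first 0xfe characters and hands the remainder back as the next token, so normal inputs tokenize identically under both and only the oversized case diverges.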


64 Bits Patching Challenges

Finding the VP (vulnerability point, i.e. Ptok) without a Windows 64 machine. RIP-relative addressing. The MS code was changed from the 32-bit version, yet unpatched.

[27 of 37]


32-bit vs 64-bit VGX.DLL

[28 of 37]


Pre-Patched

Version         Compilation Timestamp   Date          Pre-Patched?
5.0.3014.1003   0x38439A32              Nov 30 1999   Yes
7.0.5112.0      0x43D80C1D              Jan 26 2006   No
7.0.5450.4      0x449C16C7              Jun 23 2006   Yes

[29 of 29]

Section #2: ZERT ANI Patcher

[30 of 29]


Windows Animated Cursors

It all began in 2005: eEye discovered a vulnerability in USER32.DLL's handling of .ANI files.

(Incompletely) fixed by MS05-002; XP SP2 was already immune.

In 2006, a similar vulnerability was discovered by Determina (Alexander Sotirov).

Public disclosure: March 28, 2007.

[31 of 37]


Bug Description

ANI files store animated cursors. They are based on the RIFF multimedia file format, which is a series of tagged chunks.

LoadCursorIconFromFileMap only validated the first 'anih' size before parsing the rest of the chunks by calling LoadAniIcon.

LoadAniIcon parses the chunks, including 'anih', this time without size validation.

[32 of 37]


Malformed ANI Sample

RIFF....ACONanih
...........$...$
................
........anihX...
AAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA

First header chunk, so far so good.

Now! this is tricky, oh yeah.

[33 of 37]
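The chunk walk from the Bug Description slide, run over a reconstruction of the malformed sample above, as an added C example (this is not USER32.DLL code): first_anih_ok mirrors the first-chunk-only check of LoadCursorIconFromFileMap, and validate_ani_chunks applies the size test to every 'anih' chunk, which is the check LoadAniIcon lacked. The 36-byte header size (0x24, the '$' in the dump), the sample bytes (a well-formed first 'anih', then a second one claiming 0x58 bytes of 'A') and the function names are this example's reconstruction, not the original file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ANIH_SIZE 36u   /* size of the fixed ANI header structure: 0x24 */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The original behaviour: validate only the first 'anih' chunk's size.
 * Returns 1 when that chunk is exactly ANIH_SIZE bytes (the malformed sample passes). */
int first_anih_ok(const uint8_t *buf, size_t len)
{
    size_t off = 12;   /* skip "RIFF" <size> "ACON" */
    while (off + 8 <= len) {
        uint32_t size = le32(buf + off + 4);
        if (memcmp(buf + off, "anih", 4) == 0) return size == ANIH_SIZE;
        if (size > len - off - 8) return 0;
        off += 8 + size + (size & 1);   /* RIFF pads odd-sized chunks */
    }
    return 0;
}

/* The missing check: every 'anih' chunk is copied into the same fixed-size
 * local structure, so each one must be exactly ANIH_SIZE. Returns the number
 * of 'anih' chunks, or -1 for a bad file (wrong magic, truncated chunk, or an
 * 'anih' of the wrong size; that size is stored in *bad_size when non-NULL). */
int validate_ani_chunks(const uint8_t *buf, size_t len, uint32_t *bad_size)
{
    int anih = 0;
    size_t off = 12;
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0) return -1;
    while (off + 8 <= len) {
        uint32_t size = le32(buf + off + 4);
        if (size > len - off - 8) return -1;           /* chunk runs past the file */
        if (memcmp(buf + off, "anih", 4) == 0) {
            anih++;
            if (size != ANIH_SIZE) {
                if (bad_size) *bad_size = size;
                return -1;
            }
        }
        off += 8 + size + (size & 1);
    }
    return anih;
}

/* Reconstruct the slide's sample: RIFF/ACON, a well-formed 'anih' of 0x24
 * bytes (cbSize first), then a second 'anih' claiming 0x58 bytes of 'A'.
 * Returns the byte count written, or 0 if cap is too small. */
size_t build_malformed_ani(uint8_t *out, size_t cap)
{
    const size_t total = 12 + 8 + ANIH_SIZE + 8 + 0x58;
    size_t n = 12;
    if (cap < total) return 0;
    memcpy(out, "RIFF", 4); put_le32(out + 4, (uint32_t)(total - 8)); memcpy(out + 8, "ACON", 4);
    memcpy(out + n, "anih", 4); put_le32(out + n + 4, ANIH_SIZE); n += 8;
    memset(out + n, 0, ANIH_SIZE); put_le32(out + n, ANIH_SIZE); n += ANIH_SIZE;
    memcpy(out + n, "anih", 4); put_le32(out + n + 4, 0x58); n += 8;
    memset(out + n, 'A', 0x58); n += 0x58;
    return n;
}

/* 1 when the first-chunk check accepts the sample but the full walk rejects it. */
int sample_bypasses_first_check(void)
{
    uint8_t buf[256];
    size_t n = build_malformed_ani(buf, sizeof buf);
    return n != 0 && first_anih_ok(buf, n) && validate_ani_chunks(buf, n, NULL) == -1;
}

/* The size of the offending 'anih' chunk in the sample. */
uint32_t sample_bad_anih_size(void)
{
    uint8_t buf[256];
    uint32_t bad = 0;
    size_t n = build_malformed_ani(buf, sizeof buf);
    validate_ani_chunks(buf, n, &bad);
    return bad;
}

/* Same file with the second 'anih' cut off: a well-formed cursor header. */
int wellformed_anih_count(void)
{
    uint8_t buf[256];
    size_t n = 12 + 8 + ANIH_SIZE;
    if (build_malformed_ani(buf, sizeof buf) == 0) return -1;
    put_le32(buf + 4, (uint32_t)(n - 8));
    return validate_ani_chunks(buf, n, NULL);
}

int main(void)
{
    printf("bypasses first-chunk check: %d\n", sample_bypasses_first_check()); /* 1 */
    printf("bad anih size: 0x%x\n", sample_bad_anih_size());                /* 0x58 */
    return 0;
}
```

The walk also refuses a chunk whose declared size runs past the end of the file, a second class of malformed input that a parser copying "size" bytes from a memory-mapped file would otherwise read out of bounds.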


Attack Vectors

Internet Explorer loading an HTML file: style="CURSOR: url('malformed.ani')".

Outlook. Windows Explorer.

[34 of 37]


The Patcher

USER32.DLL requires in-memory patching.

Using "Known DLLs" to load our .DLL into every process.

Our DllMain will locate USER32.DLL, find its code section and begin its magic work.

[35 of 37]


Vulnerable Code - LoadAniIcon

000433E0 038B 75F8 8B45 D83D 7365 7120 0F84 7C01 ..u..E.=seq ..|.

000433F0 0000 3D4C 4953 540F 84CB 0000 003D 7261 ..=LIST......=ra

00043400 7465 0F84 A600 0000 3D61 6E69 680F 85DF te......=anih...

00043410 0000 008D 45B4 508D 45D8 5053 E8E4 FAFF ....E.P.E.PS....

00043420 FF85 C00F 84E7 0100 0083 EC24 6A09 598B ...........$j.Y.

00043430 FC8D 75B4 F3A5 E844 FBFF FF85 C00F 84CA ..u....D........

00043440 0100 008B 45BC 8B7D B88B 35F0 12D4 776A ....E..}..5...wj

CMP EAX, ' qes'

JZ 0x187

CMP EAX, 'TSIL'

JZ 0xe1

CMP EAX, 'etar'

JZ 0xc7

CMP EAX, 'hina'

JNZ 0x10b

LEA EAX, [EBP-0x4c]

PUSH EAX

LEA EAX, [EBP-0x28]

PUSH EAX

PUSH EBX

CALL Readchunk

[36 of 37]


Runtime Generic Patching

3 X-Refs to the ReadChunk function; only one needs a fix (LoadCursorIconFromFileMap).

Search for a static signature. Look back for another static signature. Disassemble forward until the next CALL is found.

Now that we have found the call that indirectly reaches memcpy, we have to patch it, but how?

[37 of 37]


The Fix

A pre-compiled version of the ReadChunk function, this time with size validation.

ReadChunk internally calls ReadFilePtrCopy, which actually copies the data and overflows the stack.

Fix our pre-compiled code to call the correct ReadFilePtrCopy: calculate the relative 32-bit offset.

Allocate executable memory for the new function. Once it's ready, we can simply relocate the original vulnerable CALL instruction to our new immune function.

[38 of 37]
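The last step of The Fix, re-pointing the vulnerable CALL at a replacement function by rewriting its 32-bit relative displacement (the same offset arithmetic the slide uses to wire the pre-compiled ReadChunk to ReadFilePtrCopy), as an added C example; it is not the ZERT ANI patcher's code. The 17 bytes are copied from the 00043410 row of the LoadAniIcon dump plus the first byte of the next row, with the dump offsets treated as virtual addresses (an assumption); the replacement address 0x00100000 is a made-up stand-in for the allocated executable memory, and the far-target case shows the range check that matters once code and replacement can be more than 2 GB apart on 64-bit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Displacement for a 5-byte E8 CALL at call_va so that it reaches target_va.
 * Returns 0 and stores it in *rel, or -1 when the distance does not fit the
 * signed 32-bit field (a real risk on x64, where the new function can sit far away). */
int call_rel32(uint64_t call_va, uint64_t target_va, int32_t *rel)
{
    int64_t d = (int64_t)(target_va - (call_va + 5));   /* two's-complement wrap is intended */
    if (d < INT32_MIN || d > INT32_MAX) return -1;
    *rel = (int32_t)d;
    return 0;
}

/* Decode the target of the CALL at code[off]; code is mapped at base_va.
 * Returns 0 when there is no E8 opcode at that offset. */
uint64_t call_target(const uint8_t *code, size_t len, size_t off, uint64_t base_va)
{
    uint32_t u;
    if (off + 5 > len || code[off] != 0xE8) return 0;
    u = (uint32_t)code[off + 1] | (uint32_t)code[off + 2] << 8 |
        (uint32_t)code[off + 3] << 16 | (uint32_t)code[off + 4] << 24;
    return base_va + off + 5 + (uint64_t)(int64_t)(int32_t)u;
}

/* Re-point the CALL to new_target by rewriting only its 4-byte displacement.
 * The opcode is untouched: a single DWORD is written, which is what the
 * "Potential Problems" slide relies on while other threads may be running. */
int retarget_call(uint8_t *code, size_t len, size_t off, uint64_t base_va, uint64_t new_target)
{
    int32_t rel;
    uint32_t u;
    if (off + 5 > len || code[off] != 0xE8) return -1;
    if (call_rel32(base_va + off, new_target, &rel) != 0) return -1;
    u = (uint32_t)rel;
    code[off + 1] = (uint8_t)u;         code[off + 2] = (uint8_t)(u >> 8);
    code[off + 3] = (uint8_t)(u >> 16); code[off + 4] = (uint8_t)(u >> 24);
    return 0;
}

/* The 00043410 row of the dump: lea eax,[ebp-0x4c]; push eax; lea eax,[ebp-0x28];
 * push eax; push ebx; call ReadChunk (E8 E4 FA FF FF, last byte from the next row). */
#define DUMP_VA  0x00043410u
#define CALL_OFF 12
static const uint8_t dump_rows[17] = {
    0x00, 0x00, 0x00, 0x8D, 0x45, 0xB4, 0x50, 0x8D,
    0x45, 0xD8, 0x50, 0x53, 0xE8, 0xE4, 0xFA, 0xFF,
    0xFF
};

/* ReadChunk's address as encoded in the dump (0x4341c + 5 - 0x51c). */
uint64_t original_readchunk_va(void)
{
    return call_target(dump_rows, sizeof dump_rows, CALL_OFF, DUMP_VA);
}

/* Patch a copy of the dump so the CALL reaches new_va; returns the decoded
 * target afterwards, or 0 when the patch was refused. */
uint64_t retargeted_va(uint64_t new_va)
{
    uint8_t code[sizeof dump_rows];
    memcpy(code, dump_rows, sizeof code);
    if (retarget_call(code, sizeof code, CALL_OFF, DUMP_VA, new_va) != 0) return 0;
    return call_target(code, sizeof code, CALL_OFF, DUMP_VA);
}

int main(void)
{
    printf("ReadChunk at 0x%llx\n", (unsigned long long)original_readchunk_va());    /* 0x42f05 */
    printf("retargeted to 0x%llx\n", (unsigned long long)retargeted_va(0x00100000u)); /* 0x100000 */
    printf("far target accepted? %d\n", retargeted_va(0x7fff00000000ull) != 0);      /* 0 */
    return 0;
}
```

Decoding the target back after the write is the check worth keeping in a real patcher: it confirms both the displacement arithmetic and that the opcode byte was left alone.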


Potential Problems

Multiple threads might run the patched code: we patch only a DWORD, so the change lands in a single write.

Searching for a DWORD: the search must be byte-aligned (the value need not sit on a DWORD boundary).

Finding the CALL instruction: a disassembler must be used.

If-then statement code generation: following branches.

[39 of 37]


The Sad Truths

There is a function which validates the ANI header parameters, but only after it has copied them locally.

The VML vulnerability didn't exist in IE5, which had the buffer size validation back then. It probably slipped back in through a code regression.

[40 of 37]


Questions???

[41 of 37]


The End


Thanks to:

CCC

ZERT Members

ZERT - http://isotf.org/zert

http://isotf.org/zert/papers/vml-details-20061004.pdf

http://www.milw0rm.com/exploits/2425 - Exploit POC