Chun Feng Microsoft Corporation The Butterfly Effect and the “Shellcode Storm”

Chun Feng Microsoft Corporation


Page 1: The Butterfly Effect and the “Shellcode Storm”

Chun Feng, Microsoft Corporation

Page 2: Butterfly Effect

Tiny change -> Large-scale alterations

Page 3: Butterfly Effect in Computer Security Systems

• CVE-2010-1297
• CVE-2010-2884
• CVE-2010-3654
• CVE-2011-0609

Clean SWF file -> (1 byte change) -> Exploit

Page 4: Adobe Flash is Pervasive

99% (source: http://www.adobe.com/products/player_census/flashplayer/)

Page 5: Attacks on Adobe Flash Player

[Bar chart: Number of Reported Adobe Flash Player Related Vulnerabilities, by year 2008-2011 (y-axis 0-70); data labels on the chart: 20, 22, 60, 14, 42?]

Page 6: How Adobe Flash File Works

[Diagram]
Developer: ActionScript3 -> Compile -> ByteCode
User: AVM (ActionScript Virtual Machine): ByteCode Verifier -> JIT Compile (MIR Code Generator -> MD Code Generator) -> Native Code (x86, PPC)

Page 7: Code Example

ActionScript 3:
    public function add8(a:int): int {
        return a+8;
    }

Adobe Byte Code (stack machine):
    pushscope
    getlocal_1
    pushbyte 8
    add
    returnvalue

MIR (intermediate machine independent language):
    @5  arg 0
    @10 ldop 4(@5)
    @22 def @10
    @37 use @22 [1]
    @38 imm 8
    @42 add @37 @38

X86 native code:
    mov eax, 16(ebp)
    mov edx, 4(eax)
    mov -84(ebp), edx
    mov ecx, -84(ebp)
    add ecx, 8
    mov -76(ebp), ecx
    mov eax, -76(ebp)

Page 8: CVE-2010-1297 Overview

Time: Early June, 2010

Adobe Flash Player version <= 10.0.45.2
Adobe Reader version <= 9.3.2

Sample contains 0-day exploit hosted on a webpage (malformed SWF + JavaScript heap spray)

Page 9: CVE-2010-1297 Demo

Page 10: CVE-2010-1297 Analysis

1 byte changed in function:

    public RadioButton.configUI():void

Clean:
    4F D2 02 00    callpropvoid fl.controls:LabelButton.configUI, 0

Malicious (4F -> 40):
    40 D2 02       newfunction TextInput:drawBackground
    00

Page 11: Debugging Obstacles

• Pageguard exception – Trouble with Ollydbg; use Windbg, type command “sxi gp”
• 15 seconds timeout – Less intrusive debugging - can’t use single step / trace!
• Understand JIT compiled code

Page 12: CVE-2010-1297 Analysis

1. How is the control transferred to shellcode?
2. The root cause of this vulnerability

Page 13: Control Transfer Analysis - Method 1 (Quick & Dirty)

1. Remove the JavaScript heap spray code to cause a crash rather than have shellcode executed
2. Locate the instruction causing the crash

Problems:
• May not be 100% accurate
• Doesn’t work if the heap spray code is encrypted

Page 14: Analyze Control Transfer – Method 2 (More Precise)

Assumption: Transferred via call instruction

The return address for this call will be pushed onto the stack

    463bd28d ff510c    call dword ptr [ecx+0Ch]    ; [4198000c]=0c050c05
    463bd290 83c40c    add esp,0Ch

Dump stack at the 1st instruction of shellcode (address 0c050c05):

    Stack
    463bd290
    41980000
    00000000
    0013e364

Page 15: Analyze Control Transfer – Method 2 (contd.)

At the 1st instruction of the shellcode, the return address is at the top of the stack

Problems – we are unable to stop there:

• The address of the 1st instruction of the shellcode is not predictable
• Single step doesn’t work (15 secs timeout)

Page 16: Analyze Control Transfer – Method 2 (contd.)

    or al, 5                  ; pseudo NOP start, ESP = ESP0
    // ...
    or al, 5                  ; pseudo NOP end, ESP = ESP0
    or al, 00C                ; 1st instruction of shellcode, ESP = ESP0
    // ... more code (more bytes pushed onto the stack)
    call URLDownloadToFileA   ; ESP = ESP1

[Stack diagram: ESP1 (after the pushes) ... ESP0 (top of stack at shellcode entry, holding the ret. address of the call)]

delta = ESP0 - ESP1 is calculable! Put breakpoint at URLDownloadToFileA(), then calculate ESP0 = ESP1 + delta
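The ESP0 = ESP1 + delta step, carried through on a stack capture, as an added example (not code from the talk): it reads the dword at ESP0 and checks that it really is the return address of an indirect CALL, so the "transferred via call" assumption is verified rather than trusted. The stack bytes, ESP1 and the delta are constructed to mirror the values on the slides.

```python
# Added example (not from the talk): given a stack capture taken at a breakpoint
# on the imported API and the push delta, compute ESP0, read the dword at it and
# check that it is the return address of an indirect CALL. All memory contents,
# ESP1 and the delta are constructed to mirror the values shown on the slides.
import struct
from typing import Optional, Tuple

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def esp_at_shellcode_entry(esp1: int, delta: int) -> int:
    """ESP0 = ESP1 + delta, delta being the bytes pushed between entry and the call."""
    return esp1 + delta

def read_dword(mem: bytes, base: int, addr: int) -> int:
    """Little-endian dword at addr from a memory capture that starts at base."""
    off = addr - base
    if off < 0 or off + 4 > len(mem):
        raise ValueError(f"0x{addr:08x} is outside the captured range")
    return struct.unpack_from("<I", mem, off)[0]

def describe_indirect_call(code: bytes, code_base: int, ret_addr: int) -> Optional[str]:
    """Decode 'FF /2' (CALL r/m32) with a [reg+disp8] operand ending right before ret_addr."""
    off = ret_addr - 3 - code_base
    if off < 0 or off + 3 > len(code):
        return None
    opcode, modrm, disp8 = code[off], code[off + 1], code[off + 2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if opcode != 0xFF or reg != 2 or mod != 1 or rm == 4:   # rm=4 would need a SIB byte
        return None
    disp = disp8 - 0x100 if disp8 & 0x80 else disp8
    sign = "+" if disp >= 0 else "-"
    return f"call dword ptr [{REGS[rm]}{sign}{abs(disp):02X}h]"

def locate_transfer(stack_mem: bytes, stack_base: int, esp1: int, delta: int,
                    code: bytes, code_base: int) -> Tuple[int, int, Optional[str]]:
    """Return (ESP0, dword at ESP0, decoded call site or None)."""
    esp0 = esp_at_shellcode_entry(esp1, delta)
    ret_addr = read_dword(stack_mem, stack_base, esp0)
    return esp0, ret_addr, describe_indirect_call(code, code_base, ret_addr)

# Constructed stack capture: the four dwords from the slide sit at ESP0 = 0x0013E364.
STACK_BASE = 0x0013E340
_stack = bytearray(0x40)
struct.pack_into("<IIII", _stack, 0x24, 0x463BD290, 0x41980000, 0x00000000, 0x0013E364)
STACK_MEM = bytes(_stack)
ESP1, DELTA = 0x0013E348, 0x1C        # constructed: 0x1C bytes pushed before the API call
# Code bytes from the slide: ff510c = call dword ptr [ecx+0Ch], 83c40c = add esp,0Ch.
CODE_BASE, CODE = 0x463BD28D, bytes.fromhex("ff510c83c40c")
```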

Page 17: Control Transfer Analysis Demo

Page 18: Control Transfer Found!

    463bd270 mov ecx, dword ptr [ebx+34h]    ; [431492b4]=4313e080
    463bd276 mov edx, dword ptr [ecx+8]      ; [4313e088]=42fb208a
    463bd27b mov ecx, dword ptr [edx+284h]   ; [42fb230e]=41980000
    463bd28d call dword ptr [ecx+0Ch]        ; [4198000c]=0c050c05

Page 19: CVE-2010-1297 Analysis

1. How is the control transferred to shellcode?
2. The root cause of this vulnerability

Page 20: What’s Really Wrong?

• No document for JIT compiler
• No PDB symbol file available

    463bd270 mov ecx, dword ptr [ebx+34h]    ; [431492b4]=4313e080
    463bd276 mov edx, dword ptr [ecx+8]      ; [4313e088]=42fb208a
    463bd27b mov ecx, dword ptr [edx+284h]   ; [42fb230e]=41980000
    463bd28d call dword ptr [ecx+0Ch]        ; [4198000c]=0c050c05

Page 21: Useful Trick

Revealed by http://jpauclair.net

Windows: C:\Documents and Settings\<username>\mm.cfg

    AS3Verbose = 1

Details of JIT runtime trace:

C:\Documents and Settings\<username>\Application Data\Macromedia\Flash Player\Logs\flashlog.txt

Page 22: Example of the Useful Trick

    26:callpropvoid fl.controls:BaseButton::drawBackground 0
    @63 ldop 16(@62)
    @64 ldop 812(@63)
    ……
    @63 ldop 16(@62)
        060BD6E4 mov eax, 16(ebx)     active: eax(63-64) ebx(62-69) edi(2-142)
    @64 ldop 812(@63)
        060BD6E7 mov ecx, 812(eax)    active: ecx(64-70) ebx(62-69) edi(2-142)

Page 23: Internals of JIT Compiled Code

Each JIT compiled function has three parameters:

    func(MethodEnv*, int argc, uint32 *ap)

For example: RadioButton.configUI ():void
• argc = 0
• ap[0] = RadioButton instance (“this” pointer)

Page 24: Using the Useful Trick

    protected function drawBackground():void {
        var bg:DisplayObject = background;
        var styleName:String = (enabled) ? "upSkin" : "disabledSkin";
        …
    }

    463bd270 mov ecx, dword ptr [ebx+34h]    ; [431492b4]=4313e080
    463bd276 mov edx, dword ptr [ecx+8]      ; [4313e088]=42fb208a
    463bd27b mov ecx, dword ptr [edx+284h]   ; [42fb230e]=41980000
    463bd28d call dword ptr [ecx+0Ch]        ; [4198000c]=0c050c05

Page 25: Using the Useful Trick (contd.)

The control transfer is in JIT compiled code for TextInput.drawBackground( )

    TextInput.drawBackground(MethodEnv*, int argc, uint32 *ap)

    463bd1bc push ebp
    463bd1bd mov ebp,esp
    463bd1bf sub esp,50h
    463bd1c5 mov eax,dword ptr [ebp+10h]   ; [0013e290]=43169301
    463bd1c8 mov eax,dword ptr [eax]       ; [43169301] = ??? (Unaligned pointer)

Page 26: Tracking Back

In TextInput.as, TextInput.draw( ) calls TextInput.drawBackground( )

In JIT compiled code TextInput.draw( ):

After 1 byte change => newfunction TextInput.drawBackground

    463bcbdb 83c801    or eax,1    ; make it unaligned!
    …
    call TextInput.drawBackground( )    ; Overloaded !

Page 27: Atom Internal Representations

Lowest 3 bits used for type (bits 2..0 hold the tag, bits 31..3 hold the value):

    Type        Tag (binary)   Tag (decimal)
    Untagged    000            0
    Object      001            1
    String      010            2
    NameSpace   011            3
    Undefined   100            4
    Boolean     101            5
    Integer     110            6
    Double      111            7

Example: 0x43169301 -> Type: Object, Actual Value: 0x43169300
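The tag table above and the "or eax,1" / unaligned-pointer sequence from Pages 25 and 26, modelled as an added example (not code from the talk): it decodes atoms by their low 3 bits and contrasts dereferencing the tagged atom directly with untagging it first. The memory map and field value are constructed; which tags carry pointers and how the value tags store their payload are assumptions.

```python
# Added example (not from the talk): models the 3-bit atom tagging from the
# slide and the difference between dereferencing a tagged atom directly (what
# the mis-emitted JIT code did) and untagging it first. The memory map and the
# field value are constructed; only the tag table and 0x43169301 come from the slides.
from typing import Dict, Tuple

TAG_MASK = 0x7
ATOM_TYPES = {0: "Untagged", 1: "Object", 2: "String", 3: "NameSpace",
              4: "Undefined", 5: "Boolean", 6: "Integer", 7: "Double"}
POINTER_TAGS = {0, 1, 2, 3, 7}   # assumption: these tags carry an 8-byte aligned address

def decode_atom(atom: int) -> Tuple[str, int]:
    """Split a 32-bit atom into (type name, payload). Pointer tags are masked off;
    for the value tags the payload is taken from bits 31..3 (an assumption)."""
    tag = atom & TAG_MASK
    kind = ATOM_TYPES[tag]
    payload = (atom & ~TAG_MASK) if tag in POINTER_TAGS else (atom >> 3)
    return kind, payload

def tag_as_object(ptr: int) -> int:
    """What 'or eax,1' does to a raw object pointer: mark it as an Object atom."""
    if ptr & TAG_MASK:
        raise ValueError("raw pointer is not 8-byte aligned")
    return ptr | 1

def is_aligned(addr: int, align: int = 4) -> bool:
    return addr % align == 0

# Constructed memory: the object's first dword lives at the untagged address.
MEMORY: Dict[int, int] = {0x43169300: 0x11223344}

def buggy_load(atom: int) -> int:
    """Models 'mov eax,[eax]' applied to the atom itself: fails on the odd address."""
    if not is_aligned(atom):
        raise RuntimeError(f"unaligned pointer dereference at 0x{atom:08x}")
    return MEMORY[atom]

def correct_load(atom: int) -> int:
    """Untag first, refusing non-reference atoms, then dereference."""
    kind, target = decode_atom(atom)
    if kind not in ("Object", "String", "NameSpace"):
        raise TypeError(f"{kind} atom is not a heap reference")
    return MEMORY[target]

def buggy_load_fails(atom: int) -> bool:
    """True when the direct dereference is rejected for being unaligned."""
    try:
        buggy_load(atom)
    except RuntimeError:
        return True
    return False
```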

Page 28: The Whole Picture of the Butterfly Effect

1. RadioButton.configUI( ): 1 byte changed
2. TextInput.drawBackground( ) func obj. created
3. TextInput.draw( ) emits the wrong code / parameter when calling TextInput.drawBackground( ) (which has been “overloaded”)
4. TextInput.drawBackground( ) doesn’t handle it correctly when the “enabled” property is referenced
5. Invalid memory accessed, shellcode executed

Page 29: CVE-2010-1297 Analysis

1. How is the control transferred to shellcode?
2. The root cause of this vulnerability

Page 30: CVE-2010-3654 Case Study

Time: Early Nov 2010

Adobe Flash Player version <= 10.1.85.3
Adobe Reader version <= 9.4

Sample containing 0-day exploit distributed as a PDF file with a malformed SWF embedded

Page 31: CVE-2010-3654 Case Study

1 byte change in MultiName constant pool (07 02 16 -> 07 02 07)

Clean:
    0x07 // [17] CONSTANT_QName
    0x02 // NsIndex = 2 (0x02)
    0x16 // NameIndex = 22 (0x16)
    -> “RadioButtonGroup” (“fl.controls.RadioButtonGroup”)

Malicious:
    0x07 // [17] CONSTANT_QName
    0x02 // NsIndex = 2 (0x02)
    0x07 // NameIndex = 7 (0x07)
    -> “Button” (“fl.controls.Button”)

“fl.controls.RadioButtonGroup” -> “fl.controls.Button”
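How the one-byte NameIndex change re-binds the QName, as an added example (not code from the talk): a small parser for an ABC CONSTANT_QName entry (kind byte, u30 namespace index, u30 name index) resolved against a constant pool. The pool contents are constructed so that indices 7 and 22 match the slide; only the kind byte 0x07 and the two three-byte entries come from the talk.

```python
# Added example (not from the talk): resolve an ABC CONSTANT_QName multiname entry
# against a constructed string/namespace pool, to show how the one-byte change
# (07 02 16 -> 07 02 07) re-binds the name. Pool layout and string indices are
# constructed for illustration; only the kind byte 0x07 and the two entries
# come from the slides.
from typing import List, Tuple

CONSTANT_QNAME = 0x07  # multiname kind byte for QName(ns, name)

def read_u30(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode an ABC u30 varint (7 bits per byte, LSB first, up to 5 bytes)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not (b & 0x80):
            return value, pos
        shift += 7
        if shift > 28:
            raise ValueError("u30 too long")

def parse_qname(entry: bytes, strings: List[str], namespaces: List[str]) -> str:
    """Return the fully qualified name a QName entry resolves to."""
    kind = entry[0]
    if kind != CONSTANT_QNAME:
        raise ValueError(f"not a QName entry: kind=0x{kind:02x}")
    ns_index, pos = read_u30(entry, 1)
    name_index, pos = read_u30(entry, pos)
    # Index 0 in every ABC pool is the implicit "*"/empty entry; reject out-of-range indices.
    if name_index >= len(strings) or ns_index >= len(namespaces):
        raise ValueError("constant pool index out of range")
    return f"{namespaces[ns_index]}.{strings[name_index]}"

# Constructed pools: namespace index 2 and string indices 7 and 22 mirror the slide.
NAMESPACES = ["*", "", "fl.controls"]
STRINGS = ["*"] + ["s%d" % i for i in range(1, 30)]
STRINGS[7] = "Button"
STRINGS[22] = "RadioButtonGroup"

CLEAN_ENTRY = bytes([0x07, 0x02, 0x16])
MALICIOUS_ENTRY = bytes([0x07, 0x02, 0x07])

def demo() -> Tuple[str, str]:
    """Resolve the clean and the one-byte-changed entry."""
    return (parse_qname(CLEAN_ENTRY, STRINGS, NAMESPACES),
            parse_qname(MALICIOUS_ENTRY, STRINGS, NAMESPACES))
```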

Page 32: The Whole Picture of the Butterfly Effect

1. MultiName constant pool: NameIndex changed
2. fl.controls.RadioButtonGroup -> fl.controls.Button
3. RadioButtonGroup.set_groupName -> Button.set_groupName
4. Invalid memory accessed, shellcode executed

Page 33: CVE-2011-0609 Case Study

Time: March 2011

Adobe Flash Player version <= 10.2.152.33
Adobe Reader version <= 10.0.1

Sample containing 0-day exploit distributed as an Excel file with one SWF file embedded

Page 34: CVE-2011-0609 Case Study (contd.)

Clean:
    4CC4 10 07 00 00    jump loc_4CCF
    …
    4CCF 80 2C          coerce com.greensock.core.SimpleTimeline

Malicious:
    3EA1 10 29 00 00    jump loc_3ECE
    ….
    3ECE 66 D6 02       getproperty <namespace_set>.paused

Jump destination is changed!

Page 35: Shellcode Storm Example 1 – CVE-2010-1297

Shellcode payload:
• Downloads an encrypted PE file
• Decrypts it (xor 0x95 skipping 0x00 and 0x95)

Decrypted PE file (Win32/Poison):
• Keylogger
• Backdoor:

[Figure: backdoor message layout: a Length field followed by Shellcode (offsets 0 and 4 marked)]

Page 36: Shellcode Backdoor versus C&C Backdoor

Receives shellcode rather than command

Pros:
• Thin client – just executes whatever it receives
• Easy to implement new command
• Payload code not written on disk

Cons:
• Coding complexity – coding in shellcode
• Platform dependent

Page 37: Shellcode Storm Example 2 – CVE-2010-3654

Shellcode matryoshka:
1. Shellcode decrypts PE file from PDF stream
2. Shellcode (in decrypted PE file) decrypts a DLL from resource
3. Shellcode (in decrypted DLL) decrypts and loads a PE file (Win32/Hupigon, aka Win32/Pigeon)

Page 38: Conclusion

• Threats have been targeting Adobe Flash Player because it is popular and platform-independent
• A 1 byte change in a SWF may have significant consequences. Attackers have been using dummy fuzzing to find vulnerabilities
• Attacks on Adobe Flash Player are likely to remain prevalent in the future

Page 39: Q & A