Reversing Microsoft Patches to reveal Vulnerable code Harsimran Walia //nullcon.net

Reversing Microsoft Patches to reveal Vulnerable code

Harsimran Walia

http://null.co.in/ http://nullcon.net/

Introduction

Need

Process


Finding a 0day vulnerability

Vulnerability reaches the

vendorVendor finds a

fix

Releases a patch to fix the

vulnerability

Introduction

Birth of a security patch

Microsoft patches

Reverse engineer the

patch

Locate the vulnerability

patched

Highlight the difficulties

Discussion in the presentation

For reversing and obtaining binary difference in my demos I would be using DarunGrim2

How DarunGrim works?• The schema of DarunGrim is shown in

the figure• To generate diffing results

– Binaries are disassembled in IDA Pro in thebackground and darungrim IDA plugin is runwhich creates the sqlite database

– Diffing Engine, the heart of DarunGrim2.The sqlite db from IDA and the binaries from GUIare fed into this engine as inputs


Introduction

Algorithm ?

• Main algorithm of DarunGrim is Basic block fingerprint hash map• Each basic block is 1 entity whose fingerprint is generated from the

instruction sequence• Fingerprint hash generated by IDA Pro• Two fingerprint hash tables one each for unpatched and patched binary• For finding the binary difference, each unique fingerprint from original

binary is searched against the fingerprints of patched binary for a match• All fingerprints in the original binary hash tables are either matched or

unmatched


Introduction

Algorithm ? Contd..

• For a function to be called matching, all the basic blocks in the function should be matching

• For unmatched functions DarunGrim calculates percentage match• Match rate based on fingerprint string match

– Similar to GNU Diff algorithm which is finding longest common subsequence


Introduction

Vulnerability Vs Exploit based signatures

Exploit signatures • Created by using byte string patterns or regular expressions • These are exploit specific • They are used widely mainly because of the ease of their creation• Cater to only one type of input satisfying that vulnerability condition• Fail: different attacks can exploit the same vulnerability, so exploit based

signatures will fail • For eg. Exploit based signature

– ESig = “docx?AAAAAAAAAAA...”– It will fail if some exploit uses a long string of B’s instead of A’s


Introduction


Vulnerability signatures • Based on the properties of the vulnerability and not on

the properties of the exploit• It is a superset of all the inputs satisfying a particular

vulnerability condition• For eg. Vulnerability based signature for previous case

– VSig = MATCH_STR (Buffer,"docx?(.*)$",limit)– Matches string in buffer with the regex– It is effective against any alphabet unlike exploit signature


Introduction

VulnerabilitySignature

Exploit Signature


Vulnerability signatures contd..• For a good vulnerability signature

– It should strictly not allow any false negatives as even one exploit can pwn the system and create a gateway for the attacker into the network.

– It should allow very few false positives, as too many false positives may lead to a DoS attack for the system.

– The signature matching time should not create a considerable delay for the software and services.


Introduction

• The first step of creating an undisclosed exploit is to find the vulnerability to exploit it.

• To verify if the patch released by Microsoft is working as per it is designed.

• To create vulnerability based signatures.


Need

Finding patches

Extraction of files

Binary Differencing

Differencing Analysis

Debugging


Process


Process

• Pick a vulnerability and download its patch• Pick a vulnerability just before this one that patched the same

program or dll– If unavailable, use the same dll from your system

Finding patches

Problem

• GDR or QFE/LDR ??• File Versioning

Quick-fixUse open source

ms-patch-tools to easily get the file

versions to compare


Process

Finding patches

DEMO C:\Users\harry\Documents\Camtasia Studio\


Process

• The traditional way of extracting file from patch – <patchfilename>.exe /x– Works only till Windows XP and earlier versions of Windows

Problem

• Above method cannot be used on Win7 and Vista patches delivered as msu

Extraction of filesFinding patches


Process

• Use expand command– expand -F:* <Saved_MSU_File_Name>.msu C:\<Folder_to_extract_in> – expand -F:* <Saved_MSU_File_Name>.cab C:\<Folder_to_extract_in>

Extraction of files

Solution

Finding patches


Process

Extraction of filesFinding patches

DEMO

Finding patches


Process

• DarunGrim v2 used for binary difference– Feed in the two binaries to be compared– Generates a list of functions with the %age match between the two files

Extraction of files

Binary Differencing

Problem

• Not every function %age < 100 is changed• Includes false positives which requires manual analysis

Finding patches


Process

Extraction of files

Binary Differencing

DEMO

Finding patches


Process

• Manual inspection of functions with less than 100% match– Remove false positives generated by problems like

• Instruction reorderingLot of reordering happening over different releases marks even the same blocks as unmatched

• Split blocksBlock in the graph which has only parent and the parent has only one child leads to a split block.causing a problem in the matching processCan be improved by merging the two blocks and treating as a single block.

Extraction of filesBinary Differencing


• Hot patchingInstructions like mov eax, eax at the start of functions are a sign of hot patching leading to a

mismatch in the blockBy just ignoring the instruction we can get a match

• Compiler optimizations Different compilers and even different versions of the same compiler perform different

optimizations which also creates problems in getting proper difference

– Eventually reach a function which is indeed modified and might be the fix to the vulnerability being patched


Finding patches

Process



Finding patches


Process



DEMO unpatched.png

patched.png

Finding patches

• push [ebp-2Ch] ; unsigned intcall ??2@YAPAXI@Z ; operator new(uint)mov ebx, eaxpop ecxmov [ebp-18h], ebxmov [ebp-3Ch], ebxmov byte ptr [ebp-4], 1push dword ptr [ebp-2Ch]mov ecx, esipush ebxpush [ebp-30h]call sub_118000C func(const *,void *,long)mov edi, eaxtest edi, edijge short

• push [ebp-2Ch] ; unsigned intcall ??2@YAPAXI@Z ; operator new(uint)pop ecxmov [ebp-14h], eax ; ebp-14h = pBuffermov [ebp-40h], eaxmov byte ptr [ebp-4], 2push [ebp-2Ch]mov ecx, esipush ebxpush edicall sub_118000C func(const *,void *,long)mov esi, eaxtest esi, esijge short loc_118158A


Process



Finding patches


Process



Debugging

• To validate our finding of analysis by debugging– Getting a crash of the application– Creating a malformed file to get the crash

• Would be using Immunity Debugger

Finding patches


Process



Debugging

DEMO

Conclusion

• Presented an overview of how the 1-day exploits and Vulnerability signatures can be created

• Attempt was made to understand the process involved in reversing and the problems faced during the execution of the process

• Only talked about Microsoft patches but concept not limited to this.

• Concepts presented can be perfected by interested audience


Thanks

Questions??
