How to-catch-a-chameleon-steven seeley-ruxcon-2012

Steven Seeley – Ruxcon 2012

Steven [email protected]

@net__ninja

How to catch a chameleon


C:\> whoami /all?● mr_me● Security Researcher @ Immunity Inc● A member of Corelan Security Team

● ruby python developer● reverse engineering● exploit developer


Disclaimer(s)No zerodays were hurt during the making of this presentation

Sorry but some windows heap knowledge is assumed


Agenda ● What is 'heaper' ?

● Development motivators

● Meta data attack techniques

● Functional design

● Installation

● Using heaper

● Demo analysing a heap overflow

● Limitations

● Future work

● Conclusion


But first.An entomologist's lesson.


Definition of a chameleon?

Chameleon (n) A small slow-moving Old World lizard

with a prehensile tail, long extensible tongue, protruding eyes that rotate independently, and a highly developed ability to change color


Definition of a chameleon?

Chameleon (n) A small slow-moving Old World lizard

with a prehensile tail, long extensible tongue, protruding eyes that rotate independently, and a highly developed ability to change color


A chameleon's diet


Chameleon Heap manager analysisSlow moving Slow evolution of security in heap managers*

Protruding, rotating eyes Symptoms of long debugging sessions

Ability to change color rapidly

Ability to change its state rapidly

Kills and eats bugs Difficultly leads to disclosure, in hope of other researchers demonstrating exploitation

Similarities

* Some, such as implementations on mobile platforms, example: WebKit


What is heaper?● A multi platform win32 heap analysis tool● A plug-in for Immunity Debugger● Developed in python using immlib/heaplib● An offensive focused tool:

● Visualize the heap layout● Determine exploitable conditions using meta-data● Find application specific heap primitives● Find application specific function pointers● Modify heap structures on the fly for simulation


Development motivators


Meta data attack techniquesTechnique Platform Difficulty* Reliability* Supported

Coalesce unlink() NT 5.[0/1] 10% 100% Yes

VirtualAlloc block unlink() NT 5.[0/1] Unknown Unknown No

Lookaside head overwrite NT 5.2 50-60% Unknown Yes

Freelist insert/search/relink NT 5.2 Unknown Unknown Yes

Bitmap flip NT 5.2 50-60% Unknown Yes

Heap cache desycronisation NT 5.2 90% Unknown No

Critical section unlink() NT 5.2 50% 70% No

FreeEntryOverwrite NT 6.[0/1] 50% 60% Yes

Segment Offset NT 6.[0/1] 50% 80% Yes

Depth De-sync NT 6.[0/1] 50% 70% Yes

UserBlocks Overwrite NT 6.2 90% 40% No

Application data ANY Unknown Unknown Yes

difficulty/reliability* - estimated based specific testing, will vary largely depending on context


Functional design● Object oriented design● Easily extend-able● Chunk validation based on allocator ordering & categorization

● General heuristics check per allocator


Functional designchunk validation:

Full unlink() macro validation!


Functional designchunk validation:

● Lets say we have chunk 0x0026fee8 in FreeList[0].● We know relative offsets:

● 0x0026fee8+0x0 is the size● 0x0026fee8+0x2 is the previous chunks size● 0x0026fee8+0x4 is the cookie● 0x0026fee8+0x8 is the Flink/Blink

Therefore, we can validate the chunk based on its positioning and by reading memory


Functional designChunk validation on ListHint[{0x7f,0x7ff}]-> Windows 7 LFH (size is encoded)

-> Checks ListHint[0x7f] and ListHint[0x7ff]














Functional designChunk validation on ListHint[n]:

-> Windows 7 LFH (size is encoded)

-> Checks ListHint[n]














Functional designChunk validation on FreeList[0]:

-> Windows 2000/XP FreeList[0]


Functional designChunk validation on FreeList[0]:

-> Windows 2000/XP FreeList[0]

size, flink, blink pwned! Chunk overwrite!


Functional designChunk validation on FreeList[n]:

-> Windows 2000/XP FreeList[n]


Functional designChunk validation on FreeList[n]:

-> Windows 2000/XP FreeList[n]

size, flink, blink pwned! Chunk overwrite!


Functional designGraphing:

We all know that little

green men in the debugger

can be hard to understand


Functional designGraphing:

visualize the heap


Functional designEasy to use:

● Generates a specific menu basic on windows version in use – no option to analyse the LFH if it doesn't exist

● Generates graphs for each bin size separately, generally for exploitation, we target a specific bin size

● n-4 byte write simulation on function pointers with the ability to restore the said function pointers

● The ability to modify a single BIT in the FreeListInUse struct

● 'update' command for easily updating heaper.

● 'config' command to configure the output directory of logs and graphs

● Everything is logged in a new “heaper” window


● Prerequisites:

● Immunity Debugger v1.85 and above● Graphviz v2.28.0 and above -http://www.graphviz.org/● Pyparsing - http://sourceforge.net/projects/pyparsing/● PyDot - http://code.google.com/p/pydot/

1. Install Immunity Debugger :->

2. Add 'c:\python27' to your path environment

3. Run the Graphviz MSI packaged installer

4. Navigate into your pydot and pyparsing directories and execute 'python setup install'

4. Copy heaper to the 'C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands\' directory

Installation

http://www.graphviz.org/

http://sourceforge.net/projects/pyparsing/

http://code.google.com/p/pydot/


Using heaper


Usage and help menuRun '!heaper help <cmd>' to learn about the cmd and its options


Analyzing windows structsDisplay the PEB structure


Analyzing windows structsDisplay the TEB's for the process (no struct) – No TEB struct boo


Analyzing windows structsAnalyze a _heap struct


Analyzing the FreelistInUse bitmask



Bit flipping



Bit flipping


Dumping function pointers● Finds function pointers despite if they are writable or not

● Depreciated and will be removed in the next major release


Finding writable pointers


Finding writable pointers● Similar to the dump function pointers routine but

executes the action across the whole module

● This can be executed against all modules

● As the name states, only writable function pointers to facilitate a write 4 condition

● Don't be fooled, it doesn't just dump the IAT

● It can find OS specific function pointers making your exploit work despite the existence of application specific function pointers.


Finding writable pointersUse any of these to transfer code execution


Analyzing the allocator state NT 5.x

Lookaside - chunk analysis



Lookaside - chunk analysis● Easy to understand layout● Displays the cookie, chunk size, flink● Notification of an overwrite using the first

byte in the chunk header (size)● If userdata == flink, possible exploitation



Lookaside with verbose mode (-v)



Lookaside with verbose mode (-v)● Displays the _general_lookaside_list struct● Displays the _slist_header struct● Instantly determine if a list itself has been

overwritten● Much like 'dt _general_lookaside_list

<addr>' in windbg



Lookaside - graphing



Lookaside - vuln analysis

●

● Set a (Function pointer-0x8) to equal the new Lookaside chunk address



Lookaside - vuln analysis



FreeList - chunk analysis



FreeList with verbose mode (-v)



FreeList - graphing



FreeList - vuln analysis



FreeList - vuln analysis



LFH - UserBlocks analysis



LFH - UserBlocks analysis



LFH - UserBlocksCache analysis

0:004> dt _USER_MEMORY_CACHE_ENTRYntdll!_USER_MEMORY_CACHE_ENTRY

+0x000 UserBlocks : _SLIST_HEADER+0x008 AvailableBlocks : Uint4B



LFH - buckets

0:004> dt _heap_bucketntdll!_HEAP_BUCKET

+0x000 BlockUnits : Uint2B+0x002 SizeIndex : Uchar+0x003 UseAffinity : Pos 0, 1 Bit+0x003 DebugFlags : Pos 1, 2 Bits



LFH - graphing UserBlocks



LFH - vuln analysis



LFH - vuln analysis



LFH - vuln analysis



ListHint - analysis



ListHint - analysis



FreeList - analysis



FreeList - analysis



FreeList - graphing



FreeList/ListHint - vuln analysis



FreeList/ListHint - vuln analysis


Hooking the heap manager


Hooking the heap managerHard hooking

● HeapAlloc/HeapFree

● Can be extended

for other heap functions

● Discover primitives


Hooking the heap managerSoft hooking

Use only for testing, not designed to be used with large applications


PatchingPatching - PEB

● A binary may be compiled in debug mode

● What if we are trying to execute a function pointer that assumes the process is not being debugged ?


UpdatingUpdate to the latest version with ease

The update function just generates a git hash and compares digests. There is no version tracking yet.


ConfiguringConfigure the home directory on where to store graphs and logs


Detecting exploitable conditions


Detecting exploitable conditions● Detecting exploitable conditions can be very

difficult and prone to many false positives.● If you overwrite a specific chunk, then just due

to the amount of data you overwrote with, it may/may not be deemed exploitable

● Therefore understanding the limitations of each of the conditions is required for accurate analysis.



LFH – FreeEntryOffset Overwrite



LFH – FreeEntryOffset Overwrite



FreeList/ListHint – No technique suggestion*

● No techniques for exploitation against the FreeList/ListHint under windows NT 6.x have been disclosed publicly so far.



Lookaside – chunk overwrite



Lookaside – chunk overwrite



FreeList[n] – Bitflip attack



FreeList[n] – Bitflip attack


Demo - MS12-037


Limitations● Does not analyze LFH on XP● Does not analyze LFH on Windows 8● Supports only a limited number of meta-data

attacks for now● Does not log analysis findings external to the

debugger● Needs a decent heap search function● Need to support other heap implementations


Future work● Support LFH analysis on Windows 8● Support other heap manager implementations

(jemalloc)● Support more meta-data attacks● Perform log analysis● Detect 'interesting' application data on the

heap● Add a decent search function● Improve the heuristics engine


Conclusion● Run-time analysis of the heap to detect meta-

data attack conditions is complex● Some form of solver maybe more applicable to

this type of analysis :->● Whilst heaper is not turing complete, it will

solve many corner cases.● Immunity will continue to be a leader in the

development and application of heap exploitation techniques


Thanks!You know who you are ;-)


Code design/improvements/patches/ideas are very welcome :>

[email protected] more information please execute:

$ git clone https://github.com/mrmee/heaper.git

$ wget -r http://net-ninja.net/

https://github.com/mrmee/heaper.git

http://net-ninja.net/


MIAMI

Technology

How to-catch-a-chameleon-steven seeley-ruxcon-2012