Secure 360 - Exploit Techniques

Modern Exploits, Mitigations, And Bypass Techniques CHRIS HERNANDEZ

Transcript of Secure 360 - Exploit Techniques

Modern Exploits, Mitigations, And Bypass Techniques
Chris Hernandez

Hi everyone, I'm Chris and I'll be talking about exploits, exploit mitigations and bypass techniques.

My goal really is to hel

$whoami
Chris Hernandez, Red Teamer
Former: Pentester / Red Teamer @ Veris Group, Exploit / Bug Research
Blog: Nopsled.ninja, @piffd0s

Just briefly, let me tell you my story. I've worn various security hats in my career, some defensive and some offensive; from helpdesk to red teaming I've done about everything in between, and I like to think that gives me some perspective on the challenges of security in an organization.


Topics
- Brief overview of the motivation behind exploit development
- Background on the history of exploits
- Examples of significant exploit mitigations
- Examples of significant mitigation bypasses
- Next steps

We have a lot to cover; we will start at the basics and work our way up to more modern techniques.

If I go too slow you might get bored; if I go too fast I might lose you. If you have any questions, feel free to reach out to me at the end of the slides.

Some of you in the room might be on the defensive side, some of you may be on the offensive side, and others are key decision makers on information security policy.

The important thing I want you to take away from this presentation is that everyone has a responsibility to know how these technologies work, so that we can be better prepared to defend the organisations we work for.

This will really be a 1000 ft view of exploits, and we will dive up close in a few instances to give more perspective.

Overview: Motivations
- 0-day sales and bug bounty programs are gaining popularity and can be quite lucrative
- Mitigation Bypass Bounty: Microsoft will pay out $100K for a bypass and an additional $100K for a bypass defense
- At Pwn2Own 2016, $85K was awarded for an MS Edge exploit
- Zerodium paid out $1M for RCE on iOS
- Grey market $$$
- Ethical and non-ethical researchers are working hard to find and exploit vulnerabilities

So first I need to clarify a little bit about what drives the evolution of the exploit development market, which has become a huge industry.

This market didn't really exist 10 or 15 years ago. Back then people worked for notoriety, or just to see what happened; the bottom line was, there wasn't an ethical way to easily sell exploits.

Fast forward 15 years, the stakes are even higher; people can now make significant incomes. And because this is a very popular and profitable market, there are a ton of really smart people working on exploits.

It's important to realize that money is a very large motivator for the exploit development and sales markets. It might not be the only motivator, but it is a large one. There's also demand for zero-day protection services, in which companies buy exploits so that they are the first who are aware of the vulnerabilities. Then there is demand for the exploit itself, either from the vendor or from ethical or unethical resellers.

People used to do it more for street cred, but now that there is so much money out there, they do that less and less.

I'll give you an example. I really wanted to get a CVE (Common Vulnerabilities and Exposures) so that I could sort of prove to the world that I had what it takes to find a vulnerability. I got my first CVE, then I tried a few bug bounties, and the first time I got a bug bounty, I was like, screw the CVE, I'll take the money!


Just as an example, in 2015 Google paid out a total of $2 million.

A popular exploit buyer, Zerodium, has a publicly available payout scale that ranges from $10K to $500K.

Exploits 101- What's an exploit?

- It all starts with poorly written/compiled (vulnerable) code.
- Code might not check for edge cases, or it trusts user input implicitly, or reads input into a buffer without bounds.
- In order for an exploit to be written, a software vulnerability must first exist.
- Someone finds the vulnerability, then writes code to take advantage of (exploit) the vulnerability.
- A simple example of this is code that uses vulnerable C functions like strcpy. strcpy has no length argument; the copy only stops at a null terminator.

These are some examples.

Now that we've covered some basics of software exploits, we need to discuss exploit mitigation controls.

gets() = get string from stdin. If you allocate a 10-byte buffer for a name and a user supplies 2000 characters, gets() will simply copy all of it in (buffer overflow).
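As an added example (not from the talk or its slides), here is the unbounded copy described above next to a bounded replacement that rejects oversized input; the struct, the function names and the 2000-byte input are constructed for illustration:

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 10

struct user {
    char name[NAME_LEN];
    int  is_admin;          /* sits right after the buffer: an overflow lands here */
};

/* Vulnerable: strcpy has no length argument and stops only at the NUL byte,
 * so input longer than NAME_LEN-1 runs past name[] into is_admin and beyond.
 * Shown for contrast only; never called with oversized input here. The same
 * applies to gets(), whose bounded replacement is fgets(buf, sizeof buf, stdin). */
void set_name_unsafe(struct user *u, const char *input)
{
    strcpy(u->name, input);
}

/* Hardened: measure first and refuse input that does not fit, instead of
 * silently truncating or overflowing. Returns 0 on success, -1 if too long. */
int set_name_checked(struct user *u, const char *input)
{
    size_t n = strlen(input);
    if (n >= sizeof u->name)
        return -1;                      /* need room for the terminating NUL */
    memcpy(u->name, input, n + 1);
    return 0;
}

int main(void)
{
    struct user u = { "", 0 };
    char big[2001];                     /* constructed input: 2000 'A's */
    memset(big, 'A', 2000);
    big[2000] = '\0';

    if (set_name_checked(&u, big) != 0)
        printf("rejected %zu-byte name; is_admin still %d\n", strlen(big), u.is_admin);
    if (set_name_checked(&u, "alice") == 0)
        printf("stored '%s'\n", u.name);
    return 0;
}
```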


A Brief History of Exploits
- Earliest malicious example was the Morris Worm, 1988 (exploited the finger daemon on Unix systems)
- Aleph One wrote "Smashing the Stack for Fun and Profit" in 1996, an early how-to guide for exploiting stack buffer overflows
- Code Red, 2001: exploited a buffer overflow in IIS; 359,000 hosts affected
- SQL Slammer, 2003: exploited a buffer overflow in MS SQL Server; ~75,000 hosts affected

* "Security of the Internet. CERT/CC". Cert.org. 1998-09-01

I listed some notable exploits due to the size and significance of the damage done.

Microsoft products kept being exploited with remote code execution exploits, and this had to be fixed.

The Morris worm prompted DARPA to fund the establishment of the CERT/CC at Carnegie Mellon University to give experts a central point for coordinating responses to network emergencies.*


What can be done to defend my poor weak insecure application?

Enter Exploit mitigations

Controls exist to mitigate the exploitation of software vulnerabilities

Primary categories of controls are:
- OS controls: ASLR, DEP (AlwaysOn)
- Compile time: stack canaries, SafeSEH
- Application opt-in: DynamicBase, DEP (App OptIn)

(Slide diagram: OS controls, Compile-time, Opt-in)

It is important to understand that the amount of vulnerable (poorly written) code has not necessarily decreased, but the amount of vulnerable code that can be exploited usefully has been decreasing significantly.

All of these controls can make exploitation significantly more difficult, or impossible.

Exploit mitigation controls are only as strong as the weakest link. For example, if an application loads a number of modules and all of the modules except for one are using exploit mitigation controls, the application is at a significant disadvantage.


Notable Exploit Mitigations Timeline

Worth noting that before XP SP2 there were no exploit mitigation controls built in to Windows.

Stack Canary Exploit Mitigation Example


Canary Bypass: CVE-2013-2028


Example Canary Bypass: CVE-2013-2028

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow.

BUT! There is a stack canary


The parent process generates the cookie and the child process inherits it; the child process is spawned and actually serves the HTTP requests.

The child process is vulnerable to the buffer overflow.

Thus the cookie can be brute forced.
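An added example, not part of the talk, from the defender's side of this bug: each wrong cookie guess kills one worker, so the master's log fills with worker exits on a signal. This small C detector counts such lines; the log lines are constructed in the shape of nginx's worker-exit alert, and the threshold is an assumption:

```c
#include <stdio.h>
#include <string.h>

#define CRASH_THRESHOLD 5   /* assumed alert threshold per log window */

/* Returns 1 and stores the signal number in *sig if the line reports a
 * worker process that died on a signal; 0 for any other line. */
int parse_worker_exit(const char *line, int *sig)
{
    const char *p = strstr(line, "worker process ");
    long pid;
    if (p == NULL)
        return 0;
    return sscanf(p, "worker process %ld exited on signal %d", &pid, sig) == 2;
}

/* Counts worker deaths on SIGABRT (6, what glibc raises for "stack smashing
 * detected") and SIGSEGV (11). A burst of these under one master is the
 * footprint of a cookie being guessed one byte at a time. */
int count_canary_crashes(const char *const *lines, int n)
{
    int crashes = 0, sig;
    for (int i = 0; i < n; i++)
        if (parse_worker_exit(lines[i], &sig) && (sig == 6 || sig == 11))
            crashes++;
    return crashes;
}

int main(void)
{
    /* Constructed log lines in the shape of nginx's master-process alert */
    static const char *const sample[] = {
        "2013/05/07 12:00:01 [alert] 1234#0: worker process 5678 exited on signal 6",
        "2013/05/07 12:00:01 [notice] 1234#0: start worker process 5679",
        "2013/05/07 12:00:02 [alert] 1234#0: worker process 5679 exited on signal 6",
        "2013/05/07 12:00:02 [notice] 1234#0: start worker process 5680",
        "2013/05/07 12:00:03 [alert] 1234#0: worker process 5680 exited on signal 6",
        "2013/05/07 12:00:03 [alert] 1234#0: worker process 5681 exited on signal 11",
        "2013/05/07 12:00:04 [alert] 1234#0: worker process 5682 exited on signal 6",
    };
    int n = sizeof sample / sizeof sample[0];
    int crashes = count_canary_crashes(sample, n);
    if (crashes >= CRASH_THRESHOLD)
        printf("ALERT: %d worker crashes in window, possible canary brute force\n", crashes);
    else
        printf("%d worker crashes, below threshold\n", crashes);
    return 0;
}
```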


ASLR & DEP Exploit Mitigation

Data Execution Prevention (DEP): DEP is a Windows feature that enables the system to mark one or more pages of memory as non-executable. Marking memory regions as non-executable means that code cannot be run from that region of memory, which makes it harder for exploits involving buffer overruns to succeed.

Address Space Layout Randomization (ASLR): In older versions of Windows, core processes tended to be loaded into predictable memory locations upon system startup. Some exploits work by targeting memory locations known to be associated with particular processes. ASLR randomizes the memory locations used by system files and other programs, making it much harder for an attacker to correctly guess the location of a given process.

The combination of ASLR and DEP creates a fairly formidable barrier for attackers to overcome in order to achieve reliable code execution when exploiting vulnerabilities.

Source: http://www.microsoft.com/security/sir/strategy/default.aspx#!section_3_3

Simply explained, DEP marks pages of memory as read, write or execute. The idea is that an area of memory is either executable or writable, but not both.

ASLR basically shuffles the locations of DLLs in memory.

ASLR Example: Memory shuffle

Addresses of modules are reloaded on each boot; this removes the predictability that older exploits relied on.


Example of areas of memory that are marked with DEP

DEP Bypass example: WinAPI VirtualProtect
"Changes the protection on a region of committed pages in the virtual address space of the calling process" - MSDN

- lpAddress: address of the shellcode
- dwSize: at least as large as the size of the shellcode
- flNewProtect: desired new protection, 0x00000040, which translates to read/write/execute
- lpflOldProtect: address of a writable region of memory


ASLR & DEP Bypass: MS14-035 Use After Free in MSHTML CInput


First, a bit about use after free.

- C and C++ vulnerability class
- Popular vulnerability class for exploit writers
- Complex vulnerability class
- Exploitable because freed memory can be written to before a function uses it again. The victim function mistakenly still has a reference to the memory.
- Difficult to detect via static analysis

It's kind of like this:

Winnie the Pooh loves honey; he saves some honey to eat for dinner.
He goes about his day in the Hundred Acre Wood.
While he is out, someone replaces the honey with a bear trap!
Pooh comes home, sticks his hand in the honey jar to get some honey, and instead he gets a bear trap!
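The dangling-reference pattern behind a use after free, as an added example that is not from the talk: a long-lived registry keeps a pointer to a handler object after the object is freed, shown beside the release routine that clears the reference. The struct and function names are hypothetical:

```c
#include <stdio.h>
#include <stdlib.h>

struct handler {
    void (*on_event)(struct handler *);  /* a function pointer: the "honey jar" */
    int fired;
};

static void real_handler(struct handler *h) { h->fired = 1; }

/* A long-lived registry keeps a reference to the current handler. */
struct registry { struct handler *current; };

struct handler *handler_new(void)
{
    struct handler *h = calloc(1, sizeof *h);
    if (h) h->on_event = real_handler;
    return h;
}

/* Vulnerable release: frees the object but leaves registry->current pointing
 * at the dead memory. The next allocation of similar size may land there, so a
 * later dispatch() calls through whatever bytes now fill the jar. Shown for
 * contrast only; it is never called in this example. */
void release_unsafe(struct registry *r)
{
    free(r->current);
}

/* Fixed release: every reference is dropped before the memory goes back to the
 * allocator, so later users see NULL rather than a stale pointer. */
void release_safe(struct registry *r)
{
    free(r->current);
    r->current = NULL;
}

/* Dispatch that tolerates an unregistered handler. Returns 1 if a handler ran. */
int dispatch(struct registry *r)
{
    if (r->current == NULL)
        return 0;
    r->current->on_event(r->current);
    return 1;
}

int main(void)
{
    struct registry r = { handler_new() };
    printf("dispatch before release: %d\n", dispatch(&r));
    release_safe(&r);
    printf("dispatch after release:  %d\n", dispatch(&r));   /* 0, not a crash */
    return 0;
}
```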


ASLR & DEP Bypass: MS14-035 Use After Free in MSHTML CInput

DEMO

UAF

DEMO

UAF + Heap Spray

Full exploitation requires an info leak bug:

CVE-2012-0769

The vulnerability is that there is no validation on the address of the rectangle supplied as the argument. An attacker can supply a Rectangle with out-of-bounds values, and this will lead to performing the histogram of an area outside the BitmapData.

DEMO

MS14-035 Use After Free in MSHTMLCInput w/ payload


Meet EMET
What is the Enhanced Mitigation Experience Toolkit?
EMET is a utility that helps prevent vulnerabilities in software from being successfully exploited.*

EMET 5.2 released for Vista through Win 8.1 and Server 2008 through 2012 R2
EMET 5.5 in beta for Win 10

Heavily focused on mitigating modern attacker techniques: ROP, heap spray, SEH overwrite, Export Address Table, stack pivot, etc.

EMET

EMET Example

Next Steps
- Consider deploying EMET to high-risk and high-value Windows systems
- Ensure compile-time controls are turned on
- Audit vendor software for effective use of exploit mitigation controls; many major security vendors have poor mitigation controls
- Ensure server and workstation environments are using OS-level controls
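An added example for the audit step above and for the application opt-in controls (DynamicBase, DEP) listed earlier; it is not the speaker's code. It reads the DllCharacteristics field of a PE image's optional header to report whether the image opted in to ASLR and DEP. The header it checks is constructed in memory, not a real binary; the bit values are the documented IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and IMAGE_DLLCHARACTERISTICS_NX_COMPAT flags:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DLLCHAR_DYNAMIC_BASE 0x0040   /* /DYNAMICBASE: ASLR opt-in */
#define DLLCHAR_NX_COMPAT    0x0100   /* /NXCOMPAT: DEP opt-in */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns the optional header's DllCharacteristics, or -1 if buf is not a
 * PE image or is too short to contain that field. */
int pe_dll_characteristics(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe = rd32(buf + 0x3c);                     /* e_lfanew */
    /* "PE\0\0" (4) + COFF header (20) + DllCharacteristics at offset 70 (2) */
    if (pe > len || len - pe < 4 + 20 + 72) return -1;
    if (memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = buf + pe + 24;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;   /* PE32 / PE32+ */
    return rd16(opt + 70);                             /* same offset in both */
}

/* 1 if both the ASLR and DEP opt-in bits are set, 0 if not, -1 on parse error. */
int pe_has_aslr_and_dep(const uint8_t *buf, size_t len)
{
    int dc = pe_dll_characteristics(buf, len);
    if (dc < 0) return -1;
    return (dc & DLLCHAR_DYNAMIC_BASE) && (dc & DLLCHAR_NX_COMPAT);
}

/* Builds a constructed, minimal PE32+ header (not a real binary) with the
 * given DllCharacteristics so the checks above can run offline. Returns its
 * length, or 0 if cap is too small. */
size_t make_sample_pe(uint8_t *out, size_t cap, uint16_t dllchar)
{
    size_t need = 0x40 + 24 + 72;
    if (cap < need) return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3c] = 0x40;                                  /* e_lfanew = 0x40 */
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x40 + 24] = 0x0b; out[0x40 + 25] = 0x02;      /* magic 0x20b */
    out[0x40 + 24 + 70] = (uint8_t)(dllchar & 0xff);
    out[0x40 + 24 + 71] = (uint8_t)(dllchar >> 8);
    return need;
}
```

To audit a real file, read it into a buffer and pass it to pe_has_aslr_and_dep; a 0 for a module loaded by the application is exactly the weakest-link case from the mitigations slide.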

Vendor software: as a bug bounty hunter, it's not uncommon to find severe vulnerabilities in security products.

IoT as a great example.

Tying it all together
- The technologies behind exploit development and exploit mitigations are important concepts to understand
- Because of the marketplace, they affect more than just the researchers, exploit developers and defenders
- Understanding how an attack works helps in reducing attack surface
- Awareness of modern exploit mitigations can significantly reduce the attack surface of today's enterprise

Q & A? @piffd0s