37
Bruce Dang Secure Windows Initiative (SWI) Microsoft 9/23/08 Bruce Dang | [email protected] | Secure Windows Initiative | Microsoft 1
BruceDangSecureWindowsInitiative(SWI)Microsoft
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 1
Introduction Officebinaryfileformat(<=2003) Bugs Defensivemechanisms Exploitstructures Analysistechniques Detectionmechanisms Thesurprise… Patchprocess(end‐to‐end)9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 2
Targetedattacks Verypopularinthelastcoupleyears Bypassesperimetersecuritydevices/software Difficulttodetect Notechnicalinformationinthepublic
Therearethingsyoucandotomitigateandstopmostoftheattacks.
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 3
StructuredStorage/OLESS Filesysteminsideabinaryfile Dividedataintostorageandstreams(storage=directory,stream=file)
12‐pagespecification Application‐specificdatastoredinsidestorage/streams.
Canbefrustratingtoparsemanually
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 4
StgOpenStorage()onthefile.YougetbackanIStorageobject.
IStorage‐>EnumElements()enumeratesallofthestoragesandstreams.
IStorage‐>OpenStream()opensupwhateverstreamyouwant.ReturnsanIStreamobject.
IStream‐>Stat()tellsyouthestreamsize. IStream‐>Read()readsnbytesfromthestream.
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 5
HRESULT hr;IStorage *is;IStream *stream;IEnumSTATSTG *penum;STATSTG statstg;StgOpenStorage(L“foo.ppt", NULL, STGM_DIRECT |
STGM_READ | STGM_SHARE_EXCLUSIVE, NULL, 0, &is);is->EnumElements(NULL, NULL, NULL, &penum);hr = penum->Next(1, &statstg, 0);while( hr == S_OK) {
wprintf(L"name = %s\tsize = 0x%08x\n”,statstg.pwcsName, statstg.cbSize);
...is->OpenStream(statstg.pwcsName, NULL, STGM_READ |
STGM_SHARE_EXCLUSIVE, 0, &stream);stream->Read(data, statstg.cbSize, NULL);... parse data ...
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 6
Abitsimpler.Goodforexperiments.from pythoncom import *ostore = StgOpenStorage(sys.argv[1], None, 0x10, None, 0)estat = ostore.EnumElements()str = estat.Next()while str != ():
if str[0][0] == "PowerPoint Document":len = str[0][2]
str = estat.Next()ostream = ostore.OpenStream("PowerPoint Document", None,
0x10, 0)data = ostream.Read(len)...parse data...
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 7
Storesdatainthe“PowerPointDocument”stream.OpenStream(L“PowerPoint Document”, ...)
TwotypesofPowerPointdatastructures Container–a“directory”▪ Containsothercontaineroratoms.
Atom–a“file” RecordsfollowTLVstyle MSOobjectsfollowthesameformat
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 8
1structtorulethemalltypedef struct{ uint2 recVer:4; uint2 recInstance:12; uint2 recType; uint4 recLen;} PPTRHDR_t;
IfrecVer=0xF,thentherecordisacontainer;else,itisanatom
recTypereferstotherecordtype.Thereare~100oftheseinPowerPoint.Youcanlookthemupthefileformatspecification.
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 9
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 10
typedef struct{ uint2 recVer:4; uint2 recInstance:12; uint2 recType; uint4 recLen;} PPTRHDR_t;
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 11
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 12
*Datafromthestream*
Documentcontainer
Documentatom
Slidecontainer
Slidecontainer
UserEditAtomatom(usuallylast)
1slidecontainerperslide
Environmentcontainer
Dataisstoredinsidethe“Workbook”stream Nocontainers/atoms.JustplainBIFFrecords. BIFFrecordsalsofollowTLVformat Recorddatahasanupperboundof~2000‐8000bytes(BIFFversiondependent).Iflonger,useaCONTINUErecord
Datainsidethe“Workbook”streamisorganizedlike:BOF<data>EOFBOF<data>EOFBOF<data>EOF…
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 13
Nothingoutoftheordinary:integerover/underflow,off‐by‐one,doublefree,uninitializedvariables,badpointerreuse,stack/heapoverflow,…
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 14
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 15
UseMOICE Free ItrequiresOffice2003 ItonlyworksonOLEstructuredstoragefiles ItusestheOffice2007compatibilitypack ItconvertsyourbinaryfileformattothenewXMLformatandopensitup
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 16
Office2003SP3 Free Resultofamajorsecurity/SDLpush IfyouhadOffice2003SP3,thenyouwouldnotbeaffectedbyanyoftheOfficezero‐daysacknowledgedinthepublicsince.
IfyouhaveOffice2003,installSP3
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 17
Office2003SP3andMOICEactuallyeliminates/mitigatesmostoftheOfficevulns.
Alwayshavethelatestpatches.
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 18
Notoutoftheordinary Basicstructure
Shellcode Malware Cleandocument
Techniques
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 20
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 21
Everythingisincludedinthedocument Therecanbevariations
Multipleshellcodestages Multipletrojans Obfuscationoftrojans/doc
Techniques StandardGetEIP/PIC Customencoders PEBretrieval Filehandlebruteforce Applicationrelaunch
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 22
Whyfilehandlebruteforce? Exploitmustfinditselfinmemory(thisisnotthesameasGetEIP)
Exploitcannotsimplyscantheentireprocessaddressspacelookingforitself(speed)
Veryeasy/shortimplementationinassembly.It’sliterally:int fh;for (fh=0; fh < 65536; fh += 4){
if (GetFileSize(fh, NULL) == mysize) return fh;}
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 23
Whatitdoes(therecanbevariations) Shellcodedecodesitselfandruns Buildsupalistoffunctionpointers Findsitselfinmemory(filehandle) Readdatafromspecificlocationsinthefile Extractthetrojanandthecleandocument Runthetrojanandrelaunchtheapptoopenthenewfile
Exitthecurrentprocess SetFilePointer,ReadFile,WriteFile,CloseFile,WinExec,ExitProcess.
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 24
Tools Hexeditor Disassembler Optional:Debugger(WinDBGissufficient)
Objectives Identifytheshellcode Understandit Extractthemaliciouscomponents [Identifytheexactvuln]
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 25
Howmanydoyourecognize? EB 10 5B 4B 33 C9 66 B9 96 03 8034 0B FD E2 FA EB 05 E8 EB FF FFFF
64 A1 30 00 00 00 64 8B 1D 30 00 00 00 D9 74 24 F4
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 26
DebugDOC/XLS/PPT? Staticmethod
Decodetheshellcodeandreadit Dynamicmethod
Abitmoreinteresting
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 27
Method1 Identifytheshellcode,patchthefirstfewbytesto0xCC
StartupOffice,attachWinDBGtoitand‘g’ Openupthedocument Ifyoudiditright,youshouldhittheint 3 andthensinglestepasneeded.Ifnotthenyouprobablygotinfected.
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 28
Method2 Pickananyexecutable Copytheshellcodeandputitinthebinaryandseteipthere.
Singlestepjustlikeanyanexecutable.
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 29
Method3 Savethefile,i.e.,“c:\temp\sc.bin” Openupnotepad.exe,calc.exe,whatever. AttachWinDBGtoit. .dvalloc<sizeofsc.bin> .readmemc:\temp\sc.binaddr<sizeofsc.bin> Realshellcodeaddress=<addr+scoffset> reip=<addr+scoffset>;t(not‘g’)
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 30
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 31
Method4(bestone) Savethefileas“c:\temp\sc.bin” Openthefileinaneditor(notepad,vim,…);anythingthatopensthefile.
AttachWinDBGtoit. .dvalloc<sizeofsc.bin> .readmemc:\temp\sc.binaddr<sizeofsc.bin> Realshellcodeaddress=<addr+scoffset> reip=<addr+scoffset>;t(not‘g’)
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 32
YouneedtobeabletofingerprintanOLEstructurestoragefile D0 CF 11 E0 A1 B1 1A E1
Getthestreamnametodeterminethefiletype(DOC,PPT,XLS)
Readthestreamcontentandparseitasweshowedearlier
Determinewhatrecordsareaffectedanddetectthem
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 33
WereleasedthefileformatspecificationsforDOC,XLS,PPT,andMSO http://www.microsoft.com/interop/docs/OfficeBinaryFormats.mspx
Giventheinformationhereandthosespecifications,youcanactuallywritecodetoparseandcheckthevalidityoftherecords.
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 34
TowritegoodIDS/AVsignatures,youusuallyhavetounderstandthevulnerabilities. Reverseengineerthepatches Wewillgiveyouthevulnerabilitydetails
MAPP(MicrosoftActiveProtectionProgram)
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 35
Informationavailableat5pmPSTMonday Whatisincluded?
Atechnicaldescriptionofthevulnerability Areprofile/packettrace Crashdump/stacktrace/disassembly Detectionlogic
Howtogetthedata?
9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 36
Myteam’sblog(SWIblog):http://blogs.technet.com/swi Wetalkaboutvulnerabilitydetailsthere Itiswrittenbypeoplewhotriagethevulnerability
[email protected] GotinterestingOfficesamplesandwantsomehelpintriagingthem?Sendthemtous.
Myemail:[email protected] 0x3f…9/23/08 BruceDang|[email protected]|SecureWindowsInitiative|Microsoft 37
