The Butterfly Effect and the "Shellcode Storm"
Chun Feng
Microsoft Corporation
Butterfly Effect
Tiny change -> Large-scale alterations
Butterfly Effect in Computer Security Systems
• CVE-2010-1297
• CVE-2010-2884
• CVE-2010-3654
• CVE-2011-0609
Clean SWF file -> (1 byte change) -> Exploit
Adobe Flash is Pervasive
99% (source: http://www.adobe.com/products/player_census/flashplayer/)
Attacks on Adobe Flash Player
[Bar chart: Number of Reported Adobe Flash Player Related Vulnerabilities, by year 2008-2011 (y-axis 0-70). Bar labels legible in the original: 20, 22, 60, 14 and "42?"; the question mark on the last label is the original's.]
How Adobe Flash File Works
Developer side: ActionScript3 source -> Compile -> ByteCode
User side: AVM (ActionScript Virtual Machine)
  ByteCode Verifier -> JIT Compile: MIR Code Generator -> MD Code Generator -> Native Code (x86, PPC)
Code Example
ActionScript 3:
  public function add8(a:int): int {
      return a+8;
  }
Adobe Byte Code (stack machine):
  pushscope getlocal_1 pushbyte 8 add returnvalue
MIR (intermediate machine independent language):
  @5  arg 0
  @10 ldop 4(@5)
  @22 def @10
  @37 use @22 [1]
  @38 imm 8
  @42 add @37 @38
x86 native code:
  mov eax, 16(ebp)     ; ap (3rd parameter of the JIT'ed function, see below)
  mov edx, 4(eax)      ; ap[1] = a
  mov -84(ebp), edx
  mov ecx, -84(ebp)
  add ecx, 8
  mov -76(ebp), ecx
  mov eax, -76(ebp)
CVE-2010-1297 Overview
Time: Early June, 2010
Affected: Adobe Flash Player version <= 10.0.45.2; Adobe Reader version <= 9.3.2
Sample contains 0-day exploit hosted on a webpage (malformed SWF + JavaScript heap spray)
CVE-2010-1297 Demo
CVE-2010-1297 Analysis
1 byte changed in function public RadioButton.configUI():void
Clean:      4F D2 02 00   callpropvoid fl.controls:LabelButton.configUI, 0
Malicious:  40 D2 02      newfunction TextInput:drawBackground
            00            (former arg-count byte, now left over as the next opcode)
The opcode byte 0x4F (callpropvoid) became 0x40 (newfunction); the same u30 operand D2 02 is now read as a method index instead of a multiname index.
Debugging Obstacles
• Pageguard exception: trouble with OllyDbg; use WinDbg and type the command "sxi gp"
• 15 seconds timeout: needs less intrusive debugging; can't use single step / trace!
• Understanding JIT compiled code
CVE-2010-1297 Analysis
1. How is the control transferred to shellcode?
2. The root cause of this vulnerability
Control Transfer Analysis - Method 1 (Quick & Dirty)
1. Remove the JavaScript heap spray code so the exploit crashes rather than executing shellcode
2. Locate the instruction causing the crash
Problems:
• May not be 100% accurate
• Doesn't work if the heap spray code is encrypted
Analyze Control Transfer - Method 2 (More Precise)
Assumption: control is transferred via a call instruction, so the return address for this call is pushed onto the stack
  463bd28d ff510c   call dword ptr [ecx+0Ch]   ; [4198000c]=0c050c05
  463bd290 83c40c   add esp,0Ch
Dump the stack at the 1st instruction of the shellcode (address 0c050c05):
  463bd290
  41980000
  00000000
  0013e364
Analyze Control Transfer - Method 2 (contd.)
At the 1st instruction of the shellcode, the return address is at the top of the stack
Problems - we are unable to stop there:
• The address of the 1st instruction of the shellcode is not predictable
• Single step doesn't work (15 secs timeout)
Analyze Control Transfer - Method 2 (contd.)
  or al, 5                   ; pseudo NOP start              ESP = ESP0
  // ...
  or al, 5                   ; pseudo NOP end                ESP = ESP0
  or al, 0Ch                 ; 1st instruction of shellcode  ESP = ESP0
  // ... more code (more bytes pushed onto the stack)
  call URLDownloadToFileA    ;                               ESP = ESP1
Stack (growing downwards):
  ESP1 -> return address of the call to URLDownloadToFileA
          ...
  ESP0 -> return address pushed by the vulnerable call (top of stack at shellcode entry)
delta = ESP0 - ESP1 is calculable! Put a breakpoint at URLDownloadToFileA(), then calculate ESP0 = ESP1 + delta
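The ESP-delta trick above as an added worked example (mine, not code from the talk): a small stack-effect model over a constructed shellcode listing computes delta, and a constructed stack dump taken at a URLDownloadToFileA breakpoint yields ESP0 and the dword there, which is the return address into JIT code (the 463bd290 value from the slide). The listing, the ESP1 value and the stack addresses are assumptions made up for illustration.

```python
# Added example (not from the original slides): recover the return address that
# the vulnerable JIT code pushed when it called into the heap-sprayed shellcode.
# Instead of breaking at the (unpredictable) first shellcode instruction, break
# inside URLDownloadToFileA, read ESP1, add the shellcode prefix's net stack
# usage (delta), and read the dword at ESP0. Listing, ESP1 and the stack dump
# are constructed; only the pseudo-NOP bytes and the API call mirror the slides.

def _imm(text: str) -> int:
    """Parse a WinDbg/MASM style immediate: '0Ch' / '50h' (hex) or '0x18' / '24'."""
    text = text.strip()
    if text.lower().endswith("h"):
        return int(text[:-1], 16)
    return int(text, 0)

def stack_effect(insn: str) -> int:
    """Net change in ESP (bytes) caused by one instruction, for the subset a
    shellcode prologue typically uses. Instructions that only read ESP are 0;
    writes to ESP this toy model cannot evaluate raise instead of guessing."""
    insn = insn.split(";")[0].strip()          # drop trailing comment
    if not insn:
        return 0
    mnem, _, ops = insn.partition(" ")
    mnem, ops = mnem.lower(), ops.strip().lower()
    if mnem == "push":
        return -4
    if mnem == "pop":
        return 4
    if mnem == "pushad":
        return -32
    if mnem == "popad":
        return 32
    if mnem == "call":
        return -4                               # the CPU pushes the return address
    dest = ops.split(",")[0].strip()
    if dest == "esp":
        if mnem in ("sub", "add"):
            imm = _imm(ops.split(",")[1])
            return -imm if mnem == "sub" else imm
        raise ValueError(f"cannot model ESP write: {insn!r}")
    return 0

def stack_delta(listing) -> int:
    """delta = ESP0 - ESP1 over the instructions executed from shellcode entry
    through the call we break on (positive: the stack grew downwards)."""
    return -sum(stack_effect(line) for line in listing)

def return_address_at_entry(stack: dict, esp1: int, delta: int):
    """stack: dump (address -> dword) taken at the API breakpoint.
    Returns (ESP0, the dword on top of the stack at shellcode entry)."""
    esp0 = esp1 + delta
    return esp0, stack[esp0]

# Constructed shellcode prefix: slide-style pseudo NOPs, then the five argument
# pushes of URLDownloadToFileA(pCaller, szURL, szFileName, dwReserved, lpfnCB).
SHELLCODE = [
    "or al,5                     ; pseudo NOP (bytes 0C 05, the spray pattern)",
    "or al,5                     ; pseudo NOP",
    "or al,0Ch                   ; 1st real instruction, ESP = ESP0",
    "mov ecx, dword ptr [esp+4]  ; reads ESP, does not move it",
    "push 0                      ; lpfnCB",
    "push 0                      ; dwReserved",
    "push ebx                    ; szFileName",
    "push esi                    ; szURL",
    "push 0                      ; pCaller",
    "call dword ptr [edi]        ; URLDownloadToFileA, ESP = ESP1 at the breakpoint",
]

# Constructed stack dump at the breakpoint. The dword at ESP0 is the return
# address into JIT code seen on the slide (463bd290); other values are filler.
ESP1 = 0x0013E340
STACK = {
    0x0013E340: 0x0C050C2B,   # return into the shellcode after the API call
    0x0013E344: 0x00000000,
    0x0013E348: 0x0C0C0C0C,
    0x0013E34C: 0x0C0C0C0C,
    0x0013E350: 0x00000000,
    0x0013E354: 0x00000000,
    0x0013E358: 0x463BD290,   # <- ESP0: pushed by 'call dword ptr [ecx+0Ch]' at 463bd28d
    0x0013E35C: 0x41980000,
}

if __name__ == "__main__":
    delta = stack_delta(SHELLCODE)
    esp0, ret = return_address_at_entry(STACK, ESP1, delta)
    print(f"delta = {delta}  ESP0 = {esp0:08x}  return address = {ret:08x}")
```

In a live session the listing comes from the dumped shellcode and ESP1 from the debugger at the API breakpoint; the model deliberately refuses to guess at ESP writes it cannot evaluate (e.g. `mov esp, ebp`), since a wrong delta silently points at the wrong stack slot.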
Control Transfer Analysis Demo
Control Transfer Found!
  463bd270 mov ecx, dword ptr [ebx+34h]    ; [431492b4]=4313e080
  463bd276 mov edx, dword ptr [ecx+8]      ; [4313e088]=42fb208a
  463bd27b mov ecx, dword ptr [edx+284h]   ; [42fb230e]=41980000
  463bd28d call dword ptr [ecx+0Ch]        ; [4198000c]=0c050c05
CVE-2010-1297 Analysis
1. How is the control transferred to shellcode?
2. The root cause of this vulnerability
What's Really Wrong?
• No documentation for the JIT compiler
• No PDB symbol file available
  463bd270 mov ecx, dword ptr [ebx+34h]    ; [431492b4]=4313e080
  463bd276 mov edx, dword ptr [ecx+8]      ; [4313e088]=42fb208a
  463bd27b mov ecx, dword ptr [edx+284h]   ; [42fb230e]=41980000
  463bd28d call dword ptr [ecx+0Ch]        ; [4198000c]=0c050c05
Useful Trick
Revealed by http://jpauclair.net
Windows: C:\Documents and Settings\<username>\mm.cfg
  AS3Verbose = 1
Details of the JIT runtime trace are written to:
C:\Documents and Settings\<username>\Application Data\Macromedia\Flash Player\Logs\flashlog.txt
Example of the Useful Trick
  26:callpropvoid fl.controls:BaseButton::drawBackground 0
    @63 ldop 16(@62)
    @64 ldop 812(@63)
    ……
  @63 ldop 16(@62)
    060BD6E4 mov eax, 16(ebx)    active: eax(63-64) ebx(62-69) edi(2-142)
  @64 ldop 812(@63)
    060BD6E7 mov ecx, 812(eax)   active: ecx(64-70) ebx(62-69) edi(2-142)
Internals of JIT Compiled Code
Each JIT compiled function has three parameters:
func(MethodEnv*, int argc, uint32 *ap)
For example:
RadioButton.configUI ():void
• argc = 0
• ap[0] = RadioButton instance (“this” pointer)
Using the Useful Trick
  protected function drawBackground():void {
      var bg:DisplayObject = background;
      var styleName:String = (enabled) ? "upSkin" : "disabledSkin";
      …
  }
  463bd270 mov ecx, dword ptr [ebx+34h]    ; [431492b4]=4313e080
  463bd276 mov edx, dword ptr [ecx+8]      ; [4313e088]=42fb208a
  463bd27b mov ecx, dword ptr [edx+284h]   ; [42fb230e]=41980000
  463bd28d call dword ptr [ecx+0Ch]        ; [4198000c]=0c050c05
Using the Useful Trick (contd.)
The control transfer is in the JIT compiled code for TextInput.drawBackground()
TextInput.drawBackground(MethodEnv*, int argc, uint32 *ap)
  463bd1bc push ebp
  463bd1bd mov ebp,esp
  463bd1bf sub esp,50h
  463bd1c5 mov eax,dword ptr [ebp+10h]   ; ap: [0013e290]=43169301
  463bd1c8 mov eax,dword ptr [eax]       ; [43169301] = ??? (unaligned pointer)
Tracking Back
In TextInput.as: TextInput.draw() calls TextInput.drawBackground()
In the JIT compiled code of TextInput.draw(), after the 1 byte change (=> newfunction TextInput.drawBackground):
  463bcbdb 83c801   or eax,1                    ; make it unaligned!
  …
  call TextInput.drawBackground()               ; Overloaded!
Atom Internal Representation
Lowest 3 bits used for type:
  000 (0)  Untagged
  001 (1)  Object
  010 (2)  String
  011 (3)  Namespace
  100 (4)  Undefined
  101 (5)  Boolean
  110 (6)  Integer
  111 (7)  Double
0x43169301: type = Object (001), actual value = 0x43169300
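Added example (mine, not from the talk) of the Atom tagging described above: decode and build the 3-bit tag, and check whether a value in the raw ap[0] "this" slot is in fact a tagged atom, which is what the unaligned 0x43169301 seen at 463bd1c8 is. The tag numbers are the slide's; the 29-bit signed integer layout (value in bits 3..31) and the helper names are my assumptions beyond the slide's table.

```python
# Added example (not from the original slides): decode and build AVM2 Atom
# values using the 3-bit type tag, and show the mismatch behind the crash: the
# JIT-emitted "or eax,1" turns a raw object pointer into an Object atom, but the
# callee expects the raw, aligned "this" pointer in ap[0].

ATOM_KINDS = {0: "Untagged", 1: "Object", 2: "String", 3: "Namespace",
              4: "Undefined", 5: "Boolean", 6: "Integer", 7: "Double"}
POINTER_KINDS = {1, 2, 3, 7}   # payload is a pointer; the low 3 bits hold the tag
MASK32 = 0xFFFFFFFF

def decode_atom(atom: int):
    """Return (kind name, payload) for a 32-bit atom."""
    atom &= MASK32
    kind = atom & 7
    if kind in POINTER_KINDS:
        payload = atom & ~7 & MASK32          # strip the tag to get the pointer
    elif kind == 6:                           # signed 29-bit integer in bits 3..31
        payload = atom >> 3
        if atom & 0x80000000:
            payload -= 1 << 29
    elif kind == 5:
        payload = bool(atom >> 3)
    elif kind == 4:
        payload = None                        # undefined carries no value
    else:
        payload = atom                        # untagged: raw machine word
    return ATOM_KINDS[kind], payload

def make_atom(kind: int, payload) -> int:
    """Inverse of decode_atom. Tagging a pointer is exactly 'or eax, <kind>'."""
    if kind in POINTER_KINDS:
        if payload & 7:
            raise ValueError("pointer must be 8-byte aligned to carry a 3-bit tag")
        return (payload | kind) & MASK32
    if kind == 6:
        return ((payload << 3) | 6) & MASK32
    if kind == 5:
        return (int(bool(payload)) << 3) | 5
    if kind == 4:
        return 4
    raise ValueError("untagged values are not built with make_atom")

def check_this_slot(ap0: int):
    """ap[0] is the raw 'this' pointer (JIT calling convention above). A value
    with low bits set there is a tagged atom that the callee will dereference
    without untagging, as at 463bd1c8 ([43169301] = ???)."""
    if ap0 & 3 == 0:
        return True, "raw 4-byte-aligned pointer"
    kind, payload = decode_atom(ap0)
    return False, f"tagged {kind} atom 0x{ap0:08X} in raw-pointer slot (payload {payload!r})"

if __name__ == "__main__":
    print(decode_atom(0x43169301))            # ('Object', 0x43169300)
    print(hex(make_atom(1, 0x43169300)))      # 0x43169301, what 'or eax,1' produced
    print(check_this_slot(0x43169301))
```

The same check is what a verifier-level fix has to enforce: a slot typed as a raw pointer must never receive an atom, and code consuming an atom must mask the tag off before dereferencing.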
The Whole Picture of the Butterfly Effect
1. RadioButton.configUI(): 1 byte changed (callpropvoid -> newfunction)
2. A function object for TextInput.drawBackground() is created
3. TextInput.draw() emits the wrong code / parameter when calling TextInput.drawBackground() (which has been "overloaded")
4. TextInput.drawBackground() doesn't handle it correctly when the "enabled" property is referenced
5. Invalid memory accessed, shellcode executed
CVE-2010-1297 Analysis
1. How is the control transferred to shellcode?
2. The root cause of this vulnerability
CVE-2010-3654 Case Study
Time: Early Nov 2010
Affected: Adobe Flash Player version <= 10.1.85.3; Adobe Reader version <= 9.4
Sample containing 0-day exploit distributed as a PDF file with a malformed SWF embedded
CVE-2010-3654 Case Study
Clean:
  0x07  // [17] CONSTANT_QName
  0x02  // NsIndex = 2 (0x02)
  0x16  // NameIndex = 22 (0x16)  -> "RadioButtonGroup"
Malicious:
  0x07  // [17] CONSTANT_QName
  0x02  // NsIndex = 2 (0x02)
  0x07  // NameIndex = 7 (0x07)   -> "Button"
1 byte change in the MultiName constant pool (07 02 16 -> 07 02 07):
"fl.controls.RadioButtonGroup" -> "fl.controls.Button"
The Whole Picture of the Butterfly Effect
MultiName constant pool: NameIndex changed
fl.controls.RadioButtonGroup -> fl.controls.Button
RadioButtonGroup.set_groupName -> Button.set_groupName
Invalid memory accessed, shellcode executed
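Added example (mine, not the talk's code) for the constant-pool change above: an ABC u30 reader and multiname parser resolve the clean and malicious QName entries against constructed string and namespace pools (only indexes 2, 7, 22 and the package-name string are populated; the sample's real pools are not on the slides). The same u30 reader also decodes the D2 02 operand of the CVE-2010-1297 one-byte change as index 338.

```python
# Added example (not from the original slides): parse ABC multiname entries,
# resolve QNames against (constructed) string and namespace pools, and diff the
# clean and malicious entries from the CVE-2010-3654 sample.

# multiname_info kinds from the AVM2 instruction set / ABC file format
CONSTANT_QName, CONSTANT_QNameA         = 0x07, 0x0D
CONSTANT_RTQName, CONSTANT_RTQNameA     = 0x0F, 0x10
CONSTANT_RTQNameL, CONSTANT_RTQNameLA   = 0x11, 0x12
CONSTANT_Multiname, CONSTANT_MultinameA = 0x09, 0x0E
CONSTANT_MultinameL, CONSTANT_MultinameLA = 0x1B, 0x1C

def read_u30(buf, pos):
    """Decode an ABC u30 (LEB128-style, 7 bits per byte, up to 5 bytes);
    return (value, position after it)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80 or shift >= 35:
            break
    return value & 0xFFFFFFFF, pos

def parse_multiname(buf, pos=0):
    """Parse one multiname_info; return (dict, position after it)."""
    kind = buf[pos]
    pos += 1
    entry = {"kind": kind}
    if kind in (CONSTANT_QName, CONSTANT_QNameA):
        entry["ns"], pos = read_u30(buf, pos)
        entry["name"], pos = read_u30(buf, pos)
    elif kind in (CONSTANT_RTQName, CONSTANT_RTQNameA):
        entry["name"], pos = read_u30(buf, pos)
    elif kind in (CONSTANT_Multiname, CONSTANT_MultinameA):
        entry["name"], pos = read_u30(buf, pos)
        entry["ns_set"], pos = read_u30(buf, pos)
    elif kind in (CONSTANT_MultinameL, CONSTANT_MultinameLA):
        entry["ns_set"], pos = read_u30(buf, pos)
    elif kind not in (CONSTANT_RTQNameL, CONSTANT_RTQNameLA):
        raise ValueError(f"unknown multiname kind 0x{kind:02x}")
    return entry, pos

# Constructed pools. In a real ABC file these come from cpool_info; index 0 of
# each pool is the special "any"/empty entry. Only the indexes needed here are filled.
STRINGS = {0: "*", 7: "Button", 22: "RadioButtonGroup", 40: "fl.controls"}
NAMESPACES = {0: None, 2: ("PackageNamespace", 40)}   # (kind, string index of the name)

def resolve_qname(entry, strings=STRINGS, namespaces=NAMESPACES):
    """Turn a QName entry into 'package.Name' (or just 'Name' for the any namespace)."""
    if entry["kind"] not in (CONSTANT_QName, CONSTANT_QNameA):
        raise ValueError("only QName entries are resolved in this example")
    local = strings[entry["name"]]
    ns = namespaces[entry["ns"]]
    if ns is None:
        return local
    return f"{strings[ns[1]]}.{local}"

def diff_bytes(a: bytes, b: bytes):
    """Offsets at which two equally long blobs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

CLEAN     = bytes([0x07, 0x02, 0x16])   # [17] CONSTANT_QName ns=2 name=22
MALICIOUS = bytes([0x07, 0x02, 0x07])   # [17] CONSTANT_QName ns=2 name=7

def demo():
    clean, _ = parse_multiname(CLEAN)
    bad, _ = parse_multiname(MALICIOUS)
    return resolve_qname(clean), resolve_qname(bad), diff_bytes(CLEAN, MALICIOUS)

if __name__ == "__main__":
    print(demo())                               # ('fl.controls.RadioButtonGroup', 'fl.controls.Button', [2])
    print(read_u30(bytes([0xD2, 0x02]), 0))     # (338, 2): the D2 02 operand from CVE-2010-1297
```

Because the name index is a single byte here, a one-byte fuzz mutation maps cleanly onto "swap the class a method body binds to"; a real triage script would walk the whole multiname array of both files the same way and report every resolved-name difference.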
CVE-2011-0609 Case Study
Time: March 2011
Affected: Adobe Flash Player version <= 10.2.152.33; Adobe Reader version <= 10.0.1
Sample containing 0-day exploit distributed as an Excel file with one SWF file embedded
CVE-2011-0609 Case Study (contd.)
Clean:
  4CC4 10 07 00 00   jump loc_4CCF
  …
  4CCF 80 2C         coerce com.greensock.core.SimpleTimeline
Malicious:
  3EA1 10 29 00 00   jump loc_3ECE
  …
  3ECE 66 D6 02      getproperty <namespace_set>.paused
Jump destination is changed! The s24 offset operand of the jump (07 -> 29) now lands on a getproperty instead of the coerce.
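Added example (mine, not from the talk): decoding the s24 operand of AVM2 branch instructions and computing the absolute target, reproducing both jumps shown above and flagging targets outside the method body. The opcode table is from the AVM2 instruction set; the code buffers are constructed around the four bytes of each jump, with the destination bytes (80 2C and 66 D6 02) taken from the slide.

```python
# Added example (not from the original slides): AVM2 branch decoding.
# Branch instructions are opcode + s24 (signed, little-endian) and the target is
# the address immediately after the 4-byte instruction plus the offset.

BRANCH_OPCODES = {
    0x0C: "ifnlt", 0x0D: "ifnle", 0x0E: "ifngt", 0x0F: "ifnge",
    0x10: "jump", 0x11: "iftrue", 0x12: "iffalse", 0x13: "ifeq",
    0x14: "ifne", 0x15: "iflt", 0x16: "ifle", 0x17: "ifgt",
    0x18: "ifge", 0x19: "ifstricteq", 0x1A: "ifstrictne",
}

def read_s24(buf, pos):
    """Signed 24-bit little-endian value at buf[pos:pos+3]."""
    v = buf[pos] | (buf[pos + 1] << 8) | (buf[pos + 2] << 16)
    return v - 0x1000000 if v & 0x800000 else v

def decode_branch(code: bytes, pc: int, base: int = 0):
    """code: bytes of the method body; pc: offset of the branch inside it;
    base: file offset of code[0], so 'target' matches the slide's addresses.
    in_range tells whether the target lies inside the method body at all."""
    op = code[pc]
    if op not in BRANCH_OPCODES:
        raise ValueError(f"0x{op:02x} at 0x{base + pc:x} is not a branch opcode")
    off = read_s24(code, pc + 1)
    target = pc + 4 + off
    return {"mnemonic": BRANCH_OPCODES[op], "offset": off,
            "target": base + target, "in_range": 0 <= target < len(code)}

def opcode_at_target(code: bytes, pc: int):
    """First byte of the instruction the branch lands on, or None if out of range."""
    info = decode_branch(code, pc)
    return code[info["target"]] if info["in_range"] else None

# Constructed method bodies: the jump bytes and the destination bytes are the
# slide's; the bytes in between are zero filler standing in for the elided code.
CLEAN_BASE, CLEAN_CODE = 0x4CC4, bytes([0x10, 0x07, 0x00, 0x00]) + bytes(7) + bytes([0x80, 0x2C])
MAL_BASE, MAL_CODE = 0x3EA1, bytes([0x10, 0x29, 0x00, 0x00]) + bytes(0x29) + bytes([0x66, 0xD6, 0x02])

if __name__ == "__main__":
    for base, code in ((CLEAN_BASE, CLEAN_CODE), (MAL_BASE, MAL_CODE)):
        info = decode_branch(code, 0, base)
        print(f"{base:04X}: {info['mnemonic']} loc_{info['target']:04X} "
              f"(offset {info['offset']}, lands on opcode 0x{opcode_at_target(code, 0):02X})")
```

A one-byte change to the offset keeps the instruction well-formed, so a structural check alone passes it; only following the branch (as above) and asking whether the destination is an instruction the verifier's type state allows there reveals the problem, which is what the bytecode verifier is supposed to do.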
Shellcode Storm Example 1 - CVE-2010-1297
Shellcode payload:
• Downloads an encrypted PE file
• Decrypts it (xor 0x95, skipping bytes equal to 0x00 and 0x95)
Decrypted PE file (Win32/Poison):
• Keylogger
• Backdoor, receiving packets laid out as:
  offset 0: Length (4 bytes)
  offset 4: Shellcode
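Added example (mine, not the payload's code): the XOR-0x95 decryption with the 0x00/0x95 skip rule described above, plus a triage helper that brute-forces a single-byte key of the same scheme using the MZ/PE headers as the oracle. The PE blob is constructed (a minimal fake header), not the real Win32/Poison payload.

```python
# Added example (not from the original slides): single-byte XOR with the
# "skip 0x00 and key" rule, and key recovery for blobs that decrypt to a PE file.
import struct

def xor_skip(data: bytes, key: int) -> bytes:
    """XOR every byte with key, leaving bytes equal to 0x00 or key untouched.
    Since p ^ key == 0 only when p == key and == key only when p == 0, the set of
    skipped bytes is identical before and after, so this is its own inverse."""
    return bytes(b if b in (0x00, key) else b ^ key for b in data)

def looks_like_pe(data: bytes) -> bool:
    """Cheap oracle: 'MZ' at 0, e_lfanew at 0x3C pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def recover_key(blob: bytes):
    """Try all 256 keys under the skip rule; return the first that yields a PE, else None."""
    for key in range(256):
        if looks_like_pe(xor_skip(blob, key)):
            return key
    return None

def fake_pe(e_lfanew: int = 0x80, size: int = 0x100) -> bytes:
    """Constructed stand-in for a downloaded PE: valid DOS/PE signatures only."""
    hdr = bytearray(size)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    hdr[0x40:0x50] = bytes(range(0x90, 0xA0))   # includes a 0x95 byte to exercise the skip
    return bytes(hdr)

if __name__ == "__main__":
    plain = fake_pe()
    wire = xor_skip(plain, 0x95)                 # what the shellcode downloads
    print("key:", hex(recover_key(wire)))       # 0x95
    print("round trip ok:", xor_skip(wire, 0x95) == plain)
```

Note the skip rule is what keeps zero runs in the encrypted file at zero, so entropy-based spotting of the downloaded blob is weaker than for plain XOR; the header oracle above does not depend on that and is the practical way to recover the key from a captured download.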
Shellcode Backdoor versus C&C Backdoor
Receives shellcode rather than a command
Pros:
• Thin client - just executes whatever it receives
• Easy to implement a new command
• Payload code not written to disk
Cons:
• Coding complexity - commands must be written as shellcode
• Platform dependent
Shellcode Storm Example 2 - CVE-2010-3654
Shellcode matryoshka:
1. Shellcode decrypts a PE file from the PDF stream
2. Shellcode in the decrypted PE file decrypts a DLL from a resource
3. Shellcode in the decrypted DLL decrypts and loads a PE file (Win32/Hupigon, aka Win32/Pigeon)
Conclusion
• Threats have been targeting Adobe Flash Player because it is popular and platform-independent
• A 1 byte change in a SWF may have significant consequences. Attackers have been using dumb fuzzing to find such vulnerabilities
• Attacks on Adobe Flash Player are likely to remain prevalent in the future
Q & A