Date posted: 15-Feb-2022

TurtleSec
@pati_gallardo

Transcript

“Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.”

https://www.schneier.com/blog/archives/2014/04/heartbleed.html

Heartbleed

What was the bug?
- Buffer over-read
- Attacker controlled buffer size

What made it bad?
- Remote attack
- High value memory
- Wide deployment

“The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read”

CVE-2014-0160 Description

Heartbleed is a prime example of an Information Leak

Heartbleed is famous for how devastating it was. But it also became the poster child for fuzzing.

Introduction to Memory Exploitation
CppEurope 2021
Patricia Aas

Patricia Aas - Trainer & Consultant
C++ Programmer, Application Security
Currently: TurtleSec
Previously: Vivaldi, Cisco Systems, Knowit, Opera Software
Master in Computer Science
Pronouns: she/they

Fuzzing

Diagram: a Corpus of Valid Inputs feeds the Fuzzer, which drives the Instrumented Target; the target returns Coverage Feedback to the fuzzer, and any input that makes the target Crash is saved as one of the Crashing Inputs.

Now that’s all nice and good. But most memory errors don’t cause us to crash. At least not right away.

Sanitizers

Address Sanitizer: compiler instrumentation plus a run-time library. Available in Clang, GCC and MSVC.

$ clang++ -fsanitize=address overflow.cpp
$ ./a.out
ERROR: AddressSanitizer: stack-buffer-overflow

Address Sanitizer provokes crash-like behavior for many memory bugs. It supercharges fuzzing and makes it possible to find “hidden” bugs.
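The Heartbleed slides above come down to one missing check: a length field chosen by the peer was used to size a copy without comparing it to the bytes that actually arrived. The following is an added example, written for this transcript and not code from the talk or from OpenSSL, of a small heartbeat-style message handler that performs that check, together with a libFuzzer entry point so the handler can be fuzzed under AddressSanitizer as the fuzzing and sanitizer slides describe. The wire layout, the namespace and all function names are assumptions for the illustration; the two length checks follow the same shape as the OpenSSL 1.0.1g fix.

```cpp
// Added example (not from the talk or from OpenSSL): a heartbeat-style
// message handler with the length check Heartbleed lacked, plus a libFuzzer
// entry point so the handler can be fuzzed under AddressSanitizer.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace heartbeat {

// Wire layout assumed here (modelled on the TLS heartbeat message):
//   1 byte  type
//   2 bytes payload_length (big endian)
//   payload_length bytes of payload
//   at least 16 bytes of padding
constexpr std::size_t kHeaderLen = 3;
constexpr std::size_t kMinPadding = 16;

struct Result {
    bool accepted;                      // false => request dropped, nothing echoed
    std::vector<std::uint8_t> echoed;   // payload copied into the response
};

// Reads the 16-bit length field the peer sent. This value is attacker
// controlled, which is exactly why it must be checked against how many
// bytes actually arrived before it is used to size a copy.
inline std::uint16_t claimed_payload_length(const std::vector<std::uint8_t>& record) {
    return static_cast<std::uint16_t>((record[1] << 8) | record[2]);
}

// Hardened handler. The record must be big enough for the header plus
// padding, and the claimed payload length must fit inside the bytes that
// were actually received. Only after both checks is payload_len used.
inline Result handle(const std::vector<std::uint8_t>& record) {
    Result r{false, {}};
    if (record.size() < kHeaderLen + kMinPadding) {
        return r;   // too short to even contain a length field and padding
    }
    const std::size_t payload_len = claimed_payload_length(record);
    if (kHeaderLen + payload_len + kMinPadding > record.size()) {
        return r;   // peer claims more payload than it sent: silently drop
    }
    r.accepted = true;
    const auto first = record.begin() + static_cast<std::ptrdiff_t>(kHeaderLen);
    r.echoed.assign(first, first + static_cast<std::ptrdiff_t>(payload_len));
    return r;
}

// Constructed sample records for a stand-alone run (not captured traffic).
inline std::vector<std::uint8_t> make_record(std::uint16_t claimed_len,
                                             std::size_t actual_payload,
                                             std::size_t padding) {
    std::vector<std::uint8_t> rec;
    rec.push_back(0x01);                                  // heartbeat_request
    rec.push_back(static_cast<std::uint8_t>(claimed_len >> 8));
    rec.push_back(static_cast<std::uint8_t>(claimed_len & 0xFF));
    for (std::size_t i = 0; i < actual_payload; ++i) {
        rec.push_back(static_cast<std::uint8_t>('A' + i % 26));
    }
    for (std::size_t i = 0; i < padding; ++i) rec.push_back(0x00);
    return rec;
}

// A well-formed request: 4 bytes claimed, 4 bytes sent, 16 bytes padding.
inline bool demo_accepts_valid() {
    Result r = handle(make_record(4, 4, 16));
    return r.accepted && r.echoed.size() == 4 && r.echoed[0] == 'A' && r.echoed[3] == 'D';
}

// The Heartbleed shape: 65535 bytes claimed, 4 bytes actually sent.
inline bool demo_rejects_overlong() {
    Result r = handle(make_record(0xFFFF, 4, 16));
    return !r.accepted && r.echoed.empty();
}

// A record too short to hold the mandatory padding is dropped as well.
inline bool demo_rejects_short() {
    return !handle(make_record(0, 0, 3)).accepted;
}

}  // namespace heartbeat

// libFuzzer entry point. Build with
//   clang++ -g -O1 -fsanitize=fuzzer,address heartbeat.cpp
// and run ./a.out; ASan reports any over-read the handler still permits.
extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t* data, std::size_t size) {
    std::vector<std::uint8_t> record(data, data + size);
    (void)heartbeat::handle(record);
    return 0;
}
```

The handler drops a bad record instead of answering it, which is also what the fix does: a response that echoes whatever the length field demands is the information leak, so the safe failure mode is to echo nothing. Without `-fsanitize=address` an over-read in the pre-fix logic would usually not crash, which is the point the "most memory errors don't cause us to crash" slide makes.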

Diagram: Fuzzer - provoke weird behavior; Sanitizers - make the application crashy; Debugger - analyze.

So you found a bug. What now?

Exploitation

Diagram: The Programmer’s Mental State Machine. Expected states: Secret, Access Granted, Operation complete, Access Denied, Terminate, reached with the inputs “David” and “Joshua”. The input “globalthermonuclearwar” leads to a Weird State: Launching missiles.

Diagram: Programming the Weird Machine (terminology credited to @halvarflake and @sergeybratus). A Vulnerability takes The Target into a Weird State, and The Shellcode is the program that runs in that weird state.

Shellcode

Piece of code, typically in machine code, that is delivered and executed as a part of an exploit.

Called “shellcode” because a traditional use was to start a shell, for example sh.

In real exploits it will deliver some kind of mechanism for further (remote) compromise of the system.

The Anatomy of an Exploit

Diagram: an Exploit is built from three capabilities: Read Memory (Information Leaks), Write Memory (Planting of Shellcode) and Execute Code (Running of Shellcode).

Code Execution

To run your shellcode you need the instruction pointer to jump to your shellcode.

The instruction pointer jumps in many different scenarios - the goal here is to control where it jumps to. Examples:
- return from a function
- virtual function call
- function pointer

“Primitives”

A vulnerability or a capability in the application that can be used as a part of a wider exploit is often referred to as a “primitive”. Examples:
- Arbitrary Read Primitive
- Write-What-Where Primitive
- Read-Where Primitive

Mitigations

Platform and Compiler Mitigations

Diagram: the exploit anatomy (Read Memory, Write Memory, Execute Code) with mitigations attached: Address Space Layout Randomization (ASLR), “Limit interesting info?”, Stack Canaries and Non-executable memory.

Cleaning Memory?

The Case Of The Disappearing Memset

Dead Store Elimination

The compiler is allowed to optimize away stores that cannot be detected, meaning a memset of memory that is never read afterwards can be removed.
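To make the disappearing memset concrete, here is an added example (written for this transcript, not code from the talk) showing the dead store beside one portable way to keep the wipe: writing through a volatile pointer, which the compiler must treat as an observable side effect. The function names, the 32-byte key and the toy "tag" computation are constructed for the illustration.

```cpp
// Added example (not from the talk): a wipe the optimizer may not drop,
// beside the plain memset it replaces.
#include <array>
#include <cstddef>
#include <cstring>

// Writing through a volatile pointer: each store is an observable side
// effect in the abstract machine, so dead store elimination cannot remove it.
inline void secure_zero(void* p, std::size_t n) {
    volatile unsigned char* vp = static_cast<volatile unsigned char*>(p);
    while (n--) *vp++ = 0;
}

// Returns true only if every byte in [p, p + n) is zero.
inline bool all_zero(const unsigned char* p, std::size_t n) {
    unsigned char acc = 0;
    for (std::size_t i = 0; i < n; ++i) acc |= p[i];
    return acc == 0;
}

// Simulated secret use: fill a key, derive a one-byte "tag" from it, then
// wipe the key before returning. The key derivation is constructed for the
// example and is not a real KDF.
inline unsigned char use_key_then_wipe(unsigned char seed) {
    std::array<unsigned char, 32> key{};
    for (std::size_t i = 0; i < key.size(); ++i) {
        key[i] = static_cast<unsigned char>(seed + i);
    }
    unsigned char tag = 0;
    for (unsigned char b : key) tag ^= b;

    // Dead store: nothing reads `key` after this line, so under -O2 the
    // compiler may delete the call and leave the key bytes on the stack.
    // std::memset(key.data(), 0, key.size());

    // Volatile stores are kept regardless of optimization level.
    secure_zero(key.data(), key.size());
    return tag;
}

// Fill a buffer with a marker, wipe it, and report whether it is all zero.
inline bool wipe_demo() {
    unsigned char buf[64];
    std::memset(buf, 0xAA, sizeof buf);
    secure_zero(buf, sizeof buf);
    return all_zero(buf, sizeof buf);
}
```

The volatile loop is the portable option; platform-specific alternatives that exist for the same purpose are `explicit_bzero` (glibc and the BSDs), `memset_s` (C11 Annex K, where the implementation provides it) and `SecureZeroMemory` on Windows. Note that a test cannot observe the difference between `memset` and `secure_zero` from inside the program, since the abstract machine sees the same state either way; the only evidence is the generated code, which is what makes this class of bug easy to miss.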

The Heap

Allocators

Simple Pool Allocator

Diagram sequence: Empty Pool; Initial allocations (shown over several slides); An allocation is freed - what now? (the chunk is marked Free); Another allocation is freed - what now? (more chunks marked Free); Free chunks: coalesce? link?

So… how can we exploit this behavior? We can allocate!

Heap Spraying

Fill memory with a certain byte sequence, possibly shellcode, so that a “random” jump might hit it.

Diagram: Normal Allocation versus Heap Spraying. Initial state; then memory is filled with shellcode.

This is a bit scattershot. Can we have more control?

Heap Grooming (Heap Feng Shui)

Create predictable memory patterns. Trick the allocator into allocating a specific chunk, a chunk you can control. Let’s see it in action.
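The allocator slides and the heap grooming slide both rest on one property: a simple allocator is deterministic, and a freed chunk is the first thing handed back out. The following is an added example (written for this transcript, not the talk's code and not any production allocator) of the fixed-size pool allocator the diagrams sketch, with the free list linked through the freed chunks themselves. It walks the slide sequence in code: initial allocations, frees, and the allocation that lands on a freed chunk. The class, chunk size and helper names are assumptions for the illustration.

```cpp
// Added example (not from the talk): a minimal fixed-size pool allocator
// with an intrusive LIFO free list, showing why allocation order is
// predictable and why a freed chunk is the next one handed out.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

class Pool {
public:
    static constexpr std::size_t kChunk = 32;   // bytes per chunk (assumed)

    explicit Pool(std::size_t chunks) : storage_(chunks * kChunk), free_head_(nullptr) {
        // Thread every chunk onto the free list, last chunk first, so the
        // first allocation hands out chunk 0, the second chunk 1, and so on.
        for (std::size_t i = chunks; i-- > 0;) {
            push_free(storage_.data() + i * kChunk);
        }
    }

    // Pop the head of the free list: O(1) and fully deterministic.
    void* allocate() {
        if (!free_head_) return nullptr;   // pool exhausted; no coalescing here
        std::uint8_t* chunk = free_head_;
        std::memcpy(&free_head_, chunk, sizeof free_head_);   // next pointer is stored inside the chunk
        return chunk;
    }

    // A freed chunk becomes the new head, so the next allocate() returns it.
    void deallocate(void* p) {
        push_free(static_cast<std::uint8_t*>(p));
    }

    // Position of a chunk within the pool, for inspection in the demos.
    std::size_t index_of(const void* p) const {
        return static_cast<std::size_t>(static_cast<const std::uint8_t*>(p) - storage_.data()) / kChunk;
    }

private:
    void push_free(std::uint8_t* chunk) {
        std::memcpy(chunk, &free_head_, sizeof free_head_);   // link to previous head
        free_head_ = chunk;
    }
    std::vector<std::uint8_t> storage_;
    std::uint8_t* free_head_;
};

// "Initial allocations": the pool hands out chunks in address order.
inline bool first_three_sequential() {
    Pool pool(8);
    void* a = pool.allocate();
    void* b = pool.allocate();
    void* c = pool.allocate();
    return pool.index_of(a) == 0 && pool.index_of(b) == 1 && pool.index_of(c) == 2;
}

// "An allocation is freed - what now?": the next allocation reuses it.
// Returns the chunk index the new allocation landed on.
inline std::size_t reuse_after_free_demo() {
    Pool pool(8);
    void* a = pool.allocate();   // chunk 0
    void* b = pool.allocate();   // chunk 1
    void* c = pool.allocate();   // chunk 2
    (void)a; (void)c;
    pool.deallocate(b);          // chunk 1 becomes the free-list head
    void* d = pool.allocate();   // LIFO: chunk 1 comes straight back
    return pool.index_of(d);
}

// "Another allocation is freed": with two frees, the most recently freed
// chunk is the one returned first.
inline std::size_t lifo_order_demo() {
    Pool pool(8);
    void* a = pool.allocate();   // chunk 0
    void* b = pool.allocate();   // chunk 1
    void* c = pool.allocate();   // chunk 2
    (void)b;
    pool.deallocate(a);
    pool.deallocate(c);          // freed last, so it is the head
    return pool.index_of(pool.allocate());   // 2
}
```

This is the behavior the slides ask about under "coalesce? link?": the example links rather than coalesces, and the link pointer living inside the freed chunk is also why writes into freed memory corrupt allocator state. Production allocators such as glibc's malloc or the Windows heap are far more involved, but they share the reuse property, which is why hardened allocators add randomization, guard pages and free-list integrity checks.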

Putting it all together

“The Shadow Brokers”

Hacking group behind a leak in 2016-17. The leaked exploits and tools are believed to be the NSA’s. The Shadow Brokers are suspected to be Russian. The leak was done in several batches. Most famous is the EternalBlue exploit.

Very Light Background: Windows SMBv1

Diagram: Client sends a Request to the Server, the Server returns a Response (SMB messages).

Aside: This is the diagram of all things computer.

Eternal Exploits

- DoublePulsar
- EternalBlue
- EternalRomance
- EternalChampion
- EternalSynergy

EternalBlue

Write-What-Where Primitive and Remote Code Execution
Linear Buffer Overrun, Heap Spray / Heap Grooming

Main bug

“When updating the length of the list, the size is written to as if it were a 16-bit ushort, when it is actually a 32-bit ulong. This means that the upper 16-bits are not updated when the list gets truncated.”
Microsoft Defender Security Research Team
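The quoted root cause is a width mismatch, and it is easier to see in a model than in prose. The following is an added example (written for this transcript; it is not the talk's code and not the SMB implementation) that models a 32-bit list length updated through a 16-bit store, beside the full-width store that fixes it and a consistency check that would flag the stale upper half. The struct, the capacity field and the sample values are assumptions for the illustration; the low-two-bytes effect of a 16-bit store is the little-endian case.

```cpp
// Added example (not from the talk, not the SMB code): a model of the
// EternalBlue root cause, a 32-bit length updated through a 16-bit store,
// and the invariant check that would have caught the stale upper 16 bits.
#include <cstdint>

struct List {
    std::uint32_t length;     // real field width: 32 bits
    std::uint32_t capacity;   // entries the backing buffer can hold (assumed field)
};

// The bug: storing the new length as if the field were 16 bits wide. On a
// little-endian machine a 16-bit store to the field's address overwrites
// only the low two bytes, so the upper 16 bits keep their old value.
inline void truncate_buggy(List& l, std::uint32_t new_length) {
    l.length = (l.length & 0xFFFF0000u) | (new_length & 0x0000FFFFu);
}

// The fix: a full-width store.
inline void truncate_fixed(List& l, std::uint32_t new_length) {
    l.length = new_length;
}

// Defensive invariant: a length larger than the capacity of the buffer it
// describes is never legitimate. Any later loop or copy bounded by `length`
// would run past the end of that buffer.
inline bool length_is_consistent(const List& l) {
    return l.length <= l.capacity;
}

// Scenario (constructed): a list that grew past 65535 entries is truncated
// to 256. Returns the length as seen after the buggy update.
inline std::uint32_t buggy_length_after_truncate() {
    List l{0x00012000u, 0x00012000u};   // 73728 entries, capacity matches
    truncate_buggy(l, 0x100);            // intends 256
    return l.length;                     // 0x00010100 == 65792, not 256
}

inline std::uint32_t fixed_length_after_truncate() {
    List l{0x00012000u, 0x00012000u};
    truncate_fixed(l, 0x100);
    return l.length;                     // 256
}

// After truncation the backing buffer would be shrunk to the intended size.
// Returns whether the invariant check rejects the stale length.
inline bool buggy_length_detected() {
    List l{0x00012000u, 0x00012000u};
    truncate_buggy(l, 0x100);
    l.capacity = 0x100;                  // buffer now holds 256 entries
    return !length_is_consistent(l);     // true: 65792 > 256
}
```

The stale length is exactly the "linear buffer overrun" the previous slide lists: code that trusts `length` copies far more than the buffer holds. The mismatch is the kind of thing a compiler warning on narrowing conversions, a sanitizer run, or an assertion like `length_is_consistent` surfaces long before it reaches an exploit.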

Heap Grooming and Spray

- Primes the heap
- Fills with blocks ready for shellcode
- Makes room for buffer that will overrun
- Overrun will prepare code execution
- Hopes to overrun into one of the prepared blocks

Heap Grooming (diagram sequence): Initial state; Filling gaps to make allocations predictable (Grooming Packet); Prefill before making pattern (Grooming Packets); Make room for your objects - free up holes; Pattern: Fish in a barrel (Grooming Packet, Overflow Packet, Grooming Packet); the overrun block is Ready for Execution; the shellcode sits in the block that is Ready for Execution.

Code Execution

When the connection is closed the shellcode is executed in the block(s) that have been overrun. This installs the DoublePulsar backdoor implant.

How does that affect me?

There is no magic here. These are bugs you can find. The tools they use are tools you can use.

Basically: Fix Bugs