How Safe is your Link ?

1. How safe is your link ? Old school exploitation vs new mitigations

2. • Peter Hlavatý • Specialized Software Engineer at ESET • Points of interest : • vulnerability research • exploit mitigations • kernel development • bootkit research • malware detection and removal algo • @zer0mem • research blog : http://zer0mem.sk/ #whoami

3. • As nico mentioned in his talk, Aleatory Persistent Threat, old school heap specific exploiting is dying • windows version ++  attack difficulty ++ • weak implementation == place for exploiting of mechanism Introduction

4. Windows memory management Lets take a look at algo

5. Quick lookup at RtlpAllocateHeap FreeLists-UnLink-Search Algorithm Really, some security improvements in algorithm are obvious... • Validating / Encoding headers • RtlpAnalyzeHeapFailure • SafeLinking

6. • code1 = _Heap.EncodeFlagsMask ? code1 ^ _Heap.Encoding.Code1 : code1 • valid = code1.Flags ^ (BYTE)code1.Size ^ (code1.Size >> 8) == code1.SmallTagIndex • size = code1.Size • _Heap.EncodeFlagsMask initialy set to default value • _Heap.Encoding.Code1 set to random value I.Validating / Encoding headers

7. • cs:RtlpDiSableBreakOnFailureCookie • x64 by default, x86 not! • x86Win binaries by default • What about 3rd party ? • RtlpGetModifiedProcessCookie • call NtQueryInformationProcess II. RtlpAnalyzeHeapFailure

8. • heap_entry.flink.blink != heap_entry.blink.flink || heap_entry.flink.blink != heap_entry • Pretty easy check don’t you think ? III. SafeLinking

9. RtlpHeapAlloc search in FreeLists

10. • FreeListsSearch • missing validation checks ? • RtlpAnalyzeHeapFailure • Results in : kill app or not? 3rd party ? • SafeLink Check • Is implemented smart enough? Problems ?

11. Exploitation 1 Show me your gong-fu :: technique

12. BuildOwnHeap - IDEA

13. RULLING UNDER ENCODING LOGIC • LowerBoundary of HEAP_ENTRY.Size : • Interesting test : _Heap.EncodeFlagsMask & HEAP_ENTRY.Code1 • If not matched, then it is not XORED! • What about 0-size ?  Implementation shortcut

14. RULLING UNDER ENCODING LOGIC • UpperBoundary (I.) of HEAP_ENTRY.Size : • Interesting xoring value : _Heap.Encoding.Code1 set to random value • this case  too much random == too much predicatability • If (HEAP_ENTRY.Size set to 0101010101010101b) then (_Heap.Encoding.Code1 ^ HEAP_ENTRY.Size)  high probability to be big number  Implementation shortcut

15. RULLING UNDER ENCODING LOGIC • UpperBoundary (II.) of HEAP_ENTRY.Size : • based on XOR • two heap_entry chunks on freelist • 1st set HEAP_ENTRY.Size to 0x8000 • 2nd set HEAP_ENTRY.Size to 0x0 • After XOR one of HEAP_ENTRY.Size will be for sure equal to 0x8000 which is big number  Implementation shortcut

16. BuildOwnHeap - implementation • Looka looka - SafeLink Check ?

17. Attack!

18. • SafeLink Check • HeapSpray fake list fulfill conditions • Validation & RtlpAnalyzeHeapFailure? • I am 3rd Party • Problems : • Works for x86 binaries • Already fixed in win7sp1 Results ?

19. Good enough ? … not ... Can it be improved ?

20. Seems familiar ? • Validating / Encoding headers • RtlpAnalyzeHeapFailure • SafeLinking Quick lookup to RtlpFreeHeap FreeLists-Link-Search Algorithm

21. • heap_entry.Blink.Flink != heap_entry • … SafeLinking, changed !?

22. • Again, no validation here required • Performance vs security ? RtlpFreeHeap search in FreeLists

23. Previous IDEA – imporving .. • What do you think happen with valid chunk, with size is bigger than size of already overwritten HEAP_ENTRY, when it is attempted to be freed ? 

24. 1) Memory leak! 2) Relinking already used memory! Final Exploitation

25. Exploitation 2 - showtime …improving, improving, success…

26. • Same as in first attack : • HeapSpray attack • sizeof(HEAP_ENTRY) + sizeof(LIST_ENTRY>Flink) overflow, that cause overwritting HEAP_ENTRY on FreeList • Second attack specific : • Ability to force application to free already used ‘good sized’ memory  memory leak • RW access to our heapsprayed buffer  relinking Prerequisites

27. Attack!

28. Visualisation of exploitation - init

29. Visualisation of exploitation - heapspray

30. Visualisation of exploitation - overwrite

31. Visualisation of exploitation – free(*)

32. • Success! Results

33. Live Demo Win7 SP1

34. • Conclusions : • Mitigations are as good as they weakest point ! • Implement minimalistic approach, but cover all responsibilities of the code • Speed performance < safe environment Done

35. • Reported to microsoft about 2 years ago • But still present in win7sp1, and was usable even in win8CP ! • In final release of win8 it is finally patched! • FreeListSearch algo now validate each walked HEAP_ENTRY Addition technique info

36. Video Demo win8 CP, ie10

37. References Brett Moore : Exploiting Freelist[0] On XP Service Pack 2 http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist%5B0%5D%20On%20XP%20Service %20Pack%202.pdf Chris Valasek : Understanding the Low Fragmentation Heap http://illmatics.com/Understanding_the_LFH.pdf Brett Moore : Heaps About Heaps http://seclists.org/vuln-dev/2008/Jul/0 Alexander Sotirov : Heap Feng Shui in JavaScript http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf Nico Waisman : Aleatory Persistent Threat http://media.blackhat.com/bh-us-10/presentations/Waisman/BlackHat-USA-2010-Waisman-APT-slides.pdf … and many others usefull exploit techniques related materials …

How Safe is your Link ?

Peter Hlavaty

How Safe is your Link ?