Transcript ZERT Patching

ZERT
Binary Patching
Gil Dabah
Who Am I?




“Israeli programmer and reverse engineering
enthusiast Gil Dabah”, eWeek (09/22/06)
“Israeli reverse-engineering specialist Gil
Dabah”, CNET (09/25/06)
Computer’s “Hacker”
Programmer, working at DigiCash
ZERT Binary Patching
[2 of 37]
About ZERT





Zero-day Emergency Response Team
Zero-day meaning?
Foundation
Goal
Incident-Response
ZERT Binary Patching
[3 of 37]
Menu



Patching In General
VML Vulnerability
ANI Vulnerability
ZERT Binary Patching
[4 of 37]
What is Patching?







Changing an existing software data.
That data can be either a code or real data
(strings, structures, etc).
Usually the goal is to change behavior.
Sometimes you enhance the software.
Patching can be done on-disc, or in-memory.
Known patching is cracking games/software.
…or uncracking software like ZERT does.
ZERT Binary Patching
[5 of 37]
Problems with Patching






Different versions (E.G: 23 versions of VGX).
Code changes.
Code moves.
No room for the extra patching code/data.
MS Hot Patching MOV EDI, EDI.
Windows File-Protection.
ZERT Binary Patching
[6 of 37]
Patching Alternatives
Every change affect file integrity.
We want to change as less as possible bytes.
1) PE Patching - add a section/fine a cave.



In a short development time it’s not possible to make it reliable.
Too big a change.
Time consuming.
Per Version Patching.
2)


Requires all versions.
Doesn’t support unknowns.
ZERT Binary Patching
[7 of 37]
Patching Alternatives
Using Hot Patching Bytes:
3)

A few places to patch (all callers, more signatures).
7 bytes are usually not enough.

CC, CC, CC, CC, CC, 8B, FF

Spot Patching
4)



Simple.
Search&replace patching.
Not always possible  Generic
ZERT Binary Patching
[8 of 37]
Section #1
ZERT VML PATCHER
ZERT Binary Patching
[9 of 29]
VML





Vector Markup Language
An XML language used to produce vector
graphics.
Submitted as a proposed standard by MS
and Macromedia in ’98 to the W3C.
Eventually rejected.
But still in use by Internet Explorer and Office
(and Outlook).
ZERT Binary Patching
[10 of 37]
VML Rendering
ZERT Binary Patching
[11 of 37]
VML Zero-Day





Was first seen in September 2006.
Officially on the 19th, but actually before.
Adam Thomas, a researcher from Sunbelt
Software, found it ITW.
The exploitation downloads a trojan or
adware.
For example an adware that downloads and
displays popup advertisements.
ZERT Binary Patching
[12 of 37]
VML Vulnerability





Stack-based buffer overflow in the processing
of malformed VML "fill method" attributes.
Affected file: VGX.DLL
(symbol: Ptok@TOKENS@_IE5_SHADETYPE_TEXT).
Vulnerable systems: all IE versions, with
latest XP SP 2 patches.
Surf and get owned.
What if DEP is enabled?
ZERT Binary Patching
[13 of 37]
HTML Exploitation
<html xmlns:v="urn:schemas-microsoft-com:vml">
<head>
<style>
v\:* { behavior: url(#default#VML);}
</style>
</head>
<body>
<v:rect><v:fill method=“AAAA…></v:fill></v:rect>
</body>
</html>
ZERT Binary Patching
[14 of 37]
Vulnerability Point




To locate vulnerable image, simply crash IE.
Attack ‘fill method’ with a big buffer, raises
access violation.
Writing to a pointer which is found on local
stack.
Now that we got the vulnerable function we
start analyzing the code.
ZERT Binary Patching
[15 of 37]
mov edx,
[ecx+VML.szInput]
Ptok Function
Disassembly
mov dx, [ebx+edx*2]
mov [edi], dx
ZERT Binary Patching
[16 of 37]
Code Analysis
class TOKENS {
public:
WCHAR *Ptok(void);
private:
LPWSTR szInput; // pointer to input string on heap
int nSize; // length of input string (in WCHARs)
int idxInput; // index used within the for()loop
WCHAR szOutput[256]; // output buffer for string
};
This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 license. By Michael Hale Lee.
ZERT Binary Patching
[17 of 37]
Code Analysis:C++ Translation
WCHAR *TOKENS::Ptok(void)
{
register int idxCurr;
if (szInput == NULL) return(NULL);












iffor(nSize
>= 256)
{
(idxCurr=0;
idxInput
< nSize && szInput[idxInput] != '\0'; idxInput++) {
//
by the ZERT
if Added
(szInput[idxInput]
==patch
' ') {
return(NULL);
if (idxCurr) break; // Encountered non-leading space
}
else continue; // Encountered leading space
}
szOutput[idxCurr]=szInput[idxInput]; // Copy the WCHAR
idxCurr++;
}
if (idxCurr > 0) {
szOutput[idxCurr]='\0'; // NULL terminate
return(szOutput);
}
return(NULL);
}
This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 license. By Michael Hale Lee.
ZERT Binary Patching
[18 of 37]
Using Ptok Rather Than strtok






Ptok is an enhanced strtok, using a class and
a local storage.
It supports multiple concurrent readings.
It doesn’t modify the original string!
Tokenize: “We've got explosives!
KABOOOOOM!”
Results in: “We’ve”, “got”, “explosives!”,
“KABOOOOOM!”
Input string is now nullified: “We’ve\0got\0…
ZERT Binary Patching
[19 of 37]
Writing a Binary Signature


A unique sequence of bytes.
Might be masked or not.



“GIF87A”,”GIF89A”  “GIF8*A”
Must be found the exact times you expect.
Genericness is a plus.
ZERT Binary Patching
[20 of 37]
VGX’s Ptok Signature

Ptok is like a library function



(very small, used in one place).
No code changes in all versions.
Goal: Use the whole function as a signature.
ZERT Binary Patching
[21 of 37]
Compiler’s Bad Day???





>>> import distorm
>>>
distorm.Decode(0,"\x66\x8b\x14\x53")[0][2]
'MOV DX, [EBX+EDX*2]'
>>>
distorm.Decode(0,"\x0f\xb7\x14\x53")[0][2]
'MOVZX EDX, [EBX+EDX*2]'
ZERT Binary Patching
[22 of 37]
Closing The Vulnerability [v1]
;Removed leading space checks,added input-size test.
mov
push
push
xor
cmp
push
jz
cmp
jae
edx, [ecx]
ebx
esi
esi, esi
edx, esi ; if (szInput == NULL)
edi
short Return ; return NULL
dword [ecx+4], 0x100 ; if (nSize >= 0x100)
Return ; return NULL
ZERT Binary Patching
[23 of 37]
Bypassing WFP

Examining VGX.DLL’s export table:
DllCanUnloadNow, DllGetClassObject, DllRegisterServer,
.
VGX.DLL is a COM in-proc DLL.
Can be registered and unregistered.
Anti Virus issues.
DllUnregisterServer



ZERT Binary Patching
[24 of 37]
ZERT Patcher
1)
2)
3)
4)
5)
6)
Read vgx.dll file to memory.
Search for binary signature.
Apply patch.
Save data to a new file “patchedvgx.dll”.
Unregister original “vgx.dll”.
Register “patchedvgx.dll”.
* Supports both GUI and Console versions.
ZERT Binary Patching
[25 of 37]
ZERT’s Patch VS. MS’s


MS can simply recompile.
We have to:





Make room for the input size test.
Preserve functionality.
MS patch: Copy until buffer is full (< 0xfe).
Our V1 patch: Don’t copy if length >= 0x100.
Patch V2 is MS code but crunched into 0x5b
bytes (from 0x63).
ZERT Binary Patching
[26 of 37]
64 Bits Patching Challenges



Finding VP (Ptok) without Windows 64.
RIP Relative.
MS code was changed from 32 bits version,
yet unpatched.
ZERT Binary Patching
[27 of 37]
32bits VS 64bits VGX.DLL
ZERT Binary Patching
[28 of 37]
Pre-Patched
Version
Compilation
Timestamp
Date
PrePatched?
5.0.3014.1003
0x38439A32
Nov 30 1999
Yes
7.0.5112.0
0x43D80C1D Jan 26 2006 No
7.0.5450.4
0x449C16C7 Jun 23 2006 Yes
ZERT Binary Patching
[29 of 29]
Section #2
ZERT ANI PATCHER
ZERT Binary Patching
[30 of 29]
Windows Animated Cursors




It all began in 2005, eEye discovered a
vulnerability in USER32.DLL handling .ANI
files.
(Incompletely) fixed by MS05-002 – XPSP2
was already immune.
In 2006, a similar vulnerability discovered by
Determina (Alexander Sotirov).
Public Disclosure - March 28, 2007.
ZERT Binary Patching
[31 of 37]
Bug Description



ANI files store animated cursors. Based on
RIFF multimedia file format, which is a series
of tagged chunks.
LoadCursorIconFromFileMap only validated
the first ‘anih’ size before parsing the rest of
the chunks by calling LoadAniIcon.
LoadAniIcon parses the chunks, including
‘anih’. This time without size validation.
ZERT Binary Patching
[32 of 37]
Malformed ANI Sample
RIFF....ACONanih
$...$...........
................
........anihX...
AAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA
ZERT Binary Patching
First
header
chunk, so far so
good.
Now!
this is
tricky, oh yeah.
[33 of 37]
Attack Vectors

Internet Explorer loading HTML file style="CURSOR: url(‘malformed.ani')“.


Outlook.
Windows Explorer.
ZERT Binary Patching
[34 of 37]
The Patcher



USER32.DLL – Requires in-memory
patching.
Using “Known DLLs” to load our .DLL to
every process.
Our DllMain will locate USER32.DLL and find
its code section and begin its magic work.
ZERT Binary Patching
[35 of 37]
Vulnerable Code LoadAniIcon
CMP EAX, ‘ qes’
000433E0
038B 75F8
JZ 0x187
000433F0 0000 3D4C
CMP EAX, ‘TSIL’
00043400
7465 0F84
JZ 0xe1
CMP EAX, ‘etar’
00043410
0000 008D
JZ 0xc7
00043420 FF85 C00F
CMP EAX, ‘hina’
00043430
FC8D 75B4
JNZ 0x10b
LEA EAX, [EBP-0x4c]
00043440
0100 008B
PUSH EAX
LEA EAX, [EBP-0x28]
PUSH EAX
PUSH EBX
CALL Readchunk
8B45
4953
A600
45B4
84E7
F3A5
45BC
D83D
540F
0000
508D
0100
E844
8B7D
7365
84CB
3D61
45D8
0083
FBFF
B88B
7120
0000
6E69
5053
EC24
FF85
35F0
ZERT Binary Patching
0F84
003D
680F
E8E4
6A09
C00F
12D4
7C01
7261
85DF
FAFF
598B
84CA
776A
..u..E.=seq ..|.
..=LIST......=ra
te......=anih...
....E.P.E.PS....
...........$j.Y.
..u....D........
....E..}..5...wj
[36 of 37]
Runtime Generic Patching



3 X-Refs to the ReadChunk function, only
one needs a fix (LoadCursorIconFromFileMap).
Search for a static signature. Look back for
another static signature. Disassemble
forward until next call is found.
Now that we found the indirectly-call to
memcpy, we have to patch it, but how?
ZERT Binary Patching
[37 of 37]
The Fix





A pre-compiled version of the ReadChunk function,
this time with size validation.
The ReadChunk internally calls to ReadFilePtrCopy,
which really copies the data and overflows the stack.
Fix our pre-compiled code to call the correct
ReadFilePtrCopy – calculate relative 32 bits offset.
Allocate an executable memory for the new function.
Once it’s ready, we can simply relocate the original
vulnerable CALL instruction to our new immune
function.
ZERT Binary Patching
[38 of 37]
Potential Problems




Multiple threads might run the patched code
– we patch only a DWORD.
Searching for a DWORD – must be bytealigned.
Finding the CALL instruction – a
disassembler must be used.
If-then statements code generation –
following branches.
ZERT Binary Patching
[39 of 37]
The Sad Truths


There is a function which validates the ANI
header parameters after it copies it locally.
The VML vulnerability didn’t exist in IE5,
which had the size validation of the buffer
back then. Probably to code regression it
slipped away.
ZERT Binary Patching
[40 of 37]
Questions ???
ZERT Binary Patching
[41 of 37]
The End
[email protected]
Thanks to:
CCC
ZERT Members
ZERT - http://isotf.org/zert
http://isotf.org/zert/papers/vml-details-20061004.pdf
http://www.milw0rm.com/exploits/2425 - Exploit POC
ZERT Binary Patching