Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

Make your likes visible on Facebook?

Connect your Facebook account to Prezi and let your likes appear on your timeline.
You can change this under Settings & Account at any time.

No, thanks

Interpreter exploitation

No description
by

tal kirshenzweig

on 27 January 2013

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Interpreter exploitation

Remote exploits are dwindling.
Perimeter defenses becomes standard.
Operating system uses mitigation techniques. Data Execution Prevention (DEP)
Address Space Layout Randomization (ASLR) By: Dionysus Blazakis Presented by: Tal Kirshenzweig 039068630 Interpreter Exploitation Attacker's life is HARD... the preferred attack vector is to exploit the client-side But how??? The browser is a ripe target for exploitation Plug-ins robust parser Web 2.0 high performance scripting environment JIT Garbage collector Memory A little definitions DEP - Data Execution Prevention
ASLR - Address Space Layout Randomization
JIT compilation - Just In Time
ActionScript DEP A security feature included in modern operating systems. Its intention is to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example. ASLR A computer security method which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space. This method makes it more difficult for an attacker to predict target addresses. JIT compilation is a method to improve the runtime performance of computer programs based on byte code. The program is stored in memory as byte code, but the code segment currently running is preparatively compiled to physical machine code in order to run faster.
JIT compilers represent a hybrid approach, with translation occurring continuously, as with interpreters, but with caching of translated code to minimize performance degradation.

The code can be compiled when it is about to be executed (hence the name "just-in-time"). ActionScript is an object-oriented language originally developed by Macromedia Inc. (now owned by Adobe Systems). It is a dialect of ECMAScript and is used primarily for the development of websites and software targeting the Adobe Flash Player platform, used on Web pages in the form of embedded SWF files. Up until now things were relatively easy We need to find a 0-day in a browser (IE, etc.), reader (adobe PDF) or Flash (also Adobe)
Create/steal a Flash game to put on a site. It will incorporate the 0-day.
E-mail a link to someone via spoofing or hacking. All that's left is a simple heap spray we will have code execution. DEP ASLR Heap Spraying Is an attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process' heap and fill the bytes in these blocks with the right values. Taking advantage of the fact that the start location of large heap allocations is predictable and consecutive allocations are roughly sequential. Lets try something else Maybe we can use ROP (Return-oriented programming)?
reuse existing code to build a first-stage shellcode.
the reused code will all be located on executable memory pages. find a loaded DLL that is not ASLR protected
or
leak the load address of the module and use the available code to manufacture return-oriented shellcode That will show DEP how is the boss!
but where is the DLL? where is the module? ASLR NOT AGAIN... New plan Lets find a new way to spray the heap then turned to ROP

Where to start spraying? Adobe's Flash Player ActionScript core interpreter is open source! GOOD VERY GOOD Scripting environments are the perfect target for... Pointer Inference In a scripting environments
the objects usually live on the heap
the runtime language and libraries provide multiple ways to manipulate and inspect objects.
Scripting languages are dynamically typed.
Objects stored by reference are often stored in the same type as those stored by value. The goal is to find a way to determine the memory address of a script object in the interpreter/virtual machine. Pointer Inference We need to know some logic before technique type association at runtime heap Tamarin
uses tagged pointers to store
ActionScript objects within the VM. all runtime objects must store both value and type. An object on the VM heap is called an "Atom" Stored by value Stored by reference Define Integer Define Object ActionScript Python var x = 42; >>> def atomFromInteger (n):
return (n<<3) | 6

>>> '0x%08x' % (atomFromInteger(42), )
'0x00000156 42 = 0x2A = b00101010
Integer tag = 6 = 0x6 = b110
Atom = 00101010 110 = 0x156 var z = new Dictionary(); >>> def atomFromObject (obj):
return (obj & ~7) | 1

>>> a = AS.HeapAlloc (size_of_Dictionary)
>>> Dictionary.initialize (a)
>>> '0x%08x' % (atomFromObject (a) , )
'0x00c8b301 obj is allocated at 0x00c8b300
Object tag = 1 = 0x1 = b001
Atom = 0x00c8b30 | b001
Atom = 0x00c8b31 ActionScript Dictionary Objects The Dictionary is a built-in class that can hold objects in a table More to the point a Hash Table.
Objects are stored as a couple (Key / Value) and are mapped in the table by using the hash from the key Atom Hash Table facts can be iterated.
iteration order from lowest to highest hash value (the hashed key).
the table size is a power of 2.
table grows is the number of empty cells drops below 20% of the total size mapping according to the key Atom value an integer that is less than the hashtable's size will be placed at that offset in the table the Atom value of an Object is a memory address If Atom types can be mixed in the hashtable, integers are compared to addresses Breakthrough The ordering of a mixed HT leaks address bits find a bound on the Object Atom Integer var even = new Dictionary();
var odd = new Dictionary();
var index;
for (index = 0; index < 8; index +=1){
even [index * 2] = true;
odd {index * 2 + 1] = true;
}

var victim = AAAAAAA;
even [victim] = true;
odd [victim] = true; var curr, evenPrev, oddPrev;
for(curr in even) {
if (curr == victim) { break; }
evenPrev = curr;
}
for(curr in odd) {
if (curr == victim) { break; }
oddPrev = curr;
} The 2 Integers should differ by 17 according to the quadratic probing, unless the probe warpped over the table. the smaller integer from the Dicationary that didn’t have the collision. Figuring the leak didn't warpped warpped the larger value is from the Dictionary that didn’t have the collision. probe we have the Integer in an Atom form that is 8 smaller then the victim Atom to get the victim atom from the integer x: (x << 3 + 8)
or more to the point ((x + 1) << 3) evenPrev = 0 (atom: 0x0000006)
oddPrev =1 (atom: 0x000000E) evenPrev is smaller
0x00+1<<3=8 LSB of the victim address JIT Spray in order to bypass the DEP protection we will use the interpreter JIT compiler and coerce is to it's engine to spit out code that has a useful code, that means the code will have embedded shellcode. how the JIT works can be seen in the next ActionScript code: JIT results Imagine entering at 0x0347006A instead of 0x03470069... A more realistic example ActionScript allows the dynamic loading (and runtime generation) of bytecode.
Using this type of reflection, we can force the repeated loading of a given bytecode file spraying the constructed JIT code on the heap. This is the JIT spray With a reasonable guess and luck, the attacker can execute shellcode despite ASLR and DEP. Putting it together String Atom value=address C++ instance length pointer to buffer Heap To try and find a use for this pointer, we must understand the Flash heap. Flash objects are allocated with VirtualAlloc.
On heap expansion the allocator tries to allocate the next chunk contiguously in 16MB increments.
If allocation fails the next try will be without the contiguous constraint, only with a block that will fit the request.
Pages for the JIT engine are allocated with VirtualAlloc that count the opcodes to estimate the needed space. With these details, we can come up with a use for the heap address primitive. The plan is to put the two techniques together for a reliable bypass of DEP and ASLR. To do this, we must use the heap address primitive to determine the address of a JIT block. This is the method 16.0625MB 1. Open a SWF file that contains enough bytecode to force an allocation of 0x01010000 bytes. 2. Open a SWF fifile that sprays the heap with many small ActionScript objects forcing the heap to grow past the big block. 3. Open a second SWF forcing an allocation of 0x00FF0000 bytes. 15.9375MB 4. Remove the first large SWF file this will deallocate / unmap the 0x1010000 bytes. 5. Spray more than 16MB of small ActionScript objects, keeping them in a linked list structure. 6. Load the SWF with the JIT Spray.
Each script will be small and reserve the minimum
(0x00010000 bytes) 64KB 64KB 64KB 64KB 7. Iterate over the linked list structure at large intervals (0x00100000) recording the address of the object. 2nd SWF Linked ActionScript Linked ActionScript JIT spray 8. When an unsmooth edge is found in the recorded addresses, this marks the start of the newly mapped space. This new space should be the start of the memory used for the first SWF. 9. A tight bound can be obtained for the start address by refining the above search using successively smaller intervals and updating the bounds. 10. Finally, we know the JIT spray should have reached this address we’ve found in the previous step +0x01000000. VirtualAlloc will map pages at a 64KB granularity and does so with a linear scan fifinding the first hole that matches the size requested. Although this process is reliable, with the current speed of the address leak it takes between 5 and 10 minutes to trigger.
If a different address leak were found this would be quicker. On a lightly used browser a straightforward JIT spray can be used and a predictable address is not hard to find.
In a browser with a lot of memory activity, the longer method is more reliable.
Full transcript