discovering vulnerabilities for fun and profit
TRANSCRIPT
Who Am I
• Founder, 3S Labs – Information Security Services Startup
• Security Tools
  • Wireplay – TCP Session Replay for Network Protocol Fuzzing
  • RbWinDBG – Ruby interface to Windows Debugger API
  • HiDump – Injected Code Extraction Tool (Windows only)
  • […]
• Security Research (CVE)
  • Microsoft Office
  • IBM Tivoli Endpoint Manager
  • HP Siteprotect
  • […]
@abh1sek abhisek
The “Practical” Shallow Bugs
ActiveX1.bin – Rich Control Embedded in Word Document
MSCOMCTL!DLLGetDocumentation+XXX:6f5164d2 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
An approach towards Finding Vulnerabilities
Features Attack Surfaces
Architecture & Components
Protocol Analysis
Targeted Fuzzing
Static Analysis
Attack Surface Analysis – Microsoft OOXML
• The Past
  • Multiple vulnerabilities while processing binary records
  • Multiple vulnerabilities in processing embedded objects (image / flash)
  • […]
• What’s new?
  • Microsoft OOXML File Format
  • (Almost) all features of Office Binary File Format represented through XML
  • ZIP File Format based container (instead of OLE Structured Storage)
Attack Surface Analysis – Microsoft OOXML
https://msdn.microsoft.com/en-us/library/aa338205(v=office.12).aspx
Fuzzing Microsoft Office - OOXML
• What will probably not work?
  • Binary fuzzing (bit flip) on input file.
    • They are just ZIP files!
  • XML tag mutation
    • It will just hit the XML parser which should be matured.
• What will probably work?
  • XML mutation
    • Hit the application states and NOT the XML parser
  • XML attributes
    • Not very different from blind binary fuzzing (bit flip)
    • These are used to prepare and render objects
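As an added example (not from the talk), a small Python survey of the XML attack surface inside an OOXML container: it walks every XML part in the ZIP, counts elements and attributes, and flags numeric attribute values, which are the sizes and offsets the application consumes when it prepares and renders objects rather than input the XML parser itself validates. The container is constructed inline for the demonstration and is not a real Office document.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed minimal OOXML-style container (assumption: not a real Office
# document, just enough to show the ZIP-of-XML-parts layout).
CONSTRUCTED_PARTS = {
    "[Content_Types].xml":
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>',
    "word/document.xml":
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t xml:space="preserve">hello</w:t></w:r></w:p>'
        '<w:tbl><w:tblPr><w:tblW w:w="5000" w:type="pct"/></w:tblPr>'
        '<w:tr><w:trPr><w:trHeight w:val="240"/></w:trPr></w:tr></w:tbl>'
        '</w:body></w:document>',
}


def build_container(parts: dict) -> bytes:
    """Pack the parts into a ZIP container, the way OOXML documents are stored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in parts.items():
            zf.writestr(name, text)
    return buf.getvalue()


def survey_attack_surface(container: bytes) -> dict:
    """Per XML part: element count, attribute count and how many attribute
    values are numeric (sizes, offsets and counts consumed by the application
    rather than by the XML parser)."""
    summary = {}
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue  # binary parts (images, embedded objects) are a separate surface
            root = ET.fromstring(zf.read(name))
            elements = attributes = numeric = 0
            for element in root.iter():
                elements += 1
                for value in element.attrib.values():
                    attributes += 1
                    if value.lstrip("-").isdigit():
                        numeric += 1
            summary[name] = {"elements": elements, "attributes": attributes,
                             "numeric_attributes": numeric}
    return summary


if __name__ == "__main__":
    for part, counts in survey_attack_surface(build_container(CONSTRUCTED_PARTS)).items():
        print(f"{part}: {counts}")
```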
Architecture Analysis – IBM Tivoli EM
• Enterprise endpoint management
  • Single agent for endpoint self-assessment and policy enforcement
  • Near real-time visibility and control from single dashboard
  • Target specific actions to an exact type of endpoint configuration or user type
• Primary Components
  • Root Server
  • Reports Server
  • Agent
Architecture Analysis – IBM Tivoli EM
[Diagram: Root Server connected to multiple Agents over TCP: 5231, carrying S/MIME Signed HTTP]
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli+Endpoint+Manager/page/REST+API
• All HTTP transactions are S/MIME signed.
• Any HTTP request with signature mismatch will be ignored.
• Now?
Fuzzing – IBM Tivoli EM
[Diagram: HTTP Request Fuzzer (Burp / SPIKE / !!) → S/MIME Signing Proxy → Root Server, TCP: 5231]
• Intercept communication between Agent and Root Server
• Replay and fuzz intercepted HTTP requests
• S/MIME sign HTTP requests through proxy
Burp plugin to sign HTTP request for Tivoli EM: https://gist.github.com/abhisek/f69f0ead1d9292cfc68260423819780d
Static Analysis – Dameware Mini Remote Control
• Why?
  • Custom binary protocol
  • Encrypted packets
  • No documentation on protocol
  • Not too much prior work on DMRC reverse engineering
• Objective
  • Identify “crypto container”
  • Fuzz DMRC by replaying intercepted communication
  • Decrypt > Mutate > Encrypt > Send to Server
DMRC Case
• 1 day to set up and analyze network infrastructure
• 1 day to survey protocol documentation without luck
• ~3 days to reverse engineer the handshake protocol encryption
• 2 days of fuzzing effort
• Results?
  • 2 crashes – none exploitable
  • No CVE !!
Was it worth the effort ?
Static Analysis – Other Approaches
• Taint Analysis
  • IDA Plugin to manually mark sinks & compute path from any point in code to sinks.
• Binary Analysis Platform
  • A useful framework to implement various algorithms to “infer” possible vulnerabilities.
  • https://github.com/BinaryAnalysisPlatform/bap
There will ALWAYS be another vulnerability..
• Security Researcher
  • How to find the maximum number of exploitable vulnerabilities in a minimum, or at least practically feasible, time window.
• Developer
  • Maximize the cost of finding exploitable vulnerabilities through secure coding practices and platform hardening.