Discovering Vulnerabilities For Fun and Profit

Upload: abhisek-datta

Post on 13-Apr-2017


Discovering Vulnerabilities

For Fun and Profit

Who Am I
• Founder, 3S Labs – Information Security Services Startup
• Security Tools
  • Wireplay – TCP Session Replay for Network Protocol Fuzzing
  • RbWinDBG – Ruby interface to Windows Debugger API
  • HiDump – Injected Code Extraction Tool (Windows only)
  • […]
• Security Research (CVE)
  • Microsoft Office
  • IBM Tivoli Endpoint Manager
  • HP Siteprotect
  • […]

@abh1sek abhisek

Linus's Law

“Given enough eyeballs, all bugs are shallow”

Fuzzing

Mutation

Generation

The “Practical” Shallow Bugs

ActiveX1.bin – Rich Control Embedded in Word Document

MSCOMCTL!DLLGetDocumentation+XXX:6f5164d2 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

The Magic Technique

Now .. The Magic Tool

http://lcamtuf.coredump.cx/afl/

An approach towards Finding Vulnerabilities

Features Attack Surfaces

Architecture & Components

Protocol Analysis

Targeted Fuzzing

Static Analysis

Attack Surface Analysis – Microsoft OOXML
• The Past
  • Multiple vulnerabilities while processing binary records
  • Multiple vulnerabilities in processing embedded objects (image / flash)
  • […]
• What’s new?
  • Microsoft OOXML File Format
  • (Almost) all features of Office Binary File Format represented through XML
  • ZIP File Format based container (instead of OLE Structured Storage)

Attack Surface Analysis – Microsoft OOXML

https://msdn.microsoft.com/en-us/library/aa338205(v=office.12).aspx

Fuzzing Microsoft Office – OOXML
• What will probably not work?
  • Binary fuzzing (bit flip) on the input file.
    • They are just ZIP files!
  • XML tag mutation
    • It will just hit the XML parser, which should be mature.
• What will probably work?
  • XML mutation
    • Hit the application states and NOT the XML parser
  • XML attributes
    • Not very different from blind binary fuzzing (bit flip)
    • These are used to prepare and render objects
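The attribute-mutation strategy from the slide above, as an added example that is not code from the talk or its author: it packs a constructed minimal OOXML part into a ZIP container in memory, swaps integer attribute values in word/document.xml for boundary values while keeping the XML well-formed (so the change reaches the consumer's object preparation rather than the parser), and repacks every other part unchanged. The sample part, the INTERESTING value list and all function names are assumptions made for this example.

```python
import io, random
from zipfile import ZipFile, ZIP_DEFLATED
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ET.register_namespace("w", W_NS)  # keep the w: prefix when re-serialising

# Constructed minimal main document part (not a real Office file); a real .docx has many more parts.
SAMPLE_DOCUMENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>
<w:p><w:pPr><w:spacing w:before="120" w:after="120"/></w:pPr><w:r><w:rPr><w:sz w:val="24"/></w:rPr><w:t>hi</w:t></w:r></w:p>
<w:tbl><w:tblGrid><w:gridCol w:w="4680"/></w:tblGrid></w:tbl></w:body></w:document>"""
# Boundary values aimed at size/offset handling in the consumer, not at the XML parser.
INTERESTING = ["0", "-1", "65535", "2147483647", "2147483648", "4294967295", "1" + "0" * 40]

def build_sample_docx() -> bytes:
    """Package the constructed part into a ZIP container, as OOXML does."""
    buf = io.BytesIO()
    with ZipFile(buf, "w", ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not a valid part
        zf.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return buf.getvalue()

def read_part(docx_bytes: bytes, part: str) -> bytes:
    with ZipFile(io.BytesIO(docx_bytes)) as zf:
        return zf.read(part)

def numeric_attributes(xml_bytes: bytes):
    """Parse one part (raises if not well-formed) and list (element, attr) pairs holding integers."""
    root = ET.fromstring(xml_bytes)
    return root, [(el, name) for el in root.iter()
                  for name, val in el.attrib.items() if val.lstrip("-").isdigit()]

def mutate_attributes(xml_bytes: bytes, rng: random.Random, count: int = 3):
    """Swap `count` integer attribute values for boundary values; the XML stays well-formed."""
    root, numeric = numeric_attributes(xml_bytes)
    changed = []
    for el, name in rng.sample(numeric, min(count, len(numeric))):
        old, new = el.attrib[name], rng.choice(INTERESTING)
        el.set(name, new)
        changed.append((name.split("}")[-1], old, new))  # strip the namespace URI
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8"), changed

def mutate_docx(docx_bytes: bytes, part: str, seed: int):
    """Rewrite one XML part inside the container; every other part is copied byte-for-byte."""
    rng, out, changed = random.Random(seed), io.BytesIO(), []
    with ZipFile(io.BytesIO(docx_bytes)) as src, ZipFile(out, "w", ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == part:
                data, changed = mutate_attributes(data, rng)
            dst.writestr(info.filename, data)
    return out.getvalue(), changed
```

The seed makes each test case reproducible, so a crash found while opening an output file can be regenerated from its seed rather than from a stored corpus.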

OOXML – XML Mutation

CVE

OOXML – XML Attribute Fuzzing

CVE

OOXML – XML Attribute Fuzzing

CVE

Architecture Analysis – IBM Tivoli EM
• Enterprise endpoint management
  • Single agent for endpoint self-assessment and policy enforcement
  • Near real-time visibility and control from a single dashboard
  • Target specific actions to an exact type of endpoint configuration or user type
• Primary Components
  • Root Server
  • Reports Server
  • Agent

Architecture Analysis – IBM Tivoli EM

[Diagram: Root Server <-> Agent (x4), TCP: 5231]

S/MIME Signed HTTP

https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli+Endpoint+Manager/page/REST+API

• All HTTP transactions are S/MIME signed.
• Any HTTP request with a signature mismatch will be ignored.
• Now?

Fuzzing – IBM Tivoli EM

[Diagram: Root Server (TCP: 5231)]

S/MIME Signing Proxy

HTTP Request Fuzzer( Burp / SPIKE / !! )

• Intercept communication between Agent and Root Server
• Replay and fuzz intercepted HTTP requests
• S/MIME sign HTTP requests through the proxy

Burp plugin to sign HTTP requests for Tivoli EM: https://gist.github.com/abhisek/f69f0ead1d9292cfc68260423819780d

Static Analysis – Dameware Mini Remote Control
• Why?
  • Custom binary protocol
  • Encrypted packets
  • No documentation on protocol
  • Not too much prior work on DMRC reverse engineering
• Objective
  • Identify “crypto container”
  • Fuzz DMRC by replaying intercepted communication
  • Decrypt > Mutate > Encrypt > Send to Server

Static Analysis – DMRC Protocol

DMRC Client to Agent Communication – What’s This?

Static Analysis – DMRC Client

DMRC Case
• 1 day to set up and analyze network infrastructure
• 1 day to survey protocol documentation without luck
• ~3 days to reverse engineer the handshake protocol encryption
• 2 days of fuzzing effort
• Results?
  • 2 crashes – none exploitable
  • No CVE !!

Was it worth the effort ?

Static Analysis – Other Approaches
• Taint Analysis
  • IDA Plugin to manually mark sinks & compute path from any point in code to sinks.
• Binary Analysis Platform
  • A useful framework to implement various algorithms to “infer” possible vulnerabilities.

https://github.com/BinaryAnalysisPlatform/bap

There will ALWAYS be another vulnerability..
• Security Researcher
  • How to find the maximum number of exploitable vulnerabilities in a minimum, or at least practically feasible, time window.
• Developer
  • Maximize the cost of finding exploitable vulnerabilities through secure coding practices and platform hardening.

Thanks for listening

Questions?

@abh1sek abhisek