 All right, next is Matt from WebSense and he's going to be talking about exploit spotting. So let's just give him a hand here. Big hand. Yeah, thank you. So I'm going to talk about exploit spotting and locating vulnerabilities out of vendor patches automatically. So let me introduce you myself first because this is very relevant what I'm going to talk today. So my current employer is WebSense Incorporation and I'm performing some malware and exploit detection. And my former employer was EI Digital Security and I developed IPS security products there like five years and I dipped vendor patches regularly over there. So you will know why I had to like the vendor patches. Before I was just like software engineer there but I still had to like dip the vendor patches there. So, and also I found some vulnerabilities like MS-06, 070, RPC vulnerability or CAO server and I used just stating methods to find that kind of stuff there. And I also developed Darren Grimm, it's a binary dipping tool and it was a kind of weekend project. And at this point I want to give you a simple question here. Do you really believe that if a patch is out, every security problems will be gone. So whenever there are some GRO days out, most people talk about the patches. When the patches is out or like just like the LNK like GRO day this time, people always talk about what is that patches. So next week they will release patch or yeah that kind of stuff. But do you really believe that if they release the patch, everyone will like patch their system immediately or within a day or two days? My answer is no actually. So let's look at comfical one. It was like spread like 2008 or 2009 and actually it used a vulnerability like patched at least a few months ago. So even though the patch was out, most, a lot of people didn't patch for some reason. The comfical one like infected more than 8 million computers over the world. And how about the driver exploits? They only include, they usually include one day exploits, the exploits that has patches. But there are some GRO days but they are very rare. And how about the meta-sploit and core impact and canvas? The exploit frameworks usually not about the GRO days. They are about the exploits for the like vulnerabilities that has patches usually. Or they gather the information from POC code actually. So let's talk about exploits and security products. By exploits I'm talking about the POC and exploit packs and drive by exploits and exploit frameworks like meta-sploit, canvas and core impact. Exploit frameworks are also security products for testing. And by security products I mean antivirus and web filter and mail filter and IDS like a snort and IPS and vulnerability scanner like a retina. You remember, anyone remember retina? Yeah? Yeah, a few of them, a lot, yeah actually, from EI actually. So retina or yeah, that kind of stuff. And basically what security industry is doing is creating signatures for vulnerabilities. So they have matching signatures for each matching vulnerabilities. So even vulnerability scanner has their own signatures for every matching like a CV number or something. So what exploits are doing these days are like using obfuscation to evade all the signature systems like IDS or IPS. And like if you look at some JavaScript exploits you will see some like a random bite there. You will never see the direct, the explicit exploit there. So this is all about the evading the security product. So I mean if you find some vulnerability that has been patched but is not known to the security vendors then it might be very serious concern because many systems doesn't patch for some reason and the exploits try to evade the like IDS and IPS system but if they find the attackers find the one they exploit they can still like exploit the system like by evading the IPS and IDS. For example if there are some product system like selling some stuff like if they are running some IIS and they have like a lot of traffic there if they like need to if they recycle the machine I heard that it takes more than 20 minutes. I'm not so sure why it takes more than 20 minutes but it's a lot of loss for them so they will not turn off the machine every month. So they will do that like every three months or six months and there are some time frame the attackers can like use one they exploit to like own the machine. So you might wonder there are like a real example that has been a problem passed in the past so I gathered some like examples here like for someone is MS07004 it was a VML issue and the patches were out but nobody wrote any exploits about that because they didn't have any information about that like of all our reality. The vendor just released the patch and they just released advisory saying we like patch is something wrong inside the VML module or something like that and that was it. But a guy from like Korea actually he's my friend and he used my tool to like reverse the patch and wrote the exploit in a few hours. And the second example is MS08067. Actually this one was used for config around actually. So his name is Steve Ridley. Actually he used my tool he also used my tool to like diff the patches and create the exploit like in a few hours. You can look up the blog here and you can read the whole story. And the next one is very interesting one like MS10024 and this is a kind of undisclosed vulnerability from Microsoft and they were releasing patches for other vulnerability and they included some undisclosed like vulnerability patches inside it. And actually it was caught by core security lab here. So yeah it's a little bit like embarrassing. So you can know that why binary dipping matter here. So the first you can use binary dipping to create exploit like if you have POC you can just use that like to put your own shell code or like make it more reliable. So you can use that as a template for your exploit. But if you don't have any POC code then in that case you need to figure it out yourself. Maybe you can get some information from the vendors but I don't believe any vendors will like release any like a technical information to like any exploit writers. So the only way I think is using binary dipping. And maybe people start to look into like a binary dipping. Maybe the meta-sploit arsenal will increase by far now maybe I'm not so sure. But the other use for like a binary dipping is actually generating signatures. So with the same technology you can create exploits or you can create defense mechanism or something like that. So IPS and vulnerability scanner or even AV uses like signatures for like detect the binaries, the attacking binaries or attacking websites or like exploit. So if there is any POC they can use that POC for their like signature template or something. But if there are no POC then where will they get the information? Only vendors. So there are some vendors actually provide that like actual technical information. Like Microsoft they have a program called MAPP. You can just call it like a map. So how many people heard about map here? Yeah looks like not many. Yeah it's always like not many. Under 10 people. So looks like it's not that popular now. But it was launched I remember like two years ago at Blackhead. So it's been two years and they provide real like a real technical information to the like a security vendors like maybe yeah our company also get that information and all the like any security vendors that are like willing to get some information they can just contact MAP like a coordinator and they can like get sign some document maybe and they can get the information every like a patch Tuesday or whenever there are some zero days are out they can get the information. They send it through the mail and you can get the information like very quickly. But if you don't have that kind of luck to have map then patch on once is the only way and there are other problems like even though you have the map they still doesn't disclose the information fully. They still hide some information and like they only write just one vulnerability in their report but actually if you deep the binary you can catch that they like included like more than four or five other maybe sometimes like one or two vulnerabilities in their patches. The one example was that one that I showed like MS 10 024 that one that one was caught by Colette. So let's talk about the binary dipping tool itself. There are some limitations with the current binary dipping tools like a bean diff or other like patch diff too and there are also turbo diff and dark green and that is my tool and there are like a four major dipping tools out there and but there are some limitations and there are two of them I just wrote here and one is like a managing fires is very like a boring job. So if the Microsoft release a patch like they include like so for example 12 patches then there are like because they like release patches for every OS is or something like that then it will include like maybe 40 or 50 different binaries and you need to manage all the binaries and you need to find the old binaries for that matching binary. So it's kind of very time-consuming and boring. So sometimes it takes more time to find that old binary or something like that so it's very time-consuming. So the other problem is that how do we know which function has security updates not like a feature updates. So sometimes they include just feature updates or yeah something like that. I will talk about this later. So I wrote upgrade the dark green and each dark green three now it has web interface and it's a very user friendly and it has a bin collector it manages all the files for you and it has a security implication score that shows what function has more security implication inside this. So you can know what function has more probability of having some security related patches inside it. So the security implication score itself is based on signatures. So there are some patterns like appearing like in the security patches. And there are some noises like it's for like eliminating some like noises caused by like a feature updates like they didn't patch it. They didn't like didn't patch any security related problems but they did like just upgrade some functionality or something and that kind of thing or they can do some kind of code refactoring and or they just change it the optimization level and they will that will create a lot of false positives also the disassembler is not like a disassembling itself is not like a deterministic problem so there can be a lot of problems in like recognizing some code parts or data parts and it makes a lot of false positives and as I said security implication score is a signature based scoring system so something like a string length you can use string length to like patch some kind of what is that the stagger flow so you should use string length to fix that kind of problem so it will it should appear in the patched part so how about the safe string API so something like Microsoft SDL like they recommend using like a new API new like a new safe string related API so in that case they should use a safe string API to fix the old problem so you will find that like a safe string API from the patched part so you can use that for like signatures for locating security related patches or about some like a constant numbers some big numbers maybe to fix some integer of loss so this code is written in Python and it's in Python so you can just rewrite a part if you have your own logic so you can just rewrite the part and you can test it yourself so the actual question will be is it working or not so I have a example I have an example here like acroald32.dll from adobe and they patched they released 933 recently a few months ago and I did 933 with 932 and it created like a 3, 3,630 entries like a modified functions so it's almost impossible to go through every functions to find these security patches so if you use SIS the security implications score here then if the entries with number 0 the score 0 is only 992 and the score more than 1 was only 70 so you can like save a lot of time and effort here so I will show you how the how the 3 looks like so this is the main page actually I'm running some background like a web server just like a web server to like run some their own process or something like that so I just use a web like what is that there is cherry pie I just use the cherry pie Python module to run the web server and you just connect to like a local host and you can like a designate like any port you like using like a configuration file so in this case it's 80 so you just connect to like a local host like this and each adjusts main menu and it only has four menus here and if you click here yeah files import and there are some input box here so here you don't have any files yet right so you need to like import all the files from like a remote machine or your local machine so if you want to collect some because I'm running Windows XP right now if you want to like collect all the windows XP system files you just put like a C windows here or maybe you can use to see program files anything like that then it will collect like a copy all the files to your like a library so you probably need a lot of hard disk like 20 or 30 gigs like storage space for that and or maybe you can set up some virtual machine and you just install something there and you can just like share some directory there and something like this or you can just import all the files from the remote machine and in that way you can collect all the files and binaries from other machines or for like other operating systems so it takes some time like 20 or 30 minutes and after that if you click files list the system will parse all the information from the like binaries and version from the files of version information and you deal like a sort all the files like according to their company names and like a file names and everything like that so here's the all the company names that are installing the like binaries on my system so probably you might be interested in Microsoft cooperation so click here and it will show every file from Microsoft cooperation so I used to example from like an API 32 this is kind of RPCDL that is exposed through the pipe so it has some history of a lot of vulnerabilities found like from like a five years ago or six years ago so we are interested in that file so we just find the file here and you go there and actually it will show every file that has that name that has that name so here you have all the file that API 32.dll with that name with different versions so you can see so maybe you can just want to put the latest one with the previous one like a 5.2 2600 and 5694 with the previous version like 3462 you just click it like a left one here is the previous file and this one is the like a patched file so you just click start dipping here it takes some time like five minutes or something because it will launch IDA you need actually IDA like IDA I used IDA 5.6 so probably if you are like a reverse engineer and guy you probably have IDA so you can use IDA and either locate the IDA and either launch the IDA and generate all the information and gather all the information for you so after that the result it will take five minutes so I just created some examples here so in this case it is one of the examples so after that it will like generate some table like this so you can see there were only two patched functions and you see that there are security implications score here three and two and probably three is bigger so probably this function has some patches inside it so if you click it then it will show some tables like this so from the table the left side actually left side empty right so actually the start is here so left side is unpatched file and right side is patched file so it means that the first the red block it means that the red block has been inserted to new the patch so it means that they can you see this like actually it's calling WCS LAN here I'm not so sure you guys can see this it's WCS LAN here so actually the patch is patching the vulnerability using like a calling WCS LAN so you can actually see what the actual programmer did to fix that vulnerability so it had like a stag of flow and they fixed it by just calling WCS LAN from the start of the function so this is some table view here so this is left side if something happens in left side it means that they removed that code block and something happens on right side it means that they inserted new blocks there so you just need to like look into red block or like there are also yellow blocks but there are no yellow blocks here so yellow block means the block has been modified so maybe I can find some example here yeah there are some yellow blocks here so in this case it changes some logic here so it's recognized as a kind of red block so anyway so you can click open IDA menu here so you can actually use IDA to see the diff result so in that case this is the old binary for same function so it's a net P managed IPC connect here right and if you see the graph overview it doesn't have many things here and there are some red blocks here so it looks like they removed this block from the unpatched binary so it shows two IDA the next one is patched binary so you can see that they inserted new blocks here and because it's showing the red block here right so it means that they inserted new blocks like this one and this one and just three and the first one contains that code like WCS LAN so actually you can use IDA to perform the actual analysis because it's more comfortable to the reverse engineers so this is the demo so let me show you some signature examples here so I just talked about the signatures right so it's all about the signatures so what kind of signature are you talking about I just talked about string lengths or some constant number like a 0x, FFF something like that but beyond that what kind of signature can you use so this one is MS06070 and you can see that the vulnerability is in here SW printf here right side SW printf is accepting some data from ARG0 and actually this function is exposed to through RPC interface so the user can control ARG0 and it can just direct straight forward stego flow in that case this is the example that I just showed an IP manage RPC connect and just as you see it's using WCS LAN to fix the problem and you can know that you can use a string length or WCS LAN or that kind of string length check as a like what is that signature for both overflow so what about the other like a stego flow like MS08 067 this was used for config column right so it has three entries here and the first one has a security implication score 20 and you see that I'm not so sure you can see that but this is a string cch copy W API this is a new API introduced by Microsoft so it's a safe string like API or something like that so whenever they like a Microsoft patches any string related problems they are going to use these new secure APIs and we can use that as a kind of pattern to locate the security patches and this is integer overflow from MS10 030 and it is the problem inside the Microsoft Outlook client and if you use like a what like a what like a darn green you can see that I sorted by security implication score here and you can see that the first entry is like a response start method from CPAP transport looks like it's processing some response from PAP3 server so if you look into that you can see very interesting like a call inside it actually I'm not so sure you can see this each API you long long to you long so each API that converts 64 bit integer to 32 bit integer so you might wonder the original problem was integer overflow and they are using 64 bit to 32 bit conversion API to fix what is that integer overflow so you might wonder why it is working so before that if you track the input for the conversion it's coming from actually string to INT API and the buffer for like STL to INT API is coming from like PAP3 response like a header like response line so it's like attack control over if the attacker is running some fake like a PAP3 server and like what is that hijacking some like wireless traffic or something like that then maybe the attacker can control the user's machine own the user's machine so you might wonder why the Microsoft engineer used you long long to you long function to fix integer overflow not just comparing some like integers that's it was because it is recommended by STL like you long long to you long API is actually converting 64 bit integer to 32 bit but it fails if the original 64 bit value is greater than maximum 32 bit value so any value that is greater than 32 bit maximum value will not be converted it will just return error so they are fixing the problem just calling this API they don't need to like use like comparing the integers or something like that they just need to use this API so whenever they fix integer flow then they will use probably use this API because it's recommended in their guideline so maybe you can just use this as a kind of signature to like find any kind of integer flow from like a Microsoft so you might wonder from the list of the functions that has been modified that patch they only talked about like one or two like CPAP 3N iMap but it actually shows a lot of like meaningful entries here so you might wonder they might be hiding something here so I just dig into more and looks like the other method the next one like a C iMap 4 agent here resize message sequence number table is fixing same problem it's calling the old one was just calling the memory allocation routine but the patched one was calling you long long to you long just as they fixed the other integer flow so it looks like whenever they find some integer flow from their module they are fixing same kind of problem from other code parts so that is now related to each other but looks like the programmer actual programmer that is responsible for that code just learned that kind of technique or that he might not know about integer flow before and somebody reported and somebody like from the security team maybe they talked about it and he's educated maybe and he fixed the other problems with other parts of the code that has same problems so he fixed the code in other parts with the same method he's calling you long long to you long to fix some integer flow here so this is very interesting problem bug because it's very hard to exploit so looks like the server the fake IMAP server should return like more than like a few like one gigabytes of data to maybe a few gigabytes of data to the client so it's not likely to be exploitable but it's still like a security problem so looks like they fixed it for their reason but looks like they don't talk about it so they just fix it but they just don't talk about it so and let's see next example so next example is about the use after free bug usually this is very popular in the internal explorer these days and I found that I did patch for CV 2010 0249 and I found that they are using a lot of code to replace PTR so it's a small here but actually the red box there is containing some replaced PTR code there so this is also that pattern happens a lot in the code so left side the left side is the original code and right side is the patched code so they are calling replace PTR so this is the reference cross reference from like unpatched code and replace PTR is called only from six places but from the patched code they are calling a lot of replace PTR so looks like they are all related to some kind of event processing so I looked into replace PTR function so looks like it's just about replacing pointer so the name tells everything so it's just about like a replacing pointer and looks like the old code was like now replacing the pointer for some reason and it made like some problem like use after free because the invalid pointer was still there and it was not replaced for some reason and it was causing the kind of use after free so maybe you can use replace PTR string as a kind of signature for like a future same if someone just finds the same bug maybe they will use same like replace PTR to fix that kind of problem so maybe you can use that API as a kind of signature for like that problem and there are other things I found like the original one it's a method inside the C markup and it destroys plate tree or something like that and actually the original one and looks like the name implies that it's destroying some like a memory structure or something right so the original one was just calling man free so it just destroyed the memory whenever it's called but the patched one is calling C tree node release method and if you look into that method if you can read this disassembly then you can know that it's doing some kind of reference count check so it's decreasing the reference count and if the reference count is not zero they just return and looks like somebody is still using me or something like that so it will not free the memory so when the reference count reaches zero then it will free the memory so looks like as I told maybe you can use replace PTR or man free or other patterns for like use after free bug so let's talk about another use after free bug actually this is the number is a CV 2010 0806 and actually this vulnerability was used for like attacking Google so it was like a few months like almost six or seven months ago and the if you look into maybe some of you already look into this exploit code so it's from the wildlife like exploit code I just guess take house some very important part and if you look into that it's adding some behavior here the default user data this is very important keyword here it's adding some behavior called default user data if you look up MSDN it will show every like behavior that is available for Internet Explorer so this is one of them so the attack only meant for this behavior so you must use this string here so and it's setting attribute and this is the key the ass is the key here and window is the value and in place of window here it's meant to use some string here so you are like setting some attribute using some string but in this case the attacker was setting attribute using some object and it's a very serious problem here because let's see this first if I deep the patch you can see that they patched two methods here and both of them has same patterns inside and they are the pattern is like this one they are some change inside a variant to change type EX call and the original one the variant to change type EX takes a first and second argument and first one is destination and second one is source so they are just changing the type of variant object variant type variable from source to destination and they are using same one and it will destroy the original like data and it will cause what is that the user and they are fixing it by just using different argument for destination so they are just allocating some local variable and they are using it for like destination for variant to change type EX so this is a very good example because I never know I never knew about this variant to change type EX issue before I deep this patch so you can actually learn something from the patch because now I know the variant to change type EX can cause some kind of memory corruption error so maybe if I do some kind of other like code auditing or something like that then you can use this knowledge for like that kind of stuff so in this case there are very interesting stuff here like because there is not only one exploit out there but they patched two methods so what does it mean? It means that they patched something silently without letting people know so I tracked down the one method they patched was C process to user data which probably linked to related to that what is that default to user data behavior but the other one was C process to use the data peer and I traced back where that like classes used and actually it was used by default to save the history and default to save a snapshot behavior so I could create some other exploit using that knowledge just in like a few hours because I need to figure out how to use that behavior I grabbed some examples from the internet and I just changed it to use some set attribute for like a document or window object something not string so it was like a very easy create new exploit so I think no IPS or ideas have that patterns inside them so somebody is very like malicious intent then they can just create some kind of exploit and they can evade the IPS because they don't have the patterns inside them so this is some kind but this was patched like almost half a year ago so I think it's okay or something like that so in this point there are something to think about so probably MS could just release that information like we also have like a default to save history and we also have some problems inside the default to save snapshot and also as I showed like we also have some problems inside the IMAP client and it will overflow if the attacker returns a lot of entries they could just write about that in the first place but looks like they didn't do that so even though they are trying to provide some programs called like a map MAPP looks like they are missing some information for some reason maybe intentionally or by mistake or something like that so it looks like it's not a good like good behavior like from like because like what is that the security vendors should default the binaries themselves even though they have MAPP they can't trust MAPP because MAPP doesn't include some valuable information for some times so I showed the first one was caught by Core Impact a few months ago and I showed two examples here from Microsoft I only showed two but I might find more if you look into more like patches so it's a kind of just problems for security vendors not having the full information so let's talk about other things so this is about exploit spotting so there are some other problems like even though you have deep entries so exploit writing might be very hard because something like Adobe Acrobat I did test with some Adobe Acrobat patches and just I said it will create generate a lot of patches to list or something like that I used like a cool type example here and it created like a more than 20 or 30 entries so actually they said they patched just one like one vulnerability like CV 2010-2024 and I used some public exploits out there and I pinpointed the exact function that was patching that problem so it is this entry here the red box here this one is actually that one CV 2010-2024 then how about the others like looks like they fixed a lot of problems the other problems here so looks like they might have found similar problems in other codes and looks like they patched it so with the original exploit code from the exploit DB you never hit the other functions so how can you hit other functions and how can you make an exploit for them even though you don't know anything about cool type so I used this method called the mini code coverage test so I just let me show you so here's the method I just Google random PDF document from the like all the places from the internet and like I make some library of the PDFs like more than 10,000 or something like that and you execute Adobe Acroba reader with some break points inside it like from this deep to least you just need to like from I used the unpatched one so you just need to look into one, two, three, five, six, eight points so you need to break point eight points of the cool type.dll to see if the sample is hitting the point to see if it's using any kind of cool type related code there so you just put like eight points of break point to Adobe Acroba and you just run the like something like a forging test you just execute acroba for every files and you if you hit any break point there it means that the PDF document contains some template that you can use for your like a testing so actually I didn't use debugger but I just used assigned some debugger as a kind of GT debugger and I just replaced some bytes inside the cool type.dll to like bring up debugger so I just put 0xCC some the exact point like eight points I find that and just do that and it's very fast or something like that and after that like if you run something and you can collect all the like a PDF samples that is related to that one day exploit so and after that usually the PDF documents are like a compressed you can use a PDF TK tool to decompress the PDF documents and you can actually see the actual the memory they showing up in the what is that the debugger is appearing inside the actual PDF document so you can just find that actual byte from the PDF template and you just modify that template and you can trigger the crash condition or that kind of thing so this is very easy to achieve or something like that so within a few hours by diffing the binary and collecting some PDF documents and using the mini coverage method that I suggest you can create some real like a one day exploit template or something like that within a few hours so I found that what I tested is all about the out of bounds memory access so I'm not so sure it's exploitable or not but maybe you can just use this method to like achieve other one day exploit writing so this the mini coverage test was attempt to use dynamic method for binary diffing so how about state analysis how about you can you use state data analysis or something like that for like binary diffing so I was trying to write some tools to do that like tracing all the variables back to and see if it is like a tangible or not looks like it is very hard job looks like there are some issues like C++ issues if the code is using C++ it is very hard to trace back all the variables and there are also if the binary is very big usually it generates incomplete disassembly list so I was just trying to make some attempt to write some state analysis tool and it was called I.Tracker but looks like it's now releaseable right now but I'm still working on that kind of code and maybe sometime it will be combined to like binary diffing tool and yeah it looks like in few months maybe I'm not so sure so I did some attempt but looks like it's not working very well so conclusions here binary diffing can benefit IPS rule writers or AV rule writers anyone like that or also it can benefit some exploiting writers like if you are interested in like writing some exploiting modules or something like that maybe you must start with binary diffing so in that way you can find something nobody ever like a found so and there are some typical patterns inside patches so you can use that for like to benefit binary diffing itself and it is called the security implication score in Darren Green 3 and it helps a lot and you can use dynamic analysis or stating method for binary diffing and looks like dynamic analysis is very helpful in like writing some one day exploits and any questions looks like I'm not sure so looks like we have clinic room over there so anyone have any questions come to the room and ask you questions to me thank you