
0day: reason why you (or companies) should not use XP anymore

About me
@ca0nguyen
Research
Exploit development: Windows, Linux
Malware analysis
Reverse engineering

0day (zero-day)
What is a 0day exploit?
Security vulnerability
Successful attack

0day hunting, is it easy?
It's not an easy job, but always possible
One 0day can own your system
Easier on XP

Microsoft
Initial release: August 24, 2001; 12 years ago
Latest stable release: 5.1 Build 2600: Service Pack 3, April 21, 2008; 5 years ago
Support is ending: April 8, 2014; 3 months left
No security updates

Does it matter?
0day exploit will last forever
Antivirus can't save you
From public exploit with some modifications: 0day!

Desktop OS Market Share
(chart) Source: Net Applications, November 2013

Desktop Browser
(chart) Source: Net Applications, November 2013

Security features
Data Execution Prevention (DEP)
From XP SP2
Still good, but not enough

Address space layout randomization (ASLR)
Important feature
But only from Vista onwards

Application exploitability
Easy: no "dream team" (DEP+ASLR)
Able to predict the allocated address

Exploit scenario
Control IP (Instruction Pointer)
Jump to controlled address
Bypass DEP: play ret2lib, ROP
Run shellcode
PWNED!

Internet Explorer
Windows XP SP3 comes with IE8
XP is the main platform
Exploitation on IE8/XP is easier than on the others

IE8/XP exploit
Just following the rules
Browser bugs: Use-after-free, Type confusion

IE8/XP exploit
Use after free
Replace the freed object with another one, e.g. a string
Heap spray with ROP chain
Take control of EIP: calling a function from a fake vtable
Play ROP chain: VirtualProtect()
Trigger shellcode
PWNED: run calc.exe

ASLR in exploitation
Use after free
Replace the freed object with another one, e.g. a string
Bypass ASLR: leak memory, non-ASLR module
Heap spray with ROP chain
Take control of EIP: calling a function from a fake vtable
Play ROP chain: VirtualProtect()
Trigger shellcode
PWNED: run calc.exe

Bypass ASLR
Non-ASLR module
JRE6
HXDS.DLL (Office 2007, 2010)
Other browser plugins: IDM, ...
Only working on IE8, IE9

Bypass ASLR
Using SharedUserData
Fixed at 0x7ffe0000
LdrHotPatchRoutine: remote DLL loading
Patched in MS13-063

Bypass ASLR
Leak memory address
Changing the size of a string/array object
Reading extra memory
Do not crash the targeted application

JIT spraying
JavaScript
ActionScript

Targeted attack
CVE-2012-4792, CVE-2013-3893, CVE-2013-3897
Windows XP + IE8
Windows 7 + IE8 + non-ASLR module
Same author(?)
Same range of victims

CVE-2013-5065
NDPROXY
Interfaces WAN drivers to TAPI services
TAPI enables computer telephony integration

Off-by-one / out-of-bounds array index
Array size vs. array index
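The array-size vs. array-index confusion behind this bug class, as an added C example (not code from the talk and not the NDPROXY driver): a table of handlers selected by a caller-controlled index, with the buggy bound check beside the corrected one and a dispatch routine that only dereferences the table after the correct check. The table, handler names and TABLE_SIZE are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a table of handlers selected by a caller-controlled
 * index, the pattern in which an off-by-one bound check turns into an
 * out-of-bounds read of a function pointer. Not the NDPROXY code. */
#define TABLE_SIZE 4u

typedef int (*handler_fn)(void);
static int h0(void) { return 10; }
static int h1(void) { return 11; }
static int h2(void) { return 12; }
static int h3(void) { return 13; }

static handler_fn table[TABLE_SIZE] = { h0, h1, h2, h3 };

/* Buggy check: confuses the array size with the largest valid index.
 * idx == TABLE_SIZE passes, yet table[TABLE_SIZE] is one slot past the end. */
int index_ok_buggy(uint32_t idx)
{
    return idx <= TABLE_SIZE;
}

/* Correct check: valid indices are 0 .. TABLE_SIZE-1. Using an unsigned
 * index also means a "negative" value wraps to a huge number and is rejected. */
int index_ok_fixed(uint32_t idx)
{
    return idx < TABLE_SIZE;
}

/* Hardened dispatch: dereference the table only after the correct check;
 * an out-of-range index yields -1 instead of a read past the array. */
int dispatch(uint32_t idx)
{
    if (!index_ok_fixed(idx))
        return -1;
    return table[idx]();
}

int main(void)
{
    /* Walk 0 .. TABLE_SIZE: the last index is where the two checks differ. */
    for (uint32_t i = 0; i <= TABLE_SIZE; i++)
        printf("idx=%u buggy_ok=%d fixed_ok=%d result=%d\n",
               i, index_ok_buggy(i), index_ok_fixed(i), dispatch(i));
    return 0;
}
```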

DEMO
0day
IE8 / XP SP3, fully updated
Use-after-free
Also affects the latest IE10, IE11

CVE-2013-5065
Still waiting for a security patch

Conclusion
Windows XP is old
Out-of-date security features
Support is ending

Internet Explorer 8
Easy to break

What we can do
Upgrade to Windows 7, 8, 8.1
Use EMET

Thanks
