About me
@ca0nguyen Research
- Exploit development: Windows, Linux
- Malware analysis
- Reverse engineering
0day (zero-day)
What is a 0day exploit?
- Security vulnerability
- Successful attack
Windows XP (Microsoft)
Initial release:
August 24, 2001; 12 years ago
Support is ending
April 8, 2014; 3 months left
- No security updates
Does it matter?
- A 0day exploit will last forever
- Antivirus can't save you
- A public exploit with some modifications becomes a 0day!
Desktop Browser
Security features
Data Execution Prevention (DEP)
- From XP SP2
- Still good, but not enough
Application exploitability
Easy: no dream team (DEP+ASLR)
Be able to predict the allocated address
Exploit scenario
- Control IP (Instruction Pointer)
- Jump to controlled address
- Bypass DEP: play ret2lib, ROP
- Run shellcode
- PWNED!
Internet Explorer
Windows XP SP3 comes with IE8
- XP is the main platform
- Exploitation on IE8/XP is easier than on the others
IE8/XP exploit
- Just following the rules
- Browser bugs:
  - Use-after-free
  - Type confusion
IE8/XP exploit
Use after free
- Replace the freed object with another one, e.g. a string
- Heap spray with ROP chain
- Take control of EIP: calling a function from a fake vtable
- Play ROP chain: VirtualProtect()
- Trigger shellcode
- PWNED: run calc.exe
ASLR in exploitation
Use after free
- Replace the freed object with another one, e.g. a string
- Bypass ASLR: leak memory, non-ASLR module
- Heap spray with ROP chain
- Take control of EIP: calling a function from a fake vtable
- Play ROP chain: VirtualProtect()
- Trigger shellcode
- PWNED: run calc.exe
Bypass ASLR
Non-ASLR module
- JRE6
- HXDS.DLL (Office 2007, 2010)
- Other browser plugins: IDM, ...
- Only working on IE8, IE9
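The "Non-ASLR module" and DEP slides both come down to two bits in the PE optional header: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP opt-in), plus IMAGE_FILE_RELOCS_STRIPPED in the COFF header, which makes an image unrelocatable even if it asks for ASLR. The following is an added defender's check, not code from the talk: it parses those fields so an administrator can audit which plugins loaded into a browser would hand an attacker a fixed base address. The test image builder and the flag names are mine; the image it constructs contains only the headers the check reads.

```python
import struct
import sys

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: no .reloc, cannot be rebased
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts in to DEP

# DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
DLL_CHARACTERISTICS_OFFSET = 70


def assess(pe_bytes: bytes) -> dict:
    """Report the ASLR/DEP opt-in state of a PE image held in memory."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    coff_off = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2) -> Characteristics at +18
    characteristics = struct.unpack_from("<H", pe_bytes, coff_off + 18)[0]

    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", pe_bytes, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", pe_bytes, opt_off + DLL_CHARACTERISTICS_OFFSET)[0]

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocatable = not (characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "relocatable": relocatable,
        # Without relocations the loader cannot move the image even if it asks for ASLR.
        "aslr": dynamic_base and relocatable,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def describe(name: str, pe_bytes: bytes) -> str:
    """One audit line per module, flagging the ones that weaken the process."""
    r = assess(pe_bytes)
    problems = []
    if not r["aslr"]:
        problems.append("NO ASLR (fixed base address)")
    if not r["dep"]:
        problems.append("NO DEP opt-in")
    status = "; ".join(problems) if problems else "ASLR+DEP"
    return "%s: %s" % (name, status)


def make_test_image(dll_chars: int, pe32plus: bool = False, relocs_stripped: bool = False) -> bytes:
    """Constructed, header-only PE image for exercising the check offline (not a real DLL)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64-byte DOS header
    characteristics = 0x2000 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)  # IMAGE_FILE_DLL
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    magic = 0x20B if pe32plus else 0x10B
    opt = struct.pack("<H", magic) + b"\0" * (DLL_CHARACTERISTICS_OFFSET - 2)
    opt += struct.pack("<H", dll_chars)
    opt += b"\0" * (opt_size - len(opt))
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    # Usage: python pe_mitigations.py <dll> [<dll> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(describe(path, f.read()))
</test>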
Bypass ASLR
Using SharedUserData
- Fixed at 0x7ffe0000
- LdrHotPatchRoutine: remote DLL loading
- Patched in MS13-063
Bypass ASLR
Leak memory address
- Changing the size of a string/array object
- Reading extra memory
- Do not crash the targeted application
JIT spraying
- JavaScript
- ActionScript
Targeted attack
CVE-2012-4792, CVE-2013-3893, CVE-2013-3897
- Windows XP + IE8
- Windows 7 + IE8 + non-ASLR module
- Same author(?)
- Same range of victims
CVE-2013-5065
NDPROXY
- Interfaces WAN drivers to TAPI services
- TAPI enables computer telephony integration
DEMO
0day
- IE8/XP SP3, fully updated
- Use-after-free
- Also affects the latest IE10, IE11
CVE-2013-5065
Still waiting for a security patch
Conclusion
Windows XP is old
- Out-of-date security features
- Support is ending
Internet Explorer 8
- Easy to break down
What we can do
- Upgrade to Windows 7, 8, 8.1
- Use EMET
Thanks