j00ru's SECURE 2014 presentation

The following is a translation of
http://j00ru.vexillium.org/blog/23_10_14/Ucieczka%20z%20Matrixa.pdf
using Google Translate.
That presentation is linked from http://j00ru.vexillium.org/?p=2454


Escape from the Matrix:
(un) safe malware analysis
Matthew "j00ru" Jurczyk


Mateusz Jurczyk
===============
• ISE @ Project Zero, Google
• Dragon Sector Team Vice-Captain
• @j00ru
• http://j00ru.vexillium.org/


What will this be about?
========================
• The malware.
• The tools for their analysis.
• The security vulnerabilities in these.
• About their active use in order to implement
malicious code on a victim machine.
In short, what dangers lie in wait for analysts
malicious software on real examples.


What will this NOT be about?
============================
The passive hindering analysis
(obfuscation, anti-debugging tricks, steganography
etc.)


A year ago, SECURE ...
=======================
"The thing about increasing (in) security. Food
for thought. "
Gynvael Coldwind


A year ago, SECURE ...
======================
Gynvael showed that anti-virus applications
in addition to detecting threats can seriously
increase the attack surface of the system
computer.


A year ago, SECURE ...
======================
• AV programs that in the end a great target for
bughunter and attacking:
- Most often written in the native languages (yield) ...
- Parse complex data formats: files
executables, archives, documents, ...
- With administrator rights or the kernel ...
- Taking as input each file appears in the
machine.


The thesis is confirmed
=======================
Over the last year there is even more evidence:
- Joxean Koret, Breaking Anti-Virus Software, Syscan 2014 [1].
- Dozens of critical errors in most AV products.
Tavis Ormandy • Denial of Service in Microsoft Malware
Engine Protection, June 2014 [2].


The thesis is confirmed
=======================
Twitter post from Joxean Koret (@matalaz) on Oct 17: "There are some antivirus that I wonder if they happen to know how to code at all.  I'm not talking about secure aware coding."


Okay, ...
=========
... Anti-virus may not be entirely safe.
And if you generalize a bit the problem, and we consider the
the entire set of software that "contact" with malignant
software?
For example, the tools for the analysis of
malware?


A brief digression
==================
• Year 2012 on a popular website with the tip .cn
(China) find the SWF file with interesting me
functionality.
• Cheerfully I load this file into Sothink SWF Decompiler,
one of the better decompilers for Flash files.
• waits for a few seconds, then ...


A brief digression
==================
(screenshot of crash fo SWFDecompiler.exe)


A brief digression
==================
Pinning debugger, and there:
(screenshot of windbg with access violation at 0x41414141)


Coming back to the topic ...
=============================
Can we trust the tools, which on a daily basis
people use the AV companies, other organizations, and
properly and ourselves?
- Who has not started once ProcessExplorer,
ProcessMonitora or Wireshark?
Simple answer: Unfortunately not. :(


(slide 16, can't copy text to translate)


Examples
========


Hex-Rays IDA Pro
================
• IDA Pro is currently the best available on the market
disassembler executable files.
- Runs on Windows, GNU / Linux, OS X.
- The vast user base: an essential tool
each reverse-engineer.
- Opportunity to buy dekompilatorów platforms
IA-32, IA-64 and ARM 32.


familiar sight
==============
(screenshot of IDA Pro)


Hex-Rays invests in safety
==========================
• ASLR, DEP, / GS and other collateral default
included in the executable and libraries.
• Self, safer implementation of standard
C function such as strncat and strncpy.
• Bug bounty program: for each critical error in
deasemblerze or dekompilatorze company pays 3000
USD.


Bug bounty program
==================
(screenshot of hex-rays.com/bugbounty.shtml)


On the other hand, ...
======================
• Written entirely in C / C ++.
• Part of the source code available in the IDA SDK.
• A partial list of supported file formats:
(long list of formats)


On the other hand, ...
======================
• Even more supported formats assembly: more than 60 processor families:
(longer list of processors families)


Many bugs reported and repaired since 2011
==========================================
(screenshot of 13 bounties paid from hex-rays.com/bugbounty.shtml)


Is it pays to look further?
===========================
• Question in mid-August 2014.
• I decided to give it a chance.
- At 100%, not all formats are supported
exactly przeaudytowane.
- High reward is a good motivator.
• For about three weeks audits the evenings
open and closed code IDA.


Results cursory audit
=====================
• 12 different classes of errors "memory corruption" found parsers
formats:
- QNX, COFF, DBG, EPOC, DEX, PEF
• 2 errors recognized by the Hex-Rays for NOFIX due to unrealistic
attack scenario.
• The remaining 10 vulnerabilities classified as 6 separate problems.
• Corrected by the manufacturer in less than two weeks.
- Date of filing: September 6, 2014
- This patch release: September 15, 2014

(screenshot of changelog for IDA Pro with vulns from j00ru)


Types of errors found
=====================
• COFF, DBG: Heap Buffer Overflow due to an Integer Underflow.
• EPOC: 4-byte Heap Buffer Overflow due to an Off-By_one in bounds checking.
.
• DEX: Heap Buffer Overflow due to Integer Overflow.
• PEF: Multiple Heap Buffer Overflows due to Integer Handling Problems.
• PEF: Heap Memory Corruption due to logical errors in memory management.
• Many: Heap Buffer Overflows due to logical errors in memory management.


EPOC 4-byte Heap Overflow is due Off-By-One
===========================================
• EPOC is a simple executable file format used
on the operating system of the same name.
- More known as Symbian.
• It consists of a header, followed by sections
memory.
- Data section of the file can be saved to "plain text"
or compressed or DEFLATE algorithm BYTEPAIR


EPOC file format overview
=========================
(image of file format)
```
+--------------------------+
| E32 header               |
+--------------------------+
|        | Text section    |
|Code    +-----------------+
|section | Export table    |
|        +-----------------+
|        | Import table    |
+--------------------------+
|BSS section               |
+--------------------------+
|Data section              |
+--------------------------+
|Import section            |
+--------------------------+
|Relocation section        |
+--------------------------+
```


Not so fast ...
===============
• No source code format in the IDA SDK EPOC.
- It only remains to reverse engineer the file epoc.ldw.
• Very poor documentation format, in particular
algorithms (de) compression.
• The only source of knowledge is meaningful projects GnuPoc [3]
(SymbianOS SDK) and symbian-dump (publicly available
Symbian code) [4]


Further analysis of the
=======================
• After a brief analysis, it was found that Hex-Rays
advantage of DEFLATE decompression code from the package
GnuPoc.
- But we can read C code! :)
• How to decompression, the code is written
exceptionally well.


Short exercise: find the error
==============================
(image of some code related to Huffman:InteralizeL on slide 33)


Off-By-One Error
================
• The condition should read:
```
    if (p >= end) {
```
• Error allows for 4-byte (sizeof (Tuint32))
overwriting a buffer of fixed length 1316 bytes.
• In the nearby code were more mistakes
this type.


Off-By-One Error
================
(slide 36, can't copy text)
*** glibc detected *** ./idaq: free(): invalid pointer: 0x09dcecf8 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x75b12)[0xf5f41b12]
/opt/ida-6.6/loaders/epoc.llx(+0xce3c)[0xf55bde3c]
/opt/ida-6.6/loaders/epoc.llx(+0xd406)[0xf55be406]
/opt/ida-6.6/libida.so(+0x16c815)[0xf749b815]
/opt/ida-6.6/libida.so(load_nonbinary_file+0xde)[0xf749bb8e]
./idaq[0x80b7ff5]
./idaq[0x8134d06]
/opt/ida-6.6/libida.so(init_database+0x10d6)[0xf73d1c06]
./idaq[0x8094a1e]
./idaq[0x8284848]
./idaq[0x828497f]
./idaq[0x809605b]
./idaq[0x8096133]
./idaq[0x80963f7]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xf5ee54d3]
./idaq[0x807ed11]


PEF Multiple Heap Buffer Overflows due to Integer Handling Problems
===================================================================
- Preferred Executable Format
  - Executable file format used for many years  ago in Mac OS.
  - Currently seen only on PowerPC under the control of BeOS.
- Source code available in the IDA SDK.


The process_loader_data
=======================
• The process data addressed shifts defined in the header file.
(image of code for process_loader_data function)


structure pef_loader_t
=======================
• All offsets are defined as 32-bit, fully controlled field.
(image of pef_loader_t struct)
• IDA Pro 6.6 is available only in 32-bit version, which favors
formation of Integer overflow errors while performing
operations on indicators and offsets.


Although the verification is ...
================================
(image of code, and text I can't copy)


As a result, the buffer overflows
=================================
(image of seg fault output)


more errors
===========
- In process_loader_data were 4 Integer
Overflowy leading to memory corruption.
- For the observant: shown earlier in Listing.  There is one more logical error.
  - Indicators for semantically distinct structure in the file calculated are based on a single input buffer.
  - Structures can (and should) overlap in memory.
  - A modification can lead to an unexpected change another.


BADMEMSIZE
==========
• IDA internally uses its own memory container for lists and
buffers:
- qvector
- Bytevec_t (inherited from qvector)
• These classes provide some standard methods, such as:
- :: Growfill
- :: Append
- :: Reserve
- :: Resize


Protection against Integer overflows
====================================
• These methods detect overflow situations
integer variable.
• handle them but in a rather unusual way.
- Rather than return an error code or throw an exception, lined
the size of the required buffer at a constant BADMEMSIZE.
- Assumption: malloc (BADMEMSIZE) never
fail.


example
=======
(image of code for checking an append and setting a var to the value BADMEMSIZE)


What is BADMEMSIZE?
===================
```
#ifdef __X64__
#define BADMEMSIZE 0xDEADBEEFDEADBEEF
#else
#define BADMEMSIZE 0xDEADBEEF
#endif
```


Hmm ...
=======
• IDA is only available in 32-bit, So we consider a fixed 0xDEADBEEF.
• 0xDEADBEEF = 3 735 928 559
- Almost the entire 32-bit address space.
- Well, "Almost". Let's see if in fact allocation of this size never fails.


Windows
=======
(image of process explorer showing memory usages for processes)


Mac OS X
========
CG image 0ad39000-0ad45000 [ 48K] rw-/rwx SM=PRV
OpenGL GLSL 0aec8000-0aeca000 [ 8K] rw-/rwx SM=ZER
MALLOC_LARGE (freed) 0aeca000-0af0b000 [ 260K] rw-/rwx SM=PRV
MALLOC_LARGE (freed) 0af8c000-0afcd000 [ 260K] rw-/rwx SM=PRV
CG image 0afed000-0b000000 [ 76K] rw-/rwx SM=PRV
MALLOC_SMALL 0b000000-0b800000 [ 8192K] rw-/rwx SM=COW
__DATA 0bfbc000-0bffe000 [ 264K] rw-/rwx SM=COW
__DATA 0bffe000-0c023000 [ 148K] rw-/rwx SM=PRV
__DATA 0c12f000-0c145000 [ 88K] rw-/rwx SM=ZER
MALLOC_LARGE (freed) 0c246000-0c287000 [ 260K] rw-/rwx SM=PRV
CG image 0c367000-0c3cb000 [ 400K] rw-/rwx SM=PRV
VM_ALLOCATE 0c3cb000-0c3ce000 [ 12K] rw-/rwx SM=PRV
Memory Tag 241 0c3cf000-0c3e5000 [ 88K] rw-/rwx SM=COW
MALLOC_TINY 0c400000-0c500000 [ 1024K] rw-/rwx SM=PRV
MALLOC_SMALL (freed) 0c800000-0d000000 [ 8192K] rw-/rwx SM=COW
__DATA 488c5000-49599000 [ 12.8M] rw-/rwx SM=COW
__DATA 49599000-495a8000 [ 60K] rw-/rwx SM=PRV
__DATA 8ff08000-8ff0a000 [ 8K] rw-/rwx SM=PRV
__DATA 8ff0a000-8ff32000 [ 160K] rw-/rwx SM=COW
__DATA a032f000-a0330000 [ 4K] rw-/rwx SM=COW
__DATA a0330000-a0331000 [ 4K] rw-/rwx SM=COW


Linux
=====
(092e6000 and f5649000 is highlighted)
...
08048000-083de000 r-xp 00000000 fc:01 5250367
083de000-083e1000 r--p 00395000 fc:01 5250367
083e1000-083e6000 rw-p 00398000 fc:01 5250367
083e6000-083f8000 rw-p 00000000 00:00 0
08e80000-092e6000 rw-p 00000000 00:00 0 [heap]
f5649000-f56c9000 rw-s 00000000 00:04 12582916
f56c9000-f56d4000 r-xp 00000000 fc:01 6817133
f56d4000-f56d5000 r--p 0000a000 fc:01 6817133
f56d5000-f56d6000 rw-p 0000b000 fc:01 6817133
f56eb000-f56ec000 rw-p 00000000 00:00 0
...


Linux
=====
BINGO
• The address space of 32-bit process on 64-bit
Linux, there is a "gap" of size ~ 0xEC000000 bytes!
• As a result of malloc (BADMEMSIZE) succeeds by assigning
0xDEADBEEF size allocation, which really entitled to
size ≥ 0x100000000.


Consequences
============
• The error is in multiple classes responsible for memory management, used by the main engine IDA and support for more than half of the input formats.
• The report for Hex-Rays is presented crash provoked using the Mach-O format.


BADMEMSIZE: crash w Mach-O
==========================
Program received signal SIGSEGV, Segmentation fault.
0xf4d98168 in ?? () from /opt/ida-6.6/loaders/macho.llx
(gdb) where
#0 0xf4d98168 in ?? () from /opt/ida-6.6/loaders/macho.llx
#1 0xf4db4aaf in ?? () from /opt/ida-6.6/loaders/macho.llx
#2 0xf4db6fec in ?? () from /opt/ida-6.6/loaders/macho.llx
#3 0xf7d7c815 in ?? () from /opt/ida-6.6/libida.so
#4 0xf7d7cb8e in load_nonbinary_file () from /opt/ida-
6.6/libida.so
...
(gdb) x/10i $eip
=> 0xf4d98168: mov (%edi,%edx,4),%ecx
 0xf4d9816b: mov %ecx,%eax
 0xf4d9816d: mov %ecx,%ebx


Hex-Rays IDA Pro: a summary
===========================
In short, there are errors and easily find them.
From the perspective of Researcher: not worth the bend and
report. :)
From a user perspective: not exactly safe
software for the analysis of files from untrusted
sources (probably 90% of use cases).


What else do you use for analysis?
==================================
Virtual machines!


Security VM
===========
- Virtual machines used for separation potentially malicious code from the competent environment.
  - The assumption of complete separation of environments executables.
But are you sure?


data Flow
=========
- Between the guest and the host is mentioned a large amount of information:
- Virtual machine implemented programmatically by VM (screen, hard disk, card network, etc..)
- Command graphics card, 3D acceleration.
- So called. additions - shared folders, drag-n-drop files, shared storage, ...


attack vectors
===============
• Each communication channel is a potential vector of attack for such isolated applications.
- Ability to attack the secondary controller VM in order to perform ring-0 code (in gueście).
- Ability to monitor VM attack in order to execute code ring-3 (in host).
- In the case of outstanding bugs (eg. CPU), the possibility of nuclear attack host.
• Example: the gaps in the testes and hypervisors associated with operating instructions SYSRET
(Rafal Wojtczuk, 2012)


testability
===========
• Multiple virtual machines is completely
open-source, allowing audit
(complex) source code.
• In addition, the channels of communication are easy targets
fuzzing (eg. VGA).


Fuzzing VGA
===========
DEMO


Random examples
===============
HOW IS IN PRACTICE?


Security VM VirtualBox
======================
User-mode -> Kernel-mode EOP

- Tarjei Mandt, Oracle VirtualBox Integer Overflow
Vulnerabilities, 2011 [5]
- Mateusz Jurczyk, Oracle VirtualBox Integer Overflow
Vulnerabilities, 2012 [6]
- Matt Bergin, Oracle VirtualBox Guest Additions Arbitrary
Write Privilege Escalation, 2014 [7]


Security VM VirtualBox
======================
Guest -> host EOP
• Francisco Falcon, Breaking Out of VirtualBox
through 3D Acceleration, Recon, 2014 [8]
• Florian Ledoux, Advanced Exploitation of
VirtualBox 3D Acceleration VM Escape
Vulnerability, VUPEN blog, 2014 [9]

Security VM: Vmware
===================
- Derek Soeder
  – dozens of errors: CVE-2008-4279, CVE-2012-1516, CVE-2012-1517, CVE-2013-1406, CVE-2013-3519 i inne.
- Kostya Kortchinsky, CLOUDBURST: A VMware Guest to Host Escape Story, 2009 [10]
- Piotr Bania, VMware CloudBurst - VMware Guest to Host Escape Exploit, 2009 [11]
- Piotr Bania, Old vmware cloudburst exploit, 2012 [12]


Security in Xen
===============
74 errors corrected from the beginning of 2013


Security in qemu
================
- Nelson Elhage, Virtunoid: A KVM Guest Host privilege escalation exploit, 2011 [13]
- Dozens of errors primarily in the implementation of
emulated devices


Security in qemu
================
(screenshot of CVE list)


Errors on the side of the user's VM
===================================
• Shared folders
- Has anyone ever run it in programs stored in shared
folder VMki executing untrusted code?
• DLL hijacking or simply infection located in EXEka
catalog.
• No separation of network access to the host file system
through network shares.
• Other forgotten or obvious communication channels.


A Since we are already AT
VIRTUAL MACHINE ...


Other routes of escape
======================
• If you are using malware to analyze options
Remote debugging kernel, we create
another channel of communication that can become
target of the attack.
• The immediate objective in this case is
WinDbg.


Protocol KDCOM
==============
• WinDbg talking to the kernel using the Guest
KDCOM protocol.
- Kernel Debugging Communication
- Simple packet header format:
- More than 50 supported message types.


Protocol KDCOM
==============
• fully described in several references:
- Kernel and remote Debuggers [14]
- KD extension DLLs & KDCOM protocol [15]
• He lived to see the independent implementation.
- SYSPROGS VirtualKD - accelerating application sessions
Debug COM port for VirtualBox and VMWare
- SecureWorks Wind Pill - Perl implementation
Protocol.


fuzzing KDCOM
=============
• Automate testing by creating a proxy
modifying the communication between
WinDbg and the kernel.


fuzzing KDCOM
=============
• After many attempts have failed to provoke
no error in WinDbg associated
directly to support the protocol.
• Crashes occurred while the mutation
body of the message sent from the virtual
machines for debugging.


What does WinDbg parse?
=======================
pe files, of course!


Processing PE files
===================
• WinDbg supports symbols.
- Public EXEków exports in the table.
- Private, located in the corresponding PDB file.
• In order to obtain the information you need to
process executables Z Guest.
- WinDbg zczytuje of guest memory modules, memory, and
then forward them to the responsible DbgHelp API
for handling symbols.


A few words about DbgHelp
=========================
• The auxiliary library provided by
Microsoft.
• Provides high-level functionality
debuggerach useful.
- Supports symbols.
- Create process dumps.
- Hear the call stack.


A few words about DbgHelp
=========================
• Parse complex
file formats such as PE or
PDB.
• The quality of the code is he made a,
practically lack of any
input validation.
"GREAT


Sample susceptibility DbgHelp
=============================
• Many out-of-bounds reads by the lack of validation fields PE structures, for example.
IMAGE_FILE_HEADER.NumberOfSections.
• Arbitrary read while operating the Export Table.
• Out-of-bounds read by the lack of validation of serial numbers in Import
Table.
• Arbitrary read the manual COFF Symbol Table.
• Out-of-bounds write by the lack of validation of serial numbers in
Export Table.
• Integer overflow during dynamic allocation of the internal array to
Operating Export Table.


In carrying out the code from the kernel virtual
the machine can lead to violations of
WinDbg memory integrity, and potentially
controlled to run the code.
Research described precisely in 2010, the blog
[16]


WinDbg and logical errors
=========================
• Exactly at the same time Alex Ionescu found that
KDCOM protocol allows the execution of any
WinDbg command from the Guest.
• This command allows you to run any .shell
program with controlled parameters.
• The result is 100% stable performance
controlled code on the host from the Guest.


WinDbg and logical errors
=========================
Solution: run windbg.exe with flag -Secure.
Secure Mode disables the debugger any options for him
tampering with the system on which it is running.


THIS IS NOT THE END!


Wireshark
=========
(list of vuln counts)


Other tools
===========
Any kind of dissectory, less known deasemblery etc.
are often equally susceptible.
Just devotes less attention to them, which are the most
tested worse than the widely known applications.
Example: said at the beginning of Sothink SWF Decompiler.


The moral?


Are there currently active malware attacks on analysts or detection systems?
============================================================================
probably* not

* At least I do not know.


And could they?
===============
Definitely yes


Conclusion?
===========
Obviously not in this thing to stop
use of these tools. :)
Well, however, apply the basic practices
security - but it all depends on
situation and threat model


suggestions
============
• Use new operating systems
- Each program is much more secure than Windows 8.1 to Windows
Vista.
- Which is the way "fault" Microsoft, but it is a topic for a separate discussion.
• Reduce the attack surface
- Enable only the strictly necessary devices in the VM.
- Use of additions and other additional technologies (eg. 3D acceleration)
only if necessary.
- In general: reducing to a minimum the number of lines of code that process
untrusted data


suggestions
===========
Whether it is likely that someone will create a
stable exploit our version of IDA Pro?

Sure.


suggestions
===========
And whether it is likely that someone will attack
exploit host under our version of IDA Pro,
fired in sandboksie operating in truncated
Microsoft virtual machine?
Possible, but unlikely.


The end
=======
j00ru.vx@gmail.com
http://j00ru.vexillium.org
@j00ru


Materials
=========
[1] http://mincore.c9x.org/breaking_av_software.pdf
[2] https://technet.microsoft.com/en-us/library/security/2974294.aspx
[3] https://github.com/mstorsjo/gnupoc-package
[4] http://sourceforge.net/projects/symbiandump/
[5] http://mista.nu/blog/2011/07/19/oracle-virtualbox-integer-overflow-vulnerabilities/
[6] http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
[7] https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt
[8] http://recon.cx/2014/slides/Breaking_Out_of_VirtualBox_through_3D_Acceleration-Francisco_Falcon.pdf
[9] http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php
[10] http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf
[11] http://blog.piotrbania.com/2009/09/vmware-cloudburst-vmware-guest-to-host.html
[12] http://blog.piotrbania.com/2012/07/old-vmware-cloudburst-exploit.html
[13] https://media.blackhat.com/bh-us-11/Elhage/BH_US_11_Elhage_Virtunoid_WP.pdf
[14] http://www.developerfusion.com/article/84367/kernel-and-remote-debuggers/
[15] http://articles.sysprogs.org/kdvmware/kdcom.shtml
[16] http://j00ru.vexillium.org/?p=405