TurtleSec
Turtle @pati_gallardo Sec TurtleSec
“Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.”
https://www.schneier.com/blog/archives/2014/04/heartbleed.html
@pati_gallardo 2 TurtleSec
Heartbleed
@pati_gallardo 3 TurtleSec
What was the bug? - Buffer over-read - Attacker controlled buffer size
@pati_gallardo 4 TurtleSec What made it bad? - Remote attack - High value memory - Wide deploy
@pati_gallardo 5 CVE-2014-0160 Description TurtleSec
“The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers toobtain sensitive information from process memory via crafted packets that trigger a buffer over-read”
@pati_gallardo 6 TurtleSec
Heartbleed is a prime example of an Information Leak
@pati_gallardo 7 TurtleSec
Heartbleed is famous for how devastating it was But it also became the poster child for fuzzing
@pati_gallardo 8 TurtleSec Introduction to Memory Exploitation
CppEurope 2021 Turtle @pati_gallardo Patricia Aas Sec Patricia Aas - Trainer & Consultant TurtleSec
C++ Programmer, Application Security Currently : TurtleSec
Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/they Turtle @pati_gallardo Sec TurtleSec Fuzzing
@pati_gallardo 11 Corpus Valid Inputs TurtleSec Crash Crashing Inputs
Instrumented Fuzzer Target
Coverage Feedback @pati_gallardo 12 TurtleSec
Now that’s is all nice and good But most memory errors don’t cause us to crash At least not right away
@pati_gallardo 13 TurtleSec
Sanitizers
@pati_gallardo 14 Address Sanitizer TurtleSec
VS compiler instrumentation run-time library GCC
terminal $ clang++ -fsanitize=address overflow.cpp
$ ./a.out Clang ERROR: AddressSanitizer: stack-buffer-overflow @pati_gallardo 15 TurtleSec
Address Sanitizer provokes crash-like behavior for many memory bugs Supercharges fuzzing Makes it possible to find “hidden” bugs
@pati_gallardo 16 TurtleSec
Sanitizers Fuzzer Debugger Make application Provoke weird Analyze crashy behavior
@pati_gallardo 17 TurtleSec
So you found a bug. @pati_gallardo What now? 18 TurtleSec
Exploitation
@pati_gallardo 19 The Programmers Mental State Machine TurtleSec
Weird “globalthermonuclearwar” Terminate State
“David” Access Operation Secret: Denied complete
“Joshua” Access Launching Granted missiles @pati_gallardo 20 Programming the Weird Machine TurtleSec
Vulnerability Weird State
Weird State
@sergeybratus The Target @halvarflake The Shellcode @pati_gallardo 21 Shellcode TurtleSec
Piece of code, typically in machine code, that is delivered and executed as a part of an exploit. Called “shellcode” because a traditional use was to start a shell, for example sh. In real exploits it will deliver some kind of mechanism for further (remote) compromise of the system.
@pati_gallardo 22 The Anatomy of an Exploit TurtleSec
Write Planting of Shellcode Memory
Information Leaks Running of Shellcode Read Memory Exploit Execute Code @pati_gallardo 23 Code Execution TurtleSec
To run your shellcode you need the instruction pointer to jump to your shellcode. The instruction pointer jumps in many different scenarios - goal here is to control where it jumps to, examples: return from a function virtual function call function pointer @pati_gallardo 24 “Primitives” TurtleSec
A vulnerability or a capability in the application that can be used as a part of a wider exploit is often referred to as a “primitive”- examples: Arbitrary Read Primitive Write-What-Where Primitive Read-Where Primitive
@pati_gallardo 25 TurtleSec Mitigations
@pati_gallardo 26 Platform and Compiler Mitigations TurtleSec
Write Address Space Layout Memory Randomization (ASLR) ASLR Non executable memory Limit interesting info? Stack Canaries Read Memory Exploit Execute Code @pati_gallardo 27 TurtleSec Cleaning Memory?
@pati_gallardo 28 TurtleSec Dead Store Elimination
The compiler is allowed to optimize away stores that cannot be detected Meaning memset’ing of memory that is never read can be removed
The Case Of The Disappearing Memset
@pati_gallardo 29 TurtleSec
@pati_gallardo The Heap 30 TurtleSec
Allocators
@pati_gallardo 31 TurtleSec
Simple Pool Allocator
@pati_gallardo 32 TurtleSec
Empty Pool
@pati_gallardo 33 TurtleSec
Initial allocations
@pati_gallardo 34 TurtleSec
Initial allocations
@pati_gallardo 35 TurtleSec
Initial allocations
@pati_gallardo 36 TurtleSec
Initial allocations
@pati_gallardo 37 TurtleSec
An allocation is freed - what now?
@pati_gallardo 38 TurtleSec Free
An allocation is freed - what now?
@pati_gallardo 39 TurtleSec Free
Another allocation is freed - what now?
@pati_gallardo 40 TurtleSec Free
Another allocation is freed - what now?
@pati_gallardo 41 TurtleSec Free
Another allocation is freed - what now?
@pati_gallardo 42 TurtleSec Free link?
coalesce?
@pati_gallardo 43 TurtleSec
So… how can we exploit this behavior? We can allocate!
@pati_gallardo 44 TurtleSec
Heap Spraying
@pati_gallardo 45 Heap Spraying TurtleSec
Fill memory with a certain byte sequence possibly shellcode so that a “random” jump might hit it
@pati_gallardo 46 Heap Spraying TurtleSec
Normal Allocation
Initial state
@pati_gallardo 47 Heap Spraying TurtleSec
Normal Allocation
Fill memory with shellcode Shellcode @pati_gallardo 48 TurtleSec
This is a bit scattershot Can we have more control?
@pati_gallardo 49 TurtleSec
Heap Grooming (Heap Feng Shui) @pati_gallardo 50 TurtleSec Create predictable memory patterns Trick the allocator to allocate a specific chunk A chunk you can control Let’s see it in action
@pati_gallardo 51 TurtleSec
Putting it all together
@pati_gallardo 52 “The Shadow Brokers” TurtleSec Hacking group behind a leak in 2016-17 The leaked exploits and tools are believed to be NSAs The Shadow Brokers are suspected to be Russian The leak was done in several batches Most famous is the Eternal Blue exploit
@pati_gallardo 53 Very Light Background: Windows SMBv1 TurtleSec SMB messages
Request Client Server Response
Aside: This is the diagram of all things computer @pati_gallardo 54 TurtleSec
Eternal Exploits EternalBlue
@pati_gallardo 55 TurtleSec
EternalBlue EternalChampion DoublePulsar EternalSynergy EternalRomance
@pati_gallardo 56 Write-What-Where Primitive and Remote Code ExecutionTurtleSec
EternalBlue
Linear Buffer Overrun, Heap Spray / Heap Grooming
@pati_gallardo 57 Main bug TurtleSec “When updating the length of the list, the size is written to as if it were a 16-bit ushort, when it is actually a 32-bit ulong. This means that the upper 16-bits are not updated when the list gets truncated.” Microsoft Defender Security Research Team
@pati_gallardo 58 Heap Grooming and Spray TurtleSec
- Primes the heap - Fills with blocks ready for shellcode - Makes room for buffer that will overrun - Overrun will prepare code execution - Hopes to overrun into one of the prepared blocks
@pati_gallardo 59 Heap Grooming TurtleSec
Initial state
@pati_gallardo 60 Heap Grooming TurtleSec
Grooming Packet
Filling gaps to make allocations predictable
@pati_gallardo 61 Heap Grooming TurtleSec
Grooming Packet Grooming Packet
Prefill before making pattern
@pati_gallardo 62 Heap Grooming TurtleSec
Grooming Packet Grooming Packet
Make room for your objects Free up holes
@pati_gallardo 63 Heap Grooming TurtleSec
Grooming Packet Grooming Packet
Pattern: Fish in a barrel Overflow Packet
@pati_gallardo 64 Heap Grooming TurtleSec
Grooming Packet Grooming Packet Ready for Execution
Pattern: Fish in a barrel Overflow Packet
@pati_gallardo 65 Heap Grooming TurtleSec
Grooming Packet Grooming Packet Ready for Execution
shellcode
@pati_gallardo 66 Code Execution TurtleSec
When connection is closed the shellcode is executed in the block(s) that have been overrun Installs the DoublePulsar backdoor implant @pati_gallardo 67 TurtleSec
How does that affect me?
@pati_gallardo 68 TurtleSec
There is no magic here These are bugs you can find The tools they use are tools you can use Basically: Fix Bugs
@pati_gallardo 69 TurtleSec
Turtle @pati_gallardo Sec