Posted on 19-Jul-2020

The Mummy 2018 - Microsoft Summons Back Ugly Attacks From The Past

Who am I

• Ran Menscher – Israel

• Independent Software Researcher – Reverse Engineering

• OS internals, Embedded, Applications…

• Past: VP Research, XM Cyber

– Vulnerabilities • Yes :)

I'm going to tell you about

• An unusual bug in Windows IP stack

• Fragmentation and IPID randomization – Overview, past attacks – The bug (CVE-2018-8493) – Exploitation

• Other cool consequences

Fragmentation and Reassembly

Undeniably Cursed

• Reassembly sensitive to resource exhaustion / other DoS

(cartoon: "More fragments coming up" – "You're kidding…")

• Lots of attack surface to evade IDS

(source: online presentation by Tobias Renwick)

• Most implementations: IPIDs as global counter

Curse of Global Counter

• DeNATing

• Idle scanning

• Blind packet injection (Zalewski 03)

(diagram label: Valid DST Port)

• Traffic interception by NAT/Tunnel (Gilad, Herzberg 11)

"Fragmentation Considered Vulnerable", Gilad, Herzberg 2011

So the vendors were quick to seal the curse

• Global counter in Windows until 2012 (per interface)

• Windows 8: different IPID per IP path

• And they were safe and happy

For 8.1, a "major" refactor had taken place for IPIDs. Most prominent changes:

• A function isn't inline'd anymore – (but that could be the compiler)

• An array was changed to a pointer

• Why did they change it?

IPID GENERATION

• Is about IP PATH

identification = base + increment

base = random 4 bytes (init @ boot) ⨁ hash(key, IP PATH)

increment = increments[hash(key, IP PATH)]

Oops

• Allocate 0x8000

• Initialize 8… bytes

• Sizeof(int *)

• Mostly zeros

• key is 40 random bytes

• hash is a Toeplitz hash (RSS)

• Toeplitz matrices

Key (illustrative nibble tables from the slide, one 16-entry row per input nibble):

tbl1: 00000 45678 67456 78674 20384 09234 93759 12987 47823 28002 23532 75930 66783 48759 28465 93732

tbl2: 00000 55080 90366 98295 88998 33569 56486 17166 89406 29886 53232 44678 87289 20230 91489 43798, …

Input: 2 F 3

Hash = tbl1[0x2] ⨁ tbl2[0xF] ⨁ …

• Nibbles of input that are XOR 8 of each other – their hashes are XOR key[i] of each other!

Inputs that differ only by a nibble will output a cell's content!

• Hash(10.0.0.1, 10.0.0.2) = 1234 ⨁ 5453 ⨁ … ⨁ 0

• Hash(0x80|10.0.0.1, 10.0.0.2) = 1234 ⨁ 5453 ⨁ … ⨁ key[i]

• id(10.0.0.1, 10.0.0.2) = 1234 ⨁ 5453 ⨁ … ⨁ 0 ⨁ secret

• id(0x80|10.0.0.1, 10.0.0.2) = 1234 ⨁ 5453 ⨁ … ⨁ key[i] ⨁ secret

ID1 ⨁ ID2 = key[i]
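As an added illustration (not the speaker's code) of the two forms of the hash on the slides and of the weakness they point at: the Toeplitz hash is linear over GF(2), so flipping one input bit changes the hash by a fixed 32-bit key window whatever the rest of the input is, and when increment = 0 the boot-time secret cancels out of ID1 ⨁ ID2. KEY is the published RSS verification key from Microsoft's documentation, used only as a constructed non-secret key; the zero-filled increments table and the 16-bit truncation are modelling assumptions.

```python
# Toeplitz (RSS) hash in bit-window and nibble-table form, plus the slides' IPID
# model, to check the linearity that lets two IPIDs leak key[i]. Added example,
# not the speaker's code; KEY is Microsoft's published RSS verification key.
KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b4"
    "77cb2da38030f20c6a42b73bbeac01fa")

def key_window(key: bytes, bit: int) -> int:
    """32-bit window of the key starting at bit offset `bit` (the slides' key[i])."""
    k = int.from_bytes(key, "big")
    return (k >> (len(key) * 8 - 32 - bit)) & 0xFFFFFFFF

def toeplitz_hash(key: bytes, data: bytes) -> int:
    """RSS Toeplitz hash: XOR the key window at bit i for every set input bit i
    (input read MSB first). Only XORs are involved, so the hash is GF(2)-linear."""
    out = 0
    for i in range(len(data) * 8):
        if (data[i // 8] >> (7 - i % 8)) & 1:
            out ^= key_window(key, i)
    return out

def nibble_tables(key: bytes, n_nibbles: int) -> list:
    """Table form shown on the slides: tbl[j][n] is the hash of an input whose
    only non-zero nibble is nibble j with value n; tbl[j][0] is always 0."""
    tables = []
    for j in range(n_nibbles):
        row = []
        for n in range(16):
            digits = ["0"] * n_nibbles
            digits[j] = f"{n:x}"
            row.append(toeplitz_hash(key, bytes.fromhex("".join(digits))))
        tables.append(row)
    return tables

def table_hash(tables: list, data: bytes) -> int:
    """hash = tbl[0][nibble0] ^ tbl[1][nibble1] ^ ... exactly as on the slide."""
    out = 0
    for j, d in enumerate(data.hex()):
        out ^= tables[j][int(d, 16)]
    return out

def ipid(secret: int, key: bytes, path: bytes, increments: list) -> int:
    """Slides' model: id = (secret ^ hash(key, path)) + increments[hash]. The
    increments table is assumed mostly zero; id is truncated to the 16-bit
    IPv4 Identification field (assumption)."""
    h = toeplitz_hash(key, path)
    return ((secret ^ h) + increments[h % len(increments)]) & 0xFFFF

# Constructed IP paths (src, dst) that differ only in the top bit of the first nibble.
PATH_A = bytes([10, 0, 0, 1, 10, 0, 0, 2])
PATH_B = bytes([0x80 | 10, 0, 0, 1, 10, 0, 0, 2])
```

The table/window identity tbl[j][n] ⨁ tbl[j][n ⨁ 8] = key_window(4·j) holds for every n, which is why a single bit flip in a path gives a constant difference regardless of the other nibbles.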

ATTACK (key recovery):

• Get two samples of IPIDs

• For IP PATHs that differ by a nibble, XOR 8 of each other

• Key[0] = ID1 ^ ID2 (if we hit increment = 0)

• Repeat until confident of key[0]

• Repeat for other key parts

identification1 = key[i] ⨁ identification2

• But if increment ≠ 0

• We can deduce content from the table (= uninitialized mem)

(diagram labels: If increment1 == 0 / If increment2 == 0)

ATTACK (reading kernel mem)

• Choose IPID for IP PATHs known to have increment = 0

• Use recovered key to initialize Toeplitz matrix values

• Get IPIDs for IP PATHs differing by a nibble from chosen IP PATH

• Calculate expected IPIDs according to matrix

• Sample – Expected = Table content = uninitialized mem

DEMO

Predicting IPIDs

• When increment = 0, prediction is practical

• Works similarly to the memory read

• Problem reduced to assessing # of packets sent

Take Aways

• Don't Fragment (DF) is not just an IP flag. It's good advice.

• Yes, coders who refactor working code are grave robbers.

• If you mix performance and security, a simple bug will bring you down.

Questions?

Ran Menscher
ran@menschers.com
Twitter: @menscherr
