Download as PDF, PPTX
Uploaded byPatricia Aas
Introduction to Memory Exploitation (CppEurope 2021)
The document discusses the Heartbleed vulnerability, a severe memory exploit that allows attackers to access sensitive information from server memory without leaving traces. It outlines the attack's implications, the mechanisms behind the exploit, and the use of techniques like fuzzing and heap grooming to exploit memory errors. Furthermore, it emphasizes the importance of fixing vulnerabilities to mitigate risks associated with such exploits.
More Related Content
![Laura Garcia - Shodan API and Coding Skills [rooted2019]](https://cdn.slidesharecdn.com/ss_thumbnails/shondaapiandcodingskillsrootedcon2019-190403190029-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
![[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices](https://cdn.slidesharecdn.com/ss_thumbnails/blackhateu14attackingthelinuxprngonandroidandembeddeddevices-150720182503-lva1-app6891-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
Similar to Introduction to Memory Exploitation (CppEurope 2021)
![[ENG] Hacktivity 2013 - Alice in eXploitland](https://cdn.slidesharecdn.com/ss_thumbnails/exploitland-131019060054-phpapp02-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
Introduction to Memory Exploitation (CppEurope 2021)
- 1.
- 2. TurtleSec @pati_gallardo 2 “Basically, anattacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it. "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.” https://www.schneier.com/blog/archives/2014/04/heartbleed.html
- 3.
- 4. TurtleSec @pati_gallardo 4 What wasthe bug? - Buffer over-read - Attacker controlled buffer size
- 5. TurtleSec @pati_gallardo 5 What madeit bad? - Remote attack - High value memory - Wide deploy
- 6. TurtleSec @pati_gallardo 6 “The (1)TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read” CVE-2014-0160 Description
- 7. TurtleSec @pati_gallardo 7 Heartbleed isa prime example of an Information Leak
- 8. TurtleSec @pati_gallardo 8 Heartbleed isfamous for how devastating it was But it also became the poster child for fuzzing
- 9. TurtleSec @pati_gallardo Introduction to Memory Exploitation CppEurope2021 Patricia Aas Turtle Sec
- 10. TurtleSec @pati_gallardo Patricia Aas - Trainer& Consultant C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/they Turtle Sec
- 11.
- 12.
- 13. TurtleSec @pati_gallardo 13 Now that’sis all nice and good But most memory errors don’t cause us to crash At least not right away
- 14.
- 15. TurtleSec @pati_gallardo 15 compiler instrumentation run-timelibrary Address Sanitizer terminal $ clang++ -fsanitize=address overflow.cpp $ ./a.out ERROR: AddressSanitizer: stack-buffer-overflow @pati_gallardo Clang GCC VS
- 16. TurtleSec @pati_gallardo 16 Address Sanitizerprovokes crash-like behavior for many memory bugs Supercharges fuzzing Makes it possible to find “hidden” bugs
- 17.
- 18. TurtleSec @pati_gallardo 18 @pati_gallardo 18 Soyou found a bug. What now?
- 19.
- 20. TurtleSec @pati_gallardo Secret: Access Granted Operation complete Launching missiles Access Denied The Programmers MentalState Machine “David” “Joshua” Weird State “globalthermonuclearwar” Terminate 20
- 21. TurtleSec @pati_gallardo The Target TheShellcode @halvarflake Weird State Weird State Programming the Weird Machine Vulnerability @sergeybratus 21
- 22. TurtleSec @pati_gallardo Shellcode Piece of code,typically in machine code, that is delivered and executed as a part of an exploit. Called “shellcode” because a traditional use was to start a shell, for example sh. In real exploits it will deliver some kind of mechanism for further (remote) compromise of the system. 22
- 23. TurtleSec @pati_gallardo Exploit Write Memory Read Memory ExecuteCode Information Leaks Running of Shellcode Planting of Shellcode The Anatomy of an Exploit 23
- 24. TurtleSec @pati_gallardo 24 To runyour shellcode you need the instruction pointer to jump to your shellcode. The instruction pointer jumps in many different scenarios - goal here is to control where it jumps to, examples: return from a function virtual function call function pointer Code Execution
- 25. TurtleSec @pati_gallardo 25 A vulnerabilityor a capability in the application that can be used as a part of a wider exploit is often referred to as a “primitive”- examples: Arbitrary Read Primitive Write-What-Where Primitive Read-Where Primitive “Primitives”
- 26.
- 27. TurtleSec @pati_gallardo Exploit Write Memory Read Memory ExecuteCode ASLR Limit interesting info? Non executable memory Stack Canaries Address Space Layout Randomization (ASLR) Platform and Compiler Mitigations 27
- 28.
- 29. TurtleSec @pati_gallardo The Case OfThe Disappearing Memset @pati_gallardo 29 Dead Store Elimination The compiler is allowed to optimize away stores that cannot be detected Meaning memset’ing of memory that is never read can be removed
- 30.
- 31.
- 32.
- 33.
- 34.
- 35.
- 36.
- 37.
- 38. TurtleSec @pati_gallardo An allocation isfreed - what now? 38
- 39. TurtleSec @pati_gallardo An allocation isfreed - what now? Free 39
- 40. TurtleSec @pati_gallardo Another allocation isfreed - what now? Free 40
- 41. TurtleSec @pati_gallardo Another allocation isfreed - what now? Free 41
- 42. TurtleSec @pati_gallardo Another allocation isfreed - what now? Free 42
- 43.
- 44. TurtleSec @pati_gallardo 44 So… howcan we exploit this behavior? We can allocate!
- 45.
- 46. TurtleSec @pati_gallardo 46 Fill memorywith a certain byte sequence possibly shellcode so that a “random” jump might hit it Heap Spraying
- 47. TurtleSec @pati_gallardo 47 Normal Allocation HeapSpraying Initial state
- 48. TurtleSec @pati_gallardo 48 Normal Allocation HeapSpraying Fill memory with shellcode Shellcode
- 49. TurtleSec @pati_gallardo 49 This isa bit scattershot Can we have more control?
- 50. TurtleSec @pati_gallardo 50 @pati_gallardo 50 (HeapFeng Shui) Heap Grooming
- 51. TurtleSec @pati_gallardo 51 Create predictablememory patterns Trick the allocator to allocate a specific chunk A chunk you can control Let’s see it in action
- 52. TurtleSec @pati_gallardo 52 @pati_gallardo 52 Puttingit all together
- 53. TurtleSec @pati_gallardo 53 “The ShadowBrokers” Hacking group behind a leak in 2016-17 The leaked exploits and tools are believed to be NSAs The Shadow Brokers are suspected to be Russian The leak was done in several batches Most famous is the Eternal Blue exploit
- 54. TurtleSec @pati_gallardo 54 Very LightBackground: Windows SMBv1 Request Response Client Server SMB messages Aside: This is the diagram of all things computer
- 55.
- 56.
- 57. TurtleSec @pati_gallardo EternalBlue Write-What-Where Primitive andRemote Code Execution Linear Buffer Overrun, Heap Spray / Heap Grooming 57
- 58. TurtleSec @pati_gallardo “When updating thelength of the list, the size is written to as if it were a 16-bit ushort, when it is actually a 32-bit ulong. This means that the upper 16-bits are not updated when the list gets truncated.” Microsoft Defender Security Research Team 58 Main bug
- 59. TurtleSec @pati_gallardo - Primes theheap - Fills with blocks ready for shellcode - Makes room for buffer that will overrun - Overrun will prepare code execution - Hopes to overrun into one of the prepared blocks 59 Heap Grooming and Spray
- 60.
- 61. TurtleSec @pati_gallardo Heap Grooming Filling gapsto make allocations predictable Grooming Packet 61
- 62. TurtleSec @pati_gallardo Heap Grooming Prefill beforemaking pattern Grooming Packet Grooming Packet 62
- 63. TurtleSec @pati_gallardo Heap Grooming Make roomfor your objects Grooming Packet Grooming Packet 63 Free up holes
- 64. TurtleSec @pati_gallardo Heap Grooming Pattern: Fishin a barrel Grooming Packet Grooming Packet 64 Overflow Packet
- 65. TurtleSec @pati_gallardo Heap Grooming Pattern: Fishin a barrel Grooming Packet Ready for Execution Grooming Packet 65 Overflow Packet
- 66. TurtleSec @pati_gallardo Heap Grooming Grooming PacketGrooming Packet shellcode Ready for Execution 66
- 67. TurtleSec @pati_gallardo When connection isclosed the shellcode is executed in the block(s) that have been overrun Installs the DoublePulsar backdoor implant 67 Code Execution
- 68. TurtleSec @pati_gallardo 68 @pati_gallardo 68 Howdoes that affect me?
- 69. TurtleSec @pati_gallardo 69 There isno magic here These are bugs you can find The tools they use are tools you can use Basically: Fix Bugs
- 70.