PDF Abuse Gets Worse

Anyone following the current abuse of PDF docs likely saw that it now also affects you even if you have JavaScript turned off: http://secunia.com/blog/44/

BUT, I'm afraid it might get much worse than that. The Secunia article that points to the iDefense advisory suggests that this might be vulnerable on Mac platforms as well. I decided I'd test this out and found that on a fully patched Mac OS X build, Safari 4, Mail.app, Preview.app, and potentially others all crash using the proof of concept exploit provide on milw0rm: http://milw0rm.com/exploits/8099

The crash is actually in PDFKit/libJBIG2 from CoreFoundation, which supports all of those applications and likely much more.

*** UPDATE:
I should mention I've done nothing to determine if this is exploitable. It just crashes where you would expect in libJBIG2 from CoreFoundation. I'm bout to go snowboarding in Utah, so I didn't have time to spend with it, but I felt it was necessary for people to know since this is in the wild at this point.

GIFAR FTW!

Hello all,

Well, it's been a good day and it's just now noon! It's always good to see your research enjoyed by others. Having it recognized as the top web application hacking technique of the year for 2008, is even cooler! Rob Carter, John Heasman, Billy Rios, and I were honored with the 2008 top web hacking technique of the year, as recognized on Jeremiah Grossman's blog and voted on by a constituent of peers including Jeff Forristal, Chris Hoff, Rich Mogul, and of course, HDM.

Getting recognized for something interesting you've done is even better when it's from people you respect and follow within industry. For anyone who didn't see the GIFAR work, you can get our most recent presentation on it from Black Hat Japan's page, linked here, which we also presented at BH USA which has video and audio available if you haven't seen it... full vid here, standard vid here, audio here.

Here's to 2009 and finding even more interesting stuff!

-Nate

nsearch - A New ImmunityDbg Searching Script

Hola, hope all in the world finds you well!

Well, some of my new research has not really been new at all, in fact, it's been catching up with all the different protections for memory corruption issues and how to get around them. This was really a necessity for me, as I was sitting on some stack-based buffer overflows that were not, what I would call, straightforward to exploit. Several protections were in play at the same time, including /GS, /SafeSEH n all modules, and DEP. To help me out with this, I wrote up an Immunity Debugger plugin that would help me search memory for potential pop/pop/ret r32 and call/jmp dword ptr[ebp/esp +/- X] and equivalent commands. I needed to find these either in some module that did not have /SafeSEH, or in a mapped, executable memory segment.

Due to the great support for Python in ImmDbg and the API it exposes to work with the debugger, this was pretty straightforward and easy to write. The examples provided by Immunity really helped out, as well. Thanks to Nico for all the help!

You can download it from the Immunity Forums, here. Which is also where I will maintain any revisions.

It has a couple of modes, which I'll describe below:

1.) Search instructions: !nsearch /a pop r32\\npop r32\\nret
This can be used to search all memory regions for a given set of commands.

This is intended to perform similar to the !search script included with Immunity Debugger, but it works a little different. It has an advantage, in that it can and will search all of memory; however, it uses imm.Assemble(), which does not currently support assembly of instructions with offsets (and possibly with numeric values). For example, call dword ptr[ebp+30] will not assemble correctly, and therefore will not be found using this mode. For this, you will need to use the /x mode and supply the opcodes for the command, or use the /f mode and code into the script the opcodes you want to look for.

2.) Search opcodes: !nsearch /x ff 55 30
This can be used to search all memory regions for a given set of opcodes.

The search is done using the imm.Search() method, but in this case, it will not first use imm.Assemble() method to assemble supplied instructions into opcodes.

This is going to be the most reliable, but also least flexible, method of using this script to search memory, as it will find exact opcodes you want, not try to get the assembly of an instruction right.

3.) Feelin Lucky: !nsearch /f
This can be used to search many opcodes at the same time.

The reasoning for using this search method is to search many opcodes at the same time that might bring you back to your shell code. There's only a couple examples right now, but this section could be easily added to. Essentially what I've done so far is use the pop pop ret combos, jmp/call dword ptr[ebp/esp+x] instructions from Litchfield's paper on exploiting win2k3, and a couple of examples from Pablo Sole's paper on DEPLib. If someone has a good list of obvious ones, I'll throw that in, otherwise, feel free to add your own favorites or required per your exploit into the code. This mode was really what the script was designed for, but I figured I'd put in the other modes to make it useful there as well. The code for this is all located within the doSearch method on approx line 96 in the first conditional, feelinlucky. It has a number of examples to show how you could add your own commands to search for.

4.) Less Mode: !nsearch /f /less
The /less mode allows for less verbose output, in this case only those modules marked "No" for /SafeSEH, those modules marked "Yes [No Handler]" for /SafeSEH (think ATL.dll), and memory pages that are not loaded modules will be displayed. This cleans it up a bit for those sploiting something with tons of modules. While I'm on the subject, ATL.dll shows up as Yes [No Handler], and it's quite often used in SEH overwrite exploits.

I've heard mention that it's usable because it was built with an "old version" of /SafeSEH checks, and I'm trying to confirm what causes that. So, I make no claims as to if every module that shows up as "Yes [No Handler]" will be usable for an SEH overwrite, but it's worth a look. I will also be trying to figure out exactly what's going on with this behavior, I just haven't gotten to it yet.

5.) Single Module Mode: !nsearch /f /singlemod modname
The /singlemod modname mode allows you to search only for usable opcodes from a single module. This is nice for cases where you know exactly which module you want to use (say a module that always starts at the same base addy in vista).

-Nate

Hello World!

Ok, it's been a long, long time since I blogged. Sorry, but sometimes the fun times in life just get in the way of things like blogging. In any case, I'm getting back to it! For those who followed me on ZDNet, you won't see nearly as many posts, for those that followed me on xs-sniper, expect something more like that.

Today you'll get two posts, cause I'm catching up with things!

-Nate